Archive for June, 2009

American Banker Reports

Europe to Eye Mag-Stripe Ban

Cardline Global  |  Friday, June 26, 2009

European banks may consider banning the use of magnetic stripe credit and debit cards, according to Gerard Hartsink, the chairman of the European Payments Council.

Hartsink, who is also a senior executive vice president at ABN Amro in Holland, said that European financial companies will have largely completed the transition to the EMV Integrated Circuit Card Specification by 2011, and the council, which is driving the transition to the Single Euro Payments Area, could then advise its members to stop accepting magnetic stripe cards, which are considered less secure than those that use EMV.

“My feeling is, although it has not yet been decided, the [council] will take a decision in 2011, maybe 2010, to only use chip cards,” he said in comments during a presentation this week at the Contactless Cards and Payments conference in London.

The council has no enforcement power, but if banks in Europe went along with such a decision, it could leave U.S. cardholders in the lurch when they traveled to Europe and tried to use cards for purchases or ATM withdrawals.

“If [Americans] visit Europe, it’s not such a problem; their institution could issue an EMV card,” Hartsink said.

Payments council members will probably debate the issue in 2010 or 2011, he said.

Hartsink is not the only person suggesting a ban on magnetic stripe cards, according to Dave Birch, a director at the U.K. research company Consult Hyperion. In a recent blog post, he cited comments from a financial regulator in Singapore pressing for a “concerted, global effort to phase out magnetic stripe technology entirely.”

Recently I came across an article that spoke to an idea that I had back in 1996 when I envisioned a personal device that allowed the consumer to merge their leather wallet, Filofax, mobile phone, Walkman and PDA into a single lightweight device.

http://www.andreae.com/presentation/Wallet_Pockets/my_dream_Start.htm

The author of this article talks to the need to create a secure mechanism to authenticate, identify and, as appropriate, verify that it is I. When we looked to smart cards, that was what we were looking to do, and the SIM that is inserted into a GSM-capable mobile phone is able to offer the security that Kurt Marko seeks.

Has the time come to move forward with my dream?

 

That was part of the dream that drove the creation of EMV.

Personal Portable Security Devices

 
Are Pocket-Sized, All-In-One Security Devices Ready For Prime Time?

Key Points

• Personal portable security devices integrate cryptographically strong user authentication, such as OTPs (one-time passwords) and public key certificates with ample hardware-encrypted flash storage, all housed in a compact USB device.

• The functional integration enables new usage models for secure mobile computing, such as standalone portable applications, browsers, or complete desktop environments.

• PPSDs are a relatively new and evolving technology that suffers from hardware costs substantially higher than those of point products, such as encrypted storage or OTP tokens, complex deployment processes, and necessary additional management software.

 

USB thumb drives have become the sneakernet’s backbone, the result of plummeting prices and burgeoning capacities for flash memory. These tiny wonders are spacious enough to store an OS installation with room to spare for user data; however, they are also inherently insecure. Although vendors have addressed this shortcoming with drives incorporating hardware encryption chips, these haven’t yet achieved mass acceptance. Small USB devices have also become a common vehicle for delivering secure, two-factor user authentication.

Wouldn’t it be nice if secure storage and authentication features were combined into a compact Swiss Army knife of security? A relatively new class of products, PPSDs (personal portable security devices) “combine the flash storage of universal serial bus thumb drives with the access control and secure storage capabilities of the smart card,” says Burton Group Senior Analyst Mark Diodati. “PPSDs leverage the USB form factor, use hardware cryptographic processing to provide smart card and one-time password device services, have secure storage capabilities, and reside in a tamper-resistant container.”

The real security magic comes from the synergistic integration of the two sets of capabilities; for example, users cannot access the flash memory without first providing strong authentication. Diodati adds, “The PPSD overcomes two issues—the limited storage capability of smart cards and the relative insecurity of USB flash drives.” Larry Hamid, CTO of MXI Security, says the combination allows “a device that serves multiple security functions.”

PPSD Features

Furthering the theme of convergence, PPSDs also incorporate several strong authentication technologies. Like traditional USB tokens, PPSDs embed a certificate-based smart card in hardware; however, they add a software-based OTP (one-time password) generator. Unlike SecurID tokens, most PPSDs don’t sport a display; thus, to generate and view the password, users must plug into a PC’s USB port and run an embedded application. This makes PPSDs problematic for use on public kiosk PCs where the ports are usually disabled. Like USB security tokens or smart cards, PPSDs can hold any number of certificate-based credentials for Windows login or PKI (public key infrastructure).

PPSDs pair their strong authentication features with gigabytes of flash storage. Hardware-based encryption is accomplished via a symmetric algorithm such as AES, and, while standard USB flash drives can be encrypted with software, they are arguably less secure. In addition, PPSDs are tamper-resistant because they use their internal smart card to store encryption keys and an embedded chip to execute the encryption. Some PPSDs also support biometric authentication via an integrated fingerprint reader for added security.

Advantages & Usage Scenarios

Like plain-vanilla flash drives, PPSDs have benefitted from dramatic increases in flash memory density and are available in capacities from 1 to 16GB. Such abundant storage enables some intriguing applications, according to Diodati. He sees PPSDs as an ideal way to protect mobile professionals via solutions such as hosting a complete virtual desktop OS, “hardened” business applications, Web browsers, or SSO (single sign-on) systems.

For example, using software, users can carry a fully customized Windows Desktop environment on a USB stick. Similarly, some let users install and run individual applications directly from a USB drive while leaving no traces behind on the host PC. PPSDs enhance these portable application environments by running them within a much more secure framework.

PPSDs look like the perfect security multitool, so what’s not to like? Unfortunately, according to Diodati, “the functionality of the PPSD comes with a price.” He explains that extensive processes are required to initialize devices for a particular organization, customize and personalize them for users, and bind their security credentials to internal directories. Although vendors provide administrative tools to automate these tasks, Diodati notes these often aren’t the end of the story. “Additionally, a smart card management system is required for most deployments, adding to the cost of the PPSD deployment.”

Cost vs. Alternatives

Aside from the administrative overhead and costs of ancillary software such as a CMS and OTP system, PPSDs themselves aren’t cheap. For instance, 2GB devices run around $150 with 4GB devices pushing $200. Compare that to a 4GB flash drive bundled with software encryption for less than $30, and it’s tough to justify the PPSD’s six-to-one price disadvantage if all one needs is secure storage.

The mobility of today’s workforce opens enterprises up to more security risks, according to Hamid. “You either have to compromise security [or] compromise functionality.” He sees PPSDs as a technology that can make security simpler, more portable, and less burdensome. Hamid believes carrying applications or entire desktop environments on a secure PPSD could emerge as an important new security model for mobile users.

Diodati is equally enthusiastic about the market potential of PPSDs but believes they need further development. “While the PPSD has the opportunity to be a stronger authentication market disruptor, the price must come down.” He’s also concerned about the complexity of PPSD deployment. “The orchestration of smart card management systems, key management/recovery, Active Directory, and PKI will remain a daunting task for most enterprises in the foreseeable future.” Hamid agrees that costs are a problem but promises new product lines “with drastically reduced pricing.”

Although the integration of strong authentication credentials and copious encrypted storage in a key fob-sized device promises to enhance and simplify mobile security while giving new meaning to the notion of a “mobile desktop,” the nascent state of PPSD technology means that it’s more appropriate for evaluation and prototyping than large-scale deployment. As hardware costs continue to plummet and management software matures, PPSDs could revolutionize the mobile security landscape.

by Kurt Marko

Key Features Of PPSDs

• Strong authentication via public key certificates or one-time passwords

• Native, hardware-based file encryption

• Portable single sign-on via the ability to carry both a user’s SSO credentials and an on-demand enterprise SSO system

• Ability to securely host a complete portable desktop environment

• Ability to securely carry portable applications, particularly a hardened browser with a restricted operating environment and secure configuration

Source: “Postcards from the Enterprise: The Authentication Experience”; Mark Diodati; Burton Group