Every once in a while, I just scratch my head and wonder just what in the wide, wide world of tech is going on. More than ever, it seems the big barriers to adoption aren’t a lack of technology – instead, barriers come from a system that staunchly defends the old way of doing things, even when the participants are battered, broken, and bleeding.
Consider smart cards, for instance. We have had both the international standardization and the microcontroller and RF technology available for some time. Smart cards are routinely used in 130 countries worldwide – but for the most part, not the US, outside of the well-known mobile phone SIM module. Financial transactions in the US still mostly rely on magnetic stripe technology. Why can’t we get on board?
Part of the answer lies in sheer size. By some estimates, changing the US financial system – card issuers, retailers, and almost every consumer – to a smart card transaction infrastructure could cost as much as $35B. Smart cards themselves, each carrying a microcontroller and non-volatile memory supporting encryption of stored information, are about five times more expensive to produce compared to trivial mag stripe versions (but maybe not the versions of cards with holographic logos, bearer photos, and other features).
There is also security to consider. Ironically, the recent Target breach could be the straw that finally breaks the camel’s back and lowers the resistance to smart cards. Mag stripe cards are trivial to counterfeit, but smart cards are a much more difficult nut to crack for forgers. However, there is controversy over whether the two-factor authentication method for smart cards should be chip-and-PIN, or chip-and-signature. As many pundits point out, while these cards provide more security in physical transactions, in an economy increasingly moving to online purchases, smart cards don’t create much of a change.
I remember when the buzz on NFC was that it was going to take over payments. On the trail, I wandered around CTIA Mobile in San Diego in the fall of 2011, asking a few vendors what they thought. The response was a bit startling: retailers won’t change their infrastructure. It’s a lesson we learned from RFID in the previous decade, where item-level tagging and seven-cent chips were going to sweep the universe and make everything “smart”, displacing that rotten old barcode technology.
Things didn’t happen that way. Smooth-talking marketers said it was all about the use case, that these new technologies don’t create a big enough change to justify investment. Those same marketers also managed to siphon most of the energy out of the term “smart”, nullifying it with the suggestion that it offered anything but extra cost for consumers. (See: smart grid.)
The other blowback is being “too far in front of the bus”. That usually comes from sales people making a comfortable living selling mostly old stuff to their mostly old customer buddies. The problem: embedded life cycles are really long, two, three, sometimes five years. If you miss the bus, your best case outcome is running like crazy for the next two years to catch the next one. The worst case is it goes by, and as Tom Peters succinctly put it, you wake up dead one day without understanding what happened. Sometimes, it’s better to be hit by the bus – it can be a great call to action.
The smart card bus is here, in a system riddled with hacking, fraud, and identity theft, and some big names are getting run over and hurt badly because switching from mag stripes was sold to a lot of people as too expensive. We got what we asked for by avoiding the fairly obvious. Now, how do we get what we really need?
It starts at the building block level, and with dispelling the myth that smart cards have to be expensive to produce. An ultra-low power MCU and NVM with 10-year-plus data retention aren’t that costly any more, with 8-bit engines under 25 cents, and 32-bit engines under $1 and dropping thanks to IoT demand. Those costs are offset by fewer card replacements, both those due to mag stripe erasure (like setting your phone on your wallet) and those issued in response to all-too-frequent identity compromise. Some NVM technologies, like Sidense 1T-OTP, are also secure against physical inspection attacks – because the state of programmed memory cells is not visually revealed, hackers can’t easily reverse engineer the application code or encryption keys.
Next, we have to get over this “absolutely secure” excuse, postponing change waiting for a perfect solution. Signatures should have gone out with the Declaration of Independence, and are totally non-secure. Two-factor authentication schemes using PINs are pretty good. I actually like the two-factor NFC approach using a smartphone, but that’s another discussion. US banks and consumers need to just get behind the EMV smart card standards and chip-and-PIN, and get over the IT changes needed to make it happen. Nothing is bulletproof, but what we have now looks like Swiss cheese in comparison to what we should have – and attacks are only going to increase the longer we wait.
Of course, there are still lawyers to deal with, and they may be the ultimate barrier to progress. I enjoyed this analysis in the NY Times:
… Visa and MasterCard have both set forth timetables that attempt to institute the adoption of embedded-chips technology by the fall of 2015. Although the timetables are not mandatory, they would essentially shift the liability for card losses on to whichever side — the bank or the retailer — has the least secure technology.
That is world-class FUD if I’ve ever seen it, but unfortunately it is exactly the type of misunderstood risk a lawyer would use to stop change in its tracks. I may switch careers to become an expert witness: “Well, their card uses an MCU with known security vulnerabilities ….”
Seriously, the time has come for smarter payment systems – smart cards, NFC-enabled phones, anything but mag stripes – in the US. Technologists need to lead this charge and debunk some of the myths surrounding “smart”, communicating the benefits to consumers more clearly. I hope I’m part of that. What are your thoughts on this melee?