Someone finally gets what strong security is about
August 14, 2006
The world is not lost yet. Here is someone who gets what strong token-based security is about. I’ve been reading this “ID cards (or any other universal tokens) are bad for security because then government can spy on you” nonsense for too long to even react anymore. So these words from George are simply music to my ears.
The problem is that some people always manage to confuse strong authentication with government tracking and the storing private data on a single card when nothing could be further from the truth. Smartcards or cryptographic tokens are just tiny computers with random numbers inside of them with absolutely no personal data inside of them. It is true that they can store encrypted private data but that is an optional feature not essential to the strong authentication aspect of smartcards or cryptographic tokens. The issue of tracking of people has absolutely nothing to do with strong authentication. /—/ The same token can be used for as many services as the user desires from corporate VPN to online Banking to online shopping.
Call me up if you want to see how it works in real life. I have a strong authentication token that I can use today in all the e-banks I have an account with, plus to sign in to the government databases to see what those guys have recorded about me and who’s using the data. And I voted in local elections with it last year and will most likely vote again in next year’s parliament elections.
The only true security problem I’ve had with any of these services is that I once got pickpocketed and the bad guys milked my credit card (well technically speaking it was a corporate one so I didn’t bear the cost but it still sucked). We challenged the bank because each transaction is supposed to have a check with my signature of it, but they responded “uh .. yeah .. well you know what, we really don’t care about that and it’s cheaper for us to have you bear the cost than track down the receipts in weird foreign countries”. They actually received a fax with the receipt, and what was on it was nothing like my signature, but then again the fax quality was so bad that it wasn’t that legible in the first place, and blah blah blah, and I think they just dropped the case. After all the amount wasn’t anything humongous and we figured we’d just write it off as learning cost and move on.