The United States' need for smart cards might prove to become the smartest
of all applications and implementations anywhere to date. Quantum-leaping
ahead of the current generation of smart technology, America has awakened
to the potential of smart credentials and tokens for cyber IDs and other
applications that require a stronger "authentification" (authentication
and identification). Cyber IDs combined with advancements in microprocessor
technologies, increased memory capabilities, and the emergence of common
operating systems, build a robust framework from which advanced smart
card applications can blossom and thrive.
There is a strong case in the U.S. for advanced authentification strategies,
particularly in light of the explosive growth of Internet usage and
the potential for fraud that exists when buyers and sellers do not meet
face-to-face. Online criminals target victims through a variety of measures,
most notably fraudulent billing of credit card numbers. On May 11, 1999,
for example, federal agents arrested a Malibu, California man who had
used the Internet to scam roughly USD $45 million from unsuspecting
credit card holders by charging hundreds of thousands of fraudulent
transactions to their accounts.
Visa International reports that, while the Internet generates only
2% of its credit card business, e-commerce accounts for roughly 50%
of discovered fraud and billing disputes. Identity theft (when criminals
assume their victims' identities to obtain credit cards and loans in
their name and pillage their bank accounts) is another type of on-line
fraud that is proliferating. Without the Internet, identity theft was
already a serious source of fraud in the U.S., targeting more than 500,000
victims and costing roughly USD $2 billion per year. At issue has been
business use of Social Security numbers as unique identifiers and the
practice of credit card agencies using insufficient identifiers when
issuing cards. The use of the Internet by the ill intentioned has propelled
identity theft into the fastest growing crime in the U.S. Today, a skilled
hacker can access a company's client database to obtain customer records
(likely including Social Security numbers), and use this information
to order credit cards and/or apply for loans in other peoples' names,
without leaving home.
According to the Washington-based National Consumers League, 6 million
Americans feel they have been victims of on-line fraud or misuse of
credit card information. Nonetheless, a November 1999 Business Week
estimate predicts that goods and services exchanged on-line will grow
from a total of USD $37 billion in 1999 to more than USD $327 billion
by 2002. The potential exponential growth in fraud concomitant with
that of electronic transactions is a serious matter that could tarnish
e-commerce, impeding its growth and costing billions of dollars in lost
sales and write-offs.
There is, therefore, a strong demonstrated need to protect individuals
and corporations from these "cyber-bandits." Digital certificates
provide a strong means of protecting both the consumer, through authentication,
and on-line vendors, through authentication and non-repudiation
(i.e. guaranteeing that a transaction is valid and can not be disputed
once it has been completed). The use of smart cards raises today's assurance
levels to a much higher point.
Business and government have been active in promoting the use of digital
certificates. In 1996, Cisco Systems, AT&T Corp, and Merrill Lynch
& Co. announced their intention to back a secure electronic transaction
infrastructure provided by VeriSign and in 1998, ABN AMRO North America,
Bank of America, Citibank, Mellon Bank Corp, and Zions Bank announced
plans to test the use of digital certificates. Also, in 1998, the Federal
Government announced plans to build a security infrastructure for U.S.
citizens and businesses, with the intention of eventually issuing a
digital certificate to every business and person in America. The impetus
for the move lies in the increasing use of the Internet by the government,
in ordering and fulfillment, in sharing information, and in providing
services, such as allowing users to check the status of tax returns.
The Federal Government is promoting the use of digital certificates
based on the ITU-T X.509 standard (X509 certificates). Eventually, X509
certificates will become part of a cyber ID carried by many Americans,
and may be used for completion of certain services such as renewing
drivers licenses, paying taxes, renewing and issuing passports, and
many other functions that would normally require the presence of a notary
public. In doing so, X509 may become the de facto standard for e-commerce.
The U.S. Government's efforts build on efforts and initiatives already
taken by others, such as the Spanish Mint's CERES project. Digital certificates
stored on CERES smart cards are being used to secure networked communications
between government departments and public sector organizations. CERES
smart cards will also be used for securing private sector interaction
with government web sites and will be issued to millions of Spanish
citizens.
Storing digital certificates on smart cards creates a more secure,
more robust environment in which e-commerce can thrive. The smart card
offers tamper-resistant storage, isolates mission-critical security
elements from other parts of the system, and enables portability of
credentials and other private information. The digital certificate can
be carried wherever the smart card's owner travels and need not reside
on a PC or laptop. This allows the consumer to use his or her smart
card to purchase items on-line from any PC or point-of-sale device (POS)
with a compatible smart card reader, which is important for three reasons:
- If the certificate were stored on a PC, it could be available for
use by other users when the owner is not present
- A networked PC can be hacked and the digital certificate can be
pirated
- The smart card can be used in interactions with non-PC Internet
aware devices, such as personal digital assistants, telephones, set-top
boxes, intelligent automobiles, etc.
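The following is an added toy model, not code from the article or from any card vendor, of the authentication and non-repudiation roles described earlier and of the three points just listed: the private key lives only inside the card object, signing is gated by a PIN with a retry counter (so a card left unattended or a key copied off a networked PC does not help an attacker), and the host verifies with nothing but the public certificate. The key parameters are constructed from two known Mersenne primes purely to keep the arithmetic small; real cards use 2048-bit keys, hardware RNG and a PC/SC or PKCS#11 interface rather than a Python class.

```python
import hashlib

# Constructed toy RSA parameters: two known Mersenne primes give a ~150-bit
# modulus. Far too small for real use; chosen only so the example runs instantly.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

class CardLocked(Exception):
    """Raised once the PIN retry counter is exhausted (card must be unblocked)."""

class SmartCard:
    """Models the tamper-resistant token: the private exponent has no accessor
    and is only ever used inside sign(); use requires a verified PIN."""
    MAX_TRIES = 3

    def __init__(self, holder, pin):
        # The certificate (public part) may be freely exported to any host.
        self.certificate = {"subject": holder, "n": N, "e": E}
        self.__d = D                   # private key: never leaves the card
        self.__pin = pin
        self.__tries_left = self.MAX_TRIES
        self.__verified = False

    def verify_pin(self, pin):
        if self.__tries_left == 0:
            raise CardLocked("PIN retry counter exhausted")
        if pin != self.__pin:
            self.__tries_left -= 1     # wrong guess burns a try, even offline
            return False
        self.__tries_left = self.MAX_TRIES
        self.__verified = True
        return True

    def sign(self, message):
        """Sign a transaction; refused unless the holder has presented the PIN."""
        if not self.__verified:
            raise PermissionError("PIN not verified")
        return pow(_digest(message), self.__d, N)

def _digest(message):
    # 128-bit truncated SHA-256 so the value is below the toy modulus N.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def verify(certificate, message, signature):
    """Host/vendor-side check: needs only the public key from the certificate,
    so a valid signature can later be attributed to the card holder alone."""
    return pow(signature, certificate["e"], certificate["n"]) == _digest(message)
```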
Non-PC devices are expected to outsell PCs by 2002, eventually outselling
them by a factor of 10-to-1 by 2010 - and will provide the backbone
access technology for the next generation of e-commerce. Today, 94%
of Internet traffic is generated by PC use, a number which is predicted
to decrease to less than 50% in the near future, with other wired and
wireless devices emerging as dominant players (thereby extending the
reach and functionality of the Internet).
In the cyber world, the need for secure, portable authentification
will only become stronger. The smart card represents a powerful option,
and its adoption will be further promoted by the convergence of platform-independent
operating systems. Actively fighting for this opportunity are: the JavaCard
platform, developed by Sun Microsystems; and the Smart Card for Windows
platform, developed by Microsoft.
Sun's JavaCard technology is touted as being platform-independent and
multi-application capable, as well as providing the ability to install
and remove applications post issuance. These features will provide the
opportunity for multiple vendors to have a stake in a card, thereby
defraying card development costs, and will allow the card to be tailored
to individual requirements (including loading and managing digital certificates).
Dynamic card management will become necessary as each user may have
his own unique "complement" of web-enabled appliances that
the smart card will interact with daily.
Smart Card for Windows, conversely, has four goals: enabling smart
cards to be an extension of the PC environment; providing software development
tools that have a broad base of developer familiarity and support; offering
card issuers the ability to choose card components from a variety of
suppliers; and delivering lower cost smart cards. The platform is expected
to gain broad acceptance because it is based on the PC/SC interface
standard and is very tightly integrated with the Windows NT, Windows
CE and Windows 2000 operating systems and Microsoft Internet Explorer
browser software. Windows NT 4.0 and Windows 95 already support smart
cards and readers based on specifications developed by the PC/SC Workgroup.
Windows 2000 takes this one step further - it has a security provision
in which smart cards can be used to gain network access. Meanwhile,
Windows NT 5.0 will have an incorporated logon feature, through which
access can be gained using an X509 digital certificate stored on a smart
card. By leveraging its dominance in the PC environment, Microsoft may
prove to be a significant force itself in shaping the evolution of the smart
card operating system.
In addition to common operating environments, the smart cards of the
future will be faster, have greater memory, and be far richer in terms
of type of information carried and capabilities. Most importantly, these
cards will support storage of digital certificates, providing a CyberID
to support on-line transactions.
The U.S. Government's Department of Defense (DOD) is taking a lead
role in promoting the storage of digital certificates on smart cards.
By 2003, the DOD intends to replace active and reserve military ID cards
with smart cards, which may also contain inoculation, medical and dental
records, as well as provide authentication for physical access to buildings
and electronic access to DOD computer networks. The program will be
implemented from FY2000 to FY2005, is expected to cost USD $145 million,
and will play a critical role in shaping the smart card market in the
US.
The U.S. General Services Administration (GSA) is also proposing to
implement a somewhat similar smart card system for all federal employees.
This is another example of how government has the ability to shape a
market - the technology of choice may become a de facto standard due
to the number of cards that will be issued. While individual agencies
have the power to select a preferred vendor, card applications and functionality,
all implemented solutions must be consistent with guidelines specifying
interoperability and compatibility between solutions. Thus, the migration
towards interoperability and standards will be sped up as vendors attempt
to win these contracts, as will the evolution of multi-application smart
card solutions.
The American Express "Blue" card is also accelerating the
adoption of smart cards in the U.S. Blue is the first smart card
issued for mainstream use by credit card issuers in the U.S. and is
targeted to the technically savvy. A digital certificate is carried
on the card that, through smart card readers that American Express will
provide, will enable several card management functions and transactions
to be completed on-line. As well as allowing cardholders to create a
secure online wallet and purchase items through the Internet, the authentification
features allow users to access online financial management tools that
can be tailored to a specific cardholder, view and pay their bills online,
view online statements that can be downloaded into personal money management
applications such as Quicken and Microsoft Money, and be made aware
of special online offers available to Blue cardholders.
Blue is targeted to a specific demographic group - the technologically
aware, Internet-active with high disposable incomes and the traditional
early acceptors of new technology. Success of Blue will further promote
acceptance of smart cards by later adopters, and other demographic groups
will surely follow, as we have seen in the past with other technologies,
including credit cards. Blue will allow American Express to make the
first steps necessary to improve Internet payments and gain widespread
acceptance of smart cards in the U.S. through the use of digital certificates
loaded on the card.
The Health Passport Project is another example of how the U.S. is making
use of smarter applications and implementations of card technology.
The Health Passport Project, which is currently in pilot phase in Bismarck,
ND, Cheyenne, WY, and, in March 2000, in Reno, NV, is one of the first
multi-agency, multi-function healthcare applications implemented in
the world of smart cards. Health Passport smart cards store personal
demographic information, such as Social Security numbers and addresses;
vital health records, including growth charts, test results, physician,
and insurance information; and participation in state- and federally-sponsored
welfare programs. The goal is to provide improved quality of care, by
preventing duplication of tests, reducing fraudulent activity, and increasing
awareness of social service programs, ensuring that recipients gain
access to the services they are eligible to receive.
An additional feature of the Health Passport card is its role in the
distribution of welfare benefits through electronic benefits transfer
(EBT) in the Cheyenne, WY and Reno, NV pilot sites. Participants in
the Women, Infants, and Children (WIC) program receive monthly benefits packages
through their Health Passport cards. When buying groceries, the card
is presented at checkout, inserted into a card reader, and, through
the supermarket's computer system, provides payment for those items
that are included on the WIC list of acceptable items. The card carrier
need only pay for items not covered by the WIC program - WIC eligible
items are automatically deducted from the bill. This speeds up checkout
and, through links to on-line transaction processing systems, also speeds
up vendor reimbursement and reduces the number of vendor billing errors.
With smart cards intended to carry X509 digital certificates
as a means of authentification, the market is in a unique position
to prosper from the rapid growth of the Internet, e-commerce, and
other services and applications. The emergence of common operating systems/environments,
promoted by Sun Microsystems and Microsoft (and others, such as MULTOS),
creates the opportunity for interoperable smart card systems and the
dynamic management of card applications. The U.S. government is taking
an active role in planning to issue smart cards for physical and cyber
identification (allowing physical building access and entry to networks),
as well as other applications including carrying medical and dental
information, and other uses.
Microsoft has extended its support for smart cards into its operating
systems by including a security function that makes use of smart cards
(carrying X509 digital certificates) for gaining access in Windows 2000,
released in Spring 2000. The American Express Blue card, which is targeted
to early adopters of technology, allows for secure on-line transactions
and access to a series of other cardholder services on-line. Clearly,
the U.S. has demonstrated its own context and needs for smart cards,
and companies and the government have responded by creating unique and
constructive implementations of smart card technology.
References:
- Computer World, 11 May 1999, "Feds Make Bust in $45 Million Net Scam," Kim S. Nash and Ann Harrison
- Computer World, 24 March 1999, "Visa: E-commerce is a Major Source of Fraud," David Legard
- Other cases of fraud include: "pump-and-dump" stock scams (in which phony press releases encourage investors to buy particular stocks, and the stock price becomes artificially - and temporarily - inflated), selling inferior or fake products (such as phony weight-loss plans and cheap, fake Viagra pills), and bogus or spurious auction sites (see reference below).
- CNN, 11 October 1999, "Fighting the Plague of Identity Theft," Heather Hayes
- Infoworld Electric, 16 August 1999, "Security Watch," Stuart McClure and Joel Scambray
- CNN, 17 April 1998, "Internet Identity Theft: Minimizing the Risk," Don Knapp
- Computer World, 21 May 1999, "Despite Fraud, Consumer Confidence with E-Commerce Rises"
- PC Week, 16 December 1996, "Major Backers Set for Digital Certificates," Michael Moeller
- CNN, 16 July 1998, "Feds Want a Digital Certificate in Every Pot," Ellen Messmer
- Spanish Mint CERES Project Web site (http://www.fnmt.es/ceres/pceres.htm)
- International Data Corporation Web site (http://www.idc.com)
- The JavaCard Web site (http://www.javasoft.com/products/javacard/javacard21.html)
- Windows for Smart Cards Web site (http://www.microsoft.com/windowsce/smartcard/start/background.asp)
- American Forces Press Service, 27 October 1999, "DOD To Implement Smart Card Program," Linda D. Kozarn
- American Express Blue Web page (http://home4.americanexpress.com/blue/splash.asp)