Comment by mynameisvlad

9 months ago

That seems entirely like an implementation detail that doesn't have anything to do with the smart card interface itself.

It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response, verified when used, so that it can't be used for anything but the approved purpose.

> It's not like it's rocket science to have the reader application detail what the request is used for, and encoding it in the request/response

The reader application can, sure, but what ensures that that "reader application" is genuine and can't be subverted? The card's own processor is supposedly tamperproof, but all the display etc. is in the reader which is probably owned and controlled by whatever third-party you're identifying yourself to, or at best it's a random application running on your PC/phone with whatever malware you have.

  • This is already a more restricted type of attack than the common identity theft that's rampant right now in the US.

    What you're describing requires the actual terminal you're interacting with to be malicious, and it can only be used to authorize individual transactions.

    As things stand in the US, a much broader class of attacks is not only possible but common, in which the attacker takes over the identity of the victim and can authorize any number of transactions in their name.

Why do you trust the reader though? It could display one thing and send another. Although I guess this also happens with payment card terminals. Who's to say the €3 displayed is not charged as €300...

  • This is a solved problem.

    If the ID is on your phone, you can make it so that the transaction details have to be digitally signed by the person authorizing them in order to be valid. Then, if 3€ shows up on your phone, that's what you're authorizing, not 300€.

    • Sure, given an advanced enough device anything is possible. But I think here we are still discussing a "card" form factor for ID? (Being an "unperson" simply because you don't have a smartphone or have a rooted one would be "interesting").

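The purpose-bound request/response and signed transaction details discussed in this thread, as an added example that is not code from any commenter or from a real ID scheme. It assumes a made-up message layout (`purpose`, `amount_cents`, `nonce`), and HMAC with a constructed key stands in for the card's signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. HMAC stands in for the card's signature here;
# a real card would sign with a private key that never leaves the chip.
CARD_KEY = secrets.token_bytes(32)

def _tag(key: bytes, fields: dict) -> str:
    # Canonical encoding so signer and verifier hash identical bytes.
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def card_authorize(key: bytes, purpose: str, amount_cents: int, nonce: str) -> dict:
    """Card side: purpose and amount are part of what gets signed."""
    fields = {"purpose": purpose, "amount_cents": amount_cents, "nonce": nonce}
    return {"fields": fields, "tag": _tag(key, fields)}

def verify(key: bytes, response: dict, purpose: str, amount_cents: int,
           nonce: str, used_nonces: set) -> str:
    """Relying party: accept only the purpose, amount and nonce it asked for."""
    fields = response["fields"]
    if not hmac.compare_digest(_tag(key, fields), response["tag"]):
        return "bad signature"
    if fields["purpose"] != purpose:
        return "wrong purpose"
    if fields["amount_cents"] != amount_cents:
        return "wrong amount"
    if fields["nonce"] != nonce or nonce in used_nonces:
        return "stale or replayed nonce"
    used_nonces.add(nonce)
    return "ok"

def demo() -> list:
    used = set()
    n = secrets.token_hex(8)
    pay = card_authorize(CARD_KEY, "payment", 300, n)  # the 3 EUR approval
    results = [verify(CARD_KEY, pay, "payment", 300, n, used)]
    # Same response presented a second time.
    results.append(verify(CARD_KEY, pay, "payment", 300, n, used))
    # Amount edited to 300 EUR after the card signed.
    inflated = {"fields": dict(pay["fields"], amount_cents=30000), "tag": pay["tag"]}
    results.append(verify(CARD_KEY, inflated, "payment", 30000, n, used))
    # Response signed for one purpose, presented for another.
    age = card_authorize(CARD_KEY, "age-check", 0, "n2")
    results.append(verify(CARD_KEY, age, "payment", 0, "n2", used))
    return results
```

The checks cover what the relying party can verify from the signed fields; they do not show whether the reader displayed the same values it sent to the card.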