Schneier on Security
A blog covering security and security technology.
February 9, 2006
Multi-Use ID Cards
My eleventh column for Wired.com is about ID cards, and why you don't -- and won't -- have a single card in your wallet for everything. It has nothing to do with security.
My airline wants a card with its logo on it in my wallet. So does my rental car company, my supermarket and everyone else I do business with. My credit card company wants me to open up my wallet and notice its card; I'm far more likely to use a physical card than a virtual one that I have to remember is attached to my driver's license number. And I'm more likely to feel important if I have a card, especially a card that recognizes me as a frequent flier or a preferred customer.
Some years ago, when credit cards with embedded chips were new, the card manufacturers designed a secure, multi-application operating system for these smartcards. The idea was that a single physical card could be used for everything: multiple credit card accounts, airline affinity memberships, public-transportation payment cards, etc. Nobody bought into the system: not because of security concerns, but because of branding concerns. Whose logo would get to be on the card? When the manufacturers envisioned a card with multiple small logos, one for each application, everyone wanted to know: Whose logo would be first? On top? In color?
The companies give you their own card partly because they want complete control of the rules around their own system, but mostly because they want you to carry around a small piece of advertising in your wallet. An American Express Gold Card is supposed to make you feel powerful and everyone else feel green. They want you to wave it around.
Posted on February 9, 2006 at 6:39 AM
• 29 Comments
"An American Express Gold Card is supposed to make you feel powerful and everyone else feel green. They want you to wave it around."
Yeah, but the downside is that if you go waving a Gold Card around in public, you are announcing to any would-be muggers "I have valuable plastic things to steal! And I don't have the sense God gave a rutabaga! Mug me!!!"
Good and well written article.
You pointed out an important fact that most (if not all) of those cards we have in our wallets contain nothing but some information concatenated together forming a pointer to a database, in other words, a unique identifier. Why they work is there's many independent databases, so if one gets compromised those others are still unaffected. Why they also work, is that if your ID gets lost or stolen you just get the old ID revoked and get a new one, again, without affecting the rest.
"Nobody bought into the system: not because of security concerns"
Not sure which system you are talking about but if it's SET it failed due to the 'What's in it for me' attitude of the customers and merchants.
Basically SET was so secure (apparently) that you could not revoke transactions made with it. The customers voted with their feet for the old CC system where they could revoke transactions etc.
The merchants were faced with very expensive computer systems to do all the crypto and they did not want it either (they did a marginal cost on it and found it was a pup).
The reason I say SET was 'apparently' secure was that although the comms and transaction side had been detailed down to the last detail just about everything else was up in the air.
Most worryingly was on line "E-Wallets" you generated your PK Pair sent off the public one to be signed.
Unfortunately most of the E-Wallet software was so bad you could quite easily work out what the two (not really) random primes were.
It was a case of ease of use before security...
got a 404 on the link... anyway, you should also mention that cards, especially "loyalty" ones, are nowadays mainly used for (extremely valuable) statistic analysis on buying habits. And that's where a big problem lies: who controls those statistics? Wal-Mart certainly doesn't want to share that with anybody else...
In the UK, we have a loyalty scheme called Nectar, that does exactly that: it includes a number of major retailers and allows you to get "points" and "rewards" from all of them. It started as The Next Big Thing, but it's facing more problems as companies leave the scheme or are replaced, because it's a third-party company that maintains all the info and statistics, so there is a suspicion that the data could be (or it has been already) sold to direct competitors of the brands who promote it.
"Not sure which system you are talking about but if it's SET..."
The secure, multi-application smart-card operating system described in the paragraph. This essay has nothing to do with SET. It's about the cards in your wallet.
@Ed T.: You're obviously not supposed to wave it around in public; you're supposed to wave it around when you stay at the Hilton or buy a first-class plane ticket or something like that. And even though there's probably more and bigger criminals in those places than in your average seedy ghetto neighbourhood, they won't be the kind of criminal that mugs you to steal your wallet.
"an american express gold card is supposed to make you feel powerful and everyone else green..."
power is relative in this case. i've heard of something called the american express black card, aka the centurion, which is supposed to leave green and gold in the dust status-wise, never actually seen one.
is it safe to generalize that women suffer from card color envy, while men suffer from color/status loss fear?
First Data and Stop 'n' Shop are piloting a program that lets customers initiate ACH payments using their store loyalty cards.
One less card to carry. What could be wrong with that? :^)
here's snopes' humorous entry on the black card "centurion", its $2500 annual fee and the funny things rich people do with them, including:
a customer who wanted to buy the horse kevin costner rode in "dances with wolves". the horse was located in mexico and shipped to europe.
a customer who wanted some sand from the dead sea for a child's project on the holy land. a motorcycle courier was dispatched to the dead sea to get the sand.
i predict that at some point, black cards will become passe and a new, supersecret, really hoity-toity card color will have to be developed.
Anyway, why bother looking for a gold card on possible victims? Just look for them "Mug Me" White earbuds. A nice $50-500 a mugging, easy-peasy.
Bruce's comments about card issuers wanting control and why people will still carry multiple cards reminds me of former New Jersey governor Whitman's proposal for a smart card drivers licences. In her 1999 NJ budget speech, she said "Smart card technology can condense a wallet-full of credit cards, ATM cards, licenses and the like into one piece of plastic -- and that will take yet another load off people's backs."
I attended a public forum on NJ privacy around that time and recollect one speaker mentioning an interesting source of objections to the "one card" proposal. It was some of the credit/bank/ATM card issuers. They had noted that their cards are to carry their "service mark" and the proposed NJ motor vehicles cards serving as credit cards might be rejected by various businesses.
(Also, lose that one card and one becomes a "persona non-data". At least with multiple cards, I can select which ones go with me when I travel or just go out of the house.)
The technical issues are being resolved, and Global Platform 2.2 will make managing multi-application cards by multiple parties much easier. That said I agree that the branding issues can trump the technical ones. It doesn't do much good to be able to do a post-issuance update to a card and load a new applet if the surface of the card doesn't indicate the presence of the applet.
Maybe card compatibility networks will emerge similar to the ATM networks, indicating that you can use your card anywhere the logo appears. Additional applets could be loaded on first use.
Another possibility would be to list all participants on the back of the card.
I for one would love to be able to toss my cards from Hertz, Delta, Hilton, Marriott, American Airlines, United, etc. and replace them with a single smart card. I would no longer have a Seinfeldesque fat wallet.
The Amex Centurion card is for people who spend more than $100k/year on their Amex card and is by invitation only.
This article gave me the idea of producing cards with 4 mag stripes(top/bottom, front/back). The store wants their brand in my wallet. I want the discounts associated using the card. I don't care about their branding. It seems like I could get three store cards and a credit card into the same size if I had a card writer.
On a less technical note, I finally found the wallet of my dreams at http://all-ett.com It truly is the thinnest wallet possible. I've been very happy with the "junior" model for daily use. Cheers.
Recently in the US, Bio Pay merged with Pay By Touch to form perhaps the largest fingerprint-based electronic wallet concept company. The idea seems to be electronically retrieving any card information from one's fingerprint at a point of sale. They also do ACH payments.
Is it too early to predict whether this is going to fly or fail? I think the non revocability aspect of a fingerprint and the poor fingerprint image in older people is going to be a huge challenge, even beyond the security concerns.
yeah, i just went through a bunch of meetings related to a major ecommerce company who suggested everyone jump on board with their common "wallet"...the discussion always starts with a "simplicity, convenience, and ease of use" paradigm and ends up with a "keep your hands off my brand, stay away from my customer data, etc." discord. seems to me a government is the right place for generating common currency, and the discussion in europe leading to the EU is a fine example of how to overcome the differences between invested parties.
"(Also, lose that one card and one becomes a "persona non-data". At least with multiple cards, I can select which ones go with me when I travel or just go out of the house.)"
Not really, just got to:
Be sure to leave the "S" off for savings. (bad sarcasm).
Seriously: Having one company to call and report all stolen cards is easier than remembering which cards you had in your wallet or hunting them down.
Besides that, the service could also allow me to actively select and deselect the currently available accounts from a web site.
The issue is brands.. Most (I know for a fact not all) companies like their logos/names out there. But the interesting thing is (thinking out of the box here), there is potential for marketing/advertisements through that one for all card.
While true, this is obviously silly, and easily circumventable by the resourceful consumer with the time and energy to reverse engineer.
My bank may care that my check card carries both their logo, and VISA may care that it carries theirs... but all the dude at the cash register cares about is the magnetic strip.
I smell a burgeoning parasitic industry waiting to be born.
Another development that might lead to card consolidation is the use of contactless technology in cell phones. It isn't unreasonable to think of being able to select a "card" function from the cell phone's UI, which would be able to display any needed branding and other info, and then wave it in front of a reader.
It's not always that companies want cards. We issue about 6 million cards for our members each year. We'd love not to. Each card ends up being around a couple of bucks we spend and frankly we'd love to save the money and turn it around into other services for our customers. But the reality is this would *never* fly with our customers - the tangible card is something they demand. If they lose the one they have, we tell them they can print a replacement off our portal that has all the info they need - they still want a plastic card sent to them...
" why you don't -- and won't -- have a single card in your wallet for everything"
Of course not, it will eventually be an RFID implant or something similar. It will come when people are convinced it's "cool" enough or required, but it's coming.
If it's all about branding, maybe new technology like e-ink, i.e. very thin, flexible, washable displays with very low power consumption, can offer a solution. You would then be able to switch between the different 'personalities' of your card by pressing a 'button' on the card. The card's surface (= variable display) would cycle through all the issuer's brandings (= surface designs). After maybe one minute it would return to its default state displaying the logos of all the 'personalities' stored on the card (in possibly random order). The card owner thus knows which uses his card currently offers.
Dear Mr. Schneier,
First of all, let me thank you once again for your Crypto-Gram newsletter.
Being a Spaniard and having spent most of my life in Spain, some sentences such as "Your credit card company doesn't want your ability to make purchases to disappear if you have your driver's license revoked" sound very strange to me. I would add that forcing you to drive a car (or, at least, to have a driver's licence) in order to get a credit card sounds nearly crazy, but I understand that those methods are normal in countries where a national ID card scheme is not in place. As you know, the National ID Card (we call it DNI - Documento Nacional de Identidad) is compulsory and ubiquitous in Spain. It is used for identifying yourself nearly everywhere. Thus, we already have that convenient central point around which all other ID schemes could work. The vast majority of companies, however, still issue their own serial numbers for their credit/service/loyalty/discount schemes, plus the physical plastic cards, of course. As you can see, not even when the necessary underlying infrastructure is in place, people are smart enough to take advantage of it.
Good point about branding. But I would submit that the real reason organizations issue their own ID card is somewhat simpler: to make customer-facing employees more efficient, increase "productivity", and thus increase profits.
Recently I bought something at my favorite outdoor equipment store and forgot my card with the "membership number" on it. This store has a bunch of my personal data in their system, and they could look me up ten different ways any time they needed to. But I practically had to plead with the checkout clerk to perform this search so I could associate the purchase with my account.
I'm guessing the kid at the register is under STRICT INSTRUCTIONS not to spend precious checkout time doing this unless the customer starts getting upset and demands it. He will ask repeatedly if a customer can supply a membership number first. Next, he will see if he can complete the current activity without needing to know it at all. Holding up a line of paying customers to have a long discussion about name spelling, previous address history, etc, must kill any profit they stood to make on that transaction. (Plus giving all clerical staff access to databases containing personal info is always an issue - consider the DMV). It may seem like a small policy matter, but multiplied by the number of customer ID lookups happening around the world at any given moment, adhering to this policy would save organizations billions in wasted time.
In addition to training employees, companies spend heavily to train customers. Whatever it costs a company to send out shiny new cards from time to time (or even some kind of sticker with a customer ID number on it to affix to something that customers *will* carry with them), it is easy to show this sum will be recouped in efficiency gains during customer interactions. It would be much harder (not impossible, just less compelling) to make the case that the money would be recouped in brand loyalty and "mind share".
I'm sure we will all agree personal data is hard to key off of, and numbers are easy. It's why customers have felt like they have been "reduced to just a number" ever since the dawn of the computing age: they *have* been. But you can't offset the decreased customer goodwill with the promised increase in efficiency if you don't have the number handy when it's time to use it. Hence the card.
(Getting even further off the security topic, this is all part of a larger trend where customers do more of the menial work of customer interaction themselves and a major reason why selling online can be so appealing to a company: the time spent populating their databases with customer and order data is yours, not theirs. See the May 31 survey in the Economist at http://www.economist.com/surveys/... )
bruce - thanks for your article on Multi-Use ID Cards, but there is one more point i would like to add: there is an advantage for me as user as well to have one card per company or service. that advantage is that i'm in control what data i give to said company or service. sure, that could be done with cryptography as well, but there i have to trust the crypto and even if i do, i still don't know if company A has no key of or contract with company B and can thus read and understand my data as well. as a human being it is far easier to control some physical object (a card) than something virtual (data on
how do i check to see where my card house number is
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.