[LINK] Chip vs mag stripe [was: Consumer Credit-Card Risks]
Stephen Wilson
swilson at lockstep.com.au
Thu Jan 14 09:36:50 AEDT 2010
Jan Whitaker wrote:
> At 11:49 AM 13/01/2010, Stephen Wilson wrote:
>> Now, do you mind if I push the envelope a little? The reason chip cards
>> are important in payments is that, one way or another, they protect the
>> integrity of the cardholder account number and other details, as
>> transmitted with the user's consent (PIN), from the card to the
>> terminal. The details are encrypted (signed if you will) between the
>> chip and the terminal, which stops replay attack and thwarts ID theft.
>> More subtly, by increasing the dependability of those details, it means
>> that in principle less personal information is needed to corroborate a
>> transaction.
> But wouldn't this protection only be the case if there were no
> magstripe that included the 'same' info as the chip? What I'm getting
> at is that the magstripe is still needed as long as the chip readers
> aren't ubiquitous.
Yes indeed. But the chip can contain different (additional) and
unskimmable information from that in the stripe. Moreover, receiving
parties can tell the difference between personal data that has been read
off a static stripe versus that presented dynamically by a chip, which
opens up new possibilities.
For illustration, when a doctor creates an electronic Medicare claim
relating to services they provided me, my Medicare number needs to be
input. Today it's picked up from a local database, or manually
entered. A level of Medicare fraud occurs because there are no
protections around the Medicare number entered. One way to curtail this
form of fraud is to involve a smartcard at the time of service, and use
a private key in the chip to digitally sign the claim, so as to bind a
genuine Medicare number. A Medicare number presented from a chip by way
of a digital signature cannot be replayed or made up. Any software
downstream can tell the difference between a Medicare number presented
cryptographically from a chip, and a number that has been manually
entered or transcribed.
I advocate protecting new health identifiers this way (be they national
"cradle to grave" IDs, commercial health record IDs or whatever). In
some use cases, the health ID might be entered/transcribed as a simple
"naked" number, but in others, it might be presented by way of a digital
signature. Different presentations could be matched to different use
case scenarios depending on risk; different levels of service might be
made available depending on the mode of presentation.
I rail against the idea that impending Health Identifiers be treated
like static numbers. A few years ago NEHTA used to say that it wouldn't
matter how individuals kept their Health ID; you could write it down, or
save it to a USB stick, or have it on magnetic stripe. In essence this
would treat Health IDs no differently from credit card numbers. I even
heard it said that the Health ID could be a log-in identifier for
accessing one's own EHRs. Yikes! This style of authentication is
completely obsolete in banking, but at least there you can get a credit
card number cancelled and re-issued. It beggars belief that health IDs
rolling out in the next few years could follow security practices that
were broken years ago.
Cheers,
Steve Wilson
Lockstep
www.lockstep.com.au
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
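A worked illustration of the mechanism the post describes, in which a chip signs the claim so that downstream software can tell a cryptographically presented number from a typed one and reject replays and made-up numbers. This is an added example, not Lockstep's code and not anything the post or NEHTA specifies. It assumes Ed25519 keys, an issuer credential that binds the chip's public key to the Medicare number, a made-up claim layout (provider number, service code, date, terminal nonce), and constructed sample numbers that are not real Medicare or provider numbers.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Claim is the service record the doctor's software submits. The Nonce is an
// assumption of this example: the terminal supplies it so no two signed
// presentations are byte-identical.
type Claim struct {
	ProviderNo, ServiceCode, DateISO string
	Nonce                            [16]byte
}

// Bytes serialises a claim deterministically (length-prefixed fields + nonce).
func (c Claim) Bytes() []byte {
	var b bytes.Buffer
	for _, f := range []string{c.ProviderNo, c.ServiceCode, c.DateISO} {
		_ = binary.Write(&b, binary.BigEndian, uint16(len(f)))
		b.WriteString(f)
	}
	b.Write(c.Nonce[:])
	return b.Bytes()
}

// Card models the chip: a private key that never leaves it, plus a credential in
// which the issuer has signed the binding of the chip's public key to the number.
type Card struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	MedicareNo string
	IssuerSig  []byte
}

func credentialBytes(pub ed25519.PublicKey, medicareNo string) []byte {
	return append(append([]byte{}, pub...), []byte("medicare:"+medicareNo)...)
}

// IssueCard personalises a chip: fresh key pair, issuer-signed binding to the number.
func IssueCard(issuerPriv ed25519.PrivateKey, medicareNo string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(issuerPriv, credentialBytes(pub, medicareNo))
	return &Card{priv: priv, Pub: pub, MedicareNo: medicareNo, IssuerSig: sig}, nil
}

// Presentation is what reaches the claims system: either a "naked" number
// (typed or copied from a database; CardPub is nil) or the number together with
// the card credential and a chip signature over this specific claim.
type Presentation struct {
	MedicareNo string
	Claim      Claim
	CardPub    ed25519.PublicKey
	IssuerSig  []byte
	ClaimSig   []byte
}

func (c *Card) Present(claim Claim) Presentation {
	return Presentation{MedicareNo: c.MedicareNo, Claim: claim, CardPub: c.Pub,
		IssuerSig: c.IssuerSig, ClaimSig: ed25519.Sign(c.priv, claim.Bytes())}
}

func NakedPresentation(medicareNo string, claim Claim) Presentation {
	return Presentation{MedicareNo: medicareNo, Claim: claim}
}

// Verifier is the downstream software. It remembers accepted nonces so a
// captured signed presentation cannot simply be replayed.
type Verifier struct {
	IssuerPub ed25519.PublicKey
	seen      map[[16]byte]bool
}

func NewVerifier(issuerPub ed25519.PublicKey) *Verifier {
	return &Verifier{IssuerPub: issuerPub, seen: map[[16]byte]bool{}}
}

// Check returns "naked" for a bare number, "chip" for a number bound by a valid
// chip signature, or an error for a presentation that claims chip origin but fails.
func (v *Verifier) Check(p Presentation) (string, error) {
	if p.CardPub == nil {
		return "naked", nil
	}
	if !ed25519.Verify(v.IssuerPub, credentialBytes(p.CardPub, p.MedicareNo), p.IssuerSig) {
		return "", errors.New("credential does not bind this key to this Medicare number")
	}
	if !ed25519.Verify(p.CardPub, p.Claim.Bytes(), p.ClaimSig) {
		return "", errors.New("claim signature invalid")
	}
	if v.seen[p.Claim.Nonce] {
		return "", errors.New("replayed presentation")
	}
	v.seen[p.Claim.Nonce] = true
	return "chip", nil
}

// Scenario runs the cases from the post: typed number, chip-signed number, a
// replay of the same signed presentation, a made-up number attached to a real
// card's signature, and a signed claim altered in transit. All numbers are constructed.
func Scenario() ([]string, error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	card, err := IssueCard(issuerPriv, "2123 45670 1")
	if err != nil {
		return nil, err
	}
	v := NewVerifier(issuerPub)
	claim := Claim{ProviderNo: "1234567A", ServiceCode: "23", DateISO: "2010-01-14"}
	if _, err := rand.Read(claim.Nonce[:]); err != nil {
		return nil, err
	}
	var out []string
	record := func(p Presentation) {
		if mode, err := v.Check(p); err != nil {
			out = append(out, "rejected: "+err.Error())
		} else {
			out = append(out, mode)
		}
	}
	record(NakedPresentation("2123 45670 1", claim)) // accepted, but only as "naked"
	signed := card.Present(claim)
	record(signed) // "chip"
	record(signed) // same nonce again: replay
	forged := signed
	forged.MedicareNo = "9999 99999 9" // invented number, real card's credential
	record(forged)
	altered := card.Present(claim)
	altered.Claim.ServiceCode = "36" // service upgraded after signing
	record(altered)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	for i, r := range out {
		fmt.Printf("case %d: %s\n", i+1, r)
	}
}
```

The point of the split verdict is the one the post makes: a naked number is not refused outright, it is simply known to be naked, so a risk-based policy can offer different levels of service for the two modes of presentation.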