
FedEx Kinko's Payment Card Hacked

(via Schneier on Security) - FedEx Kinko's Payment Card Hacked

The whole notion of using 'smart cards' for stored value has never made any sense to me. This seems to be a particularly lame implementation, but even if you have enough faith in your crypto to be confident that people holding your cards can't work out a way to modify the values on them, the economics of smart cards still don't seem to stack up.

Depending on the volume of cards you are buying, you might get the cost of your smart cards down to say $1 personalised. Compare that to a standard 'mag stripe' card, which you can get in bulk at maybe 10c personalised. That 90c price difference is pretty hefty on a card that might only ever be loaded with $5.00.

In theory, a smart card will let you save the cost of communicating with a central server on each transaction. But unless you're putting a vending machine in Antarctica, and the only option for calling home is via Iridium, the comms cost of a typical 1KB transaction is going to be a fraction of a cent.

This is not to say that smart cards can't add value to systems built on real-time central authorisation. Tamper-resistant smart cards storing personalised private keys can go a long way to cutting out the cloning which is the biggest risk to ordinary mag-stripe stored value systems. But in this age of broadband everywhere, there's just no excuse not to be doing real-time validation of each transaction against a central db.
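To make the two points above concrete (every transaction authorised online against a central ledger, with a per-card secret used to catch clones), here is a small Python model of such a scheme. It is an added illustration, not the FedEx Kinko's system or any real product: the card IDs and balances are constructed, and an HMAC with a per-card key stands in for the private-key signature a real tamper-resistant card would produce. The value stored on the card is treated as a display-only copy; the server's balance is what counts.

```python
"""Minimal model of a stored-value scheme with real-time central
authorisation and per-card keys. Added illustration only; card IDs,
balances and the use of HMAC in place of a card's private-key signature
are assumptions made for this example."""
import copy
import hashlib
import hmac
import os


class Card:
    """Stand-in for a tamper-resistant card. Its stored balance is only a
    convenience copy; the server's ledger is authoritative."""

    def __init__(self, card_id, key, balance_cents):
        self.card_id = card_id
        self._key = key                 # per-card secret, never leaves the card
        self.counter = 0                # monotonic transaction counter
        self.local_balance = balance_cents

    def sign_purchase(self, amount_cents, nonce):
        """Build an authorisation request bound to this card, the next
        counter value and a fresh nonce issued by the server."""
        self.counter += 1
        msg = f"{self.card_id}|{self.counter}|{amount_cents}|{nonce}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"card_id": self.card_id, "counter": self.counter,
                "amount": amount_cents, "nonce": nonce, "tag": tag}


class Server:
    """Central authorisation host: holds keys, balances and last-seen counters."""

    def __init__(self):
        self.keys = {}
        self.balances = {}
        self.last_counter = {}
        self.unused_nonces = set()

    def issue_card(self, card_id, balance_cents):
        key = os.urandom(32)
        self.keys[card_id] = key
        self.balances[card_id] = balance_cents
        self.last_counter[card_id] = 0
        return Card(card_id, key, balance_cents)

    def challenge(self):
        """Fresh nonce handed to the terminal before each purchase; a request
        that does not quote an outstanding nonce is a replay."""
        nonce = os.urandom(16).hex()
        self.unused_nonces.add(nonce)
        return nonce

    def authorise(self, req):
        cid = req["card_id"]
        if cid not in self.keys:
            return False, "unknown card"
        if req["nonce"] not in self.unused_nonces:
            return False, "replayed or unsolicited request"
        msg = f"{cid}|{req['counter']}|{req['amount']}|{req['nonce']}".encode()
        expected = hmac.new(self.keys[cid], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["tag"]):
            return False, "bad signature"
        if req["counter"] != self.last_counter[cid] + 1:
            # A clone and the original cannot both advance the counter; the
            # second one the server sees is rejected and the card flagged.
            return False, "counter out of sequence (possible clone)"
        if req["amount"] > self.balances[cid]:
            # The balance the card claims to hold is never consulted.
            return False, "insufficient funds"
        self.unused_nonces.discard(req["nonce"])
        self.last_counter[cid] = req["counter"]
        self.balances[cid] -= req["amount"]
        return True, "approved"


def demo():
    """Run the cases the post argues about and return the server's verdicts."""
    srv = Server()
    card = srv.issue_card("card-0001", 500)   # constructed: $5.00 loaded
    clone = copy.deepcopy(card)               # attacker copied the card's state

    results = {}
    req = card.sign_purchase(200, srv.challenge())
    results["genuine"] = srv.authorise(req)
    results["replay"] = srv.authorise(req)    # same request submitted again
    results["clone"] = srv.authorise(clone.sign_purchase(100, srv.challenge()))
    card.local_balance = 1_000_000            # attacker edits value on the card
    results["tampered"] = srv.authorise(card.sign_purchase(1000, srv.challenge()))
    results["balance"] = srv.balances["card-0001"]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>9}: {verdict}")
```

The counter check only detects that two copies of a card have diverged; it cannot tell which copy is genuine, so a real system would block the card ID and reissue. Note also that nothing here depends on the card being trustworthy about its own balance, which is the point of keeping the ledger central.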