Once a year the smart card industry meets in Nice, during an event named Chip to Cloud, co-located with the NFC World Congress and the M2M Innovation event. Chip to Cloud's tagline is ‘Security Forum’. In other words, this is where you will meet the traditional security solution industry, this good old industry relying on chips/hardware/tokens (call it what you want) to secure the world. The number of tracks was impressive, as usual, but here is a takeaway from what I captured, between two coffees with good friends.
The traditional industry is getting modern.
Having been part of that industry for quite a long time now, we all know our favorite use cases by heart. Banking, corporate, telecom business… But this year, some new markets were mentioned. As an example, social media was discussed, with the underlying problem of trust in reputation. How to make sure a user is a real/good/reliable user? These are three distinct problems that may require a system based on trusted assets, and security to maintain it. Vehicle-to-vehicle networking was also addressed. How to benefit from the large number of devices present in a vehicle (tablet, smartphone, car system), connected through a large number of technologies (Bluetooth, NFC, 3G or 4G network), and design a dynamic peer-to-peer communication network that respects users' privacy? That is one of the challenges that 2020 will have to answer. Still in the car domain, the question of whether the next hacking targets would be your car infotainment systems was also debated. Most of those systems, which provide information and entertainment to the car passengers, are based on mobile operating systems. This convenient re-use also brings the existing tribes of malware to the car space. Malware braking instead of you, just because you wanted to have a movie on the road, may not be the kind of situation you would like to experience. Last but not least, the conversation also turned to the ultimate digital money, trying to define the best-suited solution to virtualize (even more) our money. Some people mentioned that BitMint could be the disruptive money to look at. Based on random numbers generated and stored on a unique server, it seems to be easy to make a splittable and anonymous money, like our round coins are today.
Fingerprinting at large.
Chip to Cloud came in the wake of the last iPhone disclosure, its related fingerprint buzz and the even-more-discussed pseudo-hack of its fingerprint sensor (I say pseudo-hack, as more than being hacked, it was fooled with a high-quality and expensive material). A few presentations were related to that technology.
Fingerprinting usage in payment cards. One suggested that biometric on-card verification could be a means to replace the user signature while making a payment transaction at the cashier. The presentation mentioned that a few amendments to the EMV transaction specification (the protocol used for all Visa or MasterCard based transactions) would be required, and that convenience for the user and reliability for the merchant would be among the key benefits of such a system.
Fingerprint sensor as a cheap technology. A high biometric vendor presented a new generation of cheap, portable and passive fingerprinting sensors, pluggable on any device having a camera. I suspect that sensor specialists such as Validity may have an opinion on the reliability of such material, but it is worth knowing that some people thought about it.
Fingerprinting being part of the universal authentication scheme. Last but not least, the initiative of the FIDO Alliance was promoted, explaining that any biometric operation could be the universal authentication. Combined with a second factor of authentication (e.g. a PIN code, OTP, …) it could be the simple formula to make the user's life easier.
And some usual questions stay open.
The mobile identity use case was also extensively discussed. The GSMA, which gathers most of the Mobile Network Operators in the world, reported on its recent initiative related to mobile identity. They admitted that the topic was quite complex, with a lot of competitors coming from the OTT (over the top, the ones using MNOs as simple communication channel providers). This was confirmed by a report from ABI Research suggesting that a unique mobile identity would not be the killer app, and would not be unique.
There were many more topics discussed during that conference, but here is a flavor of what was presented. Proceedings are private for such an event, so not all content could be disclosed in this post. Feel free to leave a comment to raise a question or keep in touch.
Thanks for this debrief