Cartes conversations

Exciting innovations were on show for mainstream markets to look forward to

By Stephen Wilson

December 11, 2008

The 23rd annual Cartes smartcard exhibit and conference was held over November 4th to 6th at the vast Paris-Norde Villpinte exhibition centre.  It was quite a party atmosphere – and I don’t just mean the French exhibitors’ fondness for a bottle of red at lunchtime! 

Even in the midst of an economic implosion that might have put a dampener on proceedings, I found the event to be an exuberant celebration of smart technologies. 

Cartes is probably unrivalled worldwide as the leading smartcards show.  This year there were nearly 500 exhibitors, including in excess of 70 companies specialising in identity technology.  This is an industry with lots of impressive machinery to show off; card personalisation equipment, like motorcar assembly lines in miniature complete with robot pick-and-place machines, are especially eye-catching. 

Europe is in the midst of a second wave of identity applications which leverage EMV cards, so access control was a hot topic.  Beyond banking, government ID and health and welfare cards were popular items too. 

It’s been said by the organisers that contactless was the major theme of Cartes 2008.  But everyone will come away from an event like this with their own impressions, and what impressed me was the extraordinary innovation in general. 

Alone, amongst identity and access technologies, smartcards and their kin (including mobiles) present a flexible and powerful platform on which to develop further applications and infrastructure. 

While USB crypto-keys (which package a smartcard chip in a USB form factor) have been available for many years, they now appear to be booming.  An important development is the locked-down web browser, which boots up automatically when the USB key is plugged in, and runs entirely within secure ROM in the device.  This configuration is immune to today’s ‘man-in-the-browser’ attacks since the contents of the USB key are not readily modified by any malware that has infected the host PC. 

Variations on the USB key theme were many.  A new product called @MAXX launched by SCM Microsystems combines both contact (SIM) and contactless (ISO 14443) readers into the one device, with 1 GB or more of memory, and even a MicroSD card slot for more.  At least two other vendors at Cartes demonstrated similar USB-based tamper resistant browser solutions (and that’s not including the “ZTIC” separately announced by IBM recently). 

The annual SESAME awards are conferred at Cartes, in 10 different categories including verticals (like payments, health and transport) and the general classes of hardware and software. This year, four of the winners especially took my eye.

The banking award winner was another unconnected Chip-and-PIN smartcard reader from Xiring.  The new model features contactless as well as contact interfaces, and a larger more feature-packed keyboard.  Ironically, while these devices were first rolled out because connected readers were thought to have higher support costs, as the unconnected readers grow in functionality, they look more and more like PDAs. 

Two more USB crypto keys popped up in the SESAMEs: One in Gemalto’s “Smart Card Web Mashups” which took out the software award, and the other in Oberthur’s WebSTIC which won the health category.

The security award went to GO-Trust, which has packaged a smartcard chip into a MicroSD card to deliver smart ID functionality to an estimated one billion mobile devices. 

Not quite all of Cartes is dedicated to smart devices.  One proud exception was the French company Mediscs which has developed a personalised CD-ROM card to deliver keys and digital certificates for PKI applications. 

They claim it eases the historic problems of porting keys and certificates in software.  It’s certainly novel yet I wonder if it is fighting a losing battle against chips in all their guises, which seamlessly manage not just one key and digital relationship but many. 

Closer to home, the Australian “Emue” hybrid smartcard was featured at Visa’s exhibition stand, where it has been branded as the “Visa PIN Card”.  Emue integrates a PIN pad and LCD display into a smartcard.  It’s a sexy hybrid of one time password and card technologies, and presents another option for Internet authentication. 

So, innovation is alive and well in the smartcard and identity markets.  And looking at the financial crisis, it’s just as well.  In the current climate of contraction, financial institutions cannot compete on volume or efficiency alone. 

Instead, to increase their share of a smaller pie, banks may strive for product differentiation.  Add to that the pressure to contain losses, and security may emerge as a competitive imperative.   In the payments space, with fraud mounting, and both cardholders and merchants looking for better protection and better convenience, everyone should be looking for innovation.

Stephen Wilson is a leading international authority on identity management and information security. In early 2004, Stephen established Lockstep Consulting to provide independent security advice and to develop new smartcard solutions to identity theft.