A User Centric Security Model for Tamper-Resistant Devices

1.1 Setting the Scene
1.1 Setting the Scene
We open the discussion in this chapter by exploring the evolution of the smart card from
its beginnings to the present. This is followed by a discussion of the reasons for having
a user centric approach to the management of a security-critical device like a smart card
and the challenges this approach involves. We then discuss the contributions of the thesis,
and outline its structure.
1.2 A Brief History of Smart Cards
Card-based transactions originated in the USA, starting with a system which came to be
known as metal money. This was a metal card issued by Western Union 1 as part of a
deferred payment scheme [2]. In 1946, John Biggins, a banker at Flatbush National Bank
of Brooklyn, issued a banking card to his customers called Charg-It [3]. Customers used
their Charg-It cards to pay for groceries at local shops. In 1951, New York's Franklin
National Bank issued the rst credit cards [4] to gain a competitive advantage over rival
banks. During the same period, an exclusive club known as the Diners Club issued the rst
plastic cards [5]. These cards reected the high status of the individuals who used them.
Instead of using cash, cardholders would use these cards to pay for services at selected hotels
and restaurants. This was the beginning of plastic money as we know it; however, the rapid
proliferation of plastic cards came when Visa 2 and MasterCard 3 entered the eld [5].
These early cards spread from the USA to Europe and within a few years to the rest of
the world. They had a very simple mechanism to store user-specic data and secure it
against forgery. These cards carried the name of the cardholder and a unique card number
printed or embossed on the card along with the card issuer's logo and a signature panel.
The signature panel was used as a security mechanism to link the card to its cardholder.
When used at a merchant's premises, the merchant had to verify the printed/embossed
features of the card and ask the cardholder to sign the receipt. To verify the cardholder's
right to use the card, the merchant could then match the signature on the receipt with the
one on the signature panel [5]. The system relied heavily on the competence of the person
at the Point of Sale (POS). This system worked for a while on a limited scale, but as the
use of plastic cards increased, banks soon realised that a machine-readable and automated
system would benet all parties including cardholders, merchants, and banks [6].
1 Western Union is a US-based nancial company that provides person-to-person money transfer, business
and commercial services.
2 Visa: Trademark of Visa Inc, San Francisco, California, USA. A global payment technology and
transaction management company that provides nancial services to banks.
3 MasterCard: Trademark of the MasterCard Worldwide that provides technology and architecture to
support the relationship between nancial institutions, merchants, and consumers for monetary transactions.
19