to answer the threat of a diner presenting somebody else’s card. So we see that a battery of known answers to potential problems have been embedded into the scripted play.

However, in the world of security, there is always a new threat. We will now look at how scripted plays are modified and evolved as security improves. As we just say, stealing a chip card without stealing the personal identification number is of limited value. Therefore, elaborate schemes have been developed to uncover the personal identification number of a card, and actually, this has been so much of a threat that it is already guarded against in some respect in the way we will now explain. Actually, when the diner enters her personal identification number in the restaurant banking terminal, the entry is very different from entering a personal identification number in a regular computer, as opposed to a secure core device. In a regular computer, a person enters a personal identification number at the keyboard, the computer reads the personal identification number from there, and then sends it wherever is needed. However, this creates a security hole. The computer can decide to store the personal identification number somewhere before sending it, and then, it can reuse it at will later on. To guard against this, certified banking terminals have a personal identification number entry mechanism that does not transit by the terminal before being presented to the card. There is actually a direct physical link between the personal identification number entry and the card, so that only the card can see the personal identification number. Entry of the personal identification number is therefore protected from onlookers, and yet another threat has been answered and is included in the scripted play.

But now, we’ll look at the next step the fraudster may take, and what we’ll describe has actually occurred, and is still occurring today. By tampering with the terminal, it’s possible to steal the personal identification number. This has been done in various ways, from the simple idea of spying the personal identification number entry with, say, a tiny camera, to elaborate ways involving superimposing the keyboard with a fake one, and even more pernicious ways consisting in designing a bogus terminal embedding the first one. We will not detail those here; suffice it to say that the personal identification number is secure only to a point in attaching a card to a person. When we’re talking about paying the restaurant, the fraud might be tolerable. When we’re talking about using similar technology in higher security situations, we may be talking about threats that cannot be accepted. That’s why the next idea has been to include a fingerprint sensor in the card itself. As we described it earlier, a tiny sensor is used either as an array where the finger is placed, or a bar against which the finger is scanned. To come back to our restaurant, with a fingerprint sensor on the card the banking terminal would never be involved in the capture of the link between the card and the cardholder, and that link would therefore be much more trustworthy than the personal identification number; actually, in situations of higher security, the two can be combined. With this new measure then, yet another set of threats are addressed, and the scripted play can change.

Using the traditional form of theater inherited from the Greeks as a metaphor for interactions in a social ecosystem, we see that the competence of the system (the script in this case) is fixed and predetermined, and the performance (the actual play) maps very closely the competence. This model of interaction defines a set way to answer possible threats, and is capable to guide us in many of our activities. It is very close to the way computers know how to do things today: instruct them in advance of all threats and answers, and they’ll faithfully perform the play, albeit with different levels of performance depending on their other strengths and capabilities, like their inherent speed or communication bandwidth.

Book available at Midori Press (regular)
Book available at Midori Press (signed)
Book available at Amazon (regular)