IMO smart card readers are the worst solution for everything. They are invariably less capable and less secure than my phone. Why would I carry 2 devices (one of these quite primitive) if I could only carry one?
All the ones I've seen have no security: either it's just a changing password (e.g. an RSA key), or you insert your card (optionally entering your PIN, which you share with every POS terminal / shop) and get a password.
My phone requires a password (which I can set to be arbitrarily secure, not a 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)
As I expected: you don't appear to have a clue what a smartcard actually is.
> My phone requires a password (which I can set to be arbitrarily secure, not a 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)
Anyone can steal your fingerprint, and you can't reset your fingerprint like you can with a password or PIN.
A smartcard will self-destruct (wipe the key material) after a number of unsuccessful PIN entries, so the chance of someone successfully guessing the PIN is ~1:3333 for a 4-digit PIN with 3 attempts.
This is good enough for banks to offer fraud insurance: on the off chance that your card gets cracked, your bank will reimburse the damage.
> optionally entering your PIN which you share with every POS terminal / shop) and get a password.
Yes, but that would still require physical access to your card. So they'll need to have both your card and your PIN. At that point you'll need to have your card/account blocked ASAP anyway. Your bank will supply you with a new card and PIN, which is a way better solution compared to cutting off your fingers and attaching new ones ;-)
RSA SecurID is not a smartcard. It's basically equivalent to TOTP, except as a physical object rather than a phone app. There's a secret baked into the SecurID, and the issuer knows that secret, so they can use it to generate the same one-time code.
You seem to imagine that your phone, on which you most likely run not only a wild variety of apps from potentially untrustworthy sources but also a web browser, which is a huge attack surface facing the Internet, is more secure than a simple smart card, and that doesn't make a whole lot of sense.
In both cases the main real-world security is that bad guys will probably need to _steal them_, which is difficult and a completely different skillset from the skills needed to make phishing emails or lie on the phone. But the phone is a bit worse here, because maybe they can attack it remotely via, as I mentioned, your web browser, instant messaging stack or other components of a very complicated device.