On 2.4.2019 4.08, Arnor Baldvinsson wrote:

> But the moment you hook it up to the computer it's fair game for
> hackers. Just putting the stuff on a card doesn't make it any more secure.

Once the EV certificate private key is installed on the USB security
token, it cannot be extracted or copied from the device, since it is
stored securely in a tamper-proof memory area on the device (write-only
/ write-once in that sense). Signature operations are completed on the
device itself with a certificate password used to unlock the private
key, so the token must be plugged in for the certificate to be available
for operations.

So hackers can't copy your certificate and they would need to physically
steal the token to use it.

Cheers,
--
Timo