PARIS — The state of the security of smart cards has as much to do with the financial payoff that hackers stand to gain from unraveling the data inside them as it does protecting the technology.
"All cards can be hacked. It doesn't necessarily mean that all cards are insecure," Karsten Nohl, the chief scientist with Security Research Labs in Berlin, said here Dec. 8 during a presentation at Cartes & Identification conference and exhibition.
Nohl is a recognized cryptographer. In 2008 he was part of a research team that brought to light the major security flaws of Netherlands-based NXP Semiconductors' MiFare radio frequency identification chip used in public-transportation payments and access cards by showing that its encryption could be breached. "Every card is hackable given enough resources," Nohl said. "It depends on the amount of incentives you put on a single card that determines whether people will go for your application or not."
In a transportation setting, there may be little incentive to hack a prepaid transit card given its low value, even though the barriers are porous. But if a hacker is able to use the data gained from a single card to make cloned cards, the incentive is higher, Nohl said.
Smart cards, particularly payment cards built to the EMV security specifications, generally are considered safer than their magnetic-stripe counterparts, but hackers have gotten more adept at breaking down their complex codes.
Financial institutions and others that have adopted EMV have been aggressive about keeping standards updated to address emerging security concerns, Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J., said in a Dec. 8 interview. "The smart card industry itself has really excelled … at building security at the chip level, the application level and … certification level," Vanderhoof said.
