PARIS–The security of smart cards has as much to do with the financial payoff that hackers stand to gain from unraveling the data inside them as it does with protecting the technology.
“All cards can be hacked. It doesn’t necessarily mean that all cards are insecure,” Karsten Nohl, the chief scientist with Security Research Labs in Berlin, said here Dec. 8 during a presentation at the Cartes & IDentification conference and exhibition.
Nohl is a recognized cryptographer who in 2008 was part of a research team that brought to light the major security flaws of Netherlands-based NXP Semiconductors’ MiFare radio-frequency identification chip used in public-transportation payments and access cards by showing that its encryption could be breached.
Nohl’s point was simple: manufacturers of smart card technology and the organizations that issue their end products assume the complexity of the cards will prevent surreptitious players from stealing their data. But the overriding factor that will deter or entice hackers to set their sights on a particular card application is whether what they will gain from doing so outweighs the investments needed to crack the technology, he said.
“Every card is hackable given enough resources,” Nohl said. “It depends on the amount of incentives you put on a single card that determines whether people will go for your application or not.”
In a transportation setting, there may be little incentive to hack a prepaid transit card because of its low value, even though the barriers to doing so are modest. But if a hacker is able to use the data gained from a single card to make clone cards, the incentive is higher, Nohl said.
“The attack surface of this chip didn’t disappear,” Nohl said. It instead has moved to “where the bits are being decrypted” in the card, he said.
The challenge is that smart cards are built to defend against documented attacks. That a particular technology has not been breached does not mean it is foolproof, Nohl said.
Smart cards, particularly payment cards that are built to the EMV security specifications, generally are considered safer than their magnetic stripe counterparts, but hackers have grown savvier in their ability to break down the cards’ complex codes.
Financial institutions and others that have adopted EMV have been aggressive about keeping standards updated to address emerging security concerns, Randy Vanderhoof, the executive director of the Smart Card Alliance, a Princeton Junction, N.J.-based group, said in a Dec. 8 interview.
“The smart card industry itself has really excelled ... at building security at the chip level, the application level and ... certification level,” Vanderhoof said.