But the issue goes far beyond the Mifare chip to the security of smart cards and RFID chips in general. The technology definitely has some security chinks in its armor, but it would be premature to say it's in jeopardy because of security issues. The technology is growing in popularity and ease of use, but its security isn't quite mature yet.
Smart cards and RFID chips, on the surface, are supposed to be stronger forms of authentication than, say, user IDs and passwords, which are easy to steal and guess. But on the other hand, the chips on cards also have weaknesses. Over the past two years, several researchers in the UK, Germany and the Netherlands have designed ways to clone chips and cards, steal data from radio signals emanating from RFID chips or break the encryption algorithms on chips. In some cases, they've used homemade devices that can be cheaply constructed from readily available materials.
RFID chips have been criticized heavily as being the most exposed. The chips are now used on credit cards and some U.S. passports, opening up users to potential credit card fraud or identity theft. The issue is that signals from RFID chips frequently aren't encrypted and can be easily captured by readers. Someone with an RFID credit card in their wallet could unwittingly lose his or her account number just by walking past a malicious reader a few feet away.
The other issue with both smart cards and RFID chips is that they can only hold a limited number of encryption keys due to their small size and capacity, making their algorithms susceptible to cracking.
The security issues that need to be resolved are encryption of RFID signals, shielding of RFID signals from malicious access and better encryption of chips on smart cards. Until then, simply cutting out the chips on credit cards could make them inoperable and would invalidate a passport. But despite those challenges, security is still playing catch up as the technology's usage and popularity continues to grow.
This was first published in August 2008