What techniques are being used to hack smart cards, and what best practices do you recommend to thwart them?
A smart card looks like a credit card, but unlike a credit card, which just has a magnetic stripe, a smart card contains a chip with customer information. The information may include not only data about customers themselves, but also account information, financial or medical records and, in some cases, encryption keys or even money.
Smart cards are most commonly used with readers for granting access to a facility or system. They can be used by themselves or with a PIN number in a two-factor authentication system. Smart cards requiring an additional PIN number use a technology called "Chip and PIN," which is popular in the UK and Europe.
The chips on smart cards are microprocessors, and can be either programmable or static. Either way, unlike the processor in a larger device, like a full-size laptop or workstation, they can only hold so much data. This can limit the size of the encryption keys they carry, which reduces the strength of the encryption protecting the card's data.
A number of researchers have found ways to hack smart cards by tampering with the microchip using light from camera flashbulbs and radio signals. But the most recent possible hack was demonstrated in February by two researchers in the UK. Saar Drimer and Steven Murdoch of Cambridge University found a way to steal data from a smart card by manipulating the terminal that reads the card. The researchers showed that the Chip and PIN technology, which is a government mandate in the UK, isn't as strong as its proponents claim.
Drimer and Murdoch found a way to bypass the encryption on the card by setting up a fake terminal that wasn't connected to a bank, but rather to a thief's laptop. The laptop is used to steal the card information as the unsuspecting user puts in his or her card and enters a PIN. The thief's laptop relays the information to an accomplice's laptop, which is connected to a fake card used for maliciously accessing the victim's bank account.
The researchers deliberately kept details from the media of how they manipulated the fake card to copy the data, claiming that they didn't want the information to fall into the wrong hands. But, in the same breath, the researchers suggested additional cryptographic handshakes could be added to the smart card transaction process to thwart this attack method.
Despite these types of attacks, smart cards shouldn't be discounted altogether as an authentication method to protect access to systems. They still offer a greater level of protection than user IDs and passwords, which can be easily stolen or guessed, and can be combined with other controls in a robust two-factor authentication system.
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.