Are smart cards insecure if Mifare Classic RFID encryption is cracked?

BROWSE BY TAG Identity Management and Access Control,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   Two-Factor and Multifactor Authentication Strategies,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Security Token and Smart Card Technology First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Embedded smart card chips are open to hack attacks Two-Factor and Multifactor Authentication Strategies Two-factor authentication, vigilance foil password theft Security on a budget: How to make the most of authentication tools Best Authentication Products Best Identity and Access Management Products Are 'strong authentication' methods strong enough for compliance? PCI compliance requirement 7: Restrict access PCI compliance requirement 9: Physical access Best practices: How to implement and maintain enterprise user roles Changing times for identity management RSA researcher Ari Juels: RFID tags may be easily hacked

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The cracking of a widely used smart card, like those with the Mifare Classic RFID chip, is definitely a cause for concern. It could expose facilities worldwide to malicious access, since 1 billion passes have been distributed outside its original base in the Netherlands.

But the issue goes far beyond the Mifare chip to the security of smart cards and RFID chips in general. The technology definitely has some security chinks in its armor, but it would be premature to say it's in jeopardy because of security issues. The technology is growing in popularity and ease of use, but its security isn't quite mature yet.

Smart cards and RFID chips, on the surface, are supposed to be stronger forms of authentication than, say, user IDs and passwords, which are easy to steal and guess. But on the other hand, the chips on cards also have weaknesses. Over the past two years, several researchers in the UK, Germany and the Netherlands have designed ways to clone chips and cards, steal data from radio signals emanating from RFID chips or break the encryption algorithms on chips. In some cases, they've used homemade devices that can be cheaply constructed from readily available materials.

RFID chips have been criticized heavily as being the most exposed. The chips are now used on credit cards and some U.S. passports, opening up users to potential credit card fraud or identity theft. The issue is that signals from RFID chips frequently aren't encrypted and can be easily captured by readers. Someone with an RFID credit card in their wallet could unwittingly lose his or her account number just by walking past a malicious reader a few feet away.

The other issue with both smart cards and RFID chips is that they can only hold a limited number of encryption keys due to their small size and capacity, making their algorithms susceptible to cracking.

The security issues that need to be resolved are encryption of RFID signals, shielding of RFID signals from malicious access and better encryption of chips on smart cards. Until then, simply cutting out the chips on credit cards could make them inoperable and would invalidate a passport. But despite those challenges, security is still playing catch up as the technology's usage and popularity continues to grow.

More information:

• Learn more about securing implanted chips and RFID tags.
• Prevent hack attacks against smart card systems with these best practices.