Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News
Smart Card & Identity News
is published monthly by
Smart Card News Ltd
Head Office: Smart Card Group,
Columbia House, Columbia Drive,
Worthing, BN13 3HD, UK.
Telephone: +44 (0) 1903 691779
Fax: +44 (0) 1903 692616
Website: www.smartcard.co.uk
Email: info@smartcard.co.uk
Managing Director – Patsy Everett
Subscriptions & Administrator – Lesley Dann
Editor – John Owen
Contributors to this Issue – Tom Tainton, Remy De Tonnac, Carl-Otto Künnecke, David Everett, Eustace Asanghanwa, Legic
Printers – Hastings Printing Company Limited, UK
ISSN – 1755-1021
Disclaimer

Smart Card News Ltd shall not be liable for inaccuracies in its published text. We would like to make it clear that views expressed in the articles are those of the individual authors and in no way reflect our views on a particular issue.

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means – including photocopying – without prior written permission from Smart Card News Ltd.

© Smart Card News Ltd

Smart Card & Identity News • January 2008

Editorial
Patsy Everett

Well the Xmas holiday season is well and truly over, but not without a flurry of activity at the Chaos Communication Congress held in Berlin at the end of December. Researchers Karsten Nohl (University of Virginia), Starbug and Henryk Plötz from the Chaos Computer Club reported their reverse engineering attacks on the Mifare Crypto-1 security algorithm. It looks to be just a matter of time before they prove their results with a practical demonstration. I leave the more technical discussions to others, which you will find reported in our lead story and also with an update on Mifare security from David Everett, which we originally reported in 2004.

So what does all this mean to you and me? Should we stop using our Oyster card or write to the Mayor of London, Ken Livingstone, to warn him of the dangers? Well, we don’t need to stop using our cards, because the loser here is the service provider, who has the risk of providing the service to hackers for free. This was also my differentiation between a hacker and a researcher: the former sets out to abuse the commercial service upon which the technology is unraveled by the researcher. Clumsy perhaps, but one just seems much nicer than the other.

The problem for the user would be if the Mifare card is used as any form of identifier to an account such as an epurse or what have you; then you stand to lose by having the hacker empty your account. It’s a bit like payment cards today: the banks usually try to make you prove that you didn’t use the card rather than them prove you did. That’s not so good in a scenario full of copied or emulated cards.

However significant this may be, my memory of 2007 is all about data loss. This culminated in the HMRC’s loss of CDs containing the records of 25 million people. It’s a classic example of the failure of government departments to manage people’s privacy, a point made by many security experts in their concerns about the National ID register. Worse still, concerns have also been raised about the NHS national records service and other large-scale public databases. Just before Xmas we also heard about the Post Office sending out account records to the wrong people.

Stolen laptops were also high on the list of data loss in 2007, and it just seems inconceivable to me that this data is not encrypted. There must be hundreds of commercial products available to protect this sort of data, so why isn’t it being used? Encryption of data and smart cards for access control are fundamental security controls, yet the organisations you would most expect to be using such techniques are seemingly falling down on the most basic principles.

The banks, through Mastercard and Visa, have been progressively enhancing the security of cardholder data, most recently with the Payment Card Industry (PCI) Data Security Standard (DSS) that must be adopted by all organisations storing or processing cardholder data. Is the government really that far behind? Let’s hope that in 2008 we see evidence of a more credible security approach.

Patsy.
Our Comments<br />
Dear Subscribers,<br />