Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News
…. Continued from page 1

Although smart cards of the same type may be used in the ITSO environment, the risk of this kind of attack has been recognised throughout the development of the ITSO environment and ITSO uses an internationally recognised security system which sits over and above the proprietary security algorithm that has reportedly been cracked.

Schemes using Customer Media of this type within the ITSO environment can be assured that, even if an individual card can be cracked (and it reportedly took the alleged hackers a week to do so), their transport products in the card still remain secure when the security seal is verified by the ITSO Secure Application Module (ISAM).

ITSO, being a multi-platform Specification and environment, also offers its members the opportunity to use other, more secure, alternative Customer Media types, should they be required.

Now maybe ITSO has come up with something revolutionary, but it seems to us that if you have cracked the crypto algorithm then you are capable of copying, emulating or counterfeiting commercial Mifare cards and their contents without detection by the terminal. In other words, you could produce a copy of a card containing perhaps an annual first class rail ticket. No matter what cryptography has been applied to that electronic ticket, if it's not an integral part of an authentic and verifiable smart card instrument then the terminal can't tell one from another. Of course you may become aware of multiple copies of such a ticket, but again it's not obvious how you can effectively manage that process.

Just for the avoidance of doubt, neither can you protect against replays, but please read an updated version of our original article on Mifare (In)security published in this month's newsletter.

David Everett, Technical Editor.
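
The editorial's point, modelled as an added example (not code from the newsletter or from ITSO): a seal computed over the ticket and the card number verifies just as well on a second device holding the same readable bytes, and only a per-card key the chip never discloses lets the terminal tell the two apart. The HMAC seal, the key derivation and all names are assumptions for illustration; the page does not describe how the ITSO seal or the ISAM work.

```python
import hashlib
import hmac
import os

# Constructed keys; in this model they exist only inside the terminal's secure module.
SEAL_KEY = os.urandom(32)
MASTER_KEY = os.urandom(32)

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """A card whose memory is fully readable once its own cipher is broken."""
    def __init__(self, uid, ticket, seal, secret=None):
        self.uid, self.ticket, self.seal = uid, ticket, seal
        self._secret = secret  # models a key the chip never discloses

    def readable_memory(self):
        # What a reader obtains: UID, ticket and seal, but never _secret.
        return self.uid, self.ticket, self.seal

    def respond(self, challenge: bytes) -> bytes:
        # A card without a protected key can only answer with a guess.
        return mac(self._secret or b"\x00" * 32, challenge)

def issue(uid: bytes, ticket: bytes, with_secret: bool = False) -> Card:
    # The seal covers UID and ticket, so it is already bound to the card number.
    secret = mac(MASTER_KEY, uid) if with_secret else None
    return Card(uid, ticket, mac(SEAL_KEY, uid + ticket), secret)

def copy_of(card: Card) -> Card:
    # A second device loaded with everything that can be read from the first.
    return Card(*card.readable_memory())

def seal_ok(card: Card) -> bool:
    uid, ticket, seal = card.readable_memory()
    return hmac.compare_digest(seal, mac(SEAL_KEY, uid + ticket))

def card_authentic(card: Card) -> bool:
    # Fresh challenge; the expected answer uses the per-card key derived from the UID.
    challenge = os.urandom(16)
    expected = mac(mac(MASTER_KEY, card.uid), challenge)
    return hmac.compare_digest(card.respond(challenge), expected)

def terminal_accepts(card: Card, authenticate_card: bool) -> bool:
    return seal_ok(card) and (card_authentic(card) if authenticate_card else True)
```

With seal checking alone the terminal accepts both the issued card and its copy; with the challenge-response step it accepts only the card that holds the derived key.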

News In Brief

US Passport Card Criticized By Privacy Advocates

Passport cards for Americans who travel to Canada, Mexico, Bermuda and the Caribbean will be equipped with technology that allows information on the card to be read from a distance. The technology was approved Monday by the State Department and privacy advocates were quick to criticize the department for not doing more to protect information on the card, which can be used by U.S. citizens instead of a passport when travelling to other countries in the western hemisphere.

The technology would allow the cards to be read from up to 20 feet (6 meters) away. This process only takes one or two seconds, said Ann Barrett, deputy assistant secretary for passport services at the State Department. The card would not have to be physically swiped through a reader, as is the current process with passports.

The technology is inherently insecure and poses threats to personal privacy, including identity theft, Ari Schwartz, of the Center for Democracy and Technology, said in a statement. Schwartz said this specific technology, called 'vicinity read', is better suited for tracking inventory, not people.

The State Department said privacy protections would be built into the card. The chip on the card will not contain biographical information, Barrett said. And the card vendor, which has yet to be decided, will also provide sleeves for the cards that will prevent them from being read from afar, she said.

A 2004 law to strengthen border security called for a passport card that frequent border crossers could use that would be smaller and more convenient than the traditional passport. Currently, officials must swipe travellers' passports through an electronic reader at entry points.

The technology change for passport cards was initially proposed in October 2006, and public comments closed on Jan. 7, 2007. The State Department received more than 4,000 comments, and most were about the security of the technology.

To relieve a backlog at U.S. passport offices, the Bush administration recently delayed a requirement that Americans present passports when crossing the U.S. border by land or sea. The administration wanted to begin requiring passports or passport cards in mid-2008, but Congress mandates that the rule not go into effect until mid-2009.

Smart Card & Identity News • January 2008