Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News


smartcard.co.uk
25.09.2014 Views

…. Continued from page 1

Although smart cards of the same type may be used in the ITSO environment, the risk of this kind of attack has been recognised throughout the development of the ITSO environment and ITSO uses an internationally recognised security system which sits over and above the proprietary security algorithm that has reportedly been cracked.

Schemes using Customer Media of this type within the ITSO environment can be assured that, even if an individual card can be cracked (and it reportedly took the alleged hackers a week to do so), their transport products in the card still remain secure when the security seal is verified by the ITSO Secure Application Module (ISAM).

ITSO, being a multi-platform Specification and environment, also offers its members the opportunity to use other, more secure, alternative Customer Media types, should they be required.

Now maybe ITSO has come up with something revolutionary but it seems to us that if you have cracked the crypto algorithm then you are capable of copying, emulating or counterfeiting commercial Mifare cards and their contents without detection by the terminal. In other words you could produce a copy of a card containing perhaps an annual first class rail ticket. No matter what cryptography has been applied to that electronic ticket if it’s not an integral part of an authentic and verifiable smart card instrument then the terminal can’t tell one from another. Of course you may become aware of multiple copies of such a ticket but again it’s not obvious how you can effectively manage that process.

Just for the avoidance of doubt neither can you protect against replays but please read an updated version of our original article on Mifare (In)security published in this month’s newsletter.

David Everett, Technical Editor.
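The argument above, as an added example (not code from the newsletter or from ITSO): a toy model in which the security seal is an HMAC over the card UID and product data, checked first on its own and then together with a challenge that only a card holding its own secret can answer. The key, field names, sample product strings and the challenge-response scheme are assumptions made for illustration and do not describe the real ITSO seal or ISAM.

```python
import hashlib
import hmac
import os

SCHEME_KEY = b"constructed-demo-key"  # assumption: stands in for the key held in the terminal's SAM

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(uid: bytes, product: bytes) -> bytes:
    """Toy seal over UID and product data (not the real ITSO seal format)."""
    return mac(SCHEME_KEY, uid + product)[:8]

def issue(uid: bytes, product: bytes) -> dict:
    # "secret" models a per-card key that never leaves a verifiable card.
    return {"uid": uid, "product": product, "seal": seal(uid, product),
            "secret": mac(SCHEME_KEY, b"card-key" + uid)}

def readable_copy(card: dict) -> dict:
    """Everything a reader can extract once the card's own protection is gone."""
    return {k: card[k] for k in ("uid", "product", "seal")}

def static_check(card: dict) -> bool:
    """Terminal recomputes the seal over whatever data is presented."""
    return hmac.compare_digest(seal(card["uid"], card["product"]), card["seal"])

def dynamic_check(card: dict) -> bool:
    """Seal check plus a fresh challenge the card must answer with its own key."""
    challenge = os.urandom(16)
    answer = mac(card["secret"], challenge) if "secret" in card else b""
    expected = mac(mac(SCHEME_KEY, b"card-key" + card["uid"]), challenge)
    return static_check(card) and hmac.compare_digest(expected, answer)

def demo() -> dict:
    genuine = issue(b"\x04\xa1\xb2\xc3", b"CARNET;rides=10")  # constructed sample card
    snapshot = readable_copy(genuine)             # earlier state, kept for the replay case
    genuine.update(product=b"CARNET;rides=9",
                   seal=seal(genuine["uid"], b"CARNET;rides=9"))
    forged = dict(snapshot, product=b"CARNET;rides=99")  # edited data, old seal
    return {
        "genuine_static": static_check(genuine),
        "copy_static": static_check(readable_copy(genuine)),
        "replay_static": static_check(snapshot),
        "forged_static": static_check(forged),
        "genuine_dynamic": dynamic_check(genuine),
        "copy_dynamic": dynamic_check(readable_copy(genuine)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'accepted' if ok else 'rejected'}")
```

The seal rejects edited product data, but a verbatim copy and a restored earlier state both pass the static check; only the check that involves a secret held by the card separates the genuine card from its copy.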
News In Brief

US Passport Card Criticized By Privacy Advocates

Passport cards for Americans who travel to Canada, Mexico, Bermuda and the Caribbean will be equipped with technology that allows information on the card to be read from a distance.

The technology was approved Monday by the State Department and privacy advocates were quick to criticize the department for not doing more to protect information on the card, which can be used by U.S. citizens instead of a passport when travelling to other countries in the western hemisphere.

The technology would allow the cards to be read from up to 20 feet (6 meters) away. This process only takes one or two seconds, said Ann Barrett, deputy assistant secretary for passport services at the State Department. The card would not have to be physically swiped through a reader, as is the current process with passports.

"The technology is inherently insecure and poses threats to personal privacy, including identity theft," Ari Schwartz, of the Center for Democracy and Technology, said in a statement. Schwartz said this specific technology, called 'vicinity read', is better suited for tracking inventory, not people.

The State Department said privacy protections would be built into the card. The chip on the card will not contain biographical information, Barrett said. And the card vendor, which has yet to be decided, will also provide sleeves for the cards that will prevent them from being read from afar, she said.

A 2004 law to strengthen border security called for a passport card that frequent border crossers could use that would be smaller and more convenient than the traditional passport. Currently, officials must swipe travellers' passports through an electronic reader at entry points.

The technology change for passport cards was initially proposed in October 2006, and public comments closed on Jan. 7, 2007. The State Department received more than 4,000 comments, and most were about the security of the technology.

To relieve a backlog at U.S. passport offices, the Bush administration recently delayed a requirement that Americans present passports when crossing the U.S. border by land or sea. The administration wanted to begin requiring passports or passport cards in mid-2008, but Congress mandates that the rule not go into effect until mid-2009.

Smart Card & Identity News • January 2008

Payzone To Target The 'Unbanked' With Pre-paid Card

A joint venture between the Luxembourg-based Bank Invik and Payzone plc announced the launch of a new pre-paid debit card, "payzone worldwide money". The new card was being trialled in London and the South East in the run-up to Christmas and will be rolled out nationwide in Q1 2008.

The card is targeted at the estimated 3 million people in the UK that do not have a bank account and who are at increasing risk of being excluded from engaging in an increasingly card-based economy. As banks tighten up on sub-prime lending, a record 3.27 million credit card applications were turned down in the UK between April and September last year, and the numbers of the 'unbanked' in the UK have been further swollen by the estimated 1.9 million immigrants now working in the UK, many of whom are from the new EU states such as Poland and Romania and who find it difficult to access traditional banking services.

A Mastercard-branded product, the payzone worldwide money card can be loaded with up to £350 in cash per transaction, with no credit checks. The re-usable card will cost £6.99 with loading costs of £4 for up to £100 and £8 for up to the maximum of £350.

Egyptian ID Cards Proposed

The Egyptian Government has finally decided on issuing two Identity Cards for each of its nation's 50 million applicants.

The first card is for Ministry of Interior applications such as ID, driving license, e-passport, etc., while the second card will be for all the other government services such as health cards, family cards, tax cards, etc.

Dr. Ahmad Darwish, the Egyptian minister of administrative development and the National ID committee chairman, will give a keynote speech at the Cardex conference during the 25th – 27th May 2008, informing the industry about the details of this mega project, which is expected to be the biggest project in the region for many years to come.
Gemalto To Provide Yemen's National Electronic ID System

Gemalto announced that it has been selected to deliver the electronic ID cards solution commissioned by the Ministry of Interior of Yemen for the next national elections. Under the contract, Gemalto will implement the whole solution including enrolment processes, creation of a secure biometric national registry, maintenance, local support, training and integration services, as well as provide the 10 million Smart ID cards that will see Yemen step into the digital security era. The first cards will be delivered to Yemeni citizens during the first half of 2008, and the program will reach completion by 2009 when the population is to vote for the new Parliament.

Smart Card Communication To Be Based On HTTP

Sagem Orga GmbH and the Software Quality Lab (s-lab) at the University of Paderborn have extended their research cooperation by a further two years following one year of successful project work.

Next Generation Java Card is the new specification for Java on Smart Cards from Sun Microsystems GmbH. Among other things, this new standard envisages integration of a Web server and support of servlets. A servlet is an object that dynamically generates responses to queries. Servlets allow dynamic content to be added to a Java-based Web server.

The cooperation with s-lab relates to the current issue of servlets on Smart Cards. It builds on the first successfully completed project "Secure and high-performance standard Java implementation on a Smart Card platform", in which the prototype of a Java Virtual Machine for the Next Generation Java Card was implemented.

"The card of the future will be Web-enabled, i.e. communication with the card will preferentially be based on HTTP," says Carsten Rust, Project Manager at Sagem Orga. "Development of card applications will thus move closer to Web application development and so be possible for a larger number of developers. We aim to create the conditions for that as part of the project. Basic services on the card can be developed as servlets and so can be integrated simply by application developers in more extensive systems."
