Monday, October 20, 2008

Are the Smart Cards we carry Secure?

Chip cards have become an indispensable part of us. You will most likely be carrying an ATM, Credit or Fuel card in your wallet or purse. These cards contain an integrated circuit or 'chip' which gives the card the ability to store and/or process data and thereby achieve its designed function.

There are three types of chip cards. The first one is the memory (or flash memory) card which contains storage but no processing or significant security capabilities. These cards are used in digital cameras, handheld computers, mobile phones and other electronic devices.

The second type of chip card is the smart card. It contains a processor and system or application software. Permanent data is engraved into non-volatile memory and some volatile memory is used as a working storage area. They are widely used. Examples include Credit or ATM cards, SIMs for mobile phones and authorization cards for pay television.

Smart cards are further divided into contact and contactless. Contact smart cards have a gold plated contact area that is inserted into a reader that reads and writes information from the chip, for example an ATM card.

Contactless smart cards, on the other hand, only require close proximity to an antenna to complete transactions and use RFID (radio frequency identification) technology. They are often used in transactions that must be hands free or processed quickly. Examples include door access cards, some supermarket discount cards or mass transit cards like the Oyster Card that is used in the London Underground.

The third type of chip is the super smart card which is a card with a small key pad and display. These cards are expensive to manufacture and therefore rare.

Security

Smart Cards do not have guaranteed security. Incidents of card ‘cracking’ have been widely reported. Cracking a contactless smart card would, for example, involve scanning a card with the intention of collecting a cryptographic key. This key is used to keep the card system secure. The scanned key is then uploaded into a laptop which technically becomes a portable card reader. This laptop is then used to wirelessly upload information from other similar smart cards. This information is then used to program new fake cards.

Cracking contact smart cards (for example your ATM card) is achieved through the use of a hacking software program and a card reader/writer. In this instance access to your card is crucial, even if for a short duration.

Card readers are widely used to scan credit cards in retail outlets and it is advisable to be present during the credit card payment process.

Organizations that use smart cards for access control are also vulnerable. To reduce the risk of card cloning it is advisable to combine the smart card process with a biometric authentication feature for example the fingerprint.

The multiple smart cards we are carrying provide motive and opportunity for a cyber criminal. Utmost care should be taken in ensuring only authorized people can access these cards. Upon loss or theft one should immediately report this occurrence to the relevant authorities.

No comments: