Smart cards not security liabilities

Government agencies and organizations need not shun the use of smart cards despite reports of security breaches targeting such cards as manufacturers are increasing their emphasis on digital and mobile security, observers noted.

Jafizwaty Ishahak, research director of Asia-Pacific ICT practice at Frost & Sullivan, pointed out that what makes smart cards secure are the integrated circuit (IC) modules and applications on it. These cards have various security elements such as the triple data encryption system (DES) and are not easy to hack, she told ZDNet Asia in an e-mail.

Additionally, these cards are typically made from multi-chip unit-based (MCU) cards that are contact, contactless or a combination of both interfaces, and are considered "highly secure and intelligent", she stated.

With this in mind, she said governments need not move away from using smart cards as a security measure for employees despite the recent hacking incident in the United States that targeted secure information from the Department of Defense and other related agencies.

"Instead of moving away [from smart cards], governments should [keep] their options open and aim to associate themselves only with trusted service managers (TSMs) or secure IC providers," Ishahak said.

Chinese hackers reportedly adopted a malware variant called Sykipot to deposit into the authentication machine. Once in, the malware uses a keylogger to steal personal identification numbers (PINs) for the smart cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information, an earlier report stated.

Smart cards not weakest link
Commenting on the incident, Andy Kellett, senior analyst at Ovum, said Sykipot had been around for some time and the attack was believed to be well-funded and motivated to acquire specific, high-value information. He noted that for the keylogger to be successful once it identified user passwords and smart card-generated PIN, it has to be able to access sensitive information and pass it on.

"Therefore, there needs to be a failure of data loss prevention (DLP) technology. The smart card element is only one aspect of a general data protection failure," Kellett stated.

Steve Owen, vice president of global sales identification at NXP Semiconductors, agreed with Ishahak and Kellett that governments should not boycott the use of smart cards as the vulnerability did not originate from the card but from the keylogger in the card reader.

He added that the IC modules not only add hardware security to smart cards but also to devices such as mobile phones, computers and servers. Both card makers and semiconductor companies are continuously improving the security of their offerings, too, he said.

One country that is not deterred from utilizing smart card tech for its security measures is Singapore. A spokesperson from the country's Ministry of Defense (Mindef) added it would continue to leverage the use of smart cards in light of the U.S. attack, but declined to reveal which smart card chip it uses or how the tech is implemented within the organization.

Ishahak did warn that hybrid smart cards represent the highest risk of being hacked because these cards combine both old and new technology, though.

Elaborating, she said the interface of these hybrid cards were developed during the migration of credit and banking cards from pure magnetic to EMV-based cards. As such, the vulnerability lies in these cards' magnetic strip, he noted.