On 11/21/2009 06:31 PM, Jerry Leichter wrote:
Well, my building card is plain white. If anyone duplicated it, there'd be nothing 
stopping them from going in. But then the actual security offered by those cards - and 
the building controls - is more for show (and I suppose to keep the "riffraff" 
out) than anything else.

My work card has my photo and name on it, but there's nothing to correlate name 
with underlying ID in normal operation. Snap a photo of the card while you 
clone it, make up a reasonable simulacrum with your own picture and name, and 
walk right in.

Not really more or less secure than the old days when you flashed your (easily 
copied) badge to a guard who probably only noticed that it was about the right 
size and had roughly the right color. But it's higher tech, so an improvement. 
:-)

Physical security for most institutions has never been very good, and 
fortunately has never *needed* to be very good. Convenience wins out, and 
technology gives a nice warm feeling. A favorite example: My wife's parents 
live in a secured retirement community. The main entrance has a guard who 
checks if you're on a list of known visitors, or calls the people you're 
visiting if not. Residents used to have a magnetic card, but that's a bit of 
pain to use. So it was replaced by a system probably adapted from railroad 
freight car ID systems: You stick a big barcode in your passenger side window, 
and a laser scanner on a post reads it and opens the door.

Simplest card/token is basically (single-factor) "something you have" authentication.

the "cheapest" RFID proximity card is just some static data ... that can be trivially copied and reproduced ... think of it somewhat akin to a 
wireless magstripe. that has also the "YES CARD" point-of-sale "contact" card vulnerability. Compromised POS terminal that recorded the 
"static data" from card transaction and trivially used to produce a counterfeit card (little or no difference from compromised POS terminal that 
records magstripe data). What made it worse than magstripe was that POS terminals were programmed to ask a validated chip three questions 1) was the entered 
PIN correct, 2) should the transaction be done offline, and 3) is the transaction within the account credit limit. A counterfeit "YES CARD" would 
answer "YES" to all three questions (it wasn't necessary to even know the correct pin with counterfeit "YES CARD" ... and deactivating the 
account ... as in magstripe ... wasn't sufficient to stop the fraud). A counterfeit "YES CARD" was also some other counterme
asures that had been built into the infrastructure:
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

a little more secure is a two-factor token that requires both the token and possibly 
"something you know". However, two-factor authentication being assumed more secure 
than single factor authentication is based on
the different factors having independent compromises. In the case of the "YES 
CARD" (supposedly two-factor) ... it was only necessary to compromise the token's 
static data ... and it wasn't even necessary to know the correct PIN. In the case of 
pin-debit cards ... skimming compromises of ATMs or point-of-sale terminals can collect 
both the PIN and the magstripe data at the same time (invalidating assumption about 
independent compromises).

we had somewhat been asked in the mid-90s to participate in the x9a10 financial standard 
group (which had been given the requirement to preserve the integrity of the financial 
infrastructure for all retail payments) because of having worked on this stuff now 
frequently called "electronic commerce". This was *ALL* as in debit, credit, 
ACH, internet, point-of-sale, low-value, high-value, face-to-face, unattended, and/or 
transit. Transit-turnstile has similar requirements to building access ... although the 
contactless power limitations and contactless elapsed time requirements can be more 
stringent than building access.

Somewhat as a result ... the related work on the AADS chip strawman, had all sorts of 
requirements ... form factor agnostic, very-very fast, very-very low-power, contactless 
capable ... but for high-value ... had to have *NO* "static data" and very 
difficult to counterfeit ... but at the same time ... for low-value ... had to have as 
close to zero cost as possible.

Most of the alternatives from the period ... tended to only consider a very small subset of those 
requirements ... and therefore created a solution that had a single, specific operation and were ill-suited 
for a general purpose use. A simple issue was having the same token that was multi-factor authentication 
agile ... operate with single-factor (something you have) at a transit turnstile (no time to enter PIN) ... 
but works the same way at a high-security building access turnstile that requires multi-factor authentication 
("something you have" token in conjunction with PIN "something-you-know" or palm 
"finger length" something-you-are). The same token then also works the same way at point-of-sale 
... where low-value may just be single-factor authentication ... but increasing value transaction may have 
increasingly complex authentication.

Many of the above issues were also part of the prerequisite for being able to move from an 
"institutional-centric" paradigm (that also tended to only meet a small subset of 
possible authentication requirements) to a generalized "person-centric" paradigm.

The requirements to address *ALL* retail-payments in the mid-90s (in the x9a10 
financial standard group) ... then were a large factor in driving the AADS chip 
strawman by the late-90s ... that had the features necessary for satisfying a 
"person-centric" paradigm.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
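
The "YES CARD" failure described in the message above, as an added example that is not part of the original post: a terminal that validates only static data and then trusts the card's own three answers, next to one that also requires a response to a fresh challenge. The HMAC challenge-response is an assumed stand-in for a token with no static data (the message does not specify the AADS mechanism); class names, key and card data are constructed.

```python
import hashlib
import hmac
import secrets

ENROLLED_STATIC = b"PAN=0000000000000000;EXP=0000"  # constructed sample data
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


class GenuineCard:
    static_data = ENROLLED_STATIC

    def __init__(self, pin, limit):
        self._pin, self._limit, self._key = pin, limit, CARD_KEY

    def answers(self, pin, amount):
        # The three questions: PIN correct? go offline? within limit?
        return (pin == self._pin, True, amount <= self._limit)

    def sign(self, nonce, amount):
        msg = nonce + str(amount).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class YesCard:
    """Counterfeit built only from recorded static data; it holds no key."""
    static_data = ENROLLED_STATIC

    def answers(self, pin, amount):
        return (True, True, True)

    def sign(self, nonce, amount):
        return secrets.token_bytes(32)  # without the key it can only guess


def static_terminal(card, pin, amount):
    """Validates static data, then trusts the card's own three answers."""
    return card.static_data == ENROLLED_STATIC and all(card.answers(pin, amount))


def dynamic_terminal(card, pin, amount):
    """Same questions, plus a fresh challenge only the keyed card can answer."""
    nonce = secrets.token_bytes(16)
    msg = nonce + str(amount).encode()
    expected = hmac.new(CARD_KEY, msg, hashlib.sha256).digest()
    fresh = hmac.compare_digest(card.sign(nonce, amount), expected)
    return fresh and all(card.answers(pin, amount))
```

The static terminal accepts the counterfeit with any PIN and any amount because every decision is delegated to data the card supplies; the dynamic terminal rejects it because recorded static data carries no key material.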
