By the way, in some jurisdictions this might be regarded as identity theft since the owner of the applet is masquerading as the cardholder (by operating with the cardholder's PIN privilege) without the cardholder's knowledge or consent.

Cheers, Scott

-----Original Message-----
From: Scott Guthery
Sent: Thursday, March 11, 2004 12:08 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Muscle] Wireless Wallet - Already in Korea

Hello, Russel:

Since the backdoor is mandated by the SIM standards, it is true of all standards-compliant Java Card SIMs. ETSI TS 102 226 states:

"The access rights granted to an application and defined in the access domain parameter shall be independent from the access rights granted at the UICC/Terminal interface.

NOTE: This implies in particular that the status of a secret code (e.g. disabled PIN1, blocked PIN2, etc.) at the UICC/Terminal interface does not affect the access rights granted to an application.

If an application with Access Domain Parameter 'FF' (i.e. No Access to the File System) tries to access a file the framework shall throw an exception. If an application has Access Domain Parameter '00' (i.e. Full Access to the File System), all actions can be performed on a file except the ones with NEVER access condition."

As you point out this may not be true of non-standards-compliant SIMs, but I suspect there are few of those in use.

You can imagine the surprise of a subscriber when PIN-protected data shows up on the screen courtesy of a Java applet and the subscriber knows that they haven't entered their PIN.

Cheers, Scott

-----Original Message-----
From: Dr Russel Winder [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 11, 2004 11:56 AM
To: MUSCLE_List
Cc: [EMAIL PROTECTED]
Subject: RE: [Muscle] Wireless Wallet - Already in Korea

On Thu, 2004-03-11 at 12:26, Scott Guthery wrote:
[ . . . ]
> Did you know, for example, that the telecom operator can load an
> applet into the SIM that can read PIN protected files even when the
> PIN has not been entered? This is because of a backdoor in the smart
> card operating system provided by the smart card manufacturers that
> lets the Java Virtual Machine access files without access control checking.

This is only true of some smart card systems. Surely this is a reason to not use certain operating systems rather than a reason not to use a SIM at all?

--
Russel.
====================================================================
Dr Russel Winder, Chief Technology Officer    Tel: +44 20 8680 8712
OneEighty Software Ltd                        Fax: +44 20 8680 8453
Cygnet House, 12-14 Sydenham Road             [EMAIL PROTECTED]
Croydon, Surrey CR9 2ET, UK                   http://www.180sw.com

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
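A small model of the TS 102 226 rule quoted in the thread, added here as an illustration (not code from the thread, from ETSI, or from any SIM vendor): the same PIN1-protected file is checked once through the UICC/Terminal interface, where PIN status counts, and once through the application interface, where only the Access Domain Parameter and a NEVER condition count. The file layout, the operation names and the helper names are my own assumptions; only the '00' and 'FF' ADP values the thread quotes are modelled.

```python
from dataclasses import dataclass

# Per-operation access conditions on a UICC file (constructed model).
ALW, PIN1, PIN2, NEVER = "ALW", "PIN1", "PIN2", "NEVER"

# Access Domain Parameter values as quoted from ETSI TS 102 226 in the thread.
ADP_FULL_ACCESS = 0x00
ADP_NO_ACCESS = 0xFF


@dataclass
class UiccFile:
    name: str
    access: dict  # e.g. {"READ": PIN1, "UPDATE": NEVER}


class AccessDenied(Exception):
    pass


def terminal_may(f: UiccFile, op: str, verified_pins: frozenset) -> bool:
    """UICC/Terminal interface: the file's own access condition applies, so a
    PIN-protected operation needs that PIN verified on this interface."""
    cond = f.access[op]
    if cond == ALW:
        return True
    if cond == NEVER:
        return False
    return cond in verified_pins


def applet_may(f: UiccFile, op: str, adp: int, verified_pins: frozenset) -> bool:
    """Application interface: only the ADP and a NEVER condition matter.
    verified_pins is accepted and deliberately ignored; that is the
    independence rule the thread quotes."""
    if adp == ADP_NO_ACCESS:
        raise AccessDenied(f"ADP 'FF': no file system access ({f.name}/{op})")
    if adp == ADP_FULL_ACCESS:
        return f.access[op] != NEVER
    # Other ADP encodings exist in the standard; not modelled here (assumption).
    raise NotImplementedError(f"ADP {adp:#04x} not modelled")


# Constructed sample: a PIN1-protected, non-updatable EF, and no PIN entered.
EF_SAMPLE = UiccFile("EF_sample", {"READ": PIN1, "UPDATE": NEVER})
NO_PINS = frozenset()


def contrast(f=EF_SAMPLE, op="READ"):
    """Same file, same operation, no PIN entered: terminal vs. full-access applet."""
    return terminal_may(f, op, NO_PINS), applet_may(f, op, ADP_FULL_ACCESS, NO_PINS)
```

`contrast()` returns `(False, True)`: the terminal is refused, the applet loaded with ADP '00' is not, which is the subscriber's "surprise" described above.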
