As a security evaluator, I often hear vendors complaining that the security requirements are too high, and that they cost them a lot for nothing. These complaints are easy to dismiss on the grounds that they apply equally to all vendors, but there are other consequences, which are more difficult to dismiss:
- Issuers with higher security requirements may have less choice, since fewer products meet their requirements. In addition, they can expect higher prices. If no attack occurs to support the requirements, the position is difficult to sustain business-wise.
- High security requirements globally raise the price of smart cards, and may favor competing technologies.
The issue therefore becomes to figure out which level of security is required, which is not an easy task. It basically depends on the available vulnerabilities, and on the level of risk that is acceptable. We can consider the current situation in three vertical domains:
- Pay-TV. In this field, the level of vulnerability is quite high, in particular because the cards are usually offline. The same content is broadcast to all customers, and the card is used to make this content available. The level of acceptable risk is quite high, since it only represents a loss of business. Nevertheless, the security requirements are high, most likely the highest in the smart card market. The reason is that the Pay-TV industry faces organized attackers, with a sound business model (make fake cards and sell them).
- Banking. In this field, the level of vulnerability is average, because the transactions performed with cards are verified in the backend. The level of acceptable risk is low, because banking card fraud usually implies stealing money from somebody. However, there have been very few actual attacks on banking smart cards, and it is therefore difficult to assess the profile of potential attackers. The level of security remains quite high, but it varies greatly from issuer to issuer.
- Telecom. For SIM cards, the level of vulnerability is quite low, because all cards are connected constantly, and many verifications are performed at the network level. In addition, the level of acceptable risk is quite high, since the main attack considered consists of using the network for free. The level of security for SIM cards is therefore quite low.
This all looks quite nice and consistent: Pay-TV operators are paranoid because they are under constant attack; bankers don’t take risks; telecom operators favor performance until a problem occurs. The problem is that the situation may not remain like that forever, and smart cards are not like Windows: generally, no patching is possible after issuance. Banking cards are often issued for two years, but products can be issued two or three years after their initial certification: this means that the products must resist attacks available four or five years after their certification. The issues are similar, or even worse, in the other domains: SIM cards are usually never changed, unless you switch operator, and pay-TV operators are reluctant to change their cards because of the cost. Overall, it is reasonable to believe that smart card products should remain secure for at least five years. So let’s take a quick look at what the markets will look like five years from now:
- Pay-TV. In this field, things may look a bit better. First, set-top boxes are more and more likely to be connected (think of all the people receiving TV through DSL), which means that controls are possible on the network. Then, there may be some diversification, for instance through Mobile TV, which is also connected. In both cases, the security requirements may go down. Of course, standard satellite/cable products may still be victims of organized fraudsters.
- Banking. One reason why banking smart cards are not attacked is that it is so much easier to attack magstripe cards. Once the migration to EMV smart cards is more general, there will be fewer magstripe cards to attack, and smart cards may become interesting targets. If attackers find good business models, they can hire the guys who used to crack Pay-TV cards and do some damage.
- Telecom. With convergence, SIM cards are becoming multiapplicative platforms, and they may host things like mobile payment or mobile TV applications. Of course, they will remain connected, but attackers may discover business models that use the SIM card without trying to make free calls, and this is likely to increase the level of risk.
Overall, it is very difficult for issuers to figure out what level of security requirements is required, and it remains an individual decision. Every company has security guys rambling about upcoming catastrophes, and business guys rambling about useless security measures. However, very few take the time to frequently review their security requirements, and more importantly to confront them with their five-year business plan. So the definition of security requirements will remain a guessing game, and vendors will have to complain again.