Well, that may change. researchers for the University of Pittsburgh’s RFID Center for Excellence have invented a on/off switch for cards, that simply requires you to put your finger on a specific spot on a contactless card to allow it to work (see a picture here).

Comment on the various articles around the topic are quite typical, ranging from the “This is very dumb because it is unpractical” to the “You have to give up some practicality for security”, and all variants in the middle. I would have liked to see the inventors’ arguments, but I haven’t found a reference to a paper/report.

From previous experience, user experience often wins, in particular when, like with contactless cards, practicality is a selling point of a technology.Also, since the idea is to protect your cards in your wallet, I would think that it is easier for security-conscious to use wallets that include some kind of wire mesh or other wave-blocking technology. Since the on/off switch requires you to actually get the card out of your wallet, it is more or less equivalent, and it only annoys security-conscious people. The other guys will still be able totap their wallet (until, of course, they start having several contactless cards in there, in which case this optimization may not work any more).

This invention does not look flexible enough. The threat of someone performing transactions without you knowing is not significant enough to justify this kind of generalized measure for payment cards. On the other hand, it sounds much better as privacy-protecting technology on ID cards, since an ID card. Ensuring that the data about your identity will not leak from your wallet is interesting, and since an ID card is typically pulled out of the wallet before to be used, the technology is not an annoyance any more. But of course, in research like in politics, the fears associated to credit card theft remain more powerful than those associated to privacy protection (although identity theft is gaining traction).

In a paper from Government Technology, we don’t get a reaction from from NXP directly, but from an industry analyst. Here are two quotes from him:

“The smart card industry is way ahead of the curve, and they have a new product available right now that is not only secure, but it fully defeats the attack that was done by these researchers,”

“MIFARE classic is like running on Windows 95, and we already have Windows Vista available. When are you going to upgrade? What’s your migration strategy to upgrade to the new system?”

These two quotes are true, and they are typical of the quotes we get when a smart card encounters a security problem. Naturally, when negotiating a new deployment, this language more or less disappears. Is that really respectful of our customers?

Of course, no. Anybody that has been in the smart card industry for a while knows that the level of security of a smart card decreases over time, sometimes rapidly. Some people in certification bodies even say that their certificates are “deprecated the day they are issued”, which reminds us that new things may happen all the time.

The issue, of course, is that nobody wants customers to think about the fact that, in a few years from now, these brand new ultra-secure cards will need to be replaced, at a cost that may not be negligible, especially if no provision has been taken for it. This means that vendors don’t only lie to their customers, they also damage them by not taking the required precautions.

Something interesting is that the cost of replacement is likely to go up with the required level of security. Banking smart cards are often changed every two years, three years in some cases. On the other hand, SIM cards can last for many years (my wife’s SIM card is getting close to 10 years old, and mine is 7 or 8 years old). I perfectly know that such SIM cards can be easily broken using today’s attack techniques. However, this doesn’t happen, so operators don’t feel the need to change them, and I feel perfectly OK with that.

Another fun thing is that the lifetime of bankinf cards is much more than 2 years, if you think of it. Think of my latest card, issued in 2009. The contract about that card may be a 2-year contract, from 2007, which took one year to negotiate, starting in 2006. Of course, the card product has been developed and evaluated, which took about a year, in 2005. That’s for the software, because the chip is older than that, and was originally certified in 2004. So, when my card is issued, it is already a 4 year-old product based on a 5 year-old chip, and at the end of its life, 2 years from now, it will be a 6-year old product on a 7 year-old chip. I don’t know about the coming years, but I can tell you that few 7 year-old products resist to today’s attacks.

Replacing smart cards brings a lot of interesting questions, for which few answers have been given over the years. Here are two that I find really interesting:

• How to know that an issued card needs to be replaced (i.e., that it doesn’t satisfy its security requirements)?
• How to deal with the data of the applications hosted in the card, especially with multi-application cards and applications from multiple issuers?

These questions are very interesting and very complex, because the solutions are not always easy. For instance, think of a signature application, based on keys generated on-card. The fact that the private key never gets out of the card is an important security argument, so how can you transfer it to another card? Should you rather revoke the certificate and issue a new key? Well, there is a question like this for every application, and the solutions are never easy.

However, having a good answer to these questions is necessary in order to be truthful to customers, and to let them know about the total cost of ownership of smart cards over several years. Such questions are often overlooked, and simpler questions, related to the introduction of newer and unproven technology, often get more effort. Not a good thing.

About contactless card, it seems that the researchers from Radboud University Nijmegen are being sued by NXP in an attempt to avoid the full disclosure of their flaw. The article I linked to contains a link to a video that shows that this attempt is pointless. The dutch research team was smart enough to identify a flaw in the cryptographic algorithm, but they are not the only capable team of researchers in the world. Suing them will buy a little time, but other teams will get on the topic, and it will be hard to avoid disclosure for very long. I hope that NXP also has other contingency plans to react to this new security issue.

On a completely different topic, a scientific study in France by Chantal Enguehard has shown that there were more errors on precincts that use voting machines than on those that don’t. I must say that I can easily believe in this, as my experience looking at voting machines being used has shown that the use of the machines is often confusing for both staffers and voters. Since confusion leads to errors, the report does not come as a surprise.

I haven’t found the report itself, just an article about it. I will get back to the issue, as I am quite happy that the file against the voting machines currently used in France is becoming thicker, and that we can hope to achieve some results there.