– A to Z Security Consulting from LG CNS (1) –
How many cards do you have in your wallet?
Where and how have you used your cards today?
Did you know your cards that bring great convenience to your life can also bring great security threats?
The first topic of our series, “A to Z Security Consulting from LG CNS,” deals with countermeasures to card security issues with a focus on access card duplication.
Various Types of Cards, the Modern Necessity
I believe most of our readers use cards daily.
Let’s take a look at the different types of cards we commonly use.
Cards can be roughly divided into MS cards and Chip cards.
MS cards have user information on the black magnetic strips on their back, and have been used for various credit cards, cash cards, and point cards for a long time.
Chip cards, also called IC (Integrated Circuit) cards, have an IC chip in them and can be categorized based on the chip’s role. Largely they’re divided into memory cards which simply store data and smart cards which can perform calculations.
You can see more detailed information about each type in the following table.
As we see here, cards are evolving in their types and functions, but their security has yet to reach the same level. One of the biggest threats is card duplication.
Why Is It So Easy to Duplicate Cards?
Sometimes certain access cards or transportation cards are hacked. There’s one thing in common among these cases: the cards are mostly contactless memory cards instead of contactless smart cards.
Why are memory cards under the threat of duplication, then?
This is due to the way they operate and control access.
With a memory card, you can read its data and copy data onto it when it’s empty. This mechanism is very similar to that of a USB drive, onto which you can copy data from your computer.
Smart cards, on the other hand, have their own special keys which are known only to the access-controlling card reader and the card itself. They communicate only after authenticating each other with these keys, and therefore they have a much lower risk of duplication.
If you’re using memory cards instead of smart cards, you can’t run from the risk of duplication.
These days, it’s also quite easy to find card duplicating devices on eBay for less than $50.
Duplicating standard access cards for offices and key cards for homes is even easier than copying transportation cards. Most access controllers simply read the CSN (Chip Serial Number) and check whether it’s on the granted access list before opening the door, without looking into any other information on the memory card.
This method is used in the majority of access control solutions because the CSN can’t be easily changed and can be processed quickly. The problem here is that the CSN itself can be copied easily with a duplication device.
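The difference between the two checks described above, as an added example that is not code from LG CNS or from any access control product: a reader that only matches the CSN against its list accepts any card presenting that CSN, while a reader that also demands proof of a card-held key does not. The CSN, the master key, the key derivation and the use of HMAC-SHA256 are assumptions made for illustration, and only the reader-authenticates-card half of the mutual exchange is modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: this CSN and master key are made up for the example.
ALLOWED_CSNS = {"04A1B2C3"}
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def card_key(csn: str) -> bytes:
    """Per-card secret derived from the reader-side master key (assumed scheme)."""
    return hmac.new(MASTER_KEY, csn.encode(), hashlib.sha256).digest()

class MemoryCard:
    """Hands its CSN to any reader and holds no secret."""
    def __init__(self, csn: str):
        self.csn = csn

class SmartCard(MemoryCard):
    """Keeps a key on the chip and only ever reveals a MAC computed with it."""
    def __init__(self, csn: str, key: bytes):
        super().__init__(csn)
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def csn_only_reader(card) -> bool:
    # The weak check: anything presenting a listed CSN is accepted.
    return card.csn in ALLOWED_CSNS

def challenge_response_reader(card) -> bool:
    # The CSN is only a lookup index; access depends on proving key possession.
    if card.csn not in ALLOWED_CSNS or not hasattr(card, "respond"):
        return False
    challenge = secrets.token_bytes(16)  # fresh per attempt, so replies cannot be replayed
    expected = hmac.new(card_key(card.csn), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))

def demo() -> dict:
    genuine = SmartCard("04A1B2C3", card_key("04A1B2C3"))
    same_csn_no_key = MemoryCard("04A1B2C3")
    same_csn_wrong_key = SmartCard("04A1B2C3", secrets.token_bytes(32))
    cards = (genuine, same_csn_no_key, same_csn_wrong_key)
    return {
        "csn_only": [csn_only_reader(c) for c in cards],
        "challenge_response": [challenge_response_reader(c) for c in cards],
    }

if __name__ == "__main__":
    print(demo())
```

When auditing an existing installation, the question to ask the vendor is which of these two functions the door controller actually implements.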
Various security conferences around the globe also introduce different ways of duplication and neutralization each year. In 2008, there was a case where a hacker proved that the English transportation card named Oyster Card (a memory card) could be duplicated.
As we see, memory cards are often duplicated and this issue has led to efforts to improve them.
The market started producing safer cards and began to understand that smart cards were safer to use. Big corporations, however, didn’t see the limits the existing memory cards had as an important threat. This is why they kept using these memory cards instead of smart cards, which were about 10 times more expensive.
The attacks on these memory cards have continued, and the level of hacker attacks has also increased enough to create automated tools. Now we’ve reached a point where you can buy duplication devices easily and cheaply.
While in the past you needed professional lab-like devices to duplicate cards, now anyone who wants to can create duplication tools. They can be sold and bought by anyone around the globe online. The situation we’re in is a lot more serious than we think. How then do we respond to this problem?
Safer Smart Card Security Solution
As mentioned earlier, the changing environment can be expressed as ‘increasing threats’. The attacks that were seldom committed in the past have now become easier and more common. In other words, the likelihood of your card being duplicated is increasing.
As you see from the table above, there are four types of strategies to respond to security risks. The right strategy can be chosen based on each situation and cost-effectiveness analysis. Companies didn’t see the risk of card duplication to be very likely.
The likelihood has gone up dramatically, however, since card duplication has become much easier. This means it’s time for companies to change their strategy and complement their unsafe memory cards.
Some say “security is as safe as it is vulnerable”.
The image above shows that information can leak through the weakest spot no matter how high the other areas keep their level of security. Even if a company builds a great wall of security, their general security level can be considered low as long as they have a vulnerable spot in their system.
Corporations spend a lot of money in order to adopt effective security solutions and protect their valuable assets. The effort and cost they’ve paid is basically meaningless once someone duplicates an access card to come into the office and leak all their important information. This is why corporations must continuously check current security issues and threats and work on prevention.
One example is an access control solution from LG CNS called SafeZone IDP Solution. It adopted an authentication method using a smart card, which is safer from the risk of card duplication. LG CNS has led large scale smart card projects including Seoul Transportation cards, Korean e-passports, and Bogota Transportation cards in Colombia. SafeZone IDP Solution is the result of our extensive experience and the answer to our hard work for a safer and more effective security solution.
Today, we’ve learned about how easy card duplication has become and what to do to combat such serious security threats. In the next posting, we’ll take a look at what to consider when constructing a Security Information and Event Management solution.
Written by Kyu-Bok Kwak, Senior Consultant in the LG CNS Security Consulting Team