Security issues with smartcards

It's entirely possible for security cards to be hacked. It's no secret. It's so simple in fact that a judge in Boston recently had to sign a gagging order to stop MIT students from showing everyone how it was done. As you'd expect, the slides from the MIT students presentation were all over the internet in a matter of minutes.

It appeared to be possible to delete information from the smartcards and replace it with whatever the hell they liked. That meant being able to ride the subway for hours without ever having to pay. Despite the gagging order issued by the courts, every one of the thousands of people who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and 0 worth of hardware to read and clone the RFID-based CharlieCards. Security, in the case of the Boston smart card travel system.

So does that mark the end of the world for smart cards and more specifically, the UK Governments plans for ID cards? Not necessarily, but there does need to be a change in attitude towards security. It recently emerged that Adam Laurie, an IT security expert in the UK, had hacked into the government planned ID card and changed its data to entitle the holder to state benefits. Laurie even claimed he'd inserted the information "I'm a terrorist - shoot on sight" into the ID card, immediately raising concerns about just how secure the proposed ID cards were. Maybe the government wanted to appear as strong as possible when they wrote the claims off as nonsense. You'd hope that quietly, they approached Laurie and learned from the work he put together. In an ideal world, you'd hope that the government drops the plans all together.