The battle between online threats and chip card technologies |
Threat comes from trojans, phishing, pharming, and the man-in-the-middle - perhaps somewhat innocent ways to describe someone who is out to get your money or misuse your identity. Malicious online tricks come in an unending flow of ingenuity during online attempts to disrupt payments, communication, and contacts with banks, companies, and authorities.
Counter attacks on the man without a name and his vicious deeds are called encryption, authentication methods, security standards, chip cards, and chip card readers. REINER SCT, a German company in Furtwangen, offers chip card readers to protect citizens and society as an increasing number of critical day-to-day activities go online. |
| REINER SCT has two main product lines: (1) chip card readers and (2) time recording and access management systems. While the chip card reader is the top-selling line, the time recording and access management line is the fastest growing. Germany, Austria, and Switzerland make up the company’s main market. And business is booming; recruitment of six engineers necessitated a move to larger facilities. |
An evolving market |
| Typical applications for chip cards and chip card readers are found in e-banking, e-health, e-government, and other areas in which security is business-critical for protecting money and sensitive personal information and for avoiding misuse of personal identities. |
| |
 |
REINER SCT developed the cyberJack e-com plus, a class 3 smartcard reader for home banking, digital signing, and Internet payment applications. For protection during transportation, you can remove, turn and slip the metal stand over the unit. The cyberJack e-com plus won the red dot award for its product design during the 2009 competition.
www.red-dot.de |
|
|
| |
| According to Thomas Weeber, REINER SCT development manager, chip card technologies, products, and applications are skyrocketing: “Germany has several new security standards for home banking. Use of the upcoming german electronic ID card will be gaining popularity, and an e-health card is about to be launched. Consequently, the smartcard reader market is growing.” |
| |
Online threats
Trojans
This threat contains worms or viruses that run hidden in harmless computer applications. A trojan may be capable of unknowingly passing on sensitive information to an outside computer via the Internet.
Phishing
This threat involves (1) stealing sensitive user information by falsely claiming to be a legitimate organization or company and (2) persuading users to surrender information such as bank account numbers or passwords. A common technique is to direct users (via e-mail links) to fake web sites from which the information is requested.
Pharming
This threat is similar to phishing, but it doesn’t rely on victims clicking e-mail links. A legitimate web address is completely hi-jacked, for example, via an attack on Internet DNS servers. These servers convert web site names (www.thenameofmybank.com) to the corresponding IP address (a series of digits). Through the attack, users are directed to a fake web site instead of a legitimate site.
Man-in-the-middle
The attacker relays messages between two systems that are communicating with each other. The messages are being read, modified, and passed on in both directions. In a successful attack, both systems are made to believe that messages and requested actions are legitimate. |
| |
The e-passport looks like a regular passport but contains additional radio frequency identification (RFID)-based functionality. Biometric data, such as a picture of a face and a fingerprint, are stored in the e-passport. The primary purpose is to fight passport counterfeit. The e-passport works throughout Europe.
The electronic ID card, introduced in November 2010, is valid in Germany only; European efforts for harmonization are undertaken, but this will take time.
“The technology is in place for the e-passport,” says Lutz Kettenhofen, REINER SCT product manager, “but I think the idea of a common European electronic ID card must achieve maturity before enabling harmonization and interoperability. Right now, everything varies from country to country.” |
Standardizing to increase security |
| Security is achieved via product development as per official security guidelines and standards. cyberJack®, REINER SCT’s smartcard reader line, complies with guidelines and standards—depending on a product’s intended use. |
| |
 |
| cyberJack biometric is a full-grade, class-3, chip card reader with an integrated sensor for identifying finger print data. Finger prints replace PIN codes and passwords to increase security and facilitate usability for home banking and electronic signature applications, among others. |
|
|
| |
Protocols and standards specify requirements for secure online communication. These and other standards help to resist attacks: (1) the home banking computer interface (HBCI) standard, (2) the financial transaction services (FinTS, successor of the HBCI) standard and (3) the electronic banking internet communication standard (EBICS). The HBCI and FinTS are for bank transactions via the Internet. The EBICS is for transactions in secured business client banking. These are just a few of many standards applicable to smartcards and smartcard readers.
“Everything is standardized,” says Kettenhofen. “Many guidelines and standards exist; consequently, we’re legally obligated to integrate security into our products.” |
Speeding up execution |
| Security technologies in REINER SCT’s products all use one or more cryptographic methods. The more security from cryptographic algorithms implemented in the product, the more computations are required from the application software. Security tends to come at a cost—execution speed. Typically slightly restless modern users usually don’t appreciate slow operation. |
| |
Cryptographic methods—a few examples
Symmetric (private key) coding and encryption
The same key is used by the sender for encryption and by the receiver for decryption of data. Fast execution but often low level of security.
Asymmetric (public key) coding and encryption
Separate keys for encryption and decryption. Higher level of security but typically 100 to 1000 times slower.
Digital signatures via hash algorithms
Applying a hash algorithm on an arbitrary block of data will return a fixed-size bit string, the hash value. Minor changes to the block of data drastically change the hash value. The hash value is signed by encrypting it with the private key called digital signature. |
| |
Throughout its cyberJack product line, REINER SCT uses ARM processors and the C programming language—except in cases when assembler is necessary to increase speed. The development environment (compiler and debugger) plays a key role in increasing security without introducing unnecessary execution delays.
IAR Embedded Workbench for ARM was chosen after careful evaluation.
“We’ve run comparisons with other compilers on the market,” says Weeber, “and we’ve found that the generated code is highly optimized for our applications.”
Engineers at REINER SCT also appreciate IAR Embedded Workbench for its ease of use, clearly arranged user interface, and reliability. |
Testing for approval |
The IAR C-SPY Debugger is used in software development to ensure that the product works—but that’s not enough. Security standards take requirements one step further...
“When we developed a new chip card reader,” says Weeber, “we had to debug the application to prove the specification due to its complexity.”
The documented results from successful sessions that run IAR C-SPY are used to prove that a product works as per applicable guidelines and standards. Independent institutes, such as Bundesamt fur Sicherheit in der Informationstechnik (BSI) and Zentralen Kredituasschuss (ZKA), test and approve REINER SCT’s products. |
Future trends |
| Kettenhofen and Weeber predict that going forward, we will see multiple functionality integrated into one card. In their scenario, a single chip card is needed for e-health, e-passport, and ID applications. A trend in REINER SCT’s existing product range is increased use of RFID technology in contactless cards. |
| |
 |
| TimeCard is a time recording and access control product line from REINER SCT; these products use radio frequency identification (RFID) technology for contactless communication between chip cards and card readers. |
|
|
| |
RFID has improved a lot lately. The technology is user-friendly because no card insertion is needed—users just hold wallets that contain cards close to the readers for connection.
“Today’s standards are very secure, and we believe that security standards will improve even more in coming years,” says Weeber.
The battle continues and the man-in-the-middle will always be a most unwelcome guest when online or otherwise connected for communicating, making payments or requesting services from authorities. |
| |
| |
| |
| Shortcut to this page: http://www.iar.com/reiner_sct |
| |
| |
