3

Recently my organization wants to move to a smart card system instead of static passwords. We want to move the entire infrastructure to the smartcard system. We are looking for a single smartcard which provides physical and logical access, and we also want to use the same smartcard for parking, cashless vending etc. (Using Javacard we can write custom apps and can read from the smartcard.) All this is fine, but the question arose when selecting the smartcard: whether to select the contactless smartcard or the RFID smartcard.

An RFID card has a greater card-detecting range than a contactless smartcard (around 10 cm). That's why everybody wants to move to RFID cards. But the cards will hold most of the sensitive information. I have read so many articles describing the disadvantages of RFID cards and the security loopholes when using RFID cards, but I am not sure about any of those.

Can anybody explain in detail the advantages and disadvantages of these cards (contactless cards vs RFID cards)?

M'vy
Dungeon Hunter

3 Answers

7

Have a read of the "How to get into RFID auditing" question as there are some very useful links there.

Contactless cards and RFID cards are just a small computing core with some limited functionality and a radio transceiver which not only powers the card when a radio signal is present, but also receives and transmits data within a small range.

The key usual difference is that RFID is usually used to refer to a card which will identify itself when queried, whereas the Contactless Card term usually refers to an RFID with some onboard storage for small payments without having to insert a card into a machine or type a PIN, for example Oyster cards for travel payments on London Underground.

Risks around cloning are mitigated to a great extent by the cryptographic engine on the card - and Ross Anderson's team at Cambridge keep on finding new attacks in the lab, but the key risk over cards which have to be inserted is that an attacker only needs to be in the general proximity, and doesn't need to steal the card, reducing the difficulty of attack. The range, while supposed to be very short, can be increased by attackers using higher power equipment and higher gain antennas.

The new wave of Contactless Card functionality - enabling credit/debit card payments - just extends this risk a bit further by increasing the amount of funds which could be accessed.

Rory Alsop
  • Really Helpful Resources ......... :) – Dungeon Hunter Aug 25 '11 at 08:54
  • 1
    We are using RFID cards here for infrastructure logins and door entry systems. The system is very powerful and as long as you follow best practices is a great system, but this means that you have a password along with the physical card. It's like on a data center door, you wouldn't just use an RFID card, you would use RFID, Biometric fingerprint scanner, and an alarm code. You follow the same logic with your logical authentication systems you will enjoy the ability to have the cards. – Mike Soule Aug 30 '11 at 16:11
2

Typically, for parking and cashless vending systems, the actual funds reside on a server or IT storage database, and the system simply references the balance of money on an account that is linked to the card number. This way, if a card is lost or stolen, the card can simply be withdrawn and blocked and a replacement card issued, which would then be connected to the existing monetary account, as opposed to having physical funds stored on cards.

High risk areas should be protected with multiple factor authentication, whether that be an RFID/Contactless Card to identify with Fingerprint/PIN Number or other secondary mechanism to verify that the person trying to enter is the legitimate owner of the card.

With any type of physical identification method, the procedures around card issuing and management are more critical than the technology as generally, attacks are opportunistic or through loopholes like incorrectly deactivated cards.

I work for an access control manufacturer; we also integrate with a logical security network appliance to prevent people logging onto a PC or server in the building unless they have used the access control system to enter the building. However, this is only effective if methods like anti-passback and physical single-turn barriers are in place to force everyone to present a card to get in/out of the building.

Ross Bale
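The arrangement described in the answer above, sketched as an added example (not part of the original answer and not any vendor's product): the card number is only a reference to a server-side account, a lost card is blocked and replaced without touching the balance, and workstation logon is gated on anti-passback state. All names (`BackOffice`, `may_log_on`, the card numbers) are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    owner: str
    balance_cents: int = 0   # funds live on the server, never on the card
    inside: bool = False     # anti-passback state, updated by door readers

@dataclass
class BackOffice:
    accounts: dict = field(default_factory=dict)  # owner -> Account
    cards: dict = field(default_factory=dict)     # card number -> owner
    blocked: set = field(default_factory=set)     # withdrawn card numbers

    def issue(self, card_no, owner):
        self.accounts.setdefault(owner, Account(owner))
        self.cards[card_no] = owner

    def replace_card(self, old_no, new_no):
        # Lost or stolen: block the old number and link the new one
        # to the same account, so the balance carries over.
        self.blocked.add(old_no)
        self.issue(new_no, self.cards[old_no])

    def _account(self, card_no):
        # Every transaction re-checks the block list (fail closed).
        if card_no in self.blocked or card_no not in self.cards:
            return None
        return self.accounts[self.cards[card_no]]

    def debit(self, card_no, cents):
        acct = self._account(card_no)
        if acct is None or cents <= 0 or acct.balance_cents < cents:
            return False
        acct.balance_cents -= cents
        return True

    def door(self, card_no, direction):
        # Anti-passback: refuse "in" if already inside, "out" if outside.
        acct = self._account(card_no)
        if acct is None or direction not in ("in", "out"):
            return False
        entering = direction == "in"
        if acct.inside == entering:
            return False
        acct.inside = entering
        return True

    def may_log_on(self, owner):
        # Logical access gate: logon only for people badged into the building.
        acct = self.accounts.get(owner)
        return acct is not None and acct.inside
```
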
2

There's a (longish) talk about biometrics and RFID that has a discussion of some of the problems with RFID cards, including weak/broken security mechanisms, security mechanisms that aren't (i.e. that are claimed to be present by the vendor but aren't), and the fact that the contactless interface introduces new methods of attack that aren't present in contact cards.

Overall though it depends on what you want to use them for. Contactless cards, like biometrics, are primarily for convenience and not for security.

Dave