I'm entertained by this type of news and article ledes that read: "New research that shows smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology."
My first thought after reading the paragraph: It's really the best way to start the article. My second, well, who, besides the product manufacturer, says these chips are secure? [My third: Is near field communications (NFC) technology found in cellular phone transactions more secure?]
Certainly not University of Virginia graduate student Karsten Nohl, who along with several colleagues listened to the data broadcast from chips using off-the-shelf RFID readers and dissected layers of the chip with custom optical recognition software to deduce the algorithm and encryption keys.
Several young computer experts say they demonstrated encryption used in more than a billion smart cards is not secure. The cards are manufactured by Philips Semiconductors spin-off NXP Semiconductors.
The research from the experts demonstrates that a tech-savvy thief with a personal computer and about $1,000 worth of readily available equipment could make fake access cards to gain entry into high-security areas, produce counterfeit mass-transit fare cards, and gain entry to cars by cloning certain wireless car keys that can open or lock the car from 20 feet away by clicking a button.
Of course, an NXP spokesman disputed the claim.
So, I asked the University of Virginia grad student, in his opinion, does he see encryption technologies for smart card transactions improving in the near future? In an email to RFID World, Nohl wrote, similar with any new technology, "it is difficult to say the type of attacks that will eventually be possible. No sufficient solution has been found that protects against some of the known attacks."
This pertains to proxy attacks, in particular, where an attacker relays data between a legitimate card and reader. Nohl says good cryptography offers strong protection from a number of simple attacks. "This level of security is available in all but the cheapest smartcards," he says. "In the Mifare family of cards, for example, the DESfire card is based on good crypto while the Classic is not."
Wired also recently published an article on hacking RFID-enabled credit cards.