Quenching authentication expectations

April 21, 2008 at 11:16 pm 6 comments

Today I went through the whole hot-expectations-followed-by-quenching-reality cycle and re-learned some authentication basics along the way.

First, the hot expectations: they were set off by some furious thinking triggered by an article in today’s Dom Post, Snapper to make a splash.

The article says that, “From June, people will be able to pay for bus tickets and everyday items in shops using the Snapper card, a stored-value smartcard that NZX-listed infrastructure investor Infratil hopes will become more widely used than conventional eftpos cards… Cardholders will be able to top up Snapper cards by credit card over the Internet by clipping their card to a USB device that plugs into a computer… Snapper will also be available in the form of a USB stick, that can be plugged directly into a computer and topped up…Snapper is similar in concept to London’s Oyster cards and the Octopus card in Hong Kong.”

Now the last sentence should have rung loud warning bells but it didn’t. Maybe it was Monday morning and the coffee hadn’t kicked in. Whatever.

Instead, the old brain took off. This could be the key for ubiquitous two-factor authentication in NZ, right? After all, if everyone was carrying a smartcard that could be plugged into a computer, or a smartcard in a USB form factor, surely that would make the perfect second factor for two-factor authentication? Nothing extra to carry around; no extra reader costs; and familiarity with everyday use. Perfect. Heaven. Nirvana.

And then, the quenching reality.

The warning bells finally penetrated this evening. A quick Google search confirmed what the subconscious was trying to tell me. The Oyster card (more specifically, smartcards based on MiFare Classic chips) uses MiFare Crypto 1, a lightweight stream cipher that researchers had already cracked, concluding that “The security of this cipher is therefore close to zero.”

There are lots of articles about this, including The Register’s coverage of the Dutch cards, One billion RFID cards vulnerable to hacks (engadget), and Bruce Schneier’s blog.

The critical question of course is whether or not Snapper is based on MiFare Classic chips. There is no publicly available information that I could find which confirms or denies this. It is “similar in concept” but might be based on a stronger version of the chip. That is something I’ll have to find out.

But the point is that reality can be very effective in quenching authentication expectations. And, as with quenching, one emerges stronger and remembers the authentication basics, such as: always check for known vulnerabilities before getting too excited about any authentication method.


Entry filed under: 2FA, authentication, NZ, security.


6 Comments Add your own

  • 2. Alan  |  April 22, 2008 at 8:15 am

    I don’t think it is intended as anything other than a convenient-for-small-purchases stored value card with a $300 limit. I’d have to think about buying one of those RF-proof wallets to keep it in if there was any more to it than that.

  • 3. Vikram  |  April 22, 2008 at 8:53 am

    You’re right Alan, there is the cash limit. I would use Snapper as a consumer but, as a deployer of online authentication solutions, that’s where concerns rise.

  • 4. David French  |  April 22, 2008 at 9:05 am

    …With this innovation you pay in advance for the discount, pay for the Snapper, pay for reloading, and pay for the reloader device on your computer. I am tempted to move back to Christchurch, where they have had the free Metrocard and a larger discount for years. That is without worrying about the leakage facilitated by the unproven security of the card.

  • 5. Paul  |  August 1, 2008 at 10:54 pm

    Fortunately Infratil chose a more modern and secure card, at least according to http://www.captimes.co.nz

  • 6. Vikram  |  August 2, 2008 at 6:42 pm

    Thanks Paul.

    Yes, on further investigation it turns out that the Snapper chip is a good one.

    Still, Paul Madsen’s comment about openness and transparency is valid: why not talk the talk? Why make people figure this out?
