Attacks on smart cards are a current issue in the media, but are not
news to Gemplus
Delivering security - i.e. ensuring access is granted
only for authorized usage by authorized cardholders - is the fundamental
attribute of smart cards. The effectiveness of smart cards in delivering
security is one of the reasons they have been so widely adopted, especially
in financial services and mobile phones, why the growth of smart cards
has been explosive, and why their usage is expected to expand rapidly
for other applications such as personal identity cards, health, transport
and access to pay TV/entertainment.
As in any field, security standards do not stand still. There will always
be those who for fraudulent, ethical or experimental reasons seek to break
security shields. As in any field, it is also true that the notion of
eternal security against every conceivable (and inconceivable) situation
may be impracticable and that there is a trade-off between the last fraction
of a percent security and cost.
That said, Gemplus is a global leader in smart cards and, from its launch,
has devoted substantial research to imagining, devising and protecting
against attacks on security. It has consequently been aware of such attacks
for some time, and has implemented effective countermeasures notably against
side channel and fault attacks.
Two articles have appeared in the press recently focusing on two different
types of smart card attacks. They have generated considerable interest
in the media. The two attacks and the issues surrounding each are distinct.
The first article appeared in the WSJE on 7 May and focussed on side
channel attacks. These are nothing new in the smart card industry and
do not represent a new and additional security risk for GSM SIM cards.
This attack affects early type SIMs which use what is considered (by the
industry) to be an outdated algorithm (COMP128-1). The GSM Association
has recommended against using this algorithm in current generation SIM
cards and many operators no longer use it. In addition, Gemplus has effective
countermeasures against many types of side-channel attacks.
The WSJE article actually states "its impact on consumers
is expected to be limited." The article also points out that "IBM
has an interest sounding the alarm. It developed technology to protect
against the kind of hacker attack it is outlining and will offer to license
that to cellphone makers."
The light attack publicized by Cambridge University researchers is a
type of fault attack, which has been widely studied for years, and of
which Gemplus is also well aware. An article appeared in the New York
Times on 13 May, describing the research and quoting the researchers as
saying that this vulnerability may pose a big problem for the industry,
and that the industry will need to add countermeasures to increase the
card's security.
Some claim that this attack is more serious than the one publicized by
IBM. The attack presented shows how a fault can be generated, but not
how sensitive information can actually be recovered. This is not straightforward.
The attacker must adapt his or her attack to any one of more than 60 chip
designs used in smart cards.
Recent products benefit from the most advanced countermeasures, but earlier
products in the field may prove vulnerable.
Smart cards remain the most efficient and cost-effective device to protect
privacy and security of access to digital information and electronic transactions.
They have proven, over many years and with broad use, to offer the strongest
security at the most competitive price.
Key Messages
- Security is a never-ending battle. Attacks are an expected event in
the security industry, but academic review must not be confused with
real-life hacking.
- For Gemplus, security is a fundamental priority. It is a world leader
in smart cards, thanks to its lead in anticipating security attacks
and developing hardware and software solutions.
- Gemplus defines and implements countermeasures that keep real-world
fraud at far lower levels than systems based on any competing technology.
- Different applications require different levels of security. Smart
cards and their surrounding infrastructure will offer different levels
of security according to such requirements and to cost / benefit trade-offs
associated with total system security. Security should indeed be considered
from a global viewpoint.
- An aspect to bear in mind is that, in the banking world, each credit card
is issued with an expiry date that enables the bank to ensure that, every
two years, their clients receive the latest technology with which
to safeguard their personal data. There is no such protocol in the
telecom world, but this would ensure that all end-users were always
one step ahead of the hackers. As the role of the SIM expands to support
and enable secure mobile data services, the security technology developed
and tested in Gemplus R&D laboratories today will likely become
the de facto standard for next generation cards.
- The type of attacks given recent publicity have been known to Gemplus
for a number of years.
About Gemplus
Gemplus helps its clients offer an exceptional range of portable, personalized
solutions that bring security and convenience to people's lives. These
include mobile Internet access, inter-operable banking facilities, e-commerce
and a wealth of other applications.
Gemplus is the only completely dedicated, truly global player in the Smart
Card industry, with the largest R&D team, unrivalled experience, and
an outstanding track record of technological innovation.
In 2001, Gemplus was the world number one in smart card shipments according
to Gartner-Dataquest, IDC, Frost and Sullivan, Datamonitor and The Nilson
Report.
Gemplus trades its shares on Euronext Paris S.A. First Market and on the
NASDAQ Stock Market as GEMP in the form of ADSs. Its revenue in 2001 was
1.0 billion Euros.
Gemplus: Beyond Smart www.gemplus.com