New security developments

Over the past few years, RFI has built up an impressive and multi-skilled Payments and Security department. Working across the Terminal, Cards and Security areas, RFI's Smart Cards laboratory is becoming a hotly developed area.

An interview with David Ware – Security Technology Development Manager

How does RFI plan to establish and maintain ‘state-of-the-art’ and ‘best practice’ for security evaluation of Smart card and Payment terminal products and what are the challenges for RFI?

Our security evaluation laboratory has undergone a rigorous transformation. I joined RFI at the start of 2006 as Security Principal Engineer and was concentrating at that time primarily on delivering the actual evaluations to our customers. When I became Security Technology Manager in mid-2007, this came with a much increased budget, new site facilities, and equipment. We brought into the team new experts specialising in embedded systems security, and began collaborations with several universities. This gave me the platform to develop the core services for a suite of penetration testing approaches on cards and terminals, ranging from protocol and software analysis, eavesdropping attacks such as ‘DPA’, perturbation analysis, and reverse engineering. The big challenge – as always – is keeping abreast of a rapidly evolving industry. One has to run almost as fast as one can to stand still against developments. To this end, we’ve had to maintain a very high ratio of R&D activities versus other operational activities. The challenges are tough but I believe this strategy has paid well. For example, we have by now achieved one of the industry’s foremost capabilities for performing side channel analysis in the electromagnetic and radio frequency domains, and our development of optical fault injection attacks has provided demonstrable results.

What are the main security threats RFI can see on convergent products, such as mobile payment products?

Looking from the attackers’ perspective, the two driving motivations are either gain on one hand or recognition by the hacker community on the other. Arguably for mobile payment, these motivations have been relatively unnoticed until recently, but that won’t remain the situation for long now that the potential for bigger profits and better notoriety evolves. In either case, the ‘low hanging fruit’ principle holds. So, I anticipate that many of the emerging threats we are going to see will come from exploitations of the interfaces between technologies as they converge. That is to say, whatever the proven strength of the components in a system, it’s the strength of protocols with applications with the platform, of a product in the context of its environment that must be defended.

What are the key skills the RFI Security team applies to these convergent products so that they will be more secure?

I’m fortunate to be working amongst other specialist labs having the experience and personnel that I need for this. It’s likely that known threats that have been studied extensively in the fields I’ve worked in – say, PIN protection on banking cards and terminals – may be transferred profitably by attackers to, for example, PIN protection in the context of SIM-chips and handsets in mobile payment. This is why my lab nowadays focuses increasingly on partnership development projects with my colleagues elsewhere in RFI, investigating wireless, contactless, and cellular technology standards. In the security evaluation laboratory we take full advantage of these specialisations.
