Arizona Summer Wildcat June 24, 1998
CatCard's armor could be chipped
It all started with a couple of guys, just out of college, who got together and cracked major credit card companies' smart card codes - just like the security on the newly developed CatCard.
Paul Kocher, 25, runs the four-man San Francisco-based company that has credit card companies and Smart Chip vendors taking a close look at their card security.
"We haven't seen a smart card on the market that can resist the type of attack we have here," said Joshua Jaffe of Cryptography Research, a firm built around hacking to help companies improve their security measures.
The UA CatCard has its own tiny Smart Chip that holds a personal identification number (PIN) and a purse of prepaid "electronic money." Students can use their prepaid accounts to purchase books, vending machine goodies, laundry and food on campus.
Smart Chips and cards recently took money-moving companies by storm, with banks and charge-card companies vying for the market. The chips store the amount of money that the customer has solely on the card, not in a database.
Kocher said a University of Arizona student with the right electronic and computer equipment could likely crack the encryption code.
"It's probably available in your engineering lab," Kocher said, adding that the software involved is fairly sophisticated.
The process involves reading the electronic output of the card when attached to a modified reader. He said the peaks of the data can be deciphered to read the digital code on the cards.
"It would be a lot of effort to do that for a free meal, but it's possible," Kocher said.
A spokesman for Cybermark, the company that produced the CatCard, said card providers would take Kocher's discovery "to heart," but downplayed the cards' vulnerability.
"Even the guys in San Francisco couldn't do it today," said spokesman Chris Corum. "Certainly no system is impenetrable, but the smart card technically is incredibly secure."
Kocher's breach of major credit card chips, reported in the New York Times June 22, has smart technology vendors on their toes.
The transactions with the new cards are touted to be more cost-efficient, running only one or two cents per transaction as compared to credit and debit cards' roughly 25-cent transaction fee. The smarter technology moves faster because all the information is stored on the chip, and vendors with certain readers need only insert the card to find out how much money is available.
Gemplus, manufacturer of the CatCard Smart Chip, touted the hacking as "piracy attempts" that require an unusual amount of knowledge.
Jilles Lisimaque, a founder of the Smart Chip giant, said the system was "not completely immune," but said he was not afraid for the future of the technology.
"The owner of the card has to be in on the attack," Lisimaque said. "There is an electronic purse, but it will point immediately to the card owner as being part of the scheme."
The CatCard Office also allows students and faculty to disable the chip, eliminating potential fraudulent activity on the chip. With the unprimed chips, students would be unable to use the card as cash.
If a CatCard is lost or stolen, the fee for replacing it is $25, and the CatCard office is in the process of considering a policy that will transfer the balance from the old card to a new one.
The newly-appointed Information Security Council will tangle with data-protection issues for the university in months to come. Mely Tynan, vice president for information technology, held the first meeting for the group recently.
"Every piece of technology we have has vulnerabilities," said Sharon Kha, a UA spokeswoman.
She said the important factor is to weigh, "how much risk is a reasonable risk."