Reply To: How to determine the authenticity of a DESFire EV1 card


9. March 2016 at 9:39
Hi CC,

First of all, I have to correct my statement in the previous post. I have heard that the development team is going to include originality checking in the MIFARE SDK in one of the next releases. I do not have any details yet, but it might be interesting for you to know.

I understand your concern about clone cards, but let us think for a moment about the initial situation. What does this imply? If you deal with money accounts on smartcards, you protect the account itself and the access conditions on the reader station against unauthorized access. This means protecting your money and has nothing to do with whether the card is a clone card or not.

What I wanted to explain in my previous post is: if you are the issuer of the card, the question of whether the card is a clone or not lies in your hands! And looked at from the other side: what would you do if you detected a clone card in an end user's hand? First answer: it was issued in your office, and the ball is now in your court again. Second answer: someone found a way to steal the credentials and created a duplicate. If this happens, you have a problem! If someone is able to do this, they are also able to make a copy to a genuine MIFARE card.

The clone card problem is really a “bad user experience problem”. Clone cards are often poorly manufactured and do not fulfil the technical specifications. This can be seen in defects and spontaneous failures at the reader station. The end user sees a smartcard which sometimes works and sometimes does not. Failures in booking accounts result in big trouble on your side and on the end user's side. A user who has had this kind of experience will relinquish your service and your business.

My advice is to spend effort on protecting the credentials, use approved techniques and encrypt the data communication. Use methods which make it difficult to damage your business, even if someone is able to duplicate one card. For instance, the key diversification approach uses a unique key for each card. If someone is able to compromise the key for one card, only this dedicated card is affected but not all the others.

Sorry for my long explanation today,
The MIFARE Team
+ 0  |  - 0
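The key diversification idea from the reply above, as an added example that is not part of the original post or of the MIFARE SDK: each card key is derived from an issuer master key and the card UID, so one leaked card key cannot be used as another card and can be revoked on its own. The master key, UIDs, `SYSTEM_ID`, the function names and the simplified challenge-response are assumptions made for illustration, and HMAC-SHA256 is a stand-in for whatever diversification algorithm and card authentication protocol a real deployment uses.

```python
import hashlib
import hmac
import os

# Constructed sample values: the master key and label are made up for this example.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SYSTEM_ID = b"demo-wallet-v1"  # hypothetical application label


def diversify_key(master_key: bytes, uid: bytes, system_id: bytes = SYSTEM_ID) -> bytes:
    """Derive a 16-byte per-card key from the master key and the card UID.
    HMAC-SHA256 is a stand-in PRF, not a card vendor's diversification algorithm."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    msg = b"\x01" + bytes([len(uid)]) + uid + system_id
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:16]


def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """Answer a card holding card_key gives to a reader challenge (simplified)."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def reader_accepts(master_key, presented_uid, challenge, response, revoked=frozenset()):
    """Reader re-derives the key from the presented UID and checks the response."""
    if presented_uid in revoked:
        return False
    expected = card_response(diversify_key(master_key, presented_uid), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")  # constructed UIDs
    uid_b = bytes.fromhex("04112233445566")
    key_a = diversify_key(MASTER_KEY, uid_a)
    key_b = diversify_key(MASTER_KEY, uid_b)
    ch = os.urandom(16)
    return {
        "keys_differ": key_a != key_b,
        "card_a_ok": reader_accepts(MASTER_KEY, uid_a, ch, card_response(key_a, ch)),
        # Key A has leaked: it still does not authenticate as card B.
        "leaked_a_as_b": reader_accepts(MASTER_KEY, uid_b, ch, card_response(key_a, ch)),
        # Revoking UID A blocks that card only; card B keeps working.
        "a_after_revoke": reader_accepts(MASTER_KEY, uid_a, ch, card_response(key_a, ch), {uid_a}),
        "b_after_revoke": reader_accepts(MASTER_KEY, uid_b, ch, card_response(key_b, ch), {uid_a}),
    }


if __name__ == "__main__":
    print(demo())
```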