37 research outputs found

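    Comparison of the assessed risks for the types of cards used as a means of payment in the integrated public transport system (Contraste de los riesgos valorados para los tipos de tarjetas que han sido utilizadas como medio de pago en el sistema integrado de transporte público)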

    Research work. The Integrated Public Transport System (SITP) is one of the largest and most sophisticated transport systems in Colombia; access to it is through contactless smart cards, among them the monedero (purse) card, the cliente frecuente (frequent customer) card, and tullave, under the Bogotá fare-collection tender. Because of various incidents in which the payment medium was compromised, a risk assessment was carried out using the ISO 27005 standard (information security of assets), based on identifying the threats, vulnerabilities and risks of the cards used in the system.
    Contents: SUMMARY; ABSTRACT; INTRODUCTION; 1. GENERAL OVERVIEW; 2. ESTABLISHING THE CONTEXT; 3. RISK IDENTIFICATION; 4. RISK ESTIMATION; 5. RISK EVALUATION; 6. CONCLUSIONS; 7. RECOMMENDATIONS AND FUTURE WORK; 8. APPENDICES; 9. REFERENCES.
    Undergraduate. Systems Engineer.

    A Methodology for Evaluating Security in Commercial RFID Systems

    Although RFID has become a widespread technology, the developers of numerous commercial systems have not taken care of security properly. This chapter presents a methodology for detecting common security flaws. The methodology is put into practice using an open-source RFID platform (Proxmark 3), and it is tested in different fields, such as public transportation or animal identification. The results obtained show that the consistent application of the methodology allows researchers to perform security audits easily and detect, mitigate, or avoid risks and possible attacks.

    Strengthening Crypto-1 Cipher Against Algebraic Attacks

    In the last few years, several studies addressed the problem of data security in Mifare Classic. One of its weaknesses is the low random number quality. This causes SAT solver attacks to have lower complexity. In order to strengthen Crypto-1 against SAT solver attacks, a modification of the feedback function with better cryptographic properties is proposed. It applies a primitive polynomial companion matrix. SAT solvers cannot directly attack the feedback shift register that uses the modified Boolean feedback function; the register has to be split into smaller groups. Experimental testing showed that the amount of memory and CPU time needed were highest when attacking the modified Crypto-1 using the modified feedback function and the original filter function. In addition, another modified Crypto-1, using the modified feedback function and a modified filter function, had the lowest percentage of revealed variables. It can be concluded that the security strength and performance of the modified Crypto-1 using the modified feedback function and the modified filter function are better than those of the original Crypto-1.

    Security of NFC Cards (Seguridad de las tarjetas NFC)

    In this Final Degree Project, a study of the security status of contactless cards that incorporate an NFC interface has been carried out. This technology is frequently used within organisations as an authentication and control mechanism, limiting the access of personnel to highly sensitive areas. Cards that incorporate this technology also include, for example, some government documents for citizen identification, such as the latest version of the Spanish electronic National Identity Card (DNIe). A security breach in any of these credentials could have a major impact on the final users, endangering the resources and sensitive information protected by them. This study documents the operation of the security mechanisms implemented in several NFC tags to protect them against common attack vectors. In addition, various real practical scenarios are explored where these mechanisms are put to the test through security audits.

    Security in RFID devices

    This project includes an introduction to the concepts of RFID and contactless cards by focusing on the widely used MIFARE Classic chip. The main objective is to show how it works and its vulnerabilities, as well as some practical examples making an analysis of different services that use it.

    Multidevice Authentication with Strong Privacy Protection

    We propose a novel cryptographic scheme based on efficient zero-knowledge proofs and Boneh-Boyen signatures. The proposed scheme is provably secure and provides the full set of privacy-enhancing features, that is, the anonymity, untraceability, and unlinkability of user

    Beware of Pickpockets: A Practical Attack against Blocking Cards

    Peer reviewed. Today, we rely on contactless smart cards to perform several critical operations (e.g., payments and accessing buildings). Attacking smart cards can have severe consequences, such as losing money or leaking sensitive information. Although the security protections embedded in smart cards have evolved over the years, those with weak security properties are still commonly used. Among the different solutions, blocking cards are affordable devices to protect smart cards. These devices are placed close to the smart cards, generating a noisy jamming signal or shielding them. Whereas vendors claim the reliability of their blocking cards, no previous study has ever focused on evaluating their effectiveness. In this paper, we shed light on the security threats on smart cards in the presence of blocking cards, showing the possibility of being bypassed by an attacker. We analyze blocking cards by inspecting their emitted signal and assessing a vulnerability in their internal design. We propose a novel attack that bypasses the jamming signal emitted by a blocking card and reads the content of the smart card. We evaluate the effectiveness of 11 blocking cards when protecting a MIFARE Ultralight smart card and a MIFARE Classic card. Of these 11 cards, we managed to bypass 8 of them and successfully dump the content of a smart card despite the presence of the blocking card. Our findings highlight that the noise type implemented by the blocking cards highly affects the protection level achieved by them. Based on this observation, we propose a countermeasure that may lead to the design of effective blocking cards. To further improve security, we released the tool we developed to inspect the spectrum emitted by blocking cards and set up our attack.

    Mifare Classic Technology Vulnerabilities
