ITSO to phase out vulnerable smart card
UK: Smart card specification body ITSO announced on November 4 that it is to 'phase out Mifare Classic 1k and 4k customer media from the ITSO environment' as a precautionary measure in response to the 'theoretical risk posed by Mifare Classic security issues'.
Last month Radboud University Nijmegen published details of the proprietary workings of Mifare Classic at the European Symposium on Research in Computer Security. NXP Semiconductors had been unable to delay the release of details which had been gleaned from reverse-engineering the RFID technology. According to the manufacturer, publication would 'reduce the barrier to carry-out actual attacks' on ticketing systems which use Mifare Classic.
ITSO compliant smart card ticketing is now a requirement of a number of UK rail franchise agreements, as well as being used for other transport and smart card-based services. ITSO said there was 'no immediate threat to the ITSO environment' from Mifare Classic, and cards will be withdrawn over their natural life. The specification offers a range of alternative media types for future card issue, allowing operators to migrate to another platform whilst still remaining compliant.
ITSO members are required to stop issuing Mifare Classic customer media by December 31 2009. Support will be removed from the ITSO specification once the last ITSO Mifare Classic card has either expired or been withdrawn, with the latest date being December 31 2016.
ITSO said this will not affect the functionality or validity of cards currently in circulation in Britain and they will not be recalled.
As well as some ITSO compliant cards, Mifare Classic is used in numerous other applications including London's Oyster, Boston's Charlie Card and disposable versions of the Dutch OV-Chipkaart.