ROANOKE TIMES 
                      Copyright (c) 1996, Roanoke Times

DATE: Friday, September 27, 1996             TAG: 9609270036
SECTION: BUSINESS                 PAGE: A-7  EDITION: METRO 
SOURCE: The New York Times


POTENTIAL SECURITY FLAW SEEN IN `SMART' CARD

IT'S A LONG SHOT, but the credit card touted as the key to the cashless society might be as easy to counterfeit as cash is.

A potential security flaw has been discovered that might make it possible to counterfeit many types of the electronic-cash ``smart'' cards that already are widely used in Europe and are being tested in this country by banks and credit card companies.

A cash card from Visa International Inc. was demonstrated in a highly publicized trial at the Olympic Games in Atlanta. Chase Manhattan Corp.; Citibank, a unit of Citicorp; Mastercard International Inc.; and Visa plan a test this year with 50,000 customers in New York City.

Touted as the key to the cashless society of the near future, smart cards are credit card-size packets that contain a microprocessor chip and a small amount of computer memory for storing bits of electronic information that represent money. At businesses equipped with the computerized devices that accept smart-card payments, the cards are supposed to be as good as cash - and as vulnerable to theft or loss as a $100 bill.

But the cards have been promoted as tamper-proof, which is why computer scientists at Bell Communications Research, one of the nation's leading information-technology laboratories, are now sounding the alarm, saying that a sophisticated criminal might be able to tweak a smart-card chip to make a counterfeit copy of the monetary value on a legitimate card.

``If you're deploying these smart-card devices in a business or government electronic-payment system, then I think you need to look carefully at their actual security,'' said Richard Lipton, chief scientist at Bell Communications and a professor of computer science at Princeton University.

Lipton and two colleagues at Bell Communications Research - or Bellcore - are about to publish a research paper on the potential smart-card flaw, which they recently discovered through theoretical research on the technology. No smart-card counterfeiting has been discovered yet, but Lipton and his team believe that such crimes are inevitable unless the technology is redesigned.

Despite the Bellcore warning, not all executives at companies using smart cards consider the theoretical threat a real danger.

``This is very speculative,'' said Chris Jarman, vice president of chip card technology at Mastercard, who had seen a draft of the Bellcore research paper. ``I have yet to see a smart-card scheme with a vulnerability.''

And even some industry executives, who said it was conceivable that individual smart cards might be at risk, contended that the vulnerability was not a threat to smart-card technology in general - any more than the occasional passing of a counterfeit $20 bill undermines the U.S. currency system.

The Bellcore researchers, however, consider the potential flaw significant because it could short-circuit the data-scrambling software contained in many types of smart cards. The software is used to protect the card's secret code, which is designed to prevent counterfeiting.

In theory, at least, the Bellcore researchers said a smart card's security could be breached by forcing the microchip in the card to make a calculation error. This could be done in a number of ways, the researchers said, whether through sophisticated means such as bombarding the card with radiation, or cruder methods such as placing it in a microwave oven.

Once the card can be forced to make even a small calculating error, the researchers said a mathematical formula they derived could use this error to extrapolate the secret data that authenticate the card when it is inserted in a merchant's card reader.


LENGTH: Medium:   67 lines



























































by CNB