Your company implements a physical access control system (PACS) that authenticates employees through ID credentials of contactless smart cards. As a security professional, you are conducting threat modeling. Which of the following threats least entails a legitimate ID card in terms of personal identification verification? (Source: Wentz QOTD)
A. Skimming
B. Sniffing
C. Counterfeiting
D. Social engineering
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Counterfeiting.
There are two significant threats to contactless smart cards: cloning and counterfeiting. The following are definitions from NIST SP 800-116 R1:
- Cloning is “a process to create a verbatim copy of a PIV Card, or a partial copy sufficient to perform one or more authentication mechanisms as if it were the original card.”
- Counterfeiting is “the creation of a fake ID card that can perform one or more authentication mechanisms, without copying a legitimate card (see Cloning).”
For example, the fake driver’s licenses in the following news story may or may not have been produced from acquired personal data, so they could be either cloned or counterfeited: Fake driver’s licenses flooding into US from China, other countries, US says.
Methods of Attack
NIST SP 800-116 R1 identifies a number of threats to Personal Identity Verification (PIV) cards, including identifier collisions, revoked PIV Cards, skimming, sniffing, social engineering, electronic cloning, visual counterfeiting, and electronic counterfeiting.
- Skimming and sniffing can capture or copy all or part of the PIV data to clone a PIV card.
- Social engineering can deceive PIV cardholders into disclosing PIV data or handing over the PIV card to the attacker.
- Counterfeiting can create fake PIV cards on the fly without copying data from legitimate cards.
Most people have heard of ATM skimming, in which a hidden fake reader clones a bank customer’s ATM card while a hidden camera or keypad overlay captures the PIN. However, skimming can also be applied to contactless cards.
According to NIST SP 800-116 R1, skimming is “surreptitiously obtaining data from a contactless smart card, using a hidden reader that powers, commands, and reads from the card within the maximum read distance (reported as about 25 cm with [ISO/IEC 14443] smart cards like the PIV Card).”
According to NIST SP 800-116 R1, sniffing is “surreptitiously obtaining data from a contactless smart card, using a hidden reader that receives RF signals from a legitimate reader and smart card when they perform a transaction. Sniffing is a form of electronic eavesdropping. Sniffing is possible at greater distances than skimming.”
NIST SP 800-116 R1 describes two social engineering scenarios:
- If an attacker persuaded the cardholder to give them possession of the PIV Card, the attacker could quickly copy all of the information that was not protected by the PIN.
- An attacker could also attempt a remote attack similar to well-known phishing attacks by creating a web page that asks the subject to “insert PIV Card and enter PIN” for an apparently legitimate purpose. If the cardholder complies, under some assumptions the attacker could capture the cardholder’s PIN and all of the PIV data objects.
Source: NIST SP 800-116 R1
Can a counterfeit card work? Yes, it can, especially in environments that employ visual (VIS) authentication. PIV Cards used in the VIS authentication mechanism are visually inspected by a security guard, and the inspection process can be vulnerable because of negligence.
- A visual counterfeit mimics the appearance, but not the electronic behavior, of an actual PIV Card. A PIV replica may be created by color photocopying or graphic illustration methods and color printing to blank stock.
- Because of the required presence of one or more security features on the PIV Card, a visual counterfeit is unlikely to pass close examination, provided guards are trained to recognize security features.
- However, ID cards may receive only cursory examination when used as “flash passes.”
- An attacker could construct a battery-powered, microprocessor-based device that emulates a PIV Card for purposes of the CHUID authentication mechanism.
- The attacker could program the microprocessor to generate and test CHUIDs repetitively against a PACS reader, changing the FASC-N credential identifier on each trial.
- This approach would not require prior capture of a valid CHUID, but since the counterfeit CHUIDs would not possess valid issuer signatures, a successful exploit depends on the absence of signature verification in the CHUID processing done by the reader.
Source: NIST SP 800-116 R1
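The last point is the one a PACS engineer should be able to check. As an added illustration (not code from NIST SP 800-116 R1 or from any PACS product), the following Go program models two readers: one that skips issuer-signature verification on the CHUID and therefore admits an emulated card as soon as a trial happens to present an enrolled FASC-N, and one that verifies the issuer signature, rejects every unsigned CHUID, and still admits the legitimately issued card. The CHUID layout, the ECDSA P-256 signature standing in for the real CMS issuer signature, the `FASCN-...` strings and the access list are all constructed assumptions for this example, not the real encodings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CHUID is a simplified stand-in for the PIV Card Holder Unique Identifier:
// a credential identifier (FASC-N) and an issuer signature over it.
// Real CHUIDs are CMS-signed TLV structures; this layout is an assumption
// made for illustration and uses constructed identifiers only.
type CHUID struct {
	FASCN     []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(FASCN); nil on a counterfeit
}

// Issuer models the accredited PIV Card Issuer, the only party holding the signing key.
type Issuer struct {
	key *ecdsa.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: key}, nil
}

// IssueCard produces a legitimately signed CHUID for the given FASC-N.
func (i *Issuer) IssueCard(fascn []byte) (CHUID, error) {
	digest := sha256.Sum256(fascn)
	sig, err := ecdsa.SignASN1(rand.Reader, i.key, digest[:])
	if err != nil {
		return CHUID{}, err
	}
	return CHUID{FASCN: append([]byte(nil), fascn...), Signature: sig}, nil
}

// Reader models the PACS reader's CHUID processing. VerifySignature=false is the
// weak configuration SP 800-116 warns about: the FASC-N is trusted as presented.
type Reader struct {
	IssuerPub       *ecdsa.PublicKey
	VerifySignature bool
	Authorized      map[string]bool // FASC-N values on the access list
}

// Admit decides whether a presented CHUID opens the door, and why.
func (r *Reader) Admit(c CHUID) (bool, string) {
	if r.VerifySignature {
		digest := sha256.Sum256(c.FASCN)
		if !ecdsa.VerifyASN1(r.IssuerPub, digest[:], c.Signature) {
			return false, "issuer signature missing or invalid (counterfeit or tampered CHUID)"
		}
	}
	if !r.Authorized[string(c.FASCN)] {
		return false, "FASC-N not on access list"
	}
	return true, "access granted"
}

// CounterfeitTrials models the emulator described above: each trial presents a CHUID
// with a different FASC-N and no issuer signature. It returns how many were admitted.
func CounterfeitTrials(r *Reader, trials int) int {
	admitted := 0
	for n := 0; n < trials; n++ {
		fascn := []byte(fmt.Sprintf("FASCN-%08d", n)) // constructed, not the real FASC-N encoding
		if ok, _ := r.Admit(CHUID{FASCN: fascn}); ok {
			admitted++
		}
	}
	return admitted
}

// Demo runs the same 100 counterfeit trials against a weak and a hardened reader and
// also checks that a legitimately issued card is still admitted by the hardened reader.
func Demo() (weakAdmitted int, hardenedAdmitted int, legitAdmitted bool, err error) {
	issuer, err := NewIssuer()
	if err != nil {
		return 0, 0, false, err
	}
	enrolled := "FASCN-00000042" // constructed FASC-N of one enrolled employee
	acl := map[string]bool{enrolled: true}

	weak := &Reader{IssuerPub: &issuer.key.PublicKey, VerifySignature: false, Authorized: acl}
	hardened := &Reader{IssuerPub: &issuer.key.PublicKey, VerifySignature: true, Authorized: acl}

	weakAdmitted = CounterfeitTrials(weak, 100)         // the enrolled FASC-N is hit on trial 42
	hardenedAdmitted = CounterfeitTrials(hardened, 100) // every unsigned CHUID is rejected

	card, err := issuer.IssueCard([]byte(enrolled))
	if err != nil {
		return 0, 0, false, err
	}
	legitAdmitted, _ = hardened.Admit(card)
	return weakAdmitted, hardenedAdmitted, legitAdmitted, nil
}

func main() {
	w, h, ok, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("weak reader admitted %d/100 counterfeit CHUIDs\n", w)
	fmt.Printf("hardened reader admitted %d/100 counterfeit CHUIDs\n", h)
	fmt.Printf("hardened reader admits the legitimately issued card: %v\n", ok)
}
```

The design point is where the trust boundary sits: a reader that accepts the FASC-N without checking the issuer signature is trusting whatever the card (or an emulator) says about itself, whereas signature verification moves the trust to the issuer's key, which the emulator does not hold. The access list alone is not a mitigation, because the emulator only needs to present an identifier that happens to be enrolled.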
HSPD-12 (Homeland Security Presidential Directive-12) mandated the establishment of a government-wide standard (FIPS 201-2) for identity credentials to improve physical security in federally controlled facilities. Credentials issued by an accredited PIV Card Issuer are called PIV Cards.
- FIPS 201-2 is the federal information processing standard for “Personal Identity Verification (PIV) for Federal Employees and Contractors.”
- NIST SP 800-116 R1 provides “Guidelines for the Use of PIV Credentials in Facility Access.”
Source: NIST SP 800-116 R1
Federal employees and contractors use Personal Identity Verification (PIV) credentials to physically access federal facilities and logically access federal information systems.
Physical Access Control System (PACS)
- Access point: e.g., turnstiles, gates, and locking doors
- PIV credential: to physically access facilities and logically access information systems.
- Credential reader and keypad
- Biometric reader
- Control panel (Controller)
- Access control server
- Credential holder data repository
- Auxiliary Systems
- Deployment Models
  - Standalone PACS
  - Enterprise PACS
References
- Homeland Security Presidential Directive 12
- FIPS PUB 201-2
- NIST SP 800-116 R1
- Card skimming
- Fake driver’s licenses flooding into US from China, other countries, US says
- What is a Physical Access Control System?
- PACS: What is Physical Access Control?
- DHS/ALL/PIA-039 Physical Access Control System (PACS)
- IP Access Control Systems for Small to Enterprise Systems
- Field Guide to Access Control: Access Control: Technology Overview
- Access control (Wikiwand)
- How does ATM skimming work?
Your company implements a physical access control system (PACS) that authenticates employees through the ID credentials of contactless smart cards. As a security professional, you are conducting threat modeling. In terms of personal identity verification, which of the following threats least requires a legitimate ID credential? (Source: Wentz QOTD)
A. Skimming
B. Sniffing
C. Counterfeiting
D. Social engineering
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.