Tag Archives: Danielle Morgan

MSc thesis: Security of Loyalty Cards Used in Estonia

Abstract
This thesis identifies the card technologies used in loyalty programs across Estonia. These technologies include magnetic-stripe cards, contactless cards (in the form of MIFARE Classic, MIFARE Ultralight, MIFARE DESFire EV1 and low frequency RFID cards) and a smart card known as the Estonian electronic identification card (ID card). Each card type implements its own security features to prevent cloning and/or unauthorized access to the content stored on the card. The contents of each card was read and the method in which it was used in the system analysed. In the cases where possible a clone of the card was created and tested against the real system to verify that it passed the authentication procedures.

This is MSc thesis from TUT Cyber Security curriculum. The thesis was defended in June 2017.

The thesis analyzed cloneability aspects of the loyalty cards used in Estonia. While the magnetic-stripe cards are known to be trivially cloneable, the study also analyzed bunch of contact-less cards: MyFitness, Elron, Tallinn Bus Card, ISIC, SEB ISIC, Tartu Bus Card, Rimi Card. Only the Rimi and Elron card was found to withstand known cloning attacks.

Links:
http://kodu.ut.ee/~arnis/loyalty_thesis.pdf
http://kodu.ut.ee/~arnis/loyalty_slides.pdf

Using the Estonian Electronic Identity Card for Authentication to a Machine

Abstract: The electronic chip of the Estonian ID card is widely used in Estonia to identify the cardholder to a machine. For example, the electronic ID card can be used to collect rewards in customer loyalty programs, authenticate to public printers and self-checkout machines in libraries, and even unlock doors and gain access to restricted areas.
This paper studies the security aspects of using the Estonian ID card for this purpose. The paper shows that the way the ID card is currently being used provides little to no assurance to the terminal about the identity of the cardholder. To demonstrate this, an ID card emulator is built, which emulates the electronic chip of the Estonian ID card as much as possible and is able to successfully impersonate the real ID card to the terminals deployed in practice. The exact mechanisms used by the terminals to authenticate the ID card are studied and possible security improvements for the Estonian ID card are discussed.

The TLDR; of the paper is that when the ID card is used to authenticate to a machine (unless PIN1/PIN2 is involved), the ID card does not provide additional authentication factor. This is not a surprise to anyone who is familiar with the technology, but some still believe that ID card provides some security over the magnetic-stripe card.

The paper describes proof-of-concept implementation of non-cryptographic “ID card emulator” and demonstrates transplantation of the fake chip to a real ID card.

Links:
https://eprint.iacr.org/2017/880.pdf
https://kodu.ut.ee/~arnis/EstEID_keycard_slides.pdf

Cyber Security master’s theses defense in Tallinn University of Technology (May 2017)


Monday, May 29, 2017, Akadeemia Tee 15a, Room ICT-315.

Grades received (random order): 5, 4, 4, 3, 3, 3, 2, 2.

Time: 10:00
Student: Kristjan Oja
Title: Cyber Security Awareness For IT Students Through Practical Assignments
Supervisor: Sten Mäses
Reviewer: Tiia Sõmer

Time: 10:40
Student: Sander Arnus
Title: Providing guaranteed log delivery and proof value of logs
Supervisor: Risto Vaarandi
Reviewer: Tiit Hallas

Time: 11:20
Student: Bolaji Ayoola Ladokun
Title: An Analytical Approach to Characterization of Targeted and Untargeted Attack in Critical Infrastructure Honeypot
Supervisor: Hayretdin Bahsi
Reviewer: Risto Vaarandi

Time: 12:00-13:00 – Lunch

Time: 13:00
Student: Iryna Bondar
Title: LUDROID: Evaluation of Android Malware Detection Tools and Techniques and Development of a First Line of Defense For the User
Supervisor: Emin Caliskan
Reviewer: Toomas Lepik

Time: 13:40
Student:  Seifollah Akbari
Title: A New Method for the SYNful Knock Attack Implementation
Supervisor: Truls Ringkjob
Reviewer: Bernhards Blumbergs

Time: 14:20
Student: Safak Tarazan
Title: GPS Spoofing/Jamming Resilient Mini UAV Implementation Strategy
Supervisor: Truls Ringkjob
Reviewer: Juhan Ernits

Time: 15:20
Student: Danielle Morgan
Title: Security of Loyalty Cards Used in Estonia
Supervisor: Rain Ottis, Arnis Paršovs
Reviewer: Aleksandr Lenin

Time: 16:00
Student: Katrin Kukk
Title: Ensuring the digital continuity of e-Estonia in different crisis scenarios
Supervisor: Rain Ottis
Reviewer: Jaan Priisalu

Tuesday, May 30, 2017, Akadeemia Tee 15a, Room ICT-315.

Grades received (random order): 4, 4, 3, 3, 2, 1.

Time: 10:00
Student: Christopher David Raastad
Title: Euro 2.0 – Securing an Ethereum Crypto Fiat Currency System
Supervisor: Alex Norta
Reviewer: Raimundas Matulevicius

Time: 10:40
Student: Mobolarinwa Taofeek Balogun
Title: Comparative Analysis of Industrial IoT and HealthCare System IoT for Cyberterrorism
Supervisor: Hayretdin Bahsi
Reviewer: Ahto Buldas

Time: 11:20
Student: Chengxiang Wang
Title: Classification of Black-Box Security Reductions and Oracle Separation Techniques
Supervisor: Ahto Buldas
Reviewer: Peeter Laud

Time: 12:00-13:00 – Lunch

Time: 13:00
Student: Celik Neslisah
Title: Anomaly Detection Using Locked Shields Logs
Supervisor: Olaf Maennel
Reviewer: Mauno Pihelgas

Time: 13:30
Student: Sophio Sakhokia
Title: Developing a Cyber Security Master Programme for Georgia
Supervisor: Tiia Sõmer
Reviewer: Olaf Maennel

Time: 14:20
Student: Zaghum Awan
Title: Analytical Comprehensive Approach to Cyber Laundering and its Solutions
Supervisor: Tiia Sõmer
Reviewer: Andro Kull