ITSO: Enabling interoperable travel: Specification for multi-operator, multi-modal, multi-application smart ticketing

News

12 October 2011

Update on Mifare® DESFire smartcard (MF3ICD40)

 

ITSO is aware of the recently reported alleged hacking of the original version of the MIFARE DESFireTM smartcard (MF3ICD40).

 

Although smartcards of the same type have been certified by ITSO, deployment of the original version has been very limited and the risk of this kind of attack has been recognised throughout the development of the ITSO environment.

It should be noted that ITSO uses its own internationally recognised security system which sits over and above the security system that has reportedly been cracked. Operators using the original MIFARE DESFire card can be assured that - even if an individual card can be hacked - the ITSO products in the card still remain secure when the security seal is verified by the ITSO Secure Application Module (ISAM).

ITSO, being a multi-platform Specification and environment, also offers its members the opportunity to use alternative Customer Media types, should they be required.

MIFARE DESFire EV1 (the version currently being deployed in the ITSO environment) is not open to the same attack - even in Legacy mode. MIFARE DESFire EV1 is Common Criteria EAL 4+ certified where this kind of attack is tested during the certification assessment.

NXP has started the process to discontinue the MIFARE DESFire MF3ICD40 in June 2010 with a last time buy December 31 this year. NXP recommends that its customers and partners migrate to MIFARE DESFire EV1 for existing and new systems. See NXP's full update.