
I'm currently working on a smart-card-based application. We're worried about users sniffing the communication between the card and reader by inserting a skimming-type device into our hardware and an actual card into this device (since it will be placed in a public location). Can anyone think of a cost-effective way of eliminating this type of attack? (i.e., making something like the link below harder)

http://life-is-a-hack.blogspot.com/2010/07/free-laundry-for-everybody.html

s3c

3 Answers


1) Encrypt the traffic.

This is actually quite a pain, as you either need to authenticate the card and reader to one another or use a pre-shared key that you keep very careful watch over.

You're best off buying in a solution here; SIM cards seem to have been very successful, and MIFARE contactless payment cards I know offer a DES-based secure system.

2) Watch the insertion point.

ATMs are classically vulnerable to this, and are acquiring more security cameras to watch for skimmers and other attacks at or near the ATM.

Trying to detect a passive skimmer by its electrical properties is almost certainly not going to work, as the electrical variation due to dirty contacts is much larger than that of a well-designed skimmer.

The attack you've shown relies on the card not being at all smart. Properly designed smart cards can still be dismantled for their keys, it's just much harder and more expensive: http://people.cs.uchicago.edu/~dinoj/smartcard/security.html

pjc50
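A concrete shape for the "authenticate the card and reader to one another" option in the answer above: a challenge-response handshake over a pre-shared key, written here as an added example for this page. It is not pjc50's code and not the protocol of any SIM or MIFARE product; the key value, the message labels, the serial numbers and the session-key derivation are all constructed for the example. Only the Python standard library is used, so the payload encryption that would follow under the derived session key is left out; what the block shows is that a skimmer which records one card response cannot pass the handshake a second time, because the reader's nonce is fresh on every attempt.

```python
import hashlib
import hmac
import os

# Constructed sample pre-shared key, assumed to be provisioned into both the
# card and the reader at personalisation time (not a real key).
PSK = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")


def tag(key, label, *parts):
    """HMAC-SHA256 over a label plus length-prefixed fields, so that
    different message types and field boundaries can never collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in (label, *parts):
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Card:
    """Card side: answers a fresh reader nonce with its own nonce and a tag."""

    def __init__(self, serial, key):
        self.serial = serial
        self.key = key

    def respond(self, reader_nonce):
        card_nonce = os.urandom(16)
        t = tag(self.key, b"card->reader", self.serial, reader_nonce, card_nonce)
        return self.serial, card_nonce, t

    def verify_reader(self, reader_nonce, card_nonce, reader_tag):
        expected = tag(self.key, b"reader->card", self.serial, reader_nonce, card_nonce)
        return hmac.compare_digest(expected, reader_tag)

    def session_key(self, reader_nonce, card_nonce):
        return tag(self.key, b"session", self.serial, reader_nonce, card_nonce)


class ReplayCard:
    """A device holding no key that can only replay one captured response:
    the failure mode the handshake has to reject."""

    def __init__(self, captured):
        self.captured = captured

    def respond(self, reader_nonce):
        return self.captured            # ignores the fresh nonce

    def verify_reader(self, reader_nonce, card_nonce, reader_tag):
        return True                     # has nothing to check with


class Reader:
    def __init__(self, key):
        self.key = key

    def challenge(self):
        return os.urandom(16)           # fresh nonce per attempt

    def verify_card(self, reader_nonce, serial, card_nonce, card_tag):
        expected = tag(self.key, b"card->reader", serial, reader_nonce, card_nonce)
        if not hmac.compare_digest(expected, card_tag):
            return None
        reader_tag = tag(self.key, b"reader->card", serial, reader_nonce, card_nonce)
        session_key = tag(self.key, b"session", serial, reader_nonce, card_nonce)
        return reader_tag, session_key


def run_protocol(card, reader):
    """Mutual authentication. Returns the session key on success, None on failure."""
    rn = reader.challenge()
    serial, cn, card_tag = card.respond(rn)
    result = reader.verify_card(rn, serial, cn, card_tag)
    if result is None:
        return None                     # card could not prove it holds the key
    reader_tag, session_key = result
    if not card.verify_reader(rn, cn, reader_tag):
        return None                     # reader could not prove it holds the key
    return session_key


def demo():
    reader = Reader(PSK)
    genuine = Card(b"CARD-0001", PSK)
    ok = run_protocol(genuine, reader)

    # One genuine response as a device sitting between card and reader would see it,
    # then replayed against a new challenge.
    captured = genuine.respond(reader.challenge())
    replayed = run_protocol(ReplayCard(captured), reader)

    wrong_key = run_protocol(Card(b"CARD-0002", b"\x00" * 32), reader)
    return ok, replayed, wrong_key
```

The labels inside `tag` stop a tag computed in one direction from being reused in the other, and the length prefixes stop two different field splits from hashing to the same bytes. The card's own `session_key` derivation mirrors the reader's, which is what a later encrypted or MAC-protected transaction would key from.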

As the others have said: Assume it will be skimmed, and encrypt the data.

The next thing would be to store as little as possible in the card itself. Maybe all that is stored is a serial number plus a "last transaction number". This wouldn't help you prevent skimming, but would help you identify any cloned cards. When a transaction is performed, the reader would compare the "last transaction number" with what it has stored in its database. If it doesn't match, then something weird is going on. Someone faking a card might get away with one fraudulent use, but not two.

This method should be used in addition to encryption, not instead of it.
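The "last transaction number" check described above, simulated as an added example that is not the answer's own code (the serial value, the in-memory back-end and the class names are constructed for the example). It also follows through one step further than the answer spells out: once the one fraudulent use has gone through, the genuine card is equally out of step with the back-end, so the serial is flagged the next time either card is presented.

```python
class TransactionLog:
    """Back-end record the reader consults: serial -> last transaction number.
    Mismatches are collected so an operator can investigate the serial."""

    def __init__(self):
        self.last_txn = {}
        self.alerts = []


class Card:
    """What the genuine card stores: a serial and a last transaction number."""

    def __init__(self, serial, txn=0):
        self.serial = serial
        self.txn = txn

    def snapshot(self):
        """What a skimmer sees on the wire: a static copy of the two fields."""
        return (self.serial, self.txn)


class ReplayCard(Card):
    """A fake built from a skimmed snapshot. Each time it is presented it
    starts from the copied number, because the fraudster only has the dump."""

    def __init__(self, snapshot):
        super().__init__(*snapshot)


def transact(db, card):
    """Reader-side check: accept only when the card's number matches the
    back-end's, then advance both by one. Returns 'ok' or 'mismatch'."""
    stored = db.last_txn.get(card.serial)
    if stored is None:
        db.last_txn[card.serial] = card.txn      # first sight of this serial: enrol it
    elif stored != card.txn:
        db.alerts.append((card.serial, stored, card.txn))
        return "mismatch"
    card.txn += 1
    db.last_txn[card.serial] = card.txn
    return "ok"


def honest_usage(n=5):
    """A card used normally stays in step with the back-end indefinitely."""
    db = TransactionLog()
    card = Card(b"CARD-0001")
    return [transact(db, card) for _ in range(n)]


def skimmed_usage():
    """Constructed scenario: the card is skimmed after two honest transactions."""
    db = TransactionLog()
    genuine = Card(b"CARD-0001")
    transact(db, genuine)             # enrol
    transact(db, genuine)             # card and back-end both at 2
    dump = genuine.snapshot()         # skimmer captures (serial, 2)

    first_fraud = transact(db, ReplayCard(dump))   # matches, passes; back-end now 3
    second_fraud = transact(db, ReplayCard(dump))  # still presents 2 -> mismatch
    genuine_next = transact(db, genuine)           # genuine also holds 2 -> mismatch
    return [first_fraud, second_fraud, genuine_next], db.alerts
```

The mismatch on the genuine card is the useful signal: it tells the operator that serial was used while the real card was elsewhere, which a plain serial check would never reveal. As the answer says, the counter is a detection aid, not a substitute for protecting the link itself.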


If it's important enough to worry about, simply assume the data will be hacked, and encrypt it.

Scott Seidman