Don’t put all your faith in smart cards

Oct 22, 2013 | 6 mins
Authentication, Data and Information Security, Security

Smart cards bolster authentication, but they're hardly a panacea for your company's security questions

Many companies react to APT (advanced persistent threat) attacks by implementing smart cards and/or other two-factor authentication mechanisms. Unfortunately, these schemes do nothing to stop APT. In fact, in my experience as a consultant, every organization that tried closing the barn door in this manner was successfully attacked again, despite putting two-factor authentication in place.

If they’d only talked to me first, I could have saved them a lot of time and money.

What makes smart cards so special?

A smart card is a piece of specialized cryptographic hardware that contains its own CPU, memory, and operating system. Smart cards are especially good at protecting cryptographic secrets, above all the private key that belongs to the user's digital certificate.

Smart cards may look like credit cards without the stripe, but they're far harder to copy or tamper with. They hold their secrets until the right interfacing software accesses them in a predetermined manner and the correct PIN (the second factor) is provided. Smart cards often hold users' personal digital certificates, which prove a user's identity to an authentication requestor. Even better, the private key is not supposed to leave the card. Instead, the card signs a challenge sent by the authenticator, and the authenticator checks that signature against the public key in the certificate, which proves the card holds the matching private key without ever revealing it.

After a company is subjected to a pass-the-hash attack, it often responds by trying to get rid of the weak, reusable password hashes. On many occasions, smart cards are the recommended solution, and everyone jumps on board. Because digital certificates aren't hashes, most people think they've found the answer.

Why smart cards aren’t infallible

Smart cards may not use hashes as authenticators by themselves, but behind the scenes a password hash is almost always still involved. This is true in most Microsoft Windows environments where smart cards are accepted: when a user logs on with a smart card, Kerberos (through PKINIT) verifies the certificate, and the domain controller then hands the client the account's NT hash so the user can still reach resources that only speak NTLM. That hash sits in the memory of the logged-on machine like any other, so it can be stolen, which means a smart card user's identity can be lifted and reused.

This surprises people. I don't blame them; much of the world, including self-appointed experts, gets it wrong all the time. For example, a few weeks ago a new client (and now friend) of mine texted me that a presenter at a well-known Chicago security conference was telling attendees to use smart cards because they don't need hashes to defeat APT. I wish I could have debated the presenter in person.

It's not that smart cards fail to reduce risk or add security to an environment. They do, but not as much as most people think. For one thing, only a small percentage of successful attacks hinge on defeating authentication. If you add up all the attacks in which the initial compromise involves getting past authentication (password guessing, cracking, MitM attacks, replay attacks, and so on), they probably amount to less than 1 percent of total breaches.

Most successful attacks happen because of unpatched software or because the user is tricked into running something they shouldn't. Smart cards won't help there at all. In the majority of effective attack scenarios, the bad guy gains control of the user's computer and, from inside the user's session, can act as the user just as if he held the smart card. Smart cards keep an outsider who lacks the card and PIN from starting a logon session, but once the user has logged on and the attacker's code is running as that user (which is when most attacks happen), it's game over. Thanks for playing.

Once the smart card user's computer is compromised, it is highly possible for bad guys to steal the user's credentials and do whatever they want with them. This can be accomplished a number of ways, including by manipulating the card's client software (known as a cryptographic service provider or smart card minidriver in Windows) so that it signs whatever the attacker asks for while the card is inserted, by lifting the cached NT hash or Kerberos tickets out of the logged-on session (the cached copy of the certificate itself is public and of little use on its own), and by keylogging the user's PIN whenever the user is prompted for it.

Smart card risks and rewards

Despite all this, I’m a big believer in smart cards.

Smart cards are better authenticators than passwords. They're two-factor (which defeats some attacks), they're easier to work with than long and complex passwords, and the underlying hash is derived from a long, random password (when Windows is set to require a smart card for interactive logon, the domain controller sets one for you), which prevents cracking, though not replay. In general, smart card users are more knowledgeable about computer security risks.

But don't give smart cards more credit than they've earned. As with any computer security mechanism, there are trade-offs. Smart cards aren't accepted by every application and can't be used on every computer or computing device. They're also expensive to implement and maintain. I haven't looked at the latest figures, but in the recent past I've read that every lost or broken smart card costs about $70 to $80 to replace (including support and physical expenses).

You can also blame smart cards for unique attacks. As an example, a smart card certificate is mapped to an account through an identity attribute such as the user's email address, logon name, or, in Active Directory, the user principal name (UPN). An attacker with the right directory permissions can change those attributes in the underlying namespace (DNS, Active Directory, and so on) and "become" that person to the authenticating operating system.

If I were an insider with the appropriate permissions, I'd change my UPN to match an innocent person's UPN (UPNs must be unique, so you'd have to change that person's UPN temporarily). Then, when I logged on using my own smart card and PIN, the domain controller would map my certificate to the other person's account and treat my card as successfully attesting to their identity. I could then wreak havoc using that identity. The security logs would attribute all the ensuing events to the innocent user, and after I'd done all my damage, I could change everything back. Nobody, including the innocent user, would suspect a thing. It could be the perfect crime.

To do the same using a traditional username and password, the villain (in most authentication systems) would have to reset the user’s password in order to steal their identity. Then the original user would know something is up because their original password would no longer be recognized. In this particular (rare and extreme) scenario, a simple username and password actually has benefits over a smart card.

That's why I always tell enterprises using smart cards to strictly limit and audit who can change the identity attributes of smart card users. In some environments, a ton of people can do that, and each one is a risk. The attribute changes themselves land in the domain controller's Security log (event 4738, "A user account was changed", records the new UPN and who set it), so a UPN that changes and changes back within a few hours deserves an alert. Microsoft has since (in 2022) changed certificate mapping so that a certificate can be bound to the account's SID rather than to its UPN alone, which blunts this particular trick; anywhere mapping still keys off a mutable name, the audit is your only control.
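The UPN swap described above leaves two traces on the domain controller: 4738 events in which a UPN value hops between accounts and then hops back, and 4768 (Kerberos TGT requested) events in which one certificate thumbprint obtains tickets for two different account names. The following detection logic is an added example, not code from the column or from Microsoft; the events are constructed for illustration (the account names, times, and thumbprints are made up), already parsed into dicts whose keys mirror the 4738 and 4768 fields, as you would get from a SIEM export.

```python
"""Detect a temporary UPN swap around a smart-card logon by replaying
Windows Security events.

Added example; the events below are constructed for this article and the
field names follow the layout of event 4738 (a user account was changed)
and 4768 (a Kerberos TGT was requested). No real log was used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: which account legitimately held which UPN before
# the first event. In practice, take this from a directory snapshot.
BASELINE_UPN = {
    "alice": "alice@corp.example",
    "mallory": "mallory@corp.example",
    "bob": "bob@corp.example",
}

# Constructed events, already parsed. A 4738 logs only the NEW value of a
# changed attribute; untouched attributes appear as "-". Thumbprints are
# made-up hex strings, not real certificates.
EVENTS = [
    # mallory's own, legitimate smart-card logon (pre-auth type 16 = PKINIT)
    {"id": 4768, "time": "2013-10-21T21:55:00", "account": "mallory",
     "preauth": 16, "thumbprint": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"},
    # free up alice's UPN, then take it
    {"id": 4738, "time": "2013-10-21T22:01:10", "subject": "mallory",
     "target": "alice", "upn": "alice.tmp@corp.example"},
    {"id": 4738, "time": "2013-10-21T22:01:40", "subject": "mallory",
     "target": "mallory", "upn": "alice@corp.example"},
    # the same certificate now maps to alice
    {"id": 4768, "time": "2013-10-21T22:03:00", "account": "alice",
     "preauth": 16, "thumbprint": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"},
    # put everything back
    {"id": 4738, "time": "2013-10-21T23:30:00", "subject": "mallory",
     "target": "mallory", "upn": "mallory@corp.example"},
    {"id": 4738, "time": "2013-10-21T23:30:30", "subject": "mallory",
     "target": "alice", "upn": "alice@corp.example"},
    # benign noise that must not alert
    {"id": 4768, "time": "2013-10-22T08:00:00", "account": "bob",
     "preauth": 16, "thumbprint": "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233"},
    {"id": 4738, "time": "2013-10-22T09:00:00", "subject": "helpdesk",
     "target": "carol", "upn": "carol.smith@corp.example"},
    {"id": 4738, "time": "2013-10-22T09:00:05", "subject": "helpdesk",
     "target": "carol", "upn": "-"},
]

PKINIT_PREAUTH_TYPES = {15, 16, 17}   # certificate-based pre-authentication


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_upn_anomalies(events, baseline, revert_window=timedelta(hours=24)):
    """Replay 4738 UPN changes and flag two patterns:
    upn_moved    - a UPN value is assigned to an account other than the one
                   that last held it (the identity has been re-pointed);
    upn_reverted - an account gets back a UPN it lost less than
                   revert_window ago (a change made only to be undone)."""
    current = dict(baseline)                            # account -> UPN now
    last_holder = {u: a for a, u in baseline.items()}   # UPN -> last account
    lost_at = {}                                        # (account, UPN) -> when lost
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4738 or ev.get("upn") in (None, "-"):
            continue
        t, acct, new, who = _ts(ev["time"]), ev["target"], ev["upn"], ev["subject"]
        prev = last_holder.get(new)
        if prev is not None and prev != acct:
            findings.append({"kind": "upn_moved", "time": ev["time"], "account": acct,
                             "upn": new, "from": prev, "subject": who})
        lost = lost_at.get((acct, new))
        if lost is not None and t - lost <= revert_window:
            findings.append({"kind": "upn_reverted", "time": ev["time"], "account": acct,
                             "upn": new, "after": str(t - lost), "subject": who})
        old = current.get(acct)
        if old is not None and old != new:
            lost_at[(acct, old)] = t
        current[acct] = new
        last_holder[new] = acct
    return findings


def find_shared_certificates(events):
    """Return {thumbprint: [accounts]} for any smart-card certificate that
    obtained TGTs for more than one account. A certificate is issued to one
    person; two account names behind it means the mapping was changed."""
    accounts = defaultdict(set)
    for ev in events:
        if (ev["id"] == 4768 and ev.get("preauth") in PKINIT_PREAUTH_TYPES
                and ev.get("thumbprint")):
            accounts[ev["thumbprint"]].add(ev["account"])
    return {tp: sorted(a) for tp, a in accounts.items() if len(a) > 1}


if __name__ == "__main__":
    for f in find_upn_anomalies(EVENTS, BASELINE_UPN):
        print(f)
    for tp, accts in find_shared_certificates(EVENTS).items():
        print(f"certificate {tp[:8]}... used by {', '.join(accts)}")
```

On the constructed sample, the replay reports alice's UPN moving to mallory and back, both accounts regaining their original UPN about an hour and a half later, and one thumbprint behind two account names, while the help desk's ordinary rename of carol and bob's normal logon produce nothing. The shared-thumbprint check is the stronger signal because it does not depend on knowing the baseline; the UPN replay is what tells you who made the change.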

What works better?

What’s more effective at preventing attacks than two-factor authentication? Almost everything else. I always tell clients to start by analyzing how they were successfully compromised (usually either poor patching or social engineering), then implement solutions that directly address the attack vectors.

If you do your homework, you’ll see that smart cards are good, but not great defenders of the enterprise. Nearly everything I’ve said here applies to most other forms of two-factor authentication. They have their pluses and minuses. If you’re involved in a similar project, don’t let anyone oversell the solution.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.