Accueil > Blog > Mifare Classic as a crisis management case

Mifare Classic as a crisis management case

Week 12, 2008

The place where the story was uncovered was already controversial as it was the Chaos Computer Club Congress, an annual meeting of the international hacker scene.

For a couple of weeks, the noise level of the story remained low, and limited to Europe. Then, some journalists realized Mifare Classic, was not just an abstract name for whatever obscure chip, but used for many public transportation systems. The Dutch government was about to decide the implementation of Mifare Classic as the base of the OV-Chipkaart, a card that will allow to pay for all public transport in the Netherlands. Controversy increased, but was still limited. Then, the crisis spread out across a sea, when some commentators realized Mifare Classic was also the basis of the Oyster Card, used for years by Transports for London, and often cited as an example of efficient and well integrated payment system.

After a while, the news crossed the ocean. The American press picked it, and first focused on Boston CharlieCard, used for mass transit payment. From the time it has been leaked to the general public press, we've seen an increasing panic level, and, as usual, several mistakes over inflating the actual issue. For instance, several articles made a confusion between the security of the memory-based Mifare Classic, and the microprocessor based payment cards and ePassports.

What did NXP, the target of all attacks, do during this time? They applied the usual crisis management techniques. At first, they did not react instantly under fire. For 10 weeks, they remained silent, declining press demands for reactions. Then they made a technology-based response by announcing a new product "Mifare Plus", a lot more secure than Mifare Classic, as it runs AES 128 bit encryption, and will be Common Criteria EAL 4+ certified. And, only this week, NXP issued two statements, "information for end users", and "Information for system integrators", in which the company sends rational technology-based messages, reaffirming the principle of security based on a systems approach, and also reassuring about the rest of its product range. A good lesson in crisis management.

Thierry Spanjaard
Chief Editor
Smart Insights