Data Security

External attacks are typically aimed at the weakest link in a company’s security armor. The first place an external hacker looks is wherever the transmission of your data can be intercepted. In a smart card-enhanced system, this starts with the card.

The following sets of questions are relevant to your analysis:
• Is the data on the card transmitted in the clear or is it encrypted? If the transmission is sniffed, is each session secured with a different key?
• Does the data move from the reader to the PC in the clear?
• Does the PC or client transmit the data in the clear? If the packet is sniffed, is each session secured with a different key?
• Does the Operating System have a back door? Is there a mechanism to upload and download functioning code? How secure is this system? Does the OS provider have a good security track record?
• Does the card manufacturer have precautions in place to secure your data? Do they understand the liabilities? Can they provide other security measures that can be implemented on the card and/or module?
• When the card is subjected to Differential Power attacks and Differential Thermal attacks, does the OS reveal any secrets? Will the semiconductor utilized meet this scrutiny?
• Do your suppliers understand these questions?
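What a "yes" to the per-session key question looks like in practice, as an added example that is not part of the original page: card and reader each contribute a fresh nonce, and a message sniffed in one session fails verification in the next. The function names, the HMAC-SHA256 construction and the sample message are assumptions for illustration; the sketch covers message authentication only, not encryption.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output size


def derive_session_key(master_key: bytes, card_nonce: bytes, reader_nonce: bytes) -> bytes:
    """Per-session key: both sides contribute a fresh nonce, so neither can force reuse."""
    return hmac.new(master_key, b"session-key" + card_nonce + reader_nonce,
                    hashlib.sha256).digest()


def seal(session_key: bytes, counter: int, payload: bytes) -> bytes:
    """Authenticate counter || payload under the session key."""
    tag = hmac.new(session_key, counter.to_bytes(4, "big") + payload,
                   hashlib.sha256).digest()
    return payload + tag


def open_sealed(session_key: bytes, counter: int, message: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies for this session and counter, else None."""
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(session_key, counter.to_bytes(4, "big") + payload,
                        hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    master = secrets.token_bytes(32)       # constructed stand-in for the card's stored key
    k1 = derive_session_key(master, secrets.token_bytes(8), secrets.token_bytes(8))
    k2 = derive_session_key(master, secrets.token_bytes(8), secrets.token_bytes(8))
    sniffed = seal(k1, 0, b"DEBIT 25.00")  # constructed message captured in session 1
    return {
        "same_session": open_sealed(k1, 0, sniffed),
        "replay_next_session": open_sealed(k2, 0, sniffed),
        "replay_same_session_later": open_sealed(k1, 1, sniffed),
        "keys_differ": k1 != k2,
    }


if __name__ == "__main__":
    print(demo())
```

If the same key were used for every session, the replayed message would verify; that is the weakness the question is probing for.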

Other types of problems that can be a threat to your assets include:
• Improperly secured passwords (writing them down, sharing)
• Assigned PINs and the replacement mechanisms
• Delegated Authentication Services
• Poor data segmentation
• Physical Security (the physical removal or destruction of your computing hardware)