The plastic card in which the chip is embedded is fairly flexible. The larger the chip, the higher the probability that normal use could damage it. Cards are often carried in wallets or pockets, a harsh environment for a chip. However, for large banking systems, failure-management costs can be more than offset by fraud reduction.
If the account holder's computer hosts malware, the smart card security model may be broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the application.
Man-in-the-browser malware (e.g. the trojan Silentbanker) could modify a transaction, unnoticed by the user. Banks like Fortis and Belfius in Belgium and Rabobank ("random reader") in the Netherlands combine a smart card with an unconnected card reader to avoid this problem. The customer enters a challenge received from the bank's website, a PIN and the transaction amount into the reader; the reader returns an 8-digit signature. This signature is manually entered into the personal computer and verified by the bank, preventing malware from changing the transaction amount.
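The following is an added illustration of the unconnected-reader scheme described above; it is not code from the article or from any of the named banks, whose readers implement EMV-CAP rather than the simplified construction used here. It assumes a per-card secret shared with the issuing bank, an 8-digit code derived by truncating an HMAC over the challenge and amount (an assumption, not the real derivation), and one-shot challenges so that a captured code cannot be replayed. The point it demonstrates is that malware on the PC can change the amount it submits, but cannot produce a valid code for the changed amount because the reader that holds the secret never talks to the PC.

```python
"""Constructed model of a bank challenge / unconnected reader / 8-digit transaction code."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def transaction_code(card_secret: bytes, challenge: str, amount_cents: int) -> str:
    """8-digit code binding the bank's challenge to the amount the customer typed on the reader.
    Assumption: HMAC-SHA256 truncated modulo 10**8 (real EMV-CAP derivation differs)."""
    msg = f"{challenge}|{amount_cents}".encode()
    mac = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class UnconnectedReader:
    """Card-in-reader side. It has no link to the PC, so PC malware cannot reach the secret."""

    def __init__(self, card_secret: bytes, pin: str):
        self._secret = card_secret
        self._pin = pin

    def sign(self, challenge: str, pin: str, amount_cents: int) -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None  # wrong PIN: no code (real cards also count attempts and lock)
        return transaction_code(self._secret, challenge, amount_cents)


class Bank:
    """Bank side: issues random one-shot challenges and recomputes the expected code."""

    def __init__(self, card_secrets: Dict[str, bytes]):
        self._secrets = card_secrets          # constructed: issuer's copy of each card secret
        self._pending: Dict[str, str] = {}    # account -> outstanding challenge

    def issue_challenge(self, account: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[account] = challenge
        return challenge

    def verify(self, account: str, amount_cents: int, signature: Optional[str]) -> bool:
        challenge = self._pending.pop(account, None)  # consumed on first use: replays fail
        if challenge is None or signature is None:
            return False
        expected = transaction_code(self._secrets[account], challenge, amount_cents)
        return hmac.compare_digest(expected, signature)


def run_transfer(bank: Bank, reader: UnconnectedReader, account: str,
                 intended_cents: int, submitted_cents: int, pin: str = "1234") -> bool:
    """The customer signs intended_cents on the reader; the PC submits submitted_cents.
    When the PC is honest the two are equal; a tampered submission is rejected by the bank."""
    challenge = bank.issue_challenge(account)
    signature = reader.sign(challenge, pin, intended_cents)
    return bank.verify(account, submitted_cents, signature)


if __name__ == "__main__":
    secret = b"constructed-card-secret-1"  # constructed sample key
    bank = Bank({"acct-1": secret})
    reader = UnconnectedReader(secret, "1234")
    print("honest PC accepted:", run_transfer(bank, reader, "acct-1", 5000, 5000))
    print("tampered amount accepted:", run_transfer(bank, reader, "acct-1", 5000, 999999))
```

The code is only as strong as what the customer actually types: the reader binds the amount entered on its own keypad, so the defence relies on the customer checking that figure rather than whatever the compromised screen displays.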
Smart cards have also been the targets of security attacks. These attacks range from physical invasion of the card's electronics to non-invasive attacks that exploit weaknesses in the card's software or hardware. The usual goal is to expose private encryption keys and then read and manipulate secure data such as funds. Once an attacker develops a non-invasive attack for a particular smart card model, he is typically able to perform the attack on other cards of that model in seconds, often using equipment that can be disguised as a normal smart card reader. While manufacturers may develop new card models with additional security, it may be costly or inconvenient for users to upgrade vulnerable systems.
Tamper-evident and audit features in a smart card system help manage the risks of compromised cards.
Another problem is the lack of standards for functionality and security. To address this problem, The Berlin Group launched the ERIDANE Project to propose "a new functional and security framework for smart-card based Point of Interaction (POI) equipment".