Smart cards aren't perfect. Intruders can attack them despite their design and tamper-resistant features. Smart cards are still subject to human carelessness, primarily with regard to the personal identification number (PIN). The risks are similar to those of passwords. For example, some people keep their PINs in their wallet, and some people simply lose them. Some people choose poor PINs that a savvy attacker can guess in three tries. But smart cards remain an improvement over passwords because of their two-factor authentication—you need the physical card in addition to the PIN. People are accustomed to protecting plastic cards, and they typically appreciate the risks involved because those risks affect their pocketbooks.
But more esoteric ways to attack smart cards exist. For example, by analyzing a smart card's power consumption while it performs its functions (a technique known as power analysis), researchers have learned how to extract a smart card's supposedly secret key. Smart card usage involves many entities: cardholder, card issuer, PC/terminal, and manufacturer. Depending on the usage scenario, these entities can attack one another by taking advantage of the trust assumptions the system necessarily makes. For more information about smart card vulnerabilities, see Bruce Schneier and A. Shostack's article "Breaking Up Is Hard to Do: Modeling Security Threats for Smart Cards" at http://www.counterpane.com/smart-card-threats.html.
One exciting development in the smart card arena involves the potential to combine biometrics and smart cards. Biometrics, such as fingerprint authentication, doesn't readily lend itself to PKI the way smart cards do because a biometric isn't inherently linked to a private key. But vendors are promoting readers and smart cards that will use biometrics instead of a PIN to authenticate the user. Coupling these two technologies replaces the human error factor with something much more reliable. With PIN-based smart cards, anyone holding the card can gain entry simply by knowing or guessing the legitimate user's PIN. With biometric-based smart cards, the cardholder must be the legitimate user or must coerce the legitimate user into performing the authentication.