Many companies react to APT (advanced persistent threat) attacks by implementing smart cards and/or other two-factor authentication mechanisms. Unfortunately, these schemes do nothing to stop APT. In fact, in my experience as a consultant, every organization that tried closing the barn door in this manner was successfully attacked again, despite putting two-factor authentication in place.
If they'd only talked to me first, I could have saved them a lot of time and money.
What makes smart cards so special?
A smart card is a piece of specialized cryptographic hardware that contains its own CPU, memory, and operating system. Smart cards are especially good at protecting cryptographic secrets, like private keys and digital certificates.
Smart cards may look like credit cards without the stripe, but they're far more secure. They store their secrets until the right interfacing software accesses them in a predetermined manner, and the correct second factor PIN is provided. Smart cards often hold users' personal digital certificates, which prove a user's identity to an authentication requestor. Even better, smart cards rarely hand over the user's private key. Instead, they provide the requesting authenticator "proof" that they have the correct private key.
After a company is subjected to a pass-the-hash attack, it often responds by jettisoning weak or easy password hashes. On many occasions, smart cards are the recommended solution, and everyone jumps on board. Because digital certificates aren't hashes, most people think they've found the answer.
Why smart cards aren't infallible
Smart cards may not present a hash as the authenticator, but behind the scenes a password hash representation is almost always still involved. This is true in most Microsoft Windows systems where smart cards are accepted. That password hash can be stolen -- which means a smart card user's identity can be lifted and reused.
This surprises people. I don't blame them -- much of the world, including self-appointed experts, gets it wrong all the time. For example, a few weeks ago a new client (and now friend) of mine texted me that a presenter at a well-known Chicago security conference was telling attendees to use smart cards because they don't need hashes to defeat APT. I wish I could have debated the presenter in person.
It's not that smart cards fail to reduce risk or add security to an environment. They do -- but not as much as most people think. For one thing, a very small percentage of successful attacks care about authentication. If you add up all the attacks that involve bypassing authentication (password guessing, cracking, MitM attacks, replay attacks, and so on) as the initial compromise, they probably amount to less than 1 percent of total breaches.
Most successful attacks happen because of unpatched software or because the user is tricked into running something they shouldn't. Smart cards won't help there at all. In the majority of effective attack scenarios, the bad guy gains access to the user's computer and can then authenticate as the user as if they had the smart card. Smart cards prevent access by fraudsters during the user's legitimate logon session, but after that (when most attacks happen), it's game over. Thanks for playing.
Once the smart card user's computer is compromised, it is entirely possible for bad guys to steal the user's credentials and do whatever they want with them. This can be accomplished in a number of ways, including by manipulating the card's client software (known as a cryptographic service provider in Windows), copying the digital certificate out of the local cache (if present), and keylogging the user's PIN (if requested).
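Because a password hash still sits behind every smart card account on Windows, one hygiene check a defender can run is to see how long those hashes have gone unchanged. The script below is an added example, not code from the original column; it assumes a Windows domain, the RSAT ActiveDirectory module, and an assumed staleness threshold (MaxAgeDays).

```powershell
# Added defensive check, not from the original column.
# Assumes: Windows domain, ActiveDirectory PowerShell module, and that an
# account's PasswordLastSet reflects when its underlying password hash was
# last changed. MaxAgeDays is an assumed threshold, not a Microsoft default.
param(
    [int]$MaxAgeDays = 90
)
Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)

# Accounts flagged "Smart card is required for interactive logon" still
# carry a password hash on the domain controller. Report each one with the
# age of that hash, flagging any older than the threshold (or never set).
$stale = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet |
    ForEach-Object {
        $age = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            HashAgeDays     = $age
        }
    } |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff }

$stale | Sort-Object HashAgeDays -Descending | Format-Table -AutoSize
```

Clearing and re-setting the smart card required flag on a stale account gives it a fresh random hash, which limits how long a lifted hash stays usable.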