Digital Transactions Authoritative, insightful and timely information for payments professionals
By Digital Transactions News Staff
Gemalto NV, one of the largest manufacturers of SIM cards for mobile phones and a key vendor for U.S. payment card producers as the nation converts to the EMV chip card standard, suddenly has found itself in the middle of a spy scandal involving the National Security Agency and its British equivalent, the Government Communications Headquarters (GCHQ).
An online news site devoted to divulging information from NSA whistleblower Edward Snowden published a report Thursday saying that in a joint operation begun in 2010, the GCHQ, with support from the NSA, remotely penetrated Gemalto’s computer network and stole the encryption keys that secure SIM cards that run mobile phones. With those keys, the electronic spy agencies reportedly would be able to monitor much of the world’s cellular voice and data communications.
But Amsterdam-based Gemalto on Monday issued a brief statement saying that its products “are secure.”
“Gemalto…is devoting the necessary resources to investigate and understand the scope of such sophisticated techniques,” the statement says. “Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the company doesn’t expect to endure a significant financial prejudice.”
Gemalto said it will have more to say on Wednesday, when it will have a press conference at 10:30 a.m. Paris time.
The allegations came in a story by The Intercept, a unit of First Look Media, dubbed “The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle.”
“With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” the story says. “Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”
Gemalto was “totally oblivious” to the hack, according to The Intercept, which quoted a company executive saying he was “disturbed, quite concerned.”
The Intercept said the GCHQ would not comment specifically about the alleged Gemalto incident, but said its broader terrorism-tracking operations comply with British law and the European Convention on Human Rights. The NSA declined to make any comment.
Though the report does not address the payments implications of the hack, SIM cards act as the secure element in a number of mobile-payments services, including those offered by Apple Inc.'s Apple Pay and the Softcard venture from AT&T Inc., Verizon Communications, and T-Mobile USA.
