by kxo 4148 days ago
TOTP and HOTP have been standards for how long now? (HMAC has been in papers since 1997 or earlier, HOTP since 2005)

We have 2FA devices like the Yubikey (https://www.yubico.com/prodcts/yubikey-hardware/) that are so incredibly small. Why is this not something you'd implement via RFID challenge/response to stop any attack?

1 comment

I was puzzled by this too, and surprised at how simple it was. Remember during the 90s we had ISO7816 cards that were a lot more difficult to attack (for instance, payphone cards permuted a challenge from the phone with a shared secret and a secret algorithm, and additionally had some good anti-reading protection and an irreversible counter).

As far as I know all the technology able to fit in a 7816 card has been put into contactless cards too.

I think that carmakers are lazy: they go to a vendor who designs a system with off-the-shelf parts and implements it poorly, and we end up with our $30,000 car secured by a PCF7930 or something weaker, and if it has security features they are not fully utilized.

I think they also have to design these things within the constraints of being able to service them in the field and not upsetting the customer. The vendor doesn't want to be responsible for a bunch of cars not working if reliability is low, and carmakers wouldn't want the bad press. On the other hand, when criminal activity is involved, it's real easy to blame the criminal.
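The HMAC challenge/response the question asks about and the irreversible counter the comment mentions, as an added example that is not from this thread or from any vendor's product: the `hotp` function follows RFC 4226, while `KeyFob`, `CarReader`, SHA-256 for the response and the 16-byte challenge are assumptions made for illustration.

```python
# Added example (not from the HN thread): RFC 4226 HOTP plus an HMAC-based
# challenge/response between a car reader and a key fob. The car issues a
# fresh random challenge, the fob answers with HMAC(secret, challenge || counter),
# and the car only accepts strictly increasing counters, so a captured
# response cannot be replayed. KeyFob/CarReader and SHA-256 are assumptions.
import hmac
import hashlib
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class KeyFob:
    """Token side: answers a challenge with HMAC(secret, challenge || counter)
    and never reuses a counter value (the 'irreversible counter')."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def respond(self, challenge: bytes) -> tuple:
        self.counter += 1
        msg = challenge + struct.pack(">Q", self.counter)
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


class CarReader:
    """Verifier side: fresh random challenge per attempt, constant-time
    comparison, and the counter must strictly increase (blocks replay)."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self.last_counter = 0

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, counter: int, response: bytes) -> bool:
        if counter <= self.last_counter:
            return False  # replayed or stale response
        expected = hmac.new(self._secret, challenge + struct.pack(">Q", counter),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False  # wrong secret or response bound to another challenge
        self.last_counter = counter
        return True
```

With the RFC 4226 test secret `12345678901234567890`, `hotp(secret, 0)` is `755224` and `hotp(secret, 1)` is `287082`.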