What About "Smart" Credit Cards?

Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"

The Card knows...

[BiggestPOS]

When you are about to make a stupid purchase, and then renders the numbers invalid. For example, if you try and pick up the Waterworld DVD, now only will the card not work, it will also kick your ass. Really handy if I say so :)

Re:The Card knows...

[Swaffs]

Are you kidding me? Stupid purchases are how credit card companies make money. The whole idea is that you can buy whatever you want without worrying about whether or not you actually have the money to pay for it, and without committing the actual act of forking over cash and emptying your wallet, which might cause you to think twice.

Re:The Card knows...

[drsoran]

Then along came someone else with a devious scheme of giving you the convenience and speed of making stupid purchases like a credit card bundled with the wallet-emptying feeling of a check or cash. All hail the debit/check card!!! :-)

Re:The Card knows...

[abrents]

the oil field services company called schlumberger makes these cards. their link is www.slb.com

Re:The Card knows...

Please! How bad was Waterworld? Was it as bad as Howard The Duck ?

Was Armageddon better? I don't see how it was any worse than a lot of the movies the people rave about every day. Cmon was Waterworld worse that Escape From LA? Could it be worse than any slasher movie.

Is it possible that it's worse that a movie where sharks are smarter than LL Cool J? I think not!

Re:The Card knows...

[ncc74656]

Then along came someone else with a devious scheme of giving you the convenience and speed of making stupid purchases like a credit card bundled with the wallet-emptying feeling of a check or cash. All hail the debit/check card!!! :-)

I don't know about you (or most other people), but I sure as hell know the source of the $$$ linked to my check card. It doesn't get treated like a credit card. (Then again, I'm nowhere near as care[less|free] with my credit cards as before...there's a huge balance I want to get out from under.)

I thought the big deal with "smart cards," though, was that they were supposed to be usable as stored-value cards. I've never seen a good reason for their existence. Having one is touted as being not much different than carrying cash. Carrying a large wad of money—or the equivalent in a "smart card"—is the last thing I want to do. I carry as little cash as possible...typically no more than $20. I pay for nearly everything with a check card; the cash pays for those few places (fast-food joints and such) that either don't take check cards or charge a fee for their use. If I lose a check card or a credit card, I call the bank. They invalidate the old card and send a new one. If I lose a "smart card," it's just like losing cash—I'm fscked. I'd love to hear someone attempt to explain how this could possibly be a Good Thing.

Re:The Card knows...

[Mahonrimoriancumer]

I think that the credit card companies are already drooling over this, you give them money, lose the card, then fork over money to replace the card.

Re:The Card knows...

[Mahonrimoriancumer]

I bet the credit card companies are already drooling over this. You pay money for the card, and after you lose it, fork over more money just to replace it.

Re:The Card knows...

[sjwt]

im almost never in debt more then one weeks pay
on my credit card..

and that never takes more then 3 weeks to clear
off..

I cant understand ppl who can run up huge amounts.
I know a family that earns $150K.AU($70+K.US) a
year, there card is $30K.AU!!!!

allways...

Re:The Card knows...

Exactly. God knows I got myself into enough trouble with plain ol' stupid credit cards - couple of months with a smart one and the next thing I know I'll be an indentured servant to Visa for the next 30 years.

Did you know that Visa's corporate motto is "One World - One Currency: Visa." Dunno about you but to me that sounds like a declaration of war on, well, everybody.

Re:The Card knows...

It just happens. I ran up my debt during college when I was only making about $8-$10/hour US. I had a computer addiction and needed to buy shit so I would charge it. I always hovered around $5k-$7k in debt. Thankfully I've gotten that straightened out with a full time well paying job and can pay off what I charge from month to month without needing to get hit with finance charges.

Smart Cards wont stop stupid users

[ConsumedByTV]

As long as these cards are useable in a store of today it wont create any extra security. This will only create more to expolit all at one time.

Re:Smart Cards wont stop stupid users

[acrhemeied]

"I've never seen that happen."

"His body rejected the 'smart card'."

(From the Dilbert of 3/21/97, third panel: after a card flees for its life from the grasp of the pointy-haired boss.)

2600

[I_redwolf]

2600 had an article about this some time ago. I can't remember exactly what issue but it discussed the technical details of the card and what the chip does. Towards the end of the article the author sums it up by saying only time will tell whether this new chip is friend or foe but I digress.. I'll follow up with some more information if I find the issue.. somewhere.

Re:2600

[EvlPenguin]

As a long-time idler on irc.2600.net, believe you me: you shouldn't trust anything you read in that rag >:)

Re:2600

The issue of 2600 was Volume Fourteen, Number Four

Re:2600

[alexandre]

hrm, i have it in front of me and the only thing i see closly related to smartcards is the article about "The argentinian phone system" ?

Re:2600

Its Volume Eighteen Number one "The future of PKI"

Smart?

[Gunnery+Sgt.+Hartman]

These cards may be smart, but they won't keep you out of debt. They will probably drive you furthur into debt because you won't be afraid to use it because it is "secure". How smart is that?

Re:Smart?

[ZxCv]

If you ask me, it's incredibly smart from the credit card company's perspective...

And exactly who does smart refer to?

[xcomputer_man]

Are these cards called smart because somebody put a little electrical circuit in them, or is there a lot more going on with these "smart" credit cards than the average consumer knows? Credit cards are have always been evil - luring innocent and naive consumers and sinking them in irrecoverable debt. Perhaps they've just gotten cleverer at that.

Re:And exactly who does smart refer to?

[cheebie]

Actually, I make money off of my credit cards. I have one that give me 1% back for a $10/year fee. I pay for everything I can on that card and pay it off every month. Amount of fees I pay: $10/year. Amount of 1% kickback I get: about $100/year. Plus, I get to use their money for a month or so until the payment is due.

Then there's the 0% interest card I was offered. I put some of my other loans onto that card. When it comes due, I'll just pay it off. In the meantime, I get to use their money for free.

Credit cards are not evil. Using them unwisely is what is evil.

Re:And exactly who does smart refer to?

In short yes... but those little circuits do 3DES, Blowfish etc and also contains your private keys which means people can't swipe your cards (when they finally dump the magnetic strip anyway).

Basically the PDQ (CC machine) sends a challenge response and public key to the card from VISA etc... then it encrypts your details and sends them back to the processing house. It doesn't matter if the data is intercepted then finally decrypted since they contain time sensitive one time codes.

You also have PIN numbers which means they no longer have to rely on flaky signatures. If somebody gets their hands on your card it will be useless to them without the PIN. Of course, this only makes sense when the old system is phased old, since today you have the Chip and also the anachronistic swipe.

They've been using a similar system in France for years and their fraud rates are less than one tenth of the UK's, who went with the swipe system.

You find these cards used for all sorts of stuff in Europe, all GSM phones need one of these SIM cards to function, and of course you can put that SIM into another handset and that then becomes your phone. BT phone boxes also use them on Phone Cards, you can also stick your credit cards into these phones, even the swipe ones.

They've been used for analogue satellite for years and more recently the DVB digital satellites, I believe DirecTV use DVB. Digital Terrestrial uses them too (DVB-T), in the UK you need a card to watch the free-to-air digital channels, a way of enforcing TV licensing no doubt. Like the swipe, this only makes sense when they kill off the analogue signals in 2006.

I've seen them used for general security on EPOS systems and the like, I've even seen them on 'pay as you' go gas/electric meters, they fit these to houses where the occupant has trouble paying bills, no card, no electric, so it stops the utility companies getting shafted.

Re:And exactly who does smart refer to?

Is that a mastercard/visa? Discover Card, of course, gives you a 1% kickback with no fee, but there's quite a few places where it can't be used.

Re:And exactly who does smart refer to?

[drDugan]

amex membership rewards is the best rewards program I've found. its free on gold cards (which are $75 a year) and I think you can add it to any other amex card. We've gone to disneyworld a few times on membership rewards points.

Re:And exactly who does smart refer to?

Not many places these days don't take Discover if they take Mastercard and Visa.

Re:And exactly who does smart refer to?

(which are $75 a year))

How can that be good?

Re:And exactly who does smart refer to?

[Nugget94M]

It's a good deal as long as you get more than $75 worth of value from the benefits provided by carrying the card. The Amex Gold and Amex Platinum (which runs $300/year in annual fee) can return tenfold this amount in value to some people.

From what I've seen, the majority of perks and benefits associated with the premium American Express cards seem targeted at consumers who travel frequently. If you travel for work, these cards can be a great deal.

Re:And exactly who does smart refer to?

Citibank Dividend cards offer 1% cash back with no annual fee. If you have good credit you can probably get a decent APR too, I got 8.9% when I threatened to leave them. That's less than my margin interest!

Re:And exactly who does smart refer to?

Oh yeah, another cool thing is you can get your credit line increased online without talking to anyone, and they have autopay which can automatically pay the entire balance every month. When you're shopping for a credit card don't forget that credit card companies make money even if you don't keep a balance, they get a % from the merchant every time you make a purchase.

Re:And exactly who does smart refer to?

The smartness is, that You cannot make a working copy of the card. Ordinary magnete stripe a easy to copy with equipment costing less the 20 $.

Re:And exactly who does smart refer to?

The touted advantage that one would only have to carry one card, has failed to appear though.

Re:And exactly who does smart refer to?

Indeed... but it's not required some time, I don't want to take my 2cm x 2cm SIM card out my phone every time I want to make a purchase.

If only the sales reps were as smart as the cards

[EvlPenguin]

Just last week I recieved a phone call from a young lady quite eager to sign me up for a new Vis a card with a built in smart chip. But first, I had a question:

Me: "Yes, well, before I sign up, I'd like to know; is that smart chip silicon based or germanium based?"
Her: "...uhm... excuse me?"
Me: "Well, if a company doesn't know this kind of basic information about the products they are selling, that's not a company I would do buisness with. Good day."

Needless to say, they have yet to call back.

good info at gemplus.com

[dgp]

gemplus.com, a leading smartcard manufacturer, has some good info on smartcard technology.

It's a gimmick

[Logic+Bomb]

As far as I can tell, these "smart cards" do nothing at all. Keep in mind that reader hardware is needed for the little embedded chips, and until such hardware becomes ubiquitous no one can do anything with any data that someone bothered to put on there. My university actually tried doing this exact thing with its student ID cards for a couple years, and the only use it could find for it was as a rechargeable stored value system. They dropped it because it wasn't all that useful and it raised the cost of the cards from like $7 to $20 to replace. I guess that these cards might be a good way to use small amounts of electronic money, but considering one is already doing just that -- it's a credit card, remember? -- I don't see the point. I guess people could store basic commonly-needed information like a health insurance policy number on them, but again, unless access technology is widely available this is just a gimmick.

Re:It's a gimmick

[acrhemeied]

I had always assumed that the little chip did something to dynamically change the value of the magstripe (by the way, does anyone know how much data a standard-sized stripe can hold?)..

What's the point of storing data in a little easily-lost plastic sliver when you can instead store it in big redundant mainframes?

Re:It's a gimmick

[Logic+Bomb]

Er... from reading other comments I've noticed that the "smart card" approach goes in two directions. American Express' "Blue" program and some others I've seen put little memory chips in the middle of their cards and call them "smart," and then there are companies who attach various services to the existing credit card number. I was obviously referring to the memory chip cards in my first comment. As for the other kind, well, I'd say it's pretty much Microsoft Passport with a better existing infrastructure when it comes to uses in non-Internet situations.

Re:It's a gimmick

[aka-ed]

My smart card came with a free reader and serial cable, so I could use it on the internet - use the card occasionally in the real world cause of the low intro APR...haven't done anything with the reader yet, still in the box... Any suggestions?

Re:It's a gimmick

[phillymjs]

As far as I can tell, these "smart cards" do nothing at all.

Sure they do, they make a bunch of unwashed Windows users think they're 31337 because they have a credit card with a computer chip in it.

That's right, just Windows users. Oh you thought Macs and Linux might be supported? Fat chance! AmEx Blue has been promising Mac support Real Soon Now since their card debuted two years ago, but now they don't even mention it on their system requirements page anymore. The promised Mac support was one of the reasons I got the Blue card, along with the 'added security'-- but their security is a joke in general. There was significant fraud perpetrated with my account number before I even got the card, and it did not involve identity fraud or interception of my postal mail.

VISA's smart cards also offer bupkis in the way of non-Windows support.

~Philly

Re:It's a gimmick

[NetGuruFL]

"(by the way, does anyone know how much data a standard-sized stripe can hold?).."

About 140 bytes. "Smart cards" typically have anywhere from 1KB to 32KB. Not counting those newer optical ones which hold about 5MB.

Re:It's a gimmick

[dave256]

My VISA Smart Card came with a reader. The pcsc packages, happily found at Freshmeat and RPM'd for my lazy butt, worked fine. That's right. I could put my card in. Type in the little access key (I presume the entire authentication method is a public key / private key thing) and got back my CC number.

It was very thrilling.

Re:It's a gimmick

[stueyb]

"I guess that these cards might be a good way to use small amounts of electronic money, but considering one is already doing just that -- it's a credit card, remember? -- I don't see the point."

The point is that you dont require a data network to authorise a transaction, which means that transaction processing costs are reduced.

Re:It's a gimmick

[Mojojojo+Monkey+Inc.]

Does it come with windows-only software? If it does, lose that zero and get yoself a hero, honey!

Re:It's a gimmick

I do some development work with SmartCards in Australia, one of the big benifits that we find is that you can conduct transactions without a connection to the bank/credit card company etc. Your system records it, and the card records it. Next time either one comes into contact with a connected machine, everything is synchronised.

Re:It's a gimmick

[aozilla]

The point is that you dont require a data network to authorise a transaction, which means that transaction processing costs are reduced.

You certainly need a data network unless you intend to eat the cost if it turns out the card was stolen.

Gee, that sounds exactly the same way it is now.

Re:It's a gimmick

i seem to recall back in the eighties they didn't require a data network either! instead they used those funky things about 4 in wide and 11 in long that you stuck the card in, put a couple peices of paper in and then ran a nother thing over them. you know what i'm talkind about? i don't remember what they are called but i'm sure that they can still be used today.

to bad i don't remember what there called....

Re:It's a gimmick

[eric17]

Well, they'll need the PIN, which I assume they can get by beating it out of you in a dark alley. When the cards get smart, the robbers get brutal....

Re:It's a gimmick

[aozilla]

Or by looking over your shoulder when you type it in, or by using a trojan device when you purchase something, etc. Hopefully your card self-destructs after X failed attempts, or it will be trivial to brute force the PIN out of it with a hacked up POS terminal.

Don't get me wrong, this is a somewhat useful incremental improvement. I only hope that it isn't trusted too much. I carry around credit cards because I know that I'm limited to a $50 loss in the worst case scenario. In theory if the authentication is done offline your (the merchant? the credit card company? the card holder?) potential loss is unlimited.

Re:It's a gimmick

Think "cash card" not "credit card". Having
a card like this $100-$200 will rock provided
you have point-of-sale systems in enough places.

Cash cards are anonymous. Credit cards aren't. For transactions that I don't want tracked, I'd use
cash or its card equivalent.

The problem I have with cash-cards is the inability
to have anonymous card-to-card transfers.
Europe is so far ahead of us in this area its
silly.

ciao

Europe

[crankyspice]

has had smartcard technology for quite some time. Their civilization has yet to crumble because of it. A friend of mine was working on the Java code for a certain smartcard implementation while he was at RSA, and though he was never able to reveal specifics, he didn't feel it was too sinister. Corporate yes, and therefore sinister to most, but not anymore so than the rest of today's world...

Perhaps someone who was at the HAL workshop can give the hacker's perspective?

my opinion

[unformed]

Anyone know the technical details of these cards? The privacy aspects?

Simple answer: More convience = less privacy = less security (for most cases)

What I find really interesting is the credit card one-time deals (don't know a link to information, if anybody does, please help out) but the gist of it was that: you'd sign up with a credit card with, say, Visa. Then when you're about to buy something on the internet you get a temporary credit card number from Visa that only has a certain amount available on its balance.

Security-wise it's great, since if anybody gets that number, no big deal, since they can't use it. Privacy-wise it wouldn't be hard to make it not require any personal details. (Since it's a temporary number issued on deman, it's almost safe to assume it's not stolen (possibly ask for a name or something like that))

Re:my opinion

[Syberghost]

OTOH, smart cards have to become ubiquitous before it will be possible to build the ultimate private solution:

A smart card that you buy in your local store for cash, which has a pre-encoded amount built in and a small identification system (even a PIN would be fine for this) that allows you to secure it so only you can use it.

No point in anybody stealing it because they can't use it, and nobody can see how much cash is in it, so no more profiling you based on how much cash is in your wallet.

Re:my opinion

[omega9]

You're on the right track, but not quite there. When you're about to make an online purchase (actually, it doesn't only apply to online purchasing), you first have VISA create a temporary number which is only valid for a single purchase. Once you've used it it doesn't matter who gets their hands on it.

Re:my opinion

[unformed]

Right, that's what I said.
Then when you're about to buy something on the internet you get a temporary credit card number from Visa that only has a certain amount available on its balance.

Guess you explained it better though.

Re:my opinion

[gorf]

It isn't so simple, because when the card becomes widespread (if it becomes widespread), then someone will figure out how to make these cards, and will be able to purchase things for nothing.

Then the information will get distributed on the internet, and the company who made the `technology' will start suing everyone in sight (VISAA? American Express AA? :-)

Of course, the technology currently exists to use encryption to make this impossible, but how do we know that the card uses it?

Re:my opinion

[Jace+of+Fuse!]

The privacy aspects?

If you have any uncertainty about your privacy, you should check out this statement.

Re:my opinion

[clevershark]

Actually shouldn't it be "just because you are paranoid doesn't mean they're not watching you"?

Re:my opinion

That statement changes from time to time. But, yes. Think you are right.

Re:my opinion

[SumDeusExMachina]

In regards to your sig linking to OpenBSD ISOs: the OpenBSD project doesn't distribute ISOs for a reason. They need the money to continue their work on new hardware, and that kind of money comes mainly from CD sales. Please don't be an open source leech and take without giving. Show a little consideration.

Re:my opinion

[roju]

Of course, if someone has a gun to your head, you're gonna tell them your PIN. And assuming they can remember 4 digits, then you're still just as fucked if it was cash.

Re:my opinion

[aozilla]

Huh? This doesn't require encryption if the numbers are stored in a central database.

Re:my opinion

[stantron77]

American Express was the first to do this I think. They have an option called private payments where you go to their site and get a number for one time use.

Re:my opinion

[meldroc]

If the credit card companies were smart enough to hire decent cryptographers, they could put together a standard using public key crypto & digital signatures. If done right, it would be very difficult to forge cards or make purchases with stolen cards (key revocation protocol could make a compromised card unusable.) Of course, that assumes that the credit card companies wanted to take the trouble to do it right, rather than using ROT-13.

I don't see why the credit card companies start putting together a scary ad campaign showing people with conventional credit cards getting ripped of, then saying "Don't let this happen to you, get our ultra secure smartcards." Then they could show an "evil hacker" trying to use the new cards, and getting nothing but "TRANSCATION DENIED." messages.

The merchants have enough motivation to want a more secure solution - every time a credit card transaction is rejected, they get slapped with a stiff chargeback fee and have to eat the loss. Consumers are only liable for fifty dollars if the report the card as stolen promptly, so they would find that having to switch to a new card is a big pain. The credit card companies have no motivation to do this, since that pass the fraud losses to the merchants, and collect chargeback fees on top.

Re:my opinion

[Syberghost]

It isn't so simple, because when the card becomes widespread (if it becomes widespread), then someone will figure out how to make these cards, and will be able to purchase things for nothing.

So? The amounts will be encoded like a check. You'll only be able to cash a given packet once, and the central authority that clears them will have a record of which ones are valid. They'll be digitally signed. This problem was solved decades ago. Read Applied Cryptography.

Of course, the technology currently exists to use encryption to make this impossible, but how do we know that the card uses it?

By the lack of the issuing company going bankrupt from the massive losses. Anybody who doesn't know better than to do this wrong deserves what will happen to them in production.

Re:my opinion

[Syberghost]

In regards to your sig linking to OpenBSD ISOs: the OpenBSD project doesn't distribute ISOs for a reason. They need the money to continue their work on new hardware, and that kind of money comes mainly from CD sales. Please don't be an open source leech and take without giving. Show a little consideration.

Information wants to be free. It doesn't want to be $30.

If the project can't survive without selling a proprietary component, perhaps it should look at the other projects that are doing just fine without this restriction and ask what they're doing right.

Re:my opinion

[thogard]

I used to work for a CC comapny on the SET project. It had great crypto. The best you could get (RSA stuff) and it even had the NSA's blessing. Off thing is theres a bit of a hole in the system. In fact its a big enough hole that you could steal a truck with it. The end result is SET is dead and they bad crypto will be recycled.

Chip cards aren't fast enough to do real crypto and still be useable to the American consumer.

Re:my opinion

[spudnic]

Unless they're going to hold you hostage until they try it, just lie.

Re:my opinion

[RFC959]

This is why certain high-security systems have a "panic code" - an alternate code that will authorize the user, but will also set off an alarm somewhere else. (Of course, as a sysadmin, I'm inclined to sourly suspect that 99% of the alarms end up with the user saying, "Well, I forgot my passcode, so I just used the alternate one...")

If you were smart...

[Ridge]

You would not use a credit card.

The average family in credit card debt carries a balance of $4000 on several cards from month to month.

I like to replace the words 'credit card' with 'loan shark'.

Re:If you were smart...

If you were actually smart, you would use them and pay off your balance in full each month. That results in the CC company giving *you* an interest-free loan.

Running a balance is definitely a sucker bet, though, and stay away from cards with an annual fee.

Re:If you were smart...

[langer8191]

The average family...

Don't be an average family.

Re:If you were smart...

[jroysdon]

In addition to the comments other have made about not carrying a balance, I'll add:

Have you tried to do anything lately without a credit card? Order an airline ticket, buy something online, reserve a hotel room, rent a car.

Yes, there are ways around some of it, but it's a *major* hassle.

Re:If you were smart...

that's cause its the MARK OF THE BEAST! 666! first we eat the pig and then together we BUUURRRRNNNNN!!!!

Re:If you were smart...

It feels odd to read text like this. I use a bank card to all most everythink I buy. And it's the normal way here in Finland. The basic bank card is not a credit card, Your account is charged abt immediately, and You've better have a positive saldo. The Visa can also be included in the card and then you must deside which to use on every time you pay.

Re:If only the sales reps were as smart as the car

Sales Rep = Someone earning $8.50 an hour, just trying to do his/her job.
You = A genuine rapier-witted genius who must feel really good about himself for demeaning the sales-rep.

Well-Done!

Run...

[SpaceLifeForm]

Just runaway now!
It's those damn marketing folks out of control again.
They just want to track all of your habits via cross-referencing to a central database.
It's just like tracking your IP across websites, except they'll know for certain that you really will spend money at those businesses.

Smart Cards

[neurovish]

From what I remember, reading about the chips awhile ago (no idea what website), the danger doesn't really seem any more than that of the magnetic stripe as far as privacy goes. The chip pretty much behaves the same as the magnetic stripe, but with a greater capacity. One thing the chip can do which the magnetic stripe cannot however is store algorithms for something along the lines of encryption, which would seem to only make the card more secure. The actual functionality of the chips varies though, most of the major chip manufacturers make them with different specs. The beefiest I remember seeing was a mitsubishi chip which pretty much had the same capabilities as a microcontroller when inserted into the correct reader.

Re:Smart Cards

Actually, from what I've heard/read, the smart cards do not have any sort of power source on the card. Therefore the card must draw it's power from the terminal it is being used on. This in turn makes the card VERY suceptible to clandestine attacks that monitor the power consumption of the card. Using this kind of attack, and watching the minute fluctuations in power usage, the terminal can actually determine which type of operations are being performed and as a result can extrapolate your private key. It only takes approxiamtely 10000 encryption/decryptions to determine your private key ( which can be done within a matter of seconds ).

Therefore, the encryption on the smart card is completely insecure.

Realistically, the security of the card is only as strong as your trust in the vendor that you are purchasing from ( how much you trust that the vendor is not attempting this kind of clandestine attack ).

Since the security is only based on trust, then placing encryption algorithms on the card is somewhat redundant.

So my conclusion is : BUYER BEWARE.

Online security

[omega9]

If you sign up for a "smart card" you are supposed to be able obtain a desktop reader from your issueing bank (looks similar to the desktop compact flash readers) that plugs into the back of your PC. When you're making an online purchase you slide your card into the reader which authenticates you as the card holder.

I'm in a hurry or I'd throw up links. I just noticed this hadn't been explained yet. Ta Ta!

Providian Visa. Do not fall for it!

[CiXeL]

Yes the attractive transparent card with the smart chip on it http://www.providian.com/mysmartservices/index.htm
looked like it would be a wonderful edition to the small collection of cards i rotate through my wallet over the months to build up an extensive credit history.

The problem with this card is it seems the entire company and everything about it is entirely automated.

I first received a call from them to activate the card from a very rude operator who demanded all this information about me which was entirely unnecessary and completely unrelated to the card. They also gave me a pathetic $1,000 limit making it the most useless card in my collection and I had cancelled a platinum discover card with an $8,000 limit for this stupid pretty-looking card.

Over the following two months I was still on the mailinglist and received three more notices to signup for the card.I tried to then use the card by charging a chartitable donation and it appeared to go through at first until I went to some stores tried to buy an item and it didnt go through. So I called to have the card activated again and after the process was complete it STILL wasnt activated making a total of 2 times.

At this point I was very frustrated so I tried to cancel it only to find absolutely every phone number was automated voicemail with no access to a human being and no option to cancel the card. There are multiple phone numbers which loop between each other so you can call one number and wind up selecting an option that will transfer you to one of the other numbers. I was just about to call the better business bureau when I FINALLY found an obscure number listed in a dark corner of their website and immediately cancelled it. Until Providian gets their act together AVOID THIS CARD. Besides Providian is already so nosy about all your personal details just to activate the card just think of how nosey they'll be when they finally activate the smart chip once enough get into circulation.

Re:Providian Visa. Do not fall for it!

[Cainam]

I have a standard non-smart Providian Visa Gold card and I've had no problems with it ever. The toll-free number on the back of the card gives you some automated information with the chance to hold for a real, live operator. The on-line account information is useful and you can make quick wire payments from your bank account. I started out with a $1000 limit but I had just turned 18 and had no credit history. Giving me a bigger limit would've been silly. Now I have a $1600 limit (after having the card about 6 months) and it's as painless to use as ever.
Like I said, my card isn't the smart variety, but it's a Providian card and I've never had any trouble with it. In fact I'd recommend Providian.
Just my $0.02. Sorry it's offtopic.

Re:Providian Visa. Do not fall for it!

They suck. I have had them for the last year and they keep sending me these checks through the mail so I can get cash because I am such a wonderfully responsible cardholder. I ask them to lower my interest rate a scant few percent and they won't do it. Jerks!

Re:Providian Visa. Do not fall for it!

[RedOregon]

Providian is scum of the earth anyway, and clueless to boot.

When I was stationed overseas with the Air Force, I had a $5000 limit providian card. When I sent in my change of address (to an APO address, which is a US Post Office zip code denoting overseas military), I received a letter from them telling me that I couldn't use my card anymore since I was overseas. Seems they don't have any confidence in their ability to collect from overseas users.

I wrote them a letter, and even called them, explaining that mail sent to an APO address never leaves the control of USPS, and that being in the military, I can be tracked down anywhere in the world to satisfy bad debt claims.

Didn't matter to them... I was still overseas (serving my country no less) so the card was cut off until I returned to the good old US of A where their goons can find me easier if I default.
Took me a good 30 seconds to turn that card into confetti....

Re:Providian Visa. Do not fall for it!

[bad-badtz-maru]

Providian has the WORST interest rates...

maru
www.mp3.com/pixal

Re:Providian Visa. Do not fall for it!

[shave]

Gee I thought I was the only one! Those jerkwads aquired my prior credit card company a few years back when I was AF stationed in Germany, I called them because of some conflicting info they sent me, they told me all was well, no problems, took care of me. So I went on a trip to Turkey, while I was there they cancelled my card. Stuck me in the middle of Turkey with their piece of crap service and a useless credit card. When I got home I went through the whole mess with them and got the same story about being outside of the US, but when I came back they would welcome the chance to serve me. I went on a 2 month letter writing thing with them and just kept getting the same canned answers. No more Providian for me EVER. Jerks...

Re:Providian Visa. Do not fall for it!

It's not just the smart card... avoid Providian at all costs.

Re:Providian Visa. Do not fall for it!

[n-baxley]

Wait a minute. You canceled an $8k card in order to get a "cool" new card that was transparent? I think the only thing that is transparent is your inate stupidity.

Re:Providian Visa. Do not fall for it!

Really? Funny, my Providian Visa has a fixed 5.99% APR, by far the lowest of my credit cards or those of most people I know. Not that it matters since I pay it off in full every month...

Re:Providian Visa. Do not fall for it!

[bad-badtz-maru]

Are you sure that it's 5.99 and not prime+5.99? 5.99 is below prime, which is a rate you most likely aren't going to get unless you are like 55 years old with perfect credit since age 18.

maru
www.mp3.com/pixal

ISO 7816

[jerw134]

ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication. Litronic has some useful information on their site about Smart Cards and smart card readers.

Re:ISO 7816

[garcia]

it's not working too too well w/DirecTV. I know of plenty of people that are using cards that are a) stolen b) hacked or c) known to be not legal.

Re:ISO 7816

[rot26]

ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication.

It doesn't say anything about how the smart card is used, though... ISO7816 is basically just the specification for the card size, contact placement, and electrical interface. What is on the chip and how it is used is entirely dependent on the manufacturer and, to an extent, the individual developers. Most of them have at least 3DES encryption built in, with the facility to lock up the card PERMANENTLY if the incorrect password is used more than a certain number of times, etc.

There aren't really any ubiquitous standards for how they're used, although the EMV (Europay-Mastercard-Visa) is currently being used in Europe and may or may not eventually see use in the US. Microsoft is also (surprise) pushing a "standard" of their own... some version of CE, I think.

Re:ISO 7816

[jerw134]

Sure, I know plenty of people too. But the thing you have to realize is that the card itself is not the problem. It's DirecTV/NDS's weak security. The real heart of the card (the audio/video decryption system) has not, and most likely will not, be cracked. True people learned how to read and write the cards, but the really important stuff is still safe.

Re:If only the sales reps were as smart as the car

[EvlPenguin]

Hey, I just sat down to eat dinner when they called. They could atleast have the decency not to call people between 17:00-21:00. Or just don't call in the first place. But until that day, I may as well have some fun with them.

New Jersey

[Tazzy531]

I remember years ago the NJ DMV was talking about putting all this information onto the Drivers license...like credit card, medical records, and social security info.

Last that I have heard anything about it was that it went through the state legislator and was shot down because of the whole privacy issue.

Re:New Jersey

it went through the state legislator? ouch, that must have hurt. And through his privates to boot? I'm glad they shot it down after that!

Smart cards

[fillurboots]

Heard about this outfit on the radio in the past week. Sounds like interesting technology. Don't know how far they will get.
http://www.chameleonnetwork.com

Not what they are cracked up to be...

[paleck]

Currently my university has been using these same smart chips in our University IDs for the past year. It has been a costly switch over and ridden with problems. Most likely much of the information would be stored on the smart chip with these new cards just as our accounts are stored on it. Unfortunately if a card is lost or stolen there is no way to get money back on your id card as as there is not much of a paper trail to follow. The chips in the cards are also easily worn, as my card will attest to from sitting in my wallet, and I often have problems using my cards in many of the readers accros campus. Unfortunately the administration will not release much about our cards and they continue to say that there is no vital information stored on the cards. But I ceertainly don't regard my university account with which I use for printing, copying, buying food and supplies as not vital.

Police bait men looking for love online

In what can only be described as, nothing more than a quota machine, online Law enforcement officers have become more net savvy, learning tricks that include ways to destroy the evidence of innocence victims who fall prey to rogue officers. In a shocking investigation of online police activities, we uncovered one of many techniques used by officers to bait online males into appearing as though they are planning to meeting young females and arranging to have sex with them. AOL/TimeWarner's deal with the DOJ allows them to continue monopolistic moves in exchange for free run of AOL's network.

ICQ started as a venture in Israel and gained worldwide popularity before being purchased by the Media Giant AOL/Time Warner. Since then, ICQ has seen continued growth and benefit from it's new parent.

AOL has been long known as a haven for the less than savvy Internet user and a controlled environment subject to the codes of conduct setup by it's founders. On the Internet, a user can go into a chatroom or messageboard and say pretty much anything they want and not have to worry about some authority figure breathing down their back. On AOL, you can be turned over to the authorities in a split second for making a threat you can't possibly carry out. This has happen on several occasions over the last few years. It's been long know that AOL has catered to law enforcement in order for them to meet their pending quotes of perverts, raging lunatics and whatever else they can dig up. This, I'm sorry to say, has spilled over to ICQ as well.

Over the last six months, I've notice a tremendous increase in both adult women and 13 year old girls sending messages to me for no apparent reason. Most would shake this off as random porn solicitors or first time users looking for people with similar interests. I left several of these people (Adult and 13 year old girls) on my list, but didn't reply to them. Just let them send me messages. I'd noticed that many of these adults would always appear at the same time as a 13-year-old. Then I discover a patch that allows a user to run more than one ICQ program at the same time. I would receive a message from the adult, shortly after; I'd receive one from the child.

After dealing with this for a few months, I decided to interact with one of the adults. I sent her a link to my website (which logs all visitor domains), she looked at it, made no comments about it, but tried to drum up a sexual conversation, I ignored the sexual tones and only talk about my website. I checked to see where this person was at by checking my website logs (CA.GOV). OK, some government employee with lots of time on her hands. Suddenly, I received a message from one of the 13-year-old girls. OK, innocent Hello's, I replied to her with a link to my website. I checked my logs, and damn was I surprised CA.GOV again. Not sure if the adult had just revisited my site or what; I ran an ICQ hack that detects users unique IP address. The result was that the Adult and the minor where at the same location.

Well, I wasn't all that surprised, but what followed were not the actions of a bored employee, but that of a state or federal agent trying to destroy evidence. I took several screen shots of the users information and logs,(Which I will save incase these bandits try to frame me) then confronted the suspected officer. The response was; "Yeah, you caught me" hmmm, ok, honest cop. I left the room for a few minutes to drain or something, when I came back, I looked at the history on ICQ to refresh my aged and failing memory, only to find all my logs from that user and the minor had been deleted remotely. There is a hack that allows you to do this.

Apparently, the scam works like this, the agent starts a random conversation with an adult male, they later start a conversation with the same male as a 13 year old girl. If you bite the Cybersex bait, they keep you going faster and faster. Then, out of the blue, the 13-year-old will slip in a quick comment along the same lines as the conversation with the adult. Hoping that you didn't notice it was from a different person. (Everyone has sent a message to the wrong person at least once) You may reply with a sexual comment to a minor. You've been baited; they will continue this over several months until they have enough conversation to make you look like a pervert.

Now, If you don't byte the Cybersex pill, you're safe, right? WRONG, If agents are below the quota for investigations they will likely use the method they tried on me, Say you don't reply to the child, but you do carry on a conversation with the adult. Say after several months, you allow that conversation to get sexual. Now the officer takes your conversation with said adult and appends it to the log files of the minor. Walla, your now a pervert. Using this hack tool that deletes your log files leaves you with no defense other than your word against the Cops. Guess who wins that 99.9% of the time? The Cops.

Some people might say "Dan, your paranoid" claiming this was just some random porn spammer or just plan coincidence. I don't buy it. Given the current environment of Feminist that labels most men perverts and molesters and these Feminists' infiltration of our Government Agency's over the last eight years, I'd say that the Government is just doing what it thinks it can get away with.

Using vulgar language with a 13 year old girl has serious legal ramifications, far worse than with a girl just one year older. 13 will get you 20+ and a cop an excellent record of catching perverts and hella good promotion. ICQ is haven for Cops; they've learned the rules of the game and how to break them. The Judges aren't bright enough on this subject to even comprehend how much wool has been pulled over their eyes.

Until you can protect yourself on ICQ I don't recommend men use it, in fact, I'd support an all out boycott of ICQ just on the principle of invasion of privacy and harassment by authorities. If you can't have a private conversation on the Internet without the fear of this person or that person being a cop, Then I say we need restraints on officers online.

Oh, I almost forgot. I do have one last use for ICQ, forward a link to this article to everyone on your ICQ list until hell freezes over, this way, we can use ICQ the way it was meant to be used. Mass communications and fun.

Smart Card Offerings

[Michael+Wardle]

It's nice to see some card companies finally moving towards smart cards in the hope that one day we may not need to carry cash.

The two major offerings are currently Visa's smart Visa and American Express's Blue. At this stage, it seems that MasterCard does not have a combined smart card/credit card.

There have also been various smart card only cards including MasterCard's Mondex and Visa's Visa Cash, but neither of these seems to have gained wide acceptance, despite being backed (however weakly) by the major credit card companies. Let's hope these new combined cards don't suffer the same fate.

They're all over Europe

[HaeMaker]

A friend of mine told me a story about going to Europe and having to explain to a clerk that his credit card didn't have a smart chip in it, she would have to slide it in the other thingie. He ended up having to slide the card for her.

For some things, the US is way behind.

Re:They're all over Europe

[Mobster75]

Where was this??

I spend almost every summer in Italy and I've never

seen a SmartCard reader in any retail stores anywhere

in Italy.. Although, the Italians are usually a bit behind.

Now that I think of it, I didn't see any SC readers

in England either.... or in Iceland.. ;)

However, the Europeans are far more willing to embrace

technology since many of their old-fashioned systems

(i.e. utilities, govt) are so bass-ackwards that they NEED

the newer technologies. I find the Euro GSM-based cell system

to be FAR superior to our U.S. system, They have far more

advanced cell phones that are plenty cheap which is why

I picked up a tri-band Motorola GSM phone last summer there

for under $200 (and I even got my VAT tax back, woohoo!)

And all I get are compliments from everyone on how many

more options it has. But anyways.. Europe is the place to be

for Chic and High-techno... However, you have to deal with the

high taxes... (Italy has a 52% flat income tax rate).

Re:They're all over Europe

[Bitsy+Boffin]

A number of years ago I went to New Caledonia, this would have been, 8 years ago. Anyway, when there we had our standard Bank Of New Zealand Visa card, which we thought would be sweet.

However almost every store we went to they didn't know what to do - the card had no chip in the top right corner like thier french credit cards, so I ended up having to explain, in my significantly less than fluent french that they should put it through the zip-zap machine instead because New Zealand doesn't have chipped cards.

Here in New Zealand (as another poster has pointed out) we have heavily embraced EFTPOS (Electronic Funds Transfer at Point Of Sale), almost everybody uses it, basically an ATM card you can also use at the cash register.

Credit cards are also able to be used at the eftpos machines, and are generally linked to our bank accounts so we can charge our cheque/credit or savings account for the purchase.

But still we do not have the little chip like the New Caledonian (and I presume France's banks)cards. I havn't been back there but would like to sometime (if I can ever get some time off, and somebody to go with), when I do I'll certainly be checking with the bank before I go.

Re:They're all over Europe

[CSC]

A friend of mine told me a story about going to Europe and having to explain to a clerk that his credit card didn't have a smart chip in it, she would have to slide it in the other thingie. He ended up having to slide the card for her.

It must have been France. Smart cards are ubiquitous since the early 80s here.

Actually the reason it did catch on is :

• Banks did work together on this so we have a single standard (a bit like GSM vs. the American cellphone hodgepodge)
• Payments done with a smart card and its PIN number are insured by banks
• Payments certified with a plain signature (or nothing at all, eg. in some highway toll booths) are not insured by banks

Net result: every card is a smart card, every shop&co. has a smart card reader, and fraudulent charges amount to practically nothing.

Re:If only the sales reps were as smart as the car

I second this guy's comment. You're a pretty tough guy for asking a nerdy question to a kid making $8 an hour doing a crappy job.

And for calling when you have dinner, that's where caller ID comes in handy.

Real solutions aren't here yet

[osgeek]

I worked for a major valley computer company in 2000, and we had evaluated American Express's Blue as a possible companion to some of the ecommerce solutions we had wanted to develop.

Blue, and everything else I've seen since then aren't real solutions, they're just gimmicks. They need to support real SmartCards which offer strong encryption onboard and payment approval. The half-assed crap that they're pushing now is next to useless. The only benefit that I can see of Blue and its ilk is that they might have the opportunity to make SmartCard readers ubiquitous. From there, they could maybe begin to support SmartCards with the features that I mentioned above.

Re:Real solutions aren't here yet

[tommck]

They need to support real SmartCards which offer strong encryption onboard and payment approval

AFAIK, the cards that Amex uses support 1024-bit RSA Encryption. How strong is strong?

What you're seeing is bad marketing.

I worked for SCM Microsystems in France, a company that made smart card hardware for set-top boxes and PCs. I worked on firmware for a CANAL+ (pay-per-view) decoder box that used a smart card for authentication.

What the credit card companies want is what they have in France (the rest of Europe? I don't know): when you use a credit card at a restaurant or store, you have to enter a PIN. All the credit cards in France are smart cards, and they store your pin (encrypted IIRC). This saves them lots of money in fraud charges.

However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).

So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.

So how are they selling it to consumers? Badly. They're promising stuff that nobody really cares about... marginally easier admin of freq flyer miles, intangible future bonuses in "integrated" consumer information. Bleah.

Why don't they just frigging lower the interest rates on PIN protected cards? That would sell like hotcakes, and reducing fraud lossage is the card companies ONLY real concern. Because they are greedy fucks, that's why. They want to decrease their fraud lossage and keep the diff.

France was only able to railroad this through by subsidizing smart card development. Schlumberger et al got some big bank by developing the smart card system for the pay phones, which only happened due to some big time pork barrel action.

The US smart card folks just don't have their act together ATM. Too bad... I think the cards are cute. Don't really care as long as my liability on a credit card is just $50, though.

Bill Gribble -- grib@linuxdevel.com
Linux Developers Group

Re:What you're seeing is bad marketing.

[mcelrath]

However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law.

And whether you realize it or not, we pay through the nose for it in the form of high interest rates and taxes. Yes, the government prosecutes credit card fraud, and it's rampant in the US. The credit card companies have no interest in implementing more secure methods of transaction because the costs of their lacking security are shouldered by the government.

I want secure, encrypted electronic money, and I want it now. There's no reason we couldn't have had this 20 years ago. It won't happen in the private sector though, they have to make money. And I don't want to have to pay money in order to use my money. And then there's the chicken-and-egg problem with elecronic money you mention. It's going to take government action to make it happen. I'm not holding my breath.

--Bob

Re:What you're seeing is bad marketing.

[bluebomber]

What's the value to consumers or merchants?

The value to consumers seems to mainly be convenience (everyone has had to replace a lost/stolen cc, right?). The value to merchants goes further, specifically in "card not present" transactions (e.g. online transactions). In these cases, if the consumer later claims that the charge is fraudulent, the cc will charge-back the merchant for the amount of the transaction: the consumer wins, the cc wins, the theif wins, and the merchant loses. It amounts to a significant portion of expenses for online businesses. Progress in this area will greatly benefit these businesses (especially small, online-only businesses).

Re:What you're seeing is bad marketing.

[inburito]

My understanding is that all credit cards have this feature! It is just up to the shopkeeper to have equipment to validate your card with the pin.

I have a european credit card but currently live in the states. If I want to take a cash advance (which i do a lot) from any atm machine I have to punch in my credit cards pin number. In some places in Europe I can use this same pin number to authorize my card at a shop. In USA I cannot. Most places in scandinavia, however, do require my signature since they do not have pin verification equipment. I've always thought of the pin number as a standard feature on any visa card and my primary use for it has been taking a cash advance from an american atm..

The point of this was that if american atms offer cash advances from a credit card the only way to authorize this is the pin number. That means that american credit cards that can do cash advances from atms(all?) could also be verified at a shop with the same pin number. However, since none of the shops offer pin-verification, and it has not been made a federal law to exclusively require this, hopes of getting such a system as in france in use (remember, usa still primarily relies on checks - with signature) are about the same as me winning last nights 280mil powerball..

p.s. out of the three pb-tickets I bought not a single one had a single correct number.. there should be a price for that since the odds are against it..

Re:What you're seeing is bad marketing.

Not to be a total ass, but secure, encrypted electronic money 20 years ago? What have you been smokin'? :P

Re:What you're seeing is bad marketing.

[theancient1]

In Canada, the most popular form of payment these days is Interac (aka. the ATM card.)* It's accepted almost everywhere. Interac is the name of the network that connects all of the bank machines (ATMs) in this country -- the banks just extended the existing network by putting terminals in retail outlets. The card takes funds directly from your bank account, meaning you don't have to worry about bills or high interest rates -- as long as you've got the cash. Like the cards in France, you need to enter your PIN number before completing a purchase. It's just like withdrawing money from a bank machine, except instead of giving you cash, the funds are transferred directly to the merchant's account.

The bank, naturally, takes a service charge from each transaction. As a result, some retailers don't allow Interac purchases below a certain limit (usually $5.) But it's pretty rare these days to go to a place that doesn't take the card. A few years ago, I was passing through the U.S., and almost ran into trouble when I tried paying for lunch at McDonald's with my bank card. The cashier just gave me a funny look. (Fortunately, I had a bit of cash on me at the time.) That shows how much we take it for granted.

(*) According to a study that was conducted about a year ago, 21% use credit cards as their primary method of payment, 35% use cash, and 42% use Interac. People aged 18-24 were at 61% in favour of Interac.

Re:What you're seeing is bad marketing.

[sacrilicious]

However, you can't sell [greater fraud protection via technology] in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants?

The value is tremendous. I personally know people who have been the victims of credit card fraud, and it is a nightmare that goes on and on. On paper it may seem like the only cost to consumers is $50, but the official statistic is that the average consumers spend 175 hours of their time trying to straighten out the mess that credit fraud wreaks upon their lives. Sometimes the saga takes years to unfold, and in the meantime the impact on their abilities to purchase houses and cars is compromised significantly. In a very real sense, credit card fraud doesn't really ever stop affecting a person; it merely ebbs to a level acceptable by the weary and embittered victim.

This is all caused by credit card companies looking the other way on this issue. They don't encourage consumers to come up with a passphrase any more secure than their mothers' maiden names. The mailing address on a credit account can be fraudulently changed with a simple phone call; if you want to get any higher a level of security, you have to opt into that security by contacting all the major credit institutions and pretending that you've been a fraud victim... and even then, the added security basically amounts to a requirement that someone fraudulently write in with a forged signature to change the mailing address.

Re:What you're seeing is bad marketing.

[cybermage]

My understanding is that all credit cards have this feature!

Well, not exactly. While you can take a cash advance at an ATM if your card has a PIN, it is not the same technology. When you take a cash advance, your information, along with the pin you enter, is transmitted to the bank for verification. The Smart Cards allow for verification against the encrypted PIN stored on the card itself. It's my understanding that the magnetic strip on normal credit cards doesn't include the PIN.

Re:What you're seeing is bad marketing.

[DriceX]

However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).

I do the bookwork for my parents business and this statement is not completely correct. When a consumer reports a fraudulent charge, they send a notice out to the company that charged them asking for a signed receipt. If we are unable to produce one, or the one we produce doesn't match what is on the account. We get stuck with the fraudulent charge, not the consumer, or the credit card company.

Retailers would love such technology.

Re:What you're seeing is bad marketing.

[tb3]

Further, because of the national Interac network, Canadians were able to take advantage of the single system quickly, and took to it in a big way. In contrast, the U.S. has Visa and MasterCard running their debit card systems, and it's not as popular. You'd be amazed at the number of people in the US who still write checks for stuff in stores.

A few years ago, a study found that there were more direct debit transactions in Canada than the US. That's total, not per capita.

The US is widely concidered to have the least efficient banking system in the world.

Re:What you're seeing is bad marketing.

[n-baxley]

If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.

How do you figure this? Surely the new smart cards will work in the old readers, although you can't use the new "features". Why would the merchant go out and buy a new reader just so their customers can type in a PIN number? The only way to get merchants onboard is if you pay them, or make their customer's cards invlid to the old reader. And why would I as a consumer buy a card that won't work in half of the world wide readers?

Re:What you're seeing is bad marketing.

[austad]

Yes, the government prosecutes credit card fraud, and it's rampant in the US

Bullshit. If you steal a credit card and buy something with it online, chances are the government or the credit card companies won't give a flying fuck, even if handed the name of the person committing the fraud. Someone stole my card number and purchased a bunch of plane tickets with it, I tracked them down (names, addresses, phone numbers and even a picture of one of them), handed the info to the police and my bank (the card issuer), and they didn't even care. They said there was nothing they could do about it.

Nobody cares except the person whose card gets stolen. In fact, if I stole someone's card, I'd be more worried about some thug showing up at my house for some "punishment" than I would be worried about the police showing up.

Re:What you're seeing is bad marketing.

It significantly impacts the merchant. There is a huge difference in Txn. Fees between "Card Present" vs. "Card Not Present" Tranactions.

Re:What you're seeing is bad marketing.

[mcelrath]

You're right, your credit card agency and the police won't care. The credit card agency has massive insurance policies and doesn't prosecute fraud, and the police aren't going to pursue and inter-state crime.

The organizations that prosecute credit card fraud are the FBI and Secret Service. Weird, huh? And they generally don't go after crimes unless they involve a large dollar amount -- i.e. large scam operations. If some kid just found your card, you're basically SOL. But it might be worthwhile to call them and hound them into taking a report.

I did a few web searches, and was unable to find any kind of instructions for reporting fraud to the FBI or secret service. There are a few dead links out there for some FBI reporting form, but it appears to be gone. I wonder if the situation has changed in the last few years? The Secret Service's page on the subject says to contact your CC company, the three credit reporting agencies, and the police. But that obviously will go nowhere as far as criminal prosecution of the theif.

The FTC has a page but it says at the top "the FTC does not resolve individual consumer problems"...looks like the page is just for gathering statistics. I'm sure it's really fucking effective. The FTC also has an Identity theft complaint form and has a checkbox for credit card theft, but again it says "the FTC does not resolve individual consumer problems...".

So, it appears that the government quietly approves of credit card fraud. This sucks. This really sucks. We need a new system so badly...

--Bob

Re:What you're seeing is bad marketing.

So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.

Quite simply, they do it via incentives. Credit cards currentlty operate on a number of fee levels, which the merchant pays.

• Card-in-hand swiped at reader - lowest fee, least risk
  

• Card-in-hand manually keyed number -- higher fee, more risk
  

• Unattended terminal, card swiped in reader -- higher risk, higher fee. This is what you get when you pay for gas at the pump.
  

• Unattended terminal, card read from key tag (e.g. SpeedPass) -- higher risk, higher fee
  

• Unattended, card never seen, card number entered manually, some arbitrary form of authentication (i.e., buying over the internet). Highest fee of all, highest chance of fraud.
  

Smart cards, or anything that involves encrypted authentication for that matter, is lower risk than any of the above, and thus they can use lower fees as an incentive to merchants.

Re:What you're seeing is bad marketing.

[cheezit]

There's more to this than the legal aspect. I worked on a project attempting to introduce smartcard-based credit cards to the US. Yes, the legal aspect is important, but there are historical and technical reasons too.

* European consumer spending has historically relied on cash, not credit, and particularly not on bank-issued credit.

* The European telecommunications infrastructure is structured differently. First of all, the rates for local service are not artifically low, as they are in the US, where long distance subsidizes it. Plus there can be lots of taxes. This means that a small vendor's POS terminal can't call every transaction in to VISA/MC without impacting the profit on the sale.

* The legislative agenda in Europe empasizes consumer privacy, not consumer protection. This seems to create a bias toward technology and against contractual/business-based approaches to fraud management.

Re:If only the sales reps were as smart as the car

[Xn]

i don't expect the salesman at circuit city to be an electrical engineer, but he should be able to tell me how long it'll take to make popcorn in my new microwave.

of course, i don't expect the saleman at fry's to know how to plug in the microwave..

xn

(OT) Credit cards aren't the problem

I have a credit card. I use it frequently. My credit limit started at $500 when I was in college, and is now on its way to 5-digits. I have never carried a balance, nor purchased so much that I had any difficulty paying it off.

My point? A credit card is perfect for my shopping needs. For those who carry over a balance month-to-month, well, all I can say is thank you for supporting the company that gives me this great service.

Credit Card + Cue Cat

[Slayback]

I have 2 smartcards in my wallet right now; an American Express Blue, and a Fusion. When I first hooked up the reader, I dreamed of being able to go to thinkgeek.com, hit checkout, put my card in, type my pin, and then having my goodies a few days later. Unfortunately, the support is just not there. With American Express, you use their software and it gives you a list of supported online stores, none of which interest me. The fusion is the same exact way. Both use VERY similar software that runs in the system tray of a Windows computer and launches your little magic cart when it detects a card. Bah...who cares?

Also, one of the main reasons I got them was that both where giving away free card readers which look pretty cool. They're gemstar (I think) and are the same ones that are supported by Win2k for authentication. Not a bad deal, I bet they retail for about $30 a peice. The card reader was also able to tell me a bit of info about the smart card used in my Dish Network reciever. Cool geek toy...nothing more. Next Cue Cat perhaps?

I did see some cool uses such as an electronic card punch that would stay on the card, i.e., you by 9 cups of coffee, you get the 10th free, the card keeps track instead of using a paper punch or other similar device. Alas, this was only a flash demo of what it could do, but I have yet to see any real world examples.

Here's a decent primer on SmartCards

[hillct]

The current generation of SmartCards are java based. The idea is that they provide more than memory, but a full Java Runtime Enviroment, and a set of base applications, under the theory that processing transactions in a known (secure) enviroment is preferable to simply swiping the card through a reader/writer which might otherwise simply increment or decrement a number (of dollars or whatever) stored on the card. These cards have a great deal of potential that remains largely untapped. I have yet to see a smartcard transaction processor which takes any real advantage to these capabilities.

--CTH

Re:Here's a decent primer on SmartCards

[Isle]

Ehrmm.. Credit card don't actually have money stored on them. Thats a childrens tale.
It just has a code to send it's bank, the extra security comes from the card taking part of the transaction so a malious terminal cant store the code.

Re:Here's a decent primer on SmartCards

[hillct]

I know I shouldn't respond to this troll but, what the hell...

Duh, really? ahem. My point was, rather than being used to store data, the smartcards are designed to perform processing operations onboard - as this is considered to be more highly secure than simply shipping data off-board and recieving data back, weather that data be bankd account info, some sort of debit balance (as has been proposed for some next gen debit cards), or perhaps your complete medical history or whatever other data has been alocated to it. This is what happens when you use imprecise language I guess...

Europe's had it for 15 years!

[Max+von+H.]

I don't want to sound mean or anything, but we've had "smart cards" for ages over here...

In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.

Here, in Switzerland, my bank card is combined with Visa, and I can set limits for withdrawals and purchases done with the (post)bank part of the card (with a chip), or use the Visa function with equal flexibility.

I suppose it just results from a different banking system between the USA and Europe. In Europe, banks contract the credit card provider (visa, mastercard, etc) and merge their cards. Plus, in most countries, banks have merged their ATM services so you can use any card to pump money from any "hole in the wall".

What strikes me is that Americans see smart cards as a really new things, whereas here we use them for absolutely everything, from e-wallets to bus-pass or phone cards. Smart-card readers are available and cost something around $20...

Bah, real standards have always had hard times getting to the USA, and that's no news!

/max

Re:Europe's had it for 15 years!

The real reason that Smart Cards are everywhere in Europe and Latin America is that they can authenticate locally (since the info on the card is encrypted). This is a big plus where phone services are expensive, but we have cheap phones in the US, hence we have no motivation for change.

Re:Europe's had it for 15 years!

Question: does Europe have identity theft?

No, this isn't a troll or a stupid question, in the US we have a big problem with identity theft (thanks to the overwhelming use of SSN as your primary ID), so when a few basic facts about you are snatched, the criminals can go hog wild draining your bank accounts and running up thousands with fraudulent credit card accounts.

I'm just curious to see if maybe there are elements of the european system that we can import to fight back against identity fraud.

Re:Europe's had it for 15 years!

[gorf]

In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.

As far as I understand it, the French system has been cracked, although to what extent I'm not sure (see Bruce Schneier's Secrets and Lies, he mentions it).

Apparantely the first guy who figured it out went to the card company, who asked him to prove it, which he did by buying a metro ticket. They then had him arrested, and forced him to sign an NDA to avoid prosecution.

Then someone else independently cracked it, and posted it anonymously from a cybercafe (in Paris, IIRC)

Smart cards are fine, but they need to use proper encryption, complete with completely open standards. I won't trust them until then. I know that companies expect fraud and absorb the costs, but you still need to be able to prove that you didn't make the purchase. Without a need for the vendor to produce a signature, this could be difficult.

Re:Europe's had it for 15 years!

[discovercomics]

The big reason you havn't seen a big push for smartcards in the US is beacuse of patents...When the existing patents run out you will see smart cards all over the place.

Re:Europe's had it for 15 years!

[Cock+Knocker]

That's not a smart card, that's a dumb card. If you made everyone in the US use their CCs in ATM mode, we'd have the feature of having to type in our pin#s also.

Don't be too smug that you've got some shiny system. Its a little tougher deploying new tech in a country with over 5x the population than France, and where one state engulfs any country in Europe. Also we don't really tolerate "ubiquitous systems" via government mandate over here, and I'm guessing you end up paying for it in the end. If the cure is worse than the disease ($ wise) it may make for bragging rights but not be the right thing to do - you have added system costs & maintenance to make all the systems work together so nicely (at least on the front end). If I had to type in my pin# for each CC use, I'd waste at least an hour per year - 1 hr of my time is worth ~$50, which is coincidentally my liability if my cc gets ripped off. Since this has never happened to me, your cool new system would waste more than it would save, not even counting the added upgrade & maintenance costs.
ka-pow!

Re:Europe's had it for 15 years!

[MobyDisk]

In the US, check cards prompt for your PIN number. You don't need smart cards to do this. I am amazed that that don't require PIN # entry for credit cards. I would happily press 4 buttons (it should be more...) to protect myself from fraud. Surely the merchants would like this too. Anyone who is

Re:Europe's had it for 15 years!

[Max+von+H.]

Interresting point you're raising here, but the USA are not a solitary example of SSN ruling:

In Finland, your SSN is used for absolutely everything, and whilst I was living there, I had quite some concerns regarding privacy, since all private and public services connect to a centralized DB. I got surprised to see how many details (bank account balance, etc.) could be seen by people who have no business watching that kind of data.

The European Union is centralizing its citizen database, and in most European countries privacy is not really an issue, since we've lost it numerous times in the past. The general opinion being "if you haven't got anything to hide, you have nothing to worry about", as it seems. When I talk about data privacy, most people look at me with blank eyes (except in Switzerland due to bank secrecy etc.).

The one privacy issue Europeans are really concerned about is their political opinions and activities, for which they have fought for centuries.

Now, to answer your question, identity theft isn't an issue, maybe because we have identity cards (except in the UK) and our governments have always liked to check who's who and where. Not mentioning you need to enter a PIN for each operation. US driving licenses are a real joke as proofs if ID when it comes to security. EU countries are working on a 'smart-card' ID with high encryption (sorry, can't find link) as a response to ID falsification, and the next generation of passports are likely to include biometric identification (fingerprints, DNA sequence...), mostly at the request of the USA (they threatened to reinstate visas otherwise)!!!

IMHO, the USA are facing a rather ironic situation, in which their claims for both security and absolute privacy collide for the simple reason the american ppl don't want "too much government". Instead of having a centralized authority keeping an eye on your most personal data, the subdivision of power upon national ID records leads to huge discrepancies due to miscommunication, loss of records, corruption, alien invaders, greedy megacorporations, etc.

After that, if you're unhappy with what your government does with your data, democracy should be there to help you change this.

/max

Re:Europe's had it for 15 years!

[rprycem]

Bah, real standards have always had hard times getting to the USA, and that's no news!

Bah, anything being sold as "something the french are doing" has always had a hard time getting to the USA, and that's no news!

Re:Europe's had it for 15 years!

[Hobaird]

In the US, check cards prompt for your PIN number.

Really? That's news to me. My Visa check card requires nothing more than a signature, and that's presuming I'm somewhere where I have to present my card to a human, and not at Amazon.com or a gas pump. The only time I would have to put in a pin number is at an ATM or if I wanted cash back at the grocery store. As I understand it, there are two modes for point of purchase with check cards: Credit card and debit card. With debit cards you have to use a pin, and it goes through a different system (like the ATM network). Personally, I would have to pay a fee to use it as a debit card.

I wouldn't mind if they asked for a password/pin when I made a purchase. It sounds like a good idea to me. Particularly if they could build it in to non-attended systems like the gas stations.

BTW, in Europe, if you have to enter a pin every time, how do they do things like restaurants? Does the waiter bring a keypad to the table? Do you always pay at the counter?

Re:Europe's had it for 15 years!

[theancient1]

Oh, we have smart cards. I have a smart card for the bus, a smart card for making cash purchases, a cashcard for the payphone (and another for my calling card), a smart card for my student ID, one for the library, driver's licence, medicare card, credit cards, frequent-flyer cards, security badge, travel card, video rental cards. So that's 17 cards that I have to carry with me all the time. Hmm, I guess that's really not smart at all.

Re:Europe's had it for 15 years!

[kin_korn_karn]

After that, if you're unhappy with what your government does with your data, democracy should be there to help you change this.

Democracy no longer exists in the United States.

The experiment failed around 1952 and a feudal system, with net worth taking the place of bloodlines, is firmly entrenched. Sure, we can vote, but our elections are a joke at anything higher than the municipal level.

Prepare for the world's economy to choke sometime within the next 50 years when the USA has another civil war. I'll be somewhere fighting for the citizens and getting shot in the head by superior corporate technology...

- JW

Re:Europe's had it for 15 years!

the french smart card use some symetrical DES down to 40-bits. The main problem of that is that if you manage to steal a master key, you are able to create new unofficial cards.

Re:Europe's had it for 15 years!

the difference here is that to the contrary of your american card which only uses the magnetic tape to contain and check the pin; the cards used in france do the check on chip (mostly because the shop's terminals are offline in france) and also encryption on the wire of the operation by the chip. The chip also has some features used due to the mostly offline nature of the operations in daily life, such as payment history ..

Re:Europe's had it for 15 years!

Well that's really not the main problem. The main problem is that the magnetic tape is completly insecure and does nothing against card replication. (and not worse if the pin is not weakly encrypted on the tape)

Re:Europe's had it for 15 years!

BTW, in Europe, if you have to enter a pin every time, how do they do things like restaurants? Does the waiter bring a keypad to the table? Do you always pay at the counter?

I can only speak for myself, in Belgium. I have two cards from my bank. One is an integrated smart card, with a magnetic strip for debit-mode operations, where you have to have an online console, which verifies your pin number with the central office. This system is ubiquitous over here, even small stores and restaurants have it. So, yes, then you have to walk to a counter and pay there, most of the time on your way out. The smart part of it is for small monetary transactions (buying a candy bar, making a phonecall, ...). It's a sort of electronic money holder. You transfer money from your account to the card itself, and it remains there until you buy something with it. To make it easy on people all public phonebooths can now be used to do this. The only thing I use it for is making phonecalls, since it doesn't offer better protection against theft than cash (because there's no protecting pin to this part).

And then there's the VISA card, which is identical in operation to the VISA card in the US. Not that much people have visa cards over here, since because the other two systems are so ubiquitous, you don't need a visa card as long as you stay inside belgium. As soon as you want to buy something online though, it's a necessity, so I risk getting my money stolen, just so I can buy that cool T-shirt.

As an aside, we also have a medical card (we have a state-sponsored health insurance which actually covers most stuff) with smart card functionality, that is used to identify you in purchases in pharmacies (which I don't like), and which is planned to be used to replace subscriptions. So all doctors would have a smart card terminal, and would be able to place subscriptions straight on there. Again, there is loss of privacy, but since what you buy and who subscribed it to you eventually enters the system anyway (through pharmacies sending subscriptions in to get their money back from the health insurance) it's not that much different from the older system. And a lot handier.

And then there's the planned smart id card, which I'm very curious about. Supposedly your address will no longer be visible on the card, so you don't have to get a new card each time you move. Which will mean these cards will be for life, instead of for 3 or 4 years like they are now. That's a concept that I like.

Re:Europe's had it for 15 years!

That's the fault of the companies, not the cards themselves. Smartcards can have lots of different programs/services on them, not just one.

Re:Europe's had it for 15 years!

[trcooper]

The PIN isn't on the magnetic strip. The card number is on the strip. The PIN is stored in a central database. Smart cards are more or less a gimmick. Anything that can be done with a smart card can be done with a normal card and a central DB.

Re:Europe's had it for 15 years!

[CAVE^MAN]

that assumes you have some sort fo access to the db. one of the original reasons for "smart cards" was that they didn't require access to any sort of network during transactions, iirc. oh, btw so called "smart cards" also have the capability to store your balance and they can stop you from spending more than you've budgeted and will certianly stop you from spending more than is in your account.

Re:Europe's had it for 15 years!

Entering a PIn would actually be quicker than not entering a PIN.

The reason is there is 0 authorisation time. Once the pin and the encrypted data on the card match then your purchase is approved. thus no waiting while the reader dials, connects, waits for an answer etc. Also no signature is needed.

It's higher security but not un-breakable.
Anyway mosts scams bypass technology and just trick the staff into getting something for nothing.

PS Some readers will dial for extra security on very large transactions but in general it is quiker than a siggy.

Reminder:

[The_Zionist_Problem]

I hate Jews

Password or Signature Protection

[Michael+Wardle]

Whilst there are all sorts of risks involved with online use and tampering with the smart card readers, most of the smart cards released here in Australia don't even have a PIN or signature protection: you just press OK/ENTER. If these cards are combined with a credit card, then presumably there will at least be a signature on the back, but this also is not a guarantee (how many times does the sales clerk actually check your signature when purchasing a 5 $ item?).

To provide at least basic protection, the use of these smart cards must require entry of some code such as a PIN.

Short Article

[paulm]

Here is a little article on smart credit cards (yahoo).

Judging from that posts I have read here, there is a general lack of information about them, so I'll post a few relevent lines:

WHAT ARE SMART CARDS?

Smart cards have an embedded microchip instead of the magnetic strip used by credit cards. The cards need a special reader to transfer information from a personal computer to online merchant Web sites or at point of sale terminals at retail stores.

MOD THIS UP! (n/t)

n/t

Haven't a clue, but allow me to speculate.

[blair1q]

If the circuit on the smart card can be used as a public-key crypto engine, then you could use it to secure any interaction with the card issuer's database.

Nobody could get your private key unless they stole your physical card, since there's no need to have the key printed anywhere except in the card's circuit.

Here's the loop: Client (cardholder) sends server (issuer) a cookie encoded with Server's public key. Server decrypts it with its private key and sends it back along with its own cookie, encrypted with Client's public key. Client decrypts, compares the Client cookie it sent with its copy of it, thus validating Server's authority. Client then encrypts Server's cookie and sends it back. Server decrypts, compares with its copy, thus validating the client's authority. This is basic RSA/PGP stuff.

One simple handshake--it's about as complicated as the TCP/IP connection that was made to transport it--and your SmartCard is money.

This gets rid of the current problem of credit-card numbers being stolen ex proprio that arises because you have to copy the number itself off the card in order to use it.

--Blair
"I was speculating about the meaning of ex proprio, too. So sue me."

Re:Haven't a clue, but allow me to speculate.

[bluebomber]

The scheme you describe probably isn't as bad as what currently happens, but it is still vulnerable to "man-in-the-middle" attacks. You're wrong about the one simple handshake -- there is also a transaction needed to look up the public key for the server, and then for the client. This is wherein the vulnerability lies:

Alice wants to buy a widget from Bob. Charlie is sitting on the wire during the conversation. Alice asks for Bob's public key, Charlie intercepts the request and returns his own.

It is not as simple as it sounds: "PKI" is the buzzword here: "Public Key Infrastructure", which doesn't really exist for commercial transactions in the way that you describe.

Re:Haven't a clue, but allow me to speculate.

it is a bit false since even if you stole the media you cannot use it without the proper PIN and since the PIN is checked by the card (and not by the reader) after 3 attempts the card is lock.

Moreover the signature and encryption is not done by the PC but by the card itself and there is NO way to extract the private key even for the user

to add some more spice, some of these card have ON Board key generation which means that the CPU inside the card is able to create a couple of RSA key, thgen send the public key to the PC and keep the private inside the memory.

Re:Haven't a clue, but allow me to speculate.

unless you store the banks public key on the card. Then when the bank does its digital signature, you can be sure that you are talking directly to the bank.

Re:Haven't a clue, but allow me to speculate.

[blair1q]

Right. The client initiates the transaction, using the bank's "well-known" public key. The man in the middle can't decrypt that to get the random cookie to send back to the client, so he can't mimic the server.

The only spoof possible now is if the card is issued by the man in the middle. It's still vulnerable to physical compromise and cracking the private keys.

(BTW, when I called the card a crypto engine, I meant that the private key never leaves the card; it wouldn't be secure if it could; how you keep someone from reverse-engineering it off the chip is another story. I like the thing about the PIN, though; it improves over simple physical security. The on-card key generator will work iff the old key is used to perform the new-key-registration transaction.)

--Blair
"I can't tell what's better: pegging my karma at 50, or making people knock it down so I can peg it again..."

Re:If only the sales reps were as smart as the car

By now this is completely off topic, but I'll bite.

I don't have caller ID. Nor do I wish to pay for it. I know, it's only $10 or so more per month, but so what? I don't need it. Even if I had it in this situation, I still would have had to get up to look at the caller ID box.

Let's break it down further (I'm really bored now). Say I give them two minutes of my time. Assuming (being a consultant) my time is worth up to $150 per hour, that's $5 worth of time. So in excange for that, I mess with their feeble mind a bit. So?

More security? How?

[thogard]

They are going to replace the mag stripe with a chip. This adds security how? As far as I can tell, only about 1 in 1000 techies have a mag card writer. About 1 in 1 pc users can have a chip card writer with a few clip leads from radio shack. Once this takes off, the small time fraud level will go through the roof once someone makes a nice script kiddie tool kit. The smart cards used by the sat tv are quite complex compared to the credit cards and at one time, direct Tv was guessing that only 10% of their customer base was using craced cards.

As a merchant, I would not take ones of these new cards with out making sure I'm not taking any of the risk.

There is also the static issue. I know a few women that can not deal with electronics without some heave duty static protection. One of them has a complete surface mount static protection workstation that she uses as her desk and so far it has keep her pc working. Before that she would blow motherboards, keyboards and mice week. Since she kills digital watches, I would expect one of these cards to have a life time of less than a week with her.

Smart not Smart

[Bob+Hopeless]

The idea behind "Smart" Credit Cards is not what most people think. The common conception of a "Smart" Credit Card is of something that will protect you from internet pirates and the evil waiter that disappears with your card for 10 min. This is NOT the case and Marketing knows it. The only basis they have for calling them "Smart" Credit cards is that they "Look Smart" as in fashionable and elegant. Context is everything...

Use of SmartCards in Europe...

I noticed the widespread use of these cards last time I was in France. I guess the reason they caught on so well over there was that the way the cards are set up, they are somehow self-authenticating, that is there is no need to call a central database, at least not at the time of purchase. This was an important feature in Europe where super-expensive telephone hookups made it prohibitively expensive for the average business to authorise credit cards over the phone every time one was used.

We use them at my university for stored value as well. They were going to drop them from our IDs a few years ago, but the introduction of SunRay network appliances all over here and the hot-desking that goes with them guaranteed they'll stick around a while longer.

Although I think the coolest application I've seen is the card I can store all of my PCR programs on for our Thermal Cycler in the lab. Tres convenient!

--J

Re:Use of SmartCards in Europe...

this is not totally true : there's a call that is mandatory when the price is higher that a certain value (FRF 600 I believe).

There's another simple thing that the smartcard does well (I don't know if normal CCs do it also) : store the list of the n last transactions made with it, which can be quite convenient too.

What are you talking about

Waterworld is possibly one of the finest films ever made. It belongs on the top shelf of any cinema buff's cabinet, next to the likes of Citizen Kane and The Godfather. When Waterworld is on, I do not eat popcorn or engage in other distracting activities, and god help you if I hear you talk during this masterpiece.

Re:What are you talking about

[astr0boy]

you mean The Godfather part 3, right?

Re:What are you talking about

[garcia]

that movie was just misunderstood... You should watch more of the Sopranos ;-)

woah.

"Smart" credit cards? Imagine a Beowu....

oh.

nevermind.

Si

[goldbishop]

Well I hope they're Silicon based. Well actualy I hope they're not but that's just because it'd be really cool if they weren't. Mind if I borrow the line though? That is too tight.

--Goldbishop
371+3 1=053\/35

Re:Si

[unitron]

Some of you may not have been around long enough to know that the first solid-state devices *were* germanium based, unless you count selenium diodes.

Here's what they do

[baronben]

Basicly all the smart card is, is a mircochip on the card which has a PIN number or word on it. If a merchent has a smart card reader (which few do) can read that PIN and ask you it to make sure that you are you. Fairly useless IMOH.

Seems good to me

[nextreme]

I have a Fusion smart card which is part of Fleet Bank. I have gotten a $3000 limit and intro rate is 0% with the fixed rate after 6 months to be 11% or 12% not sure which. Anyway, it came with a smart card reader which when used with certain websites which enable the reader's use you get an extra encryption over the 128bit that your brower supports. It is pretty cool. Check out Fusion's website here: http://www.fusioncard.com/home/

first post!

girls want me

A little bit of real information

[Fusion777]

I worked for a company that specialized in smart card devices and was present while some of the technical and political discussions took place. The implementation, at that time at least, was up to the credit card company but the potential is this (read potential means this may or may not be the route your CC company chose):

A smartcard could secure your credit card number so that only the banks ever see it plaintext. That means you never see it, the merchant and his punk waiter never see it. If they get clever and intercept the transmission, they'll see encrypted traffic - it behaves very similarly to SSL. The PIN is an authorization to allow the transaction to occurr, and interestingly the entering of the PIN# becomes one of the hardest security parts to lock down. I even saw prototype smartcards with little keypads right on them!

Having worked with the technology, I have FAR more faith in a (proper) smartcard-secured credit card transaction than a normal one. Imagine being able to go to po-dunk computer supplier.com and not have to give him your CC # to make a purchase? It's a good thing.

Info on SCs

[psavo]

Well, when you talk about "smart" cards you probably mean just plain old "circuit" card. Which is usually just ISO7816-1,2,3,4 compliant card.
Those standards define electracal interface, and "command" interface. There's a lot of cards that don't abey the standards to the full extent, or extend them in weird directions.
Now, the thing VISA is offering, is that the card is totally standard -compliant, some call it EMV-part2 (part1 is again about interface...). To be VISA-SC compliant, you have to obey EMV-p2..

About privacy: You have near to zero. I know, I program this stuff (not EMV-p2, but near to it. If I'd tell about EMV-p2, they'd come and shoot me in no time ;). All transactions end up at least at VISA's servers, which may or may not (yeah, right) track you & your shopping behaviour.
But this stuff isn't new at all, it could have been done (is done) with plain old ISO-2 stripe too. The new stuff is that card can deny certain shoppings. For example you yourself can deny buying 300kg of lollipops with your card. That's just a silly example, but that's possible. You could also limit time at which card functions.. etc..

Re:Info on SCs

Don't shit your pants. The specs are available to the public and I doubt you signed a NDA for it.

Smart Card Capabilities and Protocols

[braddock]

Newer Smart Cards are capable of public key cryptography. They are not just an information store, like a magnetic stripe, but actually perform public key crypto on an embedded processor on the card which is powered by the reader. This way your public key never leaves the card.

Some of the better manufacturers of Smart Cards add all sorts of physical security to the chips as well...to the point where you can't even take the chip apart and scan the die with a electron microsope or special probes to try to read or trick the bits out of memory.

My guess is that the current Visa cards do NOT use onboard cryptography yet...that these are general purpose cards which for now store your credit card number and address for convenience because the infrastructure is not yet in place AFAIK to support public key credit card transactions. They may or may not already have crypto software onboard that could be used with a PKCS#11 driver, but the credit card companies just want to get them and the readers deployed, and then will provide a software update or something to actually add crypto features in your transaction in the next couple years. See the PKCS#11 standard written by RSA (on their web site) for the standard crypto API which has been adopted for smartcards.

Note that smart cards have been around for a while in europe, although they were typically not used in a cryptographically sophistically way.

See www.pki-page.org and http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/

Braddock Gaskill
Security Consultant
braddock@braddock.com

Re:Smart Card Capabilities and Protocols

I would like to enter my definition of a smart card -a card that works just like a $50 dollar paper note. A chip that fully authorises the transaction without online verification, AND where the cards issuer accepts unconditionally,any fraud.
Anything else is a dumb card.

The CC companies are NOT claiming their cards are better than the ones used for cable.....get the picture?
The alledged smart cards are really dumb, because they still call home, and the bank still makes the merchant wear, directly or indirectly, the cost of fraud. (actually the consumer).

Remember,the card, does not know who you are, only that someone punched in the right pin while in possession of your card - or a bloody good duplicate.

France had a popular smartcard cracked - and they made the guy silent, while the charade of security went on for 3 years? - Lets admit it - anything in silicon can be duplicated/cracked.

A smart card has zero advantages when there is a $50 credit protection in place. Given that the card costs $20 a throw, you can bet that something will give. But it won't be in the form of more cost efficient transactions, nor reduce the fee rake-off CC's get.

technical details

Smart cards come in a number of flavors, with a variety of capabilities and price tags. The simplest are memory cards (just store values, useful as "wallets"), the fanciest are (currently) JavaCards. Amex Blue is in fact a (Gemplus) JavaCard, running (default) a single applet (I believe the smart Visa cards are similar). This applet has an RSA keypair, and an X.509 digital certificate. Making a transaction with the card requires the card to generate a digital signature on the transaction info (in contrast with standard magstripe cards that just add those magic 16 digits to the data sent to the issuer). Why is this better: it's very easy to clone a magstripe card. Get any piece of paper with the card number on it, it's very simple to manufacture a card. Or for card-not-present (e.g. internet) transactions, the number itself is all you need. Steal it out of some online merchant's database, and you're good to go. With smartcard-based transactions, you have to actually have access to the private key on the card to generate a bogus transaction. Now you can rip the keys out of these cards, but it requires some time alone with the card itself -- just downloading some merchant's badly protected database is no longer sufficient. You get a poor man's version of this kind of protection with those one-off credit card numbers, but that requires the user to actually get and use those numbers. With smartcard based transactions, this all happens transparently. The really interesting thing is that the card issuers have been avoiding smartcards in the US for years because of the cost. But now that they've bitten the bullet, they've gone in all the way -- instead of a $5 smartcard capable of signing transactions and storing certificates, they've gone for the $20 32-bit JavaCards (and $15 adds up fast over all Visa subscribers in the US). Presumably the initial decision to switch to smartcards was simply based on how much they're losing to fraud. The decision to go with the JavaCard may be in the hopes of offsetting the cost by having other players pay them to add further applets to the card (e.g. loyalty programs, where you get the 10th coffee free, etc, or additional security features for environments where you can't use the chip -- e.g. applications that will generate and store one-time 16-digit credit card numbers).

Amex Prototype

[Stultsinator]

Our group at IBM did a project (it may still be operating) that put kiosks at Hiltons and United Airline (or maybe it was American Airline) terminals. The idea was that you could use your smart Amex card to check in at the terminal and at your hotel. The card would keep track of your frequent flyer miles and your "Hilton Points" or whatever they're called.

I think this was the first application of these types of cards.

Smart Cards

[Naikrovek]

Smart cards are pretty cool. They have great security, are standards-based, and are quite cheap when you think about all they do.

Most smart cards (JavaCards or OpenCards) support encryption, wired or wireless interfaces, and a bit of space on the card itself for a program of your own. www.basiccard.com offers a neat little set of cards you can program in basic, if you're just getting started. (the program on the computer can be written in any language). www.gemplus.com has cards you can program in Java, but these are much more expensive.

Each card has an onboard computer which you can program to do your bidding, from anything to securely storing cash (that only the correct program, or card reader can adjust, if you like), identity checking (imagine an ID card with your picture, signature, left thumbprint on the surface of the card, and stored securely inside the card - now there's an ID), and tons of other things that haven't been thought of yet.

You can use them as phone cards, tiny cash cards (swipe your card in front of a soda machine, push Pepsi, drink, repeat)

There are tons of cool things you can do with a tiny computer embedded in a card. Its more than just memory storage, its an entire cpu that you could use for a new TIS authentication scheme, or a new payphone card, or a key for your encrypted files. You could walk by a local ESPN store, swipe your card, then on your Palm later check out all the scores and player stats for the last week. Look, smartcards are great or evil, depending on how creative you are, but the potential for some very cool things is definately there.

Smart Cards in the USA

[GECK]

There is not yet a good application for Smart Cards in the USA yet. So far, the only application for them that I have seen at all is the savings machine at my local Virgin Megastore (Hey, they had Universal Indicator: Innovations in the Dynamics of Acid, which means I'll buy it). In other words, this is just a gimmick.

Good applications of smart card technology can be found in the BT (is that British Telecom? I'm American, I dunno) phonebooths in Great Britain. One card... easily rechargable... Electronic cash, anyone? Now, perhaps if they came out with phones with smart card readers in America, something that you could easily bill long distance to, just by inserting Brue (Crose enough!) or whatever smart chip card you have on you. Hell, eventually, someone will come out with electronic cash on those babies, and then, that'll be a lot more convenient than carrying around a wad of $20s... (look at the size of that guy's wad!)

Pretty much, though, there really isn't any useful application for smart cards right now in the USA. Perhaps it would be a little better if Amex and Visa rolled out applications and terminals to vendors before unleashing these technological wastes on us...

Ah, I miss the days when new technology was useful... and I'm only 18...

(off topic: I got some porn ad email in chinese... apparently they spidered the site, found my email, and sent it to me, because it had a link to a reply I wrote a looong time ago)

No cash?

[Wyatt+Earp]

Why would we not want cash?

I like cash and I dislike cards.

I dislike having my shopping habits tracked, and when it comes time to do work on the side, it's nice to be paid in cash and not have to worry about Federal or State Income Tax on said wages.

In a cashless society, everything is going to be tracked, and I do not like that.

Re:No cash?

[SuiteSisterMary]

Nah, there'll always be the concept of 'use once' cards. Buy a card worth, say, 500 bucks, and all your card shows is that you bought a card worth 500 bucks. The new card isn't connected to your old in any way. You hand the new card to somebody, and they get 500 bucks out of 'nowhere' as far as the tracking programs are concerned.

Re:No cash?

[tristan+f.]

So basically... in a cashless society, you won't be able to cheat on your taxes, and you don't like that. How very noble of you.

Re:No cash?

[cheeseflan]

The (not so) small problem is that in a few years time forging notes will be so easy that you won't be able to use cash efectively - hence the slow experimentation with smartcards. They aren't needed now, but most governments are keen to see the likes of Visa, Mastercard and the major banks get skilled in the use of these before they have to stop printing large denomination notes. Already, the Royal Mint in the UK doesn't print anything over £50, and trying to spend one is getting more and more difficult - most pubs won't accept them anymore. The Aussies have taken a different approach, by making their notes out of plastic (still looks like paper) which is covered in all kinds of anti-fraud technologies. Even there, large denomination notes are being printed in smaller and smaller numbers...

Smart cards don't have to be about cash though, the most successful trials I have seen have been to do with local government services. In a trial locally, one card was your bus/rail season ticket, your library card, your social security benefit book, your school meals voucher (for kids of course) and so-on. The only issue was that so many of the muppets who need these services lost the cards that the scheme was three times more expensive than estimated. It was shelved very rapidly, but with the greater acceptance of cards=cash=valuable, the people involved might take more care in future. I think what also helped to make the project fail was the fact that the people involved weren't charged for the loss - take £5 out of their benefits for each lost card and they would either starve or learn.

Re:No cash?

[Wyatt+Earp]

Cheating taxes....

Sorry, I think that the entire Income Tax system in the United States is horribly wrong and biased against lower income brackets.

Why should I have social security taken from work I do on the side when I will never see a dime from social security...

Re:No cash?

[Prior+Restraint]

Why should I have social security taken from work I do on the side when I will never see a dime from social security...

You seem to be overlooking the word "social". It's not a savings account, it's a support system for those who are already retired. Depending on who you ask, you're supposed to pay into it to either (A) reduce the level of poverty among the elderly; or (B) encourage the elderly to retire so that more job openings are made available to the young (the latter was the reason it was first created during the Depression, when unemployment reached record levels; the former is the typical argument for keeping it around today).

Re:No cash?

[Cro+Magnon]

Social Security is a pyramid scheme. As long as there's enough young fools paying into the system, Gramps gets the dough. but when we have a bunch of retirees, and not enough youngsters to support them, they're screwed!

What? little chip can rename the card to "smart"?

[kindaichi]

Smart Cards are also being used on GSM phones, since GSM Smart Cards (SIM Cards) can be cloned. This [credit card type Smart Card] will eventually be able to be cloned. NOT so secure in my point of view.

Let me get this straight...

[DAldredge]

You canceled an 8,000 credit limit card BEFORE you knew the credit limit of your new card? Are you sure you can handle a credit card?

Re:Hemos, this one's for you

[Cock+Knocker]

Ka-pow !

I'd rather have a dumb card

[Jim+Buzbee]

Exactly what problem are "smart" cards designed to solve for me, the consumer? My current credit card works fine - I really don't want a card that tracks my personal information and purchases. I'd rather have a dumb anonymous card rather than a smart "personal" card.

Re:I'd rather have a dumb card

[Apple+Acolyte]

Hear hear! I don't have any problems with my tradiitonal credit card, and while I am both bothered by skimming and aware that progress must be made, I believe it's better to wait on this technology until the public is assured of how exactly it operates. The most distressing issue concerning these cards is the privacy factor. Who wants his or her buying habits tracked every step of the way, tied to SSNs and home addresses? No sir, I don't like it. And while I understand that corporations already track traditional credit card purchases, such invasions of privacy would be worse with smart technology since it's being positioned as a replacement for currency. I'm all for smart technology, but only such techology that's good for the consumer - by protecting privacy and monetary security.

An overview of Chip-enabled Credit Cards

[helloRockview]

I work in the credit card industry, specifically focusing in the area of risk and fraud. The recent wave of chip cards (credit cards with an embedded microchip) is perhaps one of the most interesting marketing "ploys" in the recent history of the payment card industry.

The use of chip cards has tremendous potential in both the face-to-face (traditional, i.e. at the grocery store) and card-not-present (CNP, i.e. Internet) purchase mediums. For example, one day there may be a client-side and server-side standard that enables card authentication over the Internet, giving e-commerce retailers greater confidence that the person on the other end is the legitimate cardholder and not someone typing in stolen cardholder information. There are also a number of other proposals to use the chip for CRM purposes, such as electronic couponing and loyalty schemes. The potential is certainly there to greatly improve the way credit cards are used for payments today.

Despite this potential, even the card companies don't know what to do with the chips on these cards. There is a total lack of standards among the card associations (Visa, MC, Amex, Discover and other foreign schemes). To date, none of them have proposed any type of beneficial use for these embedded chips. The card associations love to use catch slogans like "The card with a brain", but mysteriously offer no explanation as to how this brain can help you.

The use of embedded-chip payment cards is not new to the world. Several card markets have experimented with chip cards in the past. Perhaps the most notable market is France, who has employed chip card technology for the last several years. If you've ever been to France, you may have noticed that there is a PIN input pad at every point-of-sale terminal. If you are at a restaurant, the waiter will bring a handheld card reader to your table. Each card issued by a French bank contains a chip, which enables this reader unit to verify if a correct secret PIN has been entered by the cardholder - without contacting a bank or any other banking network. These units also contain a traditional magnetic stripe reader used to authorize non-French issued cards.

This chip-bases system was implemented in France for two reasons: offline cardholder verification and enhanced security. Since the units are able to independently verify correct cardholder PINs, this allows merchants to authorize credit card transactions offline, without requiring a dedicted phone line. This is a nice feature for countries with telcos that take 12 months to install a phone line, which often have overly expensive telecom costs. One important thing to note: Offline PIN-based validations do not have the ability to check for basic validations like checking to see if there is open credit on the account or checking to see if the account is even valid. The offline validation also does not work on non-French issued cards. Subsequently, most retailers authorize transactions using a traditional online method, even if the card has a chip.

Despite the widespread use in France, chip-based authorization is still years away here in the US. France is a very small card market with only a handful of banks issuing credit cards. Various reports have estimated a cost between $10 and $20 billion dollars to convert the current US card authorizations systems to include chip-based authentication/authorization - a cost that card issuers, acquirers (the banks that merchants interface with) and merchants are not ready to eat. In addition, extending chip card authorization to the online world will require client-side hardware (i.e. card readers) and server-side software....more hassle than the card issuers are ready to deal with right now. AMEX tried it and failed miserably (did you actually know anyone that used the AMEX Blue smart card reader? Do you know any online merchants that support it?)

In a nutshell, your credit card may have a brain, but it is yet to have a place to use all that intelligence.

Re:An overview of Chip-enabled Credit Cards

There was also a reported case in france not so long ago of an engineer who created a card, and tried to blackmail the authorities into buying stonger encryption.. he got jail.

Re:An overview of Chip-enabled Credit Cards

All of this is true and really interesting. The smart card security is really interesting and complex. The main point is that the aim of the smart cards is that it is supposed to enable security OFFLINE by using a control through the PIN and an internal private key on the card.

Let me precise some points though:

* Smart cards have been ubiquitous for quite some times at least in France where it has been invented. I would say for at least 12 years.

* From that experience I can say that it is really reliable.

* As you may not know, the use of CREDIT in general in Europe is not so widespread in Europe as it is in the US. If, as you say, credit card are issued very often in France (I wouldn't say "very few banks issue them", though), DEBIT cards have been used regularly in France 10 years before they were in the US, where cash was used at the time (everybody had one, I have had one for 10 years, and I was too young to have one before). 20 or 15 years ago, networks were not used so widely as today.

* As a matter of fact, I think you should rethink your prejudices about telecoms in Europe. What was true about difficulties to have a line installed in the 1970's is no longer true for quite some time now. Despite what US manga-readers think, use of the wireless phones in the leading european countries (such as France) is equal or even greater than in Japan.

* It has been possible to crack the private key, because it was too small. The new models don't allow it anymore. Since for payment less than 500 FF, the system is generally offline, it was possible to emulate smart cards to pay things less than 500 FF (about $ 80). It shows that security with smart cards is not at all guaranteed.

Read: Secret & Lies

Secrets and Lies: Digital Security in a Networked World by Bruce Schneier of Crypto-Gram fame, talks about smart cards: tamper-proof, and tamper-resistant, as well as "electronic wallets" (which use smart cards). Obviously, the book is not [at least legally] online, so no direct references.

American-style credit cards did not take off in Europe so well because it was(and may be) so stinkin' difficult to get a phone line. He says Italy could throw enough red tape on the ordeal to delay install for a year. This was no way for merchants to jump on the credit bandwagon so they started using smart cards for wallet-based credit. Smart cards SOLVED A PROBLEM. That problem doesn't exist in America as phone lines are easy to come by.

The other reason, as mentioned in a different thread, is that there was/is little legal-based credit-fraud protection in Europe[generally], but such legislation has existed for a long time in the US. The point of Bruce's book applies here: different technology for credit cards won't happen until either the system get some unexpected, significant risk of fraud, or another system comes out which substantially reduces fraud risk below its current level and doesn't offend everyone for things like privacy. Repeat. The risk of credit card fraud is currently manageable. The security of the system has some, if few, countermeasures to keep the average Joe honest. It has a detection mechanism which identifies fraud. It has a response mechanism that allows them to go after all but the most sophisticated attackers. Changing technologies for credit cards must present a MAJOR improvement in: countermeasures, detection, and response. Smart cards don't provide a major step up in security nor do they simplify the speed at which I will spend money. If you don't agree, read the book first. Heck, borrow it from the library and support freedom the Stallman way.

Looks like a good idea

[suprax]

While there may be security risks and complaints about these smart cards, they sure do look interesting. Once they are used more widely and have some better uses, then they will probably catch on.

I had a customer tonight at work who had one and he didn't seem to even know what it did when I talked to him about it. He just figured it was an "upgraded credit card".

I'll look into these cards once the uses become more mainstream. I would love to be able to go to a site, click buy and plug in my card and have everything be taken care of. Thats why I'll use one. :)

Smart Card and infrastructure

I worked for Visa for a little bit in 1997 when they were launching chip cards in Europe. From what I remember, the chip cards are good for places that don't have much telco infrastructure. The chip can store the remaining balance on the card and subtract when the card user makes a purchase without dialing up. Almost every transaction performed in the US requires a dial in to "them" to authenticate the transaction.

the card is discover

[bluebomber]

The Novus/Discover people are actually a treat to deal with (a rare occurance in this industry). I haven't used their one-time-number service yet (requires Java, which is IMHO unsupported in release-quality versions of Netscape), but you can find more info at the bottom of the page here

Kiwis use EFTPOS, and its smarter

[vik]

Here in New Zealand we have Electronic Fund Transfer at Point Of Sale. It looks like a credit card, but it carries out transactions on your bank account in real time. Just about everyone uses them for anything from a car to a bottle of milk at the dairy. No chip, just a PIN and mag stripe.

Simple, effective, had it for years and it works. No need for silicon smart/dumb cards. And yes I can transfer money from my account to someone else's over the phone.

Vik :v)

Re:Kiwis use EFTPOS, and its smarter

Ummm don't act like kiwi's are special, debit cards are quite common in other parts of the world too.

Re:Kiwis use EFTPOS, and its smarter

[WasterDave]

Yes, but having them everywhere is something else.

Dave

Re:Kiwis use EFTPOS, and its smarter

As of 1995, Kiwis had the highest rate of debit card terminals per capita in the world.

What's interesting is that Canada is closely behind, while the neighbouring USA doesn't even register. Credit still rules supreme there.

Re:Kiwis use EFTPOS, and its smarter

[The-Dork]

but it carries out transactions on your bank account in real time

Isnt that a debit card ? Duh !!!

Re:Kiwis use EFTPOS, and its smarter

It's a Visa CheckCard. Spiffy little things. My credit union uses them for ATM cards. It's got 27 different little corporate logos on it, a holo, and my sig. It'll do whatever I ask it to. @ an ATM, I can do financial transactions. @ a capable merchant, I can use EFT. For archaic systems (BestBuy) it says it's a Visa card. All transactions are immediate, unless I overdraw my account, then I get X number of 'grace' credit transactions. All in all, I see no need for a credit card, smart or otherwise. That's why you choose a Credit union over a bank.

-Not at work, so no login :(

Re:Kiwis use EFTPOS, and its smarter

[aenea]

Yes, but that was six years ago. These days in the US, you'd probably have to make a specific request to get an ATM card that doesn't have debit capabilities. Also, the major issuer is VISA, so there really aren't a lot of "debit card terminals", they get processed just like a credit card transaction.

Re:More security? How?

did you happen to read the post about simple RSA encryption above?

Deets..

[Telek]

Hey, I work with that industry =)

Basically all it is is a smart card on your credit card, that contains all of the info that is on the mag stripe of the card. The only difference is that you can insert the card into a reader (end first, and only about 2" to get the chip in), it will prompt you for a pin code, and you can enter it, then the terminal has the info to make the purchase. It's not much different than normal magstripe readers, except that it has the potential in the future to be a lot neater (like replace cash entirely). It can also be used for loyalty programs (stores points on the card, for example). As for the "much more secure", that's bullshit. The information that is on the card is kept hidden and unaccessable, that's correct. It cannot be modified, that's correct. You cannot copy the card, that's correct. But on your PC any information must be passed into the browser, and over the internet, and thus it's just as vulnerable as typing it in yourself.

In the future, you will be able to do things like have a remote site talk directly to the chip on the card, using built in encryption that will be entirely secure, as well as do neat things like authorize payments from your bank, cash transfers, withdrawing money from your bank over the internet onto your card (don't need to go to an ABM anymore!) Unfortunately people aren't yet comfortable with this technology as a whole, and thus the technology trials proved that although the technology works and is available, nobody wanted to use them. Perhaps in another 3 or 4 years.

OTOH, Europe has had smart chips in their credit cards for years now, to the point at which vendors get confused when you pass them a normal mag-stripe-only credit card (I'm not joking, I've had my card refused several times because they couldn't figure out how to use it). Similarly all bank cards here have a smart card in them. It's a lot more secure for banking because you can't copy the card just by knowing the number on the card and the pin number. In North America it has happened several times where people can capture the pin code and card number, make a new card, go up to some banking machine and withdrawl money, and guess what, the legitimate card owner gets fsck'ed over because there's no protection against that. Common to happen is a video camera placed above the keypad somewhere (For example, there was a case in a supermarket where some guy placed a camera with a zoom lens in the rafters of the roof just above a checkout, had it focused on the pinpad, the camera captured the card number visually, and watched you punch in the number. He got away with it for a few months until they traced down where this was happening and finally caught him. Popular also is to put a fake ABM in a parking lot somewhere, and have it prompt you for your card and pin number, then just print out "Sorry, network failure" message, at which point you go away grumbling but they now have your card/pin... I don't use interact anymore because it is HORRIBLY insecure. Credit cards however still are insecure, but the credit card company takes the loss instead of you =)...

DMCA and smartcards

[kurt555gs]

In the US of A we dont need very elegant encryption for the smart cards. Just ROT13 the PIN and then hen some one makes something to unscramble it, throw him in jail using the DMCA

History on Visa Smart. Who & What ...

[friday2k]

OK, first of all, this thing was built by Securify, by a now defunct group which was based in Boston. They are the same guys who, btw, built American Express Blue. The program includes a full fledged PKI solution, with your credentials stored on the chip. You can use it for signing in for special services, use it to purchase online. You just have to remember a PIN. The funny thing is that Providian, the first Issuer to give out the cards, SELLS the necessary Smartcardreader for 19.95. Speaking of consumer adoption ...

Re:History on Visa Smart. Who & What ...

[TeddyR]

My question on the matter is the following: Can windows (or any other OS) use these readers and cards [specifcally the GetSmart ones] as PKI auth/ smart cards for win2k logins? [Make it so that the machine will not allow logins except if the card is inserted; or something like that...]

Smart cards can never be truly secure

[bluestar]

The chip on a smart card is a rewritable medium. As any good slashdotter knows it can therefore never be "truly secure".

When the INS wanted a new Green Card they had to choose between smart cards and optical stripes. Optical stripes function like the magnetic stripe on your current credit and bank cards but use the same medium as a write-once compact disc.

Once data is written to an optical card it can't be modified. That's why the INS chose optical storage for the Green Card, Border Crossing Card and others. Of course you can add all the passwords and encryption you want on top of that for additional security.

And optical cards store up to 4 MB of data which is certainly enough to record the transaction history of the average consumer for a couple years.

FYI, I wrote the software the INS uses to produce the new Green Card, so I have a clue on the subject ;-).

Re:Smart cards can never be truly secure

a: if you call a smartcard rewritable you are probably talking about the memory chips. Current Smartcards are actual little computers. They do computatations. Informations is often encrypted on the chip itself and it is near to impossible to get the keys out of the chips. Banks using the cards for 'electronic purses' rely on this. The term rewriteble in this sense is nonsense. It's like calling my PC rewritable. In the same comparison. My PC is as secure as the software installed on it. The same goes for Smartcards.

b: an optical stripe can not be rewritten, but it can be copied. Where is the security in that. Only in the fact the optical strip writers are not widely available?

Re:Smart cards can never be truly secure

[nobody/incognito]

since you claim to have a clue, i guess there's no point in suggesting that you get a clue ... but you seem to be unaware that smartcards can be irreversibly programmed to be read-only.

nobody

What I forgot ...

[friday2k]

What I forgot, rumours have it that the old Consulting/PKI group got all back into Charlie Waltons old/new company Caradas.

This is how I think they ork

I think they make a new number for each purchase so if they somehow found out the credit card # for that purchase they could only use it for a very short period of time, and at that store only. This may be incorrect, but I remember hearing about this some time ago.

Re:If only the sales reps were as smart as the car

[athmanb]

Well, it's not really like they have a choice. They need a way to get a living, even if it's by sitting all day long in a call-center and asking silly question to annoyed people.

And if you want to vent your agressions, do it to the manager and not the phone reps.

Uh oh!

Slashdot is teabagging again!

Up, down. Up, down. Up, down. You can almost hear the network grunting.

Smart Cards - explained

[K4GPB]

What is a Smart Card? offers a brief explanation.

AmEx Blue Killed their Chip

[cporter]

... The "Smart Chip" reader hasn't been available from AmEx for a long while. That chip isn't useful for anything. "Blue" is just a credit card, as opposed to the classic "green" charge card (and gold, and platinum)

However, AmEx has the best dang credit card feature available: Private Payments, which is basically a generate-as-you-need one time use credit card number. It bills back to your card account, but the number can't be reused, and the expiration date is the current month. No worries about stolen cards at e-commerce sites with questionable security or shifty practices.

Re:AmEx Blue Killed their Chip

[Asgard]

I thought the number could be reused, but that it expired so soon as to make hacking the cc database useless.

Use for Smart Cards

[Gonarat]

The VISA and Amex Blue are great ideas, but building the infrastructure to use them is going to be the big problem. Any Merchant who accepts credit cards already has a mag stripe reader of some sort. It can be a self contained unit or built into the cash register. For smart card transactions to become popular, chip card readers will have to be placed at retailers. Internet purchasing is another good use for chip card technology, the promise is there, but the implementation is not. Chip card technology is popular in Europe, so the market is there if the applications are forthcoming.

I work for a company that deals with chip cards (although not in the credit card arena) -- the cards themself are highly secure when compared to a mag stripe card. The fraud we have seen has not been hacks to the card itself, but fraud at either the Point-of-sale or when the card is applied for. I'm sure the card could be hacked, given enough time and money, but barring an inside job, the cost of defeating the security is higher than the benefit that would be gained. Of course, in the credit card market the benefit goes up, so there will be more attempts to crack the chip. I'm not going to reveal the exact market that we are in, but remember, google is your friend :)

One of the big advantages of the chip card (beyond fraud control) is that value can be stored on the card. For example, I put $50 dollars on my card. I can then go to locations that accept chip card purchases and I can make a purchase without the Merchant being on line. The merchant settles at the end of the day by dial up modem, and their money can be transferred to the Merchant's bank account the next day. This kind of use is great for merchants that are at Flea Markets, Hamfests, or other locations were online terminals are not practical. The credit card vendor provides all of the infrastructure to make this happen. There is a lot of potential here for this market, the cards are getting out there, but neither VISA or Amex has put the infrastructure together yet to actually make it happen.

Re:Use for Smart Cards

[SuiteSisterMary]

Here in Canada, ATM 'Interac' cards have taken off; debit cards that go directly to your bank accounts. Wireless terminals are commonplace; you can find them in taxis, grocery deliverypeople bring them to your front door, and so on. At one point, Toronto was considering giving wireless Interac terminals to homeless people, as 'I don't carry money' is a common response to panhandling. :-)

Re:Use for Smart Cards

[sql*kitten]

Any Merchant who accepts credit cards already has a mag stripe reader of some sort.

Not true. Pay by Amex in a taxi in Amsterdam, for example, and the driver will use a device that imprints your card onto a paper form, which you sign, and the paper forms are processed off line.

For example, I put $50 dollars on my card. I can then go to locations that accept chip card purchases and I can make a purchase without the Merchant being on line.

That's amazing! I wish I could do that with $50 cash in my wallet!

Sorry to be sarcastic, but the point is, if you have to visit a station to "charge" your card with money, why would you bother? Why not just go to the ATM? The real advantage of a credit card is that you don't need to worry about how much cash you have on you, you have purchasing power up to your credit limit there with you, and you are protected by law (Consumer Credit Act, 1974) against fraud or even against faulty merchandise.

I can't see regular credit cards going away anytime soon, whatever authentication mechanism is used.

reason smartcards will be used in america.......

stores want to load a buying history file and cookies onto consumer smartcards just like they do on the www, they want to track consumer's buying habits in the offline world in addition to the online. smart cards have a secret data memory which the consumer has no access to but a merchant does.
youll need your smart card just to enter the store, if you don't have a smart card you will be shot to death.

Re:If only the sales reps were as smart as the car

So, you were just trying to be a dick, huh? Congratulations!

It's the other way around

[LordCodeman]

Actually, I believe it does just the opposite. When you are about to make a stupid purchase, it praises you on your decision, by use of a popup, and suggests you add a few more of the same item to your shopping cart. Hey, they've got to make money somehow.

Re:It's the other way around

[alpinist]

When you are about to make a stupid purchase, it praises you on your decision, by use of a popup, and suggests you add a few more of the same item to your shopping cart.

Hey, wait a minute... You'd better be careful - Amazon has a patent on that technology already.

Re:It's the other way around

[then,+it+was+nigh]

Actually, I believe it does just the opposite. When you are about to make a stupid purchase, it praises you on your decision, by use of a popup, and suggests you add a few more of the same item to your shopping cart.

Sort of like this...

The Threat Of Fraud

[fdiskne1]

I don't see how secure this could be in the long run. Just imagine this scenario:

1. Thief gets his hands on a card.
2. Thief has card reader hooked to his computer.
3. Thief has gotten his hands on a piece of software that can act as the merchant.
4. Thief has another program that can reply to merchant program with PINs as the merchant program asks for it.
5. Thief now has a stolen card and the associated PIN.

Granted, a program like this would take some time to work, but I'm sure it can be cracked. Or if the card itself does the authentication, I can't see how that would be any tougher to crack.

Or am I missing something?

Re:The Threat Of Fraud

[rot26]

The pin number is combined with the credit card number (PAN) and encrypted using a master key and a session key into a block of data. This is all done in epoxy encapsulated hardware. THe pin number is never available to the programmer. To fake it, you have to have both keys, the pin number, the customers account number, and know how to grind 'em up using 3DES to create the pin block. One of the keys is sent plaintext but changed FREQUENTLY... the other key is stored in protected (epoxy encapsulated) memory in encrypted form. And to top it off, the plaintext version of the master key MUST be stored in two (or more) separate parts, protected by two (or more) separate passwords managed by two (or more) individuals. It's actually pretty heavy duty security if everybody follows the rules.

Re:The Threat Of Fraud

Well, I don't know about all the features, but I know a little bit. (Where I work we're producing VISA cards, though not with chips yet - but they are comming)

The card is supposed to be safer, just because it is a smart card. A smart card does have eeprom, ram, rom and a cpu to do some "internal" work.

The way I've understood it works it like this:

1. Terminal requests for a transaction in the card.
2. The card asks for a PIN code
3. The terminal collects the PIN code from a keyboard and transfers it to the card
4. The card does the verification of the PIN code and grants access if correct.
5. The terminal may continue with the transaction or abort.

(It is *MUCH*MORE* COMPLEX than this, but this is just so you get an idea of whats happening)

Just remember that the PIN code is not stored in plain text in an area which is readable from any card reader! And the verification of the PIN is NOT like a simple BASIC program (if PIN == VALID_PIN then RETURN OK else RETURN WRONG_PIN). The PIN er calculated from several elements stored in the so EMV software which is stored inside the chip. And EVERYTHING is encrypted.

And! The PIN code does not need to be calculated in the same way as today ... it might be a random number

I think you need to be a realy good hacker to be able to access what you need on the chip. Since all datatransferes goes thru the OS on the chip and the OS will not allow you to access all the memory areas in the chip. It actually more like a protocol data transfer between the chip than using it as a memory storage. (To simplify: Terminal -> Chip OS -> EMV software -> Chip OS -> Terminal)

To get more info, you might want to search for JavaOS, EMV, Bull, CP8 or other chip card producers like Hitachi. (EMV = Europay, MasterCard and VISA ... they cooperate a common standard for credit cards based on a chip)

But I don't think you will find to much details about it ... simply because one of the security levels in this market is ''what the crowd does not know'.

Take care

Re:If only the sales reps were as smart as the car

[198348726583297634]

While you may know about chip chemical composition, chances are good those "feeble-mindeds" know a bit more about having a life

EIU ``Panther'' Cards

[Mad+Marlin]

My college, Eastern Illinois University, uses ID cards that are also smart cards. You can put money on them, and then you get 10% off the purchase. The meal plan runs through the card, as well as ``dining dollars'', the stupid money that you can only spend on campus. You can set up a checking account, and it will act as the debit card. Supposedly they plan to set up the door locks to use the cards as the key in a few years.

I remember seeing in an old issue of Phrack the plans for a reader/writer for payphone cards used in Europe that looked identical. I have been meaning to try to find that article again, and see if I can't get me free candy for the rest of my days. Some girl's card broke last year, and the machines let her have everything for free! However, it has an ID on it too, so she eventually had to pay $400 to the university. I guess that means I would need to rewrite the magnetic strip too.

Just saw this commercial

[macdaddy]

I saw a commercial about a Visa card that's smart. It referenced a link to Visa's .

MS jumps ship on SmartCards

[mahimahi]

Was in a position where I was working with "Windows Powered" smart cards which interesting enough was recently dropped from development and existing technology sold off to other companies. Can read about the aftermath at: http://www.microsoft.com/smartcard/
One less security concern I guess :) less likely to get "Passport" on a SC now.

I worked on this for one of the issuing banks...

I did just a little programming for one of the issuing banks regarding their Visa smartcard. I don't know anything confidential, but here are the vague details:

The smart Visa is a java smartcard, and it has a fair amount of free memory on it. The card encrypts the transactions between itself and all involved parties, so the issuing company can feel safer about the transaction. This is part of why they feel comfortable about it.

The extra memory can be used for things like loyalty programs - for example, keeping track of how many cups of coffee you have purchased so you can get your 11th cup free, or whatever. This information can be stored directly on the card, so you don't have to carry the little cards around. Theoretically, this means it would be more convenient to be part of these things. However, in actuality there are relatively few of the required reader devices in stores, and who buys a cup of coffee with a credit card?

The company I worked with had a system where you could get a reader for your home computer, which would allow you to connect your card with their web site. This would let you manage the card's features. I don't know much about what it offered, but there didn't seem to be anything terribly compelling. Also, I seem to recall that the system required a plugin which was only for IE on Windows.

In general, the people at the bank who were running the smart card program wanted to target market the card at a young, tech-savvy crowd and advertise the technical features, but the upper-level suits at the bank insisted that the card be target-marketed at the middle-aged crowd and that the advertising consequently be dumbed-down. Also, they made the membership requirements fairly high. This resulted in a smaller-than-desired subscriber base.

There's nothing wrong with the card system. My coworkers who were more closely involved all said it was really cool tech (other than the Windoze IE plugin), and I trust them in that. The problem as I saw it was that it was being marketed badly. For Visa's and the banks' sakes, I hope they figure that out and start using better marketing that assumes a younger, hipper, more tech-savvy market base... and make the membership requirements match.

I got a bunch of expired smart cards

and I made a Beowulf cluster. It even runs Apache! Check it out here.

Cellphone/credit card convergence

[xixax]

Already we have ATMs and vending machines that talk to mobile phones. A large bank here in Australia just bought into a mobile phone company. Unlike a credit card, a phone will cease working if stolen or forged (since you know exacly how many instance of a phone should be on the network). The absense of a physical connection means you won't spend time buffing worn out magnetic strips against your shirt trying to get it to read. Eventually you won't need to buy a train ticket, the carriage will just bill your phone as you travel from station to station. And we'll know exactly where you are at any given time, people in public places without valid phones will be investigated by the police and everyone else's movments will belogged to prove their innocence.

Xix.

Re:Cellphone/credit card convergence

[Kutsal]

xixax says:
"And we'll know exactly where you are at any given time, people in public places without valid phones will be investigated by the police and everyone else's movments will belogged to prove their innocence."

That's fine and dandy, but, have you considered the fact that they can, in all actuality, track all your movement with that phone, and instead of proving your innocence, use that information for marketing purposes? :)

And then you'll start getting catalogs from Victoria's Secret, just because you stayed in front of the store to look at the bra ad more than 30 seconds...

Yes, it'll really be cool.

Smart Card Chip?

[mESSDan]

Hmm, I wonder if you overclock the chip in a smart card if you get more cash?

;)

All the smarts benefits the merchant

[Animats]

The way this ought to work is that when you buy something on-line, the transaction info (seller and amount) goes to the smart card, which, when you approve it, signs the transaction. The merchant then can't change the amount or bill you again later.

But it doesn't work that way because merchants don't want it to.

Smart Cards Thrived in Europe for a Reason

[asv108]

Smart card technology has thrived in Europe for over ten years and lagged in the US for a reason, infrastructure. The current model for credit cards in the US works fine because of our standardized telcom infrastructure. Europe has a variety of systems so the centralized server model for checking credit cards wasn't a viable option 10 years ago so that's where smart cards came in to play. The most visible US credit card with "smart card" technology is Amex's blue. An Amex blue card has been sitting in my wallet since their debut, but I have yet to use its "smart card" technology yet.

Re:If only the sales reps were as smart as the car

if you work for Evil; don't be suprised when people treat you as if you yourself were Evil

Both? Amex and Visa have them, discover does not

There are THREE major credit card companies.

Re:If only the sales reps were as smart as the car

[TheOnlyCoolTim]

Well, it's not really like hitmen have a choice. They need a way to get a living, even if it's by sitting all day long outside someone's house and shooting sniper bullets at their employer's enemies.

A big exagerration, telemarketing vs murder, but just because someone does something to make a living doesn't make it alright. There are plenty of other jobs they could get... maybe they would have to do some work or use their intelligence instead of sitting around on their ass annoying people...

Tim

What about disputes?

[Matt+Lee]

In the US, we're instructed not to pay for anything significant with a bank/ATM (check) card, since the money is immediately transferred from consumer to merchant. There's no chance to dispute charges (in the case of faulty merchandise, for example). Credit cards also give you the option of receiving special benefits on certain purchases, like automatic insurance on airline tickets, cash back bonuses, etc - these are all things that check cards normally don't do. Also, let's not forget that check cards don't allow people to get into heaps of debt, which the credit card companies profit off of.

Re:What about disputes?

[theancient1]

The issue is simply one of perception. The debit card, while card-like in appearance, is really the modern-day equivalent of cash, with all the same advantages and disadvantages. You don't have to worry about getting into debt trouble, but in return, you lose out on the extended warranties, air miles, and whatnot -- those bonuses, naturally, are paid for by the interest.

I believe that some banks are even starting to roll out incentive plans for debit cards. If I remember correctly, Bank of Montreal has a program where you collect Air Miles each time you use a debit card at certain retailers.

The banks make their money from the merchants in the form of transaction fees. With the volume of purchases that are made via Interac, the banks make a significant amount of profit (without driving their customers into debt.) Banks also typically charge the consumer a small transaction fee, or a flat monthly service charge for unlimited transactions. (I'm not sure if banks in the U.S. nickel and dime you to death like they do here in Canada, but here there's a service fee for absolutely everything.)

They're not really trying to replace credit cards, but they'd rather you use a debit card than cash. After all, banks can't charge a transaction fee when you pay by cash.

Re:What about disputes?

[kaisyain]

You only pay interest if you carry a balance. And if you were going to pay with an ATM card or cash, why would you carry a balance?

Good for ATMs

The reason VISA (and also Mastercard) will
replace magnetic band cards to smart Cards is
that it is very easy to copy the current
cards. Plans are both will issue only
smart cards in 2003 therafter.

Clerks would promply recognize a copied
card, but ATMs rely only on the information
on the mag band. It is not difficult at all
to get the mag info, and then all you need
is a PIN. (Seach for ATM and fraud and you
may be suprised how easy it is.)

smart cash

[athagon]

I know a guy who was one of the main designers of the "Smart Card" from visa (as recently advertised tirelessly on daytime TV). According to him, one of the primary audiences of the Smart Card would be college students. The use of the card, they hope, would be to "make deals" with vendors on or near the college campus, allowing the students to utilize the Smart Card like cash at the vendors stores even if the vendor didn't have credit card machines. Hence, easier buying for students, more money for Visa. Additionally, to the average user, the card could, or would, be used just like cash instead of a traditional credit card. Whether or not this information is completely true is up to your discretion, but I thought it might make a valuable speculation, at least, to the discussion.

techinical details of the card and privacy aspects

[tarun]

I work for a smart-card solutions company in India and was the technical lead for a team that wrote software for India's largest installation of smart-cards which in India is larger than most credit cards. I have also been asked to present my views in front of RBI (India's fedral bank) sponsered committee to create standards for smart-card use in the country. Coming to technical details, a smart card basically acts like a secure computer with a secure filesystem and operating system of its own. It exposes a limited set of "system calls" that you can call from inside your program which are supposed to be secure (at least in theory). For example, the system calls may allow you to "write" a private key to a "file" in smart card froma program but having once written the private key you are not allowed to modify or read it back. There will be a seprate set of "system calls" that will allow you to decrypt or sign messages using this key however (after giving one or more PIN(s)). As a card is small and can be easily hidden or transported under rugged enviroments this allows a very secure and convenient place to keep critical private keys. Such cards are commercially available and are programmable from Windows and Java (A free linux version in C is being done by MUSCLE guys). There is nothing more or nothing less to smartcard technology. As you can imagine one can leverage this simple use and storage of assymetric (and also symetric) keys to design wonderful credit-card (or other financial) solutions that can provide almost complete privacy and fraud-control. However,it is not technology but the corporates and government which are limiting the use of smart cards. For example, in India a large number of people (especially with money from dubious sources) used to spend by buying stored value smart cards which were available off the counter for cash. Till income-tax department decided to make it compulsory to record identification details for each such transaction. One can argue that it was a blow to privacy but does the govt has an option in front of brazen money laundry? This is not bound to change any time in near future. As soon as you make financial transactions anonymous, guys who got "bad money" get in and start using the system for their own laundry. However, fraud-control is on everybody's list and one should expect VISA and MasterCard to move in this direction. As somebody else pointed out, there is a lot of investment done by merchants and banks in current terminals and rest of the credit-card infrastructure so one should not expect new technology to come out overnight. however, over next 5-10 years I would expect a lot more credit cards to be chip-based with at least PIN protection on them

Smart ok, but also profitable

Here's what I know about smart cards .... I worked for a company called ECP, they are developing programs based on smart cards. The only ones that benefit from this cards are Visa and Amex. They are smarter because they keep track of everything on the micro processor that is on the card .... It holds upto 1K worth of information. The merchants will have to replace their current terminals if they want to accept this cards without having to pay for "manual processing fees" which could add upto $ 0.75 per transaction. This fees will apply once Visa, MC, & Amex decide to remove the magnetic strip on the back of the credit cards. Credit card companies are just reinventing the wheel, and making a bundle of money in the process. The information kept on the cards could be gathered and sold to the highest bidders. smart cards have in place in europe for a long time now ....... the possibilities are endless..... they claim to improve security, but there's nothing on this new technology that would stop a stolen credit card from being used the same way that today's stolen cards are used ..... Here's a website for a project using smart card technology in the US. http://www.smartcardproject.org/

In Europe

[Aceticon]

The smart-cards are used as a sort of electronic-wallet:

You load it with money from your account (usually at an automathic teller machine) and then you can go around buying things with that card until it's empty (and then you load it again).

• If you loose the card: It's the same as if you loose your cash - whoever finds it can use it.
  
• If you damage your card: For you it's the same as if you destroy some cash - for the bank is nicer 'cause they get to keep your money

Is it used?

The two situations i know best are Portugal and Holland.

Most banks introduced it in Portugal some years ago (a country wide standard) and went around offering cards, providing stores with card readers and advertising the cards. It was a total fiasco - they spent loads of money promoting it and in the end nobody uses it. Then again, the only advantage it had compared with hard cash was that it made it easier to pay for car-parking (instead of using coins).

In Holland they're doing the exact same thing as in Portugal except they are 1 or 2 years behind (they just recently stopped promoting it). Again a total fiasco.

So what's the problem with these cards?

For one they've been positioned as an electronic wallet. This means they have to compete with the ease of use of hard cash. (Accepted everywhere; physically more resistent; well known; widelly deployed).

Also the currently deployed solution doesn't offer many advantages over hard cash (you can used it in some (few) parking metters instead of coins - that's about it)

Finally, you can't use it to pay things in the Net (you need special equipment to use one of those cards) - this means they can't compete with the existing standard (credit cards).

Branch Providian!

[Nathdot]

I can't help but get this funny image:

A solitary CSR bunkered down in a fortress on the outskirts of Waco, TX, surrounded by a hoarde of auto-diallers/answering-machines and stolen guns, laughing maniacally. And not one of his customers aware that they are part of a cult

Okay so there's not that much free love, but there's definitely enough user-information power to feed his later-day-Jesus charisma.

:)

some smartcard info

[wfmcwalter]

Here's some technical background info on smartcards. I hope it's of value to y'all.

Protocols

Smartcards (and their predecessors, "chipcards") implement ISO standard 7816. As a previous writer noted, above, this largly defines the physical, mechanical, and electrical characteristics of the card. It also defines the communications protcol used by a terminal when communicating with a card.

There are two major catagories of card, each with its own characteristics and generally its own communications method. These are:

• chipcards

  These use ISO7814 part 4 S=0 ("synchronous") mode communications. They're essentially dumb memory devices, which are serially strobed synchronous data (a bit like an i2C chip in your PC) by the terminal. They don't rise to the level of "smart"cards - other than some very basic (password) authentication, they're just dumb memory devices. Most include a suicide mechanism, whereby they blow their own internal fuse (and thus become permanently dead) if you send them too many wrong passwords. Typically these are used for applications that store and manage a few values - e.g. phonecards, loyalty tokens and utility meter tokencards.

• smartcards

  These use ISO7416 part 4 T=0 (character asynchronous mode) and T=1 (block asynchronous mode) communications. They're real computer devices in their own right, typically with either an 8051 or Hitachi H8 8-bit microcontroller as a brain and a surprising amount of memory - several Kbytes of RAM and up to 64Kbytes of flash or EEPROM storage - pretty impressive for a chip that's 2x3mm, I think.

  T=0 is a simple, half-duplex, master-clocked serial protocol - you could _almost_ use a regular UART to talk to the card, except the card's initial message (its ATR - Answer To Reset) is sent synchronously, and the UARTS in regular PCs don't have a raw/USART mode that would allow them to receive this correctly. The actual communication speed varies between cards (the card tells the terminal how fast it can go in its ATR), but its generally very slow, around 300baud max. T=1 is just a simple packet format layed on T=0. Both T=0 and T=1 are, IMHO, rather crappy protocols.

  True smartcards aren't just dumb memory devices - they run actual programs, and often have built in special functions, generally cryptography stuff (GemPlus makes DES and RSA enabled cards).

Major players

• The leader in this space is undoubtedly GEMplus inc. of Lyon in France, a company founded by the inventors of the chipcard.
• I believe Hitachi itself also makes cards. When you get a card from an institution (from DeLaRue, Visa, AMEX etc.) it's probably come either from Hitachi or GEMplus.
• GSM cellphone manufacturers and wireless service-providers. The little ID chip in a GSM phone is just a regular smartcard chip, same contacts and everything. On better phones it's customer-swappable (so you could have a plan in the U.K., one in France and an Italian prepaid card - you'd just use the appropriate one depending on which country you're in - hence no roaming). The GSM folks are particulaly excited about the future of smartcards - they want to add new (non telephony apps) to the cards, so they can be used for stuff like purchases, gambling, etc.
• Somewhat surprisingly, Sun Microsystems is doing very well in getting its JavaCard technology adopted for most real smartcard deployments - most GEMplus cards, most recent GSM chips, and both AMEX(blue) and VISA cards feature this super-reduced java runtime environment. Application developers like this, mostly because coding for the individual chips themselves is as crufty as hell.
• The physical connector to the smartcard (in the terminal) is most often made by Amphenol. The little microcontroller that talks T=0/1 to the card is generally from GEMplus, Hitachi or Philips.

Security

As a replacement technology for regular magnetic swipe cards, smartcards are _much_ more secure, mostly because magnetic swipe cards are totally insecure - you can write one yourself with a reader you paid a few hundred dollars for - there's no magic and no cryptography at all.

As real security devices, smartcards aren't terribly secure. They're designed to be tamper-proof, but their form-factor ensures that this will never be very effective. Current implementations leak information from various sidechannels (EMF, heat-dissipation, elapsed-time to perform crypto operations), some of which are pretty easily fixed and some of which aren't. They're never going to be super secure (you're never going to put the launch codes for nuclear missiles on one), but they're probably fine for real-world use for their current and proposed applications.

Writing code yourself

GEMplus sells (for a pretty reasonable price) an evaluation kit with a few demo cards, some programming info and a card interface that plugs into your PC's serial port.

You can get limited JavaCard stuff from java.sun.com, but you typically need more stuff that pertains to the specific card - you get this from the card's manufacturer. The JDK's javac compiler is used to compile code for the javacard.

Sun also has (or at least used to) a pretty comprehensive software framework for the terminal (PC/server) end of the equation - it's called OpenCardFramework. It simplifies a lot of the pain-in-the-ass features terminal programmers have to put up with when talking to smartcards.

Privacy concerns

When used as a replacement for existing magnetic cards, there's no more privacy concern than with the magnetic cards - the credit card company knows all about all your transactions either way, and with the smartcard you're less likely to find out that some enterprising folks in the Far East have cloned your card and tried to buy an airplane with it.

There are privacy concens when you consider that the card can host multiple applications. In practice, you as a consumer (note: consumer is the new word for citizen, apparently) have little to no knowledge of what is being stored, run, or communicated to/from your card. The card's crypto means you can't just open the card up yourself and hunt around to see, so you'll have to trust the issuer of the card (and their agents, etc.).

Re:some smartcard info

[nobody/incognito]

your comments about t=0 are a little off the mark. linux and openbsd smartcard libraries don't do anything special, they just talk to the serial port. also, speeds up to 115.2 kbps are not uncommon; most cards can do > 50 kbps.

the big problem with smartcard comms is that is half-duplex -- only a single transmit/receive pad on the card. in practice, this forces a master/slave (or "simplex") protocol.

nobody

Re:some smartcard info

[wfmcwalter]

linux and openbsd smartcard libraries don't do anything special, they just talk to the serial port

Wow, cool. I'd love to see the code for that - do you know where I'd find it?

Re:some smartcard info

[nobody/incognito]

http://www.linuxnet.com/smartcard/software.html and http://www.citi.umich.edu/projects/smartcard/ have tons of free software.

nobody

Some proper information....

[noelmc]

Ok, as it seems that this thread has just turned into a big steaming pile of uninformed crud, I'm gonna post some sites that are a good place to start. www.oberthurcs.com and www.gemplus.com are two samrt card vendors. As for sun's JavaCard, its not the only type of smart card environment out there. Another good stopping off point to learn about one type of cards system is www.cepsworld.com. Thats VISA's Common Electronic Purse System and, unlike credit cards, does have money stored on the card. Its a pity some people on this site don't shut their mouths instead of just posting crap!

Re:NOT SECURE AT ALL

In France, we have smart cards for a while.
And they are not secure:
- 320 bits RSA encryption !!!!
- The secret key was discovered in 1998
- Easy to build at home a 'smart card' which
will draw money from non existing bank accounts !!!
And the 1st credit card hacker, Serge Humpich, is
now in jail !!!!

more info (in french) at:

http://www.parodie.com/monetique/

SMS spam

[xixax]

We have already had a telco using SMS to spam their customers (and billing them for the privilege). Imagine not being able to walk down the street without your phone being assailed with multimedia spam from each and every shop that you pass.

No! My shoe lace came undone and I happened to be out the front of Victoria's Secret. Honest honey...

Xix.

Yeah, smart cards....

[ishark]

..."no, Dave, you will not buy this."

Smart cards are based on public standards

[hodsonr]

If you want to know what is going on in these things, check out www.emvco.com for all of the relevant standards. Dull reading, but nothing is hidden or secret (just the next evolutionary step for credit cards).

As others have said no system is totally secure, but this ups the bar from needing a few household items to clone a mag stripe card to needing millions worth of electron microscopy to clone a smart card.

Re:They're all over Europe:

That's crap of course. All of the POS terminals have a magnetic stripe readers and it's the kind where you insert the card and not the cheap shit I've seen in the US where you have to swipe your card and say what kind of card you have. What's more, the majority of terminals we have out there all have an integrated smart card reader in addition to the stripe reader in order to process the Geldkarte (a national electronic purse) and it'll be a snap for us to do EMV purses (oh, btw that's what's on these credit card smartcards) as the software release on our hosts been able to handle that for a long time and all we need to do is enable that purchase options in the terminal by remote. Oh and one more thing: Over here you can use your ATM card, your Geldkarte and your Credit Card in a POS terminal...

Amazon Zero-Click Technology

[COAngler]

When you bring up amazon.com, the smart card looks though the inventory. It then selects the entire goddamn Oprah Winfrey Reading List, O'Reilly's "MSCE in a Nutshell," and about thirty-seven out-of-print Danielle Steele titles that have been sitting in the warehouse taking up valuable space for six years, and orders them for you but gives a delivery address of some guy in the Republic of Chad who's very literate but not in English. You then receive the festive non-denominational holiday giftwrap which should have been wrapped around the books that I sent to my sister last year, along with a second shipping charge.

Seriously, though, it's a way to store more information on the card and to make it more easily-accessable. There are readers on the market that will read the card from several inches away. The privacy implications should be obvious: How long until the card can be read WHILE IT'S STILL IN YOUR BILLFOLD? At any rate, the "smart card" chip does not necessarily need to actually be inserted into a card reader the way the magnetic stripes do.

There's talk of using them on driver's licenses to store fingerprints[1] and blood type and so forth. The purpose of this should be obvious, but unfortunately, it isn't. At least not to me.

Re:AmEx Blue Killed their Chip (meta)

Not bitching at you, but at the people who created the URL you pointed at.

Why would any company that's trying to look "net-savvy" use JavaScript redirects in their HTML for something like that? I load it up and get a nice blank screen. OK, I'm clueful enough to view the source and sort it out for myself, but that's the minority.

Lame.

Re:NOT SECURE AT ALL

The problem is the French system doesn't check back home like their swipe cousins, I hear the French network is being upgraded to the new SmartCard network like the rest of the countries. However France had the advantage of having experience with the old SmartCards... now you just need the new system and linked up PDQ's.

Re:If only the sales reps were as smart as the car

That's because VISA let alone any of its compliant card companies don't even make the cards, now if somebody from Gemplus phoned up trying to sell you SmardCards then I expect they would accommodate your pedantic questions. Otherwise you're just being an idiot, even though you obviously think you're a laugh a minute to yourself.

I hope VISA has marked your Credit record suitably as "pedantic, sarcastic techie guy, much like the fat (and lonely) comic collector in the Simpson's, this guy does not appear to have a life and therefore would not value a CC. Note: Also lacks any social skills when it comes to dealing with women"

French smart cards have already been cracked

[c_ollier]

Serge Humpich, a french engineer, broke into these cards last year. When he contacted "GIE Cartes Bancaires" (french banks association in charge of these cards) to inform them of the security breach, their only answer was a lawsuit... Doesn't this remind you of something ?
You can find more details here.

Not so smart?

[Sven+Tuerpe]

Quoting http://www.mastercard.com/education/shoppingtips/:

Pay the safest way

Credit cards are generally the best way to pay because you have legal rights to dispute the charges if the product or service is misrepresented or never delivered.

Will payment by credit card still be the safest way if there is a computer on the card? After all, computers don't err, and if the technology makes it harder to use the card unauthorized, it may also become harder to dispute transactions, just because the technology is believed to be secure.

Recommended reading:

• Liability and Computer Security - Nine Principles
• Why Cryptosystems Fail

both by Ross Anderson.

The traditional credit card system may be smarter than the smart card, because it accepts the possibility of failure and distributes the risk over all customers of the card issuer.

Re:Not so smart?

Somebody mod this up. The poster makes a good point.

I haven't seen anyone point out that these cards a re still reverse-compatible with regural credit card validation (for the time being). This means that they're still vulnerable to all the ld scams, and may be vulnerable to new scams (nothing is 100% unclonable, some things are just prohibitively expensive in time and money to do so.)

Re:In Europe - Yes, they've been cracked

[_Eric]

Yes, they were cracked. See: http://parodie.com/monetique/ (In French, but with the full explaination.) This site covers many possible VISA frauds.

I Know the Details

[radsoft]

Yes, I know the details. All the cc info everywhere will be collated by Bill Gates and Microsoft with their Passport authentication system. This choice was arrived at when an independent organ studying the various alternatives reached the unanimous conclusion that Microsoft technology is the most secure technology in the whole wide world. So there is absolutely no risk of leakage or other system compromise. Please remain calm.

Re:In Europe - Yes, they've been cracked

[Aceticon]

I actually didn't knew about the french cards.

From what i read in other articles they seem to be something different from the e-wallet cards deployed in Portugal and Holland.

Altough the Portuguese and Dutch e-wallet smartcard-chips come embebed in a normal ATM card, they are actually used independently - any ATM/Shop Payment transaction uses the information in the magnetic strip of the card (plus a PIN and an online checking mechanism) while using the e-wallet allows you to transfer "virtual money" from your card to the store/Parking Meter card (this will only use the "money" stored in your card and has nothing to do with your bank account or whatever).

Also these seem to be more recent than the French ones (they were introduced in Portugal about 7 years ago)

From the descriptions i read in this thread, the french cards seem to contain a smartcard-chip so that an ATM transaction can be authenticated offline. This is a totally different application.

From a hacking point of view, the main difference is that if you hack an e-wallet chip you can produce money out of thin air (that is, you can mislead the card into thinking you have loaded it with money), while in if you hack one of those french cards you can pass yourself as the owner of some bank account (or maybe use an unexisting bank account number)

Well we should encourage debt...

[jawtheshark]

Now I know this may sound as flamebait (it isn't, it is just stating the obvious) but actually we should be glad the average credit card debt is 40000$ per familiy. You know why? Because it is those people who keep the credit card companies profitable.
Yes, you read that right: I do have a credit card but I "play by the rules", this means I just never have to pay any interest until I breach the magical wall of 2500$ per month, which of course I never do (it covers food + fuel expenses each month easily). This means that the credit card company never ever earned any dime from me. (Except perhap on exchange rates when in a foreign country)
If everyone did this, no credit card company could stay in business for a long time. So let the "average familiy" be in debt: they pay for you and that is good.

Re:Well we should encourage debt...

[Prior+Restraint]

This means that the credit card company never ever earned any dime from me. ... If everyone did this, no credit card company could stay in business for a long time.

Not so. Credit card companies take a percentage of every transaction from the merchant. To be sure, their profits would be smaller, but there's no guarantee they couldn't stay afloat.

Re:Well we should encourage debt...

Credit card companies take a percentage of every transaction from the merchant.

Not only that, how do you think the merchant offsets the cost of the transactions?

Re:No cash? No Problem?

[Petrus]

Also, you won't be able to resist false accusations. You may not be imprisoned without just trial. But all your cards, linked via SSN or equivalent number may be anytime blocked, just like internet access because of suspect DMCA violation. That's just. The cards are not your property, but Bank's.

With all cards blocked and no cash in existence, you and your children are condemnded to loose home, stay hungry and eventual death.

And remember, cash is already no money. Read it: It is "legal tender" and each has a unique number to preven abuse and to make them traceable.

No big deal

[pkesel]

I interviewed for a contract with one of the big credit card companies for writing the specification for systems validating these smart cards. As they explained it, the smart cards offer nothing in the way of extra capability from their end. It's simply a new way of validating the card for the vendor who is accepting payment. The ID and validation token is stored in the chip. The vendor's hardware validates using that. Both ID and validation tokens are sent to the card company to approve payment. It's nothing more than a security blanket for those vendors who are accepting cards.

Re:NOT SECURE AT ALL

[olivieradam]

A card like the Visa "electron" checks back, to know if your bank account is feed, but perhaps it's a smart card anyway ? Is it ?

Re:If only the sales reps were as smart as the car

[plague3106]

Sales Rep = Someone earning $8.50 an hour, just trying to do his/her job.

Me = Someone just trying to enjoy dinner uninterrupted after working all day!

MasterCard smart card

[C_Evident]

Ok, I'm not sure if this is the one you talk about, but here in Sherbrooke, Quebec, Canada, we just finished a one year test-drive of a smart card mastercard call Mondex. In fact, Mondex is the name of the whole system, but the cards are said to have a "mondex chip". I dont consider this a credit card really, but more an electronic wallet. You can put no more than 500$ (that was in cdn dollars btw) on the card, for security reason, and then you can spend it just as with a credit card. It is better than interact (also called ATM cards) because the system doesn't need to call a central office by phone. everything is done local. And also, when you say they hope to put everything in one card, that's because since it is a chip, they put it on a regular ATM card so it can do both. You could also put it on a credit card.

you tell em

"DAMN KIDS!!! Quit joking and laughing like a bunch of dag-nabit hyenas, I'm trying to concentrate here and can't post serious links while ANYONE is being silly"

Smart cards, and Linux support

[plcurechax]

Smart cards are microprocessors embedded in a flexible plastic credit card sized card. (ISO 7816)

The capabilities range from simple memory storage cards (3KB to 16KB), which are a high tech equalivant of the magnetic stripe on "swipe cards" to high end crypto processors which are tamper resistant and/or tamper evident. These crypto cards can generate a private key that never leaves the card, and can securely performing digitial signind decryption using the private key. Such cards typically support DES, Triple DES, RSA 512-1024 bit and SHA-1. E.g. CryptoFlex from Schlumberger, Gemplus Public Key

Smart cards are already far more common in Europe, are used in satellite TV, Mondex (an electronic wallet scheme that never seems to get off the ground), and in a different form factor, the SIM cards of GSM mobile phones are smart cards. Because of Sat-TV, Pay-TV, and GSM phones there are hundreds of millions of smart cards in use today.

There is also Linux support via MUSCLE which supports the PC/SC API made popular under Windows, and most vendors support.

now I think it's good marketing

[twitter]

If Joe Sixpacks learns that he's going to have to remember another stupid four didgit number, he's never ever going to use it. If that's all there is to this, I don't want it either. Thank you for clearing the fog created by all those negative computer fraud comercials.

If the goofey thing would store an image of authorized users that the cashier would have to press to continue the transaction, it might be worth something. You could make the program fun by displaying several unauthorized users as well, say ten of them. Think a crook can remember your face that well?

Re:No cash? No Problem?

[Wyatt+Earp]

Actually -
"This note is legal tender for all debts, public and private"

Yes it does have a unique number, but it's not nearly as traceable as a credit card or smart card. If I use a dollar to buy beer, CD-Rs or cocaine, there's no record that John Doe used 100 dollar bill X12345678Z at 10:12:14 on Jan 1, 2002 at Bob's House of Crank, Beer and Blank CDs.

If I use a smart card or some other "cashless" solution...it's all tracked.

MUL-TI-PASS

Yes, she KNOWS its a multipass

Chick-un GOOD

don't believe the hype

[nobody/incognito]

as usual, any time smart cards are mentioned on /., a bunch of europeans jump in to praise the wonders of the electronic wallet, to announce that everyone uses and loves them over there, and to suggest that americans are stupid for not embracing them as well.

it's all bullshit. no one uses electronic wallets in europe.

this is from the economost, may 2001: "According to 1999 figures collected by the European Central Bank, for every 1,000 cardholders, only 20 made a virtual-cash transaction on any day in Belgium, two in Finland, and just one in Germany. "

note that belgium is regarded as the country with the most loyal e-purse customer base.

what europeans DON'T have is access to credit that americans take for granted. who wants a stored value card that gives all the float to the bank when you can have a credit card that gives the float to the consumer? we're not stupid, you know.

nobody

Re:don't believe the hype

[t_allardyce]

Too right, e-money (forgive me for using the e-word, only email should have an e on it, anything else is just wrong) is a pointless gimmick that only dumb marketing people and hyped-up press could be impressed by. It serves no real purpose (i don't see carrying some paper and metal coins around as a big problem). What it does do is put all your eggs into one basket, one very fragile basket. Probably allows people to track your purchases more easily and fake money. On behalf of the UK i would like to say that we are not part of Europe, either politically or geographically, and do not share their views on the euro or e-money. Theres a reason why we live on an island. :)

-tfga

Re:Social

[Wyatt+Earp]

Yes. I am overlooking the word "social".

It's a failing support system that at the current rate of funding and payouts...will never be seen by anyone under the age of 30.

I will never see a dime of it, nor will anyone born since the Vietnam War ended.

I don't buy the "it makes more jobs open so the young can have work", because 16 million new jobs have been created in the US since 1991, and the majority of positions vacated by a retiring person isn't filled by a young high school or college graduate.

And...at the time of creation in the US, the median life expectancy was 65.5...and the Social Security age was set at 65, it was not and retirement or poverty assistance tool.

To sum up so I sort of kinda stay on topic.

Smart Card that track spending and income - Bad.
Social Security - Worthless for Me

smart cards

[CoreyG]

They remind me of my college id. Use it to get snacks from the vending machines, swipe it for the laundry machines, go to restaurants and pay with it, buy books with it, buy alcohol at the grocery store. Use it to get into electronically-locked rooms. Make long distance phone calls with it. I just wish I was back in college.

the chip breaks

[sklib]

I go to umich and our student ID cards have a so-called "cash chip" which on the surface looks a whole lot like those things on the smart cards. The chip on my ID card can hold up to $20, redeemable at soda machines and the like. Anyway, the problem with them is that after a year of lugging the card around in my pocket, I tried to use the chip and it failed to function. I later got a new ID card, and again the chip failed after a few months. I would be reluctant to trust anything important to a technology that ceases to funciton after a few months of sitting in my pocket, so this smart-card thing sounds like a terrible idea to me.

Re:the chip breaks

[C_Evident]

My college here in Canada had also a smart card system, in fact it was the Mondex thing. Same thing as you probably. It was particularly useful for vending machines, coffee or a hot chocolate(my favorite). The targeted use is indeed small-amount payments. The long-term goal was to replace all coins-related transactions.

The chip on my ID card could hold up to 500$ CDN, so it was a lot more than your 20$, although I dont know anybody who would put more than 100$ or so. It is a fact that these little chip are too fragile. Mine never broke, but after a few months the machines have problems reading it.

Re:the chip breaks

[SuiteSisterMary]

Georgian?

Re:the chip breaks

[nobody/incognito]

sometime this summer, umich abandoned the schlumberger payflex card and now issues old fashioned id cards (i.e., sans chip).

nobody

Re:the chip breaks

[nobody/incognito]

the umich card was good up to $50, not $20.

as if that makes a difference ...

nobody

Re:the chip breaks

I always have problems with the mag stripes on regular cards so this problem with having to replace cards is nothing new.

I Got Mine

[waldoj]

I got a $500 credit limit. I'm so excited.

-Waldo

Mac/Linux support?? HAHAHA...

[Teko]

I had Blue for awhile, dumped it...worthless...and looked into the new Visa Smart Cards...also worthless. None of them have any support for non-Windows systems, so their cardreaders are useless to me. Standards in the USA? Bah. I want European standards NOW.

phone calls

I had a really fun conversation with a telemarketer offering me a card with a smart chip. I said I just had surgery on my ankle, and they went ahead and put a smart chip in then, so I don't need one, unless yours is fancier. What all does it do again? This went on for a full five minutes. Quite fun.

Re:If only the sales reps were as smart as the car

Me = Someone just trying to enjoy dinner uninterrupted after working all day!

You = Shouldn't have answered the phone then!

Merchant fees

[jawtheshark]

Of course I am very well aware of that fact. That is the reason why some merchants do not support credit cards.
The AC replying to you states that those costs are -of course- billed over to me. That last is not true: I never got a price cut because I paid cash. Perhaps I'm just not lucky ;-) This could have two causes: the merchant increases his prices seen globally to count credit card transactions in, which screws the cash-paying client, or those fees are minimal and can be declared as business expenses (taxes off etc...every merchant loves that)...either way: I don't feel as if I personally paid anything for the service. I know it is kind of pychological thing but I didn't get billed. Get the point?

Re:Merchant fees

[Prior+Restraint]

Get the point?

Sure. I was just pointing out that interest isn't the only source of income for a credit card company (just the largest). A lot of people probably don't know about the merchant fees (though this audience isn't typical).

[Merchant fees] is the reason why some merchants do not support credit cards.

It's also partly why Discover is less-widely accepted than its competitors (they make up the cost of Cash Back Bonuses [TM] by gouging merchants).

I never got a price cut because I paid cash.

I always got the impression that merchants were contractually obligated to charge the same amount regardless of whether the customer chose paper or plastic. ;-) As you said, either the cash-payers pay more, or the merchant swallows the cost.

[perhaps] those fees are minimal and can be declared as business expenses...

I read once (too young to remember, sorry) that credit card interest was originally tax-deductable, to encourage people to use plastic. Just a little trivia I picked up.

Re:Merchant fees

[skullY]

That last is not true: I never got a price cut because I paid cash.

That's because the merchant is contractually prohibited from charging extra for credit sales. Some try to get away with it, but will usually back down if you threaten to report them to visa. (One merchant locally now tells me the visa machine is broken on a regular basis. The 3rd time this happened to me in as many weeks, I walked out of his store with my $20 of merchandise still sitting on his counter)

Cluster

[Rebar]

Since the card readers are so cheap, and the cards themselves actually have CPUs, can you imagine a Beowulf clust... Aw, nevermind.

It's not another 4 digit code

[^BR]

In Europe at least you use the same PIN in shops
that you use in ATMs. So Joe Sixpack can rest in
his drunken stupor, no need to learn another
thing.

Choose one...

Simple / Secure / Private

Choose one... :-)

I didn't realize this was unique in Canada

[aoeuid]

Are you saying that they don't have a similar network in the United States?

Judging from all the posts saying America needs to abolish cash payments asap, I'm inclined to think its true. There's no doubt, Interac is what I would conisder ubiquitus. Plus, if you use a financial instution like PC Finacial, there is no service fee at all. Though my question is, what are the Plus & Cirrus networks that our bank cards say they are compatible with? I thought they were US Interac equivalents...

In response to the comment about Americans being instructed not to use debit cards for significant purchases, I must say, I have never ever heard of that being a concern here in Ontario.

Re:I didn't realize this was unique in Canada

I thought chargebacks were frowned upon severely by banks and retailers alike. The encouraged dispute resolution method in my country is to talk to the retailer themselves, not get the bank to forcibly yank the moeny back.

"Smart" (Dumb) cards

[sulli]

Talk about a technology looking for a solution. My favorite anecdote is about American Express Blue - a recent article in the NY Times (I think) said that at one point they asked their vendor if they could make the card with a picture of the chip on it, instead of an actual chip. Why? Because it would have the same functionality at a significant cost savings!

article about smart cards

[koollegged]

there was an article about the uselessness of smart cards in the nytimes (unfortunately, it appeared on august 12, so now it is premium - read pay - content). visa and american express rushed to issue cards with smart chips, but have not found a use for them. the result - it cost a lot more to manufacture with no added benefit.

Re:NOT SECURE AT ALL

The whole purpose of the magnetic stripe was so the PDQ could phone home, the system has done it for years.

E Purse and E Wallets

[Macfox]

What VISA and Mastercard hope to offer is really of of little use to the average Joe. Specially in the US where fraud is covered by the bank.

Sure there is more security but what does that translate into? Certainly not cheaper transaction costs.

Potentially the next biggest market for smart card is the the area of E-Purse/E-Wallet systems. Operators of these systems hold the float, earning interest to maintain the POS terminals and related systems.

In simple terms the value is store on the card securely (PIN) and in some implementations allow a nominal amount to be deducted without a pin for fast transactions. (Toll boths/vending machines etc)

Unfortunately this model has been around for a number of years and many have attempted to enter the market. In 99% of the cases the scheme doesn't have enough market(store) penetration and flops.

The most successful scheme yet is the multos based system which I beleive is making a number of in roads in europe. Another is in Mayalsia, where the goverment is sponsoring the deployment of a National ID card which doubles as a E-Purse.

It's only a matter of time when VISA or Mastercard make leverage there market share and make the transition from credit to E-Purse.

Rob.

Re:If only the sales reps were as smart as the car

[plague3106]

You = Shouldn't have answered the phone then!

I see. So its my fault someone is calling me. I guess i should ignore friends and family calling me too. There are some interrupts to my dinner i don't mind; calls from friends and family are one. But someone using my phone to try and sell me something is one i mind greatly.

Re:AmEx Blue Killed their Chip (meta)

[skullY]

Why would any company that's trying to look "net-savvy" use JavaScript redirects in their HTML for something like that?

Not only that, but they resized my browser to 1280x1168. Yuck! I can't stand a brower wider than 800 pixels. (My eyes get strained otherwise, and I lose my place)

Ot rant: What the fuck is with people who insist on making their page 1000+ pixels wide? It's been proven that narrower text columns are better on your eyes, easier to read, and allow you to read quicker. A brower doesn't have to be as big as your screen.

number of society

You're only talking about creditcard type of things... but in the NEAR future we will have only one card for everything: even yer identity card/medical-stuff card will get a chip... or/and it will be combined with yer bankcards.

And this will be safe!!

Why?

You've probably heard about PGP(pretty good privacy) and what the basics are: public and private key system....

so everyone will get one pair of those...

This will make it easier to pay on the internet and to make sure you are who who you tell you are ("everyone will get/be a personal number")..

And a multi-to-one card...: why should it be difficult to make that...??? Proton chips can store a lot.... and like we have frequency bands, we can have datasections for every bank/institution....

**fatnotic**

Were?

[digitalunity]

Ahem, where have you been? Germanium devices have gained popularity in the last few years because of their favorable operating chracteristics. New processes have given us g transistors and diodes with higher heat dissipation abilities, as well as higher frequency operation.

Germanium is popular again. Take a look through an electronics catalog or something.

The Only Smart Credit Card...

[jdevons]

The only smart credit card is one that says "Noooo!" when you try to buy something.... ;-)