What About "Smart" Credit Cards?
Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"
gemplus.com, a leading smartcard manufacturer, has some good info on smartcard technology.
From what I remember, reading about the chips a while ago (no idea what website), the danger doesn't really seem any more than that of the magnetic stripe as far as privacy goes. The chip pretty much behaves the same as the magnetic stripe, but with a greater capacity. One thing the chip can do which the magnetic stripe cannot, however, is store algorithms for something along the lines of encryption, which would seem to only make the card more secure. The actual functionality of the chips varies though; most of the major chip manufacturers make them with different specs. The beefiest I remember seeing was a Mitsubishi chip which pretty much had the same capabilities as a microcontroller when inserted into the correct reader.
Yes the attractive transparent card with the smart chip on it http://www.providian.com/mysmartservices/index.htm
looked like it would be a wonderful addition to the small collection of cards I rotate through my wallet over the months to build up an extensive credit history.
The problem with this card is it seems the entire company and everything about it is entirely automated.
I first received a call from them to activate the card from a very rude operator who demanded all this information about me which was entirely unnecessary and completely unrelated to the card. They also gave me a pathetic $1,000 limit making it the most useless card in my collection and I had cancelled a platinum discover card with an $8,000 limit for this stupid pretty-looking card.
Over the following two months I was still on the mailing list and received three more notices to sign up for the card. I tried to then use the card by charging a charitable donation and it appeared to go through at first until I went to some stores, tried to buy an item and it didn't go through. So I called to have the card activated again and after the process was complete it STILL wasn't activated, making a total of 2 times.
At this point I was very frustrated so I tried to cancel it only to find absolutely every phone number was automated voicemail with no access to a human being and no option to cancel the card. There are multiple phone numbers which loop between each other so you can call one number and wind up selecting an option that will transfer you to one of the other numbers. I was just about to call the Better Business Bureau when I FINALLY found an obscure number listed in a dark corner of their website and immediately cancelled it. Until Providian gets their act together AVOID THIS CARD. Besides, Providian is already so nosy about all your personal details just to activate the card; just think of how nosy they'll be when they finally activate the smart chip once enough get into circulation.
http://www.livejournal.com/users/cixel
ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication. Litronic has some useful information on their site about Smart Cards and smart card readers.
I worked for SCM Microsystems in France, a company that made smart card hardware for set-top boxes and PCs. I worked on firmware for a CANAL+ (pay-per-view) decoder box that used a smart card for authentication.
What the credit card companies want is what they have in France (the rest of Europe? I don't know): when you use a credit card at a restaurant or store, you have to enter a PIN. All the credit cards in France are smart cards, and they store your PIN (encrypted IIRC). This saves them lots of money in fraud charges.
However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).
So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? Well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.
So how are they selling it to consumers? Badly. They're promising stuff that nobody really cares about... marginally easier admin of freq flyer miles, intangible future bonuses in "integrated" consumer information. Bleah.
Why don't they just frigging lower the interest rates on PIN protected cards? That would sell like hotcakes, and reducing fraud lossage is the card companies ONLY real concern. Because they are greedy fucks, that's why. They want to decrease their fraud lossage and keep the diff.
France was only able to railroad this through by subsidizing smart card development. Schlumberger et al got some big bank by developing the smart card system for the pay phones, which only happened due to some big time pork barrel action.
The US smart card folks just don't have their act together ATM. Too bad... I think the cards are cute. Don't really care as long as my liability on a credit card is just $50, though.
Bill Gribble -- grib@linuxdevel.com
Linux Developers Group
As far as I can tell, these "smart cards" do nothing at all.
Sure they do, they make a bunch of unwashed Windows users think they're 31337 because they have a credit card with a computer chip in it.
That's right, just Windows users. Oh you thought Macs and Linux might be supported? Fat chance! AmEx Blue has been promising Mac support Real Soon Now since their card debuted two years ago, but now they don't even mention it on their system requirements page anymore. The promised Mac support was one of the reasons I got the Blue card, along with the 'added security'-- but their security is a joke in general. There was significant fraud perpetrated with my account number before I even got the card, and it did not involve identity fraud or interception of my postal mail.
VISA's smart cards also offer bupkis in the way of non-Windows support.
~Philly
"(by the way, does anyone know how much data a standard-sized stripe can hold?).."
About 140 bytes. "Smart cards" typically have anywhere from 1KB to 32KB. Not counting those newer optical ones which hold about 5MB.
I worked for a company that specialized in smart card devices and was present while some of the technical and political discussions took place. The implementation, at that time at least, was up to the credit card company but the potential is this (read potential means this may or may not be the route your CC company chose):
A smartcard could secure your credit card number so that only the banks ever see it plaintext. That means you never see it, the merchant and his punk waiter never see it. If they get clever and intercept the transmission, they'll see encrypted traffic - it behaves very similarly to SSL. The PIN is an authorization to allow the transaction to occur, and interestingly the entering of the PIN# becomes one of the hardest security parts to lock down. I even saw prototype smartcards with little keypads right on them!
Having worked with the technology, I have FAR more faith in a (proper) smartcard-secured credit card transaction than a normal one. Imagine being able to go to po-dunk computer supplier.com and not have to give him your CC # to make a purchase? It's a good thing.
Smart cards come in a number of flavors, with a variety of capabilities and price tags. The simplest are memory cards (just store values, useful as "wallets"), the fanciest are (currently) JavaCards. Amex Blue is in fact a (Gemplus) JavaCard, running (default) a single applet (I believe the smart Visa cards are similar). This applet has an RSA keypair, and an X.509 digital certificate. Making a transaction with the card requires the card to generate a digital signature on the transaction info (in contrast with standard magstripe cards that just add those magic 16 digits to the data sent to the issuer).
Why is this better: it's very easy to clone a magstripe card. Get any piece of paper with the card number on it, it's very simple to manufacture a card. Or for card-not-present (e.g. internet) transactions, the number itself is all you need. Steal it out of some online merchant's database, and you're good to go. With smartcard-based transactions, you have to actually have access to the private key on the card to generate a bogus transaction. Now you can rip the keys out of these cards, but it requires some time alone with the card itself -- just downloading some merchant's badly protected database is no longer sufficient. You get a poor man's version of this kind of protection with those one-off credit card numbers, but that requires the user to actually get and use those numbers. With smartcard based transactions, this all happens transparently.
The really interesting thing is that the card issuers have been avoiding smartcards in the US for years because of the cost. But now that they've bitten the bullet, they've gone in all the way -- instead of a $5 smartcard capable of signing transactions and storing certificates, they've gone for the $20 32-bit JavaCards (and $15 adds up fast over all Visa subscribers in the US). Presumably the initial decision to switch to smartcards was simply based on how much they're losing to fraud.
The decision to go with the JavaCard may be in the hopes of offsetting the cost by having other players pay them to add further applets to the card (e.g. loyalty programs, where you get the 10th coffee free, etc, or additional security features for environments where you can't use the chip -- e.g. applications that will generate and store one-time 16-digit credit card numbers).
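Added example (not part of the comment above, and not any card scheme's real code): a minimal sketch of why a per-transaction signature changes what a leaked card number is worth. The class names, message layout, transaction counter and card number are assumptions, and the textbook RSA key built from two small Mersenne primes is a stand-in for the card's real keypair and certificate.

```python
import hashlib

# Toy RSA key standing in for the keypair held by the card applet.
# Constructed from two Mersenne primes; far too small and unpadded for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays inside the card


def digest(message: bytes) -> int:
    """Hash the transaction record and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


class ChipCard:
    """Hypothetical card: signs each transaction instead of revealing a secret."""

    def __init__(self, pan: str):
        self.pan = pan
        self._counter = 0  # assumed per-card transaction counter

    def sign_transaction(self, merchant: str, amount_cents: int):
        self._counter += 1
        msg = f"{self.pan}|{merchant}|{amount_cents}|{self._counter}".encode()
        return msg, pow(digest(msg), D, N)


class Issuer:
    """Hypothetical issuer back end with both approval paths."""

    def __init__(self, known_pans):
        self.known_pans = set(known_pans)
        self._seen = set()

    def approve_magstripe(self, pan: str) -> bool:
        # Magstripe / card-not-present: the static number is the only credential,
        # so anyone holding a copy of it passes this check.
        return pan in self.known_pans

    def approve_chip(self, msg: bytes, signature: int) -> bool:
        pan = msg.split(b"|", 1)[0].decode()
        if pan not in self.known_pans:
            return False
        if pow(signature, E, N) != digest(msg):
            return False  # record altered, or signed without the card's key
        if msg in self._seen:
            return False  # a captured record cannot be submitted twice
        self._seen.add(msg)
        return True


if __name__ == "__main__":
    card = ChipCard("9999000000000000")  # constructed number, not a real account
    issuer = Issuer({card.pan})
    msg, sig = card.sign_transaction("coffee-shop", 450)
    print("static number alone accepted:", issuer.approve_magstripe(card.pan))
    print("signed transaction accepted: ", issuer.approve_chip(msg, sig))
    print("same record replayed:        ", issuer.approve_chip(msg, sig))
    altered = msg.replace(b"|450|", b"|45000|")
    print("amount altered after signing:", issuer.approve_chip(altered, sig))
```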
The use of chip cards has tremendous potential in both the face-to-face (traditional, i.e. at the grocery store) and card-not-present (CNP, i.e. Internet) purchase mediums. For example, one day there may be a client-side and server-side standard that enables card authentication over the Internet, giving e-commerce retailers greater confidence that the person on the other end is the legitimate cardholder and not someone typing in stolen cardholder information. There are also a number of other proposals to use the chip for CRM purposes, such as electronic couponing and loyalty schemes. The potential is certainly there to greatly improve the way credit cards are used for payments today.
Despite this potential, even the card companies don't know what to do with the chips on these cards. There is a total lack of standards among the card associations (Visa, MC, Amex, Discover and other foreign schemes). To date, none of them have proposed any type of beneficial use for these embedded chips. The card associations love to use catch slogans like "The card with a brain", but mysteriously offer no explanation as to how this brain can help you.
The use of embedded-chip payment cards is not new to the world. Several card markets have experimented with chip cards in the past. Perhaps the most notable market is France, who has employed chip card technology for the last several years. If you've ever been to France, you may have noticed that there is a PIN input pad at every point-of-sale terminal. If you are at a restaurant, the waiter will bring a handheld card reader to your table. Each card issued by a French bank contains a chip, which enables this reader unit to verify if a correct secret PIN has been entered by the cardholder - without contacting a bank or any other banking network. These units also contain a traditional magnetic stripe reader used to authorize non-French issued cards.
This chip-based system was implemented in France for two reasons: offline cardholder verification and enhanced security. Since the units are able to independently verify correct cardholder PINs, this allows merchants to authorize credit card transactions offline, without requiring a dedicated phone line. This is a nice feature for countries with telcos that take 12 months to install a phone line, which often have overly expensive telecom costs. One important thing to note: Offline PIN-based validations do not have the ability to check for basic validations like checking to see if there is open credit on the account or checking to see if the account is even valid. The offline validation also does not work on non-French issued cards. Subsequently, most retailers authorize transactions using a traditional online method, even if the card has a chip.
Despite the widespread use in France, chip-based authorization is still years away here in the US. France is a very small card market with only a handful of banks issuing credit cards. Various reports have estimated a cost between $10 and $20 billion dollars to convert the current US card authorization systems to include chip-based authentication/authorization - a cost that card issuers, acquirers (the banks that merchants interface with) and merchants are not ready to eat. In addition, extending chip card authorization to the online world will require client-side hardware (i.e. card readers) and server-side software... more hassle than the card issuers are ready to deal with right now. AMEX tried it and failed miserably (did you actually know anyone that used the AMEX Blue smart card reader? Do you know any online merchants that support it?)
In a nutshell, your credit card may have a brain, but it is yet to have a place to use all that intelligence.
American-style credit cards did not take off in Europe so well because it was (and may be) so stinkin' difficult to get a phone line. He says Italy could throw enough red tape on the ordeal to delay install for a year. This was no way for merchants to jump on the credit bandwagon so they started using smart cards for wallet-based credit. Smart cards SOLVED A PROBLEM. That problem doesn't exist in America as phone lines are easy to come by.
The other reason, as mentioned in a different thread, is that there was/is little legal-based credit-fraud protection in Europe [generally], but such legislation has existed for a long time in the US. The point of Bruce's book applies here: different technology for credit cards won't happen until either the system gets some unexpected, significant risk of fraud, or another system comes out which substantially reduces fraud risk below its current level and doesn't offend everyone for things like privacy. Repeat. The risk of credit card fraud is currently manageable. The security of the system has some, if few, countermeasures to keep the average Joe honest. It has a detection mechanism which identifies fraud. It has a response mechanism that allows them to go after all but the most sophisticated attackers. Changing technologies for credit cards must present a MAJOR improvement in: countermeasures, detection, and response. Smart cards don't provide a major step up in security nor do they simplify the speed at which I will spend money. If you don't agree, read the book first. Heck, borrow it from the library and support freedom the Stallman way.
The VISA and Amex Blue are great ideas, but building the infrastructure to use them is going to be the big problem. Any Merchant who accepts credit cards already has a mag stripe reader of some sort. It can be a self contained unit or built into the cash register. For smart card transactions to become popular, chip card readers will have to be placed at retailers. Internet purchasing is another good use for chip card technology, the promise is there, but the implementation is not. Chip card technology is popular in Europe, so the market is there if the applications are forthcoming.
I work for a company that deals with chip cards (although not in the credit card arena) -- the cards themselves are highly secure when compared to a mag stripe card. The fraud we have seen has not been hacks to the card itself, but fraud at either the Point-of-sale or when the card is applied for. I'm sure the card could be hacked, given enough time and money, but barring an inside job, the cost of defeating the security is higher than the benefit that would be gained. Of course, in the credit card market the benefit goes up, so there will be more attempts to crack the chip. I'm not going to reveal the exact market that we are in, but remember, google is your friend :)
One of the big advantages of the chip card (beyond fraud control) is that value can be stored on the card. For example, I put $50 dollars on my card. I can then go to locations that accept chip card purchases and I can make a purchase without the Merchant being on line. The merchant settles at the end of the day by dial up modem, and their money can be transferred to the Merchant's bank account the next day. This kind of use is great for merchants that are at Flea Markets, Hamfests, or other locations where online terminals are not practical. The credit card vendor provides all of the infrastructure to make this happen. There is a lot of potential here for this market, the cards are getting out there, but neither VISA nor Amex has put the infrastructure together yet to actually make it happen.
Beware of Sleestak
Protocols
Smartcards (and their predecessors, "chipcards") implement ISO standard 7816. As a previous writer noted, above, this largely defines the physical, mechanical, and electrical characteristics of the card. It also defines the communications protocol used by a terminal when communicating with a card.
There are two major categories of card, each with its own characteristics and generally its own communications method. These are:
These use ISO7814 part 4 S=0 ("synchronous") mode communications. They're essentially dumb memory devices, which are serially strobed synchronous data (a bit like an i2C chip in your PC) by the terminal. They don't rise to the level of "smart"cards - other than some very basic (password) authentication, they're just dumb memory devices. Most include a suicide mechanism, whereby they blow their own internal fuse (and thus become permanently dead) if you send them too many wrong passwords. Typically these are used for applications that store and manage a few values - e.g. phonecards, loyalty tokens and utility meter tokencards.
These use ISO7416 part 4 T=0 (character asynchronous mode) and T=1 (block asynchronous mode) communications. They're real computer devices in their own right, typically with either an 8051 or Hitachi H8 8-bit microcontroller as a brain and a surprising amount of memory - several Kbytes of RAM and up to 64Kbytes of flash or EEPROM storage - pretty impressive for a chip that's 2x3mm, I think.
T=0 is a simple, half-duplex, master-clocked serial protocol - you could _almost_ use a regular UART to talk to the card, except the card's initial message (its ATR - Answer To Reset) is sent synchronously, and the UARTs in regular PCs don't have a raw/USART mode that would allow them to receive this correctly. The actual communication speed varies between cards (the card tells the terminal how fast it can go in its ATR), but it's generally very slow, around 300 baud max. T=1 is just a simple packet format layered on T=0. Both T=0 and T=1 are, IMHO, rather crappy protocols.
True smartcards aren't just dumb memory devices - they run actual programs, and often have built in special functions, generally cryptography stuff (GemPlus makes DES and RSA enabled cards).
Major players
Security
As a replacement technology for regular magnetic swipe cards, smartcards are _much_ more secure, mostly because magnetic swipe cards are totally insecure - you can write one yourself with a reader you paid a few hundred dollars for - there's no magic and no cryptography at all.
As real security devices, smartcards aren't terribly secure. They're designed to be tamper-proof, but their form-factor ensures that this will never be very effective. Current implementations leak information from various sidechannels (EMF, heat-dissipation, elapsed-time to perform crypto operations), some of which are pretty easily fixed and some of which aren't. They're never going to be super secure (you're never going to put the launch codes for nuclear missiles on one), but they're probably fine for real-world use for their current and proposed applications.
Writing code yourself
GEMplus sells (for a pretty reasonable price) an evaluation kit with a few demo cards, some programming info and a card interface that plugs into your PC's serial port.
You can get limited JavaCard stuff from java.sun.com, but you typically need more stuff that pertains to the specific card - you get this from the card's manufacturer. The JDK's javac compiler is used to compile code for the javacard.
Sun also has (or at least used to) a pretty comprehensive software framework for the terminal (PC/server) end of the equation - it's called OpenCardFramework. It simplifies a lot of the pain-in-the-ass features terminal programmers have to put up with when talking to smartcards.
Privacy concerns
When used as a replacement for existing magnetic cards, there's no more privacy concern than with the magnetic cards - the credit card company knows all about all your transactions either way, and with the smartcard you're less likely to find out that some enterprising folks in the Far East have cloned your card and tried to buy an airplane with it.
There are privacy concerns when you consider that the card can host multiple applications. In practice, you as a consumer (note: consumer is the new word for citizen, apparently) have little to no knowledge of what is being stored, run, or communicated to/from your card. The card's crypto means you can't just open the card up yourself and hunt around to see, so you'll have to trust the issuer of the card (and their agents, etc.).
## W.Finlay McWalter ## http://www.mcwalter.org ##
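Added example (not part of the post above): a parser for the Answer To Reset that the post mentions, following the ISO 7816-3 layout, showing where a card advertises T=0 or T=1 and the speed parameters it supports. The sample ATR is constructed for illustration and does not come from a real card.

```python
# ISO 7816-3 tables: TA1 high nibble selects F (clock rate conversion),
# low nibble selects D (baud rate adjustment). Missing keys are reserved values.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# Constructed sample: TS, T0, TA1, TD1, TD2, historical bytes "CARD1", TCK.
SAMPLE_ATR = bytes.fromhex("3B95138001434152443122")


def parse_atr(atr: bytes) -> dict:
    """Decode TS, T0, interface bytes, historical bytes and TCK of an ATR."""
    if not 2 <= len(atr) <= 33:
        raise ValueError("ATR must be 2..33 bytes")
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("unknown TS byte")
    pos = 1

    def take() -> int:
        nonlocal pos
        if pos >= len(atr):
            raise ValueError("truncated ATR")
        pos += 1
        return atr[pos - 1]

    t0 = take()
    y, k = t0 >> 4, t0 & 0x0F      # Y1 = which of TA1..TD1 follow, K = historical count
    interface, offered, i = {}, [], 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                interface[f"{name}{i}"] = take()
        if not y & 8:              # no TDi, so the chain of interface bytes ends
            break
        td = take()
        interface[f"TD{i}"] = td
        y = td >> 4                # presence bits for the next group
        if td & 0x0F not in offered:
            offered.append(td & 0x0F)
        i += 1
    historical = bytes([take() for _ in range(k)])
    # TCK is present unless T=0 is the only protocol indicated.
    if any(t != 0 for t in offered):
        take()
        check = 0
        for b in atr[1:pos]:       # XOR of T0..TCK must be zero
            check ^= b
        if check:
            raise ValueError("TCK checksum mismatch")
    if pos != len(atr):
        raise ValueError("unexpected bytes after ATR")
    ta1 = interface.get("TA1", 0x11)   # default when absent: F=372, D=1
    f, d = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        # T=15 qualifies global interface bytes; it is not a transport protocol.
        "protocols": [t for t in offered if t != 15] or [0],
        "interface": interface,
        "historical": historical,
        "clocks_per_etu": f / d if f and d else None,  # card clock cycles per bit
    }


if __name__ == "__main__":
    for key, value in parse_atr(SAMPLE_ATR).items():
        print(f"{key:15} {value}")
```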
Ok, as it seems that this thread has just turned into a big steaming pile of uninformed crud, I'm gonna post some sites that are a good place to start. www.oberthurcs.com and www.gemplus.com are two smart card vendors. As for Sun's JavaCard, it's not the only type of smart card environment out there. Another good stopping off point to learn about one type of cards system is www.cepsworld.com. That's VISA's Common Electronic Purse System and, unlike credit cards, does have money stored on the card. It's a pity some people on this site don't shut their mouths instead of just posting crap!
Serge Humpich, a French engineer, broke into these cards last year. When he contacted "GIE Cartes Bancaires" (French banks association in charge of these cards) to inform them of the security breach, their only answer was a lawsuit... Doesn't this remind you of something?
You can find more details here.
I interviewed for a contract with one of the big credit card companies for writing the specification for systems validating these smart cards. As they explained it, the smart cards offer nothing in the way of extra capability from their end. It's simply a new way of validating the card for the vendor who is accepting payment. The ID and validation token is stored in the chip. The vendor's hardware validates using that. Both ID and validation tokens are sent to the card company to approve payment. It's nothing more than a security blanket for those vendors who are accepting cards.
- Sig this!