What About "Smart" Credit Cards?
Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"
Actually, I make money off of my credit cards. I have one that gives me 1% back for a $10/year fee. I pay for everything I can on that card and pay it off every month. Amount of fees I pay: $10/year. Amount of 1% kickback I get: about $100/year. Plus, I get to use their money for a month or so until the payment is due.
Then there's the 0% interest card I was offered. I put some of my other loans onto that card. When it comes due, I'll just pay it off. In the meantime, I get to use their money for free.
Credit cards are not evil. Using them unwisely is what is evil.
The current generation of SmartCards is Java-based. The idea is that they provide more than memory, but a full Java Runtime Environment, and a set of base applications, under the theory that processing transactions in a known (secure) environment is preferable to simply swiping the card through a reader/writer which might otherwise simply increment or decrement a number (of dollars or whatever) stored on the card. These cards have a great deal of potential that remains largely untapped. I have yet to see a smartcard transaction processor which takes any real advantage of these capabilities.
--CTH
--Got Lists? | Top 95 Star Wars Line
I don't want to sound mean or anything, but we've had "smart cards" for ages over here...
In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.
Here, in Switzerland, my bank card is combined with Visa, and I can set limits for withdrawals and purchases done with the (post)bank part of the card (with a chip), or use the Visa function with equal flexibility.
I suppose it just results from a different banking system between the USA and Europe. In Europe, banks contract the credit card provider (Visa, MasterCard, etc.) and merge their cards. Plus, in most countries, banks have merged their ATM services so you can use any card to pump money from any "hole in the wall".
What strikes me is that Americans see smart cards as a really new thing, whereas here we use them for absolutely everything, from e-wallets to bus passes or phone cards. Smart-card readers are available and cost something around $20...
Bah, real standards have always had hard times getting to the USA, and that's no news!
/max
-- It's always darker before it goes pitch black.
Newer Smart Cards are capable of public key cryptography. They are not just an information store, like a magnetic stripe, but actually perform public key crypto on an embedded processor on the card which is powered by the reader. This way your public key never leaves the card.
Some of the better manufacturers of Smart Cards add all sorts of physical security to the chips as well... to the point where you can't even take the chip apart and scan the die with an electron microscope or special probes to try to read or trick the bits out of memory.
My guess is that the current Visa cards do NOT use onboard cryptography yet...that these are general purpose cards which for now store your credit card number and address for convenience because the infrastructure is not yet in place AFAIK to support public key credit card transactions. They may or may not already have crypto software onboard that could be used with a PKCS#11 driver, but the credit card companies just want to get them and the readers deployed, and then will provide a software update or something to actually add crypto features in your transaction in the next couple years. See the PKCS#11 standard written by RSA (on their web site) for the standard crypto API which has been adopted for smartcards.
Note that smart cards have been around for a while in Europe, although they were typically not used in a cryptographically sophisticated way.
See www.pki-page.org and http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/
Braddock Gaskill
Security Consultant
braddock@braddock.com
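
As an added illustration of the on-card signing discussed in the comment above (not code from the thread or from any card vendor): a stripe hands its whole record to the reader, while a chip keeps its signing key inside and answers a fresh challenge, so a captured response is useless for the next transaction. The class and function names, the card number and the toy RSA key are all assumptions made for the sketch.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, textbook RSA with no padding.
# Illustration only; real cards use hardware-generated keys and padded signatures.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class StripeCard:
    """Magnetic stripe: a static record that any reader can copy in full."""
    def __init__(self, pan):
        self.track = pan
    def read(self):
        return self.track

class ChipCard:
    """Chip: the signing exponent is created inside and is never returned."""
    def __init__(self, pan):
        self.pan = pan
        self.public = (P * Q, E)                      # safe to hand to readers
        self.__d = pow(E, -1, (P - 1) * (Q - 1))      # stays on the card
    def sign(self, challenge: bytes) -> int:
        return pow(digest(self.pan.encode() + challenge), self.__d, self.public[0])

def reader_verify(pan, public, challenge, sig):
    n, e = public
    return pow(sig, e, n) == digest(pan.encode() + challenge)

def demo():
    pan = "0000-0000-0000-0000"  # constructed card number
    # Stripe: a skimmed copy is indistinguishable from the original.
    genuine = StripeCard(pan)
    clone = StripeCard(genuine.read())
    stripe_clone_accepted = clone.read() == genuine.read()
    # Chip: the reader picks a fresh random challenge for each transaction.
    card = ChipCard(pan)
    c1 = secrets.token_bytes(16)
    sig1 = card.sign(c1)
    genuine_ok = reader_verify(pan, card.public, c1, sig1)
    # Replaying the recorded signature against a new challenge is rejected.
    c2 = secrets.token_bytes(16)
    replay_ok = reader_verify(pan, card.public, c2, sig1)
    return stripe_clone_accepted, genuine_ok, replay_ok
```

`demo()` returns the three outcomes in order: stripe clone accepted, genuine chip response accepted, replayed chip response accepted.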