Slashdot Mirror
What About "Smart" Credit Cards?
Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"
What, me worry?
As long as these cards are useable in a store of today it wont create any extra security. This will only create more to expolit all at one time.
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
Just last week I recieved a phone call from a young lady quite eager to sign me up for a new Vis a card with a built in smart chip. But first, I had a question:
Me: "Yes, well, before I sign up, I'd like to know; is that smart chip silicon based or germanium based?"
Her: "...uhm... excuse me?"
Me: "Well, if a company doesn't know this kind of basic information about the products they are selling, that's not a company I would do buisness with. Good day."
Needless to say, they have yet to call back.
--
#nohup cat
gemplus.com, a leading smartcard manufacturer, has some good info on smartcard technology.
As a long-time idler on irc.2600.net, believe you me: you shouldn't trust anything you read in that rag >:)
--
#nohup cat
As far as I can tell, these "smart cards" do nothing at all. Keep in mind that reader hardware is needed for the little embedded chips, and until such hardware becomes ubiquitous no one can do anything with any data that someone bothered to put on there. My university actually tried doing this exact thing with its student ID cards for a couple years, and the only use it could find for it was as a rechargeable stored value system. They dropped it because it wasn't all that useful and it raised the cost of the cards from like $7 to $20 to replace. I guess that these cards might be a good way to use small amounts of electronic money, but considering one is already doing just that -- it's a credit card, remember? -- I don't see the point. I guess people could store basic commonly-needed information like a health insurance policy number on them, but again, unless access technology is widely available this is just a gimmick.
Anyone know the technical details of these cards? The privacy aspects?
Simple answer: More convience = less privacy = less security (for most cases)
What I find really interesting is the credit card one-time deals (don't know a link to information, if anybody does, please help out) but the gist of it was that: you'd sign up with a credit card with, say, Visa. Then when you're about to buy something on the internet you get a temporary credit card number from Visa that only has a certain amount available on its balance.
Security-wise it's great, since if anybody gets that number, no big deal, since they can't use it. Privacy-wise it wouldn't be hard to make it not require any personal details. (Since it's a temporary number issued on deman, it's almost safe to assume it's not stolen (possibly ask for a name or something like that))
Sales Rep = Someone earning $8.50 an hour, just trying to do his/her job.
You = A genuine rapier-witted genius who must feel really good about himself for demeaning the sales-rep.
Well-Done!
If you sign up for a "smart card" you are supposed to be able obtain a desktop reader from your issueing bank (looks similar to the desktop compact flash readers) that plugs into the back of your PC. When you're making an online purchase you slide your card into the reader which authenticates you as the card holder.
I'm in a hurry or I'd throw up links. I just noticed this hadn't been explained yet. Ta Ta!
I'm against picketing, but I don't know how to show it.
Actually, I make money off of my credit cards. I have one that give me 1% back for a $10/year fee. I pay for everything I can on that card and pay it off every month. Amount of fees I pay: $10/year. Amount of 1% kickback I get: about $100/year. Plus, I get to use their money for a month or so until the payment is due.
Then there's the 0% interest card I was offered. I put some of my other loans onto that card. When it comes due, I'll just pay it off. In the meantime, I get to use their money for free.
Credit cards are not evil. Using them unwisely is what is evil.
Yes the attractive transparent card with the smart chip on it http://www.providian.com/mysmartservices/index.htm
looked like it would be a wonderful edition to the small collection of cards i rotate through my wallet over the months to build up an extensive credit history.
The problem with this card is it seems the entire company and everything about it is entirely automated.
I first received a call from them to activate the card from a very rude operator who demanded all this information about me which was entirely unnecessary and completely unrelated to the card. They also gave me a pathetic $1,000 limit making it the most useless card in my collection and I had cancelled a platinum discover card with an $8,000 limit for this stupid pretty-looking card.
Over the following two months I was still on the mailinglist and received three more notices to signup for the card.I tried to then use the card by charging a chartitable donation and it appeared to go through at first until I went to some stores tried to buy an item and it didnt go through. So I called to have the card activated again and after the process was complete it STILL wasnt activated making a total of 2 times.
At this point I was very frustrated so I tried to cancel it only to find absolutely every phone number was automated voicemail with no access to a human being and no option to cancel the card. There are multiple phone numbers which loop between each other so you can call one number and wind up selecting an option that will transfer you to one of the other numbers. I was just about to call the better business bureau when I FINALLY found an obscure number listed in a dark corner of their website and immediately cancelled it. Until Providian gets their act together AVOID THIS CARD. Besides Providian is already so nosy about all your personal details just to activate the card just think of how nosey they'll be when they finally activate the smart chip once enough get into circulation.
http://www.livejournal.com/users/cixel
ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication. Litronic has some useful information on their site about Smart Cards and smart card readers.
A friend of mine told me a story about going to Europe and having to explain to a clerk that his credit card didn't have a smart chip in it, she would have to slide it in the other thingie. He ended up having to slide the card for her.
For some things, the US is way behind.
I worked for a major valley computer company in 2000, and we had evaluated American Express's Blue as a possible companion to some of the ecommerce solutions we had wanted to develop.
Blue, and everything else I've seen since then aren't real solutions, they're just gimmicks. They need to support real SmartCards which offer strong encryption onboard and payment approval. The half-assed crap that they're pushing now is next to useless. The only benefit that I can see of Blue and its ilk is that they might have the opportunity to make SmartCard readers ubiquitous. From there, they could maybe begin to support SmartCards with the features that I mentioned above.
Why are you letting these clowns ruin our country?
I worked for SCM Microsystems in France, a company that made smart card hardware for set-top boxes and PCs. I worked on firmware for a CANAL+ (pay-per-view) decoder box that used a smart card for authentication.
What the credit card companies want is what they have in France (the rest of Europe? I don't know): when you use a credit card at a restaurant or store, you have to enter a PIN. All the credit cards in France are smart cards, and they store your pin (encrypted IIRC). This saves them lots of money in fraud charges.
However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).
So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.
So how are they selling it to consumers? Badly. They're promising stuff that nobody really cares about... marginally easier admin of freq flyer miles, intangible future bonuses in "integrated" consumer information. Bleah.
Why don't they just frigging lower the interest rates on PIN protected cards? That would sell like hotcakes, and reducing fraud lossage is the card companies ONLY real concern. Because they are greedy fucks, that's why. They want to decrease their fraud lossage and keep the diff.
France was only able to railroad this through by subsidizing smart card development. Schlumberger et al got some big bank by developing the smart card system for the pay phones, which only happened due to some big time pork barrel action.
The US smart card folks just don't have their act together ATM. Too bad... I think the cards are cute. Don't really care as long as my liability on a credit card is just $50, though.
Bill Gribble -- grib@linuxdevel.com
Linux Developers Group
I have 2 smartcards in my wallet right now; an American Express Blue, and a Fusion. When I first hooked up the reader, I dreamed of being able to go to thinkgeek.com, hit checkout, put my card in, type my pin, and then having my goodies a few days later. Unfortunately, the support is just not there. With American Express, you use their software and it gives you a list of supported online stores, none of which interest me. The fusion is the same exact way. Both use VERY similar software that runs in the system tray of a Windows computer and launches your little magic cart when it detects a card. Bah...who cares?
Also, one of the main reasons I got them was that both where giving away free card readers which look pretty cool. They're gemstar (I think) and are the same ones that are supported by Win2k for authentication. Not a bad deal, I bet they retail for about $30 a peice. The card reader was also able to tell me a bit of info about the smart card used in my Dish Network reciever. Cool geek toy...nothing more. Next Cue Cat perhaps?
I did see some cool uses such as an electronic card punch that would stay on the card, i.e., you by 9 cups of coffee, you get the 10th free, the card keeps track instead of using a paper punch or other similar device. Alas, this was only a flash demo of what it could do, but I have yet to see any real world examples.
The current generation of SmartCards are java based. The idea is that they provide more than memory, but a full Java Runtime Enviroment, and a set of base applications, under the theory that processing transactions in a known (secure) enviroment is preferable to simply swiping the card through a reader/writer which might otherwise simply increment or decrement a number (of dollars or whatever) stored on the card. These cards have a great deal of potential that remains largely untapped. I have yet to see a smartcard transaction processor which takes any real advantage to these capabilities.
--CTH
--Got Lists? | Top 95 Star Wars Line
I don't want to sound mean or anything, but we've had "smart cards" for ages over here...
In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.
Here, in Switzerland, my bank card is combined with Visa, and I can set limits for withdrawals and purchases done with the (post)bank part of the card (with a chip), or use the Visa function with equal flexibility.
I suppose it just results from a different banking system between the USA and Europe. In Europe, banks contract the credit card provider (visa, mastercard, etc) and merge their cards. Plus, in most countries, banks have merged their ATM services so you can use any card to pump money from any "hole in the wall".
What strikes me is that Americans see smart cards as a really new things, whereas here we use them for absolutely everything, from e-wallets to bus-pass or phone cards. Smart-card readers are available and cost something around $20...
Bah, real standards have always had hard times getting to the USA, and that's no news!
/max
-- It's always darker before it goes pitch black.
If the circuit on the smart card can be used as a public-key crypto engine, then you could use it to secure any interaction with the card issuer's database.
Nobody could get your private key unless they stole your physical card, since there's no need to have the key printed anywhere except in the card's circuit.
Here's the loop: Client (cardholder) sends server (issuer) a cookie encoded with Server's public key. Server decrypts it with its private key and sends it back along with its own cookie, encrypted with Client's public key. Client decrypts, compares the Client cookie it sent with its copy of it, thus validating Server's authority. Client then encrypts Server's cookie and sends it back. Server decrypts, compares with its copy, thus validating the client's authority. This is basic RSA/PGP stuff.
One simple handshake--it's about as complicated as the TCP/IP connection that was made to transport it--and your SmartCard is money.
This gets rid of the current problem of credit-card numbers being stolen ex proprio that arises because you have to copy the number itself off the card in order to use it.
--Blair
"I was speculating about the meaning of ex proprio, too. So sue me."
They are going to replace the mag stripe with a chip. This adds security how? As far as I can tell, only about 1 in 1000 techies have a mag card writer. About 1 in 1 pc users can have a chip card writer with a few clip leads from radio shack. Once this takes off, the small time fraud level will go through the roof once someone makes a nice script kiddie tool kit. The smart cards used by the sat tv are quite complex compared to the credit cards and at one time, direct Tv was guessing that only 10% of their customer base was using craced cards.
As a merchant, I would not take ones of these new cards with out making sure I'm not taking any of the risk.
There is also the static issue. I know a few women that can not deal with electronics without some heave duty static protection. One of them has a complete surface mount static protection workstation that she uses as her desk and so far it has keep her pc working. Before that she would blow motherboards, keyboards and mice week. Since she kills digital watches, I would expect one of these cards to have a life time of less than a week with her.
I noticed the widespread use of these cards last time I was in France. I guess the reason they caught on so well over there was that the way the cards are set up, they are somehow self-authenticating, that is there is no need to call a central database, at least not at the time of purchase. This was an important feature in Europe where super-expensive telephone hookups made it prohibitively expensive for the average business to authorise credit cards over the phone every time one was used.
We use them at my university for stored value as well. They were going to drop them from our IDs a few years ago, but the introduction of SunRay network appliances all over here and the hot-desking that goes with them guaranteed they'll stick around a while longer.
Although I think the coolest application I've seen is the card I can store all of my PCR programs on for our Thermal Cycler in the lab. Tres convenient!
--J
I worked for a company that specialized in smart card devices and was present while some of the technical and political discussions took place. The implementation, at that time at least, was up to the credit card company but the potential is this (read potential means this may or may not be the route your CC company chose):
A smartcard could secure your credit card number so that only the banks ever see it plaintext. That means you never see it, the merchant and his punk waiter never see it. If they get clever and intercept the transmission, they'll see encrypted traffic - it behaves very similarly to SSL. The PIN is an authorization to allow the transaction to occurr, and interestingly the entering of the PIN# becomes one of the hardest security parts to lock down. I even saw prototype smartcards with little keypads right on them!
Having worked with the technology, I have FAR more faith in a (proper) smartcard-secured credit card transaction than a normal one. Imagine being able to go to po-dunk computer supplier.com and not have to give him your CC # to make a purchase? It's a good thing.
Newer Smart Cards are capable of public key cryptography. They are not just an information store, like a magnetic stripe, but actually perform public key crypto on an embedded processor on the card which is powered by the reader. This way your public key never leaves the card.
Some of the better manufacturers of Smart Cards add all sorts of physical security to the chips as well...to the point where you can't even take the chip apart and scan the die with a electron microsope or special probes to try to read or trick the bits out of memory.
My guess is that the current Visa cards do NOT use onboard cryptography yet...that these are general purpose cards which for now store your credit card number and address for convenience because the infrastructure is not yet in place AFAIK to support public key credit card transactions. They may or may not already have crypto software onboard that could be used with a PKCS#11 driver, but the credit card companies just want to get them and the readers deployed, and then will provide a software update or something to actually add crypto features in your transaction in the next couple years. See the PKCS#11 standard written by RSA (on their web site) for the standard crypto API which has been adopted for smartcards.
Note that smart cards have been around for a while in europe, although they were typically not used in a cryptographically sophistically way.
See www.pki-page.org and http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/
Braddock Gaskill
Security Consultant
braddock@braddock.com
Smart cards come in a number of flavors, with a variety of capabilities and price tags. The simplest are memory cards (just store values, useful as "wallets"), the fanciest are (currently) JavaCards. Amex Blue is in fact a (Gemplus) JavaCard, running (default) a single applet (I believe the smart Visa cards are similar). This applet has an RSA keypair, and an X.509 digital certificate. Making a transaction with the card requires the card to generate a digital signature on the transaction info (in contrast with standard magstripe cards that just add those magic 16 digits to the data sent to the issuer). Why is this better: it's very easy to clone a magstripe card. Get any piece of paper with the card number on it, it's very simple to manufacture a card. Or for card-not-present (e.g. internet) transactions, the number itself is all you need. Steal it out of some online merchant's database, and you're good to go. With smartcard-based transactions, you have to actually have access to the private key on the card to generate a bogus transaction. Now you can rip the keys out of these cards, but it requires some time alone with the card itself -- just downloading some merchant's badly protected database is no longer sufficient. You get a poor man's version of this kind of protection with those one-off credit card numbers, but that requires the user to actually get and use those numbers. With smartcard based transactions, this all happens transparently. The really interesting thing is that the card issuers have been avoiding smartcards in the US for years because of the cost. But now that they've bitten the bullet, they've gone in all the way -- instead of a $5 smartcard capable of signing transactions and storing certificates, they've gone for the $20 32-bit JavaCards (and $15 adds up fast over all Visa subscribers in the US). Presumably the initial decision to switch to smartcards was simply based on how much they're losing to fraud. The decision to go with the JavaCard may be in the hopes of offsetting the cost by having other players pay them to add further applets to the card (e.g. loyalty programs, where you get the 10th coffee free, etc, or additional security features for environments where you can't use the chip -- e.g. applications that will generate and store one-time 16-digit credit card numbers).
that movie was just misunderstood... You should watch more of the Sopranos ;-)
Smart cards are pretty cool. They have great security, are standards-based, and are quite cheap when you think about all they do.
Most smart cards (JavaCards or OpenCards) support encryption, wired or wireless interfaces, and a bit of space on the card itself for a program of your own. www.basiccard.com offers a neat little set of cards you can program in basic, if you're just getting started. (the program on the computer can be written in any language). www.gemplus.com has cards you can program in Java, but these are much more expensive.
Each card has an onboard computer which you can program to do your bidding, from anything to securely storing cash (that only the correct program, or card reader can adjust, if you like), identity checking (imagine an ID card with your picture, signature, left thumbprint on the surface of the card, and stored securely inside the card - now there's an ID), and tons of other things that haven't been thought of yet.
You can use them as phone cards, tiny cash cards (swipe your card in front of a soda machine, push Pepsi, drink, repeat)
There are tons of cool things you can do with a tiny computer embedded in a card. Its more than just memory storage, its an entire cpu that you could use for a new TIS authentication scheme, or a new payphone card, or a key for your encrypted files. You could walk by a local ESPN store, swipe your card, then on your Palm later check out all the scores and player stats for the last week. Look, smartcards are great or evil, depending on how creative you are, but the potential for some very cool things is definately there.
Why would we not want cash?
I like cash and I dislike cards.
I dislike having my shopping habits tracked, and when it comes time to do work on the side, it's nice to be paid in cash and not have to worry about Federal or State Income Tax on said wages.
In a cashless society, everything is going to be tracked, and I do not like that.
The use of chip cards has tremendous potential in both the face-to-face (traditional, i.e. at the grocery store) and card-not-present (CNP, i.e. Internet) purchase mediums. For example, one day there may be a client-side and server-side standard that enables card authentication over the Internet, giving e-commerce retailers greater confidence that the person on the other end is the legitimate cardholder and not someone typing in stolen cardholder information. There are also a number of other proposals to use the chip for CRM purposes, such as electronic couponing and loyalty schemes. The potential is certainly there to greatly improve the way credit cards are used for payments today.
Despite this potential, even the card companies don't know what to do with the chips on these cards. There is a total lack of standards among the card associations (Visa, MC, Amex, Discover and other foreign schemes). To date, none of them have proposed any type of beneficial use for these embedded chips. The card associations love to use catch slogans like "The card with a brain", but mysteriously offer no explanation as to how this brain can help you.
The use of embedded-chip payment cards is not new to the world. Several card markets have experimented with chip cards in the past. Perhaps the most notable market is France, who has employed chip card technology for the last several years. If you've ever been to France, you may have noticed that there is a PIN input pad at every point-of-sale terminal. If you are at a restaurant, the waiter will bring a handheld card reader to your table. Each card issued by a French bank contains a chip, which enables this reader unit to verify if a correct secret PIN has been entered by the cardholder - without contacting a bank or any other banking network. These units also contain a traditional magnetic stripe reader used to authorize non-French issued cards.
This chip-bases system was implemented in France for two reasons: offline cardholder verification and enhanced security. Since the units are able to independently verify correct cardholder PINs, this allows merchants to authorize credit card transactions offline, without requiring a dedicted phone line. This is a nice feature for countries with telcos that take 12 months to install a phone line, which often have overly expensive telecom costs. One important thing to note: Offline PIN-based validations do not have the ability to check for basic validations like checking to see if there is open credit on the account or checking to see if the account is even valid. The offline validation also does not work on non-French issued cards. Subsequently, most retailers authorize transactions using a traditional online method, even if the card has a chip.
Despite the widespread use in France, chip-based authorization is still years away here in the US. France is a very small card market with only a handful of banks issuing credit cards. Various reports have estimated a cost between $10 and $20 billion dollars to convert the current US card authorizations systems to include chip-based authentication/authorization - a cost that card issuers, acquirers (the banks that merchants interface with) and merchants are not ready to eat. In addition, extending chip card authorization to the online world will require client-side hardware (i.e. card readers) and server-side software....more hassle than the card issuers are ready to deal with right now. AMEX tried it and failed miserably (did you actually know anyone that used the AMEX Blue smart card reader? Do you know any online merchants that support it?)
In a nutshell, your credit card may have a brain, but it is yet to have a place to use all that intelligence.
While there may be security risks and complaints about these smart cards, they sure do look interesting. Once they are used more widely and have some better uses, then they will probably catch on.
:)
I had a customer tonight at work who had one and he didn't seem to even know what it did when I talked to him about it. He just figured it was an "upgraded credit card".
I'll look into these cards once the uses become more mainstream. I would love to be able to go to a site, click buy and plug in my card and have everything be taken care of. Thats why I'll use one.
Here in New Zealand we have Electronic Fund Transfer at Point Of Sale. It looks like a credit card, but it carries out transactions on your bank account in real time. Just about everyone uses them for anything from a car to a bottle of milk at the dairy. No chip, just a PIN and mag stripe.
:v)
Simple, effective, had it for years and it works. No need for silicon smart/dumb cards. And yes I can transfer money from my account to someone else's over the phone.
Vik
Hey, I work with that industry =)
Basically all it is is a smart card on your credit card, that contains all of the info that is on the mag stripe of the card. The only difference is that you can insert the card into a reader (end first, and only about 2" to get the chip in), it will prompt you for a pin code, and you can enter it, then the terminal has the info to make the purchase. It's not much different than normal magstripe readers, except that it has the potential in the future to be a lot neater (like replace cash entirely). It can also be used for loyalty programs (stores points on the card, for example). As for the "much more secure", that's bullshit. The information that is on the card is kept hidden and unaccessable, that's correct. It cannot be modified, that's correct. You cannot copy the card, that's correct. But on your PC any information must be passed into the browser, and over the internet, and thus it's just as vulnerable as typing it in yourself.
In the future, you will be able to do things like have a remote site talk directly to the chip on the card, using built in encryption that will be entirely secure, as well as do neat things like authorize payments from your bank, cash transfers, withdrawing money from your bank over the internet onto your card (don't need to go to an ABM anymore!) Unfortunately people aren't yet comfortable with this technology as a whole, and thus the technology trials proved that although the technology works and is available, nobody wanted to use them. Perhaps in another 3 or 4 years.
OTOH, Europe has had smart chips in their credit cards for years now, to the point at which vendors get confused when you pass them a normal mag-stripe-only credit card (I'm not joking, I've had my card refused several times because they couldn't figure out how to use it). Similarly all bank cards here have a smart card in them. It's a lot more secure for banking because you can't copy the card just by knowing the number on the card and the pin number. In North America it has happened several times where people can capture the pin code and card number, make a new card, go up to some banking machine and withdrawl money, and guess what, the legitimate card owner gets fsck'ed over because there's no protection against that. Common to happen is a video camera placed above the keypad somewhere (For example, there was a case in a supermarket where some guy placed a camera with a zoom lens in the rafters of the roof just above a checkout, had it focused on the pinpad, the camera captured the card number visually, and watched you punch in the number. He got away with it for a few months until they traced down where this was happening and finally caught him. Popular also is to put a fake ABM in a parking lot somewhere, and have it prompt you for your card and pin number, then just print out "Sorry, network failure" message, at which point you go away grumbling but they now have your card/pin... I don't use interact anymore because it is HORRIBLY insecure. Credit cards however still are insecure, but the credit card company takes the loss instead of you =)...
If God gave us curiosity
OK, first of all, this thing was built by Securify, by a now defunct group which was based in Boston. They are the same guys who, btw, built American Express Blue. The program includes a full fledged PKI solution, with your credentials stored on the chip. You can use it for signing in for special services, use it to purchase online. You just have to remember a PIN. The funny thing is that Providian, the first Issuer to give out the cards, SELLS the necessary Smartcardreader for 19.95. Speaking of consumer adoption ...
What I forgot, rumours have it that the old Consulting/PKI group got all back into Charlie Waltons old/new company Caradas.
Some of you may not have been around long enough to know that the first solid-state devices *were* germanium based, unless you count selenium diodes.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
The VISA and Amex Blue are great ideas, but building the infrastructure to use them is going to be the big problem. Any Merchant who accepts credit cards already has a mag stripe reader of some sort. It can be a self contained unit or built into the cash register. For smart card transactions to become popular, chip card readers will have to be placed at retailers. Internet purchasing is another good use for chip card technology, the promise is there, but the implementation is not. Chip card technology is popular in Europe, so the market is there if the applications are forthcoming.
I work for a company that deals with chip cards (although not in the credit card arena) -- the cards themself are highly secure when compared to a mag stripe card. The fraud we have seen has not been hacks to the card itself, but fraud at either the Point-of-sale or when the card is applied for. I'm sure the card could be hacked, given enough time and money, but barring an inside job, the cost of defeating the security is higher than the benefit that would be gained. Of course, in the credit card market the benefit goes up, so there will be more attempts to crack the chip. I'm not going to reveal the exact market that we are in, but remember, google is your friend :)
One of the big advantages of the chip card (beyond fraud control) is that value can be stored on the card. For example, I put $50 dollars on my card. I can then go to locations that accept chip card purchases and I can make a purchase without the Merchant being on line. The merchant settles at the end of the day by dial up modem, and their money can be transferred to the Merchant's bank account the next day. This kind of use is great for merchants that are at Flea Markets, Hamfests, or other locations were online terminals are not practical. The credit card vendor provides all of the infrastructure to make this happen. There is a lot of potential here for this market, the cards are getting out there, but neither VISA or Amex has put the infrastructure together yet to actually make it happen.
Beware of Sleestak
I saw a commercial about a Visa card that's smart. It referenced a link to Visa's .
It's a good deal as long as you get more than $75 worth of value from the benefits provided by carrying the card. The Amex Gold and Amex Platinum (which runs $300/year in annual fee) can return tenfold this amount in value to some people.
From what I've seen, the majority of perks and benefits associated with the premium American Express cards seem targeted at consumers who travel frequently. If you travel for work, these cards can be a great deal.
Already we have ATMs and vending machines that talk to mobile phones. A large bank here in Australia just bought into a mobile phone company. Unlike a credit card, a phone will cease working if stolen or forged (since you know exacly how many instance of a phone should be on the network). The absense of a physical connection means you won't spend time buffing worn out magnetic strips against your shirt trying to get it to read. Eventually you won't need to buy a train ticket, the carriage will just bill your phone as you travel from station to station. And we'll know exactly where you are at any given time, people in public places without valid phones will be investigated by the police and everyone else's movments will belogged to prove their innocence.
Xix.
"Everything is adjustable, provided you have the right tools"
Hmm, I wonder if you overclock the chip in a smart card if you get more cash?
;)
-- Dan
But it doesn't work that way because merchants don't want it to.
I work for a smart-card solutions company in India and was the technical lead for a team that wrote software for India's largest installation of smart-cards which in India is larger than most credit cards. I have also been asked to present my views in front of RBI (India's fedral bank) sponsered committee to create standards for smart-card use in the country. Coming to technical details, a smart card basically acts like a secure computer with a secure filesystem and operating system of its own. It exposes a limited set of "system calls" that you can call from inside your program which are supposed to be secure (at least in theory). For example, the system calls may allow you to "write" a private key to a "file" in smart card froma program but having once written the private key you are not allowed to modify or read it back. There will be a seprate set of "system calls" that will allow you to decrypt or sign messages using this key however (after giving one or more PIN(s)). As a card is small and can be easily hidden or transported under rugged enviroments this allows a very secure and convenient place to keep critical private keys. Such cards are commercially available and are programmable from Windows and Java (A free linux version in C is being done by MUSCLE guys). There is nothing more or nothing less to smartcard technology. As you can imagine one can leverage this simple use and storage of assymetric (and also symetric) keys to design wonderful credit-card (or other financial) solutions that can provide almost complete privacy and fraud-control. However,it is not technology but the corporates and government which are limiting the use of smart cards. For example, in India a large number of people (especially with money from dubious sources) used to spend by buying stored value smart cards which were available off the counter for cash. Till income-tax department decided to make it compulsory to record identification details for each such transaction. One can argue that it was a blow to privacy but does the govt has an option in front of brazen money laundry? This is not bound to change any time in near future. As soon as you make financial transactions anonymous, guys who got "bad money" get in and start using the system for their own laundry. However, fraud-control is on everybody's list and one should expect VISA and MasterCard to move in this direction. As somebody else pointed out, there is a lot of investment done by merchants and banks in current terminals and rest of the credit-card infrastructure so one should not expect new technology to come out overnight. however, over next 5-10 years I would expect a lot more credit cards to be chip-based with at least PIN protection on them
You load it with money from your account (usually at an automathic teller machine) and then you can go around buying things with that card until it's empty (and then you load it again).
Is it used?
The two situations i know best are Portugal and Holland.
Most banks introduced it in Portugal some years ago (a country wide standard) and went around offering cards, providing stores with card readers and advertising the cards. It was a total fiasco - they spent loads of money promoting it and in the end nobody uses it. Then again, the only advantage it had compared with hard cash was that it made it easier to pay for car-parking (instead of using coins).
In Holland they're doing the exact same thing as in Portugal except they are 1 or 2 years behind (they just recently stopped promoting it). Again a total fiasco.
So what's the problem with these cards?
For one they've been positioned as an electronic wallet. This means they have to compete with the ease of use of hard cash. (Accepted everywhere; physically more resistent; well known; widelly deployed).
Also the currently deployed solution doesn't offer many advantages over hard cash (you can used it in some (few) parking metters instead of coins - that's about it)
Finally, you can't use it to pay things in the Net (you need special equipment to use one of those cards) - this means they can't compete with the existing standard (credit cards).
Protocols
Smartcards (and their predecessors, "chipcards") implement ISO standard 7816. As a previous writer noted, above, this largly defines the physical, mechanical, and electrical characteristics of the card. It also defines the communications protcol used by a terminal when communicating with a card.
There are two major catagories of card, each with its own characteristics and generally its own communications method. These are:
These use ISO7814 part 4 S=0 ("synchronous") mode communications. They're essentially dumb memory devices, which are serially strobed synchronous data (a bit like an i2C chip in your PC) by the terminal. They don't rise to the level of "smart"cards - other than some very basic (password) authentication, they're just dumb memory devices. Most include a suicide mechanism, whereby they blow their own internal fuse (and thus become permanently dead) if you send them too many wrong passwords. Typically these are used for applications that store and manage a few values - e.g. phonecards, loyalty tokens and utility meter tokencards.
These use ISO7416 part 4 T=0 (character asynchronous mode) and T=1 (block asynchronous mode) communications. They're real computer devices in their own right, typically with either an 8051 or Hitachi H8 8-bit microcontroller as a brain and a surprising amount of memory - several Kbytes of RAM and up to 64Kbytes of flash or EEPROM storage - pretty impressive for a chip that's 2x3mm, I think.
T=0 is a simple, half-duplex, master-clocked serial protocol - you could _almost_ use a regular UART to talk to the card, except the card's initial message (its ATR - Answer To Reset) is sent synchronously, and the UARTS in regular PCs don't have a raw/USART mode that would allow them to receive this correctly. The actual communication speed varies between cards (the card tells the terminal how fast it can go in its ATR), but its generally very slow, around 300baud max. T=1 is just a simple packet format layed on T=0. Both T=0 and T=1 are, IMHO, rather crappy protocols.
True smartcards aren't just dumb memory devices - they run actual programs, and often have built in special functions, generally cryptography stuff (GemPlus makes DES and RSA enabled cards).
Major players
Security
As a replacement technology for regular magnetic swipe cards, smartcards are _much_ more secure, mostly because magnetic swipe cards are totally insecure - you can write one yourself with a reader you paid a few hundred dollars for - there's no magic and no cryptography at all.
As real security devices, smartcards aren't terribly secure. They're designed to be tamper-proof, but their form-factor ensures that this will never be very effective. Current implementations leak information from various sidechannels (EMF, heat-dissipation, elapsed-time to perform crypto operations), some of which are pretty easily fixed and some of which aren't. They're never going to be super secure (you're never going to put the launch codes for nuclear missiles on one), but they're probably fine for real-world use for their current and proposed applications.
Writing code yourself
GEMplus sells (for a pretty reasonable price) an evaluation kit with a few demo cards, some programming info and a card interface that plugs into your PC's serial port.
You can get limited JavaCard stuff from java.sun.com, but you typically need more stuff that pertains to the specific card - you get this from the card's manufacturer. The JDK's javac compiler is used to compile code for the javacard.
Sun also has (or at least used to) a pretty comprehensive software framework for the terminal (PC/server) end of the equation - it's called OpenCardFramework. It simplifies a lot of the pain-in-the-ass features terminal programmers have to put up with when talking to smartcards.
Privacy concerns
When used as a replacement for existing magnetic cards, there's no more privacy concern than with the magnetic cards - the credit card company knows all about all your transactions either way, and with the smartcard you're less likely to find out that some enterprising folks in the Far East have cloned your card and tried to buy an airplane with it.
There are privacy concens when you consider that the card can host multiple applications. In practice, you as a consumer (note: consumer is the new word for citizen, apparently) have little to no knowledge of what is being stored, run, or communicated to/from your card. The card's crypto means you can't just open the card up yourself and hunt around to see, so you'll have to trust the issuer of the card (and their agents, etc.).
## W.Finlay McWalter ## http://www.mcwalter.org ##
Ok, as it seems that this thread has just turned into a big steaming pile of uninformed crud, I'm gonna post some sites that are a good place to start. www.oberthurcs.com and www.gemplus.com are two samrt card vendors. As for sun's JavaCard, its not the only type of smart card environment out there. Another good stopping off point to learn about one type of cards system is www.cepsworld.com. Thats VISA's Common Electronic Purse System and, unlike credit cards, does have money stored on the card. Its a pity some people on this site don't shut their mouths instead of just posting crap!
We have already had a telco using SMS to spam their customers (and billing them for the privilege). Imagine not being able to walk down the street without your phone being assailed with multimedia spam from each and every shop that you pass.
No! My shoe lace came undone and I happened to be out the front of Victoria's Secret. Honest honey...
Xix.
"Everything is adjustable, provided you have the right tools"
Serge Humpich, a french engineer, broke into these cards last year. When he contacted "GIE Cartes Bancaires" (french banks association in charge of these cards) to inform them of the security breach, their only answer was a lawsuit... Doesn't this remind you of something ?
You can find more details here.
Quoting http://www.mastercard.com/education/shoppingtips/:
Will payment by credit card still be the safest way if there is a computer on the card? After all, computers don't err, and if the technology makes it harder to use the card unauthorized, it may also become harder to dispute transactions, just because the technology is believed to be secure.
Recommended reading:
both by Ross Anderson.
The traditional credit card system may be smarter than the smart card, because it accepts the possibility of failure and distributes the risk over all customers of the card issuer.
http://erichsieht.wordpress.com/category/english/
You only pay interest if you carry a balance. And if you were going to pay with an ATM card or cash, why would you carry a balance?
I interviewed for a contract with one of the big credit card companies for writing the specification for systems validating these smart cards. As they explained it, the smart cards offer nothing in the way of extra capability from their end. It's simply a new way of validating the card for the vendor who is accepting payment. The ID and validation token is stored in the chip. The vendor's hardware validates using that. Both ID and validation tokens are sent to the card company to approve payment. It's nothing more than a security blanket for those vendors who are accepting cards.
- Sig this!
Ok, I'm not sure if this is the one you talk about, but here in Sherbrooke, Quebec, Canada, we just finished a one year test-drive of a smart card mastercard call Mondex. In fact, Mondex is the name of the whole system, but the cards are said to have a "mondex chip". I dont consider this a credit card really, but more an electronic wallet. You can put no more than 500$ (that was in cdn dollars btw) on the card, for security reason, and then you can spend it just as with a credit card. It is better than interact (also called ATM cards) because the system doesn't need to call a central office by phone. everything is done local. And also, when you say they hope to put everything in one card, that's because since it is a chip, they put it on a regular ATM card so it can do both. You could also put it on a credit card.
As I learn more and more, I realize I don't know much.
The capabilities range from simple memory storage cards (3KB to 16KB), which are a high tech equalivant of the magnetic stripe on "swipe cards" to high end crypto processors which are tamper resistant and/or tamper evident. These crypto cards can generate a private key that never leaves the card, and can securely performing digitial signind decryption using the private key. Such cards typically support DES, Triple DES, RSA 512-1024 bit and SHA-1. E.g. CryptoFlex from Schlumberger, Gemplus Public Key
Smart cards are already far more common in Europe, are used in satellite TV, Mondex (an electronic wallet scheme that never seems to get off the ground), and in a different form factor, the SIM cards of GSM mobile phones are smart cards. Because of Sat-TV, Pay-TV, and GSM phones there are hundreds of millions of smart cards in use today.
There is also Linux support via MUSCLE which supports the PC/SC API made popular under Windows, and most vendors support.
If the goofey thing would store an image of authorized users that the cashier would have to press to continue the transaction, it might be worth something. You could make the program fun by displaying several unauthorized users as well, say ten of them. Think a crook can remember your face that well?
Friends don't help friends install M$ junk.
Actually -
"This note is legal tender for all debts, public and private"
Yes it does have a unique number, but it's not nearly as traceable as a credit card or smart card. If I use a dollar to buy beer, CD-Rs or cocaine, there's no record that John Doe used 100 dollar bill X12345678Z at 10:12:14 on Jan 1, 2002 at Bob's House of Crank, Beer and Blank CDs.
If I use a smart card or some other "cashless" solution...it's all tracked.
Yes. I am overlooking the word "social".
It's a failing support system that at the current rate of funding and payouts...will never be seen by anyone under the age of 30.
I will never see a dime of it, nor will anyone born since the Vietnam War ended.
I don't buy the "it makes more jobs open so the young can have work", because 16 million new jobs have been created in the US since 1991, and the majority of positions vacated by a retiring person isn't filled by a young high school or college graduate.
And...at the time of creation in the US, the median life expectancy was 65.5...and the Social Security age was set at 65, it was not and retirement or poverty assistance tool.
To sum up so I sort of kinda stay on topic.
Smart Card that track spending and income - Bad.
Social Security - Worthless for Me
Talk about a technology looking for a solution. My favorite anecdote is about American Express Blue - a recent article in the NY Times (I think) said that at one point they asked their vendor if they could make the card with a picture of the chip on it, instead of an actual chip. Why? Because it would have the same functionality at a significant cost savings!
sulli
RTFJ.