What About "Smart" Credit Cards?
Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"
What, me worry?
Just last week I received a phone call from a young lady quite eager to sign me up for a new Visa card with a built-in smart chip. But first, I had a question:
Me: "Yes, well, before I sign up, I'd like to know; is that smart chip silicon based or germanium based?"
Her: "...uhm... excuse me?"
Me: "Well, if a company doesn't know this kind of basic information about the products they are selling, that's not a company I would do business with. Good day."
Needless to say, they have yet to call back.
--
#nohup cat
As far as I can tell, these "smart cards" do nothing at all. Keep in mind that reader hardware is needed for the little embedded chips, and until such hardware becomes ubiquitous no one can do anything with any data that someone bothered to put on there. My university actually tried doing this exact thing with its student ID cards for a couple years, and the only use it could find for it was as a rechargeable stored value system. They dropped it because it wasn't all that useful and it raised the cost of the cards from like $7 to $20 to replace. I guess that these cards might be a good way to use small amounts of electronic money, but considering one is already doing just that -- it's a credit card, remember? -- I don't see the point. I guess people could store basic commonly-needed information like a health insurance policy number on them, but again, unless access technology is widely available this is just a gimmick.
Anyone know the technical details of these cards? The privacy aspects?
Simple answer: More convenience = less privacy = less security (for most cases)
What I find really interesting is the credit card one-time deals (don't know a link to information, if anybody does, please help out) but the gist of it was that: you'd sign up with a credit card with, say, Visa. Then when you're about to buy something on the internet you get a temporary credit card number from Visa that only has a certain amount available on its balance.
Security-wise it's great, since if anybody gets that number, no big deal, since they can't use it. Privacy-wise it wouldn't be hard to make it not require any personal details. (Since it's a temporary number issued on demand, it's almost safe to assume it's not stolen (possibly ask for a name or something like that))
Actually, I make money off of my credit cards. I have one that gives me 1% back for a $10/year fee. I pay for everything I can on that card and pay it off every month. Amount of fees I pay: $10/year. Amount of 1% kickback I get: about $100/year. Plus, I get to use their money for a month or so until the payment is due.
Then there's the 0% interest card I was offered. I put some of my other loans onto that card. When it comes due, I'll just pay it off. In the meantime, I get to use their money for free.
Credit cards are not evil. Using them unwisely is what is evil.
Yes the attractive transparent card with the smart chip on it http://www.providian.com/mysmartservices/index.htm
looked like it would be a wonderful addition to the small collection of cards I rotate through my wallet over the months to build up an extensive credit history.
The problem with this card is it seems the entire company and everything about it is entirely automated.
I first received a call from them to activate the card from a very rude operator who demanded all this information about me which was entirely unnecessary and completely unrelated to the card. They also gave me a pathetic $1,000 limit making it the most useless card in my collection and I had cancelled a platinum Discover card with an $8,000 limit for this stupid pretty-looking card.
Over the following two months I was still on the mailing list and received three more notices to sign up for the card. I tried to then use the card by charging a charitable donation and it appeared to go through at first until I went to some stores tried to buy an item and it didn't go through. So I called to have the card activated again and after the process was complete it STILL wasn't activated making a total of 2 times.
At this point I was very frustrated so I tried to cancel it only to find absolutely every phone number was automated voicemail with no access to a human being and no option to cancel the card. There are multiple phone numbers which loop between each other so you can call one number and wind up selecting an option that will transfer you to one of the other numbers. I was just about to call the Better Business Bureau when I FINALLY found an obscure number listed in a dark corner of their website and immediately cancelled it. Until Providian gets their act together AVOID THIS CARD. Besides Providian is already so nosy about all your personal details just to activate the card just think of how nosy they'll be when they finally activate the smart chip once enough get into circulation.
http://www.livejournal.com/users/cixel
ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication. Litronic has some useful information on their site about Smart Cards and smart card readers.
I worked for a major valley computer company in 2000, and we had evaluated American Express's Blue as a possible companion to some of the ecommerce solutions we had wanted to develop.
Blue, and everything else I've seen since then aren't real solutions, they're just gimmicks. They need to support real SmartCards which offer strong encryption onboard and payment approval. The half-assed crap that they're pushing now is next to useless. The only benefit that I can see of Blue and its ilk is that they might have the opportunity to make SmartCard readers ubiquitous. From there, they could maybe begin to support SmartCards with the features that I mentioned above.
Why are you letting these clowns ruin our country?
I worked for SCM Microsystems in France, a company that made smart card hardware for set-top boxes and PCs. I worked on firmware for a CANAL+ (pay-per-view) decoder box that used a smart card for authentication.
What the credit card companies want is what they have in France (the rest of Europe? I don't know): when you use a credit card at a restaurant or store, you have to enter a PIN. All the credit cards in France are smart cards, and they store your PIN (encrypted IIRC). This saves them lots of money in fraud charges.
However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).
So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? Well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.
So how are they selling it to consumers? Badly. They're promising stuff that nobody really cares about... marginally easier admin of freq flyer miles, intangible future bonuses in "integrated" consumer information. Bleah.
Why don't they just frigging lower the interest rates on PIN protected cards? That would sell like hotcakes, and reducing fraud lossage is the card companies ONLY real concern. Because they are greedy fucks, that's why. They want to decrease their fraud lossage and keep the diff.
France was only able to railroad this through by subsidizing smart card development. Schlumberger et al got some big bank by developing the smart card system for the pay phones, which only happened due to some big time pork barrel action.
The US smart card folks just don't have their act together ATM. Too bad... I think the cards are cute. Don't really care as long as my liability on a credit card is just $50, though.
Bill Gribble -- grib@linuxdevel.com
Linux Developers Group
The current generation of SmartCards are Java-based. The idea is that they provide more than memory, but a full Java Runtime Environment, and a set of base applications, under the theory that processing transactions in a known (secure) environment is preferable to simply swiping the card through a reader/writer which might otherwise simply increment or decrement a number (of dollars or whatever) stored on the card. These cards have a great deal of potential that remains largely untapped. I have yet to see a smartcard transaction processor which takes any real advantage of these capabilities.
--CTH
--Got Lists? | Top 95 Star Wars Line
I don't want to sound mean or anything, but we've had "smart cards" for ages over here...
In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.
Here, in Switzerland, my bank card is combined with Visa, and I can set limits for withdrawals and purchases done with the (post)bank part of the card (with a chip), or use the Visa function with equal flexibility.
I suppose it just results from a different banking system between the USA and Europe. In Europe, banks contract the credit card provider (visa, mastercard, etc) and merge their cards. Plus, in most countries, banks have merged their ATM services so you can use any card to pump money from any "hole in the wall".
What strikes me is that Americans see smart cards as a really new thing, whereas here we use them for absolutely everything, from e-wallets to bus-pass or phone cards. Smart-card readers are available and cost something around $20...
Bah, real standards have always had hard times getting to the USA, and that's no news!
/max
-- It's always darker before it goes pitch black.
I noticed the widespread use of these cards last time I was in France. I guess the reason they caught on so well over there was that the way the cards are set up, they are somehow self-authenticating, that is there is no need to call a central database, at least not at the time of purchase. This was an important feature in Europe where super-expensive telephone hookups made it prohibitively expensive for the average business to authorise credit cards over the phone every time one was used.
We use them at my university for stored value as well. They were going to drop them from our IDs a few years ago, but the introduction of SunRay network appliances all over here and the hot-desking that goes with them guaranteed they'll stick around a while longer.
Although I think the coolest application I've seen is the card I can store all of my PCR programs on for our Thermal Cycler in the lab. Tres convenient!
--J
I worked for a company that specialized in smart card devices and was present while some of the technical and political discussions took place. The implementation, at that time at least, was up to the credit card company but the potential is this (read potential means this may or may not be the route your CC company chose):
A smartcard could secure your credit card number so that only the banks ever see it plaintext. That means you never see it, the merchant and his punk waiter never see it. If they get clever and intercept the transmission, they'll see encrypted traffic - it behaves very similarly to SSL. The PIN is an authorization to allow the transaction to occur, and interestingly the entering of the PIN# becomes one of the hardest security parts to lock down. I even saw prototype smartcards with little keypads right on them!
Having worked with the technology, I have FAR more faith in a (proper) smartcard-secured credit card transaction than a normal one. Imagine being able to go to po-dunk computer supplier.com and not have to give him your CC # to make a purchase? It's a good thing.
Newer Smart Cards are capable of public key cryptography. They are not just an information store, like a magnetic stripe, but actually perform public key crypto on an embedded processor on the card which is powered by the reader. This way your public key never leaves the card.
Some of the better manufacturers of Smart Cards add all sorts of physical security to the chips as well...to the point where you can't even take the chip apart and scan the die with an electron microscope or special probes to try to read or trick the bits out of memory.
My guess is that the current Visa cards do NOT use onboard cryptography yet...that these are general purpose cards which for now store your credit card number and address for convenience because the infrastructure is not yet in place AFAIK to support public key credit card transactions. They may or may not already have crypto software onboard that could be used with a PKCS#11 driver, but the credit card companies just want to get them and the readers deployed, and then will provide a software update or something to actually add crypto features in your transaction in the next couple years. See the PKCS#11 standard written by RSA (on their web site) for the standard crypto API which has been adopted for smartcards.
Note that smart cards have been around for a while in Europe, although they were typically not used in a cryptographically sophisticated way.
See www.pki-page.org and http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/
Braddock Gaskill
Security Consultant
braddock@braddock.com
Smart cards are pretty cool. They have great security, are standards-based, and are quite cheap when you think about all they do.
Most smart cards (JavaCards or OpenCards) support encryption, wired or wireless interfaces, and a bit of space on the card itself for a program of your own. www.basiccard.com offers a neat little set of cards you can program in basic, if you're just getting started. (the program on the computer can be written in any language). www.gemplus.com has cards you can program in Java, but these are much more expensive.
Each card has an onboard computer which you can program to do your bidding, from anything to securely storing cash (that only the correct program, or card reader can adjust, if you like), identity checking (imagine an ID card with your picture, signature, left thumbprint on the surface of the card, and stored securely inside the card - now there's an ID), and tons of other things that haven't been thought of yet.
You can use them as phone cards, tiny cash cards (swipe your card in front of a soda machine, push Pepsi, drink, repeat)
There are tons of cool things you can do with a tiny computer embedded in a card. It's more than just memory storage, it's an entire CPU that you could use for a new TIS authentication scheme, or a new payphone card, or a key for your encrypted files. You could walk by a local ESPN store, swipe your card, then on your Palm later check out all the scores and player stats for the last week. Look, smartcards are great or evil, depending on how creative you are, but the potential for some very cool things is definitely there.
The use of chip cards has tremendous potential in both the face-to-face (traditional, i.e. at the grocery store) and card-not-present (CNP, i.e. Internet) purchase mediums. For example, one day there may be a client-side and server-side standard that enables card authentication over the Internet, giving e-commerce retailers greater confidence that the person on the other end is the legitimate cardholder and not someone typing in stolen cardholder information. There are also a number of other proposals to use the chip for CRM purposes, such as electronic couponing and loyalty schemes. The potential is certainly there to greatly improve the way credit cards are used for payments today.
Despite this potential, even the card companies don't know what to do with the chips on these cards. There is a total lack of standards among the card associations (Visa, MC, Amex, Discover and other foreign schemes). To date, none of them have proposed any type of beneficial use for these embedded chips. The card associations love to use catch slogans like "The card with a brain", but mysteriously offer no explanation as to how this brain can help you.
The use of embedded-chip payment cards is not new to the world. Several card markets have experimented with chip cards in the past. Perhaps the most notable market is France, who has employed chip card technology for the last several years. If you've ever been to France, you may have noticed that there is a PIN input pad at every point-of-sale terminal. If you are at a restaurant, the waiter will bring a handheld card reader to your table. Each card issued by a French bank contains a chip, which enables this reader unit to verify if a correct secret PIN has been entered by the cardholder - without contacting a bank or any other banking network. These units also contain a traditional magnetic stripe reader used to authorize non-French issued cards.
This chip-based system was implemented in France for two reasons: offline cardholder verification and enhanced security. Since the units are able to independently verify correct cardholder PINs, this allows merchants to authorize credit card transactions offline, without requiring a dedicated phone line. This is a nice feature for countries with telcos that take 12 months to install a phone line, which often have overly expensive telecom costs. One important thing to note: Offline PIN-based validations do not have the ability to check for basic validations like checking to see if there is open credit on the account or checking to see if the account is even valid. The offline validation also does not work on non-French issued cards. Subsequently, most retailers authorize transactions using a traditional online method, even if the card has a chip.
Despite the widespread use in France, chip-based authorization is still years away here in the US. France is a very small card market with only a handful of banks issuing credit cards. Various reports have estimated a cost between $10 and $20 billion dollars to convert the current US card authorization systems to include chip-based authentication/authorization - a cost that card issuers, acquirers (the banks that merchants interface with) and merchants are not ready to eat. In addition, extending chip card authorization to the online world will require client-side hardware (i.e. card readers) and server-side software... more hassle than the card issuers are ready to deal with right now. AMEX tried it and failed miserably (did you actually know anyone that used the AMEX Blue smart card reader? Do you know any online merchants that support it?)
In a nutshell, your credit card may have a brain, but it is yet to have a place to use all that intelligence.
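The offline PIN check described in the comment above, as an added sketch that is not part of the original thread or any card vendor's code: a toy card verifies the PIN itself and the terminal learns only a status word. The class and function names, the sample PIN and the three-try limit are assumptions; the status words follow ISO 7816-4 (0x9000 success, 0x63Cx wrong with x tries left, 0x6983 blocked).

```python
import hmac

SW_OK = 0x9000        # ISO 7816-4: command succeeded
SW_BLOCKED = 0x6983   # ISO 7816-4: authentication method blocked


class ToyCard:
    """Hypothetical card model: the PIN never leaves this object."""

    def __init__(self, pin: str, max_tries: int = 3):  # 3 tries is an assumption
        self._pin = pin.encode()
        self._max_tries = max_tries
        self._tries_left = max_tries

    def verify(self, candidate: str) -> int:
        """Check a PIN on the card and return an ISO 7816-4 status word."""
        if self._tries_left == 0:
            return SW_BLOCKED
        # Spend the try BEFORE comparing, so cutting power mid-comparison
        # cannot be used to get unlimited guesses.
        self._tries_left -= 1
        # Constant-time comparison: response time must not reveal how many
        # leading digits of the guess were right.
        if hmac.compare_digest(candidate.encode(), self._pin):
            self._tries_left = self._max_tries
            return SW_OK
        return 0x63C0 | self._tries_left   # wrong PIN, x tries remaining


def terminal_offline_decision(card: ToyCard, pin: str) -> str:
    """Terminal side: no bank is contacted, only the card's answer is used.

    This confirms the cardholder knows the PIN and nothing else; available
    credit and account validity are not checked in this mode.
    """
    sw = card.verify(pin)
    if sw == SW_OK:
        return "cardholder-verified"
    if sw == SW_BLOCKED or sw == 0x63C0:
        return "card-blocked"
    return f"wrong-pin-{sw & 0x0F}-tries-left"


if __name__ == "__main__":
    card = ToyCard("4821")                    # constructed sample PIN
    for guess in ("0000", "4821", "1111", "2222", "3333", "4821"):
        print(guess, terminal_offline_decision(card, guess))
```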
Protocols
Smartcards (and their predecessors, "chipcards") implement ISO standard 7816. As a previous writer noted, above, this largely defines the physical, mechanical, and electrical characteristics of the card. It also defines the communications protocol used by a terminal when communicating with a card.
There are two major categories of card, each with its own characteristics and generally its own communications method. These are:
These use ISO7814 part 4 S=0 ("synchronous") mode communications. They're essentially dumb memory devices, which are serially strobed synchronous data (a bit like an i2C chip in your PC) by the terminal. They don't rise to the level of "smart"cards - other than some very basic (password) authentication, they're just dumb memory devices. Most include a suicide mechanism, whereby they blow their own internal fuse (and thus become permanently dead) if you send them too many wrong passwords. Typically these are used for applications that store and manage a few values - e.g. phonecards, loyalty tokens and utility meter tokencards.
These use ISO7416 part 4 T=0 (character asynchronous mode) and T=1 (block asynchronous mode) communications. They're real computer devices in their own right, typically with either an 8051 or Hitachi H8 8-bit microcontroller as a brain and a surprising amount of memory - several Kbytes of RAM and up to 64Kbytes of flash or EEPROM storage - pretty impressive for a chip that's 2x3mm, I think.
T=0 is a simple, half-duplex, master-clocked serial protocol - you could _almost_ use a regular UART to talk to the card, except the card's initial message (its ATR - Answer To Reset) is sent synchronously, and the UARTs in regular PCs don't have a raw/USART mode that would allow them to receive this correctly. The actual communication speed varies between cards (the card tells the terminal how fast it can go in its ATR), but it's generally very slow, around 300baud max. T=1 is just a simple packet format layered on T=0. Both T=0 and T=1 are, IMHO, rather crappy protocols.
True smartcards aren't just dumb memory devices - they run actual programs, and often have built in special functions, generally cryptography stuff (GemPlus makes DES and RSA enabled cards).
Major players
Security
As a replacement technology for regular magnetic swipe cards, smartcards are _much_ more secure, mostly because magnetic swipe cards are totally insecure - you can write one yourself with a reader you paid a few hundred dollars for - there's no magic and no cryptography at all.
As real security devices, smartcards aren't terribly secure. They're designed to be tamper-proof, but their form-factor ensures that this will never be very effective. Current implementations leak information from various sidechannels (EMF, heat-dissipation, elapsed-time to perform crypto operations), some of which are pretty easily fixed and some of which aren't. They're never going to be super secure (you're never going to put the launch codes for nuclear missiles on one), but they're probably fine for real-world use for their current and proposed applications.
Writing code yourself
GEMplus sells (for a pretty reasonable price) an evaluation kit with a few demo cards, some programming info and a card interface that plugs into your PC's serial port.
You can get limited JavaCard stuff from java.sun.com, but you typically need more stuff that pertains to the specific card - you get this from the card's manufacturer. The JDK's javac compiler is used to compile code for the javacard.
Sun also has (or at least used to) a pretty comprehensive software framework for the terminal (PC/server) end of the equation - it's called OpenCardFramework. It simplifies a lot of the pain-in-the-ass features terminal programmers have to put up with when talking to smartcards.
Privacy concerns
When used as a replacement for existing magnetic cards, there's no more privacy concern than with the magnetic cards - the credit card company knows all about all your transactions either way, and with the smartcard you're less likely to find out that some enterprising folks in the Far East have cloned your card and tried to buy an airplane with it.
There are privacy concerns when you consider that the card can host multiple applications. In practice, you as a consumer (note: consumer is the new word for citizen, apparently) have little to no knowledge of what is being stored, run, or communicated to/from your card. The card's crypto means you can't just open the card up yourself and hunt around to see, so you'll have to trust the issuer of the card (and their agents, etc.).
## W.Finlay McWalter ## http://www.mcwalter.org ##
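The comment above says the card announces its protocol (T=0 or T=1) and speed in its ATR. As an added example, not from the original post or any vendor kit, here is a bounds-checked ATR parser following the ISO 7816-3 layout. The ATR is the first data a terminal accepts from an untrusted card, so every read is length-checked; the function name and both sample ATRs are constructed for illustration.

```python
# Fi / Di tables from ISO 7816-3; missing keys are reserved (RFU) values.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def parse_atr(atr: bytes) -> dict:
    """Parse an Answer To Reset; raise ValueError on anything malformed."""
    if not 2 <= len(atr) <= 33:              # TS plus at most 32 bytes
        raise ValueError("bad ATR length")
    if atr[0] not in (0x3B, 0x3F):           # direct / inverse convention
        raise ValueError("unknown TS byte")
    pos = 1

    def take() -> int:
        """Read one byte, refusing to run past the end of the buffer."""
        nonlocal pos
        if pos >= len(atr):
            raise ValueError("ATR truncated")
        pos += 1
        return atr[pos - 1]

    t0 = take()
    y, k = t0 >> 4, t0 & 0x0F                # Y1 presence bits, K historical bytes
    interface, protocols, i = {}, [], 1
    while True:                              # ends when no TDi follows or data runs out
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                interface[f"{name}{i}"] = take()
        if not y & 8:                        # no TDi, so no further group
            break
        td = take()
        interface[f"TD{i}"] = td
        y = td >> 4                          # presence bits for the next group
        protocols.append(td & 0x0F)          # protocol number T offered by the card
        i += 1
    protocols = sorted(set(protocols)) or [0]   # no TD1 means T=0 only

    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("historical bytes truncated")
    pos += k

    if any(p != 0 for p in protocols):       # TCK is present unless only T=0
        take()
        xor = 0
        for b in atr[1:pos]:                 # T0 through TCK must XOR to zero
            xor ^= b
        if xor:
            raise ValueError("TCK checksum mismatch")
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")

    ta1 = interface.get("TA1", 0x11)         # default when TA1 is absent: F=372, D=1
    f, d = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    if f is None or d is None:
        raise ValueError("reserved Fi/Di value in TA1")
    return {"protocols": protocols, "F": f, "D": d,
            "clocks_per_bit": f / d, "historical": historical,
            "interface": interface}


if __name__ == "__main__":
    # Constructed sample ATRs: a T=0 card (no TCK) and a T=1 card (with TCK).
    for sample in ("3B1311414243", "3B9295014A430F"):
        print(sample, parse_atr(bytes.fromhex(sample)))
```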