Slashdot Mirror


What About "Smart" Credit Cards?

Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"

5 of 333 comments

  1. Re:And exactly who does smart refer to? by cheebie · · Score: 5, Insightful

    Actually, I make money off of my credit cards. I have one that gives me 1% back for a $10/year fee. I pay for everything I can on that card and pay it off every month. Amount of fees I pay: $10/year. Amount of 1% kickback I get: about $100/year. Plus, I get to use their money for a month or so until the payment is due.

    Then there's the 0% interest card I was offered. I put some of my other loans onto that card. When it comes due, I'll just pay it off. In the meantime, I get to use their money for free.

    Credit cards are not evil. Using them unwisely is what is evil.

  2. ISO 7816 by jerw134 · · Score: 5, Informative

    ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication. Litronic has some useful information on their site about Smart Cards and smart card readers.

  3. What you're seeing is bad marketing. by Anonymous Coward · · Score: 5, Informative

    I worked for SCM Microsystems in France, a company that made smart card hardware for set-top boxes and PCs. I worked on firmware for a CANAL+ (pay-per-view) decoder box that used a smart card for authentication.

    What the credit card companies want is what they have in France (the rest of Europe? I don't know): when you use a credit card at a restaurant or store, you have to enter a PIN. All the credit cards in France are smart cards, and they store your PIN (encrypted IIRC). This saves them lots of money in fraud charges.

    However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).

    So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? Well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.

    So how are they selling it to consumers? Badly. They're promising stuff that nobody really cares about... marginally easier admin of freq flyer miles, intangible future bonuses in "integrated" consumer information. Bleah.

    Why don't they just frigging lower the interest rates on PIN protected cards? That would sell like hotcakes, and reducing fraud lossage is the card companies ONLY real concern. Because they are greedy fucks, that's why. They want to decrease their fraud lossage and keep the diff.

    France was only able to railroad this through by subsidizing smart card development. Schlumberger et al got some big bank by developing the smart card system for the pay phones, which only happened due to some big time pork barrel action.

    The US smart card folks just don't have their act together ATM. Too bad... I think the cards are cute. Don't really care as long as my liability on a credit card is just $50, though.

    Bill Gribble -- grib@linuxdevel.com
    Linux Developers Group

  4. Europe's had it for 15 years! by Max+von+H. · · Score: 5, Insightful

    I don't want to sound mean or anything, but we've had "smart cards" for ages over here...

    In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.

    Here, in Switzerland, my bank card is combined with Visa, and I can set limits for withdrawals and purchases done with the (post)bank part of the card (with a chip), or use the Visa function with equal flexibility.

    I suppose it just results from a different banking system between the USA and Europe. In Europe, banks contract the credit card provider (visa, mastercard, etc) and merge their cards. Plus, in most countries, banks have merged their ATM services so you can use any card to pump money from any "hole in the wall".

    What strikes me is that Americans see smart cards as a really new thing, whereas here we use them for absolutely everything, from e-wallets to bus-pass or phone cards. Smart-card readers are available and cost something around $20...

    Bah, real standards have always had hard times getting to the USA, and that's no news!

    /max

    --
    -- It's always darker before it goes pitch black.

  5. some smartcard info by wfmcwalter · · Score: 5, Informative

    Here's some technical background info on smartcards. I hope it's of value to y'all.

    Protocols

    Smartcards (and their predecessors, "chipcards") implement ISO standard 7816. As a previous writer noted, above, this largely defines the physical, mechanical, and electrical characteristics of the card. It also defines the communications protocol used by a terminal when communicating with a card.

    There are two major categories of card, each with its own characteristics and generally its own communications method. These are:

    • chipcards

      These use ISO7814 part 4 S=0 ("synchronous") mode communications. They're essentially dumb memory devices, which are serially strobed synchronous data (a bit like an I2C chip in your PC) by the terminal. They don't rise to the level of "smart"cards - other than some very basic (password) authentication, they're just dumb memory devices. Most include a suicide mechanism, whereby they blow their own internal fuse (and thus become permanently dead) if you send them too many wrong passwords. Typically these are used for applications that store and manage a few values - e.g. phonecards, loyalty tokens and utility meter tokencards.

    • smartcards

      These use ISO7416 part 4 T=0 (character asynchronous mode) and T=1 (block asynchronous mode) communications. They're real computer devices in their own right, typically with either an 8051 or Hitachi H8 8-bit microcontroller as a brain and a surprising amount of memory - several Kbytes of RAM and up to 64Kbytes of flash or EEPROM storage - pretty impressive for a chip that's 2x3mm, I think.

      T=0 is a simple, half-duplex, master-clocked serial protocol - you could _almost_ use a regular UART to talk to the card, except the card's initial message (its ATR - Answer To Reset) is sent synchronously, and the UARTs in regular PCs don't have a raw/USART mode that would allow them to receive this correctly. The actual communication speed varies between cards (the card tells the terminal how fast it can go in its ATR), but it's generally very slow, around 300 baud max. T=1 is just a simple packet format layered on T=0. Both T=0 and T=1 are, IMHO, rather crappy protocols.

      True smartcards aren't just dumb memory devices - they run actual programs, and often have built in special functions, generally cryptography stuff (GemPlus makes DES and RSA enabled cards).

    Major players

    • The leader in this space is undoubtedly GEMplus inc. of Lyon in France, a company founded by the inventors of the chipcard.
    • I believe Hitachi itself also makes cards. When you get a card from an institution (from DeLaRue, Visa, AMEX etc.) it's probably come either from Hitachi or GEMplus.
    • GSM cellphone manufacturers and wireless service-providers. The little ID chip in a GSM phone is just a regular smartcard chip, same contacts and everything. On better phones it's customer-swappable (so you could have a plan in the U.K., one in France and an Italian prepaid card - you'd just use the appropriate one depending on which country you're in - hence no roaming). The GSM folks are particularly excited about the future of smartcards - they want to add new (non telephony apps) to the cards, so they can be used for stuff like purchases, gambling, etc.
    • Somewhat surprisingly, Sun Microsystems is doing very well in getting its JavaCard technology adopted for most real smartcard deployments - most GEMplus cards, most recent GSM chips, and both AMEX(blue) and VISA cards feature this super-reduced java runtime environment. Application developers like this, mostly because coding for the individual chips themselves is as crufty as hell.
    • The physical connector to the smartcard (in the terminal) is most often made by Amphenol. The little microcontroller that talks T=0/1 to the card is generally from GEMplus, Hitachi or Philips.

    Security

    As a replacement technology for regular magnetic swipe cards, smartcards are _much_ more secure, mostly because magnetic swipe cards are totally insecure - you can write one yourself with a reader you paid a few hundred dollars for - there's no magic and no cryptography at all.

    As real security devices, smartcards aren't terribly secure. They're designed to be tamper-proof, but their form-factor ensures that this will never be very effective. Current implementations leak information from various sidechannels (EMF, heat-dissipation, elapsed-time to perform crypto operations), some of which are pretty easily fixed and some of which aren't. They're never going to be super secure (you're never going to put the launch codes for nuclear missiles on one), but they're probably fine for real-world use for their current and proposed applications.

    Writing code yourself

    GEMplus sells (for a pretty reasonable price) an evaluation kit with a few demo cards, some programming info and a card interface that plugs into your PC's serial port.

    You can get limited JavaCard stuff from java.sun.com, but you typically need more stuff that pertains to the specific card - you get this from the card's manufacturer. The JDK's javac compiler is used to compile code for the javacard.

    Sun also has (or at least used to) a pretty comprehensive software framework for the terminal (PC/server) end of the equation - it's called OpenCardFramework. It simplifies a lot of the pain-in-the-ass features terminal programmers have to put up with when talking to smartcards.

    Privacy concerns

    When used as a replacement for existing magnetic cards, there's no more privacy concern than with the magnetic cards - the credit card company knows all about all your transactions either way, and with the smartcard you're less likely to find out that some enterprising folks in the Far East have cloned your card and tried to buy an airplane with it.

    There are privacy concerns when you consider that the card can host multiple applications. In practice, you as a consumer (note: consumer is the new word for citizen, apparently) have little to no knowledge of what is being stored, run, or communicated to/from your card. The card's crypto means you can't just open the card up yourself and hunt around to see, so you'll have to trust the issuer of the card (and their agents, etc.).

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
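
The last comment notes that a card announces its protocols (T=0, T=1) and its speed parameters in the ATR. As an added example that is not part of any poster's comment, here is a minimal Python parser for the ISO 7816-3 ATR byte layout that treats the card as untrusted input and rejects bad lengths and checksums. The function name, the returned field names and both sample ATRs are constructed for illustration.

```python
# Added example: minimal ISO 7816-3 ATR parser. Sample ATRs are constructed.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # clock-rate factor F
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # bit-rate factor D

T0_ONLY = bytes.fromhex("3B021234")          # constructed: no interface bytes
DUAL = bytes.fromhex("3B929580011234A0")     # constructed: TA1, T=0 and T=1, TCK

def parse_atr(atr: bytes) -> dict:
    """Parse an ATR from an untrusted card; raise ValueError if malformed."""
    if not 2 <= len(atr) <= 33 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad length or invalid TS byte")
    y, k = atr[1] >> 4, atr[1] & 0x0F   # T0: Y1 presence bits, K historical bytes
    pos, i, iface, t_values = 2, 1, {}, []
    while y:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                iface[f"{name}{i}"] = atr[pos]
                td = atr[pos] if name == "TD" else td
                pos += 1
        if td is None:
            break
        y, i = td >> 4, i + 1           # TDi: next presence bits, protocol T
        t_values.append(td & 0x0F)
    hist = atr[pos:pos + k]
    pos += k
    has_tck = any(t != 0 for t in t_values)  # TCK omitted only for T=0-only cards
    if pos + has_tck != len(atr):
        raise ValueError("length does not match T0/TDi declarations")
    if has_tck:
        x = 0
        for b in atr[1:]:               # XOR of T0..TCK must be zero
            x ^= b
        if x:
            raise ValueError("TCK checksum mismatch")
    ta1 = iface.get("TA1", 0x11)        # default F=372, D=1 when TA1 is absent
    f, d = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    if f is None or d is None:
        raise ValueError("TA1 uses a reserved F or D value")
    protocols = sorted({t for t in t_values if t != 15}) or [0]
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "protocols": protocols, "F": f, "D": d,
            "clocks_per_bit": f / d, "historical": hist.hex()}

if __name__ == "__main__":
    for sample in (T0_ONLY, DUAL):
        print(sample.hex(), parse_atr(sample))
```

The `clocks_per_bit` value is F/D, the number of card clock cycles the terminal must allow per transmitted bit.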