What About "Smart" Credit Cards?

Platypii writes "After seeing many ads on TV and around the Internet for the "smart" credit cards (both major companies now have them I believe), I became curious about them. The Visa website was rather vague about it, and only proclaimed dreams of merging all your cards -- of whatever type -- into one. Anyone know the technical details of these cards? The privacy aspects?"
  • by BiggestPOS ( 139071 ) on Sunday August 26, 2001 @07:12PM (#2219460) Homepage
    When you are about to make a stupid purchase, and then renders the numbers invalid. For example, if you try and pick up the Waterworld DVD, not only will the card not work, it will also kick your ass. Really handy if I say so :)

    • by Swaffs ( 470184 )
      Are you kidding me? Stupid purchases are how credit card companies make money. The whole idea is that you can buy whatever you want without worrying about whether or not you actually have the money to pay for it, and without committing the actual act of forking over cash and emptying your wallet, which might cause you to think twice.
    • Ok, as it seems that this thread has just turned into a big steaming pile of uninformed crud, I'm gonna post some sites that are a good place to start. www.oberthurcs.com and www.gemplus.com are two smart card vendors. As for Sun's JavaCard, it's not the only type of smart card environment out there. Another good stopping off point to learn about one type of card system is www.cepsworld.com. That's VISA's Common Electronic Purse System and, unlike credit cards, does have money stored on the card. It's a pity some people on this site don't shut their mouths instead of just posting crap!
  • As long as these cards are usable in a store of today it won't create any extra security. This will only create more to exploit all at one time.
    • "I've never seen that happen."

      "His body rejected the 'smart card'."

      (From the Dilbert of 3/21/97, third panel: after a card flees for its life from the grasp of the pointy-haired boss.)
    • The current generation of SmartCards are java based [sun.com]. The idea is that they provide more than memory, but a full Java Runtime Environment, and a set of base applications [fusioncard.com], under the theory that processing transactions in a known (secure) environment is preferable to simply swiping the card through a reader/writer which might otherwise simply increment or decrement a number (of dollars or whatever) stored on the card. These cards have a great deal of potential that remains largely untapped. I have yet to see a smartcard transaction processor which takes any real advantage of these capabilities.

      --CTH
  • 2600 had an article about this some time ago. I can't remember exactly what issue but it discussed the technical details of the card and what the chip does. Towards the end of the article the author sums it up by saying only time will tell whether this new chip is friend or foe but I digress.. I'll follow up with some more information if I find the issue.. somewhere.
    • As a long-time idler on irc.2600.net, believe you me: you shouldn't trust anything you read in that rag >:)
  • These cards may be smart, but they won't keep you out of debt. They will probably drive you further into debt because you won't be afraid to use it because it is "secure". How smart is that?


  • Are these cards called smart because somebody put a little electrical circuit in them, or is there a lot more going on with these "smart" credit cards than the average consumer knows? Credit cards have always been evil - luring innocent and naive consumers and sinking them in irrecoverable debt. Perhaps they've just gotten cleverer at that.
    • by cheebie ( 459397 ) on Sunday August 26, 2001 @07:30PM (#2219517)
      Actually, I make money off of my credit cards. I have one that gives me 1% back for a $10/year fee. I pay for everything I can on that card and pay it off every month. Amount of fees I pay: $10/year. Amount of 1% kickback I get: about $100/year. Plus, I get to use their money for a month or so until the payment is due.

      Then there's the 0% interest card I was offered. I put some of my other loans onto that card. When it comes due, I'll just pay it off. In the meantime, I get to use their money for free.

      Credit cards are not evil. Using them unwisely is what is evil.
      • Already we have ATMs and vending machines that talk to mobile phones. A large bank here in Australia just bought into a mobile phone company. Unlike a credit card, a phone will cease working if stolen or forged (since you know exactly how many instances of a phone should be on the network). The absence of a physical connection means you won't spend time buffing worn out magnetic strips against your shirt trying to get it to read. Eventually you won't need to buy a train ticket, the carriage will just bill your phone as you travel from station to station. And we'll know exactly where you are at any given time, people in public places without valid phones will be investigated by the police and everyone else's movements will be logged to prove their innocence.

        Xix.
  • by EvlPenguin ( 168738 ) on Sunday August 26, 2001 @07:16PM (#2219474) Homepage
    Just last week I received a phone call from a young lady quite eager to sign me up for a new Visa card with a built in smart chip. But first, I had a question:

    Me: "Yes, well, before I sign up, I'd like to know; is that smart chip silicon based or germanium based?"
    Her: "...uhm... excuse me?"
    Me: "Well, if a company doesn't know this kind of basic information about the products they are selling, that's not a company I would do business with. Good day."

    Needless to say, they have yet to call back.
    • by Anonymous Coward
      Sales Rep = Someone earning $8.50 an hour, just trying to do his/her job.
      You = A genuine rapier-witted genius who must feel really good about himself for demeaning the sales-rep.

      Well-Done!
  • by dgp ( 11045 )
    gemplus.com, a leading smartcard manufacturer, has some good info [gemplus.com] on smartcard technology.
  • It's a gimmick (Score:3, Interesting)

    by Logic Bomb ( 122875 ) on Sunday August 26, 2001 @07:21PM (#2219485)
    As far as I can tell, these "smart cards" do nothing at all. Keep in mind that reader hardware is needed for the little embedded chips, and until such hardware becomes ubiquitous no one can do anything with any data that someone bothered to put on there. My university actually tried doing this exact thing with its student ID cards for a couple years, and the only use it could find for it was as a rechargeable stored value system. They dropped it because it wasn't all that useful and it raised the cost of the cards from like $7 to $20 to replace. I guess that these cards might be a good way to use small amounts of electronic money, but considering one is already doing just that -- it's a credit card, remember? -- I don't see the point. I guess people could store basic commonly-needed information like a health insurance policy number on them, but again, unless access technology is widely available this is just a gimmick.
    • I had always assumed that the little chip did something to dynamically change the value of the magstripe (by the way, does anyone know how much data a standard-sized stripe can hold?)..

      What's the point of storing data in a little easily-lost plastic sliver when you can instead store it in big redundant mainframes?
      • Re:It's a gimmick (Score:2, Informative)

        by NetGuruFL ( 28160 )
        "(by the way, does anyone know how much data a standard-sized stripe can hold?).."

        About 140 bytes. "Smart cards" typically have anywhere from 1KB to 32KB. Not counting those newer optical ones which hold about 5MB.
    • Er... from reading other comments I've noticed that the "smart card" approach goes in two directions. American Express' "Blue" program and some others I've seen put little memory chips in the middle of their cards and call them "smart," and then there are companies who attach various services to the existing credit card number. I was obviously referring to the memory chip cards in my first comment. As for the other kind, well, I'd say it's pretty much Microsoft Passport with a better existing infrastructure when it comes to uses in non-Internet situations.
    • Re:It's a gimmick (Score:2, Informative)

      by phillymjs ( 234426 )
      As far as I can tell, these "smart cards" do nothing at all.

      Sure they do, they make a bunch of unwashed Windows users think they're 31337 because they have a credit card with a computer chip in it.

      That's right, just Windows users. Oh you thought Macs and Linux might be supported? Fat chance! AmEx Blue has been promising Mac support Real Soon Now since their card debuted two years ago, but now they don't even mention it on their system requirements page [americanexpress.com] anymore. The promised Mac support was one of the reasons I got the Blue card, along with the 'added security' -- but their security is a joke in general. There was significant fraud perpetrated with my account number [home.net] before I even got the card, and it did not involve identity fraud or interception of my postal mail.

      VISA's smart cards also offer bupkis in the way of non-Windows support. [visa.com]

      ~Philly
  • has had smartcard technology for quite some time. Their civilization has yet to crumble because of it. A friend of mine was working on the Java code for a certain smartcard implementation while he was at RSA, and though he was never able to reveal specifics, he didn't feel it was too sinister. Corporate yes, and therefore sinister to most, but not any more so than the rest of today's world...

    Perhaps someone who was at the HAL workshop [hal2001.org] can give the hacker's perspective?

  • my opinion (Score:4, Interesting)

    by unformed ( 225214 ) on Sunday August 26, 2001 @07:25PM (#2219492)
    Anyone know the technical details of these cards? The privacy aspects?

    Simple answer: More convenience = less privacy = less security (for most cases)

    What I find really interesting is the credit card one-time deals (don't know a link to information, if anybody does, please help out) but the gist of it was that: you'd sign up with a credit card with, say, Visa. Then when you're about to buy something on the internet you get a temporary credit card number from Visa that only has a certain amount available on its balance.

    Security-wise it's great, since if anybody gets that number, no big deal, since they can't use it. Privacy-wise it wouldn't be hard to make it not require any personal details. (Since it's a temporary number issued on demand, it's almost safe to assume it's not stolen (possibly ask for a name or something like that))
    • OTOH, smart cards have to become ubiquitous before it will be possible to build the ultimate private solution:

      A smart card that you buy in your local store for cash, which has a pre-encoded amount built in and a small identification system (even a PIN would be fine for this) that allows you to secure it so only you can use it.

      No point in anybody stealing it because they can't use it, and nobody can see how much cash is in it, so no more profiling you based on how much cash is in your wallet.
    • The privacy aspects?

      If you have any uncertainty about your privacy, you should check out this statement [tagor.com].
    • I work for a smart-card solutions company in India and was the technical lead for a team that wrote software for India's largest installation of smart-cards [bharatpetroleum.com] which in India is larger than most credit cards. I have also been asked to present my views in front of an RBI (India's federal bank) sponsored committee to create standards for smart-card use in the country. Coming to technical details, a smart card basically acts like a secure computer with a secure filesystem and operating system of its own. It exposes a limited set of "system calls" that you can call from inside your program which are supposed to be secure (at least in theory). For example, the system calls may allow you to "write" a private key to a "file" in the smart card from a program, but having once written the private key you are not allowed to modify or read it back. There will be a separate set of "system calls" that will allow you to decrypt or sign messages using this key however (after giving one or more PIN(s)). As a card is small and can be easily hidden or transported under rugged environments this allows a very secure and convenient place to keep critical private keys. Such cards are commercially available [slb.com] and are programmable from Windows [microsoft.com] and Java [sun.com] (A free Linux version in C is being done by the MUSCLE [linuxnet.com] guys). There is nothing more or nothing less to smartcard technology. As you can imagine one can leverage this simple use and storage of asymmetric (and also symmetric) keys to design wonderful credit-card (or other financial) solutions that can provide almost complete privacy and fraud-control. However, it is not technology but the corporates and government which are limiting the use of smart cards. For example, in India a large number of people (especially with money from dubious sources) used to spend by buying stored value smart cards which were available off the counter for cash.

      Till the income-tax department decided to make it compulsory to record identification details for each such transaction. One can argue that it was a blow to privacy but does the govt have an option in front of brazen money laundering? This is not bound to change any time in the near future. As soon as you make financial transactions anonymous, guys who got "bad money" get in and start using the system for their own laundering. However, fraud-control is on everybody's list and one should expect VISA and MasterCard to move in this direction. As somebody else pointed out, there is a lot of investment done by merchants and banks in current terminals and the rest of the credit-card infrastructure so one should not expect new technology to come out overnight. However, over the next 5-10 years I would expect a lot more credit cards to be chip-based with at least PIN protection on them.
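The write-once key slot and PIN-gated signing "system call" described in the comment above, as an added toy model (not the commenter's code or any vendor's card OS): HMAC-SHA256 with an issuer-shared symmetric key stands in for the on-chip signing primitive, the status words follow ISO 7816-4 conventions, and the PIN, retry limit, key and transaction message are constructed.

```python
"""Toy model of the card interface described in the comment above: a key
slot that can be written once but never read back, and a PIN-gated
signing "system call". Added illustration, not a real card OS or vendor
API. HMAC-SHA256 stands in for the on-chip signing primitive (a symmetric
key shared with the issuer); the status words follow ISO 7816-4."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# ISO 7816-4 status words used by the model.
SW_OK = 0x9000                        # command completed
SW_SECURITY_NOT_SATISFIED = 0x6982    # access condition not met (no PIN, or NEVER)
SW_AUTH_BLOCKED = 0x6983              # PIN retry counter exhausted
SW_CONDITIONS_NOT_SATISFIED = 0x6985  # e.g. key slot already written
MAX_PIN_TRIES = 3                     # constructed retry limit

Result = Tuple[int, bytes]            # (status word, response data)


def sw_verify_failed(tries_left: int) -> int:
    """63Cx: wrong PIN, x tries remaining."""
    return 0x63C0 | tries_left


class ToyCard:
    """In-memory stand-in for the card's OS and secure file system."""

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self._tries_left = MAX_PIN_TRIES
        self._key: Optional[bytes] = None
        self._pin_verified = False      # security status; lost on reset

    def write_key(self, key: bytes) -> Result:
        """Write-once: a second write is refused rather than overwriting."""
        if self._key is not None:
            return SW_CONDITIONS_NOT_SATISFIED, b""
        self._key = bytes(key)
        return SW_OK, b""

    def read_key(self) -> Result:
        """The key file's read access condition is NEVER: no call returns it."""
        return SW_SECURITY_NOT_SATISFIED, b""

    def verify_pin(self, pin: str) -> Result:
        if self._tries_left == 0:
            return SW_AUTH_BLOCKED, b""
        if hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left = MAX_PIN_TRIES
            self._pin_verified = True
            return SW_OK, b""
        self._tries_left -= 1
        self._pin_verified = False
        if self._tries_left == 0:
            return SW_AUTH_BLOCKED, b""
        return sw_verify_failed(self._tries_left), b""

    def sign(self, message: bytes) -> Result:
        """Use the key without exposing it, and only after a successful PIN check."""
        if self._key is None:
            return SW_CONDITIONS_NOT_SATISFIED, b""
        if not self._pin_verified:
            return SW_SECURITY_NOT_SATISFIED, b""
        return SW_OK, hmac.new(self._key, message, hashlib.sha256).digest()

    def reset(self) -> None:
        """Power cycle: security status is cleared, the retry counter persists."""
        self._pin_verified = False


def issuer_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Issuer side: check a tag with its own copy of the key."""
    expected = hmac.new(shared_key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def personalize(pin: str) -> Tuple[ToyCard, bytes]:
    """Issuer side: generate the key, load it once, keep a copy for verification."""
    key = secrets.token_bytes(16)
    card = ToyCard(pin)
    sw, _ = card.write_key(key)
    if sw != SW_OK:
        raise RuntimeError("personalization failed: %04X" % sw)
    return card, key


if __name__ == "__main__":
    card, issuer_key = personalize("1234")              # constructed PIN
    msg = b"AUTH 10.00 EUR merchant=0042"                # constructed transaction
    print("read key     -> %04X" % card.read_key()[0])           # 6982
    print("sign, no PIN -> %04X" % card.sign(msg)[0])            # 6982
    print("wrong PIN    -> %04X" % card.verify_pin("0000")[0])   # 63C2
    print("right PIN    -> %04X" % card.verify_pin("1234")[0])   # 9000
    sw, tag = card.sign(msg)
    print("sign         -> %04X, issuer accepts: %s"
          % (sw, issuer_verify(issuer_key, msg, tag)))
```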
  • You would not use a credit card.

    The average family in credit card debt carries a balance of $4000 on several cards from month to month.

    I like to replace the words 'credit card' with 'loan shark'.
  • Just run away now!
    It's those damn marketing folks out of control again.
    They just want to track all of your habits via cross-referencing to a central database.
    It's just like tracking your IP across websites, except they'll know for certain that you really will spend money at those businesses.
  • Smart Cards (Score:1, Informative)

    by neurovish ( 315867 )
    From what I remember reading about the chips a while ago (no idea what website), the danger doesn't really seem any more than that of the magnetic stripe as far as privacy goes. The chip pretty much behaves the same as the magnetic stripe, but with a greater capacity. One thing the chip can do which the magnetic stripe cannot however is store algorithms for something along the lines of encryption, which would seem to only make the card more secure. The actual functionality of the chips varies though, most of the major chip manufacturers make them with different specs. The beefiest I remember seeing was a Mitsubishi chip which pretty much had the same capabilities as a microcontroller when inserted into the correct reader.
  • If you sign up for a "smart card" you are supposed to be able to obtain a desktop reader from your issuing bank (looks similar to the desktop compact flash readers) that plugs into the back of your PC. When you're making an online purchase you slide your card into the reader which authenticates you as the card holder.

    I'm in a hurry or I'd throw up links. I just noticed this hadn't been explained yet. Ta Ta!
  • by CiXeL ( 56313 ) on Sunday August 26, 2001 @07:30PM (#2219519) Homepage
    Yes the attractive transparent card with the smart chip on it http://www.providian.com/mysmartservices/index.htm
    looked like it would be a wonderful addition to the small collection of cards I rotate through my wallet over the months to build up an extensive credit history.

    The problem with this card is it seems the entire company and everything about it is entirely automated.

    I first received a call from them to activate the card from a very rude operator who demanded all this information about me which was entirely unnecessary and completely unrelated to the card. They also gave me a pathetic $1,000 limit making it the most useless card in my collection and I had cancelled a platinum discover card with an $8,000 limit for this stupid pretty-looking card.

    Over the following two months I was still on the mailing list and received three more notices to sign up for the card. I tried to then use the card by charging a charitable donation and it appeared to go through at first until I went to some stores, tried to buy an item and it didn't go through. So I called to have the card activated again and after the process was complete it STILL wasn't activated making a total of 2 times.

    At this point I was very frustrated so I tried to cancel it only to find absolutely every phone number was automated voicemail with no access to a human being and no option to cancel the card. There are multiple phone numbers which loop between each other so you can call one number and wind up selecting an option that will transfer you to one of the other numbers. I was just about to call the Better Business Bureau when I FINALLY found an obscure number listed in a dark corner of their website and immediately cancelled it. Until Providian gets their act together AVOID THIS CARD. Besides, Providian is already so nosy about all your personal details just to activate the card; just think of how nosy they'll be when they finally activate the smart chip once enough get into circulation.
    • I have a standard non-smart Providian Visa Gold card and I've had no problems with it ever. The toll-free number on the back of the card gives you some automated information with the chance to hold for a real, live operator. The on-line account information is useful and you can make quick wire payments from your bank account. I started out with a $1000 limit but I had just turned 18 and had no credit history. Giving me a bigger limit would've been silly. Now I have a $1600 limit (after having the card about 6 months) and it's as painless to use as ever.
      Like I said, my card isn't the smart variety, but it's a Providian card and I've never had any trouble with it. In fact I'd recommend Providian.
      Just my $0.02. Sorry it's offtopic.
  • ISO 7816 (Score:5, Informative)

    by jerw134 ( 409531 ) on Sunday August 26, 2001 @07:33PM (#2219522)
    ISO 7816 is the smart card standard. Almost every smart card available today uses that standard, including credit cards, and the cards DirecTV uses for subscriber authentication. Litronic [litronic.com] has some useful information on their site about Smart Cards and smart card readers.
    • it's not working too too well w/DirecTV. I know of plenty of people that are using cards that are a) stolen b) hacked or c) known to be not legal.
  • A friend of mine told me a story about going to Europe and having to explain to a clerk that his credit card didn't have a smart chip in it, she would have to slide it in the other thingie. He ended up having to slide the card for her.

    For some things, the US is way behind.
    • The smart-cards are used as a sort of electronic-wallet:

      You load it with money from your account (usually at an automatic teller machine) and then you can go around buying things with that card until it's empty (and then you load it again).
      • If you lose the card: It's the same as if you lose your cash - whoever finds it can use it.
      • If you damage your card: For you it's the same as if you destroy some cash - for the bank it's nicer 'cause they get to keep your money


      Is it used?


      The two situations i know best are Portugal and Holland.

      Most banks introduced it in Portugal some years ago (a country wide standard) and went around offering cards, providing stores with card readers and advertising the cards. It was a total fiasco - they spent loads of money promoting it and in the end nobody uses it. Then again, the only advantage it had compared with hard cash was that it made it easier to pay for car-parking (instead of using coins).

      In Holland they're doing the exact same thing as in Portugal except they are 1 or 2 years behind (they just recently stopped promoting it). Again a total fiasco.


      So what's the problem with these cards?


      For one they've been positioned as an electronic wallet. This means they have to compete with the ease of use of hard cash. (Accepted everywhere; physically more resistant; well known; widely deployed).


      Also the currently deployed solution doesn't offer many advantages over hard cash (you can use it in some (few) parking meters instead of coins - that's about it)


      Finally, you can't use it to pay things in the Net (you need special equipment to use one of those cards) - this means they can't compete with the existing standard (credit cards).

  • by osgeek ( 239988 ) on Sunday August 26, 2001 @07:40PM (#2219542) Homepage Journal
    I worked for a major valley computer company in 2000, and we had evaluated American Express's Blue as a possible companion to some of the ecommerce solutions we had wanted to develop.

    Blue, and everything else I've seen since then aren't real solutions, they're just gimmicks. They need to support real SmartCards which offer strong encryption onboard and payment approval. The half-assed crap that they're pushing now is next to useless. The only benefit that I can see of Blue and its ilk is that they might have the opportunity to make SmartCard readers ubiquitous. From there, they could maybe begin to support SmartCards with the features that I mentioned above.

  • by Anonymous Coward on Sunday August 26, 2001 @07:46PM (#2219557)

    I worked for SCM Microsystems in France, a company that made smart card hardware for set-top boxes and PCs. I worked on firmware for a CANAL+ (pay-per-view) decoder box that used a smart card for authentication.

    What the credit card companies want is what they have in France (the rest of Europe? I don't know): when you use a credit card at a restaurant or store, you have to enter a PIN. All the credit cards in France are smart cards, and they store your pin (encrypted IIRC). This saves them lots of money in fraud charges.

    However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law. What's the value to consumers or merchants? They don't have to pay anyway (except through higher interest rates, but do you think the credit card companies are going to promise to lower interest rates? hell no, they want to increase PROFIT).

    So the card companies are stuck with a hard marketing job: how do they get the merchants to pay up for new hardware to read the smart cards so they can start putting PIN protection on all the cards? Well, they have to make it so that consumers are bringing smart cards into the store. If consumers are using the smart cards, the merchants will be forced to buy readers that can deal with them.

    So how are they selling it to consumers? Badly. They're promising stuff that nobody really cares about... marginally easier admin of freq flyer miles, intangible future bonuses in "integrated" consumer information. Bleah.

    Why don't they just frigging lower the interest rates on PIN protected cards? That would sell like hotcakes, and reducing fraud lossage is the card companies ONLY real concern. Because they are greedy fucks, that's why. They want to decrease their fraud lossage and keep the diff.

    France was only able to railroad this through by subsidizing smart card development. Schlumberger et al got some big bank by developing the smart card system for the pay phones, which only happened due to some big time pork barrel action.

    The US smart card folks just don't have their act together ATM. Too bad... I think the cards are cute. Don't really care as long as my liability on a credit card is just $50, though.

    Bill Gribble -- grib@linuxdevel.com
    Linux Developers Group

    • However, you can't sell that in the US, because US consumers are already protected against credit card fraud by law.


      And whether you realize it or not, we pay through the nose for it in the form of high interest rates and taxes. Yes, the government prosecutes credit card fraud, and it's rampant in the US. The credit card companies have no interest in implementing more secure methods of transaction because the costs of their lacking security are shouldered by the government.

      I want secure, encrypted electronic money, and I want it now. There's no reason we couldn't have had this 20 years ago. It won't happen in the private sector though, they have to make money. And I don't want to have to pay money in order to use my money. And then there's the chicken-and-egg problem with electronic money you mention. It's going to take government action to make it happen. I'm not holding my breath.

      --Bob

      • Comment removed based on user account deletion
        • You're right, your credit card agency and the police won't care. The credit card agency has massive insurance policies and doesn't prosecute fraud, and the police aren't going to pursue an inter-state crime.

          The organizations that prosecute credit card fraud are the FBI and Secret Service. Weird, huh? And they generally don't go after crimes unless they involve a large dollar amount -- i.e. large scam operations. If some kid just found your card, you're basically SOL. But it might be worthwhile to call them and hound them into taking a report.

          I did a few web searches, and was unable to find any kind of instructions for reporting fraud to the FBI or Secret Service. There are a few dead links out there for some FBI reporting form, but it appears to be gone. I wonder if the situation has changed in the last few years? The Secret Service's page on the subject [ustreas.gov] says to contact your CC company, the three credit reporting agencies, and the police. But that obviously will go nowhere as far as criminal prosecution of the thief.

          The FTC has a page [ftc.gov] but it says at the top "the FTC does not resolve individual consumer problems"...looks like the page is just for gathering statistics. I'm sure it's really fucking effective. The FTC also has an Identity theft complaint form [ftc.gov] and has a checkbox for credit card theft, but again it says "the FTC does not resolve individual consumer problems...".

          So, it appears that the government quietly approves of credit card fraud. This sucks. This really sucks. We need a new system so badly...

          --Bob

    • What's the value to consumers or merchants?


      The value to consumers seems to mainly be convenience (everyone has had to replace a lost/stolen cc, right?). The value to merchants goes further, specifically in "card not present" transactions (e.g. online transactions). In these cases, if the consumer later claims that the charge is fraudulent, the cc will charge-back the merchant for the amount of the transaction: the consumer wins, the cc wins, the thief wins, and the merchant loses. It amounts to a significant portion of expenses for online businesses. Progress in this area will greatly benefit these businesses (especially small, online-only businesses).

    • My understanding is that all credit cards have this feature! It is just up to the shopkeeper to have equipment to validate your card with the pin.

      I have a European credit card but currently live in the States. If I want to take a cash advance (which I do a lot) from any ATM machine I have to punch in my credit card's PIN number. In some places in Europe I can use this same PIN number to authorize my card at a shop. In the USA I cannot. Most places in Scandinavia, however, do require my signature since they do not have PIN verification equipment. I've always thought of the PIN number as a standard feature on any Visa card and my primary use for it has been taking a cash advance from an American ATM.

      The point of this was that if American ATMs offer cash advances from a credit card the only way to authorize this is the PIN number. That means that American credit cards that can do cash advances from ATMs (all?) could also be verified at a shop with the same PIN number. However, since none of the shops offer PIN verification, and it has not been made a federal law to exclusively require this, hopes of getting such a system as in France in use (remember, the USA still primarily relies on checks - with signature) are about the same as me winning last night's 280mil Powerball.

      p.s. out of the three PB tickets I bought not a single one had a single correct number.. there should be a prize for that since the odds are against it..

    • In Canada, the most popular form of payment these days is Interac (aka. the ATM card.)* It's accepted almost everywhere. Interac is the name of the network that connects all of the bank machines (ATMs) in this country -- the banks just extended the existing network by putting terminals in retail outlets. The card takes funds directly from your bank account, meaning you don't have to worry about bills or high interest rates -- as long as you've got the cash. Like the cards in France, you need to enter your PIN number before completing a purchase. It's just like withdrawing money from a bank machine, except instead of giving you cash, the funds are transferred directly to the merchant's account.

      The bank, naturally, takes a service charge from each transaction. As a result, some retailers don't allow Interac purchases below a certain limit (usually $5.) But it's pretty rare these days to go to a place that doesn't take the card. A few years ago, I was passing through the U.S., and almost ran into trouble when I tried paying for lunch at McDonald's with my bank card. The cashier just gave me a funny look. (Fortunately, I had a bit of cash on me at the time.) That shows how much we take it for granted.

      (*) According to a study [cbc.ca] that was conducted about a year ago, 21% use credit cards as their primary method of payment, 35% use cash, and 42% use Interac. People aged 18-24 were at 61% in favour of Interac.
      • Further, because of the national Interac network, Canadians were able to take advantage of the single system quickly, and took to it in a big way. In contrast, the U.S. has Visa and MasterCard running their debit card systems, and it's not as popular. You'd be amazed at the number of people in the US who still write checks for stuff in stores.


        A few years ago, a study found that there were more direct debit transactions in Canada than the US. That's total, not per capita.


        The US is widely considered to have the least efficient banking system in the world.

    • If Joe Sixpack learns that he's going to have to remember another stupid four digit number, he's never ever going to use it. If that's all there is to this, I don't want it either. Thank you for clearing the fog created by all those negative computer fraud commercials.

      If the goofy thing would store an image of authorized users that the cashier would have to press to continue the transaction, it might be worth something. You could make the program fun by displaying several unauthorized users as well, say ten of them. Think a crook can remember your face that well?

  • by Slayback ( 12197 )
    I have 2 smartcards in my wallet right now; an American Express Blue, and a Fusion. When I first hooked up the reader, I dreamed of being able to go to thinkgeek.com, hit checkout, put my card in, type my pin, and then having my goodies a few days later. Unfortunately, the support is just not there. With American Express, you use their software and it gives you a list of supported online stores, none of which interest me. The fusion is the same exact way. Both use VERY similar software that runs in the system tray of a Windows computer and launches your little magic cart when it detects a card. Bah...who cares?

    Also, one of the main reasons I got them was that both were giving away free card readers which look pretty cool. They're gemstar (I think) and are the same ones that are supported by Win2k for authentication. Not a bad deal, I bet they retail for about $30 a piece. The card reader was also able to tell me a bit of info about the smart card used in my Dish Network receiver. Cool geek toy...nothing more. Next Cue Cat perhaps?

    I did see some cool uses such as an electronic card punch that would stay on the card, i.e., you buy 9 cups of coffee, you get the 10th free, the card keeps track instead of using a paper punch or other similar device. Alas, this was only a flash demo of what it could do, but I have yet to see any real world examples.
  • by Max von H. ( 19283 ) on Sunday August 26, 2001 @07:52PM (#2219575)
    I don't want to sound mean or anything, but we've had "smart cards" for ages over here...

    In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.

    Here, in Switzerland, my bank card is combined with Visa, and I can set limits for withdrawals and purchases done with the (post)bank part of the card (with a chip), or use the Visa function with equal flexibility.

    I suppose it just results from a different banking system between the USA and Europe. In Europe, banks contract the credit card provider (visa, mastercard, etc) and merge their cards. Plus, in most countries, banks have merged their ATM services so you can use any card to pump money from any "hole in the wall".

    What strikes me is that Americans see smart cards as a really new thing, whereas here we use them for absolutely everything, from e-wallets to bus-pass or phone cards. Smart-card readers are available and cost something around $20...

    Bah, real standards have always had hard times getting to the USA, and that's no news!

    /max
    • In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.

      As far as I understand it, the French system has been cracked, although to what extent I'm not sure (see Bruce Schneier's Secrets and Lies, he mentions it).

      Apparently the first guy who figured it out went to the card company, who asked him to prove it, which he did by buying a metro ticket. They then had him arrested, and forced him to sign an NDA to avoid prosecution.

      Then someone else independently cracked it, and posted it anonymously from a cybercafe (in Paris, IIRC)

      Smart cards are fine, but they need to use proper encryption, complete with completely open standards. I won't trust them until then. I know that companies expect fraud and absorb the costs, but you still need to be able to prove that you didn't make the purchase. Without a need for the vendor to produce a signature, this could be difficult.

    • In the US, check cards prompt for your PIN number. You don't need smart cards to do this. I am amazed that that don't require PIN # entry for credit cards. I would happily press 4 buttons (it should be more...) to protect myself from fraud. Surely the merchants would like this too. Anyone who is
  • If the circuit on the smart card can be used as a public-key crypto engine, then you could use it to secure any interaction with the card issuer's database.

    Nobody could get your private key unless they stole your physical card, since there's no need to have the key printed anywhere except in the card's circuit.

    Here's the loop: Client (cardholder) sends server (issuer) a cookie encoded with Server's public key. Server decrypts it with its private key and sends it back along with its own cookie, encrypted with Client's public key. Client decrypts, compares the Client cookie it sent with its copy of it, thus validating Server's authority. Client then encrypts Server's cookie and sends it back. Server decrypts, compares with its copy, thus validating the client's authority. This is basic RSA/PGP stuff.

    One simple handshake--it's about as complicated as the TCP/IP connection that was made to transport it--and your SmartCard is money.

    This gets rid of the current problem of credit-card numbers being stolen ex proprio that arises because you have to copy the number itself off the card in order to use it.

    --Blair
    "I was speculating about the meaning of ex proprio, too. So sue me."
    • The scheme you describe probably isn't as bad as what currently happens, but it is still vulnerable to "man-in-the-middle" attacks. You're wrong about the one simple handshake -- there is also a transaction needed to look up the public key for the server, and then for the client. This is wherein the vulnerability lies:

      Alice wants to buy a widget from Bob. Charlie is sitting on the wire during the conversation. Alice asks for Bob's public key, Charlie intercepts the request and returns his own.

      It is not as simple as it sounds: "PKI" is the buzzword here: "Public Key Infrastructure", which doesn't really exist for commercial transactions in the way that you describe.

  • They are going to replace the mag stripe with a chip. This adds security how? As far as I can tell, only about 1 in 1000 techies have a mag card writer. About 1 in 1 pc users can have a chip card writer with a few clip leads from radio shack. Once this takes off, the small time fraud level will go through the roof once someone makes a nice script kiddie tool kit. The smart cards used by the sat tv are quite complex compared to the credit cards and at one time, DirecTV was guessing that only 10% of their customer base was using cracked cards.

    As a merchant, I would not take one of these new cards without making sure I'm not taking any of the risk.

    There is also the static issue. I know a few women that can not deal with electronics without some heavy duty static protection. One of them has a complete surface mount static protection workstation that she uses as her desk and so far it has kept her pc working. Before that she would blow motherboards, keyboards and mice every week. Since she kills digital watches, I would expect one of these cards to have a lifetime of less than a week with her.
  • by Anonymous Coward on Sunday August 26, 2001 @08:02PM (#2219603)
    I noticed the widespread use of these cards last time I was in France. I guess the reason they caught on so well over there was that the way the cards are set up, they are somehow self-authenticating, that is there is no need to call a central database, at least not at the time of purchase. This was an important feature in Europe where super-expensive telephone hookups made it prohibitively expensive for the average business to authorise credit cards over the phone every time one was used.

    We use them at my university for stored value as well. They were going to drop them from our IDs a few years ago, but the introduction of SunRay network appliances all over here and the hot-desking that goes with them guaranteed they'll stick around a while longer.

    Although I think the coolest application I've seen is the card I can store all of my PCR programs on for our Thermal Cycler in the lab. Tres convenient!

    --J
  • by Fusion777 ( 242089 ) on Sunday August 26, 2001 @08:18PM (#2219637)
    I worked for a company that specialized in smart card devices and was present while some of the technical and political discussions took place. The implementation, at that time at least, was up to the credit card company but the potential is this (read potential means this may or may not be the route your CC company chose):

    A smartcard could secure your credit card number so that only the banks ever see it plaintext. That means you never see it, the merchant and his punk waiter never see it. If they get clever and intercept the transmission, they'll see encrypted traffic - it behaves very similarly to SSL. The PIN is an authorization to allow the transaction to occur, and interestingly the entering of the PIN# becomes one of the hardest security parts to lock down. I even saw prototype smartcards with little keypads right on them!

    Having worked with the technology, I have FAR more faith in a (proper) smartcard-secured credit card transaction than a normal one. Imagine being able to go to po-dunk computer supplier.com and not have to give him your CC # to make a purchase? It's a good thing.
  • by braddock ( 78796 ) on Sunday August 26, 2001 @08:22PM (#2219645)
    Newer Smart Cards are capable of public key cryptography. They are not just an information store, like a magnetic stripe, but actually perform public key crypto on an embedded processor on the card which is powered by the reader. This way your public key never leaves the card.

    Some of the better manufacturers of Smart Cards add all sorts of physical security to the chips as well...to the point where you can't even take the chip apart and scan the die with an electron microscope or special probes to try to read or trick the bits out of memory.

    My guess is that the current Visa cards do NOT use onboard cryptography yet...that these are general purpose cards which for now store your credit card number and address for convenience because the infrastructure is not yet in place AFAIK to support public key credit card transactions. They may or may not already have crypto software onboard that could be used with a PKCS#11 driver, but the credit card companies just want to get them and the readers deployed, and then will provide a software update or something to actually add crypto features in your transaction in the next couple years. See the PKCS#11 standard written by RSA (on their web site) for the standard crypto API which has been adopted for smartcards.

    Note that smart cards have been around for a while in Europe, although they were typically not used in a cryptographically sophisticated way.

    See www.pki-page.org [pki-page.org] and http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/ [rsasecurity.com]

    Braddock Gaskill
    Security Consultant
    braddock@braddock.com
  • technical details (Score:2, Informative)

    by Anonymous Coward
    Smart cards come in a number of flavors, with a variety of capabilities and price tags. The simplest are memory cards (just store values, useful as "wallets"), the fanciest are (currently) JavaCards. Amex Blue is in fact a (Gemplus) JavaCard, running (default) a single applet (I believe the smart Visa cards are similar). This applet has an RSA keypair, and an X.509 digital certificate. Making a transaction with the card requires the card to generate a digital signature on the transaction info (in contrast with standard magstripe cards that just add those magic 16 digits to the data sent to the issuer).

    Why is this better: it's very easy to clone a magstripe card. Get any piece of paper with the card number on it, it's very simple to manufacture a card. Or for card-not-present (e.g. internet) transactions, the number itself is all you need. Steal it out of some online merchant's database, and you're good to go.

    With smartcard-based transactions, you have to actually have access to the private key on the card to generate a bogus transaction. Now you can rip the keys out of these cards, but it requires some time alone with the card itself -- just downloading some merchant's badly protected database is no longer sufficient. You get a poor man's version of this kind of protection with those one-off credit card numbers, but that requires the user to actually get and use those numbers. With smartcard based transactions, this all happens transparently.

    The really interesting thing is that the card issuers have been avoiding smartcards in the US for years because of the cost. But now that they've bitten the bullet, they've gone in all the way -- instead of a $5 smartcard capable of signing transactions and storing certificates, they've gone for the $20 32-bit JavaCards (and $15 adds up fast over all Visa subscribers in the US). Presumably the initial decision to switch to smartcards was simply based on how much they're losing to fraud. The decision to go with the JavaCard may be in the hopes of offsetting the cost by having other players pay them to add further applets to the card (e.g. loyalty programs, where you get the 10th coffee free, etc, or additional security features for environments where you can't use the chip -- e.g. applications that will generate and store one-time 16-digit credit card numbers).
  • Smart Cards (Score:4, Interesting)

    by Naikrovek ( 667 ) <jjohnson.psg@com> on Sunday August 26, 2001 @08:30PM (#2219658)
    Smart cards are pretty cool. They have great security, are standards-based, and are quite cheap when you think about all they do.

    Most smart cards (JavaCards or OpenCards) support encryption, wired or wireless interfaces, and a bit of space on the card itself for a program of your own. www.basiccard.com [basiccard.com] offers a neat little set of cards you can program in basic, if you're just getting started. (the program on the computer can be written in any language). www.gemplus.com has cards you can program in Java, but these are much more expensive.

    Each card has an onboard computer which you can program to do your bidding, from anything to securely storing cash (that only the correct program, or card reader can adjust, if you like), identity checking (imagine an ID card with your picture, signature, left thumbprint on the surface of the card, and stored securely inside the card - now there's an ID), and tons of other things that haven't been thought of yet.

    You can use them as phone cards, tiny cash cards (swipe your card in front of a soda machine, push Pepsi, drink, repeat)

    There are tons of cool things you can do with a tiny computer embedded in a card. It's more than just memory storage, it's an entire CPU that you could use for a new TIS authentication scheme, or a new payphone card, or a key for your encrypted files. You could walk by a local ESPN store, swipe your card, then on your Palm later check out all the scores and player stats for the last week. Look, smartcards are great or evil, depending on how creative you are, but the potential for some very cool things is definitely there.
  • by helloRockview ( 205000 ) <chris@nOspaM.cju.com> on Sunday August 26, 2001 @09:19PM (#2219685) Homepage
    I work in the credit card industry, specifically focusing in the area of risk and fraud. The recent wave of chip cards (credit cards with an embedded microchip) is perhaps one of the most interesting marketing "ploys" in the recent history of the payment card industry.

    The use of chip cards has tremendous potential in both the face-to-face (traditional, i.e. at the grocery store) and card-not-present (CNP, i.e. Internet) purchase mediums. For example, one day there may be a client-side and server-side standard that enables card authentication over the Internet, giving e-commerce retailers greater confidence that the person on the other end is the legitimate cardholder and not someone typing in stolen cardholder information. There are also a number of other proposals to use the chip for CRM purposes, such as electronic couponing and loyalty schemes. The potential is certainly there to greatly improve the way credit cards are used for payments today.

    Despite this potential, even the card companies don't know what to do with the chips on these cards. There is a total lack of standards among the card associations (Visa, MC, Amex, Discover and other foreign schemes). To date, none of them have proposed any type of beneficial use for these embedded chips. The card associations love to use catch slogans like "The card with a brain", but mysteriously offer no explanation as to how this brain can help you.

    The use of embedded-chip payment cards is not new to the world. Several card markets have experimented with chip cards in the past. Perhaps the most notable market is France, who has employed chip card technology for the last several years. If you've ever been to France, you may have noticed that there is a PIN input pad at every point-of-sale terminal. If you are at a restaurant, the waiter will bring a handheld card reader to your table. Each card issued by a French bank contains a chip, which enables this reader unit to verify if a correct secret PIN has been entered by the cardholder - without contacting a bank or any other banking network. These units also contain a traditional magnetic stripe reader used to authorize non-French issued cards.

    This chip-based system was implemented in France for two reasons: offline cardholder verification and enhanced security. Since the units are able to independently verify correct cardholder PINs, this allows merchants to authorize credit card transactions offline, without requiring a dedicated phone line. This is a nice feature for countries with telcos that take 12 months to install a phone line, which often have overly expensive telecom costs. One important thing to note: Offline PIN-based validations do not have the ability to check for basic validations like checking to see if there is open credit on the account or checking to see if the account is even valid. The offline validation also does not work on non-French issued cards. Subsequently, most retailers authorize transactions using a traditional online method, even if the card has a chip.

    Despite the widespread use in France, chip-based authorization is still years away here in the US. France is a very small card market with only a handful of banks issuing credit cards. Various reports have estimated a cost between $10 and $20 billion dollars to convert the current US card authorizations systems to include chip-based authentication/authorization - a cost that card issuers, acquirers (the banks that merchants interface with) and merchants are not ready to eat. In addition, extending chip card authorization to the online world will require client-side hardware (i.e. card readers) and server-side software....more hassle than the card issuers are ready to deal with right now. AMEX tried it and failed miserably (did you actually know anyone that used the AMEX Blue smart card reader? Do you know any online merchants that support it?)

    In a nutshell, your credit card may have a brain, but it is yet to have a place to use all that intelligence.
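The offline VERIFY this post describes, as an added Go example (not code from the poster or from any card vendor): the chip compares the entered PIN against its stored reference, decrements its try counter before comparing and answers with ISO 7816-4 status words, while the terminal still sends anything above its floor limit online because the chip cannot vouch for available credit. The reference PIN and counter are plain fields standing in for the card's protected memory; the PIN "1234", the three tries and the floor limit are constructed values.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// ISO 7816-4 status words a terminal receives in reply to VERIFY.
const (
	SWOK        uint16 = 0x9000 // PIN accepted
	SWBlocked   uint16 = 0x6983 // PIN blocked, no tries left
	swRetryBase uint16 = 0x63C0 // 0x63Cx: wrong PIN, x tries remain
)

// OfflinePINCard models the PIN check done inside the chip. On a real card the
// reference PIN and the try counter live in tamper-resistant EEPROM; here they
// are plain fields, a simplification for the example.
type OfflinePINCard struct {
	referencePIN []byte
	maxTries     uint8
	triesLeft    uint8
	Verified     bool // set by a successful VERIFY, cleared on any failure
}

func NewOfflinePINCard(pin string, maxTries uint8) *OfflinePINCard {
	return &OfflinePINCard{referencePIN: []byte(pin), maxTries: maxTries, triesLeft: maxTries}
}

// Verify implements the VERIFY command. The counter is decremented before the
// comparison, so pulling the card mid-command cannot buy a free guess.
func (c *OfflinePINCard) Verify(candidate string) uint16 {
	c.Verified = false
	if c.triesLeft == 0 {
		return SWBlocked
	}
	c.triesLeft--
	if subtle.ConstantTimeCompare([]byte(candidate), c.referencePIN) == 1 {
		c.triesLeft = c.maxTries
		c.Verified = true
		return SWOK
	}
	return swRetryBase | uint16(c.triesLeft)
}

// Decision is what the terminal does with a purchase after talking to the chip.
type Decision string

const (
	Approved Decision = "approved offline"
	Declined Decision = "declined"
	GoOnline Decision = "PIN ok, go online for credit check"
)

// OfflineAuthorize is the terminal side: the chip vouches for the PIN, but as
// the post notes it cannot vouch for credit or account status, so anything
// above the merchant's floor limit is sent online anyway.
func OfflineAuthorize(card *OfflinePINCard, pin string, amountCents, floorLimitCents uint64) (Decision, uint16) {
	sw := card.Verify(pin)
	if sw != SWOK {
		return Declined, sw
	}
	if amountCents > floorLimitCents {
		return GoOnline, sw
	}
	return Approved, sw
}

func main() {
	card := NewOfflinePINCard("1234", 3) // constructed PIN and try limit
	for _, guess := range []string{"0000", "1111", "1234", "9999", "9999", "9999", "1234"} {
		fmt.Printf("VERIFY %s -> SW %04X\n", guess, card.Verify(guess))
	}
	d, sw := OfflineAuthorize(NewOfflinePINCard("1234", 3), "1234", 12500, 5000)
	fmt.Printf("%s (SW %04X)\n", d, sw)
}
```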

  • While there may be security risks and complaints about these smart cards, they sure do look interesting. Once they are used more widely and have some better uses, then they will probably catch on.

    I had a customer tonight at work who had one and he didn't seem to even know what it did when I talked to him about it. He just figured it was an "upgraded credit card".

    I'll look into these cards once the uses become more mainstream. I would love to be able to go to a site, click buy and plug in my card and have everything be taken care of. That's why I'll use one. :)
  • Here in New Zealand we have Electronic Fund Transfer at Point Of Sale. It looks like a credit card, but it carries out transactions on your bank account in real time. Just about everyone uses them for anything from a car to a bottle of milk at the dairy. No chip, just a PIN and mag stripe.

    Simple, effective, had it for years and it works. No need for silicon smart/dumb cards. And yes I can transfer money from my account to someone else's over the phone.

    Vik :v)
  • Hey, I work with that industry =)

    Basically all it is is a smart card on your credit card, that contains all of the info that is on the mag stripe of the card. The only difference is that you can insert the card into a reader (end first, and only about 2" to get the chip in), it will prompt you for a pin code, and you can enter it, then the terminal has the info to make the purchase. It's not much different than normal magstripe readers, except that it has the potential in the future to be a lot neater (like replace cash entirely). It can also be used for loyalty programs (stores points on the card, for example). As for the "much more secure", that's bullshit. The information that is on the card is kept hidden and inaccessible, that's correct. It cannot be modified, that's correct. You cannot copy the card, that's correct. But on your PC any information must be passed into the browser, and over the internet, and thus it's just as vulnerable as typing it in yourself.

    In the future, you will be able to do things like have a remote site talk directly to the chip on the card, using built in encryption that will be entirely secure, as well as do neat things like authorize payments from your bank, cash transfers, withdrawing money from your bank over the internet onto your card (don't need to go to an ABM anymore!) Unfortunately people aren't yet comfortable with this technology as a whole, and thus the technology trials proved that although the technology works and is available, nobody wanted to use them. Perhaps in another 3 or 4 years.

    OTOH, Europe has had smart chips in their credit cards for years now, to the point at which vendors get confused when you pass them a normal mag-stripe-only credit card (I'm not joking, I've had my card refused several times because they couldn't figure out how to use it). Similarly all bank cards here have a smart card in them. It's a lot more secure for banking because you can't copy the card just by knowing the number on the card and the pin number. In North America it has happened several times where people can capture the pin code and card number, make a new card, go up to some banking machine and withdraw money, and guess what, the legitimate card owner gets fsck'ed over because there's no protection against that. Common to happen is a video camera placed above the keypad somewhere (for example, there was a case in a supermarket where some guy placed a camera with a zoom lens in the rafters of the roof just above a checkout, had it focused on the pinpad, the camera captured the card number visually, and watched you punch in the number. He got away with it for a few months until they traced down where this was happening and finally caught him). Popular also is to put a fake ABM in a parking lot somewhere, and have it prompt you for your card and pin number, then just print out a "Sorry, network failure" message, at which point you go away grumbling but they now have your card/pin... I don't use Interac anymore because it is HORRIBLY insecure. Credit cards however still are insecure, but the credit card company takes the loss instead of you =)...
  • OK, first of all, this thing [getsmart.com] was built by Securify [securify.com], by a now defunct group which was based in Boston. They are the same guys who, btw, built American Express Blue. The program includes a full fledged PKI solution, with your credentials stored on the chip. You can use it for signing in for special services, use it to purchase online. You just have to remember a PIN. The funny thing is that Providian [providian.com], the first Issuer to give out the cards, SELLS the necessary smart card reader for 19.95. Speaking of consumer adoption ...
  • Use for Smart Cards (Score:2, Informative)

    by Gonarat ( 177568 )

    The VISA and Amex Blue are great ideas, but building the infrastructure to use them is going to be the big problem. Any Merchant who accepts credit cards already has a mag stripe reader of some sort. It can be a self contained unit or built into the cash register. For smart card transactions to become popular, chip card readers will have to be placed at retailers. Internet purchasing is another good use for chip card technology, the promise is there, but the implementation is not. Chip card technology is popular in Europe, so the market is there if the applications are forthcoming.

    I work for a company that deals with chip cards (although not in the credit card arena) -- the cards themselves are highly secure when compared to a mag stripe card. The fraud we have seen has not been hacks to the card itself, but fraud at either the Point-of-sale or when the card is applied for. I'm sure the card could be hacked, given enough time and money, but barring an inside job, the cost of defeating the security is higher than the benefit that would be gained. Of course, in the credit card market the benefit goes up, so there will be more attempts to crack the chip. I'm not going to reveal the exact market that we are in, but remember, google is your friend :)

    One of the big advantages of the chip card (beyond fraud control) is that value can be stored on the card. For example, I put $50 dollars on my card. I can then go to locations that accept chip card purchases and I can make a purchase without the Merchant being on line. The merchant settles at the end of the day by dial up modem, and their money can be transferred to the Merchant's bank account the next day. This kind of use is great for merchants that are at Flea Markets, Hamfests, or other locations where online terminals are not practical. The credit card vendor provides all of the infrastructure to make this happen. There is a lot of potential here for this market, the cards are getting out there, but neither VISA nor Amex has put the infrastructure together yet to actually make it happen.

    • Here in Canada, ATM 'Interac' cards have taken off; debit cards that go directly to your bank accounts. Wireless terminals are commonplace; you can find them in taxis, grocery deliverypeople bring them to your front door, and so on. At one point, Toronto was considering giving wireless Interac terminals to homeless people, as 'I don't carry money' is a common response to panhandling. :-)
    • Any Merchant who accepts credit cards already has a mag stripe reader of some sort.

      Not true. Pay by Amex in a taxi in Amsterdam, for example, and the driver will use a device that imprints your card onto a paper form, which you sign, and the paper forms are processed off line.

      For example, I put $50 dollars on my card. I can then go to locations that accept chip card purchases and I can make a purchase without the Merchant being on line.

      That's amazing! I wish I could do that with $50 cash in my wallet!

      Sorry to be sarcastic, but the point is, if you have to visit a station to "charge" your card with money, why would you bother? Why not just go to the ATM? The real advantage of a credit card is that you don't need to worry about how much cash you have on you, you have purchasing power up to your credit limit there with you, and you are protected by law (Consumer Credit Act, 1974) against fraud or even against faulty merchandise.

      I can't see regular credit cards going away anytime soon, whatever authentication mechanism is used.

  • I saw a commercial about a Visa card that's smart. It referenced a link to Visa's . [visa.com]
  • Hmm, I wonder if you overclock the chip in a smart card if you get more cash?

    ;)
  • The way this ought to work is that when you buy something on-line, the transaction info (seller and amount) goes to the smart card, which, when you approve it, signs the transaction. The merchant then can't change the amount or bill you again later.

    But it doesn't work that way because merchants don't want it to.
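The signed-transaction flow that the "technical details" post and this one describe, as an added Go example rather than any issuer's code: the card signs merchant, amount, a terminal nonce and its own counter, and the issuer, which recorded the card's public key at personalisation instead of fetching it over the wire, rejects an altered amount and a second submission of the same approval. P-256 ECDSA stands in for the RSA keypair the earlier post mentions, and the field layout and card identifier are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what the terminal shows the card for approval and what the
// merchant later submits to the issuer; the field set is constructed here.
type Transaction struct {
	Merchant    string
	AmountCents uint64
	Currency    string
	Counter     uint32   // application transaction counter kept on the card
	Nonce       [16]byte // terminal challenge, so identical purchases never share a signature
}

// digest hashes the transaction; variable-length fields get a length prefix so
// bytes cannot be shifted between fields without changing the hash.
func (t Transaction) digest() []byte {
	h := sha256.New()
	for _, s := range []string{t.Merchant, t.Currency} {
		binary.Write(h, binary.BigEndian, uint32(len(s)))
		h.Write([]byte(s))
	}
	binary.Write(h, binary.BigEndian, t.AmountCents) // fixed-width fields need no prefix
	binary.Write(h, binary.BigEndian, t.Counter)
	h.Write(t.Nonce[:])
	return h.Sum(nil)
}

// Card models the signing applet: the key pair is generated on the card and
// the private half never leaves it; only the public key is exported at issuance.
type Card struct {
	ID      string // identifier for the issuer's records, not an account number
	key     *ecdsa.PrivateKey
	counter uint32
}

func NewCard(id string) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{ID: id, key: key}, nil
}

// Approve runs after the cardholder has confirmed the amount on the terminal:
// the card bumps its counter and signs every field of the transaction.
func (c *Card) Approve(merchant string, amountCents uint64, currency string, nonce [16]byte) (Transaction, []byte, error) {
	c.counter++
	tx := Transaction{merchant, amountCents, currency, c.counter, nonce}
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, tx.digest())
	return tx, sig, err
}

// Issuer keeps the public keys recorded at personalisation (nothing is looked
// up over the wire, so there is no key to substitute in transit) and the
// highest counter already honoured for each card.
type Issuer struct {
	keys        map[string]*ecdsa.PublicKey
	lastCounter map[string]uint32
}

func NewIssuer() *Issuer { return &Issuer{map[string]*ecdsa.PublicKey{}, map[string]uint32{}} }

func (is *Issuer) Register(c *Card) { is.keys[c.ID] = &c.key.PublicKey }

// Authorize accepts a transaction only if the signature covers exactly the
// data the merchant submitted (so the amount cannot be edited afterwards) and
// the counter is fresh (so one approval cannot be billed twice).
func (is *Issuer) Authorize(cardID string, tx Transaction, sig []byte) error {
	pub, ok := is.keys[cardID]
	if !ok {
		return errors.New("unknown card")
	}
	if !ecdsa.VerifyASN1(pub, tx.digest(), sig) {
		return errors.New("signature does not match the submitted transaction")
	}
	if tx.Counter <= is.lastCounter[cardID] {
		return errors.New("transaction counter already used: replay")
	}
	is.lastCounter[cardID] = tx.Counter
	return nil
}

func main() {
	card, _ := NewCard("card-0001") // constructed identifier; error ignored in the demo
	issuer := NewIssuer()
	issuer.Register(card)
	tx, sig, _ := card.Approve("thinkgeek.com", 4999, "USD", [16]byte{1, 2, 3}) // constructed nonce
	fmt.Println("genuine:", issuer.Authorize(card.ID, tx, sig), "| replay:", issuer.Authorize(card.ID, tx, sig))
	tx.AmountCents = 9999 // merchant edits the amount after the card signed
	fmt.Println("tampered:", issuer.Authorize(card.ID, tx, sig))
}
```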

  • some smartcard info (Score:5, Informative)

    by wfmcwalter ( 124904 ) on Monday August 27, 2001 @03:25AM (#2220363) Homepage
    Here's some technical background info on smartcards. I hope it's of value to y'all.

    Protocols

    Smartcards (and their predecessors, "chipcards") implement ISO standard 7816. As a previous writer noted, above, this largely defines the physical, mechanical, and electrical characteristics of the card. It also defines the communications protocol used by a terminal when communicating with a card.

    There are two major categories of card, each with its own characteristics and generally its own communications method. These are:

    • chipcards

      These use ISO 7816 part 4 S=0 ("synchronous") mode communications. They're essentially dumb memory devices, which are serially strobed synchronous data (a bit like an i2C chip in your PC) by the terminal. They don't rise to the level of "smart"cards - other than some very basic (password) authentication, they're just dumb memory devices. Most include a suicide mechanism, whereby they blow their own internal fuse (and thus become permanently dead) if you send them too many wrong passwords. Typically these are used for applications that store and manage a few values - e.g. phonecards, loyalty tokens and utility meter tokencards.

    • smartcards

      These use ISO 7816 part 4 T=0 (character asynchronous mode) and T=1 (block asynchronous mode) communications. They're real computer devices in their own right, typically with either an 8051 or Hitachi H8 8-bit microcontroller as a brain and a surprising amount of memory - several Kbytes of RAM and up to 64Kbytes of flash or EEPROM storage - pretty impressive for a chip that's 2x3mm, I think.

      T=0 is a simple, half-duplex, master-clocked serial protocol - you could _almost_ use a regular UART to talk to the card, except the card's initial message (its ATR - Answer To Reset) is sent synchronously, and the UARTs in regular PCs don't have a raw/USART mode that would allow them to receive this correctly. The actual communication speed varies between cards (the card tells the terminal how fast it can go in its ATR), but it's generally very slow, around 300baud max. T=1 is just a simple packet format laid on T=0. Both T=0 and T=1 are, IMHO, rather crappy protocols.

      True smartcards aren't just dumb memory devices - they run actual programs, and often have built in special functions, generally cryptography stuff (GemPlus makes DES and RSA enabled cards).

    Major players

    • The leader in this space is undoubtedly GEMplus inc. of Lyon in France, a company founded by the inventors of the chipcard.
    • I believe Hitachi itself also makes cards. When you get a card from an institution (from DeLaRue, Visa, AMEX etc.) it's probably come either from Hitachi or GEMplus.
    • GSM cellphone manufacturers and wireless service-providers. The little ID chip in a GSM phone is just a regular smartcard chip, same contacts and everything. On better phones it's customer-swappable (so you could have a plan in the U.K., one in France and an Italian prepaid card - you'd just use the appropriate one depending on which country you're in - hence no roaming). The GSM folks are particularly excited about the future of smartcards - they want to add new (non telephony apps) to the cards, so they can be used for stuff like purchases, gambling, etc.
    • Somewhat surprisingly, Sun Microsystems is doing very well in getting its JavaCard technology adopted for most real smartcard deployments - most GEMplus cards, most recent GSM chips, and both AMEX(blue) and VISA cards feature this super-reduced java runtime environment. Application developers like this, mostly because coding for the individual chips themselves is as crufty as hell.
    • The physical connector to the smartcard (in the terminal) is most often made by Amphenol. The little microcontroller that talks T=0/1 to the card is generally from GEMplus, Hitachi or Philips.

    Security

    As a replacement technology for regular magnetic swipe cards, smartcards are _much_ more secure, mostly because magnetic swipe cards are totally insecure - you can write one yourself with a reader you paid a few hundred dollars for - there's no magic and no cryptography at all.

    As real security devices, smartcards aren't terribly secure. They're designed to be tamper-proof, but their form-factor ensures that this will never be very effective. Current implementations leak information from various side channels (EMF, heat dissipation, elapsed time to perform crypto operations), some of which are pretty easily fixed and some of which aren't. They're never going to be super secure (you're never going to put the launch codes for nuclear missiles on one), but they're probably fine for real-world use for their current and proposed applications.

    Writing code yourself

    GEMplus sells (for a pretty reasonable price) an evaluation kit with a few demo cards, some programming info and a card interface that plugs into your PC's serial port.

    You can get limited JavaCard stuff from java.sun.com, but you typically need more stuff that pertains to the specific card - you get this from the card's manufacturer. The JDK's javac compiler is used to compile code for the javacard.

    Sun also has (or at least used to) a pretty comprehensive software framework for the terminal (PC/server) end of the equation - it's called OpenCardFramework. It simplifies a lot of the pain-in-the-ass features terminal programmers have to put up with when talking to smartcards.

    Privacy concerns

    When used as a replacement for existing magnetic cards, there's no more privacy concern than with the magnetic cards - the credit card company knows all about all your transactions either way, and with the smartcard you're less likely to find out that some enterprising folks in the Far East have cloned your card and tried to buy an airplane with it.

    There are privacy concerns when you consider that the card can host multiple applications. In practice, you as a consumer (note: consumer is the new word for citizen, apparently) have little to no knowledge of what is being stored, run, or communicated to/from your card. The card's crypto means you can't just open the card up yourself and hunt around to see, so you'll have to trust the issuer of the card (and their agents, etc.).
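The post above and the reply below disagree about how fast a card can talk; the ATR settles it, because the TA1 interface byte fixes the clock-rate conversion (Fi) and baud-rate adjustment (Di) factors, and the bit rate is clock × Di / Fi (372 clocks per bit at a 3.5712 MHz terminal clock gives 9600 bps; Di = 12 gives 115200 bps). The parser below is an added example written for this thread, not code from the post or from any card vendor; it decodes an ISO 7816-3 ATR (TS, T0, the TA/TB/TC/TD chain, historical bytes) and verifies the TCK check byte that must be present whenever a protocol other than T=0 is offered. The ATR byte strings at the bottom are constructed, not captured from real cards, and the 3.5712 MHz clock is an assumption about the terminal.

```python
"""ISO 7816-3 Answer To Reset (ATR) parser.

Added example for this thread, not code from the post or from any card
vendor.  The ATRs at the bottom are constructed for illustration."""

# Fi (clock rate conversion) and Di (baud rate adjustment) tables from
# ISO 7816-3; None marks values reserved for future use.
FI = [372, 372, 558, 744, 1116, 1488, 1860, None,
      None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
DEFAULT_CLOCK_HZ = 3_571_200   # assumed terminal clock; 372 clocks/etu -> 9600 bps


def parse_atr(atr: bytes, clock_hz: int = DEFAULT_CLOCK_HZ) -> dict:
    """Decode TS, T0, the TA/TB/TC/TD interface-byte chain, historical bytes and TCK."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts = atr[0]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"bad TS byte 0x{ts:02X}")

    t0 = atr[1]
    hist_len = t0 & 0x0F        # low nibble: number of historical bytes
    y = t0 >> 4                 # high nibble: which of TA1/TB1/TC1/TD1 follow
    pos, i = 2, 1
    interface, tds = {}, []
    while True:
        for name, bit in (("TA", 0x1), ("TB", 0x2), ("TC", 0x4), ("TD", 0x8)):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated inside {name}{i}")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        tds.append(td)
        y = td >> 4             # TD(i) announces the next group of interface bytes
        i += 1

    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated inside historical bytes")
    pos += hist_len

    # Protocols offered, in order.  T=15 is not a protocol but a marker for
    # global interface bytes.  No TD1 at all means T=0 by default.
    protocols = [td & 0x0F for td in tds if (td & 0x0F) != 15] or [0]

    # TCK is present unless only T=0 is indicated; XOR of T0..TCK must be 0.
    if any((td & 0x0F) != 0 for td in tds):
        if pos >= len(atr):
            raise ValueError("TCK missing")
        check = 0
        for b in atr[1:pos + 1]:
            check ^= b
        if check != 0:
            raise ValueError("TCK check failed: ATR corrupted")
        pos += 1
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} unexpected trailing byte(s)")

    ta1 = interface.get("TA1", 0x11)   # absent TA1 means Fi=372, Di=1
    fi, di = FI[ta1 >> 4], DI[ta1 & 0x0F]
    if fi is None or di is None:
        raise ValueError(f"reserved Fi/Di in TA1=0x{ta1:02X}")
    return {
        "convention": convention,
        "interface_bytes": interface,
        "protocols": protocols,
        "historical_bytes": historical,
        "fi": fi,
        "di": di,
        # one etu is Fi/Di clock cycles, so the bit rate is clock * Di / Fi
        "max_bps": clock_hz * di // fi,
    }


# Constructed ATRs (not captured from real cards):
#   MINIMAL: TS=3B, T0=00 -> no interface bytes, no historical bytes, T=0 only, no TCK
#   FAST:    T0=95 -> TA1 and TD1 present, 5 historical bytes; TA1=18 -> Fi=372, Di=12;
#            TD1=80 -> T=0 and TD2 follows; TD2=01 -> T=1 also offered; TCK=4B
ATR_MINIMAL = bytes.fromhex("3B00")
ATR_FAST = bytes.fromhex("3B 95 18 80 01 80 65 A2 01 01 4B")
ATR_BAD_TCK = ATR_FAST[:-1] + bytes([ATR_FAST[-1] ^ 0x01])   # one bit flipped in TCK

if __name__ == "__main__":
    for label, atr in (("minimal", ATR_MINIMAL), ("fast", ATR_FAST)):
        info = parse_atr(atr)
        print(label, "T=%s" % info["protocols"], info["max_bps"], "bps")
    try:
        parse_atr(ATR_BAD_TCK)
    except ValueError as exc:
        print("rejected:", exc)
```

The TCK check matters in practice: a terminal that accepts an ATR without verifying TCK will happily negotiate a bit rate or protocol from a corrupted byte, and the usual symptom is a card that "sometimes" fails to answer. The parser rejects truncated and trailing bytes for the same reason.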

    • your comments about t=0 are a little off the mark. linux and openbsd smartcard libraries don't do anything special, they just talk to the serial port. also, speeds up to 115.2 kbps are not uncommon; most cards can do > 50 kbps.

      the big problem with smartcard comms is that it is half-duplex -- only a single transmit/receive pad on the card. in practice, this forces a master/slave (or "simplex") protocol.

      nobody
  • Serge Humpich, a French engineer, broke into these cards last year. When he contacted "GIE Cartes Bancaires" (the French banks' association in charge of these cards) to inform them of the security breach, their only answer was a lawsuit... Doesn't this remind you of something?
    You can find more details here [parodie.com].
  • Quoting http://www.mastercard.com/education/shoppingtips/ [mastercard.com]:

    Pay the safest way


    Credit cards are generally the best way to pay because you have legal rights to dispute the charges if the product or service is misrepresented or never delivered.

    Will payment by credit card still be the safest way if there is a computer on the card? After all, computers don't err, and if the technology makes it harder to use the card unauthorized, it may also become harder to dispute transactions, just because the technology is believed to be secure.

    Recommended reading:

    both by Ross Anderson [cam.ac.uk].

    The traditional credit card system may be smarter than the smart card, because it accepts the possibility of failure and distributes the risk over all customers of the card issuer.

  • No big deal (Score:2, Informative)

    by pkesel ( 246048 )
    I interviewed for a contract with one of the big credit card companies for writing the specification for systems validating these smart cards. As they explained it, the smart cards offer nothing in the way of extra capability from their end. It's simply a new way of validating the card for the vendor who is accepting payment. The ID and validation token is stored in the chip. The vendor's hardware validates using that. Both ID and validation tokens are sent to the card company to approve payment. It's nothing more than a security blanket for those vendors who are accepting cards.
  • Ok, I'm not sure if this is the one you talk about, but here in Sherbrooke, Quebec, Canada, we just finished a one-year test drive of a smart card MasterCard called Mondex. In fact, Mondex is the name of the whole system, but the cards are said to have a "Mondex chip". I don't consider this a credit card really, but more an electronic wallet. You can put no more than $500 (that was in CDN dollars, btw) on the card, for security reasons, and then you can spend it just as with a credit card. It is better than Interac (also called ATM cards) because the system doesn't need to call a central office by phone; everything is done locally. And also, when you say they hope to put everything in one card, that's because since it is a chip, they put it on a regular ATM card so it can do both. You could also put it on a credit card.

  • Smart cards are microprocessors embedded in a flexible plastic credit card sized card. (ISO 7816)


    The capabilities range from simple memory storage cards (3KB to 16KB), which are a high-tech equivalent of the magnetic stripe on "swipe cards", to high-end crypto processors which are tamper-resistant and/or tamper-evident. These crypto cards can generate a private key that never leaves the card, and can securely perform digital signing and decryption using the private key. Such cards typically support DES, Triple DES, RSA 512-1024 bit and SHA-1. E.g. CryptoFlex from Schlumberger [slb.com], Gemplus Public Key [gemplus.com]


    Smart cards are already far more common in Europe, are used in satellite TV, Mondex (an electronic wallet scheme that never seems to get off the ground), and in a different form factor, the SIM cards of GSM mobile phones are smart cards. Because of Sat-TV, Pay-TV, and GSM phones there are hundreds of millions of smart cards in use today.


    There is also Linux support via MUSCLE [linuxnet.com], which supports the PC/SC API made popular under Windows and which most vendors support.
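Whatever the terminal framework (PC/SC via MUSCLE, OpenCardFramework, or a vendor kit), the wire format the comments in this thread keep circling around is the ISO 7816-4 APDU: a CLA INS P1 P2 header, an optional Lc-prefixed data field, an optional Le, and a two-byte status word back. The block below is an added example written for this thread, not code from any poster or from the GemPlus, Schlumberger or Sun products mentioned. It encodes APDUs for SELECT by AID (the way a multi-application card picks one applet, which bears on the privacy point raised earlier), VERIFY, and GET DATA, and pairs them with a simulated card-side handler that keeps the retry counter and a "private" byte string that only becomes readable after the PIN is verified. The card applet, AID, PIN, secret and 3-try limit are constructed for illustration; a real card would be reached through pyscard or another PC/SC binding instead of SimulatedCard. Two details are the ones a card reviewer looks for: the try counter is decremented before the comparison, so a glitch or card pull during the compare cannot leave it unchanged, and the comparison is constant-time, so the elapsed-time side channel mentioned above does not reveal which PIN byte was wrong.

```python
"""ISO 7816-4 APDU framing plus a simulated card-side VERIFY handler.

Added example for this thread, not vendor code.  The AID, PIN, secret and
retry limit are constructed; a real card would be driven over PC/SC."""
import hmac
from typing import Optional, Tuple

SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982
SW_AUTH_METHOD_BLOCKED = 0x6983
SW_FILE_NOT_FOUND = 0x6A82
SW_INS_NOT_SUPPORTED = 0x6D00
SW_CLA_NOT_SUPPORTED = 0x6E00
PIN_BLOCK_LEN = 8   # fixed-length PIN block, so the PIN length never leaks


def encode_apdu(cla: int, ins: int, p1: int, p2: int,
                data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if not 0 <= len(data) <= 255:
        raise ValueError("short APDU data field is at most 255 bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])      # Le=0x00 asks for 256 bytes
    return apdu


def split_response(resp: bytes) -> Tuple[bytes, int]:
    """Response APDU is [data] SW1 SW2; return (data, SW1SW2 as one int)."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def tries_remaining(sw: int) -> Optional[int]:
    """63Cx means verification failed with x tries left; None otherwise."""
    return sw & 0x0F if (sw & 0xFFF0) == 0x63C0 else None


def make_response(status: int, data: bytes = b"") -> bytes:
    return data + bytes([status >> 8, status & 0xFF])


class SimulatedCard:
    """One applet: SELECT by AID, VERIFY with a retry counter, GET DATA once verified."""
    AID = bytes.fromhex("A000000001020304")   # constructed, not a registered AID
    MAX_TRIES = 3

    def __init__(self, pin: bytes, secret: bytes):
        if len(pin) != PIN_BLOCK_LEN:
            raise ValueError("PIN must be a padded 8-byte block")
        self._pin, self._secret = pin, secret
        self._tries_left = self.MAX_TRIES
        self._selected = self._verified = False

    def transmit(self, apdu: bytes) -> bytes:
        if len(apdu) < 4:
            return make_response(SW_WRONG_LENGTH)
        cla, ins = apdu[0], apdu[1]
        body = apdu[4:]
        if cla != 0x00:
            return make_response(SW_CLA_NOT_SUPPORTED)
        if ins == 0xA4:
            return self._select(body)
        if not self._selected:
            return make_response(SW_FILE_NOT_FOUND)
        if ins == 0x20:
            return self._verify(body)
        if ins == 0xCA:
            return self._get_data()
        return make_response(SW_INS_NOT_SUPPORTED)

    @staticmethod
    def _lc_data(body: bytes) -> Optional[bytes]:
        """Case-3 body: Lc followed by exactly Lc bytes; None if malformed."""
        if not body or len(body) != 1 + body[0]:
            return None
        return body[1:]

    def _select(self, body: bytes) -> bytes:
        aid = self._lc_data(body)
        if aid is None:
            return make_response(SW_WRONG_LENGTH)
        self._selected = aid == self.AID
        self._verified = False          # a new SELECT drops the security state
        return make_response(SW_OK if self._selected else SW_FILE_NOT_FOUND)

    def _verify(self, body: bytes) -> bytes:
        if self._tries_left == 0:
            return make_response(SW_AUTH_METHOD_BLOCKED)   # even for the right PIN
        candidate = self._lc_data(body)
        if candidate is None or len(candidate) != PIN_BLOCK_LEN:
            return make_response(SW_WRONG_LENGTH)
        self._verified = False
        self._tries_left -= 1           # burn the try BEFORE comparing
        if hmac.compare_digest(candidate, self._pin):   # constant-time compare
            self._tries_left = self.MAX_TRIES
            self._verified = True
            return make_response(SW_OK)
        return make_response(0x63C0 | self._tries_left)

    def _get_data(self) -> bytes:
        if not self._verified:
            return make_response(SW_SECURITY_STATUS_NOT_SATISFIED)
        return make_response(SW_OK, self._secret)


# Terminal side: what a PC/SC client would send and how it reads the status.
def select_app(card) -> int:
    apdu = encode_apdu(0x00, 0xA4, 0x04, 0x00, SimulatedCard.AID)
    return split_response(card.transmit(apdu))[1]

def verify_pin(card, pin: bytes) -> int:
    block = pin.ljust(PIN_BLOCK_LEN, b"\xFF")   # pad to a fixed PIN block (constructed)
    return split_response(card.transmit(encode_apdu(0x00, 0x20, 0x00, 0x01, block)))[1]

def read_secret(card) -> Tuple[bytes, int]:
    return split_response(card.transmit(encode_apdu(0x00, 0xCA, 0x00, 0x00, le=0x00)))
```

Run against a SimulatedCard the terminal functions show the status-word vocabulary a real card speaks: 6A82 until the right AID is selected, 6982 for reading before verification, 63Cx counting down on bad PINs, and 6983 once the counter hits zero, at which point even the correct PIN is refused.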

  • Talk about a technology looking for a solution. My favorite anecdote is about American Express Blue - a recent article in the NY Times (I think) said that at one point they asked their vendor if they could make the card with a picture of the chip on it, instead of an actual chip. Why? Because it would have the same functionality at a significant cost savings!
