Contactless smart card

This article is regarding smart cards that use radio frequencies to transmit data. For smart cards that use metal conductors see smart card

Size comparison of chip
*(compared to a Canadian one cent piece)*

Example of a radio-frequency identification tag, a similar technology used for read only transactions

A contactless smart card is in any pocket-sized card with embedded integrated circuits which can process and store data. This implies that it can receive input which is processed and delivered as an output via radio frequencies. There are two broad categories of contactless smart cards. Memory cards contain non-volatile memory storage components, and perhaps some specific security logic. Contrary to popular belief contactless smart cards do not contain an ordinary read-only RFID, but they do contain a re-writable smart card microchip that can be transcribed via radio frequencies.

Overview

A "contactless smart card" is also characterized as follows:

Dimensions are normally credit card size. The ID-1 of ISO/IEC 7810 standard defines them as 85.60 × 53.98 mm. Another popular size is ID-000^{[citation needed]} which is 25 × 15 mm. Both are 0.76 mm thick.
Contains a security system with tamper-resistant properties (e.g. a secure cryptoprocessor, secure file system, human-readable features) and is capable of providing security services (e.g. confidentiality of information in the memory).
Asset managed by way of a central administration system which interchanges information and configuration settings with the card through the security system. The latter includes card hotlisting, updates for application data.
Card data is transferred via radio waves to the central administration system through card reading devices, such as ticket readers, ATMs etc.

Benefits

Contactless Smart cards can be used for identification, authentication, and data storage.^[1]

Contactless Smart cards provide a means of effecting business transactions in a flexible, secure, standard way with minimal human intervention.

History

Universal contactless smart card reader symbol

Smart cards with contactless interfaces are becoming increasingly popular for payment and ticketing applications such as mass transit. Visa and MasterCard have agreed to an easy-to-implement version currently being deployed (2004-2006) in the USA. Globally, contactless fare collection is being employed for efficiencies in public transit. The various standards emerging are local in focus and are not compatible, though the MIFARE Standard card from Philips has a large market share in the US and Europe.

Smart cards are being introduced in personal identification and entitlement schemes at regional, national, and international levels. Citizen cards, drivers’ licenses, and patient card schemes are becoming more prevalent. In Malaysia, the compulsory national ID scheme MyKad includes 8 different applications and is rolled out for 18 million users. Contactless smart cards are being integrated into ICAO biometric passports to enhance security for international travel.

Readers

Contactless smart card readers use radio frequencies to communicate with, and both read and write data on a smart card. When used for electronic payment, they are commonly located near"PIN pads" cash registers, and other places of payment. When the readers are used for public transit they are commonly located on fare boxes, ticket machines, turnstiles, and station platforms as a standalone unit. When used for security, readers are usually located to the side of an entry door. Most readers display the card's symbol located to the right on the reader. All readers have indicator lights that indicate when a card is "tapped".

Technology

A contactless smart card, is a card in which the chip communicates with the card reader through an induction technology similar to that of an RFID (at data rates of 106 to 848 kbit/s). These cards require only close proximity to an antenna to complete transaction. They are often used when transactions must be processed quickly or hands-free, such as on mass transit systems, where a smart card can be used without even removing it from a wallet.

The standard for contactless smart card communications is ISO/IEC 14443. It defines two types of contactless cards ("A" and "B"), allows for communications at distances up to 10 cm. There had been proposals for ISO/IEC 14443 types C, D, E, F and G that have been rejected by the International Organization for Standardization. An alternative standard for contactless smart cards is ISO/IEC 15693, which allows communications at distances up to 50 cm.

Example of widely used contactless smart cards are Hong Kong's Octopus card, South Korea's T-money (bus, subway, taxi), London's Oyster card, and Japan Rail's Suica Card, which predate the ISO/IEC 14443 standard. The following tables list smart cards used for public transportation and other electronic purse applications. First Data delivers Contactless Credit and Debit cards for its customers.

A related contactless technology is RFID (radio frequency identification). In certain cases, it can be used for applications similar to those of contactless smart cards, such as for electronic toll collection. RFID devices usually do not include writeable memory or microcontroller processing capability as contactless smart cards often do.

There are dual-interface cards that implement contactless and contact interfaces on a single card with some shared storage and processing. An example is Porto's multi-application transport card, called Andante, that uses a chip in contact and contactless (ISO/IEC 14443 type B).

Like smart cards with contacts, contactless cards do not have a battery. Instead, they use a built-in inductor to capture some of the incident radio-frequency interrogation signal, rectify it, and use it to power the card's electronics.

Communication protocols

Communication protocols
Name	Description
ISO/IEC 14443	APDU transmission via contactless interface, defined in ISO/IEC 14443-4

Credit card contactless technology

These are the best known payment cards (classical plastic card):

Visa: Visa Contactless, Quick VSDC - "qVSDC", Visa Wave, MSD, payWave
MasterCard: PayPass Magstripe, PayPass MChip
American Express: Express Pay
Chase: Blink (credit and debit cards)

Roll-outs started in 2005 in USA (Asia and Europe - 2006). Contactless (non PIN) transactions cover a payment range of ~$5–50. There is an ISO/IEC 14443 PayPass implementation. All PayPass implementations may be separated on EMV and non EMV.

Non-EMV cards work like magnetic stripe cards. This is a typical card technology in the USA (PayPass Magstripe and VISA MSD). The cards do not control amount remaining. All payment passes without a PIN and usually in off-line mode. The security level of such a transaction is no greater than with classical magnetic stripe card transaction.

EMV cards have two interfaces (contact and contactless) and they work as a normal EMV card via contact interface. Via contactless interface they work almost like an EMV (card command sequence adopted on contactless features as low power and short transaction time).

Applications

Financial

The applications of Contactless smart cards include their use as credit or ATM cards, in a fuel card, authorization cards for pay television, pre-pay utilities in household, high-security identification and access-control cards, and public transport payment cards.

Smart cards may also be used as electronic wallets. The smart card chip can be loaded with funds which can be spent in vending machines or at various merchants. Cryptographic protocols protect the exchange of money between the Contactless smart card and the accepting machine.

Identification

A quickly growing application is in digital identification cards. In this application, the cards are used for authentication of identity. The most common example is in conjunction with a PKI. The smart card will store an encrypted digital certificate issued from the PKI along with any other relevant or needed information about the card holder. Examples include the U.S. Department of Defense (DoD) Common Access Card (CAC), and the use of various smart cards by many governments as identification cards for their citizens. When combined with biometrics, smart cards can provide two- or three-factor authentication. Smart cards are not always a privacy-enhancing technology, for the subject carries possibly incriminating information about him all the time. By employing contactless smart cards, that can be read without having to remove the card from the wallet or even the garment it is in, one can add even more authentication value to the human carrier of the cards.

Other

The Malaysian government uses smart card technology in identity cards carried by all Malaysian citizens and resident non-citizens. The personal information inside the smart card (called MYKAD) can be read using special APDU commands.MYKAD SDK

Security

Smart cards have been advertised as suitable for personal identification tasks, because they are engineered to be tamper resistant. The embedded chip of a smart card usually implements some cryptographic algorithm. There are, however, several methods of recovering some of the algorithm's internal state.

Differential power analysis

Differential power analysis^[2] involves measuring the precise time and electrical current required for certain encryption or decryption operations. This is most often used against public key algorithms such as RSA in order to deduce the on-chip private key, although some implementations of symmetric ciphers can be vulnerable to timing or power attacks as well.

Physical disassembly

Smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain direct, unrestricted access to the on-board microprocessor. Although such techniques obviously involve a fairly high risk of permanent damage to the chip, they permit much more detailed information (e.g. photomicrographs of encryption hardware) to be extracted.

Problems

Another problem of smart cards may be the failure rate. The plastic card in which the chip is embedded is fairly flexible, and the larger the chip, the higher the probability of breaking. Smart cards are often carried in wallets or pockets — a fairly harsh environment for a chip. However, for large banking systems, the failure-management cost can be more than offset by the fraud reduction. A card enclosure might be a good idea.

Using a smart card for mass transit presents a risk for privacy, because such a system enables the mass transit operator (and the authorities) to track the movement of individuals. In Finland, the Data Protection Ombudsman prohibited the transport operator YTV from collecting such information, in spite of YTV's argument that the owner of the card has the right to get a list of journeys paid with the card. Prior to this, such information was used in the investigation of the Myyrmanni bombing.

Proper disposal

While many contactless smart card users are unaware they are carrying a computer chip in their card and dispose of it by simply throwing it away, it is recommended by most manufacturers and RFID technology experts^[who?] that these cards be disposed of by shredding them in a paper shredder, or cutting into pieces smaller than 1cm, to avoid identity theft and/or fraudulent use.

Terminology

ATR: Answer to reset
BCD: Binary-coded decimal
CHV: Card holder verification
COS: Card operating system
DF: Dedicated file
IC: Integrated circuit
PC/SC: Personal computer / smart card
MF: Master File
PPS: Protocol and Parameter Select
RFU: Reserved for Future Use

Notes

^ Multi-application Smart Cards. Cambridge University Press.
^ Power Analysis Attacks. Springer.

References

Rankl, W. (1997). Smart Card Handbook. John Wiley & Sons. ISBN 0-471-96720-3. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
Guthery, Scott B. (1998). SmartCard Developer's Kit. Macmillan Technical Publishing. ISBN 1-57870-027-2. {{cite book}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)

External links

[1] Multi-application Smart Cards. Cambridge University Press.

[2] Power Analysis Attacks. Springer.

[1]

[2]