Product Code Database
A smart card ( SC), chip card, or integrated circuit card ( ICC or IC card), is a card used to control access to a resource. It is typically a plastic credit card-sized card with an Embedded system integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.
The universal integrated circuit card (UICC) for mobile phones, installed as pluggable SIM card or embedded eSIM, is also a type of smart card. , 10.5billion smart card IC chips are manufactured annually, including 5.44billion SIM card IC chips.
Independently, Kunitaka Arimura of the Arimura Technology Institute in Japan developed a similar idea of incorporating an integrated circuit onto a plastic card, and filed a smart card patent in March 1970. The following year, Paul Castrucci of IBM filed an American patent titled "Information Card" in May 1971.
In 1974 Roland Moreno patented a secured memory card later dubbed the "smart card". In 1976, Jürgen Dethloff introduced the known element (called "the secret") to identify gate user as of USP 4105156.
In 1977, Michel Ugon from Groupe Bull invented the first microprocessor smart card with two chips: one microprocessor and one computer memory, and in 1978, he patented the self-programmable one-chip microcomputer (SPOM) that defines the necessary architecture to program the chip. Three years later, Motorola used this patent in its "CP8". At that time, Bull had 1,200 patents related to smart cards. In 2001, Bull sold its CP8 division together with its patents to Schlumberger, who subsequently combined its own internal smart card department and CP8 to create Axalto. In 2006, Axalto and Gemplus, at the time the world's top two smart-card manufacturers, merged and became Gemalto. In 2008, Dexa Systems spun off from Schlumberger and acquired Enterprise Security Services business, which included the smart-card solutions division responsible for deploying the first large-scale smart-card management systems based on public key infrastructure (PKI).
The first mass use of the cards was as a telephone card for payment in French , starting in 1983.
Smart-card-based "electronic purse" systems store funds on the card, so that readers do not need network connectivity. They entered European service in the mid-1990s. They have been common in Germany (Geldkarte), Austria (Quick Wertkarte), Belgium (Proton), France (Moneo Moneo's website (in French).), the Netherlands (Chipknip Chipper (decommissioned in 2015)), Switzerland ("Cash"), Norway ("Mondex"), Spain ("Monedero 4B"), Sweden ("Cash", decommissioned in 2004), Finland ("Avant"), UK ("Mondex"), Denmark ("Danmønt") and Portugal ("Porta-moedas Multibanco"). Private electronic purse systems have also been deployed such as the Marines corps (USMC) at Parris Island allowing small amount payments at the cafeteria.
Since the 1990s, smart cards have been the subscriber identity modules (SIMs) used in GSM mobile-phone equipment. Mobile phones are widely used across the world, so smart cards have become very common.
Historically, in 1993 several international payment companies agreed to develop smart-card specifications for debit card and credit cards. The original brands were MasterCard, Visa, and Europay. The first version of the EMV system was released in 1994. In 1998 the specifications became stable.
EMVCo maintains these specifications. EMVco's purpose is to assure the various financial institutions and retailers that the specifications retain backward compatibility with the 1998 version. EMVco upgraded the specifications in 2000 and 2004.
EMV compliant cards were first accepted into Malaysia in 2005 and later into United States in 2014. MasterCard was the first company that was allowed to use the technology in the United States. The United States has felt pushed to use the technology because of the increase in identity theft. The credit card information stolen from Target in late 2013 was one of the largest indicators that American credit card information is not safe. Target made the decision on 30 April 2014 that it would try to implement the smart chip technology to protect itself from future credit card identity theft.
Before 2014, the consensus in America was that there were enough security measures to avoid credit card theft and that the smart chip was not necessary. The cost of the smart chip technology was significant, which was why most of the corporations did not want to pay for it in the United States. The debate finally ended when Target sent out a notice stating unauthorized access to magnetic strips costing Target over 300 million dollars along with the increasing cost of online credit theft was enough for the United States to invest in the technology. The adaptation of EMV's increased significantly in 2015
Use of "Contactless" smart cards in transport has also grown through the use of low cost chips NXP Mifare Ultralight and paper/card/PET rather than PVC. This has reduced media cost so it can be used for low cost tickets and short term transport passes (up to 1 year typically). The cost is typically 10% that of a PVC smart card with larger memory. They are distributed through vending machines, ticket offices and agents. Use of paper/PET is less harmful to the environment than traditional PVC cards.
Smart cards are also being introduced for identification and entitlement by regional, national, and international organizations. These uses include citizen cards, drivers’ licenses, and patient cards. In Malaysia, the compulsory national ID MyKad enables eight applications and has 18 million users. Contactless smart cards are part of ICAO biometric passports to enhance security for international travel.
The Complex Card pilot, developed by AudioSmartCard, was launched in 2002 by Crédit Lyonnais, a French financial institution. This pilot featured acoustic tones as a means of authentication. Although Complex Cards were developed since the inception of the smart card industry, they only reached maturity after 2010.
Complex Cards can accommodate various peripherals including:
While first generation Complex Cards were battery powered, the second generation is battery-free and receives power through the usual card connector and/or induction .
Sound, generated by a buzzer, was the preferred means of communication for the first projects involving Complex Cards. Later, with the progress of displays, visual communication is now present in almost all Complex Cards.
Developers of Complex Cards target several needs when developing them:
One-Time Passwords generation is based either on incremental values (event based) or on a real time clock (time based). Using clock-based One-Time Password generation requires the Complex Card to be equipped with a Real-time clock.
Complex Cards used to generate One Time Password have been developed for:
For additional security, features such as requiring the user to enter an identification or a security value such as a PIN can be added to a Complex Card.
Complex Cards used to provide account information have been developed for:
The latest generation of battery free, button free, Complex Cards can display a balance or other kind of information without requiring any input from the card holder. The information is updated during the use of the card. For instance, in a transit card, key information such as the monetary value balance, the number of remaining trips or the expiry date of a transit pass can be displayed.
The Card Security Code (CSC) is to be given to the merchant by the cardholder to complete a card-not-present transaction. The CSC is transmitted along with other transaction data and verified by the card issuer. The Payment Card Industry Data Security Standard (PCI DSS) prohibits the storage of the CSC by the merchant or any stakeholder in the payment chain. Although designed to be a security feature, the static CSC is susceptible to fraud as it can easily be memorized by a shop attendant, who could then use it for fraudulent online transactions or sale on the dark web.
This vulnerability has led the industry to develop a Dynamic Card Security Code (DCSC) that can be changed at certain time intervals, or after each contact or contactless EMV transaction. This Dynamic CSC brings significantly better security than a static CSC.
The first generation of Dynamic CSC cards, developed by NagraID Security required a battery, a quartz and Real Time Clock (RTC) embedded within the card to power the computation of a new Dynamic CSC, after expiration of the programmed period.
The second generation of Dynamic CSC cards, developed by Ellipse World, Inc., does not require any battery, quartz, or RTC to compute and display the new dynamic code. Instead, the card obtains its power either through the usual card connector or by induction during every EMV transaction from the Point of Sales (POS) terminal or Automated Teller Machine (ATM) to compute a new DCSC.
The Dynamic CSC, also called dynamic cryptogram, is marketed by several companies, under different brand names:
The advantage of the Dynamic Card Security Code (DCSC) is that new information is transmitted with the payment transactions, thus making it useless for a potential fraudster to memorize or store it. A transaction with a Dynamic Card Security Code is carried out exactly the same way, with the same processes and use of parameters as a transaction with a static code in a card-not-present transaction. Upgrading to a DCSC allows cardholders and merchants to continue their payment habits and processes undisturbed.
To implement user authentication using a fingerprint enabled smart card, the user has to authenticate himself/herself to the card by means of the fingerprint before starting a payment transaction.
Several companies offer cards with fingerprint sensors, including:
While separate keys have been used on prototypes in the early days, capacitive keyboards are the most popular solution now, thanks to technology developments by AudioSmartCard International SA.
The interaction with a capacitive keyboard requires constant power, therefore a battery and a mechanical button are required to activate the card.
Companies that offered cards with buzzers include:
Displays can be made using two technologies:
First generation Complex Cards require a power supply even in standby mode. As such, product designers generally included a battery in their design. Incorporating a battery creates an additional burden in terms of complexity, cost, space and flexibility in an already dense design. Including a battery in a Complex Card increases the complexity of the manufacturing process as a battery cannot be hot laminated.
Second generation Complex Cards feature a battery-free design. These cards harvest the necessary power from external sources; for example when the card interacts in a contact or contactless fashion with a payment system or an NFC-enabled smartphone. The use of a bistable display in the card design ensures that the screen remains legible even when the Complex Card is unconnected to the power source.
One of the most popular manufacturing processes in the smart card industry is lamination. This process involves laminating an inlay between two card faces. The inlay contains the needed electronic components with an antenna printed on an inert support.
Typically battery-powered Complex Cards require a cold lamination manufacturing process. This process impacts the manufacturing lead time and the whole cost of such a Complex Card.
Second generation, battery-free Complex Cards can be manufactured by existing hot lamination process. This automated process, inherited from traditional smart card manufacturing, enables the production of Complex Cards in large quantities while keeping costs under control, a necessity for the evolution from a niche to a mass market.
As Complex Cards bring more functionalities than standard smart cards and, due to their complexity, their personalization can take longer or require more inputs. Having Complex Cards that can be personalized by the same machines and the same processes as regular smart cards allows them to be integrated more easily in existing manufacturing chains and applications.
First generation, battery-operated Complex Cards require specific recycling processes, mandated by different regulatory bodies. Additionally, keeping battery-operated Complex Cards in inventory for extended periods of time may reduce their performance due to Capacity loss.
Second-generation battery-free technology ensures operation during the entire lifetime of the card and eliminates self-discharge, providing extended shelf life, and is more eco-friendly.
The Complex Card concept began in 1999 when Cyril Lalo and Philippe Guillaud, its inventors, first designed a smart card with additional components. The first prototype was developed collaboratively by Cyril Lalo, who was the CEO of AudioSmartCard at the time, and Henri Boccia and Philippe Patrice, from Gemplus. The prototype included a button and audio functions on a 0.84mm thick ISO 7810-compliant card .
Since then, Complex Cards have been mass-deployed primarily by NagraID Security.
AudioSmartCard was founded in 1993 and specialized in the development and marketing of acoustic tokens incorporating security features. These acoustic tokens exchanged data in the form of sounds transmitted over a phone line. In 1999, AudioSmartCard transitioned to a new leadership under Cyril Lalo and Philippe Guillaud, who also became major shareholders. They made AudioSmartCard evolve towards the smart card world. In 2003 Prosodie, a subsidiary of Capgemini, joined the shareholders of AudioSmartCard.
AudioSmartCard was renamed nCryptone, in 2004.
Coin was acquired by Fitbit in May 2016 and all Coin activities were discontinued in February 2017.
The Ellipse patented technologies enable smart card manufacturers to use their existing dual interface payment card manufacturing process and supply chain to build battery-free, second generation Complex Cards with display capabilities. Thanks to this ease of integration, smart card vendors are able to address banking, transit and prepaid cards markets.
Nagra ID manufactures Complex Cards that can include a battery, buttons, displays or other electronic components.
NagraID Security quickly became a leading player in the adoption of Complex Cards due, in large part, to its development of MotionCode cards that featured a small display to enable a Card Security Code (CVV2).
NagraID Security was the first Complex Cards manufacturer to develop a mass market for payment display cards. Their customers included:
NagraID Security also delivered One-Time Password cards to companies including:
In 2014, NagraID Security was sold to Oberthur Technologies (now IDEMIA).
nCryptone display card assets were acquired by Innovative Card Technologies in 2006.
Major references in the Complex Cards business include:
In 2017 Stratos was acquired by CardLab Innovation, a company headquartered in Herlev, Denmark.
Qvivr raised US$5 million in January 2017 and went out of business in November 2017.
Complex Card technology is used by numerous financial institutions including:
In cards with microprocessors, the microprocessor sits inline between the reader and the other components. The operating system that runs on the microprocessor mediates the reader's access to those components to prevent unauthorized access.
The ISO/IEC 7810 and ISO/IEC 7816 series of standards define:
Because the chips in financial cards are the same as those used in subscriber identity modules (SIMs) in mobile phones, programmed differently and embedded in a different piece of PVC, chip manufacturers are building to the more demanding GSM/3G standards. So, for example, although the EMV standard allows a chip card to draw 50 mA from its terminal, cards are normally well below the telephone industry's 6 mA limit. This allows smaller and cheaper financial card terminals.
Communication protocols for contact smart cards include T=0 (character-level transmission protocol, defined in ISO/IEC 7816-3) and T=1 (block-level transmission protocol, defined in ISO/IEC 7816-3).
APDU transmission by a contactless interface is defined in ISO/IEC 14443-4.
Dual-interface cards implement contactless and contact interfaces on a single chip with some shared storage and processing. An example is Porto's multi-application transport card, called Andante ticket, which uses a chip with both contact and contactless (ISO/IEC 14443 Type B) interfaces. Numerous payment cards worldwide are based on hybrid card technology allowing them to communicate in contactless as well as contact modes.
Smart cards may also be used as electronic wallets. The smart card chip can be "loaded" with funds to pay parking meters, vending machines or merchants. Cryptographic protocols protect the exchange of money between the smart card and the machine. No connection to a bank is needed. The holder of the card may use it even if not the owner. Examples are Mondex (1993), Proton, Geldkarte, Chipknip and Moneo. The German Geldkarte is also used to validate customer age at for cigarettes.
These are the best known payment cards (classic plastic card):
Roll-outs started in 2005 in the U.S. Asia and Europe followed in 2006. Contactless (non-PIN) transactions cover a payment range of ~$5–50. There is an ISO/IEC 14443 PayPass implementation. Some, but not all, PayPass implementations conform to EMV.
Non-EMV cards work like magnetic stripe cards. This is common in the U.S. (PayPass Magstripe and Visa MSD). The cards do not hold or maintain the account balance. All payment passes without a PIN, usually in off-line mode. The security of such a transaction is no greater than with a magnetic stripe card transaction.
EMV cards can have either contact or contactless interfaces. They work as if they were a normal EMV card with a contact interface. Via the contactless interface they work somewhat differently, in that the card commands enabled improved features such as lower power and shorter transaction times. EMV standards include provisions for contact and contactless communications. Typically modern payment cards are based on hybrid card technology and support both contact and contactless communication modes.
Smart cards are not always privacy-enhancing, because the subject may carry incriminating information on the card. Contactless smart cards that can be read from within a wallet or even a garment simplify authentication; however, criminals may access data from these cards.
Cryptographic smart cards are often used for single sign-on. Most advanced smart cards include specialized cryptographic hardware that uses algorithms such as RSA and Digital Signature Algorithm (DSA). Today's cryptographic smart cards generate key pairs on board, to avoid the risk from having more than one copy of the key (since by design there usually isn't a way to extract private keys from a smart card). Such smart cards are mainly used for digital signatures and secure identification.
The most common way to access cryptographic smart card functions on a computer is to use a vendor-provided PKCS#11 library. On Microsoft Windows the Cryptographic Service Provider (CSP) API is also supported.
The most widely used cryptographic algorithms in smart cards (excluding the GSM so-called "crypto algorithm") are Triple DES and RSA. The key set is usually loaded (DES) or generated (RSA) on the card at the personalization stage.
Some of these smart cards are also made to support the National Institute of Standards and Technology (NIST) standard for Personal Identity Verification, FIPS 201.
Turkey implemented the first smart card driver's license system in 1987. Turkey had a high level of road accidents and decided to develop and use digital tachograph devices on heavy vehicles, instead of the existing mechanical ones, to reduce speed violations. Since 1987, the professional driver's licenses in Turkey have been issued as smart cards. A professional driver is required to insert his driver's license into a digital tachograph before starting to drive. The tachograph unit records speed violations for each driver and gives a printed report. The driving hours for each driver are also being monitored and reported. In 1990 the European Union conducted a feasibility study through BEVAC Consulting Engineers, titled "Feasibility study with respect to a European electronic drivers license (based on a smart-card) on behalf of Directorate General VII". In this study, chapter seven describes Turkey's experience.
Argentina's Mendoza province began using smart card driver's licenses in 1995. Mendoza also had a high level of road accidents, driving offenses, and a poor record of recovering fines. Smart licenses hold up-to-date records of driving offenses and unpaid fines. They also store personal information, license type and number, and a photograph. Emergency medical information such as blood type, allergies, and biometrics (fingerprints) can be stored on the chip if the card holder wishes. The Argentina government anticipates that this system will help to collect more than $10 million per year in fines.
In 1999 Gujarat was the first Indian state to introduce a smart card license system. As of 2005, it has issued 5 million smart card driving licenses to its people.
In 2002, the Estonian government started to issue smart cards named ID Kaart as primary identification for citizens to replace the usual passport in domestic and EU use. As of 2010 about 1 million smart cards have been issued (total population is about 1.3 million) and they are widely used in internet banking, buying public transport tickets, authorization on various websites etc.
By the start of 2009, the entire population of Belgium was issued eID cards that are used for identification. These cards contain two certificates: one for authentication and one for signature. This signature is legally enforceable. More and more services in Belgium use eID for authorization.
Spain started issuing national ID cards (DNI) in the form of smart cards in 2006 and gradually replaced all the older ones with smart cards. The idea was that many or most bureaucratic acts could be done online but it was a failure because the Administration did not adapt and still mostly requires paper documents and personal presence.
On 14 August 2012, the ID cards in Pakistan were replaced. The Smart Card is a third generation chip-based identity document that is produced according to international standards and requirements. The card has over 36 physical security features and has the latest encryption codes. This smart card replaced the NICOP (the ID card for overseas Pakistani).
Smart cards may identify emergency responders and their skills. Cards like these allow first responders to bypass organizational paperwork and focus more time on the emergency resolution. In 2004, The Smart Card Alliance expressed the needs: "to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification". emergency response personnel can carry these cards to be positively identified in emergency situations. WidePoint Corporation, a smart card provider to FEMA, produces cards that contain additional personal information, such as medical records and skill sets.
In 2007, the Open Mobile Alliance (OMA) proposed a new standard defining V1.0 of the Smart Card Web Server (SCWS), an HTTP server embedded in a SIM card intended for a smartphone user. The non-profit trade association SIMalliance has been promoting the development and adoption of SCWS. SIMalliance states that SCWS offers end-users a familiar, operating system-independent, browser-based interface to secure, personal SIM data. As of mid-2010, SIMalliance had not reported widespread industry acceptance of SCWS. The OMA has been maintaining the standard, approving V1.1 of the standard in May 2009, and V1.2 was expected to be approved in October 2012.
Smart cards are also used to identify user accounts on arcade machines.
The UK's Department for Transport mandated smart cards to administer travel entitlements for elderly and disabled residents. These schemes let residents use the cards for more than just bus passes. They can also be used for taxi and other concessionary transport. One example is the "Smartcare go" scheme provided by Ecebs. The UK systems use the ITSO Ltd specification. Other schemes in the UK include period travel passes, carnets of tickets or day passes and stored value which can be used to pay for journeys. Other concessions for school pupils, students and job seekers are also supported. These are mostly based on the ITSO Ltd specification.
Many smart transport schemes include the use of low cost smart tickets for simple journeys, day passes and visitor passes. Examples include Glasgow Glasgow Subway. These smart tickets are made of paper or PET which is thinner than a PVC smart card e.g. Confidex smart media. The smart tickets can be supplied pre-printed and over-printed or printed on demand.
In Sweden, as of 2018–19, the old SL Access smart card system has started to be phased out and replaced by smart . The phone apps have less cost, at least for the transit operators who don't need any electronic equipment (the riders provide that). The riders are able buy tickets anywhere and don't need to load money onto smart cards. New NFC smart cards are still in use for foreseeable future (as of 2024).
In 2018, in an effort to make arcade game IC cards more user friendly, Konami, Bandai Namco and Sega have agreed on a unified system of cards named Amusement IC. Thanks to this agreement, the three companies are now using a unified card reader in their arcade cabinets, so that players are able to use their card, no matter if a Banapassport, an e-Amusement Pass or an Aime, with hardware and ID services of all three manufacturers. A common logo for Amusement IC cards has been created, and this is now displayed on compatible cards from all three companies. In January 2019, Taito announced that their Nesica card was also joining the Amusement IC agreement with the other three companies.
Mozilla's Firefox web browser can use smart cards to store certificates for use in secure web browsing.//www.mozilla.org/projects/security/pki/pkcs11/
Some disk encryption systems, such as VeraCrypt and Microsoft's BitLocker, can use smart cards to securely hold encryption keys, and also to add another layer of encryption to critical parts of the secured disk.
GnuPG, the well known encryption suite, also supports storing keys in a smart card. smartcard howto for GNUPG
Smart cards are also used for single sign-on to log on to computers.
Differential power analysis involves measuring the precise time and electric current required for certain encryption or decryption operations. This can deduce the on-chip private key used by public key algorithms such as RSA. Some implementations of can be vulnerable to timing or power analysis as well.
Smart cards can be physically disassembled by using acid, abrasives, solvents, or some other technique to obtain unrestricted access to the on-board microprocessor. Although such techniques may involve a risk of permanent damage to the chip, they permit much more detailed information (e.g., of encryption hardware) to be extracted.
The secondary advantage is security. Smart cards can be electronic key rings, giving the bearer ability to access information and physical places without need for online connections. They are encryption devices, so that the user can encrypt and decrypt information without relying on unknown, and therefore potentially untrustworthy, appliances such as ATMs. Smart cards are very flexible in providing authentication at different level of the bearer and the counterpart. Finally, with the information about the user that smart cards can provide to the other parties, they are useful devices for customizing products and services. Smart cards can also have multiple credentials for different applications. This encourages better security as the user only has to manage a single card which is not only less cognitive load and more convenient.
The tertiary advantage is reduced cost. Smart cards are easily produced and have vastly improved security allowing institutions to reduce their security spending.
Other general benefits of smart cards are:
The production, use and disposal of PVC plastic is known to be more harmful to the environment than other plastics. Alternative materials including chlorine free plastics and paper are available for some smart applications.
If the account holder's computer hosts malware, the smart card security model may be broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the application. Man-in-the-browser malware (e.g., the Trojan Silentbanker) could modify a transaction, unnoticed by the user. Banks like Fortis and Belfius in Belgium and Rabobank ("random reader") in the Netherlands combine a smart card with an unconnected card reader to avoid this problem. The customer enters a challenge received from the bank's website, a PIN and the transaction amount into the reader. The reader returns an 8-digit signature. This signature is manually entered into the personal computer and verified by the bank, preventing point-of-sale-malware from changing the transaction amount.
Smart cards have also been the targets of security attacks. These attacks range from physical invasion of the card's electronics, to non-invasive attacks that exploit weaknesses in the card's software or hardware. The usual goal is to expose private encryption keys and then read and manipulate secure data such as funds. Once an attacker develops a non-invasive attack for a particular smart card model, he or she is typically able to perform the attack on other cards of that model in seconds, often using equipment that can be disguised as a normal smart card reader. While manufacturers may develop new card models with additional information security, it may be costly or inconvenient for users to upgrade vulnerable systems. Tamper-evident and audit features in a smart card system help manage the risks of compromised cards.
Another problem is the lack of standards for functionality and security. To address this problem, the Berlin Group launched the ERIDANE Project to propose "a new functional and security framework for smart-card based Point of Interaction (POI) equipment".
|
|
