6.0 Card Era • credit cards have become part of our daily life as forms of plastic money since its first launch in 1960 • a magnetic card verse a smart card
6.1 Magnetic Card • composed of a layer of magnetic material for storing information • easy to carry • can be use for authentication • what is its principles?
6.1.1 Information on Magnetic Card • the stripe is 8.5cm X 1.2cm • data is constructed based on ISO 7811/2 • maximum 3 stripes • can store around 1K bits
6.1.2 ISO Standards • Based on ISO 7811 • Track 1 is developed by International Air Transportation Association (IATA) which contains adaptive 6-bit alphanumerical characters • Track 2 is used by American Bankers Association (ABA) which stores 4-bit numerical information containing identification number and control information. • Track 3 is originated by Thrift Industry which contains information which is intended to be updated with each transaction.
6.1.3 Capacity TrackRecord density bits/inchCapacity 1 210 79 (7 bits/char.) 2 75 40 (5 bits/char.) 3 210 107 (5 bits/char)
6.1.4 Fraud card activities • Stealing — A legal card may be stolen and used in ATMs or EPOSs. • Altering and re-embossing a genuine card, that is modifying the visual features of card. • Skimming or altering the original electronic data stored on the magnetic stripe, for example the expire date or the credit limit. • Buffering or re-encoding the original data to the magnetic card. This technique is commonly used in producing card counterfeits of store-value ticket.
Copying of data from a genuine card to another in an on-line fashion “white plastic fraud” • Counterfeiting — “color plastic fraud” may be prepared by reading another legal card and encoding the same information onto another fraud card in an off-line fashion.
Valid Card Fraud Card
6.1.5 Design of card protection technologies • Validation by Appearance — this is a visual mean to protect against illegal duplication of plastic card. The aim is to make the appearance of card so unique and difficult to duplicate that shopkeepers or card handlers can identify the genuine card instantly.
Verification on Access — this validation relies on the interaction with the card holder, the objective of the protection mechanism is to identify the person accessing the card is an authorized one.
Protection on Data — this is a machine readable protection to avoid data from being access and duplication illegally. The importance of stripe data protection is .to ensure the security of electronic transaction and provide an alternative verification mechanism of magnetic card.
6.5.1 Validation by Appearance Computer Chip Hologram IN GOD WE TRUST But Counterfeits Still Exists! Magnetic Stripe Logo VISB MR. B 12/95 Printed & Embossed Data Fine Printings Bar Code Authorized Signature Photo ID Signatures
Holograms • are the most notable marking for credit cards • produced by a combination of photography and laser beams • initially counterfeit holograms were crude and manufactured by stamping tin foils • recently counterfeit holograms were produced by professional technical knowledge is needed to validate the authenticity of holograms
Embossed characters • are some raised marks implemented on the plastic surface of card • the embossed information includes the user name, expiry date, card number and unique embossed symbol — VISA embossed a symbol like “CV” besides the expiry date. • However, the card material is a thermal plastic by warming the card to about 50C, it allows “debossing” of the characters and re-embossing with fraud information.
Photocards • are introduced by CitiBank Corporation • the effectiveness of photocard on marketing purposes seems to be greater than that on security • it is not an effective mean to stop card fraud because counterfeiters had the ability to imitate laser engraved photographs and signatures in rather low cost using a photomachine of around US$ 5000.
Ultra-violet dove, bank identifying number (BIN) and micro-printings • can also be duplicated under the existing technology • technical knowledge is needed to recognize a counterfeit card from a genuine one • most card reading terminals contain no visual detector to validate these visual protection features while human eyes are not a reliable mean of verification • difficult to validate a genuine card
6.5.2 Protection on Card Access • the card holder is requested to prove his identity or the authorized user will be acknowledged about the transaction • methods: • signature • biometrices • PIN
Signature • Signature is the most popular way of verification. • When a transaction is made, the card holder is requested to sign and the signature will be verified visually. • this method is simple • not useful in protection against “color plastic fraud” where the criminal can sign their own signature in the fraud card.
Biometrics • biometrics features were developed such as speed of writing, fingerprint or iris pattern • implementation cost is high • their accuracy is questionable
Personal identifying number (PIN) • PIN is a unique number given by the bank to each user which is effectively fixed by the customer account number and the cryptographic key used in the derived PIN computation. • PIN offset or password is a value that relates a derived PIN to actual PIN value.
When a card holder transfer or withdraw his money from a bank account, a 6-digits password is inputted before transaction processed. • The password will be validated by comparing with the one stored inside the magnetic card by offset or in a centralized database in the bank.
The security of password is relied on the encryption algorithm of PIN, the PIN management scheme and the secrecy of password. • PIN does not provides defense against data copied from another card which contains the correct card verification value. • Moreover, the encryption algorithm adopted in validation codes may be tampered and decoded by professional hackers with some insider information.
6.6 Smart Card • Integrated Circuit - chip • originated from France • invented in 70 and matured in 90 • Magnetic Card replacement
Types of Smart Card • Memory Card • MPU IC card • Crypto- processor card • Contactless card
Memory Card • Primitive type • composed of EEPROM/PROM • simple function • as prepay card
Cypto-processor IC Cards • composed of cypto-processor & PROM • a powerful MPU • can recognise illegal signal and security features
MPU IC Smart Card • Composed of MCU/MPC • software driven • have flexibility and primitive intelligence • some security features
Contactless Smart Card • similar to contact smart card • with RF transceiver to increase robustness and security
6.6.1 Advantages of Smart Card • Large storage capacity • more security features • multiple functions • flexibility in use - intelligent, lower power consumption, effective packaging • as access card, electronic purse, debit/credit cards, ID card etc. - particular off-line applications
6.6.2 Hardware Technologies • new memory technologies - EEPROM and flash-EPROM • new silicon technologies - 1.3 m to 0.8 m for more storage and security, lower power consumption • new packaging technologies - against breakage, rubbing and bending
6.6.3 Smart Card Software • Intelligent Chip Operating System -COS • Encryption techniques - RSA & DES • Multiple Application OS (MAOS) • Mondex, EMV, GSM, Loyalty • New requirements • hot list, trust key management
6.6.4 Smart Card Worldwide • Use Distribution 40% Western Europe, 25% Asia, 15% North America, 8% South America and 12% others • Major user is France over 130M cards • Germany 80 M health insurance • over 20 countries use GSM and electronic purse
Smart Card Project Worldwide • Mondex - UK • Barclay/Mercury one-2-one project (UK) • Detemobil Toll Collection (UK) • Advantages Card in RSA • ID card in Taiwan • Mastercard &Visa + Netscape and Microsoft - COS project • Credit Card in USA
Some Difficulties Worldwide • Bank card project cancellation - Taiwan • Mondex tampering slow down bank sector development - RSA and New Zealand • Mastercard - year 2000 delay of massive launching • Visa - adoption of magnetic card in RSA debit card project • Major concern - COST EFFECTIVENESS
6.6.5 Smart Card in Hong Kong • Mondex • Visa Cash • City Smart • Octopus - smart travelling card • Jockey Club -pre-pay card • New airport - access control card • HKT - telephone card • Parking Meter - prepay card project • HKID
6.6.6 Smart Card in Electronic Commerce • Electronic Data Interchange (EDI) • Tradelink • Electronic Purchasing • Home Banking • Internet Shopping
6.6.7 New Technologies Required • Data Storage Management - information protection • authentication process - • biometric: fingerprint, facial features, iris identification, dynamic signature recognition, speech recognition • encryption methods - • Elliptic Curve Cryptography, chaotic techniques
6.6.8 Governing Body • The Hong Kong Monetary Authority will set rules on use of smart card for financial applications • only banks may issue general purpose cards • HKMA can authorize other non-bank issuer • core use relating to business of the issuer • needs to establish a business case an non-core uses • non-core uses subject to limits determined by HKMA
Exemptions • Risk to payment system and card holders is slight • replace an existing non-regulated payment instrument like travelers’ cheques • soundness of issuer • max. of HK$1000 limits on card • only allow 15% for non core uses • use in a limited and distinct areas
6.6.9 Examples • Mondex : equivalent to bank note, and no audit trail • Visa Cash: equivalent to cheques, link to accounts and have audit trails
Mondex scheme Issue of Bank Notes Origination of Mondex Value Notes Issuing Bank Mondex Originator Adjustment to interbank A/C Adjustment to interbank A/C Bank notes Mondex value Other Banks Member Banks Adjustment to customer A/C Adjustment to customer A/C Bank notes Mondex value Notes holder A Cardholder A Goods/Services Bank notes Goods/Services Mondex value Transfer of Mondex value Transfer of bank notes Bank notes Goods/Services Mondex value Goods/Services Notes holder B Merchant Cardholder B Merchant Note : There is no clearing system for the transfer to Mondex value (in the same way as transfer of bank notes).
VisaCash scheme Cheques VisaCash Bank Bank Debit Customer A/C (once value is uploaded) Debit Customer A/C (after cheque is cleared) Issue of cheques Uploading value onto card Bank Customer Cheque Clearing System Cardholder VisaCash Clearing System Presentation of cheque received from customer Redemption of value received from cardholder Payment by cheque Payment by card Goods/ Services Goods/ Services Credit Merchant A/C Merchant Merchant Credit Merchant A/C Note : Transfer of VisaCash value would go through a clearing system in same way as clearing for cheques.
Smart Card in Mobile Phone Applications • Wireless Application Protocol (WAP) emerges for a mobile Internet access • Research work launched in Japan indicates a good market if available. • Mobile operators will provide add on WAP gateways and WAP services to enable wireless internet services: • Banks, financial institutions, restaurants, retailers, • Utilities, transit operators, hotels, • entertainment and media, selling goods and information
Limitation, the SIM card inside the WAP phone cannot provide complicated the PKI authentication process thus security is an issue. • A possible solution is to introduce an additional smart card interface (either contact or contactless) to enable the authentication process. (MasterCard – dual card phone)
New technologies requirements: • The development of m-PKI (mobile PKI) in the multiple-application OS is more essential and practical • The development of high security low power card modules • A better interface to new wireless internet platform, other ancillary technologies, such as Bluetooth and Wireless Wallets are also important
Multos • Backs by Mastercard • Most Secure Hardware/software available • Security Level Common Standard Level 6 for Hitachi & Infineon cards • Requires secured terminals and approved software for downloading • Accepted by Amercian Express for Amexblue project
Overview • Single OS • API and virtual machine • Standard I/O • Security • Dynamic application management • Advantage: mature & stable • Disadvantage: not flexible & independent security certification