Contactless smart card
- This article is regarding smart cards that use radio to transmit data. For smart cards that use electrical conductors see smart card.
A contactless smart card is any pocket-sized card with embedded integrated circuits that can process and store data, and communicate with a terminal via radio waves. There are two broad categories of contactless smart cards. Memory cards contain non-volatile memory storage components, and perhaps some specific security logic. Contactless smart cards do not contain an ordinary read-only RFID, but they do contain a re-writeable smart card microchip that can be transcribed via radio waves.
The first contactless smart card in production use for fare payment was the Octopus card, introduced in Hong Kong in 1997 for the territory's mass transit system.
Overview
A "contactless smart card" is also characterized as follows:
- Dimensions are normally credit card size. The ID-1 of ISO/IEC 7810 standard defines them as 85.60 × 53.98 mm. Another popular size is ID-000 which is 25 × 15 mm. Both are 0.76 mm thick.
- Contains a security system with tamper-resistant properties (e.g. a secure cryptoprocessor, secure file system, human-readable features) and is capable of providing security services (e.g. confidentiality of information in the memory).
- Asset managed by way of a central administration system which interchanges information and configuration settings with the card through the security system. The latter includes card hotlisting, updates for application data.
- Card data is transferred via radio waves to the central administration system through card reading devices, such as ticket readers, ATMs etc.
Benefits
Contactless smart cards can be used for identification, authentication, and data storage. They also provide a means of effecting business transactions in a flexible, secure, standard way with minimal human intervention.
History
Since first deployed for the Octopus card scheme in Hong Kong in 1997, smart cards with contactless interfaces have been increasingly popular for payment and ticketing applications such as mass transit. Globally, contactless fare collection is being employed for efficiencies in public transit. The various standards emerging are local in focus and are not compatible, though the MIFARE Classic card from Philips has a large market share in the US and Europe.
In more recent times, Visa and MasterCard have agreed to standards for general "open loop" payments on their networks, with millions of cards deployed in the USA, UK, France and globally.
Smart cards are being introduced in personal identification and entitlement schemes at regional, national, and international levels. Citizen cards, drivers’ licenses, and patient card schemes are becoming more prevalent. In Malaysia, the compulsory national ID scheme MyKad includes 8 different applications and is rolled out for 18 million users. Contactless smart cards are being integrated into ICAO biometric passports to enhance security for international travel.
Readers
Contactless smart card readers use radio waves to communicate with, and both read and write data on a smart card. When used for electronic payment, they are commonly located near PIN pads, cash registers and other places of payment. When the readers are used for public transit they are commonly located on fare boxes, ticket machines, turnstiles, and station platforms as a standalone unit. When used for security, readers are usually located to the side of an entry door.
Technology
A contactless smart card is a card in which the chip communicates with the card reader through an induction technology similar to that of an RFID (at data rates of 106 to 848 kbit/s). These cards require only close proximity to an antenna to complete a transaction. They are often used when transactions must be processed quickly or hands-free, such as on mass transit systems, where a smart card can be used without even removing it from a wallet.
The standard for contactless smart card communications is ISO/IEC 14443. It defines two types of contactless cards ("A" and "B") and allows for communications at distances up to 10 cm. There had been proposals for ISO/IEC 14443 types C, D, E, F and G that have been rejected by the International Organization for Standardization. An alternative standard for contactless smart cards is ISO/IEC 15693, which allows communications at distances up to 50 cm.
Examples of widely used contactless smart cards are Taiwan's EasyCard, Hong Kong's Octopus card, Shanghai's Public Transportation Card, South Korea's T-money (bus, subway, taxi), London's Oyster card, Beijing's Municipal Administration and Communications Card, Japan Rail's Suica Card, which predate the ISO/IEC 14443 standard. The following tables list smart cards used for public transportation and other electronic purse applications. First Data delivers Contactless Credit and Debit cards for its customers.
A related contactless technology is RFID (radio frequency identification). In certain cases, it can be used for applications similar to those of contactless smart cards, such as for electronic toll collection. RFID devices usually do not include writeable memory or microcontroller processing capability as contactless smart cards often do.
There are dual-interface cards that implement contactless and contact interfaces on a single card with some shared storage and processing. An example is Porto's multi-application transport card, called Andante, that uses a chip in contact and contactless (ISO/IEC 14443 type B) mode.
Like smart cards with contacts, contactless cards do not have a battery. Instead, they use a built-in inductor, using the principle of resonant inductive coupling, to capture some of the incident electromagnetic signal, rectify it, and use it to power the card's electronics.
Communication protocols
Name | Description |
---|---|
ISO/IEC 14443 | APDU transmission via the protocol defined in ISO/IEC 14443-4 |
Transportation
Since the Octopus Card in 1997, numerous cities have moved to the use of a contactless smart card as the fare media in an Automated Fare Collection System. See this comprehensive list of such systems.
In a number of cases these cards carry an electronic wallet as well as fare products, and can be used for low-value payments, often at merchants located in the vicinity of transit routes, and further afield.
Contactless Bank Cards
Starting around 2005, a major application of the technology has been contactless payment credit and debit cards. Some major examples include:
- ExpressPay - American Express
- PayPass - MasterCard
- Zip - Discover
- payWave - Visa
Roll-outs started in 2005 in the USA, and in 2006 in some parts of Europe (England) and Asia (Singapore). In the USA, contactless (non-PIN) transactions cover a payment range of ~$5–$100.
In general there are two classes of contactless bank cards: Magnetic Stripe Data (MSD) and Contactless EMV.
Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the USA. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.
Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The contactless interface provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. usually issuers will not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an "offline balance" stored in their chip, similar to the electronic wallet or "purse" that users of transit smart cards are used to.
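The per-transaction code described for contactless MSD cards above can be sketched as follows. This is an added example, not code from the original article or from any payment scheme: HMAC-SHA-256, the forward-only counter, the three-digit code length and all class and function names are assumptions made for illustration, and the card number and key are constructed test values.

```python
import hashlib
import hmac

CODE_DIGITS = 3  # constructed length of the decimal code; not taken from any scheme


def dynamic_code(card_key, pan, counter):
    """Derive the per-transaction code from the card key, PAN and counter.

    HMAC-SHA-256 is a stand-in for whatever algorithm the scheme specifies.
    """
    message = pan.encode() + counter.to_bytes(2, "big")
    digest = hmac.new(card_key, message, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Card:
    """Hypothetical chip: holds the key and a counter that only moves forward."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.counter = 0

    def tap(self):
        self.counter += 1
        return {"pan": self.pan, "counter": self.counter,
                "code": dynamic_code(self.key, self.pan, self.counter)}


class Issuer:
    """Hypothetical issuer host: recomputes the code and tracks the last counter."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enrol(self, pan, key):
        self.keys[pan] = key
        self.last_counter[pan] = 0

    def authorise(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        expected = dynamic_code(key, tx["pan"], tx["counter"])
        # Constant-time comparison so the check itself does not leak digits.
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad code"
        if tx["counter"] <= self.last_counter[tx["pan"]]:
            return "declined: counter already used"
        self.last_counter[tx["pan"]] = tx["counter"]
        return "approved"


def run_demo():
    pan = "4000000000000002"  # constructed test number
    key = bytes(range(16))    # constructed key
    card, issuer = Card(pan, key), Issuer()
    issuer.enrol(pan, key)

    first = card.tap()
    results = {"genuine": issuer.authorise(first)}
    # The same track data presented a second time: the counter has been seen.
    results["replayed"] = issuer.authorise(dict(first))
    # The next counter value with a code that was not computed from the key.
    # The code is altered so that it is guaranteed to differ from the correct one.
    nxt = first["counter"] + 1
    wrong = str((int(dynamic_code(key, pan, nxt)) + 1) % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)
    results["wrong_code"] = issuer.authorise({"pan": pan, "counter": nxt, "code": wrong})
    results["next_genuine"] = issuer.authorise(card.tap())
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:13s} {outcome}")
```

A static magnetic stripe has nothing equivalent to the counter check, so identical track data is accepted every time it is presented. A code this short can be matched by chance once in 10^3 attempts, so the issuer side also needs a limit on failed verifications per card.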
Identification
A quickly growing application is in digital identification cards. In this application, the cards are used for authentication of identity. The most common example is in conjunction with a PKI. The smart card will store an encrypted digital certificate issued from the PKI along with any other relevant or needed information about the card holder. Examples include the U.S. Department of Defense (DoD) Common Access Card (CAC), and the use of various smart cards by many governments as identification cards for their citizens. When combined with biometrics, smart cards can provide two- or three-factor authentication. Smart cards are not always a privacy-enhancing technology, for the subject carries possibly incriminating information about him all the time. By employing contactless smart cards, which can be read without having to remove the card from the wallet or even the garment it is in, one can add even more authentication value to the human carrier of the cards.
Other
The Malaysian government uses smart card technology in the identity cards carried by all Malaysian citizens and resident non-citizens. The personal information inside the smart card (called MyKad) can be read using special APDU commands.
Security
Smart cards have been advertised as suitable for personal identification tasks, because they are engineered to be tamper resistant. The embedded chip of a smart card usually implements some cryptographic algorithm. There are, however, several methods of recovering some of the algorithm's internal state.
Differential power analysis
Differential power analysis involves measuring the precise time and electrical current required for certain encryption or decryption operations. This is most often used against public key algorithms such as RSA in order to deduce the on-chip private key, although some implementations of symmetric ciphers can be vulnerable to timing or power attacks as well.
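Why the time and current of an RSA operation can depend on the private key, and what a balanced implementation looks like, is shown in the added example below (not part of the original article and not card firmware). The 'S'/'M' trace is an assumed stand-in for the distinct timing and power signature of a squaring and a multiplication; the function names and the small modulus are constructed for illustration.

```python
def modexp_square_multiply(base, exponent, modulus):
    """Left-to-right square-and-multiply; returns (result, trace).

    A multiplication happens only for 1 bits of the exponent, so the
    sequence and number of operations is a function of the secret.
    """
    result = 1
    trace = []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")
    return result, "".join(trace)


def modexp_montgomery_ladder(base, exponent, modulus):
    """Montgomery ladder; returns (result, trace).

    Every bit costs one multiplication and one squaring, whatever its
    value, so the operation sequence no longer depends on the exponent.
    """
    r0, r1 = 1, base % modulus  # invariant: r1 == r0 * base (mod modulus)
    trace = []
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        else:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        trace.append("MS")
    return r0, "".join(trace)


def trace_is_key_independent(modexp, base, modulus, exponents):
    """Regression check: do exponents of equal bit length give one trace?"""
    if len({e.bit_length() for e in exponents}) != 1:
        raise ValueError("compare exponents of the same bit length")
    return len({modexp(base, e, modulus)[1] for e in exponents}) == 1


if __name__ == "__main__":
    n = 3233                              # constructed toy modulus (61 * 53)
    keys = [0b10000001, 0b11111111]       # constructed 8-bit exponents
    for d in keys:
        print(f"{d:08b}", modexp_square_multiply(65, d, n)[1])
    print("square-and-multiply balanced:",
          trace_is_key_independent(modexp_square_multiply, 65, n, keys))
    print("Montgomery ladder balanced:  ",
          trace_is_key_independent(modexp_montgomery_ladder, 65, n, keys))
```

The ladder removes only the dependence of the operation sequence on the key. Python's big-integer arithmetic is not constant-time, and the power drawn while processing particular data values is a separate leak that this model does not cover.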
Physical disassembly
Smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain direct, unrestricted access to the on-board microprocessor. Although such techniques obviously involve a fairly high risk of permanent damage to the chip, they permit much more detailed information (e.g. photomicrographs of encryption hardware) to be extracted.
Problems
Another problem of smart cards may be the failure rate. The plastic card in which the chip is embedded is fairly flexible, and the larger the chip, the higher the probability of breaking. Smart cards are often carried in wallets or pockets, a fairly harsh environment for a chip. However, for large banking systems, the failure-management cost can be more than offset by the fraud reduction. A card enclosure may be used as an alternative to help prevent the smart card from failing.
Using a smart card for mass transit presents a risk for privacy, because such a system enables the mass transit operator (and the authorities) to track the movement of individuals. In Finland, the Data Protection Ombudsman prohibited the transport operator YTV from collecting such information, in spite of YTV's argument that the owner of the card has the right to get a list of journeys paid with the card. Prior to this, such information was used in the investigation of the Myyrmanni bombing.
See also
- Access badge
- Access control
- Disk encryption
- Keycard
- Physical security
- BasicCard
- Biometrics
- Common Access Card
- Credential
- Electronic money
- Electronic passport
- EMV
- GlobalPlatform
- ID card
- Java Card
- Magnetic stripe card
- MULTOS
- PCI DSS
- Proximity card
- Radio-frequency identification
- Resonant energy transfer
- Security engineering
- Single sign-on
- Smart card
- SNAPI
- Subscriber Identity Module
- Swipe card
- Telephone card