Introduction to Smart Cards

by Jeffrey Jonas

for Pervasive Computing NJIT CIS 786

June 2003

What are smartcards?

Smartcards contain a processor and nonvolatile memory so they perform dynamic data processing capabilities in addition to data storage.
The chip is so small that it's often embedded in something larger to make it easy to carry, such as credit card or key shape.
Unlike memory cards, it actively participates in the secure conversation from the host, so even eavesdropping cannot clone the card or reply the transaction.

Some are Java based so the internal processor runs downloadable Java applets instead of just using pre-defined functions. This means the smartcard becomes a computational element of the protocol, not just a storage device.

While that doesn't sound very exciting, it's a big step up from cards with just a magnetic strip with limited storage capacity. With a magnetic card, you can't "write protect" specific areas. With a smartcard, memory contents can be read/write, read-only, or accessed only via well defined interfaces.

Smart Card issuers are exploring ways to use the "spare" memory, to make the card more pleasant and desirable to use over other methods.

Some already save the user's preferences.
Perhaps such preferences will be standardized so settings for
  • language
  • left/right handed
  • special needs
would be honored by all machines using the card (atm, vending machine, ...).

"Loyalty" programs are exploring such features so there's no need to carry a separate card for CVS, Pathmark, ShopRite, etc. That way, I would be encouraged to use the same credit card for all purchases to get the preferred customer prices.

BUT: there are privacy concerns because all the data about my buying habits are consolidated too!
A related note: until smart cards are widely accepted, a clever kid patented the idea of adding more magnetic strips to your current card for loyalty programs instead of issuing additional cards. While that's better than the keyring-of-many-cards, most of those cards are barcoded so this doesn't help much.


Smart cards already deployed

  • Cellular phones call their SmartCard the SIM (Subscriber Identity Module) [see the small blue card on the barcode of the Dish Network card]. The permanent ID is protected, but the phone list, user preferences, calendar, etc are stored in it too. Some phones differentiate things stored in the SIM insecurely, securely (important if the phone is stolen) or in the phone's own memory (useful for pre-paid SIMs).

    Here's a SIM reader for the PC to read/sync the non-secure phone list from phones with no PC link (USB, serial, I-R, Bluetooth).

  • The Segway Human Transporter (HT) is the 2 wheel scooter-like mobile
    that's occasionally in the news (police, mail carriers are trying them).

    Note that multiple DSPs (digital signal processors: specialized CPUs) are used for sensing the tilt (using gyros), controlling the motors, etc. This would not be possible if not for ubiquitous computing!



    Each Segway comes equipped with a 64-bit encrypted magnetic key to prevent theft.
    The key sets the Segway's profile that governs speed, turning radius, and battery life.
    For example, a "new user" profile limits the speed of the Segway until the rider feels comfortable to unlock its full capabilities.

    Imagine such a smart card for your car:
    - valet profile: limits speed, no access to trunk or glove box
    - student driver profile: limits speed, nags user to phone home, etc.


  • vending machines use prepaid "stored value" cards (the laundry room in my apartment building too!)

  • American Express's "Blue" card has both the magnetic strip and a smartcard.
    Smartcard readers are free for home use for secure online ordering,
    and for obtaining a secure, temporary transaction number instead of your actual card number for otherwise insecure payments.

  • Military: personal ID smart-cards augment dogtags, used for authentication and multi-level security access (they play well with printed cards, magstripes, barcodes). Wireless smard-cards (RFID) track supplies (civilian uses: reduce theft).


So why don't I see them everywhere?

The first obstacle is justifying the cost of installing the new readers, particularly if the existing system works!

Subway systems such as
  • New York MTA's Metrocard
  • NY/NJ PATH's QuickCard
  • NJ/PA Patco
  • The Washington Metropolitan Area Transit Authority Metro
still use magstripe cards very successfully and securely.


There are many opportunities but false starts have made people cautious and slow to deploy new technologies.
An large installed base of readers is needed for them to succeed:

  • in terminals / PCs
    The smartcard reader can be built directly into USB keyboards so the card's used in lieu of typing userid/password (or augmented with a PIN to prove who's at the keyboard). The card can also help securely manage other keys and private data, but would compete with existing technologies such as USB-drives and memory cards.
    Microsoft's technet advocates smartcard technology, saying
    Windows Powered Smart Cards can be customized for each user, And they can be programmed with multiple keys. The cards can be used to log on to a PC or to one or more networks and to perform remote logons. By storing all of a user's authentication information, one Windows Powered Smart Card can gain for a user admittance to all of his or her accounts - on the corporate network, within Internet chat rooms, or within financial institutions.


  • in payphones
    NYNEX/NY Telephone once had special yellow phones that only accepted their pre-paid cards, but I don't see them anywhere anymore, and despite the spread of phone-fraud, few phones have any sort of card reader.

  • at merchants
    I fear there is no incentive since so few customers have smartcards, the current equipment works well and credit card fraud detection depends on other factors now. Incentives to convert to SmartCards could include
    • stronger guarantee against fraud
    • free equipment
    • lower transaction fee
    • links to "loyalty" programs


  • Ethical, privacy and security concerns

    • Does the cardholder have the right to examine all the contents of the card?
      What about controlling the content and delivery?
      Will laws guarantee that (there are already laws concerning privacy, data accuracy, disclosure and sharing)
    • Is each content provider required to disclose the data, when and how it's used?
    here's an analogy:
    web browsers (Netscape, Internet Explorer, Mozilla, Konqueror) handle "cookies" but
    • there's security and control: you can only get your own cookies, can't spy and take others
      ex: B&N can't get Amazon's cookies
    • I can manage the cookies
      • filter what cookies are accepted/rejects: per cookie, per site
      • I can view/edit/delete the saved cookies
    I see no such guarantee with the smart cards, as if I don't have the right to know what's stored on the card or manage it

    Visa and AmEx had contests for folks to write applications for the smart cards. NOWHERE in the rules did they mention ANY guidelines for privacy or security. I'm concerned about the attitude they're conveying about uses for such capabilities.



    To learn more

    http://www.compinfo-center.com/smart_cards.htm
    FAQ, links

    http://www.smartcardfocus.com/
    FAQ, links, news, suppliers

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/smrtcard/smrtcdcb/sec1/smartc01.asp
    Introduction to Windows for Smart Cards

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/smrtcard/smrtcdcb/default.asp
    The Smart Card Deployment Cookbook for deploying smart cards in an enterprise that is deploying Microsoft Windows 2000 Active Directory. The white papers in this series will help you understand the principal smart card concepts and guide you through the planning tasks.

    http://www.cyberfone.com/
    yet another "smartphone", an attempt at an internet appliance similar to the already abandoned 3com Audrey, Netpliance's i-opener, etc. Citing the web site:
    The CyberFone, with the optional smart card/swipe card reader, will have the capability of taking orders by use of a smart card, credit card or debit card.


    http://www.smartcardbasics.com/
    industry PR site

    http://www.smartcardbasics.com/cardtypes.html
    lists types of cards, price/performance tradeoff

    http://www.opencard.org/
    The OpenCard Framework provides a common interface for both the smart card reader and the application on the card. Basing the architecture on Java technology ...

    http://www.segway.com/
    The Segway Human Transporter (HT)


    Smartcard Manufacturers

    http://www.smartcardfocus.com/links.shtml
    lists many smartcard makers

    http://www.gemplus.com/
    the leading maker of smartcards and readers