Smart Cards: How cards are classified Part 1

Cards differ in symbologies and standards

This is the first of the 3-part series on Smart Cards:

• Smart Cards Part 1: How cards are classified
• Smart Cards Part 2: Are the benefits of contactless cards outweigh the risks? 
• Smart Cards part 3: The ABC of Hacking and the XYZ of Protecting your cards 

Cards are classified based on the standards they bear or represent. These standards among others, are part of the International Standardization which govern cards' physical properties, electronic frequencies they carry, type of data and data structures they accept or recognize,  how data is stored and secured, and how information are read or interrogated.

The reason why I brought this information is to provide an idea how smart cards came to be AND to demonstrate the nature or extent of data AND data security these cards carry. So that card users like you and me may be aware of which card technology represents a better option in choosing the right card for your present needs. Here are the general classifications of cards according to the standard they represent:

Barcoded Cards. 

The current international barcode specification is ISO/IEC 15416 for linear barcodes and ISO/IEC 15415 for 2D barcodes, ISO/IEC 15426-1 for linear barcode verifier compliance standard, or ISO/IEC 15426-2 for 2D barcode verifier compliance standard. Barcode specifications are currently governed by at least 22 standards which covers 14 barcode symbologies.

Examples of 2D barcodes include Data Matrix
and QRCodes, among others.

Those lines and dots that you see among barcode cards (see above image) represent information we call symbologies.  They are optical machine-readable representation of data or information. Some barcoded cards are hybrid cards because they carry more than one type of data storage capability. But the standard barcode cards do not contain any form digital security enhancements and they are the least secured among all card types.

They do not contain any ciphered information other than the lines and dot they represent. But once you are able to manually decipher a symbology, you will know exactly what information they contain. They are not smart cards. For starters, here is a simple tutorial to decode the meaning of a UPC barcode.

Some barcode symbologies can be complex and hold more data. These are the 2D barcodes. Example of 2D barcodes are the PDF417, Data Matrix, and QRCodes. These barcodes are ideal for drivers' licenses, company ID's,  supply chain management, and many other applications around the world.  

Magnetic Stripe Cards.

Magstripe cards are based on the following standards most notably ISO/IEC 7811, 7813, which defines properties of magnetic stripes and magnetic data structures. Magnetic stripes reading and processing date back in 1960 and invented by IBM. These stripe cards can typically be read by most point-of-sale hardware, ATM machines, security access, transportation services, etc. 

The back of a credit card showing the magnetic stripe

Examples of cards adhering to these standards include ATM cards, bank cards (credit and debit cards including VISA, MasterCard, American Express, etc), telephone cards, gift cards, loyalty cards, driver's licenses, membership cards, food stamps cards, and nearly any application in which value or secure information is not stored on the card itself. A typical credit card uses a magnetic strip to store account information, which is only retrieved when swiped through a swipe machine. 

The strips of the cards are made of Mylar, the same material use in the production of the obsolete 1.44 floppy disks, magnetic audio and video tapes, capacitor dielectrics. Like any material with magnetic field, they can lost their magnetic properties when contact with greater magnetic field, when they are exposed to heat that past Curie point, when they are constantly being rub or made friction against the surface material. When it happens, it loses the stored data and render them unreadable and useless.

That is why credit card companies need to replace your card at regular intervals not only because they are nearing the expiration date but most importantly because of wear of the magnetic field of the striped card. They are good source of data storage but they are not secured nor reliable.

The most common information encrypted into the magstripe are cardholder number, cardholder name, name of the company if it is a corporate card, expiry date and the validation security code. It is true that these information are encrypted, but with the use of a credit card catcher or a portable reader, and a little bit of ingenuity, you can easily steal these information. Yes, there is a certain level of security, but not smart enough.

Contact Smart Cards.
These smart cards are made under ISO/IEC 7816 standard particularly Parts 4 and above. They are have built in chips like ISO/IEC 14443 proximity cards. One cool feature of these of cards is that they can act both as contact and contactless cards using 13.56MHz frequency. Some bank cards and security cards are made with this standards. Companies that issue these cards are AMEX, CCETT, ECBS, Ecma International, IATA, ICAO, ICMA, ILO, MasterCard, UNECE, VISA.

Proximity Cards.

Credit cards with the wave icon as shown
above are contactless and use the
"wave and go" technology

These are the contactless or swipeless smart cards. They are governed by ISO/IEC 14443 set of international standards covering proximity smart cards. Unlike barcode cards and magstripe cards, proximity cards operate using radio frequency (RF) via the miniature IC, capacitor, and thin coiled antenna embedded within the them. They are called proximity cards because the information built into them can only be read within 3 inches distance.  Older proximity cards operate using a low frequency mode at 125KHz while the newer ones operate at 13.56MHz. 

A common internal architecture of a
smart card showing the embedded IC,
capacitor, and antenna coiled around it.

This is the reason why you need to wave your contactless smart card over a smart card reader close enough to excite the coiled antenna from your card and fires up the capacitor, which in turn energizes the IC to proceed with the process. Some common example of proximity cards are the RF-based credit cards. 

As early as 2002, MasterCard had tested RF cards know as Paypass and it was later offered to card users thereafter. All other credit card companies also have endorsed ISO 14443 as the most appropriate interface protocol for contactless payments because it supports encryption and a very short read range between the card and reader, both of which allow for secure transactions. 

There are other form factors of ISO 14443 aside from the standard 3.375x2.125 cards. These are the key fobs and SIM cards for mobile phones. More examples of proximity cards aside from credit cards are the HID access cards, the Oyster cards that are used for public transportation access within Greater London Area.

This card is a contactless credit card bearing the wave icon.

Credit Card companies tell us that contactless card are more secure than ever. They said that information being transmitted are subject to 128-bit encryption, that the card would never leave from your hands when making a transaction, that these cards do not transmit your credit card number, that even if it get intercepted by fraudulent means, issuers normally extend fraud protection to their users. Well, in a way, yes. But that is according to them. In reality one can easily hack these RF-based credit cards using an under $50 gadget that you can buy from eBay or Craigslit, a software and some inventiveness.

Vicinity Cards.
This is the ISO/IEC 15693 standard. They are also RF-based cards and operate on 13.56 MHz frequency. They are called vicinity cards because their reading distance is within 1 to 1.5 meters or 4.3 feet. They are very appropriate in applications such as National ID system, e-Passport card, e-drivers license, etc. The US used RF-based passport in 2006 but it was only the year after when it became available to the public. It is more secured in the sense that it was designed to incorporate a thin metal lining to make it more difficult for fraudulent skimming when the passport is closed. RF-based e-Passports are sometimes called biometric passports.

The image on the left is an example of a biometric passport. The image on the top right shows the embedded
RFID  of a British passport. The enlarged image bottom right is the logo of an RFID-based passport.

There are 2 types of  security standards currently implemented for e-Passports booklet: BAC and EAC. The BAC (Basic Access Control) is a first-generation ePassport RF chip which contain simple biometric information of the passport holder. The EAC is the enhanced version of BAC which allows a stronger biometric information that makes impersonation or forgery of a legitimate passport holder nearly impossible.

But, the electronic passport card version use to cross a border, say US to Canada, have found serious security vulnerabilities. In fact you can clone it in less than $250.00.

Q&A:
Is contactless smart card technology the same as RFID technology?

NO. Although both technologies are radio frequency enabled, each technology uses different operational parameters, uses different frequencies, and level of security and privacy features. The most common use of RFID technology is product identification for manufacturing, shipping, and merchandise tracking in supply chain. Contactless smart cards use RF technology but they operate a very short range frequency, with read/write capabilities and can contain multiple security features and they are mainly use with cards that contain secured information and sensitive identification.

So, what are the benefits of contactless smart cards and the security risks associated with them? Well, that would be the next topic for the Smart Card Series.