Industry told “don't panic” over ePassport clone


news health care rebates and other government benefits will be required to hold the card.

contactless

100 million Americans say yes to contactless

More than 100 million Americans would use contactless cards to pay for inexpensive, everyday items such as fast food, convenience store items and transit fares, according to a new survey. A large number of consumers would also use contactless cards to pay for parking, video games and vending items, according to the research which was conducted by Ipsos Insight and Peppercoin.

According to Matt Kleinschmit, vice president, Ipsos Insight: “This research shows that consumers are open to embracing the convenience of contactless cards and many of them are willing to use them to buy everyday items. And this is particularly true for younger Americans, reinforcing the long-term growth potential of contactless card technology and the payment card industry.”

Looking at the specific results, more than 50% of the 1001 respondents, which translates into more than 100 million Americans, would use contactless cards to buy gasoline, items from fast food restaurants or corporate cafeterias, or groceries. More than 40%, meanwhile, would use contactless cards to pay for convenience store items and transit fares (subway and bus fares and tolls). Almost 40% said they would use contactless cards to buy coffee or pay for parking, and 30% (60 million Americans) would use contactless cards for video games or at a vending machine or kiosk. There was a greater acceptance with young consumers, while high income consumers (greater than US$50,000/year) are more likely to use contactless cards.

Security and ease of use were seen as the top obstacles surrounding contactless card acceptance. Depending on the specific market, between 13 and 22% of respondents indicated security concerns would keep them from using contactless cards. According to Ipsos the data indicates a need for companies leading contactless roll-outs to educate consumers about the cards’ safety and how easy they are to use.
Contact: Julie Goldman for Peppercoin, Tel: +1 781 684 0770, Email: [email protected]

contactless

Card Technology Today July/August 2006

Chase announces ‘blink’ success

In just one year, Chase Bank has issued almost seven million ‘Blink’ contactless credit cards to card members in Connecticut, Colorado, Delaware, Florida, Georgia, New Jersey, New York, Pennsylvania and Texas. Meanwhile, the cards can be used at more than 25,000 merchant locations nationwide, ranging from convenience stores to sports stadiums.

Partnering with Visa U.S.A. and MasterCard International, Chase was the first issuer to broadly offer contactless credit cards to consumers. The company says that merchants and consumers have benefited from the speed, convenience and easy-to-use contactless payment method. In particular, the company credits blink with:

• increasing the average ticket sale for some merchants by 40% more than cash purchases;
• increasing the frequency of everyday purchases at many contactless-enabled merchants by 35% over credit cards with traditional magnetic stripes;
• reducing consumers’ waiting time in line by 15 to 20% in stores and 40% at the drive-through for quick service restaurants;
• reducing consumers’ average transaction time by 10 to 40%.

As a possible extension of contactless payments, Chase participated in the first large-scale Near Field Communication (NFC) trial by blink-enabling mobile phones to deliver mobile phone contactless payments to Atlanta Hawks and Thrasher fans at Philips Arena.

Erik Michielsen, director of ABI Research’s RFID and M2M practice commented: “Contactless commerce has experienced tremendous growth. We expect contactless payments to continue to grow, and companies like Chase contribute to making merchant and consumer adoption a reality.”

epassport

Industry told “don’t panic” over ePassport clone

News that electronic passport chips can be “cloned”, supposedly making them a waste of time, effort and money, sent ripples of concern through the industry. However, this was not because the announcement was surprising per se, but because of the potential damage it could do from a public relations perspective.

The announcement was made by Lukas Grunwald, a security consultant with DNSystems in Germany, during a security conference in the USA (see How the passport was cloned). While the content sounds shocking – and certainly made good headline material for hundreds of publications worldwide – it turned out to be completely irrelevant in the real world.

in brief

• LaserCard Corporation has secured a US$2 million order for a sports membership card project in the European Union. The project will be implemented by MCB Company, a LaserCard value added reseller based in Ljubljana, Slovenia. The card order was received from Prevent, a local Slovenian company supporting the program. Slovenia currently has a paper based sports association membership booklet, which contains information related to the holder’s membership and sports history. According to MCB, these paper booklets will be replaced over the coming year and could contain health information, securely stored on the optical memory, in addition to the existing basic data. Shipments were expected to be completed in July.

• According to local press reports, the Thai Government is speeding up its smart card issuance process to cover all provinces nationwide by 2008. The smart card will contain all personal data for Thai citizens, such as date of birth, marriage and education.

• The French Groupement des Cartes Bancaires (GCB) is granting approval for the immediate release of Visa and MasterCard cards equipped with the EMV DDA mask developed by Sagem Orga. The mask, which is already in use by France’s largest banks, enables all bank applications typically found in France. It has been awarded the EAL 4+ certificate and features a cryptoprocessor with improved Dynamic Data Authentication (DDA) for enhanced security. Delivery of the cards to French banks began in May this year.

• Thales is to provide the city of Dubai in the United Arab Emirates with a secure fare collection system for its first rail network. During the project, Thales will equip all the stations with access gates, ticket vending machines, station computers and a central controlling system. The first line is due for completion in 2009, the second in 2010. It is predicted that the network will carry 1.2 million passengers a day. The system is expected to relieve private vehicle traffic on the city’s congested roads.

• 3M has entered into a definitive agreement with German company authentos to acquire Secure Printing and Systems Limited (SPSL), the UK-based producer of passports and secure cards. The transaction was expected to close by the end of July 2006. SPSL has provided passports to the UK government for more than 40 years and it is expected that the company’s portfolio would complement 3M’s expertise in RFID, security laminates for passports and secure document issuing systems.


in brief

• ActivIdentity Corporation has announced the appointment of Robert Brandewie as senior vice president of the company’s new Public Sector Solutions group. Brandewie will be responsible for driving the company’s relationships with government customers to address the challenges of planning and implementing their large-scale, multi-function smart card programmes. ActivIdentity is involved in numerous identity assurance programmes, including the US Department of Defense’s Common Access Card program, which is one of the world’s largest multi-function smart card deployments.

• Irdeto, a company specialising in content security for digital TV, IPTV and mobile networks, is to provide one million smart cards to Shaanxi Broadcasting & TV Information Network Co. to secure the migration to digital TV of the country’s first unified provincial cable TV network. According to the company the agreement marks the single largest contract for smart cards awarded to any content protection vendor in China to date. Irdeto will provide its Epsilon smart cards to Shaanxi in what is believed to be one of China’s largest digitalization projects covering an area of 4 million TV households.

• Omnikey, a provider of smart card readers, has joined the NFC Forum to help to expand the connectivity of NFC credentials and devices to personal computers. The Near Field Communication (NFC) Forum is a non-profit industry association formed to advance the use of NFC short-range wireless interaction in consumer electronics, mobile devices and PCs. Interoperability between all NFC devices, which are based on 13.56 MHz technology, and easy consumer interaction with those devices are the major goals of the Forum. NFC technology evolved from a combination of contactless identification and interconnection technologies. It combines the functions of a contactless reader, a contactless card and peer-to-peer communication.

• Hong Kong supplier Advanced Card Systems (ACS) has launched the ACR88 handheld portable smart card reader and Software Development Kit (SDK). The ACR88 has a built-in keypad, LCD display, bi-colour LED and buzzer features, and is designed for multiple applications. According to the company, it is capable of performing secure authentication, displaying rich information from the card and conducting online and offline transactions. The reader is programmable through ACR88 ScriptBuilder, which enables users to build their own standalone applications according to script commands provided by ACS. The company says its ACR99 SDK enables development of customised applications and systems using smart cards, card readers and PCs.


Weighing in with comments from the smart card industry, Randy Vanderhoof, executive director of the Smart Card Alliance (SCA), explained succinctly why there is little to be worried about: “Even if someone could copy the information on your e-passport chip, it doesn’t achieve anything, because all of the information is locked together in such a way that it can’t be changed. It’s no different than someone stealing your electronic passport and trying to use it. No one else can use it because your photo is on the chip and they’re not you.”

SCA contends that the global electronic passport program makes passports virtually impossible to counterfeit and prevents anyone other than the passport owners from using them. The layered security features also prevent anyone from spying on e-passports as you walk by with a passport in your purse or pocket. Vanderhoof explained how the passport verification process works to prevent fraud:

• First, the information on the printed page, including the bearer’s photograph, is stored on the chip and displayed on a screen at passport control. By comparing the digital information, the printed passport and the person, passport control can confirm everything matches. They will immediately see a discrepancy if someone is attempting to use someone else’s e-passport chip information.

• Second, the information on the chip is digitally signed by the issuing country’s passport authority. That information is locked together and any changes to it would be detected at passport control. It also means any attempt to create false data and a fake passport credential would be detected. Unlike paper passports, where a photo can potentially be replaced, the digital photo and other information on the e-passport chip cannot be changed.

• Third, the e-passport book design requires that it be handed over and opened before any information stored on the chip is communicated. Then, a unique code printed inside the cover must be optically scanned and presented to the e-passport chip before it will communicate the passport information. All information exchanged between the reader and the e-passport chip is encrypted.

According to Vanderhoof, taken together these capabilities mean that no one could use a lost or stolen passport – or even a copy of one – to illegally enter the country.

One argument put forward by Grunwald was that a cloned document, such as his ePassport, would be useful in an unattended automated border control scenario. However, most industry experts told CTT that the ePassport is not designed for such use, and if it were, then there would have to be a biometric system in place to verify that the biometric image stored on the passport matched the person presenting the document. This sort of system is in place in Australia through its Smart Gate project.

Anti cloning possible?

Although there is no clear advantage to having a cloned passport there are ways to prevent it from happening. ICAO’s MRTD documents clearly state that an encryption process known as Active Authentication can counteract cloning attempts. Richard Conway, CTO at Temporal S. told CTT that Active Authentication is based on a challenge-response protocol, and a cloned passport would never be able to adhere to this protocol. This is because the required private key is stored in a special part of the passport chip that cannot be accessed for cloning.

Most countries have steered clear of Active Authentication because it can increase ePassport reading times and costs. However, fingerprint-based ePassports, such as those to be launched by EU Member States from 2009, will use a process known as Extended Access Control. According to Conway, this process has parallels with Active Authentication, but goes even further because it also proves the passport reader is a valid reader.
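The distinction drawn above, as an added example (not code from the article, ICAO or any vendor): a simplified model in which the issuer's signature lets copied data verify but not be altered, while a challenge-response against a key held inside the chip exposes the copy. The class and function names, the sample holder data and the toy textbook-RSA keys are assumptions made for illustration and are not secure parameters.

```python
import hashlib
import secrets

def toy_keypair(p, q, e=65537):
    # Textbook RSA over two known Mersenne primes: illustration only, not secure.
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

class Chip:
    def __init__(self, data, issuer_sig, aa_pub, aa_priv=None):
        self.data, self.issuer_sig, self.aa_pub = data, issuer_sig, aa_pub
        self._aa_priv = aa_priv              # held in the chip, never returned by read()

    def read(self):                          # everything a reader can copy
        return self.data, self.issuer_sig, self.aa_pub

    def respond(self, challenge):
        # Without the private key no valid response can be produced.
        return sign(self._aa_priv, challenge) if self._aa_priv else 0

def inspect(chip, issuer_pub, active_auth):
    data, issuer_sig, aa_pub = chip.read()
    # The issuer's signature covers the holder data and the chip's public key.
    if not verify(issuer_pub, data + repr(aa_pub).encode(), issuer_sig):
        return "rejected: data altered"
    if active_auth:
        challenge = secrets.token_bytes(8)   # fresh per inspection
        if not verify(aa_pub, challenge, chip.respond(challenge)):
            return "rejected: chip is a copy"
    return "accepted"

def demo():
    issuer_pub, issuer_priv = toy_keypair(2**89 - 1, 2**107 - 1)
    aa_pub, aa_priv = toy_keypair(2**61 - 1, 2**127 - 1)
    data = b"CONSTRUCTED SAMPLE HOLDER: ANNA ERIKSSON"
    sig = sign(issuer_priv, data + repr(aa_pub).encode())
    genuine = Chip(data, sig, aa_pub, aa_priv)
    clone = Chip(*genuine.read())            # identical readable contents
    altered = Chip(data.replace(b"ANNA", b"JANE"), sig, aa_pub)
    return (inspect(genuine, issuer_pub, True), inspect(clone, issuer_pub, False),
            inspect(clone, issuer_pub, True), inspect(altered, issuer_pub, False))
```

`demo()` returns the four inspection outcomes in order: genuine chip with the challenge, copy without it, copy with it, and altered data.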

How the passport was cloned

It took Grunwald two weeks to clone the electronic passport chip. He tested the attack on the German ePassport, but claims the method would work on any country’s ePassport, because all of them adhere to the same ICAO standard. (This is not true of countries using Active Authentication, which is an encryption process that could optionally be used by countries to prevent cloning.)

Grunwald placed his passport on top of an ACG Identification Technologies’ passport reader. He then used secunet Security Networks’ Golden Reader Tool to read the data on the passport chip. Grunwald then put a sample blank passport page embedded with an RFID tag onto the reader/writer and burnt in the ICAO-specified layout. Finally he used a bespoke piece of software to program the new chip with the copied information.

healthcare

Smart healthcare for Algeria

The Algerian national health insurance authority (Caisse Nationale de la Sécurité Sociale des Travailleurs Salariés, CNAS) has selected French smart card manufacturer Gemalto to design, build and implement the country’s first card-based healthcare system. The contract calls for the issuance of seven million smart cards over three years, for which Gemalto will be the sole provider. As prime contractor, Gemalto will also manage the entire project, which is expected to roll out in 2007. Under the contract, Gemalto will provide CNAS with a system that authenticates both
