Card manufacturers create payment alliance


news

in brief

• French smart card manufacturer Gemplus International has entered into a partnership with Digigreffe, the registry office of the commercial court of Paris, and Sigillum Technologies. The aim of the partnership is to develop secure online transaction solutions using electronic certificates. Smart cards from Gemplus will act as an "electronic key" that will be used to sign for and encrypt the transfer of electronic documents from Digigreffe. Combined with Sigillum's Keysign software, this key will sign all documents with the extensions .doc, .pdf, .rtf, .txt and .tiff.

• Secure electronic transaction solutions provider Keycorp and Thales have said that they will work together to leverage their complementary strengths in development, manufacture and sale of secure payment systems. Keycorp believes the relationship with Thales will enable it to expand the range of products it offers to customers as well as broaden the capabilities of both companies through the exchange of technology expertise. The first milestone in the agreement is for Keycorp to distribute and install Thales Artema payment terminals for specific opportunities in its markets. The second milestone will be the conclusion of a broader agreement covering close technical, sales and marketing cooperation for the development of future terminal products. This involves Keycorp becoming the Centre of Excellence for software architecture, with Thales managing the development of hardware and system software.

Before the problem came to light, the EU had been about to sign off on plans which would have seen fingerprint and facial biometric identifiers loaded onto contactless chips which would have been embedded within the visa. The idea, now known to be flawed, was to then attach these visas to travellers’ passports. The incoming Luxembourg Council presidency has accepted the problems, and has recommended two possible ways forward that were deemed feasible by the technical group. The first option would be to issue a separate smart card with the visa sticker, as a storage medium for the biometric data. The second option would be to store the biometric data in the EU’s Visa Information System (VIS), which is currently expected to be operational in 2007 (see Box).

A majority of countries seem to be in favour of the latter, which would require immigration officials to perform a live match of the visa holder’s biometrics against the VIS – a move which some critics say could create longer queues for travellers. This option would also cut out the card industry from this potentially lucrative market. Proponents of the direct database solution dispute the longer-queue argument, telling CTT that this type of solution has been proven effective in the US VISIT programme. They also counter arguments against the perceived increased cost of a centralised system, pointing out that an online solution would have been implemented in any case, for instances when travellers’ smart cards were unreadable. They also say that the expense of rolling out a smart card solution and associated readers would not be sensible.

It was reported that France and Italy were unhappy at having just two options but several delegations supported the presidency’s idea and some also said they would prefer to wait for the VIS system to be implemented, rather than seek any costly intermediary solutions. An EC-insider hinted to CTT that the work on a centralised biometric system could be accelerated by one year if the go-ahead is given, meaning a biometrically-enabled VIS system ready by the end of 2006, rather than 2007. If all the delegations approve this suggestion, the commission will be invited to amend its proposal. The new visa system does not currently apply to the UK and Ireland, which opted out of cooperation on visa rules.

The two visa solutions

Option 1

The solution – a visa sticker would be accompanied by a separate smart card. There would be one card issued with every visa. Chip ‘collisions’ could then be avoided as the card can be separated from the passport and be read individually.

Possible problems: Increased cost of rolling out a smart card with associated infrastructure at embassies worldwide. Measures would have to be established to deal with travellers that had lost their biometric-based smart card (probably through interrogation of the central VIS database). Durability of the card solution would also have to be ensured.

Option 2

The solution – store the biometric data in the central Visa Information System (VIS) and not on the sticker itself.

Possible problems: The VIS is not currently operational and the biometric element to it won’t be until 2007 (unless this action speeds up its introduction). At this point in time the central part of the VIS will be operational, but it is unlikely that all Member States would have rolled out the biometric enrolment infrastructure at their embassies worldwide in order to collect the required biometric data. Once operational, possible problems envisaged are that the live checking procedure could be lengthier than an offline system leading to longer queues.

in brief

• Smart card manufacturers Gemplus and Axalto have entered into a non-exclusive cross-licensing agreement, granting each other broad rights under their respective patents in the areas of smart cards and related devices. The agreement will enable each company to continue developing their respective technologies and to compete more freely in the growing markets for their products. The terms of the agreement are confidential.

• Market forecaster Celent has said that smart cards will have a significant presence in the USA by 2012, despite their slow adoption to date. According to a recent report by the group, several factors will determine the development of smart cards, including the threat of fraud, EMV, and the overall migration of smart cards across the world. Other factors, such as the elimination of cash-based systems, radio frequency technology, and the proliferation of smart technology in other industries, are also spurring the renewed interest in smart cards in the US.

alliance

Card manufacturers create payment alliance

In a bid to try and stimulate the market for multi-application smart banking cards, four of the world’s leading smart card manufacturers – Axalto, Gemplus International, Giesecke & Devrient (G&D) and Oberthur Card Systems – have teamed up to create the Smart Payment Alliance (SPA). The primary objective of the alliance is to foster and facilitate the use of smart cards to make payments, but clearly there will be an emphasis on trying to promote the idea of using higher specification cards, which could allow value-added applications, such as loyalty programmes. In a statement the alliance said it wants to accelerate the transition from traditional magnetic stripe cards to chip-based cards by:

• promoting the benefits of smart cards for financial institutions;

• ensuring optimal interoperability between all system components, for both payment and value-added applications;

• being represented on standardisation committees and payment associations;

• describing potential value-added applications and, whenever necessary, establishing joint industry specifications for them.

The alliance’s strategy will be to position itself as a partner of EMVCo and help to bolster Visa and MasterCard’s actions on EMV specifications and their implementation.

Card Technology Today February 2005

According to Marie-Jane Denis, director of Finance Marketing and Solutions at Oberthur Card Systems, interoperability will be one of the key messages: “To improve interoperability between all the elements of a payment card system, e.g. cards and terminals, the SPA will devise joint industry specifications – especially for value-added applications – whenever necessary and not already covered by the payment associations.” The association is open to additional members from the industry, especially card vendors, terminal vendors and payment associations.

Contact: Smart Payment Alliance, email: [email protected]

company news

Vasco snaps up smart card reader outfit

Vasco Data Security International, a provider of user authentication products to the financial sector, has acquired smart card reader provider AOS-Hagenuk. The deal will see Vasco purchase all of AOS-Hagenuk’s stock for Euro 5 million (US$6.5 million) in a cash and stock deal that saw Vasco pay 3.75 million euros in cash and the remainder in Vasco common stock, the company said.

AOS-Hagenuk is an established player in the card related e-banking market with an installed base of more than 2.5 million card based authentication devices. It generated revenues of Euro 4.4 million in 2004 (US$5.4 million), an 85% increase over 2003. In particular AOS-Hagenuk has a strong market position in the Netherlands and its customers include Fortis and ABN-Amro. The company made operating profits in both 2004 and 2003 and is debt free.

Through the acquisition Vasco hopes to strengthen its product line and position in the card enabled secure e-banking and e-commerce market. Vasco believes that the combination will allow it to take advantage of opportunities in a variety of markets, particularly the emerging EMV (Europay-Mastercard-Visa) environment. In a company statement Vasco said: “Although before today Vasco and AOS-Hagenuk were competitors, there is hardly any overlap in the current product offerings.”

Vasco said it will centralize its smart card related R&D activities in AOS-Hagenuk’s offices in The Netherlands, so creating a secure smart card reader research and development centre. According to Jan Valcke, Vasco’s president and COO: “AOS-Hagenuk brings us a number of highly experienced smart card developers, which allows us to accelerate the development of Vasco’s smart card reader offerings and to be confident about future evolutions in the smart card market. We believe that there are important synergies between Vasco’s Digipass and AOS-Hagenuk’s PocketID unconnected smart card reader.”

Contact: Jochem Binst at Vasco, Tel: +32 2 456 9810, email: [email protected]

rfid

Common RFID tags cracked by researchers

The encryption used in certain radio-frequency ID (RFID) microchips, particularly those that are used to deter car thefts and as a convenience device for the purchase of petrol, has been defeated with low-cost technology by scientists at The Johns Hopkins University and RSA Laboratories in the USA. Using an inexpensive (US$200) electronic device, the researchers said that criminals could wirelessly probe a car key tag or payment tag in close proximity, and then use the information to crack the secret cryptographic key on the tag. By obtaining this key, a criminal could more easily circumvent the auto theft prevention system in that person's car or potentially charge their own petrol purchases to the tag owner’s account.

The researchers uncovered the vulnerability while studying Texas Instruments’ Registration and Identification System, a low-power RFID transponder used worldwide. The researchers said that more than 150 million of these transponders are embedded in keys for newer vehicles built by at least three leading manufacturers. The transponders are also inside more than six million key chain tags used for wireless gasoline purchases, the researchers claimed.

It would have taken more than two weeks for the researchers to find the encryption key when running on 10 very fast PCs. They therefore implemented a key-search using a field programmable gate array (FPGA). FPGA evaluation boards are available for under US$200 each with all of the necessary development software and cabling. A single FPGA is expected to crack a key in just over 10 hours. To decrease this key-cracking time even further, the scientists connected 16 FPGAs together at a total cost of under US$3,500. Using five SpeedPass tokens, the system was able to recover all five keys in well under two hours.

“In cars as in commerce, RFID is becoming a lynchpin for security in day-to-day life,” said Ari Juels, principal research scientist of RSA Laboratories. “It is important that RFID devices offer a level of security commensurate with the value of the assets they protect. Our aim is to help the industry achieve this standard.” In SpeedPass’ favour, the SpeedPass network has on-line fraud detection mechanisms, loosely

in brief

• Japan is expected to begin issuing contactless driver's licenses early in 2006. The license will replace a standard plain plastic card that is currently held by about 80 million Japanese citizens. One of the main aims is to try and prevent commonplace counterfeiting of the cards, which are also often used as ID cards. The National Police Agency has said all regions should begin rolling out cards within five years. The cards are expected to carry an 8 kbyte ‘type B’ chip and will hold the same information as is already on the front of the card, along with a digital photo of the cardholder and a digital certificate.

• Gemplus International claims to have carried out the world’s first high speed Java SIM card applet download over the live 3G infrastructure of 3 Hong Kong. Using a faster communication channel based on USIM and OTA technology for 3G1, Gemplus was able to download a data applet over 3 HK’s live network onto a 3G video mobile phone at a speed of 384 kbit/s. According to the supplier, this represents a significant improvement over SMS bearer technology which is currently used for SIM OTA in 2G. Download capability at this speed means that mobile operators will be able to maximise the potential of large USIM cards sized 128 kbytes and above.

• Dreifus Associates Limited has received FIPS 140-2 Level 3 security certification for its C3 Applet Suite on Axalto Cyberflex Access 64K smart cards. The supplier claims that this marks the first time that any applet suite compliant with the latest Government Smart Card – Interoperability Specification (GSCIS), version 2.1, has received this level of security certification. With the new applets Dreifus is targeting organizations interested in reaching higher levels of security for IT systems access or identity credentials in both the government and private sectors.

• On Track Innovations (OTI) America has been awarded a US General Services Administration (GSA) Federal Supply Schedule Contract for OTI's SmartID suite of products for homeland security. The products have also been certified as meeting the Federal Information Processing Standards mandated for Federal government homeland security programs. The GSA contract enables US Federal agencies, as well as state and local government agencies, to purchase OTI's products and related services.
