feature
Technology in action
New applications for contactless technology

With two billion smart cards shipping each year, a large percentage of the world’s population uses them one way or another. Today, 97% of those units are ‘contact’ smart cards, cards that must be inserted into a device of some kind – a phone, a payment terminal or a reader attached to a PC – in order to be used. But all that is about to change. The three percent minority represents an up and coming alternative – contactless smart card technology. As the name implies, these cards do not need to go into a reader to function. These cards work by simply coming near a reading device, usually about three inches or less. Contactless smart cards may be a small part of the market today, but there are market forces already at work that guarantee they will play a much bigger role in the near future.

The underlying technology for contactless smart cards, radio frequency identification (RFID), has been around for a long time. The British first developed it during World War II as a means of identifying aircraft returning from mainland Europe. In the late 1970s experimentation began on tracking cattle using implanted RFID tags. By the mid 1980s, companies began embedding RFID chips and antennas into employee cards for physical access control. By 1986, RFID fish tags were used for tracking salmon. RFID tagging has grown into a major industry, used for animal tracking, baggage tagging, laundry identification, asset and inventory control, car immobilisation and truck and cargo tracking, and access control.
Just the same?

Contactless and earlier RFID products both work the same way. They are typically contained in a credit-card sized plastic card body, although they can be packaged in many different formats such as tags, tokens and more recently pages inside passport booklets. Unlike contact cards, contactless technology is completely inside the plastic card and nothing is visible on the card surface. Inside the card a contactless chip is wired to an antenna; when the card is brought near the
reader, a high frequency radio field makes a connection providing power to, and exchanging information with, the chip. In recent years contactless cards have grown in sophistication and come down in size and cost, creating new applications. There are three types of contactless cards or tokens: memory, wired logic and microprocessor cards. Memory cards use a chip or other electronic device to store authentication information. In their most secure form, memory cards store a unique serial number and include the ability to permanently lock sections of memory or allow write access only through password-protected mechanisms. Wired logic cards have a special purpose electronic circuit designed on the chip and use a fixed method to authenticate themselves to readers, verify that readers are trusted, and encrypt communications. Wired logic cards lack the ability to be modified after manufacturing or programming. Microprocessor cards are smart cards with a small computer inside, and are, generally speaking, more robust in features than either wired logic or memory cards. Special circuits are often built into the chip hardware for intensive operations like encryption, and the microprocessor itself can be programmed for different tasks. Contactless microprocessor cards also have greater memory capability and run card operating systems. Contactless smart cards with an embedded microprocessor are capable of more sophisticated on-card security operations, such as the ability to perform encryption; store and verify biometric and digital signatures; and interact intelligently with the card reader. Often hardware and software-based tamper resistance features actively protect card contents.
One of the sectors to embrace contactless technology worldwide is the transit industry. In 1997, Hong Kong launched the Octopus card, a contactless smart card-based fare payment system that is now accepted in merchant locations as well. Over nine million Octopus cards and 150,000 smart watches have been issued, and over seven million transactions are recorded on a daily basis. According to the Asia Pacific Smart Card Association, 25% of Octopus card transactions are unrelated to transit. This is the most successful and mature implementation of contactless smart cards used for mass transit payment, and includes over 100 service providers, and all of the major transport operators for bus, taxi, subway, train, tram and ferry services. Since then, other leading world cities have implemented contactless fare payment systems. In the US, a once-in-a-generation upgrade of fare-collection systems is taking place to contactless smart cards. “This industry is spending US$1.2 billion on smart card projects over the next five years for transit,” Tom Parker of the Bay Area Rapid Transit System (BART) told attendees at the Smart Card Alliance annual meeting in October 2004. “10 years from now the de facto transit fare card in the USA will be a smart card,” he added.

But there is another major factor pushing contactless technology – security. After the tragic terrorist incident in the US on 11 September 2001, the US federal government asked 27 visa waiver countries to develop passports including biometric data. Under the auspices of the International Civil Aviation Organization (ICAO), 130 countries worked together to define and develop standards for ePassports and corresponding readers based on contactless technology. Two goals of the programme are to ensure that those passports cannot be copied or altered, and that a biometric would be available to help confirm that the person using the ePassport is the same person to whom it was issued.
Specifications

The technical requirements defined by ICAO in May 2004 stated that the electronically stored data in the ePassport would be basically similar to what is ‘visually’ printed on the passport or on a visa, that is a picture of the individual, name, address and other standard passport information. Today, the primary biometric is the facial image, the same as today’s passport. The standard also allows for the future use of other digitally stored globally interoperable biometrics, such as a fingerprint or iris scan, although at this time these are optional
Card Technology Today April 2005
depending on the preferences of individual countries. What makes this ePassport secure is that the information and photo inside the chip can’t be changed or falsified. The first added security layer is that the passport chip is machine-verified by a contactless smart card reader to show a legitimate passport authority issued it. This verification, based on checking the digital signature of the information stored in the ePassport chip, relies on common public key cryptographic methods and computer verification, instead of relying on an agent visually checking each passport to try to determine if it is counterfeit or falsified. However, the European Union is determined to go further than this minimum specified by ICAO and has stated its goal to achieve additional security levels for data protection, encryption of communications and higher levels of authentication between the ePassport and the contactless reader.
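A simplified model of the signature check described above, added here as an illustration and not taken from the article or from the ICAO specification. The data group names, the hash-list layout and the choice of ECDSA P-256 with SHA-256 are assumptions; the point shown is that the reader verifies with the issuer's public key alone.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed model of the chip contents; this is not the ICAO data encoding.
type Group struct{ Name string; Data []byte }
type Chip struct{ Groups []Group; Sig []byte } // Sig: issuer signature

// digest hashes each group, then hashes the list of (name, hash) pairs.
func digest(groups []Group) []byte {
	var buf bytes.Buffer
	for _, g := range groups {
		h := sha256.Sum256(g.Data)
		buf.WriteString(g.Name + "\x00")
		buf.Write(h[:])
	}
	d := sha256.Sum256(buf.Bytes())
	return d[:]
}

// NewIssuerKey creates the authority's key pair; the private half stays there.
func NewIssuerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Issue signs the chip contents at the passport authority.
func Issue(priv *ecdsa.PrivateKey, groups []Group) (Chip, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(groups))
	return Chip{Groups: groups, Sig: sig}, err
}

// Verify is the reader-side check; it needs only the issuer's public key.
func Verify(pub *ecdsa.PublicKey, c Chip) bool { return ecdsa.VerifyASN1(pub, digest(c.Groups), c.Sig) }

func main() {
	priv, _ := NewIssuerKey()
	chip, _ := Issue(priv, []Group{{"DG1", []byte("SAMPLE<<HOLDER")}, {"DG2", []byte("face image")}})
	fmt.Println("genuine chip accepted:", Verify(&priv.PublicKey, chip))
	chip.Groups[1].Data = []byte("substituted image") // changed after issuance
	fmt.Println("altered chip accepted:", Verify(&priv.PublicKey, chip))
	other, _ := NewIssuerKey() // a key pair that is not the authority's
	fake, _ := Issue(other, chip.Groups)
	fmt.Println("re-signed chip accepted:", Verify(&priv.PublicKey, fake))
}
```

Only the first check succeeds: changing any stored group breaks the signature, and a signature made with any other key fails against the authority's public key.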
High security?

With today’s ePassport, the passport control officer provides the second security layer. He or she compares the image and information on the chip with the printed information in the book and confirms that they match, and then compares both to the individual to make sure it is the person to whom the ePassport was issued. The significance of this increase in security to passport documents should not be missed. Put somewhat simply, making false passports today is not much more involved than high-end printing, cutting and pasting. Counterfeiting the new ePassports would require breaking the public key cryptography system used to make the chips, something that is not even in the chip itself. This puts counterfeiting in the realm of something that has never been done. In addition, since the system is based on public key cryptography the ePassport contactless readers and the passports themselves do not have any information that could be used to create falsified passports.

Making this evolution of the passport happen globally is no small feat. Modifying contactless technology for the passport books and creating readers for personalising and verifying are underway. Despite the fact that contactless products are based on ISO standards and are in widespread use globally, each has its own ‘flavour,’ which results in a huge interoperability and integration issue. In a meeting in 2004, around 25 passport and smart card manufacturers and 15 reader manufacturers including SCM Microsystems met with ICAO to advance the project and wrestle with the standards issues. Some of the
other barriers included extending the data handling for the biometric, achieving reliable high-speed data communications and consistency. Reader manufacturers face the further technical challenges of highly complicated passport readers, such as metal shielding, electromagnetic compatibility (EMC) radiation and integrated scanners that visually read other information in the passports.

The first interoperability tests took place in the US and Australia in July 2004. These were followed by an interoperability test at Baltimore-Washington International Airport (BWI) late last year. The next step is an interoperability test in Japan, beginning March 2005. This will include a definitive test measurement of a ‘Common Interface’ that has been designed for communicating between test applications and reader devices. Current plans call for the first full-scale implementation in October 2005. While significant progress has been made, there are still important open standardisation issues, such as the placement of the tag within the passport and which tag to read first – personal information, visa 1, visa 2, visa 3,...visa n.

SCM Microsystems has been working with other companies to address this global interoperability issue. Working with several of the leading contactless ePassport technology suppliers, SCM has developed an OEM reader module that reads all of the various contactless standards, resolving a problem that is a major blocking point for global interoperability. In addition, the technology has been applied to solve problems such as reading multiple visas, and amendments to the ICAO standards have been proposed to resolve these issues. As events unfold in the coming year, certainly these and other issues will be answered.
What’s next?

With transit and ePassport bringing contactless technology to the fore, the question becomes ‘what’s next’? The first level to consider is extensions of the ePassport technology to other border entry related applications such as border entry control for individuals who routinely cross borders as part of their everyday activity. National ID cards are another possible use of contactless technology. Yet, even short of a national programme, once passport authorities have verified someone’s identity and issued a digital document in the form of an ePassport to them, why not use it for other purposes? The ePassport, or another similarly issued contactless card, could also be used in other document identity and data integrity verification applications for government service. For example, why not use it in conjunction with
online government transactions, like accessing personal tax information? Or to inquire or manage other government services?

In private industry, contactless cards have great potential for several applications, and one that deserves mention is payment. The US financial services industry has little interest at this time in EMV standard bank cards, but several of the issuers are very excited about contactless payment cards. A white paper produced in 2004 by the Smart Card Alliance, “Contactless Payments: Delivering Merchant and Consumer Benefits”, profiled leading contactless payment initiatives including MasterCard PayPass, ExpressPay from American Express, Bank of America’s QuickWave and ExxonMobil Speedpass. These programmes have demonstrated quantifiable results and a positive business case according to the report. For example, the white paper states that MasterCard PayPass cardholder transaction volumes increased 12% from the prior year at the PayPass trial merchants, and that American Express ExpressPay pilot results showed that customer average transaction size increased 20-30% compared to cash spending at participating merchants. Many in the industry think contactless cards for payment will catch on in the USA. If that happens, perhaps using these cards at home for online payment would make sense.

Identity theft is one of the fastest growing types of consumer fraud, according to ‘Putting an End to Account-Hijacking Identity Theft’, a report released by the US Federal Trade Commission (FTC) in December 2004. The FTC estimated that during 2003 almost 10 million Americans discovered they were the victims of identity theft, with a total cost to businesses and consumers approaching US$50 billion. The report is a call to action to the financial services industry to do something about this problem and strongly recommends some form of two-factor authentication. This could be a contactless card with biometric features for example.
In conclusion, contactless technologies are just getting started. Standards, while more mature in the contact world, are now available and evolving rapidly in the contactless world too. While there will be some overlapping of the two technologies and applications, in my view over time the convenience of ‘touch and go’ operation and the better card appearance of contactless cards will move contactless cards and reader technology into much broader use. This article was supplied by Dr. Manfred Mueller, director, strategic marketing at SCM Microsystems Inc. He can be contacted at Tel: +49 89 9595 5140, Fax: +49 89 9595 5170, email:
[email protected]