The future is still on the cards

Consumer reticence has stifled a smartcard boom, but they have quietly grown in use, writes Brian Clegg

In the early 1990s, it was predicted that the smartcard would bring the information revolution to everyone's wallet. Its progress has hardly been dynamic, but, while users have been slow on the uptake, the technology is more widespread than you might think.

Dreamed up in 1974 by Roland Moreno, the smartcard overcomes the limitations of the magnetic stripe card. Magnetic stripes can only hold 40 characters (40 bytes) and can be easily read or rewritten. A smartcard has much greater capacity, typically 16Kbytes, with high onboard security.

Smartcards make it possible to throw away clumsy wads of plastic and paper, replacing them with a single, multi-function card. Users can not only clear their wallets but also have more effective personal documents. After all, passports, ID cards and credit cards are only as good as the link to the owner. A smartcard, on the other hand, can encrypt and store sophisticated identification data - for example, a numerical description of a fingerprint.

Similarly, smartcards can make personal information such as medical history available whenever it is required. Unfortunately, though, such applications raise civil liberties issues, and it is hard to persuade potential users that a shop checking their ID could not gain access to private data.

A less contentious application is the electronic purse. The simplest and most common smartcards, which carry memory but no processor, provide single-use purses in the form of public telephone payment cards. But there is a much wider potential.

The Mondex purse smartcard had a large-scale trial in Swindon in the late 1990s. Retailers from department stores to newspaper kiosks accepted the card. Households and public phones were provided with card writers, giving dial-up access to downloadable cash while at home or in a phone booth.

But the real benefits of electronic cash were never felt in the trial. These only come when the card is universally accepted and it is easy to exchange money between cards, especially over the phone. Electronic cash schemes fall down on the huge initial infrastructure investment necessary to make this possible.

So far, the real growth of smartcards has been in communications. Every mobile phone contains a smartcard - the Sim - holding the telephone's personal identification and a phone book, enabling numbers and personal data to be moved between handsets.

Similarly, digital TV boxes use a smartcard for identification and decryption, tailoring a general purpose receiver for a particular consumer. Moving from these dedicated uses to multi-application cards involves jumping significant barriers.

Ovum smartcard analyst Duncan Brown says, "The technological capability of the card is not an issue, but there is a huge infrastructure cost in accepting them. We will see multi-application cards but organisations need to overcome the urge for exclusivity. No-one is going to want to use a shopping chain's premier points smartcard if it means you have to change to a particular bank to use it.

"It is a problem for the banks, which are used to having branded cards. Take Hong Kong, where there are seven million Octopus cards in use in the local transportation system. The banks keep trying to get Octopus to put its application onto a bank card but why should it? It will take a change of mindset."

Whatever the problems, the smartcard has arrived. At the moment there are at least two billion in use - twice the number of credit cards - though most are telephone payment and Sim cards. But there is little evidence that consumers want a single smartcard for all applications. For our own peace of mind it seems we are happier to continue carrying around a pocketful of cards, even if each of them may be much smarter than they appear to be.

Smartcard security attacks

Smartcards are sold on capacity and security. In the past, they have been unwisely advertised as impregnable. In reality, they are susceptible to four types of attack: electrical disruption, physical interference, reverse engineering and programming.

  • Electrical disruption involves applying an electrical charge across the card's contacts. This can switch off the card's security bit, opening the card to free access. Alternatively, it can upset the processor's clock sufficiently to make instructions execute in strange ways, sometimes freeing up data, although the outcome is highly unpredictable.

  • More systematic is a direct physical attack. Exposing the chip itself requires little more than a knife and some strong acid. With appropriate probes, direct access can be gained to the memory circuits.

    Alternatively, with sophisticated tools, the chip can be reverse engineered. The Cavendish Laboratory in Cambridge has reverse engineered the much more complex Intel 80386 processor, etching away layers of the chip with corrosive gas, capturing detailed images of each surface, and computer-enhancing the results. With a complete picture of a smartcard's chip structure, the write protect bit of the memory could be reset with ultraviolet light. Even greater control could be exercised, as IBM has shown, by developing a method to monitor information flow in a chip once its layout is known.

  • The final approach is to attack smartcard security head on. Cracking the powerful DES algorithm would take many billions of attempts by brute force but, by putting the smartcard under physical stress, it is possible to introduce errors that give an encryption specialist a gateway to the key, reducing the number of attempts required to hundreds.

    An alternative to this Differential Fault Analysis (DFA) is Differential Power Analysis (DPA), monitoring the electrical activity on the security module as information is processed through it. By applying sophisticated statistical techniques, the security keys can be deduced.

The smartcard industry is reacting to these threats. Chips are being developed with a bonding material that destroys the chip if it is removed, and new circuit designs are being constructed with misleading dummy components to fool reverse engineers. Cryptography error-checking could thwart DFA, while new designs of chips may make DPA impractical. Despite all this, the smartcard still remains the most secure vehicle for portable and accessible data - but it may never be tamper-proof.
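The error-checking countermeasure against DFA mentioned above, sketched as an added example (not code from the article or from any card vendor): the card inverts its own result and withholds the ciphertext if a fault corrupted the computation. A toy 16-round Feistel cipher stands in for DES, and the function names, fault parameters and round keys are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define ROUNDS 16

/* Constructed demo round keys; a real card derives these from its secret key. */
static const uint16_t DEMO_RK[ROUNDS] = {
    0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3, 0xB4C5, 0xD6E7, 0xF809,
    0x0F1E, 0x2D3C, 0x4B5A, 0x6978, 0x8796, 0xA5B4, 0xC3D2, 0xE1F0 };

/* Toy round function (a stand-in, NOT the DES f-function). */
static uint16_t f(uint16_t half, uint16_t k) {
    uint16_t x = (uint16_t)(half ^ k);
    return (uint16_t)(((x << 5) | (x >> 11)) * 0x9E37u + k);
}

/* Feistel encryption. fault_round >= 0 simulates a transient glitch that
   XORs fault_mask into the right half just before that round. */
uint32_t toy_encrypt(uint32_t pt, const uint16_t *rk, int fault_round, uint16_t fault_mask) {
    uint16_t l = (uint16_t)(pt >> 16), r = (uint16_t)pt;
    for (int i = 0; i < ROUNDS; i++) {
        if (i == fault_round) r = (uint16_t)(r ^ fault_mask);
        uint16_t t = (uint16_t)(l ^ f(r, rk[i]));
        l = r; r = t;
    }
    return ((uint32_t)l << 16) | r;
}

/* Inverse of toy_encrypt: the same rounds run with the keys in reverse order. */
uint32_t toy_decrypt(uint32_t ct, const uint16_t *rk) {
    uint16_t l = (uint16_t)(ct >> 16), r = (uint16_t)ct;
    for (int i = ROUNDS - 1; i >= 0; i--) {
        uint16_t t = (uint16_t)(r ^ f(l, rk[i]));
        r = l; l = t;
    }
    return ((uint32_t)l << 16) | r;
}

/* Error-checked encryption: invert the result and compare with the input.
   On mismatch the ciphertext is withheld, so no faulty output leaves the card. */
int checked_encrypt(uint32_t pt, const uint16_t *rk, int fault_round, uint16_t fault_mask, uint32_t *out) {
    uint32_t ct = toy_encrypt(pt, rk, fault_round, fault_mask);
    if (toy_decrypt(ct, rk) != pt) { *out = 0; return -1; }
    *out = ct;
    return 0;
}

int main(void) {
    uint32_t out;
    printf("clean:    rc=%d\n", checked_encrypt(0x01234567u, DEMO_RK, -1, 0, &out));
    printf("glitched: rc=%d\n", checked_encrypt(0x01234567u, DEMO_RK, 15, 0x0004, &out));
    return 0;
}
```

The check costs roughly a second cipher run per operation, which is the price of never releasing a faulty ciphertext for analysis.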

What makes a smartcard smart?

Although phone cards only contain a 4Kbyte memory chip and security module, a smartcard is a computer in its own right.

Typically, a smartcard carries an eight-bit processor running at 10MHz, with 16Kbytes of Rom, 8Kbytes of EEPRom for non-transient storage, and 512bytes of Ram, while the latest devices have 32-64Kbytes memories. Less than 20 years ago this would have constituted a desktop computer but today it is all packed into a chip less than 2cm square.

Most smartcards have an 8.5 x 5.5cm credit card form factor, but the only function of the plastic is to make the card manageable and compatible with conventional credit card readers. Sim cards on phones have a much smaller 2.5 x 1.5cm format.

The chip is cushioned in epoxy resin, binding it to both the plastic "card" and the smartcard's visual identifier, the contact plate. Interconnecting wires lead from the chip to these gold panels to provide the connection when the card is put into a reader.

Some new cards have no contact plate, using short-range radio to communicate. Such cards are particularly effective for applications such as allowing users to drive through road tolls without having to stop or for building security, but they raise civil liberty issues because, in principle, they offer a means for constant surveillance.

Early smartcards could be destroyed by bank ATMs, which ran the card over rollers through a curved path. Redesigns both of the cards and the machines have made the combination safe.

Most current smartcards are programmed in machine code but some support programming using a Java Virtual Machine, MultOS, or Windows for Smartcards. Such smartcards can take new programs onboard on the fly - for instance over the Internet. Flexible programming increases the potential of smartcards but also gives rise to concerns over security, ownership of standards, and compatibility of hardware implementations.