Smart Card Applications for Business and Public Service
The fundamental role of a smartcard is to store secret information that allows the card to be used as an authentication token. The card issuer or another party can then challenge the card and, if the card is able to supply the correct response, the card is deemed authentic. Often the card will require the cardholder to supply an enabling code, for example a PIN or password.
The major development in card markets today is the push to replace magnetic stripe cards with smart cards. In the financial world, this development is driven primarily by the EMV mandates from MasterCard and Visa. Smart cards are also being increasingly introduced in other market sectors like government, transportation and healthcare.
Smart cards can be used to carry med-alert information or for health insurance ID, ATM and related bank access, driver's licenses and credit cards. Other potential uses include prescriptions, money for small purchases, medical records, other ID, discount shopping, money for larger purchases, frequent flyer information and other membership cards.
Japanese corporations are developing company cards to serve as identification badges and time-and-attendance records. Employees use the cards to withdraw cash, reconcile travel expenses, pay for purchases in the company cafeteria and stores, and manage resources like power, light, heat and air conditioning.
Many Japanese already flash their smart cards at station gates to get on commuter trains. New cell-phone models in Japan let people use the cards to buy soda at vending machines, pay restaurant bills and play games at a Tokyo arcade.
NTT, Japan's national telephone company, and Nissan Motors are placing Smartcards in automobiles in order to maintain a birth-to-death record of component part types and serial numbers, warranty conditions and maintenance.
For years people have looked at smart technology and its potential, but have hesitated due to the traditionally high cost. Historically, smart card applications were reserved for industries that had either high-margin businesses, a need for strict security, or products for which a one-time fee could be charged to cover the cost of the chip.
However, the cost of manufacturing smart technology has dropped significantly over the last few years. The reduction in cost has led managers in low-margin businesses to realistically consider the potential and applicability of smart card technology.
The use of smart technology across applications and industries will begin to create familiarity with the technology, not only among managers, but also consumers. This familiarity will come as an epiphany to some as they discover that they have been surrounded by the technology without realizing it.
Among the advanced services First National Bank Omaha will deliver at no extra cost to its customers is fileIt(SM), a "Convenience Storage" application that allows individuals to store personal data -- birthdays, a social security number or frequent flyer details, for example -- securely in the card's memory. In addition, the card can be updated online from First National Bank Omaha's web site, ensuring the customers have the latest, most secure smart card applications without having to receive a new
Parking and Road Toll Collection Cards
Today, we are facing a global trend towards road tolling. The basic concept of all such schemes involves stopping at a toll booth, paying and driving on. More advanced freeflow systems do not require the driver to stop and these are often combined with 'stop and go' lanes in individual schemes.
Identification products which may be used in road tolling applications include smart card ICs and contact controller ICs for e-purse cards and On-Board Units (OBUs) or transponders.
02/05 - Bangkok's notorious traffic problems could be in for some much needed help, with the Bangkok Metropolitan Administration (BMA) planning to introduce a number of projects as part of an intelligent traffic system.
While the concept of the BMA's intelligent parking building sounds promising, some have questioned whether an electro-hydraulic lift system is feasible because the machines are expensive and the BMA would have to pass on the cost to drivers in the form of higher parking fees.
Piya Chindapradist, CEO of Smart Traffic, a system integrator of toll collection systems, said that technology for parking systems had two major functions: revenue collection, and safety and traffic management.
Access Management - Controlling entry to buildings and facilities
Smart cards protect against unauthorised entry into high-security zones, or serve as a spare key for forgetful hotel guests. Cards both with and without contacts can be used to ensure that only people who are positively identified can enter a building or room. When read-only cards are used, it is not even necessary for the user to show his identity card, as long as he is within one metre of the reading device. However, this is when the problem of tailgating can occur. Other badges or cards in the vicinity are not picked up by the reader; therefore, the system doesn't know there are other people entering at the same time, whether or not they actually possess a badge or card.
At the same time, the chips can be used as a reliable way of recording employees' work times. Students or workers can use contact or contactless media to gain access to buildings, facilities, computers and networks. This provides protection against unauthorised access to places and data.
Conventional access point security systems employ high-frequency RFID (Radio Frequency IDentification) badges or smart cards to allow authorized people to open doors and enter secure zones.
Tailgating denotes a breach in which one individual closely follows another through a door or other access point secured by the use of electronic identification cards.
The Accsys Peopleware Time Manager (APTM) solution from South Africa was designed to allow access control and shop floor data collection for employee time and attendance management.
While many companies already have clocking systems in place, biometrics provides a more secure and reliable option because with a normal card or PIN-based option, employees are able to bypass the system by, say, allowing a colleague to clock in for them. With a biometrics solution, there is no way of someone getting around it.
Computer Network Security
The smart card can be used for login, digital signing and decryption of email, digital signing of documents, web authentication, secure login for corporate LANs as well as remote login for branch offices, field service and customers, along with other work flow applications which need secure identification and strong authentication for the protection of network resources.
In the business customer sector there are also solutions which are designed to increase security. The user of a computer keyboard can be identified by means of a chip programmed with a biometric key while he is logging on to the computer or shopping on the Internet. The reading device mounted in or near the keyboard checks the identity of the business partner who is requesting entry into the protected area of the intranet. The user's biometric data, such as his fingerprint, can also be stored on a card, thus preventing its use by any other card holders. This represents a considerable increase in security.
Used for securing the desktop, remote network access and access to web services, via digital signatures stored upon a smartcard or security token. A network security application that provides strong (two-factor) authentication for remote, VPN and web access.
Potential use of the associated chip cards could range from simple intranet/internet secure login, to a full blown certificate-based enterprise deployment for local and remote access, physical access control and other related applications.
The concept of the Smart Login is simple enough. The user creates one or more aliases, each of which is associated with a specific user name and password to be used to access a service. These user name and password pairs are stored on the chip card accordingly. Smart Login may then be configured to automatically log in to the service, to automatically fill in the user name and password in the service login dialog, or to revert to a manual drag and drop method of completing the login information.
For corporations whose intranet plays a large part in day-to-day operations, the use of such a token would be very pertinent, as it would be for remote access across VPNs, secure email communications and a host of other situations where personal identity verification and data encryption are considered valuable.
Smartcards offer an alternative to one-time passwords, providing a less bullet-proof but more flexible authentication solution. Using a Java platform, the card can be loaded with multiple identities or custom applications, keyed to specific users and providing strong authentication. The flexibility also extends to physical security, with smartcards well suited for integration into physical access control or ID badges.
The big problem with smart cards has been the hassle of installing a reader and related software. Two kinds of hardware tokens that avoid those problems are being used by financial institutions: USB tokens and one-time password generators.
USB tokens are inserted into one of the USB slots now standard on personal computers for authorization along with a logon and password. That requires the user to have a token, as well as knowing the user name and password. RSA Security Inc. and Aladdin Knowledge Systems are among the providers of these tokens.
A security token device combines the functions of a Smart Card and its reader, allowing you to safely generate and store your digital certificates. These certificates, which guarantee the digital identity of users, are extremely secure and portable and provide “double factor” authentication of users within the corporate domain and support Smart Card Logon by Microsoft or Novell authentication solutions.
The USB Smart key, also known as a key-shaped Token, contains a cryptographic chip for securely storing a user's personal ID. The USB form factor is technologically identical to Smart Cards, with the exception of the interface to the computer. USB Smart Keys are about the size of a house key and are designed to interface with the Universal Serial Bus (USB) ports found on millions of computers and peripheral devices.
USB-based two-factor authentication tokens provide a very cost-effective and easy-to-use control for multiple applications and network services, as in Virtual Private Networks (VPN), and can control Intranet, Extranet, and Internet access. Some variants can also be used in Public Key Infrastructure (PKI) environments.
The Windows 2000 Active Directory supports Public Key Infrastructure using Digital Certificates. Security tokens can store these Certificates which are then used for Secure Windows Logon, Secure Web Authentication/Access and Secure eMail.
Up until the release of Windows 2000, Interactive Logon used Windows Basic, or Windows NT Challenge-Response mechanisms, with Username and Password based authentication. Now with Windows 2000 Active Directory networks, a 'smart-card' logon can be deployed, enabling smart tokens to be used for User certificates and private keys.
Some handle digital signing and the generation of the public/private keys directly on board, which ensures the integrity and non-repudiation of information subject to digital signing (single files or e-mail messages).
They allow you to store the encryption keys used to secure the confidential information through file and disk encryption which protect the information from being accessed by unauthorized persons.
You can also secure e-mail exchanges thanks to the encryption functions and digital signing of messages available in the most common applications (Outlook, Lotus Notes and Netscape).
The adoption of an all-in-one device for the secure distribution of digital certificates issued by the PKI provides integration with security applications that support encryption technology based on public/private keys and the distribution of digital certificates (Entrust, Baltimore, Microsoft, Cryptomathic, Novell, VeriSign and others).
“Double factor” authentication (something you have + something you know) is extremely secure in comparison to just username & password features.
Organizations implementing security tokens can enable their users to simply plug in the token and enter one password to securely log on to the company network, VPN, or any other application, including customized and home-grown applications. The use of the identity token adds an additional security level to the authentication process – requiring the physical presence of the token device as well as the token password to allow access for strong two-factor authentication.
In a future scenario in which mobility will be an essential component in the information technology users' activities, and where an insufficient spread of readers is still very much the norm, results have demonstrated that Smart Cards prove to be strongly penalized in terms of usability, costs, mobility and usage security, as compared with USB tokens.
Those with built-in storage capabilities appear to be the best device to use to get a back-up of confidential data as they are easy to use and guarantee the reserved nature of confidential information. They also allow for safe management of encrypted files protected by password as well as the ability to save, archive and transfer data making them perfect for handling accounting data, images, CAD files and other documents.
About the size of an average house key, the award-winning Aladdin eToken is easy to use and highly portable, providing users with powerful authentication by requiring something they have, the tamper-proof eToken, and something they know, a PIN. It is used for secure network logon, secure VPN, Web Sign On, Simple Sign On, secure email, and numerous other applications. eToken is available in smart card and USB form factors featuring proximity capabilities and one-time password technology.
KoolSpan, Inc. (Bethesda, MD) develops easy-to-install and operate network-device independent solutions for user authentication, network security and remote access over wired and wireless networks. KoolSpan's standards-compliant products leverage the tried and true, tamper-resistant Smart Card used in more than half a billion mobile phones worldwide.
Secure Remote Access
Ensuring secure access to enterprise information is essential as companies continue to move their business processes online and extend the enterprise boundary beyond the corporate firewalls.
Replacing static passwords with strong two-factor authentication is an essential step for securing corporate networks, applications, and information assets. ActivCard® delivers this capability in the form of easy-to-use tokens.
Hotel Electronic Door Locks
According to CISA of Italy, their SmartKeys issued by Hilton hotels are nearly impossible to duplicate, and the technology owners to maintain a unique record of anyone who enters a room. Some guests already possess a multifunction Smartcard that will be presented upon check-in for encoding to be used as their guestroom
The Internet and e-commerce are the emerging drivers for smartcard use. What is the logic behind issuance of these cards? Online transactions are perceived as a higher risk than traditional physical transactions.
The smart chip will simplify online shopping; it can digitally encrypt every transaction for enhanced security. When you use a "regular" credit card, you have to give out your card number every time you place an order online. With a smart-chip-equipped card, however, each and every transaction is done by transferring a unique code from your smart-chip-equipped credit card to the merchant. That unique code contains your card information in an encrypted form. One such code is only good for one purchase. So even if someone somehow intercepted the communications between you and the merchant, they cannot re-use this code to make fraudulent purchases. Smart chip assisted shopping is only available at merchants who accept this payment form.
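The challenge and response described at the top of this page, and the single-use transaction code described above, can be modelled in a few lines. This is an added example, not part of the original article and not the EMV protocol: the HMAC-SHA-256 scheme, the class names Card and Issuer, the PIN and the purchase string are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Toy card: the secret key never leaves it and the PIN enables it."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._max_tries = self._tries_left = max_tries

    def respond(self, pin: str, challenge: bytes, txn: bytes) -> bytes:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1           # a wrong PIN burns one attempt
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries  # a correct PIN resets the counter
        # The challenge is always 16 bytes, so challenge + txn is unambiguous.
        return hmac.new(self._key, challenge + txn, hashlib.sha256).digest()


class Issuer:
    """Challenging party: holds the same key and tracks unused challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, txn: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                    # never issued, or already used
        self._pending.discard(challenge)    # single use, even if the check fails
        expected = hmac.new(self._key, challenge + txn, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)                   # constructed sample key
    txn = b"merchant=EXAMPLE;amount=19.99"          # constructed sample purchase
    card, issuer = Card(key, "4821"), Issuer(key)
    out = {}

    c = issuer.new_challenge()
    r = card.respond("4821", c, txn)
    out["genuine"] = issuer.verify(c, txn, r)
    out["replayed"] = issuer.verify(c, txn, r)      # same code presented again

    c = issuer.new_challenge()
    r = card.respond("4821", c, txn)
    out["altered"] = issuer.verify(c, b"merchant=EXAMPLE;amount=1999.00", r)

    clone = Card(secrets.token_bytes(32), "4821")   # right PIN, wrong key
    c = issuer.new_challenge()
    out["clone"] = issuer.verify(c, txn, clone.respond("4821", c, txn))
    return out


if __name__ == "__main__":
    print(demo())
```

Only the genuine first presentation verifies; the replayed code, the code moved to a different amount and the response from a card without the issuer's key are all rejected.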
The reason that the EMV smart card is not already used within consumer e-transactions is the difficulty in including the card within the transaction process. The solution for this, an unconnected reader, is not new. However, the barrier has always been around cost. In other words, is it more cost effective for the bank to accept low levels of fraud rather than the expense of rolling out millions of unconnected readers to consumers? The continuing rise of CNP fraud is beginning to tilt the argument in favour of the rollout option.
The shift in liability associated with EMV is driving many banks to issue smart cards. Under many EMV rules, liability for fraud that could have been prevented by chip technology will fall on the party that has not made the upgrade. Aside from the threat of increased liability, merchants and banks are being incentivized by lower or higher interchange rates for transactions made with chip cards or POS systems.
The Canadian Bankers Association reports that $44-million (U.S.) in unauthorized debit card transactions was reimbursed to consumers in 2003, a mere drop in the ocean to financial institutions, and no incentive for a costly migration to the more secure smartcard (chip and PIN) system up and running in the UK and much of Europe, and not likely to be seen in Canada before 2010, when Visa Canada has committed to rolling it out.
In 1996, Europay, MasterCard and Visa first released flexible specifications for smart card-based debit and credit payments. In 1999, the three card associations founded EMVCo, an independent organization, to manage and enhance EMV specifications as technology advances and the implementation of chip card programs becomes more prevalent.
The majority of consumers are still more than hesitant when it comes to online shopping. Most people are very unsure about passing on credit card details online. The solution is the integration of a smart card plus a reading device, whereby the customer is identified positively at the so-called point of entry by the card reader, which is coupled to the computer. Since the encrypted data is stored inside the reading device and the latter is accessed off-line, there is no risk of unauthorised persons coming in contact with the data.
The Smart Card Reader uniquely identifies you as the Card member by connecting to your PC's serial or Universal Serial Bus (USB) port, depending on which Reader you choose. The same Reader will also be able to load new applications to the Smart Chip as technology is developed in the near future.
Store your Certificates on a physical card or USB token! Smart cards or tokens allow you to take your VeriSign certificate with you. As well as being portable, smart cards and tokens enhance security as they, and hence the certificate, can be securely stored (e.g. locked in a safe) rather than just being left installed on an individual PC.
Smart card based credit cards work along similar lines to the traditional credit cards with magnetic strips. However, they possess greatly improved security against credit card fraud. For this reason, smart card based credit cards are set to replace magnetic strip based cards in future, since the former type is technically superior. The USA is the country in which the credit card is the most widespread; however, the smart card is virtually unknown there.
Smart cards provide banks with very high security, enabling additional services such as e-purse and Internet payment as well as a credit or debit facility, and allowing secure access to e-commerce and online transactions.
Ironically, CNP (card not present) fraud is on the increase because of the advent of EMV smart cards – a technology that was introduced to tackle counterfeit fraud. The major advantage of smart cards is the increased security they provide. The chip technology uses sophisticated processing techniques to identify authentic cards and make counterfeiting extremely difficult and expensive. Combining this with a PIN is a proven system for combating fraud as it provides the two-factor authentication of ‘something you have’ (the smart card) and ‘something you know’ (the PIN). This makes the probability of fraudulent transactions taking place in an ordinary retail environment extremely low.
Airline Passenger Ticketing
Electronic Ticketing is a radical step towards introducing new processes that will help to relieve airport congestion. However to be successful, these must be aligned with common airport practices and technology. Smart card technology can play a part in this process provided that all parties in the chain are integrated. Contactless smart cards can be used for passenger tracking, boarding passes, access cards, loyalty functions at airports and airlines.
Automobile Vehicle Access
Around the world, more than 100 million transponder-based keys are protecting vehicles against car theft using immobilizer technology. Since they were first introduced to the market, car immobilization systems have helped reduce car theft by more than
Tourism Attraction Daily Pass Smart Cards
02/05 - Smart Destinations, a provider of all-inclusive unlimited admission attraction passes in top U.S. travel destinations, has announced its newest offering: the Go Chicago Card, available to people interested in Chicago tourism with over 20 top Chicago attractions participating.
The Go Chicago Card will be available for an introductory price starting at $39.00 for a one-day pass.
1, 2, 3, 5 and 7-day passes are available.