Talk:Smart card/Archives/2014

Chipknip
"Smart-card-based electronic purse systems (in which value is stored on the card chip, not in an externally recorded account) were tried throughout Europe from the mid-1990s, most notably in Germany (Geldkarte), Belgium (Proton), the Netherlands (Chipknip and Chipper), Switzerland ("Cash"), Sweden ("Cash"), UK ("Mondex") and Denmark ("Danmønt"). None of these programs attracted any notable public interest, and usage levels remained low to negligence."

What is this statement based on? I know it isn't true for the Netherlands (I don't know about the other countries). The Chipknip is used by a very large percentage of the Dutch population ever since it's introduction in 1996. Usage has never been "low to neglible". For example, if you ever visit this country you might notice that you can't even pay for car parking in some cities without having a Chipknip. Almost every shop here offers the possibility of paying with Chipknip. I suspect it is used more often than creditcards (of the non-PIN type).

The Chipknip was in fact a big failure in the Netherlands, where i happen to live. Even though most shops and such did provide the possibility to pay with Chipknip hardly anybody ever used this. A possible explanation for the wide availability is the fact that often the same device is used to pay with both Chipknip and PIN. (one device with a swipe card reader for PIN payments, and a Smart card reader for Chipknip). It is true that often you can only pay for parking through your chipknip, but this is actually a relatively new thing and most parking meters accept cash aswell. The Chipper was a (supposidly) chear alternative to the Chipknip which was released simultaniously by two Chipknip competitors: Postbank and KPN. This card however used different technology and was therefore imcompatible with the dutch bank system. Furthermore, the Chipknip is currently going out of use, and using it to pay in shops is usually no longer a possibility. In general, the Chipknip was found to be a impractical way of paying, as it requires you to transfer money to it first, after which you can spend it later. (it's basically a digital wallet). Also, it's a relatively unsafe way of using your money, since paying with a CHipknip does not require a PIC-code or any other kind of verification. (it merely requires the customer to press the 'OK' button on the payment-device, therefore anybody can use any card and spend the money on it. The Chipknip is not going to dissapear completely, bit will be still used on a smaller scale such as payments in office cantinas and hospitals. (vending machines and such) The dutch banks and the company exploiting the Chipknip (Currence) however have expressed their doubt about the future of the Chipknip, and with vending machines and parking meters (aswell as other appliances where the Chipknip was used) being equiped with other methods of payment (PIN, Credit card, mobile phone) it is very likely that the Chipknip will die out within the next few years or so. —Preceding unsigned comment added by 80.100.165.105 (talk) 13:46, 17 October 2007 (UTC)

GlobalPlatform (talk) 13:12, 29 July 2008 (UTC) SIM (GSM Smart card for 2G and 3G market) is the main smart card market (90 % of the total smart card market) and is not even introduced in this article. I suggest to split the article in 4 main articles : Roland Moreno is known as the inventor of the smart card (patent in 1974). is there a German appropriation here ?
 * smart card technology
 * financial smart card
 * ID smart card (including new biometrics passport)
 * and GSM smart card

Problem with picture
The picture shown to give an idea of the scale of a smartcard chip is deceiving because not everyone would recognize that as a penny, because of the ambiguous colour, and because people from other countries with different currencies would also not recognize it.
 * Done!. Problem solved! (I think so...) Cfr the article page, I've written (at that picture TEXT): --- (cfr: it's a penny). --PLA y Grande Covián (talk) 12:08, 22 January 2009 (UTC)

Requested move
changing title to its standard (and more common) form


 * Add *Support or *Oppose followed by an optional one sentence explanation, then sign your vote with ~ 

correct statement

Decision
Page moved. Ryan Norton T 12:11, 15 October 2005 (UTC) I inserted the original comment. I worked with almost all European banks on their electronic purse rollouts, and was as saddened as anyone by their complete failure.The person who claimed that Chipknip usage has been high in the Netherlands since its introduction is clearly misinformed. Perhaps they are confused by the large amount of advertising done by the banks for Chipknip, as well as Telecom for Chipper. Although there are some implementations that seem fairly high-profile (the parking meters in Amsterdam) the percentage of all non-cash transactions Europe-wide carried out by electronic purse is much less than 1%. Most of the banks actively involved in electronic purse schemes in Europe are Savingsbanks owned by their local city or state;(Sparkassen, sparbanken, Caixia, etc.), and are of course somewhat shy about publishing the low usage rates and, consequently, the huge waste of public funds wasted on these card programs. VisaCash(all 4, incompatible versions of it):discontinued. Mondex: Discontinued. GeldKarte: usage so low its hard to track. The others I have lost track of. When e-purse cards were conceived, costs for telecommunications and processing were high, which made smartcard off-line transactions attractive. Since then, the steep drop in prices for these services have wiped out any economic justification for contact (Iso7816)based e-purse schemes. The success in the US of Mastercard's rfid (14443)PayPass program is something of an embarassment of riches, since it finally offers what the e-purses promised, but is in fact just a contactless creditcard transaction. (Also not EMV compliant. Sorry about that, all you UK banks that just invested zillions in the switchover. This time, we promise it will work!)

Splitting contactless cards
Please Properly Mark You Motion With the Support or Oppose Text Following A Bullet It Took Me A While To Sort These Out. --Koman90 (talk) 01:07, 19 January 2009 (UTC)


 * Support - The page is a little long, and I think contact (ICC) cards and contactless (RFID) cards should have separate articles. Stifle (talk) 19:24, 20 April 2006 (UTC)


 * Oppose - There is already a short page at Contactless card that redirects to Proximity card. I think the material on the contactless cards section on this page should be used to expand that existing page, rather than creating another separate page. Zaian 09:59, 22 May 2006 (UTC)


 * Oppose - I don't think this article is that long. A well organized and sectioned article with a Table of Contents should allow this article to grow even more. In fact, I would recommend integrating other articles related to the subject (i.e., Proximity card etc), into this more general article on smart cards (i.e. cards with processor technology) because many are either evolutions or spawns of the smart card concept. HOWEVER, if you choose to separate these into separate articles -- I recommend a section called "Related card technologies," "Technologies Related to Smart Cards," or some such thing containing links to these other Wikipedia articles. (Wiki writer 22:35, 17 June 2006 (UTC))


 * Support - I think the article should be split, the subject is too big in itself 81.179.234.128 17:41, 4 February 2007 (UTC)


 * Oppose - More and more smart cards have dual-interface capabilities, with both contact and contactless data transmission leading to a single ICC. The distinguishing feature of the smart card is not the mode of transmission, but the increased capability and added information security that comes from the use of applications, data storage and cryptography.  The infrastructure and business processes required to support the smart card are signicantly different from those supporting older contact or contactless interface cards.  Splitting the smart card page on the basis of the interface lead to confusion.


 * Oppose - Keeping both contact and contactless cards in the same page is more appropriate, as they share common underlying technology. 195.195.244.11 21:42, 12 March 2007 (UTC)


 * Support There should definitely be a separate article. The contactless smart card industry is growing, and has distinct concerns. Additionally, the overlap and relationship between pages needs to be clarified (it does not seem practical or useful for "contactless smart cards" to be the section of one article while "contactless card" redirects to a short and general article about proximity cards, and all pages lack adequate clarification and linking for related pages, technologies, etc.) Thinked 08:16, 24 July 2007 (UTC)


 * Support- Contactless Smart Cards based on re-writable RFID technology are a completely different technology form traditional "Contacted Microchip" smart cards, and are being used in many areas as a form of paperless ticketing sytem. a main innovator of this technology is Cubic Transportation Systems, Inc. who have created a lot of paperless ticketing cards such as Compass Card system in San Diego, the Tap System in Los Angeles, the SmarTrip card in Washington DC, The Chicago Card in Chicago, the Go-To card in Minnesota, the Go Card In Australia, and the Oyster card On the London Underground. None of these require the use of the metal contacts of a traditional smart card. Manny Os the Smart Cards wit more than one type of transition are referred to as Hybrid Smart Cards, by Cubic So I actually Recommend a Dual Split. Because a proximity card is a different technology that is used for the security industry, and only contains a serial number, and is used only as a form of keyless entry it dose not qualify as a smart card. --Koman90 (talk) 00:55, 19 January 2009 (UTC)


 * Split- Due To Inactivity I Herby close the poll today all signatures as ip addresses are considered invalid in a split/merge poll. To accommodate the growth of smart card technology article will be slit with suggestion at top of each article, and contactless smart cards will also cover a section on hybrid smart cards. --Koman90 (talk) 01:39, 25 January 2009 (UTC)

Cracking
It says that one reason for introducing smartcards is to cut down on fraud. Any info on why smartcards are so much more secure than normal swipe cards or whatever else? The bellman 08:39, 27 April 2006 (UTC)
 * Simple: you have to type your PIN for the transaction to be authorized! And data may be encrypted inside the chip.
 * 1)Smartcards do not automaticaly require a PIN; PIN could also be used for mag-stripe credit cards, as they are for debit.


 * 2)Most of the added security benefit comes from the fact that a smartcard is much more difficult and expensive to copy than a magstripe card.


 * "Smartcards do not automaticaly require a PIN" : perhaps, but they should, as it's done in France. So the only way to obtain the PIN is to spy the user when typing it then steal his card, or to threaten him. And when a robber uses only the card number without the PIN, for example when purchasing on Internet, the card owner has a mandatory bank insurance which compensates him up to 7600 €. Wagner51 12:51, 16 July 2006 (UTC)


 * There are several reasons smartcards are harder to crack:

--Brwna (talk) 17:20, 14 March 2011 (UTC)
 * the hardware is specifically hardened against a number of attacks, including rather sophisticated ones.
 * because a real smartcard can do crypto inside the card, there is no reason to ever expose the "secret". In good implementation, it is generated inside the card and never leaves it.
 * in the same way, cryptographic functions should take place inside the card, giving less opportunity for attacks
 * and in the end, you add a physical factor to a multi-factor authentication.

Moscow transport cards are not smart cards - only magnetic stripe
Moscow metro cards and mosgortrans cards are not smart cards. They do not have integrated circuitry and are just magnetic stripe cards. Hence these cards were removed from the list of smart transportation cards. They were also wrongly put under contactless section.
 * Moscow use both since September 1998. Elk Salmon 20:13, 21 May 2006 (UTC)

New York MetroCards are also magnetic stripe, not the chip-on smart cards described here. The MetroCard page even mentions that there are plans to convert to smart cards in the near future. I'm removing NY from the table. Pjbflynn 14:50, 31 December 2006 (UTC)

At present, Moscow metro card is Mifare and Mifare UltraLight smart card. Parer cards with a magnetic strip used and are using. MikeKn 04:51, 3 April 2007 (UTC)

Seoul contactless smart card introduction
Hi, Seoul has had a contactless smartcard system for its metro since 2001, not 2004 as the list states. It was rebranded TMoney in 2004 and more advanced cards were introduced (the new card is aware of transfers from bus to train to allow discounts). But for a while both old and new cards continued to work. --JackSeoul 01:33, 22 July 2006 (UTC)

New York City Metrocard is not smart card
New York City's Metrocard is not a smart card. Instead it is a flimsy plastic card with a magnetic strip. However, they are working on a smart card. I suggest removing this from the table until they create one. >>And doesn't Macau have a smart card bus pass they use on buses. Saw it but I think its only for residents. Herenthere 22:16, 11 September 2006 (UTC)

São Paulo card solution is multi-vendor
I was chocked reading that "Bilhete Unico" have Digicon as provider. Having being worked over 2 year providing consultancy on the project, i have to say: this is a lie.

The provider and contractor and solution integrator, is SPTrans. Digicon, and many others were supliers of hardware, software, cards, services, ideas, etc, etc.

The major difference of São Paulo solution is that the main goal was to have an provider independent solution. Most other cities (or countries like Holland) chooses one provider and buy his solution.

This was a huge and complex work coordinating many companies, with different interests to share information and help to build an new solution, different that the one that he wants to sell.

I have write one article about the project, nominating many other along Digicon. And many other, that I can´t remember now, I will try to list on it.

Mmorsello 16:28, 17 February 2007 (UTC)

No mention of...
look at ISO/IEC 7816 MikeKn 04:43, 3 April 2007 (UTC)
 * Article does not mention protocols. Smart card use protocols such as T=0 and T=1. -- Frap 11:30, 31 March 2007 (UTC)
 * Transfer speeds. I believe to be like 9,600 to 115,200 bps.
 * Amount of capacity for storage space. I believe to be like 32-64kb.
 * EEPROM
 * Microcontrollers like PIC and AVR.
 * Card operating systems (COS) like ACOS, M.O.S.T, JavaCard, MultOS, etc.

Privacy?
The sentence in the "Identification" section reading "Smart cards are a privacy-enhancing technology, for the subject carries possibly incriminating information about him all the time" is either overly opaque or nonsense, and I suggest removing it.

How does carrying "possibly incriminating evidence all the time" -- presumably referring to the information on the card -- confer greater privacy to the subject than the alternative (not carrying the information)?

If this sentence has a rational point it should be made far clearer. If not, cut it. Fenrisco 02:02, 16 November 2007 (UTC)


 * I agree that it should be removed. The sentence does not make any sense. Actually smart cards are bad for privacy as it ties every card use to a person, in contrast to cash which is much better. -- -- Frap (talk) 17:17, 16 November 2007 (UTC)


 * In regards to payment, I concur. For other uses, however, smart cards can enhance privacy - e.g. medical records, where the patient can access his own medical records and control who gets to see them, and which ones, including access tracking = who looked at what. --Brwna (talk) 00:03, 15 March 2011 (UTC)

Card Fraud in Australia
I was amazed to see the following: "For example, in Australia the consumer bears the risk of credit card fraud, possibly explaining the lack of progress the banks have made in rolling out smartcards."

Who wrote this? It is nonsense! The liability varies according to the issuing institution, but in general it is the institution that bears the risk; not the consumer.

Unless someone comes up with evidence backing that assertion, I will delete it.JimBreen (talk) 07:29, 10 December 2007 (UTC)

OK, no response, so I will remove that sentence. While I am at it, I will remove Australia from the "With the exception of countries such as the United States of America and Australia there has been significant progress...." All my recently issued cards have chips, and I am seeing increasing numbers of EMV-compliant POS machines.JimBreen (talk) 11:24, 23 December 2007 (UTC)

Dimensions / Protocols
Only ID-1 and ID-000 types are mentioned. Other available dimensions should also be listed (if possible with picture). Even non-standard card formats are in use (ID-1 with one or more strongly rounded corners).

More than the 3 listed card protocols are in use (S=8, S=9, S=10, or the one used for FeliCa cards)

Security philosophy fault totally unaddressed in the article
Smartcard is a silly idea. The very little chip in the card cannot be made resilient enough to fend off a dedicated attack done by powerful computers, expensive RF scanners and electron microscopes. If the smartcard does something important, not just miserable city bus ticket vending, it will be cracked if it is worth cracking. If the Octopus card authorized to launch a thermonuclear ICBM strikes, it would be hacked in three days. 82.131.210.162 (talk) 10:19, 13 June 2008 (UTC)

Octopus system use Mifare Classic card (Philips-> NXP). Mifare Classic "cryptogram" is based on 6 bytes "key" and use a simple polinom like Philips "secret" algoritm. As GSM "cripto" algorithm it is a private algoritm developed by ignoramus.. —Preceding unsigned comment added by 194.85.126.33 (talk) 10:01, 19 March 2009 (UTC)


 * smartcards have been designed to withstand such attacks, and the "real" ones are still holding. Whatever attacks on smartcards were possible have been done as proof-of-concept so far - if you were really concerned with the issue of SC security, you would know about the history of research in this area.


 * The cheap rip-offs to a real smartcard like the ones you mentioned are of course vulnerable, that's why they are never to be used for serious things. If you buy "fake" stuff, you cannot expect full quality. But that is no "philosophy fault", that's how things are for every type of product. --Brwna (talk) 17:36, 14 March 2011 (UTC)

Examples para needs fixing
Under Contactless smart card, this paragraph needs fixing:
 * Examples of widely used contactless smart cards are Hong Kong's Octopus card, South Korea's T-money (Bus, Subway, Taxi), London's Oyster card, Japan Rail's Suica Card and Mumbai Bus transportation service BEST uses smart cards for bus pass, which predate the ISO/IEC 14443 standard. All of them are primarily designed for public transportation payment and other electronic purse applications.

It's not clear how many of the listed examples "predate [...] 14443". Mitch Ames (talk) 11:15, 24 March 2009 (UTC)

Contactless protocol - not "T=CL"
I have reverted the name of the contactless communications protocol from "T=CL" to "ISO/IEC 14443" (again). I have copies of both ISO/IEC 7816-3:2006(E) -- which defines T=0, T=1 -- and ISO/IEC 14443-4:2008(E), and neither of them mention "T=CL". 14443-4 doesn't actually give a "name" to the protocol, it merely refers to (clause 7) "the half-duplex block transmission protocol".

Before anyone changes it back to T=CL, please provide an appropriate reputable reference that defines a protocol of that name. If citing an ISO/IEC standard, please include the version and clause number for easier verification. Mitch Ames (talk) 10:52, 31 March 2009 (UTC)

Problem with Contact Images
The description on the image at the top right says "Many different pad layouts can be found on a contact Smart card". Meanwhile the image under Contact smart card: Electrical signals description, it says "A smart card pinout". These descriptions strongly imply differing pinouts (and correspondingly differing protocols). The actual situation is in many implementations contacts C7 and C8 are left unused; on many cards for those situations, those pins are completely omitted from the cards, making it appear they have 2x3 contacts, instead of the 2x4 contacts shown under "Electrical signals description". There should be an emphasis that in these circumstances contacts C1-C6 are in the same position of the physical card, thus as long as the card/reader isn't in a circumstance that require the extra contacts they are interoperable. —Preceding unsigned comment added by 75.101.123.180 (talk) 10:47, 8 February 2010 (UTC)

Hatnote: "radio freqencies" vs "radio waves"
I changed the hatnote to say "radio waves" (as the communication channel) for contactless cards, but that change was reverted on the grounds that the industry uses the term "radio frequency" (RF). While I acknowledge that the industry (in which I worked for several years) uses the term RF - and in fact ISO/IEC 14443-2 is titled "Radio frequency power and signal interface" - I still maintain that RF is incorrect in this context. In particular the hatnote includes a link to the radio frequency/frequencies article which states in the lead sentence that "RF is a rate of oscillation in the range 30 kHz to ...." Ie RF is defined as a frequency, not a communication medium. Contact cards (using ISO/IEC 7816-3) can and do communicate at frequencies above 30 kHz on a piece of wire. The use of the term "RF" to mean "radio" (rather than "... frequency") may be common, but it is still imprecise and misleading (if not actually wrong), and I don't think we should do follow that poor practice - we should strive to be accurate and unambiguous. If "radio waves" is not agreeable, perhaps we should just say "radio" - either of them is accurate, and both have suitable articles as targets for the link. Mitch Ames (talk) 12:42, 7 September 2010 (UTC)
 * You are correct, but the primary reason why I pulled your changes was an attempt to use the exact same terms as it is called in the specification. The thing that I find the most confusing when trying to learn about a new engineering topic or specification is when multiple people (authors) use different names for the exact same thing. Sometimes you read along and then say "oh...those mean the same thing". Many times authors or companies or advertisers use the wrong naming or description, then once that term becomes popular or well known, whether correct or not, then we are stuck with it. :( Sbmeirow (talk) 05:13, 8 September 2010 (UTC)
 * You might want to create a new section that talks about this controversy, so at least people are aware of it. I have zero experience with ISO/IEC 14443 but my last 3 project involved up to 48 SIMs ISO/IEC 7816 on one PCB. In addition to edits, I am currently watching for spam and crazy changes on 500+ articles. Recently I added this wiki article to my watch list, so I didn't mean to pick on you, and look forward to your changes! Sbmeirow (talk) 05:27, 8 September 2010 (UTC)
 * I've created a new section "RF as a synonym for wireless" in the radio frequency article, to help clarify the common "abuse" of the term. I agree with you 100% about the need to use the same terminology, and the confusion created by using different terms for the same thing. The problem we have here is: which is correct. If someone were to follow the radio frequency link they will find an explicit definition that is different - and as I pointed with reference to the comms speed of contacted cards - contradictory to the context (the hatnote) in which the term appeared. I accept that "RF" now has a second usage (as a synonym for "radio"), but because it still has a well-defined primary meaning, I don't think we should use it here. "Radio" is accurate. Given the context, I don't think anybody will be confused. If they're looking for contactless smart cards they're going to follow the link and find them. Do you still object to my changing the hatnote from "radio frequency" to "radio"? Does anyone else have any opinions on this matter? Mitch Ames (talk) 06:24, 11 September 2010 (UTC)
 * In the absence of any further objections, I've changed the hatnote again, this time to "radio".

RAM
Can somebody add a note on RAM capacity and what this memory is and could be used for. For example, when my EFTPOS card was first issued there was talk of embedding an ID photo, nothing ever came of this but is something like this possible? E x nihil (talk) 21:50, 30 January 2011 (UTC)


 * There is little to none RAM (0.5-8k usually), because RAM loses its contents after power disconnect - and power loss happens every time you take a card out of the reader or reader field. So there is no good reason to put much RAM in them.

The storage capacities for the NVRAMs however has been climbing up from a few kByte to several MByte now. Of course this affects the price; for the cheapest types (as used for ticketing), this would be a waste, so the actual amount of NVRAM depends on the chip type. --Brwna (talk) 23:58, 14 March 2011 (UTC)

Australia circa 1985 ?
I took a clipping of a newspaper article "Smart cards fight fraud" circa 1985 in QLD, Australia - does anyone know how to check that actual date (or recover the article, I've since lost it)? I'm especially amused how it took Aussie banks 25 years to incorporate these things on cards, and it's only the last 1 or 2 years that we've been able to actually use them.

I think some deep commentary on the reason why chipcards have been so fiercely resisted in commerce needs to be added to this article. My suspicion is that banks and card companies are making billions out of fraud (paid for by the merchants, who cover the problem via increased prices). Preventing it is a bad business decision for them. 120.151.160.158 (talk) 08:03, 31 October 2011 (UTC)

Smart Card Web Server (SCWS)
The Smart Card Web Server (SCWS) is currently discussed in WP:AfD. As this topic might be worth mentioning in this article, I dump it verbatim here:Dmitrij D. Czarkoff (talk) 19:46, 19 March 2012 (UTC)
 * I have added an appropriate paragraph about SCWS here to the Smart card article. Zad68 (talk) 16:17, 20 March 2012 (UTC)

Merge from Smart Card Security
Suggested merge because there's not much content on the other page (Smart_card_security), it has only one reference, and its history suggests it was originally created as an advertorial page anyways.Cheolsoo (talk) 02:58, 6 January 2014 (UTC) +1 2620:0:1000:1900:4D03:1482:64C2:DEF6 (talk) 18:32, 20 October 2014 (UTC)
 * Agree The other article doesn't add much, and what it does, could easily be merged into this article. 68.110.104.114 (talk) 20:58, 26 December 2014 (UTC)