Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News

card in Hong Kong has gained over 11 million cardholders, is used in nearly nine million transactions a day and,
in addition to transport and parking, is accepted in payment for groceries. In the UK, Transport for London
has already issued over 10 million Oyster cards and currently reports that just three per cent of payments on
London Underground and buses are made in cash.
Changing user behaviours
The use of contactless cards in mass transit environments has become almost ubiquitous; transit system
contactless smart cards are now in use in major cities worldwide — including Hong Kong, Tokyo, Seoul,
Washington DC and Shanghai — and the majority of planned new transit fare payment systems are electing to
use contactless smart cards as the primary ticket media. From a user perspective, the simplicity and familiarity
of the ‘tap-and-go’ transit payment systems are proving to be key to wider scale acceptance and adoption in
other payment or usage scenarios.
As a result contactless smart cards are now making the transition into retail environments as transit agencies
and card associations work together to extend the use of contactless payment devices. Transport for London
(TfL), in partnership with Barclaycard, recently launched its co-branded multiple application card for both
transit and retail payment, OnePulse. The 3-in-1 card combines Oyster, credit and cashless facilities and aims to
effortlessly extend Oyster’s functionality to existing customers. Retailers already signed up to the new
technology include Books Etc, Chop’d, Coffee Republic, EAT, Krispy Kreme, Threshers and Yo! Sushi.
In the UK, an initial 2,000-strong retailer roll-out of contactless payment in London in autumn 2007 will
dovetail into a series of full scale national implementation programmes throughout 2008. London commuters,
who are already familiar with contactless technology through TfL’s Oyster card, will be able to take advantage
of improved customer experience in new retail payment environments, while the planned point-of-sale
deployments across the rest of the UK are expected to widely establish contactless payment. By the end of
2008, the UK payments association APACS estimates that over five million contactless cards will have been
issued and will be accepted in at least 100,000 merchants across the country.
Making the leap
The UK contactless payment initiatives aim to capitalise on the benefits of simplicity, convenience and speed,
combined with existing consumer familiarity with a proven and well-established EMV structure.
In terms of deployment, a key advantage of implementing contactless solutions is that the technology can be
readily adapted to current payment systems. Existing EFTPoS terminals can be easily modified with an interface
to a contactless RF (radio frequency) reader, enabling retailers to leverage their existing payment structure and
providing a future proofed solution to support full-scale contactless rollouts.
The contactless interface can also be deployed with EMV chip-based cards, or in magnetic stripe card
environments. In EMV scenarios, PIN data entry can be used to verify contactless transactions, while in non-
EMV transactions, data derived from Track 2 magnetic stripe-related information and secret data is transmitted
by the contactless chip in response to a signal from an EFTPoS device; in some instances this data undergoes
authorisation in a manner similar to a magnetic stripe transaction.
Securing the transaction
In the self-service applications that today’s consumers now demand, ensuring the highest security at the point
of payment is a critical challenge. Contactless payments use the international ISO/IEC14443 standard for
contactless reader-card communication, and leverage the existing payments infrastructure, which has supported
card payments for the past 40 years.
Although the use of a contactless interface does not routinely require the consumer to enter a PIN, the card’s
chip tracks activity, and after a consecutive number of transactions may prompt the user to enter a PIN.
This security feature provides options that re-affirm card possession and deter potential fraudulent use, should
the card be lost or stolen. Additional security features include a unique in-build 128-bit encrypted key on each
contactless card for verification. At a system level, payment networks can automatically detect and reject any
attempt to use the same transaction information more than once.
Contactless payments are fast approach the tipping point of adoption within retail environments. In the UK,
the collaboration between TfL and Barclaycard signals the first mass deployment of a bank-controlled
contactless payment application with an operational transit application, and may well prove transformational for
contactless payment adoption in many countries.
Smart Card & Identity News • January 2008
20