Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News
Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News
Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
card in Hong Kong has gained over 11 million cardholders, is used in nearly nine million transactions a day <strong>and</strong>,<br />
in addition to transport <strong>and</strong> parking, is accepted in payment for groceries. In the UK, Transport for London<br />
has already issued over 10 million <strong>Oyster</strong> cards <strong>and</strong> currently reports that just three per cent of payments on<br />
London Underground <strong>and</strong> buses are made in cash.<br />
Changing user behaviours<br />
The use of contactless cards in mass transit environments has become almost ubiquitous; transit system<br />
contactless smart cards are now in use in major cities worldwide — including Hong Kong, Tokyo, Seoul,<br />
Washington DC <strong>and</strong> Shanghai — <strong>and</strong> the majority of planned new transit fare payment systems are electing to<br />
use contactless smart cards as the primary ticket media. From a user perspective, the simplicity <strong>and</strong> familiarity<br />
of the ‘tap-<strong>and</strong>-go’ transit payment systems are proving to be key to wider scale acceptance <strong>and</strong> adoption in<br />
other payment or usage scenarios.<br />
As a result contactless smart cards are now making the transition into retail environments as transit agencies<br />
<strong>and</strong> card associations work together to extend the use of contactless payment devices. Transport for London<br />
(TfL), in partnership with Barclaycard, recently launched its co-br<strong>and</strong>ed multiple application card for both<br />
transit <strong>and</strong> retail payment, OnePulse. The 3-in-1 card combines <strong>Oyster</strong>, credit <strong>and</strong> cashless facilities <strong>and</strong> aims to<br />
effortlessly extend <strong>Oyster</strong>’s functionality to existing customers. Retailers already signed up to the new<br />
technology include Books Etc, Chop’d, Coffee Republic, EAT, Krispy Kreme, Threshers <strong>and</strong> Yo! Sushi.<br />
In the UK, an initial 2,000-strong retailer roll-out of contactless payment in London in autumn 2007 will<br />
dovetail into a series of full scale national implementation programmes throughout 2008. London commuters,<br />
who are already familiar with contactless technology through TfL’s <strong>Oyster</strong> card, will be able to take advantage<br />
of improved customer experience in new retail payment environments, while the planned point-of-sale<br />
deployments across the rest of the UK are expected to widely establish contactless payment. By the end of<br />
2008, the UK payments association APACS estimates that over five million contactless cards will have been<br />
issued <strong>and</strong> will be accepted in at least 100,000 merchants across the country.<br />
Making the leap<br />
The UK contactless payment initiatives aim to capitalise on the benefits of simplicity, convenience <strong>and</strong> speed,<br />
combined with existing consumer familiarity with a proven <strong>and</strong> well-established EMV structure.<br />
In terms of deployment, a key advantage of implementing contactless solutions is that the technology can be<br />
readily adapted to current payment systems. Existing EFTPoS terminals can be easily modified with an interface<br />
to a contactless RF (radio frequency) reader, enabling retailers to leverage their existing payment structure <strong>and</strong><br />
providing a future proofed solution to support full-scale contactless rollouts.<br />
The contactless interface can also be deployed with EMV chip-based cards, or in magnetic stripe card<br />
environments. In EMV scenarios, PIN data entry can be used to verify contactless transactions, while in non-<br />
EMV transactions, data derived from Track 2 magnetic stripe-related information <strong>and</strong> secret data is transmitted<br />
by the contactless chip in response to a signal from an EFTPoS device; in some instances this data undergoes<br />
authorisation in a manner similar to a magnetic stripe transaction.<br />
Securing the transaction<br />
In the self-service applications that today’s consumers now dem<strong>and</strong>, ensuring the highest security at the point<br />
of payment is a critical challenge. Contactless payments use the international ISO/IEC14443 st<strong>and</strong>ard for<br />
contactless reader-card communication, <strong>and</strong> leverage the existing payments infrastructure, which has supported<br />
card payments for the past 40 years.<br />
Although the use of a contactless interface does not routinely require the consumer to enter a PIN, the card’s<br />
chip tracks activity, <strong>and</strong> after a consecutive number of transactions may prompt the user to enter a PIN.<br />
This security feature provides options that re-affirm card possession <strong>and</strong> deter potential fraudulent use, should<br />
the card be lost or stolen. Additional security features include a unique in-build 128-bit encrypted key on each<br />
contactless card for verification. At a system level, payment networks can automatically detect <strong>and</strong> reject any<br />
attempt to use the same transaction information more than once.<br />
Contactless payments are fast approach the tipping point of adoption within retail environments. In the UK,<br />
the collaboration between TfL <strong>and</strong> Barclaycard signals the first mass deployment of a bank-controlled<br />
contactless payment application with an operational transit application, <strong>and</strong> may well prove transformational for<br />
contactless payment adoption in many countries.<br />
<strong>Smart</strong> <strong>Card</strong> & <strong>Identity</strong> <strong>News</strong> • January 2008<br />
20