Mifare, Oyster and ITSO Cards Hacked Smart Card & Identity News
Growing market for PIN applications
By Carl-Otto Künnecke, Managing Director, OK systems
Personal Identification Numbers (PINs) are very versatile and can be used for many different applications. They are used not only in the banking sector (mostly for debit cards and, increasingly, for credit cards) but are also becoming more and more important for health insurance funds, where secure data is protected with a password on the chip of a health card. PINs are also employed for ID cards, for example the new German ID card. In this case PIN and chip form a digital signature which can be applied in the field of e-government, signing of contracts or secure entry into public facilities.
In general, the PIN mostly consists of four characters (as used to access ATMs). However, some applications require PINs with more characters. The PIN is generated via an encryption procedure using different algorithms such as DES (symmetric Data Encryption Standard), RSA (asymmetric encryption system) or ISO 9564-1.
The entire PIN handling takes place in rooms with the highest security levels. If PINs and cards are personalized in the same building, the processes must be physically separated from each other. Due to this risk, PIN personalization is mostly completely separated from card personalization. The outsourcing trend visible in the card personalization sector does not have the same momentum for the PIN personalization process.
Even though PINs have become indispensable in bank applications, there is no Visa/Mastercard certification for PINs. This affects the products themselves as well as PIN generation and transportation to the end customer. More than ever, transportation is an extremely insecure element when PINs are forwarded to the end customer or bank agency. In countries where bank cards are sent directly to the customers, the PIN is dispatched a few days after the card or sent prior to the card mailing. The common understanding is that PIN and card should never meet in the same post box on the same day. In cases of indirect distribution, where the card holders have to fetch their card and PIN at the local branch office, packages of cards and PINs are often sent by separate courier to the branch. In just a few cases cards and PINs go together with the same carrier and in the same envelope. What seems to be a high risk can be discounted when PIN and card are not activated yet: if envelopes are stolen or opened, the cards and PINs are of no use at all. The issuer activates PIN and card either by activating the package at the bank office or by special telephone verification, and the customer can then use them. The reason financial institutions use this approach is to reduce dispatch costs, because postage is in most cases the biggest portion of the cost of the whole product. By sending only one product the banks save production costs as well as costs for dispatch and courier services. And the customer will get one product instead of two.
Besides this classic process, where a PIN printed on paper is used, there are some cases where electronic transmission is employed, as in China. Or, as in Korea, the PIN is generated through the application form when a card holder applies for a new card. However, due to high security risks these are only exceptions. Traditionally, PIN letters have been generated on 3-layered carbon copy paper and labelled with address and PIN on needle printers. Due to visual aspects and security risks, many banks no longer consider this process contemporary. Card carriers and enclosures convey the marketing ideas of the financial institute, while the PIN still looks as it did at the beginning of the computerized era. So the demand for a new product which fits the overall corporate design of a financial institute is mostly based on new marketing needs, but also on the fact that in many countries banks issue several PINs for each customer: one for ATM, one for electronic banking and sometimes even a third one for ATMs abroad. The old-fashioned “dot matrix” makes this impossible and thus application and layout have to be changed.
Therefore, some new processes have been established on the market. All these processes use laser printers to print the information on the PIN letter. The advantage is that significantly more information can be forwarded to the end customer. As another benefit the issuers can also use their own color logos and thus make the PIN letter a means of advertising.
The foundation for all processes currently available on the market is the issuers’ need for corporate design, secure products and production processes as well as costs for the consumables.
Smart Card & Identity News • January 2008