Smart cards typically include an integrated circuit providing both memory and processing functions, have words or pictures printed on it, and control who uses information stored in the integrated circuit and how the information is used.
Some smart cards have length and width dimensions corresponding to those of credit cards. The size of such smart cards is determined by an international standard (ISO 7816). ISO 7816 also defines the physical characteristics of the plastic, including temperature tolerance and flexibility. ISO 7816 also defines the position of electrical contacts and their functions, and a protocol for communications between the integrated circuit and readers (vending machines, payphones, etc.). The term "smart card," as used herein, is meant to include cards that include microprocessors but that do not necessarily conform to ISO 7816.
Several types of plastic are used for the casings or housings of smart cards. PVC and ABS are typical. PVC can be embossed, but is not readily recyclable. ABS is not readily embossed, but is recyclable.
Smart cards have many different applications. For example, smart cards can be prepaid cards used instead of money for making purchases from vending machines, gaming machines, gas stations, car washes, photocopiers, laundry machines, cinemas, fast food restaurants, retail outlets, or anywhere where cash is used. For example, they are commonly used in Europe with public telephones. A timer is used to deduct a balance from the card automatically while a conversation continues. Smart cards can be used as food stamps, or for redeeming other government provided benefits. Because the transaction is electronic, the telephone, vending machine, etc. does not need to store cash, so risk of loss due to theft can be reduced. Change does not need to be stored and disbursed, and received payment can be directly wired to a bank. Prepaid cards can be a form of advertising, because they can have logos or other information printed on them. The user will typically carry the card for weeks before using up the value on the card.
To authenticate a conventional credit card, a telephone call must be made to verify that funds are available. Smart cards permit such verification to be performed off line, thus saving telecommunication charges. Smart cards thus provide an advantage over conventional credit cards. Smart cards can also be used as keys to gain access to restricted areas, such as secure areas of buildings, or to access parking lots.
Radio frequency identification devices can also be considered to be smart cards if they include an integrated circuit. Radio frequency identification devices are described in detail in U.S. patent application Ser. No. 08/705,043, filed Aug. 29, 1996, and incorporated herein by reference.
One specific application for smart cards is as an access key for communications systems. Smart cards are employed in a GSM (Global System for Mobile Communications) radio telephone system in Europe. A GSM subscriber is issued a smart card, and when that smart card is inserted into any GSM telephone, that telephone becomes the user's own personal phone after activation using a PIN (personal identification number). Calls to the user's phone number will reach the activated phone with the smart card. The smart card is an access key, and the PIN impedes use of stolen or lost credit cards. Smart cards are similarly used as access keys in satellite or cable television descramblers for receiving pay-tv channels or shows. Smart cards can be similarly used for renting computer programs.
Use of smart cards can be an effective way to combat payment fraud. Smart cards can also be used to store and transport medical data to increase convenience to the holder, and reduce errors and cost of handling information. Data can be accessed efficiently without compromising personal privacy.
One of the features of some smart cards is that they can hold data securely. Traditional smart cards store private information in persistent memory. The persistent memory is provided by nonvolatile forms of memory such as ROM, PROM, EPROM, or EEPROM. Access to information on such smart cards is controlled. For example, nobody can add units to a telephone card. On the other hand, a smart card holding medical records may allow everybody to access information such as blood type and patient's name, but access to other data may be restricted. Access control built into smart cards determines who can access the information on the card, and how the information on the card can be accessed (read, modified or augmented, erased). Some smart cards will only provide access if a correct password is given. If the information is of a type that the user will be able to access, the password will be one that the user must remember and use to access the information. Otherwise, the password may be hidden in a sales terminal, telephone, or card reader that accepts the smart card.
Different information in a smart card can be designated to be accessed in different ways. For example, some information may only be capable of being read, some information may be capable of only being added to or only subtracted from, some information may be capable of being modified or erased, and some information may never be accessed. Examples of information that typically can only be read include a unique serial number for each card, the number of units in the card when new, the name of the manufacturer of the card, etc. An example of information that only be subtracted from includes cash units or other indicia of value. Such information may also be tallied by adding spent units instead of subtracting from available units. Simple smart cards such as photocopy cards, are inexpensive to produce, but can be used by others if lost. More sophisticated smart cards have a password to restrict use to one person or machine that knows the password.
A smart card can be designed to restrict some or all of the information it stores (private information) for access only by an authorized person with a password. If the information will be transmitted over the telephone or by radio, additional protection is desirable. One form of protection is ciphering or encryption. Some smart cards hold private information in the form of cryptographic keys that are used in a variety of cryptographic protocols. These keys must be protected from direct disclosure. When the smart card is used in its intended application, the cryptographic protocols confirm that the card holds the key or keys, but do not disclose the key.
Many smart cards do not store private information in a readily readable form on the smart card. Instead, they use a PIN (personal identification number) to encrypt the private information. Thus, even if the private information is obtained by an unauthorized individual, it must still be deciphered. However, PIN encryption is a weak link in a cryptographic scheme. PIN numbers must be easy to remember, so are typically short and have some significance to the owner. Because of this, PIN numbers are relatively to determine.
Various tamper detection mechanisms are in present use with respect to smart cards. However, there are problems with such tamper detection mechanisms and many card providers routinely disable the tamper detection mechanisms.
Traditional smart cards obtain power from the reader with which they are used. This makes information in the smart cards subject to attacks based on bad power.