February 23, 2004

Let's talk about SmartCards

If you've been issued an American Express Blue card or one of the fancy-ass new Visa cards recently, you've noticed a chip to the left of the center of the front of the card. Each issuer's chip interface looks a bit different, but they're all a small little rectangle divvied up into smaller areas, either gold or silver. These cards market themselves as SmartCards.

SmartCards are a big hit with consumers. American Express reports that over 60% of its Blue cardholders claim they would charge less to the card if it didn't have that trendy little chip. Consumer response for SmartCards has been much higher than for traditional cards with similar benefits. This is funny, because most people don't know what that little chip does. Just as well, really, because the answer is: not much, yet.

Traditional credit and debit cards work via a magnetic strip on the back. That's the magic black stripe that makes the money come. It's also 40-year-old technology, and nothing very special: it's a two-dimensional magnetic encoding of a large number. This is the same technology that powered your 8-track tapes; only when you swipe the card the reader sees a long number instead of Bohemian Rhapsody. This is so your ATM or Point-of-Sale device doesn't have to read the numbers off the front of your card; there's no extra information on there. This number is then sent to a central processing center, with a PIN if it's a debit card, and the processing center then talks back, saying yes, the card is good, and for how much money. It's simple. It works. It's very, very vulnerable.

Take a look at this Slashdot article or this warning from the University of Texas at Austin. Basically, it's now very easy to read that magnetic strip off the back of your card without you knowing. Magnetic cards are now used for every two-bit operation that wants an ID card; this means that card readers have become commoditized, miniaturized, and cheap. You can make a little device that fits over the card reader at your ATM and looks just like it without seeming out of place, plus a hidden camera to watch you punching in your PIN, for only £800. The card reader is a passthrough; it will read the strip off the back of your card but do nothing with it except store it; your ATM will still see the card and your transaction will go on without any hiccup. Then, next week, the placer of the device will come back, pick up the passthrough and camera, and have a copy of the cards of everyone who used that ATM in the last week. Voila: unlimited, untraceable credit card fraud. This is possible because the number on the back of your card is just that: a number. Copy the number, and you've got the card. It's then a simple task to encode that number back onto a blank card, and use it.

Hell, even that's a lot of trouble. Just offer kickbacks to the local bodega owner. Install the cardreader inside of his machine; everyone who uses his ATM gets their card copied. You can then use those cards at your leisure, any time before they expire.

This is why online and phone retailers will ask you for the expiration date of the card; it increases the degree of difficulty of copying it by one more piece of information. High-end online retailers now ask for another number, too: that 3-digit 'security code' printed onto the signature area on the back of the card. However, now all you need is the stripe, perhaps a PIN, and a low-res photo of the front and back of the card; easy with today's digital camera technology. All of these are stopgap measures aimed at propping up an old technology that's way out of its depth.

Which brings us to SmartCards. That little chip on the edge of your new translucent gateway to lifelong debt is a completely new way of doing business. It's an entire little computer, complete with a processor, memory, and an interface. That little computer has little applications and programs which are installed on it and can be run, accessed, updated, installed, removed, et cetera. As a matter of fact, simple point-of-sale transactions meant to replace credit cards and debit cards are some of the simplest things that they are capable of, but we'll start there.

No number is ever simply read off a SmartCard; instead, the communication happens on a public-private key challenge-response system. Warning: incoming technicalisms. Similar to how PGP or any other cryptographic system worth its salt works, each end of the transaction has two numerical keys: the Public Key and the Private Key. The math involved here is complex, but it works out like this: a message encoded with someone's Public Key can only be decoded with the Private Key. So I hand out my Public Key to everyone I know, and they can encode messages to me using it. I never let anyone see my Private Key; with it I, and only I, can read the messages written to me.

Right, well how does that impact SmartCards? Well, each SmartCard has a Public/Private keypair. When you insert it into the reader, the card broadcasts the public key. The reader relays this key across whatever transmission network it's using all the way back to your bank's central processing center. The bank then sends its own public key back to the ATM network, which sends it back to the reader, and finally to the card itself. The card can now talk to the bank privately.

That should be all of the technical stuff for now.

The upshot of this is that no intermediate party can snoop in on this conversation because the Private Key never leaves the card. Even if I developed an interface passthrough that could read everything said between the card and the reader (difficult), or even if I made an ATM specifically designed to rip you off, I couldn't do it. The communication between the bank and the card is private; the card can't be copied because its unique key never leaves it. If I made my own card that had your public key it wouldn't matter, because the bank would talk to it using your public key, and I wouldn't have your private key, so I couldn't understand what it was saying. Once the bank verifies that the card really is what it claims to be, it tells the reader "this guy is legit, and good for so much money".
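The contrast between the stripe (a static number, so a copy is as good as the card) and the chip (a fresh challenge answered with a key that never leaves the card) can be shown in a few lines. This is an added example, not code from the original post or from any card issuer; it uses textbook RSA with two well-known but far-too-small Mersenne primes as a stand-in for whatever the card actually runs, and the card number is a constructed sample.

```python
import hashlib
import secrets

# Toy RSA keypair for the card (constructed for this example; the primes are
# real but far too small for production, and unpadded textbook RSA is only a
# stand-in for what deployed cards use). Only the card ever holds CARD_PRIVATE.
P, Q = 2**31 - 1, 2**61 - 1          # two well-known Mersenne primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)
CARD_PUBLIC = (N, E)                 # handed to the reader and bank freely
CARD_PRIVATE = (N, D)                # never leaves the card

def hash_to_int(data: bytes, n: int) -> int:
    """Map a challenge to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def bank_challenge() -> bytes:
    """Bank side: a fresh random nonce for every transaction."""
    return secrets.token_bytes(16)

def card_respond(private_key, challenge: bytes) -> int:
    """Card side: sign the nonce. This is the only place D is used."""
    n, d = private_key
    return pow(hash_to_int(challenge, n), d, n)

def bank_verify(public_key, challenge: bytes, response: int) -> bool:
    """Bank side: check the response using the card's public key alone."""
    n, e = public_key
    return pow(response, e, n) == hash_to_int(challenge, n)

def stripe_verify(number_on_file: str, number_read: str) -> bool:
    """Magnetic stripe: the 'proof' is the static number itself."""
    return number_on_file == number_read

def replay_outcomes() -> dict:
    """Replay what a skimmer captured against a later transaction."""
    captured_number = "5555000011112222"    # constructed sample number
    c1 = bank_challenge()
    captured_response = card_respond(CARD_PRIVATE, c1)
    c2 = bank_challenge()                   # next transaction, new nonce
    return {
        "stripe_replay_accepted": stripe_verify("5555000011112222", captured_number),
        "smartcard_genuine_accepted": bank_verify(CARD_PUBLIC, c1, captured_response),
        "smartcard_replay_accepted": bank_verify(CARD_PUBLIC, c2, captured_response),
    }

if __name__ == "__main__":
    print(replay_outcomes())
```

The stripe replay is accepted because the stored number and the copied number are identical; the copied chip response is rejected because it answers the previous nonce, and producing a new one needs D, which the copier never saw.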

Of course, this opens the door for all kinds of new exploits. In the past, the card was passive; now it's got real stuff going on. A card can be destroyed by pumping too much electricity through it, or sitting on it the wrong way; but not compromised. However, as computer viruses and worms have taught us, it takes a lot of work to make secure software. Card writers will need to make sure that their cards are clear of buffer overflows and back doors, to keep them from being exploited. However, the possibility for a secure system is now there.

However, SmartCards are still a long way off from being used like this. Sure, you've got a Smart Visa card. How do you use it? You swipe it, like any other card. This is because there's a black strip on the back; just another long number. It's there for backwards compatibility, so you can use it as a regular credit card. There are very few Point-of-Sale SmartCard readers out there right now (Target's rolling some out, as is Virgin Megastore, Rite Aid, and a few others), and almost no SmartATMs. If you swipe it or insert it all the way, it's not Smart, and it's not secure. However, we're getting there. It might be decades before every bodega ATM is a SmartATM, though. So don't hold your breath.

Of course, with every new technology comes compatibility issues. While the physical interface for a SmartCard is governed by ISO 7816, the software and application interfaces vary by card vendor. For example, Visa is using a system called EMV (Europay MasterCard Visa, which is further complicated by being divided into level 1 and 2 capabilities), while Amex uses a different system. Sun is pushing their JavaCard standard for applications and SmartCard OSes, while Microsoft is pushing a different concept. A group called MULTOS (used by MasterCard) allows multiple operating systems to reside on a single card, while GlobalPlatform is trying to standardize the interface.

SmartCards are capable of a lot more. A secure cryptographic system backing up a stored-data card means you can securely store cash and identification data on a card. Here in New York City we use old-style MetroCards with a magnetic strip, but transit systems in London and Hong Kong are moving to SmartCards. Contactless smart cards communicate with the reader via a wireless radio signal; it doesn't even need to leave your pocket. Mobil Speedpass is a SmartCard in a different form (and with very poor encryption, apparently; edit: see the addendum. I wouldn't put too much cash on one). SmartCards can encrypt and store biometric data on the card, say a fingerprint or retina scan. This way the card can authenticate not only that it is valid and unique, but that it belongs to you, and that you are who you say you are. The US Government is already using Smart Card technology for identification. Most of the post-9/11 calls for a national identification system revolved around SmartCards.

Computers with SmartCard readers can use the card instead of, or in conjunction with, traditional passwords for user identification and authentication. Very useful for encrypting information on laptops to prevent lossage from theft.

A secure encrypting card also allows for the possibility of 'digital cash', bringing to mind science-fiction visions of paper and coin money being a thing of the past, with value stored on cards and transmitted back and forth directly between people. Such a digicash system could be completely anonymous or completely traceable, depending on how it's designed.

Wow, I just wrote a lot. I'm done. Maybe I'll write some more later. Here are some sources and links:
A SmartCard-at-Retail whitepaper from the Smart Card Alliance
Dell now offers laptops with internal SmartCard readers
The EE Times reports on the need for SmartCard software auditing tools

Addendum: a number of credit card companies are now testing contactless credit cards. These are NOT to be confused with contactless SmartCards, or SmartCards at all. These, like Mobil SpeedPass, use RFID (Radio Frequency Identification) systems much like the contactless security cards which many office buildings now use. There is little or no computational power onboard these cards, and a maximum of 128-bit encryption (really quite weak). I don't trust these things, and wouldn't use one. The communication chain is no more secure than a credit card, and perhaps even less, as things are being transmitted wirelessly with little or no encryption.

Posted by Jason at February 23, 2004 11:16 PM to Tech

Comments

i'm fascinated by this. but i have to take a coffee break in the middle. i'll be back later for act two. i wonder if the starcrossed lovers will ever get together.