For several decades, plastic cards have been widely used in everyday life. Having appeared long before the proliferation of personal computers and cell phones, they replace paper bills, passes and IDs.
But obvious advantages hide less obvious disadvantages. To deprive you of cash, a fraudster needs to pull your wallet out of your bag or pocket; to steal with the help of a plastic card, he can be in the next room, or maybe on another continent.
The problem of identity theft has become one of the most discussed topics in recent years. The term covers both forgery of checks and theft of passwords, and with the proliferation of alternative authentication mechanisms (in particular, biometrics) more and more opportunities for the abuse of personal information have to be taken into account. Still, it is plastic cards that are at the center of attention.
Students, businessmen, and housewives have them - debit and credit, for travel by public transport, payment for telephone calls, Internet access, etc. It got to the point that plastic calling cards became collectible - at any online auction you can find a section dedicated to this "philately of the XXI century." Even polyclinics now issue plastic cards instead of a paper insurance policy!
All this "plastic" can be divided into three main categories according to the method of information storage: cards with a magnetic stripe, scratch cards and smart cards. Plastic business cards and other souvenir products form a separate group; offenses involving them are allegedly unknown. Although on the subway I have several times walked past ferocious old women by showing them a plastic calendar, and last year's at that.
Magnetic stripe cards
The first thing that comes to mind when you hear the term "plastic card" is the classic magnetic stripe card. These cards appeared in the 50s of the last century. The Diners Club pioneered the use of the new technology, and American Express then followed. Since then, the cards have spread all over the world, and they also account for the largest percentage of illegal actions, or, simply put, cases of fraud and theft.
According to the ISO-7810 standard, a plastic card is a rectangular plate 85.6x54 mm in size and 0.76 mm thick. To protect this tiny piece of plastic, the latest technologies are used in a variety of fields: printing, chemical industry, software development, etc.
Usually the card carries the following information:
On the front side:
- a unique 16-digit number;
- validity period (from and to);
- Owner's name.
On the back side:
- magnetic stripe;
- signature of the owner.
In addition, many images can be printed on the card: a photograph of the owner, reference information for bank customers, etc.
Letters and numbers on the front side can be embossed with a special embosser, or they can simply be printed, for example, as on Visa Electron cards.
The main data storage on the card is the magnetic stripe. Its properties are similar to the film used in audio cassettes. Information can be recorded on three tracks, differing in format:
- the first has a recording density of 210 bits per inch (BPI) and can contain 79 7-bit (6 bits + parity) alphanumeric characters (read-only);
- the second - 75 BPI, contains 40 5-bit (4 bits + parity) digits;
- the third - 210 BPI, contains 107 5-bit (4 bits + parity) digits.
On bank cards, the following are recorded on the tracks: account number, currency code, country code of issue, owner's name, validity period (in principle, the same information that is printed on the card itself, but in digital form). In addition, any company can use its own data format. For example, on a card used as an internal pass, the owner's level of authority, etc. can be recorded instead of the account number.
Each time a monetary transaction is conducted with a bank card, the system initiates an authentication process in which the correctness of the information recorded on the card is checked. Authentication can be of the following types:
- voice authorization - the simplest case, carried out using a tone-dialing telephone;
- electronic terminal - reading information from a magnetic stripe, for example, in ATMs or POS-terminals;
- virtual terminal - data verification when paying via the Internet.
In any case, on one side there is a cardholder, and on the other a specialized organization (the acquirer), which establishes a connection with the bank that issued the card to verify the data:
- card number;
- limit (for a credit card);
- card expiry date;
- availability of money in the account.
If all the necessary conditions are met, and the requested amount does not exceed the account balance, the same organization provides guarantees for the transfer of money to another participant in the transaction.
Data transfer between the terminal and the verifying organization takes place via telephone networks or Internet channels. Encryption is used to protect the transmitted data. For example, an ATM encrypts the entered PIN code and sends it to be checked against what is stored in the database of the bank that issued the card. A one-way cryptographic method is used for the encryption: the value is easy to calculate in one direction from the bank key and the typed PIN code, while the reverse transformation (inversion) is very inefficient in practice, even if the bank key has become known. This protection was introduced to protect the cardholder from the actions of a malicious person who has gained access to bank databases.
In addition to technical means, organizational and administrative methods of protection are of great importance. They include a whole range of measures at various levels: from special locks on ATM booths and emergency call centers, which should be contacted in case of loss or theft of a card, to government control over the sale of equipment for the production of cards themselves.
It would seem that in the process of paying with a plastic card everything is so thoroughly provided for, and each operation undergoes so many different checks, that it would probably be easier to infiltrate foreign intelligence than to steal money from an account. And although the statistics of detecting spies are hidden from us, judging by the available information on cases of fraud, everything turns out to be far from as rosy as we would like. In successful attacks, hackers get hold of information about millions of bank cards. And such cases occur often enough to make everyone who keeps their money "on the card" anxious.
But the problems people face when using plastic cards with a magnetic stripe are not limited to illegal actions. Like any other half-century-old technology, these cards have a number of drawbacks. For example, a lot of inconvenience is caused by the fact that any magnet can simply erase all stored information, and even simple scratches can affect its integrity. And this is not the worst of their "birth traumas".
Smart cards
Smart card technology, designed to correct these shortcomings, has been around for a long time. Smart cards were first used by the French in 1984. But until now they have not received widespread distribution. Although there were plans according to which all payment systems were going to switch to using smart cards by 2004, banks continue to issue good old "plastic".
From the outside, both types of cards (magnetic and smart cards) look almost the same, but inside ... To begin with, ordinary cards don't have any "inside" at all, while smart cards have a microchip hidden under the gold-plated contacts. It can contain up to a kilobyte of RAM, 24KB of ROM, and 16KB of flash ROM. It also has an 8-bit microprocessor operating at a frequency of about 5 MHz. And all this in a package thinner than a millimeter! It is clear that with such wealth, the magnetic stripe disappears as unnecessary.
The computational capabilities of the processor allow you to move from basic authentication to full-fledged cryptography. And although the procedure looks familiar to the user who withdraws money (entered the PIN-code and you're done), a complex mechanism of encrypted data exchange works inside the system.
In order to ensure maximum protection of these algorithms, a "secret" is embedded at each stage of the life cycle of a smart card. Thus, even if attackers penetrate directly into the technological process, the cards themselves will not be compromised.
The processor inside each card runs an operating system that provides a fairly user-friendly interface for the developer. It is thanks to this system that it is possible to execute programs, write and read files, encrypt and verify cryptographic data. Its flexibility is so great that Sun Corporation even developed the Java Card platform, which allows its highly popular Java technology to be used to develop specialized applications.
The significantly increased (in comparison with a magnetic card) storage capacity and easy access to stored data allow one card to be used for several types of operations. For example, as a pass, to receive a salary, and to access the company's computer network. Thus, you get rid of a tight pile of cards in your wallet and get one universal card instead.
What prevents the implementation of this wonderful technology in practice? No matter how trite, everything again comes down to money. And the point here is not only and not so much in the difference in the cost of the finished cards. The whole point is, first of all, in the huge infrastructure, an extensive network of ATMs, POS terminals and other equipment that has swept the entire planet. Replacement and modification of equipment, development and implementation of software, training of personnel - it is difficult to even imagine how much it will cost.
Because of these complexities, smart cards are still being adopted in narrower markets. For example, many modern computers, especially those designed for corporate customers, have built-in reading devices. Since most operating systems support user authorization using hardware, this can significantly increase the security in the company's computer network. Now, careless users will not stick a piece of paper with a password on the monitor or put it under the keyboard. It will be enough to insert your personal (no vulgarity) card into the slot and you're done.
The news regularly reports that governments of different countries plan to use the capabilities of smart cards to create a new generation of passports, placing in memory a whole file of data for each citizen: biometric information, medical and insurance history, personal "electronic signature" keys, etc.
Scratch cards
Prepaid or scratch card scams are the most common. Indeed, it would not be serious to waste time and money on the development of some clever technologies for reading information under a protective layer. In addition, profits here are incomparably smaller and limited. It is much more interesting to purchase equipment and organize the production of a large batch of "doubles", as much as possible similar to the cards of popular payment systems, telecommunications companies, etc.
Due to the specifics of scratch cards, special attention is paid to their graphic design. Usually, the differences between the "twins" and the original show up precisely in the details, where a more complex technological process or miniature elements of the drawing cannot be reproduced. Thus, in the well-known incident with the spread of counterfeit BI + cards, they could be identified by the wider lines of the barcode and the method of its application (not above the protective layer of the laminate, but below it). Another difference (more noticeable) was the duplicate serial number.
In the simplest case, the numbers are generated randomly. If the criminals somehow manage to get hold of the databases of valid numbers and PIN-codes, and then throw such fakes on the market ... These are the nightmares that the heads of security services of large Internet providers and mobile operators dream about.
That is why many large firms prefer to take the production of "plastic" into their own hands. To do this, they buy equipment for hundreds of thousands of dollars, train personnel and set up their own production. However, it is often enough to buy ready-made cards from specialized companies, and then apply numbers and a protective layer to them at their own facilities.
WHAT'S NEXT
The three categories described do not cover the whole variety of cards. For passes and insurance policies, for example, only bar codes are often used, and in discount and club systems, cards may not carry any information at all, except for a unique number and full name. In most cases, a relatively low level of protection can be increased by applying a photograph of the owner (both at the checkpoint and in the store, the accuracy is additionally checked by a person). And sophisticated printing, for example, applying a holographic drawing, helps to protect the card from counterfeiting.
In general, there are a lot of technologies, and tomorrow there will be even more. Is it good? Yes, just wonderful! But the classic was right: they steal ...
CARD NUMBER
The card number is the primary source of information about it: it can be used to find out the type of card, the issuing bank, and also the account number. The structure may differ (for example, there are Visa cards with 13 and 16-digit numbers), but by the first digit you can always determine which system it belongs to:
3 - American Express, Diners Club and some other systems
4 - Visa
5 - MasterCard
6 - DiscoverCard
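A defensive use of the first-digit table above, as an added example that is not part of the original article: a log scrubber that finds card numbers, labels the payment system by first digit, and masks everything except the last four digits. The Luhn check-digit test, the 13 to 19 digit length range and the sample log lines are assumptions that go beyond the article; the card numbers are widely published test numbers.

```python
import re

# First digit -> payment system, as listed in the article.
SYSTEMS = {
    "3": "American Express, Diners Club and some other systems",
    "4": "Visa",
    "5": "MasterCard",
    "6": "DiscoverCard",
}

# Assumption: a card number is 13 to 19 digits, optionally grouped with
# single spaces or hyphens, and not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (assumption: not described in the article)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def payment_system(digits: str) -> str:
    """Map the first digit to the system named in the article's table."""
    return SYSTEMS.get(digits[0], "unknown")


def scrub_line(line: str):
    """Return (masked_line, findings) for one log line.

    Digit runs that fail the Luhn test (order ids, trace ids) are left
    untouched; valid numbers keep only their last four digits.
    """
    findings = []

    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        findings.append((payment_system(digits), len(digits), digits[-4:]))
        return "*" * (len(digits) - 4) + digits[-4:]

    return CANDIDATE.sub(mask, line), findings


def scrub_log(lines):
    """Mask every line and count findings per payment system."""
    masked, counts = [], {}
    for line in lines:
        clean, findings = scrub_line(line)
        masked.append(clean)
        for system, _length, _last4 in findings:
            counts[system] = counts.get(system, 0) + 1
    return masked, counts


# Constructed log lines for the demonstration.
SAMPLE_LOG = [
    "ts=1700000001 event=pay card=4111111111111111 amount=12.50",
    "ts=1700000002 event=pay card=5555-5555-5555-4444 amount=80.00",
    "ts=1700000003 event=pay card=3782 822463 10005 amount=5.00",
    "ts=1700000004 event=refund trace=1234567890123456 status=ok",
    "ts=1700000005 event=pay card=4222222222222 amount=1.00",
]

if __name__ == "__main__":
    masked_lines, per_system = scrub_log(SAMPLE_LOG)
    print("\n".join(masked_lines))
    print(per_system)
```

A digit run that touches a card number through a space or hyphen is tested as one candidate, so free-form text should be split into fields before scrubbing.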
LIFE OF THE CARD
First stage: production of components
After assembly, a special key (fabrication key, KF) is embedded in the chip. It prevents changes to the chip until it is sealed in plastic. KF is created with special algorithms from the manufacturer's master key and is unique for each issued card.
Second stage: before personalization of the card
The finished chip is shipped to the company that produces blank smart cards. On site, it is installed on a plastic base and tested. KF is replaced by the personalization key (KP). For additional security, a Vper (personalization lock) block is set on the KP. Physical access to memory is completely closed, and information can be written and changed only by software. After that, the system areas, which contain the embedded keys, are inaccessible for reading and writing.
Stage three: card personalization
This stage is performed by the issuing company (for example, a bank). Special software is written into the memory, data files are generated containing information about the cardholder, PIN-code, etc. Finally, the data is closed with a Vutil (utilization lock) block. After that, the card can be issued to its new owner.
The fourth stage: using the card
During use, programs are activated, they access the logical file system, start encryption mechanisms, etc. Access to data is determined by a built-in security policy.
Stage five: expiration
The transition to the final stage can be initiated in two ways. In the first, a program writes the last block (the invalidation lock) to the master file. After that, write operations become unavailable, but read operations can still be performed, for example, to analyze the stored information. In the second, both the PIN code and the additional unblocking PIN code are blocked. In this case, all operations become impossible, even reading.
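The five stages above can be read as a state machine with one-way locks; the model below is an added example, not code from the article or from any card operating system. The retry limit of three, the rule that reads and writes during use need a verified PIN, and every key and PIN value passed to it are assumptions made for the demonstration.

```python
import hmac
from enum import IntEnum

TRIES = 3  # assumption: the article gives no retry limit


class Stage(IntEnum):
    FABRICATION = 1          # chip protected by the fabrication key KF
    PRE_PERSONALIZATION = 2  # KF replaced by KP, Vper lock set
    PERSONALIZATION = 3      # issuer loads files and PINs, then sets Vutil
    UTILIZATION = 4          # card is with its holder
    END_OF_LIFE = 5          # invalidation lock, or both PINs blocked


class CardError(Exception):
    """Raised when the current life-cycle state forbids an operation."""


class Card:
    def __init__(self, kf: bytes):
        self.stage = Stage.FABRICATION
        self.locks = []            # one-way locks, in the order they were set
        self._key = kf             # current life-cycle key: KF, later KP
        self._files = {}
        self._pin = self._unblock = b""
        self.pin_left = self.unblock_left = TRIES
        self._verified = False

    def _transition(self, expected: Stage, key: bytes):
        if self.stage != expected:
            raise CardError(f"not allowed in stage {self.stage.name}")
        if not hmac.compare_digest(key, self._key):  # constant-time compare
            raise CardError("wrong life-cycle key")

    def pre_personalize(self, kf: bytes, kp: bytes):
        """Stage two: the card maker swaps KF for KP and sets Vper."""
        self._transition(Stage.FABRICATION, kf)
        self._key = kp
        self.locks.append("Vper")
        self.stage = Stage.PRE_PERSONALIZATION

    def personalize(self, kp: bytes, files: dict, pin: bytes, unblock: bytes):
        """Stage three: the issuer writes data and PINs, then sets Vutil."""
        self._transition(Stage.PRE_PERSONALIZATION, kp)
        self.stage = Stage.PERSONALIZATION
        self._files, self._pin, self._unblock = dict(files), pin, unblock
        self.locks.append("Vutil")
        self.stage = Stage.UTILIZATION

    def read_system_area(self):
        """Key material is unreadable once Vper is set."""
        if "Vper" in self.locks:
            raise CardError("system area is closed")
        return self._key  # assumption: open only during fabrication

    @property
    def dead(self) -> bool:
        return self.pin_left == 0 and self.unblock_left == 0

    def verify_pin(self, pin: bytes) -> bool:
        if self.stage != Stage.UTILIZATION or self.pin_left == 0:
            raise CardError("PIN verification unavailable")
        self._verified = hmac.compare_digest(pin, self._pin)
        self.pin_left = TRIES if self._verified else self.pin_left - 1
        return self._verified

    def unblock_pin(self, unblock: bytes, new_pin: bytes) -> bool:
        if self.stage != Stage.UTILIZATION or self.unblock_left == 0:
            raise CardError("unblocking unavailable")
        if hmac.compare_digest(unblock, self._unblock):
            self._pin, self.pin_left, self.unblock_left = new_pin, TRIES, TRIES
            return True
        self.unblock_left -= 1
        if self.dead:              # second route into stage five
            self.stage = Stage.END_OF_LIFE
        return False

    def invalidate(self):
        """First route into stage five: write the invalidation lock."""
        if self.stage != Stage.UTILIZATION:
            raise CardError("card is not in use")
        self.locks.append("invalidation")
        self.stage = Stage.END_OF_LIFE

    def read(self, name: str):
        if self.dead:
            raise CardError("PIN and unblocking PIN are blocked")
        in_use = self.stage == Stage.UTILIZATION and self._verified
        if not (in_use or self.stage == Stage.END_OF_LIFE):
            raise CardError("read refused")
        return self._files[name]   # invalidated cards stay readable

    def write(self, name: str, value):
        if self.stage != Stage.UTILIZATION or not self._verified:
            raise CardError("write refused")
        self._files[name] = value
```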
Many of us may not even know that we are smart card users. For example, the SIM-card of your cell phone is the same "smart card", but without the "extra" plastic.