Digital card

The term digital card[1] can refer to a physical item, such as a memory card on a camera,[2][3] or, increasingly since 2017, to the digital content hosted as a virtual card or cloud card, as a digital virtual representation of a physical card. They share a common purpose: identity management, credit card, debit card or driver's license. A non-physical digital card, unlike a magnetic stripe card, can emulate (imitate) any kind of card.[4][1]

A smartphone or smartwatch can store content from the card issuer; discount offers and news updates can be transmitted wirelessly, via Internet. These virtual cards are used in very high volumes by the mass transit sector, replacing paper-based tickets and the earlier magnetic strip cards.[5]

History

[edit]
Front side of the first Magnetic Stripe plastic credit card. Note that the narrow magnetic stripe is on the front of the card. It was later switched to the back side.

Magnetic recording on steel tape and wire was invented by Valdemar Poulsen in Denmark around 1900 for recording audio.[6] In the 1950s, magnetic recording of digital computer data on plastic tape coated with iron oxide was invented. In 1960, IBM built upon the magnetic tape idea and developed a reliable way of securing magnetic stripes to plastic cards,[7] as part of a contract with the US government for a security system. A number of International Organization for Standardization standards, ISO/IEC 7810, ISO/IEC 7811, ISO/IEC 7812, ISO/IEC 7813, ISO 8583, and ISO/IEC 4909, now define the physical properties of such cards, including size, flexibility, location of the magstripe, magnetic characteristics, and data formats. Those standards also specify characteristics for financial cards, including the allocation of card number ranges to different card issuing institutions.

As technological progress emerged in the form of highly capable and always carried smartphones, handhelds and smartwatches, the term "digital card" was introduced.[1]

On May 26, 2011 Google released its own version of a cloud hosted Google Wallet which contains digital cards - cards that can be created online without having to have a plastic card in first place, although all of its merchants currently issue both plastic and digital cards.[8] There are several virtual card issuing companies located in different geographical regions, such as Weel in Australia and Privacy in the USA.

Magnetic stripe card

[edit]
An example of the reverse side of a typical credit card: Green circle #1 labels the magnetic stripe.
Visualization of magnetically stored information on a magnetic stripe card (recorded with CMOS-MagView, dark colors correspond to magnetic north, light colors correspond to magnetic south)

A magnetic stripe card is a type of card capable of storing data by storing it on magnetic material attached to a plastic card. A computer device can update the card's content. The magnetic stripe is read by swiping it past a magnetic reading head. Magnetic stripe cards are commonly used in credit cards, identity cards, and transportation tickets. They may also contain a radio frequency identification (RFID) tag, a transponder device and/or a microchip mostly used for access control or electronic payment.

Magnetic storage

[edit]
The first prototype of magnetic stripe card created by IBM in the late 1960s. A stripe of cellophane magnetic tape is fixed to a piece of cardboard with clear adhesive tape

Magnetic storage was known from World War II and computer data storage in the 1950s.[7]

In 1969 an IBM engineer had the idea of attaching a piece of magnetic tape, the predominant storage medium at the time, to a plastic card base. He tried it, but the result was unsatisfactory. Strips of tape warped easily, and the tape's function was negatively affected by adhesives he used to attach it to the card. After a frustrating day in the laboratory trying to find an adhesive that would hold the tape securely without affecting its function, he came home with several pieces of magnetic tape and several plastic cards. As he entered his home his wife was ironing clothing. When he explained the source of his frustration – inability to get the tape to "stick" to the plastic so that it would not come off, but without compromising its function – she suggested that he use the iron to melt the stripe on. He tried it and it worked.[9][10] The heat of the iron was just high enough to bond the tape to the card.

Front side of the first magnetic stripe plastic credit card. Note that the narrow magnetic stripe is on the front of the card. It was later switched to the back side.
Back side of the first magnetic stripe plastic credit card
Back of early magnetic striped encoded paper card. The narrow magnetic stripe in the center of the card was applied using a magnetic slurry paint.

Incremental improvements from 1969 through 1973 enabled developing and selling implementations of what became known as the Universal Product Code (UPC).[11][12][13] This engineering effort resulted in IBM producing the first magnetic striped plastic credit and ID cards used by banks, insurance companies, hospitals and many others.[11][14]

Initial customers included banks, insurance companies and hospitals, who provided IBM with raw plastic cards preprinted with their logos, along with a list of the contact information and data which was to be encoded and embossed on the cards.[14] Manufacturing involved attaching the magnetic stripe to the preprinted plastic cards using the hot stamping process developed by IBM.[15][16]

Further developments and encoding standards

[edit]

IBM's development work, begun in 1969, but still needed more work. Steps required to convert the magnetic striped media into an industry acceptable device included:

Front and back of a card from the late 1980s used in food vending machines in the UK
  1. Creating the international standards for stripe record content, including which information, in what format, and using which defining codes.
  2. Field testing the proposed device and standards for market acceptance.
  3. Developing the manufacturing steps needed to mass-produce the large number of cards required.
  4. Modifying available equipment to enable it to issue and accept stripes and the data associated with them.

These steps were initially managed by Jerome Svigals of the Advanced Systems Division of IBM, Los Gatos, California, from 1966 to 1975.

In most magnetic stripe cards, the magnetic stripe is contained in a plastic-like film. The magnetic stripe is located 0.223 inches (5.7 mm) from the edge of the card, and is 0.375 inches (9.5 mm) wide. The magnetic stripe contains three tracks, each 0.110 inches (2.8 mm) wide. Tracks one and three are typically recorded at 210 bits per inch (8.27 bits per mm), while track two typically has a recording density of 75 bits per inch (2.95 bits per mm). Each track can either contain 7-bit alphanumeric characters, or 5-bit numeric characters. Track 1 standards were created by the airlines industry (IATA). Track 2 standards were created by the banking industry (ABA). Track 3 standards were created by the thrift-savings industry.

Magstripes following these specifications can typically be read by most point-of-sale hardware, which are simply general-purpose computers that have been programmed to perform the required tasks. Examples of cards adhering to these standards include ATM cards, bank cards (credit and debit cards including Visa and MasterCard), gift cards, loyalty cards, driver's licenses, telephone cards, membership cards, electronic benefit transfer cards (e.g. food stamps), and nearly any application in which monetary value or secure information is not stored on the card itself. Many video game and amusement centers now use debit card systems based on magnetic stripe cards.

Magnetic stripe cloning can be detected by the implementation of magnetic card reader heads and firmware that can read a signature of magnetic noise permanently embedded in all magnetic stripes during the card production process. This signature can be used in conjunction with common two-factor authentication schemes utilized in ATM, debit/retail point-of-sale and prepaid card applications.[17]

Some types of cards intentionally ignore the ISO standards regarding which kind of data is recorded in each track, and use their own data sequences instead; these include hotel key cards, most subway and bus cards, and some national prepaid calling cards (such as for the country of Cyprus) in which the balance is stored and maintained directly on the stripe and not retrieved from a remote database.

Financial cards

[edit]

There are up to three tracks on magnetic cards known as tracks 1, 2, and 3. Track 3 is virtually unused by the major worldwide networks [citation needed], and often is not even physically present on the card by virtue of a narrower magnetic stripe. Point-of-sale card readers almost always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum cardholder account information needed to complete a transaction is present on both tracks. Track 1 has a higher bit density (210 bits per inch vs. 75), is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder's name.

Track 1 is written with code known as DEC SIXBIT plus odd parity. The information on track 1 on financial cards is contained in several formats: A, which is reserved for proprietary use of the card issuer, B, which is described below, C-M, which are reserved for use by ANSI Subcommittee X3B10 and N-Z, which are available for use by individual card issuers:

Track 1
[edit]

Format B:

  • Start sentinel — one character (generally '%')
  • Format code="B" — one character (alpha only)
  • Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • Field Separator — one character (generally '^')
  • Name — 2 to 26 characters, surnames separated by space if necessary, Surname separator: /
  • Field Separator — one character (generally '^')
  • Expiration date — four characters in the form YYMM.
  • Service code — three characters
  • Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), PIN Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVC, 3 characters)
  • End sentinel — one character (generally '?')
  • Longitudinal redundancy check (LRC) — it is one character and a validity character calculated from other data on the track.
Track 2
[edit]

This format was developed by the banking industry (ABA). This track is written with a 5-bit scheme (4 data bits + 1 parity), which allows for sixteen possible characters, which are the numbers 0–9, plus the six characters  : ; < = > ? . (It may seem odd that these particular punctuation symbols were selected, but by using them the set of sixteen characters matches the ASCII range 0x30 through 0x3f.) The data format is as follows:

  • Start sentinel — one character (generally ';')
  • Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • Separator — one character (generally '=')
  • Expiration date — four characters in the form YYMM.
  • Service code — three digits. The first digit specifies the interchange rules, the second specifies authorization processing and the third specifies the range of services
  • Discretionary data — as in track one
  • End sentinel — one character (generally '?')
  • Longitudinal redundancy check (LRC) — it is one character and a validity character calculated from other data on the track. Most reader devices do not make the LRC available for display, but use it to verify the input internally to the device.

Service code values common in financial cards:

First digit

1: International interchange OK
2: International interchange, use IC (chip) where feasible
5: National interchange only except under bilateral agreement
6: National interchange only except under bilateral agreement, use IC (chip) where feasible
7: No interchange except under bilateral agreement (closed loop)
9: Test

Second digit

0: Normal
2: Contact issuer via online means
4: Contact issuer via online means except under bilateral agreement

Third digit

0: No restrictions, PIN required
1: No restrictions
2: Goods and services only (no cash)
3: ATM only, PIN required
4: Cash only
5: Goods and services only (no cash), PIN required
6: No restrictions, use PIN where feasible
7: Goods and services only (no cash), use PIN where feasible

United States and Canada driver's licenses

[edit]

The data stored on magnetic stripes on American and Canadian driver's licenses is specified by the American Association of Motor Vehicle Administrators. Not all states and provinces use a magnetic stripe on their driver's licenses. For a list of those that do, see the AAMVA list.[18][19]

The following data is stored on track 1:[20]

  • Start Sentinel - one character (generally '%')
  • State or Province - two characters
  • City - variable length (seems to max out at 13 characters)
  • Field Separator - one character (generally '^') (absent if city reaches max length)
  • Last Name - variable length
  • Field Separator - one character (generally '$')
  • First Name - variable length
  • Field Separator - one character (generally '$')
  • Middle Name - variable length
  • Field Separator - one character (generally '^')
  • Home Address (house number and street) - variable length
  • Field Separator - one character (generally '^')
  • Unknown - variable length
  • End Sentinel - one character (generally '?')

The following data is stored on track 2:

  • ISO Issuer Identifier Number (IIN) - 6 digits[21]
  • Drivers License / Identification Number - 13 digits
  • Field Separator - generally '='
  • Expiration Date (YYMM) - 4 digits
  • Birth date (YYYYMMDD) - 8 digits
  • DL/ID# overflow - 5 digits (If there is no information to put in this field, a field separator is used instead.)
  • End Sentinel - one character ('?')

The following data is stored on track 3:

  • Template V#
  • Security V#
  • Postal Code
  • Class
  • Restrictions
  • Endorsements
  • Sex
  • Height
  • Weight
  • Hair Color
  • Eye Color
  • ID#
  • Reserved Space
  • Error Correction
  • Security

Note: Each state has a different selection of information they encode, not all states are the same. Note: Some states, such as Texas,[22] have laws restricting the access and use of electronically readable information encoded on driver's licenses or identification cards under certain circumstances.

Other card types

[edit]

Smart cards are a newer generation of card that contain an integrated circuit. Some smart cards have metal contacts to electrically connect the card to the reader; there are also contactless cards that use a magnetic field or radio frequency (RFID) for proximity reading.

Hybrid smart cards include a magnetic stripe in addition to the chip—this combination is most commonly found in payment cards, to make them usable at payment terminals that do not include a smart card reader.

Cards that contain all three features (magnetic stripe, smart card chip, and RFID chip) are also becoming common as more activities require the use of such cards.[citation needed]

Vulnerabilities

[edit]

DEF CON 24

[edit]

During DEF CON 24, Weston Hecker presented Hacking Hotel Keys, and Point Of Sales Systems. In the talk, Hecker described the way magnetic strip cards function and utilised spoofing software,[23] and an Arduino to obtain administrative access from hotel keys, via service staff walking past him. Hecker claims he used administrative keys from POS systems on other systems, effectively providing access to any system with a magnetic stripe reader, providing access to run privileged commands.[citation needed]

Usage

[edit]

Identification with a digital card is usually done in several ways:

  1. Displaying a QR code on the customer's smartphone to the identifying host (a cashier i.e.). The unique QR code ensures privacy for every customer.
  2. Engaging an NFC protocol connection by placing the smartphone near the NFC Reader (using host card emulation method).
  3. Using IoB (Identification over Bluetooth, an obsolete method which is rarely used) or PoB (Payment over Bluetooth).

See also

[edit]

References

[edit]
  1. ^ a b c Brian X. Chen (December 1, 2021). "How to Carry Your Covid Health Data on a Smartphone". The New York Times. Retrieved August 29, 2022.
  2. ^ "Q & A for a digital world". The New York Times. November 8, 2007. Retrieved August 29, 2022.
  3. ^ J. D. Biersdorfer (October 10, 2002). "Memory Cards as Kin That Can't Get Along". The New York Times. Retrieved August 29, 2022.
  4. ^ "Digital credit card replacement Coin is almost ready to swipe — the Coin Beta begins today". August 22, 2014.
  5. ^ "MTA Looks to Replace MetroCard With System Using 'Contactless Media'". CNBC NBC New York. April 13, 2016. Retrieved November 30, 2016.
  6. ^ "AES Historical Committee". www.aes.org.
  7. ^ a b Jerome Svigals, The long life and imminent death of the mag-stripe card, IEEE Spectrum, June 2012, p. 71
  8. ^ "Google Pay - Learn What the Google Pay App is & How to Use It".
  9. ^ "IBM100 - Click on "View all icons". Click on 8th row from the bottom titled "Magnetic Stripe Technology"". IBM. February 3, 2011. Retrieved February 3, 2011.
  10. ^ "Article on Forrest Parry, pages 3-4" (PDF). Archived from the original (PDF) on October 27, 2011. Retrieved November 29, 2011.
  11. ^ a b "IBM Archives: DPD chronology - page 4". 03.ibm.com. January 23, 2003. Archived from the original on October 23, 2009. Retrieved October 25, 2015.
  12. ^ Kennedy, Pagan (January 4, 2013). "Who Made That Universal Product Code". The New York Times. Retrieved October 25, 2015.
  13. ^ "IBM100 - UPC". 03.ibm.com. March 7, 2012. Archived from the original on April 3, 2012. Retrieved October 25, 2015.
  14. ^ a b "IBM100 - System 360". 03.ibm.com. April 7, 1964. Archived from the original on April 3, 2012. Retrieved October 25, 2015.
  15. ^ U.S. patent 3,685,690, "Credit card automatic currency dispenser"; Thomas Barnes, George Chastain, and Marion Karecki; issued August 22, 1972
  16. ^ U.S. patent 3,761,682, "Credit card automatic currency dispenser"; Thomas Barnes, George Chastain, and Don Wetzel; issued September 25, 1973
  17. ^ "Welcome to MagnePrint®: What is MagnePrint?". Magneprint.com. Retrieved November 29, 2011.
  18. ^ "ID Security Technologies". AAMVA. Retrieved October 25, 2015.
  19. ^ [1] Archived December 2, 2010, at the Wayback Machine
  20. ^ 2010 AAMVA DL/ID Card Design Standard Ver 1.0, Annex F.6, Aamva.org, June 2010, retrieved August 9, 2010
  21. ^ "AAMVA - IIN and RID". www.aamva.org. Archived from the original on September 1, 2017. Retrieved July 19, 2017.
  22. ^ "Texas statutes, section 521.126, restricting use of electronically readable information from driver's licenses or personal identification certificates". Texas Legislature Online, State of Texas. June 2015. Retrieved April 4, 2016.
  23. ^ "Samy Kamkar: MagSpoof - credit card/magstripe spoofer". samy.pl. Retrieved December 2, 2016.
[edit]