File :CARD.TXT Author :Iceman BBS :The Banana Republic BBS A Brief Guide to Magnetic Strip and Smart Cards -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Magnetic Strip Cards ==================== These are based on the IS 7810 and IS 7811 standards. The IS 7810 standard covers the physical standards, the IS 7811 standard covers the embossing of characters. Based on IS 7811 is the system of three parallel tracks, which are numbered in relation to their distance from the cards top edge with track 1 being closest to the edge. Each track holds a string of magnetically encoded data bits which are read sequentially by the read head of the magnetic strip reader. The table below summarises the track information: Track 1 210 bpi; 79 alphanumeric characters (Read only) Used mainly by its airline developers (IATA). First field for account number (up to 19 digits) Second field for name (up to 26 alphanumerics) Track 2 75 bpi; 40 digits (numeric only) (Read only) Developed by American Bankers Association for online use First field for account number (up to 19 digits) Track 3 210 bpi; 107 digits (numeric only) (Read/Write) Higher density achieved by later technology. Rewritten after each use. Suitable for off-line, ie fallback from offline. Uses PIN verification value (encoded). Track 2 is usually written prior to the card being passed to the card holder, and is subsequently interrogated by the card-reading terminal each time it is presented. The contents, including the cardholders account number, are transferred irectly to the card issuers computer centre for identification and verification purposes. This online process enables the centre to confirm or deny the terminals response to the presenter of the card. Track 3 was introduced some time after the other tracks and is the only read/write track on the card. Its contents are re-written each time it is used and it contains an encoded version of the PIN which is unique to each cardholder and is keyed in whenever the card is presented. This encoded format or PIN verification value (PVV) is compared with the PIN by the terminal to verify a correct match and thereby avoids the need to involve a check being carried out by the central computer. Such a process is described as offline, ie there is no necessity for the terminal to transmit to a distant centre and await confirmation to proceed. VISA has enhanced the basic card with its Member-Controlled Authorisation Service (MCAS), which exploits the unused data areas on track 1 to give the following enhancements: - Extra magnetic stripe security designed to prevent counterfeiting and alteration. - In-terminal authorisation, ie offline for lower value transactions or during online failures. - Additional encoded data providing credit worthiness cirteria and designed to provide local PIN verification. There are also a few other attempts at greater security such as EMI/Malco's Watermark system which won't be discussed here since they are at present only experimental and are beyind the scope of the average hacker. Smart Cards =========== Standards for these are still in the draft stage, and very few are currently in circulation (one of the developers, Intamic, established a "Physical and Electrical Characteristics Working Group" back in 1981, and shortly thereafter it obtained "liason member" status (non-voting) on the appropriate ISO technical committee (TC 97) - which has responsibility for information processing and data security standards - and its Subcommittee (SC 17) which has specific responsibility for ID and credit cards. In turn, SC 17 created Working Group 4 to tackle the title "Integrated circuit(s) card with contacts", which then established a subcommittee to report back .... well you get the picture. Anyway, much of this work has now reached the Draft International Standard stage (DIS 7816). It includes not only the original physical characteristics specified under ISO 7810, but also additional requirements such as the surface profile of the contacts, mechanical strength, electrical resistance of the contacts etc etc which aren't really of much interest. This is covered in Part 1 of the standard. Part 2 covers the electrical contacts, which are assigned as follows: +--+ +--+ |C1| Vcc - Circuit supply voltage |C5| GND - zero voltage reference +--+ +--+ +--+ +--+ |C2| Reset |C6| Vpp - prog.supply voltage +--+ +--+ +--+ +--+ |C3| Clock |C7| Serial data I/O +--+ +--+ +--+ +--+ |C4| Currently unassigned |C8| Unassigned +--+ +--+ The two unassigned pins will probably used in reprogrammable cards. Part 3 of the Draft Standard is concerned with electronic signals and exchange protocols and covers power/signal voltages; start-up functions including power-on, reset, and data exchange; clocking rates, parity checking, and other transmission-related activities as well as the data tansfer itself. At the time of this document "going to press" these standards were still under debate. Since these cards are at present quite scarce this information is not of much practical interest anyway........ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Well, that's about it. I hope this has given all you hackers something to think about. Remember that anybody can buy a magnetic strip reader for around NZ$500 or so, which is certainly money well invested, especially if several people chip in with $100 each. Peace and Free Software, The Iceman. ------------------------------------------------------------------------------- AUTHOR :Iceman ------------------------------------------------------------------------------- Brought to the WORLD by The Banana Republic BBS, Auckland, New Zealand -------------------------------------------------------------------------------