Understand the authentication processes with cards: smart, proximity and magnetic stripe

Key Terms:

  • Authentication
  • Two-factor authentication
  • Multi-factor authentication
  • PIN
  • smart card reader
  • RF
  • embedded processor
  • Integrated circuit
  • landing contact
  • friction contact
  • biometric data

The smart card is quickly becoming an important component in the world of information technology. A smart card is a small plastic card, about the size of a conventional credit card, containing an embedded microchip that stores data and programs and can be programmed to store specific user authentication information. The chip on a smart card can store multiple identification factors of a specific user (e.g. password and fingerprint). When the user swipes his or her card in a smart card reader, the card implements multiple factors of authentication, making the smart card system a viable option for two-factor or multi-factor authentication.

Smart cards help to eliminate the threat of hackers stealing stored or transmitted information from a computer. The information is processed on the smart card, so it never has to leave the card or be transmitted to another machine. On the downside, only a limited amount of information can be stored on a smart card's small microchip. For that reason, smart card encryption options are limited.
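The on-card processing described above can be modelled in a few lines of Python. This is an added example, not part of the original page: it assumes an HMAC-SHA256 challenge-response with a key shared between card and back end and a three-try PIN limit, and the names `SmartCard`, `verify` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3  # assumed retry limit, not taken from the page


class SmartCard:
    """Toy card: the key and PIN stay inside this object."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin.encode()
        self.tries_left = MAX_PIN_TRIES

    def respond(self, pin, challenge):
        """Return HMAC-SHA256(key, challenge) if the PIN matches, else None."""
        if self.tries_left == 0:
            return None  # blocked after too many wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin):
            self.tries_left -= 1
            return None
        self.tries_left = MAX_PIN_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def verify(enrolled_key, challenge, response):
    """Back-end check; assumes the verifier shares the card's key."""
    if response is None:
        return False
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed run: valid login, stale response, then PIN lockout."""
    key = secrets.token_bytes(32)
    card = SmartCard(key, "4921")  # constructed sample PIN
    first, second = secrets.token_bytes(16), secrets.token_bytes(16)
    answer = card.respond("4921", first)
    accepted = verify(key, first, answer)
    stale_accepted = verify(key, second, answer)  # old answer, new challenge
    for _ in range(MAX_PIN_TRIES):
        card.respond("0000", second)
    blocked = card.respond("4921", second) is None  # right PIN, card blocked
    return accepted, stale_accepted, blocked
```

The PIN is the knowledge factor and the key held by the card is the possession factor. Only the per-challenge answer crosses the reader interface, so an answer recorded for one challenge does not verify against the next.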

The chip utilizes advanced security features that cannot be used on conventional magnetic media. There are two types of smart cards: contact smart cards and contactless smart cards. Both have an embedded microprocessor and memory.

  • Contact smart cards require a smart card reader. A small gold-colored chip replaces the conventional credit card magnetic stripe and uses electrical contacts to transfer data to and from the chip when the card is inserted into a smart card reader.
  • Contactless smart cards use antenna technology to carry out a transaction. These cards look like a standard credit card, yet have a microchip and an antenna embedded inside that allow the card to communicate with a coupler unit (antenna) without any physical contact. Contactless cards are best suited for fast, simple transactions in applications such as mass transit or toll collection.
  • The smart card differs from the card typically called a proximity card in that the microchip in the proximity card has only one function: to provide the reader with the card’s identification number.

The processor on the smart card has an operating system and can handle multiple applications such as a cash card, a pre-paid membership card, and even an access control card. The difference between the two types of smart cards is found in the manner in which the microprocessor on the card communicates with the outside world.

A contact smart card has eight contacts, which must physically touch contacts on the reader to convey information between them. Since contact cards must be inserted into readers carefully and the orientation has to be observed, the speed and convenience of such transactions are not acceptable for most access control applications. The use of contact smart cards in physical access control is limited mostly to parking applications, where payment data is stored in card memory and the speed of transactions is not important.

A contactless smart card uses the same radio-based technology as the proximity card, with the exception of the frequency band used: the higher frequency (13.56 MHz instead of 125 kHz) allows transferring more data and communicating with several cards at the same time. A contactless card does not have to touch the reader or even be taken out of a wallet or purse. Most access control systems only read the serial numbers of contactless smart cards and do not utilize the available memory.

Card memory may be used for storing biometric data (e.g. a fingerprint template) of a user. In such a case, a biometric reader first reads the template on the card and then compares it to the finger (hand, eye, etc.) presented by the user. This way, biometric data of users does not have to be distributed and stored in the memory of controllers or readers, which simplifies the system and reduces memory requirements.

Smart card readers have been targeted successfully by criminals in what is termed a supply chain attack, in which the readers are tampered with during manufacture or in the supply chain before delivery. The rogue devices capture customers' card details before transmitting them to criminals.