ACTion Newsletter Archives

Welcome to the May edition of ACTion News. Our newsletter is distributed each month in order to keep you up to date with events in the advanced card industry. This complimentary service is provided by ACT Canada; "building an informed marketplace". It is also available in the Industry Information section of our web site www.actcda.com. Please feel free to forward this to your colleagues.

IN THIS ISSUE:
1. Editorial Comment
2. Smart Card Vulnerability?
3. Thai Gov't to Introduce E-Citizen Cards
4. MasterCard Rolls Out Interoperable API for Storing Personal Data on Smart Cards
5. Singapore Smart Card Transport System Begins Operations
6. Visa U.S.A. Makes Multiple Announcements at CTST
7. PKI Forum Publishes New Papers on Smart Cards, PKI
8. Smart Card Alliance to Host Smart Cards in Government
9. U.S. Congressmen Propose Smart Card Driver's License
10. Cubic, EDS & Siemens to Develop Smart Card Ticketing System
11. SchlumbergerSema Becomes Key Smart Card Supplier for MasterCard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ACT CANADA WOULD LIKE TO THANK OUR NEW & RENEWING MEMBERS:

GENERAL
Credit Union Central of Canada
Infineon
Interac Association
KaSys (new)
Metaca Corporation
TDCT

ASSOCIATION
Canadian Life & Health Insurance Association

ACT is pleased to announce Catherine Johnston, President & CEO, has been appointed to the newly enshrined Stakeholders Advisory Council of the Canadian Payments Association. Ms Johnston has also been elected as Vice- Chair of the Council for the next two years. Ron Matthews of Imperial Oil will serve as the council chair.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. EDITORIAL COMMENT
Source: Catherine Johnston, President & CEO, ACT Canada

CardTech/SecurTech (CTST) has always been a barometer of the global market place and this year we saw a somber, but positive, reflection of growth. In prior years, we heard about all the magical things smart cards would do in the future. This year the focus was on the present; rollouts underway, pilots in place and plans proceeding.

Most importantly, CTST took us to a new phase, where we actually learned from each other's successes and failures. There has always been an element of that in the past, but this year I sensed that projects have become more serious in terms of scope, objectives and support. Governments seem to be moving more quickly than financial bodies, but that is appropriate in light of terrorism. Indeed, it will be easier for financial institutions to put cards into wallets that already carry other smart card applications.

In this newsletter, we will focus on applications and advancements that continue to move the technology forward. We must all continue to focus on the achievable. On that foundation we can build everything else.

ACT Canada - Register Of Achievements
In this past month we have made advancements on behalf of our members. We invite you to join us so that we can ACT on your behalf.

The National Infrastructure Forum - The group met and has started to add major retailers to its roster. The forum identified topics to be covered by the next three ACT Canada symposiums. Each deals with a matter that faces advanced card issuers. By focusing a symposium on each, the audience will learn how others have dealt with the issue, where cards fit into the solution and other valuable information.

E-TERRORISM AND PROTECTING YOUR CUSTOMER'S PRIVACY
On June 14th, our symposium takes a sobering look at e-terrorism. Recent Canadian and US studies indicate that government and business are vulnerable to costly and dangerous data attacks. ACT Canada has secured an expert who will tell delegates how to minimize their risk.

Following this session, all those who have an interest in the development of a national smart card infrastructure are invited to a briefing on ACT Canada's National Infrastructure Forum. They will learn about the forum's mandate, plans, work to date and how to become involved. There is no charge, but seating is limited. If you are interested, please contact ACT Canada at info(AT)actcda.com for further details.

Protecting your customer's privacy is good business, according to Bruce Phillips, the former Privacy Commissioner of Canada, our keynote speaker. Professor Andrew Clements of the University of Toronto, who has voiced concerns over the use of smart cards by governments, joins him. What is in the best interests of citizens and customers alike? Brian Beamish, Director of Policy and Compliance for the Office of the Information and Privacy Commissioner, Ontario and Catherine Johnston, President & CEO of ACT Canada, round out the program by teaching delegates how to do a privacy impact assessment for multi-application smart cards. This valuable procedure will help issuers build consumer confidence in their products and can be used in product marketing. For more information, see our web site at www.actcda.com

SECURITY
On May 13th the New York Times ran an article suggesting that smart card security had been breached. Within hours, ACT Canada had forewarned our members and provided an insightful response from industry guru, Jerome Svigals of the Smart Card Institute. This gave our members valuable information for their discussions with their customers and the media. For more information see the "Smart Card Vulnerability" article in this newsletter. ACT Canada also sent a letter to the editor.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. SMART CARD VULNERABILITY?
Source: ACT Canada (05/13)

Jerome Svigals of the Smart Card Institute provided the following response to the May 13th article in the New York Times, which claimed that two University of Cambridge computer security researchers planned to describe an ingenious and inexpensive attack that employs a $30 camera flashgun and a microscope to extract secret information contained in widely used smart cards.

Mr. Svigals, an industry guru, reviewed the article and provided the following analysis for ACT Canada.

This is a very academic attack and you would have to take the following into account.
1) You need to have the physical card.
2) The surface is destroyed - a fact easily discerned by even the most inattentive accepting clerk.
3) If you were presented with the value of each bit and bite in a smart card memory, what would they represent? Any attack that reads a smart card memory would also need to obtain the memory map indicating which bit represents which information. How did they (the hackers) get the memory address map?
4) Good card security remaps key card data routinely between transactions. How do you know the current map?
5) To use the card requires the PIN code, which is in the card logic, not the memory.
6) There are other details not accounted for in the card attack articles.
7) Assuming you are successful with the attack, you have only attacked one account successfully - you must start over with the next card.
8) Repeated attacks on one account will quickly empty that account's assets. That will put the card on the negative hot list - thus detecting it's altered state and turning off transactions for that unique smart card.

Anything designed by man is defeatable by man, but that doesn't make it economically feasible, or implementable on a practical basis. I have invited several of these attackers to take a real account and card and demonstrate their attack. None have ever taken me up on the invitation. Don't confuse academic with practical.

Our thanks to Jerry for putting this into context.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. THAI GOV'T TO INTRODUCE E-CITIZEN CARDS
Source: Xinhua via COMTEX (05/11)

The Thai government is to put 800 million baht (18.60 million U.S.dollars) into a pilot scheme to introduce electronic ID cards, according to a report of the Public health Ministry.

Deputy Minister of Public Health Suraphong Suebwonglee was quoted as saying that the 'e-citizen' cards would act as smart cards, enabling several types of information to be stored on a single piece of plastic.

Among the information to be included are data relating to house registration, health care rights, medical information such as blood group and any allergies, as well as the information contained on the identity cards currently held by all Thai citizens.

An initial pilot project would kick off this year to cover 8-10 million people, he disclosed. The health minister said that the project would take around two years to fully implement.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4. MASTERCARD ROLLS OUT INTEROPERABLE API FOR STORING PERSONAL DATA ON SMART CARDS
Source: Card News/PBI Media via COMTEX (05/01)

MasterCard International took advantage of CTST conference in New Orleans to unveil a new set of interoperable specifications for the secure storage of a consumer's personal information - including passwords, frequent flier numbers and like information - on a financial institution issued smart card.

The application programming interface (API) that enables this functionality is called MasterCard Open Data Storage (MODS) and can be used for storing and retrieving data. This functionality will provide MasterCard's member financial institutions with the ability to offer cardholders more control over their personal information and greater privacy, company officials believe.

MasterCard will license this new open data specification to technology vendors and is working with them to develop products that take advantage of the benefits of MODS. The MODS specification aims to provide application developers with an API that allows them to implement interoperable solutions across multiple channels (PC, mobile phones, PDA's, etc.) using varying platforms.

Throughout MasterCard's research, consumers repeatedly indicated an interest in carrying time-saving personal information with them on their smart card. To meet this need, MasterCard has designed a privacy-sensitive specification that will result in card-based solutions that are customizable by the cardholder. For example, cardholders may voluntarily fill out a profile of themselves with the personal information they wish to have stored on the chip. MODS will enable this data will be accessible to them at their PC, mobile phone, PDA, set-top-box, an interactive kiosk or a retail point-of-sale (POS) device.

With the information stored on the chip, consumers may choose to receive personalized, opt-in notifications that alert them to relevant sales and other targeted offerings, store warranty, size, frequent flier or other information. They also can decide whether to secure specific information with a password, and confidential data can be further protected by using the chip's advanced security features.

Meanwhile, card issuers will be able to use the new capability to enhance their own card offerings. They will be able to ensure interoperability between programs from multiple issuers, focus on business decisions rather than technology issues -- the specification is designed to support Java and MULTOS operating systems, as well as proprietary systems.

Merchants benefit from MODS-compliant solutions as well, because they will help them better know and reach frequent shoppers. MODS aims to help merchants customize services based on customer history, in cases where customers have opted-in. The capability also can enable merchants to link online and offline retail locations.

MasterCard Canada is a member of ACT Canada. For more information about MasterCard, please visit their web site at http://www.mastercard.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. SINGAPORE SMART CARD TRANSPORT SYSTEM BEGINS OPERATIONS
Source: AsiaPulse via Comtex (05/02)

The use of smart cards for Singapore's public transport network successfully began operations on April 13, according to smart card company ERG Ltd. The smart card ticketing system began public operations after a successful three-month trial and is currently processing more than one million transactions a day.

"The system has been enthusiastically adopted by Singaporeans, with around 30,000 new cards being issued daily," ERG said. The system is expected to process around four million transactions each day by the end of the year.

ERG's managing director Asia Pacific, Rob Noble, said the successful rollout of Singapore means the company's MASS technology now processes transit transactions in two of Asia's major cities Singapore and Hong Kong.

For more information about ERG, please visit their web site at http://www.erggroup.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6. VISA U.S.A. MAKES MULTIPLE ANNOUNCEMENTS AT CTST
Source: Card News/PBI Media via COMTEX (05/01)

Visa U.S.A. & rewards-software developers Catuity and Welcome Real-time announced an agreement to collaboratively develop interoperable solutions for smart-card-based rewards or incentive services in the United States.

Visa International announced the launch of a multi-application smart card program in Russia. The card contains a combination of benefits and payment information and is intended for people who receive state aid --students, pensioners, members of the armed forces and others.

Launched in Moscow by the Bank of Moscow, Rosan Finance, the Moscow Metropolitan (Metro), and Visa, the card provides reduced prices for a range of services including Moscow's underground rail system. The new multi-application card stems from the introduction in 1998 of a MIFARE contactless chip card for students using the Moscow Metro system.

Other organizations, including local government groups and benefit providers, have since joined the scheme. Today, up to 1.7 million cards have been issued for transport while 21,000 cards are being used for welfare benefit collection. They are accepted in some 200 stores that are able to read the level of discount given to each cardholder, and in pharmacists and clinics for the collection of medicine. Over 100 ATMs also accept the card.

In another international development, South Korea's Hana Bank will be issuing a multi-application Visa smart card that includes a contactless mass transit application in conjunction with the city of Daejon. The Visa smart card is based on the GlobalPlatform standard.

Conforming to the EMV global chip standard for credit and debit cards, the smart card comes with a choice of Visa smart payment applications. Both applications are pre-loaded in the read-only memory (ROM) but additional memory space for other applications is available in the erasable memory (EEPROM). The chip has a dual interface that allows for fast, contactless transactions, as required in mass transit applications, and also enables a cardholder to use the card for payments at traditional store- front merchants. Hana Bank expects to issue one million cards in Korea by the end of next year, with half of these cards expected to be credit cards.

Visa International also is working with The International Air Transport Association (IATA) to encourage the development of a global interoperable smart card standard for the airline industry. The announcement demonstrates renewed commitment to cross industry standards for smart card applications. It means the airline industry will ensure compatibility with standards already put in place by the payments industry, such as the EMV standard for credit and debit applications.

IATA and Visa will work together to establish a work plan and priorities for a new smart card working group consisting of member airlines and partners. The group will develop a global smart card specification that will take into account new requirements in commercial aviation for the sharing of data between airline applications, such as electronic ticketing and biometrics.

Visa Canada is a member of ACT Canada. For more information about Visa, please visit their web site at http://www.visa.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

7. PKI FORUM PUBLISHES NEW PAPERS ON SMART CARDS, PKI
Source: Card News, Vol. 17, No. 9 (05/01)

The PKI Forum, Inc., a multi-vendor and end-user industry consortium created to accelerate the adoption of public-key infrastructure (PKI) technologies, April 23 announced the public release of two new papers entitled "PKI Note: Smart Cards" And "PKI Basics -- A Business Perspective." The papers were developed by the PKI Forum's Business Working Group and are first being made available to the public at last week's CardTech/SecurTech 2002 in New Orleans. Publication of the "PKI Note: Smart Cards" reflects a significant
shift in approaches to security.

For many years, particularly in the United States, smart cards were considered a technology solution in search of a business problem. However, noting the recent increasing use of smart cards with certificates, the PKI Forum determined that it was important to provide an overview of authentication tokens in the context of a discussion on smart card technology. The "PKI Note: Smart Cards" also presents the overall benefits of deploying smart card technology.

For more information about the PKI Forum, please visit their web site at http://www.pkiforum.org.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8. SMART CARD ALLIANCE TO HOST SMART CARDS IN GOVERNMENT
Source: PRNewswire via COMTEX (05/01)

The Smart Card Alliance is hosting a two-day symposium to introduce smart card technology to identification security professionals, including government employees, on June 4-5, 2002 in Washington, DC.

"Smart Cards in Government -- A Symposium on Secure Identification Initiatives" will provide a comprehensive view of how smart cards are used in secure identification systems. The symposium will feature speakers from industry and the federal government who will explain how smart cards work, what makes them secure and how multiple applications and technologies such as biometrics work together. Speakers will also discuss implementation and best practices.

The symposium will be held on June 4-5, 2002 at the Hilton Washington & Towers, 1919 Connecticut Avenue, NW, Washington, DC. The Alliance's Educational Institute will present a one-day course "Smart Cards 101" as a pre-conference program on June 3. This course features industry-renowned expert speakers and provides an interactive classroom setting where the basics of smart card standards, security, emerging applications, biometrics, and business issues are presented.

For more information about the symposium and "Smart Cards 101," please visit: http://www.smartcardalliance.org/alliance_activities/event_information.htm

For more information about the Smart Card Alliance, please visit their web site at http://www.smartcardalliance.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9. U.S. CONGRESSMEN PROPOSE SMART CARD DRIVER'S LICENSE
Source: CardTechnology (05/02)

Two Virginia Congressmen proposed that all U.S. states issue driver's licenses with a smart card chip and an identifying biometric, the first such proposal introduced since the Sept. 11 terrorist attacks set off a debate on national ID cards. The bill authorizes $315 million to link the computers of state licensing agencies in an effort to prevent individuals from obtaining duplicate licenses. By adding a biometric, such as a fingerprint or iris scan, agencies could detect if an individual had obtained a license in another state under a different name, argue the bill's sponsors, Democrat James Moran and Republican Tom Davis. The bill suggests the smart card chip could be used for other applications, and $15 million of the appropriation would fund pilot programs allowing citizens to use the chip card to identify themselves to government agencies via the Internet. The bill was drafted largely by the Progressive Policy Institute, a think tank associated with the Democratic party. Shane Ham, a senior policy analyst at the institute, says major legislation like this is unlikely to win approval in less than a year, but he expects there will be hearings on the bill this year. Ham says the driver's license would not be a national ID card, because U.S. residents are not required to carry driver's licenses. Nonetheless, policy fellow Mihir Kshirsagar of the Electronic Privacy Information Center opposes the bill and says the license would quickly become a de facto national ID. "The mandatory part doesn't do a whole lot when you need it everywhere you go," he says.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

10. CUBIC, EDS & SIEMENS TO DEVELOP A SMART CARD TICKETING SYSTEM
Source: epayment news (05/20)

Cubic Corp., EDS and Siemens announced they have signed a Letter of Intent, agreeing to cooperate closely on the development of a national electronic ticketing system for public transportation in The Netherlands.

This agreement is the first step in building a consortium between the three major companies -- specialists in transportation systems and integrated computer technology solutions -- to bid on a contract which will be issued by Trans Link Systems.

Trans Link Systems, a combination of NS, Connexxion, HTM, GVB and RET, is asking for a proposal for the design, delivery and implementation of a new smart ticketing system for the Netherlands. The objective of Trans Link Systems is to develop and introduce a public transportation ticket that is valid for all transportation modes. It will contribute to the safety on stations, enhance passenger comfort and collect a high amount of anonymous traffic data on a daily basis, allowing public transportation operators to enhance customer service.

EDS is a member of ACT Canada. For more information on EDS, please visit their web site at http://www.eds.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

11. SCHLUMBERGERSEMA BECOMES KEY SMART CARD SUPPLIER FOR MASTERCARD
Source: MasterCard (05/02)

SchlumbergerSema announced a multi-year agreement with MasterCard International to supply MasterCard's member financial institutions with smart card manufacturing services to support them in accelerating their EMV smart card migrations. SchlumbergerSema will provide the smart card manufacturing services to MasterCard members at a competitive rate.

In order to meet the varying needs of diverse financial institutions and regional conditions, SchlumbergerSema will offer a full range of EMV-compliant cards to MasterCard's members, complete with the M/Chip� debit/credit application and additional space available for highly sophisticated value-added applications.

"With our recent launch of the OneSMART� MasterCard initiative and more than 100 million MasterCard�-, Maestro�-, Mondex�-, and Clip�-branded smart cards around the world, MasterCard demonstrates to the marketplace how and why we are the best partner for smart cards," said Toni Merschen, Sr. VP, Chip and Mobile Commerce/Wireless, MasterCard International.

Under the agreement, SchlumbergerSema, which has just been named the world's leading provider of micro-processor smart cards by Gartner Dataquest, will manufacture the cards to a standard finish. Members will have their choice of chip capacity, ranging from 16Kbytes to 64Kbytes, as well as selecting either the MULTOS or the SchlumbergerSema Palmera� Protect Java-based platform for their cards. All of the cards will feature M/Chip�, MasterCard's EMV debit/credit application.

MasterCard Canada and SchlumbergerSema are members of ACT Canada. For more information about either company, please visit their web site: http://www.mastercard.com and http://www.slb.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ACT Canada is an international non-profit association for the advancement of card technologies. We work on behalf of our members to promote the awareness, understanding and use of all advanced card technologies; including optical, smart, capacitive and emerging technologies. If you would like to learn more about ACT Canada membership please visit http://www.actcda.com or contact our office at (905) 426-6360 ext. 22.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please forward any comments, suggestions, questions or articles to andrea(AT)actcda.com. If you would like to be removed from our newsletter distribution list please reply to this email with the word "REMOVE" in the subject field. Please note that articles contained in this newsletter have been edited for length.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Andrea McMullen
AVP
ACT Canada
tel: 905 426-6360 ext. 24
fax: 905 619-3275
email: andrea(AT)actcda.com
web: www.actcda.com
mail: 85 Mullen Drive, Ajax, ON, L1T 2B3