Highlights from Cardist 2010

The 3rd Cardist Card & Smart Technologies Exhibition & Summit was held in Istanbul from 12 to 14 May 2010 with the main sponsorship of BKM, Visa and MasterCard.

Here are my highlights from the exhibition:

Garanti & Avea announced a mobile payment product based on mobile phones. Payment is processed by the application running on the SIM card, and the SIM card has an external antenna attached. This way, there’s no need for an NFC based handset; all handsets can be used with it. Garanti Bank already has more than 1 million contactless credit cards issued and is clearly the market leader in contactless payments in Turkey.

BKM, the national switch of Turkey, announced a pilot project to run on NFC handsets in which BKM acts as the TSM. 6 banks are attending the pilot project.

Oytek demonstrated their NFC solutions running on the Nokia 6212. The application has paid balance, ticketing and couponing extensions. There’s also a kiosk with a contactless reader and an NFC poster application to complete the NFC picture.

Banksoft was awarded with the contactless pre-paid card program which was developed for Halk Bank’s Bank 24 Visa contactless card. Smartsoft was also awarded with their pre-paid platform.

Payment Cards&Mobile, which I think is the best magazine on contactless systems, was also present at the exhibition, as they were at the last two.

Belbim, the technology provider of Istanbul Municipality (including the electronic ticketing for public transport), exhibited their validators and surrounding devices. Belbim has developed a DesFire application for Istanbul public transport, but somehow it has still not been released for public use.

KentKart was also present and demonstrated contactless-only validators and vehicle tracking systems.

Mifare Plus, a migration chip to more secure times

After the infamous Mifare hack, there’s been a lot of talk about Mifare Classic chips. Some governments even issued laws banning Mifare Classic from future use for some specific purposes.

So what did NXP do? Actually NXP was already aware of the upcoming issues and was working on the next generation of Mifare. There have been two outputs of this study, as far as I know. One of them is Mifare Plus and the other is Mifare EV1, which is to be announced soon.

What is Mifare Plus and how does it overcome the security issue? More importantly, how does it help to migrate the current installation of devices working with Mifare Classic only? I think NXP did a great job to respond to the security and migration questions with Mifare Plus.

Mifare Plus is essentially an update from Crypto1 to AES, while the memory organization of the chip remains the same. Mifare Plus comes with 4 security levels, each with a different authentication level.

  • Level 0 is the personalization level.
  • Level 1 is Mifare Classic level, where the chip acts exactly as Mifare Classic. This level helps start issuing more secure cards while the reader infrastructure is still the same.
  • Level 2 is only valid for Mifare Plus X cards, I will come to that later.
  • And Level 3 is where good old Crypto1 ends its journey and AES is being used for authentication.

There are 2 types of Mifare Plus chips: S and X. With Mifare Plus S, you can only utilize the AES algorithm and MAC’ing, while X comes with many more features like encryption of exchanged data and proximity check. X is an export controlled product. With Mifare Plus X, there is the option of using both Crypto1 and AES at Security Level 2.

Another big update of Mifare Plus is the 7 byte unique id. Since the 4 byte unique ids are almost at the end of their limit, Mifare Plus chips have 7 byte unique ids. Mifare Plus also has a very important implementation: now you can read and write multiple blocks instead of one at a time. This will dramatically improve the transaction speed, if implemented correctly. The last of the updates is that Mifare Plus supports random uid, which again responds to some security issues.
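Reader software sees the UID change described above during ISO/IEC 14443-3 Type A anticollision. The Python sketch below is an added example, not code from NXP or from the original post: it rebuilds a 4 or 7 byte UID from anticollision answers and flags random IDs, which a back end must not treat as a stable card identifier. The frame layout (cascade tag 0x88, BCC as XOR, 0x08 prefix for random IDs) follows ISO/IEC 14443-3; function names and sample bytes are constructed for illustration.

```python
CASCADE_TAG = 0x88       # first byte of a level when more UID bytes follow
RANDOM_ID_PREFIX = 0x08  # a 4-byte UID starting with 0x08 is a random ID

def bcc(data):
    """Block check character: XOR of the four bytes of a cascade level."""
    out = 0
    for b in data:
        out ^= b
    return out

def assemble_uid(frames):
    """Rebuild the UID from 5-byte anticollision answers (4 bytes + BCC)."""
    uid = bytearray()
    for i, frame in enumerate(frames):
        if len(frame) != 5 or bcc(frame[:4]) != frame[4]:
            raise ValueError(f"cascade level {i + 1}: bad length or BCC")
        is_last = i == len(frames) - 1
        has_tag = frame[0] == CASCADE_TAG
        # A tag must be present on every level except the last one.
        if has_tag == is_last:
            raise ValueError(f"cascade level {i + 1}: unexpected cascade tag state")
        uid += frame[1:4] if has_tag else frame[:4]
    return bytes(uid)

def classify(uid):
    """Report UID size and whether it can serve as a stable card identifier."""
    if len(uid) == 4:
        random_id = uid[0] == RANDOM_ID_PREFIX
        return {"size": 4, "random": random_id, "stable": not random_id}
    if len(uid) == 7:
        return {"size": 7, "random": False, "stable": True}
    raise ValueError("unsupported UID length")

# Constructed sample answers, one list entry per cascade level.
SAMPLES = {
    "classic 4-byte": [bytes.fromhex("deadbeef22")],
    "random ID": [bytes.fromhex("0812345678")],
    "7-byte": [bytes.fromhex("8804a1b29f"), bytes.fromhex("c3d4e5f604")],
}

if __name__ == "__main__":
    for name, frames in SAMPLES.items():
        uid = assemble_uid(frames)
        print(name, uid.hex(), classify(uid))
```

Reader or host code that stores the UID in a 4 byte field, or uses it for blacklisting, needs both the longer UID and the random-ID case handled before Mifare Plus cards are issued.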

I think that Mifare Plus is a very solid product for migrating from Mifare Classic to a more secure platform with minimal infrastructure updates. If you need more features than this you can go for Mifare DesFire, which provides much more flexibility in terms of file integrity and flexibility.

Calypso the ticketing master

When we talk about transport ticketing, Calypso is the technology we must discuss first. Calypso is a transport ticketing system built by the transport operators. It was designed to match the transport ticketing requirements from functional flow to security mechanisms. The main identifier of Calypso is that it requires a microprocessor card. This enables all the security required by a complex transportation environment.

So, what is Calypso?

Calypso is a ticketing application developed and maintained by the Calypso Association. The Calypso Association, based in Brussels, Belgium, was established by RATP and technology provider Innovatron in 1993. Later on, a group of European transport operators from Belgium, Germany, France, Italy and Portugal joined the association. The Calypso ticketing application is currently being used by various European public transport systems.

In the Calypso world, you can define various players into a single card (now the term “portable object” is used though, rather than “the card”) and they can share the same balance. The technical design of the application supports multi-application by nature. Different contracts can be installed on to a single card which are protected by different key sets. Each Calypso chip has a set of derived keys from master keys. DES and DESX (an implementation of DES against brute force attacks) can be used for authentication. Calypso requires its own SAM card for authentication which is a pre-requisite of modifying the data in the chip.

Unlike typical mifare designs, you are restricted by the boundaries and transaction flow developed by Calypso, but it covers almost anything that can be expected in a transport ticketing environment. The Calypso applet runs on microprocessor chips, so authentication is quite strong (and fast).

Calypso Association plays an innovative role towards the NFC era and they seem to be ready for the NFC evolution. (I wish I could say revolution, by the way) Calypso applet runs on various card operating systems varying from Infineon to Watchdata chips, including NXP’s JCOP family. Of course this includes any secure element in the NFC world.

Based on my personal experience, I can say that Calypso is an equivalent of EMV in the banking payment world. Both of the applications are quite well designed, already running on millions of chips and getting ready for the future.

Gemalto joins Open Handset Alliance

Gemalto announced that it has joined the Open Handset Alliance. I find this very good news for the NFC world.

The Android platform was an initiative by the Open Handset Alliance. Almost all of the research points out that Android will be one of the most popular mobile operating systems of the (very near) future. Android runs not only on mobile phones but on a range of mobile devices varying from netbooks to internet tablets. I believe Android will penetrate into more devices, like running on embedded systems.

So what does Gemalto’s joining the Open Handset Alliance mean in terms of contactless systems? First of all, Gemalto is the first and only company on secure payment and identification technology in the alliance. Gemalto is clearly the biggest company that has the expertise on the application level security for payment/identification chips, which I believe will boost the NFC implementation on Android OS. Gemalto has all the necessary know-how and sources for developing a generic NFC API for Android, which will encourage handset manufacturers to build more handsets supporting NFC. On the application level, this will lead the huge Android developer community to implement many NFC applications – and not only payment.

Since it’s now widely believed that next generation iPhone will have some kind of contactless interface, now almost all major mobile platforms (Symbian- of course, iPhone and now Android) will have native support for NFC.

First DESFire implementation on a SIM platform

Mifare emulation has been around for some years. Mifare emulation simply refers to an application running on a chip card operating system. The application emulates the native mifare chip and responds to the mifare readers as if it were a mifare chip. Of course there are some considerations when implementing a mifare emulation. First of all, it is not native mifare, and the terminal software needs to be updated accordingly to recognise the chip. Secondly, mifare emulation is not as fast as a native mifare chip, so some parameters must be updated to transact with the mifare emulation applet.

These have been done for some time, but Gemalto has started a new era by implementing the DESFire application on a SIM/UICC. Even the owner of the technology, NXP, does not officially have DESFire emulation yet. It’s a huge thing in terms of innovation. However, there’s still some time before a DESFire-enabled transportation system accepts an NFC handset device with a Gemalto SIM/UICC.

Gemalto has been aggressive on the contactless market almost since its start and this is clearly a result of it.

NFC on Mobile World Congress 2010

From my perspective, NFC was the rising star of the Mobile World Congress 2010. On the first day of the event, the agenda of the session was mobile money. A balanced selection of speakers from carriers to technology companies provided mind opening content.

The first outcome of the day for me was that NFC is not something from which you can expect a single task; there is a need for companions. I mean, a simple mobile wallet application will not be enough for people to make it a killer application. Mobile coupon style add-ons, as well as making the content accessible to the user through the handset, are crucial. People already have credit cards, debit cards, transportation cards, etc. for making the payment. Why would the user have to switch to a handset instead of a card?

Secondly, all the parties are ready to jump on the bandwagon, but it still needs some time for the boom. We’ve already seen many pilots and even a commercial roll out in Japan, but there’s still some more time ahead.

Mobile World Congress 2010 had also an NFC event for platinum pass holders with a Samsung handset.

It was interesting to see that SIM cards are having more and more abilities for mobile payment applications. Gemalto announced a new SIM card which is able to run a DESFire ticketing application. I also had a product presentation of a SIM platform with NFC support from Giesecke&Devrient.

Finally, BarclayCard announced an iPhone application which can accept contact EMV chip cards with the PIN support. Just like the US version running from magnetic stripe interface, Barclay’s one has a contact chip card reader attached to the iPhone and the terminal software runs on the iPhone OS.

A new dual interface smart card from ACS : ACOS7

ACS announced its new dual interface smart card ACOS7. ACS is a Hong Kong based company working on smart cards and readers. Their product portfolio is quite strong, they almost have everything that you can imagine. I especially love the card readers of ACS.

ACOS7 seems to be an addition to their ACOS family optimised for transportation. It has 8 kb of application memory, which is pretty suitable for transportation applications. ACOS7 has almost every feature you’d expect from a dual interface card product positioned for transportation, from a hardware based random number generator to support for ISO7816 Part 4 file structures (transparent, linear fixed, linear variable, cyclic), which are essential for transportation logging mechanisms.

I got the impression that ACOS7 is especially targeting the Chinese market, but I think they could do quite well in Europe, too.

Chinese are coming

China is a huge country. When you have a population that large, it’s not logical to pay license fees, but better to develop your own standards. They did it on a Blu-ray equivalent media and on payment card applications. China has a payment system of its own, called CUP, and NFC World’s latest article says that they will do NFC their own way too.

There’s also an interesting card manufacturer company in China, Watchdata. I have personally been following the products of Watchdata for a few years and they are really coming. When I first met with Watchdata dual interface cards, they did not have the EMV, so I was unable to use them. In time, they got the EMV certification and much more. I have seen their chip products replacing many competitors around the world. I saw Watchdata presenting their products around Europe in many respectable events.

Sim Pass is an especially interesting product of Watchdata. Instead of waiting for handset manufacturers to release NFC compliant devices, they developed a SIM card with an embedded antenna. This way, people have a handset which is capable of contactless payment transactions regardless of the handset they have. It’s a very innovative product of its kind, but I don’t think it will reach Europe, since it’s not the European way. But it’s quite a successful implementation step for mobile contactless payments, that’s for sure.

my-d move from Infineon against NXP’s Mifare Ultralight

Contactless chips for limited use have been popular in public transportation for some years. NXP, just like in the mifare case, has been leading this market with mifare ultralight. Ultralight chips have limited memory and no crypto support, but have an OTP (one time programmable) memory area which is perfect for enforcing the limited use of the ticket. Later on NXP developed a next generation of Ultralight, which is called Ultralight C. Ultralight C adds 3DES support over its elder brother Ultralight. Good.
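The OTP area works for limited-use tickets because a write is OR'ed into the stored bits, so a bit that has been set cannot be cleared again. The Python model below is an added example, not NXP code or code from the original post; the one-bit-per-ride encoding, the names and the three-ride ticket are assumptions of this sketch.

```python
OTP_BITS = 32  # the OTP page holds 32 one-way bits

class OtpPage:
    """Model of the OTP page: a write is OR'ed into the stored value."""
    def __init__(self):
        self.value = 0

    def write(self, data):
        self.value |= data & 0xFFFFFFFF  # bits can be set, never cleared
        return self.value

def rides_used(otp):
    """Count burned bits; each set bit stands for one consumed ride."""
    return bin(otp.value).count("1")

def validate(otp, rides_sold):
    """Validator logic: burn one OTP bit per ride, refuse an exhausted ticket."""
    if not 0 < rides_sold <= OTP_BITS:
        raise ValueError("rides_sold must fit in the OTP page")
    before = rides_used(otp)
    if before >= rides_sold:
        return False
    lowest_clear = (otp.value + 1) & ~otp.value  # next unburned bit
    otp.write(lowest_clear)
    # Read back and only open the gate if the bit really was burned.
    return rides_used(otp) == before + 1

def demo():
    """Three-ride ticket: three taps pass, the fourth fails, a reset is ignored."""
    ticket = OtpPage()
    results = [validate(ticket, 3) for _ in range(4)]
    ticket.write(0x00000000)  # writing zeros cannot restore a used ticket
    results.append(validate(ticket, 3))
    return results, ticket.value

if __name__ == "__main__":
    print(demo())
```

OTP keeps a ticket from being rewound; it does not authenticate the chip, which is the gap the 3DES support in Ultralight C addresses.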

Of course, Ultralight is not the only product in the market. Infineon, one of the strongest players among the semiconductor manufacturers, has a great product as a competitor to NXP’s Ultralight family, called my-d move. my-d move is a member of the my-d family of Infineon, has 128 bytes of memory for the application and supports a 32 bit password for authentication. It also supports a password re-try counter feature against brute force attacks. Unlike Ultralight C, my-d move does not have any keys stored in the chip, but has a secure code which is written at the time of issuing the chip. The secure code is authenticated at the time of using the chip, along with the password.

One great feature of my-d move is, just like Mifare Ultralight, the support for NFC Type 2 Tag Operations. This practically means that my-d move can interact with NFC devices like handsets or other contactless readers. This opens a whole new world for these products. Infineon positions the product as a limited use media, like a single trip ticket for transportation or event ticketing. Imagine tickets for a rock music event being formatted by a cell phone on an over-the-air service. my-d move and Ultralight open a gate for enabling projects like this. You can create the ticket with a mobile phone and then send the ticket data to a central host over the GPRS/3G connection of the mobile handset. You can also validate/invalidate tickets via NFC handsets. Great opportunity. One great addition to this would be the usage of the ticket for buying a drink inside the event. Or think of voting for polls displayed on kiosks with contactless readers, with people voting and identifying themselves with the contactless ticket.

Basically, my point is that these chips are great for any type of ticketing, not limited to limited use for transportation.

Apple’s implementation of NFC

My previous post on Apple’s NFC support on iPhone got the most hits among all the content here. Luckily, it turns out that the next generation iPhone will have NFC support. Near Field Communications World.com’s post was linking to Apple Insider’s post, which has all the details of Apple’s patent application on sharing data between NFC enabled devices. Apple’s understanding of NFC is to synchronise devices over a contactless interface. Sounds logical.

In every NFC promo video, you can see people exchanging contacts and some other information by touching their phones to each other. It seems iPhone will be the first commercially available device to actually do this. I can imagine the ads of the next generation iPhone: how people will be touching their shiny iPhones to other iPhones, Mac Books, iPod Touches and Apple TVs. This is very good news for the NFC world. Think of people sending each other files between their iPhones. Banks, fast food restaurants, online stores, almost all types of businesses already have their own iPhone applications. I can imagine how the NFC chip will extend their applications into contactless loyalty schemes or secure identification media. My forecast is that payment will come later, possibly after people are comfortable with their iPhone’s contactless ability. Of course the TSM context needs to be stabilised in the minds of decision makers of the payments industry. I hope this happens before the iPhone’s “possible” NFC boom.

On the other hand, just like touch screens, I think this move will lead many handset manufacturers to follow the lead and integrate NFC chips into their products. Eventually this will lead MNOs to create their value added services on NFC hardware. Banks, transport operators, loyalty schemes, etc. will have much more creative products. I think, and strongly believe, that current NFC hardware and software developers will be securing their future, hopefully not in a long time.