Nowadays, smart cards are an essential relief in daily life, providing numerous advantages.
As portable devices, they ensure individual access to different services, whether in finance, communication, civil registration, healthcare or public transport. Security and comfort are always
the focus of smart-card providers and users. Biometrics and multifunctionality can make an important contribution to improving the key benefits of the cards, as a project in the Maldives shows.

The global demand for smart cards has been increasing for years. According to Eurosmart, a European asso­ciation representing the digital security industry, the threshold of 10 billion shipments of so-called secure elements was exceeded for the first time in 2018 – a new record. Secure elements include SIM cards but also payment cards and official documents such as identity cards and passports.[1]

As each card is usually connected to only one service or service provider, the drawback of the smart card’s success is that cardholders often have to carry multiple cards in order to use a corresponding number of services. So-called multi-application smart cards offer a solution to this problem. These cards include several programmes that are loaded into the card’s memory, which can be run separately from each other. This way, a card can be used for example as a credit card and as an insurance card at the same time.[2]

Smart-card facts

A smart card is a pocket-sized device that has embedded integrated circuits. Most smart cards
– also called chip cards or integrated circuit cards – comply with international standards ISO/IEC 7816 and ISO/IEC 14443, which define various aspects of the card and its interfaces, including the card’s physical dimensions, the electrical interface, and the communications protocols. The standard format for smart cards is the ID-1 format, which is also defined in ISO/IEC 7816.

Smart cards can have a contact or contactless inter­face. Cards with contact interfaces are connected through a set of contacts on the front of the card, which ensure communication between the card and a card reader device. Communication of contactless smart cards, however, is achieved via radio wave connection. Contact and contactless interfaces can also be combined on the same card, the so-called dual-interface cards. In the past few years, the use of contactless smart cards has increased significantly.

The use of smart cards – particularly in card-based payments – is connected with a discussion about security. In 2016 alone, global economic damage from card fraud amounted to USD 22.8 billion.[3] Although compared to a total transaction volume of around USD 31.9 trillion for the same year, the number of fraud cases is marginal, the image of credit and debit cards on the consumer side suffers significantly. Biometrics can make a decisive contribution to additional security here.

The rise of biometrics

Biometric technologies are automated methods of identifying or verifying the identity of a living person based on unique measurable characteristics – the so-called biometric identifiers – such as fingerprints, iris patterns, face shapes or speech patterns. Enrolment and matching are the integral parts of any biometric system. To initiate enrolment, a biometric sample, such as an individual’s fingerprint, is captured. The unique features of the sample are determined to create a so-called biometric template, which is stored digitally and forms the basis for the second step, the matching. Again, a sample is taken and a ‘live’ template is generated, which is compared with the template already stored. The more the two templates match, the more likely it is that they are samples of the same person.

Since fingerprint or face recognition can unlock mobile devices such as smartphones and tablets, biometric methods are present in the daily lives of millions of people, and therefore the willingness to apply these increases. This development was recently confirmed by an IBM study in which 67% of respondents stated that they are comfortable with biometric authentication, and 87% replied they are considering using different types of biometric authentication in the future.[4]Biometrics also has the significant advantage regarding trust, as common practices are increasingly discredited by security fraud. In the IBM study, only one in four respondents (27%) rated the PIN method as a secure authentication method.

Smart cards and biometrics: a perfect match

Biometric data improve a smart card’s security. Cur­rently, when authenticating the cardholder, two-factor authentication is the most common method. An example is the withdrawal of money at an ATM. The process requires something the cardholder has (their smart card) and something he knows (their PIN). Bio­metrics extends these two factors by ‘something the cardholder is’. This so-called three-factor authentication increases the security and improves the accuracy, speed and control of the authentication process.[5]

When implementing biometrics in smart cards, there are two approaches: on-card matching and off-card matching. With off-card matching, the initial biometric template is stored on the card. If matching is required, the template is retrieved from the card by an external reading device that also captures the ‘live’ template. With on-card matching, the ‘live’ template is uploaded onto the card to perform a match, which requires the card to have a microcontroller to compute the comparison.

GE_21881_Fig1
Figure 1: The multi-purpose passport card, issued since October 2017.

Use case Republic of Maldives

Since October 2017, the Maldivian Immigration Office issues a multipurpose smart card (Figure 1) to its citizens, the so-called Passport Card. Maldivians can use the card as a passport for domestic travel, as an identity card, a driving licence, a health and insurance card, and a debit/credit card. The card complies with international standards, including ICAO requirements and EMV (Europay, MasterCard, and Visa) specifications for smart payment cards.

Unlike other payment cards, the new Maldives Passport Card combines the security of a passport with the payment functionality of a bank card. While passport security features are essential to using the card as a travel document, they also provide additional security for the payment functionality and the other purposes of the card. The stored biometric data, which include a photo and fingerprints of the cardholder, can be used, for example, for secure authentication of the card­holder.

All applications are stored separately in the memory of the card. As a dual-interface card, the device is capable of both contactless and contact communication with corresponding reading devices. Besides biometrics, the card has numerous security features that are common for passports and identity cards. These include optical features such as the signature and photo of the card­holder, laser engravings, rainbow printings, holographic overlays, embossings, and microprint.

Today, most bank cards have a maximum card life of three years. The new Maldives Passport Card is the world’s first bank card which is made of polycarbonate material that can last up to 10 years, as long as a regular passport.

Next steps in smart-card evolution

The card solution in the Maldives shows how technical innovation creates advantages for users and providers in the field of smart cards. Biometrics contributes greatly to the card’s security, which is of the utmost importance for customer acceptance, especially when one card combines several services.

Multimodal biometric systems or multibiometric systems are the next step to improve the security of smart cards. They provide simultaneous matching of different biometric features, to prevent and complicate card fraud. In addition to fingerprints, other biometric characteristics such as facial features or iris patterns can be stored on the smart card and compared.

Another example of improved security are so-called biometric smart cards. They are equipped with a finger­print sensor, which enables enrolment and matching to be carried out directly on the card. This eliminates the need to transfer biometric data to other devices. As a result, biometric smart cards make unauthorised access to data such as man-in-the-middle attacks more difficult. The first examples of use for biometric smart cards can already be found in the financial sector.[6]

References

  1. Eurosmart – The voice of the smart security industry. Facts & Figures. [Accessed 19 November 2018].
  2. Hendry, M. (2007). Multi-application Smart Cards – Technology and Applications. Cambridge University Press, New York
  3. Jackson, L. (2017) Card Fraud Losses Reach $ 22.80 Billion, The Nilson Report, Issue 1118/October 2017.[Accessed 9 March 2018].
  4. Kessem, L. (2018). IBM Security: Future of Identity Report.[Accessed 19 November 2018].
  5. Smart Card Alliance. (2011). Smart Cards and Biometrics:
    A Smart Card Alliance Physical Access Council White Paper. [Accessed 19 November 2018].
  6. D’Albore, A. (2017). The Rise of Biometric Cards. [Accessed 19 November 2018].