A Smart Card is a plastic card the size of a credit card with an integrated circuit built into it. This integrated circuit may consist only of EEPROM in the case of a memory card, but may also contain ROM, RAM and a CPU.
Smart cards are defined by the ISO 7816 standards.
Standard | Description |
---|---|
ISO 7816-1 | Physical characteristics |
ISO 7816-2 | Dimensions and location of the contacts |
ISO 7816-3 | Electronic signals and transmission protocols |
ISO 7816-4 | Industry commands for interchange |
ISO 7816-5 | Number system and registration procedure for application identifiers |
ISO 7816-6 | Interindustry data elements |
ISO standard documents are available for purchase from ISO: International Organization for Standardization.
In the U.S., smart cards are utilized in GSM mobile telephones, in DirecTV and EchoStar satellite receivers, and in the American Express Blue card.
Smart cards designed for specific applications may run proprietary operating systems. Smart cards designed with the capability to run multiple applications usually run MULTOS or Java Card.
For more information on smart card security, visit Bo Lavare's Smartcard security information page.
Card | EEPROM Storage | Features |
---|---|---|
SLE4418 | 1024B | Write protect |
SLE4428 | 1024B | Write protect, 2 byte security code |
SLE4432 | 256B | 32B write-once memory |
SLE4436 | 221 bits | 24 bit ROM, 40 bit PROM |
SLE4442 | 256B | 3 byte security code, 32B write-once memory |
ACOS1 - 1k | 1024B | Triple DES, Authentication, 8 byte PIN |
ACOS1 - 8k | 8192B | Triple DES, Authentication, 8 byte PIN |
This FAQ answer was written largely with information supplied by wea$el:
Data is laid out on a standard magnetic card in three tracks. A card may carry any one of these tracks, or a combination of them.
Track 1 was the first track standardized. It was developed by the International Air Transport Association (IATA) and is still reserved for their use. It is recorded at 210 bpi, with room for 79 7-bit characters.
Track 1 is encoded with a 7-bit scheme (6 data bits plus one parity bit) that's based on ASCII. If your reader does not perform the ASCII conversion, all you have to do is add 0x20 to each byte to turn it into ASCII (there are no "control" characters). The seventh bit is an odd parity bit at the end of each byte.
Field | Description |
---|---|
Start sentinel | 1 byte (the % character) |
Format code | 1 byte, alphabetic (the standard for financial institutions specifies format code "B") |
Primary Account Number | Up to 19 characters. American Express inserts space characters here in the same places the digits are broken up on the face of the card. |
Separator | 1 byte (the ^ character) |
Country code | 3 bytes, if used (the United States is 840). This is only present if the account number begins with "59". |
Surname |   |
Surname separator | (the / character) |
First name or initial |   |
Space | (when followed by more data) |
Middle name or initial |   |
Period | (when followed by a title) |
Title | (when used) |
Separator | 1 byte (^) |
Expiration date or separator | 4 bytes (YYMM), or the one-byte separator if the card does not expire. |
Discretionary data | Optional data can be encoded here by the issuer. |
End sentinel | 1 byte (the ? character) |
Longitudinal Redundancy Check (LRC) | 1 byte. The LRC is made up of one parity bit for each "row" of bits across the bytes, making each row total even: the number of 1s in bit 1 of every byte must come out even, and likewise for bit 2, and so on. The LRC's own parity bit is not the sum of the message's parity bits but simply the parity bit of the LRC character itself (odd, just like any other single byte's parity bit). |
Track 2 was developed by the American Bankers Association (ABA) for on-line financial transactions. It is recorded at 75 bpi, with room for 40 5-bit numeric characters.
Track 2 is encoded with a 5-bit scheme (4 data bits plus one parity bit.) To convert this data into ASCII, add 0x30 to each byte.
Field | Description |
---|---|
Start sentinel | 1 byte (0x0B, or a ; in ASCII) |
Primary Account Number | Up to 19 bytes |
Separator | 1 byte (0x0D, or an = in ASCII) |
Country code | 3 bytes, if used (the United States is 840). This is only present if the account number begins with "59". |
Expiration date or separator | 4 bytes (YYMM), or the one-byte separator if the card does not expire. |
Discretionary data | Optional data can be encoded here by the issuer. |
End sentinel | 1 byte (0x0F, or a ? in ASCII) |
Longitudinal Redundancy Check (LRC) | 1 byte. |
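The Track 1 and Track 2 encodings described above (n-bit characters with a trailing odd parity bit, an LRC that makes every bit column even, and the +0x20 / +0x30 shift to ASCII), worked through as an added example that is not part of the original FAQ. The card number, name and dates are constructed sample values, and the raw reader values are built from the ASCII text by the same rules the FAQ states; a flipped bit is caught by the character parity, a two-bit flip by the LRC.

```python
def encode_char(data: int, bits: int) -> int:
    """Raw reader value: (bits-1) data bits plus an odd parity bit on top."""
    return data | ((bin(data).count("1") % 2 == 0) << (bits - 1))

def lrc(chars: list, bits: int) -> int:
    """LRC: every data-bit column XORed to even, then the LRC's own odd parity bit."""
    mask = (1 << (bits - 1)) - 1
    acc = 0
    for c in chars:
        acc ^= c & mask
    return encode_char(acc, bits)

def decode_track(raw: list, bits: int, offset: int) -> str:
    """Verify odd parity on every character and the trailing LRC, then shift to ASCII."""
    *chars, trailer = raw
    for c in raw:
        if bin(c).count("1") % 2 != 1:
            raise ValueError(f"parity error in raw value 0x{c:02x}")
    if trailer != lrc(chars, bits):
        raise ValueError("LRC mismatch")
    mask = (1 << (bits - 1)) - 1
    return "".join(chr((c & mask) + offset) for c in chars)

def parse_track2(text: str) -> dict:
    """;PAN=YYMM<discretionary>?  -- the 5-bit ABA track, sentinels included."""
    if not (text.startswith(";") and text.endswith("?")):
        raise ValueError("Track 2 sentinels missing")
    pan, _, rest = text[1:-1].partition("=")
    return {"pan": pan, "expiry": rest[:4], "discretionary": rest[4:]}

def parse_track1(text: str) -> dict:
    """%B<PAN>^SURNAME/FIRST^YYMM<discretionary>?  -- the 7-bit IATA track."""
    if not (text.startswith("%") and text.endswith("?")):
        raise ValueError("Track 1 sentinels missing")
    pan, name, rest = text[2:-1].split("^", 2)
    surname, _, first = name.partition("/")
    return {"format": text[1], "pan": pan, "surname": surname, "first": first,
            "expiry": rest[:4], "discretionary": rest[4:]}

# Constructed sample card (not a real account); Track 1 is 7-bit/+0x20, Track 2 is 5-bit/+0x30.
def raw_from_ascii(text: str, bits: int, offset: int) -> list:
    chars = [encode_char(ord(ch) - offset, bits) for ch in text]  # what a reader would return
    return chars + [lrc(chars, bits)]

TRACK1_TEXT = "%B4539578763621486^DOE/JOHN^2512101?"
TRACK2_TEXT = ";4539578763621486=2512101?"
TRACK1_RAW = raw_from_ascii(TRACK1_TEXT, 7, 0x20)
TRACK2_RAW = raw_from_ascii(TRACK2_TEXT, 5, 0x30)
```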
Track 3 is also used for financial transactions. The difference is its read/write ability. It is recorded at 210 bpi, with room for 107 numeric digits.
Track 3 is used to store the enciphered PIN, country code, currency units, amount authorized, subsidiary account information, and other account restrictions.
Track 3 has the same properties as track 1 (start and end sentinels and an LRC byte), except that there is no standard for the data content or format. Track 3 is not currently used by any national bank card issuer.
In those rare systems where the PIN is stored on the card, this is the track where it is stored.
For more information on this topic, read the ANSI/ISO 7811/1-5 standard.
This document is available from the American Bankers Association.
Other standards documents covering related topics include:
- ANSI X3.92 Data Encryption Algorithm (DEA)
- ANSI X3.106 Modes of DEA Operation
- ANSI X4.16 American National Standard for financial services, financial transaction cards, magnetic stripe encoding
- ANSI X9.8 Personal Identification Number (PIN) Management and Security
- ANSI X9.19 Financial Institution Retail Message Authentication (MAC)
- ISO 7810
- ISO 7811
- ISO 7812
- ISO 8583 Bank card originated messages; Interchange message specifications; Content for financial transactions.
- ISO 8731-1 Banking: Approved algorithms for message authentication
  - Part 1 - DEA
  - Part 2 - Message Authentication algorithms
- ISO 7816 Identification cards, Integrated circuit(s) with contacts
  - Part 1 - Physical Characteristics
  - Part 2 - Dimensions and locations of the contacts
  - Part 3 - Electronic signals and transmission protocols
Credit cards use the Luhn Check Digit Algorithm. The main purpose of this algorithm is to catch data entry errors, but it does double duty here as a weak security tool.
For a card with an even number of digits, double every odd numbered digit (1st digit, 3rd digit, 5th digit, etc...) and subtract 9 if the product is greater than 9. Add up all the even digits (2nd digit, 4th digit, 6th digit, etc...) as well as the doubled-odd digits, and the result must be a multiple of 10 or it's not a valid card. If the card has an odd number of digits, perform the same addition doubling the even numbered digits instead.
This program, presented in C source code form, will perform this math for you. Feed it all but the last digit of your credit card number, and it will give you the last digit. If it gives you a last digit different from the one you have, you have an invalid credit card number.
```c
#include <stdio.h>
#include <string.h>

/*
 * Return the last (check) digit of a bank card (e.g. credit card).
 * Receives all the digits but the last one as input.
 * By Diomidis Spinellis <dds@doc.ic.ac.uk>
 */
int bank(const char *u)
{
    int i, s = 0, l, t;

    l = strlen(u);
    /* Walk from the rightmost digit given; that digit and every second one
     * before it are doubled, the others are taken as they are. */
    for (i = 0; i < l; i++) {
        t = (u[l - i - 1] - '0') * (1 + ((i + 1) % 2));
        s += t < 10 ? t : t - 9;   /* a doubled product above 9 loses 9 */
    }
    /* The check digit makes the total a multiple of 10; it is 0, not 10,
     * when the sum already is one. */
    return (10 - s % 10) % 10;
}

int main(int argc, char **argv)
{
    while (--argc)
        printf("%d\n", bank(*++argv));
    return 0;
}
```
© 1994 - 2003 HackFAQ.org
All Rights Reserved