Digital card

The term digital card[1] can refer to a physical item, such as a memory card on a camera,[2][3] or, increasingly since 2017, to digital content hosted as a virtual card or cloud card that digitally represents a physical card. They share a common purpose: identity management, credit card, or debit card. A non-physical digital card, unlike a magnetic stripe card, can emulate (imitate) any kind of card.[4] Other common uses include loyalty cards and health insurance cards; a physical driver's license and Social Security card are still mandated by some government agencies.[1]

A smartphone or smartwatch can store content from the card issuer; discount offers and news updates can be transmitted wirelessly, via the Internet. These virtual cards are used in very high volumes by the mass transit sector, replacing paper-based tickets and earlier magstripe cards.[5]

History

Magnetic recording on steel tape and wire was invented by Valdemar Poulsen in Denmark around 1900 for recording audio.[6] In the 1950s, magnetic recording of digital computer data on plastic tape coated with iron oxide was invented. In 1960, IBM used the magnetic tape idea to develop a reliable way of securing magnetic stripes to plastic cards,[7] under a contract with the US government for a security system. A number of International Organization for Standardization standards, ISO/IEC 7810, ISO/IEC 7811, ISO/IEC 7812, ISO/IEC 7813, ISO 8583, and ISO/IEC 4909, now define the physical properties of the card, including size, flexibility, location of the magstripe, magnetic characteristics, and data formats. They also provide the standards for financial cards, including the allocation of card number ranges to different card issuing institutions.

In 1960 IBM used the magnetic tape to develop a reliable way of securing magnetic stripes to plastic cards, the most common identification and payment method to date. As technological progress emerged in the form of highly capable and always carried smartphones, handhelds and smartwatches, the term "digital card" was introduced.[1]

On May 26, 2011, Google released its own version of a cloud-hosted Google Wallet, which contains digital cards: cards that can be created online without having to have a plastic card in the first place, although all of its merchants currently issue both plastic and digital cards.[8] There are several virtual card issuing companies located in different geographical regions, such as Weel in Australia and Privacy in the USA.

Magnetic stripe card

 
An example of the reverse side of a typical credit card: Green circle #1 labels the magnetic stripe.
 
Visualization of magnetically stored information on a magnetic stripe card (recorded with CMOS-MagView, dark colors correspond to magnetic north, light colors correspond to magnetic south)

A magnetic stripe card is a type of card capable of storing data on magnetic material attached to a plastic card. A computer device can update the card's content. The magnetic stripe is read by swiping it past a magnetic reading head. Magnetic stripe cards are commonly used in credit cards, identity cards, and transportation tickets. They may also contain a radio frequency identification (RFID) tag, a transponder device and/or a microchip mostly used for access control or electronic payment.

Magnetic storage

 
The first prototype of magnetic stripe card created by IBM in the late 1960s. A stripe of cellophane magnetic tape is fixed to a piece of cardboard with clear adhesive tape

Magnetic storage was known from World War II and computer data storage in the 1950s.[7]

In 1969 an IBM engineer had the idea of attaching a piece of magnetic tape, the predominant storage medium at the time, to a plastic card base. He tried, unsuccessfully, and produced unacceptable results. The tape strip either warped or its characteristics were negatively affected by the adhesive. After a frustrating day in the laboratory, trying to get the right adhesive, he came home with several pieces of magnetic tape and several plastic cards. As he entered his home, his wife was ironing clothing. When he explained the source of his frustration, the inability to get the tape to "stick" to the plastic in a way that would work, she suggested that he use the iron to melt the stripe on. He tried it and it worked.[9][10] The heat of the iron was just high enough to bond the tape to the card.

 
Front side of the first magnetic stripe plastic credit card. Note that the narrow magnetic stripe is on the front of the card. It was later switched to the back side.
 
Back side of the first magnetic stripe plastic credit card
 
Back of early magnetic striped encoded paper card. The narrow magnetic stripe in the center of the card was applied using a magnetic slurry paint.

Incremental improvements from 1969 through 1973 enabled developing and selling implementations of what became known as the Universal Product Code (UPC).[11][12][13] This engineering effort resulted in IBM producing the first magnetic striped plastic credit and ID cards used by banks, insurance companies, hospitals and many others.[11][14]

Initial customers included banks, insurance companies and hospitals, who provided IBM with raw plastic cards preprinted with their logos, contact information and the data which was to be encoded and embossed on the cards.[14] Manufacturing involved attaching the magnetic stripe to the preprinted plastic cards using the hot stamping process developed by IBM.[15] and 1973.[16]

Further developments and encoding standards

IBM's development work, begun in 1969, still needed more work. Steps required to convert the magnetic striped media into an industry acceptable device included:

  1. Creating the international standards for stripe record content, including which information, in what format, and using which defining codes.
  2. Field testing the proposed device and standards for market acceptance.
  3. Developing the manufacturing steps needed to mass-produce the large number of cards required.
  4. Adding stripe issue and acceptance capabilities to available equipment.

Example of a card from the late 1980s used in food vending machines in the UK

These steps were initially managed by Jerome Svigals of the Advanced Systems Division of IBM, Los Gatos, California, from 1966 to 1975.

In most magnetic stripe cards, the magnetic stripe is contained in a plastic-like film. The magnetic stripe is located 0.223 inches (5.66 mm) from the edge of the card, and is 0.375 inches (9.52 mm) wide. The magnetic stripe contains three tracks, each 0.110 inches (2.79 mm) wide. Tracks one and three are typically recorded at 210 bits per inch (8.27 bits per mm), while track two typically has a recording density of 75 bits per inch (2.95 bits per mm). Each track can contain either 7-bit alphanumeric characters or 5-bit numeric characters. Track 1 standards were created by the airline industry (IATA). Track 2 standards were created by the banking industry (ABA). Track 3 standards were created by the thrift-savings industry.

Magstripes following these specifications can typically be read by most point-of-sale hardware, which is simply a general-purpose computer that can be programmed to perform specific tasks. Examples of cards adhering to these standards include ATM cards, bank cards (credit and debit cards including Visa and MasterCard), gift cards, loyalty cards, driver's licenses, telephone cards, membership cards, electronic benefit transfer cards (e.g. food stamps), and nearly any application in which value or secure information is not stored on the card itself. Many video game and amusement centers now use debit card systems based on magnetic stripe cards.

Magnetic stripe cloning can be detected by the implementation of magnetic card reader heads and firmware that can read a signature of magnetic noise permanently embedded in all magnetic stripes during the card production process. This signature can be used in conjunction with common two-factor authentication schemes utilized in ATM, debit/retail point-of-sale and prepaid card applications.[17]

Counterexamples of cards which intentionally ignore ISO standards include hotel key cards, most subway and bus cards, and some national prepaid calling cards (such as for the country of Cyprus) in which the balance is stored and maintained directly on the stripe and not retrieved from a remote database.

Financial cards

There are up to three tracks on magnetic cards known as tracks 1, 2, and 3. Track 3 is virtually unused by the major worldwide networks[citation needed], and often is not even physically present on the card by virtue of a narrower magnetic stripe. Point-of-sale card readers almost always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum cardholder account information needed to complete a transaction is present on both tracks. Track 1 has a higher bit density (210 bits per inch vs. 75), is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder's name.

Track 1 is written with code known as DEC SIXBIT plus odd parity. The information on track 1 on financial cards is contained in several formats: A, which is reserved for proprietary use of the card issuer, B, which is described below, C-M, which are reserved for use by ANSI Subcommittee X3B10 and N-Z, which are available for use by individual card issuers:

Track 1

Format B:

  • Start sentinel — one character (generally '%')
  • Format code="B" — one character (alpha only)
  • Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • Field Separator — one character (generally '^')
  • Name — 2 to 26 characters, surnames separated by space if necessary, Surname separator: /
  • Field Separator — one character (generally '^')
  • Expiration date — four characters in the form YYMM.
  • Service code — three characters
  • Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), PIN Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVC, 3 characters)
  • End sentinel — one character (generally '?')
  • Longitudinal redundancy check (LRC) — it is one character and a validity character calculated from other data on the track.

Track 2

This format was developed by the banking industry (ABA). This track is written with a 5-bit scheme (4 data bits + 1 parity), which allows for sixteen possible characters, which are the numbers 0-9, plus the six characters  : ; < = > ? . The selection of six punctuation symbols may seem odd, but in fact the sixteen codes simply map to the ASCII range 0x30 through 0x3f, which defines ten digit characters plus those six symbols. The data format is as follows:

  • Start sentinel — one character (generally ';')
  • Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • Separator — one char (generally '=')
  • Expiration date — four characters in the form YYMM.
  • Service code — three digits. The first digit specifies the interchange rules, the second specifies authorization processing and the third specifies the range of services
  • Discretionary data — as in track one
  • End sentinel — one character (generally '?')
  • Longitudinal redundancy check (LRC) — it is one character and a validity character calculated from other data on the track. Most reader devices do not return this value when the card is swiped to the presentation layer, and use it only to verify the input internally to the reader.
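
An added example (not from the original article) of the reader-side check described above: it decodes a raw track bit stream and verifies per-character parity and the LRC. It assumes ISO/IEC 7811 conventions the article does not spell out (data bits least-significant first, odd parity on every character, LRC equal to the XOR of all characters including both sentinels); the function names and sample bits are constructed for illustration. The defaults match track 2, and `data_bits=6, offset=0x20, start="%"` applies the same logic to track 1.

```python
class TrackError(ValueError):
    """Raised when a bit stream fails framing, parity or LRC checks."""


def read_char(bits, pos, data_bits):
    """Return one character value: data bits LSB first, then one odd-parity bit."""
    chunk = bits[pos:pos + data_bits + 1]
    if len(chunk) < data_bits + 1:
        raise TrackError("bit stream ends before end sentinel and LRC")
    if chunk.count("1") % 2 != 1:          # odd parity (assumed convention)
        raise TrackError(f"parity error in character at bit {pos}")
    return int(chunk[:data_bits][::-1], 2)


def decode_track(bits, data_bits=4, offset=0x30, start=";"):
    """Decode a string of '0'/'1' into track text, or raise TrackError."""
    pos = bits.find("1")                   # leading zero bits carry no data
    if pos < 0:
        raise TrackError("no set bits in stream")
    values = []
    while not values or chr(values[-1] + offset) != "?":
        values.append(read_char(bits, pos, data_bits))
        pos += data_bits + 1
    lrc = read_char(bits, pos, data_bits)  # character after the end sentinel
    if chr(values[0] + offset) != start:
        raise TrackError("start sentinel not found")
    check = lrc
    for v in values:
        check ^= v                         # XOR over every character and the LRC
    if check != 0:
        raise TrackError("LRC mismatch")
    return "".join(chr(v + offset) for v in values)


# Constructed sample: the short track-2 string ";12=34?" followed by its LRC,
# with a few leading and trailing zero bits as a swipe would produce.
SAMPLE_BITS = (
    "0000"
    "11010"  # ';' start sentinel
    "10000"  # '1'
    "01000"  # '2'
    "10110"  # '=' separator
    "11001"  # '3'
    "00100"  # '4'
    "11111"  # '?' end sentinel
    "10110"  # LRC
    "000"
)

if __name__ == "__main__":
    print(decode_track(SAMPLE_BITS))
```

A single flipped bit is caught by the parity check; two flipped bits inside one character pass parity and are caught by the LRC instead.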

Service code values common in financial cards:

First digit

1: International interchange OK
2: International interchange, use IC (chip) where feasible
5: National interchange only except under bilateral agreement
6: National interchange only except under bilateral agreement, use IC (chip) where feasible
7: No interchange except under bilateral agreement (closed loop)
9: Test

Second digit

0: Normal
2: Contact issuer via online means
4: Contact issuer via online means except under bilateral agreement

Third digit

0: No restrictions, PIN required
1: No restrictions
2: Goods and services only (no cash)
3: ATM only, PIN required
4: Cash only
5: Goods and services only (no cash), PIN required
6: No restrictions, use PIN where feasible
7: Goods and services only (no cash), use PIN where feasible
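
An added example (not part of the original article) that parses the Track 1 format B and Track 2 layouts listed above and interprets the service code with the tables in this section, which lets acceptance software or a log reviewer see when a swiped card's own service code says to use the chip or require a PIN. The function names, the PAN masking convention and the sample records are constructed for illustration; the LRC is assumed to have been consumed by the reader.

```python
import re

# Field layouts as listed in this section (LRC assumed stripped by the reader).
TRACK1_B = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                      r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})"
                    r"(?P<disc>\d*)\?$")

INTERCHANGE = {
    "1": "international", "2": "international, use IC (chip) where feasible",
    "5": "national only", "6": "national only, use IC (chip) where feasible",
    "7": "no interchange (closed loop)", "9": "test"}
AUTHORIZATION = {"0": "normal", "2": "contact issuer online",
                 "4": "contact issuer online except under bilateral agreement"}
SERVICES = {
    "0": "no restrictions, PIN required", "1": "no restrictions",
    "2": "goods and services only", "3": "ATM only, PIN required",
    "4": "cash only", "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible"}


def describe_service_code(code):
    """Interpret a three-digit service code using the tables above."""
    first, second, third = code
    return {
        "interchange": INTERCHANGE.get(first, "not listed"),
        "authorization": AUTHORIZATION.get(second, "not listed"),
        "services": SERVICES.get(third, "not listed"),
        "chip_expected": first in "26",   # "use IC (chip) where feasible"
        "pin_required": third in "035",   # values marked "PIN required"
    }


def parse_track(raw):
    """Parse one track record into fields; the PAN is masked for safe logging."""
    m = TRACK1_B.match(raw) or TRACK2.match(raw)
    if m is None:
        raise ValueError("not a Track 1 format B or Track 2 record")
    f = m.groupdict()
    yy, mm = f["exp"][:2], f["exp"][2:]
    if not 1 <= int(mm) <= 12:
        raise ValueError("expiration month out of range")
    pan = f["pan"]
    masked = (pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
              if len(pan) > 10 else "*" * len(pan))
    return {
        "track": 1 if raw.startswith("%") else 2,
        "pan_masked": masked,
        "name": (f.get("name") or "").strip() or None,
        "expires": (yy, mm),
        "discretionary_len": len(f["disc"]),
        **describe_service_code(f["svc"]),
    }


# Constructed sample records (not real card data).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^30122010000000000?"
SAMPLE_TRACK2 = ";4111111111111111=30122010000000000?"
```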

United States and Canada driver's licenses

The data stored on magnetic stripes on American and Canadian driver's licenses is specified by the American Association of Motor Vehicle Administrators. Not all states and provinces use a magnetic stripe on their driver's licenses. For a list of those that do, see the AAMVA list.[18][19]

The following data is stored on track 1:[20]

  • Start Sentinel - one character (generally '%')
  • State or Province - two characters
  • City - variable length (seems to max out at 13 characters)
  • Field Separator - one character (generally '^') (absent if city reaches max length)
  • Last Name - variable length
  • Field Separator - one character (generally '$')
  • First Name - variable length
  • Field Separator - one character (generally '$')
  • Middle Name - variable length
  • Field Separator - one character (generally '^')
  • Home Address (house number and street) - variable length
  • Field Separator - one character (generally '^')
  • Unknown - variable length
  • End Sentinel - one character (generally '?')

The following data is stored on track 2:

  • ISO Issuer Identifier Number (IIN) - 6 digits[21]
  • Drivers License / Identification Number - 13 digits
  • Field Separator - generally '='
  • Expiration Date (YYMM) - 4 digits
  • Birth date (YYYYMMDD) - 8 digits
  • DL/ID# overflow - 5 digits (If no information is used then a field separator is used in this field.)
  • End Sentinel - one character ('?')

The following data is stored on track 3:

  • Template V#
  • Security V#
  • Postal Code
  • Class
  • Restrictions
  • Endorsements
  • Sex
  • Height
  • Weight
  • Hair Color
  • Eye Color
  • ID#
  • Reserved Space
  • Error Correction
  • Security

Note: Each state encodes a different selection of information; not all states are the same.

Note: Some states, such as Texas,[22] have laws restricting the access and use of electronically readable information encoded on driver's licenses or identification cards under certain circumstances.

Other card types

Smart cards are a newer generation of card that contain an integrated circuit. Some smart cards have metal contacts to electrically connect the card to the reader, and contactless cards use a magnetic field or radio frequency (RFID) for proximity reading.

Hybrid smart cards include a magnetic stripe in addition to the chip—this is most commonly found in a payment card, so that the cards are also compatible with payment terminals that do not include a smart card reader.

Cards with all three features: magnetic stripe, smart card chip, and RFID chip are also becoming common as more activities require the use of such cards.[23]

Vulnerabilities

DEF CON 24

During DEF CON 24, Weston Hecker presented Hacking Hotel Keys, and Point Of Sales Systems. In the talk, Hecker described the way magnetic stripe cards function and used spoofing software[24] and an Arduino to obtain administrative access from hotel keys, via service staff walking past him. Hecker claims he used administrative keys from POS systems on other systems, effectively providing access to any system with a magnetic stripe reader, providing access to run privileged commands.[citation needed]

Usage

Identification with a digital card is usually done in several ways:

  1. Displaying a QR code on the customer's smartphone to the identifying host (e.g. a cashier). The unique QR code ensures privacy for every customer.
  2. Engaging an NFC protocol connection by placing the smartphone near the NFC Reader (using host card emulation method).
  3. Using IoB (Identification over Bluetooth, an obsolete method which is rarely used) or PoB (Payment over Bluetooth).

References

  1. Brian X. Chen (December 1, 2021). "How to Carry Your Covid Health Data on a Smartphone". The New York Times. Retrieved August 29, 2022.
  2. "Q & A for a digital world". The New York Times. November 8, 2007. Retrieved August 29, 2022.
  3. J. D. Biersdorfer (October 10, 2002). "Memory Cards as Kin That Can't Get Along". The New York Times. Retrieved August 29, 2022.
  4. "Digital credit card replacement Coin is almost ready to swipe — the Coin Beta begins today". August 22, 2014.
  5. "MTA Looks to Replace MetroCard With System Using 'Contactless Media'". CNBC NBC New York. April 13, 2016. Retrieved November 30, 2016.
  6. "AES Historical Committee". www.aes.org.
  7. Jerome Svigals, The long life and imminent death of the mag-stripe card, IEEE Spectrum, June 2012, p. 71
  8. "Google Pay - Learn What the Google Pay App is & How to Use It".
  9. "IBM100 - Click on "View all icons". Click on 8th row from the bottom titled "Magnetic Stripe Technology"". IBM. February 3, 2011. Retrieved February 3, 2011.
  10. "Article on Forrest Parry, pages 3-4" (PDF). Archived from the original (PDF) on October 27, 2011. Retrieved November 29, 2011.
  11. "IBM Archives: DPD chronology - page 4". 03.ibm.com. January 23, 2003. Retrieved October 25, 2015.
  12. Kennedy, Pagan (January 4, 2013). "Who Made That Universal Product Code". The New York Times. Retrieved October 25, 2015.
  13. "IBM100 - UPC". 03.ibm.com. March 7, 2012. Retrieved October 25, 2015.
  14. "IBM100 - System 360". 03.ibm.com. April 7, 1964. Retrieved October 25, 2015.
  15. U.S. Patent 3,685,690, "Credit card automatic currency dispenser"; Thomas Barnes, George Chastain, and Marion Karecki; issued August 22, 1972
  16. U.S. Patent 3,761,682, "Credit card automatic currency dispenser"; Thomas Barnes, George Chastain, and Don Wetzel; issued September 25, 1973
  17. "Welcome to MagnePrint®: What is MagnePrint?". Magneprint.com. Retrieved November 29, 2011.
  18. "ID Security Technologies". AAMVA. Retrieved October 25, 2015.
  19. [1] Archived December 2, 2010, at the Wayback Machine
  20. 2010 AAMVA DL/ID Card Design Standard Ver 1.0, Annex F.6, Aamva.org, June 2010, retrieved August 9, 2010
  21. "AAMVA - IIN and RID". www.aamva.org. Retrieved July 19, 2017.
  22. "Texas statutes, section 521.126, restricting use of electronically readable information from driver's licenses or personal identification certificates". Texas Legislature Online, State of Texas. June 2015. Retrieved April 4, 2016.
  23. "ID Card Supply Now Offers Triple-Secure ID Cards With Magnetic Strip, RFID and Smart Chip - Press Release". Digital Journal. July 9, 2014. Retrieved October 25, 2015.
  24. "Samy Kamkar: MagSpoof - credit card/magstripe spoofer". samy.pl. Retrieved December 2, 2016.