Friday, August 11, 2006

Blink Technology - New Credit Card System

Tired of all that time-consuming swiping? Credit cards using "contactless" technology allow users to pay for merchandise by holding the card near a special reader instead of swiping it or handing it to a clerk. The announcement of new "blink" cards by JPMorgan Chase & Co. marks the first push to introduce the cards to U.S. consumers on a wide scale. This technology is already in use to some extent in Europe and Asia.

What is Blink?

The new blink credit card is just like a regular credit card in many ways. It has the account holder's name and the account number embossed on the front of the card. On the back is a magnetic strip containing the account information, so the card can be used anywhere regular credit cards can be used. The key difference is inside the card.

Embedded within the blink card is a small RFID (radio frequency identification) microchip. When the chip is close enough to the right kind of terminal, the terminal can get information from the chip -- in this case, the account number and name. So instead of swiping the magnetic strip on the card through a standard credit-card reader, card holders simply hold their card a few inches from the blink terminal. The card never leaves the card holder's hand.

As with standard credit-card transactions, the terminal then sends the information via phone line to the bank that issued the card and checks the account balance to see if there is room on the card for the purchase. If there is, the bank issues a confirmation number to the terminal, the sale is approved and the card holder is on his or her way.

RFID and Blink
Credit cards using blink technology employ RFID. There are many forms of RFID. For example, Wal-Mart has experimented with putting RFID chips on their merchandise so they can track inventory automatically.

Blink uses a specific kind of RFID developed under International Standard 14443. ISO 14443 has certain features that make it particularly well-suited to applications involving sensitive information, such as credit-card account numbers:

* Data transmitted by ISO 14443 chips is encrypted.
* The transmission range is designed to be very short, about 4 inches (10 cm) or less.

As a result, ISO 14443 is used in more than 80 percent of contactless credit-card transactions worldwide. Recent additions to the standard allow ISO 14443 technology to store biometric data such as fingerprints and face photos for use in passports and other security documents.

To understand how the contactless card and terminal work together, first we have to talk about induction. In 1831, it was already known that an electric current produced a magnetic field. That year, Michael Faraday discovered that it worked the other way around as well -- a magnetic field could produce an electric current in wires that passed through the field. He called this induction, and the law that governs it is known as Faraday's Law.

In some cases, induction is something electrical engineers try to avoid. For instance, if the electric lines in your neighborhood run too close to the phone lines, the magnetic field produced by the electric lines can generate voltage in the phone lines. This voltage shows up as "noise" in the signal passing through the phone lines. Shielding and proper orientation of the lines can prevent this interference.

For RFID devices such as blink cards, engineers have harnessed induction. Each blink card contains a small microchip as well as a wire loop. The blink terminal gives off a magnetic field in the area around it. When a blink card gets close enough, the wire loop enters the terminal's field, causing induction. The voltage generated by the induction powers the microchip. Without this process, called inductive coupling, each blink card would have to carry its own power supply in the form of a battery, which would add bulk and weight and could eventually run out of power. Because the power is supplied by the terminal, the blink system is known as a passive system.

Once the blink card has power flowing to it from the terminal, the processor then transmits information to the terminal at a frequency of 13.56 MHz. This frequency was chosen for its suitability for inductive coupling, it's resistance to environmental interference and its low absorption rate by human tissue. Instruction sets built into the processor encrypt the data during transmission.

About Security

Whenever credit cards are involved, people are worried about security. Sending the credit-card data to a terminal via a radio signal might not seem very secure. But when the process operates properly, it's actually more secure than using a magnetic-strip credit card. The information on a magnetic strip can be read, altered or duplicated using a variety of devices that have been available for years. The encryption built into a blink card make this particular form of theft impossible. Also, using the blink card allows the user to keep the card in his or her hand the entire time. This could prevent someone from seeing the account number and name on the card.

A signature is not required when using a blink card, which leads to security concerns. Chase feels that the encryption and other security features built into blink make the card secure without the need for a signature, which would slow down the transaction and defeat the purpose of blink altogether. They even suggest that it makes the transaction safer, since the clerk never sees the card or account number. The problem, of course, is that if someone gets his or her hands on your blink card, there's no need to verify anything at all in order to use it in a store. But Blink users are no more accountable for fraudulent charges than any other credit-card user.

There have been reports of problems in the testing of contactless RFID credit cards, however, that lead to additional security concerns. In some cases, if two or more terminals were close together, not only did both terminals read the card, but the read range of each terminal increased to as much as 30 feet (9 m). Even if the terminal is operating within the proper range of 4 inches, some people are worried that they could accidentally walk too close to a terminal and end up paying for someone else's purchase. The simplest safeguard against this is probably merchants positioning the terminals in such a way as to make this unlikely.

The worst case scenario involves someone getting their hands on a blink terminal and modifying it to increase the range. Potentially, someone could set up the terminal at a crowded location and collect the credit-card data of anyone who came within the terminal's read range. This probably won't be a concern at first, since few terminals will be available, but if the technology matures, blink terminals could fall into the hands of criminals.

There is a way to protect blink cards from giving out their information to unauthorized terminals, either accidentally or due to criminal activity. If the card is placed in a sleeve lined with metal, it will not function. If contactless credit cards become popular, expect to see "RFID blocking" wallets and purses on the market.

No comments: