A brief history of the chip based Smartcard
Chipped based phonecards were first introduced by France Telecom in the year 1983. Invented by French inventor Roland Moreno chipped based phonecards were revolutionary in terms of better security and durability compared with the previous magnetic and optical card types. Moreno had researched and developed the smartcard (chipcard) for use in banking and as a secure way to authorize transactions.
It is important to note that chipped based smart cards were not confined to just phonecards; your bank card, mobile SIM card, Cable or Satellite TV viewing card and any form of card with a chip embedded are all based on the same technology.
Moreno had established his own company Innovatron in order to market his ideas and intellectual property. The Innovatron flag logo is seen quite regularly on Irish Callcards, particularly with the very early cards. Take a look at some of your Callcards, you'll probably spot this flag somewhere on the back of one of them:
Roland Moreno pictured in 1996. Source: Wikipedia
Nine years after after the phonecard rollout in France the Carte Bleue (which was a widely used debit card in France) implemented Moreno's chip technology. It took a long time for other countries and banking systems to catch on to using chip technology for authorizing payments. In Ireland, for example, chipped based Debit and Credit Cards were introduced in March 2007 by AIB under the rollout of "Chip-And-Pin" banking. A similar trend was noticeable worldwide. Adoption of smart based chipcards for banking didn't really take off globally until the mid noughties. This is potentially as Moreno's smartcard was met with criticism from activists and privacy groups. Some concerns included the potential for security flaws in the design or the potential for the cards to be used for surveillance.
Moreno did recognize these concerns, even admitting smartcards "have the potential to become Big Brother's little helper.". In the year 2000, Moreno held a contest offering one million French Francs (about €152, 449) for anyone who could break his smartcard security in 90 days. No one was successful in this case.
In modern times contact-less authentication is more popular than chip based as it is much faster. Contact-less smartcards may or may not have a chip, but for contactless no physical chip is required. A small Radio-frequency identification (RFID) chip is molded into the plastic card during manufacture and the chip communicates with a receiving base unit if presented in the vicinity of the reader.
So just how safe were Smartcards? Compared to the alternatives of magnetic or optical storage smartcards were very safe. When we discuss smartcards we must identify that there are two different types of chips, each with their own benefits depending on requirements.
- EPROM (Electronically Programmable Read Only Memory): EPROM cards offer the least amount of flexibility as once they are programmed they cannot be reprogrammed. As a result once an EPROM chip is programmed in a factory the resulting end user cannot reprogram the chip. Phonecards in most cases utilized EPROM based chips as once the chip was factory programmed it could not be reprogrammed. This is ideal from a security perspective, as it guarantees the Telecom's company once a Phonecard is emptied of units the end user couldn't just reprogram it to have a fresh set of units.
- EEPROM (Electrically Erasable Programmable Read Only Memory): EEPROM smartcards offered more flexibility as the chip itself could be reprogrammed over and over. Generally a EEPROM chip has a limited number of read/write operations it can handle. It is suggested that after around 100, 000 read/writes a EEPROM chip will be unusable.
Now lets take a look at some examples of chip cards.
Cable/Satellite TV Viewing card
Pictured: UPC Cable TV Viewing card (circa: 2014)
The large Cable/Satellite TV providers: e.g Virgin, Sky generally provide a STB (Set-top box) the end user plugs into their television to receive television broadcast. In order for the providers to be able to handle subscriptions and who has access to what, a viewing card is inserted into the STB. These viewing cards generally utilize a chip, which contains the subscribers unique identity and enables the STB to only allow access to content the subscriber has applied for.
Mobile phone SIM card
Pictured: Eircell Ready To Go SIM Card plus Holder. View card.
The trusty SIM Card has gone through several changes and iterations over the last couple of years. We now have Nano, Micro and normal SIM cards we put into our phones. SIM cards are a classic example of EEPROM memory where a section of the chip allowed the end user to write/rewrite data which was traditionally used to store Text Messages and Phone Contacts. Remember that old Nokia phone that gave out when you had too many texts or contacts? This meant you had used up your SIMs maximum EEPROM allowance, so needed to purge content to make room for new. Over the years chip technology improved greatly, and more modern SIM cards can now hold quite a lor of text based data. A modern SIM card could hold up to 128KB (Kilobytes) of text data, which is not huge but enough for a few hundred contacts. Modern phones now have their own inbuilt storage so it would be very unlikely a modern phone is making use of SIM storage (but the option is still there).
Phonecards
Pictured: "Ireland's First Callcard". The Demonstration Card #3 was used by Telecom eireann engineers to test compatibility with the cardphone readers. View card.
Chipped based phonecards took advantage of the EPROM chip based limitations to ensure it was not possible to fraudulently replenish any consumed units. I will only provide a quick overview here how a chipped phonecard works, as I hope to write a more substantial article about these devices shortly.
In the factory a phonecard chip is factory programmed. Written to the chip will be several bytes of data, including:
- Serial number
- Country code
- Unit count
All chipped based smartcards had a country code so the reader could determine if a user was trying to use another countries phonecard in the wrong reader. A unique serial was applied and then the units added (typically: 5, 10, 20, 50, 100, 120). 120 Unit cards were never used in Ireland, except for several Test Cards, which were encoded for 120 units. 120 units was very common on France Telecom Phonecards (Telecarte).
Contrary to popular belief a cardphone never removed any units from the phonecard. As we now know why, as once a EPROM chip was programmed it could not be reprogrammed. So how then did the cardphone know when a card was used/empty? During manufacturing a certain section of the Phonecards chip was left open for writing. The so called "units area". Every time a unit was consumed, a bit in the area would be set to 1. The cardphone will count the number of bits used in this area, vs the total unit count of the card to determine the phonecards unit status. Typically the first 10 bits in this area will have been factory programmed as a test, so the cardphone would do a calculation something like below:
A 100 Unit Callcard with 35 bits written would read as having 75 Units remaining. Why 75, and not 65? Well because the cardphone will know 10 of the bits are to be discounted as they were set in the factory, so we only start reading unit consumption after bit 10.
In another followup blog post I intend going into a more detailed explanation about how phonecards and chips work.