The Phone Bank Blog

Secure Element in the SIM

May 14th, 2008

Since the name of the blog is “the phone bank”, I figured that I should make my first post about phone-specific NFC functions. An NFC (near field communication) phone is made up of a few more components than a normal phone. The first extra component is the 13.56 MHz radio interface chip. The first product I ever worked on that had an NFC radio interface chip used an NXP component. The chip is pretty simple, in that it is essentially a bridge for a few different NFC activities. It can make the phone act as if it were a card (card emulation mode), it can read an RFID tag or card (card reader mode), and it can communicate with another active NFC device (NFC mode).

The most powerful of these modes from an application perspective is by far card emulation mode, so that is all I’m going to talk about. This mode allows the phone to take advantage of all the reader infrastructure that currently exists. The killer application in this scenario is the ability to make the phone act as a payment card, i.e. a MasterCard PayPass, Visa contactless, or AMEX ExpressPay card.

I mentioned that an NFC phone has two components in addition to a normal phone in order to make it function. The second component is referred to as the “secure element”. This is essentially a hardware chip that is normally accessed over a single wire protocol, and to get technical, this single wire protocol is usually the 7816 smart card standard. Those of us in North America have seen this type of card used as a payment or security card, and I’m sure many of us would recognize it as the card we use to secure our access to media, like the one in a DirecTV box. Another huge use case for the 7816 single wire protocol is the SIM in a phone. The SIM in a mobile phone is the controlling gateway to the phone’s service. It is the way the service provider governs how and where the handset it sits in may be used, and more than that, it ties the service to a particular customer. Anyway, the point of the separate secure element is to house customer information about the credential itself. Because this has already been done for years in smart cards, there is no reason to make, test and get the industry to approve a completely new device for NFC. So the plan is to use the age-old smart card secure element design for storing credentials and simply couple it to a separate NFC chip in order to provide contactless card emulation.

It is important to note that some smart card chips DO have contactless interfaces built into them, but in the case of a mobile phone, where the NFC function also needs to form a bridge to other applications such as reading a tag or performing two-way communication with another phone, it is necessary to separate the contactless functionality into a separate chip. Basically, a simple NFC radio chip. This chip has an antenna connected to one end, a baseband controller (the mobile phone) connected to the other end, and possibly a secure element connection as well.

In that first NFC chip I worked with, the interface between the NFC chip and the secure element was proprietary. It was not the single wire 7816 protocol; it was referred to as the S2C protocol. This scenario nearly assures that if a phone manufacturer used this NFC chip from NXP, it would almost certainly choose an S2C secure element to couple with it for the precious card emulation mode function. This proprietary interface will most likely go the way of the dinosaur in an effort to further standardize NFC card emulation. Because S2C is proprietary to NXP, and there are similar existing industry standards, it probably won’t be the go-forward standard for NFC secure element connectivity.

Since then, the single wire protocol has arrived as the interface to be used with all NFC chips. This means that the secure element is now the focus of the NFC handset, not so much the NFC radio chip itself, because the radio chip simply becomes a conduit to move the sacred data from the secure element over the air to a receiving party. Because the secure element interface for contactless card credentials is now defined to be the 7816 protocol, this blends in very nicely with the existing SIM card infrastructure. Now it is only necessary for the SIM card to have the software capability to house payment applications that can then be served over the NFC radio through the single wire interface. LET THE GAMES BEGIN! The standard NFC phone has arrived!

In subsequent posts I will talk a lot about the idea of Over The Air (OTA) provisioning of payment credentials. The next effort in industry standardization will most likely be focused in this area. Doing so will give issuers the peace of mind to issue their credentials over a secure platform to a remote card, or in this case a phone.

Contactless Security at the Mercy of Implementing Banks (The Power of the Separate Chip PAN)

May 14th, 2008

Here is a quick overview of contactless security. It is built, essentially, on the OTP (One Time Password) idea. Because the root payment infrastructure in North America does not have to change in order to support the new contactless standards, the new chip cards and the specifications that define them have opted to use the one time password idea to secure them. For at least the last 20 years, a credential used to authorize a card payment has begun on the magnetic stripe of a plastic card. When this card is swiped at the reader terminal, the raw data extracted from the card is in the format the industry refers to as Track 1 and Track 2 data. An example of the ASCII representation of this data is:

=> track 2 data: 5413123456784808=05081019094998990013

=> track 1 data: B5413123456784808^SMITH/JOHN^0508101331633330942222289911113

For financial transactions, only Track 2 is needed in order to authenticate. Track 1 can be used for other nifty tricks, like extracting or attaching a customer name to an airline ticket or something like that. You can find all the details of Track 1 and Track 2 data on Wikipedia if you want to dive in.

Let’s look at Track 2. You will notice that the first 16 digits of the example above (before the ‘=’ sign) are the PAN, or Personal Account Number. The expiration date (0508) follows the ‘=’ sign, and that is followed by the service code (101) and then some issuer discretionary data. The Track information gets this name because the magnetic stripe on the card has a few tracks on it that are read simultaneously by the reader head and then formatted into the data you see above as “Track” data. Once the terminal has extracted the data from the card, it is sent to the processor, who puts this data into a packet format that can be placed onto the payment network. Once this packet is on the payment network, it makes its way to the issuing bank of this particular card so that the bank can check the authenticity of the data. FYI, the first 6-8 digits of the PAN are commonly known as the bank identifier number (BIN) and serve as an address for the data packet during this authorization process. After the issuing bank has authenticated the Track data and confirmed that the funds can be debited or credited by the account holder, the bank will “authorize” the transaction to the merchant. This process usually takes a few seconds and is conducted over regular phone lines or high speed internet lines.

As you can imagine, there is quite a bit of infrastructure in place for this type of authorization process, and changing this system to allow more of a bi-directional authorization process would probably measure like a Richter 10 in the financial industry.

Now, the chip card! Chip cards, or smart cards, bring entirely new functionality to the payment industry. The card itself has the ability to do calculations on known and unknown data. They have the ability to encrypt and decrypt data, store secret keys, authenticate users, store PINs, create hashes, etc. Most of these functions, however, are not used in order to make a typical North American contactless payment authorization.

A North American AMEX, MasterCard or Visa transaction is built around the idea of Track 2 equivalent data. This means that the data the terminal builds has the same format as that of your typical magnetic stripe card, so that the same POS, processor networks and authenticating banks can process this data with the same old systems that have been in place for years. The layer of added security that Track 2 equivalent data is able to provide lives in the issuer discretionary data field. This means that nobody on the network except the issuing bank is ultimately responsible for securing its own contactless cards. Here is a look at a Track 2 equivalent data set that comes from a demonstration MasterCard contactless chip:

=> track 2 data: 5413123456784808=0508101 9 094 99 899 001 3

   discretionary data:  9 094 99 899 001 3
                          ^^^    ^^^ ^^^ ^
                          ATC    UN  CVC3 nUN

You can see that the data passes to the authenticating bank in the same field in which the old magnetic Track 2 data passed. The one major difference in the data itself is in the issuer discretionary data. There are 3 dynamic values:

ATC -> automatic transaction counter

UN -> unpredictable number

dCVC3 -> dynamic card verification value

Each time a transaction is made with this card, the following things happen:

  1) The ATC is incremented
  2) A new UN is passed from the terminal to the card and is placed back into the Track 2 equivalent data
  3) A dCVC3 value is calculated on the card using an algorithm that encompasses the ATC, the UN, and the shared private key that is specific to that particular card

In this way, every single transaction made with the card is unique, i.e. the discretionary data in the Track 2 equivalent field is always changing. This prevents anyone between the terminal and the issuing bank from storing the Track 2 equivalent data in a database with the intent of using the same Track 2 data for more than one transaction.
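As an added example (my code, not the post’s), here is how the Track 2 fields and the three dynamic values are pulled apart in Python. The digit positions for the ATC, UN and CVC3 are the ones the demonstration card reports in the READ RECORD trace further down (values 0E 70, 00 0E and 03); the names PUNATC, PCVC3 and NATC for those values, and the ATC’s expansion as Application Transaction Counter, come from the PayPass Mag Stripe specification rather than from the post, and the bitmap-driven extraction is the general form of the fixed layout drawn above.

```python
"""Parse Track 2 and pull the dynamic values out of the Track 2 equivalent
data shown above.  Added example, not code from the post.  The bitmap
values are the ones the demonstration card returns in the READ RECORD
trace below (9F 66 = 0E 70, 9F 65 = 00 0E, 9F 67 = 03); the names PUNATC,
PCVC3 and NATC are from the PayPass Mag Stripe specification."""

# Taken from the trace below; the names are mine, not the post's
PUNATC_TRACK2 = 0x0E70   # digit positions carrying ATC and UN
PCVC3_TRACK2 = 0x000E    # digit positions carrying the CVC3
NATC_TRACK2 = 3          # how many of the PUNATC positions hold ATC digits


def parse_track2(track2: str) -> dict:
    """Split a Track 2 string into PAN, expiry, service code and issuer
    discretionary data.  Accepts the raw hex form too ('D' separator,
    trailing 'F' padding)."""
    t = track2.strip().upper().rstrip("F").replace("D", "=")
    if t.count("=") != 1:
        raise ValueError("Track 2 must contain exactly one field separator")
    pan, rest = t.split("=")
    if not pan.isdigit() or len(pan) > 19:
        raise ValueError("PAN must be up to 19 digits")
    if len(rest) < 7 or not rest.isdigit():
        raise ValueError("expiry (4 digits) and service code (3) must follow the separator")
    return {
        "pan": pan,
        "bin": pan[:6],             # issuer prefix used to route the authorization
        "expiry": rest[:4],         # YYMM
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def bitmap_positions(bitmap: int) -> list:
    """Digit positions selected by a bitmap, most significant first.
    Position 1 is the rightmost digit of the discretionary data."""
    return [p for p in range(bitmap.bit_length(), 0, -1) if bitmap >> (p - 1) & 1]


def extract_dynamic_fields(discretionary: str, punatc: int = PUNATC_TRACK2,
                           pcvc3: int = PCVC3_TRACK2, natc: int = NATC_TRACK2) -> dict:
    """Recover ATC, UN, CVC3 and nUN from the discretionary data.

    The PUNATC positions hold ATC and UN together: the NATC most
    significant ones are the ATC, the remainder the UN.  PCVC3 marks the
    CVC3 digits.  The last digit (nUN) says how many UN digits the
    terminal actually supplied."""
    def digits_at(positions):
        return "".join(discretionary[len(discretionary) - p] for p in positions)

    un_atc = bitmap_positions(punatc)
    return {
        "atc": digits_at(un_atc[:natc]),
        "un": digits_at(un_atc[natc:]),
        "cvc3": digits_at(bitmap_positions(pcvc3)),
        "nun": int(discretionary[-1]),
    }


def decode_example() -> dict:
    """Decode the demonstration card's Track 2 equivalent data quoted above."""
    fields = parse_track2("5413123456784808=05081019094998990013")
    return {**fields, **extract_dynamic_fields(fields["discretionary"])}


if __name__ == "__main__":
    for name, value in decode_example().items():
        print(f"{name:14} {value}")
```

For the string quoted above this yields ATC 094, UN 899, CVC3 001 and nUN 3, the same split the arrows show; the static 9 and 99 are the digits neither bitmap selects.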

The security mechanism is pretty strong if implemented correctly, but fails catastrophically if it is not. What I mean by this is that any contactless implementation should use a separate PAN for its contactless chip than for the magnetic stripe or the PAN printed on the face of the card. The reason this is so important is that the number on the face of the card can be used for two types of transaction:

  1) Card present transactions, in which the entire Track 2 data is retrieved and submitted for authorization
  2) Card not present transactions (for things like phone purchases), in which the PAN, expiration date, and maybe a number from the back of the card are used

The security risk of using the card face PAN as the contactless chip PAN is that it makes it impossible to distinguish a genuine card not present transaction from one made with information retrieved from a contactless transaction.

So, in order to preserve the integrity of the added security of a contactless transaction, that transaction must be accompanied and completed with a full check of the Track 2 equivalent data, in order to check the issuer discretionary data field. If the chip PAN can possibly be used for a “card not present” transaction, then it defeats the purpose of chip card security, and actually makes the whole scheme less secure, for the simple fact that it could be possible to retrieve “card not present” data from a contactless chip card using a proximity coupling device under one’s coat, or hidden in a bag, in order to read the contactless chip inside someone’s wallet. It makes picking a pocket much easier!!!

To my knowledge AMEX is the only card that implements this mechanism properly. If you conduct a contactless transaction with an AMEX card, the chip PAN is different from the PAN on the face of the card. Now don’t get confused: the two different PANs should ultimately be tied to the same card holder account. What the unique chip PAN allows is the ability to ensure that if it is ever used for authorization, it had better be accompanied by the entire Track 2 data, including the discretionary field that carries the dynamic components of the transaction. Now, that is clearly an added security benefit to the consumer, plus the consumer will not have to worry so much about pickpockets! :)
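To show what “implemented correctly” means on the issuer side, here is an added example (not the post’s code) of an authorizer that enforces the three dynamic fields and the separate chip PAN rule. HMAC-SHA256 truncated to three digits stands in for the card’s real CVC3 function, which the post does not specify; the key, the second PAN and the counter handling are constructed for the illustration.

```python
"""Issuer-side checks for the dynamic Track 2 equivalent data and the
separate chip PAN rule discussed above.  Added example, not the post's
code.  HMAC-SHA256 truncated to three digits stands in for the card's
real CVC3 function, which the post does not specify; the key and the
second PAN are constructed values."""
import hashlib
import hmac
from dataclasses import dataclass


def stand_in_cvc3(card_key: bytes, atc: int, un: int) -> str:
    """Three-digit dynamic checksum over ATC and UN (illustrative only)."""
    msg = atc.to_bytes(2, "big") + un.to_bytes(4, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class ContactlessCard:
    """Card side: a per-card secret and a counter that only goes up."""

    def __init__(self, chip_pan: str, card_key: bytes):
        self.chip_pan, self.card_key, self.atc = chip_pan, card_key, 0

    def tap(self, un: int) -> dict:
        self.atc += 1                                   # 1) ATC incremented
        return {"pan": self.chip_pan, "expiry": "0508",
                "atc": self.atc, "un": un,              # 2) terminal's UN echoed back
                "cvc3": stand_in_cvc3(self.card_key, self.atc, un)}  # 3) dCVC3


@dataclass
class IssuerRecord:
    card_key: bytes
    is_chip_pan: bool      # True: this PAN exists only on the contactless chip
    last_atc: int = -1


class Issuer:
    def __init__(self):
        self.accounts = {}

    def enroll(self, pan: str, card_key: bytes, is_chip_pan: bool):
        self.accounts[pan] = IssuerRecord(card_key, is_chip_pan)

    def authorize(self, request: dict) -> str:
        rec = self.accounts.get(request["pan"])
        if rec is None:
            return "DECLINED: unknown PAN"
        if not all(k in request for k in ("atc", "un", "cvc3")):
            # PAN + expiry only: a card-not-present style request
            if rec.is_chip_pan:
                return "DECLINED: chip PAN used without dynamic data"
            return "APPROVED: card-not-present path"
        if request["atc"] <= rec.last_atc:
            return "DECLINED: ATC not increasing (replay)"
        expected = stand_in_cvc3(rec.card_key, request["atc"], request["un"])
        if not hmac.compare_digest(expected, request["cvc3"]):
            return "DECLINED: CVC3 mismatch"
        rec.last_atc = request["atc"]
        return "APPROVED: dynamic data verified"


def demo() -> list:
    """A genuine tap, the same data replayed, a wrong checksum, and two
    card-not-present requests; returns the issuer's decisions in order."""
    key = bytes(range(16))                  # constructed per-card key
    issuer = Issuer()
    issuer.enroll("5413123456784808", key, is_chip_pan=True)    # chip PAN from the post
    issuer.enroll("5413000000000000", key, is_chip_pan=False)   # constructed face-of-card PAN
    card = ContactlessCard("5413123456784808", key)

    genuine = card.tap(un=899)
    decisions = [issuer.authorize(genuine), issuer.authorize(genuine)]
    forged = card.tap(un=123)
    forged["cvc3"] = f"{(int(forged['cvc3']) + 1) % 1000:03d}"
    decisions.append(issuer.authorize(forged))
    decisions.append(issuer.authorize({"pan": "5413123456784808", "expiry": "0508"}))
    decisions.append(issuer.authorize({"pan": "5413000000000000", "expiry": "0508"}))
    return decisions


if __name__ == "__main__":
    print("\n".join(demo()))
```

The ATC check is what makes a stored copy of the Track 2 equivalent data worthless: the issuer only moves the counter forward after the checksum verifies, so a verbatim replay is declined before any cryptography runs. The last two requests are the point of the separate chip PAN: with the chip PAN flagged, a request that arrives without the dynamic fields is declined outright, while the face-of-card PAN still takes the ordinary path.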

FOR THE GEEKS:

Here is an example of the data exchange between a coupling device and a contactless MasterCard chip. The data is in the clear and can be decoded pretty easily using simple ASCII conversions:

 

  • SELECT AID Command

>CARD: 00 A4 04 00 07 A0 00 00 00 04 10 10 00
CARD>: 6F 17 84 07 A0 00 00 00 04 10 10 A5 0C 50 0A 4D 61 73 74 65 72 43 61 72 64 90 00

  • GET PROCESSING OPTIONS Command

>CARD: 80 A8 00 00 02 83 00 00
CARD>: 77 0A 82 02 00 00 94 04 08 01 01 00 90 00

  • READ RECORD Command

>CARD: 00 B2 01 0C 00
CARD>: 70 81 8E 9F 6C 02 00 01 56 3C 42 35 34 31 33 31
       32 33 34 35 36 37 38 34 38 30 38 5E 53 4D 49 54
       48 2F 4A 4F 48 4E 5E 30 35 30 38 31 30 31 33 33
       00 00 00 33 33 33 00 00 00 32 32 32 32 32 00 00
       00 31 31 31 31 00 9F 64 01 03 9F 62 06 00 00 00
       38 00 00 9F 63 06 00 00 00 00 E0 E0 9F 65 02 00
       0E 9F 66 02 0E 70 9F 6B 13 54 13 12 34 56 78 48
       08 D0 50 81 01 90 00 99 00 00 00 0F 9F 67 01 03
       9F 68 0E 00 00 00 00 00 00 00 00 5E 03 42 03 1F
       03 90 00

This is the data that can be decoded easily. The PAN and expiration date are the packed digits 54 13 12 34 56 78 48 08 D0 50 8 that follow 9F 6B 13 near the end of the response; the same PAN also appears spelled out in ASCII earlier in the record (42 35 34 31 33 31 32 33 34 35 36 37 38 34 38 30 38 = B5413123456784808).

  • COMPUTE CRYPTOGRAPHIC CHECKSUM Command

>CARD: 80 2A 8E 80 04 00 00 08 99 00
CARD>: 77 0F 9F 61 02 90 89 9F 60 02 75 D3 9F 36 02 00 5E 90 00
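The trace above decodes mechanically. As an added example (not from the post), the following Python parses the BER-TLV structure of the READ RECORD and COMPUTE CRYPTOGRAPHIC CHECKSUM responses copied from the trace. The tag names (56 Track 1 Data, 9F 6B Track 2 Data, 9F 36 ATC, 9F 61 and 9F 60 CVC3, 9F 65/9F 66/9F 67 and 9F 62/9F 63/9F 64 the Track 2 and Track 1 bitmaps) are my identifications from the EMV and PayPass Mag Stripe tag dictionaries, not labels given in the post.

```python
"""Decode the APDU responses in the trace above.  Added example, not code
from the post: the bytes are copied from the trace, the tag names are my
identifications from the EMV and PayPass Mag Stripe tag dictionaries."""

# Card responses copied from the trace above, status word 90 00 included
READ_RECORD_RSP = bytes.fromhex(
    "70 81 8E 9F 6C 02 00 01 56 3C 42 35 34 31 33 31 "
    "32 33 34 35 36 37 38 34 38 30 38 5E 53 4D 49 54 "
    "48 2F 4A 4F 48 4E 5E 30 35 30 38 31 30 31 33 33 "
    "00 00 00 33 33 33 00 00 00 32 32 32 32 32 00 00 "
    "00 31 31 31 31 00 9F 64 01 03 9F 62 06 00 00 00 "
    "38 00 00 9F 63 06 00 00 00 00 E0 E0 9F 65 02 00 "
    "0E 9F 66 02 0E 70 9F 6B 13 54 13 12 34 56 78 48 "
    "08 D0 50 81 01 90 00 99 00 00 00 0F 9F 67 01 03 "
    "9F 68 0E 00 00 00 00 00 00 00 00 5E 03 42 03 1F "
    "03 90 00"
)
COMPUTE_CHECKSUM_RSP = bytes.fromhex(
    "77 0F 9F 61 02 90 89 9F 60 02 75 D3 9F 36 02 00 5E 90 00"
)

TAG_NAMES = {                       # my identifications, not labels from the post
    "56": "Track 1 Data", "9F6B": "Track 2 Data",
    "9F6C": "Mag Stripe Application Version Number", "9F68": "Mag Stripe CVM List",
    "9F62": "PCVC3 Track 1", "9F63": "PUNATC Track 1", "9F64": "NATC Track 1",
    "9F65": "PCVC3 Track 2", "9F66": "PUNATC Track 2", "9F67": "NATC Track 2",
    "9F60": "CVC3 Track 1", "9F61": "CVC3 Track 2", "9F36": "Application Transaction Counter",
}


def parse_tlv(data: bytes) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed
    tags (bit 6 of the first tag byte set) such as 70 and 77."""
    out, i = {}, 0
    while i < len(data):
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:        # multi-byte tag (9F xx ...)
            i += 1
            while data[i - 1] & 0x80:
                i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                      # long form: 81 xx, 82 xx xx, ...
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if data[start] & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def split_sw(rsp: bytes):
    """Separate the two-byte status word from the response body."""
    return rsp[:-2], rsp[-2:].hex().upper()


def decode_read_record(rsp: bytes = READ_RECORD_RSP) -> dict:
    body, sw = split_sw(rsp)
    tlv = parse_tlv(body)
    # NUL bytes in Track 1 are the digit positions the card fills in per transaction
    track1 = tlv["56"].decode("ascii").replace("\x00", "_")
    track2 = tlv["9F6B"].hex().upper().rstrip("F").replace("D", "=")
    return {
        "sw": sw,
        "track1": track1,
        "track2_template": track2,
        "pan": track2.split("=")[0],
        "expiry": track2.split("=")[1][:4],
        "pcvc3_track2": int.from_bytes(tlv["9F65"], "big"),
        "punatc_track2": int.from_bytes(tlv["9F66"], "big"),
        "natc_track2": tlv["9F67"][0],
    }


def decode_compute_checksum(rsp: bytes = COMPUTE_CHECKSUM_RSP) -> dict:
    tlv = parse_tlv(split_sw(rsp)[0])
    atc = int.from_bytes(tlv["9F36"], "big")
    cvc3_t2 = int.from_bytes(tlv["9F61"], "big")
    cvc3_t1 = int.from_bytes(tlv["9F60"], "big")
    # The binary values become their three least significant decimal digits in the tracks
    return {"atc": atc, "atc_digits": f"{atc % 1000:03d}",
            "cvc3_track2": cvc3_t2, "cvc3_track2_digits": f"{cvc3_t2 % 1000:03d}",
            "cvc3_track1": cvc3_t1, "cvc3_track1_digits": f"{cvc3_t1 % 1000:03d}"}


if __name__ == "__main__":
    for tag, value in parse_tlv(split_sw(READ_RECORD_RSP)[0]).items():
        print(f"{tag:4} {TAG_NAMES.get(tag, '?'):40} {value.hex().upper()}")
    print(decode_read_record())
    print(decode_compute_checksum())
```

Running it ties the trace to the strings quoted at the top of this post: the ATC 00 5E is 94, printed as 094; the Track 2 CVC3 90 89 is 37001, whose last three digits 001 are the CVC3 in the Track 2 diagram; the Track 1 CVC3 75 D3 is 30163, whose 163 sits in the Track 1 string; and the UN 899 is the command’s data field 00 00 08 99 read as decimal digits. The NUL bytes in the Track 1 record are exactly the positions those digits occupy.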

What Contactless Payments Really Mean

April 21st, 2008

Being that this is my first entry in my first blog, I figured I would start it as I intend it to continue. For the most part I view the blog as a scratchboard to write thoughts as they come. So don’t be too distracted by the posts and the tangents that may come from each post, or from each paragraph for that matter, and remember that it’s just for fun!

Two years ago I started following contactless payments intended for North America pretty closely. At the time I worked for a company that makes RFID readers. Specifically, we made HF (13.56 MHz) RFID readers, the kind used for reading the RFID transponders in contactless payment credit cards.

Most have probably seen advertisements about these cards from companies like MasterCard, VISA, and American Express. The most notable, in my opinion, are from MasterCard advertising their PayPass brand. Some of these ads involve a marathon runner making quick payments at a roadside stand, which is supposed to show the “quickness” of this new way to pay, while others show an elephant using the credit card to purchase things for its trainer, which is supposed to show the “ease of use” of this new payment method.

My fascination with contactless payment is really in the area of change. Magnetic stripe payment has been around for a long time. I don’t know exactly how long, but I’d guess it’s been around longer than I’ve been using computers, which would date back to when I got my first TI-99, which puts me in about the 4th grade. Being that I’m 35 years old now, I guess magnetic stripe is at least 25 years old. Now things seem to be changing. Maybe not changing; maybe the better phrase is “adding to”. I have yet to see a contactless card without a magnetic stripe on it as well, unless you’re talking about a fob for a key ring or a mobile phone. These almost always ship to the customer with a companion card that does incorporate a magnetic stripe.

Change is happening slowly, but I’m certain it’s coming. I’m steadily seeing more and more terminals popping up in my everyday stomping grounds when I’m out and about. I’ve used them very rarely, when I’m testing a new product, and I typically get interested looks from the clerks, or comments like “I’ve never seen anybody use that, that is pretty cool”. Nonetheless, more terminals are popping up. This slow growth is the cost of business for card associations. They make their bread and butter by slowly putting down infrastructure in order to cash in on it at a later date. So just as those old impression (manual “scrape”) readers were replaced by electronic magnetic stripe readers, we are in the middle of seeing the technology shift yet again, to the contactless chip.

What does this mean?!

It means different things for everyone involved in the payment ecosystem. For consumers, although it is a different mechanism from magnetic stripe that offers a slightly more convenient interface, in reality it is no faster a form of payment. The bulk of the transaction is still spent in the authorization phase. The merchant still has to call and check with the bank to make sure the funds can be used from your account. In my opinion, the interesting change or difference with contactless payments is the unique form factor. Now that the physical shape of the payment instrument is no longer dictated or restricted by the instrument used to read it, it can be whatever shape it wants to be, and can even be embedded into everyday objects that consumers already carry with them, such as key rings or even mobile phones.

For merchants, contactless payments symbolize headaches, I think. Looking at the ecosystem, they have the least to gain by the switch, and the most to lose. For them it represents yet another thing that they need to find a place for on their counter tops. For someone like me who is a minimalist, my brain already gets confused at a convenience store during checkout, and this reader device won’t help the matter. Although card associations are offering “no-signature” payments for payments under $25.00 for merchants, this program does not seem specific to contactless payments, as it applies to all card payments. So we can’t use that as a positive point for the merchant either. The only positive point I can see is that contactless payments don’t currently affect a merchant’s payment infrastructure. In other words, nothing except the new terminals that interface with the POS has to change in order for a merchant to accept contactless payments. The Track 1 and Track 2 data structures remain intact for contactless payments, just as they were with the magnetic stripe. The difference is in the data that is carried inside these Track 1 and Track 2 data strings.

For banks, contactless payments do represent an infrastructure change, or I should say a potential infrastructure change. I look at it this way: it is up to a bank to take advantage of the contactless payment security mechanisms. The bank may choose to ignore this, in which case a contactless card is less secure than a magnetic stripe card. The bank may choose to implement infrastructure changes to account for its contactless cards, in which case it will increase the overall security of a contactless payment so that it is above and beyond the current security mechanisms of a magnetic stripe card. I’ll get into the details of this in my next blog post.

For entrepreneurs, I believe the opportunities are huge. Any time there is a major infrastructure change like this, there is always market fragmentation. In this case, the market fragmentation extends past the typical payment mechanisms that have been relegated to cards, and into a much larger market such as mobile phones and the personal computer. The same standards that are making this contactless payment more secure (if applied correctly!) could be the same standards that make internet shopping, or mobile payments, both at the POS and on the internet, more secure. Remember, the payment instrument has no form factor anymore. It can literally be the mobile phone or computer itself. If we start thinking down that route, this opens doors to a new card distribution market as well, which incorporates Over The Air (OTA) credential distribution: in a sense, the ability to send digital credentials to a phone or computer instead of sending a plastic card to the customer’s house. Don’t get too excited too fast though. I don’t want to burst your bubble, but... remember, this is completely ecosystem dependent. In other words, because the payment infrastructure in North America is owned by and dependent on lots of different parties, this change tends to be slow moving, which is never good for start-ups, believe me, I’ve been involved in my share. I believe the trick in this whole play will be timing and endurance. So a business plan should incorporate a transitional revenue stream, a way to make money during the growth period that can transition into a sustainable business after growth in the ecosystem has happened. Estimates on contactless payment infrastructure growth vary from year to year and from marketing agency to agency, but it seems like adoption will be around 80% anywhere from 2 years to 10 years from now... Yeah, that’s a big help!!! We’ll see.