A card reader is a data input device that reads data from a card-shaped storage medium. The first were punched card readers, which read the paper or cardboard punched cards that were used during the first several decades of the computer industry to store information and programs for computer systems. Modern card readers are electronic devices that can read plastic cards embedded with either a barcode, magnetic strip, computer chip or another storage medium.
A memory card reader is a device used for communication with a smart card or a memory card. A magnetic card reader is a device used to read magnetic stripe cards, such as credit cards.[1] A business card reader is a device used to scan and electronically save printed business cards.
Smart card readers
A smart card reader is an electronic device that reads smart cards and can be found in the following form:
- Keyboards with a built-in card reader
- External devices and internal drive bay card reader devices for personal computers (PC)
- Laptop models containing a built-in smart card reader and/or using flash upgradeable firmware.
External devices that can read a Personal identification number (PIN) or other information may also be connected to a keyboard (usually called "card readers with PIN pad"). This model works by supplying the integrated circuit on the smart card with electricity and communicating via protocols, thereby enabling the user to read and write to a fixed address on the card.
Name | Description |
---|---|
T=0 | Asynchronous half-duplex byte-level transmission protocol, defined in ISO/IEC 7816-3 |
T=1 | Asynchronous half-duplex block-level transmission protocol, defined in ISO/IEC 7816-3. |
T=2 | Reserved for future use. |
T=3 | Reserved for future use. |
Contactless | APDU transmission via contactless interface ISO/IEC 14443. |
If the card does not use any standard transmission protocol, but uses a custom/proprietary protocol, it has the communication protocol designation T=14.[2]
The latest PC/SC CCID specifications define a new smart card framework. This framework works with USB devices with the specific device class 0x0B
. Readers with this class do not need device drivers when used with PC/SC-compliant operating systems, because the operating system supplies the driver by default.
PKCS#11 is an API designed to be platform-independent, defining a generic interface to cryptographic tokens such as smart cards. This allows applications to work without knowledge of the reader details.
Memory card readers
A memory card reader is a device, typically having a USB interface, for accessing the data on a memory card such as a CompactFlash (CF), Secure Digital (SD) or MultiMediaCard (MMC). Most card readers also offer write capability, and together with the card, this can function as a pen drive.
Access control card reader
Access control card readers are used in physical security systems to read a credential that allows access through access control points, typically a locked door. An access control reader can be a magnetic stripe reader, a bar code reader, a proximity reader, a smart card reader, or a biometric reader.
Access control readers are classified by functions they are able to perform and by identification technology:
Barcode
A barcode is a series of alternating dark and light stripes that are read by an optical scanner. The organization and width of the lines is determined by the bar code protocol selected. There are many different protocols, such as the prevalent Code 39.[3] Sometimes the digits represented by the dark and light bars are also printed to allow people to read the number without an optical reader.
The advantage of using barcode technology is that it is cheap and easy to generate the credential and it can easily be applied to cards or other items. However the same affordability and simplicity makes the technology susceptible to fraud, because fake barcodes can also be created cheaply and easily, for example by photocopying real ones. One attempt to reduce fraud is to print the barcode using carbon-based ink, and then cover the bar code with a dark red overlay. The barcode can then be read with an optical reader tuned to the infrared spectrum, but can not easily be copied by a copy machine. This does not address the ease with which barcode numbers can be generated from a computer using almost any printer.
Biometric
Media type | Internet Protocol |
---|---|
Capacity | 10000 templates |
Usage | fingerprint identification, access control |
There are several forms of biometric identification employed in access control: fingerprint, hand geometry, iris, Voice Recognition, and facial recognition.
All biometric readers work similarly, by comparing the template stored in memory to the scan obtained during the process of identification. If there is a high enough degree of probability that the template in the memory is compatible with the live scan (the scan belongs to the authorized person), the ID number of that person is sent to a control panel. The control panel then checks the permission level of the user and determines whether access should be allowed. The communication between the reader and the control panel is usually transmitted using the industry standard Wiegand interface. The only exception is the intelligent biometric reader, which does not require any panels and directly controls all door hardware.
Biometric templates may be stored in the memory of readers, limiting the number of users by the reader memory size (there are reader models that have been manufactured with a storage capacity of up to 50,000 templates). User templates may also be stored in the memory of the smart card, thereby removing all limits to the number of system users (finger-only identification is not possible with this technology), or a central server PC can act as the template host. For systems where a central server is employed, known as "server-based verification", readers first read the biometric data of the user and then forward it to the main computer for processing. Server-based systems support a large number of users but are dependent on the reliability of the central server, as well as communication lines.
1-to-1 and 1-to-many are the two possible modes of operation of a biometric reader:
- In the 1-to-1 mode a user must first either present an ID card or enter a PIN. The reader then looks up the template of the corresponding user in the database and compares it with the live scan. The 1-to-1 method is considered more secure and is generally faster as the reader needs to perform only one comparison. Most 1-to-1 biometric readers are "dual-technology" readers: they either have a built-in proximity, smart card or keypad reader, or they have an input for connecting an external card reader.
- In the 1-to-many mode a user presents biometric data such as a fingerprint or retina scan and the reader then compares the live scan to all the templates stored in the memory. This method is preferred by most end-users, because it eliminates the need to carry ID cards or use PINs. On the other hand, this method is slower, because the reader may have to perform thousands of comparison operations until it finds the match. An important technical characteristic of a 1-to-many reader is the number of comparisons that can be performed in one second, which is considered the maximum time that users can wait at a door without noticing a delay. Currently most 1-to-many readers are capable of performing 2,000–3,000 matching operations per second.
Magnetic stripe
Magnetic stripe technology, usually called mag-stripe, is so named because of the stripe of magnetic oxide tape that is laminated on a card. There are three tracks of data on the magnetic stripe. Typically the data on each of the tracks follows a specific encoding standard, but it is possible to encode any format on any track. A mag-stripe card is cheap compared to other card technologies and is easy to program. The magnetic stripe holds more data than a barcode can in the same space. While a mag-stripe is more difficult to generate than a bar code, the technology for reading and encoding data on a mag-stripe is widespread and easy to acquire. Magnetic stripe technology is also susceptible to misreads, card wear, and data corruption. These cards are also susceptible to some forms of skimming where external devices are placed over the reader to intercept the data read.
Wiegand card
Wiegand card technology is a patented technology using embedded ferromagnetic wires strategically positioned to create a unique pattern that generates the identification number. Like magnetic stripe or barcode technology, this card must be swiped through a reader to be read. Unlike the other technologies, the identification media is embedded in the card and not susceptible to wear. This technology once gained popularity because it is difficult to duplicate, creating a high perception of security. This technology is being replaced by proximity cards, however, because of the limited source of supply, the relatively better tamper resistance of proximity readers, and the convenience of the touch-less functionality in proximity readers.
Proximity card readers are still referred to as "Wiegand output readers", but no longer use the Wiegand effect. Proximity technology retains the Wiegand upstream data so that the new readers are compatible with old systems.
Proximity card
Usage | access control |
---|
A reader radiates a 1" to 20" electrical field around itself. Cards use a simple LC circuit. When a card is presented to the reader, the reader's electrical field excites a coil in the card. The coil charges a capacitor and in turn powers an integrated circuit. The integrated circuit outputs the card number to the coil, which transmits it to the reader.
A common proximity format is 26-bit Wiegand. This format uses a facility code, sometimes also called a site code. The facility code is a unique number common to all of the cards in a particular set. The idea is that an organization will have their own facility code and a set of numbered cards incrementing from 1. Another organization has a different facility code and their card set also increments from 1. Thus different organizations can have card sets with the same card numbers but since the facility codes differ, the cards only work at one organization. This idea worked early in the technology, but as there is no governing body controlling card numbers, different manufacturers can supply cards with identical facility codes and identical card numbers to different organizations. Thus there may be duplicate cards that allow access to multiple facilities in one area. To counteract this problem some manufacturers have created formats beyond 26-bit Wiegand that they control and issue to organizations.
In the 26-bit Wiegand format, bit 1 is an even parity bit. Bits 2–9 are a facility code. Bits 10–25 are the card number. Bit 26 is an odd parity bit. 1/8/16/1. Other formats have a similar structure of a leading facility code followed by the card number and including parity bits for error checking, such as the 1/12/12/1 format used by some American access control companies.
1/8/16/1 gives as facility code limit of 255 and 65535 card number
1/12/12/1 gives a facility code limit of 4095 and 4095 card number.
Wiegand was also stretched to 34 bits, 56 bits and many others.
Smart card
There are two types of smart cards: contact and contactless. Both have an embedded microprocessor and memory. The smart card differs from the proximity card in that the microchip in the proximity card has only one function: to provide the reader with the card's identification number. The processor on the smart card has an embedded operating system and can handle multiple applications such as a cash card, a pre-paid membership card, or an access control card.
The difference between the two types of smart cards is the manner with which the microprocessor on the card communicates with the outside world. A contact smart card has eight contact points, which must physically touch the contacts on the reader to convey information between them. Since contact cards must be inserted into readers carefully in the proper orientation, the speed and convenience of such a transaction is not acceptable for most access control applications. The use of contact smart cards as physical access control is limited mostly to parking applications when payment data is stored in card memory, and when the speed of transactions is not as important.
A contactless smart card uses the same radio-based technology as the proximity card, with the exception of the frequency band used: it uses a higher frequency (13.56 MHz instead of 125 kHz), which allows the transfer of more data, and communication with several cards at the same time. A contactless card does not have to touch the reader or even be taken out of a wallet or purse. Most access control systems only read serial numbers of contactless smart cards and do not utilize the available memory. Card memory may be used for storing biometric data (i.e. fingerprint template) of a user. In such case a biometric reader first reads the template on the card and then compares it to the finger (hand, eye, etc.) presented by the user. In this way biometric data of users does not have to be distributed and stored in the memory of controllers or readers, which simplifies the system and reduces memory requirements.
Smartcard readers have been targeted successfully by criminals in what is termed a supply chain attack, in which the readers are tampered with during manufacture or in the supply chain before delivery. The rogue devices capture customers' card details before transmitting them to criminals.[4]
Banking card readers
Some banks have issued hand-held smartcard readers to their customers to support different electronic payment applications:
- Chip Authentication Program (CAP) uses EMV banking cards to authenticate online transactions as a phishing countermeasure.
- Geldkarte is a German electronic purse scheme where card readers are used to allow the card holder to verify the amount of money stored on the card and the details of the last few transactions.
See also
References
- ↑ "Mobile Credit Card Readers Grow with IOS as Foundation". Macworld.com. Retrieved March 22, 2012.
- ↑ ISO/IEC 7816-3:2006 Identification cards — Integrated circuit cards — Part 3: Cards with contacts — Electrical interface and transmission protocols, clause 8.2.3
- ↑ "Bar Code Basics". Online Conveyor Parts. Archived from the original on January 16, 2012. Retrieved March 22, 2012.
- ↑ Henry Samuel (2008-10-10). "Chip and pin scam 'has netted millions from British shoppers'". The Telegraph. Archived from the original on 2008-10-11. Retrieved 2008-10-13.