Smart card reader
Chip card readers (also called smart card readers) are devices that operate chip cards. They do not only read data from the card; they also write data to it and control the applications running on the chip, which is why one also speaks of a chip card terminal.
The device supplies the chip card with power, provides its clock and establishes communication according to the parameters the card supports, which the card announces to the reader in its ATR (Answer to Reset). The host software decides which commands, the so-called APDUs (read, write or computation commands), are sent to the card. Nevertheless, the readers on offer are usually differentiated by their main area of application. Besides models for administration and finance, the market also offers models for mobile communications, which usually also have contacts for the small chip card form factors (ISO 7816 ID-000).
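To make the ATR negotiation described above concrete, the following added example (not code from the original article or from any reader vendor) parses an ISO 7816-3 ATR into its interface bytes, the offered protocols, the historical bytes and the TCK check byte, and decodes TA1 into the Fi/Di clock parameters. The sample ATR is constructed for this example and does not belong to any real card.

```python
import functools
import operator

# ISO 7816-3 Fi (clock rate conversion) and Di (baud rate adjustment) tables for TA1.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20] + [None] * 6


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into convention, interface bytes, protocols, historical bytes and TCK result."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("ATR must start with TS 0x3B/0x3F followed by T0")
    r = {"convention": "direct" if atr[0] == 0x3B else "inverse",
         "interface": {}, "protocols": []}
    y, k = atr[1] >> 4, atr[1] & 0x0F   # Y1: which of TA1..TD1 follow; K: historical byte count
    pos, i = 2, 1
    while True:                         # walk TAi/TBi/TCi/TDi; each TDi announces the next group
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                r["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = r["interface"].get(f"TD{i}")
        if td is None:
            break
        r["protocols"].append(td & 0x0F)  # low nibble of TDi = protocol T offered
        y, i = td >> 4, i + 1
    if not r["protocols"]:
        r["protocols"] = [0]              # no TD1 at all means T=0 only
    r["historical"] = atr[pos:pos + k]
    if len(r["historical"]) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    # TCK is absent only when T=0 is the sole protocol offered; otherwise it is the
    # byte that makes the XOR of T0 .. TCK equal to zero.
    if set(r["protocols"]) == {0}:
        r["tck_ok"] = None
    else:
        if pos >= len(atr):
            raise ValueError("TCK byte missing")
        r["tck_ok"] = functools.reduce(operator.xor, atr[1:pos + 1], 0) == 0
    ta1 = r["interface"].get("TA1", 0x11)   # default TA1 = 0x11: Fi=372, Di=1
    r["fi"], r["di"] = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    return r


# Constructed sample ATR (not from any real card): T=1 offered via TD1 and TD2, TA3/TB3
# present, three historical bytes A1 B2 C3 and a TCK of 0x59 that makes the check pass.
SAMPLE_ATR = bytes.fromhex("3B 93 11 81 31 FE 45 A1 B2 C3 59")

if __name__ == "__main__":
    print(parse_atr(SAMPLE_ATR))
```

A reader implementation would reject a card whose TCK does not verify before sending any APDU; the function reports that as `tck_ok == False` rather than raising, so the caller decides.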
Control can take place via electrical signals applied to the contacts. In areas of application where contact-based chip cards are not advantageous, the chip is combined with RFID to form a transponder card.
For security-relevant applications, such as internet banking, card readers are divided into four security classes according to a specification of the DK (Deutsche Kreditwirtschaft, the German Banking Industry Committee):
- Security class 1
- Devices of this class have no special security features. The reader serves only as a contact unit for the chip card.
- Security class 2
- These readers have a keypad on which, for example, the PIN for home banking is entered. This practically prevents the PIN from being spied on (for example by keyloggers or Trojans). However, a Trojan horse can still alter the data of a home banking transaction before it is signed.
- Security class 3
- In addition to the keypad, these devices have a display and firmware that can be used, for example, to pay with an electronic purse card on the Internet. Secoder-enabled devices also allow the tamper-proof display of the signature data on the device's own display.
- Security class 4
- These readers additionally have at least one further card slot. It holds an authentication module (Secure Access Module, SAM) that uniquely identifies the reader or its operator. SAM modules usually have the ID-000 form factor and are often housed inside the device to prevent unauthorized removal. Compare also: POS terminals (point of sale), e.g. electronic cash or merchant terminals for electronic purse cards. These readers are mostly so-called hybrid devices that can also read and process cards with magnetic stripes.
Card readers come in both external and internal forms. The external form is a small box that is usually connected to the PC with a USB cable and is addressed via the CCID protocol (Chip Card Interface Device). Depending on the design, connection via a serial interface is also possible. The internal form sits in the PC case and is connected to the PC's main board via a cable. Many everyday devices now have an integrated card reader: every cell phone talks to a SIM card, and digital cameras or MP3 players read and write memory cards.
Card readers can also be built into a card printer. This has the advantage that chip cards, RFID transponders or smart cards can be printed or personalized as well as read out and encoded in a single work step. Selective reading or encoding is also possible with the appropriate card software. Card printers with built-in reader modules are widespread for local personalization (e.g. producing visitor badges with restricted access permissions) and for payment applications.
Examples of functions
- Online banking (e.g. via HBCI)
- Time recording in the workplace
- Authentication of a user on the computer
- Reading of contact data on a SIM card
- Reading out the balance of an electronic purse card (Geldkarte); see also Makatel
- Reading out the data stored on a health insurance card (Germany) or eCard (Austria)
- Signing with the citizen card (Austria)
- Authorization to receive encrypted broadcasts
- Reading from memory cards; main article: memory card reader
For a long time, card readers could only be addressed via proprietary interfaces. This made life difficult for software developers, who had to take into account not only the particularities of the chip card but also those of the reader. For users it meant being tied to a particular combination of reader and chip card.
The CT-API
A first approach to a standardized application programming interface (API) was the CT-API (Card Terminal Application Programming Interface). It was developed in the context of the German health insurance card and consists of a dynamic library (DLL) with a defined, uniform interface that the manufacturer of the card reader must provide. The CT-API has not caught on internationally; it remained essentially limited to the German market.
The PC/SC standard
The PC/SC standard is an internationally successful approach to standardization. It was developed by the PC/SC Workgroup and is available on GNU/Linux, macOS and Microsoft Windows. With this approach, the manufacturer provides a device driver, which the operating system accesses in order to offer applications a uniform interface. All function names of this API begin with the prefix "SCard". One disadvantage of popular PC/SC implementations is their lack of support for memory cards (chip cards without a processor).
The Secoder standard
The Secoder standard, developed by the German Central Credit Committee (ZKA), allows electronic purse cards to be loaded via the Internet. The Secoder is characterized by security features that distinguish it from conventional card readers: it has a built-in firewall that protects the card and the user's PIN, and a display that shows the transaction data for verification, so that any manipulation becomes visible. The Secoder extension for HBCI allows the tamper-proof display of the Secoder visualization texts (transaction data such as payee and amount) on the device display. However, this must be actively supported by the respective bank and by the home banking software. Entering the PIN on the reader is also mandatory. Attacks by malware such as Trojans or keyloggers are meant to be fended off by the Secoder's firewall, which means that the application software itself has no direct access to the device. Since the Secoder standard requires a keypad and a display, such card readers always correspond to at least security class 3.
- PC/SC Workgroup
- MUSCLE homepage, a PC/SC interface and a CCID driver for Unix-like systems
- Press release on Secoder
- Specification CT-API 1.1.1 (PDF; 56 kB)