Winter 2009
Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews
National IDs: Changing Perspectives?

CONTENTS
6 | OPINION | Will the U.S. have a national ID?
8 | PODCAST | Conversations on end-to-end encryption, online ID and national ID programs
10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites
17 | CALENDAR | Industry events from the identity and security worlds
20 | COVER STORY | National ID cards: Changing perspectives?
26 | PRIVACY | Privacy analysis necessary for access control systems
27 | ONLINE ID | Feds partner with private sector on ID management
28 | REGISTERED TRAVELER | Registered traveler preparing for take off ... again
30 | PAYMENTS | Different technologies vie to protect payments
32 | CONTACTLESS | Industry group sees contactless alternative to secure payments
36 | TRANSIT | Bay Area’s TransLink sees its 16-year one card goal within reach
38 | INNOVATION | New PIV-compliant, dual-interface card
39 | APPLICATIONS | Indiana blood bank uses biometrics for donor ID
40 | TECHNOLOGY | Public Key Infrastructure Primer: Why is PKI important?
42 | HEALTH CARE | Fingerprint biometric sensors secure medication cabinets
44 | STANDARDS | Improving contactless security is goal of emerging PLAID project
46 | ON CAMPUS | Is the future of campus cards contactless?
50 | MOBILE | BYU students take first crack at replacing ID card with phone
52 | PROFILE | A merger of convergence: SCM, Hirsch and BlueHill
56 | STANDARDS | Group working on standards for identity vetting
57 | GOVERNMENT | Advisory Committee: “Comprehensive ID management” needed in U.S.
58 | EVENTS | CARTES event brings world’s ID community to Paris for top notch education and expo
60 | INITIATIVES | Education tops list for Smart Card Alliance industry councils
62 | BIOMETRICS | Voice biometrics: Using speech for access
64 | NFC | NFC and social media applications
65 | RFID | RFID enables courts, law firms to track files
66 | BIOMETRICS | Test shows iris interoperability

INDEX OF ADVERTISERS
Blackboard | www.blackboard.com/contactless | 55
CARTES | www.cartes.com | 19
CoreStreet | www.corestreet.com/TWIC | 2
CPI Card Group | www.cpicardgroup.com | 47
Cryptography Research | www.cryptography.com | 25
CSCIP | www.smartcardalliance.org | 61
Digital Identification Solutions | www.dis-usa.com/Re-ID | 13
Entrust | www.entrust.com/epassport | 23
Evolis | www.evolis.com | 63
FIPS201.com | www.fips201.com | 54
Gemalto | www.gemalto.com/enterprise/smartguardian | 3
HID Global | www.hidglobal.com | 68
IEEE | www.IEEEBiometricsCertification.org | 49
LEGIC Identsystems | www.legic.com | 7
Smart Card Alliance | www.smartcardalliance.org | 35
XceedID | www.xceedid.com | 67
Perspective
EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS: Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Ryan Kline, Ed McKinley, Jay Swift, David Wyld
ART DIRECTION TEAM: Darius Barnes, Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2009 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.
Will the U.S. have a national ID? Seeds are being planted but opposition is strong
Zack Martin, Editor, AVISIAN Publications

National IDs are one of the many third rails of U.S. politics. The mention conjures up images of a police state where citizens are asked for their papers at every street corner. The U.S. is actually in the minority of countries that don’t have a national ID card. This month’s cover story gave me the opportunity to chat with some individuals about the types of programs that countries have in place or are getting ready to deploy. And while I’m sure there are programs out there that require citizens to hand over an ID card on demand and have nefarious underpinnings, that wasn’t what I found. Instead I heard how these IDs are being used to enable citizens to access services and better protect their identity. Belgium’s kids ID is one program in particular that intrigued me. The card is issued to children 12 years and younger and it is primarily used for travel around Europe. But the smart card can also be used to log in to restricted chat rooms, protecting them from predators.

The new generation of national ID cards enables citizens to access government services, log in to government Web sites, apply for social benefits and file taxes. Some countries are enabling the private sector to take advantage of the ID as well. In Finland financial institutions use the card to add an additional layer of security as customers access banking sites. But while a national ID card may curb some of the identity theft issues in the U.S., I don’t see a mandatory card coming about any time soon. There isn’t enough political will to make it happen and the backlash would be extreme. But a voluntary national ID? That I can see happening. There are many initiatives underway that will set the stage for such a card. The move to electronic health records and the need to effectively identify patients is one.

Identifying citizens to establish their right to work is another. This one is a bit trickier, however, because every U.S. citizen needs to be able to prove they are eligible to work, and it could seem like a mandatory ID. The key to any type of government ID program is to benefit its citizenry. We need to get something out of having this ID, whether it be protection from identity theft or easier access to services. There needs to be a value to the card. If not, the program will most likely fade and not fulfill its intended purpose.

How do you prove who you are? Typically most people pull out a driver license or passport. But beyond that how does anyone know your identity? (And please, I’m not trying to start an existential discussion.) Another interesting initiative going on is the effort to standardize identity vetting (Page 52). The North American Security Products Organization is working on standards for identity vetting that could be used throughout the U.S. and even potentially on a world stage. The project is trying to create identity resumes for individuals, built off of a birth certificate and other public records, so they can prove who they are. It’s an interesting, and challenging, task. There are hundreds of different types of birth certificates and other source documents in circulation. The project calls for training a new type of notary who would be used to investigate the identity of individuals. I’m curious to see how the project unfolds and how the vetting is put in place. Does the future entail building an identity resume and then being issued a smart card to verify employment?
Do you have an idea for a topic you would like to hear discussed on a re:ID Podcast? Contact podcasts@AVISIAN.com
Episode 41: New technology for securing payment card data
Regarding ID Editor Zack Martin talked with Sid Sidner from ACI Worldwide about some of the different technology options for improving payment data security. EMV, end-to-end encryption and contactless are all being considered, but is there one technology or technique with an inside track?
Highlights:
“End-to-end encryption uses a form of cryptography that hasn’t been blessed yet. People would feel better if there were a standardized form.”
“In some ways EMV is inevitable. European issuers still have to put mag stripes on the back of the cards because of the U.S. There’s lots of card not present fraud in the U.S., and because we don’t use it the power of chip and PIN is diluted.”
“Heartland and the people who are working on end-to-end encryption are trying to get something out there pretty quickly, more so than the three to five year time frame that most other technologies take.”
To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 41”

Episode 40: Securing payments with contactless smart cards
There are a variety of solutions being proposed to better protect payment information to prevent breaches. In this podcast Randy Vanderhoof, executive director of the Smart Card Alliance, talks to Zack Martin, editor of Regarding ID magazine, about the group’s latest recommendation that the U.S. use contactless smart cards using dynamic cryptograms to secure payment data.
Highlights:
“Some of the folks we’ve been working with who have been examining the challenges with implementing EMV cite the cost of chip and PIN, which continues to be a major obstacle. Others look at the U.S. market and say we don’t need to implement a full chip and PIN. There are other technologies that exist in our contactless payment products that would solve a lot of the problems.”
“End-to-end encryption is another attempt to mask the static number. If you take the value out of the data you don’t have to go to extreme efforts to protect it. A better approach would be to look at contactless.”
“We need to shift the conversation from contactless being a convenience product to have it also be considered a strategy to improve security and reduce fraud.”
To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 40”
Episode 39: U.S. partners with private sector for online ID The Obama Administration has made it clear that online identity is a priority. Multiple reports cite the importance of identifying individuals online. In the administration’s latest announcement it has partnered with ten private sector companies to enable better access and use of government Web sites. Nico Popp, vice president for VeriSign’s Innovation Group, talks with Regarding ID Editor Zack Martin about the announcement and how it’s the first step to bringing better identification to the Internet. Highlights: “This administration sees the Web as an important medium for participation. The intent of this is to enable the government Web sites to unleash the information.” “The idea is to be able to interact and reuse the same credential.” “This is an opportunity to educate and train the user. Non-technical users don’t know they can use the same identity across multiple Web sites and it’s fairly seamless.”
To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 39”
Episode 37: Overview of National ID card benefits and concerns In many countries national ID cards are a way of life. In this two-part discussion on the credentials, Zack Martin, editor of Regarding ID, talks to Neville Pattinson, vice president of government affairs and business development at Gemalto North America, about what some European countries are doing with the ID cards. Part two discusses some initiatives in the U.S. Highlights: “National IDs are very common around Europe and the Middle East. They exist to create efficiencies in how governments deal with their citizens and for access to entitlements and health care.” “Countries in Europe and the Middle East need to know who they’re dealing with and by giving citizens an identity document it brings them a lot of benefits and services and provides efficiencies to the government. And once you have an ID in the hands of citizens that’s founded on a government identity scheme others can take advantage of that.” “This is going to require a lot beyond user name and password. You need hardware-based authentication, biometrics and smart cards for people to prove who they are. If we don’t include a higher standard of authentication for our citizens and people accessing financial services we’ll keep hearing about disasters.”
To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 37”
ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com
U.S. State Department renews passport contract with L-1
L-1 Identity Solutions Inc. announced it was awarded a new contract to continue providing production systems for U.S. passports. The indefinite quantity contract has a potential value of up to $195 million and was awarded by the Department of State Bureau of Consular Affairs, Consular Systems and Technology Directorate to Trans Digital Technologies Corporation (TDT), a wholly owned subsidiary of L-1. The new contract, a one year base and four option years, follows the completion of the previous contract agreement and encompasses ongoing support of the State Department in 22 domestic passport agencies and production centers through the continued use of the MP300US printing system. Additionally, TDT will provide security products, technical support, and maintenance needed to sustain U.S. passport production operations at all current and future passport facilities. For more than a decade TDT has supported the State Department with the Toppan MP300US passport printing system as part of the Travel Documents Issuance System for the issuance of U.S. passport books.
MXI offers USB security for PIV users MXI Security announced the availability of USB drive authentication technology leveraging Common Access Card and Personal Identity Verification cards. Used in conjunction with secure portable storage devices from the two companies, the new technology provides the U.S. government protection for portable data. MXI Security’s new technology, available as a module for McAfee’s ePolicy Orchestrator, enables organizations to use existing or planned CAC/PIV infrastructure as a way of identifying their users to MXI Security or McAfee encrypted USB drives using their government issued smart cards. Aside from the new CAC/PIV technology, McAfee offers organizations a central network management solution that gives government IT departments full control over their secure portable storage devices.
Other MXI Security modules deliver features such as granular security policies, user self-provisioning, and user self-rescue that greatly enhance deployability and scalability. In addition, the ability to restrict devices to trusted networks, remotely kill rogue devices, and have USB drives perform antivirus self-scans provides additional security.
London Olympic site secured via biometrics Due to its size and importance for the area, the London Olympic Park has been identified as a potential target for terrorist activity, according to a Guardian article. Because of this, biometric security for those working at and around the construction site has been implemented at each of the entrances to the area. The biometric scanners will utilize hand and iris biometrics as well as photographic smart cards for worker authentication. While the new technology has roughly 4,500 workers enrolled, by the end of 2010 when the project expands, that number is expected to reach 9,000. Many have begun to express worries that the cutting edge technology will end up putting the London 2012 Olympic Committee’s £354 million security budget over and cost taxpayers more than they were expecting. In response to the worries, Security Minister Lord West has announced that the security measures in place are appropriate to the need to keep the 2012 Olympic games safe while also keeping them under budget.
Other capabilities of the biometric systems include checking workers’ legal right to work, to keep illegal aliens from working on the site, and time and attendance for paychecks, eliminating buddy punching. In addition to the biometric scanners, agents from the UK Border Agency are checking workers’ identification and CCTV has been installed around the Olympic Park.
NXP’s chip powers Egyptian welfare program NXP Semiconductors’ SmartMX contact security chip has been chosen by the Egyptian government to power its Family Card, a welfare program which offers subsidies on goods such as food to low-income families. The joint project, run by the Ministry of Social Solidarity and the Ministry of Administrative Development, is working with Egyptian card manufacturer Misr Security Systems to deploy the smart cards. NXP’s SmartMX security chip protects cardholder information such as address details and national ID numbers, which permanently link the card to its holder and cannot be changed. The device also offers cryptographic protection of sensitive data at both a hardware and software level. The Family Card will enable users to verify their eligibility for the program at point-of-sale, and enable retailers to more easily recoup funds from the government. Started in 2005 in the Suez region, the Family Card program was designed to offer low-income families financial support when purchasing basic foodstuffs such as rice and sugar. The infrastructure supporting the Family Card, consisting of cards, point-of-sale units and the related applications designed by Misr Security Systems, has been rolled out throughout the country. When completed, some ten million Egyptian households will be participating in the program.
Gemalto launches USB token with smart card tech Gemalto announced the launch of Protiva Smart Guardian, a smart card enabled personal security USB device that offers digital data integrity and data loss prevention for enterprises. Smart Guardian provides nomad workforces with a platform to securely access corporate resources. The product combines endpoint control and secure data storage for protecting sensitive information since the encrypted data never leaves the Smart Guardian. Attempts to tamper with the device are detectable and intrusion attempts will cause the token to erase its contents. In addition to providing security, Smart Guardian is designed to be easy and convenient to use. Users insert the authorized portable token and enter a passphrase to unlock the device so that any data transferred to it is encrypted automatically. Smart Guardian provides two-factor authentication based on something the user has – the USB token – and something the user knows – the passphrase. This ensures that only authorized users have access to encrypted data, even if the device is lost or stolen. Smart Guardian tokens are easy for IT administrators to deploy and manage, and require no user training. The Smart Guardian device combines smart card technology from Gemalto and secure flash technology from Lexar. Its management options make it easy for end-users and administrators to register new devices, update software on the devices, deploy protected corporate applications, and remotely block a lost or stolen token and destroy its contents.
Dynamic Card Solutions partners with Threshold to deliver Canadian EMV cards Dynamic Card Solutions, an Englewood, Colo.-based provider of instant issuance solutions, has partnered with Ontario-based Threshold Financial Technologies to give financial institutions access to Dynamic’s CardWizard software. Threshold provides payment processing, ATM and card issuing solutions to more than 65 financial institutions throughout Canada. This new partnership allows Threshold’s card issuing clients to transition from magnetic stripe cards to chip and PIN cards, offering their cardholders in-branch PIN selection, PIN change and personalized chip cards. Additional benefits include the ability to replace lost or stolen cards on the spot. The CardWizard software can personalize cards, program the chip, encode the magnetic stripe, and print or emboss cardholder details while optionally activating the card for immediate use.
Panasonic offers DigitalPersona biometrics on workstation DigitalPersona, a developer of biometrics systems, has announced that its U.are.U fingerprint sensor will be available as an installed upgrade for electronics company Panasonic’s workstation desktop computers, called Stingray JS-950. The sensor is in a modular case and can be attached to either side of the display screen of the Stingray. Although the U.are.U system comes as both an embedded and a separate device, Panasonic opted to use the embedded option for its computers. Neither the deal with DigitalPersona nor the upgrade includes any pre-installed software necessary to operate the devices, but many developers, including DigitalPersona, have software that works with the U.are.U sensor.
CPI releases new version of Card Designer CPI Card Group has released Card Designer 2.5. This latest version of the online software includes new and updated features. Card Designer now has an updated online tool, enabling customers to get their cards to market faster. These upgraded features include a design checklist, pre-set templates and the ability to design not only the front but also the back of a card. Selecting a card background and placing graphical logos, text and network bugs will complete the design and make an image that is truly worth a thousand words. The newest version of Card Designer also features the ability to upload high resolution artwork for card production. Requesting an order or pricing is easy with updated forms that are more comprehensive, saving time as the customer places requests.
Angola rolls out national ID LaserCard Corporation, a provider of secure ID solutions, announced the launch of Angola’s new citizen ID card. Issuance of the new optical security media-based credential began last week in Luanda and is scheduled to roll out to other provinces during October. LaserCard is the provider of the credential, which includes optical security media. The secure, wallet-size ID cards, which store personal and biometric identification, will be issued to Angolan citizens nationwide.
Cherry receives FIPS 201 certification on smart card reader Cherry Electronics’ new SR-4300 ExpressCard reader and ST-1210 standalone smart card readers are now FIPS 201 certified by the General Services Administration for use with Personal Identity Verification smart cards. The ST-1210 is a CCID-compliant, low-profile USB contact reader, designed for one-hand operation. At just 105mm x 70mm x 12mm high, it is easily transportable and fits in even small workspaces. The SR-4300 ExpressCard reader is being bundled with notebooks for applications in federal government agencies. The reader is also suitable for a range of non-government applications, and it is being adopted widely as the ExpressCard interface displaces PC Cards in new laptop and notebook computers. Cherry’s new smart card readers are also PC/SC compliant and compatible with ISO 7816 (Class A, B, C), so they are suitable for typical smart card applications in single sign-on (SSO) and logical access control. Both SR-4300 and ST-1210 carry 2 year warranties and have a typical operating life of 100,000 card insertions.
Blackboard Transact meets new PCI standards Blackboard Inc., a provider of education technology, has released version 3.5 of Blackboard Transact, which strengthens data and application security for campus commerce and card programs and enables institutions to process credit card transactions while meeting new industry standards. Blackboard Transact is used by colleges and universities to support campus commerce and security management. The company’s newest release complies with the Payment Application Data Security Standard in both application architecture and written operating procedures. Release 3.5 received validation from Trustwave, a top security assessor company, and acceptance from the Payment Card Industry Security Standards Council. With 3.5, institutions can host the application and process credit card transactions in compliance with the PCI Data Security Standard well ahead of the July 2010 deadline for institutions to use only Payment Application-compliant applications in their payment environments. The new release also introduces new capabilities to support enterprise-wide compliance policies and risk management and adds a range of new capabilities including improved database audit logging, user account and password features including forced complex passwords, limited repeat access attempts, account deactivation after 90 days of no use, and completely re-written user documentation. “Payment application security compliance is a very important initiative for our university,” said Stacie Gomm, associate vice president for Information Technology at Utah State University. “Our controller’s office is driving this initiative to ensure that all of our financial systems and processes are PCI compliant. The enhanced security features of the Blackboard Transact platform are an important step towards compliance for our campus-wide ID card solution.”
Mühlbauer tapped by De La Rue for biometrics program assistance The Mühlbauer Technology Group, a developer of technology for large ID projects, has announced that it has been chosen by De La Rue Identity Systems, a biometrics systems developer, to assist with a biometric passport program by providing equipment to support the production of the passports. In total, Mühlbauer is set to supply $10 million worth of equipment as well as $6 million in service and support for the systems. The contract is for a specific passport project, but the country was not disclosed.
ASK releases new contactless USB reader for home use
ASK announced the availability of LoGO, its contactless USB reader for home or desk usage. LoGO is a low-cost reader for any application that requires smart card transactions in a contactless environment. Multi-standard and plug and play, LoGO complies with the smart card industry standards including ISO 14443 A/B, NFC, FeliCa and Mifare. One of the applications the reader is designed for is online home reloading. While companies such as Paris transport company RATP launch Navigo pass online reloading, other operators wish to offer their customers a USB reader at home. End users can perform various transactions for their transport or multi-application card at their desk.
GlobalPlatform unveils transportation task force GlobalPlatform has launched a Transportation Task Force to contribute to the evolution of smart ticketing solutions and to promote the benefits that GlobalPlatform’s technology can bring to the sector. The Transportation Task Force will aim to create a forum with other transportation organizations to promote the value that interoperable technology can add to smart ticketing implementations. The group will also work with the organization’s Card, Device and Systems Committees to modify and advance GlobalPlatform’s existing specifications to address specific requirements as highlighted by the industry. The aim of this activity is to develop a standard travel media that will offer multi-transportation network ticketing solutions which provide a variety of additional services to passengers, for example bike rental or banking services. The task force’s first priority is to publish a white paper that will position GlobalPlatform’s offering to the transportation sector by detailing how its neutral and scalable technology can be adopted by the market today without customization. The paper will also explain how GlobalPlatform Specifications enable the usage of third-party media, for example a mobile phone, to undertake e-ticketing transactions; enhance mobility by facilitating the co-existence of different local transport applications on the same media; and allow transport operators to enrich services by offering new applications throughout the lifecycle of the solution.
The Transportation Task Force will work with GlobalPlatform’s Mobile Task Force. This group has established links with associations such as StoLPaN, European Telecommunications Standards Institute, EMVCo, GSM Association, European Payments Council, Association Européenne Payez Mobile, Ulysse and the Mobey Forum.
SCM releases new version of CHIPDRIVE SCM Microsystems Inc. announced a new version of its CHIPDRIVE Time Recording solution for recording and administering employee working hours.
As in previous versions, CHIPDRIVE Time Recording 6.0 comes with everything needed to set up and manage time recording of employees and projects within small and medium-sized businesses. Smart cards or contactless chip tokens are included for employees to use as forgery-proof employee time cards; a mobile or network-based terminal serves as a time clock; and CHIPDRIVE software records and analyzes employee attendance and other data, including hours logged, status of vacation days and work absences. CHIPDRIVE Time Recording 6.0 also offers enhanced performance and new management features. Enhancements include improved personnel administration, an optimized Excel export for daily reports, and improved password protection. New features include a larger user interface that can be individually configured by the user, including the ability to modify the color scheme and the navigational slide bars. To ease personnel administration, photos of employees can be imported and formatted with an integrated picture editing tool. Groups or individuals can be easily selected via the slide bar. In addition, the daily attendance log can now also be viewed and printed within the network via PC Time Clock – a special application for people working from home or satellite offices that allows users to clock in and out on the PC and transfer their timesheet data via the corporate network or Internet into the Time Recording system. CHIPDRIVE Time Recording 6.0 is available worldwide. Customers that purchased a previous software version after September 1 are eligible to receive a free licence key to upgrade.
VeriSign rolls out new two-factor authentication for more mobile devices
VeriSign announced that the latest release of VIP Access for Mobile is now available for Apple iPod touch, additional BlackBerry smartphones and devices running the Windows Mobile operating system – in addition to hundreds of mobile devices supporting J2ME, an application platform for mobile devices. The application already supports Apple iPhone, BlackBerry smartphones and mobile devices from Nokia, LG, Motorola, Samsung, Sony Ericsson, Sanyo, Pantech and more. VIP Access for Mobile is a free mobile application that transforms more than 200 different mobile devices into VIP authentication credentials. VIP Authentication Service – also known as strong or two-factor authentication – offers an additional layer of protection to any number of employees, partners or customers – anyone who needs secure remote access to a network.
Two-factor authentication works by requiring each user to provide not just a username and password but also a unique one-time six-digit security code generated by the user’s VIP authentication credential.
The latest release of the VIP Access for Mobile application features an enhanced download and activation process – with no text messaging required – making it easier to use VIP authentication on VIP-enabled Web sites. Additionally, support for simple copy/paste of a security code and credential ID into a mobile browser or application enhances the user experience. VIP Access for Mobile is available today for:
• Apple iPod touch and iPhone users from the Apple App Store by searching the Business category for “VIP Access.” Users can also download from the iTunes App Store and sync their iPhone or iPod touch
• BlackBerry smartphones on BlackBerry App World
• Windows Mobile device users, as well as J2ME phone users.
Oberthur launches European Citizen Card integrated with Windows 7
Oberthur Technologies has rolled out ID-One, an identity card that offers an identification, authentication and electronic signature solution that can be implemented throughout Europe, meeting the specifications defined for the European Citizen Card. It is also compatible with Windows 7, scheduled for launch later this month. The card can be deployed by integrators and security application providers for both physical and logical access control in any governmental or corporate identity application. Microsoft’s mini driver translates the smart card’s features to an interface designed by Microsoft for Windows 7 and allows the card to be plug and play.
New Schlage electronic locks protect access control investment
Ingersoll Rand Security Technologies has rolled out a new electronic lock that can be upgraded without ever taking it off the door. The Schlage AD-Series locks will be introduced at the Door & Hardware Institute Exposition Sept. 16-17 in Kissimmee, Fla., and at the ASIS Exposition in Anaheim, Calif., Sept. 21-23. The modular design of the Schlage AD-Series lets users adapt to new technologies easily, whether changing credential technologies or networking capabilities. Without replacing the lock, users can upgrade readers and network modules to go from an offline to a networked solution, change the credentials they are using at any time and use future innovative technologies as they emerge. With its open architecture platform, the AD-Series integrates with Schlage or third-party software and is able to leverage the existing network infrastructure. Users can customize door openings with options such as credential reader type, networking, finish and levers. As their business needs change, so can their access control solution. Upgrades can be as simple as interchanging a module, said Karen Keating, Schlage electronic locking portfolio marketing manager. Components that have traditionally been located around the door are now integrated into the lock itself. From large buildings to a small office with only a few openings, AD-Series locks can be configured to create a custom fit right at the lock. For instance, the locks provide multiple, interchangeable credential reader modules as well as interchangeable offline, wired and wireless networking modules so that access control can now be installed at doors previously deemed unfeasible. Another advantage with the AD-Series is that there is now no need to outfit the entire facility at once. Users can start small and add more openings as budgets permit.
Companies working on NFC tour guide program
CONNECTHINGS, INSIDE Contactless and SAGEM Wireless announced they have formed a consortium to develop the Smart Muse Mobile NFC Tour guide and deploy two pilot demonstrations in the old center of the City of Nice and at the Teen Gallery at the Centre Pompidou in Paris. Smart Muse will enable visitors to easily access location- and time-specific multimedia information on NFC-enabled mobile phones by simply “waving” the device over NFC tags. The team has been awarded a grant for this project from France’s Ministry of Economy, Industry and Employment, one of 13 such initiatives selected by the Ministry to develop and deploy new services and applications based on NFC technology. The two Smart Muse demonstration projects will be the first deployments of the Wave-Me NFC Service Platform, and the consortium expects to have them ready in early 2010. The multilingual content has been developed in conjunction with the City of Nice and Centre Pompidou to be both informative and anecdotal in nature, as well as tailored to the individual’s demographics. It has been designed to provide users with a more intimate sense of place, and will be written to encourage participation through postings of comments and stories about their visit. Smart Muse will also provide information on nearby tourist services – shops, restaurants, hotels, city services, events, and others – and the content will be updated constantly.
The consortium members will each apply their expertise in developing the Smart Muse project. INSIDE will provide its NFC technology, NFC hardware and software for the handset, NFC tags and other patented technology. CONNECTHINGS brings knowledge from its AdTag server-side contextualized content management, as well as its experience with NFC tag and mobile application life cycle management and other technologies. SAGEM Wireless is providing the NFC-enabled mobile phones that will be used in conjunction with the Centre Pompidou demonstration project, and which will be provided to visitors at no cost for use while inside the museum. The consortium received the grant based on the originality of the Smart Muse project, openness of the application and compliance with existing standards, quality of the partnership, viability of the project, project management and anticipated economic benefits. The grant covers approximately 30% of the development and deployment of a total project cost of more than $2.1 million; the remainder will be self-funded by the consortium partners.
Ulink introduces Oyster card-style system to Bristol
Ulink, the bus service operated by the University of West England and Wessex Connect and originally established for students, introduced this month an Oyster-style card for passengers to make their travels across Bristol easier. Now in its second year, Ulink became the first bus service in Bristol to successfully launch the new smart card system. Modeled after London’s Oyster card, the scheme lets students and Bristol’s bus users avoid the hassle of long lines and scrambling for change.
“The idea is that you get on the bus and instead of having to find the right cash to buy a ticket, you put your smart card onto the ticket machine as payment,” said Steve Ward, UWE’s travel planner. “The machine still gives you a ticket but the time wasted at the stop is reduced.” Ward hopes Bristol’s City Council will consider installing the smart card system on Bristol’s other bus services. “It’s cheaper, more convenient and you don’t have to worry about having the right money. When the balance on the smart card gets low, you can just pay the driver to top it up.”
SCM Microsystems Japan, Dai Nippon address Japanese IT and NFC security issues
SCM Microsystems Japan Inc., Dai Nippon Printing Co. and Japanese consultant Digital Media Research Institute have launched a new digital data security solution using cloud computing technologies. The high-security data storage system developed by Dai Nippon consists of the company’s TranC’ert DNA software, a SIM card and SCM’s @MAXX lite secure smart card reader. Digital Media is providing sales and consulting services for the implementation of the new system. Dai Nippon’s TranC’ert software splits up and encrypts sensitive or confidential data and stores it on three servers, which secures and protects the information from loss, damage or theft. The new system provided by the three offers a secure cloud computing infrastructure scheme. The smart card in SIM form factor securely stores and processes the data, the TranC’ert software protects the data by distributing it across multiple servers, and SCM’s @MAXX lite reader allows users with the proper authorization to access and reconstruct the data. @MAXX lite includes a built-in smart card reader and on-board flash memory that enables this mobile device to handle sensitive data. Currently, the new system is being piloted but is expected to be available throughout Japan beginning in December. SCM Microsystems Japan and Dai Nippon also plan to launch a new security solution utilizing NFC technology. The companies will begin selling the new solution, which allows compatibility of IC cards across the three primary contactless communication standards (FeliCa, MIFARE and ISO 14443 Type A and B), in November. Using its Endpoint Saver user authentication and access control software, Dai Nippon will begin distributing the new security solution in combination with SCM’s SCL010 and SCL3711 contactless smart card readers. Both companies intend to promote their NFC-related products and systems globally to business enterprises, municipalities, medical institutions and the entertainment industry.
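The item above says TranC’ert splits data across three servers so that it survives loss of a server yet cannot be read from a stolen one, without saying how. The block below is an added illustration of that property only (not Dai Nippon’s or SCM’s code): a 2-of-3 Shamir split over GF(2^8), where any two server shares rebuild the data and a single share is uniformly random. The server names and the sample record are constructed; the encryption step and the SIM-held key the item mentions are assumed to happen before splitting and are outside this block.

```python
import os

# Server labels and the x-coordinate each one evaluates the share polynomial at
# (labels are constructed for this example; the news item names no servers).
SERVER_X = {"server-1": 1, "server-2": 2, "server-3": 3}


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) using the AES reduction polynomial 0x11b."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254, since the group order is 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_2_of_3(data: bytes) -> dict:
    """Produce one share per server. Each data byte s becomes f(x) = s + r*x
    with a fresh random slope r, so any single share is uniformly random and
    reveals nothing about s; any two shares determine the line and hence s."""
    shares = {name: bytearray() for name in SERVER_X}
    for s in data:
        r = os.urandom(1)[0]
        for name, x in SERVER_X.items():
            shares[name].append(s ^ gf_mul(r, x))
    return {name: bytes(buf) for name, buf in shares.items()}


def reconstruct(shares: dict) -> bytes:
    """Rebuild the data from any two servers' shares (extra shares are ignored).
    Lagrange interpolation at x = 0; in characteristic 2, subtraction is XOR."""
    available = [n for n in shares if n in SERVER_X]
    if len(available) < 2:
        raise ValueError("need shares from at least two servers")
    ni, nj = available[:2]
    xi, xj = SERVER_X[ni], SERVER_X[nj]
    yi, yj = shares[ni], shares[nj]
    if len(yi) != len(yj):
        raise ValueError("shares differ in length; one may be damaged")
    denom_inv = gf_inv(xi ^ xj)
    li = gf_mul(xj, denom_inv)  # L_i(0) = xj / (xi - xj)
    lj = gf_mul(xi, denom_inv)  # L_j(0) = xi / (xj - xi)
    return bytes(gf_mul(a, li) ^ gf_mul(b, lj) for a, b in zip(yi, yj))


def survives_single_server_loss(data: bytes) -> bool:
    """Check the availability claim: whichever one server is lost, the
    remaining two still recover the data exactly."""
    shares = split_2_of_3(data)
    for lost in SERVER_X:
        remaining = {n: s for n, s in shares.items() if n != lost}
        if reconstruct(remaining) != data:
            return False
    return True


if __name__ == "__main__":
    record = b"constructed sample: confidential customer record"  # constructed input
    parts = split_2_of_3(record)
    print("one share alone (random-looking):", parts["server-1"].hex()[:32], "...")
    print("rebuilt from servers 2 and 3:",
          reconstruct({k: parts[k] for k in ("server-2", "server-3")}))
    print("tolerates any single server loss:", survives_single_server_loss(record))
```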
Tyfone receives patent for mobile electronic wallet technology
Tyfone, a Portland, Ore., provider of mobile NFC payments and secure transaction capabilities, says it has received a U.S. patent for its electronic transaction card that allows a memory card to be used as an electronic wallet or for the secure transmission of financial information.
This technology is part of the company’s u4ia (euphoria) mobile financial services platform, which completed successful beta testing in June.
In the contactless payment marketplace, Tyfone’s patented technologies and u4ia secure memory card platform enable existing handsets to become NFC-ready. This can benefit consumers and stakeholders, such as banks, transportation companies, mobile operators and merchants, without the need to change the current ecosystem.
Tyfone’s platform includes a neutral secure element, thereby making it an electronic container or wallet. This solution allows a TSM to securely manage different consumer credit, debit, transportation and pre-paid accounts for use in a wide range of payment and other secure transactions. A key application for Tyfone’s newly patented technology is using SideTap to conduct a contactless payment transaction. With SideTap, consumers purchase goods at the point of sale simply by tapping their mobile device against a POS reader.
ActivIdentity unveils capabilities for Credential Management System
ActivIdentity Corp., a Fremont, Calif.-based authentication and credential management provider, has enhanced its ActivID Card Management System, adding automatic certificate renewal and smart card update capabilities as well as support for public key cryptography standards.
In conjunction with the company’s ActivClient, the Card Management System can also issue and manage smart cards and USB tokens in a desktop network environment, providing both logical and physical access control capabilities.
The enhancements also include support for PIV-Interoperability for non-federal organizations and updated environmental support, such as with Microsoft Windows Server 2008.
Omani citizens gain e-purse benefits with smart ID card
Omani citizens have started activating the e-purse application in their electronic ID cards, which enables them to pay for administrative fees, such as birth and marriage certificates, car registration, driver licenses and visa applications. They can also reload their mobile phone prepaid subscription and make purchases at supermarkets.
In the future, the ePurse application will also enable payment at public car parks and toll gates. As prime contractor, Gemalto supplied BankMuscat and Royal Oman Police with the Coesys ePurse product, which includes the post-issuance solution to activate the application and the centralized system to manage the transactions. Gemalto also provided consulting services, project management as well as support and maintenance. BankMuscat, which acts as an issuer of the e-purse, initiated and implemented the project. Going forward, the country’s Information Technology Authority will host the e-purse system in-house and expand the application to all banks in Oman. Omani citizens and residents can use the new applications without the need to renew their ID card.
DHS hiring cybersecurity experts
Department of Homeland Security Secretary Janet Napolitano announced that the agency plans to recruit and hire as many as 1,000 cybersecurity professionals across DHS over the next three years. The new hiring authority, which results from a collaborative effort between DHS, the Office of Personnel Management and the Office of Management and Budget, allows the Department to staff up the positions over three years across all DHS components to fulfill critical cybersecurity roles, including cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering. Napolitano made the announcement in remarks marking the start of National Cybersecurity Awareness Month. She was joined by Deputy Secretary of Defense William J. Lynn III and White House National Security Staff Acting Senior Director for Cybersecurity Chris Painter. Although DHS does not anticipate the need to fill all 1,000 positions, this cap reflects the Obama administration’s commitment to equipping DHS with the critical tools necessary to build a cyber organization and compete for cybersecurity talent.
CoreStreet, Salamander partner
CoreStreet, a provider of credential validation solutions, and Salamander Technologies, a provider of personnel accountability solutions, announced they have formed a partnership to further enhance the unified incident command functionality of Salamander’s interTRAX Suite. Under terms of the agreement, Salamander Technologies has CoreStreet-Enabled its interTRAX Suite by integrating the CoreStreet PIVMAN technology throughout its new interTRAX PIV 3.0 solution, and will offer the enhanced capabilities as an add-on component. The combined solution is already installed in customer locations in Colorado and Michigan, and soon in Illinois. The CoreStreet PIVMAN technology provides Salamander Technologies with an interoperability layer between local accountability and identity solutions and the federal emergency response infrastructure put in place in accordance with the mandates of HSPD-12 and H.R.-1. Salamander’s interTRAX suite integrates the elements of identification, incident, and interoperability into a solution for tracking resources at an incident, event or disaster. It also combines the latest in automatic identification technologies with standard incident command procedures under the National Incident Management System. The CoreStreet PIVMAN Solution collects attributes and qualifications from authoritative sources for Emergency Response Officials. This provides incident commanders with the most current information for utilizing the officials and granting access to disaster sites during mutual aid response scenarios. It also utilizes National Response Framework Emergency Support Function codes and National Infrastructure Protection Plan Sector numbers for attributes, as defined by the National Preparedness Directorate within FEMA.
CALENDAR 2010
February
Smart Card Alliance 2010 Payments Summit, February 22 – 24, 2010, Marriott City Center Hotels, Salt Lake City, UT
March
RSA Conference 2010, March 1 – 5, 2010, Moscone Center, San Francisco, CA
CARTES in Asia, March 16 – 18, 2010, Asia World-Expo, Hong Kong, China
ISC West, March 23 – 26, 2010, Sands Expo and Convention Center, Las Vegas, NV
Biometrics Institute New Zealand Conference, March 26, 2010, Holiday Inn Hotel Wellington, Wellington, New Zealand
April
NACCU 17th Annual Conference, April 18 – 21, 2010, Pointe Hilton Tapatio Cliffs Resort, Phoenix, AZ
May
Near Field Communications World Europe 2010, May 11 – 13, 2010, London, England
Smart Card Alliance Annual Conference, May 17 – 20, 2010, Marriott Camelback Inn Resort & Spa, Scottsdale, AZ
11th Biometrics Institute Australia Conference & Exhibition, May 27 – 28, 2010, Sydney, Australia
September
Biometric Consortium Conference, Sept. 21 – 23, 2010, Tampa Convention Center, Tampa, FL
ASIS International 2010, Sept. 27 – 30, 2010, Philadelphia, PA
Zetes tapped by Belgians for passports, visa systems
Zetes, the international provider of people identification solutions, has been appointed by the Belgian Federal Public Service Foreign Affairs to supply the equipment, biometric software and technical support for the registration of the biometric data of applicants for visas and passports. These are to be installed at embassies, consulates, and border crossing points. The Zetes solution is a system of “live” enrollment, which lets applicants register a photo, fingerprints and (for passports) a digital signature all at the same time. In order to meet the ICAO international standards on photos for travel documents, Zetes has developed booths specially designed for this purpose, as well as software that automatically detects non-complying photos. The contract with the FPS Foreign Affairs covers the delivery of 144 stations, to be installed at the end of 2009 and in the course of 2010 in 120 consulates and 13 border posts. The first posts to be installed will be in the Middle East. This project will contribute to the objectives announced for 2009.
U.S. Department of State to tag ‘mission critical’ assets
The U.S. Department of State has announced that it will tag 10,000 mission critical IT assets using ODIN’s RFID turn-key IT asset tracking solution. The DoS has chosen the UHF Gen 2 passive RFID tracking system to save money, increase security, and reduce administrative burden. According to ODIN, the State Department’s agency-wide adoption of RFID is part of a growing trend within the U.S. government, as seen in the Department of Defense and other Federal agencies. The Department of State was long overdue for an asset tracking upgrade, according to Kirk Ingvoldstad. “After using bar codes and thousands of labor hours to track assets for the past 20 years, it is well past time for a new technology. Passive RFID from ODIN was the right choice for a higher level of security and cost savings.”
Global Entry passes 650K enrolled
The U.S. Department of Homeland Security’s Global Entry Trusted Traveler Program has enrolled 650,000 individuals and is planning on expanding to enable foreign travelers to take advantage of the program, said Daniel Piscopo, assistant division director for the program, at the Biometric Consortium Conference. Global Entry enables international travelers to process through U.S. border checkpoints quickly. Travelers pay $100, undergo a background check and submit their fingerprints, and are then able to use a kiosk when passing through U.S. customs. When entering the U.S., the traveler swipes their passport, submits two fingerprints and fills out the declaration. A receipt is printed out after all the information is processed and the individual can grab luggage. The U.S. and the Netherlands have entered into an agreement where members of their respective trusted traveler programs can apply to the other program, Piscopo says. The U.S. is also working on similar agreements with the UK and Germany. Since the program started in April 2008, 60,000 travelers have been processed through the kiosks, Piscopo says. The program is also receiving between 600 and 800 applications a week.
HID Global’s Edge enhances Software House access control solution
HID Global’s Edge family of IP-based access control solutions will be integrated into the C-CURE 9000 access control platform from Software House, a Tyco International company. The move means Software House will be able to provide products that address industry demands for more IP-centric solutions by expanding the breadth of its portfolio of door controllers and readers. Recently, Software House added HID’s Edge solutions and its iSTAR Edge two-reader intelligent IP door controller to its product family. Now, with an expanded product line, C-CURE 9000 customers can choose from a wider range of solutions to fit any size application, budget or security protocol. Since its introduction in 2007, the Edge product line has been a solution that meets the demands of open architecture and IP-centric environments.
Toshiba unveiling new e-passport printer
Toshiba Corp. announced that it has developed a full-color, automated electronic passport printer, the VP-P450, that integrates all functions for e-passport personalization. The company will be demonstrating the printer at the Fifth Symposium and Exhibition on ICAO, CARTES & IDentification and CARTES in Asia before its official launch in spring 2010. With the cabinet-sized VP-P450, Toshiba introduces an e-passport solution that supports the functions and throughput required in central passport printing offices while achieving a size that makes it suitable for installation in consulates. The printer outputs in full color and automates a series of processes, including feeding blank passports into the printer, lamination, encoding of IC chips with the passport holder’s biometric data, and confirmation of the encoded IC data.
Advertisement: CARTES & IDentification 2009, Showtime for IDentification, 17-19 November 2009, Paris-Nord Villepinte Exhibition Centre, France. The major exhibition for pioneering identification technology companies (secure solutions, biometrics, citizen ID, ID management, strong authentication, contactless, e-ID, access control, security); co-located with CARTES, the world leading event of digital security and smart technologies, in its 24th year. Register for free at www.cartes.com with promotional code REIDK1 (pre-registration fee 50 incl. taxes; on site 70 incl. taxes). CARTES & IDentification 2009, 70 avenue du Général de Gaulle, 92058 Paris la Défense Cedex, France, cartes-id@comexposium.com, www.cartes.com.
National ID cards: Changing perspectives?
Countries are deploying advanced ID technologies so citizens can access services
National identity cards are a fact of life for citizens of some countries but elsewhere the credentials are the focus of ire. Citizens of countries that don’t have national IDs fear it will lead to a police state and a loss of personal freedoms. But the countries that have had them in place don’t necessarily have those problems. More and more countries are deploying national IDs and are using smart cards and other advanced technologies. In some instances the cards are also being used to drive multiple applications. The idea of a national ID card in the U.S. has always been a non-starter. Even though many admit the Social Security number and driver licenses are de facto national IDs, when there are discussions of making changes to those documents the potential evils of national ID programs rise to the surface. Some experts say this may be changing, however, as efforts are underway to better identify U.S. citizens online and within health care environments. “National IDs are very common around Europe and the Middle East,” says Neville Pattinson, vice president of government affairs and business development at Gemalto North America. “They exist to create efficiencies in how governments deal with their citizens and for access to entitlements and health care.”
Photos for this article courtesy of Fedict & Gemalto.
Zack Martin Editor, AVISIAN Publications
Depending on the country the reason for the ID program may be different, says Randy Vanderhoof, executive director of the Smart Card Alliance. Many countries issue the credentials to help save money and make sure only those eligible for services, such as health care, receive them. “It’s more economic because the countries are trying to control their costs for social programs, like education,” he says. “There’s a need to eliminate fraud.” Brazil is a country that has deployed a national ID program in order to become more efficient, Vanderhoof says. Citizens use the digital certificates on the card to file taxes, apply for federal programs and access services. Because it’s such a large country with people living in large cities and rural areas, using paper for access to services can be time consuming and inefficient, Vanderhoof adds.
Examples of national ID card programs around the globe
Albania, Argentina, Belarus, Belgium, Bolivia, Bosnia, Brazil, Bulgaria, Chile, China, Croatia, Cuba, Cyprus, Czech Republic, Egypt, Estonia, Germany, Greece, Hungary, India, Indonesia, Jordan, Kenya, Lithuania, Luxembourg, Latvia, Madagascar, Malaysia, Malta, Morocco, Montenegro, Mozambique, Netherlands, Pakistan, Peru, Poland, Portugal, Romania, Saudi Arabia, Serbia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sri Lanka, Thailand, Turkey, Ukraine, Venezuela, Vietnam
Lack of standards hampers national ID programs
There are many issues facing countries considering a national ID card program, but one of the bigger issues is the standards surrounding the technologies involved. Countries deploying national ID programs want to use card systems that are open, interoperable, scalable and backwards compatible, says Kevin Gillick, executive director at GlobalPlatform, a smart card standards organization. “The limiting factor is that the governments around the world want to be able to quote known standards in their tender,” he says. “They want to point to documents in their tender so they’re doing it from a common perspective.” GlobalPlatform is trying to step in to fill this gap and is committing resources toward this in 2010, Gillick says. “We want to have a common framework for them to work from,” he says. “If we eliminate confusion by mapping GlobalPlatform standards to ISO and regional standards, such as NIST, then we have something governments can point to and say they want to follow.”
Belgium rolls out IDs specifically for kids
Belgium’s kids-ID can be used as an official travel document in most European countries as well as for traveling to some countries outside Europe, replacing the current Belgian ID certificate. The child must be traveling with a parent in possession of a valid ID card. The cards also serve to protect the child if he runs into danger. Printed on the card body is a special hotline number used to notify the next of kin or a friend if the child is lost or is the victim of an accident. When the card is issued, the parent or guardian goes on the Web or dials the hotline number and supplies a list of up to seven contact telephone numbers of adults who will take responsibility for the child. These could include parents’ cell phone, office and home numbers. When the emergency notification system hotline number is called, the caller is required to enter the child’s 11-digit National Registry number. They are then put through to the first person on the list – normally the child’s parent or guardian. If this person is not available, the caller is immediately connected to the second number on the list, and so on until somebody is located. If, in the unlikely event, nobody on the list is available, the call is then immediately transferred to the 24-hour Belgian Child Focus hotline. Thanks to an integrated PIN, the kids-ID card can also be used on the Internet for safer access to online chat rooms and to use online services that require ID. This authentication certificate can be issued from the age of six. The cards are available to all Belgian children aged 12 and under and open up a whole range of future possibilities. Other potential uses could include accessing library books, sport club memberships or health care benefits.
In Europe the national ID cards being issued by many countries can also be used for travel within the European Union, says Manfred Muller, executive vice president of strategic sales and business development at SCM Microsystems. Germany will issue a contactless national ID that will use the electronic passport technical specification, Muller says. Citizens will be able to use the credential with a reader to access government sites online and potentially other non-governmental applications as well. “A range of pilots are being supported by the German government,” Muller says. “The kinds of applications people are pushing for involve e-commerce.” German citizens want to be able to use the credential to log in to sites like Amazon and eBay, and this would include a form fill application. But more importantly citizens would be using the credential to access and file government forms, Muller says. Citizens would use a PIN and the credential to file taxes and file other government information. Germany is expecting to start issuing the new IDs at the end of 2010. Employers would also be using the cards to check employment eligibility, Muller says. This is a popular application for national ID cards. Poland is planning on deploying a smart card for its Social Security card that employers will use to check employment eligibility. “Each employer needs to have a reader to check the cards,” he says. While Germany is going with a contactless interface, most other countries are using a contact card for their national ID. In Spain SCM is working with Telefonica to get 600,000 readers into the hands of citizens. Individuals can go to electronics stores and purchase a reader, hook it up to a computer and access the sites and benefits of the card. SCM is also supplying the reader for Belgium’s electronic ID program. The e-ID cards, valid for five years, contain an embedded microchip storing the holder’s personal data, including date of birth, family tree, civil status, current and past addresses and military situation. Zetes is the systems integrator on the project and Gemalto supplied the Java-based operating system, ID and digital signature applications. The chip also contains a digital certificate that enables remote access authentication. Users can access e-government applications and attach an electronic signature to certify the authenticity of data transmitted when needed. In addition, private companies, such as those offering financial services, expect to develop programs that will leverage the ID card. Belgium has also created a special card for children. The size of a credit card, the new kids-ID mainly serves as an electronic national ID document for Belgian children, containing all necessary ID information as well as a photo of the child, both visible on the card and stored on the microprocessor. It can also be used for emergency notifications and online identification.
Simplifying services
The idea of using one card for access to multiple types of systems can create better access to government services, says Gemalto’s Pattinson.
“These countries in Europe and the Middle East need to know who they’re dealing with and by giving citizens an identity document it brings them a lot of benefits and services and provides efficiencies to the government,” he says. “And once you have an ID in the hands of citizens that’s founded on a government identity scheme others can take advantage of that.” Pattinson points to Finland, where the national ID program with PKI enables citizens to use the certificates on the credential to access their bank accounts. A strong credential like this is needed in the U.S., Pattinson says. “We have poor identity documents,” he says. “The lengths and depths to which people have to go to prove who they are is broken.” First, however, there is a need to define the four levels of assurance and the type of credential that’s necessary for each level, Pattinson says. “This is going to require a lot beyond user name and password. You need hardware-based authentication, biometrics and smart cards for people to prove who they are. If we don’t include a higher standard of authentication for our citizens and people accessing financial services we’ll keep hearing about disasters.”
Federal projects around preventing identity theft, securing the Internet and health care may all lead to separate credentialing programs, Pattinson says. With the Obama administration pushing health care providers to deploy electronic health records there is a need for identification on that front. “A missing element of health care is how do we authenticate an individual and make sure he is connected to the correct record,” Pattinson says. There are also discussions about upgrading the Social Security card as well, Pattinson says. Sen. Chuck Schumer (D-N.Y.) had held hearings that would link an individual’s employment eligibility to a biometric. There is a possibility that a smart card could be involved in that project (See Fall 2009 Re:ID).
To begin with, there may be multiple, siloed programs, Pattinson admits, noting health care, employment verification and Internet security. “The public sentiment may be to keep the identities confined rather than go with an umbrella over them,” he adds.

The political issues surrounding a national ID card in the U.S. will most likely keep it at bay for a while longer, says the Smart Card Alliance’s Vanderhoof. “The political third rail that is a national ID card is pretty strong and there’s a long way to go before there will be enough trust to manage and protect a citizen’s personal information,” he says. But if people are given an option and the private sector steps in, it also might make a difference. “If implemented correctly the government could provide guidance for what the standards of identity are and the citizens would decide whether or not they have a benefit in having that form of identification. Then it would be a market-driven decision to develop multiple forms of citizen IDs rather than have something that is issued and managed by the federal government,” Vanderhoof says.
Future of UK ID scheme questionable

The UK hadn’t had a national ID program in more than 50 years, but after a series of terrorist attacks at the start of the decade the country decided it was time to introduce the ID once again. The UK Home Office stated that the cards would help protect people from identity fraud and theft, tackle illegal working and immigration abuse, disrupt the use of false and multiple identities by criminals and those involved in terrorist activity, ensure free public services are only used by those entitled to them and enable easier access to public services. The program was originally planned to be mandatory for all citizens and foreign nationals, but opposition led to change. Now it looks like the program will only be mandated for foreign nationals and voluntary for everyone else. In early October, British Prime Minister Gordon Brown seemed to clear up some confusion, saying the compulsory ID cards wouldn’t be rolled out before 2015. There was speculation that if Brown’s Labour Party was voted out of office the program would most likely be scrapped by the Conservatives.
The program originally was supposed to collect fingerprint, face and iris biometrics from individuals, says John Elliott, head of public sector practice and principal consultant at UK-based Consult Hyperion. But because of the economic downturn, the use of iris was eliminated to save money. “But now we are confused because their original reasoning for needing iris in the database was that you can’t do this with fingerprint alone because you might not be able to distinguish between 60 million people,” he says. As a minimum, the card will store the ICAO application that’s used in electronic passports so it could be used for travel around Europe. It may store other applications as well, but this has still not been decided, despite the several years the program has been in development. Elliott says the program will most likely advance, but slowly. Political parties out of power are against it and those in power are for it. The parties changed opinions several times over the past years, but despite political opposition to the program, public polls show support for it. “The government has done a poor job of selling it,” he says, “but polls show there isn’t a big public resistance.”
Privacy analysis necessary for access control systems

One of the clues that led the New Haven, Conn. Police Department to the murderer of a Yale lab technician was the audit logs of the physical access control system in place at the research facility. The card swipe logs showed that Raymond Clark III was the last person to access the lab where Annie Le’s body was discovered and proved to be a key piece of evidence that led to his arrest.

This is an example of how a physical access control system can be used for good, but corporations deploying such systems also need to make sure employees know how information in the system is being used and stored and what’s on the card itself, says Kathleen Carroll, director of government relations at HID Global. “As use of these cards expands the issue comes to the forefront a lot more,” she says.

Corporations need to keep abreast of any state legislation that may impact the use of different ID technologies, Carroll suggests. States often use RFID to define any technology that communicates via radio waves, which affects contactless smart cards. California and Washington state have passed legislation that bans surreptitious reading of RFID. “The good news is legislators have banned the wrong behavior instead of the technology,” Carroll says. Multi-national companies also need to keep up with legislation from all states in which they have offices. The European Commission has recommendations regarding the implementation of privacy and data protection principles in applications supported by RFID that would affect smart card applications as well.

After making sure the system is in compliance with any laws, the next step is to conduct a privacy impact analysis, Carroll says. Corporations can find templates for the survey on the U.S. Department of Homeland Security Web site. Overall, however, corporations will want to make sure to:

• Minimize use of personally identifiable information
• Limit the length of time that data is retained
• Use available technology solutions such as encryption to protect personally identifiable information
• Control access to data collected and make sure an audit trail is in place in case of a breach
• Establish mitigation procedures if a breach occurs

Depending on what information is stored in the ID management database, employers will want to take steps to protect that as well, Carroll says. Some contain an employee’s name, phone number, license plate number and other data. Employers want to limit access to this information and encrypt it.

Employees should also know what information is being stored, how it may be used and if they are monitored, Carroll says. If the information is used to monitor employees the employer should get their consent as well. Here are guidelines an employer should consider before deploying a system:

• Use of physical access control systems data for employee monitoring should be based on the employer’s legitimate business justification.
• If a third-party service provider stores the information generated through system monitoring, the service contract should prohibit any use or disclosure of said information without the employer’s consent or by force of law.
• Policy should be drafted on use of the system by both the employer and the employee and communicated to all parties.

Many employers already notify employees that they track their computer usage, so this would be an additional step. As physical access control converges credentials with logical access control, employers need to make employees aware. “If you’re up front you avoid any problems down the road,” Carroll says.
Feds partner with private sector on ID management

The U.S. government is testing the use of OpenID to enable citizens to easily access information on government Web sites. The intent of the project is to get individuals familiar with using online ID technology and then potentially add more functionality.

VeriSign, Yahoo, PayPal, Google, Equifax, AOL, Acxiom, Citi, Privo and Wave Systems are participating in the project, called the Open Identity for Open Government initiative. The companies are being certified under open trust frameworks developed in collaboration with the OpenID Foundation and the Information Card Foundation and reviewed by the federal government. They will act as digital identity providers using OpenID and Information Card technologies. The pilot programs are being conducted by the Center for Information Technology, National Institutes of Health, the U.S. Department of Health and Human Services and related agencies. The impetus for the projects comes out of President Obama’s call for an open government and access to information, says Nico Popp, vice president for VeriSign’s Innovation Group. “This administration sees the Web as an important medium for participation,” he says. “The intent of this is to enable the government Web sites to unleash the information.”

OpenID is a federated identity scheme that enables an individual to register at one Web site and have that same login information accepted at other sites. For example, someone with a Yahoo OpenID will be able to use that same login information to access government sites. The user has control of the personal information revealed to a particular site. Some sites may ask the user to supply personal data, and the user will determine if he is willing to share in order to save personal preferences.

For this pilot, Popp says users will be able to use one login to access government sites, store documents, access message boards and send messages. “The idea is to be able to interact and reuse the same credential,” he says.

If successful, the project could trickle down to the states and could be used on those sites too, Popp says. There isn’t any type of identity vetting involved with this project, Popp says. The individual setting up the OpenID account is self-asserting his identity. “This is an opportunity to educate and train the user,” he says. “Non-technical users don’t know they can use the same identity across multiple Web sites and it’s fairly seamless.” Identity vetting could be added down the road if the program is successful, Popp says, but he stressed that low-assurance identities are a start. That’s because security is often viewed as a hassle and an inconvenience. But with user-centric identity the individual takes control, Popp says. “They are taking charge of the level of security and as it becomes more popular and you have more levels of interaction they will want something to protect them,” he says. “Once you have identity in place you add security.”
Registered traveler preparing for take off … again
TSA, vendors deflect blame for past failures
Zack Martin, Editor, AVISIAN Publications
There are many opinions as to why registered traveler programs at more than 20 airports across the country failed, but nobody is stepping up to take the blame quite yet.
Fingers were pointing between the Transportation Security Administration and the vendors who provided the service at a hearing of the U.S. House of Representatives’ Committee on Homeland Security’s Subcommittee on Transportation Security and Infrastructure Protection.

But even though Clear, the largest of the three vendors, failed in June, the program looks to be getting a second chance. A new group intends to resurrect Clear, and FLO said it will restart operations before the end of the year. “Clear failed its customers and other registered traveler providers, such as FLO, failed their customers because they were too reliant on Clear,” said Sheila Jackson Lee (D-Texas), the subcommittee’s chairwoman. “This panel will lay a marker for all stakeholders as the process for resuscitating registered traveler moves forward, and we expect to remain an integral part of the ongoing registered traveler dialogue.” Jackson also faults the TSA for the program’s failure. “To carry out its duties under the Aviation and Transportation Security Act, TSA worked with industry to establish technical and interoperability standards for service providers, such as Clear,” Jackson said. “However, after these initial actions, TSA stopped conducting security threat assessments and criminal history background checks on participating RT passengers. Without these threat assessments to determine lower-risk passengers, TSA effectively rendered this risk-based security program impotent.”

Jackson is referring to the 2008 TSA decision to stop doing government background checks on registered traveler applicants. It was at that point that the agency stopped collecting the $28 background check fee and the program stopped being referred to as a security program. “TSA determined that this private-sector program did not provide any additional level of security,” said John Sammon, assistant administrator for transportation sector network management at the TSA.
Some say this is where the problems began. “Lacking the security threat assessment component, critics called registered traveler a ‘head-of-the-line’ program,” Jackson said. Michael McCormick, executive director and chief operating officer at the National Business Travel Association, testified that this led to the demise of the program. “As month after month went by with registered traveler acting essentially as a competitor ‘front-of-the-line’ program to airline first-class and TSA experienced traveler offerings, investors supporting registered traveler vendors opted to pull their financial support for the largest vendor, Verified Identity Pass,” he said.
Adding the security element to registered traveler would help the program and the vendors offering the services, McCormick says. He urged the committee to enact pending legislation that would require the TSA to perform the background checks on individuals in the registered traveler program. The association would also like to see domestic registered traveler programs combined with Homeland Security’s Global Entry, a program that expedites citizen processing through customs checkpoints. McCormick said that discussions of joining the programs have been unproductive thus far.

That’s not the only area where the TSA has been unhelpful, said Fred Fischer, managing partner, FLO Corp. The agency has not been accepting of new technology. Clear at one point wanted to deploy a shoe scanner so travelers would not have to remove their shoes, but the TSA nixed the idea. “The TSA has told us on many occasions that the technology that could allow travelers to leave their shoes and coats on and keep their laptops in their bags does not exist,” Fischer said. “The fact that more than 90% of the world’s airports, utilizing the latest technology, do not require such divesting is evidence that technology does exist.” But registered traveler’s failing is not just the TSA’s fault, Fischer said. “Since the inception of the registered traveler program, the TSA was constantly challenged, undermined, bullied and publicly berated by one of FLO’s competitors,” he said. “Understandably, this created a partnership that was at best strained. This has resulted in TSA having an unfavorable opinion of both registered traveler and its providers, and has compromised TSA’s support for this essential program.”

Fischer says the business model for registered traveler needs to be rethought. “Clear’s failure was brought on by a number of issues: overstaffing at airports, exorbitant overhead, excessive advertising and revenue share components to airports including national revenue share, local revenue share and minimum annual guarantees that were not required but used primarily to discourage and eliminate competition,” he said. “In the end, it was not a lack of capital that killed Clear, it was poor management and an unsustainable business plan. All of these issues can and will be addressed and controlled under a re-launch by FLO, or any competitor.”

And a re-launch of Clear is coming. Alison Townley, principal at Henry Inc., an Emeryville, Calif.-based venture capital firm, told the subcommittee that the firm plans to take over the program. A survey of Clear members, conducted a month ago, found that 70% of customers would return to the service when re-launched and an additional 20% would return depending on which airports were reopened, Townley said. The new management would also make some changes to the program that involve two parallel paths, Townley said. “On one path, we will ready ourselves to install and implement the secure biometric infrastructure required to support a robust, risk management vision,” she said. “Simultaneously, we intend to launch a streamlined ‘fast pass’ process which would allow innovations like ‘same day’ in-airport sales and more pricing options, while still providing certain non-security-related conveniences for members.” The fast pass will address one of the criticisms of the program, Townley said. Travelers wanted to sign up and be able to use the program in the same day. “And, once they sign up for a ‘fast pass,’ it will become much easier to invite them to join the secure, biometric risk management program and to take the additional enrollment steps that entails,” she said.
Different technologies vie to protect payments

End-to-end encryption, dynamic cryptograms and EMV are all options being considered to protect payment transaction data in the U.S. The goal is to prevent data breaches, such as the one at Heartland Payment Systems in 2008, and make it easier for merchants and processors to secure the information. It’s estimated that tens of millions of payment card numbers were compromised when hackers planted malicious software in Heartland’s system. Processors and merchants are supposed to comply with the Payment Card Industry Data Security Standard, a specification that many say is confusing, onerous and doesn’t do enough to protect payment card information.

End-to-end encryption

End-to-end encryption is the technology being discussed most often as a solution to payment card woes. The problem, though, is that there are no standards around it and definitions of what it is vary. “End-to-end encryption uses a form of cryptography that hasn’t been blessed yet,” says Sid Sidner, director of security engineering and master engineer at ACI Worldwide, a payment card software provider. “People would feel better if there were a standardized form.”

But providers are working on standardizing an encryption solution. Heartland Payment Systems, which handles about 20% of the U.S. transactions market, has started piloting a product that it hopes the industry will accept, says Steve Elefant, chief information officer and architect of Heartland’s E3, its end-to-end encryption product. Heartland’s definition of end-to-end encryption requires that the data is secured from the time it leaves the mag stripe, through the point-of-sale terminal, over the wires, through its processing network until it’s delivered to the card brands, Elefant says. “We have it protected for the entire lifecycle of the transaction,” he adds. This required the payment processor to come up with new hardware and software, Elefant says.

Heartland looked at the existing payments terminals and didn’t find anything that fit its needs, so it created its own. The new terminal features a tamper resistant security module (TRSM) that, if tampered with, will wipe out the security keys and make it inoperable. “The realization we came to is there is no such thing as secure software,” Elefant says. “The prevalence of malware and sniffers is so great that if you’re going to have security you need physical and logical security and that’s what we do with the encryption of the TRSM. The bad guys have gotten really smart and we want to build the firewalls that keep them out but if they do get in the data won’t be usable.”
E3 has other security features as well, Elefant says. The system does dynamic data authentication, which makes sure the card has not been fraudulently created. The system also does tokenization of the payment card information. While Heartland’s E3 is a homegrown technology, the company is working with payment standards groups to change that and expand its reach, Elefant says. “We need to define end-to-end encryption so things aren’t proprietary,” he says. “Protection against bad guys shouldn’t be a competitive differentiator.” Still, Elefant also doesn’t think the technology should be mandated. “We’re offering it to merchants to be more secure and make transactions more secure,” he says. “We never anticipate we’ll have 100% end-to-end encryption.” But Heartland is attempting to make it an appealing option for merchants. The company is lobbying the PCI Council so that any merchant using the system would be in compliance with the data security standards. There are also discussions with the card brands to potentially lower interchange fees for merchants as well. “The brands can reduce the interchange cost and then after some point in time if you don’t move to it we’ll charge you more,” Elefant says.

Dynamic cryptograms

The Smart Card Alliance has another idea, contactless smart cards with dynamic cryptograms, says Randy Vanderhoof, executive director of the organization. The advantage is that the contactless cards U.S. banks have already issued use this technology. When a consumer taps the contactless card on a reader, it’s not the static credit card number that’s transmitted but the dynamic cryptogram. “We need to shift the conversation from contactless being a convenience product to have it also be considered a strategy to improve security and reduce fraud,” Vanderhoof says. The alliance posits that contactless has a number of advantages, including less of an impact on the payments acceptance infrastructure for merchants, acquirers and issuers; enabling merchants to implement a solution more quickly and without waiting for new standards; and reducing the threats posed by cloning magnetic stripe-based cards and stealing cardholder data.

Chip and PIN

EMV is frequently mentioned as a solution, Sidner says. Most industrialized countries, including all of Europe, Canada and Mexico, have either made the switch or are in the process of changing. The knock against chip and PIN is its high cost and the long timelines for deployment. Estimates range from $15 billion to $30 billion and three to five years to deploy EMV in the states. Banks would have to reissue all cards, merchants would have to deploy new terminals and the backend infrastructure from the processors would have to be implemented. Elefant doesn’t see EMV being a realistic option. “I don’t think it’s likely to happen in our lifetime in the U.S.,” he says. “End-to-end encryption is deployable and it’s not dependent on any other technology and has a much lower cost than chip and PIN.” Sidner disagrees, saying it’s just a matter of time before the U.S. goes with EMV. “In some ways it’s inevitable,” he says. “European issuers still have to put mag stripes on the back of the cards because of the U.S. There’s lots of card not present fraud in the U.S., and because we don’t use it the power of chip and PIN is diluted.” Chip and PIN is also a proven technology, having been deployed and tested against attacks, Sidner says. “You can buy products that have proven security and proven reliability,” he says. That said, end-to-end encryption may have its day as well. “Heartland and the people who are working on it are trying to get something out there pretty quickly, more so than the three to five year time frame that most other technologies take,” Sidner adds.
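To make concrete the difference Vanderhoof describes above between a static card number and a dynamic cryptogram, here is an added simulation that is not Smart Card Alliance, Heartland or EMV code: it assumes a hypothetical per-card key, an application transaction counter and a terminal challenge, and uses a truncated HMAC-SHA256 as a stand-in for whatever MAC algorithm a real card uses. It shows why a skimmed stripe record authorizes again and again while a captured contactless message cannot be replayed or altered.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample values for the simulation (not real card data).
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"constructed-per-card-key-0001"


def mac16(key: bytes, pan: str, atc: int, amount: int, un: int) -> str:
    """Hypothetical cryptogram: truncated HMAC-SHA256 over the transaction
    fields. A stand-in for the card's own MAC, which this example does not model."""
    msg = f"{pan}|{atc}|{amount}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class ContactlessCard:
    pan: str
    key: bytes          # secret that never leaves the chip
    atc: int = 0        # application transaction counter, advances on every tap

    def tap(self, amount: int, un: int) -> dict:
        """What the reader receives: the fields plus a one-time cryptogram."""
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "un": un,
                "cryptogram": mac16(self.key, self.pan, self.atc, amount, un)}


@dataclass
class Issuer:
    keys: dict                                   # pan -> per-card key
    last_atc: dict = field(default_factory=dict) # highest counter seen per card

    def authorize_contactless(self, tx: dict, terminal_un: int) -> tuple[bool, str]:
        """Online authorization: bind to the terminal challenge, reject stale
        counters, then verify the MAC. Order matters: cheap checks first."""
        key = self.keys.get(tx["pan"])
        if key is None:
            return False, "unknown card"
        if tx["un"] != terminal_un:
            return False, "cryptogram not bound to this terminal challenge"
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False, "counter not advancing: replay of captured data"
        expected = mac16(key, tx["pan"], tx["atc"], tx["amount"], tx["un"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "cryptogram does not verify: forged or altered"
        self.last_atc[tx["pan"]] = tx["atc"]
        return True, "approved"

    def authorize_magstripe(self, track: dict) -> tuple[bool, str]:
        """Static stripe: nothing in the record changes per transaction, so the
        issuer cannot tell a skimmer's copy from the genuine card."""
        if track["pan"] not in self.keys:
            return False, "unknown card"
        return True, "approved"


def run_demo() -> dict:
    """Returns the authorization outcomes side by side for comparison."""
    issuer = Issuer(keys={SAMPLE_PAN: SAMPLE_KEY})
    card = ContactlessCard(SAMPLE_PAN, SAMPLE_KEY)
    results = {}

    # Static magnetic stripe: a copied record works exactly like the original.
    track = {"pan": SAMPLE_PAN, "expiry": "1212", "service_code": "101"}
    results["stripe_genuine"] = issuer.authorize_magstripe(track)
    results["stripe_cloned"] = issuer.authorize_magstripe(dict(track))

    # Contactless with dynamic cryptogram: the genuine tap is approved.
    un = 0x1A2B3C4D                      # terminal's unpredictable number
    tx = card.tap(amount=2599, un=un)
    results["chip_genuine"] = issuer.authorize_contactless(tx, un)

    # The same captured message presented again: counter has not advanced.
    results["chip_replay"] = issuer.authorize_contactless(dict(tx), un)

    # Captured message presented at a different terminal challenge.
    results["chip_replay_new_un"] = issuer.authorize_contactless(dict(tx), 0x5E6F7A8B)

    # Altered amount with an advanced counter: the MAC no longer verifies.
    forged = dict(tx, atc=tx["atc"] + 1, amount=99999)
    results["chip_forged_amount"] = issuer.authorize_contactless(forged, un)

    # The legitimate card's next tap still works because its counter moves on.
    un2 = 0x0F0E0D0C
    results["chip_next_tap"] = issuer.authorize_contactless(card.tap(1000, un2), un2)
    return results
```

The issuer-side counter check is what turns "record once, use forever" into "record once, use never"; in this simulation the stripe path has no equivalent state to check against.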
PCI Council considers new technologies for payment card security

Mark Lobel, principal at PricewaterhouseCoopers, gave a presentation at a PCI conference on some new technologies that could be used to secure payment data. The PCI Council will begin reviewing its standard and potentially considering new technologies, and Lobel’s job was briefing the council on some of those options. After 2,000 hours of work and 160 interviews, PricewaterhouseCoopers decided to focus on end-to-end encryption, tokenization, virtual terminal and magnetic-stripe imaging, Lobel says. Each of these technologies may be used as a standalone system or paired with others. EMV, or chip and PIN, wasn’t in the scope of the survey since it’s a widely deployed technology.

• End-to-end encryption would use cryptography to encode any payment data from the moment a card is swiped until it is received by the bank brand.
• Virtual terminals outsource the payment card processing system and have the merchant working with a remote system. “The backend doesn’t sit with the merchant, it’s handled by a third party,” Lobel says. Virtual terminals can be paired with end-to-end encryption.
• Tokenization would replace static credit card numbers with a unique reference number for each transaction.
• Mag stripe imaging gathers unique information from the stripe to confirm that it isn’t a cloned card.
Industry group sees contactless alternative to secure payments
Smart Card Alliance suggests dynamic cryptograms rather than end-to-end encryption to curb fraud in U.S. market

The following is an excerpt from the Smart Card Alliance’s position paper on using contactless smart cards with dynamic cryptograms for payments in the U.S.

Recent and highly publicized data breaches at merchants and processors involving payment cardholder data have had a significant impact on the payments industry. For example, Wired magazine reported that Heartland Payment Systems estimates that the breach it experienced in 2008 has conservatively cost the company in excess of $12 million. Analysis of the attacks has led to a flurry of interest in the implementation of end-to-end encryption solutions to protect cardholder data. Electronic payments industry stakeholders are taking action to address data security problems through the Accredited Standards Committee X9 (ASC X9) by embarking on the development of a new standard to protect cardholder data with end-to-end encryption. This paper presents the Smart Card Alliance’s perspectives on this initiative.

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered. Since sensitive data was not sufficiently protected, cyberthieves were capable of stealing millions of debit and credit card details for several months after initially infiltrating the Heartland computer systems. Supporters of end-to-end encryption envision that cardholder data would be encrypted from the moment the magnetic stripe of the payment card is swiped through the end of the payment processing cycle. The devil is in the details, however. End-to-end encryption does not necessarily mean the same thing to all people, and the payments industry has not yet defined standards. This position paper attempts to clarify and define end-to-end encryption, and detail the problems it solves and those it does not. It also explores the advantages of an alternative strategy for protecting cardholder data—moving data protection to the true endpoint, the payment card itself, using chip card technology. Instead of implementing “chip and PIN” and following the full EMV standard, this paper proposes a new course optimized for the U.S. market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online.
The existing U.S. payments infrastructure can process such transactions today in the same way that current contactless payment transactions are accepted. Compared to end-to-end encryption, contactless cards with dynamic cryptograms would have the following advantages:

• Result in less impact on the payments acceptance infrastructure for merchants, acquirers and issuers
• Enable merchants to implement a solution more quickly and without waiting for new standards
• Provide a high level of cardholder data protection by including a dynamic cryptogram with each transaction
• Reduce the threats posed by cloning magnetic stripe-based cards and stealing cardholder data

The Smart Card Alliance is making another important recommendation as well. If the industry does indeed move forward with end-to-end encryption, the standard should be defined in a way that lays the messaging foundation for globally-interoperable secure payment transactions using chip card technology in the future. This would have no impact on end-to-end encryption cost or complexity, and yet would make the U.S. payments messaging standard compatible with global payments infrastructure requirements.

What is end-to-end encryption?

The Computer Desktop Encyclopedia defines end-to-end encryption as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.

The term end-to-end encryption, however, has become a catchall for the encryption of sensitive cardholder data as it is transmitted from the point of sale entry point through each of the various organizations and networks in the payments process. Initially, much of the focus may center on data at rest on merchant servers or processor databases. The true endpoint in the payments process is the data on the magnetic stripe that is static and always in the clear on the card, and therefore vulnerable to skimming and cloning. Preventing these attacks would require the use of chip cards or similar technology in order to better protect cardholder data.

A reasonably good example of true end-to-end encryption is the distribution of a secret key under a Key Exchange Key (KEK) process between two hardware security modules (HSMs). The KEK process is a common practice in many industries including government, telecommunications and banking, in applications where end-to-end security must be ensured. Using this technique, the secret key is never seen in the clear outside of the two endpoints. The first HSM (the origin) encrypts the secret key using the Key Exchange Key; then the encrypted key can be securely sent to the second HSM (the destination) where it is decrypted.

With respect to a payment transaction, “origin” and “destination” are not single places, causing the potential for confusion. There are many temporary endpoints in a transaction lifecycle where all or part of the transaction information is required. In addition, there are several processes, starting with authorization and settlement; but data may be used or stored for refunds, chargebacks or reporting purposes in other places as well.

According to end-to-end encryption proponents, the encryption in the brick-and-mortar space would ensure that cardholder data is protected from the card swipe all the way through to the issuing banks. To do this, the magnetic card reader would be required to encrypt cardholder information immediately after the swipe and before any transmission, even inside the merchant location. This in itself may present challenges because the account number contains the information needed to route the transaction, requiring at least a portion of the data to be in the clear. In addition, other stakeholders require access to account and transaction information. For example, loyalty providers use transaction and cardholder data to create and track loyalty points for cardholders. For these reasons, end-to-end encryption is somewhat of a misnomer and may be misleading.

Perspective: Panacea or Grass Hut?

There is no doubt that encrypting sensitive data would make merchants and processors more secure and resistant to the types of recent attacks that resulted in large data breaches. As industry specialists look deeper into what end-to-end encryption means, however, three major considerations arise. One important question is: Will end-to-end encryption eliminate the chance that stolen cardholder data can be used successfully for fraudulent transactions? The answer, unfortunately, is no. There is an old saying in the security industry that you cannot secure a grass hut with a steel door. In other words, if you harden the merchant and processor systems with end-to-end encryption, criminals may simply skim magnetic stripe data elsewhere. Imagine hordes of credit card magnetic stripe skimmers in the hands of restaurant employees. Or criminals using false fronts on ATMs in the U.K. to capture magnetic stripe and PINs, and then sending cloned magnetic stripe data to the U.S. for fraudulent attacks, as was done recently on a large scale. End-to-end encryption does not eliminate the risk of card cloning. Current U.S. payment process security mechanisms rely heavily on host neural networks, velocity checking and other sophisticated methods to identify fraud; however, as long as anyone can record the mag
33
credit and debit card processing would be a very effective barrier to counterfeit card fraud.
netic stripe, the ability to create a counterfeit card exists. A second important question: What are the complexities and costs of end-to-end encryption? No one can answer that question today because there is no standards-based technical approach that has been fully vetted. The merchant impact has also not been defined. For end-to-end encryption to be successful, merchants would need to implement new functionality to encrypt data at the point-ofpayment, while retaining the capability to use transaction data for other functions. POS terminal upgrades would likely be required, including software changes and capabilities to manage encryption keys. Dynamic end-to-end encryption would also require a robust key management scheme. Merchants would likely not want to contend with the added complexity of this critical element, and any issues with synchronization and using the correct keys could lead to issues with authorizing transactions. A third consideration is that the implementation of a new end-to-end encryption standard would once again send the U.S. payments industry in a different direction from the rest of the world, which is implementing chip card technology as a fundamental security measure. The U.S. magnetic stripe acceptance infrastructure already creates an opportunity for criminals to export fraud into the United States.
The cryptogram itself is a type of digital signature that works in conjunction with traditional magnetic stripe data. The cryptogram is a value based on specific inputs for an individual card and transaction that makes each transaction unique.
Dynamic cryptograms render stolen cardholder data useless to criminals in retail locations and the existing U.S. payments infrastructure can process the transactions today.
measure. In many cases, a PIN entry is also required, sometimes called “chip and PIN.� As of Q1 2008, more than 730 million EMV compliant chip-based payment cards were in use worldwide. EMV was defined for the global payments market, however, and some aspects of this standard are not needed for the U.S. market. In particular, EMV defines a mechanism for offline card authentication by the terminal. To do this securely adds the costs of a cryptographic coprocessor in the card and the complexity of public key certificate management at the merchant terminal.
Since only the chip card itself can create a valid cryptogram, the authorizing host can confirm that the actual card is present. In addition, the cryptogram is generated using secret keys inside the chip card, so key management is not required for merchants. The card issuer controls key management entirely. An online dynamic cryptogram completely achieves the conceptual goal of endto-end encryption. By making the payment card chip an active part of transaction authorization using dynamic cryptograms, stolen cardholder data cannot be used for fraudulent transactions at merchant locations, where a significant portion of fraud still takes place today. An online dynamic cryptogram could also prevent card-not-present (CNP) online fraud, which is essential to effectively combating fraud. This would require an application in the chip such as MasterCard Chip Authentication Program (CAP) or Visa Dynamic Passcode Authentication (DPA), standards that are already defined.
Dynamic cryptograms In the ongoing battle against cyber crime, a real solution to data breaches and other attacks on payment card data can be achieved by rendering transaction data useless for fraudulent transactions, using contactless chip card technology and online dynamic cryptograms. This approach has two important advantages: 1. It renders stolen cardholder data useless to criminals in retail locations. 2. The existing U.S. payments infrastructure can process such transactions today, as it does for contactless payment. Most of the rest of the world is following the EMV standard, which implements a microprocessor chip on payment cards as a security 34
Winter 2009
U.S. critics of EMV chip card implementation have long argued that the merchant terminal implementation costs and the complexity of key management made chip cards prohibitively expensive. Yet, advocates of end-toend encryption are in effect calling for similar changes to the payments infrastructure. The Smart Card Alliance is proposing another option for the U.S. payments market that has clear benefits over both EMV and end-to-end encryption: Use contactless chip cards, include a dynamic cryptogram with each transaction and authorize transactions online. The U.S. payments industry supports contactless payment transactions with threedigit, online dynamic cryptograms today. Combining this with velocity checking in all
These applications enable a cardholder to use a handheld device to generate the cryptogram signature. Web merchants would pass this unique-per-transaction value to the issuer. The beauty of this approach is that it would provide proof that the card was in possession of the person performing the transaction. Further, since the transaction would have the same online dynamic cryptogram protection, fraudsters would not be able to use stolen cardholder data. It should be noted that the proposal to use online dynamic cryptograms is consistent with well-established global standards for chip cards. Issuers that want to provide clients with an internationally compatible card could issue dual-interface contact/contactless cards that are also EMV compatible.
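As an added illustration (not code from the article or from the Smart Card Alliance), the following Python models the issuer side of the online dynamic cryptogram described above and contrasts it with static magnetic-stripe data: the issuer derives the card's key itself, recomputes the cryptogram over the transaction inputs, and rejects a transaction counter it has already seen, so captured data replays in the stripe model but not in the chip model. The HMAC-SHA256 construction, the per-card key derivation, the terminal nonce and all sample values are constructed assumptions, not the EMV, CAP or DPA algorithms; velocity checking is not modelled.

```python
import hashlib
import hmac

# Constructed sample value for illustration; not the EMV, CAP or DPA algorithms or data formats.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Issuer-side derivation of a unique key per card, loaded into the chip at personalisation.
    Only the issuer and the chip ever hold it; the merchant has no keys to manage."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def compute_cryptogram(card_key: bytes, pan: str, atc: int, amount_cents: int,
                       terminal_nonce: str, digits: int = 3) -> str:
    """MAC over the transaction-specific inputs, truncated to a short decimal value
    (three digits, as in the U.S. contactless scheme the article describes).
    Changing the PAN, counter, amount or terminal nonce changes the result."""
    msg = f"{pan}|{atc:05d}|{amount_cents}|{terminal_nonce}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class ChipCard:
    """Holds its card key and an application transaction counter (ATC) that only ever increases."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan, self._key, self.atc = pan, card_key, 0

    def tap(self, amount_cents: int, terminal_nonce: str) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "nonce": terminal_nonce,
                "cryptogram": compute_cryptogram(self._key, self.pan, self.atc, amount_cents, terminal_nonce)}


class IssuerHost:
    """Online authorisation: recompute the cryptogram and refuse counters already seen."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.last_atc: dict = {}

    def authorize(self, txn: dict) -> str:
        key = derive_card_key(self._master, txn["pan"])
        expected = compute_cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: cryptogram mismatch"      # data altered, or not produced by the real chip
        if txn["atc"] <= self.last_atc.get(txn["pan"], 0):
            return "DECLINE: counter already used"      # a captured transaction replayed verbatim
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def static_stripe_host(stored: dict, track: dict) -> str:
    """The magnetic-stripe model for contrast: the host can only compare static values,
    so skimmed data authorises exactly as well as the genuine card."""
    rec = stored.get(track["pan"])
    return "APPROVE" if rec is not None and rec["cvv"] == track["cvv"] else "DECLINE"


def scenario() -> dict:
    """One genuine tap, then the captured data reused, in both models."""
    pan = "4111111111111111"                              # constructed test PAN
    issuer = IssuerHost(ISSUER_MASTER_KEY)
    card = ChipCard(pan, derive_card_key(ISSUER_MASTER_KEY, pan))

    genuine = card.tap(1999, terminal_nonce="7f3a91c2")   # nonce chosen by the terminal per transaction
    captured = dict(genuine)                              # everything a skimmer at the POS could record
    results = {
        "genuine": issuer.authorize(genuine),
        "replay_same_data": issuer.authorize(captured),
        "replay_new_amount": issuer.authorize({**captured, "amount": 49999}),
        "next_genuine": issuer.authorize(card.tap(500, terminal_nonce="0b55e6d8")),
    }

    stripe_records = {pan: {"cvv": "123"}}                # constructed static card verification value
    track = {"pan": pan, "cvv": "123"}
    results["stripe_genuine"] = static_stripe_host(stripe_records, track)
    results["stripe_clone"] = static_stripe_host(stripe_records, dict(track))
    return results
```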
The single industry voice for smart cards ...

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading discussion on the impact and value of the technology in the US and Latin America. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought.

Worldwide outreach - A primary mission of the Alliance is to show the world the benefits of smart card technology. We accomplish this through an array of outreach efforts including an informative web site, published industry reports and papers, active press relations campaigns, our Smart Card Talk electronic newsletter, and an international calendar of speaking engagements and exhibitions.

Unrivaled education - At Alliance-sponsored events and leading industry conferences, top quality smart card education is offered to the benefit of both members and leaders from industries impacted by the technology.

Task forces and reports - Active participation from representatives of member organizations feeds a vibrant network of industry-specific councils and focused task forces. Highly regarded white papers, reports, and other deliverables flow from groups focused on payments, secure identity, health care, transportation, and more.

Conferences - Alliance conferences feature informative programs and speakers who provide insight and knowledge on smart card technology and applications, coupled with exhibitions that showcase leading edge products. These events provide exhibitors with invaluable access to true decision makers and enable participants to see the technology in action.

Networking - The best and brightest from the smart card industry and the key markets it serves participate in the Alliance, attend Alliance functions, and share a camaraderie that extends beyond the Alliance organization to the worldwide network of industry activities.

Join the Alliance. It will pay dividends for your industry, your company, and your career. For more information, visit www.smartcardalliance.org.

2010 Payments Summit, February 22 – 24, 2010, Marriott City Center Hotel, Salt Lake City
Bay Area’s TransLink sees its 16-year one card goal within reach
Some agencies holding out but vast majority are online

Andy Williams, Associate Editor, AVISIAN Publications

TransLink appears poised to finally live up to the scenario first imagined 16 years ago of providing San Francisco Bay transit riders one card that would be good on all 24 agencies serving the area. The one card is now operational at five of the area’s transit systems, two of which handle 75% of the daily ridership. Those are San Francisco Municipal Transportation Agency, known simply as Muni, and Bay Area Rapid Transit (BART), joined by three smaller agencies, AC Transit (Alameda-Contra Costa), Caltrain and Golden Gate Transit. The only exception to that list is San Francisco’s famed cable cars operated by Muni, which have not yet been outfitted with readers, says Jake Avidon, TransLink senior program coordinator for the Metropolitan Transportation Commission, Oakland, Calif. Together these five systems represent 80% to 85% of Bay Area transit riders, says Avidon.

Even as little as a couple of months ago things looked gloomy for TransLink, which has suffered delay after delay since its inception 16 years ago. In the words of one reporter, writing in the Contra Costa Times in June, TransLink “has lurched along more slowly than a broken-down bus, suffering cost increases and delays.” The holdout was BART with its 116 million riders a year. So it was with obvious relief when the Metropolitan Transportation Commission, which funds TransLink, declared earlier this year that the TransLink card was “revenue ready” for BART. MTC called it “a major contractual milestone signifying that TransLink has successfully passed all laboratory and field tests.”

BART important to TransLink’s success

What makes BART so critical to TransLink’s success is that many of BART’s routes overlay transit routes of other agencies, which means many users ride one vehicle from another agency, then have to transfer to the BART system, says Avidon. In August BART launched what it called a “limited rollout” of the TransLink card on its transit system. About 1,000 users of EZ Rider, BART’s contactless fare card, were invited to participate. Limited or not, according to BART, anyone can order and use a TransLink card during this pilot phase as long as it’s loaded with sufficient e-cash. BART also suggested that passengers should bring, as backup, other means of payment such as BART’s EZ Rider card, a preloaded contactless ticket, or cash.

When it announced the TransLink soft launch, BART stated that it intends to phase out EZ Rider by September 2010. However, BART will continue to enable customers to pay for parking with EZ Rider until TransLink makes the jump into that area. Initial plans call for the TransLink card to be usable in five parking garages, all run by Muni, next year, says Avidon.

Even with the two biggest operators online, riders haven’t yet made a massive leap to the new card. TransLink’s August figures show an average 37,000 daily riders, a long way from the 700,000 riders TransLink expects to eventually serve. “Even though the system is up and running, the agencies are soft launching. They’re not yet marketing the program to the public in an aggressive manner,” explains Avidon.

TransLink is funded by MTC, the transportation planning, coordinating and financing agency for the nine-county San Francisco Bay Area. TransLink itself is managed by a consortium of most of the agencies in the Bay Area and MTC. The six major ones plus a couple of others get a vote, says Avidon. MTC is overseeing implementation of TransLink, he says.

TransLink – a little history

The initial pilot for the concept of one card actually began in 1993 with the only technology widely available then, a mag stripe card. It barely got off the ground. “The mag stripe readers did not work properly,” says Avidon. “From a technology point, it was a failure.” Returning to the proverbial drawing board, TransLink then looked at smart cards, says Avidon. A contract was signed in the mid-90s with Australian transit operator ERG, now Vix ERG. “We turned on that pilot in February 2002 and ran it for a couple years before the concept was approved and we then moved forward with a full rollout,” says Avidon. In the meantime, ERG’s U.S. assets were purchased earlier this year by Cubic, San Diego, Calif., which inherited many ERG projects including TransLink.

Despite a full rollout on the horizon, things still weren’t flowing smoothly. One source said the reason for the delays was “bureaucratic in-fighting.” Avidon puts it this way: “I think it was a mix of technical challenges and multi-agency decision making. Agencies all have unique business rules and unique transit arrangements, for example auto loads and senior discounts. The sheer technical complexity contributed to this. Then you have the problem of coordinating operating policies.”

The other holdup has been money. What was expected to cost just $4 million back in 1993 is now forecast in TransLink’s 25-year capital and operations budget to total about $338 million.

The TransLink card

The card comes with an optional auto load feature that is topped up when it drops below a certain balance. “You can also add value over the phone or at the Web site on a one-time basis or at vending machines or one of the retailers in the TransLink network,” he says. There are 200 locations, but Avidon says that will eventually grow to 400. The card has contact and contactless chips so it can work with legacy systems, but it will be shifting to contactless only in the next year, says Avidon. In fact the only way to add value right now is with the contact portion of the card, he says. TransLink will be swapping out hardware so the contactless portion of the chip can be used to add value.

The first batch of the TransLink cards, about 182,000, was supplied by French smart card provider ASK. The next order will be for 650,000 cards with delivery expected in early 2010. A supplier for that order hasn’t been chosen yet, says Avidon.

On deck for TransLink

Technology is moving fast, and other transit bodies, including MTA in New York, BART and Utah, have explored other payment methods including allowing riders to use contactless credit cards and NFC-compliant phones. “We do follow developments and trends in the industry, but TransLink has no specific plans to begin accepting contactless credit cards for transit fare payment,” says Avidon. “Similarly with NFC phones, we follow the developments in the industry and one of our project partners, BART, has tested this technology for a BART-only application, but TransLink has no specific plans to integrate with NFC-compliant phones.”

Today it seems the focus is on growth as more agencies are expected to begin accepting TransLink cards throughout 2010 and into 2011. Caltrain was the latest agency to sign on, joining the system in August, says Avidon. The next two agencies expected to come online are SamTrans (San Mateo County Transit District) and Santa Clara Valley Transportation Authority. After those two, the system is planned to expand to an additional 19 smaller transit bodies in nine counties, says Avidon. Avidon himself can attest to the benefits of just one card. “My daily commute involves two agencies which meant I had to have two cards, and I only went four miles,” he says. “Now I have TransLink.”

TransLink by the numbers

Bay Area ridership, 2007-08
  Total Passengers             494 million
  Average Weekday Ridership    1.6 million

Region’s transit vehicle fleet
  Ferry Boats                   13
  Cable Cars                    40
  Vans                         252
  Light Rail Vehicles          281
  Trolley Buses                356
  Rail Vehicles                838
  Motor Buses                2,771
  Total Vehicles             4,551

Ridership by vehicle, 2007-08 (riders per year)
  Bus                                                  231.4 million
  Trolley Bus                                           67.5 million
  Cable Car                                              7.1 million
  Light Rail                                            52.3 million
  Heavy Rail (includes commuter rail, rapid transit)   128.5 million
  Ferry                                                  3.5 million
  Total                                                486.8 million

Source: MTC’s Statistical Summary of Bay Area Transit Operators
Note: Paratransit figures not included in any of these totals.
New PIV-compliant, dual-interface card

Oberthur Technologies announced the availability of its dual-interface ID-ONE Cosmo card to the corporate market. The new card is aimed at those markets that want to use the FIPS 201 specification outside the federal government. Oberthur already has received interest in the card from defense contractors, pharmaceutical companies, oil and gas industries and “key critical infrastructure,” says Patrick Hearn, vice president of government and identification markets for North and Central America at Oberthur. “This credential will meet the physical access control needs of any corporation offering PKI-driven authentication,” he says.

From a physical access control standpoint, the card will be able to accommodate new FIPS 201 standards but can also be used with legacy systems, such as 125-kilohertz frequencies and other ISO 14443 standards, Hearn says.

Corporations that deploy Microsoft’s Windows 7 would be able to use the cards without much of an issue, but for those corporations that are sticking with an older version of Windows, Oberthur has middleware ready, Hearn says. “We can make available middleware applications that we have tested in the global corporate environment to enable seamless access for a PIV-based model,” he adds.

Oberthur has lined up distribution partners to help get the cards in the field, Hearn says, though he wouldn’t disclose the partners. “There is significant interest on the partners’ part to drive it into some key organizations, like oil and gas and key critical infrastructures,” Hearn says.

Many of these partners are looking at the growing security convergence market, the marrying of physical and logical access control into one credential. “We want to support those who are looking at using international standards rather than proprietary technology,” Hearn says.

Corporations can add other applications to the card as well, including a closed-loop payment system that could be used in company cafeterias.
Indiana blood bank uses biometrics for donor ID

The Indianapolis-based Indiana Blood Center had a problem. Regulations required that blood donors be positively identified each time they donated blood, but donors don’t always have their government-issued identification card, such as a driver license. “You would be surprised how annoyed people would be when they couldn’t give blood,” says Pete Lux, manager of blood collection at the not-for-profit blood bank.

Forgetting IDs wasn’t the only problem either. Data entry errors were leading to duplicate records, and names and dates of birth weren’t good enough for record keeping, says Lux. The center had been storing Social Security numbers, a practice it wanted to stop to ease identity theft concerns.

The Indiana Blood Center collects from approximately 500 donors per day at 10 fixed sites and has the capability to conduct 30 blood drives a day. The center must comply with identification regulations from the Food and Drug Administration and the European Union because it sends blood plasma overseas.

The blood center was looking at three identification options: maintain the current system, issue its own ID card or move to a biometrics-based system, Lux says. Since the current system wasn’t working very well and issuing ID cards would have been too expensive, biometrics won out. “It’s easy and always with a donor, unlike an ID card,” Lux says.

After deciding on biometrics, the blood center evaluated modality options and decided to adopt a fingerprint system. It selected Bio-Key because the company enabled the center to choose any type of fingerprint scanner. The center wanted to be able to pick different fingerprint scanners because some would be used in the field at blood drives and had to be ruggedized, Lux says.

When enrolling into the biometric system, the donor presents a government ID and scans both index fingers three times. The Bio-Key system then assigns a donor ID number, Lux says, which is used to identify that donor in the blood center’s system. On return the donor just needs to submit the fingerprint and the information is pulled up in the system. The biometric solution has virtually eliminated clerical errors, reduced check-in times and lowered overall operating costs.

Lux recommends getting the staff’s opinion before deploying and then spending some extra time training them on the system before introducing it to donors. Making sure they are comfortable with how it works makes it easier for them to use and leads to a better customer experience. So far the Indiana Blood Center has enrolled 20,000 donors into the voluntary system. If a donor doesn’t want to register his fingerprints he just needs to bring a government ID on each visit. The center did have to combat some misperceptions about the technology and how it was going to be used, Lux says. “Be prepared for the conspiracy theorists,” he says. “Some people thought we were sending their fingerprints and DNA to the FBI.”
Public Key Infrastructure Primer: Why is PKI important?

Bryan Ichikawa, Unisys Corp.

In discussions of identity, Public Key Infrastructure (PKI) is often mentioned in the same breath as smart cards and biometrics. While the latter two are widely known and becoming familiar to their many users, PKI can still be confusing. PKI stands behind the smart card and provides the platform for it to be successful. So with more digital identity documents being issued and PKI becoming more prevalent, it’s important to get a handle on the technology. PKI was expensive and could be hard to deploy when it was a new technique, but now it has become mainstream and is commonly deployed in identity projects.

So what is a PKI and how does it work? Let’s break down the term into two pieces – Public Key and infrastructure. The term “public key” represents one technology that can be used to encrypt and decrypt information. The term “infrastructure” represents the notion that there is a widespread network of connected items. Thus Public Key Infrastructure, or PKI, is a wide network of connected technologies that are specifically Public Key related.

So let’s understand what Public Key technology is, but first a little background and scene setting.

In today’s world, individuals, corporations and governments are using the Internet as the primary method for communicating information and conducting business. As we all know, it can be difficult to determine, with any amount of certainty, who you are dealing with at the other end of the connection.

Specifically, there are three basic concerns.
1. Is the information being exchanged private and secure? Can I rest assured that nobody has tampered with the data?
2. Is the person with whom I am dealing really the person I think it is?
3. Once I conduct a transaction, can anyone deny participation after the fact?

In dealing with people face-to-face, there is an element of trust backed up with receipts and signatures that give us a degree of comfort in conducting business. There is also the assurance we receive simply by looking at a person and recognizing them. If we require additional levels of assurance, we employ the services of notaries, or bring witnesses to bear. In dealing with people electronically, those assurances are lost, so how do we establish this type of trust in an online environment?

First, we must establish the true identity of an individual to some reasonable level of certainty. Driver licenses, birth certificates, witnesses and passports all may be used, depending on the level to which we will need to trust future interactions and transactions, e.g., the department of motor vehicles might require a lower assurance for registering an automobile than a central bank would for transferring a huge sum of money to another central bank.

Second, having completed our “identity proofing,” we give the individual something very special: a secret and personal “Private Key” established with Public Key technology. That’s right, Public Key technology generates a Private and Public key set for an individual – and the two keys fit the same lock. Let’s look at this further!

[Diagram: original message → private key → encrypted message → public key → decrypted message]

Joe encrypts a message using his private key and sends it to Sue. She accesses his freely-available public key and decrypts the message. The message will only be legible if Joe indeed encrypted the original message. Thus Sue can be certain that Joe sent the message and Joe cannot deny he sent it (a concept called non-repudiation).
Public Key technology is based on Public Key cryptography, a technology that itself is mathematically complex. Essentially, it is a cryptographic technique that enables one person to encrypt some data with one key so that the data can only be decrypted with another, related, key. You can also encrypt data with the related key, and it can only be decrypted with the original key. These key “pairs” are related, and no other key or key pair can encrypt or decrypt data outside of this pair. This is the notion that two keys can fit the same lock, as mentioned above.

This basic concept is transformed into a powerful utility once a basic premise is applied. And this premise is: make one key of the key pair a secret and make the other key publicly available. The “secret key” is only known to the holder of that key, and the “public key” is known to all, and is known by all as belonging to the holder of the corresponding secret key. This truly amazing technology can now be applied to address all three of the concerns mentioned above. How?

Consider the first diagram above. Any data encrypted using Key A, the “private key,” can only be decrypted with Key B, the “public key.” Since Key B is public, anything encrypted by Key A can be decrypted using Key B. The point in encrypting here is not to make anything a secret (if you think that the only reason to encrypt something is to make it a secret – not so!). Since Key B is a public key, anyone in the world has access to it and anyone in the world can decrypt the data encrypted by Key A. So what? That means by virtue of being able to decrypt the message, you know two things: it was encrypted by Key A (any message encrypted by any other key would result in junk data), and the message was not tampered with (had anyone messed around with the encrypted data, the result would also have been junk data). This is the same thing the medieval king did when he put his signet ring into a gob of wax on a proclamation to be posted in the castle. It was guaranteed authentic and unchanged. (Well, a clever fellow might be able to scrape the parchment and change the message, so PKI signatures are better!)

Conversely, if anyone were to encrypt data using the Public Key B – which, remember, everyone has – then only the corresponding Key A would be able to decrypt it. In this case, we are keeping secrets, and only the holder of Key A could see the message. Now the king has put the parchment into a secure envelope and put a seal on the flap!

So the notion of Public Key technology – the ability to have related key pairs that only work with one another, where one is kept secret and the other made public – makes for a powerful utility that can protect data, provide knowledge about the other party, and secure transactions.

The other part of PKI, the “I” or infrastructure component, is what makes Public Key technology work in a global arena, enabling individuals and organizations to trust one another. Key to this infrastructure are the concepts of certificates and authorities. The Public Key pairs and identities mentioned above are of little value without something to guarantee their authenticity. One must be able to associate a person, or entity, with their keys. This is accomplished via something called certificates. A certificate is basically a container that holds the Public Key (of the public/private key pair) and data associated with that key, such as the individual’s name, the key’s expiration date and other pertinent data elements. The certificate becomes the essential component that relates a key to its owner. Certificates are issued by authorities. Authorities are high-level entities that establish the notion of a trust center. All certificates issued by an authority can be trusted if one trusts the authority. All certificates issued by an authority are part of the family of that authority.

[Diagram: original message → public key → encrypted message → private key → decrypted message]

Sue encrypts a message using Joe’s freely-available public key and sends it to Joe. Using his private key, Joe is able to decrypt the message, and only he can do so. Both parties can be confident that no other person can decrypt the message, as only Joe is in possession of his private key.
A parallel can be drawn by looking at driver licenses. Think for a moment about the Driver License Infrastructure being the license number, the card itself and the motor vehicle division that issues the driver license card. The license number is like the key, the card is like the certificate, and the DMV is like the authority. You know that the number is associated with a person by looking at the card and you can trust the license because it was issued by a DMV you know. The final piece of the puzzle concerns how different authorities can trust one another. Again, making the parallel with a driver license, the relationship between states is mostly one of policy. If State A trusts the processes followed by State B to issue its licenses, then that State A can trust the licenses issued by State B. In summary is different certificate authorities use agreed upon processes to identify individuals and issue certificated then they can trust the pool of certificates issued by other authorities. Cost and complexity While PKI may be involved and costly, it’s not the technology but trust issues associated with the technology that make it complex. PKI intends to satisfy issues of trust and liability that rely on strict adherence to business policies, practices and procedures. Deploying and managing trust and liability becomes an expensive proposition.
A second reason is one of economies of scale: the first PKI you implement is an immense undertaking, while the tenth is much less mysterious. In the past many organizations established only one, their own, but today there are specialist practitioners ready and able to assist with PKI establishment. While this inherent degree of difficulty and cost has made PKI slow to be adopted, adoption is on the rise. Today's operating environments for governments, businesses and individuals are becoming more and more Internet-centric. The three tenets described above can only be satisfied efficiently and ubiquitously through Public Key technology; any solution that is not Public Key-based would be tremendously inefficient and prohibitively onerous to operate, and would likely cost more for a reduced level of functionality. PKI provides a mechanism that enables people and organizations to securely conduct business over open networks. It enables strong mutual authentication of the parties. It enables transactions to be secured and made non-repudiable. It provides a method to protect the integrity of information. No other technology can efficiently and effectively provide these capabilities, and as more and more business is transacted over the Internet, PKI will be there to protect information exchange.
Fingerprint biometric sensors secure medication cabinets

San Diego-based CareFusion has been putting fingerprint scanners in its medication cabinets since 1999, and in 2001 the company made them standard in all its Pyxis medication dispensing units. The company has 200,000 of the cabinets deployed worldwide, enabling nurses and pharmacists to obtain controlled medication for patients. To use the secure system, the staff member enters an ID, provides specifics on the medication and patient, and is then authenticated using the fingerprint scanner.

But over the past seven years the company was noticing problems with the fingerprint scanners it was using, says Scott Bostick, senior vice president and general manager of medical dispensing at CareFusion. "80% of the time the nurses and pharmacists were successful using biometrics to access Pyxis," he says. "But that left a gap 15% to 20% of the time in security and this wasn't acceptable performance for us."

Environmental factors create challenges for biometric systems in health care environments. Labs can be very dry and cold, not ideal conditions for fingerprint scanners, Bostick says. CareFusion went looking for a more reliable fingerprint scanner and found Lumidigm Inc. The Albuquerque, N.M.-based company has a multi-spectral biometric scanner that is able to capture a high-quality fingerprint image regardless of the environment or the quality of the fingerprint. The Lumidigm scanners were first deployed in medication cabinets at a hospital in Houston and have already resulted in better usability, Bostick says. "The nurses love it because it's really fast," he says. "We're seeing a lot of improved performance."
Improving contactless security is goal of emerging PLAID project
Australian spec looks to better secure contactless identity credentials
Graeme Freedman, Principal, DotInDots

Concerns with the security and privacy of contactless smart card technology are nothing new. In recent years the Internet has caught up with the physical access control industry and the PKI smart card industry, and some 'dirty little secrets' have been aired. For those of you who do not believe me, go to your browser and search "RFID hack clone," "mifare hack," or go to eBay.com.hk (Hong Kong) and search "RFID."

In a matter of minutes you will find board-level schematics, source code and build-yourself kits that will allow you to clone many of the existing contactless devices used for physical access control and even transit. From eBay you can purchase shrink-wrapped product to clone the cards (with free shipping)! If you are a real nerd, you can Google "OpenPICC" or "OpenPCD" and purchase sophisticated portable devices that pretend they are real cards and readers and mount attacks on advanced smart cards.

None of this is new, but what is new is that a group in Australia, under the direction of one of the largest and most capable government IT shops, has been looking at what to do about it.

The problem

The problem really stems from a combination of steam-whistle technology and bad practices, which have led us to the point where the options for access control systems are either proprietary or no longer fit for purpose.

Wiegand – The majority of physical access control systems use the Wiegand protocol, which was first deployed a quarter of a century ago. It is based around sending a 26-bit number up a piece of telephone wire. Wiegand was designed for extreme cable lengths, not security. The problem is that it cannot support an end-to-end session or clear channel, and because of that it cannot easily support modern cryptographic authentication protocols, which authenticate using longer and longer keys and require a significant amount of protocol data. Even the authorization records alone are moving to a 128-bit RFC 4122 GUID under the next round of FIPS 201. Wiegand eventually needs to be replaced by modern structured wiring (e.g. Power over Ethernet, and fibre optic for long distances), but this is going to take many years and we need a solution sooner.

No cryptography – Because the physical access control industry thinks that "Joe Average" cannot understand the radio frequency methods used, it mostly relies on the obscurity of the radio protocol rather than any secure methodology involving cryptography or keys. The vast majority of PACS do not secure or obscure the channel between the card and the reader, and as a result it is easy for people to create cloning and replay devices ... and to sell them on eBay. Vendors will tell you they solve this problem by using a second factor of authentication, such as a PIN, but a recent survey of PACS suppliers found that a second factor was used in less than 1% of implementations.

Privacy – A solution involving no cryptography presents a privacy problem. It is overly simple to use a sniffer device to obtain a unique identification number from the card and then clone it.

Poor cryptography – When the physical access control industry has used cryptography, the tendency has been to use inexpensive, low-end cards. Those who did this now realize they got what they paid for! Many who deployed MIFARE Classic, with its Crypto-1 cipher, are now struggling to find a way forward from a proprietary and publicly broken cryptographic cipher.

Speed – Because contactless cards are out of range of the reader very quickly, and tap-and-go convenience is often a crucial requirement, any solution to the problems above must operate in less than 500 milliseconds, and preferably in less than 200 milliseconds (0.2 of a second). Most existing access control protocols on commercial product operate between 40 and 200 milliseconds. This speed requirement rules out most authentication protocols using asymmetric keys, including all current PKI-based protocols.

No standards – Currently the only authentication protocol which does not suffer from the above problems, and which is commercially available, is available only under licence from a single vendor.
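As an added illustration that is not from the article or any vendor, the following encodes and decodes the common 26-bit Wiegand frame (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) as a reader sends it down the cable, and shows why the "no cryptography" problem above is fatal: a door controller has nothing with which to distinguish a replayed capture from a genuine tap, and parity only catches wiring noise, not forgery. The facility and card numbers, the pulse capture and the allow-list are constructed for the example.

```python
"""Added example (not from the article or any vendor): the public 26-bit
Wiegand frame that most PACS readers send to the door controller, and why a
sniffed frame can simply be replayed."""

FACILITY_BITS, CARD_BITS = 8, 16


def encode_w26(facility: int, card: int) -> str:
    """Build a 26-bit frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    if not (0 <= facility < 2**FACILITY_BITS and 0 <= card < 2**CARD_BITS):
        raise ValueError("facility/card out of range for the 26-bit format")
    payload = f"{facility:08b}{card:016b}"            # 24 data bits
    even = payload[:12].count("1") % 2                 # bit 0 covers bits 1-12
    odd = 1 - payload[12:].count("1") % 2              # bit 25 covers bits 13-24
    return f"{even}{payload}{odd}"


def decode_w26(frame: str):
    """Parse and parity-check a frame; returns (facility, card)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits")
    payload = frame[1:25]
    if int(frame[0]) != payload[:12].count("1") % 2:
        raise ValueError("even parity error")
    if int(frame[25]) != 1 - payload[12:].count("1") % 2:
        raise ValueError("odd parity error")
    return int(payload[:8], 2), int(payload[8:], 2)


def frame_from_pulses(pulses):
    """Wiegand uses two wires: a pulse on DATA0 is a 0, on DATA1 a 1.
    A logic analyser clipped to the reader-to-controller cable yields this list."""
    return "".join({"D0": "0", "D1": "1"}[p] for p in pulses)


class DoorController:
    """Minimal controller: a static allow-list keyed on (facility, card)."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.log = []

    def present(self, frame: str) -> bool:
        try:
            fac, card = decode_w26(frame)
        except ValueError as exc:
            self.log.append(f"reject: {exc}")
            return False
        granted = (fac, card) in self.allowed
        self.log.append(f"{'grant' if granted else 'deny'}: fac={fac} card={card}")
        return granted


def demo():
    door = DoorController(allowed=[(123, 45678)])          # constructed allow-list
    legit = encode_w26(123, 45678)                         # what the reader emits on a tap
    first = door.present(legit)
    # Attacker taps the D0/D1 lines, records the pulses, and replays them later.
    captured = ["D1" if b == "1" else "D0" for b in legit]
    replay = door.present(frame_from_pulses(captured))
    # Parity is an integrity check against noise, not authentication: a flipped
    # bit is rejected, but anyone can mint a valid frame for any number.
    flipped = legit[:5] + ("1" if legit[5] == "0" else "0") + legit[6:]
    tampered = door.present(flipped)
    forged = door.present(encode_w26(123, 45679))          # valid frame, not enrolled
    return {"first": first, "replay": replay, "tampered": tampered,
            "forged": forged, "frame": legit, "log": door.log}
```

Note what the controller log shows after `demo()`: the original tap and the replayed capture produce identical entries, and the only barrier to the forged frame is the allow-list, which with a known facility code leaves just 65,536 card numbers to enumerate.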
Whilst there are general standards for authentication under ISO/IEC 9798, these are so generally described that they cannot guarantee interoperability between multiple suppliers, and they have not been customized for PACS speed and performance.

Protocol for Lightweight Authentication of ID (PLAID)

PLAID defines a standardized authentication protocol resolving the above issues that is capable of transitioning older Wiegand-based solutions to modern solutions without relying on re-cabling, PKI, or anything other than commercial off-the-shelf smart cards, readers and public domain cryptographic libraries. The intellectual property for PLAID is freely available to any manufacturer, government or other party under an irrevocable licence from the Australian Commonwealth. The full specifications, licence reference, source code and testing tools are available at www.govdex.gov.au. Steps are underway to standardize PLAID in Australian and international standards, at which point the intellectual property will be assigned to those bodies.

PLAID was developed within an Australian Government smart card project operated by Centrelink, an agency responsible for the broad provision of social services in Australia. Centrelink has a very large footprint, with more than 300 offices and 30,000 desktops needing secure, private, smart card based authentication for both logical and physical access using contactless protocols. Centrelink implemented a centralized, role-based ID management system some nine years ago and is transitioning it to support contactless smart cards, which gave rise to the PLAID project.

PLAID, developed by cryptographer Glenn Mitchell and smart card developer Andrew Fisher, is a cryptographic and algorithmic method, with associated source code, that uses hybrid symmetric and asymmetric cryptography. There is no exposure of card or cardholder identifying information, or of any other information useful to an attacker, and every transaction is unique. The protocol supports either single- or dual-factor authentication, with support for authentication of the smart card, the access control system record and, optionally, the cardholder's PIN or biometric template. The PLAID protocol is optimized for fast mutual authentication between the smart card and devices or middleware, using either contact or contactless smart card implementations. It has been tested on a wide variety of cards from the major card vendors, resulting in transaction times between 160 and 300 milliseconds (0.16-0.3 seconds). Slightly longer times are experienced when authenticating large access control objects such as biometric templates.

The cryptography used consists of standards-based ciphers commonly available on most programmable smart cards, computer systems and embedded devices, so the protocol is highly portable to existing cards and devices. Different keys may be used by purpose (i.e., perimeter, logical access, computer room and administrative key sets), and keys can be maintained by rolling onto a spare, unused key set already stored on the smart card. Work is planned on a reference implementation that includes SAM/HSM device code demonstrating how to design a strong key management and key roll system using secure FIPS 140-2/3 devices.

In order to support simple transition between systems requiring different record types, multiple access control system records (up to 65,536) may also be authenticated by purpose. Depending on the record requested by the reader, PLAID authenticates just the record required for the particular environment. These records could, for example, be all of, or one or more of: Wiegand numbers; a U.S. Federal FASC-N staff number; a FIPS 201 CHUID; an RFC 4122 GUID record; an ISO/IEC 7812 card number; a biometric template; or any other numbering system required by the environment. Unlike existing systems, these records are never exposed in the clear.

The protocol also provides a 256-bit session key for the next smart card operation. PLAID is extremely fast and may be used as a bootstrap protocol to set up a secure session with the card to support subsequent higher-level protocols or operations. This can, for example, be used to protect a public certificate accessed in the next operation from exposure of its otherwise publicly available attributes. The PLAID reference source code also implements a number of generic countermeasures that may usefully be included in operational implementations.

Finally, PLAID has been evaluated in the public domain for some three years now and has been available under open licence since February 2009. The long public evaluation has resulted in improvements, particularly in the reference implementation, but has failed to identify any fatal flaw in the protocol.
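The following added example is not PLAID and does not follow its message formats (PLAID's actual exchange is in the specification at the address above); it is a generic symmetric challenge-response written against the Python standard library (HMAC-SHA256) to show, in runnable form, the properties the article lists: mutual authentication under a per-purpose key set chosen by the reader, nothing identifying the card or the record sent in the clear, a fresh 256-bit session key per transaction that protects the record delivered in the next operation, and failure of a replayed response. The keys, key set names, the record value and the toy stream cipher are constructed for the example.

```python
"""Added example: generic symmetric mutual authentication with HMAC-SHA256.
Not PLAID and not its wire format; it only shows the properties the article
lists (mutual auth per key set, no identifiers in clear, fresh session key,
replay failure). Keys, key set names and the record are constructed."""
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher from HMAC blocks (symmetric: call twice to decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = mac(key, b"stream", i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Card:
    def __init__(self, keysets: dict, record: bytes):
        self.keysets = keysets      # key set id -> 32-byte key (perimeter, server room...)
        self.record = record        # e.g. a Wiegand number; never sent in the clear

    def respond(self, msg1: dict) -> dict:
        ks = next(k for k in msg1["keysets"] if k in self.keysets)   # first shared set
        rnd2 = os.urandom(16)
        self.ctx = (ks, msg1["rnd1"], rnd2)
        tag = mac(self.keysets[ks], b"card", ks.encode(), msg1["rnd1"], rnd2)
        return {"keyset": ks, "rnd2": rnd2, "tag": tag}

    def finish(self, msg3: dict) -> dict:
        ks, rnd1, rnd2 = self.ctx
        key = self.keysets[ks]
        if not hmac.compare_digest(msg3["tag"], mac(key, b"reader", ks.encode(), rnd1, rnd2)):
            raise PermissionError("reader failed to authenticate")
        session = mac(key, b"session", rnd1, rnd2)          # 256-bit, unique per tap
        ct = stream_xor(session, self.record)
        return {"ct": ct, "tag": mac(session, b"record", ct)}


class Reader:
    def __init__(self, keysets: dict):
        self.keysets = keysets

    def start(self) -> dict:
        self.rnd1 = os.urandom(16)
        return {"keysets": list(self.keysets), "rnd1": self.rnd1}

    def challenge(self, msg2: dict) -> dict:
        ks, rnd2 = msg2["keyset"], msg2["rnd2"]
        key = self.keysets[ks]
        if not hmac.compare_digest(msg2["tag"], mac(key, b"card", ks.encode(), self.rnd1, rnd2)):
            raise PermissionError("card failed to authenticate (wrong key or replay)")
        self.session = mac(key, b"session", self.rnd1, rnd2)
        return {"tag": mac(key, b"reader", ks.encode(), self.rnd1, rnd2)}

    def receive_record(self, msg4: dict) -> bytes:
        if not hmac.compare_digest(msg4["tag"], mac(self.session, b"record", msg4["ct"])):
            raise PermissionError("record tampered")
        return stream_xor(self.session, msg4["ct"])


def transaction(reader: Reader, card: Card):
    """One tap: four messages over the air; returns (record, transcript)."""
    m1 = reader.start()
    m2 = card.respond(m1)
    m3 = reader.challenge(m2)
    m4 = card.finish(m3)
    return reader.receive_record(m4), [m1, m2, m3, m4]


def demo() -> dict:
    keys = {"perimeter": bytes.fromhex("11" * 32), "server_room": bytes.fromhex("22" * 32)}
    record = b"FAC123-CARD45678"
    card = Card({"perimeter": keys["perimeter"]}, record)   # this card holds only one set
    reader = Reader(keys)
    seen, transcript = transaction(reader, card)
    # A sniffer sees random-looking bytes only: the record is never in the clear.
    wire = b"".join(v for m in transcript for v in m.values() if isinstance(v, bytes))
    leaked = record in wire
    # Replay: resend the card's earlier response to a fresh reader session.
    reader.start()
    try:
        reader.challenge(transcript[1]); replayed = True
    except PermissionError:
        replayed = False
    # A clone that copied the record but not the key set is rejected.
    try:
        transaction(Reader(keys), Card({"perimeter": bytes(32)}, record)); cloned = True
    except PermissionError:
        cloned = False
    return {"record": seen, "leaked": leaked, "replayed": replayed, "cloned": cloned}
```

The design choice worth noting is that only the key set name and two nonces travel in the clear; because both tags and the session key are bound to both nonces, a recorded card response is useless against any later reader challenge, and the access control record reaches the controller only under the session key. A real deployment would diversify the card key per card (the hybrid asymmetric step is what lets PLAID do that without revealing the card's identity), and would use a standard cipher rather than the HMAC keystream used here for portability.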
Is the future of campus cards contactless?
New programs are expanding its use beyond access into the full array of campus card functions
Zack Martin, Editor, AVISIAN Publications

As campuses switch to contactless smart cards for student IDs and move more applications to the chip, are the mag stripe's days numbered? Greater security, increased convenience and reduced wear and tear on cards and readers are just a few of the reasons leading some campuses to make the switch to contactless technology.

Santa Clara University is deploying Blackboard's contactless smart card offering for a range of applications on campus. Blackboard partnered with Sony to bring the electronics industry giant's FeliCa contactless technology to the U.S. market. FeliCa is widely deployed in Japan and other Asian countries, with more than 350 million cards and readers used for payment, access and transit solutions, says Jeff Staples, vice president of marketing and business development at Blackboard.

Morehead State University in Kentucky also has fully embraced contactless technology with the help of its campus card vendor, the CBORD Group. Morehead's new EagleCards include HID Global's iCLASS contactless technology and enable access, payment and privilege control applications.

According to Mark Doi, director of education market strategies at HID, the drive for increased functionality is encouraging campuses to look at contactless. "We are seeing campuses migrate away from legacy technologies and upgrade their infrastructure over time (with contactless technology), because of the ability to add more applications beyond just opening the door." "The education market as a whole has embraced iCLASS as they see the value in comparison to older technologies such as proximity and mag stripe," adds Doi. In Fall 2008, Doi told CR80News that more than 100 campuses were using or were in the process of migrating to iCLASS.

Clearly contactless has emerged as the premier technology for access control, but as Santa Clara and Morehead are proving, it can benefit other applications as well. Both universities are in the process of implementing the cards not only for physical access but for payments and more.

Time to re-card

It had been ten years since Santa Clara had refreshed its campus card system, says Nirmal Palliyaguru, director of ACCESS and conferences at Santa Clara University in California. The institution was in the process of getting rid of Social Security numbers associated with student IDs and started looking at different technologies that could better protect the information on the card. In his travels around Southeast Asia, Palliyaguru saw the FeliCa technology in use, and he remembered a presentation Blackboard had given on the technology during a NACCU Conference. "This is clearly the next generation and I thought this was the route for us to go," he says.

Santa Clara is doing a slow rollout of the contactless cards on campus. Incoming freshmen and first-year law students received the cards first, Palliyaguru says. Anyone needing a replacement card is also receiving one. Contactless readers from Blackboard are being deployed around campus and will be used at the various points of sale, as well as vending, laundry and copier locations. The physical access readers are also being converted to accept contactless. The card still has a mag stripe, adds Palliyaguru, so it can be used where the new readers have not yet been deployed.

One of the biggest advantages of contactless on campus is its ability to facilitate transactions, Staples says. "For us the biggest difference is going to be in the high volume, high access areas like dining point-of-sales, door access and other areas," he says. "We're able to offer speed, security, and high performance readers that will ultimately impact customer satisfaction. We're focused on the user experience and want it to be faster."

It will likely be summer 2010 before the system is completely implemented at Santa Clara, Palliyaguru says. Eventually the campus will issue around 10,000 new cards. Administrators are taking it slow to make sure to troubleshoot any problems as they arise. "The technology hasn't been used in this field before," Palliyaguru says. "We don't know what pitfalls we'll find." While Santa Clara is taking time and care to deploy the new system, Palliyaguru is also focused on the future. He sees a wide range of other applications the card will enable, suggesting that they will "increase the touch points ... ticketing, events, fundraising, anything can be done."

Within the next ten years, Palliyaguru expects, there will be no need for a card at all. "The next time we re-card there won't be a card," he says. "It might be on your cell phone, we'll have a docking station, and people will upload the card to their cell phone or PDA."
Full deployment at Morehead

Morehead State is moving all of its campus card applications to contactless with the help of system provider CBORD and HID Global's iCLASS contactless technology. The card also has a mag stripe that is used for banking functions and for some of the remaining doors that haven't switched to contactless, says Doug Snedegar, Morehead's EagleCard coordinator. The iCLASS cards are being used with Morehead's existing Odyssey PCS campus card system from CBORD. To date Morehead has issued 13,500 contactless cards to students and employees, Snedegar says. The university is no stranger to smart card technology. Since 2001 the Morehead ID has used a contact smart card for beverage, snack, laundry and copier purchases, while the mag stripe was used for physical access.

Payments first

Traditionally, when an institution decides to switch to contactless, the first application on the list is physical access. Morehead took a different route, rolling out payments first, Snedegar says. The university has 220 contactless readers deployed across campus, but only a handful of these are being used for physical access. The rest are used for dining services, snack and beverage vending, copying and printing, and laundry payment. The contactless readers have proven to be revenue drivers. Vending sales, previously managed with a contact smart chip in the EagleCard, required students to maintain separate accounts for vending purchases. With contactless readers managing purchases across campus, the university now offers students a multi-use account known as BeakerBucks, making it easy to spend and manage EagleCard funds. EagleCard-based vending sales have increased nearly 10% since the change was made, Snedegar says. Switching to the contactless readers has been a relatively painless process and not too expensive, Snedegar says. The readers deployed at the bookstore, print station and dining services cost less than $250 each.

Deploying contactless at Morehead has given the university unlimited potential for the card, Snedegar says. There are plans underway to extend the contactless infrastructure to Morehead's regional campuses in Ashland, Prestonsburg, West Liberty, Jackson and Mount Sterling. The university is also exploring the use of the card for logical access. "The sky is the limit," Snedegar says. "It's a work in process and our goal is to eventually be contactless everywhere on campus."

Morehead State University EagleCard: cards issued 13,500; provider The CBORD Group; technology HID iCLASS.
Santa Clara University ACCESS Card: cards issued 10,000 in process; provider Blackboard Inc.; technology Sony FeliCa.

Is this the end of the mag stripe?

At Morehead we discussed whether the stripe would be a thing of the past, Snedegar says. But since the card can be connected to a U.S. Bank account, the mag stripe was necessary for debit purchases and ATM transactions. Campus card business consultant Bob Huber agrees, noting that mag stripes won't be going away anytime soon. "I think they'll be around for another 20 years," he says. "You need to have a mag stripe on the card for merchant acceptance."

But Huber says contactless on campus may see significant increases in the coming years. Wear and tear on readers and cards is less with contactless than mag stripe, and campuses can see a significant cost reduction on that alone, Huber says. Traditional magnetic stripe readers should have a life of five to eight years, while contactless readers should have an expected life of 15 years or more. Add in the cost of labor for troubleshooting and service fees for maintenance and repair, and contactless provides a total cost of ownership half that of magnetic stripe readers, says Huber. The reliability of contactless is also on par with mag stripe, suggests Huber, adding, "the problem with defective cards is about the same." Read Winkelman, vice president of sales for colleges and universities at CBORD, says interest in contactless on campus is growing. The interest started out of the convenience factor but is growing because of the better security. "As security concerns in general increase, campuses are looking for anything that is more secure, that's part of what's driving the interest in contactless," Winkelman says.
BYU students take first crack at replacing ID card with mobile phone
Pilot project enabled bookstore payments via microSD equipped handset

At Brigham Young University's Rexburg, Idaho campus, 120 students and faculty members are using their cell phones to make payments in the campus bookstore. The mobile technology startup RFinity developed the secure solution using microSD cards with Near Field Communication capabilities to enable contactless payments with the devices. "The RFinity pilot at BYU-I will be one of the first mobile contactless deployments that focuses on securing transactions in a way that reduces the risks associated with legacy payment systems," says Aaron Turner, RFinity co-founder and CEO. The company went after BYU in part because of its convenience: it is located just 20 minutes away from the 12,000-student Rexburg campus, says Wally McPheters, RFinity product manager in charge of the BYU pilot. For the pilot RFinity supplied participating students with new cell phones, either a Palm Treo or the Ozone phone from Taiwan-based HTC Corp. "It was easier for us to prepare for the first pilot by providing them with phones," says McPheters. The phones serve as a replacement or option to the campus' magstripe ID card, known as the I-Card.

For the first stage of the pilot, which lasts through fall semester, the phones can only be used in the campus bookstore. They are pre-loaded with scholarships and money to pay for books, and also include a declining balance account. "BYU said the university store was the best arena for this pilot," says McPheters. "It's a full-scale store and is the center of all activities. The store sells clothing, textbooks, technology, convenience store items, in other words a number of product lines other than educational." The goal of the pilot is simple, says McPheters. "We want to prove the technology works and then improve it. It allows us to show financial transactions at POS and give us valuable feedback. We also expect to generate ideas for additional applications."

No personal data on phone

Andy Cargal of BYU university communications says each microSD contains the RFinity technology and a unique number that correlates to the student's account numbers in the BYU database, leaving no personal information on the phone. The pilot is being coordinated with the university store management team, while the outcomes are overseen by the university's Presidents Council, says Cargal. Turner anticipates there could be an increase in sales just due to the novelty factor. So far, purchases have ranged from a nickel for gum up to $1,700 for a MacBook, he says. Students were chosen for the pilot following several surveys that determined what's important to them and how they buy, says McPheters. "We wanted a cross section of people who frequent the university store and those who don't, so we could see how often the phones get used."

Figure: The microSD card in the phone uses RF communication to transmit data at the point of sale. It sends a unique number that correlates to the student's account number in the BYU database.

The company surveyed 1,500 students. "We looked for those attributes that would help us ID different types of shoppers, such as single under classmen, single upper classmen and married students," says McPheters. "These three buy a little differently. That narrowed us right down to about 120. We then reconnected with them all to see if they were still interested and would be here this fall, and what kind of phone they carry." Cargal says following the surveys there were more than 500 students who expressed interest in participating in the pilot. He says those who didn't make the first cut are still on the list for when the pilot expands to more students, likely in January.

Students control payment process

Steve McCown, RFinity's chief technology officer, says the technology can handle two payment modes. Quickpay, for transactions of less than $25, requires the user to press a button on the phone to transmit the necessary information to the reader. RFinity requires the user to actively initiate every transaction by pressing the button, to protect the information from being accessed fraudulently or inadvertently.

For amounts of more than $25 the user must authorize the transaction by entering a PIN. If a student is standing in line and getting ready to pay for $300 worth of books, he can preauthorize his next transaction by entering the PIN, thus saving time at the POS. Then when he gets to the register, he simply holds down the button to activate quickpay, says McCown.

While $25 is the default amount, each participant can adjust it to meet their personal security needs. Some students have insisted on a zero threshold, which means they have to enter a PIN for every transaction, Turner adds. If a phone is lost or stolen, the student can call RFinity and shut down the key, says McPheters.

Input from Giesecke & Devrient

The system uses a microSD card from Giesecke & Devrient called the Mobile Security Card CL (for contactless). The security feature in the Mobile Security Card CL is provided by a cryptography controller integrated in the card along with the flash memory. The card can be used in mobile phones, smart phones, netbooks and even in USB tokens, says McCown. "This will be a way for a student to take his student ID card with him virtually. From the student's perspective, all they'd need is a cell phone," says McCown.

The project is going well, says Turner. "The thing students told us is that they like not having to carry a wallet into the bookstore, they love the convenience factor. And they like the fact they can control their own security."

The second stage of the pilot is likely to include more applications and as many as 1,600 participants. McPheters would not elaborate on what those apps would be, but he hinted it could include adding the ability to read from a person's bank or debit account and expand beyond financial transactions.
A merger of convergence
SCM, Hirsch and BlueHill merge to take on a growing market

When Felix Marx joined SCM Microsystems in late 2007 he had a mission: reposition the company in the identification market. In the two years since Marx took over as director and CEO he has been able to change the company's focus and add to its product offerings, making it a one-stop shop for the ever-expanding converged security market. Some of these changes have taken place because of a shift in product line focus, but a lot of it has been through acquisition. Less than a year after Marx joined the company, SCM and Hirsch Electronics merged. More recently, the newly combined company announced the acquisition of BlueHill ID, a small ID provider with a strong presence in the European market.

Before Marx joined the company it had been focused on manufacturing contact smart card readers. The company wanted a more active focus in the government, health care, ticketing and payments markets in the U.S. and Europe. The bigger switch, however, was on the technology side. "The target was to move from contact reader manufacturing to contactless technology and be compatible with all the different infrastructures out there," he says. "Contactless is the way going forward." There was also a revision in the business model, Marx says. SCM was a hardware manufacturer, and the goal was to broaden the reach and look for some way to bring in recurring revenue.
These factors all led to the merger with Hirsch. The two companies had discussions in 2006 and 2007, but it wasn't until March 2008 that those talks began in earnest. Hirsch had already been SCM's partner for physical access control readers, and with the movement toward converged products heating up, the timing was right, Marx says. "We're not just talking about physical access or logical access," he says. "Customers want an end-to-end system and that's how we found ourselves together." Hirsch is a 28-year-old company that started out producing a high security digital keypad called the Hirsch ScramblePad. The product became an industry icon and established Hirsch in the electronic access control market. The company went on to launch software packages to manage access control, alarm monitoring and badging, first as separate packages and then as an integrated solution called the Velocity Security Management System. The keypad and reader line expanded to include contactless and smart card use as well as biometrics and even PKI capabilities.
Hirsch also had its professional services group, which designed and implemented security systems. This part of the company would be a source of recurring revenue. “We’re not just talking hardware anymore but systems services and consulting,” Marx says. “It’s something we didn’t have before.”

Larry Midland, Hirsch’s president and now executive vice president at SCM, saw the market changing and the need to branch out. “Expertise and resources in areas such as digital identities and information security are increasingly important,” he says. “We want Hirsch customers to turn to us not only to secure facilities but also to secure computers, identities, information and information exchange.”

The merger of the two companies closed in April and they have already worked on projects together in Europe and the Middle East, Marx says. In September it announced the acquisition of BlueHill ID, a Swiss-based ID provider. BlueHill, founded in 2007, is a newcomer to the market. The company saw an opportunity to take a fragmented industry, consolidate and create a powerhouse, says Ayman Ashour, CEO of BlueHill. About a year ago the two companies started discussions to work more closely together, beginning with an agreement to cooperate on some research and development projects, Marx says.

BlueHill had been an active acquirer itself, adding more than 15 companies and building a presence in Europe, the Americas, Asia and Australia, Ashour says. The companies BlueHill has acquired run the ID security gamut, from corporate ID providers to payment card and NFC vendors to long-range RFID used for animal tracking. Ashour says BlueHill’s technology offerings will complement SCM’s. “BlueHill helps SCM advance its strategy of expanding their position in contactless markets and technology by offering entry into the important RFID transponder technology market,” he says. “It also strengthens their position in the e-passport and national ID business and provides them access into important growth verticals.”

It was the combination of technology along with the company’s experience with mergers and acquisitions that held appeal for SCM, Marx says. “They have created a very powerful mergers and acquisitions machine and that’s something we’ve been looking at,” he says. “At the end of the day we decided it would be best to combine the two companies.”

With the BlueHill purchase the new combined company may be a force to be reckoned with in the ID market, Marx says. “The ID market is very fragmented with lots of smaller players,” he says. “With the acquisitions we’ll be able to provide everything from the inlay to the smart card to the hardware and ID management systems from Hirsch and even the professional services and consulting. We are a full service company that serves customers from A to Z.”

The ScramblePad (right) became an industry icon and established Hirsch in the electronic access control market. SCM’s line of contact chip, USB and contactless devices established the company as a leading reader manufacturer.
Featured FIPS 201 Products

ST-1210 SmartTerminal & SR-4300 ExpressCard Card Reader, Cherry Electrical Products

Cherry’s new SR-4300 ExpressCard reader and ST-1210 standalone smart card reader are now FIPS 201 certified by the General Services Administration (GSA) for use with Personal Identity Verification (PIV) smart cards. The ST-1210 is a CCID-compliant, low-profile USB contact reader designed for one-hand operation. At just 105mm x 70mm x 12mm high, it is easily transportable and fits in even small workspaces. The SR-4300 ExpressCard reader is already being bundled with notebooks for applications in federal government agencies. Cherry’s new smart card readers are also PC/SC compliant and compatible with ISO7816 (Class A, B, C).
Newly approved FIPS 201 products

FS51 1.6”x1.5” Fingerprint Scanner Module – Futronic Technology Co Ltd.
Card Electronic Personalization Device
PIV Middleware
MyID PIV for VeriSign – VeriSign, Inc.
ActivClient – ActivIdentity
Transparent Card Reader
Electromagnetically Opaque Sleeve
PIV Minidriver – 90meter, Inc.
bioBASE TCR – Privaris, Inc.
SCVP Client
G83-6610 SmartBoard Smart Card Reader Keyboard (XX1X) – Cherry Electrical Products
Smart Tools RFID Shield – Smart Tools
Facial Image Capturing Station (Physical): PreFace SDK with Canon EOS Rebel XS – Aware, Inc.
Fingerprint Capture Station: Multiscan1000 – Green Bit Americas, Inc.
PIVCheck Desktop Edition – Codebench, Inc.
Single Fingerprint Capture Device: ET1 – ITALDATA ingegneria dell’idea S.p.A.
SR-4300 ExpressCard Smart Card Reader – Cherry Electrical Products
ST-1210 SmartTerminal Smart Card Reader (XX1X) – Cherry Electrical Products
FS50 1.6”x1.5” Fingerprint Scanner Module – Futronic Technology Co Ltd.
Get your FIPS 201 Approved Product listed on FIPS201.com, customizing photos, links, brochures, contact information, and more. Contact info@fips201.com for more information.

FIPS201.com: the premiere resource for compliant credentialing. Visit FIPS201.com to research and compare approved products.

Contact: Ryan Kline, FIPS201.com Coordinator, 850-391-2273, ryan@AVISIAN.com

An id technology resource
What POWERS Your Campus?

Contactless technology from Blackboard Transact™ is ready to power faster, safer and more convenient transactions at forward-thinking institutions everywhere. Around the clock, our clients manage transactions in dining halls, bookstores, vending machines, and more. They use our technology for privilege verification, door access, video surveillance, and even managing the crowd at the big game. Now, they can do it faster and more securely than ever before.

Blackboard Transact proudly presents another wave of innovation that includes our payment application-compliant server software and new terminal hardware that supports both magnetic stripe and Contactless technologies. Let us show you how you can achieve the system performance you expect and the user experience your students demand from a name you can trust.

www.blackboard.com/contactless
Copyright © 2009. Blackboard Inc. All rights reserved.
Group working on standards for identity vetting

There are efforts underway to standardize identity vetting for U.S. citizens. Currently states and the federal government each have their own processes to confirm an individual’s identity. But the North American Security Products Organization (NASPO) is working on standards that could be used throughout the U.S. and even potentially on the international stage. NASPO is a Washington-based non-profit organization that certifies providers of security documents.

It’s obvious that some of the identity vetting in place now doesn’t work. Eight years after 9/11, when the hijackers were easily able to obtain fake IDs, it appears our identity verification procedures still leave a lot to be desired. This became apparent in early 2009 when an undercover investigator for the U.S. Government Accountability Office used fake documentation, including a birth certificate and driver license, to obtain four U.S. passports. In at least one instance, he got the passport the same day and used one of the fakes to buy a plane ticket and get past security.

The goal of the Identity Verification Project is to put checks in place so this doesn’t happen. Graham Whitehead, director of Auditing and Standards Development for the North American Security Products Organization and ID Verification Project Working Group leader, related the group’s progress at a recent meeting of the Government Smart Card Interagency Advisory Board. Verifying a person’s origins through documents such as a birth certificate lies at the heart of Whitehead’s ID verification project. Eventually he hopes it becomes a U.S. standard and maybe even an international one.

The GAO investigation points to the fundamental problem that identity documents don’t have a lot of security. Among the fake documents the GAO investigator used were Social Security numbers of a fictitious five-year-old child and another from a dead person.
“With a little bit of skill you can get yourself a document that most will agree is secure … a passport with a chip,” he said.

The project initially had three phases, he said, the first of which was tentatively completed in July. That’s the concept formulation, a difficult phase that includes many philosophical positions. It involved three elements: how to build certainty in a claimed identity, the criteria for the acceptance or rejection of a claim, and the methods for the detection of fraud. The second phase is to prove that it can work. This testing portion involves looking at the birth certificate and driver license issuance processes at state vital records offices and departments of motor vehicles. All of this should lead to the third phase, methods for the verification of personal identity.

He noted that part of the solution his group has looked at involves selecting and training adjudicators, a new breed of notaries, who would be specially accredited and certified to be judges of identity documents. The verification process would involve gathering a combination of corroborative evidence and then using that evidence to confirm the claimed identity.
Verifying a person’s identity starts with what Whitehead calls the “identity resume.” This would be something akin to the document people use when applying for a job, said Whitehead. The resume should include a person’s origin: where he was born, the date he was born, his gender, the name he was born with, his parents’ names, basically his “primary attributes at birth,” said Whitehead. The individual would also have to confirm that the same identity has been used over a lifetime. “A lot of it contains unique events in a person’s life and it all has to be verifiable,” he said.

Whitehead said a system also has to be in place to detect symptoms of fraud and find out if the individual has ever used another identity. “For example if someone presents a passport and Social Security card but he has never had a birth certificate, that’s a symptom of fraud.”

Part of the identity vetting would be an in-person meeting to review the resume, Whitehead says. Without this, the identity verification job won’t get done. “There’s no way to escape having an in-person meeting,” he said. Verifying a person’s identity is a two-step process, he said. “If we can’t prove anything about a person or if his documents are fake, we ask that person to come back in again.”

While a purely electronic verification might make the process quicker, a human element is needed. “If in the course of adjudication, the adjudicator sees or hears something that explains why a person doesn’t have a birth certificate or birth record, he’s at liberty to say his other evidence mitigates this finding,” said Whitehead. A contraindications table, a checklist of what to look for or what has been observed, can aid in verifying a person’s identity, said Whitehead.
Some of the items on Whitehead’s table, things to look for that could be a symptom of fraud, include:
• Inadequate resume
• Applicant incoherent
• No SSN
• Origins unknown
• Poor or no knowledge of places lived
• No contact disclosures
• Uncooperative/hostile attitude
• No documents tendered
• No picture ID

“At the end of the day what we are advocating is binding the person in some way to a verified identity,” added Whitehead.
Advisory Committee: ‘Comprehensive ID management’ needed in U.S.

The President’s National Security Telecommunications Advisory Committee has released a report calling for changes in identity management in the U.S. The committee is part of the U.S. Department of Homeland Security and advises the president on national security and emergency preparedness telecommunications. “A need has emerged for a national, comprehensive identity management strategy that would recognize and protect the roles and interests of private citizens and commercial participants while enabling collaboration among key stakeholders,” the report states.

As the Internet is used more and more for communication there is a need to reliably identify individuals, and therefore a need for a federation of interoperable ID management systems. “Such a federation of interoperable ID management processes would enhance identity trust, awareness and education among end users, providers and devices. This federation would strengthen trust relationships and enhance the nation’s security.” The federated model would involve three characteristics: interoperability; Trust Anchors, those who verify identities; and choice-based participation.

The committee made three recommendations to the president:

• Demonstrate national leadership in ID management to influence the national culture, attitude, and opinion. “Successful development and implementation of a national ID management vision and strategy requires national commitment across Government, industry, and individuals dependent on cyber applications.”

• Charter a national ID management office, with appointed and dedicated leadership, in the Executive Office of the President. “This office must have powers to integrate and harmonize national ID management policies and processes, including those related to law enforcement and security, as well as physical and logical access controls. This office should seek active private sector participation in developing such policies and processes in order to succeed and to ensure that successful solutions are shared with the private sector, as appropriate.”

• Direct the new office to develop a coordinated agenda to implement a comprehensive ID management vision and strategy addressing four component areas, specifically: government organization and coordination; public-private ID management programs; policy and legislative coordination; and national privacy and civil liberties culture.

Because no existing government office or organization is engaged in all areas and issues across the total scope of ID management, a new approach is required to harness the expertise and interests across all areas.
CARTES event brings world’s ID community to Paris for top notch education and expo

CARTES and IDentification Congress 2009, featuring 1,500 delegates, 240 speakers and 20,000 visitors, will take place in Paris, Nov. 17 through Nov. 19 at the Paris-Nord Villepinte. The 24th edition of CARTES has also added four new areas in addition to the return of most of its normal standbys. Not to be overlooked, however, are the Sesames Awards presentations that always occur on the eve of the CARTES show. From an original 309 applicants and 34 finalists, ten winners will be announced on Nov. 16. Opening CARTES on Nov. 17 will be the World Card Summit, which will bring together leading directors from the card and identification markets. Throughout the three-day event there will be 15 card and ID programs, some a full day, others a half day.

CARTES’ four new offerings include:

Payment in Emerging Countries (Nov. 17)
Mobile banking holds promise for developing countries since cell phones outnumber payment cards by a large margin. This session will look at some of the success factors needed to create a sustainable system, including the right business model, ease of use, reliability, legality and security.

Prepaid in Motion (Nov. 18)
This half-day session will look at prepaid cards and whether they represent the new market opportunity for payment cards. Besides increasing usage as gift cards, prepaids are also being used to provide social benefits and insurance and as a method to reach the under-banked.

Banking, leader or outsider? (Nov. 18)
How are the different players in this market positioning themselves due to the emergence of new contactless and NFC payment methods? In addition, the gradual implementation of the Single Euro Payments Area is opening up the payments market to competition, allowing an even broader range of players, including telecommunications companies and retailers.

Transactions at Point-of-Sale (Nov. 19)
How do you assure merchants and customers that a POS terminal is accurate and secure, that customers don’t have to worry about their data being hacked and that merchants are complying with PCI requirements? Finally, will savings from fraud prevention justify additional security costs?

Here is the rest of the CARTES show agenda:

Nov. 17

Cards and Payments 2009
Delve into contactless payments, its progress and pilots and what has been learned from them. Are users ready for the transition? Are current technology and security measures enough? And what do you need to manage a large rollout?

Multi-Applications
Look at recent technological advances in cards that have made it possible to host several applications on a single chip regardless of form factor. This makes it possible to offer cardholders numerous services in both contactless and mobile areas.

Back to Basics
Consider globalization, new trends in payment card issuance, fundamentals of Java Card technology and PayFair, the new European payment plan.

Data Protection
Explore the techniques and strategies to mitigate both the risks and consequences of data security and privacy breaches. Topics include the latest security research, key management, best practices, secure network infrastructures and responsible disclosure.

NFC Forum Conference
Learn about the forum’s latest activities and plans regarding NFC technology, certification and projects currently underway.

Xiring Conference
Explore strong authentication solutions for e-banking & e-commerce, including securing remote transactions with home chip and PIN solutions. The session will cover the status of the technology and the benefits and implementations so far. It will also look at case studies from European banks that have successfully put a physical, easy-to-use, and dedicated security device in the hands of their customers.

Nov. 18 and Nov. 19

Mobile Money Services: Can I pay with my mobile?
Look at pilot results that confirm mobile payments will be the next feature demanded by consumers. How will consumers prefer to pay at traditional retailers? How about payments in the virtual world, which is also moving to the mobile space? What’s required to get banks more involved?

Convergence
Explore convergence and collaboration. Both mobility and identity are influencing the development of smart card products and will continue to do so over the next five years. Due to the challenges faced by the use of numerous new technologies and their large scale rollouts, the need for cooperation between issuers, service operators, technology suppliers and lawmakers/regulators has greatly accelerated.

SIM Power
Consider the technological advances of SIM cards. The microprocessors offer more functions and support more applications than ever before and are forming the hub of a new generation of converged services and applications. The presentations will highlight the increasing role played by SIMs in provisioning and securing personalized access to networks and will also review the latest innovations, such as Smart Card Web Server and Mobile NFC.

Citizen ID
Look at citizen identity programs that are driving innovation with national ID programs, e-passports, driver licenses, health ID cards and first responder credentials. This increased demand has moved secure identity credentialing into the mainstream of chip technology. This session will also highlight the advances in citizen ID programs from around the globe.

NFC and Contactless
Take a customer-focused approach and look at why contactless and NFC have been so successful in other regions, such as Japan and Asia. Explore what can be done to replicate that success globally and who is needed to kick start this process, as waiting for a perfect ecosystem to manifest itself doesn’t appear to be working.

Loyalty Gift Cards and Co-Branding
Explore why loyalty programs have usually thrived in a recession and how the combination of new technology, changing laws and global brands are about to make the loyalty industry a safe bet for the future.

Card and Security
Address major card security themes and look at threats, vulnerabilities and the roles of the smart card and other form factors, such as USB tokens and NFC phones.
Education tops priority list as Smart Card Alliance industry councils look to next year

The Smart Card Alliance’s councils are gearing up for 2010, intending to review some of the key issues affecting their various sectors and taking a more proactive approach in education. In most cases, the councils have also announced new officers. Here’s a capsule review of each council’s accomplishments this year and, if available, their plans for 2010.

Contactless and Mobile Payments Council

This council has placed education about the security benefits of chip card technology and its capability at reducing fraud in the U.S. payments industry at the top of its priority list for 2010. It has already published a position paper, “End-to-End Encryption and Chip Cards in the U.S. Payments Industry,” which proposes using such cards to protect cardholder data and reduce fraud. With contactless cards and acceptance terminals already deployed in the U.S., the paper discusses the fraud-reducing benefits of contactless chip cards, including the use of a cryptogram with each transaction to help complicate the use of counterfeited cards. “This position paper was a success in bringing to light the security advantages of contactless chip cards, and how they can be used with the current acceptance infrastructure to reduce fraud,” said the new council chair, Charles Walton, INSIDE Contactless. “Our priority for the upcoming year is to keep this discussion active, and to delve more deeply into the subject and provide further resources.”

This year, the council also developed several educational resources on contactless and NFC payments, including a series of white papers: “What Makes a Smart Card Secure?”, “Issuer and Merchant Best Practices: Promoting Contactless Payments Usage and Acceptance”, and “Security of Proximity Mobile Payments.” The council’s new officers, in addition to Walton, are Ron Pinkus, Giesecke & Devrient, vice chair and James F. Lock III, JPMorgan Chase, secretary.

Identity Council

The council plans to turn its attention to cybersecurity and health care identity in 2010, while continuing its work to educate and make identity and credentialing recommendations for corporate enterprise, health care and state and local governments. “With the Obama administration making cybersecurity a priority, this is clearly an issue to which we will be paying close attention,” said new Identity Council chair Neville Pattinson, vice president of government affairs and standards at Gemalto. “As the administration builds a comprehensive national security strategy, we hope to help by educating on the use of technology to securely authenticate individuals on the Internet.”

In 2009, the Identity Council collaborated with the Smart Card Alliance’s Health Care Council on a number of projects, including a National Press Club briefing in Washington DC to raise awareness of the importance of privacy, access and identity in healthcare reform. The two Councils also collaborated on the brief, “Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems.”

Other resources published by the Identity Council this year included: “ePassport Frequently Asked Questions”; “Privacy, Identity, and the Use of RFID and RF-Enabled Smart Card Technology – A Smart Card Alliance Brief for State and Local Governments”; “Emergency Response Official Credentials: An Approach to Attain Trust in Credentials across Multiple Jurisdictions for Disaster Response and Recovery”; and “Using FIPS 201 and the PIV Card for the Corporate Enterprise.” Joining Pattinson as council officers are John McKeon, IBM, vice chair and Sal D’Agostino, IDmachines, secretary.

Health Care Council

In addition to its work with the Identity Council on health care identity management, the council also produced white papers or briefs on “Smart Card Technology in Healthcare FAQ”; “Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems”; and “A Healthcare CFO’s Guide to Smart Card Technology and Applications.” The council officers are Paul Contino, Mount Sinai Medical Center, chair and Mike Magrath, Gemalto, secretary.

Physical Access Council

Education on next generation physical access control systems will be the council’s focus for 2010. “Many government agencies are in critical stages of their implementation of new physical access control systems to meet the government mandate,” said new council Chair Lars Suneborn, Hirsch Electronics. “Our goal for the upcoming year is to provide educational resources that will move them over their implementation hurdles and towards success.”

To help accomplish that goal, the council hosted an October workshop, “Smart Cards and Next Generation Physical Access Control Systems (PACS).” The Council this year participated in industry events such as ISC West and ASIS, providing comments on government specifications and issuing recommendations on technology and credentialing for the air transport industry and emergency first responders. New officers include Suneborn, Bob Merkert, SCM Microsystems, vice chair and Sal D’Agostino, IDmachines, secretary.

Transportation Council

The Transportation Council members were major participants at the 2009 Payments Councils Summit held earlier this year in Salt Lake City, Utah. The summit coincided with the launching of Utah Transit’s system-wide contactless electronic fare collection system that accepts third party paid passes and contactless credit and debit cards from American Express, Discover, MasterCard and Visa.

“We are seeing more transit agencies understanding the security and convenience that accepting contactless credit and debit cards directly as fare payment brings to travelers,” said new council Chair Craig Roberts, Utah Transit Authority. “These kinds of open transit fare collection systems that integrate payment and transit systems are paving the way for new kinds of technologies.” The Transportation Council has published three white papers: “Transit Payment System Security”; “Serving Unbanked Consumers in the Transit Industry with Prepaid Cards”; and “Co-Branded Multi-Application Contactless Cards for Transit and Financial Payment.” Currently two new white papers are in process, a prepaid implementation guide and one to help agencies evaluate the cost impact of alternative automated fare collection models. New officers, in addition to Roberts, are Jerry Kane, Southeastern Pennsylvania Transportation Authority, vice chair, transit, and Ian Newberg, Parkeon, vice chair, parking. All of the white papers and other information about the alliance’s councils can be accessed at www.smartcardalliance.org.
Become a Certified Smart Card Industry Professional

About CSCIP
Professionals now have the opportunity to increase their industry knowledge, sharpen their professional skills, and take charge of their personal professional development. A CSCIP certification means you have passed a rigorous, comprehensive smart card technology and applied business applications education program and gained recognition as a certified smart card industry professional.

Join LEAP and make the SMART career move
LEAP is an individual membership option offered by the Smart Card Alliance that offers exclusive industry knowledge, professional networking, and access to the only accreditation program (CSCIP) available for smart card industry professionals. LEAP is available to everyone, with special discounts offered to Alliance members. For more information, visit http://www.smartcardalliance.org/pages/activities-leap.

Next test date: October 30, 2009
The next CSCIP in-person exam will be at the Washington DC Convention Center, as part of the 8th Annual Smart Cards in Government Conference. Visit the LEAP web site for future exam locations and dates in 2010.

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. http://www.smartcardalliance.org.
Voice biometrics: Using speech for access Voice biometrics doesn’t receive the same level of attention as other modalities, but it has unique benefits the others cannot match. Chief among these is its ability to enable remote authentication over the telephone. This phone-centric model means it doesn’t require any additional hardware, and geographic proximity is irrelevant. Considering that call centers dedicate 12% of call duration to confirming a customer’s identity, it makes sense that any solution that expedites authentication and increases security would be crucial. This is the core of the voice opportunity.
Voice biometric authentication works by detecting an individual’s unique pitch, tone, and volume, according to a report from the SANS Institute. Several factors contribute to an individual’s voice: the size and shape of the mouth, throat, nose, and teeth, and the size, shape and tension of the vocal chords. The chance that all of these are exactly the same in any two people is low. The manner of vocalizing further distinguishes a person’s speech: how the muscles are used in the lips, tongue and jaw.
Mobile communications provider Vodafone Turkey rolled out its Voice Identification Service powered by the VocalPassword solution from PerSay. The service makes a spoken pass phrase a universal identifier for customer support, enabling customers to avoid having to remember multiple PINs or undergo a cumbersome and costly manual authentication process. The system was integrated with Vodafone’s Voice Portal Platform, enabling secure self-service applications such as GSM Personal Unlocking Key reset.
While there are many different voice biometric vendors, the systems typically work in a similar manner. The user undergoes a two-factor authentication, identified with ID number or PIN and then authenticated by having him speak a phrase or password.
The primary driver for Vodafone Turkey in implementing a voice verification system was to provide customers with an even better experience while trying to safeguard their privacy.
Voice biometrics may be poised for some big gains, according to a report from Opus Research. In 2009 the firm predicted $139.5 million in sales for the market but it expects that to jump to $225.8 million in 2010. Research and Markets predicts that voice biometrics poised to move from pilot projects to full-scale deployments. The focus of using the technology is also shifting, the firm states. The use of voice biometrics was focused on fraud prevention, but it is shifting to improving the user experience and shortening the time it takes to authenticate over the phone.
Voice biometric market 2007 - $107 million 2008 - $116.1 million 2009 - $139.4 million 2010 - $225.8 million 2011 - $260.1 million Source: Opus Research
62
Winter 2009
A host of other applications for voice biometrics demonstrate that it can be used in just about any environment, such as:

• At the New York Town Manor, a residential community in Pennsylvania, voice is used to help senior citizens access apartments and other areas.
• Union Pacific Railroad uses voice biometrics to enable customers to release empty rail cars. Customers enroll in the voice authentication system over the phone; they then only have to call back to release an empty rail car once their voice is authenticated.
• Bell Canada has deployed voice biometrics for employee technicians. Instead of using laptops to log in and access information on their next appointment, they use the phone to authenticate via voice biometrics and are then provided the relevant details.
• A common application for voice biometrics is password resets for financial institutions and corporations. Instead of having to speak with a representative, an employee or customer can be authenticated via voice and allowed to reset a locked or lost password.
• Financial institutions are also using voice for authentication when phoning a call center. This cuts down on the time it takes for verification when the customer speaks with the call center employee. National Australia Bank has deployed a voice system for its customers from Telstra and Salmat VeCommerce. Using the voice biometric functionality of VeSecure, once a caller has registered his unique voiceprint he simply needs to recite his individual account number to have his identity verified.
• The Larimer County, Colorado, Community Corrections department is using voice biometrics from Diphonics to authenticate defendants over the phone before providing them with pre-trial information, reporting schedules and electronic monitoring.

Layering security makes voice a truly powerful solution

Authentify has a voice biometric system that also ties a user to a computer network and telephone. For example, a user attempting to activate an account will receive a telephone call at a number retrieved from his existing account records. The phone call requires him to speak a confirmation pass code being displayed on his computer screen, and captures a voice recording.

This would make it difficult for a fraudster to take over the account. While the hacker might be able to get an account number, user name and password, he would not have access to the individual’s phone or voice.

The ramifications of this layering of security techniques are significant. Combining voice biometrics with speech recognition technology makes an extremely powerful solution that includes both the biometric authentication and a challenge and response opportunity. Rather than utilizing a static spoken password or phrase, speech recognition technology can enable a unique phrase to be presented at the time of a transaction. It is then checked for both content and biometric accuracy. This would thwart record and playback attacks against a voice biometric system.

It seems that there may be a growing future for voice biometrics. From a convenience perspective it can be a great solution for geographically dispersed authentication via existing hardware (telephones). From a security perspective, the technology has promise as well, especially when layered with other techniques such as speech recognition, caller ID and computer/network identification.
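The challenge-and-response layering described above, written out as an added example (this is illustrative code, not from Authentify or any vendor named in the article). It models the server side only: a fresh phrase is issued per transaction, and the response is accepted only if the speech recognizer's transcript matches that phrase and the speaker-verification engine's score clears a threshold. The word list, the 60-second validity window, the 0.80 score threshold and the `transcript`/`speaker_score` inputs are all assumptions standing in for the vendor engines; the point shown is that a recording captured in one session cannot satisfy the phrase issued in the next.

```python
import re
import secrets
import time

# Constructed word list for one-time spoken challenges (assumption: a real
# deployment would use a larger vocabulary tuned for the speech recognizer).
WORDS = ["river", "copper", "lantern", "maple", "orbit", "saddle",
         "velvet", "harbor", "timber", "signal", "meadow", "granite"]

CHALLENGE_TTL = 60.0      # seconds a spoken challenge stays valid (assumed)
SPEAKER_THRESHOLD = 0.80  # hypothetical score the voice engine must reach


def normalize(text):
    """Lower-case, drop punctuation and collapse whitespace so the recognizer's
    transcript can be compared with the phrase that was issued."""
    return " ".join(re.sub(r"[^a-z ]", " ", text.lower()).split())


class VoiceChallengeServer:
    """Issues a fresh phrase per transaction and checks the response for both
    content (speech recognition) and speaker identity (voice biometric)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # session id -> (phrase, issued_at)
        self._used = set()       # every phrase ever issued; never reissued

    def issue_challenge(self, session_id):
        # Draw until the phrase has never been issued before, so a recording
        # of any earlier session can never match a later challenge.
        while True:
            phrase = " ".join(secrets.choice(WORDS) for _ in range(4))
            if phrase not in self._used:
                break
        self._used.add(phrase)
        self._pending[session_id] = (phrase, self._now())
        return phrase

    def verify(self, session_id, transcript, speaker_score):
        """transcript: what the speech recognizer heard; speaker_score: 0..1
        similarity to the enrolled voiceprint (both assumed to come from the
        vendor engines). Returns (accepted, reason)."""
        entry = self._pending.pop(session_id, None)  # one attempt per challenge
        if entry is None:
            return False, "no outstanding challenge"
        phrase, issued_at = entry
        if self._now() - issued_at > CHALLENGE_TTL:
            return False, "challenge expired"
        if normalize(transcript) != phrase:
            return False, "content mismatch"         # replayed or wrong phrase
        if speaker_score < SPEAKER_THRESHOLD:
            return False, "speaker mismatch"         # right words, wrong voice
        return True, "ok"


if __name__ == "__main__":
    server = VoiceChallengeServer()
    phrase = server.issue_challenge("demo")
    print("say:", phrase)
    print(server.verify("demo", phrase, 0.93))
```

The order of the checks matters for the failure mode the article names: a played-back recording fails on content before its voice is even scored, and a challenge is consumed on first use so the same session cannot be retried with a better recording.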
NFC and social media applications
It’s more than just payments

A new NFC technology coming out of Finland will enable individuals, by touching their phone to a tag, to let Facebook friends know where they are. Called Hot in the City, or HIC for short, it is the world’s first phone-operated NFC technology solution for social media, says its inventor, Tuomo Tuikka, senior research scientist for the non-profit VTT Technical Research Center in Oulu, Finland.

The name came from the original use of this system, says Tuikka. “We thought that restaurants would be the first obvious place for you to see where your friends are, then you know that is the best place to go. The name stuck, and we never really tried to rename the service even though we realized the connection with Billy Idol’s song,” he adds.

The idea came about in early 2008, says Tuikka. His team started experimenting to connect NFC phones to Facebook. In April 2009 the effort took first place honors in the research track of NFC Forum’s Global Competition. He is now seeking to patent the new technology and find investors.

Tuikka believes his social media solution for NFC phones may be the third cornerstone for NFC. “If you follow the media on NFC, everybody talks about payments and ticketing, which are considered the killer apps for NFC,” he says. “The third one was social media solutions.”

Hot in the City is composed of four components: an application for use in NFC-enabled mobile phones, a back-end service operated on VTT’s server in Finland, a Facebook application front-end available from the social media network or the Hot in the City site (hic.vtt.fi), and a Web portal.

While Facebook is currently the only social site offering Hot in the City connectivity, Tuikka thinks it could work just as well at other social networking sites. “Our service could be interoperable with any open social media platform,” he says.

The lack of optimized peer to peer communication can “make connection a bit troublesome,” says Tuikka. Next generation NFC phones should improve on this, particularly when NFC Forum standards are developed. “Usability is the first issue to tackle during the pilots this autumn. The more feedback and platform experience we get the better the system will be.”

Since Hot in the City is run from a server in Oulu, Finland, users also may experience longer than normal response times, says Tuikka. And, because it’s still relatively new, he estimates that users number just in the hundreds.

Event tags

“Hot in the City lets you create tags for events and locations,” says Tuikka. The tags cost around 1 Euro (about $1.50) apiece. For example, you create a tag at your workplace using the application on your phone, touch your NFC phone to it and your friends know you’re at work. When you leave, you touch your phone to the tag again and essentially you log out of your workplace. You get to a restaurant and create another tag giving the name of the restaurant, touch your phone to that newly-created tag, and your friends are notified you’re at the restaurant. This same information is also sent to your Facebook page, so someone on a computer at the Facebook site can also view your location.

Tuikka points out that Hot in the City is different from connecting with a friend virtually via Facebook. By bringing two NFC phones together, individuals can automatically add friends to their Facebook page. Individuals can probably even poke friends, if they want. “Here with two phones coming together, you’re actually meeting someone in person,” he says.
[Figure: courthouse sensor placement diagram. Legend: In-Ceiling Sensor, Under-Desk Sensor]
RFID enables courts, law firms to track files

In courthouses and law firms keeping track of records can be a hassle. Who checked them out? Did they sign them back in? The amount of time it can take to locate a missing record eats up valuable resources.

Courts and law firms around the country are looking to RFID to keep track of files. Some of the systems are more elaborate than others, says Tom Pemberton with San Jose, Calif.-based FileTrail Inc. Some deploy RFID systems that can track a file in transit, while others track who checked it out and when it occurred. Often handheld devices are used to track missing files.

The biggest savings from the systems is in the time saved by personnel. Files are automatically tracked as they move to each new location. To find a missing case file the staff member logs in to a Web-based system and enters the search parameters. The system then tracks the file and displays its current location.

Clerks at the St. Charles County Courts in Missouri were spending hours trying to track down files in the 13-courtroom, five-floor courthouse. “In the old days, finding files meant walking floor-to-floor and desk-to-desk, every day, sometimes several times in the same day,” says Stacy Phillips, criminal supervisor with the county. “We would routinely have ten clerks looking for a file for two hours or more. That was a big waste of money.”

One of the main requirements for St. Charles was no human intervention, says Roger Steele, network administrator at the courthouse. “We didn’t want a scanning task — not even stopping to use a scan-pad. FileTrail tracks the location of every file without changing the tasks our staff must do each day.”

This required deploying more than 100 RFID sensors throughout the courthouse. Every clerk’s desk, the courtrooms and judges’ chambers as well as exits and entries are equipped with sensors.

Each file is outfitted with an EPC Gen Two tag, which is entered into the system along with the name of the file. The tags can typically be read from six to eight feet but have been picked up from as far away as 12 feet, says Pemberton.

If the clerk is having trouble finding the file with the deployed sensors there is a handheld unit that can be used to track files. “From the beginning, the portable FileDetector has had a huge impact,” says Cindy Syberg, chief deputy clerk for the courthouse. “We had one file that had been lost for six months — we found it within a matter of minutes with the FileDetector about four feet from where it should have been in our filing system.”

“In another case, we were looking for a file that FileTrail said was in a judge’s chambers but no one could find it,” says Syberg. “The FileDetector found it for us in minutes. It was completely hidden under a stack of papers on the floor where no one would have ever seen it, nor looked for it.”

Some law firms are considering RFID as a replacement to bar codes in the legal field, Pemberton says. In the past a lawyer or secretary would check out a file and the bar code would be scanned. With RFID the user doesn’t necessarily have to stop and do anything to take the file.
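The "last seen" logic behind a passive file-tracking system like the one described above, as an added example (illustrative code, not FileTrail's product). Fixed sensors report tag reads; the system keeps the most recent read per tag, answers a location query by case name, and produces the list a clerk would want before reaching for a handheld: files whose last read was at an exit, or files not seen by any sensor for a configurable period. Sensor ids, zone names, tag ids, case names, read timestamps and the four-hour staleness window are all constructed for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Read = namedtuple("Read", "tag sensor ts")

# Constructed sensor map: sensor id -> (zone name, sensor sits at an exit)
SENSORS = {
    "S-101": ("Clerk desk 1, floor 2", False),
    "S-205": ("Courtroom 5, floor 3", False),
    "S-310": ("Judge's chambers, floor 3", False),
    "S-EXIT": ("Main exit, floor 1", True),
}

# Constructed file register: EPC tag id -> case file name
FILES = {
    "TAG-0001": "State v. Doe",
    "TAG-0002": "In re Estate of Roe",
    "TAG-0003": "County v. Acme Corp",
}

# Constructed sensor reads, deliberately not in time order: sensors report
# independently, so the tracker must not trust arrival order.
SAMPLE_READS = [
    ("TAG-0001", "S-101", "2009-11-02T08:05:00"),
    ("TAG-0001", "S-310", "2009-11-02T10:40:00"),
    ("TAG-0002", "S-205", "2009-11-02T09:15:00"),
    ("TAG-0002", "S-EXIT", "2009-11-02T11:02:00"),
    ("TAG-0003", "S-101", "2009-11-01T16:30:00"),
    ("TAG-0001", "S-205", "2009-11-02T09:30:00"),  # arrives late but is older
]


def parse_reads(rows):
    """Turn (tag, sensor, ISO timestamp) rows into Read records."""
    return [Read(t, s, datetime.fromisoformat(ts)) for t, s, ts in rows]


def latest_reads(reads):
    """Most recent read per tag, independent of the order reads arrived in."""
    latest = {}
    for r in reads:
        prev = latest.get(r.tag)
        if prev is None or r.ts > prev.ts:
            latest[r.tag] = r
    return latest


def zone_of(sensor_id):
    """Zone name and exit flag for a sensor; unknown sensors are named, not dropped."""
    return SENSORS.get(sensor_id, ("unknown sensor " + sensor_id, False))


def locate(reads, case_name):
    """Answer the clerk's query: (zone, ISO timestamp of last read) or None."""
    tag = next((t for t, n in FILES.items() if n == case_name), None)
    if tag is None:
        return None
    r = latest_reads(reads).get(tag)
    if r is None:
        return None
    return zone_of(r.sensor)[0], r.ts.isoformat()


def flag_files(reads, now, stale_after=timedelta(hours=4)):
    """Files to sweep for with a handheld: last seen at an exit sensor, or not
    seen by any fixed sensor within stale_after. now may be a datetime or an
    ISO string. Returns {tag: reason}."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    flagged = {}
    for tag, r in latest_reads(reads).items():
        zone, is_exit = zone_of(r.sensor)
        if is_exit:
            flagged[tag] = "left via " + zone
        elif now - r.ts > stale_after:
            flagged[tag] = "not seen since %s at %s" % (r.ts.isoformat(), zone)
    return flagged


if __name__ == "__main__":
    reads = parse_reads(SAMPLE_READS)
    print(locate(reads, "State v. Doe"))
    for tag, why in flag_files(reads, "2009-11-02T12:00:00").items():
        print(FILES[tag], "->", why)
```

Keeping every read rather than only the latest state is the better design in practice, since the full read history is what answers "who had it, and when" after a file goes missing; the example keeps the list and derives the latest state from it for that reason.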
Test shows iris interoperability
Zack Martin, Editor, AVISIAN Publications

The Biometric Consortium Conference is a good place to catch up on the latest developments and get some hands-on experience with the latest technology. Iris biometrics has always fascinated me. At my first Biometric Consortium Conference in 2002 I tested an iris camera that required me to be within an inch or so to get it to work properly. The technology has since come a long way and you can now authenticate from many feet away.

The lack of standards plagued the iris industry. Iridian, now owned by L-1 Identity Solutions, owned the patent on the biometric templates. But the patent has expired, enabling others to enter the market. At the conference this year I tested an interoperable solution with three different iris vendors. Unisys coordinated the test to show that iris solutions from multiple vendors could be used for one implementation. The U.S. Department of Homeland Security’s US VISIT program contracted Unisys for the project.

The demonstration incorporated iris detection and identification solutions from three vendors: LG Iris, AOptix, and Global Rainmakers Inc. At the conference the system was set up over a traditional WiFi network so the different vendors and booths could communicate.

I enrolled at the Unisys booth using the LG Iris IrisAccess iCAM4000. It was simple enough. I took my glasses off and was about a foot or so away from the camera where it enrolled both my irises and took a not-so-flattering photo.

From there I went to Global Rainmakers Inc. to be verified by its HBOX. This one was easy, yet confusing at the same time. You walked through an entry way and there was a video monitor, but at first I wasn’t sure where to look, how fast to walk or whether I’d been verified. After I was shown where the camera was, however, it was simple to use. Next it was on to the LG booth to be verified by the LG Iris iCAM H100 handheld prototype. This was a small device, the size of a large PDA, that verified me from about a foot or so away. The last stop was AOptix for verification on its InSight sensor. This demonstrated iris identification from a distance of more than six feet. I walked up to the camera, stood in a box and waited for it to give me a green light before proceeding on. The verification took a couple of seconds and successfully identified me from my original enrolled iris biometric template.

Iris has a lot of potential because it’s capable of recognizing individuals from a distance, nullifying a lot of the hygienic concerns that people have with fingerprints. It also has the potential, whether you like it or not, to be used for non-intrusive or surreptitious identification. Demonstrating that the technology can work with multiple vendors could be a boon for the market.

For me, I was just happy to not have to stick my eyes in the reader like I did back in ’02. You can see a video of the demonstration at ThirdFactor.com along with my interview with Bryan Ichikawa, vice president of the Identity Solutions Group at Unisys, about the test.
The Original Multi-Technology Readers
125 kHz PROX
13.56 MHz SMART FIPS 201 PIV II US GSA APL
The Most Versatile, Secure Readers in the Industry
To learn more please visit: www.xceedid.com Copyright © 2007, XceedID Corporation. All rights reserved. XceedID, XACTT, and ISO-X are registered trademarks of XceedID Corporation.
I want... company-wide security that’s reliable and future-proof.
HID innovates reliable solutions... to bridge the gap between security and convenience. With more than 300 million customers using our secure credentials, we take our position as trusted industry leader seriously. Our commitment to customers is to ensure that their demanding security needs are met now and in the future.
Find reliable and future-proof solutions, visit hidglobal.com/reliability