44 A SURVEY OF ID TECHNOLOGY - WINTER 2015 - ISSUE 44
Protecting kids’ online identities
Clear IDs resurrected at airports, stadiums
Cities issuing municipal IDs
The DNA for future identity is in your wallet: digital identity providers leverage in-person vetting from real world IDs
CONTENTS

Cover Story: Wallet holds DNA for digital ID (page 22)
In the “real world” there are plenty of ways to assert an identity. There is no equivalent in the digital world: identities are self-asserted and vetting is questionable at best. This is changing, however, as digital identity providers are realizing they can piggyback on the in-person vetting done by driver license, passport, registered traveler, bank card and other issuers.

Protecting kids’ online identities (page 28)
Apps and games can be educational for children, but care must be taken to protect them online. New initiatives are changing the way we protect kids’ identities, ensure age verification and promote parental consent.

Clear IDs resurrected at airports, stadiums (page 48)
The registered traveler program that made headlines a decade ago has been reborn. Today, Clear cards are being accepted at more than a dozen airports and are also easing access at Major League Baseball stadiums from New York to San Francisco.

Municipal governments issuing IDs (page 52)
Municipal ID card programs are helping local governments enable and control access to city services. Residents that can’t obtain traditional IDs are using the city-issued cards to open bank accounts, visit food banks, check into health clinics and more.

8 Securing cyberspace with your wallet: Driver licenses, passports, bank cards powering new gen of digital ID
ID Shorts: News and posts from the web
22 The DNA for future identity is in your wallet: As driver licenses, passports and bank cards enable the virtual, is secure identity within reach?
28 The challenge of protecting kids’ online identities
Children’s protection initiatives
Student data mining scrutinized
32 Evaluating card durability: Industry standard test procedures help issuers achieve the ultimate ’10-year credential’
34 Dual-interface cards deliver on promise of flexibility: With both contact and contactless on board, the cards are finding favor with a host of global issuers
Contactless 2.0: Latest generation chips are bigger, faster. Biometrics, new apps require more memory and faster data transfer
What’s the contactless frequency, Kenneth?
Contactless flavors
EEPROM vs. Flash memory
Three new pilots join NSTIC ranks: Initiatives focus on health care, state government and the IoT
NSTIC pilot: Galois – Creating secure data storage and access for the IoT
NSTIC pilot: HealthIDx – Providing federated identity in health care
NSTIC pilot: MorphoTrust – Stop fraudulent state tax returns
Five honored in 2015 Women in Biometric Identity Awards
Janice Kephart, Kimberly A. Mills, Celeste Thomasson, Cathy Tilton, Patricia Wolfhope
48 Resurrected CLEAR expediting entry at airports, stadiums
50 The challenges of airport entry and exit in the U.S.
52 Municipalities launch city-issued resident ID cards: Credentials enable and control access to local services
re:ID National eID Series: Middle East packs a punch despite small issuance
UAE eID brings gov and payments
64 Preserving privacy in the IoT
66 Ticketless, cashless Lolla: NFC wristbands replace tickets and cash at mega music fest
ABOUT
EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Autumn Cafiero Giusti, Gina Jordan, Kelsey Ward
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS
Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE
re:ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2015 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD
Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com
PERSPECTIVE
SECURING CYBERSPACE WITH YOUR WALLET
DRIVER LICENSES, PASSPORTS, BANK CARDS POWERING NEW GEN OF DIGITAL ID
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

Traditionally, physical credentials – e.g. ID cards – have been trusted but friction-laden due to the need to vet identity and issue in person. Digital or logical credentials – e.g. user names and passwords – have been low assurance but frictionless, as they were self-asserted and available for the asking.

We have long sought to bridge these two separate realms and merge the trust of physical IDs with the friction-free issuance of online logins. But we tried to do it in a vacuum – not reusing a credential we already have but rather reinventing a whole new one. Rather than build a bridge between the realms, we have tried to raise an entirely new landmass.

But I am starting to see a convergence. Companies are offering products that bridge physical, real world identity documents to digital credentials.

Imagine this scenario. In your hometown you drop by a convenient location, present some breeder documents and submit to a biometric or two. Following a thorough verification process, you are issued an easy-to-use digital credential that can be used to secure online access and, ultimately, virtually eliminate your risk of identity theft, IRS-style breaches and a host of other first-world plagues. Would you do it?

Now imagine that you already have “done it.” You have applied and enrolled. You just did not receive the magic credential at the end of the process. That is the case that a host of companies and initiatives are currently making. They say most of us have been securely vetted already, via DMVs, passport agencies, airline pre-check programs, cell phone carriers, utilities and financial institutions. Why, they ask, must we re-require in-person vetting if we can trust the vetting process done when these credentials were first issued?

Let’s look at the TSA’s PreCheck program, an expedited airport security-screening program where travelers undergo a background check and are able to get through security quicker. To date, the registered traveler program has enrolled 1.5 million individuals with breeder documents and biometrics. A few weeks after they are successfully vetted, participants are mailed a Known Traveler Number to use when booking flights so that boarding passes indicate expedited screening approval.

While the TSA isn’t in the digital identity business, why couldn’t that PreCheck attribute somehow be turned into digital form and used as a high-assurance credential? PreCheck could do a number of things to enable this. An email address could be bound to the vetted identity, stepped up and then used as a high-assurance credential in a federated scheme. Then, users could download an app to secure that high-assurance identity with the mobile device. It would require changes to PreCheck – and sure, some would be hesitant to use a credential from Homeland Security – but this is just an example of bridging physical to digital. I use PreCheck as an example because the in-person identity vetting infrastructure is in place.

Another possibility is the U.S. Post Office, which does the document reviews for passport applicants. It’s also the agency behind Connect.Gov, the service that will enable consumers to use existing credentials to access government web sites. Government officials have told me that the Post Office is gearing up to issue digital credentials, but the agency refused to comment.

As you will read in our cover story, other organizations are using the driver license or the financial account as the bridge from physical to digital. I don’t know if one of these will be the ultimate winner. Future consumers may have multiple options from which to choose. The point is that if we can rely on trusted in-person vetting processes that already exist – or better yet have already been completed – we don’t need to wait while a new bridge to digital identity is designed and constructed. We can start heading across now.
ID SHORTS
HIGHLIGHTS FROM SECUREIDNEWS.COM
BILL PROPOSES MEDICARE COMMON ACCESS CARD
Bills submitted in the U.S. House of Representatives and U.S. Senate propose a smart card pilot program for Medicare recipients. The bills call for a Medicare Common Access Card – taking its name from the smart card issued to Defense Department employees. If passed through Congress and signed into law, it would require the Department of Health and Human Services to initiate a smart card pilot for Medicare recipients.

The current Medicare identity card doesn’t have any real security features and displays an individual’s Social Security number. The Medicare Common Access Card Act would use smart card technology to keep personal information secure and give Medicare beneficiaries assurance that their billing is accurate. The goals of the pilot would be to:
- Increase the quality of care furnished to Medicare beneficiaries
- Improve the accuracy and efficiency in the billing for Medicare items and services
- Reduce the potential for identity theft and other unlawful use of Medicare beneficiary identifying information
- Reduce waste, fraud, and abuse in the Medicare program.

The bills also come on the heels of a GAO report that looked at using machine-readable technology for recipients in order to reduce fraud. It’s estimated that $60 billion each year is lost to waste, fraud and abuse in Medicare. Using a smart card would address the “pay and chase” system. Currently, the government pays Medicare reimbursements without first verifying the validity of the charges and then, if the charges prove to be fraudulent, attempts to track down those responsible.

The bills – H.R. 3220 submitted by Rep. Peter Roskam (R-Ill.) and S. 1871 submitted by Sen. Mark Kirk (R-Ill.) – have both been sent to committee for review. Co-sponsors include Sen. Marco Rubio (R-Fla.) and U.S. Rep. Earl Blumenauer (D-Ore.).
TURKEY TAPS GEMALTO FOR EPASSPORT COVERS
Gemalto is supplying its Sealys eCover for ePassports to Darphane, the Turkish Mint and Stamp Printing House. The company is already the provider for the Turkish personalization program, having deployed the Coesys Issuance solution for the country’s national authorities.

With this new contract, Gemalto now provides these Turkish authorities with a complete passport service. For Turkey’s 75 million citizens, electronic passports are issued for new applications as well as renewals. More than two million ePassports are issued each year. According to the multi-year agreement, Gemalto is providing its ICAO Common Criteria certified software, embedded in the passport inlay containing the secure microprocessor. Gemalto’s Sealys eTravel product embeds the ICAO compliant operating system and guarantees integration into Darphane’s ePassport processes.

WISCONSIN ROLLS OUT LASER ENGRAVED LICENSES VIA ENTRUST DATACARD
With a REAL ID deadline coming at the end of the year, many states are rolling out new driver licenses and making overall efforts to improve the security of the document and the processes. The Wisconsin Department of Transportation’s Division of Motor Vehicles started issuing new driver licenses and identification cards this fall. These new IDs are a polycarbonate card with a laser-engraved black and white photo.

Other security features include:
- A raised signature, date of birth, expiration date, driver license number and “Under 21 until” date that can easily be felt and are difficult to recreate
- UV ink highlights intricate Wisconsin artwork on front
- The “Under 21” is prominently displayed in red ink and printed in a vertical format
- Endorsements for commercial driving, including hazmat certification, are clearly noted.

CALENDAR

2015
DECEMBER
Gartner Identity & Access Management Summit, December 7 – 9, Caesars Palace, Las Vegas, Nev.

2016
FEBRUARY
RSA Conference, February 29 – March 4, Moscone Center, San Francisco, Calif.
MARCH
Connect ID, March 14 – 16, Walter E. Washington Convention Center, Washington, D.C.
APRIL
Smart Card Alliance Payments Summit, April 5 – 7, Loews Royal Pacific Resort, Orlando, Fla.
ISC West, April 6 – 8, Sands Expo, Las Vegas, Nev.
JUNE
Cloud Identity Summit, June 6 – 9, New Orleans Marriott, New Orleans, La.
The past three years have seen states make more changes to their IDs, says Kathleen Synstegaard, regional sales director at Entrust Datacard. “States are becoming more educated and the cost of secure documents has declined,” she explains. “Secure documents are becoming more competitive price wise with driver licenses.”

Entrust Datacard’s driver license projects span a range of delivery models, processes, and environments, working with 25 jurisdictions in a number of ways. The company offers a variety of card security and durability features, including laser engraving, color-printing technologies, and custom laminates that feature tamper evidence. One of the bigger developments has been states moving to polycarbonate, laser engraved card materials, like those being issued in Wisconsin, Colorado, Washington DC and several jurisdictions in Canada.

The use of polycarbonate and laser engraving also leads states to outsource the production of these cards to a central facility run by a third party, Synstegaard says. All the necessary data is sent to the third-party facility, cards are produced and then mailed out. The card printer then deletes all the personal data. A third party is necessary because the laser engraving card printers are expensive and it typically proves cost prohibitive to purchase the necessary equipment to run the card personalization systems, Synstegaard explains.

MORPHOTRAK EXCELS IN TATTOO RECOGNITION
MorphoTrak’s tattoo recognition algorithm placed first in the Tattoo Recognition Technology – Challenge (Tatt-C) evaluation conducted by the National Institute of Standards and Technology. Each trial examined an aspect of performance for an automated tattoo recognition solution. In the identification trials, the MorphoTrak algorithm successfully found different instances of the same tattoo on the same subject, collected over time. MorphoTrak also did well at finding a small region of interest within a larger tattoo, as well as determining whether an image contained a tattoo.

Tattoo images have traditionally been regarded as a soft biometric – that is, visual information that can be used to narrow down the range of candidates for identification but that cannot be used to explicitly identify an individual. Law enforcement organizations have been collecting tattoo images as long as they have been collecting mugshots, and while mugshots can now be submitted for automated searches using face recognition algorithms, tattoos are still categorized by text, in broad categories such as “Dragon” and “Skull.” The team that developed MorphoTrak’s tattoo recognition algorithm wants to help law enforcement make the transition from keyword search to automated search of tattoo images, much in the same way we now search for fingerprints and faces.
CARILLON RELEASES CERTIFICATE VALIDATION PROTOCOL SERVICE
Carillon Information Security announced that it now provides validation services for companies and government agencies looking for X.509 certificate path discovery and validation solutions. This service is launched to address the growing requirements of path validation for digital credentials that need to meet corporate and government standards. This new solution complies with directives set forth by the U.S. GSA and Federal Bridge PKI.

Server-based Certificate Validation Protocol (SCVP) has been available for many years and can manage complex path discovery and validation of certificate policies and digital credentials. From a practical standpoint, the SCVP client can query a central service and confirm the validity status of a certificate in real or near real-time. The platform enables organizations to choose who they wish to trust, and to manage that trust in a dynamic way across their entire organization.

With more regulatory requirements moving to mandate PKI-based digital credentials, the Pathfinder-SCVP is a form of Validation as a Service that enables organizations to demonstrate their compliance with these regulations. With this service, Carillon wants to enable companies to focus on using digital credentials they or their business partners already own, as opposed to trying to decipher the complexities of a specific policy and trying to determine the validity of the credential.
HID RELEASES BIOMETRIC, CONTACTLESS READER
HID Global announced that it has integrated the company’s Lumidigm biometric technology with its OMNIKEY contactless smart card readers to simplify identity validation for citizen ID and many financial, health care and other commercial applications. With the Lumidigm V-Series V371 fingerprint reader, program administrators can verify users’ identities by having them present a card, fingerprint or both to the reader. The solution is designed to streamline enrollment and transactions while preventing the use of fake fingerprints.

Originally designed for a national citizen ID program, the V371 can be used for any identity verification application where individuals enroll their fingerprint information onto a contactless card. Validation is accomplished by matching the individual’s fingerprint with his or her biometric data that was written to the card during enrollment.
CHURCHES USING FACIAL RECOGNITION SOFTWARE TO TRACK ATTENDANCE
Some Sunday worshipers are being tracked without ever signing an attendance book, thanks to facial recognition software designed especially for churches. Churchix is a tracking software that identifies people in videos and photos. Its main purpose is to measure attendance at an event, like Sunday morning services.

“Churchix processes each and every frame, and once a face is detected in a frame, Churchix runs a template generation process which turns the face into a template or vector which serves as a face representation,” says Moshe Greenshpan, founder and CEO of Churchix developer Face-Six. “Those vectors coming from the video are then compared against the faces represented in the database.”

The church enrolls members and adds their pictures to the database to enable automated attendance logging. The company reports 42 clients – mostly medium to large churches – using Churchix in the U.S. and worldwide. “Attendance to events and services is a key indicator on how a church performs in terms of popularity and growth. It also allows the church to keep a close connection to its members,” Greenshpan says. “Most churches already keep track of members’ attendance manually. However, when it comes to big events it is nearly an impossible task to track members. This is why Churchix is so useful.”

Greenshpan can’t say whether the churches tell parishioners they’re being videotaped or photographed. He says clients that use Churchix have so far declined to disclose their identity because they don’t want to be considered “privacy invaders.” “There’s no doubt using the technology makes some people uncomfortable,” Greenshpan says. “We tell privacy advocates that the real question here is should the church keep track of their members’ attendance, manually or otherwise? If not, then the problem is not about face recognition, which is only digitizing the registration process.”
FORGEROCK INITIATIVE TO ACCELERATE UMA ADOPTION
ForgeRock announced a new digital consent and privacy initiative, led alongside other open-source technology companies and experts, to accelerate developer adoption of the User-Managed Access (UMA) standard. ForgeRock will help spearhead the new Kantara Initiative UMA Developer Resources Work Group to release new open-source UMA implementation toolkits for web applications and the Internet of Things (IoT).

UMA, launched by the Kantara Initiative in 2009, is an OAuth-based protocol that gives a web user a single control point for authorizing who and what can get access to their online personal data. The UMA standard has already received support from government and health care organizations including the Government of New Zealand and Philips. ForgeRock’s forthcoming addition of OpenUMA support to the ForgeRock Identity Platform is designed to help deliver “Consent 2.0” experiences to customers and citizens who are increasingly concerned about their ability to manage their digital privacy. According to recent Pew Research, 91 percent of Americans agree or strongly agree that consumers have lost control over collection and use of personal information.

The UMA standard enables both consumer privacy scenarios and next-generation business authorization scenarios. For example, instead of making copies of a child’s healthcare records at the beginning of the school year and walking them into the school office where they will be “filed,” a parent could give the school access to the online record for one week at the start of the school year. Once the school confirms the child’s health status and vaccinations, access to the digital record can be revoked, eliminating the need to duplicate personal healthcare records and maintaining privacy. In a similar fashion, financial records can be shared with tax accountants and loan officers, and healthcare records can be shared with medical specialists. With UMA, individuals can grant access to digital records on a need-to-know basis and for only an appropriate length of time.

The new Kantara Initiative Work Group will provide free and open-source software for developers incorporating UMA enablement and protection into applications, services and devices. The software, which will be available in languages such as Java, C++ and Python, will make it easy to add interoperable authorization, access control, privacy and consent features to application ecosystems.
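The school-records scenario above describes three roles that UMA separates: the resource owner who sets the policy, an authorization server that issues a token only when the policy allows, and a resource server that releases nothing without an active token. The following Python sketch is an added example written for this page; it is not ForgeRock, Kantara or OpenUMA code and does not implement the UMA wire protocol. The class names, the "school" and "insurer" requesting parties, the "read"/"write" scopes, the record contents and the in-memory stores are all constructed for the illustration.

```python
"""UMA-style delegated, time-bounded consent, modelled in a single process.

Hypothetical illustration only: owner-set policy, token issued against that
policy, resource server that checks the token by introspection, and owner
revocation that kills tokens already handed out. Nothing here is a product API.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Owner's rule: which requesting party may get which scopes, until when."""
    resource_id: str
    requesting_party: str
    scopes: frozenset
    not_before: int    # unix seconds
    expires_at: int    # unix seconds


@dataclass
class AuthorizationServer:
    policies: list = field(default_factory=list)
    tokens: dict = field(default_factory=dict)   # rpt -> (resource_id, party, scopes, expires_at)
    revoked: set = field(default_factory=set)

    def register_policy(self, policy: Policy) -> None:
        self.policies.append(policy)

    def issue_rpt(self, resource_id, requesting_party, requested_scopes, now):
        """Return a requesting-party token if some owner policy covers the whole request, else None."""
        requested = frozenset(requested_scopes)
        for p in self.policies:
            if (p.resource_id == resource_id and p.requesting_party == requesting_party
                    and requested <= p.scopes and p.not_before <= now < p.expires_at):
                rpt = secrets.token_urlsafe(24)   # opaque, unguessable handle; claims stay server-side
                self.tokens[rpt] = (resource_id, requesting_party, requested, p.expires_at)
                return rpt
        return None

    def introspect(self, rpt, now):
        """Called by the resource server; returns the token's claims or None if not active."""
        claims = self.tokens.get(rpt)
        if claims is None or rpt in self.revoked or now >= claims[3]:
            return None
        return claims

    def revoke_for_party(self, resource_id, requesting_party):
        """Owner withdraws consent: drop the policy and invalidate outstanding tokens."""
        self.policies = [p for p in self.policies
                         if not (p.resource_id == resource_id and p.requesting_party == requesting_party)]
        for rpt, (rid, party, _, _) in self.tokens.items():
            if rid == resource_id and party == requesting_party:
                self.revoked.add(rpt)


@dataclass
class ResourceServer:
    authz: AuthorizationServer
    records: dict

    def read(self, resource_id, rpt, now):
        """Release the record only for an active token bound to this resource with 'read' scope."""
        claims = self.authz.introspect(rpt, now) if rpt else None
        if claims is None or claims[0] != resource_id or "read" not in claims[2]:
            return None
        return self.records[resource_id]


def school_scenario():
    """Walk through the one-week school consent from the text; returns each access outcome."""
    day = 86400
    t0 = 1_700_000_000                      # constructed start-of-school-year timestamp
    authz = AuthorizationServer()
    rs = ResourceServer(authz, {"child-health": "vaccinations: up to date"})
    # Parent (resource owner) grants the school read-only access for one week.
    authz.register_policy(Policy("child-health", "school", frozenset({"read"}), t0, t0 + 7 * day))
    rpt = authz.issue_rpt("child-health", "school", {"read"}, t0 + day)
    results = {
        "school_during_week": rs.read("child-health", rpt, t0 + 2 * day),
        "school_write_scope": authz.issue_rpt("child-health", "school", {"write"}, t0 + day),
        "stranger_no_policy": authz.issue_rpt("child-health", "insurer", {"read"}, t0 + day),
        "school_after_week": rs.read("child-health", rpt, t0 + 8 * day),
    }
    # Parent revokes early; the token the school already holds stops working at once.
    authz.revoke_for_party("child-health", "school")
    results["school_after_revocation"] = rs.read("child-health", rpt, t0 + 3 * day)
    return results


if __name__ == "__main__":
    for label, outcome in school_scenario().items():
        print(f"{label}: {outcome!r}")
```

The design point worth noting is that the resource server never evaluates policy itself; it asks the authorization server whether the presented token is still active, which is what lets the owner's revocation take effect immediately even for tokens issued earlier.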
WINDOWS HELLO ISN’T FOOLED BY IDENTICAL TWINS
At this point you’ve likely seen the commercial touting how a toddler won’t have to remember passwords but will be able to log in with a smile. This is all part of Windows Hello, the new identity and biometric system baked into Windows 10. The system will support face, finger and iris biometrics depending on the type of hardware available.

Facial recognition is becoming a popular option as some of the latest notebooks feature a RealSense camera made by Intel. The cameras are embedded above the display. The system uses three cameras – featuring an infra-red lens, a regular lens and a 3-D lens – and uses photographic analysis, heat detection and depth detection to decide who is at your computer display, according to a report in The Australian, which performed an interesting test with the system.

The author had great success using the facial recognition system but decided to test it with six sets of identical twins, varying in age, to see if it could spot the differences. For the experiment one of the twins registered into the system and interacted with it several times on a Lenovo Thinkpad Yoga 14. The other twin then attempted to use the same system to access the accounts. The system performed well and didn’t let any of the unauthorized twins in. At the same time the system sometimes didn’t grant the authorized twin access, but overall the system performed well in the small experiment.

Windows Hello will work with Microsoft Passport and enable users to use biometrics to log in to web sites as well.
IOWA LAUNCHES MOBILE DRIVER LICENSE PILOT
Iowa Department of Transportation employees have started using MorphoTrust mobile driver license software as part of a new pilot. MorphoTrust provides identity solutions to more than 80% of U.S. motor vehicle agencies, including Iowa, and has delivered a test version of the secure software to a group of Iowa DOT employees. This group will assess and validate the solution for use in situations where physical licenses are typically presented.

Users download an app after receiving an email to enroll. After entering the email address and PIN, the user takes a selfie, which is checked against the previously enrolled image at the DOT; the user is then able to use the mobile driver license.

The pilot will also test record updates to the customer record system with the changes rendered on the phone in real time. Information such as change of address, over/under 21-years-old status, organ donor status and change in driving status, endorsements or restrictions can be updated on the mobile driver license immediately. The DOT is referring to this as “liveness.” Information can be updated at any point on the document, including when an individual turns 21 and the document switches from the vertical format to the horizontal.

“The key behind this concept is to move away from the driver license being a physical thing,” says Mark Lowe, director of Iowa DOT’s Motor Vehicle Division. The pilot aims to create two-way customer interaction to access services, to receive service and to send information to third parties.

The MorphoTrust mobile driver license software carries the same level of trust as the physical driver license or state ID card. The mobile driver license software includes both visible and covert security features that are linked and layered in the digital image seen on screen. These features not only ensure a high level of security, they also enable the mobile driver license to be quickly and reliably authenticated when presented for identification purposes and protect against fraudulent reproduction.

In addition to PIN and fingerprint-based security features already built into phones used in the pilot, the mobile driver license app can be secured using MorphoTrust facial recognition unlock technologies, which require the user to take a selfie and use a custom PIN. In the future other abilities can also be added, including using wireless communication to share data, Lowe says. Bluetooth or NFC could be added in to share information with law enforcement or others.
SMARTRAC UNVEILS NEW PRE-LAMINATE SMARTRAC introduced its new SMARTLOOP PRELAM that offers benefits to manufacturers of ultra-high frequency eID documents. The benefits include extended read range with a very small antenna, minimal thickness of 100 to 250 micrometers and increased mechanical durability. These features also translate into less complexity, resulting in easier handling of the pre-laminates during eID document manufacturing processes.
The wire-embedded UHF PRELAM uses inductive coupling technology and consists of two components: the chip and chip loop on a thin carrier bonded via flip-chip assembly, and the wire-embedded antenna that is connected to the chip loop via inductive coupling. The absence of any intermetallic connection between chip and antenna is designed to make the chip more durable. To underline this, SMARTRAC is granting eID document manufacturers a 10-year warranty.
BOFA DEPLOYS FIDO FOR MOBILE ACCESS Bank of America joins other financial institutions in adding biometric access to its mobile app. The new update includes the introduction of fingerprint and Touch ID sign-in, the launch of an Apple Watch mobile banking app and the ability to add two-factor authentication for access.
The FIDO Alliance framework enables the addition of biometrics. The new fingerprint and Touch ID sign-in capabilities provide eligible Android, iPhone and iPad customers with a convenient way to log into the BofA mobile banking app using their fingerprint. This feature allows access to the most common functionality of the app without the additional need for a passcode. BofA also released a mobile banking app that is compatible with Apple Watch, allowing users to view account balances and recent transactions for their linked checking, savings, credit card and investment accounts, as well as receive real-time alerts and notifications on their wrist. Users can also opt in to an extra security feature that helps verify the customer’s identity with a one-time authorization code sent via text or email each time they sign in.
MORPHOTRAK LAUNCHES VIDEO ANALYTICS TOOL Morpho, through its U.S. subsidiary MorphoTrak, launched Morpho Video Investigator (MVI), its latest video analytics technology. MVI was developed in response to the need in law enforcement and intelligence communities for a way to quickly assess vast amounts of video for investigative purposes. While images and information of significant forensic value can be found in videos, the sheer volume of data makes extracting this information time-consuming and labor-intensive. Today, analysts and investigators face a daunting workload that has outpaced investigative resources. To meet the challenge, Morpho paired its facial recognition software with video analytics for motion, person and license plate recognition to create MVI. The purpose of MVI is to process and analyze large quantities of video data and provide actionable intelligence to investigators in a fraction of the time it takes with traditional methods. The embedded algorithms process video sequences by detecting, searching and reporting the depicted elements of interest. As MVI sorts through volumes of raw data, the video analyst can start a review based on the most relevant data, saving the time and effort normally spent watching the entire video. In this way, the analyst finds clues faster and is able to exploit them more quickly. Thanks to the collaborative case management tools embedded in MVI, multiple analysts can work on the same case simultaneously. MVI accelerates the analyst’s work of identifying suspected criminals, terrorists and other persons of interest across multiple video encounters.
GALLAGHER INSTALLING PIV SOLUTION AT WORLD TRADE CENTER Gallagher is in the process of installing its Personal Identity Verification (PIV) solution at two undisclosed federal agencies inside the World Trade Center. The agencies will be using PKI-based authentication technology that Gallagher has been leveraging in its devices for almost 20 years, says Brandy Sloan, Federal Business Development manager for Gallagher. Gallagher’s system performs PKI-based authentication without the need for additional encryption modules, “providing ease of installation, configuration, and maintenance,” Sloan says. Gallagher is partnering with eVigilant Security Inc. for its FICAM-compliant security installations. “The World Trade Center sites require end-to-end encryption that meets strict federal standards,” says Dave Einsig, vice president of Sales and Marketing for eVigilant. Gallagher touts its PIV solution as the only enterprise-wide physical access control, integrated alarm, and perimeter security system from a single manufacturer on the GSA Approved Products List. “Secure authentication and encryption between all system components is standard with upgradeable field hardware, thus future-proofing Gallagher hardware for any FIPS 201 standard changes and protecting the end user’s investment,” Sloan says. “Upgrading components is as simple as pushing out firmware updates, eliminating the need to physically touch each controller and/or reader.” The new system should be up and running at the World Trade Center sites before the end of the year.
Certification Training for E-PACS
About CSEIP
• The Certified System Engineer ICAM PACS (CSEIP) Training and Certification Program provides advanced training for systems engineers configuring and testing E-PACS to align with government-wide specifications
• This training and certification is recognized and approved by GSA
About the Training
• Comprehensive three-day program includes expert classroom instruction, hands-on training using commercial E-PACS equipment and testing for competency on course objectives
• Course offers instructor-led training on how E-PACS work, how PKI is managed, and how PIV/PIV-I credentials interface with security systems
• Individual test workstations using commercial E-PACS hardware and software provide hands-on exercises for configuration of live PKI-based access control systems
• A comprehensive written and practical exam wraps up the program with certificates issued upon successful certification
Who Should Attend?
• Commercial security firms looking to sell and install ICAM PACS to GSA-managed properties under updated GSA procurement guidelines for vendors and integrators
• Physical access control vendors who need to train their employees and resellers about proper steps to configure PKI-based PACS
• Government security officials responsible for implementing and operating PACS at their department or agency
Meets Federal Requirements and Highest Industry Standards
• Certification means that you have passed a rigorous, GSA-approved training program which demonstrates your ability to efficiently and effectively implement PKI and federal ICAM architectures for E-PACS
• CSEIPs demonstrate knowledge of the latest security industry standards and meet federal procurement requirements
Learn More Today
Visit the CSEIP section of the Smart Card Alliance website for complete training information, prerequisites, exam dates, and a full description of this program: http://www.smartcardalliance.org
NO CARD, NO NFC, NO BLE WITH BRIVO’S NEW CLOUD-BASED PACS The vast majority of access control systems use cards, or a mobile device’s NFC or Bluetooth interface, for access, but Brivo’s Mobile Pass uses only an app on a smartphone. The user activates the app and presses a button to specify the door to open, a call goes to the cloud to validate access and the door opens, says Steve Van Till, CEO at Brivo. All of this takes about one second. From a workflow perspective, the Brivo OnAir administrator selects a user and creates a Brivo Mobile Pass invitation that is delivered via email. The user then clicks the “Add” button in the email to activate Brivo Mobile Pass on their phone. Users can now open doors, as they would have with a key card. As with key cards, Mobile Passes can be revoked at any time by the administrator. For users, the Brivo Mobile Pass application is designed to be more convenient and secure than traditional key cards. It travels with them wherever they carry their phone, and it is protected by the passcode and biometric capabilities built into the smartphone. When the user wants to open a door they open the Brivo Mobile Pass application; it communicates with the cloud using the smartphone’s capabilities and requests that the door be opened. No key card is needed. Future versions of Mobile Pass will offer additional functionality, Van Till says. For enterprises that want higher security, the system will require users to enter a biometric or PIN for access to specific doors. For those enterprises that want to ease friction, a future version will use geo-fencing so that a door will automatically open when the user is within a certain distance. Mobile Pass also operates across multiple, unaffiliated Brivo-equipped facilities such as offices, gyms and parking garages. Users can add Brivo Mobile Passes from an unlimited number of accounts via email. Available now on both iOS and Android, the Mobile Pass app enables enterprises to distribute credentials to their entire population without any on-premises equipment changes. Enterprises that use Brivo’s OnAir system will automatically be given five free Mobile Pass users, and additional passes can be ordered through channel partners, Van Till says.
HID, MICROSOFT TALKING ‘TAPPING’ FOR ACCESS TO CLOUD APPS HID Global announced that it is working with Microsoft to make cloud app access as simple as tapping a smart card to a laptop, tablet, smartphone or other NFC-enabled mobile device. HID Global’s ActivID Tap Authentication can benefit users when authenticating to Office 365 and other cloud-based applications. Some use cases for ActivID Tap Authentication include retailers accessing inventory control and payment systems from the store floor, enterprise and health care workers who have to log in to numerous applications throughout the day, and others wishing to replace complex passwords with a simpler tap-in experience. ActivID Tap Authentication for Microsoft is powered by HID’s Seos and integrated with Windows Server 2012 R2 Active Directory Federation Services and the HID Global Authentication Cloud Service. It supports Microsoft Windows 7 laptops and desktops, Android-based tablets and other mobile devices via NFC.
NIST WORKING ON CONTACTLESS FINGERPRINT TECH Contactless fingerprint scanners have started to emerge, and the National Institute of Standards and Technology is working with industry to bring fast, touchless readers out of the lab and into the marketplace. Before contactless fingerprint technology can be used broadly, the products must be evaluated and proven to work with millions of existing contact-based fingerprint records. NIST is conducting its research on contactless fingerprinting devices with the FBI Biometric Center of Excellence. The goal is to develop common requirements, metrics and open testing methods for this
new fingerprint technology that will support future certification for purchase on the Government Certified Products lists. Researchers at NIST are working with contactless fingerprint devices from MorphoTrak and 3M through Cooperative Research and Development Agreements, and NIST continues to seek new partners to participate in the tests. Contactless fingerprints will look different from those pressed down on a scanner. Because skin is elastic, traditional fingerprints contain natural distortion from the pressure of placing the finger on the fingerprinting surface, says Michael Garris, NIST biometrics senior scientist. There are also many types of sensors being used for contactless fingerprint capture, and because they are significantly different from the sensors used to obtain contact-based fingerprints, the touchless scans have different image properties. NIST is developing methods to test these devices to determine if they are reliable, accurate and can work with legacy systems. The first step is to develop models to measure image fidelity on the new systems, including developing calibration patterns that can be used as optical targets to determine resolution, focus, contrast, spatial consistency and other properties of fingerprints. The researchers also are investigating materials for use as synthetic targets for testing, such as aluminum, polycarbonate and NIST-developed materials that can mimic the pigmentation and light-diffusion properties of human tissue.
GERMANS MICROWAVING, BOILING ID CARDS Germans take their privacy seriously. The idea of being tracked or having their phone conversations listened in on is appalling to many. Germany has a national identity card that uses contactless smart card technology, and if there’s one thing about contactless it is that it is often misunderstood. The German cards can only be read from a few inches away and include encryption protection so that data cannot be sniffed from them. But often individuals think that the cards have technology similar to that used on toll roads, which could be read from long distances or even from satellites in outer space. Even though some German studies have disproven concerns that the chip could be used to spy on individuals, many Germans remain cautious, some refusing to use the card. Taking this to an extreme, a 29-year-old man was arrested at Frankfurt Airport after authorities noticed that he had microwaved his German identification card to disable the chip, according to a report in the Washington Post. He faces either a fine or time in jail for illegally modifying official documents. Identification documents are state property, according to German law. Disabling contactless chips in payment cards, national IDs or electronic passports might not be as uncommon as one thinks. Videos on YouTube show numerous examples of people either microwaving or boiling the documents. There are even videos of individuals microwaving U.S. passports.
HOMELAND SECURITY RELEASES BIOMETRIC FRAMEWORK The U.S. Department of Homeland Security released a “Biometric Strategic Framework” outlining plans for its use of biometric technologies until 2025.
The goal of the document is to create a strategy for using biometrics to ensure national security and public safety. The framework details goals and objectives the agency plans to undertake. “Although DHS has lacked an overarching biometrics strategy to date, activities to advance DHS biometrics capabilities are underway, such as the planning for the rearchitecture of the DHS Automated Biometrics Identification System, research and development activities within the DHS Science and Technology Directorate, and various biometrics initiatives being implemented by DHS Operational Components,” the framework states. The first goal is to enhance the effectiveness of subject identification. This includes refreshing outdated biometric systems, centralizing access to federal and international databases, improving real-time access in the field and expanding the use of multi-modal biometrics. While fingerprints make up the majority of biometric systems used by law enforcement and other government agencies, facial recognition and iris are starting to be used as well. By adding multiple biometric modalities, Homeland Security will be able to better identify individuals using a layered approach. The second goal is to transform identity operations to optimize performance. This goal will be attained by automating resource-intensive identity processes, implementing person-centric biometric processing and expediting security processes using identity verification. DHS will rely on biometrics rather than credentials or documents to verify an identity in order to reduce vulnerabilities and fraud. The third goal is to refine processes and policies to promote innovation by institutionalizing joint requirements efforts, establishing DHS-wide biometrics authorities and developing privacy policies and processes.
Easy to Authenticate. Difficult to Replicate.
TESLIN® substrate (pictured left) is the proven global substrate for secure credentials and ID cards.
When credential security and durability are paramount, TESLIN® substrate…
• Offers exceptional flexibility to outlast more rigid card materials while protecting and cushioning embedded electronics.
• Features the ability to be customized with embedded security features for program-specific formulations that enhance material tracking and credential authentication.
• Locks in printed graphics and forms virtually indestructible bonds with overlay and card body substrates to deliver highly secure card constructions.
• Delivers tamper-evident protection by permanently distorting if alteration is attempted.
• Prints unparalleled high-definition color images for quick and easy authentication by field agents.
Learn more by visiting Teslin.com/Easy.
© 2015 PPG Industries, Inc. All Rights Reserved. Teslin is a registered trademark of PPG Industries Ohio, Inc.
DNA
for future identity is in your wallet
AS DRIVER LICENSES, PASSPORTS AND BANK CARDS ENABLE THE VIRTUAL, IS SECURE IDENTITY WITHIN REACH? ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
When travelers go to the airport they show a driver license or passport to get through the security checkpoint, and agents make sure the information on the boarding pass matches the identity document. From there, the bar code on the boarding pass is scanned and the identity document might be passed under an ultraviolet light, both of which further ensure that the documents are valid. In the digital world there isn’t an equivalent to this process. There is no Internet driver license or passport that individuals can show to access online services. High-assurance digital credentials are limited to enterprises that issue them to employees, and rarely are they useful outside of that enterprise.
This all may be changing, however, as new initiatives could finally bring strong identity to the masses. A number of projects are making real strides to enable individuals to use documents they already have for high-assurance access, in essence using IDs already in the wallet as the DNA for future identity.
VETTING IN THE DARK One of the more difficult aspects of issuing high-assurance digital credentials is that moving the vetting process entirely online has proven problematic. Yet consumers don’t want to go somewhere with documentation to enroll for and receive a token. Rather, they want to be able to apply for a credential online and use it immediately with as little friction as possible. To date, the primary remote online vetting method used by identity providers has been knowledge-based authentication, or KBA. These are the quizzes that ask so-called out-of-wallet questions, such as where the user lived in years past, the amount of their mortgage payment or what bank holds their car loan. These KBA systems have never been perfect, but after the 2015 IRS breach – where hackers used data gathered from other breaches to access more than 300,000 records and in many cases break the KBA system – the stakes have been raised. Experts are now in virtually unanimous agreement that KBA alone is insufficient for remote identity proofing.
Nexthenticity. SecureKey Concierge is the next generation of authentication and identity verification. Online, on the strength of many.
It is in the news nearly every day: data breaches, account theft, identity fraud. In light of today’s threat landscape, SecureKey delivers an entirely new way to authenticate and verify identities for users creating accounts online. The SecureKey Concierge Service provides next generation ID verification through a strong network of trusted identity partners. It is the natural evolution from knowledge-based questions/answers to a new level of convenient, secure, private and cost-effective transactions online. Partners only need to integrate once with the SecureKey Concierge network, and for online service providers, it creates a simpler, lower cost online enrollment solution. End users benefit from the ability to confidently use a credential they already have and trust. SecureKey Concierge introduces a new federated identity model for consumer authentication and ID verification that brings strong benefits for online service providers, identity providers and consumers. If you want to move more of your customers online with less friction and lower cost, think about the next thing in authenticity. Visit us at www.skconcierge.us
USA © 2015 SecureKey Technologies, Inc.
“Given where we are today with all the breaches – Anthem, the U.S. Office of Personnel Management and others – we have to assume that our data has been compromised in one way or another,” says Doc Vaidhyanathan, vice president of product management for CA Advanced Authentication. “Nobody should rely on a system that says ‘if you know these three or four things, then it’s you.’ KBA should just be one layer in verifying an identity.” Some projects are starting to link real world credentials – driver licenses, passports and payment cards – to add assurance to digital identities. In the UK, the Verify project has a different take on online identity verification. At a base level Verify is the UK’s version of the U.S. government’s Connect.Gov offering. Each enables citizens to create an online identity that can be used in various ways to interact with the government and potentially other relying parties in the future. The difference between Verify and Connect.Gov, however, is that there is a stronger level of assurance behind a Verify identity. Citizens must pass a KBA quiz and also provide a driver license or passport number to be verified. Systems like this that authenticate physical identity documents online are becoming more common, says Emma
Lindley, founder of Innovate Identity, a UK-based consultancy. Mobile phones can take photos of documents to send for verification, and handset cameras are of sufficient quality to even allow verification of the document’s visual security features. In the future, handsets with NFC could read the chips in contactless passports and other identity documents as an additional factor. Many of these systems will also use facial recognition as the final factor. After the initial identity document is scanned and verified, the individual will take a selfie that will be checked against the photo originally captured by the document provider. Combine the identity document verification with facial recognition and you have a fairly high-assurance credential, Lindley says. Layer in a KBA check and you have remote three-factor authentication prior to credential issuance – something you have via the driver license, something you know through KBA and something you are from the facial recognition biometric check. The key here is that this level of scrutiny is only required prior to a credential’s issuance. In the future, the actual credential or token – in whatever form it may take – can be trusted because it was tied to the individual in an assured manner at the start.
Dynamic KBA vs. Static KBA
After the IRS breach there was a lot of discussion around dynamic knowledge-based authentication and static knowledge-based authentication. Here are the differences:
Dynamic KBA: This type of system culls information from an individual’s financial records. What was your last mortgage payment? Who holds the loan on your car?
Static KBA: This is the type of system used to reset passwords. What was your first car? Where did you spend your honeymoon?
Dynamic KBA is certainly more robust and harder to defeat, but it also adds complexity. And in the case of the IRS breach, it was still subject to compromise.
BUILDING BLOCKS FORMING IN U.S. MorphoTrust has been piloting a system that uses state-issued driver license information to create a high-assurance credential. The project has been running for about a year in North Carolina and is expanding to Georgia. The company also rolled out Identix – an identity platform that extends this service to any enterprise. The platform delivers the ability to build strong identity vetting and credentialing into any app or web site, says Benji Hutchinson, senior director at MorphoTrust. The platform relies on information accessed from state driver license systems, Hutchinson says. “The primary way U.S. citizens establish identity is with the driver license, and with that physical token you can establish your identity anywhere,” he explains. “In any aspect of your life where you want to establish identity, you need the driver license. We are linking to the license to create a digital credential that will enable multiple new layers of identification.” There are a number of ways this may work in practice. Citizens may opt for it when they renew or apply for a driver license or they might be enrolled by a third party, says Mark DiFraia, senior director of solutions strategy at the company. For example, an insurance company could build the Identix functionality into its mobile app. Someone applying for new car insurance could take a photo of their driver license and submit it along with a headshot or selfie via the app. The license would be checked for validity against the issuing state’s DMV data and then facial recognition software would match the submitted headshot with the image captured when the license was issued. “If I type in my information it’s not terribly trustworthy, but if I scan my driver license and it is authenticated that adds far more trust,” DiFraia explains.
MorphoTrust is offering Identix as a white-label product so enterprises can simply add the functionality to their existing systems and apps. Consumers won’t have to download an additional app; enterprises will enable the functionality on their end. “Rather than having to build a whole new authentication piece, developers can add that ability from us,” DiFraia says.
COULD BANKS BE KEY TO ONLINE ID? While the driver license may be the standard identity document in the U.S., there are also payment cards. While individuals aren’t normally asked to present a payment card as proof of identification, financial institutions must perform “know your customer” verification before enabling a customer to open a bank account. In Canada, banks have been enabling customers to use that login for access to government sites. This gives the government a high assurance of whom they are dealing with without having to vet and issue identities. The system has been running for three years with three separate financial institutions, says Charles Walton, CEO at SecureKey. One of the main applications is enabling citizens to use the bank login for access to the Canadian IRS, but other applications are rolling out in the provinces. “In the first six months of the year – peak times – we generally see about 2 million transactions per month,” Walton explains. This basically takes the idea of a social login – that normally relies on a self-asserted Google, Facebook or LinkedIn user name and password combination – and adds a high level of assurance thanks to the vetting the bank has previously performed. “This is social login with privacy and trust,” says Stuart Vaeth, senior vice president of business development at SecureKey. The company is extending the service beyond Canada, launching SecureKey
Concierge with US Bank in the U.S. This will enable US Bank customers to use the login information for their financial accounts to access other services in a secure and privacy-enhancing way, Vaeth says. “It solves two issues: password proliferation and how a service provider verifies who the user is online,” he adds. SecureKey is in talks with other financial institutions about using the system in the U.S., and the company is focusing on health care for initial use cases, Vaeth says. Instead of relying on knowledge-based authentication for access to a health care provider or insurer, the Concierge service would use the bank credential to verify identity. When accessing the site the user would be given the option of using a banking credential for access, Vaeth says. Instead of answering the knowledge-based quiz or undergoing another verification step, the user would enter the banking credential, consent to share the information and then US Bank would pass along an anonymous identifier. “This leverages the identity proofing that the banks have already done,” he explains.
Onboarding: What not to do
When enabling a customer to create a new identity, it’s important that there are checks involved from the start, says Doc Vaidhyanathan, vice president of product management for CA Advanced Authentication. In some cases it’s fine to enable a self-asserted identity for browsing or simple tasks, but when it comes to payments or a high-assurance identity there are steps required before granting privileges or access. Whether addresses and other data elements match up can be checked by a financial institution’s fraud alert system. But what’s trickier is if someone steals a payment card and starts using it in the real world. When Apple rolled out Apple Pay on its iPhone 6 and 6 Plus it was touted as a secure, biometric payment tool. Enrolling a new card was easy too: just use the camera to snap a picture and you were ready to go. This proved to be too easy, as fraudsters were taking cards, enrolling them on phones and making purchases. At one point it was estimated that 6% of Apple Pay transactions were fraudulent. “The minute I put that card on my phone it’s as legitimate as anything else,” Vaidhyanathan explains. When enrolling a new card on a device an important step was left out, says Vaidhyanathan. A second factor should have been put in place before that card could be used. Something as simple as an email with a link would have prevented much of that early fraud. Apple was trying to make enrollment as simple as possible with the new system, Vaidhyanathan says. “If you had to take another step some people would have abandoned it,” he adds. “It’s the age-old problem that happens with security, we don’t want friction in our experiences.”
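The two enrollment lessons above, Brivo’s emailed invitation that a user must accept before a pass opens anything and Vaidhyanathan’s point that a card added to a phone should not be usable until a second factor such as an emailed link is completed, as one added example that is not Brivo’s, Apple’s or CA’s code; the data model, the 15-minute link lifetime and the sample holders are assumptions.

```python
"""A credential that stays unusable until an out-of-band confirmation completes.

Constructed example, not Brivo's or Apple's code. The requested credential
(a card added to a phone, or a mobile pass sent by e-mail invitation) is
created in a pending state; only a single-use, time-limited token delivered
over a second channel activates it, and every later use re-checks the state
server-side so that revocation takes effect immediately. Names and the
15-minute lifetime are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of the confirmation link


@dataclass
class Enrollment:
    holder: str        # who requested the credential
    channel: str       # out-of-band address the confirmation link went to
    token: str         # single-use confirmation secret, cleared once used
    created: float
    state: str = "pending"   # pending -> active -> revoked, or pending -> expired


class EnrollmentService:
    """Tracks credentials from request through confirmation to revocation."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._by_id: dict[str, Enrollment] = {}

    def request(self, holder: str, channel: str) -> tuple[str, str]:
        """Create a pending enrollment; returns (credential_id, link_token).

        The token is what the e-mailed link would carry. It comes from a
        CSPRNG and is never shown on the device that asked for the credential.
        """
        cred_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._by_id[cred_id] = Enrollment(holder, channel, token, self._clock())
        return cred_id, token

    def confirm(self, cred_id: str, presented: str) -> bool:
        """Activate only if still pending, not expired, and the token matches."""
        enr = self._by_id.get(cred_id)
        if enr is None or enr.state != "pending":
            return False
        if self._clock() - enr.created > TOKEN_TTL_SECONDS:
            enr.state = "expired"
            return False
        if not hmac.compare_digest(enr.token, presented):   # constant-time compare
            return False
        enr.state = "active"
        enr.token = ""            # single use: the same link cannot be replayed
        return True

    def revoke(self, cred_id: str) -> None:
        """Administrator (or cardholder) pulls the credential."""
        enr = self._by_id.get(cred_id)
        if enr is not None:
            enr.state = "revoked"

    def may_use(self, cred_id: str) -> bool:
        """The check every payment or door-open request must make server-side."""
        enr = self._by_id.get(cred_id)
        return enr is not None and enr.state == "active"


def walkthrough() -> dict[str, bool]:
    """Exercise the flow against a fake clock; returns each step's outcome."""
    now = [1_000_000.0]
    svc = EnrollmentService(clock=lambda: now[0])
    cid, token = svc.request("alice", "alice@example.test")
    results = {
        "usable_before_confirm": svc.may_use(cid),
        "wrong_token_rejected": not svc.confirm(cid, "not-the-token"),
        "confirmed": svc.confirm(cid, token),
        "usable_after_confirm": svc.may_use(cid),
        "replay_rejected": not svc.confirm(cid, token),
    }
    svc.revoke(cid)
    results["usable_after_revoke"] = svc.may_use(cid)
    # A second holder follows the link only after it has expired.
    cid2, token2 = svc.request("bob", "bob@example.test")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["stale_link_rejected"] = not svc.confirm(cid2, token2)
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```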
COMBINING STRANDS WITH LAYERED IDENTITY Systems like those from MorphoTrust and SecureKey are taking early steps to bridge physical credentials with virtual users, but these are just two of the efforts underway to assure an identity online. There are other technologies and approaches that can be used in the background to validate an
identity and move beyond self-asserted credentials and standalone KBA. Setting up an identity for an individual online should be a process rather than a single action at a single point in time, says CA’s Vaidhyanathan. “Collect basic information from people at the start – for example a small amount of knowledge-based authentication to on-board a user – but don’t start them off with the high level of authentication,” he explains. Using KBA as one ingredient of an identity recipe is what Idology recommends, says John Dancu, president and CEO at the company. Idology’s products work in the background to help figure out whether or not an identity is legitimate. “We have to assume that data has a high probability of being breached and the idea of taking data and matching it to public records isn’t sufficient,” he explains. Idology looks at the data someone is presenting, examines the device and looks for malware, geolocation and other attributes, Dancu says. A lot can be determined by looking at location- and activity-based attributes. “If the same customers are all coming in from the same location within a matter of minutes it raises fraud flags,” he says. All of these attributes can be checked in the background, and as long as no flags are raised the transaction can take place with a high level of assurance, Dancu says. If some flags are raised, you add additional layers, such as KBA, to raise the bar. “When you pull together all the other attributes you can validate a legitimate customer pretty quickly,” he explains. “You have to look at the other factors and then only go to KBA when you have to.”
Porn drives online ID The adult entertainment industry is credited with bringing many technology advancements, but now it may also be responsible for bringing validated online identities to the masses in the UK.
It’s not that users will have to have a completely vetted identity, but they will have to go through age verification before accessing adult content, says Emma Lindley, founder of Innovate Identity, a UK-based consultancy. “All adult sites will be regulated and have to confirm age,” she adds. “A lot of personal ID providers are playing in this space and are looking to federate age verification.” There are several initiatives to bring such a system online but it’s also possible that Verify, the UK’s online identity initiative, may be used. Verify could provide the attribute that the individual is old enough to access content without divulging other personal information not required for the transactions.
Idology works with retail, financial services and health care companies. One of its latest focuses involves the mobile device and being able to identify people even if they switch handsets or carriers. “More fraud is coming from mobile and we want to establish persistence on these devices,” Dancu adds. This is an area that Payfone focuses on as well. Payfone works with all four of the major mobile networks to identify device owners, regardless of whether they switched handsets or carriers, says Mike Bijelich, director of strategic deployments at the company. For example, if a customer is using a financial institution’s app on a new mobile device, the institution sees an IP address, cookie and some other details. With Payfone the institution will also see what mobile operator the phone is on, whether it’s a new device and if there have been any changes with the customer. “We tie the mobile network identity to the login event and then tokenize it and add it to our intelligence,” Bijelich explains. “With our technology in the background, fewer authentication challenges are required.”
As the mobile device number is increasingly becoming one of the more valued identity attributes, it’s important to know something about who owns that device, Bijelich says. In essence, the mobile, its device ID and the individual’s phone number are comparable to a modern day driver license. But mobile has the added benefit of already crossing the physical and virtual realms. Companies like Idology and Payfone are breaking new ground, exploring how the mobile and the vetting done by carriers can be leveraged for identity purposes.
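As an added example (not code from the original article, nor Idology’s or Payfone’s actual logic), the following Python risk engine follows the layered approach described above: background signals such as location velocity, a changed device or carrier and a malware indicator are checked first, and KBA is requested only when a flag fires. The event fields, thresholds, sample events and the HMAC-based tokenization of the mobile network identity are all assumptions.

```python
"""Layered identity check: passive risk signals first, KBA step-up only on a flag.

Added illustration of the approach described in the article; rules, thresholds,
event fields and the HMAC tokenization are assumptions, not vendor logic.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoginEvent:
    customer_id: str
    ts: int                # seconds since epoch
    location: str          # coarse geo-location label (assumed field)
    device_id: str         # hypothetical device fingerprint
    carrier: str           # mobile network operator seen at login (assumed field)
    malware: bool = False  # device-side malware indicator (assumed field)


# Constructed "persistence" record: last known (device, carrier) per customer.
KNOWN_DEVICES: Dict[str, Tuple[str, str]] = {
    "alice": ("dev-a1", "CarrierA"),
    "bob": ("dev-b7", "CarrierB"),
}

VELOCITY_WINDOW = 300  # seconds; "within a matter of minutes"
VELOCITY_LIMIT = 3     # distinct customers from one location that raise a flag


def velocity_flagged(events: List[LoginEvent], idx: int) -> bool:
    """True when event idx and at least VELOCITY_LIMIT-1 other distinct customers
    logged in from the same location within VELOCITY_WINDOW seconds of it."""
    e = events[idx]
    others = {
        o.customer_id
        for o in events
        if o.location == e.location
        and o.customer_id != e.customer_id
        and abs(o.ts - e.ts) <= VELOCITY_WINDOW
    }
    return len(others) + 1 >= VELOCITY_LIMIT


def assess(events: List[LoginEvent], idx: int,
           known: Dict[str, Tuple[str, str]] = KNOWN_DEVICES) -> Tuple[List[str], str]:
    """Return (flags, decision); decision is 'allow', 'step_up_kba' or 'deny'.

    Background attributes are checked first; KBA is requested only if a flag
    fires, and a malware indicator denies outright.
    """
    e = events[idx]
    flags: List[str] = []
    if e.malware:
        flags.append("malware")
    device, carrier = known.get(e.customer_id, (None, None))
    if device is not None and e.device_id != device:
        flags.append("new_device")
    if carrier is not None and e.carrier != carrier:
        flags.append("carrier_change")
    if velocity_flagged(events, idx):
        flags.append("location_velocity")

    if "malware" in flags:
        decision = "deny"
    elif flags:
        decision = "step_up_kba"
    else:
        decision = "allow"
    return flags, decision


def network_token(carrier: str, subscriber_ref: str, key: bytes) -> str:
    """Keyed pseudonym binding the mobile network identity to a login event.

    Assumed technique: an HMAC over carrier and subscriber reference, so the
    raw subscriber identifier never has to be stored alongside the event.
    """
    msg = f"{carrier}|{subscriber_ref}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


# Constructed sample login events (not real data).
EVENTS: List[LoginEvent] = [
    LoginEvent("alice", 1000, "Denver", "dev-a1", "CarrierA"),
    LoginEvent("bob", 1010, "Boston", "dev-b9", "CarrierB"),
    LoginEvent("carol", 1020, "Boston", "dev-c1", "CarrierA"),
    LoginEvent("dave", 1030, "Boston", "dev-d1", "CarrierC"),
    LoginEvent("eve", 5000, "Denver", "dev-e1", "CarrierA", malware=True),
]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for i, ev in enumerate(EVENTS):
        flags, decision = assess(EVENTS, i)
        token = network_token(ev.carrier, f"sub-{ev.customer_id}", key)
        print(f"{ev.customer_id:6} {decision:12} flags={flags} token={token[:16]}...")
```

Alice passes with no challenge, the three Boston logins a few seconds apart trip the velocity rule and are routed to KBA, and the malware-flagged login is refused before any challenge is offered.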
MAPPING THE WALLET’S DNA
Mobile phones, passports, driver licenses and bank cards hold the DNA to link the physical world with the digital. Enabling attributes from these documents and devices to be used for digital identification can solve two of the biggest problems out there: getting new credentials into the hands of consumers and making sure they have been thoroughly vetted prior to issuance.
THE CHALLENGE OF PROTECTING KIDS’ ONLINE IDENTITIES
AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Children growing up in post-1950s America have been raised with the mantra, “Don’t talk to strangers.” But digital age kids need to know much more than the traditional perils of taking candy from someone they don’t know. The Internet has made it tricky to protect the identities of children, and this creates real dangers that extend from the online to offline world. Through instant sharing practices, children’s personal information can fall into the wrong hands within milliseconds. The rise of Big Data has put children in the crosshairs of private-sector data miners who target them even in schools. And the anonymous nature of the Internet has helped breed issues such as cyber bullying. Thankfully, there are initiatives taking shape to keep children safe online and protect their identities. But doing so requires striking a delicate balance between allowing children to maintain a level of anonymity from other users while still enabling sites to know just enough about their identity to protect them from abusers. Kelli Emerick, executive director of the Secure ID Coalition, a federal lobbying group for the identity industry, says that identity verification and authentication is critical to protecting children online. “A lot of the problems in the kid space come down to the ability to be anonymous,” she says. Laws dictate that websites and online applications need to have parental consent in order to gather any personal information from children, but figuring out a way to both obtain and verify that consent has proven difficult.
Internet privacy and security lawyer Parry Aftab says regulators and companies have been taking a harder look at how to better protect children’s identities online, but they are still confounded by the issue. Aftab is a founder in the field of cyber law and consults with the children’s Internet industry through her firm WiredTrust. Aftab says that once kids are identified online, it’s easier for predators or even peers to blackmail them into doing other things. “Sextortion,” cyber bullying, cyber stalking and trolling are among the risks kids face. Aftab cited a case involving inner-city kids in which a girl became jealous and tried to provoke gang attacks against another girl she knew. “Our kids are at risk offline far more than ever before,” Aftab says.
Children can also naively give out just enough credential information about themselves to allow someone to steal their identity. For example, they might be tricked into providing a Social Security number to play a game, and someone could take that information and open up credit cards in that child’s name. Parents can suffer the consequences of their children’s online behavior, too. A child might, for example, make a comment about a parent leaving their job, unintentionally tip off a friend whose dad employs that person, and ultimately cost the parent their job. More commonly, however, kids can ruin their own reputations online for years to come. The more identifiable information they share, the longer that reputation will live with them online. “When they grow up and run for president, people will know they really did inhale,” Aftab says.
UNDERSTANDING COPPA
One of the primary regulations governing the use of children’s information online is the Children’s Online Privacy Protection Act (COPPA). Congress enacted the law in 1998, requiring the Federal Trade Commission to issue and enforce regulations concerning the online privacy of children under the age of 13. The goal of COPPA is to put parents in control over what information commercial websites and apps can collect from children online. Moreover, it requires that website operators obtain verifiable parental consent before gathering any personally identifiable information from a child. Since COPPA took effect, there’s been some confusion among website operators in the marketplace regarding how to comply with the law. This stems from the fact that COPPA’s rules vary based on a website’s primary audience and the critical question of whether a site is directed toward children in the first place. If it’s a site such as Facebook that’s directed toward a general audience, the site can turn away any users who say they are under the age of 13 and avoid the need to obtain parental consent. Conversely, a site run by a toy company or a kids’ television channel would face more scrutiny. Failure to comply with COPPA can result in fines of up to $16,000 per violation, according to the FTC.
CREATING A MINORS TRUST FRAMEWORK
Privacy Vaults Online Inc., or PRIVO, an identity and consent service provider, has been working on an initiative to help parents and companies gain a better understanding of COPPA.
“There’s rampant noncompliance,” says Denise Tayloe, president and CEO of PRIVO. “Companies either don’t understand it all, or they do understand it and they think they can fly under the radar.” Its PRIVO iD is an online identity credential for families based on a trust model called the Minors Trust Framework. PRIVO has been developing that framework through a grant from the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative that aims to support collaboration between the private sector, public advocacy groups and public-sector agencies.
Under COPPA, parents have to separately answer each consent request they get from every online service their child wants to access. This has created challenges for both parents and website operators alike. An even bigger problem arises when children circumvent the process entirely by lying about their age in order to access online services. Through the Minors Trust Framework, parents will be able to have their identity verified once by PRIVO and have the ability to give their children consent in advance to access services within the PRIVO ID Network. “We’re trying to give parents a way to say, ‘Hi, I’m a parent and I am willing to go through a little bit of vetting to prove that,’” Tayloe says. So if a child participates in a contest in which he or she needs parental consent to upload a video, the child can log in with a PRIVO ID instead of having to provide the parent’s email address. In 2013, PRIVO was awarded a $3.2 million NSTIC grant to develop a pilot for an identity protection system to help keep families safe online and help companies to comply with COPPA. The grant period began October 2013 and goes through March 2016. The pilot is at the implementation stage. PRIVO is in the midst of delivering its credential service to some of the pilot participants, with the goal of getting its first 1 million accounts under management. Verizon is among the companies collaborating with PRIVO to roll out the pilot.
Tayloe says the goal is to equip millions of parents and children with a way to better manage their personal information, understand how it’s being used, and have online access in a compliant way that preserves privacy. “If every company puts their head in the sand and pretends like they don’t have kids on their service – or dumbs it down so much that kids have no choice but to lie because they’ve been marginalized – it’s as if we never taught kids to cross the street,” Tayloe says. “And it’s not possible for them to grow up and be good digital citizens.”
Student data mining scrutinized
While initiatives such as the PRIVO pilot are addressing parental consent issues, the rise of data mining has introduced a new wrinkle for COPPA and identity protection for children online. The big game changer has emerged in the education space. Classrooms have been receiving educational technology, hardware and cloud services for free or at reduced rates. But this is not as altruistic as it may seem. Companies are providing the technology in return for the right to collect and aggregate demographic information and data on student preferences. “There has been a huge outcry about this by activist parents,” says Kelli Emerick, executive director of the Secure ID Coalition. A 2013 report by McKinsey & Co. found that the use of student data could generate $890 billion to $1.2 trillion annually in global economic value. Some estimates value the pre-K-12 education software market in the U.S. at more than $8 billion, covering everything from online textbooks to games students play in the classroom. “The market for pre-K through high school is huge,” Emerick says. “And these companies are collecting millions and millions of data points on kids.” In January, President Obama announced his support for the Student Digital Privacy Act, which says that student data collected in the classroom could be used for educational purposes only. The act aims to prevent companies from selling student data to third parties for marketing or profiling purposes. The president has also encouraged education technology companies to sign the Student Privacy Pledge saying they’re not going to sell data. As of June, 150 companies had signed the pledge.
IMPROVEMENTS IN KID SPACE
Some companies have been making headway with children’s identity protection efforts. Aftab says companies in the kid space have been giving the protection issue a lot of thought because they can’t afford to have parents hate them or have someone publicly expose them for a misstep. She points to Google’s creation of the YouTube Kids app, which provides children access to child-appropriate content without collecting or tracking any information about their identities. The app works only on tablets, and parents can set controls to limit their child’s screen time. The kids site Webkinz has also taken steps to avoid collecting children’s personally identifiable information, Aftab explains. They keep an email address that they can use to reach out to the user in case of a forgotten password, but they don’t share it with anyone else or use it for other purposes. Aftab believes companies in the general audience space have a lot of work to do because they’re the ones collecting personal information from children and hiding behind that general audience banner. “A lot of them just close their eyes and say, we’re allowed to consider everyone an adult. And in doing so, I think they’re putting kids’ IDs at risk,” she adds. Companies in the mobile space also need to prepare for improvement in this area. Today, the laws don’t clearly regulate their actions involving children, but this will change, suggests Aftab. “In all cases, the people who buy cell phones are over the age of 12, so they don’t have a COPPA issue,” she says. But we all know, whether they are using their own device or a parent’s device, kids are avid users of the technology and services. Aftab tells companies that if they want to stay in business, they must decide what information they need, collect it, secure it and be transparent about how they’re using it. “In the end, it’s all about setting reasonable expectations, being open about it, doing your job and keeping things locked up if you’ve got it,” she says.
Children’s protection initiatives
Children’s Online Privacy Protection Act of 1998 (COPPA): COPPA seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. The Federal Trade Commission is responsible for implementing and enforcing COPPA rules.
Harvard Berkman Center for the Internet & Society, Internet Safety Technical Task Force (ISTTF) – February 2008: A group of Internet businesses, nonprofits, academics and technology companies banded together to identify tools and technologies to create a safer online environment for children. The task force was created in accordance with the Joint Statement on Key Principles of Social Networking Safety announced by the Attorney General Multi-State Working Group on Social Networking and MySpace in January 2008. The group has looked at identity theft and age-verification of children online.
President Obama announcement on protecting personal data – January 2015: President Obama announced his support for the Student Digital Privacy Act to restrict student data collected in the classroom to educational use only. Several states introduced legislation to address the issue prompted by parent groups.
Global Privacy Enforcement Network – May 2015: The Federal Trade Commission and 27 members of the Global Privacy Enforcement Network (GPEN), a group of privacy enforcement agencies around the world, are marshaling resources to protect the privacy of children online. Privacy experts from the FTC’s Office of Technology Research and Investigation will conduct an analysis of the privacy disclosures, interactive features and information collection practices of children’s mobile apps. The staff expects to release a summary of its findings later this year.
MINORS TRUST FRAMEWORK
EVALUATING CARD DURABILITY
INDUSTRY STANDARD TEST PROCEDURES HELP ISSUERS ACHIEVE THE ULTIMATE ’10-YEAR CREDENTIAL’
Employees in card issuing offices often have interesting stories of people coming in to replace their IDs. The card will be splitting into its different layers and when asked how it happened they explain they used it as an ice scraper on their windshield. Or the card will be warped and faded and the cardholder will admit to leaving it on their car’s dashboard on a hot summer day. Federal and state agencies as well as other high-value issuers want to get as much out of a document as possible, and a 10-year lifespan seems the ultimate objective. To achieve this issuers are moving away from 100% PVC cards – the cheapest and most common type – to composite cards made up of a variety of materials, often including polyesters, polycarbonate or Teslin substrate. Issuers are moving away from single substrate, monopolymer cards, says Joanne Ogden, global sales manager for the security division at ITW. “The standard is not a 100% PVC card anymore – because it’s not durable enough and won’t last five to 10 years,” she says. In the past few years, the credentialing market has shifted dramatically when it comes to card materials, Ogden says. “The increased need for durability has completely changed the market. Gone are the days of PVC and top laminates,” she adds. “The documents now are far more complex, there are far more substrates out there along with an increased number of security features.” Choosing the right materials for an identity card is important when it comes to durability. But the first thing an issuer must decide is what it means by durability. “What is the expectation of a document? Do they want it to last for five, seven or 10 years?” asks Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries, which produces Teslin. “How will the document be used? Is it used once in a while or several times each day? All of this will impact durability.” The climate can even impact the durability of a credential. “Durability can depend heavily on the usage scenarios and environments,” says Brad McGoran, principal engineer at Exponent, a consultancy that performs card testing. “For example, cards used frequently outdoors can degrade and become brittle due to UV exposure, leading to premature failure and cracking.” Security of the document also needs to be taken into account. An issuer can produce the longest lasting document, but if it doesn’t include security features strong enough to see it through such a lifespan, then it has done little good, Scaglia says. Issuers are embedding security features into the different substrate layers of the card to make it counterfeit proof, Ogden says. “You might have a hologram embedded on one layer and another feature on the Teslin layer,” she explains. Electronic components add another level of complexity when talking about durability. More and more, identity documents contain embedded electronics, and protecting these chips and antenna coils is important. “If you use highly rigid card materials with embedded electronics, in time they may crack,” says Scaglia.
He adds that both PVC and polycarbonate are typically considered among the more rigid card materials. Cards with embedded electronic components may have a shorter lifespan based on that fact alone, McGoran says. “With contact, contactless and dual-interface cards, our experience and testing have shown that the durability of the internal components, circuitry and connections can significantly affect card life longevity,” he explains. Still, maximizing lifespan is the goal and composite cards made with different materials have the best durability, says McGoran. “Blended cards such as PVC and polyester blends tend to resist cracking during repetitive flexure testing better than pure PVC card stock,” he explains. “We have observed this often translates to longer service life in the field for these blended cards versus pure PVC card bodies.”
Polycarbonate cards are popular for European credentialing projects, Ogden says. “But polycarbonate isn’t the only answer,” she explains. “There are other substrates out there that are more cost effective and could be used with both local and central issuance applications.” “These alternatives can also be as or more secure and durable than all-polycarbonate cards because of their increased chemical resistance, abrasion resistance and flexibility,” says Scaglia.
STANDARDIZING CARD DURABILITY
There are several facets to card durability. A primary consideration is the mechanical durability of the card body, which includes characteristics like bending and stiffness, peel strength and resistance to chemicals, says Brad McGoran, principal engineer at Exponent, a consultancy that performs card testing. Additionally, there are the durability characteristics of the printed and laminated features on the card. These include the abrasion resistance of the magnetic stripe or printed barcode, the resistance of the printed dye to smear or drift, and the UV resistance of the printed surface, McGoran explains. If the card includes an integrated circuit chip with a contact pad or a contactless antenna, durability issues also revolve around the resilience of those features. For example, the card should maintain functionality after exposure to x-rays and magnetic fields, and it should survive anticipated levels of electrostatic discharge exposure. For each of these areas, internationally recognized standards bodies have developed a series of testing methods. Test labs implement these prescribed procedures to provide unbiased analysis of a specific card construction’s durability and likely longevity. Key test standards include ISO 24789 and ANSI 322.
ISO/IEC 24789: This standard is made up of two parts. The first is a methodology for determining a card’s expected lifespan taking into consideration the demands placed upon it by the various applications it will support. The second part uses this determination to define a series of tests to evaluate if it can meet this prescribed lifespan. Think of it this way, the demands on a passport card used infrequently for international travel are far less than those placed on a fare collection card used multiple times each day for public transport. Still the required lifespan for a passport card is far longer than that of a transit card, so this too must be taken into consideration as tests are designed.
ANSI INCITS 322: This defines a Card Structural Integrity Test to help gauge a card’s resilience against delamination under adverse environmental conditions. The test is considered rigorous or extreme, and used most often as a qualitative or comparative assessment between different card constructions. To conduct one of the ANSI INCITS 322 tests, cards are placed into a one-gallon paint can along with “dummy cards.” Thirty milliliters of distilled water and 10 grams of sand are added, and the can is sealed and mounted into a standard paint shaker similar to the machines used at hardware stores. The cards are then shaken for three hours, removed and rinsed. The cards are generally considered satisfactory if they do not delaminate or peel apart. If they include an integrated circuit chip, this should still be functional. This test has proven to be quite revealing for the various card materials and structure technologies used by card manufacturers. Many cards come out of the shaker with only worn corners, but some cards simply disintegrate or separate into their component layers.
ANSI INCITS 322 SURFACE ABRASION TEST
To conduct the Surface Abrasion Test, two cards are mounted on a machine that rotates them below a pair of abrading wheels or grinders of prescribed weight and grit rating. The machine is stopped every 250 rotations and a resurfacing disk with a prescribed grit rating is used to resurface the abrasion wheels. After every 500 cycles the cards are photo documented. This process continues until the cards reach 5,000 cycles. The estimated point of print breakthrough is tracked and recorded.
A CARD ISSUER CAVEAT EMPTOR
When it comes right down to it an issuer has to look at the use of the credential. “In our experience, there is no one single formula for the best and most durable card body construction since different blends and formulations are best suited to different environments and usage scenarios,” McGoran says. “We recommend that issuers and their card manufacturers run specific tests to evaluate overall durability of the card body to ensure that fielded cards meet their designated life expectation.”
DUAL-INTERFACE CARDS DELIVER ON PROMISE OF FLEXIBILITY
WITH BOTH CONTACT AND CONTACTLESS ON BOARD, THE CARDS ARE FINDING FAVOR WITH A HOST OF GLOBAL ISSUERS
AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
In the world of smart cards, interface is key. The term describes the way data is communicated between card and reader. In the early days, issuers chose either a card with a contact interface that is inserted into a reader or contactless interface that requires only close proximity to the reader. Later, hybrid cards offered both interfaces by embedding two separate chips on a single card. Today, however, demand is growing in multiple markets for dual-interface cards that offer both contact and contactless interfaces via a single chip. Dual-interface cards are widely adopted in the federal government space through both the PIV and the Defense Department’s CAC cards. Dual interface is also poised for growth in both banking and transit sectors, as the payments industry continues its transition to EMV chip cards and transit boards explore open-loop fare collection systems. For the first time, ABI Research predicts that dual-interface smart card shipments will exceed the 1 billion mark in 2015. “Having a single processor in a card has enabled us to enhance both security and personalization,” says Paul Brady, senior director of sales engineering at Identiv. “It has also reduced the complexity of the card itself, making it more reliable and cheaper to produce.”
ONE CHIP VERSUS TWO
It used to be that a hybrid card – one with two separate chips – was the only way to offer contact and contactless interfaces on a single card. Initially the hybrid technology was the easiest way to merge the two functionalities into a single card without substantially changing the manufacturing process. In essence, the hybrid concept simply required embedding a contact chip onto a pure contactless card. Until recently, dual-interface card manufacturing remained prohibitive for most of the industry because of its complexity. “Dual-interface cards are often an intermediate step for migrating from a contact to a contactless card,” says Stefan Barbu, head of NXP’s Secure Identity Business for the Americas. High-security card applications originally started using contact chips, which were more mature than contactless. But as contactless technology evolved, it became faster and more secure and is now preferred for many applications due to its speed, security, durability and user convenience. Because many card programs and schemes have a large deployment of legacy contact-based infrastructure, it can take years to migrate the hardware, standards and processes to contactless. In such cases, dual-interface cards can facilitate a transition over time. Today, new card programs that don’t have these constraints in terms of legacy compatibility typically start directly with contactless, explains Barbu.
In addition to the easier manufacturing processes, hybrids also worked because there wasn’t a business reason that demanded a one-chip solution, says Julian Lovelock, vice president of strategic initiatives for HID Global Identity Assurance. The cards supported separate functions with contactless generally enabling physical access and contact enabling logical access. “The fact that there were two chips really didn’t matter because they were two completely different sets of use cases – with two different sets of cryptographic keys – and that is the way many people wanted it to be,” says Lovelock. But having two chips on one card did lead to challenges managing multiple credentials on a single piece of plastic. With hybrid cards, there is no electrical communication between the contact and contactless chips. Instead separate, unconnected processors manage the two chips, making it impossible to update both via a single process. Also with hybrids, contactless chips were typically lower-end memory or read/write-only. “The application loaded on those chips could not be changed, making it impossible to provide risk remediation in case of compromised data or to address other security issues,” says Stephane Ardiley, director of product management for Identiv. The benefit of a dual-interface chip is that it is programmable, and its application can be upgraded during the life cycle of the card, says Ardiley. This offers the opportunity to increase the level of security or security protocol without having to reissue the card itself. The more robust chip in a dual-interface card can handle more applications, heavier applications and better cryptography, says Terry Gold, founder of IDAnalyst LLC. Jerome Becquart, vice president of operations for access management provider Axiad, says that nearly every enterprise that had been deploying hybrid cards is now looking at dual interface because they enable both identity security and physical access via a single chip. “From a cost standpoint as well as a security standpoint, it’s a better solution than a card with two different chips,” Becquart says.
Hybrid smart card: Card has two separate chips, one contact and one contactless, that have to be managed and provisioned separately.
Dual-interface smart card: Card has contact and contactless capabilities driven from a single chip.
Still others argue the true costs for the two solutions are difficult to compare. While the dual-interface cards save cost by requiring one chip instead of two, they also add complexity in the manufacturing process and result in significantly higher losses and field returns than hybrid cards. This, however, is something that gets better with time as card manufacturers continue to refine production processes and techniques.
WIDESPREAD GOVERNMENT ADOPTION
The use of dual-interface cards is becoming more prevalent in markets that need higher-security applications and where the cards are needed for multiple uses. One of the highest volume issuers of dual-interface cards has been the U.S. federal government. The Department of Defense’s Common Access Card is a dual-interface specification. “I think they drove the market quite a bit and helped drive the price down,” Gold says. “Other governments around the world saw that.” As a result, more commercial enterprises, such as health care, have been looking into dual interface. Transit is another growing market for dual interface. The transit market has been evolving more from proprietary, closed-loop fare collection systems – such as the London Oyster card that can only be used at London transit terminals – to an open-loop system that would incorporate Visa, MasterCard, Discover and American Express branded dual-interface cards. When the goal is to combine a traditional payment card that relies on a contact interface for merchant payments with a transit card that requires contactless, dual interface is an ideal solution.
INROADS IN PAYMENTS
The payments industry is poised to become the next market for widespread deployment of dual-interface cards, says Philip Andreae, vice president of field marketing in Oberthur’s financial services business unit. In the U.S., the payments industry is currently migrating from contactless to contact chip cards and will soon start to consider dual-interface, he says. Outside of the U.S. there is already a significant number of EMV payment cards using dual-interface, enabling the card to support either mode depending on the requirements of the specific merchant location. The U.S. migration to EMV chip cards is relying largely on contact cards. Only about 3.5% of the chip cards going out today are dual interface for payments, Andreae says. “We expect that number to grow rather rapidly in 2016.” “On a global scale, we see something in the order of 40% of all EMV cards in market being dual interface,” he says. Andreae points out that certain markets, such as Poland and China, are already predominantly dual interface. Spain, France, the United Kingdom and Australia are migrating from contact only to dual interface. Markets still in early deployment, such as the United States, are taking a contact-first path before eventually migrating to dual interface, he says. The hope is that higher quantities driven by the federal government and the payments industry will ultimately make the cards more attainable for smaller issuers. “The volume that EMV is pushing may over time push down prices on dual-interface chips and hence make them more viable for access control markets,” says Lovelock. “But that’s not the case yet.”
DUAL-INTERFACE’S FUTURE
For years, smart card industry insiders have questioned the future need for the contact interface. When the data throughput, speed and security of contactless are robust enough, why would anyone choose to insert a contact card into a reader? In other words, they posit that improvements in contactless could potentially eliminate the need for the contact interface and, subsequently, the dual-interface card. Lovelock and others stress that this scenario is still off in the future. He sees a need for the contact interface because it remains challenging to reliably transmit large payloads of data over a contactless interface. “If you’ve got a very chatty protocol like PKI, it’s hard to do that over a contactless interface,” he says. New protocols, however, are optimizing the PKI exchange, so this will change with time. Another reason why the contact interface will persist is that contact readers tend to be cheaper and more ubiquitous than contactless readers. However, as more laptops and devices have contactless readers built into them, that reason will fade over time, Lovelock says. Additionally, in highly secure transactions concerns remain when exchanging data in the clear over a contactless interface that could be susceptible to eavesdropping. Within the payment card industry, there is still some concern over how to protect the PIN when it’s sent “over the air,” explains Identiv’s Brady. He says that short ranges help, but it’s still not a good idea to send the PIN unprotected. “Chip processing power can protect the PIN with encryption, and we are seeing more protocols being developed to take advantage of this capability,” Brady says. “Still we will continue to see dual-interface cards for some time,” he says.
CONTACTLESS 2.0
LATEST GENERATION CHIPS ARE BIGGER, FASTER
BIOMETRICS, NEW APPS REQUIRE MORE MEMORY AND FASTER DATA TRANSFER
The underlying technology behind contactless smart cards hasn’t changed much in recent years. The international specification that enables different cards from different manufacturers to communicate with different readers from different vendors is stable and extremely well established. But that does not mean manufacturers or their offerings have stagnated. Two of the biggest changes in contactless smart card technology are the speed of the chips and the memory capacity, says Joerg Borchert, head of chip card business at Infineon. “The major topic over the last five years has been the interface speed, which has increased with higher and higher bit rates,” he says. “The chips also are evolving to keep pace with new applications, and additional security is being built into the hardware,” Borchert explains. Additionally, he adds that contactless cards are now more durable thanks to new manufacturing techniques.
“Modern day applications require multiple applications – such as ID documents, payment and transportation – to run in parallel on the same chip,” says Stefan Barbu, head of NXP’s Secure Identity Business for the Americas. “Combining the government documents’ security requirements with the speed of transit applications and strict process regulations surrounding the financial applications has been a tough challenge, but this is now becoming the market reference.”
Electronic passports and many national electronic identity projects rely on contactless technology. Countries are starting to deploy systems that can read the chips and make sure the photo stored in the chip matches the individual at the border crossing or other service delivery point. These and other applications that store biometrics on the chip are appearing in greater numbers, and present a new challenge compared to the tried and true payment and transit applications that have been around for years. These chips require large memory for biometric and image storage as well as faster data transfer for presentment and comparison. And it is the demands of these newer applications that have driven the industry to produce chips that are faster and have larger memory, Borchert says.
What’s the contactless frequency, Kenneth?
Low frequency proximity cards operate at 125 or 134 kHz. These lower security cards are typically used for door access applications.
High-frequency products operate at 13.56 MHz and include the common ISO 14443 and 15693 standards. The vast majority of ID credentials are high frequency, with passports and bankcards using the ISO 14443 standard.
Ultrahigh frequency (UHF) operates at 433 to 953 MHz and can be read from up to 30 feet. UHF is commonly used in RFID tags for logistics applications and asset tracking.
Chip memory is split between two functions: one is for applications and operating systems while the other is for storage. Newer card applications require more memory for both of these areas, says Borchert. Today, contactless smart cards used for identity applications have between 500 and 800 kilobytes of memory, split between the two functions. Just a few years ago, typical chips maxed out at 128 kilobytes of user memory and up to 400 kilobytes of read-only memory for applications and operating system code. The speed of these chips has improved tremendously in the past few years. Borchert says that some chips are four times faster than they were a few years ago, and are able to transfer 180 kilobits per second.
ADVANCES: SPEED, SIZE AND NEW MEMORIES
Larger storage is becoming a necessity as biometrics are used for multi-factor authentication, says Neville Pattinson, vice president for Government Affairs, Standards and Business Development at Gemalto. “We’re starting to see pilots for contactless use of biometrics,” he explains. The Department of Defense is piloting systems that store a biometric template on the card but do the matching on the server. Another change on the horizon for contactless is the use of flash memory instead of EEPROM, Pattinson says. Once flash memory chips are widely available, the chips will have larger memory capacity and enable easier formatting. Instead of requiring the operating system and applications to be burned into the chip at the point of manufacture, flash memory can be formatted in the field by the issuer. With EEPROM the operating system and applications had to be “masked” separately from personalized data, a process that could add months to the production time for EEPROM chips. These newer flash chips ease this burden, and should be widely available in the next 18 to 24 months, Pattinson says. It is with these new flash chips that higher data rates may really benefit issuers. Higher speeds can be beneficial for some of the new applications, but in many cases it is more crucial during the document’s creation than during future use in the field. When flash memory is used for passports, for example, manufacturers need to load large amounts of data including operating system code to every card during the document production process. In such cases, the high-speed capabilities – referred to as Very High Bit Rates or VHBR – can save time and money. At the point of reading the passport in the field, however, the standard communication speed of 848 kbps – defined in the ISO 14443 contactless industry standard – remains the norm. Insiders say it takes just 3 seconds to read a passport chip in the field, a small fraction of the time it takes to progress through gates, present documents and biometrics for comparison and talk to officers.
Another change has come as application programmers have become more efficient when it comes to coding for contactless, says Philip Andreae, vice president for Field Marketing North America at Oberthur Technologies. And there is a switch to a different type of processor. “Silicon manufacturers are moving toward RISC-based processors, shrinking the execution time of a command,” he adds.
Another major leap in terms of security is the introduction of chips that do not store critical information, such as secret keys, but rather generate it at every transaction based on the “chip DNA,” known as a Physical Unclonable Function. While the introduction of these and other emerging technologies opens new doors for contactless, it also creates new challenges for the industry in terms of security and standardization. Current security evaluation schemes such as Common Criteria have been validated over the past 20 years on traditional contactless chips and approaches. The introduction of new memory technologies and communication protocols will bring new attack scenarios, and thus new protection profiles and safeguards are needed. The industry is already working to define these new security standards, in order to enable mass adoption with a similar level of security as the previous generation of products.
STABLE STANDARDS
Contactless smart cards use the International Organization for Standardization’s ISO 14443 standard to communicate. This standard has parts A and B that denote slight differences in the spec, but these aren’t as much of an issue as they were a few years ago. “It’s been put to rest,” Borchert explains. “The readers are supporting both types at the same time and it’s no longer a topic of contention.”
Another change has been how the cards are constructed. A contactless smart card has an embedded integrated circuit chip that contains the applications, data and memory that make the card functional. The chip and the antenna are embedded in the layers of different substrates that make up the identity card or document. In the early days, there were issues from time to time with the antenna and IC connection breaking. Today, however, new manufacturing techniques encapsulate the chip and antenna, leading to greater durability and a 10-year lifespan, Borchert explains.
OTHER FORM FACTORS
Another change is that contactless technology is being ported to form factors beyond cards and documents. Wearables are embedding the technology, and then there’s the ever-present mobile device. Contactless smart card technology and the ISO 14443 standard is the same technology that’s used in near field communication. With Apple Pay and Samsung Pay taking advantage of NFC, the same technology is being used in an entirely different form factor, says Andreae. It’s only a matter of time before this technology is enabled to do even more than make payments, Andreae explains. Transit agencies around the globe are moving to open-loop systems so these technologies can be used for access. Hotels and other consumer service industries are also increasingly using the technology. It won’t be too long before NFC is included in laptops, PCs and tablets, Andreae says. In this way consumers can use their phone or a card as an additional factor of authentication when accessing secure sites or making purchases. Another important aspect of the NFC adoption is the ubiquity of reader infrastructure. Governments and businesses no longer need to rely on heavy hardware infrastructure investments for rolling out nationwide contactless card schemes, because the new use cases rely more on developing apps on these consumer devices, explains NXP’s Barbu. Even with different form factors emerging, contactless cards continue to grow in both numbers and capabilities. Next generation chips are capitalizing on the stable foundation constructed during the previous two decades, while amping up speed and capacity. This opens new doors and is paving the way for an even brighter contactless future.
Contactless flavors
While the differences between these contactless flavors – or specifications – are often minor, there are some proprietary or custom variations of contactless smart card technology. Here’s a sample:
Open standards
When it comes to the largest of issuances, such as open system payment cards and electronic passports, banks and countries have gone with purely standard 14443 technologies. An open architecture was a necessity for these projects because of the millions of documents that would be produced and the variety of places the information on the credential would have to be read.
HID iCLASS
HID’s iCLASS platform operates at the 13.56 MHz frequency like its fellow contactless providers, but it uses the less common ISO 15693 standard. The different standard enables a longer read range and longer keys for enhanced security.
LEGIC Prime and LEGIC advant
LEGIC’s original 13.56 MHz contactless technology, LEGIC Prime, predates the development of the ISO standards for contactless. While Prime has been widely used since its launch in 1992, a newer line, advant, is now available. The LEGIC advant system is a set of products that includes cards, readers and applications. LEGIC ensures its card readers are compliant with both the ISO 14443 and ISO 15693 standards as well as its own proprietary technology.
NXP Mifare DESFire
NXP’s DESFire is the next generation after MIFARE. The ISO 14443A-standardized chips are Common Criteria EAL4+ certified and can hold up to 28 different applications. DESFire chips are capable of using 2KTDES, 3KTDES and AES128 cryptographic methods. Unlike the proprietary contactless flavors, it is fully compliant with both ISO 14443 and the ISO 7816-4 file system specifications.
NXP Mifare
NXP’s family of MIFARE card and reader ICs is the precursor of the ISO 14443 Type A standard. MIFARE cards support multiple applications, each capable of operating independently of the others through user-definable key sets and access conditions.
Sony FeliCa
Sony’s FeliCa could be the most varied of the contactless flavors, complying with a different ISO standard. It was introduced to the Japanese market in 2001. FeliCa is based on the ISO 18902 standard that defines near field communication.
EEPROM vs. Flash memory
While flash memory is common to most people using USB drives and even some computer hard drives, the smart card industry hasn’t been as quick to use the technology. Instead, smart cards have relied on electrically erasable programmable read-only memory (EEPROM). A change, however, has long been on the horizon. One of the main reasons is speed. EEPROM memory can only be written and erased one byte at a time, so formatting these chips can take a bit of time. The time it takes to initially load information to cards has been a drawback. Flash memory erases slower but writes much faster than traditional EEPROMs. This makes it possible to fully set up and personalize flash chips in the field, rather than “masking” the operating system code and applications at the point of manufacture.
AVISIAN Publishing – publishers of re:ID magazine and SecureIDNews – is pleased to announce the winners of the inaugural Women in Biometrics Identity 2015 awards. The awards were presented at the Borderpol North American Meeting on Sept. 10 at the DuPont Circle Hotel in Washington, D.C. The judges ultimately selected five awardees from more than 50 nominations received. The winners are:
Janice Kephart, CEO, Secure Identity & Biometrics Association
Kimberly A. Mills, director, Entry/Exit Transformation Office, Office of Field Operations, U.S. Customs and Border Protection
Celeste Thomasson, president and CEO, MorphoTrak
Cathy Tilton, chief technologist, Biometrics, CSC – North American Public Sector, Science & Engineering
Patricia Wolfhope, program manager, Department of Homeland Security, Science and Technology Directorate
“It was a true pleasure to oversee this inaugural award process and learn about the tremendous achievements and contributions from the 50-plus nominated women,” says Chris Corum, executive editor and publisher, AVISIAN Publishing. “The final awardees exemplify the best attributes an industry can hope to find in its leaders – innovation, dedication and a mentoring spirit.”
Janice Kephart
CEO, Secure Identity & Biometrics Association
Janice Kephart was working on the 9/11 Commission when she uttered something that stuck. “I think the phrase that everybody knows is ‘assuring that a person is who they say they are.’ It’s kind of a benchmark phrase for the industry and for government in all kinds of ways, and now for the commercial sector as well,” Kephart says. Biometrics became a big part of Kephart’s work after the September 11 attacks, but she’s been involved with the identity market since the late ’90s. She served as counsel to the Senate Judiciary Subcommittee on Technology and Terrorism, where she was responsible for conducting investigations into counter-terrorism issues and had oversight of the Immigration and Naturalization Service. She put together the only Congressional hearing into the foreign terrorist threat prior to 9/11. After the attacks, she signed on as counsel to the 9/11 Commission. The panel was charged with compiling the circumstances surrounding the terrorist attacks in New York and Washington and providing recommendations to prevent future attacks. “We realized that there must be a better way to identify somebody in a way that they can’t lie about it, and that came down to biometrics,” Kephart says. The commission concluded its work in 2004 in the early days of biometric technologies. “Today, we have huge varieties of biometrics – all extremely accurate and mature technologies – that help prevent identity theft and secure both the commercial and public sectors.” Kephart founded the Secure Identity and Biometrics Association (SIBA) in early 2014 to promote use of these important technologies across both government and enterprise markets.
Kephart says her most significant accomplishments came as a result of her work on the 9/11 Commission:
The U.S. has largely implemented the commission’s recommendations into the use of biometrics. “The Office of Biometric Identity Management at the Department of Homeland Security does more than 300,000 identity transactions per day,” Kephart says.
Everybody crossing the U.S. border must now present a passport and can no longer just orally declare citizenship.
Minimum identity standards are required for driver licenses. “Controversial, yes, but it has driven assurance and ushered in massive reductions in identity fraud,” she says.
More secure processing at ports of entry using biometrics. Foreign nationals have to provide ten fingerprints and have their pictures taken, and many other biometric initiatives are underway.
Kephart says her work in biometrics has sometimes been an uphill battle. “There have been many times when women have not been perceived as a great value to the industry. We are engineers, leaders, great advocates, and we have much that we can offer to the industry,” Kephart says. “I think it’s beginning to break through, but it’s taken quite a while.” Her future plans include work around biometric access control in various sectors. “There are many forms of access: cyber access, physical access, border control. So there are places that still need work,” Kephart says. “Probably the biggest one is the implementation of a biometric exit for immigration at both our land and air ports of entry.” She also wants to see more collaboration with international partners. In the meantime, SIBA is thriving. “To me, this award shows that our trade organization is the leader in advocacy and I hope we can build upon it,” Kephart says.
Since this interview, Kephart left SIBA to work with MorphoTrak.
Kimberly A. Mills
Director, Entry/Exit Transformation Office, Office of Field Operations, U.S. Customs and Border Protection
Kim Mills was working in the U.S. Visitor Immigrant Status Indicator Technology (US-VISIT) program in 2004 when Congress mandated that the Department of Homeland Security implement a biometric-based entry and exit system. “At the time, I was responsible for the systems that U.S. Customs and Border Patrol (CBP) used on entry, and there wasn’t an exit system. We’d get the manifest data, but there wasn’t really what you’d call an exit system,” Mills says. “I had to develop a way to take the current method used by CBP officers to process travelers arriving in the United States and incorporate biometric verification into that process. That’s basically what led me into biometrics.” US-VISIT implemented the first portion of the biometric entry process, integrating biometrics into the arrival process for foreign nationals. Over the next few years, this rolled out across all ports of entry – air, land and sea – using ten-fingerprint enrollment. “We’re never going to go away from fingerprints because they add such an enforcement benefit to securing our nation,” Mills says. “But we want to start introducing different biometrics such as face or iris.” The exit component of the mandate turned out to be more challenging, as field trials failed to yield an easily adaptable biometric exit solution. In 2007, Mills’ work moved to CBP. She was there in 2013 when Congress transitioned the biometric entry/exit operations into CBP, leading to the creation of Mills’ current position as director of the Entry/Exit Transformation Office. Today she is focused on implementing a biometric exit solution, as well as enhancing the way biometrics are used during entry. “We’re transforming how the entry and exit process is done,” Mills says. “We’re not only looking for a high assurance that the person departed, but it’s an identity verification that you’re not just utilizing somebody else’s travel documents.” Mills says the current exit system is robust but based on biographic data only. Airlines can provide manifests of travelers, but no verification of actual identity. “Now we know your travel document departed, but biometrics can add that high assurance that it really was you that departed as well,” she explains.
Mills counts as her accomplishments:
The successful integration of biometrics into entry processing. “It has single-handedly eliminated Visa fraud. You can no longer wash a Visa or fraudulently create a Visa because that document is tied to fingerprints, and when you arrive at the ports of entry, we’re verifying that information,” she says.
More innovative biometrics such as facial recognition for returning citizens. “We can compare the photograph that’s stored within an electronic passport to a live capture to ensure the person that’s presenting that passport is really the person that the passport was issued to,” says Mills.
CBP’s implementation of initiatives like handheld biometric devices for data collection at airports. “We’re putting technology in the hands of officers that can actually go out to a departure jet way or passenger loading bridge and conduct a real-time fingerprint verification on a traveler that’s departing the United States,” she says.
Mills says her goals are the successful implementation of a biometric exit solution and a streamlined biometric entry process. “I’d like to see technology tell officers who a person is so that it takes all that administrative processing away from the officer, and we can speed travelers through our ports of entry,” Mills says. “I want to make sure I stay current on what’s next and how I can incorporate that into our operational processes because we’re really trying to take the lead again for biometrics. We did in 2003-2004 when we put fingerprints out there, and now we’re looking to take that lead again in terms of innovation.”
Celeste Thomasson
President and CEO, MorphoTrak
Celeste Thomasson’s first major involvement with biometrics came about five years ago while she was general counsel for international technology group SAFRAN. “I played a significant role in the largest biometric company acquisition I believe in the industry, which was SAFRAN’s acquisition of L-1,” Thomasson says. “That was the most significant sort of trigger for me to take the position that I have today at MorphoTrak.” Her fascination with the technology’s potential to change our world, however, came years earlier. “I have been interested in biometrics since it really emerged as a science back in the early 2000s,” she says. A defining moment in her career came in 2005 when Sagem and Snecma merged to form SAFRAN. “I was in the aerospace part of the business at the time, and that’s when the whole biometrics business came into the group,” she explains. In 2009, SAFRAN acquired Printrak, the biometrics division of Motorola, and MorphoTrak was formed. Thomasson took over as president and CEO of SAFRAN’s MorphoTrak at the start of 2014.
Among her significant accomplishments at MorphoTrak, she counts:
Retaining and attracting the best talent. “We’ve been expanding our internal expertise and bringing on some of the best talent in the industry in subject matter expertise, facial recognition, integration, cybersecurity, video analytics,” Thomasson says. “The areas that we see coming up in the future as being areas where our customers will need solutions.”
Optimizing company operations to be more agile and closer to customers. “We announced in February of this year that we’d be consolidating our west coast operations into a new facility in Anaheim,” Thomasson says. “We expanded our operations in Alexandria, Va. to be close to our federal customers, and we are opening an office in West Virginia close to the FBI’s Criminal Justice Information System which is a very critical customer and user of our technology in the next generation identification system.” She also led the company into an expanded technology partnership with West Virginia State University.
Thomasson says her future includes bringing more technology and solutions to the marketplace for customers ranging from law enforcement and border control to the commercial space. “I’m very much dedicated to the missions of our customers to be able to provide technology such as the contactless fingerprint technology, the MorphoWave, which won the best new product at ISC West this year,” Thomasson says. She sits on the board of the International Biometrics & Identification Association and supports corporate memberships in additional industry associations including the Security Industry Association and the Secure Identity & Biometrics Association. Since Thomasson took control of MorphoTrak, the company has focused on advancing biometric technology. Being a woman in this industry, she says, hasn’t been a hindrance. “I suppose that similar to other science and high technology companies, the percentage of women in leadership roles is probably lower than in some other areas,” Thomasson says. “I’m supported by a very strong team here within Morpho, and the technology performance speaks for itself. So, I don’t at all see it as something that would hold me back or hold the company back. I think we’ve shown over the past 18 months that’s not the case.”
Cathy Tilton
Chief technologist, Biometrics, CSC – North American Public Sector, Science & Engineering
Cathy Tilton has been in the biometrics industry for more than 20 years, though she’s always worked in non-traditional fields. “I majored in engineering in college in the ’70s, a time when there weren’t many women in the field. Then I went in the Army, where I was an officer. It was a male dominated environment at that time, never mind working as an engineer in industry,” Tilton says. “I’ve always found that if you focus on your work, if you see yourself in that light, that others will see you the same way.” She recently joined Virginia-based Computer Sciences Corporation (CSC) as chief technologist for biometrics. Prior to that, she was vice president for Standards & Emerging Technologies at Daon. She served as principal investigator and project manager for Daon’s NSTIC pilot, delving into the use of mobile biometrics for strong online authentication in a federated identity environment. Tilton’s career veered toward biometrics in the early ’90s while she was putting her systems engineering background to work on complex defense systems for Unisys. “The FBI was seeking to create the Automated Fingerprint Identification System (AFIS). We were one of the three teams that were contracted to develop prototypes for AFIS. So that’s how I put my foot in the water,” Tilton says. “I found it extremely interesting and learned a whole heck of a lot about fingerprinting during that project.” She went on to join small companies working in the biometric space – both government and commercial – on a wide range of applications from computer logon apps to a large national ID system. She has seen tremendous changes in biometric technology and says it took longer than expected for the industry to take off. “I remember from the early days back in the mid to late ’90s, there was a lot of hype around the technology,” Tilton says. “It was disappointing in many cases because it took a while to build up to where we are today.”
Tilton counts as her accomplishments:
Contributions in the area of biometric standards. “While I was at a company called SAFLINK – the first company that actually built a biometric software development kit – we worked with a variety of different fingerprint sensors and algorithms,” Tilton says. “We were approached by NSA, and we worked with them to create an industry committee to look at something called the Human Authentication API. That wound up getting pulled into an effort called BioAPI.”
Biometrics and e-authentication. Tilton chaired the group that developed the “Study Report on Biometrics in E-Authentication” within INCITS M1. She also chaired the Standards Coordination Committee of the Identity Ecosystem Steering Group (IDESG).
Biometrics with smart cards. Tilton contributed to the Transportation Worker Identification Credential (TWIC) card and reader specifications. TWIC is a program to improve security at transportation facilities by creating a secure, nationwide biometric credential. “The TWIC work wound up informing the PIV program and a lot of the work with how biometrics and smart cards are used synergistically,” she explains.
Her new role as a biometric subject matter expert for CSC is a departure from her years with a commercial product company. “In a way I’m moving back to my roots both from an engineering point of view and also from a broader biometric technology point of view with the type of applications that I’m looking at,” Tilton says. “So I just see myself continuing to support CSC’s customers and the industry in that way.”
Winter 2015
Patricia Wolfhope, Program Manager in Biometrics for the Department of Homeland Security, Science and Technology Directorate. Patricia Wolfhope joined the biometrics industry after her then 7-year-old daughter was almost abducted. At that time she was working at the Defense Advanced Research Projects Agency and was shocked that law enforcement wasn’t taking advantage of the different technologies available to catch perpetrators. “It blew my mind that state and local police weren’t using technology to their benefit,” Wolfhope says. “I was working with the police and I realized that they were behind the curve on adopting the technology that was out there because it wasn’t ready for everyday use.” Wolfhope left DARPA and went to work with the U.S. Department of Justice, helping state and local governments better use the science and technology available. “I found it so rewarding to find bad guys using science,” she says. When a position opened up at Homeland Security in the Science and Technology Directorate, Wolfhope jumped at the opportunity. Since then she’s been focused on enabling law enforcement to use mobile biometrics in a variety of use cases. One project that she is particularly proud of deals with latent fingerprints and the Stockton, Calif. Police Department. The department is able to use mobile scanners to capture latent fingerprints at a crime scene and get responses within three to five minutes while still at the scene – a process that had previously taken weeks or months. “This is changing how law enforcement does their job, enabling them to get ahead of the bad guys,” Wolfhope explains. Another project used facial recognition technology. Wolfhope is creating a system that identifies child exploitation victims in photos and videos that are being transmitted by pedophiles. Non-cooperative facial recognition systems – like those used to identify abuse victims – are needed to spot individuals for a variety of reasons.
“Wolfhope has led the charge when it comes to bringing face recognition automation to front-line investigators who rescue child victims of abuse – typically child pornography – and bring the perpetrators to justice,” says Rick Lazarick, chief scientist for Biometrics at CSC and nominator of Wolfhope. “Her funding has been used to develop enhanced investigative tools, and to annotate video and still imagery of victims and perpetrators.” In the future, Wolfhope sees additional use of mobile devices to identify individuals. For example, the Science and Technology Directorate created an add-on for a mobile device that will be able to capture iris, face and fingerprints for enrollment and search capabilities. Homeland Security’s U.S. Border Patrol will use this system to enroll persons crossing the border illegally and then track detainees in a detention facility. With up to 1,000 detainees held in different areas who had to be moved to clean cells or for other activities, the device was used to keep track of them and make sure they were in the right place. Similar systems can also be used to identify guards. Often after a prison riot, guards will be attacked and prisoners will take their uniforms and try to escape. This type of system can confirm a guard’s or prisoner’s identity. These mobile systems involve a commercial off-the-shelf tablet outfitted with a sleeve that adds the biometric functionality, says Lazarick. “In one instance, the sleeve includes a PIV reader and fingerprint sensor and supports a three-factor authentication time and attendance system,” he adds. “In another instance the sleeve will be multimodal, with iris and fingerprint, to augment the tablet’s internal face camera.” With all these systems it’s important that they work well in the field, something that can be overlooked. Wolfhope works with officers in the field to make sure that these devices work as advertised. “I get out in the field to see the end results and see this technology in action,” she explains.
“You can develop a prototype but then you need to take it into the field and make sure it can be used to perform the necessary functions.”
MORPHOBIS IN THE CLOUD EMPOWERING BIOMETRIC IDENTIFICATION AT THE NEXT LEVEL CRIME SOLVING CAPABILITY – EMPOWERED SYSTEM AVAILABILITY – UNLEASHED COLLABORATION POTENTIAL – UNLIMITED
MorphoBIS is now empowered by a CJIS and FedRAMP-compliant cloud platform, ensuring that your data is secure, resilient, and highly available. Flexible options allow you to choose the structure that suits your needs: Disaster recovery with system replication in the Cloud, a standard AFIS solution with a Full Cloud solution, or a tailored AFIS solution with a Full Cloud solution. Our cloud solution also features unlimited scalability, allowing your database and system throughput to expand as your needs grow. With MorphoBIS in the Cloud, you can future proof your technology investment with the best-in-class biometric identification solution.
MorphoTrak Contact Us: 1-800-368-9505 • www.morpho.com/USA 5515 E. La Palma Ave. Ste. 100 Anaheim, CA 92807
CLEAR RESURRECTED: EXPEDITING ENTRY AT AIRPORTS, STADIUMS GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Registered traveler programs are booming as airlines welcome record numbers of passengers. CLEAR, one of the programs that started it all a decade ago, is back and now operating in 13 U.S. airports and three Major League Baseball stadiums. The original incarnation of CLEAR launched at Orlando International Airport in 2005 and quickly grew to more than 18 airports. But it was hit with bad publicity in 2008 when an unencrypted laptop containing personal information of 33,000 CLEAR users disappeared. The Transportation Security Administration suspended new enrollment, and in June of 2009, the company went bankrupt. The following year, new investors emerged. “We bought the assets out of bankruptcy in early 2010, and we relaunched the business in November of 2010 at Denver International Airport and Orlando International Airport,” says president and CFO Ken Cornick, one of the co-founders of the new CLEAR. “We had nothing to do with the old company.” The new team saw the potential for a viable business by implementing a better cost structure and holding growth to a manageable pace. “We saw a sort of beloved product. People really loved the service,” Cornick says. “Who wants to wait in line at an airport? Users were missing the service and they wanted it back.” CLEAR customers can sign up online or at a participating airport. They complete the registration in person by showing an ID and having their fingerprints and iris image captured. A CLEAR card with a contact chip is issued as the identification credential for an annual fee of $179. “Once you’re enrolled, you can walk over to the security checkpoint and use CLEAR immediately,” Cornick says. Users scan their boarding pass, tap their finger, and move directly to the physical screening. “You’re getting your ID checked and your boarding passes validated,” he says.
“That’s the first step, and that’s where CLEAR provides an efficient, predictable experience so you know you’re going to get through the process in generally five minutes or less.” Cornick would not disclose enrollment numbers, but he says the business is thriving and just began operations at its thirteenth airport in Austin, Texas.
NOT JUST FOR AIRPORTS CLEAR is expanding its business model beyond airports. Major League Baseball now requires all 30 of its teams to screen fans using hand-held metal detectors or walk-through magnetometers, and CLEAR is expediting access at the Colorado Rockies, New York Yankees and San Francisco Giants stadiums. The partnership with the Giants was CLEAR’s first expansion outside of the travel industry. The team and the company spent about two years trying to find the easiest and most efficient way to usher fans into the stadium. Beta testing of the program began at AT&T Park late last year, and it was opened to all Giants fans this season.
“A facility of any real size has to be safe for fans, and magnetometers were not going to be optional. They were going to be a requirement at some point, and we wanted to try to get ahead of it,” says Jason Pearl, senior vice president of sponsorship and business development for the Giants. “Knowing that our fans are technophiles in many ways and willing to be early adopters of technology, we felt like we could be the right market to implement something like CLEAR,” Pearl says. “But it took us a while to figure it out because it’s fairly complex from a marketing and public relations standpoint – determining who gets to use a CLEAR entry and why. So, figuring out what the rules are was just as important as making sure the technology was working.” For now, the stadium has one CLEAR lane open and CLEAR personnel operate it. “You put either your thumb or two fingers down on a tablet and it biometrically recognizes who you are,” Pearl says. “If you are verified, your face pops up on the tablet and a green light goes off which tells everybody that you are now clear.” The Giants started with a small group of fans to see how the traffic would flow. As enrollment increased, organizers had to make sure the CLEAR entrance wasn’t so clogged with users that it was slower than the regular entrances. At the same time, other fans were adjusting to the magnetometers. “CLEAR has been a fantastic partner helping us work with Major League Baseball’s security personnel to confirm that the algorithm that allows us to know that a fan is clear, if you will, is something that meets that standard,” says Pearl. CLEAR users must still submit to bag checks, just like other fans, but they avoid waiting in line to go through the magnetometer. “We haven’t had any push back whatsoever,” Pearl says of the CLEAR option. AT&T Park sells out at just under 42,000 seats. So far, more than 11,000 Giants fans have been verified with CLEAR. That number doesn’t include fans who may already be CLEAR members at airports. The airport membership can be used to get into AT&T Park without the need for a separate verification, and Giants fans can apply to use the service as well. After signing up with CLEAR online, enrollment can be completed at a kiosk in front of the ballpark. “This is about the community of our fans having a better process,” Pearl says. “Even if only 10% of our fans are coming through the CLEAR entrance and being verified, it’s a better process for the other 90%, too.”
EVEN IF ONLY 10% OF OUR FANS ARE COMING THROUGH THE CLEAR ENTRANCE, IT’S A BETTER PROCESS FOR THE OTHER 90%, TOO
CLEAR OFFERS SERVICE IN TANDEM WITH TSA PRECHECK The TSA launched its expedited security screening program, PreCheck, in October of 2011. It’s grown to more than 150 airports with 12 participating airlines. The $85 fee is good for five years of PreCheck status. According to the TSA, more than 1.5 million travelers are enrolled in PreCheck. MorphoTrust USA’s IdentoGO service handles enrollment at more than 330 application centers around the country, soon to expand to more than 400 centers thanks to a partnership with tax service provider H&R Block. Registered traveler programs like CLEAR are not affiliated with PreCheck, and some travelers may enroll in both programs. CLEAR members who are enrolled in PreCheck can use the CLEAR lane to avoid long security lines and have their boarding passes scanned. They can then move to the PreCheck lane where they get a new round of perks. Unlike the other passengers, PreCheck users don’t have to remove their shoes, belts, jackets, liquids or laptops. By comparison, CLEAR performs background checks and biometric scans to verify customers who are permitted to go to the front of the line for the physical screening. After their boarding passes and travel documents are checked, their special privileges end. They still have to take off their shoes and perform the other tasks like other travelers, but they get to go to the front of the line. While the TSA is encouraging as many air travelers as possible to enroll in PreCheck, the team at CLEAR sees a lot of applications for their platform beyond airports and stadiums. The company is eyeing real estate next. “If you go to a New York City building, you’re showing your driver license. They’re scanning it and taking a picture of you. It’s a pretty inefficient process,” Cornick says. “So we think there’s opportunities for secure biometric identification in things like building access, and there’s many other applications.” “When we bought the business, our vision was always to create CLEAR as a secure identity platform that could be used anywhere a secure transaction was required,” Cornick says. “The vision all along was to expand outside of the airports.”
THE CHALLENGES OF AIRPORT ENTRY AND EXIT IN THE U.S. KELLY VLAHOS, CONTRIBUTING WRITER, SECURITY INDUSTRY ASSOCIATION
The United States may be the head of the class in a lot of things, but experts say it’s far behind the rest of the world when it comes to biometric solutions for entry and exit at major international airports. Global terrorism and a fluid migrant situation across Europe and the Americas emphasize the need to know who is coming into and out of the country. Other nations that serve as transfer points for tens of millions of international travelers a year are standing up technology that can identify and capture vital information about individuals while still getting them to their planes on time. But after more than a decade of trying, the U.S. government is still working on it. Nearly a year ago, a host of security companies decided to take a crack at it. The Airport Entry and Exit Working Group – a joint venture by the Security Industry Association (SIA) and the Security Identity & Biometrics Association (SIBA) – formed to offer a bridge to the Department of Homeland Security and U.S. Customs and Border Protection in the government’s quest for state of the art entry and exit screening for non-citizen passengers. “We see the working group as yet another example of where bridging the gap that often exists between private sector innovators and government decision makers can yield benefits to both,” says Jake Parker, head of government relations for SIA. He says the interaction has already had some positive effect. A series of federal statutes for biometric screening passed in 1996, and they gained urgency after the 9/11 attacks. A 2004 law required full implementation of biometric entry and exit for non-citizens. To date, biometric technology has been instituted at entry points at more than 100 international airports in the U.S. But the exit piece has yet to get off the ground. While there were pilot programs in 2004, 2006 and 2009, a lack of clarity over how exit screening would take place prevented it from progressing beyond the initial pilot studies. The latest effort, the DHS Apex Air Entry/Exit Re-engineering (AEER) project, is currently testing technology and processes for CBP at test sites. The Airport Entry and Exit Working Group, which consists of 19 biometric security industry companies, was invited to two site visits in the last year: the DHS Science and Technology Directorate’s Maryland Test Facility and the CBP Global Entry Enrollment Center at Dulles International Airport outside Washington, D.C. There are varying impressions of both sites by working group members who were there, but as Parker points out, they are at least grateful to be in the loop. He was at the Dulles test center, where the vendors were asked after the tour what the government could improve. “That is the kind of dialogue we need to have,” he says. According to member company representatives, the working group has had two key impacts. First, it has opened dialogue on the challenges of screening biometric technology, the testing of passport identification technology and comprehensive exit screening implementation. Second, it has spurred member meetings with government officials and testimony on Capitol Hill to promote both the policy and the solutions to back it up.
INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.
“By crafting a unified message for the Congress and speaking with one voice, we have created receptivity on the government side,” says working group member David Simon, COO of Secure Planet, a Virginia-based provider of mobile biometric verification and identification systems. For its part, DHS says it likes the open communication. “In a program like Apex AEER, close interaction with key private-sector stakeholders – especially U.S. and internationally-based airport, airline and biometric technology industries – is critical in understanding the physical and operational conditions,” says John Verrico, spokesman for DHS Science & Technology Directorate, which is the lead on the AEER program. Now that all stakeholders seem to be on the same page, notes Parker, “the challenge is to actually put it into practice.”
DHS’ APEX AIR ENTRY/EXIT RE-ENGINEERING (AEER) PROJECT IS CURRENTLY TESTING TECH AND PROCESSES AT A SERIES OF PILOT SITES IN AIRPORT LOCATIONS
WHY IS EXIT SO IMPORTANT? According to Janice Kephart, former SIBA CEO who testified before Congress in April, the evolving global terror threat involves sophisticated means of manipulating one’s biographical data – name, passport and other paper verification – and can enable terrorists to slip through borders undetected. This makes advanced screening critical. Biometric identification – face, fingerprints, iris – can be instantly checked against advanced passenger data and the Office of Biometric Identity Management’s core database. While getting a “hit” won’t necessarily mean a traveler will be stopped on the way out, officials will have better alerts to individuals on watch lists, outstanding warrants, and people who have overstayed their visas. The last is important because currently the U.S. government does not have updated and accurate metrics on annual overstays. “This data is vital for future decision-making by immigration, law enforcement and intelligence authorities after the fact,” testified Kephart. Improvements to biographical screening at the borders “can never replace the efficiency, accuracy and speed that biometric solutions provide to assure that people seeking entry to or exit from the United States are who they say they are – and are not associated with nefarious information,” she says.
A BUFFET OF SOLUTIONS Today screening at international airports ranges from capturing single or multimodal biometrics at simple automated kiosks at international boarding gates to more centralized capture at security checkpoints. Agents may use hand-held devices like tablets to obtain a traveler’s biographic and biometric data. “I think the government is looking for more off-the-shelf solutions,” said John Hernandez, senior industry analyst with Frost & Sullivan’s Aerospace and Defense portfolio. Working groups can help give companies with the right solutions a chance to get noticed, even if they are not associated with a big contractor. DHS is keeping its methods and what it is currently testing close to the vest, but it is clear from public statements that it is evaluating a variety of approaches. The facility in Maryland, according to the DHS Science & Technology Directorate, has been testing with a ready-made passenger manifest of 1,300 volunteers at a mock security gate to gauge wait times and efficiency. Reports suggest DHS is eyeing FY 2016 for the initial field trial.
MUNICIPALITIES LAUNCH CITY-ISSUED RESIDENT ID CARDS CREDENTIALS ENABLE AND CONTROL ACCESS TO LOCAL SERVICES AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
A growing number of cities are making it possible for residents to prove their identity to local agencies and institutions without having to present a driver license. With the adoption of municipal ID programs, local and state governments are issuing ID cards to residents – mostly undocumented individuals – who otherwise wouldn’t be able to obtain a traditional ID. Without documentation, immigrants, homeless and unbanked individuals lack the necessary forms of identification needed to open a bank account, check in to a health clinic or even visit a food bank. Cities including Los Angeles, San Francisco and more recently New York have been issuing municipal ID cards to qualifying residents. Others including Nashville and Charlotte, N.C. are exploring the possibility. Residents can use the ID cards to obtain city services, identify themselves to local authorities and enter city buildings such as schools. In some cities, the IDs enable cardholders to receive museum memberships and discounts at local businesses. Municipal IDs have been around since 2007, when the city of New Haven, Conn., rolled out the very first program in response to attacks on the city’s immigrant and unbanked populations. Immigrants were being victimized and targeted as “walking ATMs,” since they were less likely to have bank accounts and often carried large amounts of cash as a result. The last straw came for the city in 2006 with the murder of Manuel Santiago, a 36-year-old Mexican immigrant who was robbed and stabbed to death after cashing his paycheck. “It’s a public safety issue for cities,” says Paule Cruz Takash, director for business development and financial inclusion for SF Global LLC, an Oakland, Calif.-based company that administers municipal ID programs. “When criminals know that people get paid on a certain day, and that they don’t bank or are not able to bank, it means that these people are targets.”
“WE STRONGLY BELIEVE BEING RECOGNIZED IS A BASIC HUMAN RIGHT.” — RAQUEL CASTANEDA-LOPEZ, DETROIT CITY COUNCIL MEMBER
PAYMENTS PLUS IDENTITY Following New Haven’s ID card rollout, other local and state governments have expanded upon the concept.
In the San Francisco Bay area, the cities of Oakland and Richmond, Calif., launched municipal ID programs and rolled in payments card functionality. While ID-only cards are available in these cities, qualifying residents can obtain ID cards with a prepaid debit component. LaShonda White, senior management analyst for the city of Richmond, Calif., says that the city adopted its ID card program to improve public safety, increase civic participation and support local commerce. “All of those things are possible because it is a prepaid debit card and an ID card,” she says. Oakland has been offering municipal IDs for more than two years, while Richmond started enrolling cardholders a year ago. SF Global contracted with both cities to administer the card program, and the company is in negotiations to bring its combined payment and ID card to undisclosed additional cities. SF Global claims to have invented the first hybrid municipal ID/prepaid debit card. The company incubated its card out of its research center at UCLA and – in line with its self-described social mission – developed the ID program in response to mounting issues that plagued undocumented residents, including immigrants, homeless people, senior citizens and individuals released from prison. “For populations whose legal status is undetermined here in the United States, we knew this was an issue for them in terms of being able to get banked,” says Cruz Takash. “They would not be able to provide the required ID to open a bank account.” Residents who are 18 and older can obtain an ID-only card, and those who fulfill eligibility requirements can apply for a MasterCard-branded prepaid debit ID card. Residents can apply for the card at a church space that the city is using as an intake center for enrollment. To obtain an ID, residents still need to show qualifying documents to enroll in the program. Basic cardholder information is stored in a database so that various city departments can access it and provide services to cardholders. Right now the ID is a magnetic stripe card with built-in security features, although SF Global plans to switch to chip cards for the next round of IDs issued. Cruz Takash says SF Global anticipates enrolling about 10% of the population of each city it serves, based on poverty levels and racial and immigrant makeup. The company has issued about 6,000 ID cards in Oakland, and about 450 in Richmond. It costs $15 for anyone ages 18 to 65 to obtain a card, and $10 for anyone over 65. Although it could begin charging any other cities it serves in the future, SF Global is not charging a contract fee to Oakland or Richmond to provide the service since those cities were embracing a new program. City officials in Richmond would like to see the card help support local commerce in the future. They envision the card providing benefits to residents who use it to shop at local businesses.
MUNICIPAL ID PROGRAMS ISSUE CARDS TO RESIDENTS WHO OTHERWISE WOULDN’T BE ABLE TO OBTAIN TRADITIONAL ID. IT ASSISTS IN OPENING A BANK ACCOUNT, CHECKING IN TO A HEALTH CLINIC OR VISITING A FOOD BANK.
“I think that would make the card more attractive,” White says. SF Global has been training the city’s police department on what the cards look like and how to read them. The contractor also has been working to get the state motor vehicles department to accept Richmond and Oakland municipal ID cards as a form of identification for people to get driver licenses. “As long as the institutions are accepting of the process you go through to verify identity, I think the door will be open as to what institutions are going to accept this as a form of primary or even secondary identification,” White says.
NYC SETS BIG-CITY MODEL New York City is the most high-profile city of late to adopt a municipal ID program. In January, the city launched its NYC ID program and has since enrolled 530,000 cardholders, making it the country’s largest municipal ID program. “Response has been extraordinary,” says city spokeswoman Rosemary Boeglin. At the onset of the program, demand exceeded expectation, and the city had to implement an appointment-based system for enrollment. Appointments take about 20 minutes, and cards are mailed out to residents within 10 to 14 business days. Boeglin says the program enables the city government to work more effectively and efficiently by expanding access to the services, programs and opportunities available for city residents. “We believe it is vital for all of our city’s residents, regardless of immigration or economic status, to be able to access government, interact safely with law enforcement and feel secure in their communities,” she says. All city residents age 14 and older are eligible to receive a municipal ID card. Enrollment is free for anyone who applies during the first year of the program, with IDs being valid for five years. To establish identity in order to obtain an ID, applicants can use any of more than 40 documents, such as a foreign driver license, birth certificate, green card, utility bill or school ID card. Applicants need to present at least four documents. Of those documents:
• at least three need to prove identity
• at least one needs to prove residency
• at least one must include a photo of the applicant (if the applicant is over the age of 21)
• at least one must include the applicant’s date of birth.
Each ID features the cardholder’s photograph, date of birth, eye color, height and a unique ID number. The card is also available in 25 languages. The IDs come equipped with several security features, including an embedded hologram, an applicant signature, an engraved city seal and a secondary black-and-white “ghost” photo of the applicant. Technology firms PruTech Solutions, Inc. and MorphoTrust USA won bids to develop the card enrollment program for $3 million. The city also contracted with St. Paul, Minn.-based 3M to print the cards on polycarbonate card stock. Among the card’s uses, residents can access city services, check out library books and take the high school equivalency exam. The New York Police Department also recognizes the card. During the program’s inaugural year, cardholders receive free one-year memberships to 33 of the city’s cultural institutions, including the American Museum of Natural History and Central Park Zoo, as well as receive discounts on prescription drugs and health club memberships. Residents can also use the card to open a bank account at more than a dozen financial institutions. However, residents cannot use the ID to board an airplane, drive or obtain a driver license.
DETROIT DRAFTS ID PROGRAM
Following the attention New York received for its NYC ID, other cities have set the wheels in motion or are at least considering their own municipal ID programs. Detroit is positioned to be one of the next cities to roll out a program and could start issuing ID cards to residents as early as the first quarter of next year. Over the summer, the Detroit City Council drafted an ordinance to establish the program. City Council Member Raquel Castaneda-Lopez says the Council’s goal is to complete a final draft late this year and then launch the program in the first three to six months of 2016. “We strongly believe being recognized is a basic human right,” she says. City estimates indicate that 15% to 20% of Detroit’s 688,700 residents are in need of an ID, although its goal is to enroll 30% of the population, Castaneda-Lopez says. Neighboring Washtenaw County, Mich., implemented its own ID program earlier this year and has been assisting Detroit with the drafting process. The city is also working with libraries and local nonprofits to provide facilities where people can obtain the IDs. Costs of the program are still being determined. Castaneda-Lopez said the program will likely follow a similar model to that of New York, offering access to city services and discounts at local businesses, and might eventually consider linking the card to public transit. “We’re hoping to remove some of the barriers certain communities face in getting the recognition to take advantage of city and community resources,” she says.
SAVE THE DATE
June 15–17, 2016 • Westin City Center, Washington, D.C.
Join Us in 2016 at Our New Location, Westin City Center, Washington, D.C. WHY ATTEND • Learn the latest on legislative and regulatory matters affecting the security industry • Gain a better understanding of the market drivers at work in the government space • Network with government and private-sector decision makers
WHO ATTENDS • Security executives • Sales and marketing professionals • Security practitioners and policy specialists • Federal and Congressional staff
www.securityindustry.org/summit Security Industry Association
www.securityindustry.org
re:ID NATIONAL eID SERIES: MIDDLE EAST PACKS A PUNCH DESPITE SMALL ISSUANCE ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLICATIONS
Over the course of the year, re:ID has looked at the state of national eID credentials, breaking down the global market into key regions. The final installment of the series focuses on the Middle East, a region that in 2016 expects to see a significant boom in the number of issued eIDs. Acuity Market Intelligence’s “Global National eID Industry Report” suggests that the Middle East is set to see its most significant issuance volume next year, peaking at 40.2 million credentials issued. While these figures don’t quite reach the issuance heights of Asia or Africa, the Middle East does boast some advanced projects. The region also saw some of the early adopters of the credentials. “As with Europe, the Middle East boasts numerous multiapplication national eID programs that rely on advanced card technologies and include qualified electronic signatures,” says Maxine Most, founder and principal of Acuity Market Intelligence. Looking at the bigger picture, the Middle East’s eID volume share peaks in 2016, when the region accounts for 5.9% of global eID credentials issued. This percentage then drops slightly as global eID issuance rises and eID projects in the Middle East reach maturity.
DRIVERS IN THE MIDDLE EAST
As with other global regions, the drivers for eID programs in the Middle East include security, service and cost savings. Enrollment, adoption, interoperability and the rollout of e-services stand as the primary challenges to eID in the region. “Middle East governments are currently trying to prevent fraud and criminal activities, stop terrorist activity and enhance regional security,” says Jon Trader, director of communications for M2SYS. “As a result of that, many of the Middle Eastern countries have already adopted biometric-enabled eID systems, and many others are keeping it under consideration for the future.” Smart national credentials are a key component in enabling citizens to access e-government services. “There is the need for strengthening national security in order to safeguard citizen information,” Trader says. “Equitable distribution of public services like health care, financial and legal services is driving the adoption of eID in the region.” Beyond that, Trader says that political unrest and lengthy decision-making processes can also act as barriers to eID implementation in the region. Societal factors, he says, play a role as well. “Although the benefits and application area of eID systems are similar throughout the globe, factors like religious and social values make the Middle East market different from others,” Trader says. “Due to these factors society itself sometimes acts as a barrier, for example, to take photographs or perform biometric scanning on female citizens.” And yet, the Middle East is home to some of the more advanced eID programs in the world. “Countries that are economically strong and have sufficient infrastructure to deploy these systems include Saudi Arabia and UAE,” says Trader. M2SYS has worked on a number of national identity management projects throughout the region and still considers it a high-potential market, says Trader. The company has worked on the Saudi Arabian NGHA health care patient identification project, the Yemeni voter registration project and the UAE’s airport employee security project.
58
Winter 2015
OMAN AN EARLY ADOPTER
Bordering Saudi Arabia and United Arab Emirates to the west, Oman’s eID program dates back to 2002 when government officials were seeking a means to modernize its national registry and pave the way for eGovernment services. The country selected Gemalto as its partner on the project, and with its official deployment in 2004, the Omani eID credential became one of the first smart card-based eGovernment systems in the Middle East.
Global and Middle Eastern eID card volume forecast, unit forecasts (millions)

Year          2013   2014   2015   2016   2017   2018
Global         459    540    627    681    741    802
Middle East     23     30     30     40     24     23

Source: Acuity Market Intelligence, “The Global National eID Industry Report”

[Chart: National eID card volume share (The Middle East), 2013 and 2018, by country: Bahrain, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Oman, Qatar, Saudi Arabia, United Arab Emirates, Yemen]
With a population of roughly 2.9 million, Oman first had to establish a central population registry using data collected from disparate databases. Next it needed to link that data to twelve enrollment and issuance centers spread across the country. The Sultanate of Oman and the Royal Omani Police spearheaded the project. The Royal Police was tasked with selecting an eID credential that was versatile and open enough to enable future upgrades, so that the document had a sufficient lifespan and would not need to be reissued every time a citizen’s personal data changed. The card provides secure access to three main applications – identity, driver license and border control. Oman’s citizens and residents securely store their personal credentials on the cards,
UAE eID brings gov and payments
The objective of the United Arab Emirates’ new eID program is to promote both eGovernment and eCommerce in the country. In partnership with Gemalto, the UAE’s national ID acts as an official ID and travel document for Gulf residents, enables access to eServices and offers a range of functionality including an e-purse for handling payments to government bodies. Government and financial institutions have led the charge, promoting efficiency and convenience and making all manner of transactions easier to complete with the eID credential. Civil servants and their families in the Identity authority have been registered as early adopters.
including name, address, digital photo and fingerprints. The eID’s Java Card operating system provides the ability to accommodate future applications down the road. The inclusion of biometrics in Oman’s eID cards enables verification by portable terminals and automatic electronic validation at places like airport immigration checkpoints, among others.
SAUDI ARABIA
At the same time that Oman was pursuing its eID program, Saudi Arabia was laying the groundwork for one of its own. The Kingdom of Saudi Arabia selected a credential based on HID Global’s LaserCard optical media. In 2004, HID Global was also selected to manage the implementation of a new distributed card issuance system in 20 cities for phase one of Saudi Arabia’s program. In addition to writing the card management and personalization software, HID designed, integrated and installed 60 card personalization systems, trained local operators and provided ongoing operational support. The card itself features two machine-readable technologies in the form of optical security media and a contact IC chip. The optical media stores a high-resolution color portrait of the cardholder, their demographic information and a fingerprint template for automatic identity verification. The optical media also incorporates layered, visible authentication and security features to support reliable in-person document examination. The contact chip uses the MULTOS smart card operating system to manage Public Key Infrastructure transactions and stored demographic data. The card’s 2.86-megabyte optical stripe has more than adequate capacity to hold all required demographic and biometric information and can be updated over time as needed.
EID IN THE FUTURE
The Middle East makes up for its comparably smaller issuance numbers with a host of advanced, mature eID implementations that are on par with some of the world’s leading programs. Middle Eastern countries also show that the world isn’t just now coming around to eID credentials, but rather has been testing the waters for a decade or longer. Despite the odd holdouts, the future of national ID in the region undoubtedly belongs to the eID, with some forward-thinking countries already experimenting with mobile ID. These credentials offer the ability for citizens the world over to prove their identity as they travel across national borders as well as enable access to a myriad of valuable eGovernment services.
NSTIC THREE NEW PILOTS JOIN NSTIC RANKS INITIATIVES FOCUS ON HEALTH CARE, STATE GOVERNMENT AND THE IOT
The National Strategy for Trusted Identities in Cyberspace National Program Office awarded three new pilots – totaling $3.7 million – focusing on health care, access to government services and the Internet of Things. This year’s selections show that the program office is transitioning pilots to focus on filling more specific gaps in the marketplace, with a focus on privacy-enhancing technologies. The recipients of the latest round of grants include:
Galois – building a tool that enables users to store and share private information online.
HealthIDx – developing a privacy-enhancing technology that protects patients’ identity and information.
MorphoTrust – focusing on preventing the theft of personal state tax refunds.
This is the fourth year pilots have been awarded, with more than $23 million awarded over that time. NSTIC’s stated goal is to encourage private companies to create an identity ecosystem with secure, privacy-enhancing, interoperable digital identities for consumers.
NSTIC PILOT: GALOIS
Creating secure data storage and access for the IoT

Galois focuses on cyber security, primarily serving the U.S. government, and with its NSTIC pilot funding the company will build a tool that enables the storing and sharing of private information online. The data storage system will rely on biometric authentication. Project partners also plan to develop transit ticketing on smartphones and integrate the secure system into an Internet of Things (IoT) enabled smart home. The project starts with a product already built by a Galois spin-off company. Tozny is a password-free mobile system that enables users to access websites or apps just by logging into their mobile phone. “When your phone is the key, it makes it easier to use and more secure than passwords,” says Isaac Potoczny-Jones, Identity Research lead at Galois and CEO of Tozny. “This new NSTIC funding will support our development of a new privacy preserving personal data service. The goal is to give users control not just over the login process but also in the storage and sharing of their own personal private data.” Tozny will be integrated with two production pilots. In the first, Galois is partnering with smart home company IOTAS for its work in apartment buildings. “Their approach is neat in that it focuses on apartments instead of having users directly purchase and integrate smart home products in their own homes, which can be a little bit of a barrier to adoption,” Potoczny-Jones says. Instead, renters find those products already integrated when they move in. “We’re integrating our password-free authentication system as well as our personal data service with their smart home IoT system.” The other pilot involves mobile transit company GlobeSherpa, which handles mobile tickets for Portland’s TriMet and a number of other U.S. based transit systems. Again, the team will integrate the password-free login to remove the challenge for users trying to type in letters and numbers as they run for the bus or do any number of things on the go. “We want to give them a way to log in securely without a password and to store personal data such as what buses they ride and when, along with their habits, and in the end integrate these two systems together so we have the smart home system and the bus system,” Potoczny-Jones says. “With the user’s consent, they can choose to enable the sharing of data like ‘I’m on my way home from work, so I’d like my home to start warming up,’ for instance. These little pieces of information about your life are very private – when you’re home, when you’re traveling, and what kind of appliances you have. So you want the users to have as much control as possible over the storage and sharing of that data.” Tozny will serve as the developer and tactical lead on the project. SRI International, a nonprofit research institute, will provide a biometric authentication platform for login. “We’re looking at a gait-based biometric that enables passive identification of the user, again with their consent and with privacy preserving infrastructure in place,” he says. “It can identify the user while walking around, so by the time they get the phone out of their pocket to make a purchase of a ticket or to perform some other action, we already have a pretty high confidence of user’s identity.”

Galois was awarded $1.85 million for the first year, with work beginning in October. The pilot spans two years, so the company hopes the government will come through with additional funding. The partners will spend that time trying to prove that security and privacy can be built into new technologies from the ground up. Potoczny-Jones says that can only happen if security is easy to use by default. “That means easy for end users but also really easy for software developers and for companies to adopt and integrate into their product. We really aim to make privacy and security something that every single user can count on, and build a level of trust between users and the companies that process their information,” Potoczny-Jones says. “We can all do a lot more on the Internet if we all trust each other to do the right thing, and security and privacy are the foundation for those trust decisions.”

THIS NSTIC FUNDING WILL SUPPORT DEVELOPMENT OF A NEW PRIVACY PRESERVING PERSONAL DATA SERVICE. THE GOAL IS TO GIVE USERS CONTROL NOT JUST OF THE LOGIN PROCESS BUT ALSO OF THE STORAGE AND SHARING OF THEIR OWN PERSONAL PRIVATE DATA.
NSTIC PILOT: HEALTHIDX Providing federated identity in health care
The catalyst for the HealthIDx pilot is ensuring the security and privacy of electronic health records – to both provide patients and caregivers with fast access and at the same time protect them from theft by cyber criminals.
HealthIDx provides cloud-based, high-assurance identity and access management services. It was founded in April 2015 as a spinoff of ID.me – a digital identity network that enables consumers to prove who they are online while controlling how their information is shared. ID.me was awarded an unrelated NSTIC grant in 2013. “We’re in the business of issuing trusted identity credentials for the healthcare industry,” says Scott Lowry, founder and CEO of HealthIDx. “We would like to be, if you will, the VISA for identity in health care.” HealthIDx sees the industry moving toward a federated identity model with health care providers relying on trusted credential service providers and identity brokerage services. What’s missing, according to the HealthIDx pilot proposal, is protection of the end-user’s data at all stages of the brokerage process and subsequent data exchange. Currently, they see the risk of exposing end-user identities and health information to unauthorized individuals as significant. “Identity in health care relies much on the concept of federated identity,” Lowry says. “For federated identity to work, individual identity credentials must pass through something known as a trust broker. This trust broker bridges the gap between various identity providers who issue credentials and various relying parties who accept those credentials prior to providing the service.” The HealthIDx pilot proposes to deliver a privacy-enhancing technology that protects patients’ identity and information in this process. The project will pilot a “triple blind” technology, effectively blinding the identity broker by providing a secure key exchange protocol. The protocol, facilitated by the identity broker, will enable identity providers and relying parties to exchange session keys while remaining confidential from the broker. In traditional models, the identity provider and relying party don’t know anything about each other, but the trust broker sees both sides of the transaction. The goal of the pilot is to blind the broker to that transaction as well, because there are privacy and security concerns around the broker having knowledge of these transactions and possibly misusing confidential information.

HealthIDx intends to carry out two proofs of concept after the initial research and design phase. The first enables a health care system to trust a federated credential that is unknown to the health care system. According to the technical proposal for the pilot, the credential will be certified to an equivalent or greater level of assurance than the health care system requires and will be trusted as part of the trust fabric implemented in the pilot. The HealthIDx trust framework will provide the business, legal and technical requirements by which participants will abide. The second proof of concept surrounds interoperability between government and financial institutions. A user with a government-issued credential from an identity provider could use that credential in a commercial setting without being tracked across the ecosystem. HealthIDx will also promote interoperability with financial institutions plagued by privacy and government regulations that impose barriers to their participation as an identity provider. “This is, at the end of the day, a proof of concept to demonstrate that this technology can in fact be implemented and it is possible to blind the broker. It will then be up to the commercial marketplace to determine if this is something that is really needed and implement it in every instance of the trust broker,” Lowry says. “I think the federal government has indicated that it has a need for this type of technology, but whether it goes beyond the federal government remains unclear.”

The grant award is $1.6 million over two years, and the pilot includes several partners:
Hydrant ID is a provider of digital identity and advanced authentication services for securing data and systems as well as e-commerce transactions.
Covisint is a technology company and cloud platform provider.
SafeMashups was started in Silicon Valley by security industry veteran Ravi Ganesan, who is chief architect of the pilot proposal.
The partners will work to provide technology to the Identity Ecosystem that balances transactional anonymity while enforcing the trust framework’s secure, interoperable identity and attribute validation. “This notion of blinding the broker has been around as a concept, and a desire, for some time,” Lowry says. “I think we should all be thankful that the government has finally stepped up and said let’s take this from theory to reality and see if it really can be made to happen.”

HEALTHIDX WILL CARRY OUT TWO PROOFS OF CONCEPT. THE FIRST ENABLES A HEALTH CARE SYSTEM TO TRUST A FEDERATED CREDENTIAL THAT IS UNKNOWN TO THEM, WHILE THE OTHER TESTS INTEROPERABILITY OF CREDENTIALS BETWEEN GOVERNMENT AND FINANCIAL INSTITUTIONS.
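The blinded-broker idea described above can be sketched in code. What follows is an added illustration, not HealthIDx’s or SafeMashups’ protocol: the identity provider and relying party each send an ephemeral Diffie-Hellman value through the broker, derive the same session key, and use it to seal an attribute assertion that the broker relays but cannot read. The party names, the stand-in group parameters, the HMAC-based encrypt-then-MAC construction and the sample claims are all assumptions made for this example.

```python
"""Model of a key exchange relayed by a trust broker that learns nothing usable.
Added illustration; the group, cipher and claims are stand-ins, not a real deployment."""
import hashlib
import hmac
import secrets

# Stand-in finite-field group: a Mersenne prime keeps pow() cheap.  A real
# deployment would use a standard group (RFC 7919) or X25519 instead.
P = 2**127 - 1
G = 5


class Broker:
    """Trust broker: routes every message and keeps a copy of what it saw."""

    def __init__(self):
        self.transcript = []

    def relay(self, sender, recipient, payload):
        self.transcript.append((sender, recipient, payload))
        return payload


class Party:
    """Identity provider or relying party holding one ephemeral DH key pair."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2   # never leaves this party
        self.pub = pow(G, self._priv, P)

    def derive_session_key(self, peer_pub, idp_pub, rp_pub):
        shared = pow(peer_pub, self._priv, P)
        # Hash the shared secret with both public values so the key is bound
        # to this specific exchange.
        material = b"|".join(str(v).encode() for v in (shared, idp_pub, rp_pub))
        return hashlib.sha256(material).digest()


def blinded_exchange(broker, idp, rp):
    """IdP and RP agree on a key; the broker only ever relays public values."""
    idp_pub = broker.relay(idp.name, rp.name, idp.pub)
    rp_pub = broker.relay(rp.name, idp.name, rp.pub)
    return (idp.derive_session_key(rp_pub, idp_pub, rp_pub),
            rp.derive_session_key(idp_pub, idp_pub, rp_pub))


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Toy HMAC-in-counter-mode keystream; AES-GCM would be used in practice.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC an assertion so the relay learns nothing about it."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)                 # fresh per message
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("assertion altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def broker_saw(broker, value):
    """True if the value appears verbatim in anything the broker relayed."""
    return any(payload == value for _, _, payload in broker.transcript)


def demo():
    broker, idp, rp = Broker(), Party("idp"), Party("rp")
    k_idp, k_rp = blinded_exchange(broker, idp, rp)
    assertion = b'{"sub":"patient-42","loa":3}'      # constructed sample claims
    blob = broker.relay(idp.name, rp.name, seal(k_idp, assertion))
    return {
        "keys_match": k_idp == k_rp,
        "broker_saw_key": broker_saw(broker, k_idp),
        "broker_saw_claims": broker_saw(broker, assertion),
        "rp_read_claims": open_sealed(k_rp, blob) == assertion,
    }
```

The transcript check shows the broker holding only public values and ciphertext. The caveat a practitioner would add: a bare Diffie-Hellman exchange blinds a broker that behaves as a passive relay, but a broker that substituted its own public values would sit in the middle of the exchange, so the ephemeral values need to be authenticated (for instance signed under the identity provider’s and relying party’s long-term keys) for the blinding to hold against an active broker.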
NSTIC PILOT: MORPHOTRUST
Stop fraudulent state tax returns

MorphoTrust USA was awarded its second NSTIC grant, this time focusing on the prevention of tax refund theft. The project will involve driver license and taxation departments from the states of North Carolina and Georgia. The company’s previous grant was awarded in 2014 in partnership with North Carolina government agencies. That pilot focused on the creation of an electronic ID for accessing online services with the same security and identity authentication as in-person transactions. “We thought there was something else to prove that we could demonstrate to the marketplace, and that is the securing of a transaction outside of a live web session,” says Mark DiFraia, senior director of market development for MorphoTrust USA. “We thought that asynchronous authentication was really important to demonstrate. We also thought this tax refund theft issue was so big that it really needed an answer and that we were perhaps uniquely positioned to demonstrate one.” The pilot focuses on the issue of tax refund fraud at the state level, where a criminal submits a tax return in someone else’s name and steals the refund before the victim has had a chance to file. It’s a huge headache for the federal government as well, but this pilot specifically deals with the problem at the state level. The project seeks to show how to leverage trust created during the online driver licensing process – which includes verification through biometric identification – to then create trustworthy electronic IDs. MorphoTrust and its partners will set out to prove that a user can secure an online session that includes logging into a website and performing transactions in real time with a secure electronic ID based on the trust of a driver license. They’ll also show that a user can secure a transaction that will happen in the future. “In many ways, this example is a preventative action that the taxpayer can take to prevent somebody from being able to perpetrate fraud on their tax ID account with the Department of Revenue. That’s a very different approach to what’s been going on in the marketplace now, which is typically a reactionary approach,” DiFraia says. “Things that we have that are identity protections typically occur after the fact. We get notified and then we can go take some action. This is a measure you can take to prevent the theft or fraud from happening to you in the first place.”

MorphoTrust is partnering again with the North Carolina Department of Transportation, which will continue issuing electronic IDs to state residents. The North Carolina Department of Revenue is joining the team, as is the Georgia Department of Driver Services and the Georgia Department of Revenue. The project will enable users to log in securely to the Revenue site, put a virtual lock on their tax ID, and authenticate later when a tax refund is filed in their name. The Georgia Technology Authority will assist in determining how lessons learned from the pilot may be extended throughout the state. Commercial partner H&R Block will help get the word out to taxpayers in both states that the service is available. The total grant award is $1.8 million over two years, and the timeline requires that the project be aligned with the tax calendar. “We’re going to really engage the departments of revenue in their heavy lifting after the close of the tax cycle in April with an eye towards being live and available for people to go in and put that protective lock on their tax ID account in the fourth quarter of 2016. That makes sure that everybody’s ready for the 2017 tax cycle,” DiFraia says. MorphoTrust’s arrangement with the National Institute of Standards and Technology includes the ability to work in tandem with more states as the pilot project is carried out. This gives states that want to participate a chance to join sooner instead of having to wait until the 2018 tax season. “This is one of those problems that people are now increasingly aware of, even fearful of, but there’s really not a whole lot you can do proactively to prevent it from happening to you,” DiFraia says. “We really wanted to make this available as widely as we possibly can, leveraging the grant dollars to prove the things that need to be proven but welcome other states to participate.” “State DMVs are the most trusted repository of identities in the U.S. and the best proofer of the largest number of Americans,” says DiFraia. “They can play a huge role in an online identity assurance and we’re really optimistic that this can lead to some great things for all of us as individuals in the next few years.”

THE PILOT FOCUSES ON STATE TAX REFUND FRAUD, WHERE A CRIMINAL SUBMITS A TAX RETURN IN SOMEONE ELSE’S NAME AND STEALS THE REFUND. THE PROJECT WILL SHOW HOW TO LEVERAGE TRUST IN THE DRIVER LICENSING PROCESS TO CREATE STRONG ELECTRONIC IDS.
The Global Event for Payment/Identification/Mobility
tcommeterre.com
BECOMES
Register now on www.cartes.com
17–19 Nov. 2015
HALLS 3 & 4 Paris Nord Villepinte France
www.cartes.com
PRESERVING PRIVACY IN THE IOT KATHLEEN CARROLL, VICE PRESIDENT CORPORATE AFFAIRS, HID GLOBAL
In today’s inter-connected world, the Internet of Things (IoT) promises new opportunities for consumers and businesses to improve productivity and quality of life. At the same time, the IoT opens the door to new threats to information privacy. Yesterday’s vision for the information superhighway has come true. Unfortunately, that superhighway is creating a number of new IoT-related on-ramps that cybercriminals may be able to use as vectors of attack to commit fraud and identity theft. The IoT enables electronic devices to wirelessly connect and communicate, combining the Internet and the physical world into a complex new matrix of cyber/physical systems. This network of connected physical objects embedded with electronics, software and sensors is making its way into our daily lives – controlling home automation and security systems, connecting our cars, and enhancing and managing municipal services in smart cities. In a world where potentially everything can be connected, the risks multiply exponentially. Privacy protections must be as important as security assurances, and protecting personal information should be one of the most important focus areas in the design, deployment and lifecycle of each and every interconnected device, service, application and system.
THE PRESSURE ON IDENTITY
Today’s biggest privacy threats have generally been associated with personally identifiable information (PII), which is at the heart of identity. Many companies in the security industry today rely on identities as the core of a multi-level security strategy to authenticate and authorize user access to buildings, services and information systems. As the IoT evolves, identity is expanding beyond people and their PII to objects and their authenticity. In addition, sensors in the IoT are often collecting what some consider PII, and that data deserves security and privacy protections as well. Sensors, such as mobile fitness applications and other wearable devices, are collecting data, as are home security and automation systems, smart meters and other devices. The IoT is fueling a growing category of consumer products and services that are collecting information about health metrics, running routes and homeowner habits, which create vulnerabilities not only in cyberspace but in the physical world as well. The IoT’s benefits are substantial, but they come with risks. Energy companies can use smart-meter usage data to recommend energy management applications or alert users to high-energy usage that might signal a pending maintenance issue. Now, imagine that a thief accesses that same data, which could reveal when a homeowner is away. Consider too that financial institutions can engage customers based on consumption, health, travel, leisure activities and other data. But a health insurance provider could use that same data to determine coverage levels.

WHEN IT COMES TO THE IOT, ONE OF THE MOST IMPORTANT PRINCIPLES IS DATA MINIMIZATION, WHICH ENSURES THAT SYSTEMS COLLECT ONLY THE REQUIRED DATA AND DELETE THAT DATA IN A TIMELY MANNER

“PRIVACY BY DESIGN” AND THE IOT
In January 2015, the Federal Trade Commission’s staff report on the IoT recommended a series of concrete steps that businesses could take to enhance and protect consumer privacy and security. According to the report, experts estimate that there will be 25 billion connected devices this year and 50 billion by 2020. The report listed a variety of potential security risks presented by the IoT that could be exploited to harm consumers, a list that included (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. The report noted that privacy risks could flow from the collection of personal information, habits, locations and physical conditions over time. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

THE NEW PRIVACY IMPERATIVE
It is imperative that the industry embrace the FTC’s tenets and a mindset and approach that makes privacy proactive rather than reactive, positioned at the very center of security solutions and business practices. In March 2015, a Consumer Privacy Bill of Rights debuted that included this same “Privacy by Design” concept with its approach to building privacy management and protections directly into the design of a company’s information technology systems, business practices and infrastructure, while also factoring them into each stage of product and service development. It is also important to support the long-standing Fair Information Practice Principles (FIPPs) that include the elements of notice, choice, access, accuracy, data minimization, security and accountability. When it comes to the IoT, one of the most important principles is data minimization, which ensures that systems collect only the required data and delete that data in a timely manner. For instance, when RFID tags are used alongside cameras and other connected devices to monitor and control assets and processes, there is the potential that the data associated with a connected object will be stored and used for a business purpose and profit. This IoT data might include personal information such as an individual’s location, activities, images, or even private transactions and messages. For the most privacy-protective solution, RFID tags should not collect or store PII. In those cases where PII is required, the data should be encrypted and mutual authentication, a secure handshake between the RFID tag and the reader, should be employed.
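One concrete shape for the “secure handshake” mentioned above, added here as an illustration rather than any vendor’s tag protocol: the tag carries only an opaque serial and an already-encrypted record, and reader and tag each prove knowledge of a shared key against a fresh nonce before the record is released. The tag ids, keys and record contents are constructed for the example.

```python
"""Mutual challenge-response between an RFID tag and a reader (added model).
The tag holds no PII in the clear and releases its encrypted record only to a
reader that has authenticated; the reader in turn rejects a tag that cannot
answer its own challenge.  Ids, keys and record bytes are constructed."""
import hashlib
import hmac
import secrets


def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Tag:
    def __init__(self, tag_id, key, sealed_record):
        self.tag_id = tag_id            # opaque serial, not PII
        self._key = key                 # diversified per tag in practice
        self._sealed = sealed_record    # ciphertext; decrypted off-tag
        self._nonce = None
        self.reader_ok = False

    def challenge(self):
        """Step 1: announce the id and a fresh nonce for the reader to answer."""
        self._nonce = secrets.token_bytes(16)
        self.reader_ok = False
        return self.tag_id, self._nonce

    def respond(self, reader_nonce, reader_proof):
        """Step 2: verify the reader, then answer its challenge."""
        expected = _mac(self._key, b"reader", self.tag_id, self._nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None
        self.reader_ok = True
        return _mac(self._key, b"tag", self.tag_id, reader_nonce, self._nonce)

    def read_record(self):
        """Data is released only after the reader has been authenticated."""
        return self._sealed if self.reader_ok else None


class Reader:
    def __init__(self, keys):
        self._keys = keys               # tag_id -> key

    def authenticate(self, tag):
        tag_id, tag_nonce = tag.challenge()
        key = self._keys.get(tag_id)
        if key is None:
            return False
        reader_nonce = secrets.token_bytes(16)
        proof = _mac(key, b"reader", tag_id, tag_nonce, reader_nonce)
        tag_proof = tag.respond(reader_nonce, proof)
        if tag_proof is None:
            return False
        expected = _mac(key, b"tag", tag_id, reader_nonce, tag_nonce)
        return hmac.compare_digest(expected, tag_proof)


def demo():
    key = b"\x11" * 32                                  # constructed shared key
    tag = Tag(b"TAG-0001", key, b"<encrypted record bytes>")
    good = Reader({b"TAG-0001": key})
    rogue = Reader({b"TAG-0001": b"\x22" * 32})         # wrong key
    rogue_ok = rogue.authenticate(tag)
    rogue_read = tag.read_record()
    good_ok = good.authenticate(tag)
    good_read = tag.read_record()
    return rogue_ok, rogue_read, good_ok, good_read
```

Both proofs cover both nonces, so a recorded exchange cannot be replayed, and a reader without the key never gets past the tag’s first check; the record itself stays encrypted on the tag, which is the data-minimization point of the paragraph.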
LEVERAGING TECHNOLOGY AND STANDARDS
According to the FTC’s report, IoT-specific legislation at this stage would be premature. The FTC recognizes the potential for innovation and suggests that self-regulatory programs designed for particular industries can encourage the adoption of privacy- and security-sensitive practices. Connected cars are a great example. The auto industry is working to leverage existing standards such as digital certificates and encryption to ensure there are trusted connections and secure communication both throughout and beyond the in-vehicle network. Beyond encryption and digital certificates, there are technologies with great potential for privacy protection, including biometrics. Biometrics goes beyond what the user has and knows – card or phone and PIN – to characteristics unique to an individual such as fingerprints or iris recognition. Biometrics will become even more important with the increasing reliance on digital versions of our identity for use on ID cards, phones and other mobile devices. Binding digital credentials to the actual person through biometrics reduces the risk of fraud. Additional technological capabilities, such as the ability to distinguish between live and fake fingerprints, further enhance security and privacy.

Federal Trade Commission’s recommendations for companies developing IoT devices:
• Build security into devices at the outset, rather than as an afterthought in the design process (“privacy by design”)
• Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization
• Ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security and reasonable oversight is provided
• When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk
• Consider measures to keep unauthorized users from accessing a consumer’s device, data or personal information stored on the network
• Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

The most effective security strategies are multi-layered and in many cases, multi-factored. With the rapid growth of the IoT, it will be particularly important that the industry makes privacy a central element in system design, development, deployment and management. The requirement will increase in importance as conventional networks increasingly overlap with the IoT, adding applications that present additional opportunities to expose personal information. Security and privacy must have co-equal status for the IoT to thrive and deliver its promised benefits.
TICKETLESS, CASHLESS LOLLA NFC WRISTBANDS REPLACE TICKETS AND CASH AT MEGA MUSIC FEST KELSEY WARD, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Ranked in the top 15 most widely attended music festivals in America, Lollapalooza in Chicago’s Grant Park is no small affair. The annual weekend-long festival attracts more than 160,000 fans and hosts some of the biggest names in music. This year’s headliners included Paul McCartney, Metallica, Sam Smith, and Florence and the Machine to name a few. The event brings in millions of dollars each year for the performing artists, advertisers, and the city of Chicago. Ticket sales kick off the financial spend, but food, drink, clothing and more continue the flow of dollars throughout the weekend. For the past two events, producers of Lollapalooza have partnered with Tx Systems, Festival Control Systems and Advanced Card Systems (ACS) to facilitate spending and enhance the customer experience with near field communication technology. Attendees don NFC wristbands that eliminate the need to carry cash, tickets or payment cards, simplifying purchasing and securing the festival for attendees and vendors alike. In 2014, more than 170,000 attendees registered wristbands across six festivals including Lollapalooza, says Marc Barry, operations and systems analyst at Festival Control Systems. This ranged from a 50% to 90% adoption rate and accounted for roughly one-third of the overall transaction activity at the events. “It was far and away more than what we expected for a first rollout, and it was absolutely a success in our book,” he says. With another year came more success. All festivals that participated in 2014 chose to continue the NFC rollout in 2015. “Events saw a 10% average growth rate year over year,” says Barry. Although the logistics at an event like Lollapalooza are complex, the NFC payment solution is straightforward. After purchasing a ticket to the festival, attendees receive a wristband in the mail. At the event web site, the wristband can be linked to the attendee’s credit or debit card of choice, and a PIN is selected to secure future transactions.
If an individual opts not to link a payment card, the wristband still serves as the event ticket and is required for access to the venue.

Show vendors receive Android tablets equipped with point of sale software and an NFC reader. The ACS ACR122T reader, normally sold in a USB token form factor, is removed from its token casing and embedded within the tablet’s shell for added durability. Tx Systems integrates this hardware, and Festival Control Systems supplies the merchant software to complete the package. “It is easy to buy a reader and plug it into a device, but in demanding environments like a Lollapalooza-style event you
need tight, secure integration,” says Eric Gregg, sales representative at Tx Systems. “Using the ACS reader board rather than an off the shelf desktop reader, we were able to deliver our client a dependable NFC-ready tablet that stood up to the rigors of one of the world’s largest festivals.”

At the festival, attendees can order from any vendor displaying the Lolla Cashless logo: tap the wristband to the tablet, enter the PIN and go.

At events such as Lollapalooza, with tens of thousands of people using the cellular networks to share pictures or to download a hot new track that was just performed, connectivity can be spotty at times. To account for this and ensure festivalgoers can keep using their wristbands while the network is down, the tablets are set up to store transactions locally and process them once connectivity is reestablished, explains Barry. “The tablet stores a token that references a customer profile stored with the credit card processor. As long as the tablet is able to receive incremental updates for registrations that happen during the event, the system is able to work offline,” he adds.

With numerous NFC readers on the market to pick from, Festival Control Systems chose the ACS ACR122T model for its form factor and price. “It enabled easy inclusion within the tablet and communication infrastructure, and the price point made it possible to deploy the system across the festival grounds,” says Barry. “The ACR122T is one of our most versatile and popular readers due to its convenient form factor, size and price point,” says Robert Merkert, president for the Americas at Advanced Card Systems. “Adding NFC capabilities to any mobile tablet, PC, or device via USB has empowered applications from retail payment and loyalty to government ID.”

While Barry says the solution has already proved cost effective at both the per-user and per-transaction levels, ticketless entry and in-venue purchases may be just the beginning.
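The registration and offline-purchase flow described above (wristband linked to a card and PIN on the web site; tablet holds a processor token rather than card data; transactions stored locally and uploaded later) can be modelled as a store-and-forward point of sale. The following is an added illustration written for this article, not Festival Control Systems’ or Tx Systems’ code, and its design choices are assumptions: the tablet keeps a snapshot of registrations (tag ID, processor token, salted PIN hash), verifies the PIN locally so a sale never depends on the network, locks a wristband after repeated wrong PINs, and gives every transaction an ID so a retried upload is not captured twice. The registration data and the processor are constructed in-line so the example runs offline.

```python
"""Store-and-forward model of a tokenized NFC wristband POS (illustrative, not the vendors' code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass


@dataclass
class Registration:
    """What a tablet holds per wristband after a registration update (assumed layout)."""
    token: str        # opaque reference to the customer profile held by the card processor
    pin_salt: bytes   # per-wristband salt; the PIN itself is never stored on the tablet
    pin_hash: bytes
    failed_pins: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted PIN hash so a lost tablet does not leak usable PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def register(wristband_id: str, token: str, pin: str) -> tuple[str, Registration]:
    """Web-site step: bind a wristband tag ID to a processor token and a chosen PIN."""
    salt = os.urandom(16)
    return wristband_id, Registration(token, salt, hash_pin(pin, salt))


class FakeProcessor:
    """Constructed stand-in for the card processor; captures by transaction ID, idempotently."""

    def __init__(self) -> None:
        self.captured: dict[str, dict] = {}

    def capture(self, txn: dict) -> bool:
        if txn["id"] in self.captured:   # a replayed upload must not become a second charge
            return False
        self.captured[txn["id"]] = txn
        return True


class Tablet:
    """Vendor tablet: sells against the local registration snapshot, uploads when online."""
    MAX_PIN_FAILURES = 3

    def __init__(self) -> None:
        self.registrations: dict[str, Registration] = {}
        self.queue: list[dict] = []   # transactions awaiting upload

    def apply_updates(self, updates: list[tuple[str, Registration]]) -> None:
        """Incremental registration updates received while connectivity is available."""
        for wristband_id, reg in updates:
            self.registrations[wristband_id] = reg

    def charge(self, wristband_id: str, pin: str, amount_cents: int) -> dict:
        """Tap + PIN at the vendor. Never touches the network; the sale is queued."""
        reg = self.registrations.get(wristband_id)
        if reg is None:
            return {"ok": False, "reason": "unregistered"}
        if reg.failed_pins >= self.MAX_PIN_FAILURES:
            return {"ok": False, "reason": "locked"}
        if not hmac.compare_digest(hash_pin(pin, reg.pin_salt), reg.pin_hash):
            reg.failed_pins += 1
            return {"ok": False, "reason": "bad_pin"}
        reg.failed_pins = 0
        txn = {"id": str(uuid.uuid4()), "token": reg.token, "amount": amount_cents}
        self.queue.append(txn)          # only the token and amount ever leave the tablet
        return {"ok": True, "txn_id": txn["id"], "pending": len(self.queue)}

    def sync(self, processor: FakeProcessor) -> int:
        """Flush the queue once connectivity returns; returns how many uploads were attempted."""
        sent = 0
        while self.queue:
            processor.capture(self.queue[0])
            self.queue.pop(0)           # drop only after the processor has acknowledged
            sent += 1
        return sent


if __name__ == "__main__":
    tablet, processor = Tablet(), FakeProcessor()
    tablet.apply_updates([register("tag-0001", "tok_abc", "4242")])
    print(tablet.charge("tag-0001", "4242", 1200))   # sale succeeds with no network
    print(tablet.sync(processor), "uploaded;", len(processor.captured), "captured")
```

The points a practitioner would check in a real deployment follow from the model: the tablet holds no card numbers, only a processor token, so a stolen tablet exposes nothing chargeable outside the processor relationship; the PIN is what ties a tap to the account holder, because a tag identifier read by a contactless reader is not a secret; and the upload path must be idempotent, since an outage between capture and acknowledgement will cause the tablet to retry.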
Lollapalooza and other users of the NFC solution may soon benefit from additional functions such as access to VIP areas and services, loyalty applications and tie-ins with social media accounts for easy upload of photos and status updates. Barry suggests that expansion to other events is likely, as the partners have seen significant new interest for the 2016 festival season. When asked if they plan to do anything differently next year at Lollapalooza, Barry is upbeat. “It’s working well enough to keep it just as it is,” he says. For now.