Depending on how the card is used will determine the level of encryption needed. The more critical and sensitive the data are, the more encryption should be added to the smart card, making it harder for anyone to hack into the information the card holds. Adding a biometrics layer to the encryption will bump up the level of protection even further, making it almost impossible for someone else to get access to the card’s data. |
The University of Arizona, like major research universities across the country, found that many of its grants and contracts were tied to higher levels of access security. Access to buildings with old-fashioned keys and locks or cards with magnetic strips swiped into pin pads didn’t provide the amount of security the University was looking for. So the school made the switch to smart cards.
“We use smart cards primarily for access control into high secure areas. Either tap, tap and 4-digit pin, or tap and biometric fingerprint,” says Diane Tatterfield, Assistant Director, CatCard Services at the University of Arizona. “In anticipation of future applications, we have added an area for transit. We prefer read only so that changes can easily be made in a database vice having to re-card 75,000 active cardholders should a new application be implemented.”
The University of Arizona is just one of a growing number of organizations and institutions moving to smart card use. ABI Research, which recently released the study Government and Healthcare Citizen ID Cards, estimates that 1.5 billion smart cards or credentials will be issued through 2014.
Smart cards, ABI Research says, have become essential tools for organizations to combat fraud and to create a better sense of security. The cards cover a wide range of uses – they can open doors; they can carry financial data; they can provide access into secure areas.
The way we think about smart cards and their role in security was driven with the events of September 11, 2001, Martin Janiak, president of Veridt, explains. He points to the moment he believes smart cards really took off as a risk management tool – when the nation’s ports began requiring transportation workers to have smart cards that needed background checks. Having the smart cards showed truckers and others who worked in transport had gone through a vetting process and could have direct access to ports. Government entities began to incorporate smart card use, and over time the mandate for higher security has moved into the private sector.
Technology in smart cards has advanced considerably over the years, adding biometrics as an additional security level to help prevent fraud. Janiak says another level of security can be added with digital certificates. According to Janiak, today’s smart cards can be linked directly to an individual via biometrics, while the certificate verifies the card’s validity, making sure it hasn’t been revoked or compromised.
Smart cards help prevent fraud and reduce risk because they create a layered security environment. For example, a card is linked to an individual so that person can go through the front gate of a building. But once that card is read by the reader, it determines first if the individual is allowed access and then where else in the facility the individual will have access to. A card equipped with biometrics can ensure that this person truly is permitted access to restricted areas. Bottom line, with a layered approach, says Janiak, security management can invoke higher levels of clearance with relative ease and confidence that people entering certain areas are allowed to be there.
Biometrics provide important protection if the smart card is lost or stolen, since the biometric data stored can only belong to one person. But biometrics is not going to be the security solution for everyone, says Tatterfield.
“Being a research facility, we found that some people’s fingerprints are hard to read, or can’t be enrolled, because they deal with chemicals and their fingerprints are worn off,” she says. “In that case, readers have to be swapped out with pin pads.”
For as secure as the smart cards are, Tatterfield does have some concerns about using them on her campus. “As we saw with MiFare, it was hacked but in a controlled environment,” she says. (MiFare is the trademark of a series of chips used in contactless smart cards.) “With ‘compartments’ now going to ‘data streams,’ I feel more secure with the advanced cards; however, we constantly have to stay ahead of the bad guys.” Tatterfield adds that another concern for smart card use is the size of the University of Arizona. “With an institution of this size, sometimes it is very challenging to develop a migration path to the next level of security without having to re-card a mass amount of people. If you have the project management skill set, along with the subject matter experts, usually a good plan can be put in place providing the industry supports migration research and development.”
Smart cards, ABI Research says, have become essential tools for organizations to combat fraud and to create a better sense of security. The cards cover a wide range of uses – they can open doors; they can carry financial data; they can provide access into secure areas. |
How to incorporate smart card security into an organization really depends on its overall security plan. Once a company understands the ground rules require for security operations, then it can move into deciding how to best incorporate a smart card into the business. Are the risks of unauthorized access high or low? If it is high, is turning to biometrics the best way to control who has access to an area? Does the company want to be able to verify that the person with access is who he says he is? Security risks are best mitigated if there is a solid security policy and plan in place before instituting new technology, according to Janiak.
Organizations also want to consider what kind of applications the smart cards are being used for and what information is being protected, explains Jennifer Toscano, marketing manager with Ingersoll Rand. Depending on how the card is used will determine the level of encryption needed. The more critical and sensitive the data are, the more encryption should be added to the smart card, making it harder for anyone to hack into the information the card holds. Adding a biometrics layer to the encryption will bump up the level of protection even further, Toscano adds, making it almost impossible for someone else to get access to the card’s data.
However, Shane Cunningham, marketing communications manager with Digital Identification Solutions, warns that when buying into smart card technology, it should be the newer technologies on the market, rather than older technologies, especially those like the earlier versions of Mifare, that has been hacked. The latest technologies, Cunningham points out, have better encryption.
While the point of using smart cards is to reduce security risks, smart cards come with their own inherent risks that need to be taken into consideration. One of the biggest smart card risks is loss or theft, says Andrew Peterson, senior manager with Kanematsu. Cards will have different levels of security. Take a college student ID, for example. Many students use their cards as a credit or debit card, and the only verification of its use is a signature, which may or may not be checked. On the other hand, a card with a biometric layer of security would require the user to provide, say, a fingerprint before access is permitted.
However, one of the fundamental features to the smart card system is each card holder is added to a database, with information to uniquely identify that individual. Within the database, the administrator can set permission levels. If the card is lost or stolen, and reported, the card number can be flagged. If it isn’t reported, access can be revoked because the person is using it to enter into an unauthorized area or tries to enter the building in the morning when the card only allows access in late afternoon and evening hours, for example.
Because buying smart cards can be a drain on the budget, some companies try to cut down on expenses by recycling or reissue old cards. This cuts down on the overall effectiveness of the card. What often happens, Cunningham explains, is an adhesive skin is attached to the card, and to the skin, personalization such as hologram lamination or UV printing is added. The problem is, the skin can be easily removed and replaced while the data on the card stays the same, meaning it would be simple for someone with a lower security access to co-op another person’s higher security card.
Even though smart cards have been around for years, the advances in technology have helped make the cards an easy and convenient fraud and risk management solution.