Regarding ID Spring 2006


Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Authentication • Banks begin two-factor move • Securing Internet transactions • ‘REAL ID’ faces real challenges • Identity: physical security’s new frontier • Biometric border IDs • E-Passport trials underway





Contents

OPINION | The Age of Authentication
AUTHENTICATION | Two-factor authentication hits the banking scene
BORDER CONTROL | New biometric ID to provide a PASS for citizens traveling between the U.S., Canada, and Mexico
PASSPORTS | E-Passports are coming, but a standard for applications management is needed
MULTOS | Smart card operating system gets new owners and new mission
FFIEC | Banks compare cost, quality, and strength of multi-factor authentication schemes
DRIVER LICENSES | REAL ID Act faces real challenges
TECHNOLOGY | Understanding DPA attacks and the countermeasures available to protect smart cards
COMPANY | ActivCard® becomes ActivIdentity™
SECURITY | Two groups set goals for more secure Internet transactions
EMV | Two-factor benefits from EMV infrastructure
BENEFITS | Texas goes live with a smart card-based benefits card
LEGISLATION | Fans and foes of California RFID bill still seek compromise
TRANSIT | Houston transit hires ACS as its contactless ticketing vendor
BIOMETRICS | Blood vessels in human hand and contactless card combine to create secure biometric IDs
TRANSIT | New chip may slash contactless transit ticket prices
PASSPORT | E-Passport trial underway at San Francisco airport
PAYMENTS | Proximity payment defines the future of mobile commerce
HONORS | SESAMES awards showcased “Best of” global identity
EMV | Watch out ... EMV is coming in contactless too
CAMPUS | QI readers bring USA Today newspapers to card carrying students on 70 campuses
CAMPUS | Texas campus capitalizes on the flexibility of One Card system
BANKING | On-campus bank branches from the bank’s perspective
ISSUANCE | Diverging card printer market benefits entry-level and high-end buyers
INPUT | Campus cards: Not just ID cards anymore
STRATEGY | Guiding your transaction system with strategic planning
SECURITY | Identity and convergence define a new world of physical security
GEN 2 | RFID’s new Gen 2 communicates better, reads quicker
TAGGING | Boeing takes RFID to 100-degrees below zero
INNOVATION | RFID-equipped wristbands improve prison safety
IN THE FIELD | RFID and handhelds increase amusement ride safety
CONVERGENCE | Secure ID in concert with RFID ...combining technologies to revolutionize transport


Perspective

Entering the ‘age of authentication’
In this new era, only the secure will survive

Chris Corum
Executive Editor, AVISIAN Publications

PUBLISHER: Jeff Staples, jeff@AVISIAN.com
EXECUTIVE EDITOR: Chris Corum, chris@AVISIAN.com
CONTRIBUTING EDITORS: Kristen Fossgreen, Dee Ann Kuhn, Erik Peterson, Sara Pralle, Bret Tobey, Marisa Torrieri, John Wehr, Andy Williams, David Wyld
ART DIRECTOR: Mike Houghton

It is the new ‘gift with purchase,’ the Gen-2010 loyalty point, the next wave frequent flyer mile ... I am talking about transaction security and I believe that savvy consumers are ready to recognize the value of added protection.

We are entering the Age of Authentication. It is a point on the curve when a massive shift is required in the way people interact with technology.

Despite what fear mongers would have you believe, our rapidly advancing technology is not the problem. Vast open networks and instant access to data are a great thing. We have simply progressed – in a very natural manner – beyond infancy (or along that adoption curve), such that safeguards should be expected.

Nearly every advancing system progresses along a similar pattern. The move from inception through adoption encounters a need for safeguards ... an Age of Authentication.

• Currency is the safeguard that enabled primitive barter systems to progress to modern economies.
• Licensing is the safeguard that enabled healers to become doctors and countless other practices to become professions.
• Intellectual property protections are the safeguards that enabled modern economies to grow while ensuring the future of the entrepreneurial / creative spirit.

In the same way, authentication is the safeguard that will enable open networks to progress from communication channels to sustainable transaction infrastructures.

So why do I feel that consumers are ready to recognize the value of added security à la authentication? Because the threat has been driven home by governments and media, priming the audience for the message.

Mandates requiring secure authentication have come and will continue at a more rapid pace in the near future. But while these mandates may help expedite in certain cases, the real driver is that unseen curve ... the market forces that are aligning to make security a must-have accessory.

I don’t think I will be in the minority much longer when I say, “keep your toaster, your greenstamps, and your bonus points ... and give me my ‘OTP’” (or other strong authentication for my transactions).

Best,
Chris Corum
Executive Editor, AVISIAN Publishing
chris@avisian.com

ADVERTISING SALES: Jeff Staples, jeff@AVISIAN.com

SUBSCRIPTIONS: Regarding ID is free to qualified professionals in the U.S. For those who do not qualify for a free subscription, or those living outside the U.S., the annual rate is US$45. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE: Regarding ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Jeff Staples, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2005 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com with the message subject line “Editorial Advisory Board Submission.”



Publisher’s note

Jeff Staples
Publisher, AVISIAN Publications

The ID technology market has grown by far more than its technical capabilities in the last year. This hasn’t always been the case. In the past, important country-specific rollouts provided a glimpse of the possibilities, but large-scale cross-border deployments of advanced identification products were often slow to materialize.

Ten years ago one could address the broad market as the “smart card” market, and take various avenues while predicting its expansion. Today that prediction would entail many stand-alone technologies – contactless, biometrics, dual-interface ICs, etc. – and the mash-ups that are materializing and expected by the issuers. Further, standards organizations and large issuers (think ICAO and the U.S.-related FIPS201) are adding fuel to the fire, resulting in a long-awaited boost across the board.

Likewise, our electronic and print publications have grown dramatically over the last 4 years. We now serve more than 27,000 online subscribers, over 10,000 subscribers to this magazine, and both groups are expanding rapidly. Our website traffic also continues its meteoric rise; last month we welcomed more than 260,000 visitors to our online publication sites!

Our messaging options have grown as well. Our online publications offer the most cost-effective placement options anywhere, and now the available options include our new Marketplace and Ads by AVISIAN text ads. We are also announcing our enhanced vendor profile placements this month. This greater variety means our advertisers have a number of options at their disposal, starting at just $200 per month. To learn more please visit http://www.avisian.com/advertise.

Regarding ID magazine offers a great complement to our online placements, and with sponsorship in this quarterly publication often costing half of the placement costs in comparable publications, we continue to provide an incredible value.

If you have a product or service that you believe deserves the best messaging mix available, we look forward to serving you.

Best regards,
Jeff Staples
Publisher, AVISIAN Publishing
jeff@avisian.com
http://www.avisian.com/advertise
703-437-4588 office
703-728-2186 mobile
703-832-8448 fax




SecureIDNews

Two-factor authentication hits the banking scene

FFIEC guidelines force financial houses to shape up with ‘challenge questions,’ token-based schemes and other means of outsmarting fraudsters

Marisa Torrieri
Contributing Editor, AVISIAN Publications

Bank of America’s answer to the new federal guidelines isn’t a biometrics apparatus that detects a legit banker’s paw print or a hardware token that generates passwords on the fly. For now, it’s much simpler.

The Charlotte, N.C., national bank chain just started rolling out SiteKey, its free, new online security technology intended to better protect its 13.2 million online banking customers. The risk-based authentication software works behind the scenes, passing information back and forth between the user and bank. When logging on, customers select an image, write a brief phrase and select three challenge questions. When the customer signs in to online banking, they view their image and phrase before entering their password -- confirming that they are at the real Bank of America site. If a customer uses a computer the bank doesn’t associate with them, SiteKey will issue a challenge question to confirm that it is the appropriate customer.

“We see this as [part of] an ongoing process,” says Betty Reiss, a spokeswoman for Bank of America’s online activities, adding that the upgrades will protect online bankers from phishing and other fraudulent activities.

The decision to install SiteKey to increase online security is based on months of market research involving focus groups, Reiss says. BOA’s potential customers favored the idea of a challenge question because of its convenience over other two-factor authentication methods. Additionally, the bank’s corporate headquarters favored the method because it was less costly to implement than other methods.
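The sign-in sequence described above, modelled as an added example (it is not Bank of America's or any vendor's code): the site displays the enrolled image and phrase before a password is accepted, and an unrecognized computer must first answer one of the three enrolled challenge questions. The class and method names, the device identifier used to recognize a computer, and the sample customer are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so passwords and answers are not stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class RiskBasedLogin:
    """Illustrative model of the flow in the article; all names are hypothetical."""

    def __init__(self):
        self._users = {}     # username -> enrolled record
        self._sessions = {}  # session id -> {"user", "device", "state", ...}

    def enroll(self, username, password, image, phrase, challenges, device_id):
        """Customer picks an image, a phrase and three challenge questions."""
        if len(challenges) != 3:
            raise ValueError("exactly three challenge questions are enrolled")
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "password": _digest(password, salt),
            "image": image,
            "phrase": phrase,
            "answers": {q: _digest(a.strip().lower(), salt)
                        for q, a in challenges.items()},
            "devices": {device_id},  # computer used at enrollment is recognized
        }

    def _site_key(self, sid):
        session = self._sessions[sid]
        user = self._users[session["user"]]
        session["state"] = "site_key_shown"
        return {"session": sid, "step": "site_key",
                "image": user["image"], "phrase": user["phrase"]}

    def begin(self, username, device_id):
        """Step 1: username only. No password is requested yet."""
        user = self._users.get(username)
        if user is None:
            return {"step": "denied"}
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": username, "device": device_id,
                               "state": "new"}
        if device_id in user["devices"]:
            return self._site_key(sid)
        # Unrecognized computer: ask one enrolled question before the
        # image and phrase are revealed.
        question = secrets.choice(sorted(user["answers"]))
        self._sessions[sid].update(state="challenged", question=question)
        return {"session": sid, "step": "challenge", "question": question}

    def answer_challenge(self, sid, answer, remember_device=False):
        """Step 1b: only reached from an unrecognized computer."""
        session = self._sessions.get(sid)
        if session is None or session["state"] != "challenged":
            return {"step": "denied"}
        user = self._users[session["user"]]
        given = _digest(answer.strip().lower(), user["salt"])
        if not hmac.compare_digest(given, user["answers"][session["question"]]):
            del self._sessions[sid]  # one attempt per session
            return {"step": "denied"}
        if remember_device:
            user["devices"].add(session["device"])
        return self._site_key(sid)

    def submit_password(self, sid, password):
        """Step 2: accepted only after the image and phrase were displayed."""
        session = self._sessions.pop(sid, None)
        if session is None or session["state"] != "site_key_shown":
            return False
        user = self._users[session["user"]]
        return hmac.compare_digest(_digest(password, user["salt"]),
                                   user["password"])


def demo():
    """Constructed sample customer; returns the outcome of three sign-ins."""
    bank = RiskBasedLogin()
    answers = {"First pet?": "Rex", "Birth city?": "Tampa", "First car?": "Civic"}
    bank.enroll("jdoe", "correct horse", "red-kite.png", "blue skies ahead",
                answers, device_id="home-pc")
    known = bank.begin("jdoe", "home-pc")          # recognized computer
    ok_known = bank.submit_password(known["session"], "correct horse")
    new = bank.begin("jdoe", "library-pc")         # unrecognized computer
    skipped = bank.submit_password(new["session"], "correct horse")
    new = bank.begin("jdoe", "library-pc")
    shown = bank.answer_challenge(new["session"], answers[new["question"]])
    ok_new = bank.submit_password(shown["session"], "correct horse")
    return known["step"], ok_known, new["step"], skipped, shown["step"], ok_new
```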




Like Bank of America, many banks and credit unions serving regular Jane Does (the “horizontal markets” composed of consumers) are charging full speed ahead to improve the security of online banking. The recent guidelines put out by the Federal Financial Institutions Examination Council (FFIEC) sped up that process.

In the recent guidelines, “Authentication in an Internet Banking Environment,” financial institutions are instructed to analyze risks of fraud attacks and enhance systems with some form of two-factor authentication. The good news for the companies that make two-factor authentication products is that banks must do something to show they are evaluating risks of customers’ data being exposed to the wrong parties via their existing information technology in place.

“The FFIEC guidance has had a huge impact of making people move,” says Stu Vaeth, chief security officer at Diversinet, a company that develops soft tokens and provisioning for two-factor authentication. “It’s putting a lot of the banks over the edge, saying, ‘let’s do something now.’”

Banks also want to do something because of the growing media attention to phishing, identity theft, and the risks related to online banking. The more their consumers read about online attacks, the more fear they have to do their banking outside of a branch setting, Vaeth says. Since online banking costs a bank far less than branch-based activities, it’s easy to see why financial institutions are weighing their options, wallets in hand.

“It adds an added layer of authentication but doesn’t require an additional purchase in software,” Reiss says.

Great security versus keeping customers happy: How banks are handling the FFIEC guidelines for two-factor authentication

For the producers of two-factor authentication products, courting a U.S.-based bank is far easier today than in the past ... though still not a slam dunk. They must show that their software or other “solution” provides a high level of security, is cheap to install, and won’t inconvenience customers.

Cost and convenience are the biggest factors influencing banks’ investments, according to bank analysts and IT staff.

“The consumer I think is to blame in a lot of cases,” says Doug Graham, a security consultant for BusinessEdge Solutions, Inc. “They want their cake, and they want to eat it as well.”

The biggest challenge is making online banking more secure while inconveniencing consumers as little as possible. This challenge may explain the hesitancy for banks to start issuing hard tokens, or one-time passwords (OTP), says Vaeth, as they lack universal authentication. Because of the lack of a single authentication standard for all online transactions, you have to use multiple hard tokens for different transactions – you can’t use the same password to transfer money that you use to order goods from Amazon.com, for example. This is perhaps one of the biggest reasons why the sale of OTP devices hasn’t exploded in America, says Vaeth.

“Hard tokens are less desirable for those who don’t want to carry around a necklace of tokens,” says Diversinet’s Vaeth, who doubles as a co-chair for the Initiative for Open Authentication’s (OATH) technical group. The organization, formed in February 2004, is one of a growing number of consortiums meeting to address the “necklace” problem by developing an open standard for strong authentication for any online application.

Although the larger 180 or so national institutions like Bank of America have been aware of the need to build stronger online security systems to deter fraud, smaller institutions with $5 billion or less in assets are still trying to figure out the best solution, says George Tubin, a security analyst with TowerGroup, who just authored a new report that interprets the FFIEC regulations (Tubin’s report endorses the risk-based authentication technologies such as that used by Bank of America, over hard tokens).

Not turning off customers was International Bank of Miami’s primary consideration when it decided to overhaul its infrastructure and use a voice-based biometric authentication system for high-end customers doing wire transfers or making account changes. After upgrading desktop computers and back end systems, the company contracted with Diaphonics to install the voice authentication system, says Ray Guzman, the bank’s vice president of IT. Such a system enhances security for such customers.

Now that the FFIEC made it clear that the bank needs to do more to amplify its security for the rest of its “few thousand” customers, Guzman is comparison shopping different soft token-based “solutions.”

“The biggest concern is customers,” Guzman says. “Will they accept the technology?”

What’s next for two-factor authentication, 2006 and beyond

Methods in place such as SiteKey are good deterrents for fraudsters today. But just as security for protecting customer information improves, so do the methods for circumventing a bank’s firewalls. And so, whatever banks are doing today may need an upgrade in the not-too-distant future.

In his report, the TowerGroup’s Tubin addresses a series of cyber threats that continue to emerge, including Trojan horses, drive-by downloads and DNS cache poisoning. Because of the growing level of sophistication, the TowerGroup recommends that institutions look beyond the FFIEC’s minimum requirements and implement comprehensive authentication solutions to protect against the potential for enterprise-wide fraud within an institution.

One way of doing this is by offering multiple solutions to different customers, says Graham. For example, a bank using one vendor’s risk-based authentication technologies may find itself interested in another provider’s hard tokens for corporate-level bankers who conduct online transactions at multiple locations.

What is likely to happen is a growing number of banks offering a range of products for different customers – high-end users, corporate bankers and low-risk users. For example, a bank might offer an internal, behind-the-scenes risk management system for one customer, but give another customer an OTP to do mobile transactions from afar.

Products that allow cross authentication – letting customers use a single solution to interact with multiple financial entities they have relationships with – will become more important in the future, says Graham.

Instead of multiple security devices, “the industry needs to come up with a solid solution where one single authenticator can be used to validate identity to multiple entities, or where trust relationships can be leveraged from one institution to another through the use of identity federation,” Graham says. “Simply put, we need to give the consumers one method of validating their identity, or authenticating to multiple sources.”




New biometric ID to provide a PASS for citizens traveling between the U.S., Canada, and Mexico

Andy Williams
Contributing Editor, AVISIAN Publications

With the land border crossing deadline rapidly approaching, there is still no clear consensus on what identity documents will be acceptable for those frequent travelers between Canada, Mexico and the U.S. Now, added to the mix is the recently announced PASS card that is already under fire.

Until recently, it appeared that it would take a passport to get into the U.S. – even for citizens of Canada and Mexico ... and even for returning U.S. citizens. While this may not seem like a major issue to some, consider this: residents in border towns in New York, Michigan, Washington, Texas, etc. frequently cross international borders to shop and socialize and less than a quarter of the U.S. population currently has a passport.

Left unsaid, because no one wants to be quoted as saying it, is that the U.S. considers Canada’s security porous. For terrorists seeking entry to the U.S., an easier point of entry may be through Canada, the suggestion goes. True or not, it’s creating massive headaches for tourism and commerce officials on both sides of the border.

The proposed PASS card is intended to alleviate some of that pain for U.S., Canadian, and Mexican citizens. It will be cheaper -- though the estimated $50 price tag for a PASS card (about half the cost of a passport) could be pricey for many -- and likely easier to obtain. But it hasn’t assuaged the objections of a group of New York and Canadian officials.

DHS promotes its new PASS card

PASS stands for People Access Security Service and is a proposed card designed to meet the Western Hemisphere Travel Initiative (WHTI) requirements, which mandate that by Jan. 1, 2008, anyone entering the United States, including U.S. citizens, have travel documents that prove their identity and citizenship.

The PASS card is part of a three-part program unveiled in mid-January by Secretary of State Condoleezza Rice and Department of Homeland Security Secretary Michael Chertoff. This “vision” includes improved technology, new travel documents, and improved – what the DHS calls “smarter” – screening methods.

Secretary Chertoff said the PASS card “will be particularly useful for those citizens in border communities who regularly cross northern and southern borders every day as an integral part of their daily lives. We’re talking about essentially the kind of drivers license or other simple card identification that almost all of us carry in our wallets day in and day out.”

It was the driver license, in fact, that many – including tourist agencies in Canada and New York -- wanted to see used instead of the passport.

Secretary Chertoff confirmed that the new PASS card would meet WHTI’s travel requirements. He called the new card an “inexpensive secure travel card for land border crossings...” and said that people would “not necessarily...(have to) have passports of the traditional kind.”

“We want to ensure that everyone who would like this card will be able to get it,” said DHS spokesperson Kimberly Weissman. She said DHS is “working closely with State to collaborate on outreach efforts so people can know where they can get this card.” Passport offices are the logical first choice but there would have to be other locations as well, she implied.

And while DHS/State hope to have the PASS card available by the end of this year, the actual deadline isn’t until Jan. 1, 2008, she added. “What we’re trying to do is phase it in.”

DHS has not yet determined what type of biometric would be included. But it’s likely there would be a photo on the card as well as a digital finger scan, said Ms. Weissman.

Even the card’s cost isn’t settled. “The passport is currently $97 with new biometrics and what we said publicly is that the card will be at least half that cost. The cost of this card can’t be so high that it’s untenable,” she added.

The card will also just be good at land borders. “If you intend to fly, you will still need a passport,” she said.

Existing travel cards may also be accepted

She said DHS and State are also looking “at the viability” of being able to use other border crossing-type cards currently in existence. “We’re looking at what’s out there and if they can be used to meet the 2008 deadline.” These include the BCC (border crossing card or laser visa currently in use on the Mexican border); FAST (Free and Secure Trade); NEXUS (a joint customs and immigration program between Canada and the U.S. for pre-approved low-risk travelers); and SENTRI (Customs and Border Protection Secure Electronic Network for Travelers Rapid Inspection).

But whether these options will meet the security requirements of WHTI is questionable.


Opponents speak out from both sides of the border

SecureIDNews

Opposition is continuing from the border states (primarily in the north) and Canada. Last fall, New York State and Ontario legislators from the bi-national Niagara Region urged the U.S. government to find an alternative to a proposal that they then envisioned would require Canadians visiting the U.S. and Americans returning home from a visit to Canada to have a valid passport when crossing the border. Such mandates will severely impact commerce and tourism between the two countries, not to mention border crossing delays, they said. The group has reeled off a series of stats that seem to support this claim: • Canadians visited New York State almost 2.3 million times and spent $487 million on trips there in 2004, while New Yorkers made more than 1.9 million trips to Canada. • New York and Canada boast the largest bilateral tourism industry in the U.S., with residents from both places crossing the border an average of 11,343 times per day. • In 2004, 16.5 million passenger vehicles crossed the border at just seven of the 17 land ports of entry between Canada and New York, and 89,000 buses crossed at just four of those ports. • Canada is New York State’s primary export market, with $30.2 billion worth of merchandise and goods exchanged during 2004. Even before the PASS announcement, the group said the suggested alternative of a “secure border-crossing document” that people would have to apply and pay for “would be no less a barrier than a passport. Both approaches would discourage large numbers of Canadians and Americans from crossing the border...” They also suggested that increasing the security of a driver license, that citizens of both countries have, would be a better alternative. The recently passed Real ID Act mandates standardized driver licenses from state to state, but a time-line for implementation hasn’t even be set. So it’s unclear what will be required under the rules. 
The PASS card “is an improvement over the passport but it’s not where we want to be,” said Ken Berlinski in New York Assemblyman Robin Schimminger’s office. “What are we talking about in price? I’ve heard $50. That’s still too expensive.” Mr. Schimminger, who represents the Niagara area, was joined by representatives from a bi-national delegation from the Council of State Governments’ Eastern Regional Conference when they met with key congressional and administration officials in Washington following the PASS announcement. One of the meetings was with U.S. Sen. Susan Collins from Maine.“I suggested she pose to Mr. Chertoff the following question,” said Mr. Schimminger.“It’s all well and good that law-abiding citizens pay good money and get a PASS card, but how does that stop someone who doesn’t get Spring 2006


a PASS card from simply walking across the more than 600 miles of potato fields and forests of Maine?” In a meeting with Sen. Patrick Leahy (U.S. senator from New York), the senator suggested that “the solution to this problem really must involve the new (Canadian) Prime Minister (Stephen) Harper at his first meeting with President Bush ... the top issue being this impending PASS plan,” related Assemblyman Schimminger. That could, perhaps, lead to a postponement of WHTI mandates, he added.

The assemblyman said he also was uncertain just how much communication was going on between the U.S. and Canada. “We were a little bemused because we were told that they (DHS/State) were working closely with the Canadian government, which was news to them ... (according to) my partners in our visit.” He added: “Having been immersed in this for two days, I came away with a pretty clear opinion that this PASS card would be highly burdensome and marginally effective. It, in fact, would be costly and lead to long lines and widespread confusion.”

Another issue is children: would they be required to have a PASS card? Mr. Schimminger said that in his meeting with DHS officials they “kind of begged off on that question.” The assemblyman is also wary of the time constraints. “The reality of it is they are working on a very short time frame – January 1, 2007 for air and water and January 1, 2008 for border crossings. They have to have readers at all these locations, they have to educate the public and get the card in the public’s hands and maybe create additional lines at land crossings for people to pull into to show their card. It’s a nightmare.”


E-Passports are coming, but a standard for applications management is needed
Gil Bernabeu Technical Director, Global Platform

In 2006, we will see the first deployment and pilots of e-passport schemes based upon the International Civil Aviation Authorities (ICAO) specifications. Designed to enhance both global border control and homeland security, the new standards will tighten border security, reduce card counterfeiting and provide officials with detailed information on a rapidly changing and migrating population. As the industry has now formally adopted ICAO specifications as the standard for the integration of contactless smart card chips and biometric information into passports, efforts have focused on creating a standardized infrastructure to support worldwide access across borders. Governments globally agree on a solution based on the ICAO data definition that facilitates access to information when appropriate, in a consistent language.

But the aim of creating an environment in which a citizen can submit a visa application, and receive it via a chip in his or her passport, will only be realized when every country agrees to a standard for applications management (loading and deleting an application on a smart card). And governments are eager to secure a unified infrastructure for an interoperable ID program, as this will also assist them in encouraging public acceptance and usage of e-ID programs. By offering additional services outside the conventional ID application, governments intend to demonstrate the advantages a smart card program can afford. First, e-government applications can provide easier access to government services online, reduce the number of forms through use of a smart card, and make official transactions (paying fees, obtaining permits) easier. But non-government applications, such as transit cards and ATM cash withdrawals, will promote the daily usage of such cards.
In order to leverage investment in these projects, multi-application programs require a platform that is flexible and offers post-issuance capabilities. The next few years will see a surge in the number of new interfaces and protocols. While contactless is becoming the de facto standard for e-passports, the e-ID market looks likely to roll out ‘dual way’ smart cards. These cards have chips that communicate through the conventional contact interface (for example, with a computer at home to access online services) while also accommodating a contactless interface, which allows the card to communicate via radio signals with a reader in close proximity. The contactless interface multiplies the smart card’s capacity to interact with numerous acceptance devices, leading to new services.


Holding company, StepNexus, readies the smart card OS for broader application
Erik Peterson Contributing Editor, AVISIAN Publications

At the close of 2005, Keycorp Ltd. united with Hitachi Ltd., MasterCard International and Oak Hill Venture Partners in a joint venture to develop the MULTOS smart card operating system (OS). Keycorp’s 18 percent stake in the new company amounts to $2.41 million. Hitachi will also take an 18 percent stake, MasterCard is set for 20 percent and Oak Hill will provide the remaining 44 percent. The focus of the new company is the continued development of MULTOS (www.multos.com), a multi-application, open source and high security OS for smart cards.

MULTOS was initially conceived for Mondex International’s electronic purse technology. MasterCard acquired Mondex and the MULTOS OS in 1996 but handed over the responsibility for MULTOS development to the MAOSCO consortium, a group of smart card and chip companies developing MULTOS compliant products. MasterCard, however, maintained ownership of the original MULTOS intellectual property.

From its inception, MULTOS was designed for use with financial cards. Over the years, however, its use in non-financial applications grew. A November 30 press release suggested that expansion into these other markets could be expedited through the new ownership. It is likely to result in increased financing for development – obviously because of the venture investment but also because two of the partners (Hitachi and Keycorp) have extensive product portfolios that rely on OS. Any company would be more willing to fund a technology in which it has ownership than one with IP owned by another.

StepNexus is born

The new holding company will be called StepNexus (www.stepnexus.com).
“STEP” is an acronym for Secure Trusted Environment Provisioning and “‘Nexus’ refers to the Trust Centre that provides the key management for Secure Trusted Environment Platforms such as MULTOS smart cards and other new environments that will be announced in the near future,” according to Tim France-Massey, MULTOS’ VP Smart Card Marketing & Business Development. Although the holding company’s four partners own the intellectual property rights to MULTOS, Mr. France-Massey says “changes to the MULTOS OS specification continue to be managed as an open standard by the 15 members of the MAOSCO consortium as it was before.” The new company, with offices in San Francisco, Washington D.C. and Asia, will assume management of the MAOSCO consortium and will explore new markets for MULTOS such as transit systems, identification cards and electronic passports.

“Right now the biggest growth areas are in finance with our new ‘MULTOS step/one’ product for EMV migration and in the identity space for national ID cards and passports,” says Mr. France-Massey. “MULTOS is being used for identity documents by a number of governments,” he adds, “including the Hong Kong Government who is implementing MULTOS for its national ID card project (and) also for its ePassport project.”

What’s in the cards for MULTOS and StepNexus? It seems that in addition to a life beyond financial cards, MULTOS may have a new life beyond smart cards. “The intellectual property of MULTOS defines not just an OS, but also a trusted mechanism for the secure installation of new application content to secure devices using asymmetric cryptography,” says Mr. France-Massey. “This ‘StepNexus™’ mechanism can be applied to any trusted environment, whether it be a MULTOS smart card, new trusted smart card run time environments, or completely new secure execution environments such as trusted computing platforms in PCs or PDAs.”

MULTOS ... A look back

More than 40 million MULTOS cards have been issued by more than 80 organizations around the globe. MULTOS users range from MasterCard customers to government entities. Prior to technologies such as MULTOS and its rival JAVACard OS, card software was written for a single operating system (OS). Each OS worked with a specific card technology or the products of a single vendor. This situation severely limited the options available for card issuers, and new software updates and hardware implementations were costly to the issuer. Consumers needed multiple cards to engage different functions and services. As products and services were updated or altered, consumers had to procure new cards to use them. MULTOS addressed these problems on the issuer and consumer ends by providing an OS that is flexible and secure and that, in turn, lowered the overall cost of implementation.


MULTOS gets new owners and new mission



Banks compare cost, quality, and strength of multi-factor authentication schemes
From simple to complex, financial institutions have a bounty of choices
Marisa Torrieri Contributing Editor, AVISIAN Publications

What kind of value will a financial institution get for its investment in strong authentication? For FIs, it’s become a burning question, thanks to federal guidance that recommends they boost the strength and security of their online banking systems by the end of 2006. In response, a growing number of tech vendors are rolling out highly sophisticated products.

FIs that seek to increase online banking security or widen their existing range of digital security products are nearly overwhelmed with choices. Recent guidelines by the Federal Financial Institutions Examination Council (FFIEC) suggest a range of options. In the FFIEC report, “Authentication in an Internet Banking Environment,” FIs are urged not only to assess their risks of fraud, but to consider strong-authentication methods such as one-time password generators, PKI-based systems, and smart cards. Each suggested method comes with advantages and disadvantages, convenience and cost considerations, says Doug Graham, a banking security consultant for BusinessEdge Solutions, Inc. Some strong authentication offerings aren’t quite as strong as others, he warns. How well a bank prevents fraudulent activity with its authentication system depends on the success of three factors commonly used to authenticate:

• the knowledge factor (something you know, like a password)
• the possession factor (something you have - such as a token)
• the self factor (something you are - such as a fingerprint).

Strong authentication generally combines factors together (e.g. a possession factor plus a knowledge factor) and thus can be considered multi-factor authentication. “Generally speaking the more factors involved, the stronger the security,” Mr. Graham says.

Here are some of the most feasible ways and methods of strong authentication, which analysts suggest banks consider adopting:

Hard token authentication

This method of strong authentication is based on the use of palm-sized devices known as One-Time-Password generators. Some are time-synchronized, spitting out a new password every 30 to 60 seconds. Others are event-based, and spit out a “tokencode” when the user presses a button or enters a PIN number. The actual hardware device is small enough to carry on a keychain (some are credit-card sized, notes Mr. Graham), but for a number of reasons, they haven’t caught on in the United States. One problem: the lack of a single open standard creates a problem for users with multiple accounts. They don’t want to carry around a bunch of tokens, says Mr. Graham. Additionally, they are still a bit cost-prohibitive ($5-$10 per device), says George Tubin, senior analyst for the Needham, Mass.-based TowerGroup. Some companies are using a pricing model, which lowers the cost to the $2-per-user ballpark, with an additional, ongoing per-usage expense.

Soft tokens

For the mobile user, soft tokens are ideal. These are actually the functional equivalent of hard tokens, but run as an application on an existing device such as a PC, PDA, or cell phone, says Stu Vaeth, chief security officer for soft token maker Diversinet. Because of their lower maintenance cost (and lack of hardware cost), they’re a cheaper alternative to hard tokens, he contends. Most “soft tokens” work in relatively the same format with some variation: Diversinet’s MobiSecure soft tokens, for example, generate OTPs on a mobile device such as a cell phone, providing strong two-factor authentication for online transactions. “(It is more secure) since it requires the submission of a dynamic password generated on a separate device held by the user,” adds Mr. Vaeth, “rather than relying only on a static password that can be stolen and re-used to perform fraudulent transactions.”
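The event-based and time-synchronized one-time-password generators described above, hard or soft, can be illustrated with the bank-side check that accepts or rejects a submitted code. The following Python is an added example, not code from the article or from any vendor it names; it assumes the OATH HOTP algorithm (RFC 4226) and its time-based variant (RFC 6238), whereas commercial tokens may use other, proprietary algorithms. The function names, the look-ahead and drift window sizes, and the demo secret (the one published in the RFC test vectors) are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 4226 test vectors; a real token gets a unique random secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA-1 over an 8-byte counter, then truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset taken from the last nibble
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized OTP: the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not reveal matching digits.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_event(secret, code, server_counter, look_ahead=3, digits=6):
    """Check an event-based code.

    The token's counter runs ahead whenever the button is pressed without a
    login, so the server searches a small look-ahead window. Returns the next
    counter to store on success (which also invalidates the used code and all
    earlier ones), or None on failure.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, counter, digits), code):
            return counter + 1
    return None


def verify_time(secret, code, unix_time, last_step, drift_steps=1,
                step=30, digits=6):
    """Check a time-synchronized code.

    Accepts codes from a few steps either side of the server clock to absorb
    clock drift, but never from a step at or before `last_step`, so a code
    captured by a keylogger cannot be replayed inside its validity window.
    Returns the accepted step to store as the new `last_step`, or None.
    """
    current = int(unix_time) // step
    for candidate in range(current - drift_steps, current + drift_steps + 1):
        if candidate <= last_step:
            continue  # already consumed: treat as replay
        if _same(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Token button pressed twice without logging in, then a real login.
    code = hotp(DEMO_SECRET, 2)
    print("event code", code, "-> next counter", verify_event(DEMO_SECRET, code, 0))
    print("replay     ", code, "->", verify_event(DEMO_SECRET, code, 3))
    # Time token read at t=59s, submitted at t=89s (one step of drift).
    code = totp(DEMO_SECRET, 59)
    print("time code ", code, "-> step", verify_time(DEMO_SECRET, code, 89, -1))
    print("replay     ", code, "->", verify_time(DEMO_SECRET, code, 89, 1))
```

A wider window tolerates more drift or stray button presses but gives a guessed code more chances to match, so the window size is a security parameter, not just a usability one.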


Public Key Infrastructure (PKI)

Because it enables mutual authentication (between the client and the server), PKI technology is the “killer app” of strong authentication, says BusinessEdge’s Graham. The technology is defined by online encyclopedia Wikipedia as “an arrangement which provides for third-party vetting of, and vouching for, user identities (via keys contained) in certificates.” But PKI can be challenging and costly to implement. To use the technology, a computer network must be equipped with smart card readers that can mutually authenticate information, says Mr. Graham. Implementation costs for the required infrastructure – certificate authorities, smart cards, and readers – have traditionally been prohibitive for many organizations. The good news: the technology is ready to go, card costs are dropping, and readers are being standardized in some laptops, says Mr. Graham.

Biometrics

Biometric authentication refers to technologies that measure and analyze human physical and behavioral characteristics for authentication purposes. Examples of physical characteristics include fingerprints, retinas, facial patterns, hand geometry, and voice. Biometrics is a favored authentication method, but it is not feasible for all bank customers, because it requires the use of readers or scanners to verify the biometric template. “Retinal scanners are great, but it will be a long time before I have a retinal scanner on my computer,” Mr. Graham says. An exception to this, he suggests, is voice authentication. “Voice is good because it is effective and doesn’t require consumers to use any additional hardware,” Mr. Tubin adds. “Everybody has a telephone.”

Risk-based authentication technologies

These technologies are “a cost-effective, low-impact alternative to hardware-based ID tokens,” says Tower Group’s Tubin, in a report comparing different security applications. In his report, “No More Straw Houses: The Feds Issue Guidance on Online Authentication,” Mr. Tubin praises risk-based authentication systems because they are invisible ... requiring no behavioral changes, software downloads, hardware devices or multi-step login procedures. When a user goes to log into a bank session online, they are accepted based on perceived risk and a series of observations (such as their location, computer terminal or time of login). Bank of America uses this type of risk-based solution for its SiteKey application developed by PassMark Security, Mr. Tubin points out. As with most solutions, price is based on a number of factors, such as the number of users and licensing agreements. It might work out to $1 per user, says Mr. Tubin, and decrease to 60 cents per user transaction once a bank has passed a given user threshold (i.e., 500,000).

Simple Challenge Questions

Want to strengthen online authentication as inexpensively as possible? Start using basic challenge questions (pre-answered, non-standard questions such as “what was your favorite teacher’s last name?”, or “what color was your first car?”). This can be the cheapest means to strengthen security and can be initiated by a bank’s in-house IT department. Some banks are doing this as a bare minimum, says Mr. Tubin. But the method provides only slight protection beyond a username and password methodology, and can annoy customers if they have to answer a challenge question every time they log into their account. Furthermore, “it’s something that could be phished easily” using keyboard loggers or spyware, he adds.

Look before you leap

No matter what their size, and whether they’re working independently or with software providers, financial institutions that want to implement a multi-factor, strong authentication solution should keep abreast of industry progress. In 2006, huge strides are being made to create open frameworks for strong authentication, and so a greater range of products will be interoperable. The Initiative for Open Authentication (OATH) and the Liberty Alliance, just two groups on the forefront of such developments, have already produced open specifications they hope to expand. Mr. Tubin suggests banks pursue the tried-and-true method of vetting by seeking references and working with trusted technology providers. Most major players in the strong-authentication space offer pilot programs, and will work with financial institutions to install software or hardware and test it before implementation, he says.



REAL ID Act faces real challenges
Driver license reform enters rulemaking amid funding and technology disputes

Opposition is building against the Real ID Act requirement that, among other things, forces states to standardize driver licenses. Many at the state level fear that the under-funded, aggressive mandate will be overly burdensome and difficult to meet. At least one coalition of privacy-concerned groups fears the new rules, in development now, could force states to include RFID chips on their driver licenses. The REAL ID Act of 2005, which passed Congress last May (it was tucked inside a massive appropriations bill), prohibits federal agencies (and airlines) from accepting state-issued driver licenses or identification cards unless they meet minimum security requirements – such as including common machine-readable technology and certain anti-fraud security features. It also requires verification of information presented by the license applicant, who must also supply evidence that he is a citizen or a legal immigrant. The act requires standardized driver licenses by 2008.

And, therein lies the controversy ...

Though the REAL ID Act in its current form does not specify RFID or any other specific technology, a coalition consisting of groups spanning the political playing field has submitted a letter to DHS opposing the inclusion of RFID. This latest shot came from a coalition of 21 organizations, including the American Conservative Union, Citizens Against Government Waste (CAGW), and the American Civil Liberties Union, that sent a letter to Department of Homeland Security Secretary Michael Chertoff, urging that DHS, in its rule-making, “...establish a standard that provides the greatest possible security at the most reasonable cost while protecting individual privacy.” The letter was prompted by the group’s concern that DHS might mandate that an RFID chip be included in all state driver licenses. The group contends that many states are already using secure technology, such as 2D bar codes, “as an anti-fraud tool” and are also protected against skimming, which can (also) happen with RFID-enabled ID cards. “This is one reason that states do not currently use a RFID or computer chip of any kind in their driver licenses,” states the letter.

Just as critical are costs, says the coalition. “While the Congressional Budget Office estimated that the cost of complying with the REAL ID Act would be $100 million for all 50 states, the state of Washington independently concluded that it would have to spend at least $92 million in the first two years alone. The National Conference of State Legislatures estimated the cost of implementation of the REAL ID Act would be $9-$13 billion. Citizens Against Government Waste has estimated that a federal chip mandate for state drivers licenses would cost $17.4 billion,” the coalition wrote. That, according to CAGW, breaks down to about $93 per license. David Williams, CAGW’s vice president for policy, said the coalition has received no response from DHS. “I’m not surprised,” he told SecureIDNews, “but we’ll keep hammering away.”

His organization has also collected some 10,000 signatures on a petition urging DHS to stay away from mandating RFID technology on driver’s licenses. “There has been talk in Congress about opening up the REAL ID Act again, but nothing has happened,” said Mr. Williams.

State license issuers ready for the task at hand

The American Association of Motor Vehicle Administrators (AAMVA), a group representing those who will have to implement the driver license portion of the REAL ID Act, has taken a calmer, wait-and-see attitude. The AAMVA says in its REAL ID Act credo that its members will do everything they can to make sure the act is implemented properly, adding: “...AAMVA members recognize there is a need for uniform minimum standards and best practices to assure there can be reciprocity and efficiency within and among the issuing authorities.”

It has created its REAL ID Task Force, which has been working with the Department of Homeland Security and state groups, like the National Governors Association and the National Conference of State Legislatures, “to prepare formal input regarding the issues, impacts and recommendations to ensure the REAL ID Act is implemented in a practical and successful manner.” The AAMVA task force plans to issue its recommendations in late February 2006.

Homeland Security still in the early stages of detailing Real ID

Meanwhile, DHS has no timeline on when the rules might be written, said Jarrod Agen, DHS spokesperson. “We’re not at the point of announcing what may be in the rules,” he said. DHS is currently “working with individual states to talk about the key issues, like information sharing and technology connectivity and some of the hurdles that need to be looked at in those areas,” he added. In the technology and security areas, he said DHS is “open to areas that are going to benefit some states.” He referred specifically to the PASS card (People Access Security Service) recently announced to comply with the land border crossing requirements of the statutory Western Hemisphere Travel Initiative. That law requires that anyone applying for admission to the U.S., including U.S. citizens, present secure travel documents that denote citizenship and serve as proof of identity.

The biometric-enabled PASS card will be an alternative to a traditional passport book for use by U.S. citizens living in border communities who frequently cross into Canada or Mexico. The card will be issued starting in late 2006. PASS, which is being developed by the Department of State, will likely include RFID technology, said Mr. Agen. “We hope to get to the point where you can talk to states about how that technology will work and whether states want to use that (technology) in their driver’s licenses,” he added.



Understanding DPA attacks and the countermeasures available to protect smart cards Ken Warren Smart Card Business Manager Europe, Cryptography Research The primary reason for smart card technologies growing success in the marketplace is simple – security. Smart cards are self-contained security units that can provide unparalleled barriers to fraud and piracy. But what if they were actually discovered to be insecure? Even worse, what if attackers could unobtrusively defeat a smart card’s security using inexpensive equipment? Would governments, businesses, and consumers continue to rely on them for critical transactions? This is the threat the industry has faced since the late 90’s when scientists at Cryptography Research Inc., discovered a vulnerability called Differential Power Analysis (DPA). DPA is an attack that attempts to compromise data on a device by monitoring the electrical activity of the chip. Realizing the impact that these fraudulent attacks could have on the industry, smart card vendors and issuers were informed of the vulnerability and were provided with patent-pending countermeasure techniques to help ensure subsequent smart cards would be secure. Today, most smart card standards mandate DPA resistance as an important component of the system’s overall security requirements. DPA resistant techniques are available to smart card manufacturers and silicon providers under a DPA Countermeasure Licensing program represented by a “lock” logo.

Photo credit: APFOUCHA 24

Spring 2006

What is DPA? At the fundamental level DPA is a power analysis attack which attempt to compromise data on a device by measuring the electrical activity of the chip. All device operations and programming activity involves specific electrical activity at the transistor level, which can be accurately monitored as power consumption. The power trace, or ‘signature’, is a direct function of the particular operation being performed and data that is being processed. SPA - Simple Power Analysis The least complex technique is known as Simple Power Analysis (SPA). An SPA attack directly observes a device’s power consumption – a process which has been likened to monitoring a patient’s heart beat on an EKG. Analysis of the resulting power traces on a smart card can reveal information about which computational process are being employed, distinguish non-volatile memory programming, or identify cryptographic routines as they execute. By studying detailed features of a power trace, individual device instructions can be distinguished, and data dependant variations in program flow can be observed. In particular, key-dependant power variations during cryptographic processing can reveal secret key values.


ital identity the consequences can be catastrophic. Copying or cloning of banking cards enables fraudulent credit and debit card transactions to be conducted; criminals possessing keys for prepaid cards or e-purse applications can create electronic money. But perhaps the most worrying scenarios involve the cloning or forgery of Smart Card used for government-issued ID credentials.

DPA – Differential Power Analysis

In contrast to most other attacks on smart cards, SPA and DPA are non invasive and inexpensive to repeat, and in many situations the cardholder would have no idea that a successful attack has taken place. Since smart cards are nearly always relied upon for their security merits, resistance to SPA and DPA attacks is essential for nearly all smart card applications.

DPA is a more complex and more powerful variation of SPA. With DPA many power traces are gathered, and statistical analysis and error correction techniques are used to extract information leaked across multiple operations. The robustness of these techniques allows very small differences in power consumption to be isolated, even when the signal level is a good deal smaller than the ‘noise’ from other processes, measurement errors and even deliberate attempts to obscure the signal. In a typical DPA attack the smart card is monitored whilst performing a number of cryptographic operations, and power traces are recorded for each operation (typically this information is stored on a computer hard drive). After suitable signal processing the attacker uses the collection of sampled traces to test ‘guesses’ about the key or other secret information. If the attacker makes a correct ‘guess’ there will be statistically significant correlation in the set of power traces, resulting in an identifiable DPA signal. If the guess is incorrect or if suitable countermeasures are present, than there will be no correlation of the traces and no DPA signal will be observed. The attack is completed by making multiple guesses about the key information and using the DPA process to verify or refute successive guesses. DPA attacks can be automated and usually take between several minutes and several hours to conduct. DPA countermeasures are described in further detail below, and can involve a combination of hardware, software, protocol, and crypto designs.

What are the implications of a DPA attack? At a fundamental level all smart cards aim to ensure that a particular ‘asset’ is used or accessed in an ‘authorised’ or permitted manner. Software and cryptographic keys on the smart card are used to protect these assets. A successful SPA or DPA attack on the smart card provides an attacker with means to access, bypass, or clone, the authorisation criteria for the assets protected by the card. In any applications this has a significant business impact, as fraudulent misuse of mobile phones, transportation services and pay TV signals result in lost provider revenue. In applications such as banking and dig-

DPA Countermeasures The fundamental countermeasures to DPA and other power analysis attacks are patented. Effective deployment of DPA countermeasures requires careful design and implementation. Although many smart card products in the market today include DPA defenses, some are considerably more effective than others. As previously stated successful DPA countermeasures generally involve a combination of hardware, software, protocol and crypto design. Some of the common types of DPA countermeasures are: • noise generation – increase the amount of noise detected by an attacker • leakage reduction – reduce the amount of detectable key related signal • leak resistance – design protocols which maintain security even when information does leak Smart card customers need to know that the products they are purchasing are secure against DPA attacks. A DPA Countermeasure Licensing Program has been designed to assist vendors in ensuring that countermeasures in their products are effectively implemented. Vendors which have successfully implemented and tested licensed countermeasures in their devices will be able to display the ‘DPA Lock’ logo on their products and in marketing literature. Going forward the smart card industry will continue to evolve, building upon its outstanding growth in recent years. Smart cards offer a highly cost effective and flexible solution for a range of applications benefiting commerce, governments and consumers. But above all else smart cards offer security, and an essential component security are robust defenses against would be attackers. Effective DPA countermeasures are a vital component in protecting the smart card, and its future success. The security promise of smart cards still exists, though it is worth being sure the cards you are issuing are properly protected.


Sound complicated? Unfortunately, it’s not complicated enough. A device that is vulnerable to SPA can be compromised by the analysis of a single power trace captured during a normal transaction. What’s worse, the attack can be automated and completed in seconds by even relatively unsophisticated fraudsters. The good news is that effective countermeasures against SPA are relatively straightforward.
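A simplified software model of leakage reduction against SPA, added here as an illustration and not taken from the article or from any vendor's licensed countermeasures. It assumes RSA-style modular exponentiation and treats the sequence of square ("S") and multiply ("M") operations as what a single power trace exposes; the function names, modulus and sample keys are constructed for the example.

```python
"""Model of SPA leakage in modular exponentiation (constructed example).

A real power trace is an analogue measurement. Here it is reduced to the
sequence of big-number operations the card performs, which is the feature
that separates a leaky implementation from a regular one.
"""


def square_and_multiply(base, exponent, modulus):
    """Textbook left-to-right exponentiation: the multiply happens only for
    1-bits, so the operation sequence is a function of the secret exponent."""
    result = 1
    ops = []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        ops.append("S")
        if bit == "1":
            result = (result * base) % modulus
            ops.append("M")
    return result, "".join(ops)


def montgomery_ladder(base, exponent, modulus, bits):
    """Montgomery ladder over a fixed bit length: every key bit costs exactly
    one multiply and one square, so the operation sequence is the same for
    every key. On a real device the if/else below is replaced by a
    constant-time conditional swap; this model tracks operation types only."""
    if exponent >> bits:
        raise ValueError("exponent does not fit in the fixed bit length")
    r0, r1 = 1, base % modulus
    ops = []
    for i in reversed(range(bits)):
        if (exponent >> i) & 1:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r0, r1 = (r0 * r0) % modulus, (r0 * r1) % modulus
        ops.append("MS")
    return r0, "".join(ops)


def distinct_traces(exponentiate, keys):
    """Leakage check: how many different operation sequences appear when the
    same routine runs with different keys. 1 means the sequence is regular."""
    return len({exponentiate(key)[1] for key in keys})


# Constructed sample values, all 16-bit keys with the top bit set.
MODULUS = 1000003
BASE = 4242
KEY_BITS = 16
SAMPLE_KEYS = [0xB5A3, 0x8001, 0xFFFF, 0xC3D2]


def naive(key):
    return square_and_multiply(BASE, key, MODULUS)


def ladder(key):
    return montgomery_ladder(BASE, key, MODULUS, KEY_BITS)


if __name__ == "__main__":
    print("naive  distinct traces:", distinct_traces(naive, SAMPLE_KEYS))
    print("ladder distinct traces:", distinct_traces(ladder, SAMPLE_KEYS))
```

A regular operation sequence addresses SPA only; DPA works on statistical differences across many traces and needs the further measures listed in the article.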



ActivCard® becomes ActivIdentity™

Rebranding to reflect company’s expanding work in identity assurance

Sara Pralle
Contributing Editor, AVISIAN Publications

ActivCard®, a leader in digital identity assurance, recently changed its name to ActivIdentity™ in an effort to reflect the migration from its initial focus on card-based solutions to its current focus on a wide range of identity solutions.

“The timing couldn’t be better,” Julian Lovelock, the company’s director for the Financial Services Group, told SecureIDNews. “The market as a whole is understanding the identity management concept now.”

Founded in 1988, the Fremont, Calif.-based company developed a niche helping organizations secure access to information technology resources through the use of smart cards, tokens and biometrics. In 2000 the company raised $306 million upon its initial listing on the NASDAQ (it continues to trade under its current ticker symbol, ACTI). In 2005 ActivIdentity acquired its closest competitor, Protocom Development Systems, and reported revenue in excess of $42 million.

Globally, more than 10 million users now access the company’s technology at leading enterprises and government agencies, such as Airbus, Hewlett-Packard, the U.S. Bureau of Land Management, Renault, and ST Microelectronics. The world’s largest multi-function smart card deployment, the U.S. Department of Defense’s Common Access Card, also relies on the company’s technology.

New Name, New Focus

According to ActivIdentity’s Chief Executive Officer Ben Barnes, the change reflects the company’s vision and alignment of its business with the high growth global identity markets. “Our new name more accurately reflects our business focus and position within the broader identity management market,” Barnes explained. “This is more than just a name change; this move reflects a refinement in our position and focus.”

The focus is to extend and leverage existing network infrastructure – utilizing directory-based services to manage the multiple digital identities and credentials associated with each employee or user. The integrated architecture allows clients to securely issue, use, manage and deploy additional components of digital identity infrastructure as needed.

The goal, says Barnes, is “to deliver best of breed proof of identity, digital signatures and credential management integrated with our industry leading ... partners including IBM, Lenel, Microsoft, Novell, Oracle and Sun. Together ... we deliver a trusted end-to-end identity management solution to help our customers meet voluntary and mandatory legislation such as eSign, HSPD-12, HIPAA, Gramm-Leach-Bliley, FFIEC guidelines, Sarbanes-Oxley and BASEL II.”

Primary markets include financial services, government, and enterprise as well as a newer focus on the healthcare industry. “Healthcare is coming into its own,” says Mr. Lovelock, “due largely to (the need for) single sign-on” ... where the company’s products help ensure the privacy of medical data and rapid, secure access to patient resources in accordance with HIPAA guidelines.

In the financial services arena, ActivIdentity solutions enable institutions to secure banking channels, thwart phishing scams, and comply with the FFIEC’s recent recommendations for two-factor authentication. This is accomplished, says Kristy Dennis, Corporate Communications Manager for ActivIdentity, “via the use of ActivIdentity Tokens, Authentication SDK, Solo II (a standalone smart card reader), and 4Tress, a multi-channel authentication server. The solution enables organizations and business customers to authenticate to each other ... making the transaction extremely secure.”

ActivIdentity has development centers in the U.S., Australia, France and the United Kingdom and sales and service centers in more than 10 countries.

With the growing need for identity security in the financial and healthcare industries, the company’s new name reflects the forward-looking approach that is vital in the highly competitive industry of hardware- and software-based authentication.

Products

Secure Remote Access

Tokens, USB Keys or Smart Cards -- that can be deployed concurrently to match a company’s specific requirements. Users enter their PIN on their keyboard to access the credentials on their card. The ActivIdentity software then authenticates the user, configures the VPN session and makes a connection ... all transparent to the user.

Single Sign-On

Helps organizations to prevent the identity proliferation that can compromise confidential information, revenue, compliance, and reputation. Assists enterprises to comply with e-business legislation, such as the Sarbanes-Oxley, HIPAA and the Gramm-Leach-Bliley Acts by enforcing proof of identity, restricting users’ access to information and auditing their application-level authentication activity.

Enterprise Access Cards

The ActivIdentity card management system handles smart cards and their associated credentials through the entire lifecycle – from issuance to revocation. ActivClient software currently enables about 6 million users to access PKI credentials stored on the smart card for applications such as secure e-mail, digital signatures and secure web access.


Two groups set goals for more secure Internet transactions

OATH, Liberty Alliance members build open algorithms, make digital banking easier

Marisa Torrieri
Contributing Editor, AVISIAN Publications

The good thing about strong authentication is that the technology measures up to the hype. The problem is most organizations don’t want to invest in anything but the minimum needed to beef up security, say manufacturers of multi-factor authentication and the advisors helping them market their goods.

What’s slowing the sales of one-time password (OTP) technologies, soft tokens and PKI is the lack of a single, open standard for strong authentication products, says Stu Vaeth, chief security officer for Diversinet, which makes strongly authenticated soft tokens that go inside mobile devices.

Vaeth is part of a growing number of high-tech, Internet security executives trying to combat this challenge. To do so, he serves as co-chair of the technical committee of OATH (The Initiative for Open Authentication), one of two noticeable organizations working to make digital transactions both more secure and less frustrating -- for businesses and their customers.

OATH: Armed with new algorithms, roadmap and pushing for universal adoption

OATH doesn’t call itself a standards organization, but a consortium with more than 50 companies: authentication hardware and software manufacturers, security professionals, and as of last year, financial institutions. All are collaborating to create and adopt a single, open framework for strong authentication. The organization was founded in February 2004; founding organizations are IBM and VeriSign.

The organization’s goals for 2006, outlined in its latest roadmap that went on display at the RSA Security Conference in San Jose, Calif., in February, are well underway.

At the end of last year, OATH members submitted a draft for an algorithm to the Internet Engineering Task Force (IETF) for two methods of strong authentication: an HOTP algorithm and a challenge-response algorithm (a variant of the HOTP algorithm). Basically, the two interoperable sub-algorithms serve two different applications: the first creates one-time passwords and the second creates challenge-responses between two parties, such as a user and a Web site, resulting in mutual authentication. The algorithm is based on a shared secret transformation using random numbers, digest, and hashing technologies, says OATH. Mutual authentication refers to the idea that two parties, such as the bank and the bank’s client, each know that the other party is valid.

“The context of OATH is a whole authentication framework,” says Mr. Vaeth. “These algorithms are only a small part.” The overall goal is to provide a total open framework. “I might have a token issued to me by bank X,” says Mr. Vaeth, “and that [token] might be acceptable to use with my brokerage firm, because this is an open framework.”

When the algorithm is universally accepted, it will be incorporated into all methods of strong authentication. And so, a bank will be able to offer a variety of services based on multiple devices and platforms, such as PDAs, cell phones and USB drivers.

“OATH was founded because we needed to change the landscape in the context of the consumers,” says VeriSign’s David Berman, who is OATH’s marketing manager. “The open, royalty-free specifications, the ability to promote embedding in all sorts of devices, and making all sorts of types of authentication available for consumers – not just institutions – that’s what’s going to drive adoption.”
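The one-time-password half of the OATH algorithm, shown as an added example rather than code from OATH or from the article. It follows HOTP as published in RFC 4226 (HMAC-SHA-1 over a shared secret and an event counter); the `HotpValidator` class, its look-ahead window and its failure limit are illustrative assumptions, and the secret and expected codes are the RFC's public Appendix D test values.

```python
import hashlib
import hmac
import struct

# Public test secret from RFC 4226 Appendix D (never use it in production).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute one HOTP value for a shared secret and an event counter."""
    # The moving factor is the counter as an 8-byte big-endian integer.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side check for one token (hypothetical helper).

    Token and server each keep their own counter. The token's counter runs
    ahead whenever the user generates a code without submitting it, so the
    server accepts any of the next `window` + 1 values and then
    resynchronises. A code can never be used twice because the stored
    counter always moves past an accepted value.
    """

    def __init__(self, secret, counter=0, window=3, max_failures=5, digits=6):
        self.secret = secret
        self.counter = counter
        self.window = window
        self.max_failures = max_failures
        self.digits = digits
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, candidate: str) -> bool:
        if self.locked():
            return False  # throttle guessing: a 6-digit code is a small space
        well_formed = (
            len(candidate) == self.digits
            and candidate.isascii()
            and candidate.isdigit()
        )
        if well_formed:
            for counter in range(self.counter, self.counter + self.window + 1):
                expected = hotp(self.secret, counter, self.digits)
                if hmac.compare_digest(expected, candidate):
                    self.counter = counter + 1  # resync and burn this value
                    self.failures = 0
                    return True
        self.failures += 1
        return False


if __name__ == "__main__":
    server = HotpValidator(RFC_SECRET)
    code = hotp(RFC_SECRET, 2)  # user generated two codes without submitting
    print("first use :", server.verify(code))   # accepted, counter becomes 3
    print("replay    :", server.verify(code))   # rejected
```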

Liberty Alliance: also striving for easier, more secure digital transactions

At the end of last year, OATH members submitted a draft for an algorithm to the Internet Engineering Task

Meanwhile, another group is on the forefront of simplifying digital banking and other online applications.


Liberty Federation started out as an open alternative to Microsoft’s proprietary Passport initiative, across vertical markets, says a spokesman for the organization.

A major goal for 2006 is to deploy interoperable strong authentication. Like OATH, Liberty has a technical group focused on developing a strong authentication specification for the industry. Theirs is called ID-SAFE, and is expected to be released during the fourth quarter.

“What the Liberty Alliance is trying to do is effect a network world in which businesses and people can conduct transactions securely in an Internet environment,” says Roger Sullivan, who moonlights as vice president of the Liberty Alliance Management Board when he’s not busy with his duties as vice president of business development for Oracle’s Identity Management solutions. “What that implies, under the covers, is we need to enable the sharing of identities from one to another unit.” The sharing can involve B-to-B or B-to-C markets.

The Liberty Federation spec allows for single sign-on, authentication and secure movement of identity information in the federated network, a spokesman adds.

Liberty’s ideas and specs can make life easier, but ultimately, those using the technology must agree to cooperate and join the network to share the information. Thus, Liberty’s public policy group helps corporations work out the legal and privacy issues related to sharing, says a spokesman.

Such information passing already works as a viable alternative in the corporate setting, says Mr. Sullivan. In offices that deploy Liberty’s specification, employees no longer have to log into a dozen or so accounts (401K, medical insurance, dental insurance, etc.) and memorize a bunch of passwords to retrieve information.

“We have created technical specs that focus on traded identities between companies so users can access 401K within employer’s Intranet,” Mr. Sullivan says. “It’s the same in a supply chain model, where credentials are securely shared.”

The biggest difference from OATH is that Liberty doesn’t just focus on strong authentication – it’s just one component of a bigger picture. Still, Liberty supports OATH’s goals in creating an open security standard, Mr. Sullivan says.

“The real bang for the buck,” says Mr. Sullivan, “is to facilitate business-to-business transactions, to make it easier for commerce to flow on the Internet.”

Two-factor takes charge

Benefits from EMV infrastructure

Nigel Reavley
Director of Business Unit for Banking, XIRING

The banking and financial services industry is starting to wake up to the need for greater security for online transactions. With Gartner warning that static passwords will become obsolete in two years, the industry is moving towards widespread implementation of two-factor authentication. In the US, federal regulators have gone as far as to state that banks must have two-factor authentication on their web sites by the end of 2006.

EMV migration continues to drive authentication technology, since banks are able to re-leverage the considerable investment, and use it for security purposes. Europe is ahead of other regions in this respect, with forecasts from MasterCard predicting the percentage of EMV-enabled cards in Europe at 67% by 2007.

The technology already exists, and as banks start to recognize the business benefits afforded by securing their online business – more transactions, lower overheads – secure authentication will provide a point of differentiation among competitors.

As EMV’s global proliferation continues, greater investment in EMV-based authentication solutions will further diversify the range of solutions available to satisfy the segmented needs of online banking customers. XIRING is already developing solutions that do more than just generate one-time passwords or enable a digital signature, bringing to market connected smart card readers that allow consumers to store a variety of information on their smart cards, including ship to/bill to addresses, phone numbers, store discounts, and receipts.

Looking ahead to 2006 and beyond, I predict that it won’t be long before the financial industry begins to reap the rewards of greater consumer confidence in online banking.


The patriotic-themed Liberty Alliance, which was created in 2001 and has 150 member organizations, harbors the ultimate goal of making Web transactions easier and more secure for consumers. The group is focusing on promotion of its three specifications -- Liberty Federation (ID-FF), Liberty Web Services (ID-WSF), and Liberty Strong Authentication (ID-SAFE). Liberty’s specifications are deployed now at a number of organizations, including American Express, AOL, Sun Microsystems, Nokia, General Motors and France Telecom.



Texas goes live with a smart card-based benefits card

Speed, convenience and quicker reimbursement all add up to a successful launch of the WIC smart card program in Texas.

WIC, a federal program begun in 1974, stands for Women, Infants and Children and provides participants with nutritious foods, counseling, and referrals to health and other social services at no charge. The program serves low-income pregnant, postpartum and breast-feeding women, and infants and children up to age 5 who are at nutrition risk.

In most states, women are given WIC vouchers or checks that they redeem at grocery stores for WIC-eligible foods and beverages, such as milk and infant formula. But in Texas, all that is changing. After a year-long pilot program in El Paso, the state’s Department of State Health Services (DSHS) is expanding the use of an electronic benefits smart card for purchases made by WIC clients, replacing the paper voucher system.

“The pilot went very well,” said Hank Lundberg, part of the DSHS Electronic Benefits Transfer Development project. Last October, the state began the gradual implementation of the WIC smart card program, issuing its Lone Star Card to women in the north central Texas area near Dallas. This same card is also used for food stamp and TANF (Temporary Assistance for Needy Families) recipients, he said.

“It will be an incremental expansion,” said Mr. Lundberg of the multiyear project. “We had to break this up into manageable pieces so stores can get ready.”

The smart card, produced by Gemplus and issued through First Data Government Solutions, contains a chip that stores food benefits data for all members of a household participating in the WIC program. “The card is loaded for each client at a WIC clinic,” Mr. Lundberg said.

At the grocery store, the user inserts the card into a device at the register, where the card stays until the purchases are complete. “Computer systems of WIC-authorized grocers read the cards at a checkout terminal and match the information to items as they are scanned,” said Mr. Lundberg. Store computers identify WIC-approved items based on scanned product codes. When the WIC client is finished, she is prompted to remove her card. The items are deducted from the user’s card as the items are rung up.

When the client comes through the lane, two transactions are actually conducted, one for the store and one for WIC, explained Mr. Lundberg. Those WIC transactions are then bundled “and sent to us electronically.”

Each card contains food benefit information covering three months, calculated on a month-by-month basis. As items are purchased, the card is automatically updated with the remaining balance.

Under the old system, WIC-eligible items had to be separated and totaled so the vouchers could be properly redeemed. This process took extra time at the cash register. No more.

“A huge benefit for the client is the ease in using the card,” said Mr. Lundberg. “Instead of carrying a big wad of paper (vouchers), they just have this one plastic card. In the past, if the client lost the vouchers, we had no mechanism to replace them, but if they lose the card, we now know what they’ve used and we are able to easily replace the card.”



And the users? “They don’t want to go back to paper,” he said. The new program “virtually eliminates fraud. Also, the cashier doesn’t have to think about whether it’s a WIC or non-WIC item,” he added.

Before the state even began its pilot program, it worked closely with retailers, making sure the system would work with the various cash register systems in use. “Let’s say the grocer uses NCR or IBM systems. We worked with the grocers to make sure their ECR (electronic cash register) vendors could integrate the electronic benefits transfer (EBT) function into their software,” said Mr. Lundberg.

The program will also work for the small grocer who may not have the sophisticated electronic cash register capability of the chains. “We have an EBT-compatible device developed for the small operation,” he added. “We have three commercial vendors who have developed solutions for small grocers which does the same thing as the electronic cash register.”

That, he added, was one reason Texas’ program is more successful than pilots that started, and failed, in other states. “Many states were trying to set up a stand-aside solution where they had two systems running,” he said. “Cashiers had to scan twice and in a lot of cases that hasn’t worked very well.”

Another reason for the state’s success is the number of people who participated in the pilot program. “We had more participants covered in our pilot than in all the other states combined,” said Mr. Lundberg.

He said the state is “still working on final implementation dates. After we complete Collin County (near Dallas) next month, we’ll be expanding to west Texas, Midland-Odessa and just east of El Paso but south of the Panhandle. It’s a pretty large area and that expansion will start in June. In September we’ll be expanding into the Panhandle, Lubbock and Amarillo.”

Benefit card programs by state

| State(s) | Clients / Tech | Description / Status |
|---|---|---|
| New England PARTNERS (NH, ME, VT, MA, RI, and CT) | 7,700 / Smart card & Mag stripe | Deliver WIC food benefits and carry health services information. Pilot planned for Q2 of FY 2006. Phase 1 is to implement EBT in New Hampshire. |
| Ohio | 11,000 / Smart card | Both WIC and FSP participants used same smartcard for purchases. Pilot launched Oct. , 2000. Due to the high cost of EBT, OH converted back to paper when contract ended in June 2005. |
| New Mexico | 4,000 / Smart card | Partnering with Texas on design. Will utilize integrated software for grocer system. Pilot launched July 2003. Expanding in 2006. |
| Texas | 50,000 / Smart card | Partnering with NM on design. Developed in-house stand-beside software for grocers. Pilot launched June, 2004 in El Paso. Program launch underway. |
| Wyoming | 11,000 / Smart card | Began development in 1995 and is the first state to operate statewide. POS stands beside existing retailer equipment. Launched statewide in 2002. |
| Nevada | 6,000 / Smart card | Using the same WIC EBT system as that used in WY. Pilot launched June, 2000. System is operational in Reno/Sparks and in much of Las Vegas. |
| Michigan | 4,300 / Mag stripe | Michigan is demonstrating a new system for WIC EBT using on-line technology with some off-line functionality. Pilot launched July, 2005. Jackson County converted to EBT as of Oct. 2005. |
| Washington | 300 / Mag stripe | Washington participated on-line demonstration project to test delivery of WIC benefits using existing retailer equipment with mag stripe card. |

Source: USDA Food and Nutrition Service, WIC EBT Status Report, November 2005

Supermarkets love it too, not only for the time it saves a cashier, but because it reduces the time it takes for the store to be reimbursed for the WIC items. “With paper, it takes three to four weeks to get reimbursed,” said Mr. Lundberg. “With electronic transactions, redemptions occur in only three to four days.”



Building bridges?

Fans and foes of California RFID bill still seek compromise

Marisa Torrieri
Contributing Editor, AVISIAN Publications

The California RFID bill hailed by privacy advocates but feared by the tech industry is undergoing major revisions as both sides try to work out differences before the end of the legislative session in August, when the bill would expire.

SB 768, “The Identity Information Protection Act of 2005,” co-sponsored by the ACLU (American Civil Liberties Union) and the EFF (Electronic Frontier Foundation), is far from finished. Voting on the bill, formerly known as SB 628, has been delayed since August while lawmakers and RFID supporters continue to wrestle over its contents.

At a recent conference with RFID industry professionals, the bill’s primary author, Sen. Joe Simitian [D-Palo Alto], said that his top concern is to protect the privacy of individuals.

Most of the bill is devoted to security measures that government agencies should take when they implement the technology in state and local government IDs (such as minimal data elements, authentication security, and affirmative consent).

The portion of the bill causing significant commotion is a three-year moratorium for chip-based wireless technology to be studied more carefully before it is used in government-issued state ID cards (such as driver licenses). Mr. Simitian notes, however, that the bill completely permits the use of chip-based wireless technology in every single government-issued identification document one can think of except for four highly sensitive, mass-distributed IDs.

At the center of the debate, says Mr. Simitian, is the issue, “Should state and local governments be in a position to compel citizens to carry documents that broadcast their personal information?”

During that proposed three-year waiting period, Mr. Simitian says the technology will be studied, and ethical issues regarding the use of RFID will be debated.

The senator’s intentions, via SB 768, are to criminalize bad behavior (such as skimming), to make sure government-issued IDs have security or privacy elements in place (such as unique identification numbers instead of a person’s social security number or other personal information), and to make sure that government-issued IDs can only be read by authorized readers.

Other areas of concern ...

“The bill’s been amended half a dozen times,” Mr. Simitian told ContactlessNews, noting that the latest version took industry’s concerns into account. “I feel that I’ve made some pretty dramatic accommodations.”

Should the state of California have its own privacy law in place, it could be exempt from the federal Real ID Act of 2005, says Nicholas Chavez, the president for RFID Ltd., a public RFID consulting firm. Thus, California would become the preferred entry point for terrorists.

Meanwhile, longstanding opponents of the bill – RFID manufacturers and associations like the AeA (formerly the American Electronics Association) – contend that SB 768 will severely slow the growth of RFID. This, in turn, could hurt companies that produce the technology and hope to contract with the government, Marc-Anthony Signorino, director and counsel of technology policy for the AeA, said in a November interview.

The industry’s response to Sen. Simitian’s latest stance

The good news for RFID industry folks, says Mr. Simitian, is that the bill does not apply at all to private sector uses, nor does it apply to the vast number of uses in the public sector.

Until the federal government defines the specifics of its Real ID Act, which could possibly incorporate RFID into certain documents such as driver licenses in an effort to bolster homeland security, it is unclear how SB 768 and Real ID might coexist.

“You’re talking about a giant leaking point for terrorism and immigration on the California-Mexico border,” he says.

Additionally, today’s IDs are much easier to duplicate than ever before via advanced desktop publishing software, Mr. Chavez says. “The encryption inherent in RFID-enabled ID cards would help prevent counterfeit cards better than the holograms and watermarks used on state ID cards and driver’s licenses today,” Mr. Chavez says. “Encoding an RFID chip with the proper information, in the proper sequence and subsequently encrypting it provides an identification system that is next to impossible for counterfeiters to crack.”

As technology evolves, consumers are becoming more concerned about privacy issues, says HID Executive Vice President Debra Spitler.

“It’s only this narrow slice of mass distribution documents,” he says.

Although current California law prohibits unauthorized electronic tracking except by law-enforcement agencies, it doesn’t prohibit skimming a person’s RFID-embedded government ID (or, for example, skimming the ID of everyone at an anti-war rally or gun show and compiling a list of all those who attended).

In a recent conference sponsored by HID Corporation, manufacturer of contactless access control cards and readers for the security industry, Mr. Simitian attempted to assuage industry fears. As a panelist for the “RFID & Privacy in the Information Age” forum in Sacramento, Mr. Simitian reiterated his support for the technology to 65 or so attendees, and tried to explain the motives behind his bill.

“I thought we made a little progress,” Mr. Simitian said. “Some of the room seemed open to the possibility of finding common ground.”

But rethinking or shortening the bill’s three-year moratorium clause is not likely, as Mr. Simitian expressed to ContactlessNews that he thinks it is a reasonable amount of time to study and debate the technology’s presence in government IDs.


“Naturally, consumers are concerned about their privacy as the digital world becomes more pervasive,” says Ms. Spitler. “However, RFID and many other technologies are actually making personal information more secure. Greater public understanding of this, as well as responsible and necessary privacy policies, will go a long way to dissipating these concerns.”




Houston transit agency cuts Cubic and hires ACS as its contactless ticketing vendor

Andy Williams
Contributing Editor, AVISIAN Publications

It has been four years and one failed startup in the making, but Houston commuters may soon use a contactless smart card as their transit ticket ... offering convenience and speed over their existing magnetic stripe-based cards. The Metropolitan Transit Authority of Harris County, known simply as METRO, serves the United States’ fourth largest metropolitan area that includes Houston. A fare collection and ticketing system was supposed to have been in place by 2004, but when that deadline came and went, the transit authority overseeing the project dumped the current provider and hired a new one. Now, it looks like the system should be live by the third quarter.


Out with Cubic ...

In 2002, the agency hired Cubic to provide a smart card fare system, which was to be operational by 2004. In March 2005, however, the agency terminated its contract with Cubic, claiming the company was in default. As stated in a press release issued by METRO on March 18, 2005, “In Dec. 2004 and early Jan. of this year, METRO performed a series of tests on the hardware and software Cubic had delivered as of Dec. 1, 2004. Finding that many system components either had not been delivered or did not meet the requirements of the contract, on Jan. 18, 2005, METRO issued a Notice of Default to Cubic, identifying 18 significant default conditions.”


In with ACS ...

While METRO’s action is currently in litigation, the authority late last year awarded a new contract to Affiliated Computer Services, Inc. The original Cubic contract was for $8.5 million. The contract with ACS, which includes significantly more equipment and services than the Cubic scope of work entailed, is valued at $14 million.

Dallas, Texas-based ACS, normally a provider of business process outsourcing and information technology solutions, got into the transport business just last year when it acquired the Transport Revenue Division of Ascom, a Switzerland-based company that has now shifted its focus to its other two divisions: wireless and security solutions.

“We wanted a provider that had existing systems in operation that we could go see,” said Mr. Richard Lobron, a Pennsylvania consultant hired to oversee METRO’s smart card conversion in 2004, when the original Cubic system was to have gone live. Once METRO had narrowed the prospects down to three finalists, “we went around the world to see their systems. We were looking for a system that had been tried and tested. The solution presented by ACS is running in Lyon, France, and therefore met our requirements.”

The transit division of Ascom, which ACS purchased, handles numerous transit systems around the world. It has an Atlanta, Georgia office and serves U.S. customers in New Jersey and Metrolink in Los Angeles, according to Mr. Lobron. Other installations include:

• Athens - Greece
• Milan - Italy
• Calgary - Canada
• Berlin - Germany
• Hong Kong - China
• Paris - France
• Naples - Italy
• Nice - France
• Toulouse - France
• Berne - Switzerland
• Barcelona - Spain
• Medellin - Colombia
• Goiania - Brazil
• Sunderland - United Kingdom
• Montpellier - France
• Warsaw - Poland

“ACS took over the Transport Revenue Group that includes tolls, parking and fare collection,” explained Sanford Weinberg, vice president of fare systems for ACS Transport Services in Atlanta. “We’re also in the process of deploying a fare card program for Montreal. We do work in Paris, Warsaw (Poland), and Leon (Mexico) among others. We have over 100 smart card projects around the world.” Ascom, at the time of its sale to ACS, had been in the transport business for more than 20 years, he said.

“I know that one of the criteria was that the agency wanted a contractor with proven technology. One of our strengths is that we have a rather large reservoir of proven installations,” said Mr. Weinberg.

After METRO terminated its existing Cubic contract, it went through a competitive bid process that initially included nine companies.

Making up for lost time ...

ACS has wasted little time in meeting its new METRO contract. “The project is moving ahead at a pretty good pace,” said Mr. Lobron. “The designs are in and installations should commence by the end of this month. We plan to be operating by the third quarter on a contract that was just executed last November.”

METRO has pulled the Cubic smart card project equipment from the buses. ACS is currently replacing that hardware with its own equipment. “METRO removed all Cubic smart card project equipment from its property,” Mr. Lobron said. “The agency has Cubic fare boxes on buses which are 12 years old.”

The system ACS is putting in is “based on systems that ACS (Ascom) has in 50 other cities around the world,” he said. “That consists of a card reader on the buses. The cards will be MIFARE-compliant and we’ll have retail POS devices at 250 retailer locations around the city.” The equipment includes ticket validators, point of sale devices, and ticket vending machines.

Besides the 1,300 buses, METRO also has a 14-mile light rail system. “We’ll be installing the equipment for that in late 2006,” said Mr. Lobron. The system carries 300,000 riders daily and METRO hopes to be providing 70% of these riders with smart cards in the first year.

The initial card order, said Mr. Weinberg, will be about 200,000 units. Besides the contactless transit card, the agency will also be producing disposable contactless paper tickets. A card supplier has not yet been selected, he added. “The cards will have a stored value and other transit products and potentially could have e-purse capabilities, but that’s a call of the agency,” added Mr. Weinberg.

Users will have a choice of methods for reloading their cards, such as ticket sale locations, self-service terminals, or via the Internet. In addition, contactless tickets can be reloaded automatically by using a subscription service.

“We’re taking it one step at a time,” said Mr. Lobron. “The public has been waiting for this since 2002. We want to see it work. We all have great hopes and dreams for it.”



Blood vessels in human hand and contactless card combine to create secure biometric IDs

Forget fingerprints. A Toronto, Ontario company wants the whole hand involved. And it’s not talking palm prints. It wants to identify the blood vessels in your hand. Identica Corp. has linked its Universal Controller with a hand vascular scanner manufactured by a Korean company. The result is a biometric access control solution that it claims is accurate, fast, and non-intrusive for users. Terry Wheeler, Identica president, calls this a “whole new paradigm of biometrics on its own. Ours is completely unique.”

Mr. Wheeler started Identica in 2003. “My background goes back to biometrics,” he said. “At Identica, we were first involved with fingerprint-based solutions but then I started looking at what was going to be next, and I found this technology from Seoul, Korea. We got the rights for Canada, and at that point we realized we needed a bigger marketplace. Last spring, we acquired American Biometric and Security in Naples, Florida.”

To expand its North American market, Identica recently signed Johnson Controls Inc. (JCI), Simi Valley, Calif., to sell and integrate the Techsphere Hand Vascular Pattern Recognition (VPR) biometric solutions to its clients in the US and Canada (Identica also owns the rights for the vascular scanner in North America and Mexico).

SunFirst Bank, St. George, Utah, just recently integrated the Techsphere into its access control system for its Datacenter. “It is being used all over the world. You have installs in gaming, casinos, banking, transportation, and government.”

Mr. Wheeler explained that Techsphere scans a portion of the hand, going beneath the surface of the skin, “so we’re not concerned with contaminants like fingerprints would be. It scans for the main veins and blood vessels all around. It does a one to one comparison and it’s very accurate. You can use the product with a standard PIN or HID iCLASS smart card.”

He added: “With a smart card (such as with HID’s iCLASS) you’re storing the encrypted template right on the card. The user keeps the card with him. That’s one of the big issues for any biometric, where the template is stored. I present my card and hand and it sends the message to the access control system and opens the door.” Only a 208-byte template is required. “You don’t have to worry about where it is. You enroll them once. If you have a thousand doors around the world, all you need is your card and your hand to enter.”

Live applications and implementations underway

“Johnson Controls has a large established and growing customer base that relies on the company for their expert advice and integration of products to match their security requirements,” said Mr. Wheeler. “A typical JCI client has sophisticated access control security challenges that require the undeniable user verification and the many other benefits that the Hand VPR biometric solutions provide.”

Identica and its use of the Techsphere vascular hand reader is starting to get noticed. The company was awarded an iCLASS Innovation 2005 Award several months ago by HID, a world-leading manufacturer of access control readers and cards. The award was presented for Identica’s integration of HID iCLASS smart card modules with its Universal Controller and the Techsphere Hand Vascular Pattern biometric scanner.

Future plans include additional card types and additional ID technologies

“While the product we currently have is with HID, we will also have Mifare and Desfire capabilities. The whole development project is in the works for the Universal Controller.” Identica’s scanning process will also work with 2D barcodes. “I can store my template in that barcode and print it on anything, on a boarding pass, on the back of any card,” said Mr. Wheeler. “It really depends on what the customer wants. I personally think HID iCLASS is the way to go, but we want to make the integration easy.” He said the initial choice of HID was easy. “HID is the biggest in the market. They’re a great partner to work with and they always support their products.”



New chip may slash contactless ticket prices for transit

A company that once used its RFID technology to make Star Wars-licensed toys talk is now going after a market it believes looms larger than Darth Vader ... disposable smart tickets for public transportation.


“I have done a lot of evangelizing” about low-cost smart tickets, admitted Trevor Crotch-Harvey, senior vice president for United Kingdom-based Innovision Research and Technology, developer of a chip tailor-made for such tickets. While the product, called the Jewel chip, isn’t yet in use, it is in production and there has been “considerable interest” shown in the chip, he says.

A headline on a press release the company put out recently summarizes what Mr. Crotch-Harvey would like to see happen: “Innovision R&T challenges industry to stop discussing the benefits and start committing to low cost smart ticketing.”

His view ... that transit agencies need low-cost alternatives to smart cards. “A large number of transit agencies are moving to smart cards. Every day, I pick up the phone to talk to another one,” he said. “I’m not anti-smart cards, but a smart card doesn’t cover all the ticket types that a transit agency needs. A limited use smart ticket ... complements (full-fledged smart cards) giving them a host of benefits,” he added.

“When the UK Government published its ‘Transport 2010: The Ten Year Plan’ paper in 2000, it recognized smart cards as an important element in improving the transport infrastructure to encourage greater use of public transport,” he said. “It’s fair to say that the advantages of smart card-based contactless ticketing are by now well known within the transport sector, but there is still confusion and concern, mostly over the potential high costs of implementing such schemes. For smart cards to really deliver on their promise of seamless, inexpensive and improved travel, the industry needs solutions that can be rolled out economically and that meet agreed international standards.”

Innovision’s low-cost smart ticketing solution would allow more transit operators to become involved and could simplify integrating different ticketing systems (as in a universal fare standard) among different operators.

It could also entice more riders to begin using the system. “Agencies everywhere are trying to encourage people to get out of their cars. They need to provide a seamless ticketing process that’s good across transit agencies,” he added.

Addressing the issue of cost ...

Cost is a major factor in slowing the evolution of smart card ticketing. But with disposable tickets that include the company’s Jewel chip, “I see the price heading to around 0.15 euros (about 17 cents U.S.) per ticket over the next one to two years,” says Mr. Crotch-Harvey. “Enough to provide a return on investment for operators and encourage them to adopt low-cost contactless ticketing applications sooner rather than later.”

To reduce the cost, according to Mr. Crotch-Harvey’s white paper, limited use smart cards will need to be made of thin plastic, cardboard or paper and “dispense with the on-board microprocessor” of high-end cards. And, he adds, “bringing down the cost of the chip is having a significant impact on the cost of cards.”

The small Jewel chip has very large potential ...

The Jewel chip, two years in development, contains 96 bytes of memory. “It’s a very small chip, like a grain of sand. You need a microscope to see it,” he said. Why Jewel? “That was its internal engineering project name and it stuck. We got used to calling it that.”

Despite its small size, its 96 bytes of memory “allows transit agencies to have two products on one ticket, like park and ride, or ride and event entry.” This dual use for the ticket is just one more way to “encourage people to use public transportation,” he said.

“We’re working with a number of integrators,” he said. “Some have already done the work to implement Jewel in their readers, such as OTI, Empresa1 (Brazil), Kentkart (Turkey) and Cubic.”

Mr. Crotch-Harvey also lobbied the UITP (International Association of Public Transport) World Congress in Rome in June asking members of its transport sector to re-evaluate the business case for smart cards in transport. While presenting his white paper, he noted: “The industry is demanding low cost limited use smart ticketing, but very few are prepared to step up to the mark and fully commit to it. Cost has certainly been an issue up to now for low value ticket types such as daily passes or single trip tickets. But recent developments in RFID components and improvements in silicon chip manufacturing are rapidly driving down the unit cost, to the extent that it should no longer be a major concern.”

If the smart disposable ticket plummets to around 17 to 25 cents U.S., he believes the market would be substantial. His white paper estimates this market could grow from 277 million units in 2006 to 8.6 billion in 2009. He said limited use tickets are already in use in Portugal and Italy and in some cities in Australia, Norway and the Netherlands. Though the Jewel chip wasn’t available in time for these projects, Mr. Crotch-Harvey notes that “we’re starting to see Jewel being specified in tenders coming out now.”

“The message is loud and clear. Many of the barriers to adoption are being removed and, while there are many contactless ticketing trials now in place, it is up to the transport operators, authorities, systems integrators and vendors to seriously re-evaluate this opportunity and make low cost smart ticketing for mass transit a reality.”

From toys to transit ...

Innovision came on the scene in 1994, at first “to create innovative electronic solutions for all kinds of new products,” he said. “That was very successful in the 90s. We found ourselves presenting solutions for the toy market. Our biggest success was with Star Wars Episode 1. We designed figures for (U.S. toy manufacturer) Hasbro using RFID to make these figures talk. They were astoundingly successful. Whenever you brought the figure near the reader, it spoke one of three or four speech segments in one of seven languages. It’s now a collector’s item.”

The company went public in 2001. “In recent years we’ve been more focused on professional applications and, particularly now, on RFID solutions,” not only in the transport market but in the medical industry as well. “Our specialty is designing very low-cost chips and tags and readers, where the price point is critical and volumes are high.”

Innovision is also a member of the NFC Forum (near field communication) and is involved in designing “low cost silicon chips with NFC capability. We’ll start seeing that technology coming next year,” he added.



E-Passport trial underway at San Francisco airport

Tests include newly-issued documents from New Zealand and Australia


Global electronic passport usage moved ahead as trials got underway in San Francisco in January, following similar tests at Los Angeles International Airport last year. This latest multi-country test -- involving New Zealand, Australia, Singapore and the U.S. -- revolves around a contactless chip-enabled passport that is expected to increase security for those entering the U.S. while speeding up entry procedures.

Participants include citizens of Australia and New Zealand who have already been issued the new e-Passports, as well as Singapore Airlines crewmembers and U.S. diplomatic e-Passport holders. The 90-day San Francisco trial is scheduled to conclude on April 15, 2006.

The Department of Homeland Security is overseeing the tests. According to its spokesperson, Kimberly Weissman, they are testing the security feature known as Basic Access Control (BAC), a process designed to help prevent the unauthorized reading, or skimming, of information from e-Passports. “BAC protects personal privacy,” she says.

Frank E. Moss, deputy assistant secretary for Consular Affairs, in a presentation to the U.S. House of Representatives Homeland Security Committee last year, said: “ICAO recently identified BAC technology as a best practice for passport security. BAC technology will prevent the chip from being read until the passport is opened and its machine-readable zone is read electronically. This will serve to unlock the chip and permit the chip and reader to communicate through an encrypted session.”

Basically, the machine-readable zone (MRZ) of the passport is scanned and a key is created based on its contents. This key is then used to authenticate the passport before any of the passport holder’s information is transmitted. Using BAC, no personal information can be transmitted via the contactless interface unless the passport has been purposefully opened and its MRZ read and authenticated.
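The key derivation summarized above, as an added example that is not part of the original article or any vendor's code: it follows the BAC derivation published in ICAO Doc 9303, where the reader hashes the document number, date of birth and expiry date (each with its check digit) into a seed and derives an encryption key and a MAC key from it. The function names are illustrative assumptions, and the sample MRZ line is constructed around the field values of the ICAO worked example; the later 3DES challenge-response that uses these keys is not shown.

```python
"""BAC key derivation from passport MRZ line 2 (added illustrative example)."""
import hashlib

WEIGHTS = (7, 3, 1)  # repeating weights used by MRZ check digits

# Constructed sample: fields from the ICAO Doc 9303 worked example, padded with
# filler characters to the 44-character length of a passport MRZ line.
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 16


def char_value(ch: str) -> int:
    """Numeric value of one MRZ character: 0-9, A=10..Z=35, filler '<' = 0."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not valid in an MRZ")


def check_digit(field: str) -> str:
    """Weighted sum of the field's character values, modulo 10."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(line2: str) -> str:
    """Return the three check-digit-protected fields BAC uses, verifying each."""
    if len(line2) != 44:
        raise ValueError("a passport MRZ line is 44 characters long")
    fields = {
        "document number": (line2[0:9], line2[9]),
        "date of birth": (line2[13:19], line2[19]),
        "date of expiry": (line2[21:27], line2[27]),
    }
    parts = []
    for name, (value, printed) in fields.items():
        # A reader that misreads one character fails here instead of deriving
        # a key the chip will simply reject.
        if check_digit(value) != printed:
            raise ValueError(f"{name} check digit mismatch (misread MRZ?)")
        parts.append(value + printed)
    return "".join(parts)


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (1 if ones % 2 == 0 else 0))
    return bytes(out)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """SHA-1(seed || 32-bit counter), truncated to a 16-byte two-key 3DES key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(line2: str) -> dict:
    """Derive the seed, encryption key (counter 1) and MAC key (counter 2)."""
    info = mrz_information(line2).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return {
        "k_seed": k_seed,
        "k_enc": derive_key(k_seed, 1),
        "k_mac": derive_key(k_seed, 2),
    }


if __name__ == "__main__":
    for name, value in bac_keys(SAMPLE_LINE2).items():
        print(name, value.hex().upper())
```

Both keys depend only on what is printed in the MRZ, which is why the chip stays unreadable while the booklet is closed and why the reader must scan the data page before it can open the encrypted session.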

Specifics of the San Francisco trial

“We’re working with Australia and New Zealand because (some) citizens have already been issued the passports,” said Ms. Weissman. So far, about 70,000 passports have been issued to New Zealand citizens, along with airline crews from Singapore.

The New Zealand passport is supplied by Canadian Bank Note Company. It uses the Philips SmartMX e-passport chip. The new passports were first issued in November 2005 and contain the holder’s biographic information and a biometric identifier, in this case a digital photograph, embedded in a contactless chip.

Describing the LAX and San Francisco trials’ use of the New Zealand passport, Philips’ spokesperson Jim Sheire noted, “these are some of the first that have been used in the U.S. (and) we have learned that the technology is vetted, it is an excellent choice for passports, and e-passports are on the way.”

Five inspection lanes at San Francisco Airport are equipped to handle the new passports for the trial. “We’re testing how the new readers operate,” says Ms. Weissman. The readers deployed for the trial are from 3M and Viisage. Passengers are provided information explaining the new system and where they’re to go to present their e-passports. According to Ms. Weissman, “all is going well, from what I understand.”



Proximity payment defines the future of mobile commerce


Pierre A. Roberge
Electronic Payment Consultant

Businesses around the world are starting to recognize the value of RFID as a way to increase simplicity and convenience in their consumer products. Last year’s announcement by various card associations in the United States for a national roll out of proximity-based payment products was a clear sign of such acceptance. The convergence of the proximity payment market with the mobile device market is providing the key ingredients for the long awaited mobile-commerce revolution, as well as enabling other exciting business opportunities.

Proximity payment

Proximity payment first started in 1997 with Exxon Mobil. The company was looking for a way to improve its service to “Taxi-Mom,” by allowing simple and quick payment at the pump. Speedpass was launched and, by 2000, the company announced 4 million customers. Entrepreneurs and innovators noticed and started to leverage RFID technologies into their consumer-oriented products. In Canada, for example, Dexit used the technology in its open multi-merchant cash-replacement payment solution to facilitate payment transactions.

RFID by itself does not solve any retail issues; it is an enabler. You have to think in terms of the new transaction metaphor created: “touch the object,” which is a very simple, intuitive and logical action for the user. It is the only three-word user manual that I know – TOUCH THE OBJECT.

Mobile Device Revolution

There are more than two billion mobile phones out there. According to Tomi T. Ahonen, 3G Strategy consultant and author, phone users are twice the number of Internet users and three times the number of computer users. There are more mobile phones than credit cards, automobiles or TV sets. Since Taiwan first hit the milestone in 2001, 30 more countries have reached over 100 percent penetration. First-time customers are under the age of 10 in Finland, Italy and Hong Kong.

The phone has become a personal device, not just for communication. The majority of people would refuse to lend their phone to a friend for a day. In 2003, Siemens Mobile reported that more than half of people in Asia Pacific will return home if they forget their mobile phone. Unisys reported in the same year that it takes an average of 26 hours to notice and report a lost wallet, compared to 68 minutes for a mobile phone.

Convergence enables and extends

Cell phones are everywhere and so is convergence, from a camera integrated with a phone, a phone integrated with a PDA or a transit card integrated with payment. At the end of the day, convergence serves one purpose: convenience. Convergence enables and extends new ways of using the same service . . . the same device.

There was a trend in the last few years to minimize the size and weight of mobile phones, but these days most of the popular phones (at least in Japan) have a bigger form factor to accommodate a bigger screen, allowing a better experience for content viewing. This shows a growing preference from users for added convenience, illustrating the important paradigm shift from the “killer application” to the “killer combination.”

In the payment arena, a killer combination links multiple applications with payment. Payment and transit is another “killer combination” for the consumer. In transit systems, consumers must carry a transit card, and they must carry a payment card. When these needs are combined within a phone, RFID brings it all together because of its capacity to leverage the modern infrastructure and its throughput and speed capabilities.

The convergence proposition

What is the value proposition to combine payment and mobile devices? For the consumer, it is the added convenience in a single device: one phone, many cards. For those more security and privacy-minded, it can also be password protected.

For the merchant, it is all about speed. Speed translates into increased cashier throughput, reduced walk-away or drive-away, and ultimately more revenue. In addition to speed, pilot programs with the drug store CVS have shown a 20 percent increase in the average order compared to cash transactions.

Merchants that consumers visit once every few weeks or months also benefit greatly. These merchants are trying to establish relationships with their customers, often using loyalty card programs or other branded payment cards. If customers only go once a month to the renovation store for example, they are unlikely to carry the store’s card. With an electronic wallet on a cell phone, there is really no limit to the number of cards that customer can carry. Given this alternative, the customer can enjoy the added benefit of being a recognized loyal customer and will “carry the card” because it is convenient.

For the issuer, there is an opportunity to increase significantly the number of transactions and to offer the preferred product. The added processing capability, color screen, sound, etc., of the phone also enables new options not possible with tag/card today. The issuer can add a sound bite to every transaction for example. It is also a good platform to get the Americas on board with the EMV migration.

For the mobile operator, offering payment functionality will increase stickiness with its customer. It is a very powerful way to reduce churn and increase loyalty. Including payment functionality on the phone will also help facilitate the monetization of the investment made in 3G technology.

All of this is only one example of the impact of convergence of “Proximity,” not only proximity payment, with the mobile handset. One can think that SMS short code could also benefit from using RFID by enabling a “one touch” SMS short code version – instead of the numerous required key strokes today.

Nonetheless, M-Commerce was not popular in the late ‘90s for numerous reasons, including:

• complex and costly solutions;
• being pushed by technology vendors in anticipation of future demand from end-user;
• substantial investments and changes were required;
• there were no universal standards to enable large scale deployment and interoperability; and
• there was no convenient, cost-effective way to capture revenue.

The biggest barriers, however, were not technical. At the end of the day, the industry never presented a simple and convenient user experience to the consumer. Remember the two line, eight-character interface; pointing an Infrared beam on a minuscule reader; entering 15 keystrokes for a can of coke. We were far from our three-word user manual.

The key for M-Commerce success will be the development of a ubiquitous infrastructure – pretty much the same way that a Canadian mobile phone has service roaming worldwide. This ubiquitous infrastructure, when accessible from any contactless interface regardless of the type of electronic device, can only be successful through the use of global standards to allow interoperability among various providers. This must be achieved at numerous levels, all of which have seen great progress (including several International Standards) since the Dot.com era.

There are still some outstanding issues to be solved, like customer ownership, branding guidelines and other problems very specific to payment like personalization and fulfillment processes that minimize the overall risk. For the combination of proximity payment and mobile device to be successful, there needs to be something for the entire value chain. Interoperability could be the answer to “crossing the chasm” and to passing “the tipping point.”

Key success factors

To ensure adoption, simplicity and convenience of service are necessary but not sufficient. Tangible benefits need to exist for the end user. The “touch-based” service has to be easy to use, secure and private, and the user experience has to be reliable and consistent. There also needs to be a sustainable and effective business for the entire value chain of the service offering. Remember, RFID is only an enabler, so this list of key success factors is the same as most other products/services.

The RFID industry is poised to continue its growth with the implementation of more pervasive initiatives, such as embedding Near Field Communication (NFC) technology into as many consumer electronics devices as possible. RFID only provides a building block for the evolution and success of mobile commerce in the consumer marketplace. Ubiquitous infrastructure providing consumers access to multiple interfaces regardless of the electronic device or geographical location is key.

Simple and convenient service is a lifestyle choice for a broad base of consumers. The added convenience and attributes of RFID will increasingly become commoditized as “contactless” continues to be embedded in a growing number of consumer products. The strict use of RFID is not sustainable to achieve simplicity and convenience. Think in terms of killer combination as opposed to killer application. The convergence of payment with the mobile device will ultimately allow the merchant, and the issuers, to get a bit closer, and more personal, with the customer.

About the author

Pierre A. Roberge brings years of expertise and experience at the forefront of the electronic payment marketplace. He has acquired a unique perspective of how to successfully design the strategy and implementation of innovative payment solutions including e-commerce, m-commerce, mini-payment, and prepaid. Pierre was a co-founder and co-inventor of Dexit, the first open contactless cash replacement (prepaid) service in North-America. To discuss payment solutions, please contact author Pierre A. Roberge at info@paroberge.com


SESAMES awards showcase “Best of” global identity

The annual SESAMES awards are presented at the CARTES event in France at the close of each year. The nominees and winners are traditionally a strong indicator of where the identity markets are heading. In past years, winning projects and products have gone on to achieve tremendous market success. This year, three companies accounted for first place honors in eight of the 10 categories. Axalto and XIRING each walked away with three awards while Oberthur gathered two. Gemplus and MasterCard accounted for the other two first place honors.

Hardware

Axalto calls its SmartFob a convenient and “trendy” payment device that can provide the same functionality as a contactless smart card. It consists of a SIM card module and a contactless keyfob. The SmartFob concept could be used to create contactless payment or other capability in a watch, a cell phone, or any other personal object, according to the company. The SmartFob can be equipped with a switch to avoid unauthorized transactions because the antenna is separated from the chip. The miniature ‘SIM’ can be added after the keyfob production phase, in the same way that a SIM card is added to personalize a mobile phone. This allows SmartFob to be mass-produced at a much lower cost than keyfobs in which the antenna and the module are bound together. Furthermore, these miniature contactless cards can be updated as often as necessary, just like SIM cards.

IT security

Axalto and semiconductor solution provider STMicroelectronics partnered to produce the USB full speed I/O controller, winner in the IT security category. It allows end users access to a wide range of multimedia applications while benefiting from enhanced security and protection of their personal credentials. This, say the two companies, opens up new uses for smart cards in consumer electronics, such as SIM-based conditional access and digital rights management for ADSL or mobile pay-TV, digital signature, and home-networked applications.

Identification


Photo credit: APFOUCHA

In SESAMES’ identification category, Axalto’s Axseal e-passport solution took top honors. Axseal is designed to meet strict durability requirements (5 to 10 year operability) and is ICAO compliant. The Axseal reinforced module is integrated into a multilayered polymer and can be laminated. Axalto said it designed Axseal to support governments’ secure printing agencies in their migration to chip-enabled passports. Its e-cover, according to Axalto, solves the challenge of integrating the Radio Frequency (RF) interface into passport cover sheets. It also allows for mass production using existing industrial equipment.


Transport

MasterCard International’s TaiwanMoney Card won for best transport application. MasterCard’s goal was to produce a single card (with a single balance) for contactless payments in both retail and transport environments. Launched in South Taiwan last year, the card extends open retail payments into transport, rather than trying to expand a closed transport card scheme into retail payments, according to MasterCard.

“The TaiwanMoney Card, which utilizes MasterCard PayPass contactless payment technology, is the first card to combine both transportation and shopping. It can also be used as an e-purse. This allows for Southern Taiwanese to carry one card for all their needs,” said Tina Chiang, vice president, Greater China, MasterCard International.

Banking/Retail

In the best banking/finance/retail application category, Oberthur Card Systems, along with Barclays bank and BSkyB, took top honors with the SkyCard MasterCard. The world’s first MasterCard credit card to be fully integrated with interactive television, SkyCard allows secure payment and account management directly from a consumer’s home via Sky’s set top box. The Barclaycard/Oberthur Card Systems partnership provides the secure technology platform.

Mobile

Another Oberthur innovation, its GIGantIC card, is the world’s first USIM (Universal Subscriber Identification Module) card. It combines up to 256 MB of high-capacity flash memory and a high-speed protocol and won in the best mobile application category. The card enables Oberthur cell phone operators to offer more revenue-generating services through storage and secured access to multimedia content.

Software

Best software went to smart card provider Gemplus International’s Smart Server Platform .NET, which provides a compliant implementation of the .NET specification for trusted devices such as USB dongles or smart cards. It embeds standard Internet protocols so that applications can directly communicate as a peer with any networked service.

This Gemplus solution provides seamless integration of secure devices into an IT infrastructure. It includes TCP/IP connectivity, standard .NET file format without external converter, and multithreading. According to the company, its smart .NET-based platform provides a compact but compliant implementation of the ISO/ECMA335 standard which characterizes Microsoft’s dot NET environment.

Health Care

XIRING’s Secure Tele-Diagnosis was the winner of the best health care application. Developed with France Telecom and TMT, the package shows how to perform an electrocardiogram on a patient at home or elsewhere, performs a strong authentication based on the CPS professional smart card, and then transfers data to a remote medical server. Healthcare professionals use their CPS card to remotely authenticate themselves.

E-transactions

XIRING’s Xi-Ware IP, the e-transaction winner, enables smart card-based transaction systems to benefit from Internet technologies, enhancing performance while reducing operating costs. Based on the ‘thin client’ concept, the product addresses smart card projects that need a simple easy-to-deploy public infrastructure to create card service points in public areas.

Loyalty

XIRING also won in the loyalty category with Xi-LoCEx, a loyalty smart card extension. It allows for human interaction to check the content of a loyalty card (e.g. cash bonus, coupons, loyalty points) on a display and to modify personal data. The form factor is a pocket card reader with a keyboard and a display. When the user inserts his card, the Xi-LoCEx displays information or requests input from the user. Based on the SIM ToolKit worldwide standard defined in GSM specs, Xi-LoCEx acts like a mobile phone, but without the GSM communication capability.



Watch out ... EMV is coming in contactless too

Dominique Gauthier, Marketing Manager, Software and Technologies, Ingenico

This past year will remain in payment industry history as The Year It Really Started. For the first time, the banking industry took seriously a technology it had regarded with distrust. After years of successes in the transit industry, the first massive deployments of a contactless infrastructure are happening in the U.S. Some 10,000 readers and several million cards are already active in this country. Most observers agree that 2006 will see an acceleration of these deployments in the United States, with probably 20 to 50 million cards issued by the end of 2006.

This was an easy out, some critics may say, because U.S. banks chose relatively simple technology, the contactless equivalent to magnetic cards. It was cheap, quick, and without a lot of security, but online verification was there to compensate. This isn’t an option, however, in any country where banks are painfully implementing costly EMV standards, or are planning to do so.


For these, MasterCard, Visa, and American Express have devised specifications that implement the same EMV mechanisms in contactless. EMV-like transactions involve much more data traffic between the reader and the card, each requiring the other to authenticate itself.


The first experiments, done two years ago, were quite catastrophic in terms of transaction time. Luckily there has been considerable progress on both sides (cards and readers). Ingenico and MasterCard were first to demonstrate, as early as ‘04, that an offline EMV transaction could be accomplished in a fraction of a second -- not perceivably longer than a non-EMV one.

Using EMV standards, sophisticated security mechanisms can even be implemented. For example, MasterCard and Visa have developed specifications that allow offline contactless transactions until a floor limit is reached, say $30. When that limit is reached, the user is requested to insert his card in the payment terminal, which would require an online PIN-verified transaction. The transaction level would then be reset.

Many banks now realize they can have the best of both worlds: contactless offline transactions for speed and convenience and contact online transactions for PIN verification. Cards that enable both contact and contactless transactions allow banks to leverage their contact infrastructure. And adding a contactless reader to an existing terminal is quite easy if the reader is used as a transparent peripheral, getting all commands from the terminal application in the same way as the contact connector. Both contact and contactless can then be integrated in the same payment application, ensuring seamless transition from one to the other.

Demonstrations of contactless EMV payments at the recent Cartes show in Paris raised considerable interest. Several pilots are now underway. There is little doubt 2006 will be the year contactless EMV got off the ground.
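The offline-limit mechanism described above, sketched as an added example that is not from the article or from any card scheme's specification: a simplified Python model in which a running offline total is checked against the article's $30 figure and reset only by a PIN-verified online contact transaction. All class, method and field names are hypothetical, and refusing the tap that would exceed the limit is an assumed reading of "until a floor limit is reached".

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    OFFLINE_APPROVED = "contactless, approved offline"
    INSERT_CARD = "limit reached: insert card for online PIN transaction"
    ONLINE_APPROVED = "contact, approved online with PIN"
    DECLINED = "declined"


@dataclass
class CardRiskState:
    """Per-card offline counter (hypothetical model; amounts in dollars)."""
    offline_limit: Decimal = Decimal("30.00")  # the article's "say $30"
    offline_total: Decimal = Decimal("0.00")   # spent offline since last reset

    def tap(self, amount: str) -> Decision:
        """Contactless attempt: approve offline only while within the limit."""
        value = Decimal(amount)
        if value <= 0:
            raise ValueError("amount must be positive")
        if self.offline_total + value > self.offline_limit:
            # Refuse offline and leave the counter untouched, so repeated
            # small taps cannot creep past the limit.
            return Decision.INSERT_CARD
        self.offline_total += value
        return Decision.OFFLINE_APPROVED

    def insert(self, amount: str, pin_ok: bool, issuer_ok: bool) -> Decision:
        """Contact attempt: only a PIN-verified, issuer-approved one resets."""
        if Decimal(amount) <= 0:
            raise ValueError("amount must be positive")
        if not (pin_ok and issuer_ok):
            # A failed PIN or issuer decline must NOT reset the counter;
            # otherwise a found card could regain offline spending power.
            return Decision.DECLINED
        self.offline_total = Decimal("0.00")
        return Decision.ONLINE_APPROVED

    def remaining_offline(self) -> Decimal:
        """Upper bound on further unverified (no PIN, no issuer) spending."""
        return self.offline_limit - self.offline_total


# Constructed sample session: ("tap", amount) or ("insert", amount, pin, issuer)
SAMPLE_EVENTS = [
    ("tap", "12.50"),
    ("tap", "15.00"),
    ("tap", "4.00"),                   # would reach 31.50: refused offline
    ("tap", "2.50"),                   # reaches exactly 30.00: still allowed
    ("tap", "0.50"),                   # limit reached: must insert
    ("insert", "4.00", False, True),   # wrong PIN: declined, no reset
    ("tap", "0.50"),                   # still blocked
    ("insert", "4.00", True, True),    # PIN verified online: counter reset
    ("tap", "4.00"),                   # contactless works again
]


def replay(events):
    """Run a list of events against a fresh card; return decisions and state."""
    card = CardRiskState()
    decisions = []
    for event in events:
        if event[0] == "tap":
            decisions.append(card.tap(event[1]))
        else:
            decisions.append(card.insert(event[1], event[2], event[3]))
    return decisions, card


if __name__ == "__main__":
    results, final_state = replay(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, results):
        print(event, "->", decision.value)
    print("remaining offline allowance:", final_state.remaining_offline())
```

The property worth checking in any real implementation is the one the declined insert shows: the exposure of a lost card stays bounded by the limit because nothing short of a verified online transaction clears the counter.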





CR80News

Card readers from QI bring USA Today newspapers to card-carrying students on 70 campuses

USA Today, aided by a Dallas, Texas-based smart card company, is getting its newspapers into the hands of college students using the college’s own campus card program. The QI controller and USA Today machines are currently in use on at least 70 campuses.

QI Systems Inc., developer of chip-based card payment and tracking solutions, uses the campus card to control access to USA Today newspaper vending machines. Under USA Today’s Collegiate Readership Program, the papers are provided free to students at participating campuses. QI readers are used to verify that a valid student ID card is accessing the machines, said Rick Murray, QI’s senior vice president and general manager, from his Vancouver, Canada office. The company calls it a “low-power hybrid card reader and newspaper-box controller system.”

“USA Today enters into a contract with universities for a subscription at a deeply-discounted rate to provide the newspapers to students,” said Mr. Murray.

According to USA Today, Penn State University president Graham Spanier created the program in 1997 “as a way to ensure that his students were exposed to the world beyond the bricks and mortar of the campus. The program’s success at Penn State...has since served as a model that is now replicated” at universities around the U.S.

QI supplies the controller that can read magnetic stripe or chip cards. “It can read tracks 1, 2 or 3,” said Mr. Murray. QI first developed the concept for USA Today’s vending machines, said Mr. Murray, but “we’re also open to providing this function to other newspapers ... (via) the same machine.”

“Back in 1996 during the Olympics, Visa started a stored value card program and we did a program with USA Today to accept (Visa) cards for payment,” he added. The QI controllers were installed in USA Today newspaper machines at MARTA transit stations throughout metropolitan Atlanta. “A while later, USA Today developed a collegiate relationship and asked if we could provide the hardware. We agreed.”

QI got its start in the smart card industry by developing smart card payment systems, said Mr. Murray. “We started out promoting to the banking community the stored value concept. We set ourselves the challenge of making our equipment reasonably simple to retrofit. However, the banking community didn’t proceed with the deployment of stored value chip cards, so we became experts in an obsolete art.”

The controller developed by QI will accept standard ISO 7816 cards, he said. “We also make payment terminals for unattended devices, such as vending machines, the USA Today machines, as well as payment terminals for parking.



Texas campus capitalizes on the flexibility of NuVision’s One Card system

For nine years, Texas A&M International University (TAMIU) had, in the words of its ID administrator, “just plain ID cards used for identification and library checkout of materials” and nothing more. A year ago, the small school located in Laredo, Texas on the Mexican border, switched to NuVision Networks’ One Card and hasn’t looked back.

“When we made the move, NuVision (Napa, Calif.) came in and had the whole process working in a week,” said Albert Chavez, the university’s ID system administrator. “Then we started with re-carding everyone. It was a pretty smooth transition from the plain cards we had before to a new card with more features that help make the student’s campus life easier.”

Issuing the cards is easy, which is why re-carding went smoothly. “NuVision has its own video imaging software. We take a picture of the student and print out the card,” he said. With NuVision-issued wireless readers (which also contain a camera) college staff can attend freshman orientation, take pictures and have the ID cards to the students the same day, he added.

The same wireless readers function as activity readers. “They’ll show if a card holder (i.e. a current registered student) is eligible to attend an event,” said Mr. Chavez.

TAMIU bills itself as being located at the “Gateway to Mexico,” actually the border town of Laredo. At its creation 35 years ago, it was called Texas A&I University at Laredo and was originally designed to meet the demand for teachers and provide business courses. It was considered an upper-level school, which means it only offered junior and senior courses. After a couple of name changes, which included joining the Texas A&M University System, it finally became TAMIU in 1993. Two years later, the university became a four-year school and was authorized by the state’s Legislature to develop joint degree programs with Mexican and Canadian institutions. In 2004, the school offered its first doctoral level program, a doctorate in international business. It currently has a student population of about 4,500. Although the college has dorms, a majority of the students are commuters.

TAMIU selects NuVision

As Mr. Chavez explains it, after nine years, the school had outgrown its “plain ID cards” and decided to look into one-card programs that other schools were using.

“We evaluated the major one card vendors,” said Mr. Chavez. “What made us go with NuVision was their use of the latest technology and their customization feature. Besides having your base software, they can customize it to meet our school’s needs,” he said. “We also felt it was a more secure system.”

NuVision President William Adoff, a former computer science professor, agrees that security is one of the company’s strong points, particularly since it’s online-based. “We have the only One Card System that uses AES 256-bit encryption along with Packet-Lok, which makes us the most secure system in existence. This high security extends to all NVN components including wireless, and even vending readers.”

As to NVN’s customization aspect: “One of our theories is that a school should never have to change its business model to meet our needs. It is our requirement to make any modifications to our processes to meet a college’s business model. It’s just the way it has to be.”

The TAMIU card is a standard mag stripe with the student’s picture, name, and classification. The card also has debit card capabilities for on-campus use. “Students can put money on the card at our business office, but we also have automated cash to card stations around campus,” said Mr. Chavez. “Students can add funds to pay for goods and services on campus, such as in the foodservice area, the book store and copy center.” Beginning next semester, students or their parents will be able to reload their cards or check their balances via the web, Mr. Chavez said.

Flexibility is key for the TAMIU card office

But Mr. Chavez is happiest with the system’s flexibility. “We’ve been very satisfied with the card system, especially with the customization aspect. We actually developed an equipment checkout application and use that at our recreation center,” added Mr. Chavez. “The attendant swipes the student’s card and looks at a listing of equipment that’s available that can be issued to the card holder.”

The card also tracks a student’s meal plan. “Our students staying in housing on campus (about 400 of them) all have meal plans (for a specific number of meals per semester) on their card,” said Mr. Chavez.

Another indication of NuVision’s flexibility is the ability of its system to connect with third-party vendors. For example, the electronic door access system for the dorms is through Compass Technology. “You create a cardholder on the NuVision system and it’s transferred over to Compass,” said Mr. Chavez. “NuVision can interface with other vendors (as well).”

The TAMIU card is also accepted by the college’s copiers, and a vending capability for snack machines or washing machines may be added on later, said Mr. Chavez.

Customized functionality for campus offices ...

“One application NuVision developed for us is a sign-in program,” he added. “When a student goes to the career services office, his card is swiped, the attendant can pull up the student’s information and can check off the reason the student came into the office. This is a great way to document utilization of this office and in preparing reports for the university.”

Along the same line, the college will soon be introducing a NuVision-developed application that will track the university’s tutoring sessions. “We can track when the student came in, what he’s being tutored on and which tutor was assigned. This will also help at the end of the semester to see if we need more tutors in say, math,” said Mr. Chavez.

NVN recently introduced a similar system at Paine College in Augusta, Ga. The college’s Tutorial and Enrichment Center is required to maintain detailed records of usage to meet Title III grant requirements. NVN modified some of its software to accommodate the college’s needs. Now, users can simply scan their cards in a computer, choose the faculty member, course, and tutor and click a sign-in button. To sign out, the cardholder simply swipes his or her card again and presses the sign-out button.

NVN’s One Card system began over 20 years ago as AMECS (access monitoring eligibility and control system) and when it became internet-capable, it became iAMECS. Now NVN has iAMECS Advanced that is “our advance system that includes a pure one card system with complete campus-wide integration,” said Mr. Adoff. It handles meal plans and activities, can integrate with a university’s other departments, such as accounting, and, as already noted, can be used for access control through NVN’s partnership with Compass. “In a nutshell, any service that a college provides should be able to be controlled with a One Card,” he added.


On-campus bank branches from the bank’s perspective

Among the biggest questions surrounding campus card bank partnerships is whether or not to locate a branch on the campus. Of course, a branch can certainly foster a closer relationship between the bank and the future depositors (students, faculty, and staff) but it can be a significant investment for both the bank and campus. So just how is the decision made?

Certainly the student population is a major consideration. Are there enough students to warrant the upfront and ongoing expense of operating the branch? While many in the market have quietly suggested that a 10,000-student population is a range where the branch becomes feasible, most agree there is no magic number.

“Each campus has to be looked at individually,” said Whitney Bright, vice president, Campus Banking, for U.S. Bank. While she calls 10,000 the “soft number” used for feasibility, she quickly points out that they have branches on campuses with smaller populations such as the 6,000-student Xavier University. “It depends on what type of exclusivity you have on campus,” she adds, suggesting that the mix of ATM ownership, card program partnership, and branch location is key. “If we have all the ATMs and a branch, then we’d have a higher level of success, (when compared to a situation where) two or three banks have ATMs on campus.”

In addition to the campus population and the level of exclusivity provided to the bank, another key factor is the revenue share between the campus and the bank. Because the creation of the branch requires significant cash outlay (e.g. setup, vault installation, security) and the operation entails a continued cost (e.g. rent, utilities, staffing) the economics of the relationship must be weighed. A campus that desires a branch may need to forgo some of its revenue share to get the bank partner to agree.


Trends in on-campus branches

Many campus administrators dismiss the idea of a branch because of the common problem of space constraints. But on-campus branches need not look like the traditional bank branch found in the community. Full-service branches can fit in very tight spaces. The most important thing is the quality of the location for student access ... the size is secondary. Though she stresses that 500 square feet is ideal, Ms. Bright says that U.S. Bank operates branches in as little as 125 square feet. “Our Northwestern branch is only 157 square feet (and it is) the most heavily-trafficked branch in the Chicago area.”

Another alternative to a full-service branch is the bank service center. These locations do not offer all of the functions of the branch but they can be a cost effective option when a branch is not feasible. Typically, service centers do not contain a vault and cannot accept deposits but they are staffed and enable face-to-face account establishment, assistance, education, and marketing. And by locating a full service ATM in the service center, bank staff can help students to make deposits at the ATM, in essence, circumventing the “no deposits” situation. According to Ms. Bright, a service center can be operated by one person rather than the five to six employees at a traditional branch and can cost as much as 70% less to operate.

Another trend is to encourage use of the campus branch by members of the community. This can help cost justify the expense for the bank and bring peripheral benefits to the campus such as strengthening town-gown ties and exposing the community to other services offered by the institution.

A myriad of factors influence the decision

As you can see, there is no single factor that answers the ‘branch or no branch’ question. There is a matrix of contributors that must be weighed in tandem. But when student population, service exclusivity, revenue shares, space availability, service needs, and the host of other items are evaluated in a realistic manner, the right decision is likely to emerge. If that is an on-campus branch, your program and your students are sure to benefit. If it does not end with a branch, however, an extremely effective and beneficial bank partnership can still be developed ... it just requires a different approach.


Campus cards: Not just ID cards anymore

Bruce Lane, Executive VP and COO, The CBORD Group, Inc.

We are graduating! I think that seems like the growing theme enveloping the campus card world. No more are we just a head counting tool or a glorified calculator for figuring out how much more a student has to spend. Campus card systems are taking their rightful place as true mission-critical, enterprise systems, rather than part of some other, “more important” campus system. The next few years will see many of the following trends become fact:

• Our systems are asked to do more, be more flexible, and drive more revenue for campus auxiliaries. We are asked to provide solutions to long running town/gown controversies that have the effect of increasing campus revenues while still maintaining the “in loco parentis” coverage of old.

• Our campuses are no longer shielded from crime and violence and we are called upon to provide integrated, state-of-the-art access control and integrated electronic surveillance and security. We need to provide computer tools not only to help match roommates and manage the growing stock of more sophisticated housing facilities, but our systems must, in an integrated fashion, track student conduct and provide the feedback loop of Clery Act reporting so prospective students and parents can view crime-on-campus statistics. This takes the form of judicial tracking software, biometrics, CCTV and Digital Video.

• The business of running a campus has never been more complex. An increasing number of auxiliaries and student life managers are joining financial managers … serving first in private industry before coming to academia. They seek the same sorts of system tools to make it all happen in ways that stand up to a rigorous audit and that work hand-in-glove with other university IT systems.

• At the same time, the marketing imperatives of the modern college world dictate that, to attract and retain the best students, a school must offer campus card capabilities that make it easy to attract deposits and spend more money on campus. Loyalty programs and discount services to students, attached to that singular piece of college identity (the ID card), are not only the way to increase on-campus spending, but increasingly are seen as a real key to keeping a relationship with the student as he or she transitions into that lucrative alumnus status.

What that portends for campus card system providers is a boatload of challenges for the future. There is almost unlimited opportunity that comes from the outpouring of great ideas and needs from this new wave of university managers.

Diverging card printer market benefits entry-level and high-end buyers

Joe Wright, Marketing Director, Fargo Electronics

In 2006, we will see a continued divergence in the ID card printer industry. Growth in entry-level, price-driven ID card systems for small companies, K-12 schools, health clubs and loyalty applications has been fueled by the Internet and its convenience in researching and purchasing products. By unofficial count, there are more than 20 card printer manufacturers worldwide, the majority of which are focused on entry-level products. This amount of competition at the manufacturer level can lend itself to price concessions. For customers, this means lower prices, but potentially less service in integrating and maintaining a custom solution.

As card functionality, ease of use, and basic security increase at the entry level through new technologies, organizations without current card programs may enter the market. And those integrators whose business models can handle high-volume, short-margin sales (such as those via the Internet) will find steady revenues.

High-security, multi-function applications, like those in large corporations or government agencies, will continue to demand more complex solutions. Initiatives like the Homeland Security Presidential Directive 12 (HSPD-12), which mandates a standard ID card for all federal employees and vendors, will logically grow the demand for high-security systems at the federal level. But its impact will reach farther than that. As the implementation of HSPD-12 continues, its potential as the default standard for non-federal applications at state and local agencies and corporations is high.

Card printer/encoders are just part of a high-security card identity system. There is a growing realization among security managers that even a minor glitch in the issuance of an ID card can be the chink in the armor that allows a devastating security breach. If a card contains a multitude of complex security features, but the process to issue it doesn’t include safeguards, the integrity of the credential is lost.

Having card printers on a network can complicate the security equation. Preventing unauthorized ID card issuance poses a major security challenge when badging stations are scattered throughout a building or campus. As more printers are networked, the need for products to secure that niche will grow. Fargo has begun to identify and address these vulnerabilities with its SecureMark technology, the basis of its next-generation printer/encoders, software, systems and materials. As the card-related niche of the security market continues to grow, look for more advanced-technology products that help protect all aspects of the card production process.


Guiding your transaction system with strategic planning

Tom Bell, VP, Commerce Industry Relations, Blackboard

At a recent seminar, campus executives were asked how they planned their card system and if their plan was strategic. All referred to the planning as “detailed;” and said it involved partner research, equipment evaluation, software testing and a variety of other important steps. As much as they wanted it to be, however, none considered it strategic, let alone ongoing.

I think we may all have known that feeling. Planning is often detailed but rarely strategic. In fact, many campus transaction systems result from reactionary decisions. These reactions are driven by immediate needs, such as updating point-of-sale equipment, adding access control or controlling some kind of campus crisis.

Scheme, Scope and Scale

A transaction project, like any enterprise system, should not end with deployment. In fact, that may just be the beginning. As campuses tend to discover, innovative ideas and applications will bubble up the longer the system operates on campus and as more departments become familiar with its capabilities. Ideally, a rolling three to five-year plan should blend system objectives with a campus’s mission and strategic plans. That may be ambitious given the challenges of a modern university environment; still, an ongoing process that tackles both current challenges and long term direction will go a long way toward increasing the value of your investment.

Imagine any of the following situations. (If your campus is typical, it won’t be difficult.)

• The Student Services Division needs to provide secure access to residential facilities.
• Finance and Administration want to see better control in contract administration and cash handling procedures.
• Athletics must be certain that only currently registered students are using facilities.
• Student Government wants more students voting in campus elections.
• Clubs want the ability to sell tickets to events.
• The Alumni Association needs additional channels to promote Homecoming and generate contributions.
• The Art Department wants to sell clay to students in Ceramics 101 classes.

Any or all of these can be the starting point, a milestone or distant outlier for a strategic planning effort. Even in its most limited implementations, the transaction system will touch almost every department and division of the university in some way, and very often the surrounding community as well. For that reason, it is essential that campus decision-makers recognize that transaction system planning is an institution-wide project, not a departmental one.

Teams Make The Difference

How well your transaction system strategy is aligned with the mission and strategies of the university may do more to determine its return-on-investment than almost anything else. These systems must be capable of adapting, integrating, and expanding as mission, strategies and constituencies change, so maintaining that alignment should be an ongoing process. Trying to deal with those situations listed above individually, as each arises, under short deadlines and shrinking budgets is a prescription for “sub-optimizing” (at least!). Unfortunately, this is where many campuses find themselves when they fail to look at the larger and long-term picture.

A better solution is to create planning committees from representative campus groups. These groups should set objectives based upon the larger organizational vision, and they should provide direction to a campus implementation task force, whose job it is to keep the project on schedule.

Very important: Comprehensive education should be provided to everyone on these teams so that old and outdated technology doesn’t contaminate the final product. Once implemented, a transaction solution will present a new way of doing business and a new method for providing services to the university community. Forming cross-campus strategy teams will help ensure that key decisions satisfy and will be embraced by all (or at least most) constituencies. For example, one important consideration will be how to access the systems—card, PDA, website or a combination. You’ll want to find the right fit for everyone, both for today and tomorrow. The end result is a true Networked Transaction Environment where all members of the campus community are able to access information, services and facilities using a single account.

The Game Plan: X’s And O’s

What should be covered in a strategic plan? Among other specific considerations it should:

• express a clear understanding of how the transaction system will support the core mission of the university.
• reflect substantial thought about integration with existing and future campus systems such as library systems, student information system, print management, etc.
• identify paths toward reducing operational costs and enhancing revenue generation.
• recognize groups and areas that will benefit significantly from greater convenience, ease of use, maintenance capabilities or financial accountability.
• define ways to leverage business partnerships.
• reflect risk management, property protection and human safety goals, particularly those that can be furthered by improvements to access control systems.
• explore opportunities to eliminate boundaries. The transaction system should be capable of being used on and off campus, wired or wireless, from the web and through other campus systems.

In addition to aligning with the university’s mission, systems planning must be consistent with—if not driven by—campus-wide operational plans and strategies, at least for near- and mid-term objectives. For example, business goals for a given year might call for improvements in efficiency. Technology will certainly play a key role in any such effort, therefore aspects of the transaction system plan might focus on issues such as its use as a systems integration platform, automating reporting or speeding services.

The Ongoing Value of Strategic Planning

The transaction system is a unifying platform for so much campus activity that in perhaps no other area will ongoing planning provide greater returns. As users experience the advantages of the transaction system, campuses that have made the change see new ideas rising up from across campus. This change will happen gradually, but it will happen, and that’s exactly the kind of situation that can benefit most from good strategic planning.



Identity management and convergence define new world of physical security

Chris Corum, Executive Editor, AVISIAN Publications

In 2006 a great new feature section will appear in the AVISIAN suite of ID technology publications. Our new Physical Security Corner will explore key issues related to the changing security landscape. Physical security is no longer a standalone “silo” within an organization ... it is a vibrant, essential component with enterprise-wide implications.

Key themes running through this recurring feature article will be identity and convergence. That is because these are among the most significant defining features of the modern security landscape. Thus it seems fitting that we explore these two concepts for this inaugural installment of our Physical Security Corner.

Identity and physical security ...


The concept of physical security assumes adequate identity management, but unfortunately this has not been the case. To explain this idea, an understanding of the identity management process is necessary. Identity management can be thought of as a set of processes used to identify an individual within an organization and grant access to a defined set of privileges based on that individual’s unique status.

Certainly from the traditional concept of physical security, identity management seemed obvious ... we create a badge and the badge holder swipes or presents it to a card reader and is granted or denied access. True, this is a form of identity management, but is it “adequate identity management”? Most agree it is not. There are far too many weak points in the chain. Was the individual’s identity vetted prior to badge issuance? Was authentication conducted at the reader to ensure that the badge’s user is the person it was issued to? Is an effective system in place to revoke access rights for former users, lost cards, etc.? Questions such as these indicate why adequate identity management must be a fundamental component of any security system.

Though identity management has become a cross-industry buzzword and countless definitions are kicked about, key concepts or steps are common. Identity management consists of:

Verification

“Verification,” according to the OpenGroup, a standards and interoperability-focused consortium, “is the process of establishing identity prior to the creation of an account that can later be used as an assertion of identity.” It is the background check that ensures that the individual you are about to enroll in the system or provide a credential to access the system is indeed the person they claim to be. Verification can be lenient (e.g. “I am John Doe because I say I am”) or strict (e.g. fingerprint checks, interviews with past associates). The first requirements of HSPD-12, the new U.S. government mandate for standardized secure credentials across agencies, focus on verification of new and existing employees through extensive background checks. Interestingly, a source tells us that a number of existing employees using fake identities have already been uncovered via the process.

Authentication

The OpenGroup defines authentication as “the process of gaining confidence in a claimed identity.” It is the means by which the person claiming to be “John Doe” is tested to determine that he is indeed “John Doe.” In traditional security architectures, authentication was limited to visual checks of the credential by a guard (e.g. flash pass) or simple possession and presentment to a reader of the issued credential. In modern identity systems, multi-factor authentication (possession of the credential combined with some combination of passwords and biometrics) is desired. Validation of the credential’s authenticity is also key.

Revocation

The other core step in the management process is the revocation of issued credentials and the subsequent notification of that revocation to impacted systems. Obviously, the days of former employees possessing still-valid credentials are past. Immediate revocation must be enabled to avoid potentially disastrous security breaches. In addition to this obvious need for revocation, many systems are purposefully revoking or suspending privileges of valid identities as a means to cyclically return to the first phase of the identity management process, Verification. In so doing, the individual is subject to some form of re-verification, such as an updated check of criminal history files or suspected terrorist lists.

While there are many other important aspects to identity management – trust, provisioning, federation – these three cornerstones form the core of the concept. These and other concepts will underlie many of the future discussions in this Physical Security Corner.

Convergence and physical security ...

As the importance of identity management was being recognized, so too was the concept that a single individual has many identities within and across an organization. At the core, many individuals have both physical access and logical (or network/data) access needs. Converging aspects of the identity management for physical and logical security affords great benefits in terms of user convenience, process redundancy, and enterprise-wide security.

The melding of the verification, authentication, and revocation processes for physical and logical security has become a major goal and challenge of modern organizations. Previously separate management and organizational structures (e.g. facilities and IT) are striving (sometimes struggling) to share this common ground.

Looking ahead to 2006 ...

With these fundamental concepts in hand, we will move forward throughout the next year in our exploration of this new world of physical security. We will investigate core concepts of security systems, delve into specific issues such as maintaining databases for converging systems, and keep a constant eye on the impacts that initiatives such as HSPD-12 and global standardization efforts may have on your organizations.

The editorial team at AVISIAN Publishing would like to thank security leader, Lenel Systems International, for the sponsorship that will enable us to bring you this dedicated feature throughout the New Year. Stay tuned.



RFID’s new Gen 2 reads quicker, communicates better

Marisa Torrieri, Contributing Editor, AVISIAN Publishing

In this first-ever installment of the RFIDNews Gen2 Corner, we investigate the benefits Gen 2 offers over its predecessor. In the future, this recurring corner will delve into features and concepts such as Q-Algorithm, Persistence, and Dense Reader Mode as well as applications, products, and more. Stay tuned...

Like many technologies, the promise of RFID seemed to be more pipe dream than reality. For years, challenges such as frequent interference and missed reads happened so often that the technology destined to follow barcodes hadn’t measured up to the hype.

But in 2006 that’s going to change, say both industry experts and manufacturers of RFID products. Thanks to some of the new readers, tags, chips and antennas entering the market, the next generation of the technology is vastly superior. This might be the year RFID fulfills the promises of greater accuracy, faster speed and improved operations in warehouses and across supply chains.

“Generation 2 works much better than Generation 1,” says Marlin Mickle, the director of the RFID Center of Excellence at the University of Pittsburgh. Mickle, who doubles as a professor at the university, heads a team of researchers and testers who work with RFID product developers who want to improve a product’s characteristics (i.e., a reader’s ability to pick up a tag in a difficult environment). “The protocol, the exchange between reader and tag is better, and they have error correcting codes, which makes them easier to verify from the reader’s standpoint.”

But whenever a good thing comes along, so do a host of manufacturers with a host of new products – and tech stalwarts from Symbol to Alien Technology to Intermec are peddling Gen 2 product suites. While using the same Gen 2 specification, every RFID product on the market boasts different advantages.

“By the end of 2006, nearly everybody will be using Gen 2,” says Alan Melling, director of business development at Symbol, which manufactures RFID readers, antennas and tags.

What makes the Gen 2 RFID different

“One of the drivers behind Gen 2 is to get everybody to produce the same things,” says Melling. Unlike the first RFID generation, for which two standards (Class 0 and Class 1) existed, Generation 2 is one standard, or “flavor,” he says.

On Dec. 14, 2004, the EPCglobal Generation 2 RFID standard, with input from more than 60 companies, was ratified and approved by the EPC Global Committee, the not-for-profit standards organization representing the supply chain industry. Since then, manufacturers have brewed up a suite of products based on that specification.

The good news is that Gen 2 RFID technology is a huge improvement in many ways, offering a better read range and performance in crowded environments, for starters. This is in part because of the physical interface. With Generation 1 RFID, there were some problems with read accuracy. With Gen 2 the encoding in the bits that identify tags has changed, enabling devices to more accurately read the tag.

Another advantage, from the business side, is data storage. The first generation had either 64 or 96 bits of information; Gen 2 RFID starts at 96 bits, says a spokesman from EPCglobal.


Because Gen 2 can store additional bits of data, more information about each product can be made available – a reader picks up more complete information about a tagged container, including the differences between items, containers, and pallets, Mickle says. According to Intermec’s white paper, Will Your EPC Gen2 System be up to Standard?, Gen 2 does not specify a minimum speed as this depends on factors such as power output, tag density, and more. The white paper notes, however, that: “Gen 2 technical specs should enable readers to perform more than 1,500 tag readings per minute in North America and 600 reads per minute in Europe, which has more power and bandwidth restrictions. These speeds support the ability to identify objects on conveyor belts moving 650 feet per minute, and those being carried by forklifts that pass through reader portals at eight miles per hour. The write rate, which is highly dependent on the amount of data written, is about 10 tags per second and is fairly consistent worldwide.”

Bombarded by product pitches? Take a step back to the basics


Before you begin testing different products on the market, Mickle suggests asking yourself some basic questions. How are you going to use the RFID products? In what environment will they be used? Will they be used in an open space, such as a warehouse, or an environment with a lot of metal in it? What’s the maximum distance the reader needs to read? And think big, recommends Melling, explaining that companies simply looking to comply with a mass-market retailer’s mandate (such as Wal-Mart’s) often overlook the advantages of the technology. Unlike bar codes, RFID can provide access to data you never had prior, such as the fact that a product is sitting on the wrong shelf - not being sold - for a long period of time. “Companies that only focus on compliance only read the tag as it is leaving their shipping dock,” says Melling. “By applying and reading the same tag earlier, they could use RFID to improve their own internal processes at minimal incremental cost.”


Boeing takes RFID to 100 degrees below zero

Sensitive sealants are monitored to prevent spoilage

Victoria Forlini, Contributing Editor, RFID News and RFID Operations

Dipping RFID tags in liquid nitrogen may not be standard operating procedure for most projects, but Boeing IDS believes a sub-zero experiment may help reduce spoilage and track containers in their plant here.

Supply chain manager Steve Georgevitch and his team have been monitoring individually tagged cylinders of frozen sealant for six to eight months. The aerospace sealant is used so pieces of metal don’t rub together causing critical problems during flight. Though kept at low temperatures for increased stability, the sealant needs to be used in a timely manner or spoilage, and loss of investment, will occur. He estimates the current spoilage rate at about 10 percent.

Monitoring the hundreds of 4- to 8-ounce plastic tubes of sealant is a bit more complex than just counting them: They sit in -100 degree F freezers. Each container in the experiment has a Class 0 passive UHF 915 MHz RFID tag attached; the reader is also in the freezer. The information received from the tags will be monitored in a database. The workers will have a better idea of how to get inventory out the door, and see which containers have been sitting in the freezer longest, an important factor when the substance’s shelf-life is just 60 days. Boeing will also be able to track the containers within approximately 50 freezers throughout the facility.

Understanding the scope of a project and getting it under way in a timely manner may be as important as having all the technology and equipment available for an RFID implementation, says Georgevitch. “Some projects take on a life of their own and never reach a point of completion.”

Boeing began using RFID in 1999. The St. Louis facility started with RFID about three years ago.


RFID-equipped wristbands improve prison safety

Precision Dynamics offers its leading ‘Clincher’ band with passive tag

Precision Dynamics is using passive RFID wristbands to track jailhouse prisoners. Right now, the company is in local jails, but state prisons are next.

“We currently have three facilities (jails) up and running,” said Tom Foster, RFID patron management specialist for Precision Dynamics. “We also have a dozen water parks up and running so you don’t have to carry a wallet,” he said of the company’s RFID Clincher wristband.

Because Clincher uses passive RFID tags, the cost per inmate at county jails is extremely low, about $1.50 to $2, said Victor LaRosa, PDC’s age/ID manager for patron management. “Our cost to entry is a lot less than if you were using active tags.”

“Correction officers are strapped to the hilt and governments don’t have a half million dollars to implement this,” added Mr. Foster of active RFID technology. “We can get them up and running for $10,000.” He believes that using active RFID technology to track prisoners “is overkill.”

PDC’s RFID wristbands contain a microchip and antenna, which allow information to be written to and retrieved by RFID scanners. The wristbands can also be indexed to instantly retrieve and verify each inmate’s photo and ID information from a facility database.

Some of the advantages of the wristband, as touted by PDC, include:

• Identification data is electronically detected when an inmate scans through portals with RFID readers attached, facilitating contact-free identification and tracking throughout the facility.
• Positive verification is achieved through a link to an inmate’s photo/ID database, which helps detect band tampering and helps prevent erroneous releases.
• Wristbands can be configured to debit inmates’ accounts each time a purchase is made through the commissary.
• The Clincher Smart Band enhances correctional facilities’ overall inmate safety and security.
• It protects guards and administrators from costly litigation.

“Administrators as well as corrections officers,” said Mr. Foster, “agree our Smart Band technology safeguards their facilities against inmate litigation due to the time and attendance functions that are built into the RFID Smart Band. We have the ability to track every action within the facility, from inmate medication dispensing to the correction officers’ cell tours.”

The company has been attending trade shows dealing with corrections for the past three years, he said. “The first year no one knew what RFID stood for.” He said the corrections market alone “represents about a billion and a half dollar opportunity.”

While the company’s wristbands are currently in county jails, “there’s a lot of talk about expanding into (state) prison systems,” said Mr. Foster.

PDC has had “a lock on inmate identification bands for decades,” he said. The Clincher product alone has been around for 10 years. “With RFID coming into play in the last couple of years, we found it (jails) to be a great niche market for our existing Clincher band,” said Mr. Foster.

The wristband used in county jails is a heavy-duty band that is virtually indestructible. Mr. Foster would not reveal the material used in the band’s construction. “It’s very robust, you can’t cut it,” he added.

The wristband’s primary jailhouse use is to track time and attendance for inmates and guards, said Mr. LaRosa.

(See Prison Safety, page 65)


RFID and handhelds increase amusement ride safety

Marisa Torrieri, Contributing Editor, AVISIAN Publishing

The arrival of spring brings warmer weather and, in many states, the beginning of another season for amusement parks and carnivals. Until now, the latter has also meant a roller coaster of paperwork for state safety inspectors.

Nationally, about 3,000 people are injured on mobile amusement park rides, according to the U.S. Consumer Product Safety Commission. But the most tragic and widely publicized incidents (fewer than five die every year) are leading to new regulations that hold states accountable. This February, a bill calling for stricter safety inspections—“Greyson’s Law”—was introduced in Ohio. The bill is named after eight-year-old Greyson Yoe, who died last year, a month after he was shocked from an improperly grounded bumper-car ride.

But Indiana Building Commissioner Bill Franklin didn’t need tragedy to know it was time to change his state’s antiquated, pencil-and-paper inspection system. Indiana is the first state to adopt RFID technology as an application for fixed and mobile amusement parks. By summer 2006, all 1,700 rides in the state will have 13.56 MHz tags, and building inspectors will be able to use RF readers to retrieve safety reports on every machine—a process that used to take hours.

With most of its rides tagged now, Indiana is already reaping the benefits of RFID. Inspectors say the technology is making data easier to retrieve. They are now able to devote more manpower to inspecting machines that have shown signs of trouble in the past, and making sure problems have been corrected.

Indiana’s deployment is so successful that other states now have plans to adopt the technology, including Massachusetts, Ohio, Kentucky and Illinois, says Raphael Feldman, the developer of the RFID application specifically for Indiana and CEO of Pro Squared, a subsidiary of The Project Group in Houston.

Carnivals transition from logs to tags

Mobile rides are the most likely to cause problems. “In order to come into the state, the state inspector has to inspect every ride,” Feldman says. “Every time you move, you have to do that all over again.”

A ride must meet a long list of requirements before it is in the clear, so inspection is a tedious process. Not only must inspectors check the nuts, bolts and electrical circuits, but they must also fill out a ton of paperwork. In addition, they must compare their findings with previous inspection reports to make sure earlier problems have been fixed.

“The person who does the first inspection on the amusement ride generally is not the person who does the second inspection, so the issue was, how do you get the information to the second person?” Franklin says. “Without that information readily available, you have to mail that paperwork to the inspector.” This process may take several days and delay rides from opening, Franklin adds.

All of the hand-me-down reports only make it easier for something to go awry, Feldman says. If there is any missing information (for example, an inspector doesn’t get a safety report from the previous week in time, or the old report doesn’t note that a mechanical problem has not yet been fixed), mistakes are more likely to occur. Now, because the information resides on the ride, it is transferred inspector-to-inspector, city-to-city.

“One of the big issues we had was, how did that new inspector get the report of what the first inspector found? Now that information resides on the chip,” Franklin says.

Evolution of the system

Pro Squared has installed tags on all rides that pass through Indiana. The state financed the initiative with federal and state grants, but most of the money came from the State Emergency Management Agency. Each tag costs $5 (though in larger quantities the price is likely to be lower), and every inspector working with the system uses a $5,000 kit that allows him or her to read the tag and transmit information. Kits include Bluetooth antenna readers, Bluetooth-enabled printers, iPAQ Bluetooth PDA readers, iPAQ accessories and 1.3 megapixel digital cameras (so inspectors can take photos of violations).

Pro Squared also charges the state a $25,000 one-time license fee for the iPAQ server, which includes patented software and database applications, and a $1,250 one-time usage fee for every inspector’s iPAQ. Pro Squared installed the software and the tags (manufactured by Gemplus, which has since spun off its tag manufacturing division to TAGSYS). For the Indiana installation, Pro Squared partnered with Northern Apex, an Indiana firm with expertise in hardware, which, because of its location, is better able to assist the state with any problems.

This summer will be the first time all 13 state inspectors will be brought up to speed. The new process, Feldman says, will work like this: “The inspector inspects the ride, looking at wires, rotation specifications or whatever the ride’s parameters are, then enters that information into the iPAQ PDA by simply hitting the ‘write to tag’ button. He or she does this with all the rides in one carnival, and completes the report in a few keystrokes. That information resides within the tags on the rides, so when the next inspector retrieves it, problems and violations are spotted immediately.”

At first, the system had a few glitches: Some of the tethered hardware connections wore down after being plugged in and taken out. But with wireless Bluetooth most of these problems disappeared.

Based on the project’s success, Franklin is hoping to install RFID tags on more than 17,000 elevators. But that won’t happen until funding is allocated by the legislature.

With a summer of rides about to go into full swing, the biggest thing Franklin’s staff is feeling right now is relief. “If you’re an inspector, you don’t have to find all that paperwork,” he says. “You don’t know how big a deal that is.”

Prison safety ... continued from page 63

At a Clincher-equipped jail, correction officers are issued an RFID badge and inmates the wristband that contains an RFID chip. “The correction officer’s badge is read, and time and date stamped, when he comes on duty. The officer reads each inmate’s wrist band while he’s in the cell. Then, he can hot synch his reader to a reporting structure which is custom tailored to each facility’s need. But you have the capability to drill down by location,” said Mr. LaRosa.

If the jail wants to see what an inmate did that day and where he was, or which correction officers he came in contact with, that data is available. After the inmate’s badge is read (there’s a three-inch read range using a handheld reader), the guard can then input activity codes — whether the inmate was sleeping, was he belligerent, etc. “It is all updated in real time,” said Mr. LaRosa.

One of the beauties of the PDC system is that the officer does “have eyeball to eyeball contact with each inmate. That reduces litigation,” explained Mr. Foster. “If there’s something wrong with the band, you’d know it when you tried to read it.” When the band is scanned, the inmate’s picture pops up. “That also prevents releasing the wrong inmate,” said Mr. LaRosa.

He said the jail could install gate readers through which all the inmates have to pass at some point during the day, such as at the cafeteria. “If 100 went in and only 99 came out, then you’d know immediately to look for that other inmate,” said Mr. Foster.

As for the location tags, they can be posted in each individual cell or outside each pod. “Typically,” said Mr. Foster, “they want the location tags outside each cell.” Tags can also be installed in the infirmary. The guard scans the tag where he’s at, then he scans the inmate. If the inmate has been given permission to go to the infirmary, “you can set up an alert device, giving the inmate say five minutes to reach his destination. If he doesn’t make it then, an email alert goes out that tells the facility the inmate didn’t make it to the infirmary,” explained Mr. LaRosa. “You can even have a reader open the door. There are different ways you can force them to interact with the reader.”

The company sells more than a half billion wristbands each year. “We’ve had the patent since 2000,” said Mr. LaRosa. “We sat on it for a couple of years until about two years ago when the first RFID Clincher rolled out.”


Secure ID in concert with RFID ...

Combining technologies to revolutionize transport

Gordon Hannah, Managing Director, Public Sector Security and Identity Management Group, BearingPoint

Secure personal identification combined with the tracking capabilities of RFID will soon transform secure shipping and cargo transport. Through the use of secure and speedy authentication, organizations can add extra layers of security that add end-user authentication to RFID-enabled asset tracking implementations.

Coupling cargo tracked with RFID and the capabilities of a secure biometric credential will mean that all cargo and all personnel are accounted for and linked together in real time. Administrators will know the last authorized handler of each piece of cargo, where the cargo is in real time, detect deviations en route, and be assured that only those people who are authorized can access sensitive freight, tracking people’s actions and cargo location together. Shared technologies will allow:

Data Privacy Protection

Users can have differentiated access to read the information on the RFID tag based on privileges held in their card. RFID tags created according to scramble number schemes can be used in concert with smart card capabilities; only those tags to which users have been given “rights” will be seen, added to cargo lists, or be shipped to certain geographic locations. This allows individuals to control data collection and sharing while preventing covert tracking and profiling applications based on package content.

Linking People to Cargo

Cards used for access to vehicles or facilities can be matched against cargo RFID to automatically reconcile cargo itineraries against known cargo and personnel movements. By linking people’s locations with RFID cargo locations, administrators can reduce fraud and determine the “who, when, and where” if any package loss occurs.

Local Authorization for Inventory Movements

Smart cards can act as secure, digital lists of instructions, inventory, and package recipients, allowing people who sign for packages to be verified through the use of PKI, biometrics and other digital means. If tagged packages are moved by an unauthorized person, future privileges of that person can be locked and flags can be raised to administration.

Package- and User-based Physical Access

Biometric IDs, RFID and GPS position transmitters will work together to allow secure access only to authorized persons with authorized cargo at only intended destinations. Through biometric authentication to truck ignition systems, administrators will be assured that trucks stay within specified corridors on their way to the cargo’s intended destination and will know who is driving; they will even be able to remotely disable and lock trucks that deviate or have the wrong users or wrong cargo.

Scenarios where this combination of technologies may soon be applied include HAZMAT drivers, weapons transport, banking records and even passports. Credentialing systems are already underway for the major ports of the world and will be used to link card to identity to ship to cargo, where cargo is monitored already with RFID. The future world of secure shipping will allow owners of cargo to track in real time the exact location of each crate, each driver, each truck, and be sure that they are all supposed to be traveling together.



