Regarding ID Summer 2010


Summer 2010

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Health Care’s Identity Crisis
Secure patient ID is key to curbing medical identity theft and protecting electronic records

• Biometric social security cards • White House pushes online ID • Next generation e-passports



Identity-Based Security for Citizen eIDs Entrust Citizen eID security solutions are the most scalable, interoperable and proven in the world. As the global PKI leader, Entrust has been chosen by over 35 countries across the globe to provide trusted security solutions for ePassports, national ID cards and other forms of citizen eID. In fact, Entrust is the No. 1 provider of ePassport security solutions for both first-generation (BAC) and second-generation (EAC) ePassport environments and is leading the migration to the EAC standard. No matter if you’re just beginning development or evolving your citizen eID or ePassport strategy, Entrust is the choice for security. Visit us online to learn more, generate an EAC certificate or test your ePassport Single Point of Contact (SPOC) implementation.

Visit entrust.com/citizen-eid

Entrust and Entrust product names are trademarks or registered trademarks of Entrust, Inc. or its affiliates. All other company and product names are the property of their respective owners. © Copyright 2010 Entrust. All rights reserved.



Contents

6 | OPINION | Is the end nigh for the card form factor?
8 | PODCAST | Conversations on securing portable memory as well as the FBI’s next-gen ID program
10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites
19 | CALENDAR | Industry events from the identity and security worlds
20 | COVER STORY | Health care’s identity crisis
24 | HEALTH CARE | How health information exchanges fit in
28 | GOVERNMENT | White House wants online authentication standards
29 | DIGITAL ID | Technologies that consumers may use for online ID
31 | TRAVEL | Registered traveler remains ‘Clear’ after acquisition
32 | INNOVATION | Strong user authentication in self-encrypting drives
35 | TECHNOLOGY | The Trusted Platform Module (TPM)
36 | NFC | Meet your new tour guide
38 | TECHNOLOGY | Nokia kills long-awaited 6216 NFC handset
39 | PAYMENTS | Student-run coffee shop tests mobile payments
40 | BORDER CONTROL | Quantifying the e-passport marketplace
44 | MRTD | The e-passport revolution: the next generation of travel security
46 | Q&A | Deadlines, risks and the future of e-passports
50 | LOGICAL SECURITY | Authenticating users and securing access in cloud computing environments
52 | LEGISLATION | Democrats: BELIEVE in biometric Social Security cards
52 | BIOMETRICS | Analysis: What biometric will be on the card?
54 | TRANSIT | London’s Oyster card upgrade underway
56 | TRANSIT | Group working on open standards for transit cards
58 | INNOVATION | Combining student IDs and transit passes
61 | ISSUES | Identity management and the law
62 | TECHNOLOGY | Placing multiple technologies into one credential
64 | CASE STUDY | FedExField goes with high-tech IDs
66 | TICKETING | Major League Soccer club deploys contactless ticketing in New York

INDEX OF ADVERTISERS

The CBORD Group – www.cbord.com – 59
CoreStreet – www.corestreet.com/TWIC – 2
CPI Card Group – www.cpicardgroup.com – 41
CSC – www.csc.com/nps – 27
CSCIP – www.smartcardalliance.org – 47
Digital Identification Solutions – www.dis-usa.com/Re-ID – 15
Entrust – www.entrust.com/citizen-eid – 3
Evolis – www.evolis.com – 7
Gemalto – www.gemalto.com – 67
HID Global – www.hidglobal.com/cardsondemand – 68
IEEE – www.IEEEBiometricsCertification.org – 43
Kaba Access Control – www.kabaaccess.com – 33
LaserCard – www.lasercard.com – 23
Smart Card Alliance Annual Conference – www.smartcardalliance.org – 37


Perspective

Is the end nigh for the card form factor?
Cross-industry insiders look to mobile devices for ID’s future

Zack Martin, Editor, AVISIAN Publications

CR80, ID-1 or ISO 7810 – all terms for the ubiquitous credit card-sized ID. Estimates suggest more than 20 billion of them are produced each year. Not surprising, as I am the owner of a ‘Costanza wallet,’ referring to the Seinfeld character with the overfilled billfold, and have 14 in my wallet right now. What is surprising to me is the number of people signaling the death knell for the plastic card form factor. While reporting three separate stories for this issue, I was told by executives and government officials that the mobile phone could be the form factor of choice for identification in the very near future. “People will walk out of the house without a wallet, but they never forget their mobile phone,” one government official told me as I was researching a piece on Obama’s new online authentication initiative. I hear the same thing over and over again related to government identity, payment security and more. In our cover story on health care identity, executives mentioned mobile phones for storing health information as well as using them as a key for access to electronic medical records. It’s not a stretch to use mobile phones for these tasks. Devices that use GSM networks already use smart card technology, called SIM cards, to authenticate the device to the network and make calls. There are also applications that consumers can already use on their mobile devices to add two-factor security, such as a one-time password generator, to better secure access to Web sites. Near field communication is the next step. NFC enables a mobile device to emulate a contactless smart card and a smart card reader. NFC devices could be used to authenticate to computer networks, pay for transit fares and make purchases. In Japan, using a mobile device to make purchases and get on the subway is a common task. In other parts of the world, however, it has yet to take off beyond a handful of limited pilot programs. Some say this is about to change. A half-dozen handset models are expected to hit the market in 2010, and real projects are expected to materialize with the commercial availability of devices. The U.S. market has been seeded with contactless payment terminals in a number of large venues – CVS, Best Buy, Sports Authority – and hundreds of other locations. Retailers already accepting contactless smart card payments don’t need to do anything additional to accept NFC payments. If mobile phones are going to be used for identification, a whole new education campaign will have to be undertaken to let individuals know how it would work. But the rapidly expanding legion of smart phone users is already being trained on the use of the handset for non-traditional applications. Downloading applications, launching services, browsing the Internet and using the device for data retrieval purposes are becoming ingrained. Identity and authentication functions are simply another application, one that I hope is around the corner to ease the hefty wallet in my back pocket. I like the idea of using my phone for identification, purchases, security, etc. I could take out my phone, launch an application, enter a PIN and get on the bus or make a purchase at CVS. It sounds good to me … Where do I sign up?

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Gina Jordan, Autumn Giusti, Meredith Gonsalves, Ross Mathis, Ed McKinley
ART DIRECTION TEAM Darius Barnes, Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2010 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.


What do an Indian driver’s license and a public transit pass in Venice have in common?

They are both powered by Evolis! Several states in the Republic of India have selected Evolis printers to deliver millions of secured driver’s licenses. Every day, the public transit system of the city of Venice, Italy, draws on Evolis to design and personalize transit passes. Because our solutions are innovative, convenient, reliable and affordable, enterprises and large governmental organizations rely on our technology to serve their identification requirements, in a smart and fully secured way. More information and success stories on www.evolis.com.



Do you have an idea for a topic you would like to hear discussed on an re:ID Podcast? Contact podcasts@AVISIAN.com

Episode 48: Lockheed updates on FBI’s next-gen ID

The FBI’s upgrade of its Integrated Automated Fingerprint Identification System (IAFIS) to a Next Generation Identification (NGI) program is a huge undertaking. Lockheed Martin was awarded the 10-year contract to upgrade the program, which recently reached its first milestone. Mike Moore, director of the NGI program at Lockheed Martin, talks with Regarding ID Editor Zack Martin about the recent milestone and where the program is headed.

Highlights: “NGI is intended to be a multi-modal biometric capability that significantly enhances identification. The enhancements are in fingerprint … also adding face and photo recognition and iris.”

Regarding the status of the initiative, Moore says, “(We) just finished increment zero and are in the process of deploying the results of that, which are the advanced technology workstations. These are all about making it better for the folks who are doing the service support, looking at fingerprints and ultimately other modalities to quickly make decisions.”

To listen, visit ThirdFactor.com/tag/Podcasts and select “Episode 48”

Episode 51: Securing portable memory devices

USB drives and other forms of external memory don’t mean much to most people – insert, download files and move on. But if an individual is storing personal information, or even other people’s personal information, it can be a problem if these devices are lost or stolen. Regarding ID Editor Zack Martin talks with Neville Pattinson, vice president of government affairs and business development at Gemalto North America, about concerns surrounding these memory sticks and precautions organizations can take.

Highlights: “(There are a) lot of concerns over the breach of data out of organizations from USB sticks,” he says. “There has been a ban in federal departments from using the insecure USB sticks. (If they are) lost or forgotten, the information that may be confidential becomes readily available to someone else.”

“One solution is to employ encryption software on the USB device … that’s the minimum that should be taken. Others have deployed biometrics and PINs, but they tend to be host related, and there are new products that do all the encryption and everything on the stick.”

To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 51”


Episode 53: Exploring the law around identity

When it comes to deploying an identification system, the focus is typically on the technology and not the legal aspects of the system. While this is a cutting-edge area of law, it is starting to get some attention. Tom Smedinghoff, a partner at Wildman Harrold, is chairman of an American Bar Association task force that is exploring the legal issues around identification. Smedinghoff spoke with Regarding ID Editor Zack Martin about this area of law and what his task force is working on, and commented on the federal government’s efforts to secure online transactions for consumers.

Highlights: “You need rules and obligations placed on the various parties and they need to perform these obligations, and if they don’t then you need some enforcement mechanism,” he stresses.

“We really try to take a rigorous look at what folks have to deal with when they establish and operate identity management systems … and look at the legal models for making it work.”

To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 53”

Episode 54: ID for health information networks

HealtheLink is a health information exchange in western New York that wanted to help health care providers give patients better care. Instead of patients having to carry around multiple medical records from different doctors, the exchange enables providers to look up records from other providers via a secure network. But securing this network is a difficult task. Gina Jordan, contributing editor at Regarding ID, spoke with Dan Porreca, executive director at HealtheLink, and Dr. William Braithwaite, chief medical officer at Anakam.

Highlights: Braithwaite: “When you go into an application with your user name and password, we create a number that’s sent via SMS to your cell phone.”

“You don’t have to deploy and manage any hardware devices. We’re not handing out key fobs with numbers on them, and we’re not downloading software. It takes away the cost of buying and managing all those extra hardware devices or software downloads, and it allows you as a user to log in from any device that has access to the Internet.”

To listen, visit HealthIDNews.com/tag/Podcasts and select “Episode 54”


ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Malaysian government taps Entrust for e-passport PKI

Entrust is providing PKI-based e-passport technology to help the Malaysian government migrate to the International Civil Aviation Organization’s (ICAO) Basic Access Control (BAC) standard and eventually to Extended Access Control (EAC). Entrust provides a commercial off-the-shelf solution that enables an upgrade from BAC to the more advanced EAC standard. Based on Entrust’s public key infrastructure (PKI) technology, the e-passport security solutions support strong border control and authentication of identities and biometric data sets on machine-readable travel documents. To facilitate interoperability across countries, ICAO set global standards for e-passports, including the BAC and EAC schemes. Created to mitigate passport forgery, first-generation e-passports use a contactless chip, protected by BAC, that holds a simple biometric – usually a digitized photo of the holder – along with the identity data printed on the paper document. Entrust supplies the PKI behind the digital signature over the chip data; an inspection system that verifies that signature can detect modified data and reject a tampered passport at the border. For the second generation of e-passports, the EAC standard allows governments to use a stronger biometric that makes impersonation of the legitimate document holder more difficult. The use of biometrics – typically a digitized fingerprint or iris scan – establishes a much stronger binding between the individual and the travel document.

To safeguard the biometric data, EAC enforces strong mutual authentication between the chip and the reader before biometric data is released. The combination of BAC and EAC mechanisms establishes a strong defense to mitigate the threats of forgery and impersonation.
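What BAC actually protects against is worth making concrete. The following is an added worked example, not Entrust’s or the page’s code: under ICAO Doc 9303, the chip’s 3DES access keys are derived from three fields printed in the machine-readable zone (document number, date of birth, date of expiry) plus their check digits, so a reader must have optically read the data page before it can talk to the chip. That stops casual skimming but not anyone holding the open passport, which is why EAC layers certificate-based mutual authentication on top before fingerprints or iris data are released. The example uses the MRZ values from the ICAO 9303 Part 11 worked example (not a real document) and only the Python standard library.

```python
"""ICAO 9303 Basic Access Control key derivation from the MRZ (added example)."""
import hashlib

_WEIGHTS = (7, 3, 1)  # check-digit weights, repeating left to right


def mrz_char_value(c: str) -> int:
    """MRZ character value: digits as themselves, '<' filler as 0, A-Z as 10-35."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """9303 check digit: weighted sum of the field modulo 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Concatenate document number, DOB and expiry, each followed by its check digit."""
    return "".join(f"{f}{mrz_check_digit(f)}"
                   for f in (doc_number, birth_yymmdd, expiry_yymmdd))


def adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each DES key byte has odd parity."""
    out = bytearray()
    for b in key:
        data_ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (1 if data_ones % 2 == 0 else 0))
    return bytes(out)


def derive_key(kseed: bytes, counter: int) -> bytes:
    """9303 KDF: first 16 bytes of SHA-1(Kseed || 32-bit counter), parity adjusted.
    counter 1 yields Kenc (3DES encryption key), counter 2 yields Kmac (Retail MAC key)."""
    digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> dict:
    """Derive Kseed, Kenc and Kmac exactly as an inspection system does after reading the MRZ."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    kseed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {
        "mrz_information": info,
        "kseed": kseed,
        "kenc": derive_key(kseed, 1),
        "kmac": derive_key(kseed, 2),
    }


if __name__ == "__main__":
    # Values from the ICAO 9303 Part 11 worked example, not a real passport.
    for name, value in bac_keys("L898902C<", "690806", "940623").items():
        print(name, value.hex().upper() if isinstance(value, bytes) else value)
```

The point for a practitioner: every input to this derivation is printed on the data page, so BAC key entropy is bounded by how guessable the document number, birth date and expiry are, not by the key length.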

AssureTec, Ctrue partner for e-passport, e-ID solutions
AssureTec Technology and Ctrue are partnering to provide comprehensive e-passport and e-ID authentication solutions that combine AssureTec’s document authentication technology with Ctrue’s face recognition C-Pass solutions. Ctrue launched its C-Pass e-Gate at Passenger Terminal Expo in Brussels last month to address the growing need for automated authentication of machine-readable travel documents. To date, 250 million e-passports have been introduced in over 80 countries around the world, the company adds.

M2SYS, Fujitsu partner to bring palm vein to the desktop
M2SYS Technology announced an alliance with Fujitsu Frontech North America that aims to grow the adoption of PC-based palm vein biometric recognition systems. Under the partnership, M2SYS has added support for the Fujitsu PalmSecure biometric authentication system to its Bio-Plugin biometrics platform. Bio-Plugin enables software companies to integrate and deploy an enterprise-ready biometric recognition system without the development and ongoing support challenges that are associated with low-level biometric software development kits. Software companies that want to adopt the Fujitsu palm vein biometric authentication system can now do so within hours, accelerating time-to-market and reducing software engineering and maintenance costs. Fujitsu PalmSecure technology uses near-infrared light to scan beneath the skin’s surface and capture a user’s unique palm vein pattern, resulting in extremely low occurrences of both false positive and false negative readings even in situations of dry, rough or generally poor skin conditions.

HID releases new products aimed at migration market
HID Global announced two new products to be added to its multiCLASS product line, as the company looks to provide flexible and secure migration from legacy magnetic stripe and 125 kHz technologies to higher security 13.56 MHz smart cards. The new additions to the multiCLASS family include two keypad models – the RMK40, which offers magnetic stripe to contactless iCLASS migration, and the RMPK40 for migration from magnetic stripe and proximity cards to iCLASS. Both readers feature removable vertical magnetic stripe readers and 125 kHz support for familiar user interaction. After a site fully migrates from magnetic stripe cards, users can replace the magnetic stripe back plate with a standard contactless back plate to limit the reader to 13.56 MHz credentials only.



Daon selected for Mexico’s biometric ID program
Daon announced that it will provide software for the Government of Mexico’s National Service of Personal Identification program. Daon was chosen by integrator Unisys to provide a multimodal solution utilizing iris, finger and face recognition biometrics to authenticate individuals.

UK hotel deploys sQuid’s contactless loyalty scheme
Nottingham Gateway Hotel has become the first hotel in the UK to introduce a loyalty scheme using sQuid’s contactless smart card solution. The hotel’s new ‘We Love to Reward You’ loyalty program offers guests contactless smart cards that can be used to make purchases in the hotel and rack up rewards points redeemable in the hotel’s bar and restaurant. According to General Manager Mandy Goldsmith, the card has two purses – one for making payments and one for storing loyalty rewards. Customers are rewarded with one pound for every five pounds spent, which is paid back into the loyalty purse on their card. The Nottingham Gateway Hotel cards are sold for five pounds and come with 10 pounds of reward pre-loaded.

Coast Guard buys TWIC biometric readers
MaxID and CoreStreet announced the sale of additional iDLMaxG Transportation Worker Identification Credential (TWIC) handheld biometric readers to the U.S. Coast Guard. The iDLMaxG units are bundled with the CoreStreet PIVMAN client software to provide a TWIC-compatible solution that has been in operational use for more than three years in the DOD, the Department of Homeland Security and various states, and is on the FIPS 201 Approved Products List. The iDLMaxG is a multi-modal, rugged mobile computer that includes a QWERTY keyboard, contact card, contactless card, bar code and optical fingerprint readers, optional magnetic swipe and MRZ readers, a digital camera, GPS and comprehensive communications capabilities. The iDLMaxG is an integrated mobile solution for badging and identity management requirements that is capable of checking TWIC, CAC, PIV, PIV-I and FRAC cards, passports and driver licenses.

U.S. and Germany partner for secure traveling program
Department of Homeland Security Deputy Secretary Jane Holl Lute and German Interior Ministry State Secretary Klaus-Dieter Fritsche announced the signing of a document that states each country’s intent to integrate biometric trusted traveler programs to ease travel between the two countries. The eventual integration is expected to utilize both the United States’ Global Entry program and Germany’s Automated and Biometrics-Supported Border Controls program. Both programs are designed to allow approved travelers to access special security lines that authenticate the user to their passport biometrically, leading to a large reduction in wait time. By combining the two programs, German citizens traveling in the U.S. and U.S. citizens traveling in Germany will be allowed to use the other country’s biometric trusted traveler program. Both countries expect the new partnership to improve efficiency as well as security.

GWU goes for Gold in campus card revision
Campus card provider The CBORD Group was selected by George Washington University to replace its existing campus card system with the company’s CS Gold campus card solution. The new system will manage card-based purchasing, privileges, access control, vending and more for more than 20,000 students. The campus will utilize iCLASS secure contactless cards and readers for access control.

Gemalto acquires Todos
Gemalto announced that it has completed the acquisition of Todos AB from investors led by 6AP, a fund belonging to the Swedish National Pension system. Terms of the transaction were not disclosed. Headquartered in Gothenburg, Sweden, and employing 80 people worldwide, Todos provides strong authentication solutions for Internet banking. Todos has to date delivered more than 20 million products to 100 financial institutions in 30 countries. The company’s core offer is the eCode Suite, including the Todos Versatile Authentication Server, which enables strong authentication and transaction verification. The Versatile Authentication Server supports all leading industry standards and is augmented by patented technology such as Dynamic Signatures. Using their EMV card and a Todos eCode reader, consumers can use their PIN code to securely sign Internet banking transactions. An additional layer of security can be provided by displaying transaction details on the reader, so that users “sign what they see,” thwarting in particular “man in the browser” attacks. Todos will be integrated with Gemalto’s Identification and Access Management business line.
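Why “sign what you see” defeats a man-in-the-browser trojan is easier to see in code. The following is an added example and not Todos or Gemalto code: the user confirms the amount and beneficiary shown on a trusted reader, the card produces a short code bound to exactly those values plus a one-shot bank challenge, and the bank recomputes the code over the transaction it actually received. If malware in the browser rewrites the beneficiary in the submitted form after the user has signed, the code no longer verifies. A real EMV CAP reader derives the code from an application cryptogram computed with the card’s issuer-derived key; HMAC-SHA256 with a per-card key stands in for that here, and the card key, PIN, account strings and challenge length are constructed for the example.

```python
"""'Sign what you see' transaction codes: reader/card side and bank side (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 8  # length of the code the user copies from the reader into the browser


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    destination: str  # beneficiary account identifier

    def canonical(self) -> bytes:
        # Fixed-width amount and length-prefixed destination: no ambiguity between field boundaries.
        return f"{self.amount_cents:020d}|{len(self.destination):03d}|{self.destination}".encode()


def _code(card_key: bytes, challenge: bytes, tx: Transaction) -> str:
    """HMAC over challenge || transaction details, truncated to decimal digits (HOTP-style)."""
    mac = hmac.new(card_key, challenge + tx.canonical(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Card:
    """Simulated card in an offline reader: signs only after a correct PIN and only what the reader displayed."""

    def __init__(self, card_key: bytes, pin: str, max_tries: int = 3):
        self._key = card_key
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries

    def sign_displayed(self, pin: str, challenge: bytes, displayed: Transaction) -> str:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        return _code(self._key, challenge, displayed)


class Bank:
    """Issues one-shot challenges and verifies codes against the transaction it actually received."""

    def __init__(self):
        self._card_keys: dict[str, bytes] = {}
        self._pending: dict[bytes, str] = {}  # challenge -> card id

    def enrol(self, card_id: str, card_key: bytes) -> None:
        self._card_keys[card_id] = card_key

    def new_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(8)
        self._pending[challenge] = card_id
        return challenge

    def verify(self, challenge: bytes, received: Transaction, code: str) -> bool:
        card_id = self._pending.pop(challenge, None)  # each challenge is consumed on first use
        if card_id is None:
            return False
        expected = _code(self._card_keys[card_id], challenge, received)
        return hmac.compare_digest(expected, code)


def demo() -> tuple[bool, bool]:
    """Constructed scenario; returns (honest transfer accepted, browser-tampered transfer accepted)."""
    key = bytes(range(32))  # constructed per-card key; real cards hold issuer-derived keys
    bank, card = Bank(), Card(key, pin="1234")
    bank.enrol("card-001", key)

    shown = Transaction(15000, "GB00TEST00000001")  # what the reader displays to the user
    ch = bank.new_challenge("card-001")
    honest = bank.verify(ch, shown, card.sign_displayed("1234", ch, shown))

    # Man in the browser swaps the beneficiary in the form after the user signed what the reader showed.
    ch2 = bank.new_challenge("card-001")
    code2 = card.sign_displayed("1234", ch2, shown)
    tampered = bank.verify(ch2, Transaction(15000, "GB00MULE00000099"), code2)
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is that the reader, not the browser, is the trusted display: the code binds the details the user saw on a device the trojan cannot reach, and the bank binds it to the details it received, so any divergence between the two fails closed.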

Paysafecard taps Entrust for online authentication
Austria-based online payment organization paysafecard selected Entrust Inc. and the Entrust IdentityGuard authentication platform to secure its mobile workforce. Facilitated by Entrust partner CorTEC IT Security Solutions GmbH, paysafecard uses Entrust IdentityGuard and three types of strong authentication – one-time-password (OTP) tokens, credit card-sized OTP display tokens and SMS soft tokens – to authenticate remote access users via VPN. Entrust IdentityGuard SMS soft tokens are sent directly to a paysafecard employee’s mobile phone. The platform automatically issues a configurable number of OTPs, which can be used as a second factor of authentication. The passcodes expire after a configurable period of time, which limits the window in which an intercepted or recovered code could be misused. Entrust IdentityGuard enables organizations to layer security – according to access requirements or the risk of a given transaction – across diverse users and applications. The platform’s authentication options include user name and password, IP geolocation, device profiling, questions and answers, digital certificates, out-of-band one-time passcodes delivered via voice, SMS or e-mail, grid and eGrid cards, SMS soft tokens, and a range of one-time-passcode tokens. Entrust IdentityGuard also provides multiple methods of supporting mutual authentication, including picture and caption replay. Austria-based paysafecard has expanded throughout Europe. There were more than 15 million transactions executed using paysafecard in 2008, and 35 million transactions have been made to date. The service is available at more than 230,000 locations in 16 European countries.
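The SMS soft-token behaviour described above (a configurable batch of codes, each valid for a configurable time) and the SMS one-time code Anakam describes in the Episode 54 podcast notes come down to the same server-side logic. The following is an added example and not Entrust or Anakam code: codes are drawn from a CSPRNG, every code is single use, expired codes are purged before comparison so they can never be accepted, comparisons are constant time and do not stop at the first match, and repeated failures lock the batch. The send_sms callback stands in for an SMS gateway, the clock is injectable so expiry can be tested, and the user name and phone number are constructed.

```python
"""Out-of-band one-time passcodes issued in batches with expiry and single use (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class _Batch:
    codes: dict[str, float]  # live code -> expiry timestamp (seconds since epoch)
    failures: int = 0


class OtpService:
    """Issues batches of short-lived, single-use passcodes over an out-of-band channel."""

    def __init__(self, send_sms: Callable[[str, str], None], codes_per_batch: int = 3,
                 lifetime_s: float = 300.0, max_failures: int = 5, digits: int = 6,
                 clock: Callable[[], float] = time.time):
        self._send_sms = send_sms          # hands the text to an SMS gateway (assumed interface)
        self.codes_per_batch = codes_per_batch
        self.lifetime_s = lifetime_s       # the configurable expiry the text describes
        self.max_failures = max_failures   # lockout against online guessing of a 6-digit code
        self.digits = digits
        self._clock = clock
        self._batches: dict[str, _Batch] = {}

    def issue(self, user: str, phone: str) -> list[str]:
        """Generate a fresh batch for the user and send it; any earlier batch is invalidated."""
        now = self._clock()
        codes: dict[str, float] = {}
        while len(codes) < self.codes_per_batch:
            # secrets.randbelow is CSPRNG-backed and unbiased; zfill keeps leading zeros
            code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
            codes[code] = now + self.lifetime_s
        self._batches[user] = _Batch(codes)
        self._send_sms(phone, "Your one-time codes: " + " ".join(codes))
        return list(codes)

    def verify(self, user: str, submitted: str) -> bool:
        batch = self._batches.get(user)
        if batch is None:
            return False
        now = self._clock()
        batch.codes = {c: exp for c, exp in batch.codes.items() if exp > now}  # purge expired first
        if batch.failures >= self.max_failures:
            return False
        matched = None
        for code in batch.codes:  # check every live code in constant time; never short-circuit
            if hmac.compare_digest(code.encode(), submitted.encode()):
                matched = code
        if matched is None:
            batch.failures += 1
            return False
        del batch.codes[matched]  # single use: a replayed code is rejected
        batch.failures = 0
        return True


def demo() -> dict[str, bool]:
    """Constructed scenario with a fake clock and a capturing SMS sender."""
    outbox: list[tuple[str, str]] = []
    now = [1_700_000_000.0]
    svc = OtpService(send_sms=lambda phone, text: outbox.append((phone, text)),
                     lifetime_s=300.0, clock=lambda: now[0])
    codes = svc.issue("alice", "+15555550100")  # constructed user and number
    first_ok = svc.verify("alice", codes[0])
    replay = svc.verify("alice", codes[0])
    wrong_code = next(c for c in ("000000", "000001", "000002", "000003") if c not in codes)
    wrong = svc.verify("alice", wrong_code)
    now[0] += 301.0  # step past the lifetime
    expired = svc.verify("alice", codes[1])
    return {"first_ok": first_ok, "replay": replay, "wrong": wrong,
            "expired": expired, "sms_sent": len(outbox) == 1}


if __name__ == "__main__":
    print(demo())
```

Expiry and single use bound the damage from an SMS that is read by malware on the handset or intercepted in transit; the lockout bounds online guessing. Neither makes SMS delivery itself a strong channel, which is why the platform offers it alongside hardware tokens.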

Sarnoff launches new iris system
Sarnoff Corporation launched a new version of its Iris on the Move (IOM) PassPort iris recognition system. The IOM PassPort is a walk-through iris recognition system capable of capturing and identifying a moving person by their irises from a distance and at a rate of up to thirty people per minute. This is in contrast to most other iris recognition systems, which require a user to stop to be scanned. One of the major differences in the new version of the IOM PassPort is its physical design, which is now slimmer with a smaller footprint. Sarnoff also announced that it will be integrated into its parent company, SRI, at the beginning of 2011. Officials from SRI say that the decision stems from the similarity of operations between the two entities, and that integration would provide each of the two companies more operational resources and capabilities.

VingCard gives NFC upgrade to Best Western Reims
VingCard has announced the installation of its Classic RFID contactless electronic upgrade kit with NFC cell phone compatibility at the Best Western Hotel de la Paix in Reims, France. The new system will allow Best Western guests to enter their rooms by simply waving a contactless card or NFC-enabled smart phone in front of the door lock. According to VingCard, the upgrade allowed Best Western to keep most of its existing locks and replace only the bezel card reader. Classic RFID is a secure open-platform system compatible with the three contactless ISO standards – ISO 14443A/Mifare, ISO 14443B and ISO 15693. It features a 600-event audit trail, anti-cloning software, low energy output locks and a new NFC transaction platform to enable remote check-in for guests with NFC-enabled smart phones.

EXTENSION INC. starting consortium to promote smart card health IDs
EXTENSION INC. is launching a group to advocate the issuance of smart card IDs for health care, says Todd Plesko, CEO at the Fort Wayne, Ind.-based company. With the push to deploy electronic medical records underway, there needs to be a means to properly identify patients while also keeping the information secure. Plesko says smart cards are a way to do that. “This is a very well-proven technology that works in every other corner of the world,” he says. France and many other European countries use smart cards for patient identification. EXTENSION INC. has a system that would cost health care providers $6 per patient, Plesko says. “It’s a very low-cost solution to a series of high cost issues,” he says. The proposed consortium is still in the planning stages, Plesko says. He’s hoping to attract 12 high-profile companies to join the group, which would educate providers and government officials on how smart cards can be used in health care.

Codebench, DAP partner
Codebench Inc., a provider of HSPD-12/FIPS 201 authentication software, announced that it has formed a technology partnership with rugged-computer manufacturer DAP Technologies to offer a mobile solution for the validation and registration of FIPS 201 PIV II compliant credentials. Codebench’s PIVCheck software suite – a card validation, authentication and registration solution for HSPD-12 compliance – is now integrated with DAP’s CE3240B Guard System handheld computer. The Guard System computer features a rugged, modular design that can be configured with readers for magnetic stripe cards, contact and contactless smart cards, and HID Proximity cards to accommodate a number of credential formats including TWIC, PIV and CAC. It also can include a fingerprint biometric reader. The integration of PIVCheck on DAP’s CE3240B Guard System enables security personnel to validate and register credentials from cardholders in nearly any location within a facility, which is essential for creating temporary physical access control portals or conducting spot checks on credentials. Once DAP’s Guard System handheld computer has scanned the credential, the information can be validated and then uploaded to a facility’s physical access control system by the PIVCheck software. The PIVCheck software suite provides a transition to HSPD-12 or FIPS 201 compliance by leveraging a facility’s physical access control system for card validation, authentication and registration. The software uses three-factor identification to determine the cardholder’s unique identifying data and biometric information, and verifies the validity of the card by checking with the appropriate X.509 certification authority or other entity, such as the TSA hot list.


Hirsch revs up Velocity’s functionality
Hirsch Electronics, a security systems manufacturer, announced it is extending the functionality of its flagship security management system, Velocity, to include IT-oriented identity and card management capabilities. Specifically, Velocity will interface with certificate authorities and Active Directory to create smart cards that can be used for secure computer logon and door access control. Velocity is Hirsch’s security management system that integrates access control, intrusion detection, badge printing and video surveillance. Its new capabilities enable it to acquire digital certificates from a certificate authority, expose Active Directory user and group lists for selection, encode the smart card with the trusted certificate, bind the card to the Active Directory user ID, push the binding information to Active Directory, and perform real-time checks of the certificate’s validity. These new capabilities will enable users to log on to Windows using strong authentication: two factors (card and PIN) plus a real-time check of the card’s certificate status (i.e., valid versus revoked). The Hirsch solution lets the physical security or human resources department issue a single smart card that can be used for both door and computer access. However, IT maintains its control: during card creation, the issuer must choose from the user and group lists that IT previously defined, and IT need only ensure the user account exists in Active Directory.

USA Supreme introduces biometric car starter

USA Supreme Technology announced a new biometric security device for cars in the U.S. The Biometric Car Starter is a fingerprint-based solution that renders a car inoperable until an authorized user swipes their fingerprint. USA Supreme points out that the solution focuses on prevention of theft rather than tracking a car after theft or alerting people about the theft.

Lumidigm announces new line of fingerprint sensors

Lumidigm introduced a new series of fingerprint sensors called Mercury. The Mercury sensors were developed as a multispectral, compact and cost-effective solution to join the portfolio of offerings like the company’s Venus sensors. The sensors return a 500 dpi image via either USB or RS-232 connections and can serve a number of authentication methods including image output, template output, verification and identification. Lumidigm offers two models of the Mercury sensors – one designed for high-performance and high-throughput applications and the other as a desktop solution designed for use as workstation authentication.

Gemalto and Microsoft to launch integrated security solution

Gemalto has announced that its Protiva Strong Authentication Server is now fully integrated with Microsoft Forefront Identity Manager 2010, allowing organizations to provision, deploy and manage smart card-based one-time password (OTP) devices linked to Gemalto’s server on the familiar Microsoft interface.



ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

According to Gemalto, the integrated solution allows security managers that work with Microsoft identity solutions to implement and manage OTP devices without learning a new interface. Managers can use the Forefront Identity Manager portal interface for all of the administrative functions for managing OTP devices, while the Gemalto strong authentication server works in the background for authentication. Users can also create or update a Gemalto OTP device record, link the record to the user, and activate the device. They can then manage or change access privileges or remove devices using the same Microsoft interface.

Aware providing biometrics for Lockheed station

Aware Inc. announced that its technology will be used in Lockheed Martin’s Advanced Technology Workstation. Among the various software offerings from Aware that have been integrated into the workstations are its NISTPack, WSQ1000, AccuPrint and AccuScan products.

Smart Card Alliance releases two reports on upgrading transit fare systems

The Smart Card Alliance Transportation Council has released two reports aimed at helping transit agencies planning to upgrade their fare collection systems. The Smart Card Alliance Transportation Council is made up of more than 130 individuals from 59 organizations, including transit agencies, payment brands, financial services providers and technology and service providers. The first report, “Planning for New Fare Payment and Collection Systems: Cost Considerations and Procurement Guidelines,” presents a conventional approach for planning, conducting a cost analysis, and procuring a new fare payment system or upgrading an existing system. It also provides a Microsoft Excel-based cost model that allows users to input an agency’s current fare payment and fare collection costs and compare them to the costs for proposed alternative systems. The second report, “A Guide to Prepaid Cards for Transit Agencies,” provides an overview of the prepaid card industry and the products available, including network-branded prepaid cards. The report is intended to help agencies evaluate the feasibility and benefits of using prepaid cards as one element of a fare collection system that includes open loop payment cards.

ActivIdentity unveils PIV-I program

ActivIdentity Corp. launched a PIV-Interoperable (PIV-I) initiative to enable non-federal organizations to issue employee identity cards that are technically interoperable with U.S. government PIV systems, and issued in a manner that allows government and relying parties to trust the cards. To address the newly defined PIV-I card standards, ActivIdentity has modified its ActivID Card Management System that is being used in conjunction with its ActivClient security software. Customers looking to deploy the ActivIdentity PIV-I credential management solution can also leverage the ActivIdentity PIV+ applet that enables PKI-based access control as well as one-time-password-based authentication on a single PIV-interoperable identity card. The ActivIdentity PIV+ applet together with the ActivID Card Management System and ActivClient are part of the government-approved product list. As the PIV initiative progresses, PIV-I has become a requirement for commercial enterprises that interact with government agencies on a daily basis. Non-federal issuers of credentials need to produce employee IDs that can technically interoperate with government PIV systems and can be trusted by relying parties via cross-certification. However, the PIV card standard is limited in scope to the federal government and has several requirements that can be addressed only by that community. In response to these interoperability requirements, the Federal CIO Council defined the standards for PIV-I cards for non-federal issuers. Several federally sponsored PIV-I programs already exist, including the First Responder Authentication Credential (FRAC), the Transportation Worker Identity Credential (TWIC), and the Airport Credential Interoperability Solution (ACIS). Many other programs are in development with the same desired goal of technical interoperability and trustworthiness in the Federal government PIV environment.

CSC launches smart card-based remote access solution

CSC announced the launch of the Common Access Card Enabled - Remote Access Solution (CE-RAS), a secure connectivity product that enables employees to access government networks from non-government computers, regardless of location. With the solution, employees can meet increased work requirements during surge periods and continue working during emergency situations that prevent them from reaching their customary workplaces. This secure telework solution is a government-approved product that meets security standards and permits the use of non-government equipment to connect to government networks. CE-RAS was procured under the U.S. General Service Administration’s Millennia contract and is being used in the Office of the Secretary of Defense (OSD), Office of the Director, Cost Assessment and Program Evaluation. It can be customized for different systems employed by other government and commercial organizations. The solution utilizes an economical, government-supplied CAC reader and enables employees’ personal computers to connect to OSD’s remote access infrastructure.

Entrust hits PKI milestone with GSA

Entrust Inc. has been providing PKI services to the General Services Administration as part of the USAccess program since July 2007, and the group recently reached a milestone, activating its 450,000th PIV credential with PKI. The GSA created the USAccess program to facilitate the deployment of the credentials across federal agencies. The program was developed in response to Homeland Security Presidential Directive 12, which requires federal agencies to issue a common identity credential. While the GSA’s PIV credentials provide users with physical access to secure buildings and facilities, the PKI certificate – issued from Entrust’s hosted federal PKI certification authority – enables employees to digitally sign documents and e-mails. Each GSA credential includes four PKI certificates that are stored in a PIV container on the contact chip. Via a trusted PKI environment, Entrust enables U.S. government agencies to use authentication, encryption and digital signatures to maintain security standards through physical and online channels. By assigning digital certificates to authorized identities, departments and even devices, Entrust PKI serves as a trust infrastructure to help improve operational efficiency, help prevent fraud and information breaches and promote secure communication and collaboration on sensitive projects.

L-1 employs financial advisors for possible sale

L-1 Identity Solutions has hired Goldman Sachs & Co. and Stone Key Partners as financial advisors as the company continues to pursue a new owner or ownership model. L-1 is hoping to determine a solution with the help of their advisors that will deliver more value to shareholders. While officials from L-1 have said that the results of the financial advisor assistance may not result in a sale of either the company or one of its divisions, they have not ruled out such a sale.

Diebold, NOAA studying physical and logical access control systems

In an effort to develop a solution for managing universal identities and access to federal facilities and systems, the National Oceanic and Atmospheric Administration (NOAA) and Diebold Inc. are partnering on a study of the requirements and scope for such a project within NOAA. The study will first take a look at the agency’s physical access control and logical access control systems to determine the most effective and financially beneficial means of applying the current or new technology across all of NOAA facilities. The target architecture may require physical access control systems to be replaced and/or upgraded based on a gap analysis. Diebold will also be responsible for putting together a comprehensive project plan and timeline for completion.

BIO-key provides law enforcement two-factor solution

BIO-key announced the deployment of more than 400 FBI compliant, mobile, two-factor authentication devices to the Oklahoma County Sheriff’s Office. The system is designed for use with law enforcement mobile data system users so that they can access the FBI Criminal Justice Information Services (CJIS) databases with collected biometric information. Additionally, the devices allow officers to log on to the CJIS system biometrically, saving them time and removing the need to remember user names and passwords. The new program for Oklahoma County’s law enforcement was made possible due to a Justice Assistance Grant through the Oklahoma District Attorney’s Office.

Novell and idOnDemand partner to deliver single sign-on solution

A new partnership between idOnDemand and Novell produces a PIV smart card and single sign-on solution for secure login systems. The product secures access to corporate IT resources, login through VPNs, and authentication to legacy Internet services, as well as services with SAML and OpenID compatibility. idOnDemand features a pay-as-you-go model allowing small organizations to implement smart card usage in a cost-effective manner.

VASCO introduces DIGIPASS for mobile authentication

The latest version of VASCO Data Security’s DIGIPASS authentication includes DIGIPASS for Mobile software to enable mobile phones to double as authentication devices. The service utilizes one-time passwords (OTP) and digital signatures powered by VASCO’s IDENTIKEY authentication server. DIGIPASS for Mobile addresses the need for employees to have access to enterprise networks and applications from remote locations. The two-factor authentication solution combined with the portability of the mobile phone works to protect a company’s network and data in mission-critical applications.

VeriSign finalizes acquisition of TrustBearer

VeriSign announced the acquisition of TrustBearer Labs LLC, a provider of strong authentication solutions for online applications. The acquisition is anticipated to help VeriSign achieve a broader presence on various Web browsers and platforms. TrustBearer worked with VeriSign during the past year on the development of VeriSign’s Managed PKI (MPKI) product. VeriSign representatives have mentioned embedding TrustBearer technology in the future VeriSign models.

Air Force tests air fueling efficiency

The Edwards Air Force Base in California is in the process of testing an RFID-enabled aircraft identification system that is said to make air-to-air refueling more efficient and economical. A form of inventory control, the test involved a KC-135 fuel tanker and an F-16 Fighting Falcon equipped with RFID tags. Antennas on the fuel tanker scan the F-16 to determine whether the system recognizes it and to accurately gauge the amount of fuel transferred. Currently, when an airplane approaches a tanker for refueling, the boom operator manually records the receiver aircraft’s information. Information for the receiving plane, such as the tail number and squadron, must be visually identified or communicated by radio. This process will allow the boom operator to focus on safely refueling the aircraft, rather than administrative tasks, and is especially useful during night operations and radio silence situations.

South Africa to implement contactless payment for public transit

Aconite Technology Ltd. and Traderoot Africa (Pty) Ltd., its partner in South Africa, are working together to supply a prepaid contactless chip card system for South Africa’s new integrated public transit network. The project, scheduled to go live this summer, will enable public taxi-bus riders to purchase tickets using contactless smart cards or, potentially, NFC-enabled mobile phones.

According to Aconite, replacing cash with smart cards will reduce costs while mitigating fraud and theft, as well as speed up the fare transaction process.

For the system, Aconite will provide its Prepaid Value Manager software to Traderoot for integration into Traderoot’s Universal Prepaid Issuing Platform. The system can manage closed or open-loop smart prepaid payment products that may be accepted in both offline and online point-of-sale terminals. According to Aconite the system is ideal in places where online authorization is impractical, uneconomic, unreliable or non-existent.

The initial pilot launch will deploy 50,000 cards, with numbers expected to reach 2 million in 24 months as the solution is rolled out to all elements of the integrated mass transit network. A target of 10 million cards is expected within 3 years.

Pilot phase of e-health care project begins in Gabon

The desire for greater health care coverage in Gabon and the modernization of the country’s health insurance system remains a persistent goal of the nation’s current president. The first phase of deployment for national e-health cards is taking place one year after Gabon’s national health care body, CNAMGS, announced the selection of Gemalto as the official supplier of cards, personalization services and ID verification systems.

The new e-health care project will deliver cards to the entire Gabonese population. The Sealys Laser-Secured card is made of polycarbonate material that offers a high level of security and durability. It features secure laser personalization within the body creating a protective layer in which data cannot be altered or accidentally damaged. This particular technology has made the card almost impossible to forge. The cards will be used in hospitals, pharmacies and health clinics to prove that an individual has access to care while also ensuring that individual’s data is kept private and secure.

Northrop Grumman develops mobile biometric device

Northrop Grumman announced the release of BioTRAC, a portable and mobile identity authentication device that collects biometric data and authenticates the individual in field-based operations. The device is manufactured by Black Diamond Advanced Technology and is reported to be well suited for use by law enforcement, homeland security and other military personnel. The BioTRAC boasts a rugged design with four high-resolution fingerprint scanners and dual iris capture cameras. Other aspects of the device include a smart card and proximity card reader, GPS, various wireless communications, digital camera, barcode reading capability and the ability to be vehicle mounted.

ASUS netbook to incorporate AuthenTec software and hardware

AuthenTec, a developer of security and identity management solutions, has announced its AES1660 TruePrint smart sensor and accompanying TrueSuite identity management software will be incorporated into computer manufacturer ASUS’ new Eee PC 1018P netbook.

The AES1660 TruePrint smart sensor is a fingerprint sensor designed specifically for use in notebooks and netbooks, and the Eee PC 1018P is the second ASUS netbook to embed the sensor. Additionally, the TrueSuite software that is included in the new netbooks has been designed for use with Windows 7, which also comes with the Eee PC 1018P. Other capabilities of the AuthenTec sensor pertinent to its use in a netbook include one-touch access to digital identity and social networks.

SCM releases CHIPDRIVE MyKey to U.S. market

SCM Microsystems’ CHIPDRIVE MyKey utilizes an encrypted PIN-protected password manager with Microsoft Windows access and compatibility. It has been available in Europe’s security solutions market for more than a year, and SCM has now partnered with online retailers including Amazon, Buy.com and Staples to make the product available in the U.S. The CHIPDRIVE MyKey is a USB stick that allows the user to access secure sites from multiple locations without having to memorize individual passwords. User names and passwords are stored on the smart card chip embedded in the USB device. Another security feature, called Compute Lock, locks the PC when a user removes the USB device. These features, which are compatible with Windows 7, Vista, XP and 2000, are said to be especially practical for notebook users, as they prevent access to all data even if the computer is lost or stolen.


ActivIdentity unleashes credentialing solution for BlackBerry users

ActivIdentity introduced a new mobile security solution for BlackBerry users featuring a secure microSD card that enables users to sign secure e-mails digitally or provide two-factor authentication when accessing protected networks from a remote location. The solution enables public key infrastructure to work naturally at full strength on the smart phone. In the past businesses found it nearly impossible to complete transactions on mobile BlackBerry devices without a way to connect or embed a smart chip and credential to the phone itself. Now there is a secure microSD residing in a smart phone to facilitate the secure transactions. ActivIdentity is working to create smart phone authentication that can control access to Web-based applications and secure access to data and applications from the local network. Additionally the product can be used for mobile banking, merchant transactions, and e-commerce.

Hewlett Packard lands contract to supply Ireland with smart ticketing

Hewlett Packard Ireland has been awarded a contract to operate a smart ticketing system for Ireland’s Railway Procurement Agency (RPA). The project will provide riders with reusable pay-as-you-go smart cards for use on Dublin Bus, Luas, Iarnród Éireann, Bus Éireann and other privately operated services. In addition to supplying the smart cards themselves, HP will be responsible for providing a point-of-sale network in which riders can buy the smart cards and load them up with value, as well as provide customer support services, back office business processing and the upkeep of an ITS website. According to Transport Minister Noel Dempsey, the system will be rolled out in stages this year.

Apple’s new mobile payment solution cuts banks out

Apple’s newly patented mobile payment solution for the iPhone may block banks from reaping the benefits of mobile payment’s long-awaited arrival, says American Banker. While financial institutions were expecting Apple’s new system to rely on debit or credit cards, Apple had its eyes set on allowing customers to use their iTunes accounts to store credit for mobile transactions. In effect, this cuts banks entirely out of the picture, as consumers would be able to use Apple’s solution to buy just about anything through an iTunes account, in addition to swapping cash peer-to-peer. However, American Banker points out that banks may be able to realize their mobile wallet hopes in Apple’s wake. “Bear in mind also that, if Apple drops a technology into a device, others will quickly follow suit,” says Nick Holland, a senior analyst at Aite Group LLC in Boston. “Alt-payments providers should be licking their lips.”

Facebook to use NFC?

Rumors from Facebook’s F8 developer conference have it that Zuckerberg & Co. may be adding NFC-based features to the social networking site, this according to a report from pocket-lint.com. Visitors to the April conference were issued tags to tap in and out of exhibits. Some believe this is Facebook’s way of testing the technology to develop a location tracking feature for the website.

Some imagine a scenario in which a Facebook user’s NFC phone would communicate with the site’s server to tell your friends Google Latitude-style where you are and what you’re up to. If that sounds obtrusive, consider that, if taken to the extreme, the technology could allow Facebook to trace your NFC mobile transactions to tell the world, say, that you just bought a round at Hooters.

Dairy cows tweet via RFID

A herd of dairy cows from the University of Waterloo are using Twitter to communicate their status. The data for the tweets come from a computer operated, cow initiated milking system run via RFID. Each cow wears a tag that communicates with a central computer and coordinates her activities. As she approaches the milking pen, a reader captures the tag and determines whether or not the cow is scheduled to be milked, based on her stage of lactation and average daily output. If the cow is ready for milking, she is allowed into the pen. Once inside, a robotic arm washes her, latches on, and extracts the milk while the cow eats high-grade feed to make her happy. The milk output and feed input are recorded by the main computer and stored in a database, along with the total milking time and total time in pen.

Consult Hyperion funds mobile phone security research at the University of Surrey

Consult Hyperion, an independent UK-based consultancy specializing in secure contact and contactless transactions, is helping fund an NFC mobile payment project at the University of Surrey. Neil McEvoy, managing director of Consult Hyperion, states that the research will be focused on: “acquiring in-depth knowledge of the vulnerabilities of typical and specific mobile phones in order to develop appropriate protections for sensitive transactions.” At the University of Surrey, the project relates to existing research groups in Information Security, according to Consult Hyperion. The research team will be led by Dr. Hans Georg Schaathun, Principal Investigator, who comments: “This is a golden opportunity for us to develop our expertise in a research area with clear economic and social impact on society.”

Adirondack Trust Company launches mobile payments in Upstate NY

Upstate New York-based Adirondack Trust Company is now offering Bling Nation’s mobile payments system to its customers and community. Customers with a checking account at Adirondack Trust can now sign up for a BlingTag, a quarter-sized sticker that is applied to the back of their mobile phone to enable mobile payments. Customers can also use the tag to redeem loyalty incentives from participating retailers and receive transaction and account balance text messages at the point of sale. Participating businesses in the Saratoga Springs, Glens Falls and Ballston Spa area include: the Bread Basket Bakery, the Hungry Spot Café, Impressions of Saratoga, N. Fox Jewelers, Putnam Market, The Chocolate Mill, Saratoga Salsa and Spice Co., Compliments to the Chef, Menges & Curtis and the Country Corner Café. Each of these businesses will be able to set up their own loyalty program in which Bling Nation tracks loyalty activities and accrued points, automatically applying them at the point of sale.

CALENDAR

SEPTEMBER 2010

The Security Standard, September 13 – 14, 2010, Marriott Brooklyn Bridge, New York City, New York

2010 Biometric Consortium Conference, September 21 – 23, 2010, Tampa Convention Center, Tampa, Fla.

Smart Event 2010, September 21 – 24, 2010, Sophia-Antipolis, France

OCTOBER 2010

ASIS International 2010, October 12 – 15, 2010, Dallas, Texas

NOVEMBER 2010

Sixth Symposium and Exhibition on ICAO MRTDs, Biometrics and Security, November 1 – 4, 2010, ICAO Headquarters, Montréal, Canada

ISC East 2010, November 3 – 4, 2010, Jacob Javits Convention Center, New York City, New York

Smart Cards in Government Conference, November 16 – 19, 2010, Washington D.C.

DECEMBER 2010

CARTES & IDentification, December 7 – 9, 2010, Paris-Nord Villepinte Exhibition Center, Paris, France

FEBRUARY 2011

RSA Conference USA 2011, February 14 – 18, 2011, Moscone Center, San Francisco, Calif.

APRIL 2011

ISC West 2011, April 5 – 7, 2011, Sands Expo and Convention Center, Las Vegas, Nev.

18th Annual NACCU Conference, April 17 – 20, 2011, Marriott Waterfront Hotel, Baltimore



Health Care’s IDENTITY Crisis

Secure patient ID is key to curbing medical identity theft and protecting electronic records

Zack Martin, Editor, AVISIAN Publications


The health care industry is in the process of switching from paper to electronic medical records. President Obama set aside more than $19 billion for health care providers to deploy the electronic records in order to streamline health information. But with the transition there are concerns about linking the correct electronic record to the correct patient. Linking to the wrong record can lead to misdiagnosis and medical complications.

According to the independent health care ratings organization HealthGrades, more than 195,000 deaths occur annually in the United States because of medical errors. Almost 60% of these deaths were attributable to a failure to correctly identify the patient, according to a Smart Card Alliance white paper.

“If a billing company makes a mistake on a charge it gets denied,” says Paul Contino, CIO at Mount Sinai Medical Center in New York, which has a smart card ID system. “When a doctor is looking at an integrated set of information and making a decision based on the clinical information the stakes are a lot higher. It’s not just about shuffling paperwork, it’s about health care and saving lives.”

Proper identification will become more important as Health Information Exchanges start emerging around the country. The idea behind these regional networks is to enable properly authorized physicians to find medical information about a patient without jumping through multiple steps, as they must now.

Electronic medical records are coming, but some fear they are coming too fast. Without standardized ways to identify patients, the identification and privacy challenges raise concerns about the rate at which the systems are being deployed. “The pot of gold is that everyone gets an electronic medical record, but there’s a pitchfork sticking up because you need to make sure someone is properly identified,” says Contino.

But when it comes to figuring out how to identify patients there are more questions than answers. How do health care institutions properly identify patients? Who does the enrollment, vetting and issuance of the credential?

Combating medical identity theft

Connecting the right electronic medical record to the right patient may be the primary reason strong identification is needed in health care, but there is also the growing health care identity theft issue. Nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion – or approximately $20,000 per victim, according to a recent study by the Ponemon Institute, an independent research entity focused on privacy, data protection and information security policy.

“Many authorities consider medical identity theft one of the fastest growing crimes in America,” states a report from the Smart Card Alliance. “With the digital age of health care upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlights the importance of having secure electronic medical identities.”

Patients whose medical identities are stolen face various, long-lasting effects. Fraudulent health care events can leave incorrect data in medical records. That data – like information about tests, diagnoses and procedures – can impact future health care and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

The way to stop medical identity theft and identity confusion is to improve patient identification and provide enhanced data protection. Strong authentication and data encryption are methods that can achieve these goals, the Alliance report states. “To address medical identity theft, solutions need to provide higher levels of assurance than today’s processes, whether the interactions are in person or remote. Identity management is a crucial foundation for health care, and solutions that incorporate smart card technology can be used to address the security and privacy challenges facing the industry. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards and technology solutions for smart card-based identity management and authentication that can be adapted to and leveraged by the health care industry.”

Why electronic records?

Electronic medical records are supposed to streamline health care and make it more efficient, enabling all the various health IT systems to be seen in one place instead of having multiple pieces of paper floating around. The systems could also potentially lower costs by reducing duplicate laboratory tests and other unnecessary procedures.

There’s also one camp that says electronic medical records can be privacy enhancing. With paper-based systems many parties with unauthorized access can view records without leaving a trail. With an electronic system that view would be audited and role-based security could even prevent unauthorized views, says Dr. Robert Wah, chief medical officer and vice president of CSC’s North American Public Sector business unit. “Some systems have tokens, ID cards or other devices and the system grants them access to information based on their role,” Wah says. For example, a registrant would only have access to appointment data whereas a physician would have access to medical information.

Health care institutions need to make sure that these security systems are put in place but a primary concern of those in the identification industry is how patients are identified. Duplicate and incomplete records can lead to misdiagnosis or incorrect treatment.



Contino says patient safety may be compromised in the rush to deploy electronic medical records because of the $19 billion from the federal government. He fears proper security and privacy controls may not be put in place. “You need to have security first,” he says, “and that only happens by having a person properly identified.”

Establishing guidance and standards

There are efforts underway to create standards that health care organizations can use for security. The Cybersecurity Enhancement Act of 2010, passed by the U.S. House of Representatives, also mentioned health care. The bill states that a program should be set up that would support the development of standards around identity management, with a particular focus on health care. The U.S. Department of Health and Human Services (HHS) has the Office of the National Coordinator for Health Information Technology leading these efforts. While no specific technologies or standards have been released, some high-level recommendations have been trickling out. The National Health Information Network Working Group made some recommendations to the Health IT Policy Committee, one of which stated that existing federal standards, policies and practices for authentication and identity proofing should be used. HHS has also asked the National Institute of Standards and Technology (NIST) to look into protecting personal information in health care.

Enter PIV

Such recommendations to make use of existing standards, coupled with HHS’ request to have NIST investigate the issue, have some suggesting smart cards, and more specifically the PIV-Interoperable (PIV-I) standard, may be the answer for health care ID. “The government spent four years coming up with the standard [PIV-I], policies and operational systems and as a result you have something that works,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “The foundation has been built and the health care industry should look at what’s already in place before creating something new.” PIV-I credentials are starting to be issued to first responders, including some physicians, as part of the First Responder Authentication Credential program through FEMA. Because of this many in the smart card market feel that it’s a natural fit. Federal agencies have issued millions of PIV credentials. Officials from Health and Human Services have been briefed on PIV and PIV-I and the information has been well received, Vanderhoof says.

Health IDs at the national level

Smart cards and biometrics are being touted as two solutions for patient identification.

Why electronic medical records and health information networks?

Interoperable health IT can improve individual patient care in numerous ways, including:
• Complete, accurate, and searchable health information, available at the point of diagnosis and care, allowing for more informed decision making to enhance the quality and reliability of health care delivery.
• More efficient and convenient delivery of care, without having to wait for the exchange of records or paperwork and without requiring unnecessary or repetitive tests or procedures.
• Earlier diagnosis and characterization of disease, with the potential to thereby improve outcomes and reduce costs.
• Reductions in adverse events through an improved understanding of each patient’s particular medical history, potential for drug-drug interactions, or (eventually) enhanced understanding of a patient’s metabolism or even genetic profile and likelihood of a positive or potentially harmful response to a course of treatment.
• Increased efficiencies related to administrative tasks, allowing for more interaction with and transfer of information to patients, caregivers, and clinical care coordinators, and monitoring of patient care.
Source: HHS



Both have numerous deployments but neither is the clear winner in the U.S. Smart cards have been in use in Europe and other parts of the world for health care IDs for more than a decade. The French health ID, the SESAM-Vitale, has been a smart card since 1998. The country is currently issuing its second version of the card, which is used by both the patient and the physician to access health records and confirm identity for service.

Germany also had plans to issue smart cards as health IDs to its citizens, but the project is currently on hold. The plan was to issue 80 million smart cards that would be used for insurance verification and to store emergency health care information and prescription data. The program was put on hold because of privacy concerns. Smart cards are continuing to be issued in specific areas but will only contain basic patient data, insurance status and a photograph. A set of emergency health data will only be included if the patient has agreed to have it added to the card.

Health IDs at the local level

Though national health IDs are not the norm, regional or private implementations can be found around the world. In the U.S. the Mount Sinai Medical Center is rolling out version two of its smart card patient ID this summer, Contino says. The medical center is working with Trustbearer Labs and EXTENSIONS INC. on the current smart card system. The new system is Web-based and doesn’t require any software installation on individual computers, Contino says. The EXTENSIONS system integrates with all of Mount Sinai’s other health care IT systems, such as radiology, lab and others, to give one view of the patient based around the smart card. The EXTENSIONS system will also update the card with any new information after an episode of care.

The EXTENSIONS appliance aggregates the information from the health care organization’s systems, massages the data and enables it to be delivered to end point devices, such as kiosks, PCs and even mobile readers, says Todd Plesko, CEO at EXTENSIONS Inc. This is Mount Sinai’s second go-around with a patient ID system, Contino says. He had worked with Siemens previously but the company discontinued its smart card health care business. The medical center has more than 10,000 cards issued, a mix of old and new credentials, Contino says. Mount Sinai has ordered 100,000 new cards to begin large-scale issuance this summer. There is a chance the rollout could get delayed, however, because the institution is also in the midst of rolling out an electronic medical records system. The systems are in place, Contino says. There are 50 different locations equipped with Web cams for pictures, smart card printers and software. “We’ll probably take a phased approach,” he says. “We have a lot of venues, clinics, ambulatory environments … we’ll find a place where the electronic medical record has already been deployed or won’t be deployed for a while and start there.” The purpose of the smart card is to make sure the health record is connected with the correct patient, Contino says. When a patient walks into the hospital or a clinic this can be difficult. “The typical process is asking 20 questions to make sure you have the right person and the right record,” he says.

The problem is that registration can sometimes be a hurried process, and if the registrant can’t find the record easily they may just create a new one or, worse, link to an incorrect record, Contino says.

The smart card alleviates this problem. The patient’s picture is printed on the card along with their full name and a bar code that points to their medical record number. A contact chip, when inserted into a reader attached to a computer, brings up the medical record. “The chance of a new or duplicate record being created is virtually eliminated,” Contino says. The card stores a limited electronic medical record, Contino adds. The card has a 64K capacity, equivalent to 24 pages of text, he explains, but Mount Sinai is only storing a snapshot of emergency medical data on the card.

While smart cards seem like a good solution for health care ID there are some concerns about who issues the card. Mount Sinai, the health care provider, decided to roll out a system because it had a specific concern regarding the identification of patients, but other providers may not feel the same way or want to spend the money to deploy credentials, says Neville Pattinson, vice president of government affairs and business development at Gemalto North America.

An individual may not be loyal to one medical provider, seeing a general practitioner from one group and an orthopedic provider from another group, Pattinson explains, suggesting that it makes more sense for the health care insurer to take this on. “Insurers are already issuing cards and already have a way to do this where it can be trusted,” he says.

Pattinson says the card would most likely be protected with a PIN. “I don’t think it would be a biometric,” he says. “A PIN is much more achievable than enrolling biometrics.”

Biometrics as an identifier

Biometrics, however, are catching on in certain health care areas. Palm vein scanners are being used in patient identification solutions, with both the health care organizations deploying them and the patients using them enjoying the application, says Jim Hewitt, CIO at the Springfield Clinic in Illinois.

During a pilot and initial rollout at Springfield, the technology performed very well, handling 20,000 encounters with no support issues, explains Hewitt. The group’s 22 clinics will be rolling out 50 palm vein-enabled automated check-in kiosks in the spring and early summer, Hewitt says. The first time a patient walks in before enrolling in the system they go to the reception desk and the system is explained to them. At that point a picture is taken of the patient as well as the palm vein scan. After enrolling the patient can then check in for appointments using the kiosks.

By placing their hand over the scanner the patient’s health summary, maintenance plan and picture are pulled up on the screen in less than a second. Next the patient selects the appointment they are there for and check-in is complete. “The average check-in time was five minutes and now it’s just 90 seconds,” Hewitt says.

The response from patients has been positive. “I’m surprised at how willing people were to use the biometric,” Hewitt says. “There’s wonderment of putting a hand down and having access to all that information. That’s what’s neat for the patient.”

The clinic is also able to capture payment information upon check-in: the patient just swipes a credit or debit card after checking in and the copay is paid. “We get direct payment into our accounts and don’t have to worry about bounced checks,” Hewitt says. The Springfield Clinic had been surveying patients to find out what they like and don’t like about the clinics. Coming in low on those surveys was the check-in process, where patients were required to fill out the same forms multiple times, make repeated trips to the desk and endure long wait times. By deploying the kiosks the clinic was able to standardize check-in for all patients.

The SESAM-Vitale system links health care professionals with the health insurance administration. The first generation card was a family social security card that only contained information included on the paper social security card.

According to SESAM-Vitale supplier Gemalto, the system includes nearly 60 million cards and more than 225,000 healthcare professionals use it for data exchange.

Version two of SESAM-Vitale is a smart card that offers up-to-date standards in terms of security and enables stronger identification of beneficiaries. The new card is designed to simplify administrative procedures, increase transaction security and speed reimbursements.

It also contains additional information, such as details of attending physicians, people to contact in case of emergency, authorizations for organ donation and insurance policy details. Furthermore, the Carte Vitale 2 includes a photograph of the insured individual. The addition of the digital photograph is expected to help slash fraud. In total, 59 million cards are to be issued by the end of 2010.

How health information exchanges fit in

Identifying patients when they show up to their doctor’s office is a challenge, but regional health information exchanges may ease this and other processes. The plan is to connect hospitals, group practices and clinics into regional data sharing bodies to create efficiencies. But it’s at this point where the identification problem is amplified. A hospital may have 15 or 20 Joe Smiths, but when you expand that to a city, county or even a state that number can be hundreds or even thousands. Making sure the individual is properly identified is crucial. Also important is making sure that only authorized individuals have access to the patient information. Privacy advocates are concerned that making individuals’ health information available in a network will be a problem, says Paul Contino, CIO at Mount Sinai Medical Center in New York. But in order for physicians to work together quickly and efficiently there needs to be some sort of connection. “I’m all for security and privacy but I want it to work for me and I want to be able to exchange information with my doctors,” Contino says. There can also be a perspective switch depending on the patient’s health. “You ask a healthy person about sharing information and they’re up in arms but then you ask a sick person if they want the information linked and they’ll say yes,” Contino says. The Health and Human Services Office of the National Coordinator has come out with some specifications for health information networks. Encryption should be required for personal health information and there should not be a single national infrastructure for health ID. “We want to form data islands,” says Dr. Robert Wah, chief medical officer and vice president of CSC’s North American Public Sector business unit. “And we want to make sure we can connect the data islands so we can make better decisions about health care.” But putting these linkages in place is the problem. “If you have a bunch of encrypted silos it doesn’t help,” Contino says. “I’m a New Yorker and I break my leg in California … how is that doctor going to be able to get my information?” Wah says that some “rules of the road” must be put in place. “We need some basic agreement on identifying information,” he says. If basic identification rules can’t be created there will be problems, Contino says. “Institutions like Mount Sinai have a hard enough time identifying patients,” he explains, “imagine doing that with 20 more hospitals.” Physician identification is another important aspect of health information exchanges. HealtheLink, a health information exchange for eight counties in western N.Y., recently implemented a two-factor authentication system from Anakam. HealtheLink mandated that physicians use two-factor security to access the network, says Dan Porreca, executive director at HealtheLink. Physicians go to a Web portal and log in with a user name and password. Based on that they will receive either an email or text message on a mobile device with a second pass code for access to the network.

Dr. William Braithwaite, chief medical officer at Anakam, says this solution works and is inexpensive. “You don’t have to deploy and manage any hardware devices,” he says. “We’re not handing out key fobs with numbers on them, and we’re not downloading software. What that allows you to do is it takes away the cost of buying and managing all those extra hardware devices or software downloads, and it allows you as a user to log in from any device with access to the Internet.”

Electronic medical records are supposed to enhance patient privacy and enable them to receive better care. They also offer a number of new efficiencies for patients and physicians. Making sure these records are properly secured is a key step in order to make sure that the migration to electronic records actually delivers on the promise. Whether smart cards, biometrics or other identification technologies are ultimately employed, it will be crucial that a system of strong authentication be put in place to help solve this health care identity crisis.



White House seeks online authentication standards

President Obama recently created a group called the National Strategy for Secure Online Transactions to produce a framework that may lead to U.S. citizens using strong authentication when conducting business on the Internet.



The vision of the group is to: “improve the trustworthiness and security of online transactions by facilitating the establishment of interoperable trust frameworks and implementation of improved authentication technology and processes for all online transaction participants, across federal, civil and private sectors.” The rise of identity theft and growing concerns around cybersecurity are the reasons behind the group’s activities. It will work with government officials, industry and citizens to create a framework for online authentication that may require more than user names and passwords for transactions and access to secure sites. A draft of the potential framework was circulating in April, but White House officials were keeping a tight lid on the document. The first official draft is expected to be delivered by late May with a final draft on the president’s desk by Labor Day. A report from Unisys released in April stated that consumers are concerned with protecting their identity but aren’t sure how to do it. Giving up private information was a concern for survey respondents. Almost two-thirds of those surveyed are seriously concerned about their private information being misused. While there has been an apparent shift from “very” to “extremely” concerned, overall, the level on this issue has remained high and consistent since 2007.

Concern about identity theft

Identity theft along with national security are Americans’ #1 area of concern. In the first half of 2010, almost two-thirds (64%) are seriously concerned about the issue of identity theft.
• Not concerned: 15%
• Somewhat concerned: 20%
• Very concerned: 33%
• Extremely concerned: 31%
Source: Unisys

“People are concerned about identity theft and credit and debit card fraud,” says Mark Cohen, vice president of enterprise security at Unisys. “We’re seeing recognition that consumers know their identity is valuable and it’s hard to protect identity data.”

The strategy proposes:
• Ubiquitous availability of recognizable, credible, and interoperable identity media to the general public.
• Further development of interoperable standards for authentication of people, devices, software, and data.
• Protection of personal privacy and identity information when collected.
• Reduced financial losses and improved recovery from identity fraud.
• Increased consumer confidence in online transactions.
• Availability of e-government services for citizens and industry at the Federal and State level.
• Overall increased efficiency and improved user experience – fewer passwords, more online services, and reduced dependency on paper transactions.

Documents state that the end result will be a partnership between the public and private sectors. The identity services will also be tailored to a market, for example health care, taxes, online banking, energy utilities, etc. An idea that’s been floated involves the creation of businesses where citizens can go, be vetted and then receive some type of authentication token, be it a smart card, one-time password or digital certificate on a computer.

Such a service would likely offer consumers the ability to choose the level of identity assurance desired. The levels could be the same as for FIPS 201, with level one offering no identity assurance and level four guaranteeing high identity assurance. The level of risk for a particular transaction would correlate with a different identity assurance level. For example, filing taxes online would require a level four assurance while checking news sites would require level one. When it’s all said and done, the National Strategy for Secure Online Transactions intends to:
• Foster the creation and adoption of federated identity frameworks that use a variety of authentication methods.
• Encourage the use of authentication methods with well-understood security, privacy, usability and cost characteristics.
• Encourage the use of authentication methods resistant to known and projected threats.
• Provide a general trust model for making trust-based authentication decisions between two or more parties.
The strategy will apply to government-to-citizen, consumer-to-business, business-to-business and other transactions.

Whether this solution will be an end result is not yet known. There are concerns about liability and privacy if private companies are handling this information.

Technologies that consumers may use for online ID

President Obama wants people to be better secured when using the Internet. The rising costs and concerns over identity theft as well as weak cybersecurity have caused the president to task a group with finding solutions to the online identification problem. Obama’s group, the National Strategy for Secure Online Transactions, may eventually recommend ways for consumers to be vetted, some type of background check, and a technology they can use for better security when conducting business online. The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.

For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security. The more factors, the better the security.

It’s not yet known what the National Strategy for Secure Online Transactions group will recommend for consumers, but potential technology options include:

One-Time Password tokens

In some parts of the corporate world these tokens, which sometimes look like key fobs, are standard issue. Individuals request access to a system or resource (e.g. a secure Web site) and then hit a button on the token to generate a one-time pass code to enter with the transaction. Because a legitimate pass code can only be created by the user’s token, this creates a second factor of authentication, something you have. These tokens come in a variety of form factors including key fobs and standard ID cards with embedded displays. Some of the vendors also have released applications that enable users to get the pass code from a smart phone instead of having to carry around a dedicated token.

Digital Certificates

An individual certificate can be stored on a USB drive, secured on a smart card or downloaded directly to a personal computer. A Web browser can then automatically check the certificate along with user name and password to enable Web sites for two-factor authentication. If a consumer uses multiple computers to conduct transactions they will have to load the certificates on all those PCs or carry certificates with them via a token or smart card.

Smart Cards

Microprocessor smart cards have been around for a long time and are being issued by the U.S. federal government for employee credentials. Computer manufacturers have started to include smart card readers in some laptops as the cost of adding one to a PC is nominal. Using smart cards for access to computer networks is a pretty standard task, but if the committee decided to go with smart cards and Public Key Infrastructure (PKI) it could get a bit more complicated. Deploying a national PKI would be complex and expensive, though in the long run it may be the best and most secure option because PKI is one of the most secure technologies available, officials say.

Biometrics

Although some computer manufacturers are embedding fingerprint scanners into laptops, this is most likely a long shot for a nationwide secure authentication solution. Readers are not inexpensive and few biometric modalities have made it to the desktop to this point.

Smart Phones

Some government officials see mobile devices as the key for online authentication. People will leave the home without a wallet or ID badge but rarely do they forget their mobile phone. With Near Field Communication (NFC) on the horizon it could be identification rather than payments that brings the technology to the forefront, some officials say. NFC enables a mobile device to transmit information using the same protocol as contactless smart cards. The snag in this plan is that most PCs aren’t equipped to read contactless smart cards or NFC. But could the smart phone connect via USB or another protocol until contactless readers are embedded in computers?

After the committee finishes its work it’s likely a combination of these technologies will be recommended. Consumers may be able to choose the technology they want to use. At that point the more interesting questions will be how consumers are vetted and how the tokens/certificates/cards are to be issued.
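The sidebar’s claim that “a legitimate pass code can only be created by the user’s token” rests on a shared secret and a counter that both the token and the verifying server track. The following is an added example, not code from the magazine or from any token vendor it names: it implements the counter-based one-time password of RFC 4226 (HOTP) on both sides, together with the server-side look-ahead window that resynchronizes a token whose button was pressed without logging in, and the counter advance that stops a captured code from being replayed. The secret is the RFC 4226 test-vector key, used only so the output is checkable; real secrets are random and provisioned per token.

```python
"""Counter-based one-time passwords (HOTP, RFC 4226), token and verifier (added example).

Shows the property the sidebar states: the code is a keyed HMAC over a counter,
so only the holder of the token secret can produce it, and the verifier's
counter advance makes each code single-use.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key (20 ASCII digits). Not a production secret.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for an 8-byte big-endian counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """Client side (the key fob): each button press advances the counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """Server side: shared secret plus the next counter value it expects."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        """Accept a code matching any of the next `look_ahead` counters.

        On success the stored counter jumps past the matched value, so that
        code and every earlier one are rejected from then on (replay defence).
        A short window bounds the cost of resync and the guessing surface.
        """
        for i in range(self.look_ahead):
            c = self.counter + i
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1
                return True
        return False


def scenario() -> dict:
    """Normal login, resync after stray presses, replay of an old code, and a guess."""
    token = HotpToken(RFC4226_SECRET)
    server = HotpVerifier(RFC4226_SECRET)
    first = token.press()                           # counter 0
    ok_first = server.verify(first)
    token.press(); token.press()                    # counters 1 and 2 generated, never sent
    ok_after_skip = server.verify(token.press())    # counter 3: inside the look-ahead window
    replay = server.verify(first)                   # counter 0 again: must be rejected
    guess = server.verify("000000")                 # random six digits: 1-in-10^6 per window slot
    return {"ok_first": ok_first, "ok_after_skip": ok_after_skip,
            "replay": replay, "guess": guess, "server_counter": server.counter}


if __name__ == "__main__":
    print(scenario())
```

A deployment would add rate limiting on failed attempts, since the look-ahead window multiplies the guessing odds by its size, and would store the per-user counter and secret with the same care as a password hash. The same verifier shape applies to the SMS or email pass codes mentioned earlier in the article, except that there the server generates the code itself and the “counter” is simply an expiry.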



Registered traveler program remains ‘Clear’ after acquisition

The registered traveler program may be getting another chance: Alclear LLC has bought the assets of the Clear program and intends to re-launch at airports in September, company officials say.

Verified Identity Pass had deployed its Clear program at 20 airports around the country when it was shut down in June 2009 with virtually no notice. There were two other vendors also operating registered traveler programs that ceased operations shortly thereafter.

The idea of using biometrics and smart cards for secure, expedited access through airport security came about after the 2001 terrorist attacks. Clear emerged in 2005 and had attracted a reported 250,000 customers when it folded last year. The idea remains popular with some members of Congress. A bill passed late last year by the U.S. House of Representatives that is pending in the Senate would require the Transportation Security Administration to put the program in place.

Consumers are also interested in using biometrics at airports, according to the Unisys Security Index. Some 57% of travelers would be willing to submit biometric data for enhanced security and convenience. “The majority of people understand the implicit bargain in giving up their information,” says Mark Cohen, vice president of enterprise security at Unisys. “Our impression is that there’s a reasonable degree of confidence that the information will be respected and protected.”

Several potential buyers competed for the assets of Clear but Algood Holdings won out with a bid around $6 million. The new company, Alclear, will use the Clear brand, says Caryn Seidman Becker, CEO at Alclear and founder of Arience Capital Management. “Same brand, same logo, different company,” she says. Former customers will begin receiving notification about the program in May. The new company intends to honor any time remaining on customers’ previous contracts when it begins operations again. “If you had six months left you will have six months for free under the new Clear,” says Seidman Becker.

The program will continue to use a smart card along with fingerprint as the primary biometric and iris as a backup. Alclear is also looking at opportunities to make the credential interoperable with government IDs, such as the Defense Department’s Common Access Card and other FIPS 201 credentials.

Alclear would like the credential to be accepted at more places than just airports, but the focus is on getting back up and running there first, says Seidman Becker. “The more usage you can drive from the card the better off the customer is,” she says.

The company is working on reestablishing relationships with the airports and creating a partnership with the TSA. One of the criticisms of the program previously was that registered traveler wasn’t a security program but a front-of-the-line program. Alclear is focused on convenience for its customers but it also wants to increase security for the airports, Seidman Becker says. “Our value is the secure ID and giving people predictability at the airport,” she adds.

The evolution of registered traveler

• November 2001: The Aviation and Transportation Security Act is signed into law, requiring federal screening of passengers and calling for rules for a trusted traveler program, later to become registered traveler, for passengers who undergo prescreening for expedited access through security.
• November 2002: The U.S. Government Accountability Office issues a report on a potential registered traveler program stating that while it “found support for this program among many stakeholders, GAO also found concerns that such a program could create new aviation security vulnerabilities.”
• June 2003: TSA, United Airlines and U.S. Customs pilot a registered traveler program between Washington’s Dulles International Airport and London’s Heathrow Airport that uses fingerprints and facial recognition.
• June 2004: The TSA taps Unisys Corp and EDS Corp to pilot registered traveler at Houston, Minneapolis, Los Angeles, Boston and Washington airports.
• June 2005: During a U.S. House of Representatives hearing, airline executives call into question the value of the registered traveler program, with one congressman calling it “lame.”
• August 2005: EDS and Unisys make the program interoperable so travelers registered at one airport can use it at the other.
• September 2005: Steve Brill, through new company Verified Identity Pass, launches the Clear program at Orlando International Airport with more than 8,000 travelers enrolled.
• November 2006: Vigilant Solutions launches a registered traveler program based out of Jacksonville International Airport in Florida.
• January 2007: FLO Corp., a subsidiary of SAFLINK, launches to develop a registered traveler program.
• October 2007: FLO buys Unisys’s registered traveler assets.
• July 2008: The TSA stops requiring background checks for the registered traveler program, effectively, many contend, making it a “front of the line” program and not a security program.
• June 2009: Clear shuts down, causing competitors FLO and Vigilant Solutions to also cease operations.
• December 2009: Preparing for a comeback, FLO announces an agreement with Cogent Systems to leverage Cogent’s national network of 1,000 biometric enrollment locations for frequent travelers to enroll in the TSA-sponsored RT program.
• September 2010: Clear re-emerges under new ownership.



Strong user authentication in self-encrypting drives
Lark Allen, Executive Vice President, Wave Systems Corp.

The flood of worldwide laws and regulations regarding privacy and data protection, along with escalating penalties for breaches and violations, has made full-disk encryption a required capability in PCs. Once all the data on a disk drive has been encrypted, including the operating system, one of the technical challenges for full-disk encryption is how to provide a mechanism for authenticating authorized users before ‘unlocking’ the drive in order to boot the system and provide access to the user data.

Software-based full-disk encryption applications have been around for many years. Typically, software-based encryption solutions provide pre-boot authentication software, which modifies the master boot record and the operating system in order to gain control of the system at power up. Authentication is performed by the PC before control is passed to the operating system. The authentication software then provides support for a range of authentication options such as passwords, biometrics and smart cards. Once authentication has taken place, the encryption key is made available to decrypt the disk drive and give control of the drive back to the operating system to boot.

Several of the challenges with this approach include the requirement to modify the core operating system and security exposures associated with a wide range of attacks aimed at capturing the authentication credentials or the encryption keys, or modifying the pre-boot software to gain access. Separate from the authentication challenges, software-based full-disk encryption faces traditional disadvantages like degrading PC performance, administrative headaches for the IT personnel who must deploy and manage the software and manage encryption keys, and the complexities associated with the software working with core system functions, other security applications, and system tools and utilities.

Several years ago, the Trusted Computing Group – an open industry standards organization engaged in creating security hardware specifications – tasked a work group comprised of the major disk drive companies and storage software vendors to create an open specification for adding encryption capabilities into the hardware of storage devices. The group also had to define a new approach for user authentication to the drives. In 2009, the organization published three specifications associated with self-encrypting drives. These include a specification for client drives (Opal Subsystem Class), a specification for data center drives (Enterprise SSC) and a drive interface specification. All have now been implemented in drives.

How self-encrypting drives work


The security model for the drive is very straightforward: when power is removed from the drive, it is locked. When the user shuts down the system or a drive is removed, it automatically locks. How does this work? Encryption hardware is added to the drive controller, providing encryption/decryption of all user sectors of the drive. The drive operates at its full media speed, with no impact on throughput or performance. Encryption is always on and cannot be turned off by the user. The drive controller generates the encryption key internally; therefore, it never leaves the drive and thus does not need to be backed up, recovered or managed, unlike traditional software encryption. To erase the drive, an administrator merely deletes the encryption key, a process that takes less than one second and renders any data unavailable. The drive will automatically create a new encryption key, and new data can immediately be written to the drive under the new key.

All current self-encrypting drives use AES 128- or 256-bit encryption keys using standard algorithms that are FIPS 197 certified. In the design of the cryptography, secrets such as encryption keys and passwords are never held or stored in the clear. They are typically hashed, so if the drive is stolen, there is no way for the thief to get the secrets out of the drive. The only way to access data on the drive is to have the credentials to unlock it.

Authenticating users to self-encrypting drives

Self-encrypting drives have two modes of operation. The first is a standard ATA mode in which the drive functions as any standard drive, including the use of the ATA security commands for setting a user and a master password, assuming the PC BIOS has been enabled for that function. The passwords are set by going into the BIOS setup, turning on the hard drive password, and setting the passwords. This function has been generally available for many years and does not change for the ATA mode of self-encrypting drives; however, it is not standardized, is only for individual users, and has known security exposures.

The new self-encrypting drives required a different approach: to be highly secure, independent from the operating system, support all the authentication capabilities enabled by software encryption, and provide support for multiple users and administrators, each with their own unique credentials and unique authorized functions. To achieve this, drives based on the new specifications provide secure areas of storage called Security Providers. These are not included within the user area of the drive and are intended for storing software and other secure information. Normal disk tools and utilities for formatting, erasing, etc. cannot see these protected areas, nor can they make any changes to them. This secure storage is fully protected from an access standpoint so that only ‘authorized’ software or parties can access it. The largest of these secure partitions is up to 128 megabytes and is designed to store a pre-boot operating system whose primary function is to provide device support and user interfaces for the various authentication devices in the platform, such as the keyboard, biometric sensors and smart card readers.

Self-encrypting drives are shipped in the normal ATA mode; however, using management software designed to provide full life cycle services for self-encrypting drives, the user or enterprise can subsequently ‘initialize’ the drive in order to enable the advanced functions. When a self-encrypting drive is initialized, the new advanced security functions defined by the Opal specification are activated in the firmware. The management software loads a pre-boot OS into the protected area, which becomes a ‘shadow’ or ‘alternate’ master boot record. Finally, users and administrators, identified by their normal domain/user ID in an enterprise directory, are assigned to the drive, along with their initial passwords.

With Opal drives, depending on the vendor, you can have 4-24 users and 4-8 administrators assigned to each drive, with a range of defined capabilities. For most users, the only functions they are allowed to perform on the drive are to authenticate for unlocking and to change their passwords. They cannot add other users or disable drive locking. All appropriate security General Policy Objects, such as changing the pre-boot, adding users or disabling drive locking, require an administrator. This level of drive control provides much better enforcement of policies for compliance assurance reporting. The management software makes setting up self-encrypting drives easy and enables them to be integrated into enterprise identity and access management systems. Many software programs for these self-encrypting drives also supply a centralized server management capability for IT control of remote drives in user machines.


Authentication in operation

When a user powers up a PC with an enabled self-encrypting drive, the drive firmware defaults to the ‘shadow’ master boot record, which automatically loads the pre-boot OS into the system from the protected area on the drive. This is a highly secure solution, since alteration of the pre-boot OS is very difficult to do by any known attacks or hacks, and there are no other processes running in the system during this time, so keystroke loggers and other attacks are highly unlikely. The pre-boot OS guides the user through entering their credentials and provides strongly authenticated, high-assurance unlocking of the drive.

Currently, self-encrypting drives only accept passwords for user authentication to the drive. However, these passwords can be up to 32 characters long and support the typical complexity approaches. In order to have multi-factor authentication to drives, the pre-boot operating system from the drive management software vendor must support the multi-factor capabilities in its software and/or the hardware features integrated into the PC platform by the manufacturer. Moving forward, the drives will also support PKI certificates, but the support for biometrics, smart cards, etc. will remain in the pre-boot operating system.

One PC maker, which has integrated support for both a full range of authentication devices and self-encrypting drives, provides an excellent implementation of multi-factor authentication to the drives. The PC has a hardware crypto vault for storing passwords in a security chip on the platform. Fingerprints are authenticated in hardware. Smart cards, both contact and contactless, are hardware supported in the platform, and the Trusted Platform Module (TPM) chip in the PC also protects credentials. The management software shipped with the platform manages both the authentication devices and the self-encrypting drives.

For multi-factor authentication, once a user has successfully presented their tokens, fingerprints, PINs, etc. and has been authenticated in the pre-boot firmware, a drive authentication password is released from the crypto vault and securely sent to the self-encrypting drive. The drive, since it does not store the passwords, only a hash of the passwords, authenticates a hash of the password and, if successful, uses this to decrypt the media encryption key, thus ‘unlocking’ the drive. The drive will immediately begin decrypting the master boot record, OS and user data, and the system will boot normally. The authentication process, done in hardware, is very fast and normally takes only several seconds to unlock the drive and continue on to booting the system in a normal fashion. Since encryption happens at the hardware level, it is completely transparent to the rest of the system and secure. As an option, the strong authentication transaction can be passed from the protected self-encrypting drive and then used for single sign-on and access to other key resources in the enterprise network or on the Internet.
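The lock-on-power-loss, hashed-credential, user/administrator and crypto-erase behaviour described in this article, as an added Python model; it is not the article’s, Wave Systems’ or the TCG’s code. The salted-verifier layout, the drive key-encrypting key (KEK) and the XOR wrapping in place of AES are my assumptions for the model, not details the article gives.

```python
# Toy model of the Opal-style access control described above: an added illustration, not drive
# firmware and not Wave Systems or TCG code. Assumed (not from the article): salted PBKDF2
# verifiers, a drive key-encrypting key (KEK) wrapped per authority under a password-derived
# key, the media key (MEK) wrapped under the KEK, and XOR 'wrapping' standing in for AES.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; 'purpose' keeps the verifier and the wrapping key distinct."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, 50_000, 32)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Authority:
    role: str           # "admin" may enrol others and crypto-erase; "user" may only unlock
    salt: bytes
    verifier: bytes     # salted hash of the password; the password itself is never stored
    wrapped_kek: bytes  # KEK wrapped under a key derived from this authority's password


class SelfEncryptingDrive:
    def __init__(self) -> None:
        self.authorities: Dict[str, Authority] = {}
        self.media: Dict[int, bytes] = {}           # sector number -> ciphertext only
        self._wrapped_mek = b""                      # the MEK is never at rest unwrapped
        self._session_mek: Optional[bytes] = None    # present only while unlocked

    def locked(self) -> bool:
        return self._session_mek is None

    def _enroll(self, name: str, password: str, role: str, kek: bytes) -> None:
        salt = os.urandom(16)
        self.authorities[name] = Authority(
            role, salt, derive(password, salt, b"verify"), xor(kek, derive(password, salt, b"wrap")))

    def initialize(self, admin: str, password: str) -> None:
        kek, mek = os.urandom(32), os.urandom(32)   # both generated inside the controller
        self._wrapped_mek = xor(mek, hashlib.sha256(kek).digest())
        self._enroll(admin, password, "admin", kek)
        self._session_mek = mek

    def authenticate(self, name: str, password: str) -> Optional[bytes]:
        # Compare against the stored verifier; on success unwrap and return the KEK.
        a = self.authorities.get(name)
        if a is None or not hmac.compare_digest(a.verifier, derive(password, a.salt, b"verify")):
            return None
        return xor(a.wrapped_kek, derive(password, a.salt, b"wrap"))

    def unlock(self, name: str, password: str) -> bool:
        # Pre-boot authentication: a good password unwraps the KEK, which unwraps the MEK.
        kek = self.authenticate(name, password)
        if kek is None:
            return False
        self._session_mek = xor(self._wrapped_mek, hashlib.sha256(kek).digest())
        return True

    def power_off(self) -> None:
        self._session_mek = None  # losing power locks the drive; stored state is unchanged

    def add_authority(self, admin: str, admin_pw: str, name: str, pw: str, role: str = "user") -> bool:
        kek = self.authenticate(admin, admin_pw)
        if kek is None or self.authorities[admin].role != "admin":
            return False  # ordinary users cannot add users; policy requires an administrator
        self._enroll(name, pw, role, kek)
        return True

    def change_password(self, name: str, old: str, new: str) -> bool:
        kek = self.authenticate(name, old)
        if kek is None:
            return False
        self._enroll(name, new, self.authorities[name].role, kek)  # fresh salt, verifier, wrap
        return True

    def crypto_erase(self, admin: str, admin_pw: str) -> bool:
        # Replacing the MEK makes every sector unreadable at once; credentials stay valid.
        kek = self.authenticate(admin, admin_pw)
        if kek is None or self.authorities[admin].role != "admin":
            return False
        self._wrapped_mek = xor(os.urandom(32), hashlib.sha256(kek).digest())
        self.media.clear()
        self.power_off()
        return True

    def _keystream(self, sector: int) -> bytes:
        if self.locked():
            raise PermissionError("drive is locked")
        return hmac.new(self._session_mek, sector.to_bytes(8, "big"), "sha256").digest()

    def write(self, sector: int, data: bytes) -> None:
        assert len(data) <= 32, "toy sectors hold at most 32 bytes"
        self.media[sector] = xor(data, self._keystream(sector))  # media only ever sees ciphertext

    def read(self, sector: int) -> bytes:
        return xor(self.media[sector], self._keystream(sector))
```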



The future of authentication with self-encrypting drives

With this new ability to achieve highly secure multi-factor authentication in the PC at the edge of the network, completely independent from the operating system and protected from attacks, there are some strategic security options. The self-encrypting drive and its authentication provide a strong ‘root of trust’ with which to initialize other highly trusted environments and applications. Virtualization and multi-core processors are enabling end users to have virtual machines for specific applications, including ‘trusted virtual machines’ which could be used for secure online banking, accessing cloud services, and fully authenticated access to corporate networks. Strong authentication with self-encrypting drives has the potential to dramatically improve the overall security of end user devices.

Lark Allen is a representative from Wave Systems to the Trusted Computing Group, an industry organization that has created a portfolio of specifications to enable more secure computing across the enterprise in PCs, servers, networking gear, applications, storage and embedded devices. More information and the organization’s specifications and work groups are available at www.trustedcomputinggroup.org. Allen has worked on a number of industry initiatives in security, privacy and digital business. He holds degrees in physics and industrial administration and spent more than 20 years with IBM before joining Wave Systems.

The Trusted Platform Module (TPM)

The Trusted Platform Module, or TPM, is a microcontroller or other integrated circuitry that securely stores passwords, digital keys and certificates that can provide unique identification. It is based on specifications created by the Trusted Computing Group, and versions are available from a number of semiconductor vendors. The TPM handles cryptographic operations such as asymmetric key generation, asymmetric encryption/decryption, hashing and random number generation. Some 200 million PCs, servers and embedded systems include the TPM, and many vendors provide software that enables its use. These packages support multi-factor authentication, single sign-on, password management and other functions.

The TPM also can determine changes to the system prior to boot-up, which means rootkits and other malware can be detected and action taken before the system is booted and connected to a network. During the boot process, the TPM measures, or hashes, all the critical software and firmware components, including the BIOS, boot loader and operating system kernel, before they are loaded. By making these measurements before the software runs and storing them in the TPM, the measurements are isolated and secure from subsequent modification attempts. When the PC connects to the network, the stored measurements are sent to the server and checked against the server’s list of acceptable configurations, and the PC is quarantined as an infected endpoint if a non-match occurs.

In authentication, the TPM plays a key role, where it can provide “something you have.” An additional factor such as a PIN or password can be added for “something you know.” The TPM has proven to be more secure and provide a lower cost of ownership than software-based certificates, tokens and smart cards. Plus it is the only token that supports both strong user and machine authentication. The TPM meets most enterprise requirements for multi-factor authentication for remote access. Wireless access can be protected with the TPM, where it securely identifies a user or machine and automatically integrates with the 802.1x authentication framework.

As part of its High Assurance Platform program, the National Security Agency uses the TPM in a virtualized approach to run multiple secure environments. Almost all computers acquired by the Department of Defense since July 2007 are required to have a TPM.

TPM information can be found at the organization’s website, www.trustedcomputinggroup.org/developers/trusted_platform_module.
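The measure-before-load chain and the server-side check against acceptable configurations described in the sidebar, as an added Python illustration that is not TCG reference code or any vendor’s attestation server. The TPM 1.2-style SHA-1 extend rule, the use of a single PCR, the unsigned event log and the component images are assumptions made for the example.

```python
# Added illustration of the measured-boot check described above; not TCG reference code and
# not any vendor's attestation server. Assumed (not from the article): TPM 1.2-style 20-byte
# SHA-1 PCRs, extend = SHA1(old || SHA1(image)), one PCR covering BIOS, boot loader and kernel,
# an unsigned event log (a real deployment sends a TPM-signed quote), and constructed images.
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = b"\x00" * 20
Event = Tuple[str, bytes]          # (component name, SHA-1 of its image)


def measure(image: bytes) -> bytes:
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """The only way a PCR changes: the new digest is hash-chained onto the old value."""
    return hashlib.sha1(pcr + digest).digest()


def boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Event]]:
    """Measure every component before it is 'loaded'; return the final PCR and the event log."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = measure(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log: List[Event]) -> bytes:
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


class AttestationServer:
    def __init__(self, golden_components: List[Tuple[str, bytes]]) -> None:
        pcr, log = boot(golden_components)
        self.allowed: Dict[bytes, str] = {pcr: "golden build"}   # acceptable configurations
        self.known: Dict[str, bytes] = dict(log)                  # expected digest per component

    def admit(self, reported_pcr: bytes, log: List[Event]) -> Tuple[str, str]:
        # 1. The PCR is the trusted value: a log that does not replay to it has been edited.
        if replay(log) != reported_pcr:
            return "quarantine", "event log does not reproduce the reported PCR"
        # 2. A known-good final PCR admits the endpoint without inspecting the log.
        if reported_pcr in self.allowed:
            return "admit", self.allowed[reported_pcr]
        # 3. Otherwise the log names the first component whose digest is not the expected one.
        for name, digest in log:
            if self.known.get(name) != digest:
                return "quarantine", f"unexpected measurement for {name}"
        return "quarantine", "unknown configuration"


# Constructed images standing in for the real firmware and software binaries.
GOLDEN = [("BIOS", b"BIOS 1.02 (constructed)"),
          ("boot loader", b"boot loader 2.0 (constructed)"),
          ("kernel", b"kernel 2.6.32 (constructed)")]
TAMPERED = [GOLDEN[0], ("boot loader", b"boot loader 2.0 (constructed) + bootkit"), GOLDEN[2]]


def demo() -> Dict[str, Tuple[str, str]]:
    server = AttestationServer(GOLDEN)
    good_pcr, good_log = boot(GOLDEN)
    bad_pcr, bad_log = boot(TAMPERED)
    # Altering the boot loader cannot be hidden by editing the log: the PCR held in the TPM
    # was already extended with the real digest before the boot loader ran.
    forged_log = [(name, dict(good_log)[name]) for name, _ in bad_log]
    return {"golden": server.admit(good_pcr, good_log),
            "bootkit": server.admit(bad_pcr, bad_log),
            "forged log": server.admit(bad_pcr, forged_log)}
```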



Meet your new tour guide
NFC enables artists to add rich media to exhibits
Ryan Clary, Contributing Editor, AVISIAN Publications

Le Centre Pompidou, Paris’s goliath, industrial-chic contemporary art gallery, is looking to shake up the museum experience for Generation Z. By next year, visitors to Pompidou’s planned Teen Gallery, as well as the old city center of Nice, will be using smart phones to interact with works of art, learn about historical sites, and even leave comments about the attractions and share relevant media in a social network setting, à la Facebook or Twitter.

The concept, called Smart Muse, revolves around Near Field Communication (NFC) technology. When approaching a work of art or historical site, users pass an NFC-enabled handset over a corresponding contactless smart card tag and voilà – information regarding the point of interest automatically pops up on the tourist’s phone, complete with video and audio. Smart Muse uses 13.56 MHz contactless smart card tags with unique ID numbers that, when read by a visitor’s NFC-enabled handset, access detailed information online. The Paris-based company Connecthings hosts the server and provides the content-management software for the project.

The purpose of Smart Muse, as explained by Mauricio Estrada Muñoz, project manager of the Youth Program at Le Centre Pompidou, is threefold – education, communication and interaction. First and foremost, the system is designed to give teens a better understanding of the artwork than a static sign tacked to the wall can provide. It does this with rich materials and media – cell phones and YouTube videos – that teens have come to expect. Passing a phone over a tag might launch a video interview on the user’s handset where the artist explains the meaning of the work. Following the video clip, the system might present a question such as, “do you agree with the artist’s views, yes or no?” Based on the response, another video could be launched for the user’s consideration. In this way, Smart Muse keeps the viewer engaged with the artwork, staving off the “art-overload-zone-out” state that anyone who has spent more than a couple of hours in a museum has likely experienced.

On the communication front, Smart Muse leverages social network sites – predominantly Facebook – to help revive and foster interest in contemporary art among youth as a whole. It helps to “bridge the gap between the art world and digital practices,” says Muñoz. Smart Muse does this in a number of ways. When a visitor begins a tour of the Pompidou’s Teen Gallery, his or her Facebook status is automatically updated to say that they have entered the museum. Users can post to their Facebook or Twitter accounts different videos, audio or any other media that pop up on their phones during the course of their visit. This serves to provoke conversation about art with their online friends. NFC-enabled posters for upcoming events and new exhibits will be on display throughout the gallery, and visitors can RSVP by tapping their phones to the tag.

Interactive works of art

Artists can incorporate Smart Muse’s NFC technology into the work of art itself. For example, the artist can program the tag to play a certain tone or sound bite on the viewer’s phone, adding an additional dimension to the experience of viewing the piece. Visitors can even use the phones to send comments directly to museum management, or even to the artist, in a sort of digital guestbook or suggestion box.

The inaugural exhibit at the Teen Gallery will house art inspired by the streets and address its impact on the contemporary art community. Among contemporary works by Jean Faucheur, Florent Lamoureux and Elsa Mazeau, the exhibit will feature a human beatbox workshop that will examine the practice’s origins and teach visitors how to do it themselves.

Heading south to Nice

Nice is also deploying Smart Muse as a high-tech tourist aid for the city’s historic old town. Visitors can borrow NFC-equipped handsets from tourist centers to access information from NFC tags and 2D barcodes affixed to sign posts at museums, churches and historical monuments. The tour is designed to lead a visitor from tag to tag and lasts about one hour. Nice’s tourists will be able to share media online through social networking sites and receive information on various tourist services including stores, restaurants, hotels and events. According to Connecthings’ founder Laetitia Gazel-Anthoine, bus stops in the old town will also be equipped with tags to provide tourists with information on bus routes and schedules. Both projects are being developed through a multi-million euro grant from France’s Ministry of Economy, Industry and Employment, which has launched thirteen pilots focused on NFC and contactless technology.





Nokia kills long-awaited 6216 NFC handset
But company and industry stress NFC and single-wire protocol are alive and well

When Nokia announced it was delaying the 6216 handset, its first mobile phone model to use the new single-wire protocol for near field communication (NFC), concerns about the company’s commitment to NFC were rampant. Industry observers questioned whether single wire was the way for NFC to roll out. But Nokia execs stressed that neither concern was merited. Delaying the 6216 had nothing to do with the company’s commitment to NFC or single-wire protocol, says Jeremy Belostock, director of sales and marketing for NFC at Nokia.

“We are still fully committed to NFC,” he says. “We are one of the few handset manufacturers that continue to work on the interoperability between devices and have continued to invest in the space.” The 6216 was set to be Nokia’s first single-wire device and one of the very first commercially available models. Part of the problem was that the 6216 was very similar to Nokia’s 6212, Belostock says. “It originally came out in 2008 and if you look at what’s available in 2008 and what’s available in 2010 there’s been a huge leap in what consumers want.” Making sure the phone was compelling to end users was more important than rushing a single-wire device into the market, Belostock says. “The last thing the consumer wants is something old,” he says.

Single-wire protocol: A boon for smart card manufacturers?

SIM cards used to authenticate handsets and users to GSM networks are more or less a commodity item. Operators buy them in bulk, and while they perform an important task, the technology is standard and inexpensive. If single-wire protocol takes off, however, this may change. With this near field communication standard the SIM is where applications are stored, secured and activated. Since the technology will be more advanced it will also be more expensive, says Neil Livingston, principal consultant at Consult Hyperion. “The SIM cards for single-wire protocol are more expensive than typical SIM cards,” Livingston notes. “They contain additional memory capacity for apps and additional cryptographic capabilities and faster processors.”


There are a handful of methods to enable an NFC transaction, says Neil Livingston, principal consultant at Consult Hyperion. Single-wire protocol stores the NFC capability on the device’s SIM card. In other methods, mobile devices can be hard-wired with a separate chip specifically for NFC, it can be incorporated into a microSD card, and then there are tags and stickers that can be affixed to the handset. Though the 6216 was scrapped, other handset manufacturers will be releasing single-wire protocol devices this year, with about half a dozen models expected to hit the market, Livingston says. The NFC method selected will likely depend on the region where the handsets are being deployed because of the different mobile phone standards. Areas that don’t use the GSM standard don’t require a SIM card and therefore are unlikely to use the single-wire protocol. Livingston says there are pros and cons to each of the different NFC approaches. He doesn’t see a future for NFC chips hard-wired into handsets, but he believes the other approaches remain viable.

MicroSD cards, tags and stickers don’t tie a user to a network operator. The user’s NFC applications are stored on the different media, which can be moved or placed in another device if the user switches networks. Anyone can issue a microSD card, so a bank or transit operator, for example, could initiate a project.


On the other hand, the SIM card is controlled by the network operator and while it can be moved to another device, it will still be on the same network, Livingston says. Negotiating with network operators to place applications on the SIM has proven difficult and points to the business model challenge that continues to plague NFC. “We’re still struggling to see business models between carriers and the banks,” he says. Because of this challenge, in the short term placing the NFC secure element on the microSD card may take off, Livingston says. Banks can provide the cards to customers for use in their devices. If the banks and mobile operators can agree on a business model, however, single-wire protocol may dominate in regions where GSM prevails.



Student-run coffee shop tests mobile payments
Brian Rogal, Contributing Editor, AVISIAN Publications

The University of Denver’s Daniels College of Business is always looking for technical innovations it can introduce on campus to better educate students. Students need to be familiar with the latest technology for the school to be seen as legitimate by the industry, says David Corsun, the director of Daniels’ School of Hotel, Restaurant and Tourism Management. That’s why the school is partnering with Denver-based mobile payments provider Mocapay Inc. to enable customers at Beans, the student-run coffee shop, to make payments with their mobile phones.

Beans customers have the option to download a Mocapay app to their phone. To make a purchase, they launch the app, enter the transaction amount, and then receive a unique six-digit code on their phone. They provide the code to the cashier and the amount is deducted from their prepaid account. Merchants can opt to have customers punch the six-digit code into a PIN pad or have a bar code sent to the customer’s phone for scanning at the POS. “We are agnostic as to what your point-of-sale process is,” says Kevin Grieve, Mocapay’s chief executive officer, but whatever process is used, “no customer-sensitive information is stored on the phone or passed to the merchant.” “We’re the first to market with this solution,” he adds. Mocapay conducted trials from 2007 to 2009 and now supports merchant-branded gift and loyalty programs at 125 locations in several states. Mocapay also uses its mobile platform as a marketing tool. Users receive alerts when new merchants join the service, customer satisfaction surveys and occasional reminders about their remaining balance.

Corsun says academic institutions need something like Mocapay for several reasons. The first is simple convenience. “We know that most of our students have smart phones and many are reliant on their parents for their spending cash,” he says. With Mocapay, parents can replenish the accounts online or students can add funds from their mobile phones.
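The six-digit code flow described above, as an added Python sketch that is not Mocapay’s software. How the server enforces the claim that nothing customer-sensitive reaches the merchant is my assumption: the code is bound to one account and amount, expires after a short window, is accepted once, and merchants that submit too many bad codes are throttled.

```python
# Added illustration of the six-digit code flow described above. This is not Mocapay's
# software; the server behaviour is assumed, not taken from the article: a code is bound to
# one account and amount, expires quickly, works once, and the merchant never sees the account.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 120
MAX_FAILED_REDEMPTIONS = 5   # a six-digit space is small, so bad guesses are throttled per merchant


@dataclass
class PendingCode:
    account: str
    amount_cents: int
    expires_at: float
    used: bool = False


class PaymentServer:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                               # injectable so expiry can be tested
        self.balances: Dict[str, int] = {}               # prepaid account -> balance in cents
        self.codes: Dict[str, PendingCode] = {}
        self.failed: Dict[str, int] = {}                 # merchant -> failed redemptions
        self.receipts: List[Tuple[str, str, int]] = []   # (merchant, code, amount): no account id

    def top_up(self, account: str, cents: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + cents

    def request_code(self, account: str, amount_cents: int) -> str:
        """App step: the customer enters the amount and receives a one-time six-digit code."""
        if self.balances.get(account, 0) < amount_cents:
            raise ValueError("insufficient prepaid balance")
        code = f"{secrets.randbelow(1_000_000):06d}"
        while code in self.codes:                        # never reissue a code that is still live
            code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[code] = PendingCode(account, amount_cents, self.clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, merchant: str, code: str, amount_cents: int) -> Tuple[bool, str]:
        """POS step: the cashier submits code and amount. A production system would return only
        approved/declined to the POS and keep the detailed reason in its own log."""
        if self.failed.get(merchant, 0) >= MAX_FAILED_REDEMPTIONS:
            return False, "merchant temporarily blocked"
        pending = self.codes.get(code)
        ok, reason = self._check(pending, amount_cents)
        if not ok:
            self.failed[merchant] = self.failed.get(merchant, 0) + 1
            return False, reason
        pending.used = True                              # single use: a replay is rejected
        self.balances[pending.account] -= amount_cents
        self.receipts.append((merchant, code, amount_cents))
        return True, "approved"

    def _check(self, pending: Optional[PendingCode], amount_cents: int) -> Tuple[bool, str]:
        if pending is None:
            return False, "unknown code"
        if pending.used:
            return False, "code already used"
        if self.clock() > pending.expires_at:
            return False, "code expired"
        if pending.amount_cents != amount_cents:
            return False, "amount does not match"
        if self.balances[pending.account] < amount_cents:
            return False, "insufficient balance"
        return True, "ok"
```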

Mocapay’s software-as-a-service delivery model meant “there was no hardware cost to us,” says Corsun, stressing that it’s difficult for colleges to get funds for any new capital investment in the current economic environment. But most important for Daniels College, all of its students take a technology course that will now include studying the Mocapay project alongside a multitude of software systems used in the hospitality industry. “We see [mobile payments] as something that is going to be pervasive and our students need to know how to operate it. They’re not just learning that Mocapay exists, they’re going to learn the way it adds value.” Grieve says the Daniels deal will pay future dividends, noting that, “as a young company, we need to build awareness and let people know what we can do.” The best way to do that is to “target industry leaders and innovative merchants, and students are the next crop of industry leaders.”



Quantifying the e-passport marketplace
Rudie Lion and C. Maxine Most, Acuity Market Intelligence

By the end of 2010, e-passport adoption will climb to 91 countries, with another 11 countries planning to convert their passports to e-passports by the end of 2014.

Ten years ago, the e-passport was a concept circulating among forward-thinking individuals and small groups of associated industry, government and non-government agencies. In the wake of the terrorist attacks on the World Trade Center in 2001 and the subsequent transit attacks in Madrid in 2004 and London in 2005, the e-passport idea rapidly transformed into a foundation for global security. Today, e-passports have not only become mainstream but have also created a multi-billion dollar industry poised to fundamentally change the global travel and border control infrastructure.

[Chart: E-passport Market Growth, 2009 to 2014; y-axis $0 to $7,000; CAGR 35.51%]

Market sizing

The e-passport market, made up of hardware, software, and services, will reach sustainable annual revenues of $7 billion by the end of 2014, with a compound annual growth rate of 31.5% from 2009 through 2014. Europe’s market dominance will diminish as its overall market share drops from 49% to 20% during this period. At the same time, the Asian market will experience the most significant market share growth, increasing from 25% to nearly 46% of annual market revenues with a compound annual growth rate of nearly 50%.

E-passport Adoption                        2009      2010      2011      2012      2013      2014
Total countries issuing e-passports          71        91        98        99       101       104
Passports issued (000)                  103,955   104,995   106,044   107,105   108,176   109,258
Of which e-passports issued (000)        59,424    83,013    92,919    96,359    96,369    96,809
% e-passports of passports issued        57.16%    79.06%    87.62%    89.97%    89.09%    88.61%
Passport circulation (000)              663,692   670,329   677,032   683,803   690,641   697,547
Of which e-passports circulation (000)  186,866   266,700   353,697   434,243   507,860   553,828
% e-passports of passports circulation   28.16%    39.79%    52.24%    63.50%    73.53%    79.40%



The strongest revenue growth will be in South America, where the compound annual growth rate will reach a startling 117%. Annual revenues will increase from a modest $11 million in 2009 to nearly $540 million in 2014 as South America’s market share expands from less than 1% to more than 8% of global revenues. The e-passport industry has grown from humble beginnings. In 2004, Malaysia and Belgium introduced the first e-passports, together issuing less than one million documents to their citizens. By the end of 2009, 71 countries were issuing e-passports. By the end of 2010, e-passport adoption will climb to 91 countries, with another 11 countries planning to convert their passports to e-passports by the end of 2014. While the number of 2010 issuing countries represents just less than 50% of the International Civil Aviation Organization’s (ICAO) 190-country membership, the total volume of 83 million projected passports produced by these countries accounts for 79% of the expected annual global volume. By 2015, 104 e-passport issuing ICAO members will generate almost 97 million e-passports, representing nearly 89% of the annual worldwide passport volume and nearly 80% of the total passports in circulation at that time.

Biometrics

Current ICAO requirements dictate the use of a facial biometric on all e-passports. Thirty-seven countries now require fingerprints as a secondary biometric, with another 10 countries planning to require fingerprints by 2014. The European Union (EU) Commission mandated use of this secondary biometric by June 2009 and to date, all 27 EU countries have complied or are in the process of complying. Finger as a secondary biometric is also increasingly being considered in Asia and South America, and will likely be adopted in the Middle East as these countries move to e-passports. Capture of biometric data at enrollment varies significantly by country and region. Enrollment options range from mailed-in photographs to fully automated kiosks with live capture and validation of biometrics, digital signature and authentication documents at application. Countries that require fingerprints for their e-passports all have some level of live biometric capture, which for most of these countries means simply deploying readers at all application locations and providing an IT infrastructure to manage the data.

Live Capture at Enrolment & Borders             2009     2010     2011     2012     2013     2014
Total countries issuing e-passports               71       91       98       99      101      104
Total countries with live capture                 37       40       42       45       46       47
% of e-passport countries with live capture   52.11%   43.96%   42.86%   45.45%   45.54%   45.19%

Currently, use of e-passport biometrics at border entry is, with few exceptions, still in trial phase. Travelers from designated origins can use automated border control systems based on e-passports with facial recognition at:

• Manchester and Stansted airports in the UK
• Lisbon airport and other border control points in Portugal
• Helsinki airport in Finland and Frankfurt airport in Germany
• International airports in Australia (and soon in New Zealand)

However, for most international travelers, e-passports are still used in the context of a standard visual check that compares the facial image retrieved from the chip to the photograph in the passport and the individual presenting themselves to a border control agent.

E-passport readers

Most e-passport readers that have been deployed to date are used to verify documents at issuance. Approximately 16,000 systems are currently installed at passport enrollment locations, representing 13% of the total addressable market for these standalone e-passport readers.

E-passport readers deployed at border control posts account for less than 2% of this total addressable market. Limited growth is expected for readers over the next five years, which is somewhat counterintuitive given the significant investment being made in the e-passport documents themselves. Even by 2014, when, as discussed, nearly 80% of the world’s passports will be e-passports, only 6% of the world’s border control points will be equipped to read them.

E-passport Readers (standalone)           2009      2010      2011      2012      2013      2014
Total addressable market               122,018   128,119   134,525   141,251   148,314   155,729
Total e-passport readers deployed       18,258    19,801    24,380    28,535    30,215    29,985
Adoption                                14.96%    15.46%    18.12%    20.20%    20.37%    19.25%

The inherent limitations of applicant photograph submission (the cost of quality control to meet ICAO specifications and the potential poor performance of facial recognition programs) will become significant roadblocks as countries adopt automated border control systems. It is therefore highly likely that as automated border control becomes more prevalent, so too will live capture enrollment solutions.

By the end of 2012, global e-passport adoption will reach more than 60% of total circulation. For many countries, e-passport holders will represent the majority of travelers crossing their borders. Use will then reach a critical tipping point. It will simply no longer make economic or operational sense not to leverage the capabilities of these documents. Traditional border control processes will be replaced by automated solutions on a global scale, driving significant market growth and associated revenue.

Market evolution

This will mean accelerated deployment of eGates and kiosks with integrated e-passport and biometric readers. A precondition is the global uptake of ICAO’s Public Key Directory, which will act as a central broker to manage the exchange of nations’ PKI certificates and certificate revocation lists. Twenty to 30 countries are currently participating in the directory and the majority of the remaining e-passport issuing countries will likely follow in the next two to three years. The ongoing development and production of a secure e-passport infrastructure will provide sustainable market opportunities as countries stabilize existing programs, continually incorporate new document security features, replace aging equipment, and re-issue documents on a five or ten year lifecycle. In addition, by 2014, the deployment of a secure global border-crossing infrastructure that leverages the proliferation of e-passports will begin in earnest. With an emphasis on automated self-service verification of documents and identity, and global data exchange, this border transformation will both be driven by and drive e-passport market evolution.

This analysis is based on The Global ePassport and eVisa Industry Report published in May 2010 by Acuity Market Intelligence (www.acuity-mi.com).




The e-passport revolution: The next generation of travel security

Adam Tangun, Sales Director e-Government for EMEA, HID Global

Over the past decade, growing concerns over national security have forced governments around the world to raise their overall public safety profile by refining existing security policies and procedures. Driven by the threats of terrorism, illegal immigration and identity theft, the challenge facing governments and entities like the International Civil Aviation Organization (ICAO) has been to find the best way to increase the security of international travel by minimizing human error and safeguarding personal data.

Passport control procedures have been a major area of focus, with a heavy emphasis on how governments monitor and control access at their borders. ICAO has been working for many years to establish a single, common standard for the reading of travel documents and the use of passport data around the world, and April 2010 marks a critical milestone in this move. As of this date, every contracting country must either issue its citizens a machine-readable passport or an e-passport that contains a microchip with information that can aid agents in authenticating the identity of the passport holder based on the encrypted biometric data. Around 170 countries have already introduced a machine-readable passport and the first ICAO-compliant e-passports were introduced in 2004. While early e-passport adopters include countries like the UK, Australia, Sweden and Singapore, other countries are likely to miss the April 2010 deadline and some are likely to jump straight to the next level of security innovation: the second-generation e-passport.



The basic concept behind this enhanced e-passport is that the holder’s personal data and biometrics, including photograph, fingerprint and/or iris, are securely stored in the contactless smart card chip, which is accessed through secure contactless technology. Basic access control safeguards against the inadvertent capture of data stored on the chip, while protecting the privacy of the holder’s identity. Basic access control also secures communication when the travel document is read by a passport-reading device at a passport control point. The passport holder is identified and fraud attempts are discovered by comparing the chip data against the visual data in the passport. The accuracy of the stored biometric data is key, along with its security and the ease with which it can be verified and transferred using secure certificates. An added level of security, extended access control, is now being introduced to strengthen basic access control. Extended access control offers even greater protection against unauthorized reading, or ‘skimming,’ of the personal data stored on the chip by combining basic access control, chip authentication and terminal authentication.

The enhanced functionality of second-generation e-passports is also driving the development of far more powerful chips with storage capacity of at least 64Kb to properly support fingerprint data and extended access control functionality. Many of the early, lower-capacity chips used in the first-generation e-passports are therefore being phased out and replaced by chips that can store nearly double the amount of data, as well as facilitate improved processing capabilities and a faster operating system. While e-passports are breaking down traditional barriers to secure international travel, they also come with their own set of challenges. Perhaps the biggest technical hurdle when implementing an e-passport-based border control system is the infrastructure that supports it.
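Basic access control, described above, derives the keys that unlock the chip from data printed in the passport’s machine-readable zone, which is why the inspection system must optically read the data page first. The Python below is an added example (not code from the article or from HID Global) implementing that reader-side key derivation as specified in ICAO Doc 9303, using the MRZ values from ICAO’s own published worked example; the function names are my own.

```python
"""Basic Access Control (BAC) key derivation from the MRZ, per ICAO Doc 9303.

Added example, not code from the article or from HID Global. The access keys
depend only on three fields printed in the machine-readable zone (document
number, date of birth, date of expiry) and their check digits: the chip will
only talk to a reader that has already seen the printed data page. The MRZ
values used in main() are the worked example published in ICAO Doc 9303.
"""
import hashlib
from typing import Tuple


def _char_value(c: str) -> int:
    """ICAO character values: '<' = 0, digits = face value, A-Z = 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate the three key fields, each followed by its check digit.

    doc_number is padded with '<' to 9 characters; dates are YYMMDD.
    """
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{birth_date}{mrz_check_digit(birth_date)}"
            f"{expiry_date}{mrz_check_digit(expiry_date)}")


def bac_key_seed(mrz_info: str) -> bytes:
    """K_seed is the first 16 bytes of SHA-1 over the ASCII MRZ_information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def _adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so that each byte has odd parity (DES rule)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> Tuple[bytes, bytes]:
    """Return (K_enc, K_mac): the two-key 3DES keys derived from the MRZ.

    Each key is SHA-1(K_seed || counter)[:16], with the 4-byte big-endian
    counter 1 for the encryption key and 2 for the MAC key, then
    parity-adjusted for DES. This is the derivation in ICAO Doc 9303.
    """
    k_seed = bac_key_seed(mrz_info)
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys.append(_adjust_des_parity(digest[:16]))
    return keys[0], keys[1]


if __name__ == "__main__":
    # ICAO Doc 9303 worked-example MRZ data (not a real document).
    info = mrz_information("L898902C<", "690806", "940623")
    k_enc, k_mac = derive_bac_keys(info)
    print("MRZ_information:", info)
    print("K_enc:", k_enc.hex().upper())
    print("K_mac:", k_mac.hex().upper())
```

The derivation needs only SHA-1 from the standard library; a reader would then use K_enc and K_mac for the BAC challenge-response and the secure messaging session, which are not shown here.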

At the present time, not all countries have installed the facilities and infrastructure needed to conduct electronic verification. The ability of all participants to use the technology that underpins the overall system will be critical for its success. The speed, accuracy and security of the e-passport readers themselves are also a critical factor for success. Additionally, without seamless interoperability between the transponders and the readers, and compatibility between the systems used in different countries, non-compliant passports could cause significant operational problems. As the most complex element of the system, the readers must be compatible with a variety of chips and multiple operating systems. Developers of this technology are working closely with ICAO and governments around the world to ensure that the infrastructure is up to the job, so the security printers of each country can confidently produce secure credentials with embedded secure contactless technology and visual security elements designed to deter counterfeiting. Manufacturers currently offer document readers that comply with the standards and help agents retrieve the information stored in e-documents for on-the-spot identity verification.

Even with the challenges of mass e-passport adoption around the world, millions of electronic passports are already in circulation, and all major airports have initiatives to establish an e-border control infrastructure throughout 2010. In the words of ICAO: “This represents a first step in bringing global state travel document systems and technologies more in line with 21st century border control, facilitation and security objectives.”

As early adopters of e-passports seek to upgrade their passports, this trend will inevitably spur improvements in functionality and encourage the integration of ever more sophisticated security features. The high levels of security and authentication provided by second-generation e-passports translate directly into increased efficiency and convenience for governments and their citizens, with secure contactless technology helping to make passport-based identity checks simpler, faster and more secure. The convenience of easier traveller processing at border crossing points is an obvious attraction of the contactless smart card-enabled e-passport. And its greatest benefit is the role it will play in the next decade to safeguard against terrorism, illegal immigration and identity theft, the most pressing national security threats of our time.



Deadlines, risks and the future of e-passports

A conversation with ICAO’s Barry Kefauver

Barry Kefauver has more than 30 years of government experience and has been instrumental in the development of electronic passport programs. Kefauver served as the deputy assistant secretary of state for Passport Services at the U.S. Department of State. He has chaired many international fora, including the International Civil Aviation Organization (ICAO) Work Group on New Technologies and the main committee of the International Organization for Standardization (ISO) assisting ICAO in drafting the biometric passport guidelines. Kefauver is principal at the consulting firm Falls Hills Associates LLC and has served as adjunct professor at the University of Mary Washington, teaching international business. Kefauver was kind enough to answer a series of questions for re:ID readers on the latest with the electronic passport programs.


Q: What’s the state of e-passport issuance around the world?

First, I would like to clarify the ICAO “deadlines” that have been the subjects of some confusion. The first deadline is that which has just passed; that is, as of April 1, 2010, all countries must have begun to issue Machine Readable Passports (MRP). The second deadline, and clearly related to the first, is that all issued non-Machine Readable Passports must expire before November 24, 2015. Note that neither of these deadlines requires that biometric or e-passports must be issued at all. The deadlines are focused solely on machine readability on an international and globally interoperable basis. With respect to the status of passport issuance at the time of this writing, there are approximately 81 countries that are issuing electronic, chip-based biometric e-passports that are in compliance with ICAO requirements. I say approximately because this number and the others that I will cite are based on the best data available from all of the best sources, but subject to change on a daily basis, generally increasing the number of issuing authorities employing e-passport technologies. Also, there are several countries that characterize their passports as e-passports that are NOT in compliance with one or more ICAO specifications. These are not included in the 81 noted earlier. If and when these are brought into compliance, they will be counted as well. There are an additional 27 countries that indicate they intend to issue e-passports yet within 2010.

On the other side of the equation, there are approximately – note that word again, for the same reasons – 20 countries that are not issuing machine-readable passports in compliance with ICAO standards. Several of these passports that are not in compliance can be brought into compliance relatively easily and the countries have been notified as to the discrepancies. Therefore, hopefully by the time this is published, this number will be diminished. In addition, at least eight countries are moving toward machine-readable passport issuance still to occur in 2010. In sum, of all of the ICAO 190 member state contracting parties, approximately 170 are now issuing traditional machine-readable passports or e-passports in accordance with ICAO standards.

Unknowns of many kinds, such as new technologies, contactless chips in a paper substrate, interoperability, the infancy of biometrics, untested public perception, political concerns, resource requirements, and others, swirled about as work was being carried out. Very fundamental questions, some of which had never been asked, most of which had no clear answers, abounded. And of course, those questions that continued to arise as work went on, those that we didn’t even know existed until they raised their ugly heads, were the most vexing.

Q: What was the risk that ICAO took on biometrics that paid off? In the early days when the quest was colloquially called “Co-Existing Technologies,” the goal was primarily to link the bearer with the document in a way that would enhance the ability of the human inspection process through the use of machine-assisted identity confirmation.

Interesting that we assumed that the most difficult areas of deployment would involve the application of biometrics, frankly the reason why the chip’s data carrying capability had been chosen in the first place. After all, we had the maturity and deployment experience of ISO/IEC 14443 that would serve as our turn-by-turn deployment GPS. Wrong. In addition to having to rewrite 14443 to accommodate the travel document functionality, we also had to define de novo ways in which to test the chips for both performance as well as reliability and durability, encountering a number of new-science learnings regarding the behavior – and vulnerability – of radio frequency chip technology. So the risks facing ICAO were of several differing types, each one complementing and feeding on the others. There were the kinds of risks that we knew about, such as the untried and essentially untested field performance of biometrics on the kind of global scale that worldwide passport issuance required. And then there were the intangible perceived risks that began to become clearer and more daunting, the kinds associated with ways in which to insure privacy and data integrity, while capitalizing on the operational virtues of the contactless chip that had formed the basis for its selection in the first place. The use of biometrics, especially the use of facial recognition as chosen by ICAO as THE globally interoperable technology, was viewed quite skeptically and, by one observer I recall, characterized as “the new snake oil.” Certainly the body of knowledge that had been assembled when ICAO was fully committed to biometrics was sparse. As well, it was the ICAO/travel document application that drove identity management initiatives and had substantial impact on the enhancement and improvements of biometrics as well as the attending enabling technologies. These kinds of risks are often the companions of pioneering efforts in many efforts to effect change. However, this work was being carried out on a global and worldwide scale and demanded that international and multilateral cooperation drive each and every decision and direction, otherwise that all-critical global interoperability would be left to wave aimlessly in the breeze. The stakes were very high and very visible. So the risks, known and unknown, were dealt with as they were encountered and they were addressed in ways of global collegiality, a sense of togetherness that has characterized the MRTD programs. While there is always room for improvement, I think the payoff has been in confronting these risks head on, addressing them as effectively as humanly possible and being strengthened by having done so; we now have the most secure passport the world has ever known.

Q: What are some of the risks that ICAO may need to face in the future?

This is a very timely question and one that I have pondered for a while before trying to answer. So I will try to respond with a two-part answer. The simple part of the answer is that the risks that will be faced in the future are very similar in nature to those faced in the past. Independent of technological direction or substantive content, these risks will reside on the foundation of the unknown: the myriad of surprises that inevitably will occur and create speed bumps and stumbling blocks to any new direction in which the travel document community chooses to proceed. So, that is rather easy to capture and assess. The more difficult and far more troubling risk that we face is the risk of doing nothing, or too little too late. There have in the past been views expressed that now that ICAO Document 9303 has been published, the work of development is completed and all that needs to be done is to carry out maintenance. It would be quite comforting to declare victory – “mission accomplished” to put into flawed context – and bask in the facts reflected in the answer to the first question showing that the vast majority of the world is ICAO compliant.

However, technologies are changing and improving literally day by day. Perhaps not on the scale of Moore’s Law, but the tools and technologies of identity management in the broadest sense are increasing at a very fast pace. The travel document community has to keep pace with these evolutions, not to chase technology but to insure that the fabric of the world’s border management infrastructure is as tightly woven as possible. Those who would make mischief with identity vulnerabilities, such as terrorists, drug and human traffickers and other international criminals, are all seizing on this same evolutionary technological progress in seeking ways to work their ills on humanity. So, as I see it, there is no choice but to take the same kinds of risks that have led the visionary way forward for the travel document community over the past decade. The stakes have never been higher.

Q: Describe the types of partnerships that need to be put in place for the success of e-passports.

This is a crucial and pivotal question. The cornerstone of globally interoperable travel document utility and border management functionality has always been cooperation, interdependence, collegiality and accountability. Without the kinds of partnerships that have been forged, for example, between the world’s governments and the private sector, there simply would not be the bedrock that is now Document 9303. As well, along with the growth in recognition of the travel document’s pivotal importance in the trans-border movement of people, has come the corollary need for like-minded entities and organizations to come together. Accompanied by the evolving and changing face of threat and vulnerability over the past several years, the realities of combining assets, resources, expertise, access and perspective have brought about a natural and critical coalescence of those who share in the stakes of enhanced identity and border management. The partnerships that have formed and are still shaping bring together a number of interests that find similarities of purpose in the use of machine readable travel documents, biometrics and the myriad tools of sound and effective identity management. To name a few of the key partnerships: ICAO, INTERPOL, IOM, OAS/CICTE, OSCE, UNCTED, among others. Driven in part by the need to provide assistance and expertise, especially for those countries seeking to deploy a machine-readable passport program where none had existed before, these partnerships over the past couple of years have resulted in a number of direct interventions with specific countries as well as regional workshops intended to smooth the way for those in the development stage as well as those countries seeking to improve and build on that which already exists.

By joining forces, with ICAO serving as something of the catalyst or fulcrum, these groups have been able to better utilize the increasingly scarce fiscal resources as well as to capitalize on access to that most elusive commodity, objective and knowledgeable expertise in the breadth of disciplines needed for modern, effective border security and identity management.

The expansion of scope and reach of these kinds of partnerships is perhaps the single most important factor in insuring a successful future for the travel document evolution, the enhancement of border security and, most of all, the improvement in facilitation and security of the world’s traveling public.

Q: What’s the status of deploying inspection systems for e-passports around the world?

There is no question that the deployment of machine-readable passports and e-passport issuing programs has proceeded with somewhat greater speed and broader impact than the reading and inspection tools. This is to be expected and resembles the time lag that accompanied the initial wave of machine-readable passports and their inspection and reading. That took more than eight years to catch on with any meaningful critical mass, so, if measured by that standard, we are currently a bit ahead of the power curve. The introduction of new technologies and the kinds of changes effecting change represents is always a learning and slow process. The use of new reading systems, new storage media, new measures that are required to protect privacy and insure data integrity, new traveler throughput models, new human resource requirements and a number of similar issues must be addressed and solved. Much work has been done and much remains, but at this point the progress is noteworthy. The question of “who reads/inspects machine-readable travel documents and for what purposes” has been with us forever. So any quantification must be preceded by a very big “approximately” for the same reasons that caveat my response to the first question. However, the ICAO New Technologies Work Group (NTWG) launched a formal new work item at its recent meetings in Bangkok specifically aimed at being able to authoritatively answer these questions. So, with the word “approximately” modifying each of these data, the following provides a snapshot of where things stand at the moment.

• 16 countries are currently reading and “using” the biographical and biometric data stored on the chip
• 53 countries are using biometrics in some form for border management purposes (primarily face and finger or a combination of those two, but a couple using iris)
• All 81 countries that issue e-passports are, of course, capturing biometric data in those chips (36 facial image, 45 both face and fingerprint)
• 16 countries currently participate in the ICAO Public Key Directory (PKD), the organization that handles the exchange of PKI certificates among countries

The use of biometric and other related tools is increasing as these data reflect. Of particular note is the last bullet, focused on PKD membership. There is immense power offered by reading and confirming the PKI aspects of machine-readable travel documents for data validation and verification.

Additionally, coupling the resource that the PKD represents in assuring and verifying a number of integrity attributes on which today’s inspection systems must reside with that PKI process is the foundation that potentially takes today’s MRTD beyond the reach of most of the unscrupulous. I say potentially because inspection authorities must capitalize on this power by reading the data stored on the chip and comparing that data to the live subject who claims to own the document. As well, the corollary PKD membership provides the vehicle to insure that information on the origins of the data stored in a chip is valid and real. Simply stated, many more countries need to do so. For an issuing authority to have invested in an e-passport program and not join PKD or use the chip data has been likened to buying a very expensive, beautiful luxury car, but scrimping by not buying the wheels to go with it.

Q: Any prediction on what ICAO may be looking for in its next e-passport request for information?

The ICAO Request For Information process has been functioning on a roughly three-year basis since 1995. The intent of the RFI has been to give governments an opportunity to formally engage in a dialogue with industry in terms of more clearly and systematically identifying longer term needs, directions and priorities. This allows the private sector to give some peeks into the laboratory for emerging technologies as well as to showcase current products that might be of interest to the travel document community. This mutual exchange sharpens the government’s sense of direction and provides a clearer business case justification for industry to invest in research and development.

The first request for information, supplemented by the several other similar undertakings, yielded something of a feast on which the travel document community thrived for quite some time. That earlier emphasis was on biometrics, physical security features and data storage media. All of these areas have borne demonstrable fruit. At the moment, the next request is a discussion item that has just begun. While I would expect some of the same areas of interest of the past to remain into the future, the idea of the RFI is to look out over the next decade or so and articulate a sense of vision of the travel document and border-identity management needs of the future. So, with thought just beginning, all I can advise is: Wait and see.

Summer 2010

reid_summer10.indd 49

49

5/5/10 2:56:20 PM


Authenticating users and securing access in cloud computing environments

Ed McKinley, Contributing Editor, AVISIAN Publications

Cloud computing can seem like “Cloud Nine” when IT departments use the technique to cut costs, boost profits, increase efficiency, bolster computing capacity, shrink carbon footprints and free up time to concentrate on core pursuits. But these benefits don’t come without risk, security experts warn.

Dangers of cloud computing include criminal hacking, inappropriate access by rogue administrators, and the uncertainty of where data resides in a world where notions of privacy differ and regulations vary across national borders, cautions Nico Popp, vice president of product development, trust services, for Mountain View, Calif.-based VeriSign Inc. Others cite the possibility of online terrorism or even an all-out cyber war.

“With cloud services the network perimeter is gone,” says Popp, whose company provides Internet infrastructure, authentication services and secure sockets layer certificates. “All customers are concerned about security.” On his blog Popp has referred to cloud computing security as “dicey.”

Identifying users is also a concern. “As enterprises shift their IT infrastructure and information to the cloud … CIOs need to federate corporate identities with cloud service providers,” Popp explains. “For cloud resources, the corporate directory becomes the identity provider and the cloud services are the relying parties.”

As more information is placed in the cloud, such as health care information, there is a need for federated identity and strong authentication in the cloud to protect against fraud, Popp says. “These transactions are complex and risky,” he adds. “They are complex because they involve multiple independent, sometimes competing organizations. Federation is needed. These transactions are also too risky because the current Internet authentication system based on name and password is too weak. High assurance identity is needed.”

To keep data safe in these early days of cloud computing, security experts advise IT departments to study definitions, commit their companies gradually and insist vendors explain how they are operating in the cloud. Those steps require IT executives to do their homework.

Cloud computing refers to the storage and manipulation of data on servers operated outside the four walls of a company, or handling data internally in a way that emulates an external cloud. The cloud works like a utility that users can turn on when they need it and turn off when they do not. Users pay when the “spigot” is open but not after closing it, so it can be an efficient way to maximize computing resources across the organization. “You can reach up into this fluffy thing and grasp a service up there and say this is tangible and I can rely on it to be there – that’s what the cloud is about,” says Sam Curry, chief technologist at Bedford, Mass.-based RSA, the Security Division of Hopkinton, Mass.-based EMC Corp.

Besides increasing computing power without adding in-house capacity, companies find the cloud can help them run greener operations. “You’re running less hardware, burning fewer electrons and not having to cool that whole data center,” says Curry. “That’s a big concern for companies in this day and age, and it’s compelling in terms of savings.”

The origin of the cloud dates to virtualization in the late 1990s, says Jeff Spivey, president of Security Risk Management Inc., a Charlotte, N.C.-based consulting firm. Between 2003 and 2006, cloud computing gained technological maturity and won wider acceptance, Spivey says, noting that the movement has now reached the early adoption phase.

Closer examination reveals a multiplicity of clouds, typically broken down into public, private and hybrid, Curry says. Large companies or those with a high degree of risk often choose to create a private cloud to keep their data secure, he says. Small companies with lower risk might feel safe enough using the public cloud, he notes. Other businesses choose a hybrid version that stores data in the public cloud but relies on a proprietary platform. Another way of viewing clouds comes from Popp and Spivey, who list the differing approaches as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).

As cloud computing becomes a fact of day-to-day life, some users may begin to recognize that the technique’s seemingly new qualities actually parallel more familiar situations. Companies were exposing data to the outside world even before the cloud by hiring an increasing number of contractors, Spivey says. The due diligence required of IT departments as they join the cloud movement does not differ so much from the caution required in any outsourcing deal, he notes. “We are telling them that they need to place security requirements on their cloud providers,” agrees Popp, citing the need for access control and data encryption. Trust also comes into play, he continues, which vendors and their customers can establish through audit trails, monitoring and reporting. “But it is a steep slope because there is no industry framework or best practices,” Popp continues. “So they are pretty much on their own to define all this and capture the fine points in a contract.”

To help IT departments evaluate vendors, Popp advocates establishing a certification process that could resemble the Payment Card Industry Data Security Standard. “Customers should be able to require that their cloud providers meet the Cloud Compliance Trust Level 1 or whatever it gets called,” he says of a PCI-like set of standards. “Knowing that a cloud provider is already up to that level and that the same cloud provider is regularly audited to meet these requirements would accelerate the process and increase peace of mind.”

Companies can begin their cloud experience by picking a piece to try out instead of “betting the farm” by immersing their companies in the cloud, Spivey says. “Stick a toe into the water, see what surprises come out of it, get confirmation of how things operate, see what kind of vendors you’re dealing with and start building relationships with cloud providers,” he advises. Popp agrees. “I advise a ‘crawl, walk, run’ cloud strategy,” he says. That could entail starting with large SaaS vendors to become familiar with what it means to shift IT to the cloud. “That is the crawling part,” he notes. “If you are a Fortune 50, you are large enough to walk into experimenting with private clouds. Otherwise, take a look at a hybrid cloud. I would only advise public clouds to those who already know how to cloud walk.”

IT departments should think of the cloud in terms of journeys and processes, Curry advises. “Be leery of anyone who says we’re done and it’s wrapped up and here’s a bow,” he says. “You still have to think about the risks associated – just as you would with any business decision.” And these risks certainly include the ability to securely identify users before granting access to data and resources in the cloud. Strong authentication will be mandatory as valuable corporate data and sensitive customer information are housed further and further beyond the physical walls of the organization.
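The federation model Popp describes above (corporate directory as identity provider, cloud services as relying parties) comes down to a small set of checks the relying party must perform on every assertion it receives. The block below is an added example, not code from VeriSign or from the article. Real deployments use SAML or OpenID Connect with assertions signed by the IdP’s private key; here the assertion is JSON with an HMAC-SHA256 tag under one key shared by the IdP and every relying party, which is an assumed simplification that keeps the block on the standard library. The issuer and service URLs and the fixed clock are constructed.

```python
"""Federated sign-on between a corporate IdP and cloud relying parties, reduced
to the checks that matter. Added example; HMAC under a shared key stands in for
the IdP's signature, and all names and URLs are constructed."""
import hashlib
import hmac
import json
import secrets
import time


def _canon(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """The corporate directory: it authenticated the user and vouches for that."""

    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key

    def issue(self, user, audience, ttl=300, now=None):
        now = int(time.time() if now is None else now)
        claims = {"iss": self.issuer, "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        tag = hmac.new(self.key, _canon(claims), hashlib.sha256).hexdigest()
        return {"claims": claims, "tag": tag}


class RelyingParty:
    """A cloud service: it never sees the password, only the IdP's assertion."""

    def __init__(self, audience, issuer, key):
        self.audience, self.issuer, self.key = audience, issuer, key
        self.seen = set()            # consumed assertion ids (a shared cache in production)

    def accept(self, assertion, now=None):
        """Return (ok, reason); each rejection corresponds to a real abuse."""
        now = time.time() if now is None else now
        claims, tag = assertion["claims"], assertion["tag"]
        expected = hmac.new(self.key, _canon(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"                       # edited claims
        if claims.get("iss") != self.issuer:
            return False, "untrusted issuer"
        if claims.get("aud") != self.audience:
            return False, "assertion meant for another service"  # relayed from one RP to another
        if now >= claims["exp"]:
            return False, "expired"
        if claims["jti"] in self.seen:
            return False, "replayed"
        self.seen.add(claims["jti"])
        return True, "session for " + claims["sub"]


def demo():
    key = b"constructed-idp-signing-key"          # stands in for the IdP's private key
    idp = IdentityProvider("https://idp.example-corp.test", key)
    hr = RelyingParty("https://hr.saas.test", idp.issuer, key)
    crm = RelyingParty("https://crm.saas.test", idp.issuer, key)
    t0 = 1_275_000_000                             # fixed clock so the run is reproducible
    a = idp.issue("alice", hr.audience, now=t0)
    out = {"fresh": hr.accept(a, now=t0 + 10)}
    out["replay"] = hr.accept(a, now=t0 + 20)
    out["wrong_service"] = crm.accept(a, now=t0 + 10)
    out["expired"] = hr.accept(idp.issue("alice", hr.audience, now=t0), now=t0 + 301)
    edited = idp.issue("alice", hr.audience, now=t0)
    edited["claims"]["sub"] = "admin"              # privilege escalation attempt
    out["tampered"] = hr.accept(edited, now=t0 + 10)
    return out
```

The audience check is the one most often skipped: with a single IdP key, an assertion issued for the HR application verifies perfectly at the CRM application, and only the `aud` claim stops the second service from honouring it. The shared-key simplification also shows why real federation is asymmetric: any relying party holding this HMAC key could mint assertions for the others, whereas with the IdP’s private key and published public key the cloud services can verify but never forge.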



Democrats: BELIEVE in biometric Social Security cards

There are varying reports on whether immigration reform will be discussed in Congress in 2010, but if it is addressed one aspect that will likely be included is a biometric Social Security card for employment verification. Dubbed Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment, or BELIEVE, the card would be required to verify permanent residence when starting a new job. The Democrat-sponsored proposal would have the Social Security Administration issuing biometric cards 18 months after the law is passed. “These cards will be fraud-resistant, tamper-resistant, wear resistant, and machine-readable social security cards containing a photograph and an electronically coded micro-processing chip which possesses a unique biometric identifier for the authorized card-bearer,” states the conceptual proposal for immigration reform.

The biometric information would be stored in template form on the card and not in any databases. When verifying employment eligibility the card would be inserted into a reader, the cardholder would present the biometric for matching against the template stored on the card and it would either match or not match. The proposal doesn’t specify which biometric technology would be used with the system.

The card would only be used to verify employment status and to verify Social Security benefits and would not be able to be used for any other purpose.

The card would replace Homeland Security’s E-Verify system, which is used to verify employment eligibility now, says Walter Hamilton, chairman of the board at the International Biometric Industry Association. With the E-Verify system a prospective employee presents a Social Security number and the system tells the employer if it’s valid. It doesn’t actually check to make sure the number is associated with that individual. A biometric Social Security card would change that, linking the individual to the card. The federal government would be required to use the system as the sole employment verification system within three years after enactment and federal contractors would be required to use the system within four years after the date of enactment. Within five years, the card would serve as the sole acceptable document to be produced by an employee to an employer for employment verification purposes.

Prior to issuing a new card, the Social Security Administration would be required to verify the individual’s identity and employment eligibility by asking for various breeder documents. SSA would also be required to engage in background screening verification techniques to confirm identities. While the system will match the biometric on the card to the individual locally, information will still be sent to the federal government for confirmation. The system will respond to each inquiry to confirm that the card is genuine. The proposal says digital certificates would also be stored on the card to prevent counterfeiting. In order to pay for implementation of the BELIEVE System, funding will be obtained in whole or in part by collecting various fees and fines; however, the proposal states that U.S. citizens would not be charged for the card.

Analysis: What biometric will be on the card?

The proposal for a biometric Social Security card provides some specifics on how the new credential would work, but there is no indication as to the biometric modality to be used. Fingerprint seems the obvious choice. It has a track record of being used in government identification schemes and is the oldest biometric technology. It’s also cheaper than many other biometric technologies. “There are a number of commercially available low-cost fingerprint sensor devices that can attach to a standard Windows PC through a USB interface,” says Walter Hamilton, chairman of the board at the International Biometric Industry Association. “There has been extensive independent testing of fingerprint sensor hardware and fingerprint template generation and matching algorithms. So fingerprint is clearly the most mature of the biometric modalities that might be considered.”

But fingerprints have a negative stigma from long-term use by law enforcement to identify criminals. The proposal is already being called a national ID card, which is not a popular idea in the U.S., and using fingerprints could make it more difficult to gain public acceptance. Iris would be next on the list and has gained in popularity. The modality has been touted as being just as accurate as fingerprints, but without the negative stigma. It doesn’t require a user to touch anything but instead just look at a camera, Hamilton says. The downside of iris is its cost, with cameras being much more expensive than fingerprint scanners. Additionally it can be difficult to enroll some individuals, Hamilton says. “It can be a challenge for some individuals to submit a good quality iris image because of occlusion, motion, pose or illumination issues,” he says.

One issue for iris is the lack of standards around the storage of the iris template. “There is an international standard for storing compact iris images (rather than templates),” Hamilton says. “According to NIST, standard iris image records with sizes around 3 KB can be produced that are suitable for one-to-one authentication applications. Given that today’s smart cards can hold 128K or more of memory, the larger data record size associated with compact iris images – compared with 1K for fingerprint templates – should not be a significant issue.”

The other option is vein pattern recognition, which has been popular with ATMs in Japan, Hamilton says. “The vein pattern can be measured at the finger, back of hand or palm area depending on the vendor and the design of the sensor device,” he says. “Vein pattern recognition is considered to be more privacy enhancing than fingerprint or iris since the vein pattern cannot be observed in ordinary light. In addition, there is no artifact left on surfaces – as is the case with latent fingerprints – which could be copied. So it would be virtually impossible for someone to make a fake finger to spoof a vein pattern reader device.” Vein pattern is also considered a hygienic biometric since it doesn’t require direct contact with a surface, Hamilton says. Initial testing has also shown the technology to be as accurate as iris and fingerprint, with readers slightly more expensive than fingerprint readers. Standards, however, are also an issue with vein pattern. There are efforts underway, but data size may be an issue if standardized vein pattern images were used for storage on the smart card instead of the proprietary vein pattern templates that are available now.
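The proposal’s “match or not match” against a template held only on the card is a one-to-one decision with a threshold, and the iris discussion above (occlusion, record size) maps onto it directly. The block below is an added example, not code from IBIA, NIST or the proposal. Iris systems in the Daugman tradition encode the texture as a code of roughly 2048 bits and decide on the normalised Hamming distance after trying a few circular shifts to absorb head tilt; the codes here are generated at random and the “live” capture is the enrolled code with a share of its bits flipped, so the distances are illustrative only, and the 0.32 threshold is a typical published operating point assumed here rather than a value from the page.

```python
"""One-to-one iris verification on the card, iris-code style. Added example;
codes are random, the live sample is synthetic noise on the enrolled code."""
import random

CODE_BITS = 2048
THRESHOLD = 0.32          # accept if the best normalised Hamming distance is below this
MAX_SHIFT = 8             # circular shifts tried in each direction (head tilt tolerance)


def random_code(rng):
    return rng.getrandbits(CODE_BITS)


def noisy_copy(code, flip_fraction, rng):
    """Simulate a fresh capture: each bit flips independently with the given probability."""
    mask = 0
    for bit in range(CODE_BITS):
        if rng.random() < flip_fraction:
            mask |= 1 << bit
    return code ^ mask


def rotate(code, shift):
    """Circular left shift by `shift` bits (negative values rotate right)."""
    shift %= CODE_BITS
    full = (1 << CODE_BITS) - 1
    return ((code << shift) | (code >> (CODE_BITS - shift))) & full


def hamming_distance(a, b):
    """Fraction of disagreeing bits: ~0.5 for unrelated eyes, well below for the same eye."""
    return bin(a ^ b).count("1") / CODE_BITS


def template_bytes():
    """Card storage for one template; an occlusion mask of the same size would double it."""
    return CODE_BITS // 8


def match_on_card(template, live):
    """The card's decision: (accepted, best_distance). The template never leaves the
    card; the reader only learns the yes/no answer."""
    best = min(hamming_distance(template, rotate(live, s))
               for s in range(-MAX_SHIFT, MAX_SHIFT + 1))
    return best < THRESHOLD, best


def demo(seed=2010):
    rng = random.Random(seed)
    enrolled = random_code(rng)
    genuine = noisy_copy(rotate(enrolled, 3), 0.10, rng)    # same eye, tilted 3 bits, 10% noise
    impostor = random_code(rng)                             # unrelated eye
    return {"genuine": match_on_card(enrolled, genuine),
            "impostor": match_on_card(enrolled, impostor)}
```

Two things the numbers make concrete. A 2048-bit template is 256 bytes, so the 3 KB compact iris image Hamilton mentions is the expensive option and the template the cheap one, but a template tied to one vendor’s encoder is what creates the standards problem he raises. And the occlusion issue is a matching issue: production systems carry a mask marking eyelid and eyelash bits and leave them out of the distance, which this example omits.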



London’s Oyster card upgrade underway

Program migrates from compromised Mifare Classic chips to DESFire

Transport for London, issuer of the popular Oyster card that Londoners use to pay transit fares and make small purchases, is in the process of upgrading to new, more secure cards. Two years ago researchers found vulnerabilities in the security architecture of the Mifare Classic contactless smart cards that the agency was using. NXP’s Mifare Classic line is arguably the world’s most widely deployed contactless product, used for countless transit, physical security and government ID applications. The Mifare Classic line includes the Mifare 1K, Mifare 4K and Mifare Mini products.

Two years ago there was a flurry of activity around the Mifare “hack.” Several research groups independently claimed to have deciphered the inner workings of the chip by analyzing communication between the chip and the reader to expose its cryptographic protocols, which rest on the proprietary Crypto-1 stream cipher and a 48-bit key. The gist of one effort involved slicing off one layer of the chip at a time and then taking photos to reconstruct the circuit. The researchers trained computers to read what the chip was doing and output the logic so they could analyze the security techniques. Crypto-1 had never been published; once its design was recovered, the 48-bit key space was small enough to attack in practice.

NXP sued one of the research groups, Radboud University Nijmegen in the Netherlands, to block the public release of details on the security weakness.

The Massachusetts Bay Transportation Authority, issuer of Boston’s Mifare Classic transit card, sued a team of MIT researchers regarding a Mifare hack. A U.S. District judge issued an injunction that prevented the researchers from presenting the findings at the Defcon hacker conference. The transit agency did not reply to inquiries on whether it had plans to upgrade its cards and readers.

Mifare was first released in 1994, so the Classic line relies on a security architecture that is more than 15 years old. Commenting on the vulnerability, many security experts suggest that it should not come as a surprise to find vulnerabilities in aging products.

Thus the move to the new Oyster card may just be an indicator of things to come in a world where security technologies are rapidly advancing and early ID programs are aging.

Transport for London is gradually rolling out NXP’s DESFire cards, which replace the proprietary Crypto-1 cipher with standard Triple DES (and, on DESFire EV1, AES) and correspondingly longer keys. “Transport for London began the phased replacement of Mifare Oyster cards last year and London Underground ticket offices will continue to gradually swap existing cards,” says a Transport for London spokesperson. Besides gradually phasing out the older cards with the new ones, the change also required Transport for London to upgrade the software on the card readers. “The entire Oyster system now accepts DESFire cards as all readers have had new software installed to read the higher level of encryption associated with DESFire cards,” the spokesperson says. “Cardholders need to take no action to replace their cards as ticket office staff are incrementally replacing cards when they are presented by our passengers either when topping up, renewing season tickets or replacing lost or faulty cards.”

Photo: Transport for London
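A phased swap of the kind Transport for London describes leaves an operator wanting two numbers: how much of the card base is still Mifare Classic, and which readers have yet to see a DESFire card. Both can be read off gate logs, because the card family shows in the anti-collision exchange before any application is selected. The block below is an added example, not Transport for London’s or NXP’s code. The log format is constructed; the ATQA/SAK values are the ones NXP publishes for identifying its ISO 14443A products (application note AN10833): Classic 1K answers SAK 0x08, Classic 4K 0x18, Mini 0x09, and DESFire 0x20 with ATQA 0x0344.

```python
"""Measure a Mifare Classic -> DESFire migration from gate logs. Added example;
the log lines are constructed, the SAK table follows NXP AN10833."""
import re
from collections import Counter, defaultdict

# Constructed sample of what a gate might log per tap: time, gate, UID, ATQA, SAK.
SAMPLE_LOG = """\
2010-05-05T08:01:12 gate=KGX-03 uid=04a1b2c3 atqa=0004 sak=08
2010-05-05T08:01:15 gate=KGX-03 uid=0425f8a6c1d280 atqa=0344 sak=20
2010-05-05T08:01:19 gate=KGX-04 uid=2f6e9c11 atqa=0004 sak=08
2010-05-05T08:02:01 gate=KGX-04 uid=7b3d5e22 atqa=0002 sak=18
2010-05-05T08:02:07 gate=KGX-03 uid=0425f8a6c1d280 atqa=0344 sak=20
2010-05-05T08:02:30 gate=KGX-05 uid=c4d1e2f3 atqa=0004 sak=08
2010-05-05T08:02:45 gate=KGX-05 uid=1a2b3c4d atqa=0004 sak=09
2010-05-05T08:03:10 gate=KGX-05 uid=deadbeef atqa=0004 sak=08
2010-05-05T08:03:11 gate=KGX-05 reader reset
"""

LINE = re.compile(r"^(?P<ts>\S+) gate=(?P<gate>\S+) uid=(?P<uid>[0-9a-f]+) "
                  r"atqa=(?P<atqa>[0-9a-f]{4}) sak=(?P<sak>[0-9a-f]{2})$")

# SAK -> family, per NXP AN10833. Assumes no emulated or third-party clones in the fleet.
CARD_TYPES = {0x08: "Mifare Classic 1K", 0x18: "Mifare Classic 4K",
              0x09: "Mifare Mini", 0x20: "Mifare DESFire"}
LEGACY = {"Mifare Classic 1K", "Mifare Classic 4K", "Mifare Mini"}   # all Crypto-1 based


def classify(sak):
    if sak in CARD_TYPES:
        return CARD_TYPES[sak]
    if sak & 0x20:                 # bit 5 set: ISO 14443-4 capable, but not a family we know
        return "ISO 14443-4 card (unknown)"
    return "unknown"


def parse_log(text):
    """One dict per well-formed tap; malformed lines (reader resets etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sak"] = int(d["sak"], 16)
        d["family"] = classify(d["sak"])
        d["legacy"] = d["family"] in LEGACY
        events.append(d)
    return events


def migration_report(events):
    """Card-base composition (one vote per UID) plus gates that have never seen DESFire."""
    cards = {e["uid"]: (e["family"], e["legacy"]) for e in events}
    families = Counter(f for f, _ in cards.values())
    legacy_cards = sum(1 for _, legacy in cards.values() if legacy)
    gates_seen = defaultdict(set)
    for e in events:
        gates_seen[e["gate"]].add(e["family"])
    gates_without_desfire = sorted(g for g, fams in gates_seen.items()
                                   if "Mifare DESFire" not in fams)
    return {"unique_cards": len(cards),
            "legacy_cards": legacy_cards,
            "legacy_share": legacy_cards / len(cards) if cards else 0.0,
            "by_family": dict(families),
            "gates_without_desfire": gates_without_desfire}
```

Counting by UID rather than by tap matters: a commuter tapping twice a day would otherwise make the legacy share look larger or smaller depending on who travels most. A gate that never sees a DESFire card over a busy period is not proof its software was missed, but it is the first place to check, since the spokesperson notes every reader needed new software before it could accept the new cards.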


OWN THE ENTIRE COLLECTION

1000+ pages of ID technology insight, just $200
• Educate new employees
• Refresh your industry knowledge
• Research for presentations
• Review best practices
• Learn from the experience of other implementations
• Gain a competitive edge

For the first time, AVISIAN is offering all back issues of their industry-leading re:ID magazine in a packaged set. You receive three years’ worth of top-notch news and insight – 15 issues of re:ID and 6 issues of CR80News magazine. Plus you get password-protected access to our online library with more than 1000 feature articles. To order, visit http://store.AVISIAN.com.



Group working on open standards for transit cards

Autumn C. Giusti, Contributing Editor, AVISIAN Publications

Imagine jet-setting from L.A. to Boston to Paris, catching the subway in all three cities, and only having to buy a single transit pass to get around. If four smart card powerhouses achieve their goal, this could one day be the reality for transit users.

In January, smart card manufacturers Giesecke & Devrient and Oberthur Technologies and chip suppliers Infineon Technologies and INSIDE Contactless launched an initiative to develop a new secure solution for next-generation smart card-based public transport applications.

The solution would be built on an open-standard system the four companies are implementing, but an independent body would eventually govern it. Despite some of the companies being competitors, the partners say they formed the initiative because they need each other’s expertise to attain a fully interoperable system. “We decided that to be successful, you needed to have a group of partners with different proficiencies,” said Werner Koele, marketing manager for the Personal and Object ID business line of Infineon, the company that spearheaded the initiative. And the group is poised to add more partners. While Koele wouldn’t disclose names, he said the four companies are in discussions with other major players that could join the initiative in the coming weeks and months.

Transit evolution

In 2009, Infineon undertook a market analysis that identified several changes underfoot in the transport market.

Talks with transport agencies revealed that in the coming years, the market will split into low-, medium- and high-end applications, ranging from paper tickets on the low end to high-end solutions such as NFC or multi-application cards combining citizen services or payment. Contactless credit cards are getting more attention, and proprietary, closed-loop products have their own set of problems, according to Infineon.

At the same time, the public transit sector is expected to grow dramatically in the next 20 to 30 years, with governments worldwide spending large amounts of money on infrastructure. The biggest demand for projects will come from mega cities with populations of 5 million to 20 million, for which an open standard system would be well-suited, said Roland Magiera, adviser of Transit Segment Marketing, Government Solutions for Giesecke & Devrient. “We think this (system) will be a higher value for the transit authorities and for the customers,” he said. The initiative touts vendor independence, increased vendor choice, interoperability and cost savings among the benefits to transit operators.


The fact that there have been several public transit pilot programs involving NFC and payment cards shows that the technical dynamic is possible for an open-standard system, Magiera said. “We think that new technology with an open standard could be very helpful for the industry and development,” Magiera said. “This is the main reason we’ve joined the initiative and are speaking with the other companies.”

Security benefits

After completing its market analysis last year, Infineon determined that the best course of action would be to get away from a proprietary, closed-loop system in favor of a more modern, open standard system that would allow for multiple companies and technologies. One argument for the open standard is that proprietary products are seen as a security risk. Magiera cites the 2008 security breach of NXP Semiconductors’ Mifare Classic, a proprietary chip used extensively in transit passes and access control badges. The breach made it possible for someone to clone the chip. An openly specified and publicly reviewed algorithm does not depend on its design staying secret, which is the property the Mifare Classic cipher lost.

Part of the initiative’s goal is to develop a unified security concept as the common base for a variety of products, according to Infineon. This concept is based on groundwork performed by Infineon, which developed a hardware-based security system specifically suited for public transportation smart card applications. It consists of an authentication scheme using the open and well-accepted Advanced Encryption Standard, which can be implemented in low-cost silicon. “We believe that AES is the best for this market. It is well defined and proven,” Koele said. Although the security concept and mandatory file types will remain the same, vendors will be able to differentiate their products from each other by offering additional features and better performance, according to Infineon. “The goal is to come up with products that are interoperable, so different products can be used in the same system,” Koele said. For instance, even though Infineon and INSIDE Contactless have different chips, either would work in the same system.

Need for collaboration

The looming logistical challenge the initiative faces will be to get the various transit agencies around the globe to cooperate so they will all be using the same system. Transport agencies have the prime intention of bringing users from Point A to Point B, and payment and ticketing concerns are secondary, Koele said. By nature of being government-run, the agencies are driven by a slow, politically driven decision-making process on such matters. “There are too many players in the market, and they have to align internally,” Koele said of the transit agencies. “Our standard for public transport could be the basis for such a scheme. And that’s the intention we have.” The first cities are expected to run pilots using the initiative’s open system a year from now. The initiative is eyeing about three dozen cities for deployment. The system would take another three to five years to implement with widespread deployment in the next 10 to 15 years, Koele said.
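What an “authentication scheme using AES” looks like on the wire is a three-pass mutual challenge-response: the card proves it holds the right key before releasing any value, and the reader proves the same before the card answers. The block below is an added example, not code from Infineon or the initiative. Python’s standard library has no AES, so HMAC-SHA256 stands in for the AES-based MAC; the message flow is unchanged. Deriving a per-card key from an operator master key and the card UID is a common transit practice and an assumption here, not something the initiative announced; all keys and UIDs are constructed.

```python
"""Three-pass mutual authentication between a transit card and a gate, with
per-card key diversification. Added example; HMAC stands in for AES."""
import hashlib
import hmac
import secrets


def prf(key, *parts):
    """Keyed function standing in for the AES primitive (AES-CMAC or AES encryption)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def diversify(master_key, uid):
    """Per-card key from the operator master key and the card UID (assumed practice)."""
    return prf(master_key, b"card-key", uid)


class Card:
    def __init__(self, uid, key):
        self.uid, self.key = uid, key          # key personalised once, never readable

    def challenge(self):
        """Pass 1: card -> reader. UID is public; RndB is fresh per session."""
        self.rnd_b = secrets.token_bytes(16)
        return self.uid, self.rnd_b

    def respond(self, rnd_a, reader_proof):
        """Pass 3: answer only once the reader has proven knowledge of this card's key."""
        if not hmac.compare_digest(reader_proof, prf(self.key, b"reader", rnd_a, self.rnd_b)):
            return None
        return prf(self.key, b"card", self.rnd_b, rnd_a)


class Reader:
    def __init__(self, master_key):
        self.master_key = master_key           # in a real gate this lives in a SAM, not software

    def authenticate(self, card):
        uid, rnd_b = card.challenge()
        key = diversify(self.master_key, uid)
        rnd_a = secrets.token_bytes(16)
        reader_proof = prf(key, b"reader", rnd_a, rnd_b)          # pass 2: reader -> card
        card_proof = card.respond(rnd_a, reader_proof)
        if card_proof is None:
            return False
        return hmac.compare_digest(card_proof, prf(key, b"card", rnd_b, rnd_a))


def demo():
    master = b"constructed-operator-master-key"
    uid = b"\x04\x11\x22\x33\x44\x55\x66"
    genuine = Card(uid, diversify(master, uid))
    clone = Card(uid, b"\x00" * 32)            # copied the public UID, could not read the key
    other_uid = b"\x04\xaa\xbb\xcc\xdd\xee\xff"
    foreign = Card(other_uid, diversify(b"other-operator-key", other_uid))
    gate = Reader(master)
    return {"genuine": gate.authenticate(genuine),
            "uid_clone": gate.authenticate(clone),
            "foreign_card": gate.authenticate(foreign),
            "keys_differ": diversify(master, uid) != diversify(master, other_uid)}
```

Two properties carry the security. Fresh random values on both sides mean a recorded session cannot be replayed at another gate, and the card refusing to answer until the reader has proven itself means an attacker with a reader cannot harvest responses from cards in a crowd. Diversification limits the damage if one card’s key is extracted by the kind of silicon analysis described for Mifare Classic: that key opens one card, not the whole system. The master key itself still has to be protected, which is why gates keep it in a secure access module.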



Combining students IDs and transit passes The multi-function, multi-app smart card may not be such a mythical beast Multi-function cards on college campuses aren’t new. Student IDs have paid for meals, accessed residence halls and checked out library books for decades. But adding applications that can be used outside of the university has been more difficult. Off-campus merchant programs are common but beyond that the campus card remains an on-campus tool. A number of universities have expressed interest, largely due to student demand, in using the card off-campus in the local transit agency’s contactless fare collection system. While campuses have offered students deals on public transportation passes in the past, this has typically involved a separate card or a homegrown solution with a campus card reader on the transit vehicles. 58

reid_summer10.indd 58

Integration with the existing contactless system is a far more seamless solution, but it has proven to be an elusive goal. The problem is that transit agencies frequently use proprietary systems and specific contactless card types that don’t readily translate to other uses. In other words, if a campus issues a contactless card that meets the transit specs it may not be usable for on campus needs such as access control.

dor. The campus would then issue this card in its normal manner and use the magnetic stripe for school needs. The transit application could either be pre-loaded on the contactless chip or the student could take it to a specific location to turn-on the functionality.

Obviously, the ideal scenario is a standard contactless technology that serves the campus card needs and also supports the transit application. This has not been the case.

New transit systems open door for campus cooperation

In most cities with contactless fare collection systems, a local university would need to buy a specific card from the transit system’s ven-

The process is cumbersome, expensive and virtually eliminates the campus from utilizing contactless technology for its own needs.

The challenges that have kept campus cards and transit cards largely separate are beginning to ease. Fare collection systems are evolving and at the same time campus card programs are recognizing the benefits of

Summer 2010

5/5/10 2:57:18 PM


Maximize your card technology . . . Campus Card Systems • Access Control and Integrated Security Solutions Food Service Management Tools • Online Ordering • Catering and Event Management Housing Assignment Systems • Judicial Conduct Tracking

. . . One safe student at a time. • Improve safety • Drive revenue • Reduce costs Learn how at www.cbord.com.

The CBORD Group, Inc. · 61 Brown Road · Ithaca, NY 14850 · TEL: 607.257.2410 · FAX: 607.257.1902 cbord_cr80.indd 1 59 reid_summer10.indd

2/22/2010 8:44:13 PM AM 5/5/10 2:57:19


contactless technology. The time may be right for cooperation, as exemplified by recent projects in Utah and Washington D.C.

The Utah Transit Agency (UTA) approached its fare collection system differently than others in the U.S. It opted to deploy a more open system that accepts multiple card types, including its own fare collection cards and bank-issued contactless credit and debit cards. The UTA system was deployed by ERG Group, now owned by Cubic, and MetraTech, a Boston-based billing and settlement provider. Utah was ERG’s first foray into this type of public transit payment mechanism.

“It’s the first and only one we believe that’s been fully deployed,” says Michael Cook, ERG’s vice president of business development for the Americas. “There are other systems out there that use a credit card, but it’s really a transit application embedded in the card that gives the appearance that someone is using a credit card. We view Utah as our future. It’s similar to what they’re doing in New York, but on the subway it’s a flat fare structure. Here we can accommodate all types of fares.”

Westminster College in Salt Lake City and Utah Valley University in Orem have started using contactless cards for student IDs and enabling the same card to be used as a transit pass. The two schools, however, took different paths to get there.

Utah Valley was already using a multi-technology student ID card, including a Mifare chip and magnetic stripe, says Dawn Bridges, manager of the Campus Connection ID Station at the university. The campus has a Blackboard transaction system and uses Lenel to manage physical access control. The contactless chip is also starting to be used for a time clock system. Utah Valley and the UTA had worked together previously, and when the school found out its ID card could work with the transit system, administrators decided to combine them, Bridges says. Students pay $20 a month for the pass, and the information stored on the chip is then sent to the UTA. That way, when the student taps the card on the reader it is read as valid. The two are also working on a system that would enable real-time connectivity.


Westminster College took a different approach when combining its student ID and transit pass. The school had not been using a contactless card but decided to make the switch after discussions with the UTA, says Kerry Case, director of the environmental center at Westminster. “It’s nicer to have only to carry around one card instead of two,” she says. “With the old pass you had to show your student ID card with the transit pass if the transit police asked.”

The school is now buying blank card stock from the UTA to use as its student ID, Case says. Since the UTA buys card stock in bulk, it’s cheaper than Westminster buying it on its own. The card also has a magnetic stripe that is used for food service, access to the gym and other applications. Westminster has an in-house system for managing the campus card program for its 2,500 students.

The primary purpose of the contactless portion of the card is the transit pass, says Collin Bunker, director of information services at Westminster. When the card is issued the number on the chip is sent to the UTA, and updates are sent on a weekly basis. Students don’t have to pay for the pass as long as they use the system a certain number of times a month.

But with contactless cards starting to be issued throughout campus, the college is rolling out additional functionality, Bunker says. Westminster is putting contactless physical access control readers in its new science building to enable student access to the labs after hours. He says the school is considering expanding the contactless physical access control system over time to other buildings and is also exploring its use for meal plans.

American University in Washington is conducting a pilot combining its student IDs with the Washington Metropolitan Area Transit Authority, according to a university spokesperson. A small number of American University student IDs with the transit agency’s contactless SmarTrip functionality are being tested by selected members of the campus community. If the test is successful, the entire American University community may soon be offered the option to integrate their student ID with SmarTrip access.
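The weekly batch arrangement described for both Utah schools (the chip number is sent to the UTA at issuance, updates follow weekly, and real-time connectivity is still being worked on), as an added illustration that is not UTA, Utah Valley or Westminster code. The chip serials and dates are constructed; the point it shows is what a reader fed by a weekly list does with a card revoked mid-week, compared with the real-time lookup the schools are working toward.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple


@dataclass
class CampusCard:
    chip_id: str         # serial read from the contactless chip (constructed values below)
    active: bool = True  # cleared when the card is reported lost or the student leaves


class CampusCardOffice:
    """Campus side: the system of record for which cards are entitled to a pass."""

    def __init__(self) -> None:
        self.cards: Dict[str, CampusCard] = {}

    def issue(self, chip_id: str) -> None:
        self.cards[chip_id] = CampusCard(chip_id)

    def revoke(self, chip_id: str) -> None:
        self.cards[chip_id].active = False

    def weekly_batch(self) -> Set[str]:
        """Full replacement list of chip IDs currently entitled to ride."""
        return {c.chip_id for c in self.cards.values() if c.active}

    def is_active(self, chip_id: str) -> bool:
        """What a real-time lookup from the agency would see at tap time."""
        card = self.cards.get(chip_id)
        return card is not None and card.active


class TransitAllowlist:
    """Agency side: keeps only the last batch received and when it arrived."""

    def __init__(self) -> None:
        self.chip_ids: Set[str] = set()
        self.synced_on: Optional[date] = None

    def apply_batch(self, batch: Set[str], received_on: date) -> None:
        self.chip_ids = set(batch)
        self.synced_on = received_on

    def accepts(self, chip_id: str) -> bool:
        """Reader decision: the tap is valid if the chip ID is on the current list."""
        return chip_id in self.chip_ids


def simulate_revocation_lag() -> Tuple[int, int, bool, bool]:
    """Revoke a card two days after a sync, count how many daily taps the
    batch-fed reader still accepts versus a real-time lookup, then resync.

    Returns (batch_accepts, realtime_accepts, revoked_after_sync, other_after_sync).
    """
    campus, agency = CampusCardOffice(), TransitAllowlist()
    lost, other = "04A1B2C3", "04D4E5F6"  # constructed chip serials
    campus.issue(lost)
    campus.issue(other)

    monday = date(2010, 5, 3)  # constructed sync date
    agency.apply_batch(campus.weekly_batch(), monday)
    campus.revoke(lost)  # reported lost on Wednesday, before the next batch

    batch_accepts = realtime_accepts = 0
    for _ in range(5):  # one tap a day, Wednesday through Sunday
        batch_accepts += agency.accepts(lost)
        realtime_accepts += campus.is_active(lost)

    agency.apply_batch(campus.weekly_batch(), monday + timedelta(days=7))
    return batch_accepts, realtime_accepts, agency.accepts(lost), agency.accepts(other)
```

The batch-fed reader keeps accepting the lost card until the next Monday's list arrives, while a real-time check would stop at the first tap after revocation.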

Whereas the UTA used the ISO 14443 contactless smart card standard for its cards, SmarTrip uses a proprietary technology that can only be purchased from the system vendor. This would also make it difficult to use the card for anything other than the transit program. For several years, however, rumors have circulated that the Washington D.C. transit program would migrate from the proprietary card to a more standard card type. If this were the case, American University could one day issue the combined card and open up the use of the contactless chip for on-campus applications.

A dual-use future?

As contactless smart cards become more popular on campus, it’s possible there may be more integrations like those in Utah and Washington D.C. For this to happen on a large scale, however, changes are still required. Transportation officials will have to decide whether using a proprietary, closed-loop system is better than a more inclusive, open fare collection system. Unless this move to card types that readily support campus applications occurs, campus card administrators will need to weigh the relative importance of the transit application against the other on-campus applications of contactless technology.



Identity management and the law

Shifting focus from technology to legal ramifications of identity

Ross Mathis, Contributing Editor, AVISIAN Publications

In the area of identity management there has been significant work related to the technical exchange of identity information and the actual authentication processes. There has not, however, been a focused look at the legal issues, particularly those that would hold parties responsible for not properly identifying and authenticating users or customers. “You need rules and obligations placed on the various parties and they need to perform these obligations, and if they don’t then you need some enforcement mechanism,” says Tom Smedinghoff, a partner at Wildman Harrold and chairman of the American Bar Association’s Federated Identity Management Legal Task Force. A year ago the task force was formed to address these legal issues, as well as the privacy and liability issues faced by all participants in the identity management process.

The goal of the ABA task force is to analyze legal issues that arise in connection with the development, implementation and use of federated identity management systems. “We really try to take a rigorous look at what folks have to deal with when they establish and operate identity management systems … and look at the legal models for making it work,” says Smedinghoff. Exploring various legal models, the group is studying the structure and weighing the pros and cons of each to develop terms and contracts that can be used by parties in ecommerce and other electronic communication settings. “In order for there to be a viable trust framework you’ve got to address the legal side of it,” he says.

These trust frameworks, also called identity and authentication frameworks, attempt to bind all parties to a common set of rules. “More commonly now we’re finding a consortium, or groups of businesses, that are looking at setting up an identity infrastructure … so you get more of a collaborative approach to a set of rules and changing those rules as needed,” Smedinghoff says. On the other side, there is a regulatory overlay that must be taken into account. Certain issues of identity management are regulated by laws, which cannot be buried or superseded by contracts between the parties.

While this is a cutting-edge area of law, it’s starting to get some attention. “It varies by jurisdiction but there’s a fair amount of privacy law, particularly in the European Union, but to a lesser extent in the U.S. financial and health care sectors,” Smedinghoff says.

Case law starting

In situations regarding identity theft, case law is beginning to emerge. Courts are starting to point the finger at businesses that did not, in their opinion, do enough to protect personal information. Businesses need to be sure to meet their obligations, properly authenticate or identify individuals and make sure not to release personal or confidential information. The Federal Trade Commission has even instituted enforcement actions where businesses did not properly authenticate customers, says Smedinghoff.

When addressing these issues, the ABA task force is considering a number of areas of law that may apply. “It’s those underlying issues … we need to figure out how they might apply, and how parties can mitigate the legal risks and allocate them fairly among participants in the process,” Smedinghoff says. “We need to look at the laws of negligent representation, and see how that affects the process.” If a business is the identity provider within the management process, then it is making assertions about a subject to a third party or relying party. These assertions can, in theory, be considered warranties or representations. Smedinghoff notes that looking at warranty law to see how it affects the process may prove useful. “It’s these kinds of obligations that are going to have to be addressed,” he concludes. “We need to get down to the level of what are those things that you should be doing and what are those things that you shouldn’t be doing?”



Placing multiple technologies into one credential

Two chips on a card is nothing new, but three plus an optical stripe?

Autumn C. Giusti, Contributing Editor, AVISIAN Publications

Sometimes the best way to improve on an idea is to incorporate the tried and true. That’s what Mountain View, Calif.-based LaserCard Corp. discovered with some of its deployments, combining its optical storage and security technology with a traditional smart card.

Throughout the 1990s LaserCard relied mainly on its optical storage and security feature, an area of optical media embedded into an ID card form factor. Similar to optical storage on a CD or DVD, a LaserCard ID can store large amounts of data, biometric information and high-resolution images. Most notably, the innovation has powered the U.S. permanent resident card, better known as the Green Card, since 1997.

But in the past decade, customers began seeking out cards to carry out multiple applications. “Progressively, we began to see the increasing requirement to add other technologies, such as contact chips,” said Stephen Price-Francis, vice president of marketing for LaserCard. “The trend is toward customers demanding a combination of technologies.” Today, that means layering contactless and contact technologies as well as long-range radio frequency identification tags on a single card to enhance LaserCard’s optical stripe.

[Figure: card construction, “Optical Security Media and Contact Chip.” Labeled layers: top layer, optical security media inlay, security printing on polycarbonate, contactless chip inlay, bottom layer; front and back of card shown.]

Blocking fraud digitally

One of LaserCard’s early multi-technology deployments was the Indian vehicle registration card. Historically, the three Indian states of Gujarat, Delhi and Maharashtra relied primarily on paper documents to register vehicles. “The simple task of registering and reregistering a vehicle involved bringing multiple documents to the motor vehicles register,” Price-Francis said. Relying on paper created widespread fraud and considerable bureaucracy. To evade authorities, tax evaders and traffic violators erased ownership records and previous violations.

Transportation officials in the three Indian states wanted a more secure option that could store a decade’s worth of data while also improving customer service. LaserCard’s solution was to incorporate two forms of technology. The optical security feature stores biometric information including a facial image and fingerprints. A contact chip stores images of scanned documents, such as the vehicle registration, so the owner doesn’t have to carry paper records to every visit. The documents are scanned at the security desk once and can then be pulled up the next time the vehicle owner visits. The card also stores information about vehicle infractions, making it easier for authorities to track down violators. The three Indian states adopted LaserCard’s technology in 2001 and, to date, have issued more than 4 million cards. There has been no known instance of a security breach on the card, and it has cut registration processing times by 60%, according to LaserCard.

One card, four technologies

In 2002 the Italian government tasked LaserCard with creating a secure ID card for the country’s national police, Arma dei Carabinieri. Members of the police force needed a single card to serve four functions:
• employee ID badge,
• national identity card,
• security access card for entering police facilities, and
• nationwide e-government services card.

Previously, officers carried separate credentials for each purpose. The new card combines optical security media with contact and contactless chips as well as an RFID tag. Shoehorning four technologies onto a single card created some manufacturing hurdles. “As you start incorporating more and more technology, there can be a challenge for real estate on the surfaces of the card,” Price-Francis said. Adding multiple chip layers also made it challenging to meet the card thickness standards set forth by the International Organization for Standardization. Price-Francis said LaserCard worked closely with its manufacturing partners to engineer a solution that maintained the card’s size without compromising its physical durability. “It’s a very small piece of plastic, essentially, so the technology must coexist,” Price-Francis said. “We’re leaders in the lamination of complex materials using polycarbonate, and we work with our industrial partners to address these challenges.”

Saudi Arabia seeks security

Interest in Italy’s model spread to Saudi Arabia, where paper-based identification had become a security problem for its national ID card. The challenge was to reduce instances of counterfeiting and fraud in a country with an increasingly mobile population, two long coastlines and borders with seven neighboring countries.

In 2004, Saudi Arabia introduced a secure ID card through LaserCard that relies on optical and smart card technologies. The optical media component stores the cardholder’s color photo, demographic information and fingerprints. It also incorporates authentication and security features, such as a hologram that allows inspection agents to verify the card’s authenticity with the human eye. All of the stored information can be updated as needed. The contact chip manages PIN information and stores demographic and health data.

Although the basic technology has remained the same on LaserCard’s deployments in India, Italy and Saudi Arabia, continued adjustments and refinements are made to the card’s features and capabilities year after year, said LaserCard spokeswoman Mary McEvoy Carroll. “It’s like a piece of Microsoft software,” she explains. “Although it might be called the same thing, it’s a very different animal.”



FedExField badges 10,000 employees with high-tech IDs

FedExField in Landover, Md. plays host to the Washington Redskins, college football games, soccer and a variety of other events through the course of a typical year. Because of the huge influx of seasonal, contract and temporary employees, stadium operators wanted a better way to identify staff and control their access to the facility. During the off season, when no event is planned, there are around 50 employees in the stadium during the day, but during an event this number skyrockets to as many as 10,000 employees, says Chris Bloyer, vice president of operations for FedExField.

In the past employees would walk through a checkpoint, but with thousands of other employees entering the stadium it was possible that individuals could sneak in without a badge or use the badge of another employee, Bloyer says. Executives needed to ensure that only authorized employees were granted access to the facility. Because of the stadium’s close proximity to the nation’s capital, they decided to deploy a smart card and biometric system to identify employees and contractors entering the facility, Bloyer says. The MobileAssure Access Control from Telos Identity Management Solutions was selected.


Employees undergo a background check before being hired, Bloyer says. Executives were looking for a system that would collect that information along with other employment data. The Telos system integrates with human resource management, scheduling and payroll systems. “We were looking for a system to compile all the checklists and create a credential that would tie the person who was vetted to the credential with a photo and biometric,” he says. The Telos system also enables stadium officials to designate specific times and entrances where the credential is valid, says Mike Ortt, program manager for Telos ID. If an employee shows up at the wrong entrance or at the incorrect time they can be denied entry. Otherwise, the employee swipes the credential, places a fingerprint on the scanner and is granted access, he says.

The system was used for the 2009 NFL season and a couple of other events with about 3,000 employees, Bloyer says. Since it was successful in this limited trial, stadium operators are rolling it out to all employees and have now enrolled 10,000 individuals. “We were concerned about push back from employees because of the more rigid processes,” Bloyer says. But it has worked well, he notes, and employees have embraced the system.
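The entrance- and time-scoped credential check described above, as an added illustration that is not the Telos MobileAssure product or FedExField’s configuration. Badge numbers, gate names, shift times and the byte-string “fingerprints” are constructed, and a byte comparison stands in for a real biometric matcher; what it shows is that each denial reason is distinct, so a log entry can separate a borrowed badge from a wrong gate or a wrong shift.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Assignment:
    entrance: str    # gate where the credential may be presented
    start: datetime  # first minute the shift admits the holder
    end: datetime    # last minute the shift admits the holder


@dataclass
class Credential:
    badge_id: str
    vetted: bool                # background check completed before hire
    fingerprint: bytes          # enrolled template (constructed stand-in)
    assignments: Tuple[Assignment, ...]


def fingerprint_matches(enrolled: bytes, probe: bytes) -> bool:
    """Stand-in comparator: a real matcher scores minutiae, this compares bytes."""
    return enrolled == probe


def admit(roster: Dict[str, Credential], badge_id: str, entrance: str,
          now: datetime, probe: bytes) -> Tuple[bool, str]:
    """Decide one presentation and return (decision, reason).

    Checks run cheapest first; the biometric is last because it is the check
    that ties the card back to the vetted person rather than to whoever holds it.
    """
    cred = roster.get(badge_id)
    if cred is None:
        return False, "unknown badge"
    if not cred.vetted:
        return False, "vetting incomplete"
    here = [a for a in cred.assignments if a.entrance == entrance]
    if not here:
        return False, "wrong entrance"
    if not any(a.start <= now <= a.end for a in here):
        return False, "outside assigned window"
    if not fingerprint_matches(cred.fingerprint, probe):
        return False, "fingerprint mismatch"  # badge presented by someone else
    return True, "admitted"


def run_demo() -> List[str]:
    """Constructed game-day scenario: one usher assigned to Gate A, 2 pm to 8 pm."""
    game_day = datetime(2009, 9, 13)
    shift = Assignment("Gate A", game_day.replace(hour=14), game_day.replace(hour=20))
    usher = Credential("FX-00123", True, b"template-usher", (shift,))
    roster = {usher.badge_id: usher}
    taps = [
        ("FX-99999", "Gate A", game_day.replace(hour=15), b"template-usher"),  # not enrolled
        ("FX-00123", "Gate C", game_day.replace(hour=15), b"template-usher"),  # wrong gate
        ("FX-00123", "Gate A", game_day.replace(hour=10), b"template-usher"),  # too early
        ("FX-00123", "Gate A", game_day.replace(hour=15), b"template-other"),  # borrowed badge
        ("FX-00123", "Gate A", game_day.replace(hour=15), b"template-usher"),  # legitimate
    ]
    return [admit(roster, *tap)[1] for tap in taps]
```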



Newly approved FIPS 201 products

Research detailed product listings and compare different vendor offerings online at FIPS201.com, the most robust source for FIPS 201, HSPD-12, ISO 24727 and PIV products and services.

Caching Status Proxy
PIVCheck Plus Desktop Edition, PIVCheck Plus Mobile Edition • Codebench

Card Electronic Personalization Device
ActivID CMS for PIV • ActivIdentity

CHUID Authentication System
PIVCheck Desktop Edition • Codebench

CHUID Card Reader (Contact)
IDL MAX • MaxID Corp.

CHUID Card Reader (Contactless)
IDL MAX • MaxID Corp.

Electromagnetically Opaque Sleeve
Rigid Shielded Badge Holder, Vinyl Shielded 2-Card Holder, Shielded sleeve • Brady People ID / JAM

Cryptographic Module
nShield F2 1500e, nShield F2 500e, nShield F2 6000e, nShield F3 1500e, nShield F3 500e, nShield F3 6000e • Thales e-Security, Inc.

PIV Authentication System
PIVCheck Desktop Edition • Codebench

PIV Card Printer Station
ZXP Retransfer Card Printer • Zebra

PIV Middleware
Smart Security Interface • Charismathics

SCVP Client
PIVCheck Desktop Edition • Codebench

Template Generator
BioMatch 378 Generator v2.1 • Precise

Template Matcher
BioMatch 378 Matcher v2.1 • Precise

Transparent Card Reader
Omnikey 2061 Bluetooth Smart Card Reader • HID Corporation
Multi-Tech Wallmount Reader, Multi-Tech Wallmount RS485 Reader, Single-Freq Mid-Range Keypad Reader, Single-Freq Mid-Range Reader • XceedID
SCR3500 USB Smart Card Reader • SCM
ACR3801 Smart Card Reader • ACS
LifeBook T5010 w/ integrated O2Micro SmartCard Reader • Fujitsu America, Inc.

OMNIKEY® 2061 Bluetooth® Reader from HID Global

HID’s OMNIKEY® 2061 Bluetooth® reader is an easy-to-use logical access solution that features hands-free, high-speed log-on to IT networks for government agencies, institutions and enterprise organizations concerned with data privacy in shared computing environments. The reader’s user-focused design allows the device to be easily carried on-person for visual security and freedom of movement for mobile employees, enabling organizations to maintain productivity while increasing security. With Bluetooth connectivity, manual card presentation is not required, making the reader an ideal solution for use in hygienic environments.

FIPS201.com, the premier resource for compliant credentialing: an id technology resource. Visit FIPS201.com to research and compare approved products.

Get your FIPS 201 Approved Product listed on FIPS201.com, customizing photos, links, brochures, contact information and more. Contact info@fips201.com for more information.

Contact: Ryan Kline, FIPS201.com Coordinator, 850-391-2273, ryan@AVISIAN.com


Major League Soccer club deploys contactless ticketing in New York

Ross Mathis, Contributing Editor, AVISIAN Publications

As part of a green initiative, and to complement its new arena opening in late March, Major League Soccer’s Red Bull team of New York incorporated a new paperless ticketing system with the aid of contactless smart card technology. Designed to improve the customers’ experience and increase the speed of entering the arena, the smart cards serve dual purposes: granting both arena access and purchasing power at concessions and merchandise locations. The effort also reduces paper use by storing the ticket on the card instead of printing it. Special turnstiles equipped with both smart card and barcode readers will be utilized to validate each card’s authenticity and grant entry to the arena. In the beginning, smart cards will only be issued to season ticket holders. Paper tickets with barcodes will still be issued to fans purchasing single game admission.

Season ticket smart card holders may also manage and load funds onto their cards using the Red Bull’s Web site. Fans may then use their cards to make purchases at concessions and merchandise locations. The Red Bull team has already mailed 7,000 smart cards to fans but expects these numbers to grow by more than 40% by the end of the year.

London-based Fortress GB supplied the ticketing infrastructure for the arena. The company has provided similar systems for a number of large soccer clubs in the UK, including Arsenal and Manchester. Fortress GB is also managing Soccer City and Cape Town Stadium during this summer’s World Cup. In City of Manchester Stadium, home of the Manchester soccer club, every season ticket holder is issued a personalized smart card with their name, seat number and a unique member number. Non-season ticket holders receive a smart card as well, but it contains only their name and a member number.

In either case, once a fan is given a smart card they never have to visit the box office again. The ticket holder simply goes online or calls the box office to give their member number and pay for the admission. The card is then activated for that game, or series of games. The arena turnstiles are fitted with smart card readers that quickly validate the card for entry. Upon entry, readers at each of the concessions and merchandise kiosks allow cashless payments for goods and services. Each cardholder is also given access to a secure Web portal where they can add and replenish funds on their cards. These types of transactions benefit both the cardholder and the arena, in that specific promotions and events can be directed towards specific members. A club can gain a better view of its fan base and personalize rewards and the experience of each fan.




I need... a trusted partner to make our global badge rollout a success.

HID Identity on Demand™ services deliver... the expertise and speed needed to ensure the success of your custom credential and ID projects – on time and within budget. Offering card design, database management and card personalization, we manage ID projects from start to delivery, creating superior ID badges for all types of organizations. Sold through HID Global’s extensive channel network of security integrators, Identity on Demand services are ideal for organizations that need a trusted source to manage the personalization of technology credentials due to lack of resources or tight time constraints.

To learn how HID can assist your badging projects, visit hidglobal.com/cardsondemand


