Regarding ID Summer 2011 by AVISIAN

Summer 2011

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

PIV-I Is it the standard for all future IDs? Private sector use of the FIPS 201 standard could dwarf government use

iDEAL: COST-EFFECTIVE MIGRATION Enhanced Security Easy Installation Multiple Applications Flexible Technology iCLASS®

iCLASS

Choose iCLASS® migration solutions from HID Global. HID iCLASS® smart technology has a lot going for it, now and into the future. You’ll get enhanced security through mutual authentication and encryption, and can add multiple layers of card-to-reader security using the iCLASS Elite program. The platform’s read/write technology opens the way to new functionality, while supporting legacy systems for an easy migration. Plus, it’s easy to install and afford. The security and new applications you want with the flexibility and economy you need — that’s what makes iCLASS migration solutions from HID the ideal deal. To explore access control technology migration, download your FREE whitepaper today at hidglobal.com/ideal-REID

Checkpoints. Not Chokepoints.

Fast. Accurate. Effortless. The AOptix InSightâ&#x201E;˘ VM iris recognition system brings truly high throughput, high confidence authentication to airports and borders. We're changing the way the world looks at biometrics. P. 408.558.3300 | www.aoptix.com/iris-recognition

Government and business rely on trusted identities. Whether you are protecting vital information or securing a border or critical infrastructure, you need to establish, with absolute certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide foolproof identification but also rigorously protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy.

CSC Public Sector CSC.COM/IDENTITYMANAGEMENT

DELIVERING TRUSTED IDENTITIES THAT ARE

BEYOND A SHADOW

OF A DOUBT

â&#x201E;˘

Contents 26

Cover Story

Will PIV-I be the identity standard of the future?

Health ID

Health care providers seek convergence

Biometrics

Can Web services revolutionize biometrics?

Card issuance

ID lifecycle 101: Understanding issuance models

Mythbusters

Can a mobile phone erase a hotel key card?

42 46 50 40

INDEX OF ADVERTISERS AOptix www.aoptix.com/iris-recognition The CBORD Group www.cbord.com CPI Card Group www.cpicardgroup.com CSC www.csc.com/identitymanagement CSCIP www.smartcardalliance.org Digital Identification Solutions www.dis-usa.com/Re-ID Entrust www.entrust.com Evolis www.evolis.com FIPS201.com www.fips201.com HID Global www.hidglobal.com/ideal-REID IEEE www.IEEEBiometricsCertification.org LaserCard www.lasercard.com Smart Card Alliance Conference www.smartcardalliance.org

3 55 49 4 61 9 5 31 65 2 39 37 59

26 | COVER STORY | Will PIV-I be the identity standard of the future? Or is it already?

67 | MOBILE | Google tackles payments unveiling mobile wallet

29 | LEGAL | Virginia law enables electronic notarization via PIV-I

68 | NFC | NFC posters bring ‘X-Men’ to life in London

30 | STANDARDS | Revisions to bring key changes to FIPS 201 Summer 2011

Perspective EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Autumn Giusti, Jill Jaracz, Gina Jordan, Ross Mathis, Mike McDaniel ART DIRECTOR Ryan Kline ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2011 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.

Excited about NFC

But it’s still going to be awhile Zack Martin Editor, AVISIAN Publications When I saw the press release in April that J.P. Morgan Chase would start issuing EMV payment cards I was excited. Finally my bank would enable me to get an EMV card. My elation quickly subsided as I found out that the cards would only be offered to those who frequently travel overseas. Other than a few trips to Mexico – and that Canadian trip the judge said I can’t talk about – my experience abroad is limited so it’s not likely Chase will be offering me an EMV card any time soon. At this point I expect to have a near field communication-enabled mobile device well before a bank issues me an EMV payment card. If anybody starts selling a case with a microSD card for my iPhone 4 I’ll be there. It’s likely that I’ll still end up waiting on the bank because they will have issues letting me put my payment card data on the microSD so it will be another waiting game. In all honestly, I’m more excited about the novelty of NFC than the actual practicality of it at this point. As I’ve shared previously, I already have three contactless cards in my wallet. Besides my Chicago Transit Authority card, the number of contactless transactions I’ve made with the cards I could probably count on two hands. It’s a combination of not frequenting retailers that are equipped with contactless card readers and the payment card I use the most is my debit card, which doesn’t have a chip. I also shop at a smaller, family-owned grocery store that doesn’t understand the difference between credit and debit so the contactless conversation is a ways off. As for the CTA, it’s talking about going open loop but I have a feeling I’ll be waiting awhile before I can download the CTA app to pay for my rides. The loyalty and marketing opportunities for NFC also have me jazzed, but again, I’ll be waiting for this. There will have to be more than one handset on the market that uses NFC before I can start tapping posters for coupons or movie trailers. And let’s be honest, the physical wallet isn’t going away anytime soon. There are not nearly enough contactless payment terminals out there and the idea of teaching my not-so-tech-

savvy parents about NFC gives me chills. Though my mom does use the Starbucks bar code payment app on her iPhone, and she raves about it. But my wallet may be able to get thinner. Maybe I won’t have to keep carrying my Costco card along with the other half dozen other frequent shopper/loyalty cards with me all the time.

I was excited as anyone else the day the document was released, but like the kid on Christmas who gets a sweater there was some disappointment. I had heard from some sources prior to the release that there would be specific use cases included that would show how a national strategy could make identification in cyberspace easier, safer and privacy enhancing. But alas there were none.

But still, the idea of walking around the corner to Starbucks, paying for my coffee and checking the loyalty app to see how close I am to a free drink makes me excited. Oh wait, Starbucks doesn’t accept contactless payments. Shoot.

The long-awaited National Strategy for Trusted Identities in Cyberspace was released in April to much fanfare. Identity folks are excited and a common refrain about the document is that hating it would be like hating kittens and rainbows.

But the honeymoon will be over soon. The first public meeting to discuss governance models will probably have already taken place by the time this magazine hits your desk. Two other meetings are scheduled for the summer with the goal to fund pilots late this year and next. As it’s been said, it will all come down to the implementation. I am looking forward to covering how the system is rolled out over the coming years.

From the Publisher Our singular goal: Help you improve your ID and security programs Ten years, 25 issues and a dozen online ID technology publications later … It is hard for me to believe that this is year number seven for Re:ID Magazine. Harder still, our first online identity publications launched more than a decade ago. We had a reception in Chicago last month to celebrate the 25th issue of this magazine, and I was catching up with a longtime loyal reader. She was complementary of the magazine’s impact and mentioned that she continued to read her ContactlessNews and SecureIDNews email newsletters “virtually every week.” I asked if she visited any of our other sites. She looked surprised. She didn’t realize that we publish more than a dozen titles, each focused on a specific ID technology or market sector. I knew I needed to do a better job keeping you – our subscribers – up-to-date with our offerings.

TECHNOLOGY-FOCUSED:

ContactlessNews – Contactless technology for access,

DigitalIDNews – Issuance and management of online ID,

NFCNews – Implementation of near field communications for

RFIDNews – Use of RFID and sensors for logistics, inventory

SecureIDNews – Smart cards for large-scale government and

ThirdFactor – Application of the wide range of biometric

Many of you have been with us from the beginning, and I cannot thank you enough. Others are newer to the identity market and/or our coverage of it, and I welcome you. In either case, I encourage you to check out the range of online coverage we can provide, subscribe to the titles that can help you succeed with your ID and security initiatives, and make it a habit to visit the sites. We want to help you to stay ahead of the curve. That’s our goal. Let me know if have suggestions as to how we can better serve you.

logical security and access credentials in the array of forms.

ID, payment, access, and mobile marketing.

management , supply chain and emerging applications.

corporate identity and converged access solutions.

modalities across the spectrum of ID and security markets. INDUSTRY-FOCUSED:

So here goes … More than 30,000 newsletters are mailed to opt-in subscribers each week and every day our editorial team posts news and insight to each of the sites listed … over there … to the right.

payment, secure document, identity and transit applications.

CR80News (CampusIDNews) – School and campus ID card

EnterpriseIDNews –Corporate use of Identity and security

GovernmentIDNews – Federal, state and local government ID,

FinancialIDNews – Banking, payment and financial systems

HealthIDNews – Patients and provider ID solutions for

and security programs for multi-application environments.

technology for employeew ID and closed campus applications.

security and credentialing programs around the globe.

use of ID technologies for employee and client applications.

hospitals, practitioners, insurers, pharma and more. PRODUCT-FOCUSED:

Best,

FIPS201 – Detailed information on the GSA approved products available for use in PIV and PIV-I identity programs. NON-ENGLISH:

Chris Corum chris@avisian.com

IDNoticias – Targeted Spanish language ID and security insight for Latin America, Spain and worldwide markets.

Summer 2011

RE:ID BACK ISSUES Save $100 with promo code: SUM11B *Normal price $200, Promo code expires Aug. 31, 2011

ONLINE LIBRARY ACCESS Save $20 with promo code: SUM11L *Normal price $49, Promo code expires Aug. 31, 2011

Another great print magazine …

CR80NEWS

Save $19 with promo code: SUM11C *Normal price $29, Promo code expires Aug. 31, 2011

Own the entire collection of Re:ID Magazine issues and have the identity technology world on your bookshelf. It is an invaluable reference source and could be required reading for new employees. Get all 25 issues, more than 1750-pages, for one low price.

Library subscribers have access to the full archives of more than 15,000 original news items and feature articles published in AVISIAN’s online suite of ID technology publications. For just $49, you receive unlimited password-protected access to content on all of AVISIAN’s sites for an entire year. Sign-up for multiple years and save even more. Your subscription helps fund the continued creation of independent, insightful content.

CR80News Magazine, published twice per year in the Spring and Fall, explores the use of advanced ID technology in campus ID programs. The magazine is the print companion to CR80News.com, and is the single source for news and insight on the technologies, products, and players in the higher education, K-12 and corporate campus markets.

Visit http://store.avisian.com to place your order today!

Do you have an idea for a topic you would like to hear discussed on an re:ID Podcast? Contact podcasts@AVISIAN.com

Episode 71: PIV-I getting more attention

Episode 73: Philly transit goes to smart cards

Anna Fernezian, program manager for identity and assurance at CSC, fills listeners in on PIV-I, the smart card specification that can be used by non-federal issuers to create highly secure credentials. Fernezian talks about the specification and why it’s important as well as the role it may play with future credentialing projects.

The Southeastern Pennsylvania Transportation Authority still uses tokens, but the system that serves 1 million commuters daily will be making the switch to contactless smart cards and near field communication in the coming years, Richard Maloney, SEPTA’s director of public affairs, told Regarding ID’s Gina Jordan.

The original scope of PIV-I was just for non-federal issuers and contractors who need to communicate frequently with the federal government, says Fernezian. “Many organizations have daily requirements for acknowledging documents or reporting structures (and) they need to be signed and trusted by the federal government.”

“SEPTA has the dishonor right now of having one of the oldest fair collection systems of any major transit system in the country. We think we’re the last one using tokens (and) paper transfers,” says Maloney. “It’s not efficient for our customers and it certainly isn’t efficient from revenue standpoint.”

Standards-based systems, like PIV-I, give organizations options and economies of scale. Smart cards can be purchased from one organization, readers from another and software from another still. “Certainly with standardization, costs are reduced because you have more providers, more vendors, more opportunity to purchase products … so prices become more competitive,” says Fernezian.

“For the riders, they will be able to use either a SEPTA card, which they can purchase, (or) they’ll be able to use their cell phones or building ID cards … (even) their driver license in some cases,” Maloney said. “They can use almost any device that they can upload value to that can be read by a machine that can take their ticket.”

To listen, visit SecureIDNews.com/Podcasts and select “Episode 71”

To listen, visit ContactlessNews.com/Podcasts and select “Episode 73”

Summer 2011

Episode 75: NSTIC … It’s all in the implementation

Episode 76: Program head gives ‘shtick’ on NSTIC

The National Strategy for Trusted Identities in Cyberspace has lofty goals, but as always the devil is in the details. If implemented correctly the strategy is a good thing, though this won’t be easy.

Feedback on the National Strategy for Trusted Identities in Cyberspace has been solid, explains Jeremy Grant, senior executive adviser and manager of the National Program Office for the NSTIC. He shares his thoughts on the public response, highlights immediate goals and addresses criticism of the current strategy.

“It is a utopian document,” says Aaron Titus, chief privacy officer and vice president of business development at Identity Finder. “Hating NSTIC, in its current form, is like hating puppies and rainbows because it just about says anything that anyone would want. My concern is in the implementation, there’s a lot that can go wrong.” “The identity ecosystem does create some potential problems. There’s a new central hub and unless done properly your ID provider knows your date of birth and potentially have every other piece of information along with your transaction history,” explains Titus.

“The one message that we’ve gotten from the release of the strategy is it really did strike the right balance which will enable us to help to bring people together from different sectors.” The strategy is going to try and build on current standards. “There’s a lot of working and collaboration because companies all have an incentive to be working around common standards and operating rules,” he says. “Industry is very excited about NSTIC to solve some of these issues and frankly to provide some clarity where there isn’t any.”

“While my retail privacy might be enhanced my wholesale privacy might disappear,” he concludes.

“The devil is in the details and how it will be implemented,” says Grant.

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 75”

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 76” Summer 2011

ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

VeriFone, MICROS let you pick up the check with NFC

VeriFone and MICROS Systems have teamed up to develop a new solution that enables restaurant goers to pay at the table with NFC-enabled phones. According to the partners, this is the first practical service allowing restaurants to accommodate NFC payment and rewards technology. The new system combines VeriFone’s PAYware Mobile Enterprise POS system, which adapts smart phones and wireless PDAs to securely accept payment transactions, with MICROS’s table management and order management solutions. Together, they hope to enable a quick and convenient way to pick up the tab without having to fork over your phone to the server. “Widespread adoption of NFC requires a restaurant solution, but consumers are not willing to hand over their mobile phones to the wait staff,” said Paul Rasori, VeriFone senior vice president of marketing. VeriFone’s PAYware Mobile Enterprise incorporates a 2D bar code scanner as well as a PCI-approved PIN debit keypad. The solution enables item scanning, facilitates payment card acceptance and allows receipts to be emailed to customers or transmitted to a nearby wireless printer.

Indonesian government plans to sell citizen’s ID data The Indonesian government is considering the sale of citizens’ identification data for business purposes. The move, which will surely be scrutinized, is said to help other businesses market their products effectively based upon demographics of the region. “For example, if a milk brand needs data about infant distribution in Indonesia for marketing 14

Summer 2011

purposes, they can use the data. But we won’t disclose private information,” Reydonnyzar Moenek, Home Ministry spokesman, told The Jakarta Post.

The Indonesian government is trying to create a centralized database that would include, “27 different pieces of personal information including addresses, family members, birth dates, employment and education information.” The database will contain information collected when citizens record their fingerprints at a local level, where they will be asked to check the accuracy of their personal data. The projects remain in the planning stages.

HID unveils FIPS 201 product line HID Global announced the first in a planned family of FIPS 201 compliant solutions. The company’s Federal Identity Compliance Initiative will make it easier for federal agencies to upgrade an existing physical access control system to support recently mandated government identity-verification standards. Customers will be able to deploy HID Global readers that are integrated with ActivIdentity’s ActivEntry upgrade modules and achieve full FIPS 201 compliance without having to replace their current physical access control head-end server, panel or door control hardware. According to a February 2011 memorandum issued by the U.S. Department of Homeland Security and the Office of Management and Budget, existing physical and logical access control systems must be upgraded to use PIV credentials in accordance with NIST guidelines, before federal agencies may use development and technology refresh funds to complete other activities.

HID Global’s Federal Identity Compliance Initiative aims to help agency’s comply and offer a roadmap from legacy to PIV credentials, and provide a modular hardware approach that makes it easier for agencies to respond to regulatory changes, modify security levels in selected areas as required, and take advantage of ongoing advances in access-control technology. HID Global will be offering its Federal Identity Compliance Initiative product family through its proven network of physical access control channel partners. HID Global also plans to extend the program beyond FIPS 201 to support Public Key Infrastructure (PKI)-atthe-door compliance and also PIV-I and PIV-C (PIV-compatible) requirements for cards issued by non-federal entities.

Entrust to deploy e-Passport EAC architecture for Denmark Entrust will help the Danish National Police (Rigspolitiet) migrate Denmark’s e-passport infrastructure to the Extended Access Control (EAC) standard - the EU’s newest standard for biometrics and e-passport security. Entrust will work with its partner Nets, a Danish technology vendor specializing in payments, to provide 670,000 EAC e-passports to Danish citizens on the initial roll out. Eventually all Danish citizens who apply through the Danish National Police will receive a new passport. According to Entrust, the EAC protocol is designed to ensure that only authorized inspection systems are able to access biometric data – iris scan or fingerprint – stored on the contactless chip of an e-passport. The specification describes an architecture enabling cross-jurisdiction passport inspection systems to authenticate the contactless chip as well as the biometric data on a passport.

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com Entrust will deploy its public key infrastructure (PKI) architecture for the EAC project, including the Country Signing Certification Authority, Country Verifying Certification Authority, Document Verifying Certification Authority and full Single Point of Contact capabilities. Entrust, who replaced the initial provider of Denmark’s Basic Access Control (BAC) trust infrastructure, also provides its PKI technology for Denmark’s national ID, of which 3.5 million have been issued to date.

GAO finds weaknesses in TWIC A review of the Tr a n s p o r t a t i o n Worker Identification Credential (TWIC) program by the U.S. Government Accountability Office (GAO) revealed “internal control weaknesses” regarding enrollment, background checking and use of the program. Administered by the Transportation Security Administration (TSA) and the U.S. Coast Guard under the Department of Homeland Security (DHS), TWIC requires maritime workers to complete background checks and obtain biometric ID cards to gain unescorted access to secure areas of regulated maritime facilities. GAO was charged with determining the extent to which TWIC’s processes for enrollment, background checking, and use are effective in providing secure access control. The GAO reviewed program documentation, toured four TWIC centers, conducted interviews and conducted covert tests at several U.S. ports. They identified vulnerabilities related to preventing and detecting identity fraud, assessing the security threat that individuals with extensive criminal histories pose prior to issuing a TWIC, and ensuring that TWIC holders continue to meet program eligibility requirements.

During covert tests, GAO’s investigators were successful in accessing ports using counterfeit TWICs, authentic TWICs acquired through fraudulent means, and false business cases.

Jason Hart, founder and the majority shareholder of idOnDemand, will continue to manage the Pleasanton, Calif.-based company as a business unit within Identive Group.

GAO is now advising the DHS to conduct a control assessment of the TWIC program’s processes to address the existing problems. The program, expected to cost billions, is currently reaching full implementation.

idOnDemand provides Software as a Service (SaaS) ID solutions, delivering a managed identity service that enables organizations to use a single credential for secure access to buildings, computers, mobile devices and corporate information stored in the cloud.

University of Colorado at Boulder taps VASCO

Based on its own IP portfolio and IP licensed from ActivIdentity, idOnDemand’s technology supports a range of corporate standards, including the U.S. government’s FIPS 201 specifications.

The University of Colorado at Boulder has chosen VASCO to protect its newly installed s u p e r c o m p u t e r. VASCO produces the IDENTIKEY server and DIGIPASS GO 6 that are used in tandem to prevent intrusions to the supercomputer and maintain security on the network. The university realized that access control for its supercomputer, which is used by both the university and other organizations including the National Center for Atmospheric Research, was a necessity. In addition, the university had business needs that demanded a solution that would service multiple strong authentication needs – specifically support for its campus VPN. After an evaluation, the university determined that a security solution to authenticate using its new DIGIPASS tokens was ideal. In addition the security solution needed to offer an authentication back-end to other existing authentication systems in use by these partner organizations.

Identive Group buys idOnDemand Identive Group acquired privately held idOnDemand, a provider of service-based identity credential provisioning and management in a transaction closed on May 2.

In return for 95.8% of the outstanding shares of idOnDemand, Identive Group paid initial consideration of approximately $2.4 million cash and 995,675 shares to a group of selling shareholders of idOnDemand. Total consideration also includes an earn-out worth up to approximately $21.0 million in shares of Identive common stock.

AOS developing long-distance fingerprint scanner Advanced Optical Systems (AOS), an Alabama-based developer of imaging and identity technology, is working on a new fingerprint-based authentication device that they believe will be capable of authenticating an individual’s identity from a distance up to two meters, according to a Technology Review article. The device, called AIRprint analyzes reflections of polarized light on a person’s hand using two cameras – one receiving vertically polarized light and the other receiving horizontally polarized light. AOS says device will be ideal in places where traditional biometric methods are inconveSummer 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com nient, such as physical access control systems that often require a user to stop and physically swipe a finger or card and wait for authorization. As the development of the device continues, the company hopes to enhance it by increasing the number of fingers processed, to up to five, and the processing time to below a second.

Up to 100 million NFC phones will ship this year, says NXP NXP Semiconductors is predicting that between 40 million and 100 million NFC-enabled mobile phones will ship this year. The company helped Google integrate NFC into Android 2.3. “Every time we talk to our friends at Google, they tell us to double the numbers for the Android expectations,” NXP CEO Rick Clemmer told IntoMobile. “If the low end happens, maybe it doesn’t get to be greater than 40 or 45 million units this year. If, in fact, Google’s right and we should double everything, then the numbers are closer to a hundred.” Clemmer added that after a low-key first half of 2011, NFC is set to “ramp rapidly” once the first NFC-embedded devices start shipping later in the year.

eAccess delivers one million contactless transit cards eAccess, a subsidiary of Cubic Corporation, has delivered more than a million of its Limited Use (LU) contactless cards to major U.S. transit and building access customers. 16

Summer 2011

The LU smart cards support both the NXP Mifare-Ultralight and Kovio-2048 integrated circuits. In the U.S. over the past year, eAccess delivered large orders of LU cards to LA Metro, Port Authority of New York & New Jersey (PATH), South Florida, San Diego Metropolitan Transportation System, and various other transit and non-transit applications.

The microchip’s ID number can be checked against online pet databases to trace a lost or stolen animal and return it to its rightful owner. Official organization can also use the RFID microchip and add information to the database such as medical history, vaccination schedules, updated owner addresses and more.

PATH, the most recent group to implement the technology, has branded the cards as SmartLink Gray. They are designed to complement the full-featured plastic SmartLink smart cards. Each SmartLink Gray card includes an LU NXP-Ultralight smart card circuit encoded with either a 10-Trip, 20-Trip or 40Trip value.

Here in the U.S. microchipping is still voluntary and only 10% of pets are identified with RFID. A nationwide pet database does not yet exist. However, individual organizations have established statewide databases to increase popularity and acceptance of microchipping. In other parts of the world, the technology is more widely accepted. Switzerland, for example, requires it for all dogs and horses.

Safegaurd your pets during National Microchipping Month June is National Microchipping Month and animal support groups are raising awareness to highlight the benefits of RFID pet identification for dogs, cats and other companion animals. The microchipping process involves inserting a small RFID transponder encased in a BIO glass tag beneath the animal’s skin. The chip is programmed following ISO standard with a unique pet ID number. “Microchipping is quick, safe and a relatively painless solution,” said Jean-Miguel, global director for HID Global’s Animal ID business. HID Global produces these glass tags on fully automated equipment, using direct-bond technology, which reduces trauma to both wire and chip. All HID Global pet ID tags are certified ISO compliant with 11784 and 11785 global standards, and are readable by any of the scanners routinely used in the pet industry. The tag can be read from a distance minimizing stress on the animal and reducing risk to staff.

Mexico registering biometrics of all minors in Guanajuato In a major move towards biometric registration of its citizens, the Mexican government has begun a project to collect iris and fingerprint data from all children in the state of Guanajuato. This follows the September 2010 program in which iris data was collected from all the citizens of the city of Leon in Mexico. While nothing beyond simple identification programs has been announced in association with the recent collection of data, a Singularity Hub article suggests that many citizens are concerned over the potential breach of privacy and fears of a centralized government having too much control over individuals. Others, however, see it as a unique new tool to fight against the rise of kidnappings in the state as iris recognition could prove beyond a doubt if a child is who the adult they are with is claiming him to be.

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Jolly announces MIFARE integration with Evolis printers Jolly Technologies, San Carlos, Calif., released version 5.1 of its ID Flow card production solution and its Lobby Track visitor management offering. The upgrades support MIFARE encoding with Evolis printers. The Jolly Encoder supports reading and writing of MIFARE compatible cards using an Evolis printer equipped with a MIFARE compatible reader, such as the SpringCard Crazy Writer reader. “This is a big feature for us in two key areas,” said Kurt Bell, Jolly’s vice president of sales and marketing. “First, it strengthens our offering in the European and other overseas markets that rely on MIFARE technology as the primary means of identity verification. Second, it adds tremendous value to our Lobby Track visitor management and integrated access control systems.” Lobby Track can now read access cards as they travel through the printer, print the cards and write the card number back to both Lobby Track and the integrated access system. “No other product on the market has this capability,” said Bell. “It really optimizes the card issuance process.”

Ingersoll Rand debuts Schlage portable contactless reader Ingersoll Rand Security Technologies, maker of S c h l a g e contactless smart credentials and readers, launched the new Schlage WPR400 Wireless Portable Reader.

Designed for use in contactless access control systems, the device offers a cache mode option for offline applications ranging from attendance, event admission, checkpoints, signal testing, perimeter expansion and more. “The WPR400 Wireless Portable Reader lets users extend the reach of their access control systems,” explains Karen Keating, Ingersoll Rand Security Technologies Portfolio marketing manager. “For a field trip, a school could use the reader to check in students when boarding a bus. Industries could use the reader to verify who has left the plant during a fire or other emergency. There are a myriad of applications.”

Biometrics help confirm bin Laden’s identity U.S. armed forces ensured they had indeed killed Osama bin Laden with the help of biometric scanners and facial recognition, according to a Wired article. The specific tool used by military personnel was an updated version of the Secure Electronic Enrolment Kit (SEEK II), a mobile biometric device that collects iris scans, fingerprints or facial scans and authenticates identities by comparing the information wirelessly to an FBI database. The SEEK II device is a faster, more robust version of the BATS and HIIDE biometric collection systems that military personnel had been using in the Middle East to collect information to better distinguish between normal citizens and those with terrorist ties. Despite the push for usefulness of the facial recognition, defense officials maintain that fingerprint biometrics have remained the most useful and dependable mode of biometric authentication for the military.

GAO pushes DOD to enforce biometric standards The U.S. Government Accountability Office (GAO) issued a recommendation that the U.S. Department of Defense (DOD) better their use of biometric technology. The DOD is budgeted to spend $3.5 billion on the technology between 2007 and 2015. The GAO was tasked with determining how much the DOD has taken standards and interoperability into account as well as review DOD policies on sharing biometric data with other federal agencies. The GAO found that while the DOD has standards for interoperability and sharing in place, they are not strictly enforced. Devices, such as those used to collect biometrics by the Army, are incapable of transmitting data collected to agencies such as the FBI. Since the GAO also discovered that the DOD has no proper process, procedure or timeline for implementation of recognized standards, they have recommended that certain officials such as the Under Secretary of Defense for Acquisition, Technology, and Logistics be tasked with implementing a process for updating devices and policies to conform to standards.

High school students to try out DC One Metro ID cards Students attending the School Without Walls, a public magnet high school located on the George Washington University campus in Washington, D.C., are using DC One smart cards to ride the metro to and

Summer 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com from school. The school is the first in the district utilizing the contactless fare card. Some say the new system will help cut crime. Theoretically, with the ID cards, Metro could suspend the passes of misbehaving teens. Still, city officials insist the goal of the ID cards is not for discipline. The cards can be limited for use during school hours only. If a student drops out of school, the card could be shut off because it’s no longer being used for an educational purpose, said a D.C. Department of Transportation spokesperson.

Fujitsu releases new smaller and faster vein authentication Fujitsu Frontech released a new vascular biometric scanner it is touting as the world’s smallest and slimmest contact-free vein authentication scanner. Officials say that the new palm-vein authentication sensor is small enough to be easily incorporated into laptop computers and other electronic devices for embedded biometric authentication. Additionally, the new sensor has improvements in speed and functionality over its predecessors processing 20 frames per second. This enables a user to lightly place his hand in front of the sensor rather than requiring him to remain absolutely motionless for proper authentication.

CPI Card Group taps NXP, KSW for contactless card tech Leading card manufacturer CPI Card Group will broaden its portfolio of contactless offerings with technology from NXP Semiconductors and KSW Microtec. The partnership will give CPI access to NXP’s Fast Pay contactless security chip used for contactless payment applications in the U.S. 18

Summer 2011

and Canada. KSW Microtec will share its Thinlam contactless prelaminate for contactless personal ID card manufacturing. According to CPI, the solution provides exceptional thinness and maintains high reliability and durability thanks to its unique assembly technology. “Both NXP and KSW have demonstrated their commitment to developing cutting-edge technologies in the contactless space, and we look forward to working together as a team to meet our clients’ needs, and exceed their expectations,” says Benoit Guez, director of Smart Cards and New Technologies at CPI.

Entrust offering PIV-I solution Entrust is extending its Non-Federal Identity SSP service to include PIV-I compliance for state governments, the private sector and entities that wish to securely communicate and interoperate with the U.S. federal government. Entrust’s PIV-I solution has been approved by the Federal PKI Policy Authority and is one of three vendors on the U.S. government’s list of approved PIV-I providers. PIV-I is based on the same standards of vetting and issuance developed by the U.S. government for its employees, but it has been tailored for state, local and enterprise use. The digital identities contained in the PIV credentials are issued by Entrust for all agencies using the USAccess program and major agencies such as the U.S. Departments of Treasury, State and Labor, as well as the Department of Homeland Security and NASA.

HID Global integrates MIFARE technology into security solutions HID will integrate NXP’s MIFARE technology into its physical and logical access readers

and software to enable support for multiple technologies in their access management installations. HID’s Trusted Identity Platform (TIP) will be used to provide a secure delivery infrastructure for updating HID readers to support NXP’s latest card technologies, including MIFARE DESFire EV1 and MIFARE Plus, as well as reader life cycle management. This will also allow readers and terminals to support HID’s next generation Secure Identity Object on MIFARE platforms. “With the emergence of NFC applications and the growing need for mobility and security, our customers face new challenges that require new, future-proof solutions,” says Tam Hulusi, senior vice president at HID Global. “We are pleased to partner with NXP to help fuel this market and bring access management systems to the next level.”

Democrats push for separate flight crew checkpoint Democrats from the House of Representatives’ Homeland Security Committee issued a letter to the Transportation Security Administration (TSA) pushing for a biometric-based fast track security checkpoint for flight crews at airports. The TSA is already piloting such a system, but the representatives worry that the program will roll out without a biometric component, according to a NextGov article, which they see as integral to keeping high security in such a program. Additionally, the TSA is getting pressure from pilots’ unions to move quickly in implementing the new program as new security trends such as the body scans and pat downs have significantly slowed security lines and made arriving for work much more difficult for airline crews.

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

NYU to implement new ID cards New York University students will be getting a redesigned ID card this fall that includes contactless capabilities for building access. “The reason for issuing a new ID card is (twofold),” said a NYU spokesperson. “It has been in place for far too long (10 years), and there is a need to upgrade the card from its current magnetic stripe technology.” The new cards will retain the magnetic stripe for financial transactions but will allow the cardholder to wave the card at a reader rather than swipe the card when trying to access NYU buildings. For extra security, students will have to enter their birth date at the reader.

Design review for Lockheed’s NGI system completed Lockheed Martin announced a successful Critical Design Review of increment 3 of the FBI’s Next Generation Identification (NGI) system, which includes latent fingerprint and palm print matching capabilities. The NGI enables the FBI to collect biometrics from criminals and persons of interest. Local and state police forces can access the FBI database to identify repeat serious offenders or those linked to terrorist activities. The FBI had already announced the operating capability of NGI’s Increment 1, which includes fingerprint-matching capability. Increment 2 involves a capability called the Repository for Individuals of Special Concern, which other law enforcement agencies immediate access to the database.

Chase, Wells Fargo each to issue EMV cards in U.S. Chase Card Services will issue a credit card with EMV chip technology to select U.S. customers. In June, the company will unveil chip-and-signature on the JPMorgan Palladium credit card that serves customers who frequently travel abroad. The feature will be added to other Chase credit cards within the year. The new Chase cards will feature both a chip and a traditional magnetic strip to accommodate merchants in the United States. Chip technology is the standard in Europe and has completely replaced magnetic strips, so cards with chip-and-signature technology offer more streamlined credit card purchases while traveling in Europe. Chase is targeting the card for members who travel frequently overseas, says Laura Rossi, a spokesperson at the company. Current Chase cardholders won’t necessarily receive the cards unless they travel to areas where EMV is used. “At this point we want to offer our cardholders a hassle free experience in Europe,” Rossi says. In a separate initiative, Wells Fargo is testing a Visa Smart Card with a traditional magnetic stripe and EMV chip technology, also to help increase card acceptance worldwide. The pilot includes 15,000 Wells Fargo consumer credit card customers who travel internationally. Two credit unions in the U.S. are also issuing EMV cards.

Precise Biometrics focuses on U.S. expansion Precise Biometrics’ new management group will focus on the U.S. marketplace and development of its new internal divisions of Mo-

bile, Identity Access Management and Access Management. The U.S. made up one-third of sales for biometric technology worldwide and reports predict the market will double by 2015 to reach $3.2 billion. Their new efforts will encompass working towards providing solutions at all levels including government, enterprise and consumer solutions.

Google taps ACiG for NFC smart poster campaign in Austin Google selected ACiG Technology to be the exclusive supplier of NFC stickers for its Google Places marketing campaign in Austin, Texas. Google is distributing the 80x50mm stickers to local business owners throughout Austin to help them promote their products and services. Business owners can affix the tags to promotional posters, enabling customers with NFC phones to access all kinds of relevant information about a local business - such as its address, phone number, hours of operation, payment types and helpful reviews - all with the tap of their phone. Consumers can also rate or review the business from their mobile device and then receive more personalized local recommendations in their search results based on their opinions and those of their friends. Bernardo Hernandez, senior director of consumer marketing for Google, comments: “NFC-enabled stickers are an integral part of our outreach efforts to local Austin businesses as they demonstrate the effectiveness of Internet spot marketing and help consumers quickly discover more information about a business. About 20 percent of all searches on Google are for local information, and NFC technology delivered by Smartag smart stickers enables really interesting ways to connect Austin locals and visitors with the businesses in the area.” Summer 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com “As a manufacturer and distributor of core RFID technology, we see many market trends develop from their earliest stages,” adds Roger Hornstra, President U.S., ACiG Technology. ”Smart posters are expected to be a tremendous growth area in B2C marketing, and we are excited to work with Google as it pioneers this exciting application of NFC technology.”

European campus card standardization pilot successful A European Education Campus Card Association pilot designed to develop standards for campus card issuance across the continent was successfully completed, the association reports. The creation of a standard campus card system is intended to enable colleges and universities to share information using a common ID that will act as a student’s “electronic key” so that administrators at other schools across Europe can access the student’s records on secure databases. Students from Waterford Institute of Technology in Ireland and the Technical University of Lodz in Poland participated in the first trial. The pilot tested and validated the secure transfer of student academic information between institutions and the interoperability of the EECS Pilot Project between campus card systems. With the pilot under its belt, the association’s next step is to move into a full demonstration phase with installation of live systems in several more European colleges and universities.

Indian organization looking to use biometrics to fight TB Operation Asha, a non-government organization in India that monitors Tuberculosis in Indian cities, uses biometrics to keep track of 20

Summer 2011

who has been infected in an effort to eradicate the disease. By collecting fingerprint data from the patients during each visit, counselors at the centers are able to deliver personalized care to ensure that anyone infected is staying on their entire course of medication. The project is one of the thirty social enterprises under consideration to receive a $50,000 grant from the World Bank, according to Times of India.

New FBI technology being used by city police Five police agencies around the U.S. are utilizing a handheld, fingerprint-based biometric scanner as part of an FBI pilot program of its FBI Next Generation Identification System. The new system works by increasing the speed at which police can get federal criminal information on an individual by digitally sending fingerprint samples from their devices to the FBI’s database to check for outstanding warrants, terrorist ties and past sex offenses. The system, called the Repository for Individuals of Special Concern (RISC), was designed to replace the FBI’s Integrated Automated Fingerprint Identification System that’s been in use by the FBI and police agencies around the country since 1999. While the RISC system depends on fingerprint data for now, it has been designed to incorporate other biometric data such as iris scans or face recognition data as the technology comes into use in policing. In addition to increasing speed and ease of matching persons of interest to the FBI database, the RISC system has also increased its accuracy from 92% to 99.6%, according to a Pittsburg Post Gazette article. Additionally, the old system is being taxed as its was designed to handle 62,000 requests daily

but is now processing 200,000 whereas the new system is capable of up to 900,00 daily requests.

Jolly supports QR bar codes in all products Jolly Technology now supports QR bar codes in its Lobby Track, ID Flow, Asset Track and Label Flow products. The company envisions uses of the technology will be for ID verification, ticketing, trade shows and other uses for the transfer of personal information. These bar codes can store information about a given person or item from a database record. The QR bar codes can be printed on a variety of media including ID cards, badges or labels and can be read by QR bar code readers and most smart phones. Jolly also added the capability to email bar codes as record identifiers to its Lobby Track product. Pre-registered visitors and attendees are sent an email that they can use to scan-in and quickly receive a badge.

Ingenico to acquire Hypercom’s U.S. payment systems business French payment solutions provider Ingenico has announced the acquisition of Hypercom Corporation’s U.S. payment systems business. Ingenico has agreed to pay $54 million in cash for the business, but the sum is subject to post-completion price adjustments. Ingenico says the acquisition is a “major step” in its goal to increase its activities in the U.S. market and accelerate the adoption of contactless NFC technology. Following the completion of the transaction, Hypercom’s customers will have access to this technology via Ingenico’s Telium range of contactless payment products.

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The transaction should close just prior to completion of VeriFone’s acquisition of Hypercom, which is expected to occur in the second half of 2011. In order to facilitate the integration of the two business operations, Thierry Denis has been appointed President of Ingenico North America, reporting to the CEO.

NFC used to test water quality in post-earthquake Haiti The non-profit organization Deep Springs International is partnering with the Nokia Research Center in Palo Alto, Calif. to ensure the supply of clean drinking water in Haiti with NFC technology. In order to track chlorine levels in household drinking water, the partners are distributing water treatment kits with NFC technology to families in the most rural parts of Haiti. The kits consist of a five-gallon plastic bucket with a lid and spigot. BullsEye NFC tags from UPM RFID are attached to buckets, allowing DSI’s water technicians to track water quality and chlorine content using Nokia 6212 NFCenabled cell phones.

tent infrastructure. Simple control, track and trace functions can be created rather easily between an NFC phone and RFID tag, sometimes even without network support”, says Mikko Nikkanen, business development director of UPM RFID.

Samsung, Visa plan NFC handset for 2012 Olympics Samsung will introduce its new Samsung Olympic and Paralympic Games mobile handset with mobile payment technology from Visa. The handset will enable consumers at the London 2012 Summer Games to make contactless mobile payments at more than 60,000 merchant locations. To make payments, customers simply select the Visa mobile contactless application, select pay and hold the phone in front of a contactless reader at the point of purchase. To kick off the initiative, Samsung and Visa are giving their Olympic handset to sponsored athletes. The partners also plan to make the handset available for consumers to purchase through mobile network operators and other distributors. A Visa-enabled SIM card will be required for use with the device in order to make purchases at contactless retailers.

America 2010 by the research firm Frost & Sullivan for their multispectral fingerprint sensor.

Gemalto launches MasterCardcertified NFC payments application Gemalto introduced a UICC-embedded software application compliant with Mobile MasterCard PayPass M/Chip 4, the new MasterCard specification for NFC mobile payments. Gemalto says this development could pave the way for mass commercial rollouts of NFC payment across the world. In the UK, Gemalto is already partnering with a global first-tier financial institution and a leading mobile operator to carry out the first mass commercial roll out.

DSI says their chlorine tracking solution is helping curb the cholera outbreak following the devastating earthquake in January of last year. The organization reports a 50% reduction in the incidence of diarrhea among users. So far the organization has reached 35,000 families throughout Haiti.

The partners say they plan to use the Games as a springboard for launching mobile payments in the UK and beyond.

Gemalto’s software application embeds the Trusted Service Management interface for PayPass, enabling mobile account issuance and over-the-air management. It features a user-friendly handset interface designed to make mobile NFC payment convenient and easy to manage. The application can be configured to cover all card portfolios including debit, credit and prepaid. For prepaid accounts, the software application enables consumers to top-up their prepaid accounts directly from their mobile phone.

Lumidigm named to list of top 300 startups

HID adds to its ID on Demand product

Joseph Kaye, senior research scientist at NRC, initiated the project together with David Holstius, a Ph.D. candidate at the UC Berkeley School of Public Health and developer of the software application for mobile phones.

Lumidigm was recognized in the fundedIDEAS publication’s list of TOP 300 STARTUPS ranking of 29th overall. Those honored in the publication scored in the top 300 across 14 parameters for business performance including the strength of its management team, business model, execution strategy and technological innovations. In addition, Lumidigm was awarded Product Innovation of the Year for Fingerprint Biometrics North

HID Global announced it has extended the features of its HID Identity on Demand services to include a secure Web portal that enables customers and channel partners to monitor and manage all aspects of card personalization projects. Design, ordering, data transmission, multi-color printing, programming and delivery anywhere in the world are supported.

“NFC technology is a fast and cost-effective way of shoring up or totally taking over maintenance functions in post-catastrophe environments left with a fragile or non-exis-

Summer 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The HID Identity on Demand card services portal provides a way for customers to upload and communicate data, photos and other information to a service bureau. This reduces the cost and complexity associated with maintaining and operating a corporatewide badging infrastructure. The portal is designed to make it easier to manage and re-order existing formats, simplify project status tracking and give customers confidence that their data is protected and their issuance needs are met.

Schools, colleges fight UK’s biometric consent bill UK’s Association of School and College Leaders, representing secondary school and college personnel, is fighting legislation that forces schools to seek approval from both parents before they can use a child’s biometric data. It would be a “huge bureaucratic burden” for schools using fingerprint recognition systems for cardless libraries and cashless canteens, the association said. The new Protection of Freedoms Bill also gives pupils in schools and colleges the right to refuse to give their biometric data and compels schools to make alternative provisions for them. Until now, schools have only had to explain to pupils and parents what they are doing but did not need permission. The association said schools already running the systems may see a surge in those deciding not to opt in, and they fear pupils may refuse to give their data just to make trouble. Schools that already use biometric technology will have to seek parental permission retroactively, even if their systems have been in operation for years.

Summer 2011

Face recognition systems tested on identical twins

define the minimum level of security for the whole mobile payment value chain.

Researchers from the University of Notre Dame, Kevin Bowyer and Patrick Flynn, attended the Twins Days Festival in Twinsburg, Ohio to find participants to test the limits of face recognition technology.

“The EPC is committed to advancing a sustainable mobile contactless payments ecosystem through the delivery of implementation guidelines that promote an interoperable and flexible architecture,” said the organization in a release. “This enhanced level of clarity offered by the document will ensure adherence to an adequate level of security measures and appropriate governance by payment service providers.”

Findings presented at the IEEE International Conference on Automatic Face and Gesture Recognition 2011 reveal that face recognition systems are not yet capable of perfectly distinguishing between twins with such similar features, but the technology shows promise in certain situations and environments. The face recognition systems tested very well when lighting was ideal such as in a studio or when facial features such as smiling were controlled. However, when the researchers performed the same tests under conditions that more closely resembled real-world conditions the systems were unable to tell the differences well. In order to rectify this, Bowyer and Flynn suggest a push for higher resolution cameras focusing on finer facial details. According to IEEE Spectrum, the research was funded by a grant from the FBI.

EPC publishes guidelines for NFC payments in SEPA The European Payments Council (EPC) released a final draft of its guidelines for mobile contactless transactions in the Single Euro Payments Area (SEPA). The EPC says the guidelines are designed to expedite the development and implementation of NFC mobile solutions while avoiding the development of proprietary solutions with limited geographical reach. The guidelines also describe the roles of stakeholders involved in Mobile Contactless SEPA Card payments, clarify the position of the EPC, and

The Council is inviting industry members to provide feedback by June 17, according to Finextra, with the goal of publishing final recommendations by October of this year.

LaserCard inks $2.1 million deal for Saudi Arabia national ID card LaserCard received a purchase order valued at $2.1 million for chip-ready, optical security media-based credentials for the Saudi Arabia National ID Card program. The ID cards are issued to Saudi citizens nationwide for identification, e-government and regional travel purposes.

Fulcrum announces new fingerprint scanner for iPod Fulcrum Biometrics has announced the release of a new fingerprint recognition accessory and accompanying application designed for use with the iPod Touch. The new solution, called FbF mobileOne, snaps onto a 2nd, 3rd or 4th generation iPod Touch and enables a user to swipe a fingerprint on a silicon sensor. Fulcrum asserts the device is robust enough for use in government, medical and law enforcement applications.

CALENDAR

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The company is pushing the new solution for biometric voter registration in rural areas. The mobile nature and long battery life of the iPod enables its easy use far from accessible sources of electricity. Additional applications could include time and attendance tracking for construction or farm workers and on-site law enforcement warrant searches.

Isis welcomes more partners, denies ‘scaling back’

JUNE 2011

OCTOBER 2011

Isis, the mobile payments venture by Verizon Wireless, AT&T Mobility and T-Mobile, is not “scaling back” efforts to launch its own payments platform in favor of a simpler mobile wallet service, contrary to a report by The Wall Street Journal.

EMVCo Annual Meeting June 28 – 29, 2011 Amsterdam, Netherlands Mercure Hotel Amsterdam Ann de Amstel

CTIA Enterprise and Applications October 11 – 13, 2011 San Diego Convention Center San Diego, CA

JULY 2011

NOVEMBER 2011

According to Mobile Commerce Daily, Isis will continue as planned to develop its own mobile commerce network supported by NFCenabled payments and a mobile wallet. However, the company says it is looking to partner with more payment networks and issuers in order to get the service to market faster and at a greater scale.

Mobile Payments & NFC Asia 2011 July 13 – 14, 2011 Eaton Smart Hong Kong Hong Kong, China

Smart Cards in Government Conference November 1 – 4, 2011 Ronald Reagan International Trade Center Washington D.C.

SEPTEMBER 2011

ISC Solutions (formerly ISC East) November 3 – 4, 2011 Jacob Javits Convention Center New York City, New York

“We took the initial strategy of fewer partners to see if we can bring those forces into alignment,” Isis spokesman Jaymee Johnson told MCD. “And last year in November, when Mike Abbott came on as CEO, there were some profound changes in regulation around how payments are priced to a consumer. But, more importantly, as we spoke to the merchant community, banks and payment networks, there was a lot of interest in working with Isis. So now, our initial strategy with working with fewer has accelerated to working with more.” “The bottom line is Isis is now open to more partners to build the m-payments industry and is igniting a one ecosystem factor,” Johnson stated, adding that Isis is not prepared to reveal the names of any new partners just yet.

Seventh Symposium and Exhibition on ICAO MRTDs, Biometrics and Security September 12 – 15, 2011 ICAO Headquarters Montréal, Canada NFC World Congress September 19 – 21, 2011 Sophia – Antipolis, France ASIS International 2011 September 19 – 22, 2011 Orlando, FL 2011 Biometric Consortium Conference and Technology Expo September 27 – 29, 2011 Tampa Convention Center Tampa, Florida

CARTES & IDentification November 15 – 17, 2011 Paris-Nord Villepinte Exhibition Center Paris, France FEBRUARY 2012 RSA Conference USA 2012 February 27 – March 2, 2012 Moscone Center San Francisco, Calif. 2012 Payments Summit February 7-9, 2012 Salt Lake City, UT

Isis will still make its debut in Salt Lake City next year as part of a transit payment pilot.

Summer 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Congress investigating TSA biometric system failures TSA officials did not show up to a U.S. congressional hearing on transportation worker credentialing. According to a Journal of Commerce article, the hearing was investigating why it has taken the agency so long to get a viable biometric credentialing and security check procedure in place for airline flight crews. John Mica, the chairman of the House Transportation and Infrastructure Committee, the committee overseeing the hearing, stated that he would see to it that the official testimonies are on the books one way or another.

Governments are adopting the credential to help combat fraudulent and criminal activities, improve return on investment and bundle several applications in one document to create efficiencies for government departments and make the documents more userfriendly, flexible, and secure for citizens ABI Research’s new “Government and Healthcare Citizen ID Cards” study examines and forecasts the installed base as well as shipments of legacy and smart documentation over a six-year period. Applications include driver licenses, health care, national ID, passports, voting cards and others. Further forecasts include applications by chip interface and product type.

SmartGroup enters U.S. payments market

Mica is not ruling out reaching out to the House Homeland Security Committee and Oversight and Government Reform Committee in an effort to force the TSA chief John Pistole and Transportation Worker Identification Credentialing (TWIC) program manager John Schwartz to testify.

SmartGroup, a provider of instant card issuance and EMV payment solutions, announced the launch of SmartGroup USA.

The committee is looking into why, after six years, the airline crews still do not have a proper credentialing system in place. In addition, TSA had failures during the TWIC program. Despite the issuance of 1.6 million credentials, the agency failed to deploy devices for reading fingerprints by the established deadline.

This follows their opening of new technical support centers in eastern Canada and the western United States. SmartGroup USA also announced key partnerships with an unnamed North American card issuance provider and printer manufacturer, Zebra Technologies.

1.5 billion smart credentials to ship in next three years Smart card credentials along with biometrics are seeing an uptake in adoption worldwide. ABI Research estimates that about 1.5 billion smart credentials will be issued through 2014.

Summer 2011

SmartGroup enters the U.S. and Canadian markets with a strong client base in Africa, Europe and the Middle East. These include BNP Paribas, BankAsya, CartaSi, Citibank, Dexia, Emirates Bank, Finansbank, Garanti, Migros, Network International, Unitcredito and others. SmartGroup USA provides its customers with card management systems, EMV, contactless, NFC-based SIM or micro SD EMV solutions, EMV prepaid and loyalty based card issuance.

sQuid, ACT partner to form Smart Transactions Group Transit and tourism solutions provider Applied Card Technologies (ACT) and digital payments company sQuid have inked an $87 million deal to form a new corporate umbrella, Smart Transactions Group. The two UK start-ups operate contactless smart card-based networks and now share plans to launch NFC and mobile phonebased solutions jointly. ACT has specialized in visitor destination management systems, retail reward programs and ITSO transit solutions. sQuid has focused on its pre-paid eMoney platform for the education and retail sectors. Together the companies account for more than 500,000 payments and 50 million transit transactions every month. Smart Transactions Group plans to roll out pre-paid travel purses, integrate transit and eMoney cards and launch NFC and mobile phone-based payments and ticketing. The goal is to accelerate expansion in the UK as well as launch small value payment and ticketing services in a number of emerging and fast-growing markets. The company says it will have pro-forma 2011 revenues of approximately $15 million and its payments revenue is growing at a doubledigit monthly rate, while transit transactions are also expected to grow 50% in 2011.

SecureIDNews.com/VIDEOS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Secure credentials only as secure as the printers Printing secure identity credentials is complicated. “You have to have a whole corporatewide approach to your issuing and credentialing system,” says David Murphy, industry development manager for cards, at Zebra Technologies. “It’s not simply a printer, it’s everything around it: the software, the input, the people handling it, the vetting, etc.” Extra security can secure the card stock and printer ribbons and limit access to the physical printer. “There’s also lock down methods for the printers themselves, both hardware and software lock downs that will only recognize certain applications,” Murphy added.

Teslin helps secure credentials “The composite card that you would make with Teslin is actually going to give you better security, durability and functionality of your integrated circuit because of the composition of Teslin,” says Pamela Campbell, the global manager for Teslin products. Teslin is used in the U.S. and UK e-passports as well as 35 others and is going to be in the Mexico national ID. Teslin is a tear-resistant and tamper-resistant print media made up of hydrogen and carbon that is used as a secure layer in ID credentials. The layer of Teslin material has data printed on it prior to laminating the ID.

MorphoTrak releases combo fingerprint, vein scanner MorphoTrak unveiled a new biometric scanner that captures both the fingerprint and vein pattern at the same time, explains Consuelo Bangs, senior program manager at MorphoTrak. “The device uses two different biometrics. It’s both the standard fingerprint that everyone is aware of, but now, we’re marrying that with the finger vein pattern (inside) the finger,” Bangs says.

Precise Biometrics explains match on card Match-on-card biometrics receives a lot of buzz because of its potential privacyenhancing abilities. With match on card the biometric template never leaves the card so there’s no chance it’ll be intercepted. Precise Biometrics’ Michael Harris explains the technology as well as some of the benefits noting that there are more than 100 million national ID cards with matchon-card in circulation as well as 60,000-plus match-on-card credentials deployed within the U.S. Department of State.

Biometrics on the cusp Organizations have hesitated to deploy biometrics not because of performance issues but because of a perceived lack of standards. That problem has been solved by M1 and ISO publishing good standards that have proven to work, says Richard Lazarick, chief scientist at CSC’s Global Security Solutions Identity Labs “The barrier now is, ‘Can I convince myself that I’m going to get a return on investment’,” states Lazarick. One way that Lazarick thinks the industry will overcome this barrier is with having third-party testing, certifying claims that vendors make as well as an approval process or approved product list for biometrics.

Summer 2011

Will PIV-I be the identity standard of the future? Or is it already?

Zack Martin Editor, AVISIAN Publications

Summer 2011

It didn’t take long after the Personal Identification Verification (PIV) standard was unveiled and government employees were being issued credentials for someone to come up with PIV-Interoperable. The idea was a bit amorphous at first, most seemed to think it would be used for government contractors and first responders. But that’s changed. Government contractors are rolling out enterprise identity management systems using the PIV-I standard, and corporations that do little to no business with the government are considering deployment to comply with regulatory issues such as Sarbanes-Oxley and Payment Card Industry Data Security Standards. “What we find in working with industry is that there are tremendous incentives to use PIVI from a governance, risk management and compliance perspective,” says Sal D’Agostino, CEO at IDmachines. “You can leverage best practices to meet any compliance regime out there. Consolidation of all these compliance issues has a real economic benefit and can help keep a company safe from situations where they could be liable for penalties of up to $1 million a day.” And while corporate America considers using the identity standard, state and local governments as well as contractors are already rolling it out. Over the last few months CertiPath, Verisign, Entrust and Verizon have announced cross-certification with the Federal Bridge Certification Authority at the new PIV-I assurance level. Any organization that wants to issue PIV-I credentials and use them to communicate with the federal government can contract with these companies.

tect for global governments at Entrust. Anything more than six months and contractors are required to undergo a background check from the government. Government contractors are still the primary audience for PIV-I, but the scope has grown to include health care workers, first responders and possibly even everyday citizens wanting to secure their identity online. The standard has grown more popular because of its stability and options with certification, says D’Agostino. “There are multiple options you can take … cross certify yourself, create your own certificate authority, get certificates or get the entire thing as a service,” he says. “PIV-I is pretty clear on how to go about and do it and there are options in the marketplace.” And there may be more options coming soon, D’Agostino says. FIPS 201 is being revised and the first draft has been released. While PIV-I is considered a smart card standard now that may not be the case in a few years. “Look at this as more than just a smart card,” he says. “It gives people options on how to do it. Having the entire specification built on standardsbased technology and protocols are signs of a very mature offering that makes it very attractive.” When choosing a smart card system there are two routes an organization can go: standardsbased or proprietary. Proprietary systems sometimes perform better than standardsbased systems but they lock an organization to a specific vendor or product set.

Standards-based systems, like PIV-I, give organizations options. Smart cards can be purchased from one organization, readers from another and software from another still. There are also economies of scale with standards-based technologies. “Certainly with standardization, costs are reduced because you have more providers, more vendors, more opportunity to purchase products … so prices become more competitive,” says Fernezian. Tapping into the ‘civilian CAC’ Booz Allen Hamilton had been having the discussion around PIV-I for some time, says Frank Smith, chief technology officer at the consulting firm. “But it wasn’t until NIST published a standard three-years ago that VeriSign started thinking about building capability around it,” he says. VeriSign is the contractor for the Booz Allen program. Two years ago the company started preparing for its issuance of PIV-I, what Smith calls, a “civilian Common Access Card.” The process wasn’t necessarily easy. “There are policy issues you have to work through and those will be living as the implementation passes,” he says. “It’s a fundamental change to how an organization deploys security.” Previously, Booz Allen had a corporate ID with proximity technology that was mainly used for physical access control, Smith says. For logical access and digital signatures employees used software certificates.

CertiPath CEO Jeff Nigriny uses a PIV-I card at a physical access point

Why PIV-I? The original scope of PIV-I was just for nonfederal issuers and contractors who need to communicate frequently with the federal government, says Anna Fernezian, identity management program manager at CSC. “Many organizations have daily requirements for acknowledging documents or acknowledging reporting structures that need to be signed and trusted by the federal government,” she says. The spec is meant for government contractors who will be working on a job for six months or less, says Gary Moore, chief archiSummer 2011

Smith adds, “as more physical access control systems roll out.” The physical access control piece of the system is still moving into place at Booz Allen facilities, Smith says. Because prox had been used previously and the new credentials haven’t been issued to everyone, employees must temporarily carry two IDs. The plan is to replace all the legacy prox readers and use contactless for all physical access control. The project overall has been well received from clients, employees and executives at the firm, Smith says. “By consolidating logical and physical access we now have a one stop shop,” he says. “Everything happens with one process.”

Sam Strickland, Booz Allen Hamilton’s Executive Vice President and Chief Financial Officer, goes through the security process to get his PIV-I card

In order to issue a PIV-I credential, the company had to collect fingerprint data from employees, something not all were comfortable with, Smith explains. There are also legal issues governing the collection of biometrics from employees at private companies. If they do not work directly with a federal client, Booz Allen gives employees the option of opting out of the biometric collection. The change in the physical appearance of the badge can cause problems too, Smith says. “Anytime you change the layout it requires work so the current employees know what the badge looks like,” he explains. “The time it takes to do that becomes fairly significant.” There has also been change in how the ID is issued. Employees must be physically present to enroll for the credential and then pick it up. The employee’s identity also must be confirmed with the one stored on the card before it is activated. This has added time to the process. It’s not always practical for the employee to wait for the card to be issued as it can take 15 to 30 minutes for printing and encoding. The time adds up when issuing credentials to 28,000 employees across the country.

Summer 2011

Booz Allen uses both fixed issuance stations and portable versions that go out to smaller offices, Smith says. The company is now onethird of the way through its issuance process. The credentials that have been issued are being used internally for logical access, Smith says. Booz Allen was the first contractor to be cross certified with the Federal PKI Policy Authority. Still before the IDs can be used at a government site, the agency must enroll it in its specific security system. Booz Allen’s customers are happy with the system, Smith says. “They don’t have to issue an ID card, they just have to recognize ours,” he says. “It keeps down their cost and is more efficient.” The company is working to have the credential recognized by all the federal agencies it works with, but it’s a piecemeal effort. The credential is cross certified with the Federal Bridge, which means it’s a recognized ID, but agencies decide whether or not to accept it. “Each single client has to make the decision to cross certify the credential,” Smith says. Booz Allen has had more luck having its credential accepted for logical access than physical access. “But I’m sure that will change,”

Smith still warns that the project is not for the faint of heart. “PIV-I is no trivial undertaking,” he says. “Make sure you know the time and effort that goes into deployment. But it’s a significant improvement in our ability to provide end-to-end identification.” First responders take to PIV-I PIV-I has also been touted as a standard for first responder credentials, and a few jurisdictions across the country have started to issue new IDs. Virginia, with it’s location close to the capital, was one of the first states to start issuing PIV-I, says W. Duane Stafford, statewide credentialing coordinator for the Commonwealth of Virginia. FEMA started the effort to push an interoperable credential to firefighters, paramedics, police and other first responders. The Sept. 11 attacks showed it was difficult to keep track of first responders reporting to a scene. A secure credential that stored the individual’s qualifications emerged as a tool to help solve the problem. The Virginia ID contains a verified identity, listing of the cardholder’s specific skill set and biometrics that comply with the PIV-I standard. “We wanted to deploy an interoperable credential that we could recognize and that others could as well,” says Stafford. At the close of 2010, nearly 13,000 credentials had been issued and 39 handheld scanners purchased for on-scene validation, Stafford

says. There are also eight enrollment and issuance stations hosted by local jurisdictions around the state. Verizon Business set up the system for the commonwealth. To keep costs in line, Virginia is only issuing the IDs to first responders who could be deployed across state lines, Stafford says. The state has also been working with private industry, phone, gas and electric companies, so they could possibly use a PIV-I credential as well when responding to scenes, Stafford says. Entrust sees an opportunity to provide PIV-I credentials to first responders across the country, says Entrust’s Moore. “Many states don’t have the ability to gear up the infrastructure to issue cards to first responders,” he says. The company announced a new service extending its Non-Federal Identity SSP service to include PIV-I compliance for state governments, the private sector and entities that wish to securely communicate and interoperate with the U.S. federal government.

Virginia law enables electronic notarization PIV, PIV-I cited as acceptable credentials

Health care is taking a hard look at PIV-I as well. The National Institute of Health is using PIV-I credentials for login to PubMed, Moore says. PubMed is made up of more than 20 million citations for biomedical literature from MEDLINE, life science journals and online books.

The Commonwealth of Virginia passed legislation that enables remote electronic notarization of documents. Virginia is the first state in the U.S. to pass such a law, says Tim Reiniger, who helped write the legislation and is director of the digital services group at FutureLaw, Richmond, Va.

CertiPath is also hearing from the health care market, says Steve Howard, vice president of credentials at CertiPath. The main interest has been from those working with regional health information networks for access to systems.

Traditionally, notarization of documents takes place in person with individuals in the same room. They show state or federal identification and conduct the transaction that is then notarized. The new law would enable such transactions to be conducted over a video and audio teleconference using high-assurance credentials, such as the PIV and PIV-I. The digital certificates on the credential would be used to sign the documents.

But CertiPath is also issuing PIV-I credentials in little thought of places, such as the janitorial staff at secure government facilities, Howard says. The U.S. Army Reserve is requiring that contractors have PIV-I credentials for access to facilities, and this includes vendors and janitors. Vendors can use the credential to electronically sign and deliver contracts and then those employees who are working at a site can use the ID for access to facilities, Howard says. Physical access may have been the main use case for PIV-I, but a stronger case for online identity may be in the works. With the National Strategy for Trusted Identities in Cyberspace released in April, some are making a case for PIV-I to be a credential standard. The strategy would offer consumers options in order to secure identities and conduct transactions online. There would be levels of assurance, identity proofing attribute sharing all included in a possible identity scheme. Exactly how this would be done and what technologies would be used have yet to be determined. But Howard says PIV-I will be a player in the market due to its stability, and by the time the strategy is finalized, the number of credentials that will already be in circulation. “It is the only standard that works,” Howard says. “For non-federal parties, the only game in town is PIV-I.”

With a large number of government contractors issuing PIV-I credentials and government workers living throughout the state, it seemed logical to include those two credentials in the law, Reiniger says. But legislators also wanted to ensure a bit of future proofing in line with the upcoming National Strategy for Trusted Identities in Cyberspace. Virginia wanted to be ahead of the curve enabling next generation transactions with the forthcoming policies from the national strategy, Reiniger says. The strategy calls for an identity ecosystem where a credential can be used for many purposes, such as logging in to a bank account or saving information on a government Web site. The law also requires that credentials be validated, whether the notarization is done in person or electronically, Reiniger says. New processes will have to be developed so that individuals presenting driver licenses or passports can have those documents authenticated in addition to the electronic verification of PIV credentials. Reiniger, who was executive director of the National Notary Association, says discussions are in place to set up these systems. Summer 2011

Revisions to bring key changes to FIPS 201 Additions include biometrics, mandatory keys but no new form factors The much-anticipated FIPS 201-2 draft was released in March. The team at the National Institute of Standards and Technology had been collecting comments on possible additions to the U.S. federal smart card standard since the first specification was released in 2005. The new draft focuses on clearing up some confusion from the first standard, enhancing functionality and security while not adding a tremendous amount of cost to comply with the new standard, says Bill MacGregor, a computer scientist with the Computer Security Division at the agency. “We tried to achieve new functionality with costs considered and without agencies having to buy more than they wanted to buy,” MacGregor says. “Some people say the draft is conservative but I think it’s appropriate for the current requirements and implementations. Disruptive change would not be good.” For the most part the draft has been well received. Some, however, have expressed disappointment that other form factors for the credential, such as mobile devices, and additional applications were not addressed. The 30

Summer 2011

Interagency Advisory Board plans to encourage NIST to enable other form factors in the revised specification. “HSPD-12 doesn’t specifically call for a card but rather leaves it open for other devices,” says Tim Baldridge, chair of the IAB and project manager for NASA’s Common Badging and Access Control System. Baldridge made the comments during the April IAB meeting stating that the group is going to submit comments recommending other form factors. When collecting comments NIST divided them into three categories. First were the comments that were in scope of the specification and NIST members knew how to address the question. The second category contained questions that were possibly in scope but the team didn’t know how to address the question. The last category contained concerns that didn’t make sense to the team and were out of scope. “The majority of comments were in the first category and were regarding efficiency and effectiveness,” MacGregor says. “Making the

card lifecycle more efficient and coherent, (there were) several changes in this category.” FIPS 201-2 proposes synchronizing the card, digital certificate and biometric lifetimes on the card, MacGregor says. The proposal would extend the card to six years from five and extended the certificates to three years and the biometric data to 12 years. The aim of these changes it to reduce the number of visits an employee would have to make to an issuer. Another change is to the biometric chain of trust, MacGregor says. If an employee’s credential is lost, stolen or damaged, in the past they would have to repeat the entire enrollment process, MacGregor says. The draft spec would enable the employee to be identified using the biometric stored on the system and issued a new ID. The same would be true if an employee transferred between federal agencies, MacGregor says. Instead of repeating the background check and issuance process the employee would be identified with the stored biometric and issued a credential.

What do the Cannes Film

Festival and the Paris Metro have in common? Evolis card printers: their choice for ID card personalization For the past 5 years, the Cannes International Film Festival has relied on the Evolis solutions to manage and deliver accreditation and security badges. Over the last 10 years, Evolis has also provided the Paris Metro transportation network with card printers to personalize on-site contactless transportation cards called Navigo. The largest organizations confidently choose Evolis to manage their advanced and secure identification needs. Simply because the Evolis solutions are innovative, user-friendly, reliable and cost-efficient. To learn more, call us today at 954.777.9262 or visit us www.evolis.com.

The biometric of choice is still fingerprint, but FIPS 201-2 does enable iris as an alternative biometric, MacGregor says. While the failure to enroll rate for fingerprint is low, 1% or less, it still exists and the number can add up when issuing credentials to more than 6 million employees. “We wanted to introduce another biometric modality that would give people a second chance if their fingerprints failed,” says MacGregor. NIST has been testing iris recognition for the past year and results are promising, he adds, explaining that “iris authentication can be used for a range of purposes and error rates are comparable to that of fingerprint recognition.”

For now iris is only being considered for use in enrollment and to verify a chain of trust. But MacGregor expects a discussion to take place when comments are collected on the draft around how the biometric could potentially be used more broadly. “We wanted to take all possible care to prevent disruption of current deployments (and) minimize the impact on existing issuance stations,” he says. Match on card is also proposed in the draft, MacGregor says. Instead of activating the card with a PIN the user could present a fingerprint or iris. The matching of the biometric would also take place on the card, leading to greater security because the biometric information would never leave the card.

The draft also enables match-on-card functionality to be used for other applications, such as physical and logical access control, MacGregor says. The changes in how biometrics would be used in the draft spec are encouraging, says Walter Hamilton, chairman of the board at the International Biometrics and Identification Association. Including biometrics in the chain of trust and enabling it for physical access control are good moves, he says. “It creates a framework for the use of biometrics for contactless access control without requiring entry of a six to eight digit PIN,” he says.

Top 10 proposed changes to FIPS 201 As presented by Hildegard Ferraiolo, a computer scientist at NIST, at the FIPS 201-2 Workshop in April at in Gaithersburg, Md. 1. The asymmetric Card Authentication Key is now mandatory • Used for single-factor authentication for physical access control to access federal buildings and facilities • Used over the card’s contactless interface • By making this Card Authentication Key mandatory, it can be interoperable throughout government • Better alternative than the Cardholder Unique Identifier, which can be sniffed and or copied and replayed

5. Option to support ISO/IEC 24727 standard is included • Added ISO/IEC 24727 based standards technology to improve reader resilience and flexibility. The standard offers a suite of authentication mechanisms for identification, authentication and signature applications with a smart card • Interest in ISO/IEC 24727 for the secure channel feature, for example to secure communication between the card-to-PC or PINpad-to-PC paths

2. An enrollment record, or chain of trust, is introduced • Maintained by issuer and contains the documentary evidence of identity proofing, background investigation and biometric data • Enables cardholder to reconnect to the record by matching against registered fingerprints when card is lost, stolen, or compromised • Eliminates complete re-enrollment • Eliminates recapturing biometrics • Eliminates repeating background check

6. Optional card orientation feature is added • To comply with Section 508 of the Rehabilitation Act that strives to make electronic and information technology accessible to people with disabilities • Improves usability of the card for visually challenged cardholder • The card now has orientation features to help align for insertion into a card reader

3. Iris recognition is supported • Includes iris as an optional authentication method • Includes iris biometric to re-connect to the enrollment record when fingerprints cannot be enrolled with issuer 4. Standards based technological advancements are added In 2005, some open standards were promising, but immature. Now, these standards are mature and thus incorporated in Draft FIPS 201-2 draft • Added optional On Card Biometric Comparison authentication • The cardholder’s fingerprint biometric representation is captured by the reader and transferred to the card, where it is matched against the cardholder’s stored biometrics • On Card Biometric Comparison also enabled as an optional card activation mechanism in addition to PIN–based card activation 32

Summer 2011

7. Maximum length of the printed name is increased • Eliminate name truncation, if possible, and the resulting irritation and inaccuracies that result 8. Online background investigation verification is added and oncard National Agency Check and Inquiries Investigation (NACI) Indicator is removed • Once there is a government-wide, online background check status service, the NACI Indicator can become optional, as advised by OMB 9. Remote post issuance update of the card, in cases where none of the printed information on its surface has changed, is allowed 10. I-9 Identity Source Document specifications are introduced • Define the permitted combinations of I-9 Identity Source documents in FIPS 201-2 to reduce confusion and mistakes

The first FIPS 201 spec has some ambiguity and prevented one type of card key from being used throughout the government. “You didn’t know what kind of card authentication key would be in the card,” adds Bill MacGregor, NIST. This hampered true interoperability but the draft standard remedies this issue with mandatory asymmetric card authentication key.

There’s some work that will have to be done to refine the biometric portions, Hamilton says. Revisions to NIST’s Special Publications 800-73 and 800-76 will have to be done to specifically define how the biometric will be used. “While FIPS 201-2 provides encouraging directions it’s not complete until those publications are updated.”

Application, device authentication

Key changes

This means a card won’t give up any data unless the reader or application is authenticated, which will present possible data skimming, MacGregor says.

FIPS 201-2 also aims to clear up some ambiguity with the public key infrastructure plans from the original standard, MacGregor says. The draft calls for a mandatory asymmetric card authentication key. This wasn’t in the first FIPS 201 standard, which called for an asymmetric, symmetric or both types of keys. It was, however, specified in NIST’s Special Publication 800-73. Since the first FIPS 201 spec has some ambiguity it prevented one type of key from being used throughout the government, MacGregor says. “You didn’t know what kind of card authentication key would be in the card,” he adds. This hampered true interoperability. The asymmetric key would be mandatory with the new draft. “Many people like the asymmetric key because the key management is simpler and less expensive,” MacGregor says.

FIPS 201-2 also wants to enable applications and devices to authenticate to the credential, MacGregor says. “Both ends present their identities,” he says. “The identity of the reader or the application is given to the cards and vice versa and a secure session is created.”

the draft. While there may be many questions on how to port a PIV to a mobile device now, these questions won’t exist in another five years. The specification could be outdated by the time it comes out if alternatives form factors aren’t addressed in some way. The IAB has come up with some ways that other form factors could be enabled, Baldridge says. The secure elements on the devices and software would need to meet specific FIPS 140 encryption standards. Adding applications

Device authentication lends itself to another request that has surfaced in recent years: support for other form factors, such as mobile devices. “This was in the second tier of questions, important but no simple answers,” MacGregor says. Supporting device authentication and encrypting secure sessions between the smart card and a mobile device puts us one step closer to enabling other form factors, MacGregor says. But there are questions to be answered before credentials could be completely moved to a mobile device. Issues surrounding the viability of a complete PKI solution on the device persist, and the security of mobile devices remains up for debate. Steve Howard, vice president of operations at CertiPath, suggests that not tackling alternative form factors was a glaring omission in

Also missing from FIPS 201-2 was the possibility of adding agency-specific applications to the PIV. The Defense Department has been considering transit and payment applications for the Common Access Card and many officials expected something to be added to the new spec related to other applications. MacGregor says that adding other applications can be difficult, and any new application would have to pass additional cryptographic standards testing and validation. While the work on FIPS 201-2 has been going on for some time it’s not going be over soon. Macgregor hopes to resolve the comments from others by the end of 2011, but that could be pushed back depending on the number and complexity of the comments received on the draft. Summer 2011

Trusted identity plan unleashed Now comes the hard part for NSTIC Zack Martin Editor, AVISIAN Publications When the National Strategy for Trusted Identities in Cyberspace was released in April some described it was “Woodstock for identity geeks.” Industry officials were excited to see the plan and hear what was announced, but there weren’t a lot of surprises. The goal of the strategy is to protect privacy, fight identity theft and fraud, drive economic growth by driving business online and create a platform for new Web services, said a White House administration official. User names and passwords are no longer good enough and potentially pose a national security risk. In order to secure online identities, something more is needed – be it a smart card, USB token, mobile device or something else.

senior executive advisor of ID management at NIST. There are also plans to fund pilots in fiscal year 2012 with $24.5 million earmarked for these tests in the Commerce Department budget. NIST will also be having a series of workshops across the country this summer to discuss the strategy. The first two will be held on the east coast with one on the west coast slated for late summer. Governance of the identity system will be a topic covered in the first meting scheduled for early June with future meetings addressing implementation, Grant says. “We can hear from folks in the private sector – not just industry but other stakeholders

“It’s a Soviet style planning document that won’t move the ball forward … (and) if it does, we’re at substantial risk of a poorly designed system.” — Jim Harper, Cato Institute

The government would work on setting standards and facilitating the process while the private sector takes the lead in deploying the credentials and systems used to read them. “Our goal is to have a credential that would work anywhere online. If consumers want to have more than one they can,” said a White House official. The Department of Commerce is leading work on the strategy, with the program office located with the National Institute of Standards and Technology, says Jeremy Grant,

Summer 2011

like privacy advocates, consumer advocates, nonprofits and get their views as to how as we move forward,” Grant says. “We’ll get feedback in terms of what’s out there today rather than have to try and start from scratch.” Trying to build on work that’s already been done is important, Grant says. “Companies have an incentive to be working around common standards and operating rules,” he says. “Industry is excited about NSTIC as a way to bring everybody together to solve some of these issues and frankly to provide some clarity where there isn’t any right now.”

In the past the private sector has been hesitant to offer solutions to the public around securing identities, but the strategy aims to change that, the administration official said. There have been concerns around liability for companies involved in identity, but the strategy intends to clarify these issues. There are no plans, however, to draft legislation around the strategy, Grant adds. “Anytime you’re counting on legislation to enable you to do something, you’re setting up a very big barrier,” Grant says. “Congress does not pass a lot of standalone legislation. A lot of this gets back to the governance structure that we were talking about, and we won’t really know until we really start to get stakeholders together collaborating.” Overall, reaction to the strategy has been positive. A common refrain regarding the document is its perfection. “It is a utopian document,” says Aaron Titus, chief privacy officer and vice president of business development at Identity Finder. “Hating NSTIC, in its current form, is like hating puppies and rainbows because it just about says anything that anyone would want. My concern is in the implementation, there’s a lot that can go wrong.” Titus has been following the strategy since it was first announced more than a year ago. Originally he had concerns regarding privacy, but the document soothed some of those concerns. Grant says making sure privacy concerns were met was a priority. “Privacy ideals like the Fair Information Practice principles are reflected in there,” he says. “One message that we’ve gotten is it really did strike the right balance which will enable us to help to bring people together from different sectors around a strategy that’s going to work best for the American people.”

Still policy is going to have to be developed around privacy concerns with the strategy, Titus says. For example, a 13-year-old wanting to logon to a site needs to authenticate his age. This is done now by providing a date of birth, which is too much private information. In an NSTIC world he would provide his credential and the identity provider would verify that he met the age requirement to access to the site. Not having to give up the additional information, such as date of birth, is privacy enhancing, but what has yet to be determined is what the identity provider can do with the information in its control. “The identity ecosystem does create some potential problems,” Titus says. “There’s a new central hub and unless done properly your ID provider knows your date of birth and potentially every other piece of information along with your transaction history.” There needs to be policies put in place to make sure that the ID providers can’t sell that information to third parties, Titus says. “While my retail privacy might be enhanced my wholesale privacy might disappear,” he adds. Consumers and privacy advocates need to have a voice as the policies and technologies that will make up the strategy are unveiled, Titus says. The identity providers will have a lot of consumer information and what happens with it needs to be regulated. “We should be prepared to regulate these businesses the same we do with credit reporting agencies,” he says. Titus is also watching how NIST’s role in facilitating the strategy will develop. The organization has a great reputation when it comes to creating standards while keeping out of the political discourse. This may have to change as many of the larger companies with possible roles in the identity ecosystem get ready to contribute. “They have the right team but when things start getting contentious and the bullet start flying I worry that NIST will retreat back to its

comfort zone and leave the policy creation to those with the most fire power, the Google’s and Facebook’s,” Titus adds. Is it a national ID? While NIST, other government officials, academics and private sector executives have said that the national strategy is optional and not a national ID program, some are not convinced. Jim Harper, director of information policy studies at the Cato Institute, says the government’s role in the strategy is too large. “What’s important to me is making sure that we avoid having a national ID system and the privacy and civil liberties consequences that flow from that,” says Harper, also author of Identity Crisis: How Identification is Overused and Misunderstood. “It’s a Soviet style planning document that won’t move the ball forward. If it does, we’re at substantial risk of a poorly designed system.”

As for solutions to solve the problem of online identity, some already exist. “Friends of mine in the identity community kind of wrinkle their noses when I say ‘look at Facebook Connect,’ (suggesting) that it’s a dumb simplistic solution,” Harper says. “Little experiments done by big companies or by small entrepreneurs are going to poke at this problem from various directions.” Harper warns that while a lot of time and money will be absorbed by the national strategy it’s more likely that the right identity solution will come from somewhere else. “The exciting things that may come in the identity debate will come from small entrepreneurs,” he adds. NIST’s Grant knows there are concerns that NSTIC is a national ID, but he says they are unfounded. He points out that the route the U.S. is taking is the opposite of what other countries have done where a specific technology was mandated. “The role the government

There needs to be policies put in place to make sure that the ID providers can’t sell that information to third parties. While my retail privacy might be enhanced my wholesale privacy might disappear. — Aaron Titus, Identity Finder

In his book Harper says the private sector should be left to come up with an online identity scheme if one is needed. Even though the national strategy calls for the private sector to implement the program, Harper is still critical. “One justification I’ve heard for NSTIC is that the companies haven’t gotten together to work on an interoperable system,” Harper says. “That doesn’t mean that there’s a government role in doing that, society might not be ready for it.”

does play with NSTIC is to facilitate and work with the private sector to come up with best practices,” Grant says. Still he does understand the concerns. “The devil is in the details and how it will be implemented,” he says. “I believe it can be done, and I wouldn’t have come back to government otherwise.”

Summer 2011

SAFE-BioPharma: An NSTIC model? SAFE-BioPharma was created to try and transition the health care world to an electronic environment. The organization, created by the biopharmaceutical industry, is using and issuing credentials to help ease what can be paper-intensive research projects. Mollie Shields-Uehling, president and CEO at SAFE-BioPharma, says that the organization fits with the ideas behind the national strategy. “We fit in as part of a growing network of cross-certified cyber communities,” she says. “We trust the identities of other communities because we have a set of standards.” SAFE-BioPharma has been cross-certified with the U.S. Federal PKI Policy Authority. Re-

searchers with the organization’s credentials can send signed documents to government officials. SAFE BIO-Pharma can certify for level three, a high level, of identity assurance.

cally guarantee the integrity of documents to which they are affixed. Prior to the study, the signature process was delayed by use of courier service, fax or travel.

SAFE-BioPharma conducted a 2010 pilot study that involved government and industry cancer researchers indicates that using interoperable digital identities, digital signatures and cloud computing to accelerate initiation of a clinical trial while lowering its costs.

The first phase of the program ran from July to October 2010 and showed the use of digital identities for authentication and the application of digital signatures to electronic documents

The ongoing study involves researchers at the National Cancer Institute’s Cancer Therapy Evaluation Program, a sponsor of cancer treatment clinical trials, and the pharmaceutical company Bristol-Myers Squibb. The National Cancer Institute’s researchers used PIV credentials issued by the government while industry participants were issued credentials through SAFE-BioPharma. In the pilot, electronic documents were placed in the cloud, where the researchers were able to access and sign them immediately. The digital signatures cryptographi-

Summer 2011

The second phase started early 2011 and expanded the study to include researchers in pharma company sanofi-aventis. The third phase is starting this summer and will include researchers at universities and academic cancer research centers. The new digital identities will be part of the Research Education Bridge Certification Authority, an identity trust hub serving the country’s higher education sector, which currently is in the process of cross-certifying with other trusted cyber-communities. The pilot has successfully demonstrated the ease with which interoperable digital identities could be deployed and used to access electronic documents and apply digital signatures. It successfully eliminated the use of paper copies and allowed signed documents to be exchanged rapidly and securely online.

Secure ID programs are complex. Choosing the right partner doesn’t have to be.

LaserCard’s customized secure credential solutions have been trusted for decades around the world. Find out why customers and partners look to LaserCard, now part of HID Global, for secure, counterfeitresistant credentials and solid ID solutions, implemented on time and on budget. ÊÊ Professional services and consulting to optimize Secure ID

program implementation and performance ÊÊ Innovative credential design and manufacturing services ÊÊ Advanced credential technologies incorporating leading

physical, visual and digital security ÊÊ ISO 9001 certified: secure credential manufacturing plants

in USA and Germany w w w. l a s e r c a r d . c o m

Can smart cards curb $370 billion in fraud? Politicians eye tech to reduce losses in Medicare, Medicaid With the budget battle underway, the case for a strong identity credential for Medicare may be too good for Congress to pass up. Smart cards could help the federal government to reduce Medicare fraud and abuse to the tune of $370 billion in the next 10-years, says Kelli Emerick, executive director of the Secure ID Coalition. More than ever before, Americans believe that the budget deficit is a major problem that must be addressed. This is also a consensus across party lines. A recent Gallup Poll found that 89% Republicans, 81% Democrats and 79% Independents believe it is an issue. Emerick laid out the case for the new credentials at the Smart Card Alliance Annual Conference in Chicago. She said that the U.S. Department of Justice estimated Medicare fraud at $60 billion annually. The federal government isn’t the only one looking at this issue, states are proposing legislation that would also require stronger identity credentials for access to Medicaid. With Medicare making up 23% of the federal government’s budget, only second to defense spending, there are differing opinions on how to keep costs in line. Rep. Paul Ryan (R-Wis.) wants to institute a voucher program that would move Medicare under the control of the states and potentially cut some services. President Obama, however, wants to put in place programs that eliminate waste, fraud and abuse. “When you look at the case for preserving benefits and cutting cost how do you do it?” Emerick asks. A smart card-based ID could be one way to keep services in place while reducing waste and fraud, Emerick says. The current Medicare system has no way to truly know whether someone actually received a procedure. “Nobody can confirm that a transaction happens in Medicare and this (leads to) false claims,” she says. In a smart card enabled system, Medicare applicants would go through identity verification and be issued a secure ID. When a service is performed the person would use the 38

Summer 2011

card to verify the transaction. The verification would be done at the point of care and would require a second authentication factor, such as a PIN or biometric. Health care providers would also have a smart card to verify the transaction on their end.

Whatever HHS does to add security to the Medicare card, Kirk wants to make sure the agency looks at what’s being done with credentials elsewhere in the federal government. States considering strong IDs for Medicaid

With 48 million Medicare beneficiaries and 1.65 million providers it would cost $1.9 billion, assuming $35 per person to deploy such a system, says Emerick. She estimates that $550 million would have to be budgeted annually for maintenance. Emerick believes a smart card system could cut fraud by 66%, for an annual return on investment of $37.7 billion. That equates to a $377 billion savings in 10 years. Existing programs as model for a Medicare ID During a U.S. Department of Health and Human Services (HHS) budget hearing in March, U.S. Sen. Mark Kirk (R-Ill.) questioned HHS Sec. Kathleen Sebelius about upgrading the Medicare ID card to help prevent fraud and waste. The HHS budget request includes a record $580 million for fraud prevention, Kirk said during the hearing. Specific strategies for its use are not clear. He suggested that one could be to offer seniors a new Medicare ID card with better security so the cards can’t be as easily counterfeited. Most Medicare cards don’t have any security features, just the patient information printed on the card, though a pilot in Indianapolis is issuing a card with a magnetic stripe. Kirk said this technology is “outdated” and can be cheaply and easily replicated. Kirk said HHS should look at the U.S. Defense Department’s Common Access Card as a model for a new Medicare ID. He says the DOD has spent an average of $8 to issue smart cards to soldiers and personnel. Instead of HHS paying for the new cards, Kirk suggests that they be offered to seniors who would then pay the $8 and receive extra identity theft prevention.

Where Medicare is a federally run program available to all seniors, Medicaid is a state run program for low-income recipients. As with the federal program, fraud is a serious problem for Medicaid. Thus, states are also looking at better technologies for Medicaid credentialing. New York State wants to establish the “Medicaid identification and anti-fraud biometric technology program.” Proposed legislation would require the Department of Health, in consultation with the office of the Medicaid Inspector General and the Office of the Attorney General, to implement a program requiring the use of biometric technology as a means of identification and fraud prevention. Georgia is also looking at piloting a program to reduce fraud in its Medicaid program, according to legislation passed by the State Senate. The bill would require Medicaid recipients to acquire an ID card that would contain the cardholder’s photo and other security features. Initial media reports suggest the card would include biometrics, but insiders have hinted that public concern may already be derailing the use of the biometric technology. Under the Georgia plan, Medicaid recipients would be issued a card that would store the individual’s data and be confirmed against a database. When the patient arrives for an appointment the card would be scanned to verify identity. As the states consider their own reforms, it seems clear that some form of federal legislation is a foregone conclusion. On both sides of the political aisle, Medicare fraud losses have reached an intolerable point. Perhaps identity technology will prove key to helping solve this national dilemma.

Become an

IEEE Certified Biometrics Professional

Why CBP? The IEEE Certified Biometrics Professional® (CBP) program has two major components: Certification and Training. Professionals and organizations both can benefit from the IEEE CBP program. Key advantages are: ■ Prove

your knowledge

■ Increase ■ Learn

your credibility

a baseline of industry knowledge

■ Train

employees

■ Gain

a competitive advantage

“The IEEE CBP program delivered on its promises. It strengthened some of the areas and aspects of biometrics that are less familiar to me and made me more well-rounded.”

Learn more and register today! www.IEEEBiometricsCertification.org

—Gregory Johnson, CBP, BRTRC

Health care providers seek convergence Efforts to secure network and building access nascent but growing As more health care providers begin the move to electronic medical records, efforts are underway to better secure the computers and networks that store the data.

be the victims of medical identity theft in 2011 at a cost of more than $20,000 per case.

The U.S. government’s Health Information Technology for Economic and Clinical Health (HITECH) Act and it’s $19 billion for providers has been the driver for many to move to electronic records.

While companies report that health care providers are securing networks, there are still gaps. The U.S. Department of Health and Human Services Inspector General issued a report stating that general IT security controls were lacking for electronic medical records systems.

The legislation also calls for health care organization to have “meaningful use” of the software in order to qualify for the grants. “The criteria requires health care data to be kept confidential, private and secure, accurate, shareable with patients as well as providers, mobile and exchangeable, and readily available,” states a Smart Card Alliance white paper that was released in February.

Another report that looked at how states were complying with HIPAA identified problems with how states were securing electronic personal health information. The audit of seven hospitals across the country identified 151 vulnerabilities in the systems and controls intended to protect personal health information, of which 124 were categorized as high impact.

Some type of identity management system is necessary to meet this requirement and control access to patient medical records. A Ponemon Institute report on medical ID theft released in March stated that 78% of those surveyed want health care providers to ensure the privacy of records. The same report stated that 1.49 million people will

“Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge,” the audit stated.

Summer 2011

There are a variety of technologies health care providers can deploy to secure networks. At Albert Einstein Healthcare System in Philadelphia and Seattle Children’s Hospital, smart cards and one-time passcode tokens are being used. Albert Einstein made the switch because it was separating from another health care system in Philadelphia, says Russ Johnson, network director of protective services. Since all employees would have to be rebadged the organization decided to migrate to a converged multi-technology credential from HID Global and integrated by Seimens. The health care provider had been using an antiquated Weigand swipe card for physical access control, Johnson says. Making the switch for the health care system’s 7,500 employees and 1,000 physicians at four hospitals, seven campuses and 50 offsite primary care physician and surgical center locations was a daunting task. They had to issue the new credentials and notify individuals of the change. “Because the employee’s were spread out it was a logistical challenge,” he says. HID’s Identity on Demand product was ideally suited for the task, Johnson says. The vast majority of employees already had photos in the human resources database so the health care network seperated the employee’s by location, had HID produce the card and then mail the credentials to those specific locations. Albert Einstein went with multi-technology cards, including iClass, prox and bar codes.

Eventually some of the bar code capabilities may move to the contactless interface, Johnson says. The credential is being used for single signon to the hospital’s networks. Employee’s simply tap the badge against a reader and are signed into the network. Johnson would like the facility’s medical equipment to be enabled by the credential too. Eventually he hopes to have employees logon to all different types of medical equipment, including medication carts, with the badge. “We want to see the ID as a gatekeeper,” he says. The most important take away for Johnson is communication. Health care providers undertaking a rebadging or a refresh of identification technology need to make sure to communicate with employees, set deadlines and stick to them. Seattle Children’s Hospital When employees use the computer network internally at Seattle Children’s Hospital they still login using user names and passwords, says We Wright, vice president and chief technology officer at the provider. But the provider was looking for something that employees could use to securely access the network from home or when traveling.

For physical access control, the health care provider went with a dual technology reader that handles both the older Weigand technology and the new iClass technology. They replaced 1,000 readers.

The hospital selected Gemalto’s Protiva .NET solution to leverage the “plug and play” capabilities of its existing Microsoft infrastructure. This included the ability to deploy three types of .NET devices provisioned and managed through Protiva Strong Authentication Server – the .NET USB key, the .NET Dual token and the Easy OTP token.

Bar codes were needed for the Kronos payroll system, Johnson says. Employee’s punch in and out using the bar code on the badge, so it was critical that this piece worked correctly from the start otherwise employees might not get paid. “We went though four or five pay cycles using different employees testing the bar code in the time and attendance system,” he says.

Some 2,700 keys have been deployed for employees who travel or need to access the network from home with plans to distribute a total of 4,500, Wright says. Seattle Children’s opted for the USB keys because they didn’t require dedicated card readers or additional software that would be required for smart cards. “If you’re using a hotel computer you can’t install any software,” he adds.

The bar code is also used to make purchases in the cafeteria and keep track of annual testing for flu shots and safety certifications.

Using the device, a user can access to a virtual desktop, Wright explains. The employee goes to the Web site, enters a user name and

password along with a six digit PIN from the token and then has access to the desktop as if they were in the hospital building. This includes electronic medical records, Microsoft Exchange and other patient applications. Wright considered having the tokens used as an additional form factor for internal security but it created too many workflow issues. Seattle Children’s took the step to better secure its virtual networks. But health care organizations are taking a tougher look at both physical and logical security, says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto. “Health care providers are looking at both logical and physical access to meet regulatory requirements, i.e., HIPAA, but there is a struggle between recommendation and implementation,” he says. “A converged solution offers the best economies of scale by centralizing all authentication needs into one credential. Hospitals in particular can benefit from this type of solution, but have faced the challenge of user adoption.” Government regulations may eventually force health care providers to add security, Wizbowski says. For example, A U.S. Department of Health and Human Services committee recommends that at least twofactor authentication be required for those exchanging information using the Nationwide Health Information Network standards. Health care providers that are looking for increased security seem to be taking one of two routes, Wizbowski explains. They are either going the route Seattle Children’s selected or they are going for a standard’s based approach. “For providers who are looking to tie into broader national initiatives like the First Responder Access Credential, the choice is to go with an open platform identity based on the PIV-I standard,” he says. PIV-I is a U.S. federal standard for identity documents for non-government employees. Using PIV-I would give health care providers more options. “The value of this technology will be fully realized as the ecosystem becomes more developed and the interoperability of the identity can be used in multiple domains with multiple applications,” Wizbowski adds. Summer 2011

Web services look to revolutionize biometrics New protocols could cut cord to biometric readers, end need for software drivers Jill Jaracz Contributing Editor, AVISIAN Publications The National Institute of Standards of Technology (NIST) is working to establish protocols to ease implementation and increase interoperability for biometric devices. A team within NIST sees Web services as the key to extending biometrics across platforms, solutions and devices. The Biometric Web Services (BWS) project, a five-person team within NIST’s Information Technology Laboratory Image Group, is creating specifications for biometric devices to use Web services for interoperability. Ross J. Micheals, NIST’s supervisory computer scientist and leader of this project, explains that in the current climate, sensors and matchers need to be built from the ground up. As new technology comes on the mar42

Summer 2011

ket, the devices may not necessarily be able to interact with a user’s current system. In a nutshell, Biometric Web Services is aiming to make it easier to bring biometric capabilities to more devices than ever before – devices that would otherwise require an investment in a specific combination of hardware and software. Currently biometric devices require dedicated software to interact with other electronic devices (e.g. computers, handhelds, mobiles). When either device changes, the wheel must essentially be recreated – or at least the software that drives it. “If devices can understand the Web inherently and the device changes,” explains Micheals, “you don’t have to rely on the software that hinders interoperability.”

About five years ago, NIST decided to create specifications to determine if biometric devices were viable over Web protocols. The Biometric Web Services project was formed. The group is focused on the creation of two basic protocols that would eliminate the need for biometric devices to have dedicated connections and dedicated device drivers, says Micheals. If successful, users would be able to control any device from anywhere. In terms of physical connectivity, the use of Web services will eliminate the need for a USB or IEEE 1394 connection and device drivers. Instead, the connection can be made via Ethernet or Wi-Fi. Additionally, a system won’t need to rely on device-specific, softwarebased drivers.

Web services also change logical connectivity in that devices could be shared from an Internet-enabled device, such as a tablet or handset, and it won’t matter whether or not the device operates on the same platform. “There is no reason why devices shouldn’t inherently understand Web protocols. It’s very tractable to have this technology in a small handheld form,” Micheals says. With the Biometric Web Services protocols, mobile devices can be programmed to talk to the Web and no longer need data storage capabilities. “What we’re really trying to do is to describe an outlet, cut the cord on the biometric sensor, and define a clear boundary between components of the system.” The team’s first major release was a working demonstration of the project, which it presented at the Biometric Consortium Conference in September 2010. Since then, Biometric Web Services has worked with the OASIS standards body on an implementation of the OASIS Biometric Identity Assurance Services (BIAS) specification. OASIS’ BIAS Integration Technical Committee is determining a standard way to access remotely invoked biometric services via a services-oriented framework. This effort has resulted in the team’s January 2011 release of a simple implementation of the BIAS spec in which a client and server use arbitrary binary data to show BIAS’ various functions. In February OASIS released a draft of this specification and is accepting comments and suggestions from the public to aid in its revision.

Web site,” Micheals says. “How you secure, encrypt data, and how it travels through the system are important questions you have to think about when designing solutions.” One of the project’s sponsors is the Department of Homeland Security, who can use Biometric Web Services with its systems, particularly as these systems and components age. Operating within a closed system, Biometric Web Services can work with a mixture of new and old technology that still has the capability to interact because all the components are designed with the same protocol. NIST hopes these standards will help drive technology and stimulate the market. “When [devices] all talk the same language, markets open up,” Micheals says. When the protocols are established, customers will be able to purchase products that work with any existing Web protocol system, and developers will be able to add their own value to the devices. “There’s a potential market for biometric access control devices that are more interchangeable. Certainly as a consumer, that makes it more attractive,” Micheals says. Micheals says that NIST is reaching out to the public for feedback and input. “Our mission is to do the best thing technically, but we know a lot of excellent technology work is done in the private sector, so that’s where we’re trying to get help,” Micheals says. The Biometric Web Services team is fostering relations with experts in industry, academia and government to get input on the protocols. It maintains a listserv for announcements about projects and discussion from individuals.

Challenges to protocol creation In developing the protocols, the team has run into some challenges. One hurdle has been developing multi-user capabilities. Because biometric sensors are currently built as single-user devices, they will have to be built with concurrent access capabilities in order to incorporate the multiuser functionality of Web services. The team is also trying to answer questions around live previewing capabilities and multilayered security. “Local door access has different requirements versus logging onto a

The team is being careful to create flexible protocols that can be extended and won’t render future technology or modalities incompatible. “We don’t know what might be needed to add to the list later. [They should be] not so strict that you couldn’t extend them,” Micheals says. Work on these two protocols will continue through the majority of 2011. BWS intends to have a final draft of the specifications written by the end of NIST’s fiscal year, which is in October.

Web services defined Web Services: The Internet standards body W3C defines Web services as “a software system designed to support interoperable machine-to-machine interaction over a network.” It uses a machine-processable format such as WSDL and standardized SOAP message formats, HTTP and XML. Web services can implement a Service-oriented architecture (SOA), which is a flexible way to design an ecosystem of interoperable services that work with multiple systems across various domains. WSDL: Web Services Description Language, an XML-based language used in combination with SOAP to enabled clients programs to find and connect to Web services over the Internet. SOAP: The Simple Object Access Protocol was designed in 1998 a specific way to exchange structured information used by Web Services. Messages are exchanged in XML using application-layer protocols such as HTTP or RPC (Remote Procedure Call). HTTP: Hypertext Transfer Protocol, developed since 1991, is a networking program for distributed information systems and forms the basis for communicating over the Web. HTTP/1.1, defined in RFC 2616, defines nine verbs (methods) for manipulating remote resources. XML: Extensible Markup Language, an open standard for encoding documents in machine-readable form, was published in 1996 with the goals of simplicity and ease of use over the Internet. Since then, most modern APIs and file formats have been developed on top of XML-based formats, such as RSS, Atom, SOAP, XHTML, and various office document formats. REST: Representational State Transfer, introduced in 2000 is an “architectural style”, simpler than SOAP, which defines the interactions between clients and servers (requests and responses) and the data they exchange (resources and representations). It typically a subset of the HTTP verbs (POST, GET, PUT, and DELETE) to implement create, read, update, and delete operations on remotely accessible resources. Summer 2011

Secure browsers pave the way to secure ID? Devices, credentials can help protect online transactions

and energy strengthening their physical infrastructure, such as their branches. Yet online banking customers have remained vulnerable. The average customer uses his computer for a number of different things outside of online banking, such as Facebook, email, online shopping and other areas that create opportunities for breaches. “The frustrating part about this is that an attack is on the banking customer’s computer, so it’s not an attack on the bank itself,” says Kevin Bocek, director of product marketing for IronKey, an online banking security firm based in Sunnyvale, Calif.

The old way of robbing a bank meant busting into a branch, brandishing a weapon and ordering a teller to hand over all the money. Next-gen criminals accomplish their stealing from the comfort of their own homes. Their weapon of choice is malware, and the scene of the crime is often a bank’s website. Although they may have abandoned some of the more violent tactics, today’s thieves are more dangerous when it comes to emptying money out of bank accounts.

For example, a customer may log in to what they believe is their banking site, when in reality their computer has been attacked and they are using a false site that looks identical to the one their bank runs. They perform payment transactions they believe are real, when malware is actually manipulating the transaction. “And now they’re executing code that’s been inserted by this criminal malware, which then proceeds to steal money,” Bocek says.

“The bad guys used to be in it for fame and agenda,” says Sam Curry, chief technologist for Bedford, Mass.-based RSA, the security division of data storage firm EMC Corp. “But the vast majority now are financially motivated. It’s not just about how to make money; it’s about how to make more money.”

In terms of how identity can be matched to secure browsing, observers point to a few areas where these two worlds could coincide. Not only does the user need to authenticate to the system, the system should authenticate itself to the user. “We see the two as ultimately being very related,” Bocek says.

Enter the arena of secure web browsing, a tactic more security firms are deploying to protect commercial banks from online thieves, specifically those who target business bank accounts. It also has the potential to make inroads in securing identity, industry experts say.

Secure browsing could also come into play in countries that are fostering e-government systems, where there is more digital interaction between the government and citizens. Such is the case in Brazil, which employs an electronic voting system.

The most common secure browsing solutions are those that produce a hardened version of the browser, usually stored in a portable USB device or a smart card that users can plug into a PC. The browser that is stored and secured on the device or credential is used to access the bank’s secure Web site and protect the user from viruses and malware. The USB devices typically use smart card microprocessors to secure the sessions.

In the United States, secure browsing could be used by organizations such as the U.S. Census, which must build up and tear down environments full of data on identities, Curry says.

Through secure browsing, banks are focusing more of their security on their online presence. Traditionally, banks have spent a lot of time

In the private sector, companies are shifting more to the cloud, which creates a greater need for secure browsing, Curry says.

Summer 2011

Secure browsing could also be used for food stamp distribution on the municipal level and, on the federal level, building a better national structure for security and identification, he says.

IronKey employs two-factor authentication on its secure browsing product, IronKey Trusted Access for Banking, when users log on. “Certainly in the future, we see authentication becoming more and more important,” Bocek says. Staging counterattacks Last July, when the malware problem was becoming more acute, IronKey began offering IronKey Trusted Access for Banking, to enable commercial banks to protect their users and transactions. With the product, users connect their IronKey portable USB security device to automatically launch a secure, virtualized browsing environment. The Trusted Access Browser starts at the bank’s home page and allows users to navigate only to bank-authorized sites. “You really are running another computer inside your computer,” Bocek says. “We run that virtual machine from a read-only part of the USB device. You can’t override it, so malware can’t get into it,” Bocek says. IronKey takes all the browsing traffic for users and channels it through a separate encrypted tunnel that’s connected to the bank’s website to lock out man-in-the-middle attacks. Advanced encrypted keyboard input protects users from keyloggers, who track and log an individual’s keystrokes. This is how usernames, passwords and other authentication credentials can get stolen. In developing Trusted Access, IronKey has taken cues from federal regulators and industry experts that have issued guidance on how banks can help customers to protect themselves from browser attacks, Bocek says.

IronKey has also thrown its support behind the Federal Financial Institutions Examination Council’s development of new guidelines containing expectations for banks to strengthen their security controls. One of those mechanisms is the USB device, which separates users and their banking system from the computer. Since launching Trusted Access, IronKey has acquired more than a dozen customers in the United States and Europe. IronKey markets the product to banks, which then offer it to customers, often bundling it into existing services. RSA does not have any secure browsing products on the market yet but has been researching the service in recent years. RSA is in the advanced development stage and anticipates bringing secure browsing products to market. “It’s our objective to (provide) thought leadership and prod the industry,” Curry says. “Companies are coming to us consistently for guidance on how they can secure these (services).” Following a cyber attack in March targeting RSA’s two-factor authentication system, SecurID, RSA said they do not anticipate that the attack will affect its other products. The attack sent shock waves throughout the industry and has highlighted the need for secure browsing as a way to secure individual account holders, and not just the bank itself, Bocek says. “Banks are seeing it’s not just about the layers they have on their infrastructure,” Bocek says. “They also need to be protecting their clients on their (personal) computers. This attack is only going to accelerate that understanding.” Malware on the market

In 2009, the FBI and the Electronic Payments Association – formerly the National Automated Clearinghouse Association, or NACHA – recommended that banking customers should use a separate, dedicated computer for online banking that contains all of the latest updates and anti-malware software. Authorities also said the computer should support the latest in two-factor authentication. “Of course, for each banking customer to have a computer only for online banking is pretty difficult,” Bocek says.

In what has become a billion-dollar global underground economy, criminals have set up portals to share experiences and market wares and services. Attackers can now buy commercial malware, costing anywhere from a few hundred dollars to in excess of $10,000, from online markets. “These attacks are very easy to marshal,” Bocek says.

“You really are running another computer inside your computer. We run that virtual machine from a read-only part of the USB device. You can’t override it, so malware can’t get into it.” — Kevin Bocek, IronKey

The criminals fall into a few different categories. There are those who create the malicious code, those who sell it and those who recruit individuals to act as money mules receiving and transferring the stolen money – often without knowing it, Bocek says. Much of the crime originates out of Eastern Europe. This problem has become far too real for many individuals. “In the morning (a banking customer) will have a certain bank balance and in the afternoon find that hundreds of thousands of dollars have been stolen,” Bocek says. Business banking in particular is affected because of the larger transactions made. The real criminals directing the scheme are much harder for authorities to track because they rely on mules to transfer the money. Often the mules are unknowingly recruited into the criminal enterprise through what appear to be legitimate businesses, such as work-athome offers. “Criminals will set up what look like very real companies with real training programs, and what appears to be real task management, in that you as an employee now have certain tasks to carry out during the day,” Bocek says. “It gives you the feeling that this is a real-life business,” Bocek says. “Unfortunately, what happens after a certain time is that law enforcement does come.” The software that now attacks online banking users is rapidly changing, Bocek says. “It is in almost every case undetectable by traditional virus software because of the way it’s constructed. When they create a new attack, the fingerprint of the software changes,” Bocek says. “So traditional antivirus software can’t keep up with thousands of different attacks.”

Summer 2011

ID lifecycle 101: Understanding issuance models Part two in a series on credential issuance and management Autumn Cafiero Giusti Contributing Editor, AVISIAN Publications As the Real ID Act continues to make headlines, more attention is focusing on the second stage in the identity process – issuance. The 2005 act would tighten standards governing the process for issuing credentials – specifically driver licenses and state-issued IDs – used for federal purposes. As a result, many states could migrate the issuance of these IDs toward a centralized, or off-site, model. That means an individual applying for an ID wouldn’t walk away with his credential the same day he applies for it. In March, the U.S. Department of Homeland Security extended the deadline for states to comply with the act until Jan. 15, 2013.

Summer 2011

Although the move toward a more centralized model has garnered criticism, experts say there are pros and cons to both on-site (decentralized) and off-site (centralized), the two primary models for issuing credentials. Deciding which model to use comes down to the issuing agency’s security needs and customer service preferences. “If it’s an instant process, the chances go up that you’re going to give a license to someone you might not want to give a license to,” says Geoff Slagle, director of Identification Standards for the American Association of Motor Vehicle Administrators, headquartered in Arlington, Va. “If you had more time, the

chances are better – not perfect, but better – that you might catch (on) before you give a license to someone who shouldn’t have one.” On-site versus oﬀ-site In the on-site model, credentials are issued over the counter the same day an individual enrolls. This is the case with most driver license bureaus, corporate environments and campuses. “You prove who you are with some sort of ID document; they take your information and assume you pass your driver’s test, and you get your credential printed right there at the

counter,” explains Steve Purdy, business development director for government affairs with digital security firm Gemalto. The company personalizes about 1.3 billion identity documents and devices a year at its 30 worldwide personalization centers as well as via over-the-counter issuance. In the off-site model, an individual enrolls by providing any required information, such as proof of identity, biometrics and other documentation. The agency providing the credential then reviews that information and runs any background or criminal history checks to make sure the individual’s identity is sound. The printing and issuance of those credentials is conducted off-site at one or more centralized facilities, and the credential is mailed to the individual or sent to a location where it can be claimed. Complying with Real ID could require more agencies to adopt the off-site issuance model. Some supporters of off-site issuance argue that certain issuance programs create more opportunities for fraud by giving a single person the power to both enroll and issue a credential, Purdy says. Because a driver license is

a breeder document for other forms of identity, the federal government has expressed concern about how licenses are issued. Pros and cons of issuance models Customer service is one of the main reasons why people go with over-the-counter, on-site issuance, Purdy says. “If people have to take time out of their day and go to a center to enroll, it becomes somewhat painful to require them to come back again,” he says. When a credential is issued over the counter, the cardholder can look at the ID and be able to tell immediately whether all of the information is accurate, so the card could be reissued right away. But with a central issuance model, the cardholder isn’t present, so there has to be a strong process in place to ensure the accuracy of that information. “The central issuance facility can only print what’s given to them,” Purdy says. “There will be a quality check for the accuracy of what (information) they’ve received, but not a quality check with the cardholder in front of them.”

Digital technology has enabled even faster creation of a card on the spot. “It can be handy for the consumer, but you don’t necessarily have enough time to vet an individual who comes to you,” Slagle says. Another disadvantage of off-site issuance is that the credential is often mailed to the issuing agency instead of the individual’s home or office, meaning the person has to yet again prove their identity to claim their card. Then there’s the need to factor in shipping and postage costs to the cardholder or to the agency. And, because of the time lag between enrollment and receipt of the credential, a temporary document may need to be issued. In addition to vetting time, experts cite a number of other advantages to off-site issuance. It can give an organization more control over document security features. A facility that produces cards in bulk may have more resources and, thus, the ability to provide more advanced security options for credentials. Security features such as laser engraving and high-end holography are more readily

Issuance at a glance The GSA follows four steps when issuing a document: 1. Someone from the issuing agency sponsors the individual. That individual then receives an email from the system saying they’ve been sponsored. The email contains a link for the individual to schedule an appointment at one of GSA’s enrollment sites. 2. During the scheduled appointment at the enrollment site, the individual’s enrollment documents are verified and his fingerprints and biometric information captured. 3. The agency adjudicates the individual by performing a national criminal history check. GSA then issues a request to print the credential. 4. The credential is printed and shipped to the location specified by the individual’s sponsor. The individual is notified and asked to make an appointment to activate and pick up the credential. At that time, GSA electronically personalizes the credential and loads the certificate, fingerprints and biometrics to the card’s chip.

Summer 2011

available at centralized facilities than via smaller-scale desktop printing environments. By opting for off-site issuance, agencies also don’t have to worry about replacing consumables such as printer ribbons, or calling in a technician to repair a broken printer. “It’s more overhead to manage that program than it is to outsource it. And you potentially have fewer personnel,” Purdy says.

process swift and user-friendly through over-the-counter methods. But the trade-off was less time and ability to check the individual’s background. “We can’t turn this around. We literally are now left with this thing that an overwhelming majority of people use for ID purposes. So how do we fix it?” Slagle asks.

Licensing changes ahead

Moving toward off-site issuance is one solution, but a program has been put in place to explore other options.

One of the fundamental issues the ID world faces is that a driver license is an identification document, not just a license to drive a car, Slagle says. In the past, states have been able to make the issuance

The Driver License/Identity Verification Systems (DIVS) program was formed to organize, implement and coordinate a system to verify information provided by applicants for driver licenses and identification

Exploring the GSA’s centralized PIV-issuance process In carrying out its task to issue compliant credentials to the federal work force, the General Services Administration relies on off-site printing to allow for more security checks and features. When President Bush signed HSPD-12 in 2004, mandating a federal standard for secure identification, the Office of Management and Budget asked the agency to come up with a uniform service so that the numerous agencies employing GSA credentials wouldn’t have to come up with their own model for issuing cards, says Steve Duncan with the GSA’s managed service office. GSA has 90 customers that are federal agencies, and many are small boards and commissions that would be unable to issue their own cards. “We made a business decision that off-site was the best way to go at the time this first started,” he says. GSA opted for off-site issuance for a number of reasons, with cost being one of them. Onsite printing can be expensive, says Duncan. It requires high levels of maintenance and can burn through a great deal of printer equipment.

Summer 2011

GSA issues cards using a number of different card stocks as source material. Decentralized issuance would require inventorying these card stocks at many different locations. “That becomes a huge problem in the security of the cards,” Duncan says.

been working to improve its delivery mechanism and reduce the time from when the cards are initiated until they reach the end user. That time varies, but for people in remote locations, it can take up to two weeks to get a credential.

By opting for a shared issuance program across multiple agencies, GSA made it so that a person could go into any GSA building and get enrolled for their credential. GSA has 360 enrollment locations nationwide where people can submit their fingerprints and have their photo taken. Credentials are issued at a single off-site facility in Washington, D.C., and shipped across the country. GSA contracts with HP Enterprise Services to issue its credentials.

“Now that more agencies are on the usage side of the credential, that’s just not acceptable,” Duncan says, adding that the earliest delivery time can be overnight. “If you’re using your credential to log on to your computer at work and it breaks, and it takes two weeks to get a new one, that creates a productivity problem.”

When GSA first developed the business case for this service, it had about 40 agencies as clients and anticipated issuing 400,000 credentials to this base. The agency now has more than 90 agencies, commissions and boards, and expects to issue between 750,000 and 800,000 to the group.

In the meantime, GSA has developed two solutions to more rapidly get credentials to more remote users. Light activation setup enables the individual to activate his or her credential from a more convenient location, possibly even their desktop. A new mobile issuance solution features a roll-around suitcase that agency representatives can take into the field, hook up to the Internet and enroll people, Duncan explains.

Still, GSA’s off-site issuance system comes with its challenges, Duncan says. GSA has

GSA is negotiating with HP on ways to improve the issue, Duncan says.

cards. Mississippi is the lead state for planning and implementing the initial stage of the program. Florida, Indiana, Kentucky and Nevada also participate in the joint effort between the states, DHS and AAMVA. DIVS encompasses several electronic verification systems that can be used by state driver licensing agencies to verify documentation provided by driver license applicants as a form of identification, says Maj. Jason Jennings, director of the Driver Services Bureau of the Mississippi Department of Public Safety. The scope of DIVS includes verification of: • U.S.-issued birth certificates; • U.S.-issued Passports; • U.S.-issued immigration papers; and • Social Security information. DIVS also has oversight of a yet-to-be-developed system states can use to make sure that a driver license applicant does not hold multiple licenses across the country. Because of the reliance on a number of outside entities to provide these verification services, many states are looking at moving from over-the-counter issuance to central issuance, Jennings explains. “By making this change, states will have the time they need to examine the results of the various electronic checks before issuing a license without being overly concerned about the impact that system downtime has on customer service,” he says. The program is also charged with determining ways to address the budgetary challenges states could face in complying with Real ID. The estimate from the AAMVA and the National Conference of State Legislators is that it would cost states $4 billion collectively to comply, down from the initial estimate of $11 billion, Slagle says.

Whereas anyone can go out and buy a desktop printer to make a fake document, not anyone can duplicate laser engraving features or holograms on a card, he says. Obtaining equipment to perform these tasks would be cost prohibitive for most people.

Despite the security advances, the actual process for central issuance will likely remain much the same, Purdy says. “Visibility, traceability and security features are just going to get more advanced,” he says.

Technology for every one Contact Contactless Dual Interface EMV Sticker MicroSD GPR Retail Over the Air

At CPI we provide support globally for all Smart Card, Prepaid and Mobile technology solutions.

As the centralized issuance model gains prominence, experts predict more systems coming in place to support it. A large part of that will be more emphasis on security features. “I think the way the market is going now, you’ll continue to see vendors differentiate themselves by offering more and more distinct security features,” Purdy says.

Learn more at our website: www.cpicardgroup.com Summer 2011

Mythbusters Can a mobile phone erase a hotel key card? It’s a warning any seasoned traveler has probably heard: Don’t carry your hotel key card in the same pocket as your cell phone or the card could get erased. Some travelers cautiously heed the advice, while others write it off as urban legend. Even among card industry professionals, there are varying opinions on whether cell phones can actually erase or damage data from magnetic stripe cards. There is agreement, however, that there are other variables that will damage these cards. CPI Card Group, a card manufacturer based in Littleton, Colo., believes it has evidence of the cell phone-mag stripe correlation. CPI manufacturers a mix of magnetic stripe cards, including payment cards as well as gift cards, hotel key cards and casino gaming cards. “A lot of the cards people tend to use in harsh way,” explains Julie Hermanson, quality control manager for CPI.

Summer 2011

Cardholders typically protect their credit cards in an enclosed place such as a wallet, but hotel key cards are often carried in a person’s pocket next to their cell phone. “The mag stripe is often exposed to magnetic fields that can cause the encoding to degrade or erase,” Hermanson says. In 2009, CPI conducted internal studies in which card users carried mag stripe movie theater cards in their pockets with a cell phone that had no magnetized case around it. After the cards were carried with the cell phone for about three hours, testers started to see the encoding on the stripes being disturbed. When the problem is truly with the magnetic stripe, outside interference is most often the cause. “The number one issue was cards being demagnetized by being carried next to a cell phone or set on a TV in a hotel room,” Hermanson says. “Anything with an electro-

magnetic field transmitting from it can cause a mag stripe to demagnetize.” Often, however, the problem is not really with the mag stripe material. Frequently when problems are reported, it turns out that the encoding equipment needed to be cleaned or maintained, or there were lock malfunctions at the hotel, Hermanson says. Another industry veteran, however, isn’t buying it. Shane Cunningham, marketing and communications manager for card printer manufacturer Digital Identification Solutions, believes the idea of a cell phone erasing a magnetic stripe card is bogus. “I have been in this industry for 16 or 17 years, and I have yet to find an instance of a card accidentally becoming demagnetized by a source other than an actual encoder or an outright magnet,” he says.

Cunningham expressed doubts even after seeing the CPI study, pointing out that the test utilized cards at the bottom of the coercivity spectrum, meaning the cards most easily erased or damaged. Cunningham travels about 12 weeks of the year for work and frequently comes into contact with hotel key cards. In his own travel experience, he has seen hotels propagate the cell phone-key card theory. After receiving two room cards and checking both to make sure they worked, he put one in his wallet next to his credit card. He left the other in a shielded sleeve in his room. The next night, the key in his wallet still worked. On his third night, which was an

extended stay, neither card would open his door. “The first words out of the mouth of the person at the desk were, ‘Did you have it in your wallet with your cell phone?’” “I can almost guarantee you that when I booked my room, they didn’t book my third night. So when I went up that night, the key cards didn’t work,” he says. “But the first thing that came to (the attendant’s) mind was that I must have somehow erased them.” Mag stripe enemies Cell phone debate aside, industry experts point to a number of other reasons why magstripe cards fail. The more likely culprit in the mag stripe card mystery is the quality and age of the card itself or the equipment used

to encode and read the card, Cunningham explains. “My personal opinion is that these cards used by hotels aren’t designed to be coded and re-encoded multiple times,” he says. That means that if hotels program and deprogram cards to open a different room every few nights, eventually the cards’ mag stripes are simply going to wear out. Hotels typically use low-cost encoders, Cunningham says, so the data can become garbled. Unlike credit card companies, hotels tend to order cheaper, lower quality cards to keep their costs down. Mag stripes vary in coercivity, the measure of how difficult it is to encode and thus erase in-

Mag stripes put to the test In 2009, CPI Card Group conducted a series of durability tests on sample theater cards with low-coercivity magnetic stripes of 300 Oersteds. The issued cards were returned with evidence of what appeared to be partial erasure. The cards were issued to theater patrons. They used the card at the concession stand at least once but found it was unreadable when they tried to use it again later.

Scenario

Result

Carried in a Blackberry holster for 15 minutes.

No disturbance of encoded mag stripe tracks.

Carried in a Blackberry holster for 30 minutes.

Disturbance was visible on the right edge of encoded tracks, similar to field failures.

Carried in a Blackberry holster for 45 minutes.

Some possible degradation of one of the mag stripe’s three tracks, but only minor disturbance of encoded tracks; card still read back.

Carried in a Blackberry holster for 1 hour.

No disturbance of encoded tracks.

Randomly rubbed a kitchen magnet across encoded tracks.

Disturbance of encoded tracks that followed the pattern of the rub; not similar to field failure.

Control card encoded, not exposed to magnetic field.

No disturbance of encoded tracks.

Placed a high-strength magnetic badge holder on top of card.

Disturbance across encoded tracks, similar to field failures – significant bar pattern noticeable. Testers suspect this was due to the higher strength magnet.

Attached the card to a magnetic white board with a common kitchen magnet.

Data was wiped out in the area of the magnet.

Carried in a Blackberry holster overnight.

Disturbance across encoded tracks, similar to field failures.

Affixed a common kitchen magnet to front and back of the card.

Data wiped out in area of the magnet.

Source: CPI Card Group

Summer 2011

formation from the magnetic stripe. Coercivity of about 300 Oersteds (Oe) is considered to be low coercivity (LocCo) and is primarily used for short-term use cards and those where data may be changed, such as hotel key cards. Most credit cards use magnetic stripes with at least 2,750 Oe that are considered high coercivity (HiCo). Low coercivity cards are fairly easy to encode, but they also tend to be more susceptible to accidental erasure and damage, Hermanson says. They are also less expensive. “Hotel cards are a commodity-driven product, so price is very important. LoCo mag stripes are cheaper than HiCo, so it’s difficult to make that switch,” Hermanson says. But even HiCo cards can erase if exposed to strong enough magnets. Also, if mag stripes are scratched across the surface of the stripe, they can cause swipe readers to skip, she says. Myth two: credit cards demagnetizing hotel key cards When Cunningham’s key cards ceased to work and he told the hotel attendant that he did not have the card next to his cell phone, the attendant asked whether he had the card in his wallet next to his credit cards. This highlights another common question relating to magnetic stripe damage. Can a HiCo card, such as a credit card, demagnetize a LoCo hotel key card? Both Cunningham and Hermanson say no. Despite what you may hear in the hotel lobby, it is not unsafe to store two cards with their mag stripes facing each other. “I have not been able to reproduce actual degradation of the encoding by having the cards together,” Hermanson says. Carrying a key card next to other credit cards could damage the mag stripe but only because the raised numbers on the credit card could scratch against and damage the key card’s stripe, Cunningham says. The mag stripe’s future As smart cards gain prominence in the market, the debate over whether cell phones affect mag stripe cards could become moot. “I’m pretty sure in the next five years, you won’t see mag stripe cards anymore,” Cunningham says. In Digital Identification Solutions’ European offices, he explains, magnetic stripe cards are hardly ever used because everything is switching to contact and contactless chip cards. But mag stripe cards remain king in the U.S. because of the massive infrastructure in place to support them. Mag stripe material overall is extremely robust, Hermanson says, adding that the handful of manufacturers adhere to very strict standards. “A mag stripe can hold a tremendous amount of information in a fairly secure manner, and for a relatively low cost. And I think those remain its major advantages,” she says.

Summer 2011

The handset could be the only key you need Most of the buzz around near field communication has to do with payments with a bit reserved for marketing and loyalty possibilities. What’s going unnoticed is that the same technology can be used for physical access control to open doors at the office, at a hotel or even at home. Daniel Berg, vice president and general manager at ASSA ABLOY Mobile Keys, says use of the mobile device as a key is going to increase exponentially as more devices are equipped with NFC. “We’ve been happy to see all the news from different phone manufacturers that they are finally rolling out compatible phones,” he says. NFC uses the same technology as contactless smart cards, the ISO 14443 standard. So in theory any physical access control solution using that standard could port the application to a mobile device equipped with NFC. The switch won’t happen over night, Berg says. It will take a couple of years before enough NFC devices are in circulation to warrant companies offering NFC as an option for employee physical access control. There are also issues to address such as how a company deploys the application to the SIM or secure element of the device. “The business models and roles are still being defined, so there’s still a debate between who should do what and what should be there,” he says. Companies could do away with printed badges when NFC reaches critical mass, Berg says. “Basically, you have a card, but it’s online as opposed to the kind of the dead card that we carry around now,” he says. “You can issue and you can revoke access rights instantly and remotely, which is of course a huge benefit.” Other security benefits include the ability to block and revoke credentials over the air. “If somebody steals your phone, you can remove the credentials, and you can also have credentials inactivate unless the user is identified with a PIN,” Berg explains. “Compared to a physical card, you can have the same security or higher security.” Rachel Sa of ASSA Abloy Future Labs concurs. She says that the major advantage of the mobile contactless credential lies in its ability to be sent instantly to the end user’s handset, providing a greater level of convenience and security. The commercial sector will see the most benefit from mobile contactless credentials, says Sa. Security managers could remotely provide access credentials to all users, from visitors to highlevel execs, via a central access control system, she explains. Aside from saving time and money, this would provide real-time traceability, letting managers to see precisely when a credential was used. Hotels could build loyalty by offering check in and room access via NFC. Instead of waiting in line a hotel guest could check in online, have the room key downloaded to the handset and go right to the room. The same app could be used to notify the guest of offers and events. “If you use your mobile to open a door, we know where the door is located, so you can add localized services,” Berg says. “You can add some simple services like checking in on Four Square or you can use it for advertisements and localized information. You can put up messages for employees when they enter the building and things like that.” “The technology is there,” adds Berg. “Now it is up to innovative companies to put all the pieces together.” Summer 2011

University of Arizona deploys multi-app, contactless ID for students and staﬀ Jill Jaracz Contributing Editor, AVISIAN Publications In the last five years, the University of Arizona has transformed its CatCard from a basic identification card to a multipurpose tool. In terms of security, the school has been particularly aggressive creating multiple levels of access using magnetic stripe, contactless smart card and biometric technologies. In 1998, the Tucson, Ariz.-based university had 14 different ID cards on campus, according to Assistant Director of CatCard Services, Diane Tatterfield. University leadership decided to consolidate these into one identification card, the CatCard. Today there are 75,000 active CatCards used to gain access to 800 locations around campus. Prior to 2006, the CatCard featured a magnetic stripe and a contact smart card chip. The mag stripe enabled physical access to buildings and privileges such as meal plans. Users

loaded money onto the contact chip to pay for other services such as vending, laundry and photocopying. The university decided to pilot a contactless chip card five-years ago when it built the BIO5 Institute and medical research laboratory buildings, Tatterfield says. Because parts of these labs demanded high security, the university needed a solution beyond what CatCard’s magnetic stripe could provide. Partnering with Irish smart card integrator, SmartCentric, the university developed a system of three readers that enabled different levels of access based on a particular environment’s security requirements. Options include tapping the contactless chip, tapping the chip and entering a PIN, and finally tapping the chip and presenting a fingerprint for biometric matching.

Tatterfield says the university evaluated door access readers for six-months before selecting units from Integrated Engineering, a Dutch company that was acquired by HID Global in 2007. The CatCard includes an NXP DESFire contactless chip. It stores a biometric template containing a series of points from the fingerprint. This stored template is later matched with a template created by a reader at the door. By installing the new security infrastructure at the time of construction, the university avoided a future retrofit of the buildings. With higher levels of access control, the labs have a leg up when competing for grants and contracts that require secure facilities, says Tatterfield. While most access points on campus still use the magnetic stripe, a campuswide conver-

Arizona CatCard at a glance: • Active cards: 75,000 • Students: 39,000 • Faculty/Employees: 12,000 • Retirees, alumni, guest researchers, vendors, and satellite campuses • Cards issued each year: 25,000 • Total number of readers: ~800 • Magnetic stripe: ~570 • Contactless: 100 • Contactless-plus-PIN: 60 • Biometric: 70 • Number of buildings on campus with contactless readers: 12

Summer 2011

Purchasing. Security. Event privileges. Your campus card system should open the door to a world of possibilities on campus, online, and beyond. CBORD® is the industry leader in campus card systems that keep a new generation of students connected to their university communities. Visit www.cbord.com and take your one-card program to next level with CBORD.

Comprehensive Solutions. Innovative Products. Dedicated Service. Summer 2011 The CBORD Group, Inc. • 61 Brown Road, Ithaca, NY 14850 • 607.257.2410 • FAX: 607.257.1902 • www.cbord.com

sion to contactless physical access control is underway. All new construction includes contactless readers, including two new residence halls that opened this Spring with contactless tap and tap-plus-PIN security.

For more fine-grained control, the building manager for each facility can dictate access for cardholders. Access can be limited to a specific time period, such as 24/7 access, business hour access or access for a certain number of days.

The price for increased security

The card has a lifespan of four to five years. When a card is replaced, the cardholder receives a new 16-digit ID number based on the International Organization for Standards’ ISO numbering protocol. The system automatically replaces the user’s old ISO number so that the new card is usable immediately at all access points to which the cardholder is approved.

Higher levels of security do come at a price. According to Tatterfield, standalone contactless smart card readers costs the university just $40, but adding PIN capabilities ups the cost to $700 and biometric versions cost $1,200. The total cost for a finished card – including card stock, ribbon, printer and personnel – is $42, explains Tatterfield. Students pay $25 for the card, and employees, retirees and alumni receive their first card for free. Vendors – such as Coca-Cola, Federal Express and lab supply companies – who need access to secured areas pay full price for their cards. The CatCard office receives additional funding to cover the full cost of the cards. The university eliminated the contact chip from the card in November 2010. According to Tatterfield, improvements in technology enabled the unattended payment environments such as vending, laundry, and photocopy to move to the contactless interface. Removing the contact chip saves approximately $5 per card. Contactless technology has helped the university save in card replacement costs. Because the magnetic stripe is swiped less frequently due to the contactless interface, the stripes do not wear out as quickly so cards don’t need to be replaced as often. This has decreased Arizona’s card replacement levels from 11,000 per year to 6,000 per year, says Tatterfield. The university phased-in the contactless technology as new students required their initial card and returning students replaced lost cards. Today 95% of the cardholders have contactless IDs. Controlling access privileges To leverage the CatCard’s security features, general building access is determined by the cardholder’s status. When a student signs up for a CatCard, says Tatterfield, within 15 minutes he receives access to certain facilities including computer labs, TV lounges, the recreation center, library and athletic facilities.

The University of Arizona selected door access readers from Integrated Engineering, a Dutch company that was acquired by HID Global in 2007.

Summer 2011

The biometric challenge Implementing a new system, especially a sensitive one like biometrics, took some trial and error. Relying solely on fingerprint scans for individuals who work a lot with chemicals can be difficult because chemicals can ruin people’s fingerprints. The university also discovered that it was difficult to get high quality fingerprints from Asians, explained Tatterfield. The CatCard department worked with the university disabilities office to determine that the inability to offer a good fingerprint was, in fact, a disability. With this decision, a number of labs were downgraded from biometric readers to chip-plus-PIN security. A policy was made that if every individual using a specific lab could not use the biometrics, that lab could not upgrade the system to biometric readers. The CatCard office also discovered that the dry Arizona climate interfered with the biometric readers. Electric shocks were frequent when users touched a reader causing interruption in the reader’s operation. To eliminate the problem, the readers were reprogrammed to reset every second instead of every five minutes. The desert heat also often made a user’s hands too dry to roll a proper print, but they found that hand lotion solves this problem. Additional applications The CatCard provides other services beyond identification and physical security. It is necessary to access e-mail accounts and class schedules. The CatCard also controls meal plans, manages Bursar accounts and authorizes library and recreation center services. The contactless chip also contains a wallet that holds up to $250 for use on campus. Also on the financial side, a partnership with Wells Fargo enables users to tie their bank account to the CatCard and use it for debit card and ATM functions. The contactless chip enables the university to explore non-traditional partnerships, concludes Tatterfield. Ongoing discussions with Tucson’s bus system could one day result in the CatCard being used for transit ticketing and fare collection. And a host of other applications are on the horizon as the CatCard continues to claw its way into the future.

TSA again considering trusted traveler program Program would cut out private-run companies With security lines at airports yet again growing and concerns about full body scanners rampant, traveler frustration is again reaching a tipping point. The Transportation Security Administration recognizes this and is … once again … dusting off the idea of a trusted traveler program.

Details of the new known or trusted traveler program is still being worked out, but it will be different from the registered traveler programs that have been in place up to now, a TSA spokesperson says adding, “those programs have essentially been front of the line programs.”

TSA Administrator John S. Pistole wants to change the airport security checkpoint experience to enable “known travelers” to have expedited screening.

The trusted traveler programs were first thought of after the Sept. 11, 2001 terrorist attacks as a way to alleviate security checkpoints at airports. Private company’s sprung up to fill the need but ran into financial issues and ceased operation. In the last year a couple of new players have emerged, but they are only operating at a handful of airports.

“Recognize that TSA screens more than 628 million airline passengers each year at U.S. airports,” Pistole said in a speech before the American Bar Association’s 6th Annual Homeland Security Law Institute in March. “The vast majority of the 628 million present littleto-no risk of committing an act of terrorism.” Pistole wants to use risk-based, intelligence driven programs to enable easier travel. “Everyone is familiar with the current system that screens nearly everyone the same way,” he said. “If we want to continue to ensure the secure freedom of movement for people and commerce across this great nation and around the world, there are solutions that go beyond the one-size-fits-all system.”

Any new program will most likely dovetail with pilots for crewmember screening. That system will tie airline employee databases together in a seamless way and enable TSA security officers to positively verify identity and employment status of crewmembers. CrewPass, a pilot of a crewmember system, has been running since May 2009 at Baltimore/Washington International Airport, Pittsburgh International Airport and Columbia Metropolitan Airport in South Carolina. Crewmembers enroll in the system by show-

ing a government-issued ID, an airline ID, answering some questions and registering fingerprint biometrics. Pistole wants to expand this program to other airports and enable travelers to enroll, the spokesperson says. Benefits of the program may include enabling travelers to keep their shoes on, leave laptops in bags and perhaps skip the full body scanners, the spokesperson says. The TSA may tap into airlines frequent flyer systems to get information on travelers so the agency has additional data, the spokesperson says. The program will be different from previous ones because it also won’t guarantee expedited processing. Participants could be pulled aside at any point. “We won’t guarantee expedited screening,” the spokesperson explains. “There will always be a random element to this.” The TSA is expected to release more details with information about pilot program later in 2011. Expect to see it tested at one or two airports with additional rollouts if successful.

President Barack Obama meets with Homeland Security Secretary Janet Napolitano and Transportation Security Administration Administrator John S. Pistole, right, in the Oval Office to discuss transportation security. (Official White House Photo by Pete Souza)

Summer 2011

Protecting card printers and materials Manufacturers try to rein in the supply chain, but is it in vain? Autumn Cafiero Giusti Contributing Editor, AVISIAN Publications When it comes to securing the ID card printer supply chain, the process can be a lot like selling a car. Once a dealership sells a car to an individual, the dealer no longer has insight into whether the buyer sells that car to someone else. “That’s the point where we lose visibility,” says Ryan Park, senior manager of product marketing for secure issuance for HID Global, which manufacturers the FARGO line of card printers.

awarded to some company we haven’t even heard of,” says Jonathan Bowen, business development manager with DIS. In the past, DIS has cautioned its end users about buying printers from unauthorized resellers. “You don’t know the age of those supplies, or how they’ve been stored and handled, and that puts us at risk,” Bowen says. “It’s not just about fraud for us; it’s about how we do business every day.” Secure elements on the card can help

For this reason, protecting printers and supplies is an ongoing challenge for manufacturers in the industry. Ultimately printers can end up on eBay or other online sites, where fraudsters can buy them to create fake driver licenses, campus IDs or credit cards with mag stripes. “At some point, you as a manufacturer lose control of the printers you sell,” Park says. But there are measures manufacturers can take to reduce the chances that printers will end up in the wrong hands, or that if they do they won’t have the capabilities needed to replicate authentic cards. The key is working with authorized dealers, creating layers of security on cards to make them harder to reproduce and educating dealers and end users on how to safely get rid of unwanted printers, manufacturers say. There is also an initiative in the UK for law enforcement and printer companies to work together to prevent the cards and printers from falling into the wrong hands.

Adding layers of security onto the actual card is key to protecting the printer supply chain, manufacturers say. That way even if a printer ends up being used fraudulently, the person would not have all the tools needed to add those security features and make a card that appears legitimate. Holographic foils, special laminates and UV printing are examples of security features that can help prevent card duplication. “An ID document, if well done, will have some exclusive security features that are not commercially available on the street,” says Benoit Guez, director of smart cards and new technology for card manufacturer CPI Card Group. “Those can be on the material of the plastic,

In protecting its printers, one of the first safeguards that card printer manufacturer Digital Identification Solutions (DIS) takes is making sure that the retailers its dealers hire are authorized by contract to sell the company’s products.

the printing, the personalization and on the overlay protecting the personalization.” Most of CPI’s cards start with white plastic on which the issuer prints cardholder information. That information is protected with a secure overlay that may contain a hologram or some other feature. Some printers contain UV printer ribbons, so that when someone uses a UV black light to verify an ID, they can examine the card to make sure it contains certain security elements. This tends to be the case on driver licenses and national IDs. “That’s a really easy-to-add security feature for the end user, but we had to have a way to secure it so UV ribbons wouldn’t end up everywhere on the market,” Bowen says. To address this, DIS requires dealers who sell the special printer ribbons to sign an appendix to their contract, agreeing to a multi-step process in which they track every printer they sell to an end user. They must log the date the printer was sold and how many supplies went out. There is also a form the end user must sign. Anytime a user prints with one of Digital ID’s UV panels, the MAC address of that specific

Using UV ribbons, the MAC address of the printer is printed directly onto the card. Without a black light, the number is invisible to the naked eye.

MAC address

“What we’re looking for is when a dealer comes back to us and says a bid is being Card in normal daylight

Summer 2011

Card under UV light

The 10th Annual

Smart Card Alliance Government Conference Smart Strategies for Secure Identity

Nov. 2–4, 2011

Pre-conference Workshops Nov. 1

Ronald Reagan International Trade Center, Washington, DC

The Leading Showcase for Government Projects in ID and Security Who Should Attend? The conference draws key decision makers from every level of government and industry. Over 700 will attend, including government and industry executives, administrators and technologists

Join the Leaders

The 10th Annual Smart Card Alliance Government Conference will look at the opportunities and challenges ahead for government issuers, accreditation and testing authorities, procurement programs, and the industry to meet the government’s market demands.

Building on years of development and tens of millions of government-issued smart cards, the conference expands its focus on emerging identity and security developments by including new government initiatives to improve and implement electronic medical records (EMRs). The conference will cover new smart card applications with the potential to improve the security and privacy of patient information, provide the secure carrier for portable medical records, reduce healthcare fraud, provide secure access to emergency medical information, and provide the platform to implement other electronic applications as needed by the healthcare IT industry. Conference sessions will reﬂect and amplify the though leadership of the Smart Card Alliance Healthcare and Identity Councils.

Surveying Recent Deployments of Secure Electronic Medical Records

Continuing Coverage of Current Strategies for Secure Identity

The conference features comprehensive coverage of efforts toward strong authentication technology in government identity programs, including federal and non-federal Personal Identity Veriﬁcation (PIV) credentials, developments in National Strategy for Trusted Identities in Cyberspace (NSTIC), trusted ID on the Internet and on mobile devices, developments in state and local ID, as well as evolving global standards. Presentations emphasize real-world use-cases directly from the implementors and administrators.

Key Government Agency Participants and Presenters

For exhibit and sponsorship opportunities contact Bill Rutledge scaservices@smartcardalliance.org, 212-866-2169

OVER 50 EXHIBITORS IN A SHOWCASE OF INDUSTRY-LEADING TECHNOLOGY ActivIdentity • AMAG Technology • ASK intTag • AVISIAN Inc. • Aware Inc. • CPI Card Group • CSC • Datacard Group • Digital Identification Solutions • Exponent Inc. • Gemalto • Giesecke & Devrient • HID Global • HP • Identification Technology Partners, Inc. • Identity Stronghold • International Card Manufacturers Association • Kaba Access Control • L-1 Identity Solutions • LaserCard Corporation • Lenel, a UTC Fire & Security Co. • MorphoTrak • Muhlbauer Inc. • NXP Semiconductors • Oberthur Technologies of America Corp. • SafeNet • SMARTRAC Technology Group • Software House/Tyco International • Teslin Substrate by PPG Industries

Mark Your Calendar: Registration Opens this July • www.smartcardalliance.org

Industry, UK law enforcement partner to prevent ID fraud The UK Metropolitan Police Service and identity industry executives have banded together to try and separate criminals from the equipment and supplies they need to make fake identity documents.

working together we will make it harder for criminals to obtain such equipment, which undermines both the industry’s reputation and the security of the United Kingdom.”

Project Genesius focuses on the supply chain for printing equipment and source materials used for the manufacturing of cards, documents and credentials. The idea is to make it more difficult and increase the likelihood of discovery for illegitimate users to access the items.

Card printing companies participating in the project are expected to make sure customers are legitimate and notify police if there’s any suspicious activity. Sharing this intelligence makes it more likely that violators will be caught and others will opt to avoid the crime altogether.

“This is a Metropolitan Police initiative with the plastic card industry,” said Detective Inspector Nick Downing. “We have joint responsibility to eradicate the abuse of card printers and associated equipment. By

The end result of the project is to hopefully help Law Enforcement disrupt organized criminal networks and minimize economic fraud gained through the abuse of printing equipment.

printer is printed directly onto the card as a unique identifier. Without a black light, the number is invisible to the naked eye. “Let’s say a counterpart of mine in Europe is going to use UV on the cards, and a year after selling that, they start finding there are fake national ID cards being sold for 2,500 euros. The cards look so legit that they actually have the printer number printed on it. We can go back and find out where the printer was sold (since) we’ve had these machines on the market,” Bowen says. Manufacturers can also code their printer products to work only for the appropriate user. For instance, if the federal government purchased card printers from HID for a large installation, HID could encode the printers ribbons to work only with printers sold to the government client, Park says. Out with the old

HID Global’s SecureVault combines inventory management software and RFID access control technology to provide secure and convenient storage for sensitive ID card issuance materials and equipment.

Printers being resold on sites such as eBay or craigslist are usually the real deal. “It’s just generally the older real deal,” Bowen says. Such printers may be five or six years old, or may be damaged and need some repair to become functional again.

“There are definitely printers out on eBay that someone who knows what they’re doing can buy and create realistic looking (fraudulent) badges,” Bowen says.

Sometimes schools or other legitimate organizations purchase the used printers to create badges for students and employees. But this isn’t always the case.

HID gives directions on how to properly dispose of old printers. However, much like auto dealers cannot control the resale of their cars, printer manufacturers cannot legally restrict

Summer 2011

suppliers in the U.S. and Canada from reselling printers online. “We haven’t found a good recourse legally to prevent that,” Bowen says, adding that the only thing they’ve been able to do is offer trade-in values to pull those printers back in. “It’s a hard one to control for sure.”

That doesn’t stop the individual end users from implementing their own safeguards. Airports, government agencies and other entities where ID security is paramount often have their own systems in place for safely phasing out printers and supplies to ensure they do not go back into the market on eBay.

To some degree, dealers are on the honor system. “In the U.S. you may be able to trust, but there are parts of the world where bribes and kickbacks are an everyday part of life,” Bowen says. Education key to combating fraud in the field

Within the Department of Defense, for example, there are only a few suppliers qualified to sell government-marked material, Park says, adding that a fraudster would actually have to buy a printer from one of those qualified vendors.

Forged documents are easily detected by the trained eye. But an untrained individual wouldn’t know how to differentiate cards, which is why Guez says education is key in protecting the printer supply chain.

The rules can be different in the corporate world when companies are ready to unload their old printers. If a corporation wants a new printer to produce its employees’ ID badges, HID allows them to participate in a trade-in program within its dealer channel.

“People can scan a real card and try to change the name and photo, and then print it on plastic. And they usually miss all the security features. So a forged document is just a basic document, and that’s obvious to anyone who knows a little bit,” he says.

“Or you can throw it up on eBay, which may be why more often than not, you see printers for sale on the Internet,” Park says.

Requiring two or more forms of identification, such as a passport or birth certificate, can also help rule out fraudulent cards, he says.

Of course, not all fraudulent IDs are created using purchased or otherwise-obtained printers. Often, fake national IDs and driver licenses turn out to be cases of internal fraud where someone within the organization uses actual printers and supplies. “They’ve forged IDs that they issue on real machines in real offices in real time … when no one notices (they’re making) a fake ID,” Bowen says. For now, taking precautions by adding security layers and educating and vetting printer dealers and users may be the only real recourse printer manufacturers have against fraudsters. “In the end, I don’t think there’s a perfect way to prevent legitimate supplies from falling into the hands of illegitimate people,” Bowen says. “As we distribute legitimate supplies around the world, it takes constant vigilance to make sure these aren’t distributed into the wrong hands.”

Become a Certified Smart Card Industry Professional About CSCIP Professionals now have the opportunity to increase their industry knowledge, sharpen their professional skills, and take charge of their personal professional development. A CSCIP certification means you have passed a rigorous, comprehensive smart card technology and applied business applications education program and gained recognition as a certified smart card industry professional.

Join LEAP and make the SMART career move LEAP is an individual membership option offered by the Smart Card Alliance that offers exclusive industry knowledge, professional networking, and access to the only accreditation program (CSCIP) available for smart card industry professionals. LEAP is available to everyone, with special discounts offered to Alliance members. For more information, visit http://www.smartcardalliance.org/pages/activities-leap.

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. http://www.smartcardalliance.org.

Next test dates JUNE 23, 2011 London, UK NOVEMBER 4, 2011 Washington, DC NOVEMBER 16, 2011 Paris, FRANCE Visit the LEAP web site for future exam locations and dates in 2011 and 2012.

Summer 2011

NFC and EMV: Live together in perfect harmony? Whether on a card or a handset, payments will be more secure Like two trains speeding toward one another in the dead of night, EMV and near field communication seem poised for a collision in the U.S. Rapid fire NFC announcements occur daily and reports that two major U.S. banks will begin issuing EMV cards to frequent overseas travelers suggest it is only a matter of time before the two technologies meet. But will it be a collision or a meld? Most likely any type of NFC payment transaction will be as secure, if not more so, than a traditional EMV transaction. “EMV works better on a phone than it does in a card,” said Dave Birch, director at UK-based Consult Hyperion at the Smart Card Alliance Annual Conference held in May. Mobile phones may also prove to be safer than cards, Birch said. “If someone steals your phone you notice,” he added. Some have said that people typically notice a missing mobile phone in less than an hour versus up to 24-hours to notice a missing payment card. EMV is the payment security standard of choice in virtually every industrialized country in the world except the U.S. But this is likely changing as forces in the U.S. align for an EMV enabled payment infrastructure. And NFC may actually be the enabler to bring EMV to the U.S. “NFC is attached to EMV, it’s difficult to talk about one without the other,”

says Murat Guzel, COO and general manager of the SmartSoft Group, a Eurasian payment services company that is setting its sites on the North American market. In the U.S. it may be quicker to enable NFC than EMV, Guzel suggests, because there are more contactless payment terminals deployed than EMV contact terminals. Surveys also show that customers are interested in mobile payment. A MasterCard survey released in May found that 62% of Americans who use a mobile phone would be open to using their device to make purchases. Where NFC and EMV diverge It is important to separate a technology like NFC from an implementation such as EMV. A smart card is a technology that can be used for many purposes including access control, single sign-on, loyalty or payment. In the same way, NFC is a technology that can be used for many purposes of which payment is certainly one. The question centers on the specific payment implementation to be conducted via an NFC handset. It could be a proprietary closed-loop system, a contactless system using U.S. model of magnetic stripe data emulation or it could be a contactless EMV solution.

“NFC is attached to EMV, it’s difficult to talk about one without the other.” — Murat Guzel, SmartSoft Group

Summer 2011

In the U.S., contactless payments are not based on EMV. Instead, they use a Magnetic Stripe Data (MSD) configuration that is supported in MasterCard’s PayPass and Visa’s PayWave products. For the rest of the world, contactless EMV has been the choice as most countries deploying contactless payment cards have already migrated to contact EMV. MSD would have been a step backward in terms of transaction security for those countries. So the question for the U.S. market becomes whether to push the older, but deployed, MSD implementation to NFC or join the rest of the world and use EMV for NFC payments. “Nearly all NFC mobile payments being discussed at present are EMV based,” says David Worthington, principal consultant for payment and chip technology at Bell ID. But can the deployed infrastructure of point-of-sale terminals and backend systems support contactless EMV on a card or a phone? The simple answer is “Yes,” explains Worthington, “but it would be necessary to update the POS software. This might be a configuration change or replacement terminal application depending on what was originally deployed.” The responsibility to update the software would fall to the terminal manager. Depending on the environment, this could be the actual merchant, the acquirer, processor or even the terminal supplier if it provides management services.

In its report, Card Payments Roadmap in the U.S., the Smart Card Alliance highlighted that contactless terminals deployed in the U.S. would typically require a firmware upgrade, including an EMV Level 2 software kernel and application upgrades. In some cases this process can be done via remote download, but in many cases it will require the merchant to return the terminal to the manufacturer for upgrade. With proper software, a contactless terminal can support both magnetic stripe data and EMV. This would be the logical solution for the U.S. as it would provide a migration path from the currently deployed contactless cards to new contactless EMV cards and NFC devices. Similarly, an NFC device can be configured with multiple payment options. “Initially for the U.S., the NFC phone EMV application can be configured to support full EMV and MSD as well,” says Worthington. “So it will work at legacy devices from the POS terminal deployments of the last decade.” In this way, the NFC device itself becomes the bridge between existing POS devices and upgraded or EMV-ready terminals. Timeline Deploying new payment technologies takes a lot of time, said Richard Oliver, executive vice president with the Federal Reserve Bank of Atlanta at the Smart Card Alliance Annual Conference. Canada’s EMV deployment took five years and the move away from checks has been given a seven to eight year timeline in the UK.

“Initially for the U.S., the NFC phone can be configured to support full EMV and the Magnetic Stripe Data format as well.” — David Worthington, Bell ID

Summer 2011

Global EMV deployment and adoption Region

EMV cards

Adoption rate

EMV terminals

Adoption rate

Canada, Latin America, and the Caribbean

182,185,043

26.4%

2,000,000

55.6%

Asia Pacific

305,126,927

26.6%

3,200,000

41.6%

Africa and the Middle East

16,841,874

13.7%

348,000

62.5%

Europe Zone 1

555,688,434

65.4%

9,400,000

84.7%

Europe Zone 2

22,817,271

11.5%

457,800

61.2%

1,082,659,549

36.0%

15,405,800

65.0%

United States1 Totals

Figures reported in September 2010 and represent the latest statistics from American Express, JCB, MasterCard and Visa. 1 Figures do not include data from the United States. Source: EMVCo

Mobile in the U.S. seems on a faster pace but there’s a lack of focus, Oliver said. He called for a central organization, similar to NACHA in the payments industry, to help. Elements of a successful U.S. mobile payments scheme include an open wallet stored on a secure container on the mobile device that uses dynamic authorization. “It needs to simulate chip and PIN,” he added. In Turkey SmartSoft, TurkCell and PlastKart deployed a model that could accelerate the adoption of NFC in the U.S. The project’s Trusted Service Manager was the first in Europe to be approved by MasterCard. It enables payment and other application to be securely loaded on to a device’s SIM card. A Trusted Service Manager is the bridge between banks and mobile operators enabling the secure transmission of data to mobile devices. Using a Trusted Service Manager for administration of payment products gives banks more control and enables the consumer to have access to more information. TurkCell is offering its customers mobile payments with its NFC-enabled Mobile Wallet, NFC Gateway and Over the Air Platform. The service will be available for payments but also transportation, loyalty and other services in the near future. “Our NFC Gateway infrastructure enables multiple applications over one SIM card,” says Ali Salci, head of Mobile Financial Services at TurkCell. “As a result, the mobile phone can be used as a mobile wallet 64

Summer 2011

and you can load bank cards onto your SIM from participating banks.” The Trusted Service Manager model also solves some of the business case issues that have plagued NFC deployments. Both mobile operators and banks have tried to figure out ways to make money via NFC. With the Trusted Service Manager the bank buys space on the mobile device’s SIM from the mobile operator. The bank still makes money off of interchange from merchants when a transaction is conducted. Using the Trusted Service Manager, the customer downloads an application to the device, explains SmartSoft’s Guzel. Then the official payment card data would be securely loaded from an Over the Air transaction once the cardholder was authenticated. Security But how does NFC rank compared to EMV from a security perspective? Contactless payment technology is often the subject of controversy in the mainstream media with claims that someone can walk by and grab your credit card data. NFC, while using the same protocol as contactless payments, would increase security because the credit card data would only be transmitted after the user enters a PIN to activate it, says Worthington.

“From an EMV point of view the difference between a contact and contactless transaction is how contactless is used for lower-value transactions,” Worthington says. In traditional card-based EMV deployments, small transactions can be conducted without PIN entry. When a threshold amount is reached, for example 50 euros, a PIN becomes mandatory. In a NFC deployment of EMV, it is likely that a user will enter a PIN on the handset with every transaction. Thus, NFC could enable higher-limit transactions without requiring a PIN at the point of sale device. NFC can also enable banks to give more information to cardholders enabling greater security, Worthington says. When a cardholder makes a transaction at a point of sale the card is swiped, maybe a PIN is entered or a signature jotted down, but that’s it. With NFC the device can present more information and confirm the transaction with a user. The NFC application can also enable a user to make payments or find out about deals in the area. Will the card go away? With the seeming inevitability of NFC the discussion of the wallet on the phone has started again. Guzel, however, says the physical wallet won’t go away anytime soon because the older generation won’t want to give up a plastic card and it will take awhile for ATMs to adapt in order to get cash.

PIV, PIV-I and FIPS 201 approved products Research detailed product listings and compare different vendor offerings online at FIPS201.com, the most robust source for FIPS201, HSPD-12, ISO 24727, PIV and PIV-I products and services. Recently approved products PIV Card SafesITe FIPS 201 w/ HID Prox Card Gemalto Gemalto TOP DL with ActivIdentity Digital Identity Applet Suite Gemalto, Inc

Transparent Card Reader Realtek Integrated Smart Card Reader Fujitsu America, Inc. Biometric Attachment Finger Print & Smart Card Readers Motorola Solutions, Inc. PC Express Card Fujitsu Gemalto PC USB-TR DOD Gemalto Visotec Mobile 100 Bundesdruckerei GmbH

Caching Status Proxy Quintron AccessNsite HSPD-12 Plug-in Quintron Systems, Inc.

Card Electronic Personalization Device

Ready to explore compliant credentialing for your enterprise? FIPS201.com is the best place to learn about the array of products certified by the US federal government for PIV and PIV-I use. Heralded as the future of standards-based identity systems, PIV-I solutions are launching or being evaluated by corporations, first responder groups, campuses, hospitals and other organizations where security is key and standardsbased solutions are embraced. Begin your investigation at FIPS201.com to find the latest project news, access documents and presentations from pioneering organizations, and evaluate products â&#x20AC;Ś from cards and readers to biometrics and cryptographic elements.

MyID PIV v9 Intercede Limited

FIPS201.com

Facial Image Capturing Station PreFace SDK with IVA IVIN5M-UVC Aware, Inc.

the premiere resource for compliant credentialing

PreFace SDK with Pixelink PL-E533 Aware, Inc.

PreFace SDK with VistaFA2 Aware, Inc.

SCVP Client Path Builder SerVE CoreStreet, Ltd.

PIV Middleware PKI Client Symantec Corporation

id technology resource

Get your FIPS 201 Approved Product listed on FIPS201.com customizing photos, links, brochures, contact information, and more. Contact info@fips201.com for more information. Contact:

Ryan Kline 850-391-2273 ryan@avisian.com info@fips201.com

visit FIPS201.com to research and compare approved products

GOOGLE UNVEILS

Tech giant first out of gate with NFC payment network in U.S. Ryan Clary Contributing Editor, AVISIAN Publications 66

Summer 2011

S MOBILE WALLET Google announced the launch of two new mobile commerce services that the company says will revolutionize the consumer shopping experience.

All three items are passed to the terminal in a single tap, and once the cashier OK’s the transaction the customer signs to confirm the purchase.

Dubbed ‘Google Wallet’ and ‘Google Offers,’ the new Android apps will work together to enable customers to pay for goods, use their loyalty cards and redeem coupons all in a single tap at the point of sale, said Stephanie Tilenius, Google’s vice president of commerce at the launch event. The Wallet app stores multiple payment cards, including a new prepaid Google card that the customer can use to make contactless payments at the point of sale. Offers is a marketing program that lets users redeem digital coupons culled from the Net or nabbed from NFC posters.

The new service will work anywhere MasterCard’s PayPass technology is accepted, including 120,000 locations in the U.S., Tilenius said. In the future, Google hopes to allow users to store anything that would be kept in a normal wallet on the phone, including tickets, IDs, health insurance cards and more. The company also plans to add a feature that will allow customers to share receipts with merchants over the phone, eliminating the need for paper. Is it safe?

Google has partnered with Citi, Sprint, MasterCard and First Data to launch the service but the platform is open to anyone who wants to join, Tilenius said. Field trials are already underway in New York and San Francisco, with a broader launch set for summer. Initial participants include Macy’s, Toys ‘R Us, Subway, American Eagle Outfitters, Walgreens, Noah’s Bagels and more.

Google is providing several layers of security for the new service. First Data is the Trusted Service Manager (TSM) for the program. It is the TSM’s job to communicate with the phone’s secure element during a transaction, said Rob Von Baron, a security engineer at Google. The encrypted card information is shared only with the bank and the TSM and is provisioned securely en route.

Google’s vision With merchants nationwide already integrating support for the service, NFC payments via Google Wallet are right around the corner for U.S. customers, Tilenius said. But Google has a more complete shopping experience in mind that will take a little bit longer to come together. Here’s how it will work: Upon entering a store, a user’s NFC Android phone will automatically determine the location and begin working with Google Wallet and Google Offers to tailor your shopping experience. A welcome screen will pop up along with a shopping list based on your previous buying habits. Google will track down any deals in the store that align with your shopping history. For example, when going into a grocery store your phone might remind you when your favorite kind of bread is on sale, or if there is a coupon available for your usual purchases like eggs or milk. When it’s time to check out, a customer taps the NFCenabled phone against the reader and Google Wallet automatically assembles everything needed to pay – including credit card, customer loyalty card and coupons.

Google’s Nexus S handset, available from Sprint, contains a secure element from NXP. This chip stores and encrypts all of the user’s financial data, which is kept separate from the Android phone’s memory, Von Baron said. Users can set a PIN to unlock the phone and another to unlock the Mobile Wallet. When the screen is turned off, the NFC antenna is automatically disabled ensuring that data cannot be skimmed while the phone sits dormant. Leveling the playing field At the news conference in New York, Google urged prospective partners to take advantage the free-to-join, open platform. “The goal is to level the playing field,” said Osama Bedier, vice president of payments at Google. The new service will let small merchants leverage the same robust style of coupon and loyalty tools that major retailers enjoy, while large retailers will be able to use personalized offers to simulate the ‘one-on-one’ shopping experience that gives small retailers their edge. “This is only the beginning,” Bedier said. “This can get a lot better.” Summer 2011

NFC posters bring ‘X-Men’ to life If you happen to be an fan of the X-Men movie series … and you happen to be wandering around in London … and you happen to have an NFC phone … You can check out the latest in what the ad industry calls “out-of-home” or “hyper-local” marketing. Around London, promotional posters for 20th Centrury Fox’s new film, X-Men First Class, are different than those in other cities. The London version contains an embedded chip that enables NFC phone users to access an exclusive movie trailer and a link to the film’s Facebook page with a simple tap of their phone. The X-Men poster is the first product of Proxama and Nokia’s collaboration on NFC apps. Outdoor media specialist Posterscope, media owner JCDecaux and network operator O2 are also participating in the campaign’s launch. The tags cost around $1.50 to $3 depending on the volume, says Graham Tricker, chief technology officer at Proxama. There is also an additional $1.50 fee for licensing the service which allows a company to 68

Summer 2011

create campaigns, access campaign reporting, etc. “We see this moving to a cost per click model as NFC compatible phones become more widely available,” he adds. To educate users on the system, Proxama is developing a logo to indicate the touch point and an instruct users how to tap the phone, Tricker says. “We are developing the logo in such a way that the tapping instructions can be removed providing a unique and distinguishable logo that everyone will recognize,” he says. In addition to providing NFC phone users with information and media, the posters allow advertisers to collect unique location-based data about consumers which in turn allows for more targeted messaging. “What is so exciting about this layer of interactivity is its simplicity and the size of the opportunity for generating scale,” says James Davies, director at Hyperspace, Posterscope’s innovation and digital division. “There are 130,000 commercially available poster sites that can be instantly enabled … the potential application of this technology is immense.”