Page 1

Fall 2011

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Biometrics FOR PHYSICAL ACCESS CONTROL Match-on-card, spoofing, gait and more

✽ Visa: ‘Yes’ to U.S. chip-and-pin ✽ Phones replace cards for access ✽ New mandate puts PIV to work


Government and business rely on trusted identities. Whether you are protecting vital information or securing a border or critical infrastructure, you need to establish, with absolute certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide foolproof identification but also rigorously protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy.

CSC Public Sector CSC.COM/IDENTITYMANAGEMENT

DELIVERING TRUSTED IDENTITIES THAT ARE

BEYOND A SHADOW

OF A DOUBT

™


Contents 24

Cover Story

Biometrics for physical access control: Government drives match-on-card, new commercial uses emerge

30

Biometrics

Gait biometrics enable identification and authentication

36

Java Card vs. MULTOS

What happened to the smart card OS battle?

44

Handsets for Access Control Keying in to NFC

54

Mythbusters

Spoofing biometrics

Java Card

36 30 44 54

6 | OPINION | When identity and payments collide 8 | PODCAST | Replacing keys with the mobile, Examining Google Wallet, Taking two-factor ID to the next level, Facebook as an identity provider


Fall 2011 29 | BIOMETRICS | Match-on-card for logical access, health care, banking 30 | BIOMETRICS | It’s all about the walk: Gait biometrics enable identification and authentication 34 | ID | ID Lifecycle 101: Credential management 36 | SMART CARDS | What happened to the smart card OS battle? 40 | DIGITAL ID | Can strong credentials prevent hacks?

INDEX OF ADVERTISERS AOptix www.aoptix.com/iris-recognition Biometric Consortium Conference www.biometricconference.com.com CARTES & IDentification www.cartes.com CPI Card Group www.cpicardgroup.com CSC www.csc.com/identitymanagement CSCIP www.smartcardalliance.org Datacard Group www.datacard.com/id Digital Identification Solutions www.dis-usa.com/Re-ID Entrust www.entrust.com Evolis www.evolis.com FIPS201.com www.fips201.com HID Global www.hidglobal.com/future-REID IEEE www.IEEEBiometricsCertification.org Lumidigm www.lumidigm.com Oberthur Technologies www.oberthur.com Teslin www.teslin.com

10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites 21 | CALENDAR | Industry events from the identity and security worlds 23 | VIDEOS | Interviews with leading vendors including Ingersoll Rand, Jolly Technologies, USFI, NagraID Security

67 57 55 35 2 59 51 7 3

42 | GOVERNMENT ID | White House demands agencies actually use PIV cards 44 | PHYSICAL SECURITY | Keying in to NFC 46 | DIGITAL ID | RSA breach threatens trust in one-time passcodes 48 | FINANCIAL ID | Feds recommend status quo for online access 50 | PAYMENTS | Visa lays out plan for U.S. EMV, NFC

27

52 | EMV | UN Credit Union’s EMV program a success

63

53 | EMV | U.S. EMV issuers

68 39 31 37 47

24 | COVER STORY | Biometrics for physical access control: Government drives match-on-card, new commercial uses emerge 26 | STANDARDS | MINEX II: Match-oncard gains accuracy, speed

54 | MYTHBUSTERS | Spoofing biometrics: Research nascent but standards developing 56 | ID FRAUD | Common approaches to combat spoofing 58 | WEB SECURITY | Tech 101: Digital certificates secure the Web 60 | PAYMENTS | Mobile, local, social... Modern market trends drive Google to NFC 65 | INNOVATION | New HID readers, credentials enable identity across platforms 66 | REVIEW | Starbucks payment app for mobile handsets Fall 2011

5


Perspective EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Autumn Giusti, Jill Jaracz, Gina Jordan, Ross Mathis ART DIRECTOR Ryan Kline ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2011 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.

When identity and payments collide Two worlds increasingly intertwined Zack Martin Editor, AVISIAN Publications Banking, payments and identity have always shared a link. Many people consider a stolen credit card to be identity theft, and advanced payment solutions are taking queues from the identity world to increase transaction security. As newer payment and identification technologies emerge the link will only grow stronger. Recent announcements suggest that higher security for payment cards is on the horizon. Visa’s newly announced support for EMV in the U.S. is long overdue and a good first step. Every other industrialized country in the world has made the move to EMV and Visa’s announcement of a PCI waiver and liability shift are the carrot and stick necessary to start issuers and merchants down the road to EMV and secure contactless payments. It’s expected that American Express and MasterCard will announce similar measures to clarify the path to EMV shortly. Half a dozen U.S. issuers have announced plans to rollout or test EMV, but the cards are reserved for customers who travel overseas. The Visa announcement is likely to change this and extend EMV cards to typical U.S. consumers. Near field communication also has the potential to increase payment security. Users will have to enter a PIN into the payment application before secure data is transmitted. Depending on the deployment the system may use contactless EMV, which would render any stolen data useless. Some see NFC as the end game. If banks can offer a transaction that is as secure as EMV without having to issue a card, some will do a dance in the street. Others, however, fear loss of position in the top-of-wallet battle. In any case, the marketing possibilities mobile offers could provide an additional revenue stream for banks dealing with cutbacks in payment card fees. While payment cards seem to be moving in the right direction for security, the banking world is not moving as quickly to secure online account access. The Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding online account access but called for little more than the status quo.


With banks and their customers under increasing attack from hackers it’s disappointing to see the FFIEC stick with methods that are nearly a decade old. A single, static picture of a cow or a flower to reinforce that a customer is on a correct Web site is no longer good enough when it comes to defending against new attacks. Nor is the reliance on browser cookies. Even one time passcodes can be circumvented with the right malware. The new guidance recognized the emerging threats and stated that there are technologies out there that prevent the attacks, but it didn’t go so far as to state that banks should start issuing them to customers. The National Strategy for Trusted Identities in Cyberspace was initiated because identity theft and hacking has reached levels where it’s a threat to national security. I wonder if the FFIEC is just waiting on the sideline for NSTIC to offer stronger identities because waiting for financial institutions to do it on their own doesn’t seem like the correct solution.

EMV issuance could lead to stronger security for online account access. Adding a one-time passcode or out-of-band authentication to either an EMV card or NFC application could add significant security protections. Banks around the globe are offering readers, tokens or sleeves for EMV cards to enable two-factor authentication. The card is inserted, the PIN is entered and an OTP appears on the screen for use in online purchases or account access. As one industry expert told me during an interview for the FFIEC story, financial institutions consider fraud as an acceptable cost of doing business. A move to EMV will alleviate some of this cost, and perhaps this realization will be the encouragement banks need to get on board with stronger authentication for online account access.


Do you have an idea for a topic you would like to hear discussed on an re:ID Podcast? Contact podcasts@AVISIAN.com

Episode 77: Replacing keys with the mobile

Episode 78: Examining Google Wallet

Though much of the near field communication news is focused on payments, eventually the mobile device will replace keys as well as payment cards, says Daniel Berg, vice president and general manager at ASSA ABLOY Mobile Keys. Regarding ID’s Gina Jordan speaks with Mr. Berg about using the mobile phone as a physical access control token.

Google is early out of the gate with details on its near field communication based mobile wallet, not only enabling payments but loyalty and marketing as well. Howard Wilcox, senior analyst at Juniper Research, details the announcement’s significance, what the tech giant should watch out for, along with Juniper’s predictions for the NFC market.

“The simple benefit of being able to issue access rights instantly and remotely is of course the biggest benefit of this. On top of that you can also add services, like in the hotel case for example, it’s possible to check in and check out, you an increase the value of their loyalty by adding more keys to it and things like that. So you have a richness of services surrounding this delivery infrastructure as well, and then you can receive notifications like alarms (and) access events, since the card is online. So you can do that even if the doors are offline actually.”

“The significance of the Google announcement is they pulled together an ecosystem of participants. There are lots of different parties involved, mobile operators, carriers, retailers and merchant, financial institutions, processors and device manufacturers. Bringing together that ecosystem has been a challenge and one of the things holding up NFC.”

“You have a card, but it’s online as opposed to the dead card that we carry around now. And since the devices are so smart nowadays, it can also be done at very high level of security.” To listen, visit NFCNews.com/Podcasts and select “Episode 77” 8

Fall 2011

Juniper released predictions on the NFC market, which it expects to grow significantly even in the next couple of years. “We’re forecasting one in five smart phones will have NFC technology by 2014, that translates to 300 million NFC capable smart phones. Transaction value delivered by NFC will reach $50 billion worldwide by 2014.” To listen, visit NFCNews.com/Podcasts and select “Episode 78”


Episode 79: Taking two-factor ID to the next level

Episode 81: Facebook as an identity provider

Some consider Kenneth Weiss the godfather of two-factor identification. The founder of Universal Secure Registry and developer of tokenbased authentication technology has since moved on to other security technology that uses voice biometrics and the mobile phone. The new system would identify a user by their voice, a PIN and a randomly generated number that would be attributed to him for specific uses upon the initial two-factor authentication.

The UK is considering enabling citizens to use a Facebook ID for access to government services. Tom Smedinghoff, a partner at Wildman Harrold and chairman of an American Bar Association Task Force discusses how this would work and if it holds promise for the U.S.

“Your mobile phone is a powerful computer that you have on your person. And you’re already using a password to turn on your mobile phone. We integrated a better password, a biometric password and made your phone more usable.” The new product also aims to make it more convenient. “It’s already something that you carry with you and actions that you’re already carrying out. We have increased the level of security … and we have allowed you to be securely identified. To listen, visit DigitalIDNews.com/Podcasts and select “Episode 79”

In order to access government services online many countries have a national ID card, Smedinghoff says. Two countries where that won’t work, however, are the UK and the U.S. “One of the things they’re exploring in the UK is using social network sites as a source for identity credentials,” he says. The important aspect of having citizens use these sites for identity verification is that they are accustomed to the process. “I see a social networking source being one that helps people become aware of the concept of using a third-party as an identity credential. But it won’t be used in any sensitive transactions. I don’t see sensitive transactions based on a social media credential because they are self asserted and there hasn’t been any identity vetting or proofing done.” To listen, visit DigitalIDNews.com/Podcasts and select “Episode 81” Fall 2011

9


ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Google Group uses facial recognition to track rioters

A Google Group called “London Riots Facial Recognition” formed online to leverage facial recognition and large public groups to positively identify those involved in the looting and rioting in London. While the group’s moderator and respective members have attempted to keep issues such as ethical and legal identification at the forefront some see the group’s intended actions as vigilante justice.

Radiohead and Sonic Youth grace the stage. Last year’s attendance reached 382,000. Headliners of this year’s festival included Prince, Flogging Molly, Gogol Bordello, Pulp and more.

Subway launches NFC payments in U.S. Subway will launch NFC payment terminals in 24,000 restaurants across the U.S. in the fall, enabling customers to pay for their meals with a tap of their NFC-enabled smart phone.

The group is attempting to employ available facial recognition capabilities to sift through Facebook, Flickr and Twitter pictures comparing them with photos from the riots. Some worry overzealous participants could get innocent bystanders from riot pictures involved with police as possible suspected rioters.

As one of the first retailers to join Google’s Mobile Wallet project, the fast food giant hopes that the roll out will help speed the adoption of contactless mobile payments across the country, says Joost Zimmerman, Subway’s director of digital marketing.

Sziget Festival goes cashless for 2011

By 2012, Subway expects to roll out NFC payments in all 35,000 of its restaurants worldwide.

The Sziget Festival in Budapest, Hungary introduced a cashless payment system using contactless payment cards, watches and NFC technology. Concertgoers were able to make tap-and-go payments within the venue using preloaded contactless Festivalcards. According to Sziget, some 1,200 payments terminals at the festival were equipped to handle contactless purchases. Users added cash onto their cards at 34 Top Up Points throughout the venue. In addition to the card, Sziget launched an NFC-equipped mobile phone from Vodafone and a Festival Watch containing the same contactless chip and payment capabilities as the Festivalcard. Since its inception in 1993, the Sziget Festival has seen the likes of David Bowie, R.E.M., 10

Fall 2011

Aware wins TSA contract Aware Inc. will provide the Transportation Security Administration with a commercial off-the-shelf fingerprint system and associated installation support, training and maintenance. The solution will utilize Aware’s Biometric Services Platform (BioSP) to submit standardcompliant fingerprint records to the FBI for employee background checks and provide a user interface to view results and generate reports. BioSP will perform required workflows and functions associated with the background check process, including acceptance of records in EFTS format from TSA-approved collection agents, validation of the compli-

ance of records being submitted, receipt and proper distribution of FBI responses and temporary storage of records during the background check process. Authorized personnel will use the browser-based user interface to view background check results, generate reports, and other administrative tasks. Heathrow airport to implement face scanning for additional security London’s Heathrow International Airport will add face recognition systems as an additional layer of security for those flying internationally.

Specifically, the systems are being put into place to ensure the person receiving a boarding pass is the same person who uses the boarding pass. The systems, expected to go live in September, were developed by Aurora and are called Aurora Image Recognition (AIR) systems. The AIR system utilizes an infrared flash and requires a passenger to stand three feet from the camera for 4.7 seconds for an accurate authentication. Additionally, AIR will be integrated into the Passenger Authentication Scanning System already in-use at Heathrow and Gatwick airports.

Contactless token holds emergency health information Asahi Kasei, a Japan-based chemical and tech company, developed a tiny contactless health care device that allows paramedics and ER doctors to access a patient’s health records in seconds. Using Sony’s FeliCa contactless technology, the 3x3 cm token makes it possible for first responders to access important health information, such as medication allergies or blood type, by simply tapping the device with a card reader or smart phone.


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The compact device, which can be attached to the user’s cell phone, can store a patient’s entire medical history, including links to XRay images and other large documents, says Asahi Kasei. The $25 device should hit the market within a year.

Georgia rolls out smart IDs Georgia has begun a nationwide campaign to provide its citizens with new smart ID cards to allow users to perform online signatures, register and change addresses, fill out declarations, sign contracts, register organizations and much more. Departments will add additional services to the new ID cards and private sector services from businesses, universities and banks will be implemented as well. To perform a signature on a digital document, the user inserts the ID card into the reader, clicks to “sign” the document and is given a numerical code to confirm the signature. Once complete, the file can be sent anywhere online as a valid, signed document. The cards, which cost 30 GEL (about $18), will first be rolled out in Tbilisi and Batumi ahead of a nationwide launch later this year. The Civil Registry plans to print 500,000 cards this year, with the goal of ultimately issuing 3 million.

Oberthur acquired by private equity firm Advent International, a private equity firm, purchased Oberthur’s card and identity divisions in a deal valuing the whole unit at more than $2.1 billion.

The founder of the French technology company, Jean-Pierre Savare and his family will retain a minority stake of about 10% in the business and will keep Oberthur’s fiduciary printing unit. The company will focus on the electronic payment sector, telecommunications and identity for growth in the coming years.

UK company offers mobile wallet fraud insurance Insurance2go is the first company to offer fraud insurance for NFC payments in anticipation of the coming mobile wallet boom. The company launched the service, which covers its current UK customers using mobile wallet technology at no extra cost. “With this new payment system mobile phones will become even more attractive to thieves,” said Duncan Spencer, managing director at Insurance2go in an interview with Mobile Choices. “It would be incredibly frustrating to have your phone covered for loss and theft only to find out after it had been stolen that someone had run up a significant bill on a shopping spree before you’d had time to block the phone.” According to Insurance2go, roughly 60,000 shops in the UK are expected to adopt NFC payments by the end of the year.

Trio aims for fingerprint-enabled NFC transactions NXP Semiconductors, AuthenTec and DeviceFidelity are jointly developing reference designs to enable secure mobile payments via Android-based phones using fingerprint biometrics and near field communications.

The companies also collaborated to complete the first biometrically enabled NFC mobile payment transaction in the U.S. The transaction was made with a Motorola ATRIX 4G smart phone equipped with AuthenTec’s AES1750 smart fingerprint sensor and DeviceFidelity’s In2Pay microSD card based on NXP’s secure NFC solution.

Probaris launches Identity as a Service solution Philadelphia-based identity software and services provider Probaris entered the Identity as a Service (IDaaS) field enabling commercial enterprises, government agencies and government-affiliated parties to issue PIV Interoperable (PIV-I) credentials. The IDaaS solution works with Probaris ID Registration Authority for PIV and PIV-I to create an authoritative identity capable of mapping to extreme levels of assurance. When the two products are integrated, organizations can issue smart card and mobile credentials efficiently. This product is also offered as a managed service that can handle the credential deployment process, related infrastructure and applications. Probaris initially envisions the product for companies wishing to do business with the U.S. government.

EU smart card project complete At the end of July the final report was submitted to the German Federal Ministry of Education and Research (BMBF) marking the completion of the biggest chip card research project in the European Union. The results of the “BioPass” project lay the technical foundations for future electronic ID documents in the EU. There are estimated to be 380 million ID cards in circulation in the 27 EU member states with a total population of 500 million.

Fall 2011

11


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The BioPass project hopes to replace laborious and costly paper correspondence between citizens and the state, accelerating the data transfer and simplifying usage of electronic services for citizens. Giesecke & Devrient, Infineon and NXP Semiconductors were three of eleven companies that conducted three years of research into the development of high-security chip card technologies. The German Federal Government attaches great importance to IT security and data protection, and therefore the research project received BMBF support. The research demonstrated that the data transfer rate between electronic ID document and reader can be increased from 848 kbit/s so far to about 6.8 Mbit/s and theoretically could be further increased to up to 12 Mbit/s. A number of European nations – Bulgaria, the Czech Republic, France, Greece, Hungary, Poland, Romania, and Switzerland  – plan to introduce electronic ID cards that conform to international standards and technologies developed in the BioPass project. The budget for the research totaled almost $18.5 million, half of which was provided by the participating partners from business.

Symantec reaches milestone in certificate issuance Symantec Corp. has issued more than a quarter-billion digital certificates to verify user and device identity. Adam Geller, senior director of User Authentication, said that the volume of certificates issued reflects the company’s efforts to get commercial and government organizations to understand that digital certificates are key to strong authentication. The company rebranded its Managed PKI Service that allows users to deploy and scale certificate-powered security applications easily for cloud and mobile computing models. 12

Fall 2011

U.S. Army recruits Cubic GTS to track military vehicles and equipment Cubic Global Tracking Solutions is providing the U.S. Army with its new wireless mesh network technology to enhance logistics and asset visibility for military equipment being removed from Iraq. As part of the Army Mobility Asset Tracking System, Cubic delivered 2,000 mesh network asset tags at Camp Arifjan Wash Rack, located near Kuwait City. Small, battery-powered tags with GPS receivers are attached to vehicles and connect wirelessly with one another to form a mesh network. The technology is helping to track and organize thousands of U.S. military vehicles and equipment being redeployed from Iraq as the U.S. draws down its forces. The precise location of any tag can be determined by searching for its serial number in the Cubic GTS Device Management Center, the central database for all tags in operation.

Nokia launches ‘NFC Hub’ online store Nokia has launched an online store to provide businesses with NFC-enabled marketing materials. Dubbed the “NFC Hub,” the store will offer a variety products, including NFC posters, tags, stickers and even business cards, to help companies reach out to their customers in a new interactive way. An NFC business card allows a user to scan the card with an NFC phone to receive the owner’s contact information, which can be

stored to the phone with the simple click of a button.

Philippine Social Security agency adopts contactless ID cards Beneficiaries of the Philippine’s Social Security System will soon be issued new United Multipurpose Identification (UMID) cards equipped with contactless chips. The UMID cards, which feature a magnetic stripe in addition to the chip, are designed to facilitate secure transactions within the Social Security System and combat fraud, agency officials said. In addition to standard ID functions, the cards will enable holders to withdraw benefits and other loan proceeds from ATMs. Other government agencies such as the Government Service Insurance System, PhilHealth and Pag-Ibig are joining the UMID system. The agency plans to distribute 600,000 cards during the summer.

HID Global receives PIV-I certification HID Global completed cross-certification to the PIV-I standard via the CertiPath Bridge. With the certification, HID launched its PIV-I Service – an online offering that reduces the time and complexity required for contractors to obtain compliant credentials. The certified PIV-I service offering will be managed by HID Global’s identity assurance business, ActivIdentity. This marks the second cross-certification that CertiPath has announced within the past three months, which highlights: • The increased demand for non-Executive Branch federal employees, customers and partners, first responders and state and local officials to gain access to facilities and systems using their own, single identity credential.


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com • The growing number of mobile employees who “hotel” at various employer sites, as well as consultants, contractors, and visitors who may need access for days or for months to complete a project. • Additional pressure on federal agencies to roll out PIV compliant access systems, be they logical or physical, in accordance with the Office of Management and Budget Memo 11-11, which specifically ties future information technology funding to compliance with the standards defined by the Federal Identity, Credential and Access Management Roadmap. CertiPath is the U.S. Federal Public Key Infrastructure Policy Authority partner in testing PIV-I credentials, used for both physical and logical access. The company introduced the architecture for a single credential that can provide secure access and interoperability for employees, customers, and partners in 2009. It now applies that experience and expertise to vet and validate that issuers’ credentials meet the PIV-I standard.

Lumidigm extends solution to Windows OS Lumidigm ported its Mariner line of multispectral fingerprint readers to be compatible with computers running Microsoft’s Windows operating system. Beyond the multispectral aspect of the sensors, which is capable of reading subsurface aspects of a fingerprint for more accurate authentication and functionality in otherwise poor environments, Lumidigm notes the reader’s durability and reliability for industries including construction, health care and heavy industry. The Mariner is offered as a standalone reader and an original equipment manufacturer package for easy integration into keyboards, kiosks and handheld devices.

RFID, Facebook makes a splash at Ibiza Hotel, Spain Located on the beautiful Spanish island of Ibiza, the Ushuaïa Ibiza Beach Hotel is now outfitted with an RFID system that enables guests to share their visit online. Guests are issued an RFID-enabled bracelet linked to their Facebook account. Scattered throughout the hotel and the surrounding area are special pillars equipped with an RFID reader to scan the bracelets and allow the guests to share photos or post status updates.

Report: One billion contactless payment cards to ship in 2016 ABI Research has released a new report predicting one billion contactless payment cards will ship globally in 2016. The estimate marks a nearly six-fold increase from the 170 million contactless cards shipped in 2010. The report predicts that smart card shipments will overtake magnetic stripe card shipments by 2015, although ABI says that mag-stripe cards will still have a “significant hold” on the payment cards market through 2016. It cites China as the region to watch. According to ABI, China now has 2.3 billion payment cards in circulation, all of which will need to be replaced by smart cards in the country’s effort to undergo a complete transition to smart cards by 2015.

Vancouver considers finding riot suspects via face recognition British Columbia’s privacy commissioner is investigating the use of facial recognition technology and driver license photos to track down suspects from the Vancouver riots following their loss in the NHL Stanley Cup

finals. The Insurance Corporation of British Columbia is considering using its database of driver license photographs along with face recognition technology to find those involved. Concerns are that the Freedom of Information and Protection of Privacy Act prohibits a government agency from collecting information for one purpose, such as a driver licenses, and using it for another without due process from the police legally requesting specific data. Until the investigation is complete the data can only be used under a court order. ICBC officials stated that they fully intend to cooperate with the investigation.

Confident Technologies releases image-based authentication Confident Technologies released a new two-factor authentication platform for mobile phone out-of band authentication. The patent-pending product called Confident Multifactor Authentication offers a smart phone-based secure image selection process as a second authentication factor not connected to or stored on the device. When users register with Web sites or online services, the application asks them to choose different categories of everyday objects they can easily remember, such as types of plants and animals. Anytime the user needs to authenticate a transaction, the application generates a grid of random categories, some of which are the user’s chosen images. The user then taps on their chosen categories, enabling the authentication. Because the process authenticates via an application, the secure images aren’t accessible Fall 2011

13


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com to identity thieves. The grid of authentication images changes with each use, preventing the risk of shoulder surfing or theft through keystroke logging malware. Requiring users to memorize the second-factor authentication rather than storing it on the device means that losing a handset doesn’t create vulnerabilities in the user’s identity.

Google acquisition brings facial recognition technology Google acquired Pittsburgh Pattern Recognition (PittPatt), a seven year-old developer of facial recognition technology. Despite not releasing any specific plans for the company, a spokesman for Google did say that the technology holds many potential benefits to their users. Previously, Google dabbled in facial recognition services with different product, but decided to remove the facial recognition capabilities after deeming the potential for misuse to be too high.

French government votes to deploy national smart IDs The French National Assembly approved an identity protection law and plans to implement a smart ID card to combat rising identity theft. The French Interior Ministry claims that there are 80,000 cases of identity theft in France annually. To lower the risk of identity theft, the government plans to move from driver licenses and national ID cards to an eID smart card. Jean-Noel Georges, global director smart cards practice at Frost & Sullivan, says the smart card will contain two chips, one with personal and biometric information and another for optional e-services. 14

Fall 2011

One of the challenges the French government faces in implementing this program is collecting, storing and managing citizens’ biometric and personal information. Another issue is the deployment of card readers, the lack of which could hinder the effort.

South Africa makes another attempt to implement smart cards The South African Department of Home Affairs plans to try again to implement a smart card-based ID program. Its original smart ID pilot, planned for 2008, was postponed and the entire program scrapped last year because the department used the project’s allotted funds elsewhere. The postponement gave the government time to implement its Who Am I Online infrastructure, which the smart ID will use. The smart ID will enable citizens to access secure state pension payout and will replace the South African green ID books.

Proxama to launch ‘Basketball Wives’ NFC poster campaign Proxama has announced the release of a new NFC poster campaign to support the latest season of VH-1’s ‘Basketball Wives.’ Fans of the show will be able to tap their NFCenabled phones against the posters to instantly receive an exclusive trailer for the new season as well as a link to the show’s Facebook page. The posters, equipped with NFC chips, will be introduced at bus stops around New York and Los Angeles. Developed alongside Nokia, Hyperspace, CBS Outdoor, JCDecaux and Cemusa, the campaign is being run to illustrate the benefits that NFC ‘hyper-local’ marketing offers, according to Proxama. This new deployment

follows Proxama’s London NFC outdoor marketing campaign for the X-Men movie.

Safran, L-1 merger approved by CFIUS L-1 Identity Solutions and Francebased Safran announced that the Committee on Foreign Investment in the United States (CFIUS) approved the merger between the two companies by completing its investigation and finding no unresolved national security concerns. With the news of the approval, Safran and L-1 officials publicly announced their intent to complete the merger.

Isis welcomes Visa, MasterCard, Discover, AmEx to mobile platform Isis, the mobile commerce venture between AT&T, TMobile and Verizon, announced the addition of Visa, MasterCard, Discover and American Express to its mobile commerce platform. According to Isis, the move makes it the first mobile commerce platform with full support of all four national payment networks. This will allow merchants and consumers greater ubiquity and freedom of choice when it comes to payment network acceptance. Slated for launch in Salt Lake City and Austin in 2012, Isis will enable customers to make purchases, store loyalty cards and redeem coupons all with the tap of an NFC-enabled phone. “Since the formation of Isis in November, we have been committed to building a mobile commerce platform that aligns and ad-


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com vances the interests of consumers, merchants and banks,” added Michael Abbott, CEO of Isis. “By working with the nation’s payment networks – Visa, MasterCard, Discover and American Express – we significantly advance the vision of an open and secure platform that provides banks and merchants with a new and highly relevant way to connect with consumers.”

U.S. Green Card wins Identity Innovation award The U.S. Permanent Resident, or Green Card, manufactured by HID Global under its LaserCard brand won the ACT Canada “International Innovation Award” for identity management. The U.S. Green Card is issued to all legal foreign residents of the U.S. under the United States Citizenship and Immigration Services (USCIS) border security program. USCIS is an agency of the U.S. Department of Homeland Security. USCIS was honored for the application of secure innovations to the card’s structure and its data and visual security features. The redesigned Green Card, launched in mid-2010, combines HID’s LaserCard optical security media and an embedded RFID tag. General Dynamics Information Technology, the prime contractor for the U.S. Green Card program, supplies the cards to USCIS.

TSA releases some trusted traveler details Transportation Security Administration Administrator John Pistole provided an update on the agency’s efforts to implement riskbased, intelligence-driven security measures. As part of the discussion, Pistole provided details on the agency’s plan to conduct a pi-

lot program to enhance TSA’s identity-based, pre-flight screening capabilities and provide trusted travelers with expedited screening. At Atlanta and Detroit airports, selected frequent fliers from Delta Air Lines and certain members of CBP’s Trusted Traveler programs flying on Delta will be eligible to participate in the pilot. At Miami International and Dallas Fort Worth International airports, certain frequent fliers from American Airlines and certain members of CBP’s Trusted Traveler programs will be eligible. TSA plans to expand this pilot to include United Airlines, Southwest, JetBlue, US Airways, Alaska Airlines, and Hawaiian Airlines, as well as additional airports, once operationally ready. Details of the screening and background checks were not released during Pistole’e briefing but it’s possible that participants may be able to avoid the full body scanners and requirements to remove shoes and coats. The idea of a trusted traveler is not new, private companies have offered services but ever since Clear went out of business twoyears-ago the programs have struggled to get back going.

U.S. Bank launches wristband for contactless payments, health records U.S. Bank launched a new contactless VITAband, a lightweight wristband that combines contactless payment technology with emergency contact and medical information. Equipped with MasterCard’s PayPass technology, the VITAband enables customers to make purchases by simply tapping their wrist against any point of sale that accepts contactless payments. The device also pro-

vides a link to a customizable emergency response profile that provides medical professionals with quick access to critical medical information in the event of an emergency. U.S. Bank employees piloted the new device in the second quarter of 2011. It is made in partnership with MasterCard Worldwide, Vita Products, Oberthur Technologies and FIS. It features a contactless chip that can be preloaded with funds via an online user account, as well as a VITAnumber - a unique, eight digit numeric identifier that links the wearer to a customizable emergency response profile. In addition to contactless payments, the VITAband enables customers to check their account balances, reload associated prepaid accounts and customize their emergency information.

Military biometrics program sees success The U.S. military’s biometrics program scored a big win in the war on terror this year when the system was used to recapture Afghan prisoners who broke out of the Saraposa jail in Kandahar. The military has been a proponent of biometrics over the last seven years, pouring billions of dollars into the creation of databases, systems and tool sets to capture Afghans’ biometric information and check it against that of insurgents and detainees. While the system has had issues functioning properly in the heat, it did play a role in nabbing 35 of the 475 prisoners who tunneled out of the jail this past spring, showing that the military’s biometric database can be a useful tool. The database, called the Automated Biometric Information System, collects iris scans, Fall 2011

15


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com fingerprints and facial data. Troops use this data at checkpoints to help identify whether individuals are wanted. The military plans to increase the amount of data in the system and eventually turn it over to the Afghan government.

Idaho completes driver license rollout The Idaho Department of Transportation (IDT) has completed its transition to a new, more secure identification system. During the two-month transition period, the department issued nearly 30,000 licenses and state IDs. The cards have enhanced security features including microprinting, ghost images, laser-perforated state-shaped patterns and bar codes. The IDT also moved the card processing function to a central issuance system. When people apply for a card, they receive a temporary paper license that’s valid for 30 days. The permanent identification is made at a central secure location and mailed to the applicant. Waiting time for the permanent ID is about 10 days. Idaho is one of 24 states that create driver licenses and state ID cards through a central processing site.

Kenanga building goes contactless with LEGIC security system LEGIC announced that the K&N Kenanga International building in Kuala Lumpur, Malaysia has installed a new physical access control solution using LEGIC’s contactless 16

Fall 2011

technology. Located in Kuala Lumpur’s central business district, the Kenanga building is a 22-story commercial structure with a threeand-a-half-story annexed podium block. Kaba Jaya Security was selected to provide electronic access control, visitor management systems and half-height sensor barriers. LEGIC says the system should provide the building with improved reception management, shorter lines during rush hour, improved safety and asset protection.

New PayPal widget offers phone-to-phone NFC payments PayPal has developed a new Android widget that enables users to tap their phones together to exchange money. Expected to launch this summer, the widget runs only on NFC phones. To exchange funds, one user enters the amount to paid and then holds their phone against the other user’s handset. This sends a payment request to the second user, who then enters a PIN to confirm the payment. The new service could be particularly successful in the small business community, as well as personal peer-to-peer payments.

purchase IdentityGuard 10.0. For participating organizations, Entrust will replace up to 5,000 hard tokens with mobile and soft tokens. Companies do not need to turn in their old hard tokens as part of the program requirements. Citing the recent FFIEC guidance, Entrust president and CEO Bill Conner said that the hard token-based system of authentication is out of date, and given the recent high profile security breaches, solutions need to upgrade to a more flexible and seamless authenticator.

Gemalto offers FFIEC guidance Gemalto announced the launch of its 2011 eBanking Security Guide. This ten-step guidebook for securing online banking offers North American banks a solution to meet Federal Financial Institutions Examination Council’s (FFIEC) guidance. Gemalto’s eBanking Security Guide is free of charge and illustrates, step-by-step, how banks best address the new landscape of layered security, risk-based authentication and dynamic transaction verification.

Evolis, EFT Source partner for instant issuance EFT Source partnered with Evolis to develop Card@ Once, a new product for financial institutions to easily and more afford-

Entrust offers hard token replacement program In an effort to encourage companies to adopt software-based tokens for its IdentityGuard security program, Entrust is offering a hard-token replacement program. Companies that wish to partake must already be users of IdentityGuard 9.3 or higher, or

ably issue cards instantly. Card@Once enables banks and credit unions to provide debit, prepaid or reloadable cards onsite to customers. Card@Once has successfully undergone an independent, third party PCI-DSS audit. When a customer requests a card, the data is securely transferred from the branch location


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com to EFT Source. The data is then processed and converted into a print file that is sent back to the branch electronically. Card@Once encodes the data and prints the card enabling the customer to walk away with a ready-touse card. EFT Source partnered with Evolis to develop the proprietary equipment. The Card@Once card printers have been designed based on the Evolis dual-sided color card printer, Dualys. Additional benefits for Card@Once include key management, custom card designs, toll free technical support, 24­hour replacement, and the option to integrate with core processors or operate as a standalone solution. The first Card@Once machines have already been delivered and are in service.

Korean Airport uses biometrics to ease traveler experience The Incheon International Airport in Korea is using a program developed through its U-Airport Team to use biometrics to streamline multiple aspects of a traveler’s experience. The program utilizes kiosks with fingerprint or face recognition to authenticate traveler identities. Through the new program, travelers use their e-passport, which contains their biometric data on a scannable chip, in conjunction with their own biometrics to authenticate at immigration, check-in, security and boarding. Officials from the U-Airport Team believe that not only is the program increasing efficiency and security at the airport, it is the first step toward total biometric security and check-in, eventually eliminating the need for boarding passes and passports.

Pizza Hut franchisee implements biometric time and attendance

also allows system owners to unlock doors remotely for guests via their mobile phone, no matter how far away.

DigitalPersona deployed the U.are.U Fingerprint Biometrics solution to Rage Inc., a Pizza Hut franchisee, to be incorporated into a biometric time and attendance solution.

Oberthur supplies payment stickers for MasterCard events

The new fingerprint scanners will be used in 118 Pizza Hut locations throughout South Carolina, North Carolina, Kentucky, Tennessee and Virginia and will be incorporated into the Speedline point-of-sale systems. Employees will use their fingerprint to clock in and out and managers will use their fingerprint to authorize transactions such as discounts and voids.

Oberthur Technologies will provide its contactless FlyBuy stickers to MasterCard for tap and go payment at festivals and events. Equipped with MasterCard PayPass technology, the stickers were integrated into wristbands worn by MasterCard selected VIPs at the UK’s Isle of Wight Festival in June. The wristbands enabled contactless payments within the festival facilities.

Rage is expecting the new system to improve operations and finances by increasing individual accountability and reducing fraudulent activities such as giving out unauthorized discounts. Additionally, the biometric time and attendance solution will help eliminate payroll fraud such as buddy punching.

Apigy’s ‘Lockitron’ system brings NFC access control to the home Apigy is offering a service that lets companies and homeowners install NFC-enabled access control systems. Designed specifically for companies that use contract workers and people who rent out their homes, “Lockitron” lets users issue virtual keys to the guest’s cell phone, rather than make a physical copy of a key. The guest then uses the phone with the embedded password to unlock the door with a simple tap. The service costs around $340 for equipment and installation and can provide either permanent or temporary access. The service

Qatar taps Gemalto Gemalto was selected by Qatar’s Supreme Council of Information and Co m m u n i c a t i o n Technology to deploy the Coesys eGov 2.0 solution for eGovernment in Qatar. Using Qatari citizens’ national eID card as a strong authentication token, the solution will boost usage and enhance access security of their national eGovernment services portal. Qatar plans to expand the existing service to integrate more than 50 eGovernment initiatives in the coming years. Qatari citizens will have access to eGovernment services in their homes and perform administrative procedures such as visa application, commercial registration, electricity bill payment or health card renewal. In addition, users will be able to digitally sign official documents and forms on the Web. The Gemalto solution requires no additional software installation by the end-user, they simply use their eID card as the single credential and a personal code for authentication.

Fall 2011

17


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com This technology enables Web applications running in a standard browser to access a smart card connected to the user’s computer. This also enables the government portal to deploy and update its services in a transparent way.

Remaining Australian airports receive biometric gates Darwin International Airport in Australia launched SmartGate counters to enable users with specific passports to use automated kiosks andface recognition to get through customs, rather than traditional manned counters. The implementation of the SmartGate technology at Darwin completes the rollout at all of Australia’s international airports.

Foreigners seeking extended stay in Korea must enroll biometrics Foreigners visiting Korea that plan to stay for more than 91 days will be required to register their ten fingerprints and a facial scan upon entry to the country. The new program, which is a result of immigration legislation that passed Korea’s National Assembly in April 2010, will also require more than a million foreigners already residing in the country to register their biometrics by January 2012. In addition to immigration purposes, the Korean government expects to bring the biometric system into law enforcement and government programs helping with management of criminal cases and social security. While some have expressed worries that the program could lead to racial profiling, Korean officials are more interested in the potential positive effects citing Japan’s 35% reduction in crimes committed by foreigners and the ar18

Fall 2011

rest of 33,000 foreign criminals in the United States.

SchoolsConnect keeps parents informed on child’s whereabouts

VeriFone device turns tablets into NFC readers

EarthSearch debuted its student transportation and class attendance monitoring system, SchoolsConnect, in Dubai.

VeriFone’s new add-on device transforms tablets into NFC readers, enabling retailers to accept mobile payments on the go. Compatible with the Apple iPad, Samsung Galaxy Tab and Motorola Xoom, it accepts payments from traditional magnetic stripe cards and NFC devices. VeriFone’s move puts them toe-to-toe with m-payments start up Square, which has already shipped 500,000 units of its card reader attachment.

Indian ID authority grants access to corporations The Unique Identification Authority of India, an organization that assigns ID numbers to the country’s poor to help them obtain social services, is starting to give corporate access to its database. ICICI Bank Ltd. and State Bank of India are the first two companies enabled to receive the information. They will be the first of 64 banks that will open accounts based on the biometric information in the government’s database. According to a study by The Boston Consulting Group, nearly half of Indians don’t have a bank account. With the Authority giving access to its data, banks will be able to better reach the unbanked and provide them basic financial services. The Authority hopes to provide 600 million people with ID numbers by 2014. It says it has the capabilities to collect every Indian citizen’s birth date, gender, fingerprints and iris scans but is trying to solve data storage issues surrounding this information.

SchoolsConnect offers wireless integration between GPS and RFID technology to provide real time information about student bus riders and class attendance monitoring. Automated SMS or email notifications alert parents when their child has been safely picked up or dropped off at home or at a school. Notifications can also tell if the student has been excessively late for class or skipped school. Based on EarthSearch’s LogiBoxx technology, the system also enables access control and parent/teacher communication modules that allow teachers to upload grades and other information for parent viewing.

Report: Mobile payments users to reach 2.5 billion by 2015 Mobile payments users are expected to grow by 40% to reach 2.5 billion globally by 2015, according to a new report from Juniper Research. The Far East & China region will be the largest market for mobile payments, accounting for nearly 30% of the total by 2015, while the Indian sub-continent is forecast to exceed 400 million users. Mobile tickets for transport and entertainment were found to be two of the key sectors influencing growth. Senior analyst David Snow comments: “While the mobile payments sector offers substantial growth opportunities, it needs to be seen by innovative players as a platform from which to develop new value added applications and services, such as personalized mobile cou-


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com pons, loyalty schemes, and novel augmented reality offerings.”

Water parks and resorts using RFID to capture memories Great Wolf Resorts, a chain of North American indoor water park hotels, launched a new program that enables guests to link to Facebook and automatically share photos using RFID-equipped wristbands. Dubbed Great Wolf Connect, the platform allows guests to check-in at designated Paw Posts photo booth kiosks located throughout the resort. Guests simply scan their wristband and photo is taken. That photo and a caption are then automatically posted on the guest’s Facebook page. Developed by Fish Technology, the wristbands also serve as guests’ room keys and inhouse charge accounts. The Great Wolf Connect program will make its first appearance at the Great Wolf Lodge in Grand Mound, Washington.

VingCard introduces NFC check in solution VingCard Elsafe launched a new service that enables hotel guests to check in remotely through their PC or smart phone and receive room keys directly to their NFCenabled phone. Compatible with existing contactless locks, the solution uses NFC as a secure delivery infrastructure for distributing and managing virtual keys securely on mobile devices. These virtual room keys are sent to the guest’s NFC

phone on the day of arrival, allowing the guest to bypass the front desk and head straight to their room, says VingCard. Holding the phone within 10 cm of the lock opens the door. Built around VingCard’s VISIONLINE system, the solution features standalone electronic locks that communicate with a central property server, eliminating the need to manually encode key cards, cancel master cards and check battery life. A remote audit trail and live card-tracking capabilities are also provided, as well as optional communication functionality designed to keep hotel management constantly in the loop via automated text message or email. VingCard says their solution provides endto-end security by making it impossible for unauthorized people to use a lost or stolen mobile phone. Security managers can add, remove or update access rights for any of the users instantly, regardless of whether the doors are online or offline.

Sakae Sushi keeps the sushi train fresh with RFID Sakae Sushi, with more than 70 outlets in Asia and beyond, has deployed an RFID system to keep its delectable sushi fresh as it moves from the kitchen to the customer tables. An RFID tag embedded under each sushi plate relays information to a central computer that tracks the plate and ensures it doesn’t “expire.” Expiration for cooked food is typically two hours, but raw foods such as sushi are typically pulled within the hour. With the RFID system in place - instead of checking on the freshness of the sushi - chefs can focus their attention on food preparation. The system can also track customer preferences, enabling chefs to prepare fewer plates

of sushi that are less in demand, which in turn keeps food waste to a minimum.

idOnDemand extends token trade-up program idOnDemand extended its RSA SecurID token trade-up program through the end of 2011. Companies affected by the breaches to RSA’s SecurID tokens can trade in their tokens for a free trade-up to an idOnDemand smart card system. Only companies currently using RSA SecurID tokens may participate in this program. For every token it turns in, a company will receive a credit toward idOnDemand Smart ID cards. Companies may turn in a maximum of 100 tokens. The Smart ID service includes managed certificate authority; FIPS 201 compatible smart cards; building access for HID, Indala, Honeywell compatible and MIFARE, PIV, ISO 14443; support for all major VPN routers and an enrollment portal.

ID scanner brings CRM tools to dining and drinking establishments Tokenworks released a new ID verification scanner that includes integrated customer relationship management features, as well as membership management tools. The IDVisor Touch reads IDs from all 50 states, driver licenses from all Canadian provinces and U.S. military IDs. It features rechargeable Li-Ion batteries, a color touch screen and a scanner that can integrate quad band phone, Wi-Fi and Bluetooth technologies. The device can store the 65,000 most recent ID scans in an encrypted SQL database. To Fall 2011

19


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com comply with states that have ID scanner data retention limits, the device can be set to autodelete scans after a specified length of time. Redesigned software features incorporate CRM and membership management capabilities. Businesses can use the reader to track customer’s visits and personal information and assign levels of status to customers. They can also manage membership or rewards programs through the reader. Data can be exported to a CSV file and copied to any spreadsheet program. Data on the device is protected by strong database encryption and optional PIN code access. New IDVisor Touch units retail for $1,495.

Evolis unveils new printer, new dual encoder Evolis announced the launch of ZENIUS, its next-generation single-sided color printer with a redesigned printing engine, software architecture and consumables. The printer can be monitored directly at the user interface through pop-up notifications that provide information on the printer’s status. The Evolis High Trust range of consumables is designed to enhance graphic performance and simplify routine tasks. The new ribbons are supplied in a cassette with an RFID chip that identifies the ribbon type to the printer and configures all settings. ZENIUS is an eco-designed printer that uses recycled material that can be recycled.

Scandinavian Airlines to launch NFC check-in system Scandinavian Airlines (SAS) will introduce an NFC sticker system to streamline the airport experience for frequent fliers. Dubbed Smart Pass, the NFC stickers can be attached to a 20

Fall 2011

mobile phone for use at self-service kiosks, security, Fast Track, lounges, duty free shopping and at the gate. Already piloted in three Scandinavian cities, the Smart Pass system will be available this fall to all EuroBonus Gold frequent fliers across Scandinavia.

CPI Card Group launches dual interface EMV solution from NXP CPI Card Group, a global manufacturer of contactless payment cards, announced the certification of a new EMV dual interface payment solution for Visa card issuers. Built around NXP Semiconductors’ SmartMX microcontroller IC, the new solution helps reduce card fraud and migrate EMV systems to North America, says Karsten Danziger, director of banking solutions for NXP Semiconductors. The cards feature GlueLogic design methodology, dedicated hardware firewalls to protect software and data, and a comprehensive suite of technologies addressing attack scenarios. CPI says its first target market will be in Canada, where it operates a Toronto facility certified in producing and personalizing EMV cards. The company will then introduce the dual interface cards to EMV markets in the U.S., Europe and Latin America.

U.S. Bank to launch America’s first dual interface EMV credit card U.S. Bank, together with Visa and Oberthur Technologies, announced the release of a new dual interface payment card combining Visa PayWave contactless technology, EMV chip and magnetic stripe. Designed to be compatible with all payment systems around the world, the U.S. Bank Flex-

Perks Travel Rewards Visa credit card will be the first dual interface EMV card introduced in America, says U.S. bank. Manufactured and personalized by Oberthur, the new cards will be introduced to more than 20,000 U.S. Bank FlexPerks Visa cardholders this month. Plans are in placed to expand the offering to other travel reward cardholders in the coming year.

New safes biometrically lockdown prescription narcotics ESSC’s new biometric safe is designed for health care organizations to secure narcotics to reduce employee and patient theft. Called MedixSafe, it utilizes three-factor authentication to open including a PIN, proximity card and fingerprint scan. According to paramedics already using the solution, the idea of people being tracked each time they open the safe to obtain drugs serves as a significant deterrent to theft.

California credit union implements CardWizard instant issuance Kern Schools Federal Credit Union has implemented Datacard’s CardWizard software for instant debit card issuance at its seven fullservice branches, in addition to three campus locations. CardWizard software enables the institution to instantly issue Visa debit cards so members leave the branch with an activated, ready-touse debit card immediately after opening a new checking account or requesting a replacement card. Since 2008, the credit union has been utilizing CardWizard software in its three campus service center locations throughout California’s Central Valley. The expansion brings the software to the seven full-service branch locations. The Datacard 150i card personalization systems instantly print and emboss the cards


CALENDAR

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com on site. With the CardWizard software and associated hardware, the Credit Union instantly issues a variety of payment cards including personal debit cards, business debit cards, ATM cards and campus ID cards.

Voice biometrics secure credit union account access Finivation Software unveiled its voice biometric authentication solution to enhance credit union call center security as well as online and mobile banking security. The solution, called VoiceVerify, will be first implemented at the Phoenix-based Desert Schools Federal Credit Union where the new technology is expected to ease the process of authenticating customers via the phone as well as decrease the time it takes to do so. The technology better links customers with their accounts and helps prevent fraudsters from gaining access to sensitive information or making transactions. Specific challenges VoiceVerify addresses include authenticating a user’s identity over the phone when accessing an account, authenticating one’s identity via phone for final authorization of a transfer or payment and automating password reset by phone.

TicketFriend debuts NFC ticketing app for Android Dublin-based tech firm TicketFriend launched a new N F C - b a s e d contactless ticketing app for Android phones. This endto-end system enables users to purchase, store and redeem event tickets all from their NFC-enabled smart phone. The system allows promoters to target customers with customized ticketing options for their events, as well as connects users through a social media network. TicketFriend

OCTOBER 2011

FEBRUARY 2012

CTIA Enterprise and Applications October 11 – 13, 2011 San Diego Convention Center San Diego, Calif.

Smart Card Alliance 2012 Payments Summit February 8 – 10, 2012 Hilton Salt Lake City Center Salt Lake City, Utah

NOVEMBER 2011

RSA Conference USA 2012 February 27 – March 2, 2012 Moscone Center San Francisco, Calif.

Smart Cards in Government Conference November 1 – 4, 2011 Ronald Reagan International Trade Center Washington D.C.

MARCH 2012

ISC Solutions (formerly ISC East) November 3 – 4, 2011 Jacob Javits Convention Center New York City, New York

ISC West 2012 March 27 – 30, 2012 Sands Expo and Convention Center Las Vegas, Nev.

CARTES & IDentification November 15 – 17, 2011 Paris-Nord Villepinte Exhibition Center Paris, France

APRIL 2012

is testing the system with a number of promoters ahead of a commercial release later this year.

Report: Transit companies look to open-loop future The Mercator Advisory Group’s new report analyzes the transition to open-loop payments systems among transit authorities. According to Mercator, millions of public transport fares are processed every day through propriety, closed-loop smart card ticketing

NACCU 19th Annual Conference April 22 – 25, 2012 Sheraton Seattle Hotel Seattle, Wash.

systems in cities such as Hong Kong, London and Seoul. This accounts for some $100 billion in annual fare collection. Mercator says many of these operators are working to switch to open-loop payments based on contactless EMV bank cards in order to eliminate the cost of supplying their own tickets and spare themselves the hassle of adding retail payment capabilities onto their proprietary smart cards. Because there are a number of regulatory hurdles keeping transit authorities from easFall 2011

21


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com ily adding everyday retail payment capabilities, i.e. buying a cup of coffee or a newspaper, onto their smart cards, operators are finding it ultimately easier to “outsource” their ticketing to banks and credit card issuers, according to Mercator. “Contactless EMV is set to transform ticketing, with travelers able to tap-and-go with any number of standard credit and debit card products,” Mercator stated in the report, Smart Ticketing: The Move to Open-Loop Transit. “Open-loop payment cuts more fare collection cost for operators, simplifies back end financial processes, accelerates throughput by removing ticket purchase and recharge bottlenecks from transit stations and improves transit accessibility for casual travelers and visitors.” Mercator added that NFC-enabled smart phones are another reason to transition to open loop. The up-and-coming technology will soon be available on a number of handsets worldwide, and since it uses the same RF antenna as smart cards, no new or special turnstiles of fare boxes are required.

Florida county secures student transactions with vascular biometrics Florida’s Pinellas County School District deployed biometric technology to provide a more reliable and secure method for handling school food service program transactions. The solution combines Fujitsu PalmSecure biometric technology with MCS Software’s point-of-sale system to provide enhanced security without student PINs or fingerprints scanners. Unlike other readers, the PalmSecure device never comes into contact with the student’s skin, making it extremely hygienic, non-intrusive and unrestricted by external factors such as skin types and conditions. 22

Fall 2011

The Fujitsu PalmSecure sensor uses a nearinfrared light to capture a student’s palm vein pattern, generating a unique biometric template that is matched against the palm vein patterns of pre-registered users. It assures the student’s identity thereby reducing waste and impersonation.

ABI sees the greatest growth potential in the vending machine industry thanks to the increased speed and simplicity of contactless payments. Customers benefit from the quick and easy cashless transactions, while operators are spared the hassle of dealing with PIN entry or signatures. This, ABI says, plays into the “essence” of the vending industry.

China to ship 1 billion smart payment cards by 2016

Ingenico, VeriFone and Hypercom are the three leading vendors of POS terminals and command most of the market, according to ABI. VeriFone recently completed the acquisition of Hypercom after satisfying the antitrust concerns of the U.S. Department of Justice. The report finds that contactless terminals have formed an increasingly significant part of Ingenico’s portfolio in recent years, accounting for 21% of the company’s shipments in 2010.

IMS Research’s new report predicts that the number of payment smart cards shipped in China will leap from 17 million in 2010 to more than one billion total by 2016. According to Analyst Don Tait, the People’s Bank of China announcement in March to convert the country’s debit and credit payment cards to smart cards is the key to driving growth. By mandate, all financial institutions in China must be ready to issue financial smart cards by January 1, 2013. As a result, by 2015 all new cards issued in China will be smart cards, most likely dual interface. This mandate will also have a global effect on smart card shipments running up to 2016, according to Tait. “The growth of payment and banking cards in China is projected to happen over a much shorter time frame than in many developed Western countries,” concluded Tait. “This reflects the fact that change is mandated. Having the support of the government will also drive this initiative to mass roll out and acceptance.”

Report: 85% of POS terminals contactless-enabled by 2016 A new report from ABI Research predicts that 85% of point-of-sale terminals worldwide will be contactless-enabled by 2016, up from just 10% in 2010. ABI attributes the growth to the proliferation of contactless cards, “rapid” adoption of NFC-enabled cell phones, and the introduction of major mobile payment services like Google Wallet.

AOptix releases new SDK AOptix launched its Dash Six Iris Recognition Enterprise SDK. As a compliment to its InSight iris recognition systems, AOptix is rolling out Dash Six to increase matching accuracy to customers looking for openness, ease of integration and integration support. Dash Six offers iris image processing capabilities that include iris segmentation, encoding and matching. The new SDK offers strong support for oneto-one authentication – including a compact template-on-card format  – as well as largescale one-to-many identification, supported by powerful image quality and anti-spoofing metrics. Because of AOptix’s interoperability, Dash Six can be implemented with a wide range of iris recognition systems. Built for Windows and Linux operating systems, Dash Six is based on ISO 19794-6 standards for image format and quality.


SecureIDNews.com/VIDEOS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Aptiq: More than just physical access Schlage’s Aptiq line of smart cards and readers is built on an open standard that enables organization’s to add their own applications to the cards, says Rajesh Venkat, vice president of marketing at Ingersoll Rand. The company is looking to work with application developers to create different programs for the credentials. “Aptiq is not only going to be used for physical access but other applications as well,” he says. It is aimed at any size issuer from the college campus and health care organization to small businesses, Venkat says.

ID Flow brings visitor management on campus Jolly Technologies’ ID Flow is a visitor management system that enables an organization to scan a driver license, capture a photo and fingerprint biometric, check that data against a watch list and then issue a credential, says Kurt Bell, vice president of sales and marketing at Jolly Technologies. The ID Flow system is built with an open architecture and is designed to easily integrate with existing physical access control systems. Companies can create their own watch lists or subscribe to law enforcement lists, Bell says.

USFI offering biodegradable ID cards to schools Issuers striving to be green may want to give USFI a look. The company offers biodegradable and recycled card stock for IDs. A typical PVC card will take between 200 and 300 years to breakdown in a landfill, where as USFI’s biodegradable cards will turn to dust anywhere from nine months to five years, says Brian Sterling, account executive at USFI Student ID Cards. USFI’s card stock has an enzyme that begins to break the card down once it’s placed in a landfill. The company also offers recycled cards as well.

NagraID shows off display-card functionality NagraID has been in the payment card space for more than five years producing display cards that consumers can use for an extra layer of security when making purchases, says Don Malloy, business development manager at the company. The cards, which can be EMV enabled, have a display that shows a one time passcode that can be used when conducting transactions. NagraID’s newest product requires the cardholder to enter a PIN into the card itself. Only then will it produce the one time passcode to be used when making a purchase. The display card technology can also show a cardholder the balance on an account or other custom data.

Fall 2011

23


For many, the use of biometrics for physical access to facilities – whether placing a finger on a scanner or looking at an iris camera  – continues to evoke futuristic images. But the technology is prevalent in applications that many use every day, for accessing the gym or tracking of time and attendance at work.

included in the first FIPS 201 standard for PIV cards, the credentials mandated for U.S. government employees and contractors. But the new draft FIPS 201-2 revision more specifically calls for match-on-card biometric technology for physical access control. Government applications paving the way

That said the high-security applications still exist and remain a primary driver for the technology. Biometric authentication was loosely

Governments across the globe are driving the use of biometrics, says Dave Adams, senior product marketing manager for Identity and Access Management at HID Global. India, South Africa and Brazil are looking at fingerprint technology to secure facilities. Iris is also on the radar, he adds, but not nearly as prevalent to date.

Biometrics FOR PHYSICAL ACCESS CONTROL Government drives match-on-card, new commercial uses emerge Zack Martin Editor, AVISIAN Publications

24

Fall 2011

Fingerprint continues to gain in popularity because of its improved accuracy and lower cost. In the past, Adams explains, biometric technology had issues. “The reality hit that you would be holding up people at the front door with false accepts and false rejects,” he says. “The technology has improved dramatically over the past decade.” Many countries are looking at what the U.S. has done with FIPS 201, trying to create a similar specification for use by their government employees, Adams says. The current FIPS 201 standard utilizes biometrics in a three-factor architecture: smart card, PIN and biometric. The fingerprint can only be accessed through the contact interface of the card and only after the PIN has unlocked it. This has been an impediment to its use for physical access control because it slows throughput at busy gates and doors. Both users and industry representatives have


long wanted the removal of the PIN requirement and the subsequent ability to use the biometric over the contactless interface.

Clearly, the most recent MINEX results released in March suggest the technology is ready for prime time.

A new revision to FIPS 201 is underway with the draft version calling for the use of match-on-card, a technology considered attractive for privacy protection, says Patrick Grother, a computer scientist at the National Institute of Standards and Technology who worked on the MINEX standardized match-on-card technology tests conducted by NIST.

The draft FIPS 201-2 specification calls for match-on-card to be enabled over the chip’s contact interface. Contactless may be added in the future, but the standards regarding encryption of the template from the reader to the card need to be finalized before Grother believes NIST would endorse that functionality. No coffee mugs allowed

Match-on-card is exactly what it sounds like – the biometric matching is performed on the card. The benefit is that the enrolled biometric template never leaves the card. The individual places the card in the reader and places a finger on a sensor to create a template. This template is transmitted to the card where it is matched against the enrolled template stored on the card. In other biometric architectures, the match is performed on the reader or in a backend database, which means the template could more easily be compromised.

Vendors say they can do match-on-card via the contactless interface already, says Neville Pattinson, vice president of business development and government affairs at Gemalto. The workflow for contactless match-on-card would require that both of the user’s hands are free. “It’s a two-handed operation, one hand to hold the card to the reader and one to present the finger,” he explains. “You need to leave the card in the reader field as you present the finger.” Seaport security

“The alternatives (to match-on-card) aren’t attractive,” says Grother. They include requiring a PIN to unlock the biometric or having the biometric as a free read. A PIN requirement is problematic because individuals forget PINs and the PIN entry process can slow throughput to unacceptable levels. “(With match-on-card) if I lose my card and someone else picks it up … because the biometric never leaves the card there is no possibility to read it,” he adds. NIST conducted a series of trials, called Minutiae Interoperability Exchange (MINEX) tests, to see if vendors could submit cards and fingerprint algorithms that could work with the ISO standardized templates. “Before 2008 nobody had published how well a minutia matcher could work on an unpowered smart card,” Grother says. Teams were invited to participate; typically it was smart card vendors with biometric providers. The card and algorithms were tested tens of thousands of times and then the software was also tested with a virtual card millions of times, Grother says.

Fingerprint technology is being used at seaports across the U.S. for physical access control using the Transportation Worker Identification Credential (TWIC), says Walter Hamilton, chairman of the International Biometric and Identification Association and a partner at ID Technology Partners.

The U.S. Coast Guard validates identity with the TWIC by visually inspecting security features, validating the digital certificate on the chip or checking the fingerprint template stored on the card against the cardholder’s finger.

They found that the speed and accuracy of the cards and matchers has improved, with transaction times less than a quarter of a second and sometimes less than one-seventh of a second, Grother says. The transaction time is negligible compared to the time it takes to place the card in the reader and finger on the sensor. The main reason for the tests was to determine if match-on-card technology could be used with government-issued PIV cards, Grother says.

There are a few ways the U.S. Coast Guard, which is in charge of security at ports, validates an identity with the TWIC, Hamilton says. The card itself can be inspected for visual security features, the digital certificate stored on the chip can be validated or the fingerprint template stored on the card can be checked against the cardholder’s finger. Both standalone and handheld readers have been used to authenticate individuals with TWIC credentials.

A final report on fingerprint reader performance is due shortly, Hamilton says. After that the Coast Guard will create a rule as to how biometrics will be used at ports. Due to the lengthy rule making process, it will likely be 2013 before wide scale deployment of fingerprint readers occurs. Commercial applications While the government may be a large future consumer of match-oncard technology, some in the commercial sector are already using it, Fall 2011

25


Pattinson says. “Enterprises want it for three-factor authentication. Card present, PIN and biometric for access to the highest-security areas, such as server rooms,” he adds. Both government and high security corporate applications want to use biometrics to strongly tie the individual to the access transaction, but in much of the commercial arena it’s a combination of security and convenience driving biometric use. This combination led 24 Hour Fitness to deploy biometric readers for access to its facilities, says Patrick Flanagan, senior vice president at the

fitness chain. The fitness chain was also looking to reduce the number of ID cards it printed in an effort to be greener. “We were printing more than one million cards each year and now we’ll be able to stop that,” he says. 24 Hour Fitness partnered with MorphoTrak to offer cardless check-in for its 4 million members and 420 locations. Some 97% of members have opted into the biometric check-in program with the remaining holdouts using a government-issued ID to gain access to the club, Flanagan says.

Match-on-card gains accuracy, speed The tests show that PIV compliance and the success of match-on-card deployments depend on more than the oncard matching algorithm. The minutia detection algorithm used to prepare the card’s reference template and authentication templates is critical, such that the selection of the template generator is now more influential on error rates than is the matching algorithm itself.

The MINEX II tests were conducted to evaluate the accuracy and speed of match-on-card verification algorithms. These run on standard smart cards and compare reference and verification data conformant to the ISO/IEC 19794-2 Compact Card fingerprint minutia standard. The test assesses the core viability of matching on personal identity credentials based on industry-standard smart cards. This latest test results were released in March, with the prior two releases published in Feb. 2008 and May 2009. The number of match-on-card implementations that passed the minimum government standards has increased each year along with the number of card-provider/algorithm-provider teams more than doubling in that same span. The results support the proposed inclusion of match-on-card in the U. S. government’s PIV program. Initial requirements appear in the recently drafted FIPS 201-2, and NIST is now developing match-on-card specifications for PIV.

Good minutia detection algorithms reliably find the same minutiae in two captured images of the same finger. Poor generators caused several match-oncard implementations to narrowly miss PIV compliance. This calls for further development, standardization, test and calibration work.

The increase in interoperable accuracy and in the number of PIV-capable commercial providers – from two in 2009 to five in 2010 – represents a maturation of the marketplace for standardscompliant products.

Match-on-card implementations from five providers met the minimum error rate interoperability specifications set for the PIV program for match-off-card solutions. The increase in interoperable accuracy and in the number of PIV-capable commercial providers – from two in 2009 to five in 2010 – represents a maturation of the marketplace for standards-compliant products. 26

Fall 2011

The technology does remain technically difficult to deploy. Algorithms from two providers missed the PIV requirements despite having PIV-compliant matchoff-card implementations. This shows that the porting of algorithms running on general-purpose computers to smart cards is a not an easy task. It also helps explain why the number of providers of off-card minutiae matching algorithms greatly exceeds that for on card.

The results of the tests give credence to the argument that matchon-card deployments should adopt template generators that report minutia quality values, such as those submitted to MINEX II. Reliable quality values are vital in the preparation of the compact-format templates sent to the card.


What do the Manchester City Football Club

and the Indian Government Health Department have in common? Evolis card printers: their choice for smart card personalization Manchester City FC chose the Evolis card printers to print subscribers’ cards, access control badges and employee IDs. The Indian Government Health Department also picked the Evolis printers to encode and print health insurance cards for 60 million beneficiaries. Evolis is trusted by companies and institutions all over the world for their identification needs. Simply because the Evolis solutions are innovative, user-friendly, reliable and cost-efficient. Call us today at 954.777.9262 or visit www.evolis.com


When registering with the system, members choose a 10-digit PIN and record the fingerprint biometric, explains Flanagan. Using the PIN, the club is able to do a one-to-one biometric match reducing the possibility of false accepts or false rejects.

Food production facilities have been adopting biometrics because of their potential vulnerability to terrorist attacks, Jones says. Manufacturing is using biometrics because it enables secure access for a large number of people.

“It makes it easy for our members to access the club,” Flanagan says. “All they need to bring is a towel.” Additionally, the biometric ties the membership to the individual ensuring friends don’t share ID numbers or cards.

It can also keep track of who’s coming and going, says Phil Scarfo, senior vice president of worldwide sales and marketing at Lumidigm. Manufacturing uses biometric not just to make sure the correct people are getting in the door but also to keep track of the hours they work. “There’s always been a desire for biometrics at the door because with time and attendance applications that use a card, (the card) can be shared,” Scarfo says.

The system started rolling out in the fall of 2010 and was fully implemented by spring 2011. It took about three months to enroll existing members. The embrace of the biometric access system at 24 Hour Fitness makes Gary Jones, head of sales for biometric access control at MorphoTrak, believe that the American public is ready for the technology. “This gave us confirmation that if you design a system correctly you can get great acceptance,” he says. Demand for biometrics access control has been growing, says Jones. “There isn’t a vertical market in which we don’t have a reader installed,” he says. “It ranges from consumer applications like health clubs and entertainment all the way to banking, manufacturing and agriculture.”

Morphotrak’s Jones adds that companies need not switch all doors to biometrics, but only those controlling access to sensitive areas such as servers or IT rooms. “If they have 100 doors they may start off with five or six with biometrics and after they see how it works they expand,” he says. The Bank of America headquarters in Charlotte, N.C. went a different direction when it deployed iris recognition throughout the building, says Hector Hoyos, CEO at Hoyos, an iris recognition provider. Cameras capture the employee’s iris before they walk through a turnstile and, if approved, open the gate. The cameras are used on each of the 48 floors for access to different areas. There are 12,000 employees enrolled in the system, Hoyos says. Guests are also enrolled and allowed access to the approved areas. Bank of America had an existing card-based physical access control system but made the switch to iris to expedite access, Hoyos says. More than doors Most people think of physical access as opening and closing doors. But biometrics can also keep track of a fleet of trucks, individuals packing a shipping crates or operators of heavy equipment. Fleet and asset managers want to use biometrics to know who is driving a particular vehicle or who packed a particular container, Scarfo explains. “In essence there will be a biometric switch instead of an ignition that will enable the driver to be identified at the home office,” he says. A similar system could be used to verify that trained people are operating special equipment. For example, instead of using a key to operate a forklift at a warehouse or store, a biometric could ensure that the key isn’t left in the machine enabling an untrained individual to operate it.

“It makes it easy for our members to access the club. All they need to bring is a towel.” — Patrick Flanagan, 24 Hour Fitness

28

Fall 2011

Biometrics have long been touted as a technology to secure access, be it to a facility or a computer network. Such high-security government and corporate needs have driven its use and that will continue but as acceptance of the technology grows more commercial applications will also appear.


“Enterprises want match-oncard technology for three-factor authentication. Card present, PIN and biometric for access to the highest-security areas, such as server rooms.” — Neville Pattinson, Gemalto

Match-on-card for logical access, health care, banking

Photo: Oberthur Technologies

Match-on-card is often touted as an application for physical access control, but there is some debate as to whether the technology has an application in the logical access world. Walter Hamilton, chairman of the International Biometrics and Industry Association and partner at ID Technology partners, says match-on-card could be more useful for logical access. “I don’t see match-on-card for physical access because it would be a twohanded operation,” he says. He is referring to the fact that physical access is largely the realm of contactless and for match-on-card to be used over a contactless interface, the user must keep the card in the reader’s RF field while presenting the fingerprint. But logical security applications do not present the same two-handed challenge.

“Elimination of the PIN is the biggest thing match-on-card brings,” explains Hamilton. “Being able to authorize a transaction using cryptography without entering a PIN is a big deal.” This, he suggests, is an ideal solution for network access control. But Neville Pattinson, vice president of business development and government affairs at Gemalto, says match-on-card for logical access is tough because it’s more expensive. “It’s the cost of the readers on the logical access side that could be prohibitive,” he says. “Biometric readers are not cheap. In logical access there is a one-to-one correlation with the number of readers needed, (but) it’s not the same with physical access control.” Even with that said, Pattinson says matchon-card may take off in certain logical access

control settings. Health care providers might have to start using smart cards with matchon-card fingerprint capabilities to file Medicare claims. The idea is proposed as a way to reduce fraud in Medicare. There’s a possibility that Medicare recipients would use similar technology, but there’s debate on whether patients should use a biometric or a PIN. In addition to health care applications, Oberthur sees applications in banking. Match-oncard is being eyed in the financial services arena, says Patrick Hearn, vice president of Government and Identification Markets North America at Oberthur Technologies. Some banks in lower-income areas or areas with high rates of illiteracy are considering match-on-card at ATMs as a replacement to traditional PINs.

Fall 2011

29


It’s all about the walk

Gait biometrics enable identification and authentication

“I know his gait, ‘tis he.—Villain, thou diest!”

— Othello, act V, scene 1

William Shakespeare mentioned in several plays that you could recognize a person by the way he walked. Yet it’s taken hundreds of years for researchers to discover the science behind gait biometrics and make it a viable identification tool. 30

Fall 2011

Professor Mark Nixon of the School of Electronics and Computer Science at the UK’s University of Southampton became interested in gait in the early 1990s during the Jamie Bulger murder case.

Bulger was a toddler who was abducted and killed by two ten-year-old boys while on a shopping trip with his mother. Surveillance cameras caught the trio walking through the shopping center, but the footage didn’t show the faces of the abductors. They could, however, see the way the kidnappers walked. Nixon and his fellow researchers thought it might be possible to develop a computer program that could identify people by their

Photo: University of Southampton

Jill Jaracz Contributing Editor, AVISIAN Publications


Get security and convenience... along with durability, performance and a compelling ROI. With Lumidigm, you don’t have to compromise. We call this the Lumidigm Advantage™. Quite simply, our patented multispectral imaging approach to user identification is the best there is. Lumidigm technology was specifically developed to address the shortcomings of conventional sensors that force users to choose between security and convenience. For more information about the Lumidigm Advantage, visit www.lumidigm.com. We are available at +1 (505) 272 7057 and sales@lumidigm.com to answer your questions.

AdvantageTM


Professor Mark Nixon of the School of Electronics and Computer Science at the UK’s University of Southampton standing inside a specialized tunnel through which subjects carefully walk. “It’s quite hard to spoof gait,” says Nixon, adding that you can try to fool the system, but essentially the leg geometry doesn’t change, which means if you’re using body measurements for your algorithm, “there’s a space you haven’t changed.”

In the early 2000s, the Defense Advanced Research Projects Agency (DARPA) funded the Human ID Project, an exploration into image understanding and identifying humans at a distance. Professor Aaron Bobick, Chair of the School of Interactive Computing at Georgia Institute of Technology, was one of the researchers who received DARPA funding to study this area. Bobick focused on authentication as opposed to identification. While identification attempts to make a one-to-many match, authentication more narrowly performs a one-to-one match. “It’s more forgiving,” says Bobick, noting that measurements can be more consistent, and even if you have a large database, “for someone to pretend to be Joe, they have to match with a small percentage to get away with it.” Because verification is “a much easier bar to hit,” Bobick says it has immediate real world application, like physical access control. Someone can use a contactless smart card to assert an identity, for example, and the cameras can take measurements of the person’s gait to match with the stored identity. Gait biometrics utilizes measurements to quantify physical processes. Nixon’s group measures a variety of things including body shape or silhouette and the dynamics of a person’s leg motion. Researchers cre32

Fall 2011

ate an algorithm from these measurements, and from there, build databases of individuals to use for matching. In the early 2000s, some researchers found the science of gait biometrics to be inconclusive, citing that there were too many variables to create certainty. Still what it could do, says Bobick, was help police narrow down a field of criminals. They would have the ability to reduce 100,000 hours of footage down to 100 hours, a volume that could then be physically viewed by several men in short order. “It pulls out the one percent of the video and says in each of these clips, there is somebody who could be my guy. In that way it’s a success because you wouldn’t have found him otherwise,” says Bobick. Sudeep Sarkar, professor of Computer Science and Engineering at the University of South Florida, was another researcher who worked for the Human ID project. His research concluded that gait alone could not positively identify an individual. “You can recognize somebody up to 80 to 85% (certainty) based on gait and you can do it from a large distance. You cannot do definitive recognition with it, but combined with other factors, you could get a higher hit,” says Sarkar, adding that face and gait recognition together could get a positive hit in the 90th percentile. Although much of the research in this field ended when DARPA funding dried up, Nixon and his team kept on, creating a specially equipped tunnel to help populate its database with information about the legs and the way they swing. This tunnel, which looks a lot like a metal detector, is outfitted with 12 cameras that capture a 3D image of a person

Photo: University of Southampton

gait. “It proved to be a tough nut to crack,” says Nixon, explaining that a walking object on video creates a large volume of data from multiple viewpoints because perception changes as the subject moves. Add to that the fact that people wear different clothes and shoes, and the researchers had a difficult challenge.


walking over a set course. This image is then converted into numbers, which is then combined to give a person a distinct ID. A specialized tunnel through which subjects carefully walk may seem like an overly controlled environment for practical application. In the field, people walk over various terrains in different shoes, they gain or lose weight, and may even be a criminal trying to avoid detection. But the tunnel seems to work. Nixon and his team put it to the test using different shoes and clothing, obscuring faces and even adding padding. Along the way, the database did an impressive job of successfully matching subjects to their gait. In fact, flip-flops were the only shoes that did confuse the system. The researchers found that the action of the toes clinging around the thong in the shoe could adjust the way someone walks.

Photo: Georgia Tech Photo: Stanley Leary

“It’s quite hard to spoof gait,” says Nixon, adding that you can try to fool the system, but essentially the leg geometry doesn’t change, which means if you’re using body measurements for your algorithm, “there’s a space you haven’t changed.”

As the team built its database, it discovered that human walking is more unique than one might expect. Measuring people walking over 11 months, they found that individuals do walk in a very consistent way. Real world use In practical settings, gait biometrics may be reaching feasibility particularly in applications requiring one-to-one authentication. In situations where the police are trying to use it to convict a criminal, it can be effective if the video recorded gait is compared to a known suspect. One-to-many identification, however, remains a challenge. Unlike fingerprints or facial photographs, there is no significant database of gait biometrics. Even if there was such a database, some question whether the current accuracy of measurement would enable millions of records to be culled down to a reasonable sample for human review. Still, Nixon and his crew have had successes. They helped the British police locate a purse-snatcher his identifying features with a unique motorcycle helmet and gloves. They

compared two different video shots of the suspect confirming through gait that both were the same person. Using surveillance cameras to identify suspects through gait is difficult because today’s cameras are designed for human operators, says Nixon. They’re all sighted to see the face, he explains, and “we’re not interested in that.” In a practical setting it is still a ways off because of the sheer volume of work involved with building the database and the algorithms. Still, what was a pipe dream in the early days of biometrics is closer to becoming a viable option for identification. “In 1995 you couldn’t do what we could do now,” says Nixon. “It’s hard, but it does work … I like to think gait will become part of the spectrum of biometric solutions in the future.” If he is right, Shakespeare’s casual observations could be transformed into science. “Shakespeare knew it too,” says Nixon. “But he was a clever bloke.”

Professor Aaron Bobick, Chair of the School of Interactive Computing at Georgia Institute of Technology, focused on authentication as opposed to identification. While identification attempts to make a one-to-many match, authentication more narrowly performs a one-to-one match. Because verification is “a much easier bar to hit,” Bobick says it has immediate real world application, like physical access control. Someone can use a contactless smart card to assert an identity, for example, and the cameras can take measurements of the person’s gait to match with the stored identity. Fall 2011

33


ID Lifecycle 101: Credential management Part three in a series on identity issuance and management Issuing a credential is only the start of the identity lifecycle. As an individual moves around an organization, controlling and adjusting the systems he can and cannot access is equally important to the initial identity vetting. Throughout the ID lifecycle, this identity and credential management function is essential. As identification has evolved, “it’s gotten much more detailed and much more broad,” says Terry Gold, vice president of sales North America at idOnDemand. “Over the past 10 years, the importance of identification within an organization has skyrocketed.” When dealing with ID management, coordination of both physical and logical access points is key. However, different areas within an organization often have responsibility to control different access privileges. Security departments tend to manage the physical aspects, controlling who gets into buildings, garages, elevators, doors and doors within doors. IT manages the logical access functions, granting permission to devices, applications and networks. “It takes a great vision to put the two together,” says Neville Pattinson, vice president of standards and government affairs at Gemalto. “You have to have oversight over the two. If you do one without the other, it can be chaos.” Companies that don’t coordinate these two functions may waste a lot of money. “The bad way is to consider them separate (functions). Individuals are doing different things and buying incompatible equipment,” says Pattinson. This can result in having to issue separate IDs and credentials for each function, which can be a budget breaker.

34

Fall 2011

“The good way is to have one central repository for identity of the individual. You provide the same credential for the logical and physical world. All systems understand the same credential, even if they’re used in different ways,” says Pattinson. “Central identity management is key.” Along with making sure identity is centrally managed, Gold says it should also be managed in-house. While credential issuance can be outsourced, she believes it is risky to outsource the management functions as well. “Most enterprise and government agencies are very resistant to outsource much that relates to these controls,” says Gold. “Our philosophy is to segregate the credential issuance process from these controls and let the customer completely own these areas as they wish. This ensures that they remain in complete autonomous internal control of who accesses what, views data, etc.,” says Gold. Issuing identification to a new employee begins before the employee’s first day on the job. “When a new employee arrives, all the basic access should be there. All systems should be labeled for one credential and should be propagated,” says Pattinson. “You’re provisioning the person into the system from day one.” Preparing for that employee involves making sure that he is who he says he is, and this requires diligent effort before the person is put into the system. “Vetting is the key to the kingdom,” says Pattinson. Administrators of the identity system usually determine who accesses which applications within an organization. Many vendors provide solutions to make this process easier, through products such as Active Directory,

LDAP and dedicated ID management solutions. As a user gets into higher levels of access within a corporation, more authorization and verification is necessary, says Pattinson. Access levels can also be set for pre-determined periods of time. “Once the individual is using the credential, there is post-issuance lifecycle support for functions that handle lost cards/devices, forgotten PINs, PIN changes, remote delivery and activation or onsite bureau printing and programming to offload traditional help desk functions into a secure self-service model,” says Gold. Companies are beginning to explore different types of applications that can be added to a person’s identity badge. Functions such as time and attendance, transit ticketing and payment, parking and garage access, and cafeteria privileges are just a few of the applications being added to credentials. Going mobile The mobile device is also playing more of a role in identification and corporations are trying to figure out how to handle it. Enabling IDs on a mobile is a new area that many are still trying to figure out. Mobile identification is “getting increasingly interesting, but it’s not simple,” says Nichols. “Apple has this great ad where I can buy a Starbucks coffee (by waving my phone), but an ID has to be protected differently.” Identification using a mobile device is complex and requires careful consideration, says Nichols. How will photo ID be managed? How will lost, stolen and voluntarily upgraded handsets to be managed within the identity management environments?


“Are we going to allow two credentials, one physical and one digital?” asks Nichols. “What complication does that have?” As NFC phones become more prominent, companies will certainly look more into mobile as an identification tool. But Nichols cautions organizations to evaluate “the complete ecosystem when defining when and where identification can be provisioned onto the phone.” Organizations need to be sure that an ID on a phone can’t be easily cloned, compromising physical and logical security. “Be aware … pay attention (to mobile),” says Nichols, “but if you’re making a decision right now, don’t base it solely on NFC.” Shifting priorities As ID management has evolved, the systems now center on the individual rather than the application. Instead of protecting the array of disparate applications via dedicated processes, a focus on authenticating the individual has enabled a more centralized and cohesive approach to security. “Let’s present the same credential and let the system decide whether or not to grant the individual access,” says Pattinson. This convergence of physical and logical adds additional security. “For example, if you use your badge at the door in Denver, you can’t log in California,” says Pattinson. “It combines the physical presence with the logical presence.” In terms of adoption, there’s still a long way to go. Although large organizations and governments are leading the way to ID management, Pattinson says we are still in the early days of converged access and identity management solutions. While the government and companies that deal with sensitive information have hopped on the ID management bandwagon early, other companies are just now implementing these systems. “The take up is slow, but it’s beginning to get to critical mass,” says Pattinson. As companies continue to adopt identification management systems, more self-help options and automated processes will be de-

veloped. “Help desks can cost a lot of money,” says Pattinson. Users will be able to use web portals to perform simple tasks like PIN resetting. Certificate renewal is another process that can be automated “by plugging into a portal and renewing credentials, rather than getting a lot of people involved,” says Pattinson.

Still, pervasive ID management may be further down the road than some might think. “A lot of these solutions are very complex to deploy, requiring large budgets and multi-year timelines. As a result, we will continue to see maturity in ID management applications and their ability to scale, deploy more easily, and include more applications,” says Gold.

Technology for every one Contact Contactless Dual Interface EMV Sticker MicroSD GPR Retail Over the Air

At CPI we provide support globally for all Smart Card, Prepaid and Mobile technology solutions.

Learn more at our website: www.cpicardgroup.com Fall 2011

35


Java Card

vs.

MULTOS

What happened to the smart card OS battle? Once hotly contested, the operating system debate has cooled Jill Jaracz Contributing Editor, AVISIAN Publications Coke vs. Pepsi. Windows vs. Mac. Visa vs. MasterCard. These well-known rivalries are good for consumers because they create healthy competition. For many years, this seemed to be the case for smart card operating systems. The debate and battle was quite heated, but today, there’s little talk about the smart card OS. What happened the OS war? In order to know why the smart card operating system was a hot topic, you need to look at its evolution. The smart card operating system took off in the ‘90s when the memory card underwent a transition. The memory card, a product of the ‘80s transformed when it became feasible to add microprocessors to cards, explains Jean-Louis Carrera, vice president of system development at Gemalto North America. The addition of a microprocessor necessitated an operating system. In the early stages, the OS came from the card’s manufacturer. Each manufacturer had its own proprietary operating system and at times a manufacturer had a different OS for its different card types.

36

Fall 2011

This meant that applications had to be written for the specific card on which it would ultimately be used. For the most part, this resulted in both cards and applications being purchased from the same vendor. This worked out great for vendors but made it difficult for the end issuers. “In the late ‘90s smart cards were controlled by manufacturers who developed native operating systems,” says Anna Fernezian, principle leader and subject matter expert at CSC. “The native operating system made a lot of sense. It constrained the buyer to get cards from some specific suppliers.” The constraints on these operating systems extended to application development as each had to written specifically for a single, predetermined OS. “There was no development on the fly,” says Fernezian, “it was nothing like today’s applications.” As smart card capacity grew, issuers wanted to do more with their cards without waiting on suppliers for application development. A standardized OS was needed.


Two main operating systems emerged to fill the gap: Sun’s Java Card, and MULTOS, an OS developed for the banking community. Then in the late ‘90s, Microsoft jumped into the smart card operating system market with great fanfare surrounding its Smart Card for Windows OS.

MULTOS

The competitive landscape looked very much like the bankcard wars as Visa aligned with the Java Card and MasterCard backed MULTOS. “Smart Card for Windows was a Johnny come lately, a ‘me too’ operating system,” says Fernezian. “As a developer, you prefer having fewer operating systems,” says Fernezian. Having to know fewer OS’s means development of applications becomes easier in terms of structure, commands and responses. “Where am I going to get the biggest bang for my time?” says Fernezian. “You develop to the operating system that’s most widely used.” Over time, Java Card emerged as the system preferred by developers. By 2003 it was clearly the leading OS with 220 million units shipped versus just 8.3 million for MULTOS, according to Frost & Sullivan. The key to Java Card’s victory was its simplicity, familiarity and portability. Developers knew Java, explains Carrera, and the Java Card applet was portable and could be loaded onto different systems. Java Card’s simple structure also made it more acceptable to an industry where technology changes need to get to the market quickly. “Java Card makes time to market much simpler and faster,” says Fernezian. “(Applications) could be delivered in months instead of years.” MULTOS’ predominant use has been in Asia-Pacific and Brazil. “(MULTOS is) an operating system ahead of its time,” says Fernezian, due to PKI being inherent in its development. “It’s more complicated than Java Card, and that scared people away,” she adds. “The MULTOS organization has realized there’s complexity and has tried to simplify in the last five years or so, but Java Card has such a long lead and a huge development community that it’s hard to get (suppliers and vendors) to buy into it now,” says Fernezian. As for Microsoft, it became an also-ran. “Since there wasn’t a lot of progress, Microsoft seemed to lose interest,” says Fernezian. Java Card go-to OS for U.S. government When the federal government’s FIPS 201 specification was first written there was much discussion around smart card operating systems. MULTOS, Java and a file-based system were all discussed. Early on, many were concerned that NIST would ignore the Defense Department’s investment in the Java Card environment and create a specification that was purely for a file system based card.

38

Fall 2011

MULTOS history and timeline 1993 National Westminster Bank or NatWest (UK) develops MULTOS to support the Mondex stored value e-purse scheme 2001 MasterCard International assumes control of Mondex and MULTOS 2006 StepNexus is formed by Hitachi, Keycorp and MasterCard take over control and development of MULTOS 2008 Keycorp (Australia) acquires StepNexus and MULTOS 2008 Gemalto acquires Keycorp’s smart card business including MULTOS and forms Multos International to manage system

FIPS 201 ended up being operating system agnostic, though implementations have all been based on the Java Card OS. There were MULTOS-approved systems when FIPS 201 first came out but agencies have exclusively deployed Java Card, says Neville Pattinson, vice president of government affairs at Gemalto. To date U.S. government agencies have issued more than 4.8 million credentials running the Java Card OS. The aftermath The smart card OS war of the ‘90’s has turned into a more or less peaceful competition. Developers and manufacturers have been able to answer the security, performance and interoperability issues that were so important when the industry took off. “The challenges and the interoperability has been addressed,” says Carrera. The industry has matured to a point where it can focus on usability and applications rather than the underlying platforms. “The operating system has become a commodity,” says Fernezian. “It is so standardized and readily available that they’re not interested in it anymore.”


Become an

IEEE Certified Biometrics Professional

®

Why CBP? The IEEE Certified Biometrics Professional® (CBP) program has two major components: Certification and Training. Professionals and organizations both can benefit from the IEEE CBP program. Key advantages are: ■ Prove

your knowledge

■ Increase ■ Learn

your credibility

a baseline of industry knowledge

■ Train

employees

■ Gain

a competitive advantage

“The IEEE CBP program delivered on its promises. It strengthened some of the areas and aspects of biometrics that are less familiar to me and made me more well-rounded.”

Learn more and register today! www.IEEEBiometricsCertification.org

—Gregory Johnson, CBP, BRTRC


Can strong credentials prevent hacks?

Attack hits 70+ multi-national organizations and government entities It doesn’t seem as though a week goes by without the report of another corporation’s computer network being hacked. Some of the attacks have focused on user’s personal information, specifically the LulzSec hacks of both the Sony intranet that released PlayStation Network user data and the UK’s National Health Service that exposed patient data. In August a massive attack was revealed, dubbed Operation Shady RAT. In the software world, a RAT is a remote access tool that enables a user to administer another computer for afar. McAfee discovered this intrusion, and found it had impacted more than 70 global companies, governments and non-profit organizations during the last 5 years.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” states Dmitri Alperovitch, vice president of Threat Research at McAfee in his report on the attack. “In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.” Intrusion monitoring systems can help spot these types of attacks, but organizations should also shore up security by requiring the use of strong credentials. Operation Shady RAT and many other attacks were initiated by stealing a user’s login information through a

phishing email. If strong credentials or onetime pass codes were in place many of these hacks could have been prevented. What happened? Operation Shady RAT was a standard attack. A spear-phishing email containing malware was sent to an individual with high-level access at has or her company. When the malware reached an un-patched system it initiated a backdoor channel to a Web server that was quickly followed by live intruders jumping on to the infected machine. They then escalated privileges, established new footholds via additional compromised machines and targeted key data.

McAfee identified 71 compromised parties in the following industries - many more may have been impacted:

40

Fall 2011


multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.”

This attack hit 71 organizations in 14 countries, from state and federal government to defense contractors, non-profits and corporations. “After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch states. “Although we will refrain from explicitly identifying most of the victims, describing only their general industry, we feel that naming names is warranted in certain cases, not with the goal of attracting attention to a specific victim organization, but to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a

Nobody knows what happened to the data stolen, but Alperovitch states that it could pose a threat to national security. “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.” McAfee states that the attacks were most likely state sponsored, but did not release what country might have been behind the attacks. The threat to national security is a reason for the National Strategy for Trusted Identities in Cyberspace. An increase in fraud and identity theft poses a risk to national security and is a reason strong identity credentials are necessary, the strategy posits.

“Make sure that everyone coming in as a user has a strong identity,” says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto. “It could be a certificate-based PKI infrastructure or even an OTP which gives you a stronger posture than user names and passwords.” Network vulnerability tools will also be necessary to protect and organization, but making sure only authorized individuals gain access to network information is also a necessity, Wizbowski says. Organizations should use a risk-based approach to determine who has access to what systems. “Where there’s less risk most can use a one-time pass code device or application to gain access,” Wizbowski says. “When there’s privileged access and you’re talking about sensitive information, like people’s compensation, you need stronger authentication. And when it comes to privileged access – a super user or network administrator  – you need to make sure that person has a much stronger ID.” Network administrators, board members and executives all should be required to use strong identity credentials with verified identities, certificates and even a biometric element, Wizbowski says.

Fall 2011

41


White House demands agencies actually use PIV cards OMB memo mandates FIPS 201 compliance for all new systems

When the White House Office of Management and Budget released a memorandum in February mandating that all agencies to start using the FIPS 201 PIV credentials for physical and logical access, it was met with mixed responses. Vendors and consultants cheered. The credentials would finally be used for more than a flash badge and new contracts were in site. Agencies, however, bemoaned another unfunded mandate. Agency sources say it’s 2005 all over again referring to the original HSPD-12 document that mandated credential issuance with no additional budget. Agencies were required to submit plans on how they would implement PIV-enabled systems by the end of March, and all new physical and logical access systems under development following the memo’s release must be PIV-enabled. With more than 4.8 million PIV credentials issued to government employees and contractors, 84% complete, most would assume the IDs were widely used. The not so secret ‘dirty little secret’ is that with few exceptions the credentials are not used for much more than a flash badge. The OMB memorandum, M-11-11, aims to change that. “This will see systems being implemented and FIPS 201, PIV and ICAM taken seriously for the first time,” says Salvatore D’Agostino, CEO at IDmachines. As of early August there were very few agency requests for new physical or logical access systems that would use the PIV. This is likely to change before the end of the fiscal year on Sept. 30, explains D’Agostino. “Between now and then quite a few things will be committed,” he says.

42

Fall 2011


A big question surrounds deployment timelines, says Patrick Hearn, vice president of government and identification markets for North America at Oberthur Technologies. The OMB memo doesn’t specify a deadline for the new systems to be deployed and for some it could take years. “The question is whether OMB will be tolerant of the smaller agencies,” he says.

ported that it had, for the first time, issued credentials to all employees. Sources say the agency has historically been slow to rollout PIV-compliant systems.

due to see some pressure applied. But with no definitive timeline for deployment, it’s hard to say if agencies will feel any real pressure to rollout systems that take advantage of the PIV technology.

With only a handful of agencies using PIV credentials for their intended purposes it’s over-

Penalties for not deploying systems aren’t described in the memo, but in the past agencies failing to meet OMB’s guidance had funding pulled. This was the same threat agencies had when initially rolling out PIV. “OMB M-11-11 implies risk to budget if you don’t comply … it will be interesting to see if it bites anyone,” D’Agostino says. It’s mixed as to whether agencies are prepared to rollout systems that would take advantage of the PIV cards, Hearn says. “Some agencies have prepared and implemented hardware,” he says. Others are at a transition point waiting for further guidance from NIST and additional compliant products from vendors before moving forward, Hearn says. NIST Special Publication 800-73-3 deals with middleware for PIV and there’s an issue because few, if any, systems meet the current specification on the GSA’s approved product list. D’Agostino says deploying systems shouldn’t be difficult for most agencies. The specifications have been out there and products exist. “People understand what PIV and FICAM entail and it’s just a matter of building out the infrastructure,” he says. Using PIV for logical access is increasingly important as hacks on government agencies increase. “Part of the effort is to ensure on the logical access side that agencies use cryptographic algorithms as quickly as possible,” he says. While work is underway in some agencies, some question whether the U.S. Department of Homeland Security, the agency charged with overseeing deployment of systems that would use PIV, is taking the OMB memo seriously. As of June 30 Homeland Security re-

Current status of HSPD-12 HSPD-12 credentials issued as of June 1, 2011 Credentials issued to employees*: 4,151,358 (88%) Credentials issued to contractors: 842,946 (81%) Total credentials issued: 4,994,304 (87%) Background investigations verified/completed as of June 1, 2011 Background investigations completed for employees*: 4,128,415 (87%) Background investigations completed for contractors: 886,137 (85%) Total investigations verified/completed: 5,014,552 (86%) Additional stats 18 federal credential issuance infrastructures are in operation nationwide 59 system integrators 592 products on GSA Approved Products and Services List APL product details: www.fips201.com Agency specific status: www.whitehouse.gov/omb/e-gov/hspd12_reports/ * US Military Personnel are included in Employee Numbers Source: GSA

Fall 2011

43


Keying in to NFC

What will it take to use NFC for physical access? Ryan Clary Contributing Editor, AVISIAN Publications

Since NFC uses the same standard as contactless smart cards, the technology could enable employers to take existing smart ID cards that are used to get into the office and transfer it over to the phone – a process called “card emulation.” Making this a reality, however, is not as easy as it sounds, explains to Jeff Fonseca, director of business development and sales at NXP Semiconductors. “It’s not like you can just take somebody’s badge and put it on a phone and have it just work everywhere,” says Fonseca. “It doesn’t work that way.” The market is split with different companies providing different “flavors” of contactless technologies in different parts of the world. According to Fonseca, this makes interoperability a big hurdle. Agreements need to be in place to replicate card types, cryptography and unique IDs to NFC devices. Credential vendors such as NXP, HID Global, LEGIC and Sony will need to authorize one or more parts of the mobile chain – the NFC chip, the handset, the mobile operator – to enable card emulation. 44

Fall 2011

“You can’t just copy the credentials and (use) a different unique ID … it won’t work,” Fonseca says. “You have to have a commercial agreement with the enterprise to replicate and make those credentials virtual onto the phone.” These obstacles, though relevant, are less daunting for real world physical access systems than for a future globally interoperable vision. Most organizations select a single type of contactless credential to issue to employees. There may also be a preferred mobile operator and handset. Thus it is not a requirement that every flavor of contactless credential be approved for all handsets to have a working solution. Making all this work together will not fall to the issuing organizations. Rather, contactless providers will work with the mobile chain to offer solutions to issuers. In the near term, it is likely that the contactless provider will have one or more approved handsets and/or mobile operators that issuers can opt to deploy. It is likely that the current network of system integrators that provides hardware and cards to issuers will offer these new emulated NFC cards as a future option. To be clear, this work is ongoing and it is true that there are very few NFC-enabled handsets on the market today. But these limitations are temporary, according to Fonseca. “The industry is moving in this direction,” he says, adding that there are significant benefits to justify the switch to mobile.

Photo: HID Global

Say “mobile wallet” and most people think payment – tapping your phone against a reader instead of swiping a card. But the phrase may soon come to encompass not just your credit card, but your entire wallet: loyalty cards, work ID, access credentials and all – and potentially even the keys jingling in your pocket.


Unlike plastic cards, which are static, a mobile phone can be constantly updated with new permissions and apps for changing needs. Because NFC-equipped handsets can be updated dynamically over the air, new credentials can be provisioned without requiring the employee to physically visit company security or human resources. Another benefit is that the phone itself acts as another layer of security, explains Fonseca. For starters, each phone comes with an International Mobile Equipment Identity number. Since the IMEI is unique, it can be used to provide another identity aspect to the credential. The secure element in the phone that stores the credential adds yet another level of security. “You get the added benefits of those two aspects from the phone where you do have more real-time security,” he says. “And more real-time ability to re-commission cards to the phone over the air.” This dynamic nature of the mobile device will enable security postures to change in real time, says Tam Hulusi, senior vice president of strategic innovation and intellectual property for HID Global.

“You can create a lot more powerful use cases of your access control scenario,” Hulusi says. “Dynamically you will be able to add one, two or three factor identification. If the threat level goes up or the context changes, you can change the number of factors accordingly in real time.” HID Global’s iCLASS contactless cards are widely used in physical access and other applications. This fall the company will launch its first iCLASS emulation, enabling contactless credentials to be loaded onto NFC phones, Hulusi says. HID will provide applications to enhance its mobile security offerings, adds Hulusi, including a virtual pin pad on the phone in lieu of traditional wall mounted devices. This will enable companies to provide two-factor authentication and eliminate the need for added hardware.

According to Hulusi, it is similar to accessing information from NFC tags and posters, only in this case the tag is encrypted to ensure only authorized handsets can access the information. So there seems to be plenty of projects on the horizon, but what will we have in the mean time? Fonseca says to expect a transition period during which we’ll be carrying both our phones and smart cards as access devices. “From an enterprise security standpoint, most (issuers) do not yet accept a virtual security credential as the only ID,” Fonseca explains. “There are ways on the phone to tie a photo to the credential, but that part hasn’t been (completely) solved yet, so in the interim you’ll likely have physical cards that are carrying the employee’s credential and photo in case they don’t have a phone. And then eventually the phone becomes the redemption vehicle for everything.”

Hulusi says the company is working on a future architecture in which the NFC chip is embedded in the door lock itself and the handset acts as a reader. In this mode, the standard key/lock relationship is essentially inverted; the key is already in the lock, it just needs the right phone to “turn” it.

Fall 2011

45


RSA breach threatens trust in one-time passcodes Experts affirm technology’s security, viability While there are many one-time passcode devices on the market, RSA’s football-shaped key fobs are most often associated with the technology. In March a well-publicized hack of RSA’s seed code for its SecurID solutions sent shockwaves through the ID community. It led to attacks on the company’s end users, including military contractor Lockheed Martin. RSA has responded to the incidents by expanding its security remediation program. This program offers best practices and further expands two separate options to help assure customers’ confidence: • replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks. • implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting Web-based financial transactions. While RSA has taken steps to ease the burden of the hack, some say it should never have ever happened. This is the position of Kenneth Weiss, developer of the token-based authentication technology that became SecurID 25-years-ago. “When I was running RSA, every few years a well-intentioned member of the executive team would suggest that the secret seeds, which are programmed into every token, be stored on a corporate computer,” he says. “I would have to explain that that was grossly unnecessary and would put us at great risk.” At the time of the March hack, RSA had indeed put the seeds on a network computer and it was breached. “What they’ve done is stupid, arrogant, greedy … those words are really appropriate to the circumstance,” he says. “There was no necessity, ever, to put the secret seeds on a computer that is online,” he 46

Fall 2011

adds. “They did it for internal convenience and put everybody at risk.” The seed is a random binary pattern that is unique to each token, Weiss says. The seed is tied to an algorithm that is used to create a random number that changes every minute. “If you have that seed, you can create a SecurID token,” he says. “You may also need to capture a password, but in a major espionage situation which I think this breach was triggered by, you’ll have the password as well.” Weiss is now the founder of Universal Secure Registry and is developing a solution that combines voice biometrics with one-time passcodes on mobile devices for three factorauthentication. While he says the breach of RSA is unforgivable, it doesn’t affect the security of one-time passcodes. “The SecurID technology has never been breached in 25 years,” he says. “There have been contests where large sums of money were offered to break it, and there’s never been any success. The fault lies with the management of the information, not the technology, Weiss says. He compares it to a bank vault manufacturer who stored the combinations online. “If the combinations were stolen, you wouldn’t say there’s something wrong with the vault. You’d say there’s something wrong with the management of the company that would allow that type of information to be online and not in a secure computer that’s independent of online access,” he says. “That’s what happened with RSA.” RSA is going to have some damage control to undertake and 40 million tokens to replace, says Mark Diodati, a research vice president at Gartner. But, he says, “the death of RSA has been greatly exaggerated.” The underlying technology behind one-time passcodes remains unaffected, he says, noting this is the case for technology from other vendors and RSA tokens issued post-breach. “Tokens are secure as they ever had been,” he says.

Diodati does foresee a switch to other form factors though. In the future employees or customers won’t be issued a token, but instead will download an application to their mobile phone to perform the function that the token did, he says. “OTPs are one solution for the enterprise, smart cards are the other,” Diodati says. “Smart cards are good for organizations that want convergence (a single credential for physical and logical access).” It all depends on what the end user is looking for, Diodati says. For strong authentication on the desktop smart cards may be a better option than one-time passcodes. But for other applications, like remote access or logging into a virtual private network the tokens work just as well. Gartner is working on a roadmap that will walk organizations through whether smart cards or one-time passcodes are a better option. Gemalto has found that there are two distinct groups of users after the RSA breach, says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto. There are those who already wanted to move away from RSA and are using the breach as an excuse and those who say it as a wake up call and are considering a move to stronger authentication. “Some are looking at one-time passcodes with new technology and in the case of companies that have already done OTP they are seeing what’s one step forward,” he says. Gemalto offers the Ezio line of tokens, but organizations are considering smart cards and PIV-I as well, Wizbowski says. “One-time passcodes will still be valid for (a certain) level of risk,” he says. “But when you start getting to more personal and private information we’ll see a move to stronger authentication be it hardware-based, softwarebased or the mobile handset.”


Durability, security, environmental-responsibility, flexibility, IC protection, and printability.

They’re all well within your reach.

Welcome to the world of TeslinÂŽ Substrate. Visit teslin.com for more information.


Feds recommend status quo for online banking New FFIEC guidance falls short on requirements for stronger ID credentials Attacks on financial service providers, like the one that claimed more than 210,000 names and account numbers from Citi Corp., are no longer the exception. Hackers are continuing attacks to gain account information to commit fraud. Businesses and consumers need to be aware of the sites they are accessing, and steadfastly guard user names and passwords. In recent years, financial institutions have taken steps to protect customers but with the recent spate of attacks and new malicious software keeping up is difficult. These problems aren’t new. In 2005 the Federal Financial Institutions Examination Council (FFIEC) released guidance recommending a riskbased approach to online account security, requesting that institutions provide periodic assessments in response to new threats. This led banks to offer different authentication mechanisms. Pictures and images were used to reinforce that a customer was on a legitimate bank Web site; secure browser cookies were required before enabling a login; one-time pass code generators were deployed. A supplement to the guidance was released in June, reinforcing the previous guidance. “Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks,” the supplement states.

FFIEC suggestions for layered-security program controls • Fraud detection and monitoring systems that include customer history and behavior and enable a timely and effective institution response • Dual customer authorization through different access devices

• “Positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account • Enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day • Internet protocol reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities Source: FFIEC

Fall 2011

The FFIEC recognizes the emergence of malware and newer, more sophisticated man-in-the-middle and man-in-the-browser attacks that can circumvent one-time pass code tokens. The report recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices. Corporate accounts remain particularly vulnerable The guidance is focused largely on corporate accounts. “They’re a bit more vulnerable in that money can be moved around more quickly,” says Adam Dolby, director and eBanking manager for the Americas at Gemalto. Corporate accounts also lack the same protections enjoyed by consumer accounts. If a consumer’s account is hacked it’s protected and the money will be returned, but recent lawsuits have not upheld that same protection for corporations. If a corporate customer does something to give up information about the account and funds are stolen, the bank may not be responsible. This is not always the case, however, particularly if the bank has not put into place real and substantive protections. A recent lawsuit found in favor of a corporate account owner who was phished and lost more than half a million dollars, says Kevin Bocek, director of product marketing at IronKey. Though the bank had security measures in place, the court determined it had not met its good faith obligations and found in favor of the customer. Bank reaction up in air

• Out-of-band verification for transactions

48

Many were disappointed that the new guidance didn’t spell out stronger forms of authentication banks should deploy for access to financial accounts. The guidance does establish minimum controls for certain online banking activities, and it identifies controls that are less effective in the current threat environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program. But it is virtually silent on specific recommended methods for strong authentication.

Bocek and Dolby have differing views of how financial institutions will react to the latest FFIEC guidance. Bocek believes banks will show good faith and go beyond the recommendations, but Dolby feels banks will require more prodding before voluntarily increasing security. Banks will see that offering increased security is a differentiator for them, Bocek says. “Business customers are becoming more aware that they are liable and that means they want higher security,” he says. IronKey provides secure browsing via a USB token, one of the technologies specifically cited in the FFIEC recommendations. Its banking product has been available since July 2010 and has drawn a lot of interest from banks, Bocek says.


“Banks have gotten the message by the fraud and by the litigation,” Bocek says. “Compliance isn’t enough … banks are being proactive with security. They are also worried about reputation and that will drive action too.” Because basic compliance is the easiest path, Dolby thinks that is the route most institutions will choose. “Instead of focusing on protecting the customer they look at what they can do to get an examiner off their back,” he says. The FFIEC guidance released in June was supplemental to information released in 2005. Prior to that the FFIEC had released guidance in 2002. The 2005 guidance was stricter than its predecessor because most banks had failed to take action. “The FFIEC was hoping the banks would self regulate,” Dolby says. “If a critical mass moved in the direction of true security, the rest would follow.” That didn’t happen though and instead banks just went the compliance route, Dolby says. If banks don’t move to stronger authentication he predicts that the FFIEC will push for new regulations covering online access to accounts. The problem is banks don’t want to spend money on authentication. “Fraud losses have become an accepted cost of doing business, sort of like bad loans,” Dolby says. And changing existing systems could lead to more problems in the short term. Consumers are used to seeing that picture that tells them they’re at the correct site and changing it may cause problems. “People may think just because something is different it is not safe,” Dolby adds. “Part of the problem is when we rolled out Internet banking we educated people and told them it was safe, protected behind firewalls and secure socket layers,” Dolby says. “And now everyone thinks it’s safe.”

The Gemalto Ezio System lets banks segment their customer base and give each user devices for their specific requirements. For example, business customers and wealthy private clients need one device for use in the office and another, more portable one when they travel. Some need user-friendly, but inexpensive devices, others prefer to use their cellphones, and people with disabilities may need special devices.

As the customer base ages this will change, however, Dolby says. “As the 20 to 30-year-old group become the 30 to 40-year-old group they will demand stronger security,” he says. “You need keys to start your car … you need something stronger to access your online bank account.”

Fall 2011

49


Visa lays out plan for U.S. EMV, NFC

Includes merchant incentives, liability shifts but questions abound Visa Inc. unveiled plans and incentives for U.S. merchants to deploy EMV with an eye toward near field communication, the company announced in August.

Visa will provide additional guidance as part of its bi-annual Business Enhancements Release for acquirer processors to certify that their systems can support EMV contact and contactless chip transactions.

EMV via contact chip, contactless or NFC all use dynamic authentication to reduce a fraudsters ability to use stolen credit card data. The U.S. is one of the only industrialized countries in the world that hasn’t moved to EMV payments.

While waiving PCI might be the carrot for merchants, the stick is a liability shift that would take place in Oct. 2015 for counterfeit card-present POS transactions. At that time if a contact chip card is presented to a merchant that has not deployed EMV-capable hardware, liability for counterfeit fraud may shift to the merchant’s acquirer. Fuel-selling merchants will have till Oct. 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers.

The new terminals must be enabled to support both contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program. Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable. Visa will also require U.S. processors to support merchant acceptance of chip transactions no later than April 2013. Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique.

50

Fall 2011

This liability shift is also intended to encourage issuing banks to begin providing EMV products to cardholders. The benefit of shifted fraud liability should be an asset in the equation as issuers attempt to cost justify EMV migration. Existing contactless upgrades While there are incentives for merchants to make upgrade to contact and contactless EMV, even those with existing terminals that accept one or both of the technologies will have to upgrade the software, says Mark Nelsen, senior business leader in fraud risk products at Visa. Most of the existing contactless terminals and contactless cards use an older specification that is based on magnetic stripe data emulation. These cards will still work, but merchants will have to upgrade terminals in order to accept contactless EMV, Nelsen says. The older contactless cards will still be read when the new software is installed because it is backward compatible. For issuers to benefit from the liability shift,

Photos: Visa

To encourage the transition Visa is doing three things. Effective Oct. 2012, Visa will expand its Technology Innovation Program to the U.S. and eliminate the PCI Data Security Standard requirement for eligible merchants in which at least 75% of the Visa transactions originate from chip-enabled terminals.


Datacard and CD800 are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. Š2011 DataCard Corporation. All rights reserved.


however, they will need to switch from the current contactless payment methods to the new specification for contactless EMV. Visa will offer support to banks for issuance of the new cards, says Mark Nelsen, senior business leader in fraud risk products at Visa. “We have a variety of implementation services to help get issuers set up with personalization tools,” Nelsen says.

An area where issuing banks may have difficulty is authenticating EMV transactions, Nelsen says. When an EMV card transaction is being processed there are a couple of different steps it takes for verification. After the card is inserted into the reader it is typically switched through to VisaNet for validation and then to the issuing bank. Since issuing banks may not be able to handle the additional data that comes with an EMV transaction, Visa provides a complete chip validation and conversion service, relieving issuers of the issues of handling chip data. Visa’s fix will be dropping the additional fields after it verifies the transaction and then sending that data to the issuer. The issuing bank will basically see the same data that’s contained in a mag-stripe transaction and then provide the authentication. There’s no loss in security with this system because Visa validated the EMV transaction before dropping the other fields and sending it to the issuing bank. Cattle prod The announcement from Visa has been met with mixed reaction. “It’s not in itself the be all and end all,” says Dave McKay, technical sales manager at Bell ID. “What it has done is act as a cattle prod. It put a solid foundation that EMV is becoming inevitable.”

UN Credit Union’s EMV program a success It has been one year since the United Nations Federal Credit Union (UNFCU) issued the U.S.’s first EMV payment cards. The anniversary was marked with the release of the financial cooperative’s effectiveness study and some extremely promising findings. The credit union’s analyses demonstrates an increase in member demand, satisfaction and spend during the period October 2010 to February 2011, compared to the previous year: • 153% in card applications • 382% in credit lines booked • 20% for revolving balances • 15% in overall purchases With many of its members residing overseas and frequently traveling internationally, the financial institution recognized a need for a secure and internationally accepted pay-

52

Fall 2011

ment card. In October 2010, the Long Island City-based issuer became the first financial institution in the U.S. to introduce a credit card with the EMV standard. Through the World Traveler program, Gemalto provides UNFCU with an issuance service, including full card design, production and personalization. This program has aided UNFCU in serving members, particularly those located in the field and in extreme situations. For example, UNFCU reissued cards for members after the earthquake in Haiti. In response to members’ positive feedback, UNFCU is slated to launch another EMV credit card product in the first quarter of 2012 and will also expand its EMV functionality to all checking account holders with a new EMV debit card.

Merchants that don’t comply with the new Visa rules will shoulder a heavier burden of fraud expenses while those who do


will get some PCI relief, McKay says. “There will be a ballooning cost for those who don’t comply,” he says. “The sweetener is some relief from PCI compliance.” One or the larger questions looming is what will the other payment brands do in response to the Visa announcement, McKay says. “Most merchants aren’t just accepting Visa so they’re still going to have the cost burden from the other schemes,” he says. That said, it’s likely that American Express and MasterCard will take similar steps, McKay says. The true importance of the Visa announcement is putting some solid dates around a U.S. EMV rollout, McKay says. “It’s not a great paradigm shift but puts some focus on the roadmap and forces the other schemes to come up with their measures,” he adds. Not really a push for EMV? Richard Crone, CEO at Crone Consulting LLC., says the Visa announcement is a move to push merchants toward accepting NFC-enabled payments and not EMV. With very few EMV cards issued in the U.S. there won’t be the opportunity to reduce fraud because customers won’t be using the cards. “Until we get to chip and PIN and see the exponential benefits the merchant is carrying the burden to upgrade the point-of-sale,” he says. Visa is trying to extend its payment infrastructure with the latest move and have merchants pay for it, Crone says. While there may be questions as to the ultimate motivation for the Visa announcement, one thing seems clear. It will almost certainly be a catalyst to expedite change in the U.S. payments infrastructure.

U.S. EMV issuers United Nations Federal Credit Union (New York, N.Y.) May 2010 Numbering 6,000 cardholders, became first financial institution in the U.S. to issue EMV cards because of the large number of members who work and or travel overseas. State Employees’ Credit Union (Raleigh, N.C.) February 2011 Issuing new EMV-enabled debits cards to its 1.7 million members. Chase Card Services (New York, N.Y.) April 2011 Unveiled its JPMorgan Palladium EMV credit card for customers who frequently travel abroad, with other cards receiving the feature within the year. Wells Fargo & Company (San Francisco, Calif.) April 2011 Piloting Visa EMV card to 15,000 consumer credit card customers who travel internationally. U.S. Bank (Minneapolis, Minn.) June 2011 Issuing dual interface card combining Visa contactless PayWave and EMV chip technologies to more than 20,000 cardholders. Andrews Federal Credit Union (Suitland, Md.) August 2011 Issuing EMV credit cards for international travelers with the help of PSCU Financial Services (St. Petersburg, Fla.). Citi (New York, N.Y.) August 2011 Launched Citi Corporate Chip and PIN card, a smart card designed for U.S. corporate cardholders traveling abroad. Star One Credit Union (Sunnyvale, Calif.) August 2011 Beta testing Visa-branded EMV credit cards through financial service provider Jack Henry & Associates. Fall 2011

53


Spoofing biometrics: Research nascent but standards developing A common refrain for those opposed to biometrics is that the identification technology is easy to spoof. It’s widely touted that fingerprint scanners can be fooled by fashioning a simple “gummy finger” from common household products. These attacks were first revealed in the early 2000’s when Japanese and German researchers successfully fooled fingerprint scanners with relative ease. A lot has changed since then as vendors stepped up efforts to ensure validity of presented biometric samples. But at the same time new attacks have been developed forcing vendors to keep ahead of the curve so systems can’t be fooled. “Many vendors are pursuing techniques that minimize the vulnerabilities,” says Stephanie Schuckers, associate professor at Clarkson University who studies biometric spoofing. The attacks on systems vary from the obscure to the overt. As countries started collecting biometric samples from travelers at border crossings, criminals began working to defraud these large, one-to-many fingerprint systems. The difficult thing in fooling these systems is that a border agent is typically present watching an individual provide the biometric sample.

At the other end of the spectrum systems used to protect a door or a computer network are typically unattended, so no one is watching the individual presenting the biometric sample. Though spoofing attacks are not new, standards for likeness detection to spot possible spoofs do not yet exist. The National Institute of Standards and Technology is, however, working with standards making bodies to establish initial approaches. But spoofing is hard to quantify. “If someone successfully spoofs a system we don’t know about the attack,” Schuckers says. “It’s hard to say how much of a threat it really is.” The fingerprint attacks of the past involved making fake fingerprints out of gelatin, silicon, wax or other materials. Either a complete fake finger would be produced or just the fingerprint and then placed over an individual’s actual finger. Some of these attacks are still valid, Schuckers says, though new more invasive ones are emerging. Though hard to imagine, there are cases of individuals undergoing surgery to alter physical features in an attempt to fool biometric systems. In 2009 a 27 year-old Chinese

woman was arrested attempting to illegally gain entry into Japan following a deportation in 2007. The fingerprints of her right hand were surgically switched with those of her left hand in attempt to fool the biometric checks the Japanese government performs on noncitizens entering Japan. She had successfully fooled agents collecting data at the Kansai Airport in 2008 before being caught the following year. She spent around $17,000 for the surgery that was performed in a private home in China. More commonly, individuals have placed thin films over their fingerprints to obscure patterns or make them look like another pattern, says Robert Rowe, chief technology officer at Lumidigm, a fingerprint vendor whose technology includes multi-spectral imaging designed to spot spoofs. Others have purposefully obscured or damaged their fingerprints to prevent detection. How to prevent it There are two routes vendors can take to protect biometrics from spoofing, Schuckers says. One is a software approach that conducts additional analysis on the captured data. The

The Lumidigm Venus fingerprint sensor has anti-spoof capabilities and can detect common spoof materials such as the one shown with this sensor.

54

Fall 2011


other is a hardware fix where additional sensors are placed into the biometric readers to capture additional physical features. The problem with both of these fixes is that additional analysis or hardware adds cost and can diminish system performance, Schuckers explains. “You can put in additional measures that reject spoofed fingers but you have to realize the costs, which can include increased false rejections,” she adds. “You can set up a system where 90% of spoofs would be recognized but you may be dealing with a 5% increase in false reject rates.”

Common approaches to combat spoofing Spoofing is an attempt to defeat a biometric system through the introduction of fake biometric samples. Common spoofs include photos of face or iris, latent fingerprints, artificial fingers, and voice recordings. There are several categories of anti-spoofing approaches commonly used by vendors and users of biometric systems. Attended, supervised sample collection By placing a human watcher at the point of biometric sample collection (e.g. a border control agent at an entry point), spoofing attempts can be made more complicated. In most cases, however, this is an unpractical and cost prohibitive approach. Challenge and response procedures With certain modalities, the specifics of sample can be customized and changed at the collection point. Facial recognition systems can randomly ask for changes in face characteristics (e.g. smile and alter gaze direction). Voice systems can specify the words to be submitted for the sample or the sequence of the words presented. Liveness detection Making sure a biometric sample is from a living, breathing human being is a key tool in the prevention of spoofing. Techniques for liveness detection vary from modality to modality and vendor to vendor. Iris and face vendors look for subtle, often involuntary movements that occur in human samples. There are a number of different approaches fingerprint vendors take to ensure that the biometric is not coming from a plastic mold or other spoof. Some look below the surface of the skin to detect the presence of tissue, veins or other features. Others look for the naturally occurring pulsation, electric conductivity, radio waves, perspiration, heat or other byproducts of live tissue.

56

Fall 2011

Another way to prevent spoofing is requiring multiple forms of identification, Schuckers says. PIN or an ID credential plus a biometric would make it more difficult to spoof a system because all the authentication factors would be needed. Spoofing a single factor would not be sufficient to pass the overall authentication process. Some pattern recognition software would also be able to analyze the fingerprint pattern to determine if it’s fake or has been tampered with, says Rowe. “It’s generally possible to look at a pattern you’re measuring and see that the lines or ridges and valleys aren’t something you would expect in a regular space,” he says. “You’ll see evidence of abrupt transitions, scars and marks that are obscuring patterns.” Keeping up to date with potential spoofs is crucial for biometric vendors. Rowe explains that when Lumidigm hears of a new attack they create software fixes to address it and then download the new code to the sensors. Standards activities NIST posted a special publication on electronic authentication, which lays out the case for authentication over a trusted network. Biometric technology is not included in the publication at least in part because measurable liveness testing is needed, says Elaine Newton, a scientist at NIST. “Biometrics aren’t included in the authentication piece because they aren’t secrets,” she says. Every time an individual touches a surface his or her fingerprint are left behind for someone to potentially replicate and use. In 2008 German hackers published the fingerprints of the German Interior Minister to protest the biometric being placed in electronic passports. This has lead NIST to begin the creation of an international standard for liveness detection, Newton says. “All this is very nascent work,” she says. “There hasn’t been a lot of work done on this.” The lack of standards for liveness detection has held back biometric use in key applications, Newton says. Even though some vendors have addressed liveness testing in their products there still need to be standards so the government or corporation buying the product can use the same measuring stick to make sure the system is protected against spoofing. It’s early in the process with the group just getting through a first working draft for the International Organization for Standardization. The group is working on defining terminology and data formats with additional efforts coming down the road. “What information can be sent in a standard data format for a relying party to know how confident they are that the subject is who they claim to be?” she asks. Addressing this will build a foundation to standardize liveness detection, freeing biometrics from its early days of gummy fingers and spoofing.


Register Today for the 25th Biometric Consortium Conference and Technology Expo! www.biometricconference.com Presented by:

September 27 – 29, 2011 | Tampa Convention Center | Tampa, Florida Sessions and Moderators: Department of Defense: • Mr. John Boyd Director, Defense Biometrics & Forensics, Assistant Secretary of Defense, Research and Engineering • Dr. Thomas Killion Director, Biometrics Management Agency (BIMA) System Integrator Industry Panel: • Ms. Barbara Humpton Vice President, Booz Allen Hamilton IEEE Biometrics, Identity & Security (BIdS) Research Showcase: • Dr. Stephanie Schuckers Associate Professor, Department of Electrical Engineering and Computer Engineering, Clarkson University • Dr. Michael Schuckers Associate Professor of Statistics and Director of the Quantitative Resource Center, St. Lawrence University

Standards: • Mr. Fernando Podio Co-Chair, Biometric Consortium, Computer Security Division (CSD), National Institute of Standards and Technology Information Technology Laboratory (NIST/ITL) International: • Dr. Raul Sanchez-Reillo Associate Professor, Manager of the University Group for Identification Technologies, Carlos III University of Madrid, Spain • Dr. Young-Bin Kwon Professor, Chung-Ang University, Seoul, South Korea National Institute of Standards and Technology: • Mr. Michael D. Garris Image Group Leader, Information Access Division (IAD), National Institute of Standards and Technology / Information Technology Laboratory (NIST/ITL) Department of Homeland Security: • Ms. Patricia Wolfhope Biometrics Transition Program Manager, Department of Homeland Security (DHS)

Register today and join nearly 2,000 participants, including: • 100+ speakers • 60 Federal, State & local agencies • 25 Universities • Biometric Industry, System Integrators & Users Two and one half day program: • Three track sessions • Panel discussions w/Q&A • Workshops 60,000 sq ft Biometric Technology Expo • 80+ technology exhibitors/demonstrations

Special Rapid DNA: • Dr. Thomas Callaghan Senior Biometric Scientist, Federal Bureau of Investigation (FBI) Laboratory Face Technology: • Dr. Richard Vorder Bruegge Senior Photographic Technologist, Federal Bureau of Investigation (FBI) Science and Technology Branch Iris Technology: • Dr. James R. Matey Research Professor, United States Naval Academy Biometrics as a Service • Ms. Cathy Tilton Vice President, Standards & Technology, Daon Department of Justice: • Mr. James Loudermilk Senior Level Technologist, Federal Bureau of Investigation (FBI), Science and Technology Branch Department of Transportation • Mr. William Baron Program Manager, US Department of Transportation Volpe Center

Keynote Speakers: Dr. Ernest Reith Associate Executive Assistant Director Federal Bureau of Investigation (FBI), Science and Technology Branch Mr. Robert Mocny Director Department of Homeland Security (DHS), US-VISIT MG Douglas P. Anson, USAR Deputy Director J-3, U.S. Special Operations Command

Supported by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), the Biometric Consortium Conference is focused on Biometric Technologies for Defense, Homeland Security, Identity Management, Border Crossing and Electronic Commerce.

Exhibit and Sponsorship Opportunities Available. Visit www.biometricconference.com for details. Exhibitor contact: J. Spargo & Associates, Inc. 800-564-4220 or 703-631-6200, biometrics@jspargo.com Patron/Sponsor contact: Julie Lama/AFCEA International 800-336-4583 or 703-631-6174, jlama@afcea.org Conference contact: Dick Bailey/BAE Systems 301-738-5126, richard.bailey@baesystems.com


Tech 101: Digital certificates secure the Web With so much business conducted online and via email, parties to a transaction have frequently never met face to face. Whether you’re signing a multi-million dollar contract or purchasing a $50 pair of shoes, it’s important to be able to trust that the entity on the other end of the transaction is who it claims to be.

To be able to perform these processes you need to have a digital signature, an encrypted piece of data that’s tied to one person and can’t be forged. When a user attaches his digital signature to an electronic document, the recipient can verify the origin of the data and know that the data hasn’t been altered in any way without the originator’s knowledge.

Companies today need higher levels of assurance when it comes to transaction integrity. That’s where digital certificates excel. These electronic documents are encrypted forms of identity that assure the involved parties that the holder of the certificate is who he says he is. “Digital certificates are the mechanism for enabling trust in cyberspace,” says Bryan Ichikawa, vice president of identity solutions at Unisys Corp.

This is where the digital certificate comes in. “The digital certificate contains information about me,” says Ichikawa. This information includes your name, company, who issued the certificate and cryptographic information. “It verifies transactions going forward and verifies identity going backwards,” says Ichikawa.

This is the simple explanation. To understand digital certificates, first you have to understand Public Key Infrastructure (PKI). PKI enables paper-based processes to be performed electronically using encryption to improve speed and efficiency. “It’s a set of policies and protocol standards used to encrypt and sign a document,” says Michael Lin, senior director of product management at Symantec.

58

Fall 2011

Companies that handle e-commerce, sensitive personal information and have a Web presence need to prove their sites are secure. “This is important because as a consumer, when you see the lock icon (an indicator of a certificate-enabled site), you know it’s secure,” says Lin. The digital certificate also tells consumers your Web site is the authentic representation of your company. The most common uses of digital certificates are in e-commerce and online banking, but

a certificate can also work through e-mail. “Somewhere inside (a computer) a digital certificate that sits in the background. When I want to sign an e-mail, (the email client) goes out and gets the keys, encrypts the e-mail and sends it off,” explains Ichikawa. The encryption process doesn’t mean that the certificate turns your e-mail into a coded message that no one can read. “It’s open encryption in a way that people can still read it … it’s not to make things secret,” says Ichikawa. Rather certificates are used to verify the authenticity of a site or sender. How it works Procuring a digital certificate requires the assistance of a certificate authority, an authentication services provider, explains Lin. The organization wanting the digital certificate generates a certificate-signing request. The request contains basic information about a company, location and server. Organizations also need to generate a private key off of servers that can encrypt and decrypt transactions. “This is the key to being able to do an SSL transaction,” says Lin.


The certificate authority then uses the signing request to create a digital certificate. The certificate comes in the form of software that a company installs on its server. A company needs separate digital certificates for each server and domain name, says Lin. For a large enterprise, this could mean the need for thousands of digital certificates. The need for so many certificates can be a deterrent certificate adoption. However, companies trying to procure cheap certificates should carefully investigate the certificate authority providing them. “Not all digital certificates are created equal,” says Ichikawa. Some authorities will issue certificates just on a name while others make a company prove its existence. Cost can be an indicator of how well the certificate will be trusted. “In order to do it correctly, it costs money,” says Ichikawa. “The cost depends on how trustworthy it may be and who it’s trusted by … Your company? The U.S. government?” Once a company receives its digital certificates, it must continue to manage them

throughout their lifespan. Many companies handle management in house, either with IT security person or a Web administrator. When the certificate expires, within a set length of time determined at the initial certificate purchase, the company buys a new one. The certificate authority then sends new software with a new certificate that the company installs on its server. “Symantec’s (digital certificates) are good for one to four years,” says Lin. The length of time a certificate is valid depends on three customer variables: price, how often the customer is willing to update its certificate and security. The longer a digital certificate is on a server, the more prone it is to “stale keys,” Lin says. “You wouldn’t want a digital certificate out there for 10-years because those keys deprecate over time,” says Lin. Certificate authorities maintain the integrity of their certificates through encryption algorithms. “They are the backbone to keep everything safe,” says Lin.

The industry works hard to stay ahead of hackers by coming up with new algorithms, Lin says. But, he stresses, not all security authorities are as stringent with their infrastructure, which can lead to security compromises within the digital certificate. “As computing strength increases, it becomes deprecated,” says Lin, adding that every five years or so, his company moves on to the next algorithm to stay ahead of hackers. As the next generation of algorithms is developed, some companies are finding new ways to use digital certificates by attaching them to devices. One example is in the cable television industry, where some companies are putting digital certificates on cable boxes. “It’s not encryption, but it identifies the box. It authenticates a device to a network,” says Lin. Companies migrating toward the cloud also need digital certificates. “It helps them offload infrastructure and applications become more ubiquitous,” says Ichikawa. But it increases the need to positively identify the people who try to access these applications, and he says, “stronger identification means using digital certificates.”

Become a Certified Smart Card Industry Professional About CSCIP Professionals now have the opportunity to increase their industry knowledge, sharpen their professional skills, and take charge of their personal professional development. A CSCIP certification means you have passed a rigorous, comprehensive smart card technology and applied business applications education program and gained recognition as a certified smart card industry professional.

Join LEAP and make the SMART career move LEAP is an individual membership option offered by the Smart Card Alliance that offers exclusive industry knowledge, professional networking, and access to the only accreditation program (CSCIP) available for smart card industry professionals. LEAP is available to everyone, with special discounts offered to Alliance members. For more information, visit http://www.smartcardalliance.org/pages/activities-leap.

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. http://www.smartcardalliance.org.

Next test dates NOVEMBER 4, 2011 Washington, DC NOVEMBER 16, 2011 Paris, FRANCE Visit the LEAP web site for future exam locations and dates in 2011 and 2012.

Fall 2011

59


MOBILE, LOCAL, SOCIAL …

Modern market trends drive Google to NFC “We are committed to NFC at Google.” That is what the company’s Vice President of Payments Osama Bedier, told an audience of bankers and mobile operators in London on a summer afternoon. Less than a month following the announcement of Google Wallet and Google Offers, Bedier was nothing short of a rock star at the NFC Payments Europe event. It was, in a strange way, both encouraging and pitiful to see the banks and mobile operators laud the Google announcement. 60

Fall 2011

He was praised for his insistence on openness, interoperability and the ‘help us, help you’ nature of the offering. To the side, however, the same proponents expressed concern. • “(Google) doesn’t understand the complexities of the ecosystem.” • “They just want our customer purchasing data.” • “They want to control it all, just like Google … oh wait, they are Google.”

Bedier says he is surprised by all the attention paid to the announcement from consumer media outlets. It was made at a B2B event designed to spur on the ecosystem by attracting more partners, he explains. But this surprise, while ingratiating, cannot be totally genuine. He came to Google via Paypal, so this is not his first foray into disruptive payment technologies. He has riled the banks before.

Photos: Google & Joe Schildhorn/Billy Farrell Agency

Chris Corum Executive Editor, AVISIAN Publications


Certainly he would have had some inkling that the words Google, near field communication and payments in a single press release would garner attention … even on Bing.

But why payments, and why now? Bedier harkens back to the earliest days of the Web when the discussion focused on whether it could progress beyond brochure-ware, pretty pictures and animated gifs. Most were unsure, but in the latter half of the 90’s e-commerce was born and early payment gateways emerged. Fast-forward fifteen years and Goldman Sachs reports the global e-commerce market approaching $700 billion with 30% coming from the U.S. Still, while impressive, e-commerce only accounts for 8% of total commerce in the U.S. and a meager 2% globally. Is Google really that important in the physical world? So much so that leaders from the largest communications and payment companies would treat Google’s payment guru like a celebrity?

But why now for Google Wallet? ‘Now’ sees the convergence of three massive, society-altering trends that are reshaping modern markets. Mobile, local, and social. These three qualities are the very definition of ultra-modern society. And while these concepts are not unique to Bedier and Google, they fit them like a perfectly tuned search algorithm. Mobile: The world is mobile and Google is in an ideal situation to see this. Their fastest growing area of the core search business is mobile search. Their mobile operating system, Android, has literally exploded taking the leadership position in market share in just three years. During a recent earnings call, Google CEO Larry Page reported that 550,000 new Android-enabled devices are activated every day. Local: Check-in services are the new norm for tens of millions of avid users and virtually all sophisticated apps now include some level of locationbased functionality.

Perhaps the real power of Google lies not in what it ‘sells online’ but in what it ‘sells.’ A Pew Research Center study found that 60% of consumers research at least some purchases online before they go to the physical world to buy.

Social: Research suggests that individuals are twenty times more likely to consummate a purchase if friends have recommended the product. The definition of the modern Web is its interconnectedness, its socialness.

If this is true, Google is a big fish in a proportionately small e-commerce pond, but it is also a big fish in the huge physical commerce pond.

So these overriding trends – mobile, local, social – fit right into Google’s sweet spot. This, explains Bedier, is why the time is right for Google and NFC.

Think of it another way. If the Web influences the purchasing decisions of six out of 10 consumers, Google likely plays to some degree in five of ten consumer’s buying patterns. If the company could add the actual payment to their payment influence, you’d have an evolution and revolution.

Not without critics While the U.K. audience applauds Bedier’s presentation, most would rather he’d just go away. It is reminiscent of the mid-90s in the smart card industry when Microsoft decided to throw its hat into the smart card operating system battle. In the early years, the OS was proprietary to the card manufacturer. Gemplus had PCOS. Schlumberger had OPUS. A drive for crossmanufacturer, standardized options was underway with MULTOS and Java Card emerging. Then came the announcement from Redmond that Microsoft planned to do for the smart card what it had done for the personal computer. Again a rock star was born as the Microsoft exec made the rounds promoting the initiative. Industry leaders lined up to praise him, but most secretly celebrated his exit when Microsoft abandoned the product.

Google’s Osama Bedier fields questions at the Google Wallet launch event

Fall 2011

61


Consumers don’t intellectually separate commerce from e-commerce any longer, but the payment industry still segregates the channels offering different products and complicating the consumer experience. Bedier stresses that to be successful in the modern market, a company needs to serve customers seamlessly online and in person. “Groupon has done a great job of crossing the Web and local worlds,” he says, “connecting the dots through payments.” Groupon enables local, non-internet businesses to cross the digital divide and bring consumers from the virtual world to the physical shop. It is a case study in how Web search, marketing and couponing can impact totally offline businesses.

ward indications from Google suggest that other issuers will be welcomed. “We feel every card should be in that wallet,” says Bedier. Google Offers What is a wallet without coupons and loyalty cards? This may be where Google brings a unique benefit, perhaps even the so-called killer application, to the mobile wallet. What will Google Offers offer? • Daily deals that leverage the handset for distribution rather than relying solely on email like prior Groupon-style offerings. • Location-based, check-in promotions enable users to tap on arrival and start an in-store dialog with merchants. • Place-centric offers driven via search enable special deals to influence consumer choice. • Merchant loyalty and rewards.

What is Google offering? Google Wallet There have been numerous approaches and technologies around the rather ubiquitous concept of the mobile wallet. But when it comes to actually making the handset function as a wallet, Google likes near field communications. “We bet big on NFC phones,” explains Bedier. “We believe it is at the very early days of its evolution.” Mobile payment is just one application in a mobile wallet, but it is a crucial one. Initially, Google will support two payment types with Wallet – its own prepaid card and Citi-issued MasterCard credit cards that support PayPass contactless technology.

In the near term, the functionality will require manual input or barcode scanning at most merchant locations. As merchants modify their point of sale infrastructure to support it in an integrated manner, NFC data will replace keystrokes, visual inspection and barcodes. Single Tap experience Ultimately, the seamless integration of payments, coupons, loyalty and marketing promotions is the goal. With Single Tap, Google hopes to integrate these functions together such that a single tap at the point-of-sale consummates the range of services, vastly improving the customer experience.

“We started with our own Google Card so every phone would have a payment instrument,” says Bedier. The Google Prepaid Card is purely virtual MasterCard product, so no physical card is issued. It is powered by Money Network from First Data and issued ultimately by Metabank. The account is FDIC-insured and funds can be added using any existing credit card.

“Goodbye Wallet. The phone will take it from here.”

The Citi tie-in enables cardholders to have their Citi MasterCard credit card added to the Google Wallet assuming the account is eligible for PayPass. Though Citi is billed as the “lead bank” for the launch, all out-

“I believe we are on the verge of changing more than a century of payment and shopping behavior,” he says.

That was the concluding tagline from the not-surprisingly polished video Bedier showed the European bankers. It was a typical day-inthe-life piece in which a group of individuals interacted with the new functionality in compelling ways.

Comments like this had to leave some of the more cynical in the bunch mentally altering the video tagline, substituting ‘Bank’ for ‘Wallet’ and ‘Google’ for ‘phone.’ “Goodbye Bank. Google will take if from here.” But he seemed genuinely excited and desirous of collaboration. “This is an open invitation for you to partner with us to create an ecosystem that benefits consumers and merchants,” he said. “Open is who we are at Google.” The invitation worked. People line up to slip a business card into his hand. Whether they are attracted by the opportunity to share in the creation of an ecosystem or by his casual comment about “leveraging the 600 million active consumers” is tough to say.

62

Fall 2011


PIV, PIV-I and FIPS 201 approved products Research detailed product listings and compare different vendor offerings online at FIPS201.com, the most robust source for FIPS201, HSPD-12, ISO 24727, PIV and PIV-I products and services. Recently approved products Caching Status Proxy Quintron AccessNsite HSPD-12 Plug-in Symantec Corporation

Electromagnetically Opaque Sleeve ShieldID II Badge Holder Desco Industries, Inc /Menda ID Smart Card Holder West TX Lighthouse for the Blind

Facial Image Capturing Station (Physical) PreFace SDK with Canon EOS Rebel T3 Aware, Inc.

OCSP Responder ADSS Server Ascertia Limited

PIV Card SafesITe FIPS 201 w/ HID Prox Card (version GCX4M2569422) Gemalto SafesITe FIPS 201 w/ HID Prox Card (version GCX4-A1026517) Gemalto ID-One PIV (Type A) Large D (version 2.3.2-a) Oberthur Technologies Protiva PIV v1.55 on TOP WM Gemalto

Ready to explore compliant credentialing for your enterprise? FIPS201.com is the best place to learn about the array of products certified by the US federal government for PIV and PIV-I use. Heralded as the future of standards-based identity systems, PIV-I solutions are launching or being evaluated by corporations, first responder groups, campuses, hospitals and other organizations where security is key and standardsbased solutions are embraced. Begin your investigation at FIPS201.com to find the latest project news, access documents and presentations from pioneering organizations, and evaluate products ‌ from cards and readers to biometrics and cryptographic elements.

Protiva PIV v1.55 on TOP DM Gemalto

FIPS201.com

Protiva PIV v1.55 on TOP DL Gemalto

the premiere resource for compliant credentialing

Single Fingerprint Capture Device BioMini Plus (OEM SFU500 & fingerprint sensing module OH) Suprema, Inc.

an

id technology resource

DSV3 Datastrip, Inc.

Transparent Card Reader GSR202 Smart Card Access Reader ATEN Technology, Inc DBA IOGEAR O2 Micro Integrated Smart Card Reader Fujitsu America, Inc.

Get your FIPS 201 Approved Product listed on FIPS201.com customizing photos, links, brochures, contact information, and more. Contact info@fips201.com for more information. Contact:

Ryan Kline 850-391-2273 ryan@avisian.com info@fips201.com

visit FIPS201.com to research and compare approved products


Open, free and experience I watched a film on the Documentary Channel called Festival Express that chronicled a series of rock festivals held across Canada in the summer of 1969. It was less about the concerts than the train trip as Janis Joplin, the Grateful Dead, the Band and dozens of other 60s rock groups bounced from cabin to cabin talking and playing music. The terms open, free and experience were used only slightly more on that train than in the Google Wallet presentation. Perhaps the biggest gasp in the room occurred when someone challenged Bedier’s passing comment that this all would be free. He took a bit more time explaining that indeed Google did not intend to charge users or merchants for payment transactions or the Google Offers functionality. Could this be real? Payments without fees? Well kind of. Google has stated it will not charge additional fees, but merchants will still pay the same transaction fees that would be incurred for other card-based payments. Merchants with PayPass-capable point of sale terminals should be ready to accept Wallet payment transactions out of the gate, but the integrated functionality of Offers and Single Tap will require specialized software and perhaps hardware. It is not yet clear what charges will be applicable for such upgrades. Google has also stated it does not intend to charge consumers for the Wallet application, and it is foregoing load fees for the Google Prepaid Card at least until the end of 2011. Bedier stresses that the wallet would be open and that a user woill be able to add all cards of his or her choosing in the same way they do

with a leather wallet. Of course, as other cards are added those issuers and the payment networks would access their normal fees. Though it is unclear what will be required for issuers to have their payment cards included, supporting contactless payments is a likely first step. Banks that already issue PayPass cards will almost certainly have a leg up when considering, or being considered, for Google Wallet. Bedier describes free ‘Object Issuing APIs’ to enable anyone to create wallet objects and he stresses that they have no plans to charge for space on the secure element. ‘Offer Clipping APIs’ will enable any merchant to create coupons and customer loyalty campaigns at no cost. A business model hiding in there somewhere Though Google may be the only company in the world that could actually afford to do this and not make money, there has to be a business model hidden behind all that free and open. Is it the land grab mentality from the early dotcom era? Get the customers hooked and figure out how to monetize them later? Or is it tied to the company’s core ad business? Bedier says this is certainly a big part of the opportunity, providing a way for the company to extend its online and search-enabled ads into the new world dominated by mobile, local and social. But to Bedier it is not being in both the online and physical worlds that is key. It is moving seamlessly, stealthily between the two … in and out as if there were no separation. Where Groupon connected the dots between physical and online, Bedier wants to erase the dots. He talks about the future retail experience like a kid describing a new game console. Imagine when any offer you see online can be instantly added to your phone with a quick tap. If you choose, these offers can even be pushed to you based on your preferences and current location. Enter your local grocery store and receive a reminder of your frequently purchased items, your shopping list and a series of special offers on items you might enjoy. He says that eventually the actual items will be tagged with NFC chips rather than bar codes. Tap them as you fill your cart and then tap the phone on the payment terminal as you exit the store. No more lines. Even in this idyllic discussion, he can’t avoid one more inadvertent nose tweak to another audience subset. He circles back correcting himself, explaining that you won’t even need to tap at the payment terminal because the phone will be the POS too. “The consumer holds the payment tool and the terminal,” he laughs. “POS today is an artifact of the old way. Smart phones are more capable.”

Bedier demonstrates a vending transaction using a Nexus S handset and Google Wallet 64

Fall 2011

The conference moderator reminds him, only half-jokingly, that a number of POS terminal manufacturers are also in the room. He grins. “That comment wasn’t for them.”


New HID readers, credentials enable identity across platforms Cards, keyfobs, smart phones available with iCLASS SE A new line of readers and credentials from HID Global makes technology-independent digital keys and portable identity credentials a reality for access control markets. The iCLASS Secure Identity ObjectEnabled platform (iCLASS SE) enables credentials to be deployed on smart phones, contactless smart cards, contact chip cards, USB tokens and other devices. This is an evolution in security technology, says Brad Jarvis, vice president of product marketing at HID Global. Twenty-years ago proximity technology was the de facto standard for physical access and then the last decade saw the rise of contactless smart cards. “The emergence of smart card technology expanded the security, usability and capabilities of the cards but it was still difficult,” Jarvis says. “You had to have the knowledge of how to put more than one application on a card and the cards were chip dependent.” This new line aims to take the Secure Identity Object and place it anywhere. “Make it independent of the silicon,” Jarvis explains. “An identity object can sit on any card technology … it doesn’t even have to be a card, it could be on a mobile device and be communicated via an NFC reader.” The SE platform is based on open standards to support an array of smart card technologies, including iCLASS, MIFARE, DESFire, EV1, Indala and others.

HID Global’s next generation platform 13.56 MHz smart cards and readers include: iCLASS SE Readers: • Feature multi-layered security with a tamper-proof design using EAL5+-certified secure element hardware to protect keys and cryptographic operations for additional data security. The fieldprogrammable readers also feature energy-efficient intelligent power management and use recycled content to help build LEED credits. • Available in two configurations: iCLASS SE Readers and multiCLASS SE Readers that enable seamless migration by supporting multiple credential technologies including 125 kHz HID Prox, Indala, AWID and EM4102. iCLASS SE Cards: • iCLASS SE Cards: available in 2k-bit, 16k-bit or 32k-bit versions. Users can add a magnetic stripe/bar code and anti-counterfeiting features including custom artwork and photo IDs. • iCLASS SE Clamshell Cards: feature an ABS shell construction for durability in harsh environments. • MIFARE SE Cards: use mutual authentication and data encryption with a 32-bit serial number, and feature securely separated sectors to allow complex applications and future expansion. • MIFARE DESFire SE Cards: available in PVC and Composite PET/PVC construction, they can accept an embedded contact chips for logical access and biometric ID systems.

Secure Identity Objects operate within HID’s Trusted Identity Platform (TIP) framework, which creates a secure and trusted boundary for cryptographic key delivery in access-control applications. The TIP framework ensures that portable credentials can be securely provisioned on credential platforms, including mobile devices, no matter where users are located or how they are connected. Secure Identity Objects also ensure data authenticity and privacy. Data cloning is prevented by binding information to a specific credential for additional authentication and encryption on top of device-specific security. Such features enable the iCLASS SE platform to improve security in traditional card and reader applications while enabling new market opportunities for carrying secure portable credentials on smart phones and other devices. The new line also has some sustainability features that promote “green” efforts, Jarvis says. The readers have a power management features that limits energy consumption during non-peak usage times. “This can save up to 75% of energy consumption over standard readers,” he says, adding that the device can help contribute to LEED certification.

Fall 2011

65


Review: Starbucks payment app Not NFC, hard to register but easy to use Zack Martin Editor, AVISIAN Publications Not a day goes by where there isn’t some news about near field communication and mobile payments. People are expecting big things from Google Wallet and ISIS, but with limited rollouts and handsets NFC simply isn’t available to most of us. Contrast that with the Starbucks Mobile Card application for iOS, Android and Blackberry. Since Sept. 2009, smart phone users have been able to download the app, load a prepaid card and then use the handset to make purchases at Starbucks. In addition to payment, it also tracks the customer loyalty program, basically a high-tech punch card that rewards caffeine junkies for frequent purchases. Customers activate the application when they’re in line. A bar code appears on the handset’s screen, and the user scans that into the point of sale device. The purchase is deducted from the stored value account and a credit is given to the loyalty program. In the store the app works very well. Just hold your phone’s screen to the scanner and wait for the beep. The application seems to be popular, at least according to my local Starbucks’ barista. He tells me that about a third of the store’s customers use the application. These applications are a way for retailers to offer new payment types without having to deploy any new point-of-sale infrastructure. Starbucks already had bar code scanners in place. And because the app uses the company’s existing stored value card as the payment account, they reuse that infrastructure and earn money on the float (not the float atop the cappuccino but the unspent value sitting in all those accounts). Starbucks also saves money on payment card transaction fees. Instead of having to pay interchange on every $4 coffee purchased, Starbucks only pays when the card is reloaded. 66

Fall 2011

Some payment card analysts suggest these types of payment applications may win the mobile payment battle, as merchants prefer them because they don’t have to invest in new infrastructure. Personally, I’m not so sure. I don’t know if I want a separate app for each of the stores I frequently visit. As for the Starbucks app, it’s easy to use but signing up for it and figuring out registration and reloading wasn’t as easy or intuitive as I would have liked. First you have to go to Starbucks.com to create an account, that part is easy enough despite the fact that they want a minimum six-character password with a capitalized letter and a number – tough enough to rekey at the desktop but ultra challenging on a smart phone. But in order to set up the mobile app I had to have a Starbucks stored value card. I couldn’t just set up the app and use my debit card to fund it. Since I didn’t have a Starbucks stored value card, I had to send myself an online, virtual card. After waiting for that email to arrive I clicked on the link to have it associated with my mobile app. All these steps to get registered were frustrating. For my first use of the app, I was purchased some coffee beans as well as a drink, which just about wiped out the $20 in funds I had loaded. I couldn’t figure out how to do a reload from the mobile app so I had to wait until I got home to search Starbucks.com. This should be available on the mobile app. I suspect they opted against it to deter fraud, but it sure would be convenient. For other retailers considering this type of app, please make sure the registration process is simple and don’t challenge me to reload my account. Even with these assurances, however, I doubt I’d go through such involved steps again for a payment application that I can only use at a single merchant.


Dynamic Duo The New AOptix InSight ÂŽ Duo Combines the Performance of Iris and the Utility of Face

The AOptix InSight Duo is the first and only system to simultaneously capture both an ISO / ICAO compliant face image and one or two ISO-standard iris images. The fast, automatic, non-contact capture takes mere seconds and is effortless for subjects, and if present, operators. Bringing seamless multi-modality and potential for biometric fusion, InSight Duo heralds a new era in conclusive authentication for identity-dependent applications including aviation security, expedited passenger processing, transportation, and border security.

See InSight Duo at BCC in Tampa FL, September 27- 29, Booth #523 or visit us online at www.aoptix.com/iris-recognition Š 2011 AOptix Technologies

T. 408.558.3300


Now, the future really is wide open. Introducing iCLASS SE™, enabled with the Secure Identity Object (SIO) model.

Learn about SIO. hidglobal.com/sio or scan this with a QR reader

More portable, more flexible, and more secure than ever before. iCLASS SE — the platform that simplifies everything. iCLASS SE protects the integrity of your identities, regardless of the card platform. It’s also amazingly flexible — use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply re-programming it. Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/future-REID

Regarding ID Fall 2011  
Regarding ID Fall 2011  

Regarding ID Magazine features the best editorial insight from across the ID technology landscape.