The same secure chip technology that’s been rolled out in the banking world for ATM and credit card transactions is sweeping across sectors throughout the American economy. These “smart cards” are no longer necessarily cards: the same secure, programmable chips are now embedded in mobile devices, wearables and “Internet of Things”-connected devices. That development prompted the erstwhile Smart Card Alliance, based in Princeton Junction, N.J., to change its name to the Secure Technology Alliance.
The fundamental security advantage of smart cards and other secure technology permutations is that they have built-in features making it much more difficult for a would-be hacker to steal or alter the information stored, says Randy Vanderhoof, executive director of the Secure Technology Alliance. The second major feature is that since the chip has a microprocessor, “It has all the computing power of a laptop or mobile device. It can run applications, it can do calculations, and it can generate unique data as part of a secure transaction,” he says.
For example, when an older magnetic-stripe card is swiped at a payment terminal, the reader in the terminal simply takes in the static numbers off the magnetic stripe and passes that information along, Vanderhoof says. With a chip, the card combines that static data with newly generated information unique to each transaction.
“That way, if someone were able to intercept or read that information through the chip, and tried to re-present that information a second time, the back-end system would detect that was a duplicate transaction and reject it,” he says. “That technology is what makes smart cards effective.”
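The replay rejection described above, sketched as an added example (not code from the article or from any card scheme). It assumes an HMAC-SHA256 tag over the static card number plus a counter, amount and terminal nonce as a stand-in for a real chip cryptogram; the `Card` and `BackEnd` classes, field names and card number are hypothetical.

```python
import hashlib
import hmac
import os

def _encode(pan, counter, amount, nonce):
    # Static data (PAN) plus the per-transaction values the chip adds.
    return "|".join([pan, str(counter), str(amount), nonce.hex()]).encode()

def _mac(key, tx_fields):
    return hmac.new(key, _encode(*tx_fields), hashlib.sha256).hexdigest()

class Card:
    """Chip side (hypothetical): static PAN, secret key, transaction counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def sign(self, amount, terminal_nonce):
        self._counter += 1  # makes every transaction's data unique
        tag = _mac(self._key, (self.pan, self._counter, amount, terminal_nonce))
        return {"pan": self.pan, "counter": self._counter, "amount": amount,
                "nonce": terminal_nonce, "tag": tag}

class BackEnd:
    """Issuer side (hypothetical): card keys and last accepted counter."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last[pan] = key, 0

    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "unknown card"
        expected = _mac(key, (tx["pan"], tx["counter"], tx["amount"], tx["nonce"]))
        if not hmac.compare_digest(expected, tx["tag"]):
            return "bad cryptogram"      # data altered or wrong key
        if tx["counter"] <= self._last[tx["pan"]]:
            return "replay"              # valid tag, but already seen
        self._last[tx["pan"]] = tx["counter"]
        return "approved"

def demo():
    key = os.urandom(32)
    card, issuer = Card("4000001234567899", key), BackEnd()  # constructed PAN
    issuer.enroll(card.pan, key)
    tx = card.sign(1250, os.urandom(8))
    first, replayed = issuer.authorize(tx), issuer.authorize(dict(tx))
    tampered = {**card.sign(1250, os.urandom(8)), "amount": 999999}
    return first, replayed, issuer.authorize(tampered)
```

A magnetic stripe carries only the static card number, so the back end has no counter or tag to tell a captured swipe from a fresh one.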
Smart cards also have the ability to retain biometric information like facial or fingerprint identity, Vanderhoof adds. “When I use my card to access the building, and [the entry gate] wants to read information off the card, it would find there was fingerprint information in that card and have it checked against the original fingerprint in the card, and send the message back to see whether the match was successful,” he says.
Corporate and Healthcare
The corporate market for secure ID badges is by far the largest, Vanderhoof says, having evolved beyond the “weak ID number” cards used 10 or 20 years ago that provided “no way to validate that they were the rightful owner of the card, or even an employee of the company.” He says greater awareness of breaches plus the added liability has created an environment in which major companies “have stepped up their security games” and moved to biometric security like facial or fingerprint recognition.
Hospitals and other healthcare facilities are among the other settings in which Vanderhoof has seen secure technology most frequently and effectively applied. Cards and other secure technology vehicles might be used in a hospital setting to authenticate a patient’s insurance carrier, or even to ensure that the right patient is being matched with the right medical record, Vanderhoof says, reducing medical errors and adding efficiency to the payment process.
“They might use the card to validate that I’m the right person,” he says. “I do need to get that particular medication. When the patient leaves the facility, the invoicing and the adjudication of the medical claim utilizes secure patient information at each service point of the stay to lay an electronic audit trail for submitting an insurance claim to the government or the insurance provider.” The security of the information also protects patient privacy, he adds.
Utilities and Critical Infrastructure
Public utilities and other entities within the federally defined critical infrastructure sector have been prompted to move in the direction of ever-more secure technology due in significant measure to mandates from the Federal Energy Regulatory Commission (FERC) and the North American Electrical Reliability Commission (NERC), says Dave Banegas, information protection specialist with PacifiCorp, based in Portland, Oregon.
Standards for those mandates were first rolled out in 2008-09 and more recently revised in 2014-15 to require utility industries to institute two-factor authentication security, without specifying exactly what those steps needed to be, Banegas says. “You could have PINs, like you use on your ATM cards, or fingerprint, facial or voice recognition,” he says. “All of those are considered two-factor, basically it means something you have with you, and something you know, like a password.”
PacifiCorp decided smart cards with a biometric fingerprint sensor made by Zwipe were its best option, Banegas says. “Every time you go through a building, or gate, you have to authenticate your fingerprint on the card, that’s the first factor. Then you can put the card up to a reader, and if the reader has the access level the person requires, that’s the second factor,” he says. “What that allowed us not to do is change any of our infrastructure, whatsoever.”
Previously, if an employee lost their card, somebody who found it could easily access the building, Banegas says. “The only detection was if somebody didn’t recognize the person and escorted them back out,” he says. “An unauthorized person could come in and do some damage. With fingerprint authentication, if your card were lost, the chances of somebody having the exact same print, it’s very rare.”
PacifiCorp started implementing the system in late 2015 and will need about 1,200 cards over time, Banegas says. The two-factor authentication is in place in the Portland headquarters, where subsidiary Pacific Power is based, as well as a secondary headquarters in Salt Lake City, where subsidiary Rocky Mountain Power is based, which are the two PacifiCorp sites that fall under the critical infrastructure mandate, he says.
“We run an access control system that has the capability to not only know the person by their company ID number and name but also knows the access levels, the places people can get into,” he says. “The systems send information through a secure network to all these readers – at doors, gates and so forth. We can track when people use the card in a certain reader or not, we know what access levels they have and whether or not they can get into secure areas.”
For the time being, PacifiCorp, which provides power to six states, is using the smart cards only for physical security, but Banegas can envision cybersecurity purposes in the future, leveraging technology similar to that of keyless remote entry to an automobile.
Smart cards from Valid Identity Solutions are being used to provide secure electronic benefit transfer for people eligible for the federal Women, Infants, and Children (WIC) nutrition program in seven states and two Native American nations through SoliSYSTEMS.
WIC has traditionally operated on paper vouchers. The application from Valid provides secure authentication of users’ identities, protected with a PIN, says Roque Solis, president and CEO of SoliSYSTEMS. “It allows benefits to be issued electronically but also allows smart cards to make decisions and protect benefits, and address the security aspect,” he says.
Texas, the largest customer of SoliSYSTEMS with 600,000 participants in the WIC program, has not reported any fraud since the state implemented the smart card program a decade ago, Solis says. If a card were compromised, he says, each one has a set of keys unique to that card, so “it’s only that card that is compromised, not the entire system.”
Given the level of security embedded and the power of the microprocessors, cards have been used to store demographic information for each household, including health information such as blood tests and lead count that’s relevant to the state program, Solis says. “It’s both allowing the benefit, and securing it with smart card security, and then at the same time, there’s the portability aspect of it,” he says.
In the university setting, secure chips are being embedded in the ID badges that students carry around to gain access to their dormitories as well as other facilities like cafeterias and libraries, Vanderhoof says. “Universities are storing a digital identifier on those cards,” he says. “As they move about the campus facility, the card again is secure, from the standpoint that you can’t make a duplicate copy of Randy’s ID badge. It’s nearly impossible to alter or copy that information onto a second form of identity.”
George Mason University, with about 33,000 undergraduate students and 5,000 staff distributed across five campuses in northern Virginia, started looking into smart card technology about four or five years ago, says Daniel Anthes, senior manager of information technology, who adds that a few outlier departments had been using some proximity credentials previously.
The university evaluated a few different options before settling on a card technology and system from HID Global that they purchased about three years ago, around the time they also had decided to replace building locks across campus, Anthes says. Given the population of the school and available funding, George Mason has gradually rolled this out and will be completing the deployment this fall, he says.
“Mason has a whole lot of door access, to our data center, residence halls, academic and classroom buildings – and every new install has [received] the multi-tech reader,” he says. Until now, door access points also have accepted the old magnetic stripe cards “so we don’t leave you out” if a student or staff member has not yet received a new badge. “Mason will start replacing readers, leaving out magnetic readers, when we complete our migration and fully utilize the new secure contactless SEOS cards,” he says.
George Mason has been testing the cards on its point-of-sale system in dining operations, and “we’re mostly confident that we’ll be able to migrate to that credential at the cash register this fall, as well,” Anthes says. “We will use it for attendance check-ins at offices; we will use it at the sports and rec centers.” But improving campus security was the major driver for moving to smart cards, Anthes says. “For us, it was a really clean, nice way to jump a few levels of security,” he says, “and get a card that could allow us to not just use it for physical access but also have other things on it that, now we can do this. There were a whole lot of reasons, but security was the primary driver.”
Indiana University in Bloomington started issuing smart cards from Allegion in May 2013 for many of the same reasons, says Jeff Vonderschmidt, manager of systems and development. “The idea was the mag stripe was absolutely, for access control, a pretty insecure technology,” he says. “Primarily, the smart chip is used for access control at this point.”
Indiana chose to purchase a unique encryption key instead of using a standard key from Allegion, Vonderschmidt says, which adds a layer of security in that a hacker’s payoff would be more limited even if they somehow got into the network. “If you spend the time and effort to hack the encryption key for Indiana University, all it’s going to do for you is [provide access to] Indiana University. Whereas if you had the standard Allegion key, who knows where that could apply.”
For the time being, the university will use magnetic stripe and bar codes for other functions like gaining access to the dining hall, tracking attendance, checking out library materials and entry into the student recreation facilities, Vonderschmidt says. “But I’m sure in the future, as the technology becomes cheaper, [smart cards] will be used for financial [transactions], as well,” he says.