Most buildings today are secured using 125 KHz proximity card technology, a technology that was invented several decades ago to track animals. While the basic technology has not changed much, the world around us has. The people that threaten our companies have more information and better tools. ID cards have changed from largely visual identification credentials to electronic keys to a variety of buildings and systems.
Using an ID card to log in to a computer, punch in to a time-and-attendance system or access a medical record increases the security of those applications. But it also introduces a new set of risks. Let’s review the risks in today’s card ID world, along with some of the latest technologies introduced to mitigate them.
Cloning the Printed Image
Within a five-square-mile area of most industrial neighborhoods, there are dozens of card printers and the software to drive them. Add to that the card service bureaus available on the Internet, and it should be clear that while the scarcity of badge production tools may once have added a layer of security to our facilities, that edge is long since gone. In fact, anyone with a copy of PowerPoint, an inkjet printer, and a sheet of clear overhead transparency film can make a badge that will fool the casual observer.
Making matters worse is many companies’ lack of effort in designing their cards. Solid color boxes, Arial type, and a small employee photo make a badge not only dull, but hard to verify and easy to copy.
Optical Security Features. Desktop card printer manufacturers developed security features that will produce unique cards. Adding any optical feature that resists being copied using conventional office equipment increases protection against cloning. “These optical variable devices can be custom holograms, secure micro-printing, or guilloche patterns (fine-line artwork often found on passports or currency),” said David Tincher, supplies business manager for Datacard. Tincher reported that lead times, minimum purchase quantities and setup charges for these custom overlay materials are dropping significantly. “We have also introduced the ability to print dynamic covert text or images on the card that can only be seen with a UV lamp,” he added.
Dennis Caulley, vice president of AccessID, has seen a real upturn in the number of requests for holographics. “Putting a gross and apparent hologram on the face of the badge makes it easier for your employees to spot a fake badge as they walk by.”
Secure Supplies and Equipment. Of course, adding optical security features will not help to secure your facility if the bad guys (or your own employees) can use your equipment or supplies to make counterfeit badges. That’s why printer vendors are starting to tighten up the physical security of the printers. Some, such as Datacard, are offering new printer models with built-in locks to secure the card hoppers and the overlay cartridges to ensure that your supplies cannot easily walk away. The printers can also be physically locked to the desk, and revised printer drivers match the printer with its host computer and render it useless if connected to another PC.
Fargo has taken a slightly different approach with its Print Security Manager. Not only can the printer be set up to require passwords, but printing can be restricted to certain times. The system inhibits badge printing outside of those hours and covertly sends the administrator notification if an attempt is made. Additionally, an alphanumeric code can be printed on the face of each badge with a UV ink. The code can be linked back to the date and time, printer and username that did the printing. “Most of the bad people that are doing things to the company are people that are sitting next to you,” said Alan Fontanella, Fargo’s director of secure materials.
Fargo has also recently introduced a system called SecureVault designed to manage your inventory of printer supplies using a combination of RFID technology and a steel safe. Removal of any ID material creates an audit trail, thus increasing an organization’s control over customized laminates and ribbons.
Cloning the Badge Contents
Picture this. The president of your company is giving a speech at his favorite charity tonight. He is standing near the bar having a quiet drink with a friend when a well-dressed gentleman passes several feet behind him clutching a leather pouch. Remarkable? Of course not, unless you count the fact that this brief encounter was all it took to produce an exact duplicate of your president’s proximity badge—one that can, no doubt, open any door in your company, leaving only a record that the president was there. Worse yet, your president has no idea he was electronically pickpocketed.
Pure fiction? Impossible? Unfortunately, no. The scenario can be accomplished with a little Google searching and some parts from Radio Shack. “The industry is becoming increasingly aware of the relative straightforward means of surreptitiously capturing data from most 125 kHz cards and using it for nefarious purposes,” said Bill Nuffer, president of Deister Electronics USA.
Of course, the likelihood of this coming to pass at your company is low. Most bad guys would rather just break a window. Still, it is the corporate equivalent of leaving the key under the doormat; it generally doesn’t hurt anything, but if someone does break in, your actions will be tough to explain.
Fortunately, there is an answer to this problem. Smart cards provide a higher level of security through a process called authentication. The card and reader conduct a “friend or foe” conversation prior to revealing any secure information, thus making cloning significantly more difficult.
Not that long ago, the cost of smart cards was prohibitive for most commercial users in the United States. That has changed. “Today, to start building your (smart card) infrastructure from scratch won’t cost you any more money than starting with a proximity technology,” said Jim Colleran, product marketing manager of credential technologies for HID Corporation.
Of course, moving an existing proximity system to smart cards for security reasons alone might be a hard sell to management. The answer to that challenge is often found in the other applications that the smart card can bring to the table. “We are seeing a lot of people wanting to do many more applications other than just opening a door,” said Colleran. “We see point-of-sale applications, time and attendance, but the biggest one to-date is biometrics, because it eliminates having biometric databases and having to update the templates in the readers. It’s much easier to do it at the time of enrollment, put it on the card, and now it’s with you wherever you go.”
One of the much needed applications for IDs continues to be computer login. To meet the requirements of most IT departments, however, that application requires the memory and security of a smart card. While IT has long understood the shortcomings of passwords, they have often not addressed the issue due to the cost of new hardware and software to support tokens or smart cards. This in spite of the fact that the Meta Group and Gartner report that the average user calls the help desk more than eight times per year to reset their password at a cost of $25 per call.
Companies are now starting to address this issue. “As we look at the larger re-badging efforts out there, without a doubt, one of the prime motivators has to do with logical access,” said Colleran. Beyond the clear ROI, badges for login offer a security advantage, since technology has advanced to the point where hacking passwords can often be done with simple tools widely available on the Internet. It is this risk that has caused the Federal Government to adopt a common approach for computer login and physical access control with their new FIPS 201 standard.
Issued in February of this year, FIPS 201 calls for all government agencies to begin issuance of this new card by October 2006. The standard outlines a card that is at the upper end of the market in terms of both performance and price. With both contact and contactless interfaces and enough memory space for multiple biometrics, this card, at least initially, will be beyond the reach of most commercial organizations wishing to use smart cards to replace passwords. The good news, however, is that much of the standards work is expected to trickle down into less powerful cards. Moreover, the massive quantities of cards involved will spur competition and reduce prices.
The Risks of the Transition to Smart Cards
One of the trickiest parts of changing technologies in a large company is the seeming need to re-badge the entire population and change all of the readers at the same time. One traditional approach has been to methodically hand out ID badges with both the old and the new technologies on board. When the transition to these new “multi-tech” badges is complete, the readers can be changed with no service interruptions. The downside to this had been the high cost of these multi-tech badges. Thankfully, that is changing. “Multi-tech cards are one of our most popular offerings today. Prices have come down an incredible amount over the last couple of years,” stated Colleran. Another option hit the scene in the last year: the multi-tech reader. Companies such as Tyco, GE, HID, Deister, and XceedID all offer readers that can read both conventional proximity cards and smart cards. These readers have become a hot item because they offer companies a flexible solution to the transition problem. For some, they also offer a practical way of having a permanently mixed card population. “The introduction of multi-frequency, multi-technology readers now gives end users a choice of transition methods, and they are beginning to respond enthusiastically—not just because of the transition problem that may now be (solved) but also to meet the additional challenges of mergers, acquisitions and multi-tenant facilities,” said Nuffer.
Adding Biometrics to an Existing System
While adding biometrics to your security system will lower your security risk, the complexity involved often raises your project approval risk. An interesting new twist in the world of biometrics is typified by two companies that have managed to combine a fingerprint sensor and the functionality of a smart card into a single device that you can carry in your pocket.
Digital Defense introduced their Factor4 product in April of this year. “We discovered that customers wanted to use a smart card and a fingerprint sensor for physical security and computer login, but they did not want to change their reader infrastructure,” said Digital Defense President Steve Campisi. The Factor 4 product is the shape of a conventional credit card and approximately four times the thickness.
Privaris has introduced a similar product designed to fit on a key ring. Both products can communicate with an existing access control system by emulating an HID card.
While these devices are pricey when compared to a standard access-only card, they make sense for systems that combine multiple applications because they eliminate the need to purchase a fingerprint reader for each login or access point. “Our customers are also buying our concept because it eliminates the central database of fingerprint data, with all of the system changes, administration, and privacy concerns that go with it,” said Campisi.
Whose Job Is It Anyway?
There is so much to the selection of an ID card environment, particularly if applications other than access control are involved, that the typical physical security group may be tempted to limit the scope and continue using their current technology. Many of us in the consulting community right now are telling our clients that sort of tunnel vision is very dangerous.
There should only be one group in your organization responsible for identity management and credential issuance. Today, that function often gets split across physical security, human resources and IT. The result is generally multiple credentials and the lack of a holistic view of the threats that face your company. Tomorrow, however, cost pressures could force your company to move to a single solution that was designed for computer login, not opening doors. Do yourself a favor and start investigating these new technologies. This is a convergence area where security can and should be leading the charge.
Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high tech electronics, Mr. Anderson previously served as the VP of marketing for GE Security and the VP of engineering for Casi-Rusco. He can be reached at email@example.com.