One of the most high-profile ways of managing risk is to use technology to keep risky people out of your facilities. If you’ve ever considered installing or upgrading card access control to achieve this, chances are you’ve looked carefully at some form of radio frequency ID.
RFID proximity cards are a staple of business security. Their contactless nature makes them popular both with users and security managers; users like skipping the step of swiping the card, and managers like the low wear and tear on the readers.
But RFID no longer refers only to prox. Contactless smart cards have been popping up everywhere—in the news, in federal and industry regulations, on specs and in sales material. No doubt many of you have been following this news and researching the technology; others may know the term “contactless smart card” but know very little about it. Whichever camp you’re in, you likely have at least a few questions about this technology and what it might mean for you.
I contacted several security consultants and integrators to find out how they answer the questions many of you are asking.
What Are the Differences Between Prox and Smart Cards?
The “smart” in smart cards defines the real difference as far as application is concerned. Not only can smart cards hold much more data than prox cards; they can also be written to during transmission, instead of just read like prox. This makes them useful for a number of applications that prox could never enable.
“There are more capabilities for smart cards,” said Chris Wetzel, COO of InterTECH Security LLC. “We’re seeing it develop to where we can use it for cafeteria purchases, time clocks, and holding information that’s associated with the individual in the event of an emergency.” If it doesn’t look like these types of applications are in your future, don’t feel like you’re getting stuck with primitive technology. Prox has its own strengths.
Added Wetzel, “Prox has allowed us to develop long-range technology, where we can read several feet away from a card, and we do not have some of the read range with the smart card as we do with the prox.”
Jim Coleman, president of Operational Security Systems, pointed out another strength of prox over smart cards: “When you get into an application where timing is of some importance, like an optical turnstile where people get into a rhythm or a cadence and they’re used to the thing letting them go through after half a second—with a smart card sometimes it takes just a little bit longer to read than a traditional prox card.”
Are They Secure?
Most people assume contactless smart cards offer more secure transmission than prox cards, but Greg Young, technical services manager for integrator RFI, warns against that assumption. “They can be more secure, but they’re not necessarily more secure,” he said. “Many manufacturers are touting readers that read multiple types of smart card technology—MIFARE, iClass—when really all they’re reading is the serial number sent unencrypted from the card, in the same way prox is. Unless you make sure that what you’re reading is from a secure sector on the card that can be truly encrypted, and there is a handshake procedure between the reader and the card before transmission, what you’re getting is no more secure than proximity technology.”
Duplication of prox and smart cards, another security concern, isn’t easy to accomplish. Young stated that prox cards are more susceptible to duplication simply because they’ve been around longer and fraudsters have had more time to work on them. “But (protection from duplication) isn’t really where you’re going to get the enhanced security from the smart card,” he reiterated. “The point is not whether the serial number can be duplicated, but that the smart card has sectors on it that can be truly encrypted, so someone can’t get their hands on that data without the appropriate keys.”
Manufacturers have worked diligently to protect both prox and smart cards from compromise when new frauds do appear. William Hawthorne, founder of consultancy William A. Hawthorne Associates Inc., said, “Intercepts on wireless systems that are not encrypted do happen. People are finding ways every day to beat them, and (manufacturers) are finding countermeasures to those methods every day.”
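The distinction Young draws between a reader that accepts the unencrypted serial number and one that performs a handshake can be seen in a small model. This is an added example, not code from the article or from any card vendor. It assumes a generic HMAC-SHA256 challenge-response with a per-card key as a stand-in for the handshake, not the actual MIFARE or iClass protocols, and all class names and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key, serial, challenge):
    return hmac.new(key, serial + challenge, hashlib.sha256).digest()


class Card:
    """Constructed model of a credential: a clear-text serial plus an on-card key."""

    def __init__(self, serial, key=None):
        self.serial = serial   # any reader can read this without authentication
        self._key = key        # never transmitted; None models a serial-only copy

    def respond(self, challenge):
        # Prove possession of the key without sending it over the air.
        return mac(self._key, self.serial, challenge) if self._key else None


class SerialOnlyReader:
    """Grants access on the unencrypted serial number alone."""

    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def grant(self, card):
        return card.serial in self.enrolled


class HandshakeReader:
    """Requires a fresh challenge-response under the card's key."""

    def __init__(self, keys):
        self.keys = dict(keys)  # serial -> key provisioned at enrollment

    def grant(self, card):
        key = self.keys.get(card.serial)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh per read: old answers cannot be replayed
        answer = card.respond(challenge)
        return answer is not None and hmac.compare_digest(
            answer, mac(key, card.serial, challenge))


def demo():
    serial, key = bytes.fromhex("04a1b2c3"), secrets.token_bytes(16)  # constructed values
    issued, copy = Card(serial, key), Card(serial)
    weak, strong = SerialOnlyReader([serial]), HandshakeReader({serial: key})
    return {"weak_issued": weak.grant(issued), "weak_copy": weak.grant(copy),
            "strong_issued": strong.grant(issued), "strong_copy": strong.grant(copy)}
```

When evaluating a reader, the question to put to the vendor is which of these two modes it actually runs against your card type, since a multi-technology reader may fall back to the serial-only mode.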
Will My Cards for Access Work for Other Applications?
Smart cards open the door to a number of non-security applications, but it’s interesting to note that many security directors who’ve already implemented contactless smart card programs for access aren’t yet seeing these other capabilities being leveraged.
Operational Security Systems’ Coleman has seen this trend first hand. “When they get a chance, most people tend to go toward smart cards. But our industry doesn’t seem to want to use too much of the smart part of the smart card yet.” The price point for smart cards has dropped enough to make it a cost competitor with prox, and many decision makers are moving toward the newer technology now so they can use the capability later.
This is fine, as long as they have some idea of their future needs when they install the system, said Young. “Smart cards have different storage sizes, different storage types, different operating systems, and so you need to be careful you don’t oversell the interoperability. Two years down the road someone could come to you and say they want to use the card for X application, and it’s not necessarily going to be compatible. Users need to look carefully at their future plans before going with a certain type of card.”
InterTECH’s Wetzel suggested betting the favorite in this situation. “I know that if I provide (a card from a major manufacturer), more than likely it's going to be able to talk to services or functions as they become available.”
What About FIPS 201?
Government agencies and contractors want to know one thing about any RFID cards they’re considering: How do they fit into FIPS 201, the new federal credential standard? The government has set tight deadlines for FIPS compliance, but it has dragged its feet on nailing down the specifics. As a result, said Lou DeStefano, founder of consultancy LTD Inc., many federal agencies are being dragged kicking and screaming into the smart card arena. “They’re being told to do something that hasn’t been well defined yet and shaken out in terms of where the technology is. The concept (of the standard) is a sound one, but they haven’t crossed all their T’s and dotted all their I’s yet, and a lot of people are reluctant to make a hardware commitment not knowing how the thing’s going to be finalized.”
DeStefano broke his clientele into two categories—“people who have recently put a system in and are expecting a 10-year life out of it and want to know what they need to do to it to be FIPS compliant, and people that are looking to put a new system in and want to know if this is a good time to jump in, or should they hold off and wait until the guidelines mature.” There aren’t any short and sweet answers to these questions. Your choice will have to depend upon your agency’s needs, your budget, your flexibility, and, to some extent, your faith in the government. There are, however, things you can do to help you make an informed decision.
In this case, having a knowledgeable consultant who works specifically in the government market will likely be a big help to you. It will also help you to read through the standards and supporting documents yourself. Visit http://csrc.nist.gov/piv-program/ to find copies of these, as well as helpful links and FAQs. DeStefano keeps summaries of the documents to distribute to clients dealing with FIPS.
How Can I Migrate to Smart Cards?
The question of migration to smart cards for non-government entities is a little less sticky. Depending on your budget and corporate structure, you could try migrating slowly—floor by floor, or building by building. If you add contactless smart tags to your existing cards, then system users can continue using the same cards with the old and new readers, freeing you to install new readers as your budget and schedules allow.
InterTECH’s Wetzel advocates multi-technology cards for migration in many instances. “It’s not really realistic to think we’re going to be able to change everything out at one time, so if we have one credential that can be used with multiple technologies, we can migrate those out as they become obsolete.”
How Will I Justify the Cost?
As we’ve already said, pricing for contactless smart cards is approaching parity with prox. But when you’re looking at upgrading from a working system, you’re still facing increased expenditures on cards and readers.
If you really want to show ROI on this investment, Young suggests you start looking at the smart parts of the card. What else can you do with it? “Have you talked with IT about it? Do they want logical access? Do they want to go to a credential with a contact chip for access to the computer network? Depending on your environment, do you want to leverage the card for cafeteria purchases, point of sale, library privileges? Once it’s more than access control and you get some more people at the table who have budgets, you can split up the roll-out cost for the implementation.”
“You also have to consider the age of the system,” Young continued. “If it was installed six to nine years ago, the added features of the smart card may make it worth the upgrade.”
Marleah Blades is managing editor of ST&D. She can be reached at firstname.lastname@example.org.