Card, mobile credential, payment and security
Mobile devices are poised to become the ID credential of the future. In a recent video interview, Blackboard Transact president David Marr shared his views on mobile platforms in higher ed and the impacts on campus card offices. CR80News’ Chris Corum discussed the topic with Marr as well in a podcast.
He describes the mobile device as “the virtual front door of the institution,” but he stresses that you can’t just leave that door propped open. “The credential that is the key to opening that door will reside in the campus card office,” he says.
When it comes to service delivery on the modern campus, Marr explains, “geographic boundaries of a campus are no longer the primary driver, mobile devices and applications have blurred these boundaries.”
He suggests that campus card administrators get immersed in the conversations about mobile on their campus. “Let IT know that campus card solution providers are moving the credential to the phone,” he says, “I am confident that will get their attention.”
In the video, Marr highlights several exciting mobile initiatives underway at campuses across the country including Stanford University and University of Washington.
To listen to the podcast, click the play button below:
Thanks to a new pilot program between Cal State University San Bernardino and the local transit agency, CSUSB students can now commute to campus for free.
Starting this fall semester students can swipe their current valid student ID card to ride for free on Omnitrans buses throughout the 2011-2012 school year. CSUSB students can use their Coyote One-Card student ID card to ride Omnitrans at anytime on any route, not just trips to and from campus.
The one-year pilot program is being funded by participating colleges and the 16 city and county governments that Omnitrans serves. When cards are inserted in the fare box near the front door of the bus, their magnetic strip will be read by the Omnitrans system. This will allow the agency to capture usage data by school, by route and even individual ID.
Omnitrans will seek student support for fees through referendums next spring to maintain the program after the one-year pilot program expires. College students would normally have to pay $1.50 per trip or $4 for a one-day pass to ride the bus. Seven-day passes are $11 and student 31-day passes are $35.
Southeastern Louisiana University has expanded its campus card program with the addition of Cub Cash, according to The Lion’s Roar, the student newspaper.
Cub Cash is the university’s latest campus payment program which enables students to purchase meals at many different locations, including off-campus merchants like Subway and Starbucks; in addition to the Lion’s Den and both campus convenience stores, the Mane Market and the Mane Market Too.
“Cub Cash goes hand-in-hand with meal plans and has nothing to do with non-Campus Dining purchases,” said Robin Rodrigue, Director of Marketing and Strategic Initiatives with Auxiliary Services.
On the other hand, the university also offers the Lions Lagniappe account which accepts payment at most on campus kiosks. This includes the University Bookstore, the Document Source, most on-campus vending machines, copy machines, the residential laundry facilities, the Health Center, and the Student Activity Center. Lions Lagniappe can also be used at all campus dining facilities.
Left over Cub Cash rolls over from the fall to the spring semester, but any remaining funds not used by the end of the spring semester are supposedly kept by the university. Unlike Cub Cash, Lions Lagniappe rolls over every semester, and after graduation or withdrawal from the university, any leftover funds will belong to the student and will not be kept by the university.
Read the full story here.
The North County Transit District is partnering with schools in the San Diego area to provide students, faculty and staff with discounted transit passes, according to SignOnSanDiego.com.
The district issued approximately 449 discount bus-and-rail passes for the current school year at California State University San Marcos. With a 7,800-student population, the University of San Diego has also teamed with NCTD to launch a pilot discount transit program.
The current discount cards would are good for Coaster and Sprinter trains and Breeze buses, as well as San Diego’s Metropolitan Transit System trolleys and buses.
NCTD added that it wants to eventually create a program, attaching a sticker to the university ID cards of students and employees. The formal launch would be in January 2012.
Read more here.
Yapik, a new location-based mobile smart phone application designed specifically for college students to find, sell, barter and trade goods and services, is making its debut in several Florida schools.
The mobile app further offers a way for students to find and barter goods and services with the context of the campus experience. Yapik enables students to buy or sell products, chat with other students, post information about items they are seeking, view content feeds, create profiles and organize lists of their favorite friends.
Yapik will also offer location-based recommendations and college-specific content feeds with live updates from the most recent posts. Students can make three posts for free, and all posts after that are charged on a monthly basis to their iTunes or Android accounts.
The app will be introduced this month as a pilot at Florida International University, the University of Florida, and the University of Miami with 12 other schools set to launch in January. A nationwide roll out is slated for July 2012.
The University of Minnesota has launched a pilot reward program, leveraging RFID technology to encourage more students to ride their bike, according to the Minnesota Daily.
The campus started by installing some 20 RFID checkpoints along major bicycle corridors around campus. In order to earn points, students can register to receive an RFID tag which can be attached either to the students’ bike or helmet.
As students pass by these designated checkpoints they will receive points. The points can be redeemed for discounts on bike repairs, bike equipment and even reduced health insurance premiums.
The system will be based out of the University’s Bike Center, which will begin installing chips and registering riders for free when it opens this week.
Read the fully story here.
Southeastern Louisiana University is working together with ASI Campus Laundry Solutions (ASI) to deploy Laundry Alert, an automated service designed to make washing clothes on campus easier.
According to an official newspaper for the university, the system enables students to view which machines are available or in-use and approximately how much time is left on each machine, before making the trip to the laundry facility. Students who sign up for the Laundry Alert service will also be receive an email notification or text message when “their” laundry cycle is complete.
All dorm hall laundry rooms on campus will utilize the system to provide students with a means to monitor the availability of dorm washing machines, thereby reducing the amount of unnecessary congestion.
Read the full story here.
HID, Arizona State pilot multiple handsets, carriers and apps on campus
As the Fall semester geared up at Arizona State University, something revolutionary was happening in one of the residence halls. Select students living in Palo Verde Main were no longer using their Sun Card to gain access. Instead they were using cell phones.
Compared to most residences, Palo Verde Main was already considered advanced in access control circles. For six years, contactless technology in the student ID card had granted access to the building. But in August, a group of students and staff became the first in the country to use smart phones equipped with near field communication (NFC) technology instead of keys or cards.
ASU worked with HID Global on the pilot. The company’s contactless iCLASS technology powers the student ID known as the Sun Card and HID readers secure residences, offices and labs throughout the Tempe campus.
Though the pilot came together rapidly, the spark for it was years in the making. “Three-years ago I began to notice a lot of press around NFC,” says Laura Ploughe, director of Business Applications and Fiscal Control for University Business Services at Arizona State University. “I mentioned it to my HID rep and about a week later he sent me news clip from ASSA ABLOY hospitality with a photo showing a phone opening a door.”
It was an “aha” moment. She realized the phone was the ubiquitous device that would really change things. “I stuck the news clip on my wall with a pushpin and it has been there ever since,” she says.
At a trade show this spring, Ploughe saw a demonstration of HID’s new iCLASS line based on its Secure Identity Object concept. Called iCLASS SE, short for Secure Identity Object-enabled, it allows the access credential to be stored on cards, fobs, phones and other devices. “It was a dream come true,” she explains. “I could see live what was under that pushpin on my wall.”
Ploughe told her contacts at HID that she would love to be involved if they needed a pilot location. “Never in my life did I think they’d say yes,” she laughs. But by early summer, agreements were in place and planning commenced.
“I thought we’d take a 24-week timeline for a pilot,” says Ploughe. “But the timeline was shortened when we began talking to stakeholders.”
Ploughe works in University Business Services. Among other things, the division oversees the Sun Card program and the Electric Door Access and Surveillance program. She approached her colleagues in University Housing for support, as they would be crucial to the success of the pilot.
“We looked at where it would best fit in the school calendar,” she says. “Housing agreed to participate but wanted to do it during early move-in to ensure there was no disruption to student learning.” That dictated an August launch, so a single discussion shortened the original timeline from 24 weeks to just eight weeks.
On Aug. 1 the hardware and equipment for the pilot was installed. Internal communications were sent to stakeholders including the police department and facilities to make sure they weren’t alarmed when news spread that cell phones were opening residence hall doors.
The following week HID Global staff trained campus technicians and the lock maintenance group.
On Aug. 10 new phones were given to the students and staff participating in the pilot. In all 32 participants – 27 students and five staff – were provided NFC-equipped phones to use as they lived life in and around Palo Verde Main.
The hall was not selected by accident. It houses many of ASU’s engineering students, individuals with an obvious technical acuity. “We picked Community Assistants (resident assistants) because they have single rooms and are both responsive and responsible,” says Ploughe.
As for the staff participants, Ploughe explains, “we wanted a couple of people from facilities to be able to test the system and we also chose staff from the residence hall to assist with technical support.”
“Because this was a pilot, we decided it would be good to have multiple brands of smart phones,” explains Deb Spitler, HID Global ‘s VP of HID Connect. Participants were outfitted with one of three handsets: RIM’s BlackBerry Bold 9650, Samsung’s Android (multiple models) or Apple’s iPhone 4G.
Handsets with embedded NFC functionality are not widely available so the pilot relied on microSD cards and sleeves for the NFC functionality. Three separate carriers – AT&T, Verizon Wireless and T-Mobile – were used for mobile services.
Two separate apps were used to carry the electronic credentials. The BlackBerry and iPhone users ran ASSA ABLOY’s Mobile Keys Application while Android users ran a mobile access application from HID.
Each participant received a fully provisioned phone with unlimited voice and text service. At the outset, the hope was to use the students’ existing smart phones. “We surveyed them to find out if they had a phone that we could enable with a microSD card,” explains Spitler. “There was a very small number that actually had a workable handset … well over half had a basic phone and not a smart phone.”
So the school and HID put new smart phones into all their hands. Because participants would keep the handset after the trial, Spitler says, they matched the mobile carrier and handset model to the individual’s current service. In that way, they could transition their new smart phone to their current carrier post pilot.
“We hoped this would help to engage them and show them that their participation and input to the pilot was important to us,” says Spitler.
ASU already had HID iCLASS readers across the campus and at key points in Palo Verde Main. But to accept the new NFC keys, readers needed to be upgraded to accept the company’s Secure Identity Object credentials. At six entrances, iCLASS SE readers replaced the existing contactless readers. Four new locations were also enabled with the SE units.
Additionally, four individual rooms within the residence hall were equipped with an offline door lock from ASSA ABLOY’s Sargent line. These locks require the use of a PIN in addition to the credential on the phone.
To gain access, students present keys, cards or phones at as many as four separate points within the residence hall. A main entrance, a courtyard entrance, a wing door and finally a room door each are secured. Most of the students still required the key to gain ultimate entry to their room, but four participants used the phone at all entry points thanks to the Sargent locks.
“When a student approaches a door they click the icon on the smart phone to launch the app and then present it to the door,” explains Ploughe. For the pilot, the countdown was set to 30 seconds before the application closes.
“The sweet spot was different on each phone,” she says, referring to the ideal physical place on the phone to hold next to the reader for optimal use. “We put a Sparky emblem (ASU’s mascot) on back of each phone to make it easy and convenient.”
At the midpoint of the pilot, an initial survey of participants revealed promising results. Key questions pertained to training and support on devices, functionality of the application and comparison to the card in terms of convenience and speed. Other questions asked for suggestions to improve the current functionality and ideas for additional applications.
At the conclusion of the pilot, a second survey was conducted to address changes in perceptions over time. Have you changed your mind on things? Are you more or less happy with the functionality? Would you like to see the functionality continue to be supported on campus?
Results of these surveys will be released during a panel discussion on Monday, Sept. 19 at the ASIS conference in Orlando. Look for additional details here next week on the survey results.
The pilot concluded on Sept. 6. At press time, ASU was reviewing the survey data to determine next steps.
For Spitler, the pilot was a lesson in reality meeting new technology. “It enabled us to explore how people use mobile credentials and NFC in the real world,” she says.
That is the real value of a pilot. It forces stakeholders to forget their preconceptions of a technology and address how people actually live and work.
As Spitler points out, this is why it was great to have a number of different devices, readers and apps. “It gave us different feelings and that is what a pilot is all about,” she adds.
“It’s my hope that we do a secondary pilot,” says Ploughe. “Ideally I would like the smart phone to be the tool for everything. Lots of people are driving a mobile app to smart phones but there is some risk.”
She hopes that one outcome of these pilots and this user directed research is the establishment of some best practices. “Take care of the risk,” she explains, “and we can open up other applications.”
Ultimately, for ASU it’s all about student success. “The key is engaging them the way they want to be engaged – the same way they do with their friends and with the same tool that connects them socially,” explains Ploughe. “It means that we provide our services to students with devices like this or we have failed in helping them be successful.”
Schenectady County Community College has inked an agreement with the Capital District Transportation Authority so that students, faculty, and staff can get more out of their campus ID cards.
According to the Times Union, the agreement will enable campus cardholders to access the entire CDTA system, including regular transit buses, express and shuttle routes, the STAR paratransit service, and the Northway Express commuter buses.
In addition, the CDTA also has transportation partnerships with the University at Albany, The College of Saint Rose, Rensselaer Polytechnic Institute, Russell Sage College, Skidmore College, and with Albany High School.
Read more here.
Manufacturers try to rein in the supply chain, but is it in vain?
When it comes to securing the ID card printer supply chain, the process can be a lot like selling a car. Once a dealership sells a car to an individual, the dealer no longer has insight into whether the buyer sells that car to someone else.
“That’s the point where we lose visibility,” says Ryan Park, senior manager of product marketing for secure issuance for HID Global, which manufacturers the FARGO line of card printers.
For this reason, protecting printers and supplies is an ongoing challenge for manufacturers in the industry. Ultimately printers can end up on eBay or other online sites, where fraudsters can buy them to create fake driver licenses, campus IDs or credit cards with mag stripes. “At some point, you as a manufacturer lose control of the printers you sell,” Park says.
But there are measures manufacturers can take to reduce the chances that printers will end up in the wrong hands, or that if they do they won’t have the capabilities needed to replicate authentic cards. The key is working with authorized dealers, creating layers of security on cards to make them harder to reproduce and educating dealers and end users on how to safely get rid of unwanted printers, manufacturers say. There is also an initiative in the UK for law enforcement and printer companies to work together to prevent the cards and printers from falling into the wrong hands.
In protecting its printers, one of the first safeguards that card printer manufacturer Digital Identification Solutions (DIS) takes is making sure that the retailers its dealers hire are authorized by contract to sell the company’s products.
“What we’re looking for is when a dealer comes back to us and says a bid is being awarded to some company we haven’t even heard of,” says Jonathan Bowen, business development manager with DIS.
In the past, DIS has cautioned its end users about buying printers from unauthorized resellers. “You don’t know the age of those supplies, or how they’ve been stored and handled, and that puts us at risk,” Bowen says. “It’s not just about fraud for us; it’s about how we do business every day.”
Adding layers of security onto the actual card is key to protecting the printer supply chain, manufacturers say. That way even if a printer ends up being used fraudulently, the person would not have all the tools needed to add those security features and make a card that appears legitimate.
Holographic foils, special laminates and UV printing are examples of security features that can help prevent card duplication.
“An ID document, if well done, will have some exclusive security features that are not commercially available on the street,” says Benoit Guez, director of smart cards and new technology for card manufacturer CPI Card Group. “Those can be on the material of the plastic, the printing, the personalization and on the overlay protecting the personalization.”
Most of CPI’s cards start with white plastic on which the issuer prints cardholder information. That information is protected with a secure overlay that may contain a hologram or some other feature.
Some printers contain UV printer ribbons, so that when someone uses a UV black light to verify an ID, they can examine the card to make sure it contains certain security elements. This tends to be the case on driver licenses and national IDs.
“That’s a really easy-to-add security feature for the end user, but we had to have a way to secure it so UV ribbons wouldn’t end up everywhere on the market,” Bowen says.
To address this, DIS requires dealers who sell the special printer ribbons to sign an appendix to their contract, agreeing to a multi-step process in which they track every printer they sell to an end user. They must log the date the printer was sold and how many supplies went out. There is also a form the end user must sign.
Anytime a user prints with one of Digital ID’s UV panels, the MAC address of that specific printer is printed directly onto the card as a unique identifier. Without a black light, the number is invisible to the naked eye.
“Let’s say a counterpart of mine in Europe is going to use UV on the cards, and a year after selling that, they start finding there are fake national ID cards being sold for 2,500 euros. The cards look so legit that they actually have the printer number printed on it. We can go back and find out where the printer was sold (since) we’ve had these machines on the market,” Bowen says.
Manufacturers can also code their printer products to work only for the appropriate user. For instance, if the federal government purchased card printers from HID for a large installation, HID could encode the printers ribbons to work only with printers sold to the government client, Park says.
Printers being resold on sites such as eBay or craigslist are usually the real deal. “It’s just generally the older real deal,” Bowen says. Such printers may be five or six years old, or may be damaged and need some repair to become functional again.
Sometimes schools or other legitimate organizations purchase the used printers to create badges for students and employees. But this isn’t always the case.
“There are definitely printers out on eBay that someone who knows what they’re doing can buy and create realistic looking (fraudulent) badges,” Bowen says.
HID gives directions on how to properly dispose of old printers. However, much like auto dealers cannot control the resale of their cars, printer manufacturers cannot legally restrict suppliers in the U.S. and Canada from reselling printers online.
“We haven’t found a good recourse legally to prevent that,” Bowen says, adding that the only thing they’ve been able to do is offer trade-in values to pull those printers back in. “It’s a hard one to control for sure.”
That doesn’t stop the individual end users from implementing their own safeguards. Airports, government agencies and other entities where ID security is paramount often have their own systems in place for safely phasing out printers and supplies to ensure they do not go back into the market on eBay.
Within the Department of Defense, for example, there are only a few suppliers qualified to sell government-marked material, Park says, adding that a fraudster would actually have to buy a printer from one of those qualified vendors.
The rules can be different in the corporate world when companies are ready to unload their old printers. If a corporation wants a new printer to produce its employees’ ID badges, HID allows them to participate in a trade-in program within its dealer channel.
“Or you can throw it up on eBay, which may be why more often than not, you see printers for sale on the Internet,” Park says.
To some degree, dealers are on the honor system. “In the U.S. you may be able to trust, but there are parts of the world where bribes and kickbacks are an everyday part of life,” Bowen says.
Forged documents are easily detected by the trained eye. But an untrained individual wouldn’t know how to differentiate cards, which is why Guez says education is key in protecting the printer supply chain.
“People can scan a real card and try to change the name and photo, and then print it on plastic. And they usually miss all the security features. So a forged document is just a basic document, and that’s obvious to anyone who knows a little bit,” he says.
Requiring two or more forms of identification, such as a passport or birth certificate, can also help rule out fraudulent cards, he says.
Of course, not all fraudulent IDs are created using purchased or otherwise-obtained printers. Often, fake national IDs and driver licenses turn out to be cases of internal fraud where someone within the organization uses actual printers and supplies. “They’ve forged IDs that they issue on real machines in real offices in real time … when no one notices (they’re making) a fake ID,” Bowen says.
For now, taking precautions by adding security layers and educating and vetting printer dealers and users may be the only real recourse printer manufacturers have against fraudsters.
“In the end, I don’t think there’s a perfect way to prevent legitimate supplies from falling into the hands of illegitimate people,” Bowen says. “As we distribute legitimate supplies around the world, it takes constant vigilance to make sure these aren’t distributed into the wrong hands.”
