Card, mobile credential, payment and security
Some students at Utah Valley University, Orem, are looking for donations that will give them seed money to develop their own iPhone app that could double as a student ID card.
Trent Ewing and Mark Wilkinson are in the planning stages of making an app for the university. They want the app to replace student ID cards and have already spent time collecting donations from students.
“Our goal is to get our idea off the ground. Talking to people we have almost 100% approval rate,” Ewing said. “The main problem students have is that 43% don’t have smart phones.”
They also said the app could save the school money.
Read more here.
By Bob Fontana, President and CTO, Codebench
Physical security professionals are hearing about public key infrastructure, or PKI, more frequently than ever before. This is because the federal government, through the National Institutes of Standards and Technology and the Interagency Advisory Board (IAB), are pushing for higher security in the physical access control world.
The federal government says physical access control systems (PACS) need to be upgraded to be FIPS 201 and SP 800-116 compliant. Depending on the level of assurance required for entering the space, each door or turnstile will be secured by an authentication system capable of verifying one or more authentication factors before granting access.
A traditional access control reader provides one authentication factor, which results in "some" assurance. A single factor is the minimum standard for controlled access defined by SP 800-116. Readers with PIN pads can be used to provide two factors, and readers with a fingerprint sensor or iris scanner can provide three.
A FIPS 201-compliant contactless card reader must also ensure that the credential being presented is the one that was originally enrolled in the PACS rather than a forgery or clone.
Access control systems can use PKI at the door to accomplish this and determine a card's authenticity. The process uses private and public keys to sign and verify a random challenge sent to the smart card. Only an original, legitimate card can respond correctly to the challenge.
There are three basic configurations for PKI at the door:
The advantage of this approach is that it does not require extra boards or equipment, and it is highly resilient because the panel is designed to operate offline from the server for long periods of time. The downside is that the panel needs to be upgraded to perform PKI at the door.
This solution works with all panels today can handle hundreds of doors concurrently. It has an early advantage because there is no need to update panel firmware. The disadvantage is that its reliability depends upon server availability, although this is mitigated with a backup server.
There is no need to update the panel firmware with this approach. Because it operates closer to the door, it is designed to operate independently of a server for long periods of time - much like a panel. On the negative side, a separate controller adds cost in equipment and wiring.
With all three approaches, data is sent over multiple hops from the card edge to the PACS.
With each hop, the data needs to be secured using encryption.
All of this data processing takes time. Factors, such as the type of card and type of connectivity between devices, cause card authentication times to range from one to several seconds.
The good news is that once a cardholder has authenticated with the requisite factors to enter a particular area there is no need to re-authenticate unless a security area requiring even higher assurance is nested within it. Even then only the additional assurance factors are required. Therefore, security managers should plan their SP 800-116 security zones with an eye on minimizing cost while maximizing throughput and security.
While a physical card is the primary means for gaining access into a high-assurance area, near field communications (NFC) is quickly becoming standard in mobile phones. With NFC, the phone becomes both a credential and a reader. Combined with cloud services, NFC can dramatically lower the costs of PKI at the door by eliminating panels and reducing wiring to an NFC terminal connected to a door relay.
This type of solution won't work in every environment, but it will provide organizations with additional options, especially in the commercial market. NIST and IAB are already looking into this technology and security companies are gearing up for it.
The trickle down effect–where the mainstream market embraces technologies first implemented by the government–will play a large role in the adoption of PKI in the physical security market as a high assurance validation method.
The University of Tampa has increased security at one of its buildings, allegedly due to threats against a faculty member, although school personnel would not verify that. The university is now mandating that ID cards be swiped in order to gain entrance to the communications wing of the building.
An email from Andrew McAlister, associate chair of the communications department, seemed to indicate that some were propping the building’s door open to enable access to anyone.
One source, however, commented that the security measures are a response to a situation involving a former student threatening at least one professor in the communication department.
While students might find the new security inconvenient, they understand the reason behind it. “It’s kind of annoying but they are trying to do all they can to keep us safe,” commented one student.
Read more here.
Information for 1,600 freshmen and sophomores in the College Park Scholars program at the University of Maryland was inadvertently posted to a public Web site, university officials said.
The information, which was on the site for a month, included names, university ID numbers and student ID magnetic-stripe numbers.
While the university said the site only had 30 viewers, officials decided to issue new ID cards to students in the program. College Park Scholars is a residential community for academically talented freshmen and sophomores.
The information stored on the site has no use outside the university, a spokesman said, but it could be used to enter a residence hall or use dining points if someone had the means to reproduce a student ID card.
It was “purely by human error” that the information landed on the site, said a university official. The information posted did not include Social Security numbers, email addresses or phone numbers.
Read more here.
The University of Glamorgan in Wales has installed new security measures that require a swipe card to enter certain parts of the building. Access to the building from the main entrance will not be restricted, but students and staff will have to swipe their card to enter the main teaching areas.
“The University of Glamorgan is currently enhancing security at its Cardiff city center campus,” said a university spokesperson. “In line with other city based universities, the swipe card system will maintain the security of students, staff and equipment at our busy city center building.”
The new security has drawn mixed reactions from students. “I think it’s a really good idea. It’s good to have some sort of security seeing as the university provides so much equipment for us,” said one student.
Another student disagrees. “I don’t really like the idea of the swipe cards. They are just more hassle than they’re worth.”
Read more here.
A new laundry payment and management system at the University of Florida accepts the GatorOne campus ID card as well as credit and debit cards.
The previous system accepted the campus card as well as cash, explains Mark Hill, assistant director of housing for Facilities Management at the school’s Department of Housing and Residence Education. The university made the switch because the mag-stripe reader on the 12-year-old machines often didn’t work making it difficult for students to use laundry on campus. “We’d seen a decrease in the usage of our machines on campus and in some cases it was because the card reader wasn’t functioning properly,” he explained.
The readers used in the system were out of production and getting replacement parts wasn’t possible, Hill says. To try and drive more student use of the laundry facilities the university decided to deploy the WaveRider system from Heartland Payment Systems.
Heartland’s WaveRider Laundry System offers wireless payment and account management and provides a secure method of accepting credit and debit cards to enhance convenience for students and staff.
Previously, when a student wanted to use the campus card to pay for laundry he would swipe the card at the room’s single, wall-mounted “gang” controller. Then the student would enter the number for the washer or dryer to be used, Hill says. With the new system each washer and dryer has its own magnetic stripe reader.
Each individual WaveRider reader communicates with a single room controller using the short-range Zigbee wireless standard. Up to 40 individual machines can be controlled by a single controller. The controller talks to the outside world via an onboard cellular modem to authorize payment transactions.
“The system meets all Payment Card Industry data security standards to protect cardholder data,” says Ron Farmer, executive director, Campus Solutions and Micropayments at Heartland Campus Solutions. Credit and debit card transactions are sent directly to Heartland for processing. This keeps campus networks and systems completely clear of payment card data, he explains. Campus card transactions, on the other hand, are sent directly to the GatorOne system.
In the past, UF laundry payments have been split fairly evenly between cash and the campus card. With the new system the university hopes to see campus card usage go up and cash usage decrease. “Based on our experience at other campus laundries, card use should go up dramatically,” says Farmer.
The campus’ laundry contractor, ASI Campus Laundry Solutions, deployed the new system in less than three weeks. The University of Florida has 520 washer and dryers for its 7,590 students in residence halls and 1,600 graduate students in university run apartments. The new system cost $220,000 to install and is expected to pay for itself over time, Hill says.
WaveRider features new reporting capabilities that can be run on a daily basis, which will make it easier to determine if a machine is out of service. “In the past we weren’t able to tell if a machine was working until a student complained but now we’ll be able to find out on a daily basis,” Hill adds.
The WaveRider system also features a Web-based portal called WaveVision that enables students to view the status of washers and dryers from a computer or mobile phone. They can register to receive text messages, alerting them when their laundry cycles are complete. “This helps reduce unnecessary congestion in the laundry room,” explains Farmer.
This online visibility is not unique to the Heartland solution but, according to Farmer, WaveRider is the only solution that provides it out-of-the-box with no extra hardware required.
Heartland has deployed the WaveRider system at a number of campuses and off-campus residence halls. “We’ve learned that student don’t carry cash and they love the convenience of using the debit card that is already in their pocket,” says Farmer.
According to Farmer, across their installations credit and debit card payments are most common at 41%, followed by student ID card payments at 33% and cash accounting for 26%.
“It is our objective to accept whatever someone has in their wallet in order to increase revenues for campus auxiliaries,” says Farmer. “We’ve designed all of our payment terminals–vending, printer, point of sale–to accept credit, debit and campus cards.”
