Campus ID News
Card, mobile credential, payment and security

Zombies might not be the typical badge holders on campus, but as the campus game known as Humans vs. Zombies spreads, we may see a new use for the student ID. This week at Case Western Reserve University in Cleveland, zombie students tried to tag human students to turn them into zombies, while humans defended themselves with Nerf dart guns.

Participants sign up online to play and receive a ‘human’ ID card. When a zombie tags a human, he claims his victim’s ID number and logs the kill online. The human then becomes a zombie and can join the hunt.

One zombie told a reporter for the Plain Dealer, “It’s a lot of fun … you meet people from every major and talk to people you would have never talked to.” And a faculty member added, “This school has a reputation of people sitting in their rooms doing chemistry homework so to see someone running around campus at full speed is good.”

Humans vs. Zombies first started at Goucher College in Baltimore but is now played on campuses around the world.

While the human ID at Case Western is not the official campus card, could this be the next application for our campus card system providers?


Some scoff at the idea of emerging biometrics, saying that the identification technology as a whole is still emerging. In reality, however, fingerprints have been used to identify criminals for nearly a century and around the world biometrics are used to gain access to buildings, get cash at ATMs and authenticate online transactions.

The days when biometric scanners were merely props in James Bond movies are gone. The North American market appears to be on the precipice of a change. Use cases for secure authentication are everywhere, and the technology foundations to enable biometrics have matured.

Re:ID editors spoke with a group of industry leaders to get their thoughts on what's coming in the biometric market. The individuals deploy and look at biometric systems every day and the emerging trends they identified were remarkably consistent. They include the rise of two formerly outlying modalities and the coalescence of biometrics and mobile devices for two distinct applications.

Trend: Vascular biometrics gets under your skin

Vein pattern biometrics is a modality that is garnering a lot of interest, says Rick Lazarick, chief scientist at the identity labs for CSC. Some large-scale test results show that both finger vein and palm vein biometrics are extremely accurate, he says, and possess some really important convenience attributes.

The modality is being used in ATMs throughout Japan as well as in Brazil and Poland. "The ATM implementations show that they have the capability to be used in large scale and mainstream applications," Lazarick says.

The Japanese ATMs use three-factor authentication for transactions–card, PIN and a vascular biometric, says Walter Hamilton, a senior consultant at ID Technology Partners and chairman of the International Biometrics and Identification Association.

The technology is starting to show up in North America as well. The Port of Halifax in Nova Scotia is using vascular technology for physical access control and Baycare Health System in Tampa, Fla. is using it for patient identification, Hamilton says.

"It works well, and based on independent testing, I see the technology being just as accurate as fingerprint for one-to-one matching," Hamilton says. "I also see the general population having fewer challenges submitting a good sample of their vein pattern in comparison to the problem some people have with fingerprints."

Some individuals have difficulty enrolling a usable fingerprint sample, Hamilton says. Very fine fingerprints are tough to pick up, and others may have damaged their fingerprints, making it difficult to capture an image and match it later.

Vein pattern biometrics use light to map the vascular pattern underneath the skin so the surface doesn't matter. Failure-to-enroll rates for vein pattern technologies are very low, Hamilton says.

Test results have shown that the technology is very reliable, adds Lazarick. "Many times vascular outperforms iris," he says.

It can also be viewed as a privacy-enabling technology compared to fingerprints, iris and facial, Hamilton says. Fingerprints leave a residue that can be lifted off a surface and potentially replicated.

"Some people doubt (fingerprint biometrics') ability for credentialing because there's a chance someone may copy a fingerprint from a glass," Hamilton says.

Since vein pattern records the pattern beneath the surface it's virtually impossible to covertly observe. "Unions and certain segments that would object to fingerprints would not object to vein pattern," Hamilton says.

Vascular is also touted as the hygienic biometric, Hamilton says. Typically with this technology a user places his hand or finger on a guide above the scanner whereas with contact scanners there is the possibility of germ transfer between users.

But there still are challenges vascular technologies will have to overcome, Hamilton says. Fujitsu and Hitachi are the two main vein recognition providers and each uses its own proprietary algorithm for matching. This means templates from a Hitachi scanner cannot be read by a Fujitsu scanner and vice versa.

This may change, however, as the National Institute for Standards and Technology is working on a standard for vein recognition. But, Hamilton explains, the work is in the early stages.

Trend: Iris gets a second look

Iris is the other modality that seems to be on the cusp of widespread deployment, says Bryan Ichikawa, vice president of identity solutions at Unisys. "Long distance iris recognition opens up whole new worlds and works very well," he says.

The U.S. Department of Homeland Security contracted Unisys to test the different long distance iris products last year. The test, says Ichikawa, showed that iris solutions from multiple vendors could be used for one implementation.

Long distance iris systems from Sarnoff and AOptix show tremendous promise, Lazarick says. "They are close to having something pretty phenomenal," he says.

"Mainstream iris adoption has already begun," says Dale Bastian, VP of Sales – Biometrics, AOptix Technologies. "There are many large scale, production and final stage testing deployments underway that demonstrate that important end-users have fully accepted the modality."

In the Middle East iris is being used for immigration applications and to track individuals expelled from the country, Hamilton says. Airports are also considering using iris for employee access control to secure areas.

"The data from real-world, large scale deployments will demonstrate that iris offers significant advantages over other modalities for appropriate applications," adds Bastian.

The real innovation that is bringing iris to the forefront is its newfound flexibility. In the past, iris capture required a user to precisely and purposefully place the eye in front of a camera. Newer solutions enable the images to be captured from long range, while the subject is in motion and even without his knowledge.

"Longer distance identification means that an officer no longer has to be close to a subject to identify him so there can be a larger safety buffer," explains Mark Clifton, Sarnoff's acting president and CEO. "Distance enables identification in large venues, perimeter control and discreet applications."

Additionally, Clifton explains that longer distance also enables one system to capture both the iris image and face image simultaneously, providing multiple modalities to improve accuracy, speed and ease of use.

Iris nullifies a lot of the hygienic concerns that people have with fingerprints. It also has the potential, like it or not, to be used for non-intrusive or surreptitious identification, as shown by a recently announced deployment in northern Mexico.

Trend: Biometrics going mobile

What may bring biometrics to the masses is its use in smart phones and mobile devices. These devices are being used more frequently for higher-value transactions, and steps need to be taken so they can be better secured. PINs and pattern-based applications exist, but many argue they don't offer the level of security that biometrics can provide.

Traditionally the topic of biometrics and handsets has centered on hardware, most often the integration of fingerprint sensors into the phone. Globally a variety of handsets have launched with built-in sensors, and early this year LG released the first model with U.S. availability.

But it is software-centric, not hardware-centric, biometrics that has the industry buzzing these days. Using the tools already built into phones, a range of biometric authentication is possible.

Adding biometrics to mobile devices could be relatively easy, says Cathy Tilton, vice president of standards and emerging technology at Daon. "The obvious (modalities) are face and voice," she says. "The devices already have cameras and microphones."

Adding iris to the mix wouldn't be much of a stretch either, adds Lazarick. "Without an additional infrastructure you could fuse them," he says. "As the functionality of these devices increases, the security of the transactions will more and more demand identity verification."

There is also the opportunity for multi-modal application via mobile devices. In a multi-modal environment, the system would take a score from a voice pattern, facial image and perhaps an iris image to determine if the individual is authorized to use the device or conduct the transaction, Lazarick says.

Getting acclimated to using the mobile device for biometric verification may be the biggest challenge. Because it is a one-to-one match, however, many of the issues that exist with large-scale one-to-many matches don't apply.

Because you are matching against a single known template, the captured image does not need to be as precise as it would to isolate a match from thousands or millions of templates in a one-to-many environment. "It's all manageable if you get used to using the device," Lazarick says.

And for most smart phones these features could be added with a software application and no additional hardware. "To coin a phrase, 'there's an app for that,'" Hamilton says.

Enabling biometrics on mobile devices will take away the need for people to verify identity at fixed locations, says Ichikawa. A credential could be stored on the mobile device and confirmed via facial recognition, iris, fingerprint or voice. "Once you create a level of mobility, you don't have to authenticate at fixed points," he says. "You can now identify them anywhere."

Trend: Law enforcement takes biometrics from the station to the streets

The next trend again matches biometrics with mobile devices, but this time leaves the realm of the consumer world for that of law enforcement. The days of being arrested and having your fingerprint placed on an inkpad and rolled onto paper are already history for many police departments. Paper-based collection has been replaced by electronic scanners in the station. But what's coming next is the extension of the capability to the street, says Tilton.

Mobile biometrics devices have been used by the military in Iraq and Afghanistan for years to identify insurgents and make sure only authorized individuals enter restricted areas. The devices are also becoming popular to confirm access to U.S. ports with the Transportation Worker Identification Credential.

While many of the devices used by military officials are dedicated for those purposes, there are different peripherals that can be added to the iPhone and other mobile devices so it can be used to check biometrics, Hamilton says. Most of these are aimed at law enforcement applications to enable officers to enroll and check biometrics in the field.

BI2 Technologies has a sleeve that works with the iPhone and can capture face, fingerprint and iris, Hamilton says. A number of law enforcement agencies are already using the system, he says.

At the same time companies providing systems to the military are releasing updated products with increased functionality. Analysts predict that these dedicated devices will be used for both military and law enforcement applications while add-ons build biometric functionality into other mobile devices such as smart phones.

Is it Biometrics 2.0?

While biometrics have been teetering on the edge of mass adoption for years in North America, the momentum may finally exist for widespread adoption.

Interestingly, the trends identified for this article suggest that it may be different modalities and use cases that ultimately provide the spark.

In the past, facial images and fingerprints were the modalities of choice, and most looked to physical security and one-to-many identification as the applications to drive adoption.

While these modalities and applications are certainly still important and even dominant, it may be this newer generation–call it Biometrics 2.0–that finally gives Sisyphus his much needed break from pushing the biometric rock up that adoption mountain.


 

Hitachi takes vein pattern to the masses

"Hitachi's VeinID finger vein scanners have been deployed since 2004 by major banks in Japan and more recently Poland," says Lew Iadarola, VeinID sales manager for Hitachi Security Solutions. "Some South American banks are conducting trials as well."

"In total we have more than 100,000 embedded modules in ATMs, time and attendance readers and other devices," says Iadarola. Another 100,000 of the company's USB-connected logical access readers have also been deployed for authentication to various networks and applications, he notes.

According to Iadarola, one of the largest use cases in the U.S. is with Konica Minolta's bizhub multi-function printers. The finger vein scanner secures document output in government, military and health care environments. Additionally, Japanese telecom giant KDDI has deployed more than 10,000 VeinID scanners for employee logon.

Rather than using the biometric to identify an unknown individual from a population, Iadarola sees vascular technology as ideal for operational biometrics. "Use the vein pattern to ensure the individual is who they claim to be and only then initiate the service, access or transaction," he says.

"Our focus with VeinID is one-to-one matching on a smart card or device," he explains. This comes from the company's historical preference to enhance privacy in public facing applications.

"Many of our large customers preferred to minimize the liability that comes with handling personally identifiable information by performing match-on-card transactions rather than storing information in a database," he says. Government integrators and end-users worldwide did not want to use the same technologies used and stored in databases by law enforcement.

"Some people want to buy a coke, rent a car, and pick up their prescriptions without providing something personally identifiable," he concludes. "People prefer to verify identity and walk away leaving nothing behind."


 

Sarnoff puts iris recognition on the move

Sarnoff Corp., a subsidiary of SRI, is a leader in long distance iris recognition technology. The company offers two models in its Iris On the Move (IOM) line: a walk-thru gate called the IOM PassPort and a small mountable unit called the IOM Glance.

"Sarnoff revolutionized iris recognition by providing longer distance, higher speed, and higher throughput than traditional systems," says Mark Clifton, Sarnoff's acting president and CEO. "We have improved upon systems that require you to be uncomfortably close," he explains, "and have enabled recognition up to 3 meters in distance while walking at a natural pace. Because of that we can process up to 30 people per minute."

The initial adopters include airports, banks, stadiums, construction sites, he explains, "any place where you have need to get people in and out very quickly."

AOptix gets up close with iris at a distance

AOptix Technologies, a Campbell, Calif.-based iris innovator, launched its first "iris at a distance" product, the InSight VM, early in 2009. "It puts the advanced adaptive optics technology of the original InSight into a new form factor appropriate for access control, immigration control and eGate applications," says Dale Bastian, VP of Sales – Biometrics, AOptix.

Immigration control is a key application being addressed by the InSight line. "We recently completed three highly successful proof-of-concept studies in the Middle East where the adoption of iris recognition for enrollment of deportation subjects and the screening of in-bound travelers is underway," he explains. "They demonstrate extraordinary results on key criteria including failure-to-acquire and failure-to-enroll rates, average time of capture and accuracy."

Leading the adoption of iris are national identity programs following closely behind immigration applications, Bastian says. He suggests that governments around the globe are evaluating iris recognition technology, which could lead to cooperation between governments to share methodologies creating more secure immigration and travel environments.


Mobile devices putting biometrics in your pocket

Animetrics is offering facial recognition for Android, Windows Mobile and RIM (Blackberry) operating systems. Using the phone's embedded camera, a facial image pattern is generated at the point of access and compared to the enrolled pattern to grant or deny access.

On the voice front, PerSay, a spinoff from Verint Systems; SecuriMobile, Palo Alto, Calif.; VoiceVault in the UK; and Germany's VoiceSafe all offer voice biometric solutions to secure mobile devices and transactions.

Other companies are using mobile biometrics to add an additional factor to out of band authentication solutions.

PhoneFactor, Overland Park, Kan., uses the phone as the second authentication factor, 'something you have.' They also use voice pattern biometrics via the phone to add the third factor, 'something you are,' to the authentication process.

When a user authenticates to a PhoneFactor-enabled site, he enters his username and password. The PhoneFactor technology calls the user's pre-supplied phone number. The user answers the phone and hits the #-key to affirm the transaction and only then is the online access granted. Additionally, a secret passphrase can be required for voice pattern recognition to further increase security.

Present at the National Association of Campus Card Users (NACCU) 18th Annual Conference, April 17 – 20, 2011 in Baltimore, Maryland. It is the most important event in the campus card industry and its quality relies on the presentations made by industry professionals like you.

The deadline for proposals from institutional members and corporate members is Monday, October 4, 2010. The proposal should include the session title, description and learning outcomes. Educational Sessions are 60 minutes in length and should include time for questions.

If you are interested in presenting, please visit http://www.naccu.org/2011/callforpresenters.htm for more information or to submit a proposal.  


Free webinar: Thursday, August 5, 2010 2:00 PM - 2:45 PM EDT

During this webinar, industry veteran Brad Jarvis of HID Global will explore the current and future industry requirements and challenges facing the physical and logical access control (PACs) market. The discussion is based on the Avisian, Inc. 2010 PACs market research study and provides revealing insights on next-generation physical access control systems along with the market drivers behind these trends.

This session will also provide beneficial tips on leveraging secure identity solutions to address rising security challenges, the growing need for higher levels of convenience, and customer demands for a lower total cost of ownership.

Presenters:
Brad Jarvis, vice president of product marketing at HID Global
Chris Corum, editor and publisher at AVISIAN Inc.  

U.S. attendee sees similarities and differences between American and European card programs

By Danny Smith, Vice President, ColorID

More than 120 university attendees traveled from all across Europe to Lodz, Poland to attend the 2008 European Campus Card Association (ECCA) Conference. As the only attendee from North America at this year’s conference, I wanted to share an overview of my experience.

ColorID has been a sponsor and has attended the ECCA conference since the inaugural conference in Waterford, Ireland in 2002. Each year attendance of the ECCA conference has grown and this year’s event set an attendance record.

The Technical University of Lodz hosted the conference. The university is one of Poland’s largest universities and serves a student population of more than 20,000. Michał Strzelecki of Technical University of Lodz was the main organizer of this year’s event. In addition to being well organized the conference had the right blend of exhibits, presentations and social/networking opportunities.

It is really interesting to see the common challenges between the U.S. and the European card programs. In the end it’s the same: we’re still trying to maximize the available card system technologies to their fullest. Our European counterparts face similar systems limitations and obstacles.

In North America, the National Association of Campus Card Users (NACCU) has done a tremendous job promoting and encouraging card system development by bringing institutional and corporate members together. The ECCA has taken a similar approach in this direction and it is really evident with the European Education Connectivity Solution (EECS) project.

Eugene McKenna of Waterford Institute of Technology, Ireland and Tor Fridell of Linkoping University, Sweden gave a presentation on the connectivity solution, which has been driven by ECCA, at the conference. The goal of this project is to provide standards, mobility and interoperability among European campuses. A comprehensive project proposal has been submitted for funding to the European Union (EU) and ECCA members are waiting to hear the outcome.

While there are many common characteristics between the European and North American card systems, there are also significant differences. For instance, it would be the exception to see a magnetic stripe on a student ID card in Europe. Most schools are using contact or contactless technologies and in some cases, both. Most of the contactless technology is MIFARE.

Also some countries, such as Croatia, Poland and Hungary, have national university ID cards that are mandated by their government. Several in-depth presentations were given highlighting these programs. I was surprised to learn that many of these ID programs are highly developed and a good number utilize “home grown” solutions involving contact or contactless technologies.

Overall, the ECCA membership is very much like the NACCU membership. Everyone is willing to exchange information, ideas and suggestions. The camaraderie of the attendees has grown each year and many attendees stay in contact throughout the year.

Next year the ECCA conference will be held on the coast of the Adriatic Sea in Croatia, hosted by the University of Zagreb. The specific details will be announced in the near future. The Europeans have embraced advanced technologies and are moving forward with solid applications and solutions. I’m sure you would find attending to be a worthwhile investment and will come away with new ideas and solutions.

Learn more information about ColorID & ECCA at www.ecca.eu / www.colorid.com.

By Jerry Banks, Co-author of RFID Applied

The issues of privacy and security, although interrelated, are different. With respect to RFID, we define these issues as follows:

Privacy: the ability of the RFID system to keep the meaning of the information transmitted between the tag and the reader secure from non-intended recipients.

Security: the ability of the RFID system to keep the information transmitted between the tag and the reader secure from non-intended recipients.

The issues have very different repercussions and different solutions. In a given environment, an RFID solution may pose security risks without affecting the issue of privacy. An example of this scenario is when a tag broadcasts its unique identification number in a consistent and unencrypted manner. This enables the tag to be detected by any reader that can decode the RF signal. If all that is read is the tag's unique identifier – and no association can be made to what that identifier means without access to the backend database that maintains the relationship between the tag IDs and the objects that they represent – there is no privacy issue. However, issues of traceability and inventorying may remain.

Traceability and inventorying relate to the ability of an unauthorized entity to read the identifiers sent by RFID tags without necessarily being concerned as to what the tag is affixed to or who/what is carrying it. In other words, just by capturing the signals emitted by an RFID tag, a third party could trace where the tag is or has been (traceability) as well as what tags have been detected (inventorying).

A standard EPC tag conveys information associated with a particular item, its model or product class and its manufacturer. Anyone with a standard EPC reader could get close enough to a shopper leaving a store to determine what products and what quantities were purchased. Furthermore, the unauthorized reader could track the shopper from a distance utilizing a high-powered reader.
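What an unencrypted EPC gives away can be seen by decoding one. The following is an added example, not part of the original article: it assumes the tags carry the 96-bit SGTIN encoding from the GS1 EPC Tag Data Standard (the article names no encoding), the function and class names are illustrative, and the sample reads are constructed.

```python
from dataclasses import dataclass

SGTIN96_HEADER = 0x30  # header byte that marks an SGTIN-96 EPC

# partition value -> (company prefix bits, company prefix digits,
#                     item reference bits, item reference digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}


@dataclass(frozen=True)
class Sgtin96:
    filter_value: int
    company_prefix: str  # identifies the manufacturer
    item_reference: str  # identifies the model or product class
    serial: int          # identifies the individual item

    def urn(self) -> str:
        return (f"urn:epc:tag:sgtin-96:{self.filter_value}."
                f"{self.company_prefix}.{self.item_reference}.{self.serial}")


def decode_sgtin96(epc_hex: str) -> Sgtin96:
    """Split a 96-bit EPC into the fields any compatible reader can see."""
    raw = bytes.fromhex(epc_hex)
    if len(raw) != 12:
        raise ValueError("an SGTIN-96 EPC is exactly 96 bits (24 hex digits)")
    value = int.from_bytes(raw, "big")
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 header")
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    body = (value >> 38) & ((1 << 44) - 1)   # company prefix + item reference
    company = body >> ir_bits
    item = body & ((1 << ir_bits) - 1)
    serial = value & ((1 << 38) - 1)
    if company >= 10 ** cp_digits or item >= 10 ** ir_digits:
        raise ValueError("field does not fit its decimal width")
    return Sgtin96(filter_value,
                   str(company).zfill(cp_digits),
                   str(item).zfill(ir_digits),
                   serial)


def what_a_reader_learns(epc_hexes):
    """Group serial numbers by (manufacturer, product class).

    No backend database is consulted: products and quantities fall out of
    the tag data alone, and each serial stays unique to one physical item.
    """
    seen = {}
    for epc_hex in epc_hexes:
        tag = decode_sgtin96(epc_hex)
        key = (tag.company_prefix, tag.item_reference)
        seen.setdefault(key, []).append(tag.serial)
    return seen


# Constructed sample reads: two items of the same product, different serials.
SAMPLE_READS = ["3074257BF7194E4000001A85", "3074257BF7194E4000001A86"]

if __name__ == "__main__":
    for (company, item), serials in what_a_reader_learns(SAMPLE_READS).items():
        print(f"manufacturer {company}, product {item}: "
              f"{len(serials)} item(s), serials {serials}")
```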

The issue of privacy

RFID is an excellent technology for object tracking. In this case, we can define an object as a physical asset that occupies 3-dimensional space. This means that the whereabouts of any physical object (including animals and humans) can potentially be tracked within the scope of the RFID infrastructure. As RFID technology development progresses, this scope can become larger and larger.

This fact has raised many questions and concerns from people because of the potential invasion of privacy that can be attributed to RFID technology. But, before we get deeper into the privacy issues and their repercussions, let's look at a few examples of what privacy advocates and the concerned public claim can go wrong with the use of RFID technology.

Tracking consumers by the products they buy

Consumer and privacy advocates have closely followed the deployment of RFID enabled solutions in the supply chains of major retailers such as Wal-Mart, Tesco, Target and others. They contend that by using the same technology adopted by the retailers to track individual items through their supply chains, consumers could potentially be tracked after buying the merchandise and leaving the retail stores.

Tracking travelers by the passports they carry

The U.S. government has made a decision to implement contactless chips in U.S. citizens' passports. These chips contain the passport holder's information as well as a digitized picture of the holder. Initially, the U.S. Department of State's proposal did not include any security protocols. The information would be contained unencrypted within the passport's chip. Therefore, anyone with the right reader technology could potentially scan a traveler's passport, perhaps while still in the traveler's possession, and obtain personal information. This, it is argued, could help terrorists, thieves or others to determine the traveler's identity or nationality.

After much negative feedback from the public and different organizations the Department of State changed its proposal and added 3 layers of security:

  1. Encryption: The information would be encrypted in the RFID chip.
  2. Access Control: The key to decrypt the data would be encoded in the passport and could only be obtained by scanning the passport with an optical reader. The passport reader would then decrypt the information using that key.
  3. The passport covers would contain a metallic mesh that would create a Faraday Cage, essentially rendering unreadable the RFID chip when the passport covers were closed.

Security experts still raise a debatable issue relating to the fact that the chip's unique identifier can be read by any reader since this falls below the layer of protection provided by the encryption methodology. This could create an issue of passport traceability.

Tracking readers by the library books they check out

Many libraries, primarily in Europe, have implemented RFID technology in their operation. In the most advanced scenario, the idea is to tag every book in the library with an RFID chip and allow patrons to "automatically" check out the books by means of carrying an RFID tag and making the proper association of books-to-patron as the patrons exit through the checkout portal. Privacy groups contend that patrons' right of privacy could be violated by someone with the proper technology within close proximity of the patrons. This would allow the malicious person to determine what books have been checked out by the patron.

The conspiracy theory

The most aggressive privacy concern groups claim that governments could potentially gain access to all commercially controlled RFID databases and, therefore, have full access to the consumer, travel, and general habits of its population. Or governments could achieve this by deploying wide-area RFID infrastructures where all the activities of its citizens could be tracked, from what they buy, to what they read, to where they travel, to what they watch on videos.

The issue of security

Initially, commercial applications of RFID did not emphasize security. RFID readers and tags communicated with each other using open, unencrypted messages. Even today, most RFID readers and tags transmit information without any encryption.

There are a few reasons why this has been the case:

The fundamental issue is that in order to create a widespread market for RFID, the cost of its infrastructure must be kept to a minimum. This fact limits the complexity of the tag, thus limiting its capability to process information. So the dilemma of how to create a secure RFID infrastructure remains an elusive target.

RFID security threats

High security RFID systems should have the ability to guard against the following categorized security and privacy threats:

Eavesdropping

RFID tags are designed to transmit stored information to an inquiring reader. This allows unauthorized users to scan tags by eavesdropping on the wireless RFID channel. The unrestricted access to tag data might reveal private information if it is stored on the tag.

Spoofing

If the security protocol used in the RFID channel is revealed, attackers can write blank RFID tags with the same formatted data that has been collected. For instance, dishonest persons could replace the RFID tag on an item to get a cheaper price when checking out from a supermarket.

Relay Attack (also known as Cloning)

Relay devices can intercept and retransmit RFID queries. With this kind of device, offenders can abuse various RFID applications by replaying the data in order to imitate a genuine data carrier.

RFID security methods

There have been many proposals put forth that aim to create a secure RFID environment. Some of these rely on encryption algorithms, some on cleverly designed communications schemes, and others on taking advantage of the basic physical properties of RFID communication.

Faraday Cages

This is a relatively low-tech approach to the issue of RFID security. Faraday cages are based on the principle that meshes made of certain metals provide a natural barrier to radio waves. It is the same principle that creates one of the challenges for the application of RFID. While extremely effective, this solution requires a conscious, manual action in which the user must cover and uncover the tag every time he or she wants the tag to function. This method does not offer any protection when the tag is not within the Faraday cage.

There are, however, some applications where a Faraday cage may make sense. The use of a Faraday cover on a passport is one that probably works well for most users since passports are usually only open when they need to be presented. For product RFID, however, a Faraday cage is likely cost prohibitive.

Limited Range Transmissions

This method relies on the attenuation of the RF signal so that it can only travel a few centimeters. The assumption is that an unintended reader would have to be in close proximity to the tag and therefore probably easily identifiable. Actually, this is a very weak method for security protection. Imagine a person carrying products with limited range transmission RFID tags at rush hour in a subway. It is probably next to impossible to avoid potentially malicious persons with readers getting very close.

KILL Command

The KILL command renders the tag unreadable. This is a command built into the chip that can be activated from a reader at the point of sale. In order to execute the KILL command, the reader must transmit a PIN to the tag to ensure that it has the right control access.

Although extremely effective once the command has been successfully executed, it presents two major limitations:

It is not effective until the command has been executed. This means that it must be combined with some other solution to provide protection during the lifecycle of the tag.

It prevents use of the tag for future applications after the item has been sold.

To illustrate this, imagine the following scenario. Richard, a techno-savvy consumer, chooses to buy the latest model of a washing machine which incorporates RFID functionality. The great thing about the washing machine is that it can use its embedded RFID reader to detect what garments have been placed in it by reading the RFID tags embedded in the garments. This information enables the washing machine to automatically control the temperature settings and washing mode so that the delicate garments are not damaged. However, if the articles that Richard bought at his favorite clothing store implemented the KILL commands, Richard would certainly complain about the inconvenience presented by the washing machine not being able to identify the garments.

Admittedly, this is not the most tragic scenario that one could devise, but it portrays the issue at hand. The KILL command can severely limit the functionality and applications of RFID downstream from the point of sale.

SLEEP Command

The SLEEP command is a more commerce-friendly proposal, put forth to answer the shortcomings cited in the KILL command proposal. Instead of killing the tag at the point of sale, this proposal renders the tag temporarily inactive until the consumer physically reactivates it. The fact that the tag must provide a way for a consumer to reactivate it creates problems of its own. For instance, imagine when Richard (from the previous example) returns to his home after an afternoon of clothes shopping. In order to achieve the benefits of his RFID-enabled washer, he would have to physically reactivate each tag.

Clip Tags

This approach, introduced by IBM, provides a seemingly simple, yet effective solution to minimize tag recognition from standard read distances. The procedure uses a tag with a full antenna that can be clipped at the point of sale by the consumer in order to reduce the span of the antenna and therefore reduce its readable range from a few meters to only one or two centimeters.
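The trade-offs among the Faraday cage, KILL, SLEEP and clip-tag methods described above can be compared by walking one tag from shelf to subway to home. This is an added example, not code from the article; the PIN value, the 300 cm and 2 cm read ranges, the reader distances and all names are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    ASLEEP = "asleep"
    KILLED = "killed"

PIN = b"\x12\x34\x56\x78"  # constructed kill PIN shared by issuer and checkout reader

@dataclass
class Tag:
    kill_pin: bytes
    range_cm: float = 300.0      # assumed full-antenna read range ("a few meters")
    state: State = State.ACTIVE
    shielded: bool = False       # True while inside a Faraday cage

    def kill(self, pin: bytes) -> bool:
        """Irreversible, and honoured only if the reader presents the right PIN."""
        if self.state is not State.KILLED and hmac.compare_digest(pin, self.kill_pin):
            self.state = State.KILLED
            return True
        return False

    def sleep(self) -> None:
        if self.state is State.ACTIVE:
            self.state = State.ASLEEP

    def reactivate(self) -> None:
        """The consumer's physical reactivation; a killed tag stays dead."""
        if self.state is State.ASLEEP:
            self.state = State.ACTIVE

    def clip(self) -> None:
        """Clipped antenna: range drops to about two centimeters."""
        self.range_cm = min(self.range_cm, 2.0)

    def readable(self, reader_distance_cm: float) -> bool:
        return (self.state is State.ACTIVE and not self.shielded
                and reader_distance_cm <= self.range_cm)

def evaluate(measure: str) -> dict:
    """Walk one tag from shelf to subway to home under one countermeasure."""
    tag = Tag(kill_pin=PIN)
    seen = {"shelf_stranger_100cm": tag.readable(100)}   # before point of sale
    if measure == "kill":
        tag.kill(PIN)
    elif measure == "sleep":
        tag.sleep()
    elif measure == "clip":
        tag.clip()
    elif measure == "faraday":
        tag.shielded = True
    seen["subway_stranger_100cm"] = tag.readable(100)
    seen["subway_stranger_1cm"] = tag.readable(1)
    if measure == "sleep":
        tag.reactivate()          # manual step the consumer must perform at home
    elif measure == "faraday":
        tag.shielded = False      # consumer uncovers the tag at home
    seen["home_washer_1cm"] = tag.readable(1)
    return seen

if __name__ == "__main__":
    for m in ("none", "kill", "sleep", "clip", "faraday"):
        print(f"{m:8}", evaluate(m))
```

Every row shows the tag readable on the shelf, since none of these measures applies before the point of sale, and the clipped tag is still readable by a reader pressed close in a crowd.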

As you can see, there are many challenges to creating a secure and privacy-enabling RFID solution. There are, however, a variety of technologies and mechanisms in place to assist issuers and consumers. Certainly, we are only beginning to understand the challenges and the solutions to this complex technological and societal question.


This article is part of an ongoing series that explains the principles of RFID. It was created for RFIDNews by Jerry Banks, Tecnologico de Monterrey, Monterrey, Mexico, one of four co-authors of RFID Applied, John Wiley, 2007, ISBN-10:0471793655; ISBN-13:978-0471793656.

A series of free seminars covering card-related topics including off-campus merchant rollouts, electronic financial aid delivery, and credit card tuition payment acceptance will take place in cities across the country. The newly announced series titled, “the future of campus payments,” is being offered by Heartland Payment Systems, recent buyer of General Meters and provider of a cell phone payment solution at Slippery Rock University.

During the next 6 weeks, the free events will be held in Pittsburgh, Dallas, Orlando, Philadelphia, Chicago, Minneapolis, Boston, New York, Los Angeles, Seattle, Raleigh, and Denver. To check out the agenda and consider registering for these one-day free events, click here 

Higher One is working with Intuit, maker of financial software package Quicken, to build “unique solutions to help students” with financial education. Beginning in February, students will be able to access Quicken Online to use in tandem with their Higher One accounts.

Quicken Online enables students to keep track of their finances

New Haven, CT – January 2, 2008 - Higher One, a financial services company focused exclusively on higher education, will work together with Intuit’s Quicken, the industry leader in personal finance software. The two will work in concert to develop unique solutions to help students get the early best practices about financial management and succeed in the future.

“We are always looking for ways to help teach students how to better understand their finances,” explained Dean Hatton, President & CEO, Higher One. “It is important for us, as a financial services company serving higher education, to assist students as many begin to use banking services for the first time. Higher One is very excited to work with Intuit to deliver Quicken Online to students.”

Higher One’s Refund Management capabilities enable Colleges and Universities to distribute refunds to students electronically. The service streamlines the disbursal process and provides students with a more convenient means for receiving refunds. With Higher One, students also have the ability to open a fully functioning, FDIC-insured checking account known as the OneAccount. Linked to a Debit MasterCard®, students can use the OneAccount to purchase items anywhere MasterCard is accepted.

With increased enrollment in institutions of higher education and Colleges and Universities offering a vast array of financial services to these students, teaching students fiscal responsibility has become increasingly important. Thanks to Quicken Online, students can now use this powerful software to help track their finances and manage their financial well being.

Students will be able to access Quicken Online via www.higherone.com beginning in February of this year.

About Higher One

Focused exclusively on higher education, Higher One provides Refund Management to higher education institutions and banking services to members of their community through a card based solution. Higher One’s integrated solution helps its clients reduce administrative costs, streamline business processes, create new revenue streams, increase student customer service and strengthen the campus community. Higher One’s OneDisburse® provides students with more choices and better services for receiving financial refunds and payroll. Higher One also offers a suite of banking services called OneFinanceSM, which includes the OneAccount, a no minimum balance, no monthly fee checking account with the OneCard, a Debit MasterCard® for ATM withdrawals and purchases, and exclusive features such as “Send Money”, Easy RefundSM, and Campus AutoLoad. The OneFinanceSM and OneDisburse® solutions can be integrated with the institution’s ID card or provided through a separate “refund only” card.

To date, Higher One has disbursed $3.2 billion dollars in refunds for its clients. Almost 1,000,000 students, faculty, and staff at distinguished public and private higher education institutions use Higher One’s services through their ID or refund card.


“It’s no longer simply about putting a photo on a white piece of plastic,” says Ryan Park, Fargo Electronics’ director of product marketing for secure printers/encoders. “It’s just not secure. Unfortunately, that represents a lot of the ID vehicles out there today. There are very few applications in the ID card world that don’t have a need for security.”

The need for greater security in the issuance process is what’s driving Fargo today. “Two years ago, we (Fargo) decided to step off the path, to not be a printer company anymore but a secure card program producer. We’re looking at all the places, cradle to grave, that could be vulnerable. Our message as a company is that we’ve expanded from printers to helping our customers issue secure credentials. In a post 9-11 world, we’ve seen a rapid increase in ID theft. Previously, we’ve focused on our printers, simply putting photos on cards. We now also want to be the best at securing the entire process.”

He said there are three elements to security: “The printer you choose, securing the card itself and having the process and personnel in place for when it comes out of the machine.”

Printer

As to the printers themselves, many have their own security features, he said, such “as the ability to load cards into the machine, then lock the access doors, or the ability to lock up the materials section of the printers so operators can’t access them.”

Some Fargo customers have gone so far as to bolt the printer to something immoveable, like a vault. “One of the things we’ve learned is you can have all the alarm bells in the world, but if someone is willing to crash a truck through a wall, you want to bolt the printer to something that can’t be moved,” said Mr. Park.

He calls it “lock and bolt. It’s your best defense.”

Another solution: “Give your printer some business rules,” he said. “For example you could define at what hours should the cards be produced. We know that cards being produced on the weekend may still be legitimate, but it’s something we need to know about. Or you can determine which operators can physically use the product. The printer can periodically ask for code words that only certain parties should know.”

He said there are a “handful of features where a printer can be self-aware. You can set it up so every time a job is produced, a password is needed. Or you can use biometrics, where the operator might have to give his thumbprint. But at the same time, you might have this bad person in the office and you want to prevent him from grabbing the materials so he can produce an ID outside the office. That’s where something like a secure vault comes in handy. You make sure the cards are locked up in the printer. Outside the printer you need to do inventory counts.”
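The business rules and inventory counts described above can be expressed as a review pass over a print-job log. This is an added example, not Fargo's software; the operator IDs, the 08:00 to 17:59 issuance window, the log records and the function names are all constructed for illustration.

```python
from datetime import datetime

APPROVED_OPERATORS = {"op-anna", "op-ben"}   # hypothetical operator IDs
WORK_HOURS = range(8, 18)                     # assumed issuance window, 08:00-17:59

# Constructed print-job log: ISO timestamp, operator, blank cards consumed
JOBS = [
    ("2024-03-04T09:15:00", "op-anna", 40),   # Monday morning
    ("2024-03-05T14:02:00", "op-ben", 25),    # Tuesday afternoon
    ("2024-03-09T11:30:00", "op-anna", 10),   # Saturday
    ("2024-03-11T23:47:00", "op-ben", 5),     # Monday, late night
    ("2024-03-12T10:05:00", "temp-07", 12),   # operator not on the approved list
]

def review_jobs(jobs):
    """Return the jobs that break a rule, with reasons. A flagged job may still
    be legitimate; the point is that someone is told about it."""
    findings = []
    for ts, operator, cards in jobs:
        when = datetime.fromisoformat(ts)
        reasons = []
        if when.weekday() >= 5:               # 5 = Saturday, 6 = Sunday
            reasons.append("weekend")
        elif when.hour not in WORK_HOURS:
            reasons.append("after-hours")
        if operator not in APPROVED_OPERATORS:
            reasons.append("unapproved-operator")
        if reasons:
            findings.append((ts, operator, cards, reasons))
    return findings

def inventory_gap(loaded, jobs, counted_remaining):
    """Blank cards unaccounted for: loaded, minus logged use, minus physical count."""
    return loaded - sum(cards for _, _, cards in jobs) - counted_remaining

if __name__ == "__main__":
    for finding in review_jobs(JOBS):
        print(finding)
    print("cards unaccounted for:", inventory_gap(100, JOBS, 5))
```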

Securing the Card

“The first thing you have to identify is what are the truly sensitive pieces of the process,” he said. “Are you a university utilizing a tamper-proof hologram? While anyone can buy a card printer, a hologram is something you can control.”

The purpose here – whether at a university, a major corporation, or as a federal agency or one that is supplying the feds – is to make the card counterfeit-resistant.

“At the very highest level, such as with a government agency, you want to control the movement of your hologram at all stages,” said Mr. Park. “For example, a hologram could be shipped by armored car, controlling the entire process. These are services we offer for very sensitive applications.” He said the street figure for these kinds of holograms would reach six figures, which is why securing them is so important.

Process and Personnel

“You’ve got this fantastic card you’re producing with smart encrypted chips and holograms, but you’re using temp labor to produce the cards, and all of a sudden 1,000 cards end up on the black market,” said Mr. Park. “You actually have to secure the production of that card.”

With cards that are instantly produced, “you’re basically postponing production of the card as long as feasible so the card is produced and given to the customer as soon as possible. It’s encoded in the machine and it goes directly to you. Once it’s produced, it’s now a valid entity. The more you can shrink that time the more secure it is.” Driver licenses are a good example. Some states utilize a central issuance facility, while most instantly produce the licenses and distribute them right away to applicants, he added.

“We’re talking about back-end production, but it’s very critical at the front end, too,” he said. “A driver license can be produced in a valid way but you could still end up with a forged driver license.”

The chain and its weakest link

As the old saying goes, a chain is only as strong as its weakest link. When it comes to issuance of secure identity credentials, the chain involves securing the printer, the card, and the process. To improve your issuance security, make sure all three are evaluated on a regular basis.

Colleges have other options for cell phone alerts, of course. They could go off campus and hire a company specializing in text messaging. That’s what Rave Wireless and Mobile Campus are offering to universities.

Rave offers what its COO, Raju Rishi, calls “an alert solution, which basically gives the university the ability to get emergency broadcasting to the entire school or a subset of the school (like students who live on campus), whether it’s about a gas leak or orientation. The university pays us for that capability yearly. We tie into Blackboard (campus card solution),” he added, “so we don’t have to recreate the lists.”

This alert solution costs a college about $10,000 a year. “It gives students unlimited text messaging plans,” added Mr. Rishi.

He said the plan works with all cell phone carriers, email, and web mail. So if the student doesn’t have a cell phone, he can still receive an email alert.

Rave also offers a full-blown cell phone solution called Rave Campus that is tied to a specific carrier. At Atlanta-based Mercer University, Rave Campus recently announced a tie-in with Sprint. “With this you get additional features like really reduced phone rates and other options,” said Mr. Rishi. And of course, the program includes the emergency text notification feature.

“Rave Alert is designed to work with any cell phone. Rave Campus is designed around a (specific) phone model (and carrier),” he added.

The company currently serves about 25 campuses, about half of which use just Rave Alert and the other half Rave Campus. By the end of the year, Mr. Rishi said he expects to have 60 or 70 campuses in one or the other program.

While Rave’s alert feature is nice, said Michael Belote, Mercer’s vice president of information technology, that’s not the reason the Macon, Ga.-based school went with Rave. “Most students are into instant communication instead of email. They’re using MySpace, Facebook and text messaging. We’re just adapting our communications technologies to meet the needs of today’s students.”

In fact, the decision to go with Rave, and its enhanced text messaging features, came in March, about a month before the Virginia Tech shooting.

“There is certainly a safety component of Rave Wireless but we see a lot of value in some of the applications that Rave provides in building the community, enhancing student learning as well as the safety features,” added Mr. Belote.

The phones are free to students and the $32.50 base plan includes unlimited text messaging, free nights and weekend calls and unlimited calling using Mercer’s Mobile Network, explains Mr. Belote. Full deployment is expected to take place this August, in time for fall enrollment.

He said if a student decides to keep his existing phone, he can still sign up with the college to receive emergency or other types of text messaging alerts.

Mobile Campus uses advertising to support free alert messaging

Another option is Mobile Campus, Atlanta, GA. It offers free text messaging to university students in exchange for the students agreeing to receive advertisements a couple times a day.

Jim Ryan, president and CEO for Mobile Campus, said the company gives university administrators a web-based interface to communicate with students.

“The first thing you need is for students to opt in to receive the messages. Probably the most effective means to reach your students is via SMS,” said Mr. Ryan, former head of AT&T’s wireless data services division. “When Virginia Tech happened, people became more interested in SMS as a way to communicate with their student bodies and we got a lot of calls.”

In a perfect world, that would be all that’s needed. But cell phones aren’t perfect. “The challenge is we don’t own the SMS infrastructure,” said Mr. Ryan. “All we can do is place the message out there for delivery. But (carrier) capacity and various other challenges will determine how long it will take to get the message to the individual,” he said.

Text messages delivered around the country shouldn’t be a problem, “but when you’re delivering SMS in a given geography, when you try to send 30,000 messages through one cell site, that’s when you run into capacity (problems),” he added.

That’s why he believes universities should concentrate on delivering “something that’s multi-modal–text messaging and email–so if one fails, the other works,” he said.

While Mobile Campus’ text messaging service can reach “a significant portion of the student body,” says Mr. Ryan, “we don’t have to reach 100% of the students to get the message out. Even if you hit 40%, the rest will know pretty quickly simply by word of mouth.”

He said 14 universities have signed so far with Mobile Campus and “we’re actively seeking to serve another 11. We expect in the fall to have quite a large constituency signed up.”

The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com
©2025 CampusIDNews. All rights reserved.