There are a number of reasons for a university to consider changing its campus card whether it’s new aesthetic designs, new card technologies or a current system simply reaching the end of its intended lifespan.
Whatever the reason, however, when the decision involves a change of card technology, the contactless smart card always seems to be a topic of discussion. It’s a decision that many universities and colleges grapple with, weighing the pros and cons of a more robust card technology with the cost its implementation will require.
For many universities, the jump to contactless comes down to three main considerations. “It’s stronger card technology with encryption to prevent counterfeiting, additional functionality, and future proofing the campus,” says Brett St. Pierre, director of education solutions at HID Global.
Understanding the difference
Despite the more secure card technologies available to universities, many still rely on the so-called convenience technologies of mag stripe, bar code and prox.
At its core, the 125 kHz prox card is created for the purpose of convenience. It’s great for providing a student quick access to an academic building, residence hall or rec center, but it’s doesn’t have the same security capabilities of a 13.56 MHz contactless card.
“Proximity is a 30-year old technology that does not have security built into the communication,” says St. Pierre.
Like bar codes and mag stripes, the lack of cryptographic capabilities leaves proximity cards susceptible to cloning and counterfeiting. Smart cards – both contact and contactless – contain integrated circuits or chips that virtually eliminate the potential for card cloning via cryptographic controls. “With contactless smart card technology, you get a hand shake that is much more secure,” explains St. Pierre.
St. Pierre goes on to explain that contactless smart cards also provide the ability to store multiple identities or credential numbers. “Multiple identities can provide a university ID for use on campus, a medical center ID and third-party research labs,” he adds.
This flexibility enables a campus to tether additional functionality to its credentials beyond just physical access. “With contactless smart cards, you open the door to many more uses on campus, including physical access control, payments, library, logical access, mobile and transit functionality just to name a few,” says St. Pierre.
In addition to the added functionality, the ability to add multiple applications helps an issuer to future proof the system. Building in flexibility to address unforeseen needs that may arise during the life of the program, provides peace of mind and improves the overall return on investment.
Removing vulnerabilities at Northern Arizona
Northern Arizona University recently made the jump from prox cards to contactless smart cards. “As we became aware of vulnerabilities and limitations with proximity chip technology, we began to investigate options for a more secure and future-resistant technology,” says Joe Harting, systems administrator for campus services and activities at Northern Arizona University (NAU).
Last year, Northern Arizona was the subject of an on-campus demonstration wherein the university’s then-prox credentials were shown to be vulnerable to counterfeiting.
Harting says that he and the administration were aware of prox’s vulnerability to the “bump-and-clone” attack that made headlines, and that they had been making plans to migrate to contactless for some time. “Prox technology lends itself to cloning using inexpensive materials purchased on the Internet,” he says.
To better paint the picture, the bump-and-clone attack goes something like this:
Depending on the type of equipment used, a prox card can be read at varying distances, through wallets, purses, backpacks, etc. without the victim being aware their card was scanned. Once the prox data is read, it can be transferred to another prox card or prox-emulating device.
As long as the data from the victim’s card is identical, there is no need to decipher anything, says Harting. “Once the raw data from a credential is presented to a prox reader, it will treat it the same, whether it is the original credential or a clone.”
One of the security features of contactless smart cards prevents such attacks. By cryptographically challenging the card’s chip prior to any transaction, a reader can identify a cloned card and deny its attempted use.
While NAU was already planning a jump to contactless cards, the demo on campus expedited the transition. “We had no instances of anyone experiencing any theft or unauthorized access as a result of the vulnerabilities with prox, but we believe in taking a proactive approach to overall campus safety,” says Harting.
Handling the transition from one card technology to another is a case-by-case consideration, as each university has to make a decision based on how it wants to impact the student, St. Pierre explains.
As the name suggests, multi-technology readers can facilitate this transition, offering flexibility as the university navigates the issuance and re-carding process. These readers accept multiple card technologies – for example prox and contactless – to facilitate a transition over time.
“Installing multi-technology readers gives existing students the ability to keep their current card until they graduate, but lets the institution provision contactless cards for incoming freshman,” says St. Pierre. On the other hand, all cards can be reissued in mass. “A rebadge is a quicker transition, as everyone would receive the technology card in a short period of time,” explains St. Pierre. But it is often difficult to time such a transition in a campus environment.
NAU had installed multi-technology readers from HID – called multiCLASS – across much of its campus prior to the changeover. “We chose the multiCLASS reader, along with a multi-technology card – mag stripe, prox and SEOS (contactless) – to allow for as smooth of a transition as possible,” explains Harting. “The flexibility meant that we could turn off the portion of the new readers that accepted prox, leaving only the contactless portion on.”
Harting says that the university prioritized its facilities and performed a phased re-carding campaign accordingly. “Students living in residence halls were among the first re-carded, and as soon as we verified that all that needed access to a facility were re-carded, we switched those readers to only accept SEOS.”
The cards are just being used for physical access for now, Harting says. “In the future we will consider other functions such as attendance, event access and retail transactions,” he adds.
What will it cost me?
Simply put, re-carding an entire campus population is an expensive venture, but as St. Pierre explains, contactless smart cards have come down in price and are comparable to their proximity counterparts.
The overall cost of the credential was roughly 25% higher than what NAU had paid for prox, and the readers were comparably priced to readers we had in the field, says Harting. “One of the major cost considerations, aside from having to re-card our campus and trade out our readers, was the rest of our infrastructure – system controller boards, software, wiring and so on. That did not have to change at all,” he says.
While Harting admits that cost is always a consideration, there were other considerations that went into the decision at NAU. “The first was the degree of security provided compared to other credential technologies, and we also considered how we would best leverage our investment for long-term usability,” he explains.
Preparation and advanced planning will be key for universities contemplating a migration. “It is extremely important to start thinking about and deploying ways to migrate,” says St. Pierre. “When or if an incident happens, it’s much better for if there is already a working plan in place.”