Crytptography is vital, still many default to weaker card serial numbers
When students at Sarah Lawrence College replace a lost student ID card, they unknowingly get a little something extra in that card – added security.
Every new ID card issued by the Yonkers, New York-based college is now equipped with a contactless chip embedded within. “We are not fully contactless yet,” says Brian Lutz, associate director of systems administration for the school. “We are doing it slowly as people get new IDs. It has been a more gradual migration.”
A few of the college’s offices are already fully deployed, using contactless credentials to unlock all doors, and a new building was just brought online that is fully equipped with contactless readers throughout. The plan is to have the entire campus switched over within the next few years.
As they make this transition, Sarah Lawrence is doing something that many campuses in the country have neglected to do. They are transitioning to a mutual authentication-based, secure, contactless environment.
“We are spending a little more money to use the full mutual authentication, but we saw that investment as worth the added security,” Lutz says.
The vast majority of college campuses in the nation are nowhere near that level of security, says Grey Bartholomew, product manager of CBORD, the company deploying the new ID system at Sarah Lawrence.
“If you look at the customer base, 90% of college campuses are still using mag stripe,” Bartholomew says. “Then you look at the 10% who use contactless and probably 90% of those are using the card serial number only.” He says that only the other 10% of that 10% are using mutual authentication – taking advantage of the true security enabled by contactless technology.
Credential security comes in levels, says Sami Nassar, vice president of cyber security at San Francisco-based NXP Semiconductors. “If we look at the most basic form of ID, it would be to write the serial number for a card on a piece of paper and laminate that,” he says. “Obviously you can put the same name on another piece of paper, meaning you would have more than one, and this would be very easy to duplicate and not be very secure.”
[pullquote]90% of campuses still use mag strip and of the 10% using contactless, probably 90% of those are using the card serial number only. Only the other 10% of that 10% are using mutual authentication – taking advantage of the true security of contactless.[/pullquote]
Slightly more secure would be to encode that serial number within a barcode, mag stripe or a chip. But if you are simply storing a serial number in an unprotected manner, it can still be readily changed or replicated. So it is still very unsecure.
Up another level, you can store the number on the card in a manner that cannot be changed or cloned. And at the highest level, mutual authentication comes into play. Using mathematical algorithms, mutual authentication prohibits ID numbers from being shared until both the card and reader have proven they are valid and authorized to share data, Nassar says.
But even when systems are capable of using that high-level mutual authentication, some implementations – including many college campuses – opt not to use it. Instead, some default to a low security approach in which the card broadcasts its serial number to any reader it encounters.
“With just the card serial number, the reader is broadcasting and saying ‘hey, is anybody out there,’ and then if a contactless card comes along, the card sends its serial number immediately without getting that mutual authentication,” Bartholomew says.
While there are some security conscious outliers on college campuses, Bartholomew says the vast majority of contactless campuses are satisfied with the lower level of security. “It is the entry-level way to get into contactless technology without breaking the bank or investing in specific readers to enable mutual authentication,” Bartholomew says.
From the perspective of most campuses, contactless is a means to ease transactions, adding convenience rather than increasing security, he explains. “They are looking at it as a way to make the transaction faster and more convenient. Contactless cards give you that capability,” Bartholomew says.
When convenience is the goal, the serial number-only protocol seems to be enough.
But not all college systems rely on a broadcast serial number, says Dan Gretz, senior director for market development at Blackboard.