Cryptography is vital, still many default to weaker card serial numbers
“Predominantly in our environment the contactless cards are being used in a secure fashion,” Gretz says. “We don’t recommend using card serial numbers, because the reason to move to contactless is added security. If you are paying the premium for a contactless credential, but deploy it in a manner where you are only reading the card serial number, you are not doing yourself any favors.”
The decision of what level of security is needed comes down to what the campus is trying to protect, NXP’s Nassar explains. “If a student ID grants access to secure campus facilities, you may want more than low-end type security,” Nassar says. “But if it is just used to get a discount or something, you may not need to be as careful.”
The thinking at Sarah Lawrence was that if they were simply migrating to another technology that would also be vulnerable, why not just stay on mag stripe, explains Lutz. “Instead of wasting time and money for just another vulnerable technology, we were determined to make it as secure as possible,” he says.
That concern for security is the unifying theme for campuses that are moving over to the full mutual authentication capabilities of contactless cards, Bartholomew says.
As more campuses expand into the contactless realm, many are finding innovative uses for the technology. The first applications that most universities jump on are access control and financial transactions. But other lower-security uses are also common. In every case, the choice between reading the card serial number and performing a secure transaction based on mutual authentication is relevant.
While residence hall access should always be a secure transaction, it can be argued that card serial number use would be sufficient for checking out a basketball in the rec center.
“We have an entire suite of secure contactless readers that campuses can deploy for any application,” says Blackboard’s Gretz. The student can use it for highly secure contactless transactions in a whole host of use cases.
As CBORD’s rollout at Sarah Lawrence progresses, the college is examining each potential use on a case-by-case basis. “Some of our contracts are coming up – laundry, copier, things like that – so we are including secure contactless readers in the new contracts,” Lutz says.
And then Sarah Lawrence will be a more secure campus.