Smart Card Solutions
A January 2013 study conducted by Deloitte predicted that throughout that year, more than 90 percent of user-generated passwords would be vulnerable to hacking. Related security research shows that a string of characters is not enough to protect against the ever-widening landscape of threats, both in the virtual and the physical world. A more robust solution is required to protect personal information, safeguard sensitive data, and secure buildings and assets.
Smart-card technology, a hardware-based security measure, is a rapidly growing market that offers an alternative to the traditional user name and password paradigm. The cards, normally plastic and the size of a credit card, are used for everything from identification and authentication to data storage and purchasing, enabled by a microprocessor that resides inside the card.
One of the chief uses of smart cards is for access control. Companies must adhere to industry standards for these microprocessors that control who goes in and out of their facilities. But it’s also important for an enterprise to invest in a system that can be changed over time as the technology evolves.
The smart chips that reside in smart cards are also being increasingly used for tasks beyond access control. Many financial institutions, for example, are migrating to smart chip technologies that allow their customers to complete mobile banking transactions securely. By storing user information in a chip located in the customer’s phone or on a Bluetooth device, rather than in one centralized location, a bank can better protect its customers’ information. The following is a look at how one insurance company upgraded its access control system on a global scale, and how a credit union in Wisconsin is turning to smart chips to enhance mobile banking security for its customer base.
American International Group (AIG) is a global insurance organization that serves commercial, institutional, and individual customers in more than 130 countries. Its corporate headquarters is located in New York City, with office locations all over the world. Following AIG’s repayment of the $85 billion in bailout money that it had received from the U.S. government during the financial crisis, there was a resurgence of employee pride, and an increased focus on what the company could do to make operations as efficient and productive as possible, explains Allen Viner, director of security technology at AIG. This renewed focus coincided with bringing AIG’s Chartis Europe Limited organization under the AIG Europe Limited name, and rebranding the company with a new logo.
During this major rebranding project, AIG decided to upgrade its access control systems to one uniform structure. The organization had planned to simply phase out the old technology and replace it as it became obsolete or inoperable, but the rebranding created an opportunity for AIG to upgrade the entire system. “There were more than 2,300 different access control platforms serving approximately 25,000 AIG employees throughout the world,” explains Viner. “Some areas of the company maintained many independent legacy access control systems at multiple locations, none of which worked together.” As part of the rebranding, AIG would need to rebadge everyone in its directory—approximately 25,000 employees.
Viner tells Security Management that this array of access control technologies across multiple AIG locations posed several problems. For example, AIG typically leases its office space, and different technologies were used throughout those various facilities. “The Paris office, as an example, might use MIFARE card technology, while the United Kingdom office might use 26-bit prox solutions,” says Viner. AIG wanted to use one smart card system across the globe. “This would make it easy for employees to use their badges when visiting AIG facilities anywhere in the world, while also unifying reporting metrics.”
In addition to having one uniform system for metrics reporting, the upgrade would allow AIG to centralize security, migrating from a lower-security 26-bit proximity card solution to a new corporate standard for access control based on high-frequency contactless smart card technology. This would improve security, flexibility, and adaptability, Viner says. “With the new system, AIG could also expand issuance options, so that the insurance institution had the choice to outsource large-volume card runs or to handle a certain level of badging locally, on its own,” he notes.
To further enhance security, AIG instituted a new policy: any facility larger than 10,000 square feet would need to have both an access control system and an IP-based CCTV surveillance solution. “If none existed, or the current one required refurbishment, then the organization would be required to install a new, higher-security system that met corporate policy and could be connected to the corporate enterprise system,” Viner says. “This meant that approximately 2,300 legacy proximity readers at 300 locations needed to be upgraded to the corporate standard.”
To meet its demand for security and efficiency, AIG ended up choosing a multi-technology card from HID Global. This card is based on HID Global’s iCLASS SE platform, which uses a secure messaging protocol to send smart card information to the host server that grants access. “The iCLASS SE platform also ensures AIG can easily adopt new access control technologies in the future,” notes Viner, which he says made it an attractive option. “AIG can now easily add new technologies and capabilities over time without having to overhaul its system, whether it’s adding applications to its cards, moving credentials onto smartphones, or other enhancements,” he says. For example, the iCLASS SE allows for multi-authentication options, including the use of biometrics, should a customer want to increase the level of security. AIG is looking to use biometrics for authentication in the future, says Viner.
AIG worked with Tyco Integrated Security to integrate the HID Global access control technology throughout its global locations. “Tyco has played a key role in helping us take a proactive approach to change in our access control infrastructure,” Viner says. “AIG has been steadily giving Tyco increased duties and responsibilities, including programming and testing at locations where the new access control system is being deployed, and a variety of software support and hardware maintenance functions.”
The initial rollout in November 2012 included issuing cards to roughly 25,000 employees. In the subsequent nine months, AIG issued another 5,500 cards. “The company expects all locations to be converted by 2018 and, in the meantime, hundreds of other locations worldwide are replacing their readers,” says Viner. “As more locations come online with the new system, it is becoming easier for employees to use their badges when visiting AIG facilities anywhere in the world.”
In the future, AIG hopes to migrate the smart-card technology to smartphones, a capability that the iCLASS SE platform supports. It is also exploring the use of smart cards for employees logging onto computers, and adding biometrics to the system to support multi-factor authentication in those areas that require higher security, says Viner. “We also want to further integrate our access control system with identity management to improve the process of on-boarding and offboarding employees so it is more convenient and secure,” he adds.
Viner says that, overall, AIG’s major corporate rebranding provided the trigger for upgrading its access control system, leading to improved security. “In addition to rebadging thousands of employees as part of the rebranding, AIG took the opportunity to move to a higher-security HID Global access control platform that has also future-proofed the company’s access control infrastructure,” he notes. He adds that AIG will easily be able to add new capabilities and technologies as time goes on, taking advantage of all the benefits smart cards have to offer.
While widely used for access control at the enterprise level, smart cards aren’t just about opening physical doors. Sometimes, those gateways are virtual in nature. Another application for the hardware inside of smart cards is securely logging onto sites where sensitive transactions take place, such as mobile banking.
One company developing this smart chip technology so that it fits easily into a mobile device is Tyfone. “We focused on building the technology so the smart card doesn’t fit in your back pocket or in your purse, but it’s actively connected to the device,” says Siva Narendra, CEO of Tyfone, explaining the name of its product—the connected smart card (CSC). The tech company recently implemented a pilot program at CoVantage Credit Union, headquartered in Antigo, Wisconsin, where a select group of 50 employees and banking customers are having the smart chips installed on their phones to complete limited mobile banking transactions.
“From a competitive advantage, our goal is to be that central wallet for our members and enable them to conduct whatever payments they need, to facilitate the ease of doing business,” explains Bob Van Abel, senior vice president and chief information officer of CoVantage. “We’re stretched across northern Wisconsin, which is an underserved area. The large banks don’t have a lot of interest in the communities we serve. But we do feel that we have a responsibility to our members…to provide secure banking and services.”
A couple of years ago, CoVantage started looking into providing a robust mobile banking solution for its customer base, to differentiate it from an Internet-based banking solution. “Mobile banking is our fastest growing channel and we’re committed to making that a fully viable solution,” Van Abel tells Security Management.
Van Abel says mobile banking transactions—like changing passwords or online IDs, moving money out of one’s account, paying bills, and transferring money from one account to another—are high-risk in nature. He points out that those transactions all represent threats to the way the typical password paradigm for mobile and Internet banking has worked in the past. “And that threat is what’s driving our commitment to working with Tyfone on developing this type of a technology so that we have a true multifactor and device-based solution that’s auditable so that we can tell where the transaction originated.”
In late 2013, CoVantage began working with Tyfone to roll out a pilot program to integrate Tyfone’s side-tap microSD card for near field communication (NFC) and contactless Europay-Mastercard-Visa (EMV) transaction processing. This smart chip technology for payment transactions recently came to light after the notorious hacking of point-of-sale units at Target stores, in which the payment card data of roughly 40 million Americans was compromised. Many security experts noted that replacing magnetic stripes on credit cards with smart chip technology would have prevented such a breach. (For more on the Target breach and the EMV payment method, see “Cybersecurity” in the April 2014 issue of Security Management.)
Narendra notes that storing customer data in one smart chip, which can communicate with the bank’s payment server, is much more secure than all that information residing in one central location. When a single hacking event happens, millions of identities can be lost at one time because it’s all consolidated in a single location, says Narendra. When information is stored on a smart chip, identities can only be stolen one at a time.
CoVantage customers participating in the pilot program receive a microSD card that they then insert into their smartphone. Any time they log onto the mobile banking site, they are authenticated through the smart card communicating with the server. All the information about the user needed to authenticate onto the bank’s network is contained within that tiny chip. The smart chip adds an extra layer of security through cryptography so that even on unsecure networks, such as public Wi-Fi, the data is still secured.
CoVantage has plans to roll out the smart chip to 4,000 customers with even more options for mobile banking, like person-to-person money transfers. Because the microSD card is not supported by as many smartphones as it was in the past, Tyfone is ironing out more form factors for the chip (specifically, the configuration and design of the device that houses the smart chip), including a Bluetooth keychain.
Van Abel notes that offering better service in today’s digital world means providing enhanced security. This philosophy ultimately led the company to select the Tyfone smart chip. “People don’t want to come in [the bank] and be hassled with doing a bank deposit or cashing a check—they want remote deposit. You want the ability to move those transactions. Good service is being able to support those transactions 24/7 when you need and want to have them done,” he says. And increasing security while offering that convenience is a smarter solution for everyone.
HOLLY GILBERT IS AN ASSISTANT EDITOR AT SECURITY MANAGEMENT.