In our unsettled but technologically sophisticated world, facilities, networks and personnel are exposed to more identity-related security vulnerabilities than ever before. For many, the first line of defense against these threats is the implementation of a secure ID card system.
ID cards are becoming extremely sophisticated, with biometric technology and embedded microprocessor chips that track time and attendance, facilitate monetary transactions, and enable or prevent access to buildings, rooms and even personal computers. While IDs can make these common functions easier and more efficient for qualified employees and guests, they also enhance the security of these individuals. Companies that embrace advanced ID card systems are able to reduce many of today's identity-related security vulnerabilities, including the loss of time, money and lives, while providing convenience.
Where Are Companies Vulnerable?
Points of Access
Access control is often the primary reason organizations adopt identification card systems. For some companies, a simple photo ID card is all that is needed. For others, the robust security offered by smart cards and the flexibility to incorporate multiple applications and functions, either now or in the future, ensure a higher level of comfort than ever before. By ensuring that only authorized cardholders are granted access to protected areas, all constituents will feel greater freedom to work, shop or learn in their daily environments.
Protecting employees against unauthorized intrusions is just one of a company's responsibilities today. For some organizations, the level of protection extends beyond employees to the whole community. The Wisconsin State Laboratory of Hygiene is a public health and environmental laboratory that, among other functions, performs bioterrorism testing of materials such as anthrax. Prior to September 11, 2001, anyone could enter the building, located in the middle of the University of Wisconsin campus. Now anyone who needs access to the lab must show an authorized identification card.
The Internet has increased the power of computer networks enormously. At the same time, advances in both wired and wireless technology mean employees and customers can interact with networks 24x7, whether inside a headquarters location or at a remote "virtual office," retail location or hotel room. This has multiplied the opportunities for corruption by providing tools to those who seek to damage or alter corporate computer systems or steal individual identities. Securing access to an IT infrastructure has risen in importance, and implementing a secure solution is no longer optional.
Many networks are secured with passwords alone. Simple passwords are vulnerable in a number of ways: people tend to write them down as reminders and place them where they can be found by unauthorized employees; passwords are easily cracked through relatively simple searches; passwords can easily be shared when a second authenticator (such as an ID) is not required. These password systems are rapidly being replaced with sophisticated authentication systems, many of which start with an ID card. ID cards, especially those with smart card technology, can provide single-use access or administrative control. They can track network users and activities as well as allow secure file sharing within or between organizations. Not surprisingly, there is a growing demand for smart card readers that plug into personal computers to provide that extra level of security.
Security and privacy often go hand in hand. From customer credit card numbers to employee payroll data to insurance beneficiary information, companies need to protect data that is critical to their business. This is especially true in the health care market. The Health Insurance Portability and Accountability Act of 1996 encourages the move to electronic systems and mandates that systems guarantee privacy and security of patient information. Consequently, health care facilities are beginning to use smart cards, proximity cards and biometrics to secure their computer networks.
For most companies, time is money. Not keeping an accurate record of employee time and attendance is tantamount to watching money walk out the door. At the J.C. Penney distribution center in Forest Park, Georgia, managers keep careful watch over which products go to which customers on which days. The company also manages data related to its employee productivity with the same degree of detail, working hard to prevent intangible losses, such as time and efficiency. Using a simple card with a bar code on the back, the distribution center managers not only track employee time and attendance, but also collect valuable information for the loss prevention staff. They can tell how many times an employee has gone past a point of entry for an authorized or unauthorized break. Managers are alerted by the system if someone attempts to enter the building outside of his or her assigned shift. They also can view employee photos to immediately verify identity, or display an individual's appearance to authorities.
Money vulnerabilities often can be traced to inefficiency. Transit organizations are excellent examples of how revenue streams can be enhanced with automated collection systems. As a government buyer, Metro Transit, a unit of Minneapolis/St. Paul's Metropolitan Council, was obligated to look for cost effectiveness in its purchase of a printer to produce 20,000 two-sided cards per year. Bringing inside the production of its Metropass cards for bus and light rail transit improved the security of the cards and saved the organization money.
Colleges and universities provide another example of using ID systems to reduce money vulnerabilities by enabling and controlling student and staff purchases. Some college ID cards provide not only identification and access, but also debit privileges in food service areas, bookstores, vending areas, laundry, printing services and library checkout. Vulnerabilities are reduced because the cards provide secure transactions and lower the risks associated with currency exchanges.
What Technologies Can Reduce Vulnerabilities?
An important part of reducing identity-related security vulnerabilities is identifying the appropriate technology for each application. Today, the choices are wide and varied.
Basic Visual IDs
The principle behind basic visual identification cards is simple. If someone doesn't have a badge, they don't belong. If they do have a badge, their authorization can be quickly verified.
A basic element of a secure card is a color photograph. Being able to authenticate a cardholder by matching the photo on a card to the person carrying it provides low-tech visual security. From a design perspective, the larger the photo, the easier it is to authenticate the cardholder.
Some organizations choose to print ID cards that are larger than standard, making it easier to visually identify employees, members or guests from a distance. A specialty printer is needed to produce oversized cards.
Magnetic encoders can transfer digital data onto a magnetic stripe. Magnetic stripe card technology is ideal for industries with low data storage needs. Cards can be encoded with updatable information about access privileges, membership status and employment history. A decoder reads the data and translates them for later computer processing.
Bar codes provide an inexpensive method of encoding text and collecting data rapidly and accurately. Bar codes are typically used to provide an index to more complete information in a database. Digital signatures can also be added for comparison to a handwritten signature during a security check.
Smart cards with internal microprocessors or memory chips with non-programmable logic are used as ID cards by the majority of organizations. Microprocessor chips can add, delete and manipulate up to 32,000 bytes of information, almost like a miniature computer. Memory chips are similar to small floppy disks that can hold up to 16,000 bits of data. Less expensive than microprocessor cards, memory chip cards are also less secure and must depend on the security of the card reader for their processing.
Contact smart cards, in particular, require physical insertion into a card reader that touches a conductive micromodule on the surface of the card. Proximity cards, on the other hand, use a radio frequency, electromagnetic interface. Proximity cards contain a microchip that releases the card's serial number when the card is held near a card reader.
Both contact cards and proximity cards communicate through an antenna (usually a few coils of very thin wire inside the card itself), and support robust security policies, as well as multiple physical and electronic security requirements. Hybrid cards also exist as a combination of contact and proximity technology on one card, with either one or multiple chips.
With all of the ID cards in production today, the business of counterfeiting has skyrocketed. Many companies need additional security elements on their ID cards to reduce the threat of forgery. There are a number of options on the market, from simple holographic seals to customized holographic overlaminates.
The quickest and most economical way for a company to add security is by applying foil-stamped holographic seals onto their cards. If the seal is removed from the card, it leaves a checkerboard pattern, indicating that someone has tampered with the card.
Some organizations opt for a hot stamp process to embed their text or graphics onto silver metallic foil. This is an inexpensive option for organizations that want to add low-cost, personalized visual security to a limited number of cards. The Indiana Department of Natural Resources (DNR) used this process to upgrade the identification badges of its Law Enforcement Division officers. The department now provides individuals with two ID cards, each embedded with DNR graphics. One is a horizontal card, which officers carry in an ID wallet accompanied by an official badge and used when they take official police action. The other is a two-sided vertical card, with a larger photo, that is clipped to an outer uniform pocket and used for easy visual identification in federal and state installations.
The ultimate solution is to apply a custom holographic overlaminate or transfer film to a card. Custom holograms are easy to validate and extremely difficult to duplicate. These holograms may include visual security elements like hidden text, nano- or micro-text, morphing images, and sophisticated flip images that appear to be animated. Other visual security elements include fine lines that give the illusion of motion, pseudo color that changes when the card is tilted, and a complex background image printed with a 2D/3D ribbon.
In 2003, the research firm of Frost and Sullivan predicted a large growth in fingerprint and facial recognition biometrics, as much as $1.6 billion by 2009. While the cost of biometrics is still prohibitive for most companies, and there continue to be issues surrounding accuracy, the application of biometrics offers exciting possibilities for the future of identity-related security.
Because biometric software is proprietary, if companies want to store more than one biometric algorithm on a card, they have to create a biometric-enabled software application, or applet, for each algorithm. The U.S. Department of Defense is already testing match-on-card technology for its Common Access Card - matching biometric data stored on the card with a live image from a biometric sensor.
Some believe biometric data will replace existing technology. Others believe there is a need for three levels of security, made up of ID cards, PINs and biometric data such as a fingerprint, iris scan or other unique template. Either way, most agree that biometrics will continue to play an increasingly important role in the world of ID card security.
Securing The Card Issuance Process
While ID cards are ensuring the security of individuals and facilities, what is ensuring the security of the ID card printer against fraud, theft and lost identity? Some printers include a feature to ensure that only authorized staff is allowed to print cards. Others include lockable card hoppers to prevent theft of blank card stock.
A password control might be the first line of defense against unauthorized printing, reducing both internal and external threats by automatically disabling a stolen or illegitimately accessed printer. There also is a powerful 24x7 notification process that allows users to customize the authorized hours of their printer's operation. Violations trigger e-mail or text messages to security personnel.
The Bottom Line
Reducing identity-related security vulnerabilities does not have to be difficult or expensive. With increased awareness of the potential threats, along with a working knowledge of ID card technology on the market today, astute companies can stay ahead of the game.
ID card systems should lower overall management and administration costs, not add to them. Simplicity, user-friendliness and interoperability are key. System design must include factors such as the cost of integrating with or migrating from existing systems. Deliberation must be given to the effect of implementation on users. But above and beyond all of these considerations lies the opportunity to reduce identity-related security vulnerabilities.
A Fargo Electronics, Inc. white paper. REV0412