March 14, 2006
Identity management requires card smarts
Building the brains behind mandatory ID card programs won’t be easy
The ID directive behind it all
President Bush issued Homeland Security Presidential Directive 12 in August 2004. It requires agencies to issue standard identity credentials to employees and contractors as a way of increasing security and interoperability among agencies.
The National Institute of Standards and Technology later issued Federal Information Processing Standard (FIPS) 201, which sets the requirements for issuing the new credentials under the personal identity verification process.
By Oct. 27, 2005, agencies were required to have established identity verification procedures that comply with FIPS 201, and they must begin issuing compliant credentials by the same date this year.
All employees and contractors should have the new credentials by October 2007.
— Brian Robinson
Think big now, save money later
David Temoshok, director of identity policy and management at the General Services Administration, said he thinks it’s a mistake if agencies focus only on meeting Homeland Security Presidential Directive 12 requirements when designing their identity management systems (IDMS).
Although the request for information GSA released in December was a prelude to an expected HSPD-12 contract, the IDMS included in the RFI has capabilities that can be applied to a wider range of uses, he said.
“When we talk to agencies about [an] IDMS for HSPD-12, we also advise them to think about how best they can structure it for future applications, such as machine-to-machine services,” Temoshok said.
Such systems include the ability to enable trusted machine-to-machine information sharing and to establish authorization to access various services and applications.
“We urge agencies to be farsighted and think about how such things as these might fit with their plans for [an] IDMS,” Temoshok said. “Now is an excellent time to be planning capital investment for the future.”
John Gist, a program manager at Northrop Grumman Information Technology, has recommended to his senior managers that the company look ahead as it deploys its IDMS infrastructure, advice he would give to agencies.
“You could just go with someone that provides minimal HSPD-12 compliance,” he said. “But because there’s not that much more cost involved, then it seems wise to put as much of it in place as possible now, even if you don’t use all of it immediately.”
— Brian Robinson
By Brian Robinson
Published on Mar. 13, 2006
Many of the components required to meet Homeland Security Presidential Directive (HSPD) 12, which mandates a standard way of identifying federal employees and contractors, have been around for a while and are well-understood.
For years, some agencies have been using the card management, printing and registration systems needed to supply smart cards. The National Institute of Standards and Technology has been compiling specifications for the cards’ functions, interface technologies and biometric identification data.
On the other hand, the requirements for identity management systems (IDMS) are not as far along. Agencies must deploy such systems to handle ID card distribution, apply biometric data to the cards and manage the databases that contain identity information.
In addition, an effective IDMS must enable a single card to grant access to physical buildings and information technology networks — two worlds that traditionally have used separate systems and operated in different security domains.
Because an IDMS must support many tasks and adapt to many environments, a specific description is nearly impossible to devise. Agencies must resolve this issue, among others, as they try to meet the October deadline for issuing smart cards to employees.
An IDMS “is more of a concept than any particular thing,” said David Temoshok, director of identity policy and management at the General Services Administration. “There are no standards you can set for [an] IDMS. There is no single approach to implementing one.”
In a December 2005 request for information for a future HSPD-12 contract, GSA defined an IDMS as the secured database that holds all applicant identity records.
More specifically, an IDMS should:
* Perform the verification and validation functions required to confirm someone’s identity.
* Hold and process applicant status information.
* Ensure that a card applicant has met all requirements before receiving a card.
In addition, GSA said, an IDMS needs to integrate with card management systems, registration systems, a variety of personnel-management systems, enterprise-level physical access control systems and enterprise-level network access control systems.
For agencies, a complete IDMS construction can be a long, complex and costly project, experts say.
“There’s going to be a lot of integration points between an IDMS ‘blob’ and other systems in the environment,” said John Gist, a program manager at Northrop Grumman IT. “Unfortunately, there is no easy answer.”
Agencies possess a number of databases, such as those managed by the human resources department, that already include much of the identity information necessary for a system that complies with HSPD-12.
The IDMS then becomes the integration glue that links all of those databases and handles the identity data from a central location.
But there’s no one way to consolidate it all, said Idan Shoham, chief technology officer at M-Tech IT, an identity management software vendor.
Seemingly, the simplest approach is to base the consolidation on human resources databases and use that data in other identity-driven applications, such as network directories and electronic messaging systems.
“However, that only goes so far,” Shoham said. “The HR system wouldn’t necessarily know anything about contractors, for example, and there would be an assumption that the HR database is accurate, current and fine-grained. But most often, that’s not true.” In that case, he said, the IDMS would need more information than the human resources database could provide.
Keep it simple
Some experts warn that the concept of an IDMS is becoming too complicated and all-encompassing, which could inhibit how people tackle implementation. Anteon, a systems integrator, seeks to simplify ID cards and focus on their uses, said Scott Price, vice president of the company’s systems integration group. For example, first responders’ primary need might be to know who must get in and out of a particular building or area during an emergency.
Price said that an IDMS must facilitate real-time changes in privilege levels.
“The important thing is to know whether or not a person works at a certain place, where they will work tomorrow, can they do certain things in a crisis and so on,” Price said. “Quick transfer of privileges is also important for interoperability,” so an employee of one agency can gain access to another agency’s building with the same card.
John Wall, principal technology specialist at Microsoft Federal, said the key to any IDMS is how well it handles exception processing.
“What happens when someone leaves a card at home or loses it?” he asked. “Does that person get a replacement? After a certain time is that card revoked? How do you reset identities in this case?”
That knowledge is also important when using one card for both physical and network access, he said, adding that the challenge in those circumstances is knowing whether the card is valid.
Some experts say the trick to building an IDMS that complies with HSPD-12 is to focus only on the directive’s needs rather than attempting to deploy a full IDMS implementation.
HSPD-12 doesn’t explicitly call for an IDMS installation, but the requirements would be hard to satisfy without one, Shoham said.
“However, an enterprise IDMS takes money and time to set up, anything from 12 to 18 months, and that’s fast,” he said. “Clearly, this is something you have to do incrementally.”
March 14, 2006 at 12:30 AM in Smart Cards
March 06, 2006
Chip and PIN hailed as card fraud falls 13%
Scotsman.com News - Chip and PIN hailed as card fraud falls 13%
HUGO DUNCAN
CREDIT and debit card fraud fell significantly last year for the first time in a decade, thanks to the roll-out of chip and PIN.
Money lost through card fraud fell 13 per cent from £504.8 million in 2004 to £439.4 million last year, according to the UK payments association APACS. It said the fall - the first "significant" reduction since 1995 - came after chip and PIN made it more difficult for fraudsters to use stolen cards. A fall of £4 million was recorded in 2003, the year chip and PIN was introduced to the UK.
Sandra Quinn, of APACS, said: "Seeing card fraud losses come down is cast-iron proof that chip and PIN is doing its job. Back in 2002, we forecast that fraud would have risen to £800 million in 2005 if we didn't make the move to chip and PIN, so it is heartening to see total losses well beneath this figure."
But while total fraud was down, fraudulent payments where the card and cardholder were not present - such as over the internet, telephone and mail order - were up 21 per cent to £183.2 million.
There was almost a doubling in online banking fraud to £23.2 million, mainly as a result of "phishing" scams, in which fraudsters posing as banks e-mail customers to dupe them into disclosing security details.
Ms Quinn said: "Fraudsters clearly are not going to give up, so neither will we. The banking industry is discussing how to better protect card-not-present transactions."
March 6, 2006 at 09:13 PM in Smart Cards
January 26, 2006
Restore confidence in the exchanges of information
Along with the boom in online banking transactions and the rise of e-commerce, the number of hacking and identity theft attempts is growing, leading to ever-growing losses, not only for banks but also for their clients. As information systems become more “open”, they also become more vulnerable.
In the face of these risks, the usual protections, such as a static password, have shown their limits. The only answer offering a real security guarantee is an unpredictable one-time password generated by an object held only by the duly authorized user (a token), combined with a code known only to that user (the PIN code).
Nevertheless, these dynamic password technologies (OTP, or One-Time Password) have a major handicap: the tokens available on the market today are relatively cumbersome. By embedding a battery, a flexible screen, a button and a cryptoprocessor in a card the size of a credit card, nCryptone offers an ultraportable token that displays a 6- or 8-digit dynamic password.
Existing in several versions, this product benefits from work led jointly by nCryptone and the American company InCard, which is linked to Visa International by an exclusive agreement for the design and marketing of financial cards.
January 26, 2006 at 02:55 PM in Smart Cards
December 12, 2005
Clarkson University Engineer Outwits High-Tech Fingerprint Fraud
By: Clarkson University
Published: Dec 10, 2005 at 07:45
Eyeballs, a severed hand, or fingers carried in ziplock bags. Back alley eye replacement surgery. These are scenarios used in recent blockbuster movies like Steven Spielberg's "Minority Report" and "Tomorrow Never Dies" to illustrate how unsavory characters in high-tech worlds beat sophisticated security and identification systems.
Sound fantastic? Maybe not. Biometrics is the science of using biological properties, such as fingerprints, an iris scan, or voice recognition, to identify individuals. And in a world of growing terrorism concerns and increasing security measures, the field of biometrics is rapidly expanding.
"Biometric systems automatically measure the unique physiological or behavioral ‘signature' of an individual, from which a decision can be made to either authenticate or determine that individual's identity," explained Stephanie C. Schuckers, an associate professor of electrical and computer engineering at Clarkson University. "Today, biometric systems are popping up everywhere – in places like hospitals, banks, even college residence halls – to authorize or deny access to medical files, financial accounts, or restricted or private areas."
"And as with any identification or security system," Schuckers adds, "biometric devices are prone to ‘spoofing' or attacks designed to defeat them."
Spoofing is the process by which individuals overcome a system through an introduction of a fake sample. "Digits from cadavers and fake fingers molded from plastic, or even something as simple as Play-Doh or gelatin, can potentially be misread as authentic," she explains. "My research addresses these deficiencies and investigates ways to design effective safeguards and vulnerability countermeasures. The goal is to make the authentication process as accurate and reliable as possible."
Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF. The project, "ITR: Biometrics: Performance, Security and Societal Impact," investigates the technical, legal and privacy issues raised from broader applications of biometric system technology in airport security, computer access, or immigration. It is a joint initiative among researchers from Clarkson, West Virginia University, Michigan State University, St. Lawrence University, and the University of Pittsburgh.
Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints, which are then "read" by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers.
In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.
"The machines could not distinguish between a live sample and a fake one," Schuckers explained. "Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesized that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration but cadaver and spoof fingerprint images would not."
In live fingers, perspiration starts around the pore, and spreads along the ridges, creating a distinct signature of the process. Schuckers and her research team designed a computer algorithm that would detect this pattern when reading a fingerprint image. With the new detection system integrated into the device, less than 10 percent of the spoofed samples were able to fool the machine.
Addressing potential problems before they can occur is one of the goals of Schuckers' biometrics research. "As security systems based on biometrics continue to develop, it is important that people are reassured that their privacy is protected," she said. "How confident will someone feel giving his/her fingerprint over a public communication channel, such as the Internet? The technology needs to be solid and reliable and offer adequate privacy protection before biometric security systems will be accepted by the public."
Schuckers is also a member of the Center for Identification Technology, a cooperative research center headquartered at West Virginia University that brings together the NSF, industry and government agencies, and university researchers. She is director of the Biomedical Signal Analysis Laboratory at Clarkson. Schuckers joined the faculty of Clarkson in 2002. She received her doctoral degree in electrical engineering from the University of Michigan in 1997.
Clarkson University, located in Potsdam, New York is a private, nationally ranked university with a reputation for developing innovative leaders in engineering, business, the sciences, health sciences and the humanities. At Clarkson, 3,000 high-ability students excel in an environment where learning is not only positive and supportive but spans the boundaries of traditional disciplines and knowledge. Faculty achieve international recognition for their research and scholarship and connect students to their leadership potential in the marketplace through dynamic, real-world problem solving.
© Copyright 2005 by YubaNet.com
December 12, 2005 at 11:11 AM in Smart Cards
November 23, 2005
Contactless Credit Cards Work In The 'Blink' Of An Eye
InformationWeek, November 18, 2005
Chase Bank USA is testing Visas and MasterCards with RFID technology called "blink," which eliminates the need for purchasers to sign and swipe. Instead, the buyer just waves the card in front of a scanner.
By Jennifer Lawinski
CRN
The day has arrived.
Credit card users are finally free of the burden of swiping their cards and signing their name thanks to advances in RFID technology and new programs from banks and credit card companies looking to make the shopping experience a little sweeter.
Contactless cards fitted with RFID chips are now available, and solution providers should expect to see opportunities in the POS market for new systems and upgrades.
The process involves waving a credit card with the embedded RFID chip in front of a scanning device that connects it with the credit account. The card must be within 20 centimeters of the scanner in order to be read. Purchases can be made almost instantly without a swipe of a magnetic strip or a signature.
Chase Bank U.S.A. last month rolled out Visas and MasterCards with the technology, which it calls “blink,” in the New York tristate area at establishments such as 7-Eleven, AMC Theatres, CVS and Duane Reade.
“The payment business is evolving rapidly and changing monthly,” said Erik Michielsen, director of RFID and ubiquitous networks at ABI Research, Oyster Bay, N.Y. “The key to this technology, why you’re seeing such rapid growth, is that it’s really got triangulated benefits. It benefits the consumer, the merchant and the card issuer.”
Consumers benefit by not having to wait in long lines and from the customer loyalty programs tied to the system’s ability to identify purchasers using the RFID system.
Michielsen said merchants benefit by reducing cash management issues and increasing customer loyalty.
“They’re really going after younger markets with these cards and basically the ‘cool’ factor. They’re actually finding that the average purchase increases by about 20 percent with the use of these cards,” said Bill Shaw, director of professional services at Nimax, the POS division of Ingram Micro, Santa Ana, Calif.
With a growing market among retailers, where do resellers fit in? “When it comes to the reseller channel market, we’re concerned with a couple of different things,” Shaw said. “One is the [RFID card] readers, and right now this is a closed market. It’s not a channel market. It has not reached critical mass. It is still considered in trial.”
When the technology is market-ready, he said, the channel will see opportunities selling both card reader devices and software that integrates the new system with existing systems or adds information-capture capabilities.
Mohammad Khan, president and founder of payment hardware company ViVOtech, Santa Clara, Calif., said the use of contactless credit card technology should be more widespread in 2006.
“There was a good track record of contactless technology to be accepted by the consumer,” Khan said. Contactless transit cards were popular in Hong Kong, he said, and devices such as the Speedpass, which is connected to an account to pay at gas stations, are popular in the United States. ViVOtech’s readers have been approved for use by MasterCard as part of its PayPass program, he said.
“The next two years is the time to build the infrastructure,” Khan said. “By the time millions of cell phones are enabled with near-field communications technology, the infrastructure should be in place.”
Khan estimates that shoppers won’t be paying with a wave of their cell phones until 2007 or 2008.
In spite of technological bells and whistles, credit cards will still carry magnetic strips for use at more traditional points of sale and will continue to display account numbers.
“It will take awhile for stores to adopt that technology. They’re not just going to throw out their pin pads and signature capture pads because a new technology came along,” Ingram Micro’s Shaw said.
“Just as with magnetic-strip cards now, we’ve got lots of different types of devices that can read them and then software to capture that information. It’s just a matter of incorporating a new type of technology to do the same old thing, really,” he said. “Eventually those will become open systems as magnetic-strip technology is now, and when that happens, that’s when things [will] start snowballing.”
November 23, 2005 at 01:09 AM in Smart Cards
September 06, 2005
Crooks steal a march on identity protection technology
FT.com
By Clive Cookson, Science Editor
Published: September 5 2005 03:00 | Last updated: September 5 2005 03:00
New technologies such as chip-and-pin credit cards and biometric identity cards are more likely to exacerbate identity theft and fraud, a criminologist said yesterday.
Emily Finch, reader in law at the University of East Anglia, told the British Association science festival in Dublin that her research showed that criminals were adapting successfully to the arrival of chip and pin.
With the previous generation of credit and debit cards, criminals would get hold of a card and then forge the holder's signature. "The focus has changed to getting the pin first and then getting the card," Dr Finch said.
It was easy to obtain pin numbers by spying because many people did not bother to shield the pad properly as they entered the number. Criminals would then track the owner until a suitable occasion arose to steal the card. Dr Finch said her academic group won the trust of career criminals, interviewed them about their techniques and observed the way customers and retail staff responded to cards under varying circumstances.
"Our research has shown that fraudsters are tenacious, merely adapting their strategies to circumvent new security measures rather than desisting from fraudulent behaviour," she said.
The fundamental problem, said Dr Finch, was that "excessive reliance on technology to combat fraudulent behaviour leads to a breakdown in the vigilance that is customarily exercised, thus increasing rather than decreasing the opportunities for fraudulent behaviour". This was seen in shops, where chip-and-pin technology has made cashiers far less vigilant than they were.
One way a fraudster could take advantage was to present a stolen card and, when invited to type in his or her pin, enter four random digits. "Fraudsters are always so nice and plausible, so they'll apologise, chat for a bit and convince the assistant that they haven't got the hang of the new system," Dr Finch said. "The assistant will then fall back on the old system and fail to check the signature properly."
To demonstrate the lack of vigilance, she said that she and a male research colleague had used each other's credit cards for a long period without being challenged on the grounds that a woman was using a card with a male name or vice versa.
Since chip-and-pin technology was still being phased in, said Dr Finch, the banking and retail industries had no good data to show if it was working.
Although details of the national identity card scheme were not yet known, her research suggested that it would "exacerbate rather than resolve the problems of fraudulent identity".
September 6, 2005 at 09:09 AM in Smart Cards
August 16, 2005
ID: the £15bn charge - The first detailed breakdown of the identity card programme's costs is now available
Kable - ID: the £15bn charge - 26 June 2005
The ID card scheme could cost up to £15bn, almost three times more than the government's estimates, according to the most detailed analysis issued so far.
A full cost breakdown, released today by Kable, estimates that the cards could cost up to £248 each with the entire programme reaching £15.6bn.
This figure is a top level estimate, the most conservative calculation being £6.8bn. The latest figures from the Home Office claim that the scheme will cost £5.8bn, which works out at £93 a card.
The figures, compiled ahead of the second Commons hearing of the identity cards bill, take all areas of the programme into account including running the database, staff costs for verifying biometrics and consultancy fees. They are based on research into existing government IT programmes and similar work taking place across industry.
Similar calculations using Kable's costings model form the basis of the London School of Economics (LSE) estimates for the programme, also due to be published ahead of the second reading.
Key costs from Kable's analysis include:
* More than £4.1bn to run the ID cards service. This figure includes verification, enforcement and tackling fraud;
* A total of £265m for card readers if three biometrics are used on the cards;
* Over £670m for the national identity database. This figure includes £180m set up costs and over £490m running costs; and
* Costs of £1.1bn on promoting the scheme, and consultancy fees.
The low estimate of £6.8bn assumes that existing IT systems will not have to be modified, that advertising the scheme will come to £300m and that staff costs for verification will be around £400m rather than the high estimate of over £900m.
Download the figures (in Microsoft Excel format):
http://www.kablenet.com/kd.nsf/1f10e4b76062133880256a4f004f1960/762dd24ea5f58e1f8025702c00622d7d/$FILE/ID%20Card%20-%20%20costs.xls
Download Kable comment on the ID card situation (in Microsoft Word format):
http://www.kablenet.com/kd.nsf/1f10e4b76062133880256a4f004f1960/762dd24ea5f58e1f8025702c00622d7d/$FILE/Listen%20to%20the%20experts%20-%20Kable%20comment%20on%20ID%20card%20situation%20by%20William%20Heath.doc
August 16, 2005 at 09:19 PM in Smart Cards
August 04, 2005
It's important that we all know who you are
It's important that we all know who you are - Jobs - Times Online
WHO are you, as those giants of existentialism The Who once asked. It’s a simple but pertinent question, and one that is increasingly being followed by another: can you prove it?
Identity is a hot topic and it has the photo card to confirm it. Everyone wants to know who you are, what your mother’s maiden name is and whether you know your PIN code.
But, as Computing (July 28) reports, the growing value attached to “identity” brings a disturbing corollary: identity theft. “Sadly, fraud as a whole is a growth industry here in the UK,” an expert says.
And up steps Building (July 29) to prove the point. It says that police are probing an international trade in counterfeit “CSCS” cards, used by construction workers to prove their competence, after a package containing hundreds of forgeries was intercepted by a British courier company en route from India. But an editorial turns this development on its head, saying that it proves that the cards now hold “real value” as a means of keeping out the cowboys. Huh?
Schools are not exempt from this national ID obsession. The Times Educational Supplement (July 29) says that pupils sitting exams may soon have to wear photo cards so that invigilators can be sure that they are who they say they are. One school in Lincolnshire is already using cards to “boost the efficiency of running exams”, although it describes its cards as “homemade”, which in terms of clamping down on exam cheats sounds a bit worrying.
But identity cards, even if they are called “opportunity” cards, can bring benefits. That, at least, is what the Home Office minister, Beverley Hughes, tells Young People Now (July 27). She says that young people who do not sign up for one of the new cards, proposed in a Green Paper last month, could be at a disadvantage. Cardholders will be able to earn “credit” by being kind to cats and old people and engaging in other “positive activities”. But Hughes says that those who snub the card will be unable to access discounts on goods and services.
Finally, The Job (July 22) carries a salutary warning that proving your identity does not always keep you on the right side of the law. A “notorious” teenage graffiti artist was nicked by an off-duty community support officer who spotted him daubing his “tag” — graffiti’s equivalent of a signature — on a bus-stop. Presumably he has blown his chances of an opportunity card.
August 4, 2005 at 01:49 AM in Smart Cards
July 24, 2005
Identity Cards
The Government's decision to introduce a national Identity Cards Scheme was announced in the Queen's Speech on 17 May 2005 and the Identity Cards Bill was reintroduced to Parliament (http://www.publications.parliament.uk/pa/pabills.htm).
* Identity Cards Video
* Identity Cards Bill and Explanatory Notes
* Regulatory Impact Assessment (PDF, 322kb)
* Race Equality Impact Assessment (PDF, 526kb)
* ID Cards Briefing (PDF, 487kb)
* Press Release
* The Government has produced a response to the London School of Economics 'ID Cards Costs Estimates and Alternative Blueprint': Home Office Response to LSE Alternative Blueprint (PDF, 627kb)
The UK Passport Service Biometrics Enrolment Trial report was published on 25 May. The trial gave more than 10,000 people across the country the opportunity to experience face, fingerprint and iris enrolment, sought their views on the experience, and surveyed their attitudes towards the use of biometrics.
The full report is available for download, as well as a management summary.
* UKPS Biometrics Enrolment Trial Summary (PDF, 1,350kb)
* UKPS Biometrics Enrolment Trial Full Report (PDF, 3,708kb)
The UKPS trial is now completed and we will announce the details of any further arrangements for volunteers for future trials on this website.
Further information can also be found on the Publications archive page
July 24, 2005 at 01:56 PM in Smart Cards
ID card rebels cut Government majority to 31
ID card rebels cut Government majority to 31 - Britain - Times Online
By Times Online and Agencies
The Government’s majority slumped to 31 over the introduction of identity cards tonight in the first backbench revolt of the new Parliament.
MPs gave the Identity Cards Bill a second reading by 314 to 283, after a rebel amendment to block the measure was withdrawn.
It was the first real test of Mr Blair’s reduced 67-strong majority since Labour was returned to power in May.
The Bill is certain to face tough examination in committee, with critics demanding concessions on data privacy and costs.
Home Secretary Charles Clarke went some way to meeting those concerns today offering to cap the cost of ID cards but refusing to set a figure.
Mr Clarke insisted ID cards would act as a “bulwark against the Big Brother society,” providing “real benefits to the individual and society” by limiting the scope for identity theft.
There would be no open access to the information held on individuals and ethnic minorities had no reason to fear the scheme, he said.
Twenty one Labour backbenchers signed the withdrawn amendment to block the Bill’s second reading because it made “no significant contribution to the reduction or eradication of terrorism”.
Labour critic David Winnick (Walsall N) gave the Home Secretary an early taste of the strength of feeling, warning: “If this measure was on a free vote tonight, it would certainly be thrown out.”
The plans have also come under fire from the Information Commissioner Richard Thomas who dubbed them excessive and disproportionate, while a London School of Economics report warned the scheme could eventually cost £20 billion, or £300 per card.
Mr Clarke said Mr Thomas’s analysis was “incorrect,” adding: “I argue the ID card system is a bulwark against the surveillance society, the Big Brother society, and not a further contribution to it.”
Mr Clarke told critics of the cost of the scheme that he would set a cap on it before the Bill left the Commons. “It would be ridiculous to have an expensive card which people were, in some sense, forced to buy. But that is not what we will have,” he said.
Mr Clarke acknowledged there were serious practical concerns over the legislation and offered to look at resolving these in committee.
“I argue that the identity card has real benefits to the individual and society and the ID card is a means of limiting abuse in our modern information society, rather than a means of adding to it ... It gives individuals the right to secure verification of their identity.”
Amid concerns raised on both sides of the House about the security of data held, Mr Clarke said: “There will be no open access to information on the register. Private companies will not be able to access or buy national identity register entries.”
The Bill made no difference to police stop and search powers and there would be no requirement for people to carry ID cards at all times.
The Muslim community would not be “unfairly targeted,” Mr Clarke vowed. “Ethnic minority communities, like other communities, have no reason to fear the ID card system.”
But Labour’s Diane Abbott (Hackney N and Stoke Newington) warned that while the Bill did not contain an extension of police powers it did have an “extension of pretext” by which the police could stop people.
“The last thing we need is a piece of legislation which will further turn the screw on community relations in our big towns,” she said. Shadow home secretary David Davis accused the Government of chipping away at the basic liberties of its citizens.
“Today, the party that in 1945 promised that generation welfare from cradle to grave is about to give this generation surveillance from cradle to grave,” he said. “The Home Secretary’s proposals represent a fundamental shift in the balance of power between the citizen and the state.
“They are not just excessive, but also expensive. Not just illiberal, but also impractical. Not just unnecessary, but also unworkable.”
For the Liberal Democrats, Mark Oaten said the costs of the project were “spiralling out of control” and it might be this that ultimately defeated the scheme.
The whole thing was a mess that would make “the Child Support Agency mess-up look like a tea party”, he said. “It is illiberal. It is wrong and it won’t work.”
Leading Labour rebel Lynne Jones (Birmingham Selly Oak) said the “dumb and dangerous” legislation should be “killed at birth”. It was not the idea of ID cards that was objectionable but the creation of a database of personal details.
Urging party colleagues to join the opposition to the Bill, she said the vote was “more serious than the decision to go to war”.
But Labour former Home Office minister John Denham said he believed ID cards and the National Identity Register were necessary and would vote for second reading. He accused critics of overstating the level of intrusion they posed, the cost, and the risk of failure.
July 24, 2005 at 01:44 PM in Smart Cards
ID cards are to Blair what poll tax was to Thatcher
ID cards are to Blair what poll tax was to Thatcher - Comment - Times Online
MICHAEL PORTILLO
We are in 1987. The prime minister has just won an election with a reduced majority and is celebrating by handbagging the European Union. As problems at home well up, she diverts attention by striding the world stage. Immediately after polling day, the government promised to listen to people more carefully, but it has lost no time in trundling out a piece of misconceived legislation that will bring it to the brink of catastrophe. The prime minister will not survive to the end of the parliament and neither will the new law.
In 1987 Margaret Thatcher occupied Downing Street and her ill-fated bill enacted the poll tax. Today Tony Blair presses on with identity cards. I have seen this movie before and I know how it ends.
The poll tax fiasco began when Scotland updated the valuation of homes under the old rates system.
It caused a problem because the middle classes would have to pay more. A little petty cash could have solved the difficulty. Instead, it spawned an idiotic idea that brought down Britain’s greatest post-war premier. I am not often prescient but that was one disaster I foresaw.
When Michael Forsyth, then a young Scottish Tory MP, told me that England must introduce the poll tax because the government had already decided to impose it on Scotland, I told him that his argument was illogical and dangerous.
At first many thought we were on to a winning policy. Abolishing the rates was as popular then as deporting failed asylum seekers is now. But soon we faced riots on the streets and, more seriously for Thatcher, panic among our MPs. By then I had assumed ministerial responsibility for the poll tax. Holding office may have rendered me dishonest but it did not make me stupid. I could see that the law was doomed.
Last week Charles Clarke, the home secretary, reintroduced the identity card bill. In the few months since he last brought it to the Commons, it is striking how much closer to doom his scheme has already moved. Then he argued that the cards were needed to fight terrorism. Not now. That reasoning has been ditched. You cannot play the terror card and simultaneously promise the scheme will be voluntary and take a decade to roll out.
His reassuring estimate of what the scheme will cost has been demolished by two independent reports that put the number three times higher at between £10 billion and £19 billion. Blair and Clarke try to discredit those figures but the public would rather believe Pinocchio than any minister of the crown.
What’s more, the bill now faces parliamentary opposition. When it was last debated the Conservatives, with Michael Howard in the ascendant, backed the government. The party that claimed to stand for the bigger citizen and the smaller state made an ass of itself.
Last week, with David Davis at the helm and Howard absent, the Tories tore into the government, demolishing every one of its flimsy arguments. Ministers won the vote in the Commons but lost the argument. Their majority understates the degree of discontent on all sides. Labour backbenchers savaged the bill and its authors. The Lords will maul it further.
The identity card bill is fatally damaged. A wise government would turn around now and head for port. In a matter of weeks the whole debacle could be quietly forgotten.
But third-term prime ministers are not wise. They are too busy with their global agenda to study the detail of what their ministers have devised. A flood of testosterone dulls the messages from their political antennae. Machismo distorts their sense of proportion.
The government now argues that identity cards would help to end fraud and identity theft. But in social security the biggest scam is people pretending to have a disability that they do not have, rather than assuming another name.
Clarke pleaded that the banking sector loses £50m to identity deception. The banks’ problem does not validate spending on identity cards 380 times the sum lost through fraud, just as a small local difficulty over Scottish rates did not justify introducing the poll tax.
In truth, the government is establishing a mouth-watering target for fraudsters and terrorists. Anyone who hacks into the national identity register can make a fortune or reduce Britain to chaos.
Clarke said that the Madrid terrorists had been traced because they had produced genuine identity cards when they bought their mobile telephones. I assure him that Al-Qaeda operatives will produce fake ones next time. Meanwhile, I do not want to live in a society where I have to prove my identity to buy a mobile, or a piece of rope, video recorder, torch or anything else that the government fears a terrorist might use.
The death of privacy is a worrying challenge for this new century. Technology enables us to spy on one another. Hackers can intercept our e-mails and tap our telephone calls. They may do it for fun or to do us harm. With the miniaturisation of components, anyone you meet could be filming you and recording what you say. It would be easy for someone to bug your house. It is child’s play to access your bank account and track your movements through your mobile or by the cash withdrawals that you make. It is legal to train a camera on your front door and display your comings and goings on the internet.
So far such problems have largely affected only celebrities and so the issue has not been taken seriously. When the media achieves a scoop by printing the transcripts of the Prince of Wales’s phone calls, nobody, it seems, cares much about the implications of such espionage for our society. Our lives would be intolerable if no remark and no act were private. Think of it, because any one of us could become a victim.
The government ought to be leading the fight to protect British citizens from intrusion. In fact, it does nothing because a law to protect privacy would offend the media (although media intrusion is just a small part of the issue). Compounding its inaction, the government now seeks to maximise its own scrutiny of our lives. People arrested but not charged are fingerprinted. Ministers cheerfully propose to record the movements of our cars so as to make us pay for using the roads.
The government is excited rather than alarmed by what technology can do. It sees utility, not danger, in each opportunity to increase its surveillance. If more of our movements and purchases are logged, it will help the police to fight crime. If more of us have been fingerprinted, it will be easier to nab suspects after a robbery.
But new technology has not altered the question of balance. It has always been open to government to spy on us more closely. However, prudent governments remember that in a common-law country, the citizen is assumed to be free to do whatever the law does not forbid. That thinking underlay the abolition of identity cards in Britain after the second world war. It is presumably why the United States, despite being attacked on September 11, 2001, is not planning to introduce them now.
Crime is a scourge in a free society. But when privacy dies, the free society dies with it.
As the G8 summit approaches, the government is whipping up public demonstrations (a practice usually confined to authoritarian regimes).
It should be careful about giving others ideas. The identity card bill could provide a new opportunity for citizens to march.
As people begin to discover that they cannot receive benefits or open a bank account or borrow a book without buying an expensive card, the political temperature is going to rise. When they realise that it contains 50 pieces of private information about them, the mercury will climb higher.
As they find that some of their personal data are wrong and some are being kept secret from them, tempers may fray. If parliament cannot defeat the bill, maybe it will perish on the streets.
The poll tax is, I believe, a unique example of legislation enacted and repealed by the same government within the same parliament. The identity card bill looks set to suffer the same fate. In the case of the poll tax, the U-turn was made possible only after a change of prime minister. You see why now feels like 1987.
July 24, 2005 at 01:43 PM in Smart Cards
June 29, 2005
Embattled Clarke's vow to cap cost wins vote on ID cards
Britain, UK news from The Times and The Sunday Times - Times Online
By Philip Webster and David Charter
CHARLES CLARKE promised to set a maximum figure for the cost of an identity card as he hinted at a string of concessions to secure a narrow victory for the legislation last night.
In a key admission, the Home Secretary suggested that if the cards eventually became compulsory they could be made free. Facing a wave of concerns from Labour MPs he said: “It is best that we do give the assurance of a cap.”
“It would be ridiculous to have an expensive card which people were, in some sense, forced to buy. But that is not what we will have.”
A total of 20 Labour rebels joined the Tories and Lib Dems to vote against the Second Reading of the Identity Cards Bill, reducing the Government’s majority to 31. It passed by 314 votes to 283.
Labour rebels gave notice that they would fight on against the scheme during its later Commons stages. John McDonnell, chairman of the Socialist Campaign Group, said: “This is only the beginning of the battle. Such ill thought-out legislation will inevitably face difficulties throughout its passage and we will be using every parliamentary tactic available to force the Government to re-think.”
A later vote on the timetable of the Bill passed with an even slimmer majority of 27, with MPs concerned that too little time was being allowed for debate. Mr Clarke had earlier attacked some of the “fantastic” figures that had been quoted over the cost.
But his promise of a ceiling on the price of the card left open questions about how the Government would finance the scheme if income from it failed to meet the cost, which has been put by ministers at £5.8 billion, although other estimates have gone as high as £18 billion.
Mr Clarke, in a speech during which he allowed numerous interventions, was assailed with questions about the scheme and given a taste of the strong feelings when the loyalist Labour MP David Winnick (Walsall North) told him that if there were a free vote on the Bill it would be thrown out.
Mr Clarke insisted that ID cards would act as a “bulwark against the Big Brother society”, and he told critics that they would provide “real benefits to the individual and society” by limiting the scope for identity theft. He acknowledged that there were practical concerns over the legislation and offered to look at resolving them later. David Davis, the Shadow Home Secretary, accused the Government of chipping away at the basic liberties of its citizens.
The ID card scheme will have benefits of up to £1.1 billion a year through reducing crime, increasing immigration control and preventing fraud, according to two documents published by the Home Office last night.
THE 20 REBELS
Ms Diane Abbott (Hackney North & Stoke Newington); Katy Clark (Ayrshire North and Arran); Frank Cook (Stockton North); Jeremy Corbyn (Islington North); Mrs Gwyneth Dunwoody (Crewe & Nantwich); Mark Fisher (Stoke-on-Trent Central); Paul Flynn (Newport West); Ms Kate Hoey (Vauxhall); Kelvin Hopkins (Luton North); Ms Glenda Jackson (Hampstead & Highgate); Dr Lynne Jones (Birmingham Selly Oak); John McDonnell (Hayes & Harlington); Robert Marshall-Andrews (Medway); Linda Riordan (Halifax); Ms Clare Short (Birmingham Ladywood); Alan Simpson (Nottingham South); John Smith (Vale of Glamorgan); Robert Wareing (Liverpool West Derby); David Winnick (Walsall North); Mike Wood (Batley & Spen)
June 29, 2005 at 05:46 PM in Smart Cards
June 16, 2005
Bank bets on smart card security plan
6/15/2005 5:00:00 PM - InfoSecurity Canada
The bank is designing a role-based solution that has to serve 35,000 employees. An executive discusses the challenges, while Microsoft, Bell and others share user experiences
by Sarah Lysecki
TORONTO -- The Bank of Montreal has spent the last five years creating a smart card strategy to address compliance, productivity and client issues, but an executive in the bank’s information security division said there have been some hiccups along the way.
“It’s not all rosy and nice without the hurdles,” said BMO’s Jimmy Don, one of four speakers on a panel looking at the challenges of merging physical and logical access at this year’s Infosecurity Canada conference. “It’s not a technology problem, it’s a process problem.”
With 35,000 BMO employees, enforcing a role-based system is a massive undertaking. To do this, the bank needed to have a solid organizational structure with clearly defined roles across all business units. Like many large organizations, BMO has many pockets that have their own rules, settings and infrastructure. When BMO started researching smart cards in 2000, it started with three streams: compliance, productivity and client.
Since then, BMO has rolled out tactical deployments across these pockets, including the most recent implementation for the trading floor. BMO is eventually looking to expand its strategy to a large-scale deployment of smart cards within the next two to three years.
Because every minute of stock brokers’ time counts for revenue, they require quick and easy access to applications and the network.
“All they want to do is come in the office in the morning, stick a card in and everything works,” said Don.
To enable users to start work fast, BMO used password synchronization to achieve single sign-on capability and built card and thumb-print readers into the machine. This capability, however, requires a lot of work in the back end to secure the infrastructure.
“The faster they get access, the more security we need to put in the backend,” said Don.
He added some initial problems included people leaving cards in their machines and manual work associated with password synchronization. If a user, for example, forgets his or her password, every application needs to be synchronized when the new password is created.
Tom Moss, senior director of managed security services at Bell Security Solutions Inc., added users are often aware of password authentication issues. Single sign-on was one of the first areas Bell Security Solutions focused on when it got into identity management five years ago.
“Today, we’re looking at much more sophisticated management of lifecycle identities across a variety of enterprise infrastructures,” said Moss. Bell Security Solutions, for example, manages the government of Canada’s credentialing process for citizens who file their income taxes online as well as a large project for the government of Alberta called secure access services.
Despite advances in smart card technology in recent years, Moss added, “most organizations are not at a point where they’re talking about converged physical and logical access because of the cost and the scale of those things.”
In terms of cost, Microsoft Corp., which has implemented smart cards across its 61,000 full-time and 30,000 contract employees worldwide, said the average cost per user has gone down significantly since it first piloted the cards in 2001, from $55 to $75 per user then to $5 for a card at present. The cards that Microsoft is currently using have up to 32 kilobits of memory, half of which is used by the operating system and applications, said Microsoft Canada Co. security lead Michael Nowacki. He added that cards are now capable of four to eight times that amount of memory.
Microsoft currently uses smart cards for system access, digitally signing e-mails, decrypting e-mails and rights management services, which combine encryption and policy to determine how an individual can use a document, for example whether they can print or save it.
“At Microsoft we combined RFID for physical access to the building along with smart card technology for logical access to the network along with a photo ID card that you must wear around as an ID badge,” said Nowacki.
Both Moss and Cryptocard Corp. president and CEO Malcom MacTaggart noted the increasing demand for smart card technology.
“We’re starting to see it in areas where high trust is essential,” said Moss referring to data centre deployments that use three-factor authentication. He added Bell Security Solutions has also seen an uptake in health care and manufacturing.
While the demand is there in certain sectors, MacTaggart pointed out that less than five per cent of the world’s computers use anything less than a static password.
“Security is only as strong as the weakest link,” he cautioned. “No matter how much money spending on firewalls, routers and switches, all of which are good things, it’s always useful to keep in mind where the weakest link in your network is.”
InfoSecurity Canada continues on Thursday.
June 16, 2005 at 08:05 AM in Smart Cards
March 16, 2005
Chip and PIN security flaw uncovered
Finextra: Chip and PIN security flaw uncovered
An investigation by the UK's London Programme has uncovered a security flaw in Chip and PIN payment cards which allows fraudsters to disable and over-ride chip security measures using information embedded in the magnetic strip.
The television programme, which aired last night, showed an anonymous "industry insider" cloning a chip-based payment card using software and a skimming device bought on the Internet.
The skimming device records data embedded in the magnetic strip on a smartcard, but information stating that the card contains a chip can be changed using the illegal software. The data is then copied onto a basic plastic card, such as those used for mobile top-ups. Programme makers were able to use the cloned card to withdraw cash from an ATM.
The findings of the investigation were presented to the UK's Association for Payment Clearing Services (Apacs). In a statement issued to the programme makers, Apacs says: "When fully in place, chip and PIN technology will identify chip and PIN cards that have been fraudulently tampered with in this way, and also fraudulent copies of those cards."
But in the programme, Sandra Quinn, director of corporate communications, Apacs, did admit that data embedded in the magnetic strip on a card can be accessed and copied by fraudsters but insisted that it cannot be changed: "That data will always say 'there is a chip on this card' therefore if there's no chip on the card the fraudster can't use it."
But research conducted by Ross Anderson, head of security engineering at Cambridge University, found that if a card with a damaged chip is presented at an ATM or POS terminal, then the device falls back to magnetic strip operation.
David Cooper, risk management, Lloyds TSB, told the programme that although banks in Europe were committed to using chip-based technology, financial firms in the US have not made much effort to move into chip and PIN yet, so the industry isn't able to drop magnetic strips from payment cards.
Despite the security risks uncovered, Quinn says cards containing both chips and magnetic strips will be around "for a very long time".
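The issuer-side screening that the Apacs statement points to can be sketched as follows: the bank compares what the stripe claims with what it knows it issued, and treats chip fallback as a risk signal. This is an added example, not code from the article or from any card scheme; the card records, entry-mode labels and decision strings are assumptions, and it relies on the ISO/IEC 7813 convention that a track 2 service code starting with 2 or 6 marks a chip card.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed issuer records (not real accounts): what the bank knows it issued.
ISSUED_CARDS = {
    "4000000000000002": {"has_chip": True},
    "4000000000000010": {"has_chip": False},
}

# First service-code digit that marks an integrated-circuit card (ISO/IEC 7813).
CHIP_SERVICE_CODES = {"2", "6"}


@dataclass
class AuthRequest:
    entry_mode: str                 # assumed labels: "chip", "magstripe", "fallback"
    pan: str                        # account number the terminal reports
    track2: Optional[str] = None    # raw track 2 as read by the terminal


def parse_track2(track2: str):
    """Return (pan, expiry_yymm, service_code), or None if the track is malformed."""
    body = track2.strip().lstrip(";").split("?", 1)[0]
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        return None
    if len(rest) < 7 or not rest[:7].isdigit():
        return None
    return pan, rest[:4], rest[4:7]


def screen(req: AuthRequest) -> str:
    """Decide how the issuer should treat a request before normal authorization."""
    record = ISSUED_CARDS.get(req.pan)
    if record is None:
        return "decline:unknown-card"
    if req.entry_mode == "chip":
        # The chip itself is authenticated elsewhere; nothing stripe-related to check.
        return "continue:chip-authentication"
    if req.entry_mode not in ("magstripe", "fallback"):
        return "decline:unknown-entry-mode"

    parsed = parse_track2(req.track2 or "")
    if parsed is None or parsed[0] != req.pan:
        return "decline:malformed-track"

    stripe_says_chip = parsed[2][0] in CHIP_SERVICE_CODES
    if stripe_says_chip != record["has_chip"]:
        # The stripe contradicts the issuer's own record of the card: the
        # "there is a chip on this card" marker has been changed.
        return "decline:service-code-mismatch"
    if not record["has_chip"]:
        return "continue:magstripe-card"
    if req.entry_mode == "fallback":
        # Terminal tried the chip and fell back to the stripe (damaged chip case).
        return "refer:chip-fallback"
    # Chip card swiped at a terminal that never attempted a chip read.
    return "refer:chip-card-swiped"


def demo():
    """Run the screen over four constructed requests and return the decisions."""
    chip_pan, stripe_pan = "4000000000000002", "4000000000000010"
    requests = [
        AuthRequest("chip", chip_pan),
        AuthRequest("magstripe", chip_pan, ";4000000000000002=07121011234567890?"),
        AuthRequest("fallback", chip_pan, ";4000000000000002=07122011234567890?"),
        AuthRequest("magstripe", stripe_pan, ";4000000000000010=07121011234567890?"),
    ]
    return [screen(r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The check only works because the issuer's record, not the stripe, is the source of truth for whether a card carries a chip.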
March 16, 2005 at 11:06 PM in Smart Cards
Smart Cards at the Crossroads: Authenticator or Privacy Invader
By Ari Schwartz, The Center for Democracy and Technology
Published by the Direct Selling Education Foundation, in "At Home With Consumers," Volume 19/Number 3/December 1998
As our economy moves increasingly into a networked world, more information is collected and retained on the daily interactions of individuals. Every day, individuals unwittingly hand over personal information that quickly finds its way into a consumer profile or "digital dossier." In the supermarket we hand over our frequent shopper card and pay with a credit or ATM card. The information collected from this transaction is captured and stored and often combined with other information gleaned from "public records" and private sources. Concerns over these "digital footprints" are the basis for growing consumer concerns with privacy in the networked economy.
In the mind of a thoughtful consumer, smart cards escalate these concerns. Creating a single card that could merge their financial affairs with health information and even interactions with government raises unease and mistrust. Individuals fear that a single card will accelerate the centralization and sharing of personal information in ways that will erode privacy. While the increased use of smart cards poses challenges to protecting privacy, smart card designers and policy makers have the opportunity to devise privacy protections that many believe are crucial for gaining the trust of consumers in the digital economy.
Authentication and Smart Cards
Creating tools that will both protect privacy and provide the convenience of the networked world requires us to examine the nature and purpose behind each function of the card or "application." Smart cards are diverse, ranging from simple single function cards like credit cards to cards serving multiple functions such as a student ID on a university campus which allows access into buildings, pays for meals and serves as a library card. While diverse, all share a common basic function: authentication. A driver's license, e-cash and even a door key are simply tools that authenticate or certify different things about the individual: a driver's license their ability to drive and identity; e-cash their ability to pay for goods; a door key their authority to enter a building. Simply put, authentication is different from identity. We can break authentication into three boxes:
* Identity
Birth certificates and state issued identification cards prove that we are who we claim ourselves to be.
* Eligibility
Various keys allow us or those with whom we share them to enter our home, car or office. Documents such as frequent flyer numbers allow us to prove membership in an organization.
* Value
Currency acts as one form of certifier, performing the narrow function of proving that an individual is able to pay for a good or service.
While authentication mechanisms are necessary for a thriving and rich networked economy, their development and implementation raise important individual privacy, system security, and social concerns. These concerns multiply as we begin to use single smart cards to bundle different services and, with them, the authentication systems created to support them. For example, when we pay cash we do not expect people to ask for our identity, but on a smart card it is quite possible that someone will be providing this information and more when paying with e-cash. The merging of services could have extreme social effects on consumers. Some examples are:
* Centralization of personal information collection
A single card used for different purposes runs the risk of creating a centralized warehouse of data about an individual's activities. Today various record-keepers have information that reflects different aspects of an individual's life. The bank has banking records; doctors have medical records; and credit card companies have records of credit transactions. The walls between these records protect individual privacy in two ways. First, they limit, to some extent, the damage to individual privacy that occurs through either misuse by an authorized user or unauthorized access by an intruder. Second, they place checks on the surveillance and monitoring capacity of each system. If all of an individual's transactions occurred through, or were recorded at, the same source, we would create a powerful center of data on all citizens that would be ripe for misuse and abuse.
* Means for new social controls
The issuing, revoking, or withholding of such a card could be used to control social behavior, limit an individual's activities, or punish unrelated activities. Today, specific tokens enable specific activities. While losing a driver's license may limit a person's ability to drive, it does not impact on her ability to purchase goods in the market, seek health care, or engage in other transactions. A single card does not provide the same flexibility.
* Greater collection and use of personal information
When a single card is used across all transactions, it could become a default personal identification or a national ID card. As mentioned above, many of our daily activities require far less "personal" means of certification. A single certifier will result in more data being collected than is needed for many interactions. In the most extreme case it could lead to every online interaction being fully identifiable and traceable to an individual. Utilizing a single card for all purposes could create an electronic trail of all personal interactions.
Keys on a Key Ring
Perhaps the best real world metaphor for the problems that smart cards pose to personal privacy is the key ring. Given the choice between a ring with multiple keys or a single key to open all doors, most consumers would stick with the key ring despite the initial appeal of the single key. The single key could be easily lost or misused and its functions could not be isolated; the keys would have to remain connected at all times, so by giving someone the key to your car you would in effect be giving them the key to your life. The popular conception of smart cards has been this single key with the related possibility of tying all data inexorably together, but this does not have to be the case. Cards with complex operating systems are already being devised, but questions remain as to how to maintain the walls between different kinds of personal information. How will the data be stored and who will have access to it?
Fortunately, at this nascent stage in the adoption of smart cards in the marketplace, smart card designers and policy makers still have the opportunity to heed the advice of consumer and privacy advocates and create a tool offering the convenience intended and protections for privacy. In order to accomplish this goal, smart card designers should be asking themselves questions about privacy, such as:
* What type of authentication is required for this application? Do we need to know "who" the individual is or not?
* How can the collection of information be limited to only what is necessary? Can any of the applications utilize and maintain anonymity (e.g. electronic cash)?
* Has the application changed (technologically or otherwise) since the creation of the application, that may warrant a rethinking of the authentication needed?
* Are there risks of placing this application onto a card with other applications?
* What safeguards are employed to limit the ability to combine and warehouse data elements collected by different applications?
* What protections can be utilized to prevent the disclosure of information across applications?
In short, designers should not be afraid to think about changing the way that old applications were used if the changes will help to protect the consumer on the new format of the smart card.
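The question above about limiting the ability to combine and warehouse data across applications can be made concrete. The following is an added example, not part of the original article: it compares a card that shows one serial to every application (the single key) with a card that derives a separate identifier per application (the key ring). The card names, secrets, application names and helper functions are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: two cards, each with a serial and an on-card secret.
CARDS = {
    "alice": {"serial": "CARD-0001", "secret": b"alice-constructed-secret"},
    "bob": {"serial": "CARD-0002", "secret": b"bob-constructed-secret"},
}
# Constructed usage: (holder, application) pairs in the order they occurred.
VISITS = [("alice", "transit"), ("alice", "pharmacy"), ("bob", "transit"),
          ("alice", "library"), ("alice", "transit")]


def single_id(card, app_id):
    """The 'single key' design: every application sees the same serial."""
    return card["serial"]


def pairwise_id(card, app_id):
    """The 'key ring' design: a different, stable identifier per application.

    Whoever knows the card secret (for example the issuer) can still recompute
    these values, so this limits linkage between applications, not by the issuer.
    """
    mac = hmac.new(card["secret"], app_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_logs(id_for):
    """Return {application: [identifier, ...]} as each operator would log it."""
    logs = {}
    for holder, app in VISITS:
        logs.setdefault(app, []).append(id_for(CARDS[holder], app))
    return logs


def linkable(logs):
    """Identifiers found in more than one application's log (a join key)."""
    seen = {}
    for app, ids in logs.items():
        for ident in set(ids):
            seen.setdefault(ident, set()).add(app)
    return {i: sorted(apps) for i, apps in seen.items() if len(apps) > 1}


if __name__ == "__main__":
    print("single serial :", linkable(build_logs(single_id)))
    print("per-app ids   :", linkable(build_logs(pairwise_id)))
```

With the single serial, the three operators' logs join on one value; with per-application identifiers each operator can still recognise a returning card, but the logs share no common key.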
While technology can be implemented with an increased focus on protecting consumer privacy, there is still a role for policy makers. Policy makers will need to look into such issues as:
* the ability of government to use the card to track individuals;
* the information handling practices of the different applications on the card; and
* the ability of smart card companies to warehouse and package data for sale to third parties.
Conclusions
Ultimately, smart cards will not be able to succeed if consumers do not trust them. If the tracking ability of the cards weighs greater in the minds of consumers than convenience, the cards will not succeed in the market. Now is the opportune time for those who would like to see smart cards succeed to build in privacy enhancing features and eliminate the valid privacy concerns of consumers.
March 16, 2005 at 09:38 PM in Smart Cards
March 15, 2005
Security through viral propagation
Dec 2nd 2004
From The Economist print edition
Security technology: A new kind of door lock combines low-tech and high-tech approaches to enhancing security, but is it really safer?
IN THE security industry today, one part is decidedly sexier than the other. The sexy part deals with digital security, which includes everything from fighting computer viruses and fending off malicious hackers to controlling which employees have access to which systems. All of this has overshadowed the less glamorous part of the industry, which deals with physical security: in essence, door locks and that sort of thing. At parties, the digital guys come across as cutting-edge, whereas the door-lock guys soon have to admit that their last truly stunning innovation, the pin-tumbler lock, was devised in ancient Egypt but then got lost for 4,000 years until Linus Yale, an American inventor, rediscovered it. And even that was a century and a half ago.
Assa Abloy, a Swedish company that is the world's largest lockmaker, wants to change that. So it has teamed up with CoreStreet, a software company based in Cambridge, Massachusetts, to merge digital and physical security into a single system. The idea is that the same computer database that gives employees of a firm or government access privileges online also opens (or closes) doors for them. The twist, however, is that the doors need not have a permanent, hard-wired connection to the central computer.
Today, the only way to allow door locks to authenticate ("Are you who you claim to be?") and validate ("Are you supposed to be entering at this hour?") people in real time is to install electronic card-readers on doors, and then hook those readers up to a secure computer network. If an employee named Jane then gets fired, the central database will immediately inform all the connected card-readers, which will stop accepting Jane's key card.
The problem is that this sort of network is very expensive. An electronic lock costs between $3,000 and $5,000, 80% of which is the cost of network wiring, says Phil Libin of CoreStreet. Wiring up all the locks of, say, a nuclear power plant, university campus, airport, or military base therefore becomes extremely costly. Hard-wiring the doors of trucks, containers, aeroplanes and other moving things is out of the question. This is why, even in the most secure settings, at most 3% of locks tend to be connected.
CoreStreet's solution is to make the cards themselves the network, explains Mr Libin. There is still one central access list that says who is allowed to open what, and it is regularly sent out to the 3% of locks that are connected. The cunning part is how the list is propagated to other, unconnected locks: by the users themselves. Whenever an employee swipes his card through a connected lock, the list is copied, in encrypted form, on to the card. As he then walks through unconnected doors, the card transfers the latest copy of the list on to their locks, replacing their older versions. These locks in turn pass the new list on to any other cards passing through, and so on.
As long as people keep moving through doors, says Mr Libin, the freshest list of privileges spreads by viral propagation. The trick is to position the few connected locks carefully, to ensure that updates to the list spread within minutes to all the other doors. That way, Jane, having been fired, will find that her card no longer works. The new intelligent locks from Assa Abloy and CoreStreet that do all this cost about $1,000 each.
Not everyone is convinced, however. Marc Tobias, an expert on locks who has literally written the book on the subject (all two volumes and 1,400 pages of it), has heard grand claims being made about new kinds of lock before. He has been picking locks since he was 15, though he has not yet picked one of the new Assa Abloy locks (which have so far been supplied to ten trial customers). But, he says, "I'd be really paranoid about this until it has been thoroughly vetted." As Bruce Schneier, a security expert, likes to point out, security is like a chain, and is only as strong as its weakest link. The new system's security depends on protecting both the encrypted access list and the network that links up the connected doors. Making physical locks as secure as computer networks, in other words, means precisely that.
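The propagation scheme described above, and the dependence on protecting the access list, can be sketched as follows. This is an added example, not CoreStreet's or Assa Abloy's design: it assumes the list is a versioned revocation list authenticated with a shared HMAC key (the article says only that the list is encrypted), and all names and keys are constructed. It shows the window in which a stale offline lock still admits a revoked card, and the two checks a lock needs before accepting a list from a card.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: one shared MAC key known to the issuer and every lock. A real
# design would use issuer signatures so locks hold only a public key.
ISSUER_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class SignedList:
    version: int          # monotonically increasing issue number
    revoked: frozenset    # card names that must be refused
    tag: bytes            # MAC over version + revoked set


def _payload(version, revoked):
    return json.dumps({"v": version, "revoked": sorted(revoked)}).encode()


def issue(version, revoked, key=ISSUER_KEY):
    revoked = frozenset(revoked)
    tag = hmac.new(key, _payload(version, revoked), hashlib.sha256).digest()
    return SignedList(version, revoked, tag)


def is_authentic(lst, key=ISSUER_KEY):
    expected = hmac.new(key, _payload(lst.version, lst.revoked), hashlib.sha256).digest()
    return hmac.compare_digest(expected, lst.tag)


class Holder:
    """A card or a lock; each simply carries the newest list it has seen."""

    def __init__(self, name, lst):
        self.name = name
        self.lst = lst

    def offer(self, candidate):
        # Accept only authentic AND strictly newer lists: the MAC check stops
        # forged lists, the version check stops replay of an older list.
        if is_authentic(candidate) and candidate.version > self.lst.version:
            self.lst = candidate
            return True
        return False


def swipe(card, lock):
    """Exchange lists in both directions, then decide with the lock's copy."""
    lock.offer(card.lst)
    card.offer(lock.lst)
    return card.name not in lock.lst.revoked


def demo():
    v1 = issue(1, [])
    v2 = issue(2, ["jane"])              # Jane is fired; v2 revokes her card
    lobby = Holder("lobby", v2)          # wired lock, already has v2
    lab = Holder("lab", v1)              # offline lock, still on v1
    jane, bob = Holder("jane", v1), Holder("bob", v1)

    out = {"jane_before": swipe(jane, lab)}   # stale list: door still opens
    swipe(bob, lobby)                         # Bob's card picks up v2
    swipe(bob, lab)                           # ...and delivers it to the lab
    out["jane_after"] = swipe(jane, lab)      # now refused
    forged = SignedList(3, frozenset(), b"\x00" * 32)
    out["forged_accepted"] = lab.offer(forged)
    out["rollback_accepted"] = lab.offer(v1)
    return out


if __name__ == "__main__":
    print(demo())
```

The `jane_before` result is the exposure window: until some other card has visited a connected lock and then the offline door, revocation has not reached it.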
March 15, 2005 at 09:30 PM in Smart Cards
February 11, 2005
Axalto Declares World's First Commercial Deployment of Microsoft .NET-based Smart Card
Cryptoflex .NET powered Card from Axalto Makes Smart Cards Easier to Deploy
Amsterdam, November 16, 2004 - Axalto (Euronext:NL0000400653 AXL) announced today the first commercial deployment of Axalto’s .NET-based smart cards to help secure access to Microsoft’s corporate network. Axalto’s Cryptoflex .NET powered smart card is a secure, ultra-miniature personal computing technology that runs a small footprint version of the .NET Framework. The .NET-based smart card provides customizable two-factor authentication as well as full cryptographic capabilities, seamlessly via the standard Microsoft .NET programming tools and interfaces. Microsoft marks the first enterprise deployment of the .NET-based smart card.
"We're delighted to see smart cards based on the ECMA standards for the core Microsoft .NET technologies," said Charles Fitzgerald, general manager of platform strategy at Microsoft. "Axalto's new .NET-based smart card is both a great solution to bring strong, two-factor authentication to the enterprise as well as yet another way for .NET developers to take advantage of their skills and code."
"The best approach to network access security is to add a microprocessor card into the authentication process. And adding smart cards to Microsoft environments is made even easier by Axalto's Cryptoflex .NET powered cards," said Marvin Tansley, vice president, Access, Axalto. "Supporting Microsoft .NET is a natural extension of Axalto's commitment to innovation around industry standards which enable secure access for many with varied identity management solutions."
Tens of thousands of Microsoft employees worldwide carry a corporate access badge that secures Microsoft computer systems and facilities. Microsoft will be deploying Axalto's Cryptoflex .NET powered smart card to its employees for secure remote network access in 2005.
Background:
Despite strong password policies, Microsoft determined that additional forms of authentication were required, especially for those that needed remote access to their corporate network to ensure that remote connections to the network are initiated only by authorized users. To counter the threat of unauthorized access to the Microsoft corporate network, Microsoft chose to deploy smart cards because of the cumulative sum of the product's reliability, performance, cost, security features, convenience and portability benefits. This approach to logical access security, completed worldwide in 2002 for Microsoft's 61,000 employees, has substantially increased the overall security of enterprise network assets and data at Microsoft.
Microsoft's selected .NET-based cards are smart IDs that support both physical and logical access on one smart card. A contactless feature embedded in the card provides the physical access to buildings and offices. The logical access control is provided via a microprocessor contact smart card with specialized security features, large memory for application storage, and implements Microsoft .NET. Secure and reliable cryptographic operations, such as symmetric (DES, AES) and asymmetric (RSA) algorithms are accessible via an implementation of the standard Cryptographic Services architecture of the .NET Framework. This empowers existing solutions that use .NET cryptographic services to be easily modified to use smart cards, bringing enhanced security and customization to .NET solutions, and allowing Microsoft's internal IT organization to use the same programming tools and skills they employ for other development projects. The .NET-based smart card represents a breakthrough in security technology by providing developers with an innovative and crucial component for building secure .NET connected systems.
The implementation includes a MSIL (Microsoft Intermediate Language) interpreter, application programming interfaces (system libraries needed for execution and smart card specific libraries for communication and security), a converter that turns a CLI (common language infrastructure) compliant binary into a binary file for loading onto the smart card, a set of relevant ECMA specifications of the reference implementation and a comprehensive test suite that verifies the compliance of the reference implementation to the specifications.
About Axalto
Axalto (Euronext: NL0000400653 AXL) is the world's leading provider of microprocessor cards (Gartner Dataquest 2004), the key to digital networks, and a major supplier of point-of-sale terminals. Its 4500 employees come from 70 nationalities and serve customers in more than 100 countries, with worldwide sales reaching 3 billion smart cards to date. The company has 25 years' experience in smart card innovation and leads its industry in security technology and open systems.
Axalto continuously creates new generations of products for use in a variety of applications in the telecommunications, finance, retail, transport, entertainment, healthcare, personal identification, information technology and public sector markets. Microprocessor cards provide convenience, security and privacy to public and private services operators, their customers and end users.
All trademarks are properties of their respective owners.
For more info, please visit www.axalto.com
February 11, 2005 at 09:16 PM in Smart Cards
February 10, 2005
Nokia releases phone shell for contactless payments
Finextra: Nokia releases phone shell for contactless payments
Nokia has released a shell for its series 3220 mobile phone that will enable consumers to use the handset for making contactless payments.
The shell uses near field communications (NFC) technology and allows customers to make payments by pointing the phone at a point-of-sale terminal. Payment information, such as debit and credit card details, is stored in an integrated smart chip in the shell.
Nokia says the NFC system is compatible with existing contactless payment infrastructures. Visa says the NFC shell is a natural extension of Visa's contactless programmes, while MasterCard says the development is a natural extension to the PayPass trial it carried out with Nokia in Texas in 2003.
In addition to payments, the NFC technology can also be used for ticketing and Nokia is teaming with German transport firm Rhein-Main-Verkehrsverbund to trial the system on the bus network in Hanau, near Frankfurt.
Peter Preuss, head of strategy and innovation at RMV, says: "NFC enables us to securely store and electronically control tickets in mobile phones... Another important feature of the project is, that the NFC enabled phones are compatible with the contactless smart card infrastructure already installed in Hanau."
Commenting on the new product, Petri Vesikivi, director at Nokia's ventures organisation, says: "Mobile operators can provide payment and ticketing applications to the phone together with service providers such as banks and transportation companies."
The Nokia NFC shell for payment and ticketing will be available in mid 2005 and will be distributed to customers by mobile network operators.
February 10, 2005 at 08:58 AM in Smart Cards
February 06, 2005
China's Ningbo Bird to market fingerprint ID handsets
China's Ningbo Bird to market fingerprint ID handsets - Yahoo! UK & Ireland News
SHANGHAI (AFP) - Chinese mobile phone maker Ningbo Bird has unveiled the country's first fingerprint identification phone, which guarantees security for Internet-based transactions, state press reported.
Ningbo Bird's phone is thought to be reliable enough to ensure information security on the Internet, which would create a new channel for shopping, banking or securities trading on the web, Xinhua news agency reported.
"As a self-developed technology, it will be particularly useful to e-government, which demands information security," said Jin Guangtao, Ningbo Bird's vice-president.
The phone, expected to go into mass production soon, was jointly developed by Ningbo Bird, the Chinese Academy of Sciences and Beijing-based Digital Fingerpass Technology Co.
The company, which had estimated sales revenue of one billion yuan (120 million dollars) last year, claims to be the third in the world to develop such technology after South Korea and Japan, the report said.
February 6, 2005 at 11:34 AM in Smart Cards
Dell Unwraps Trusted Security Notebooks
Dell Unwraps Trusted Security Notebooks - Yahoo! UK & Ireland News
ComputerWire Staff
Dell has made good on promises to offer built-in support for the Trusted Platform Module on selected desktop and notebook systems in early 2005, releasing three new notebooks that are built around the TPM security technology.
The TPM can be thought of as a smart card that is embedded on the system board and acts as a security key for the PC. The problem with existing PC security is that there has to date been no standardized way to securely store keys that are used for machine identity so that the keys cannot be discovered if the system is stolen or otherwise compromised. The TPM is designed to address this weakness.
Dell's new $1,677 Latitude D410 and two other new notebook machines are the first in what can be expected to be a series of TPM-compliant PCs from Dell. The PC vendor has committed to releasing a variety of TPM 1.1-enabled OptiPlex desktop, Precision workstation and Latitude notebooks in early 2005. Dell plans to offer a TPM 1.2 option in the summer of 2005.
TPM describes a protected part of a PC that can store encryption key pairs and do cryptographic processing. This module can be leveraged by software to perform security functions in a way that is supposedly tamperproof and "trusted". Microsoft, HP, IBM, Intel, AMD, Sony, Philips, Nokia, VeriSign, National Semiconductor and Wave Systems are companies that are behind the Trusted Computing Group's version 1.2 of the TPM component.
With version 1.2, the group has addressed some privacy concerns with new features such as support for the ability to create multiple keys for dealing with different parties. It also allows users to specify the level of access to the module different applications can have.
Use of TPM 1.1 in the Dell D410 means systems administrators can choose to lock digital content to specific PCs. Computer files can effectively be linked to specific machines to prevent network intrusions or theft of intellectual property, the vendor said.
The unit also comes with an environmentally friendly nine-cell extended life battery, that is not based on mercury, lead or cadmium technologies and so is in compliance with latest EU Directives. The new battery type is said to allow the D410 to run for up to 7 hours, something that is being called nearly all-day computing on a single battery charge.
February 6, 2005 at 11:19 AM in Smart Cards
January 14, 2005
Bell ID joins Multos Consortium
Bell ID and MAOSCO today announced an agreement for Bell ID to join the MULTOS Consortium. As a result Bell ID will gain an influential seat on the Systems Forum and Business Advisory Group of the MULTOS standards body. As a Systems member, Bell ID has voting rights over the further development of specifications relating to off-card data preparation and personalisation of MULTOS applications. Bell ID will also have automatic rights to implement the recently released MULTOS step/one off-card specifications for key management and data preparation of EMV and other value added applications.
MULTOS step/one is the entry level MULTOS platform for financial institutions migrating to EMV.
Bell ID has a significant level of MULTOS expertise. In 2002, Bell ID's ANDIS system was the first CMS to demonstrate the post-issuance loading of value added applications to MULTOS v 4.0 cards over the internet, and in 2003 was the first to show data preparation and personalisation of the MasterCard M/Chip 4 for MULTOS application. Since then Bell ID's ANDIS CMS has been used to perform data preparation and issuance of MULTOS cards in major multi-application smart card projects in Asia. In the course of 2005, Bell ID, MAOSCO and MasterCard will jointly develop new smart card issuance solutions for financial and ID MULTOS projects.
Igno Peters, Managing Director of Bell ID, stated: "As a leader in the multi-application smart card management business, we already have extensive expertise in MULTOS. By joining the MAOSCO consortium, we can contribute our knowledge to the future development of the off-card MULTOS specifications for the benefit of our growing number of MULTOS customers."
Steve Everhard, CEO of MAOSCO Ltd, said: "For Bell ID to join the Consortium at this new Systems Member level adds to their impressive list of 'firsts' in the multi-application smart card sector. We look forward to the added value their participation will bring to the development of MULTOS and MULTOS step/one and welcome them into the Consortium."
January 14, 2005 at 08:47 AM in Smart Cards
January 05, 2005
One in five shoppers shun Chip and PIN - Visa
Finextra: One in five shoppers shun Chip and PIN - Visa
One in five UK Chip and PIN cardholders are still using a signature rather than a PIN number to verify payments, according to research conducted by Visa.
Currently three in five cardholders in the UK have a Chip and PIN card. But the Visa research suggests that 20% of Chip and PIN cardholders in the UK are not using their PIN because they can't remember it.
Almost a quarter (24%) of respondents said they didn't use their PIN number because retail staff did not encourage them to. Furthermore, the same number said they were not even given the option to enter their PIN, even though they would feel comfortable to do so.
But the research found that five per cent of respondents chose not to use a PIN because they were "nervous" about the new way to pay.
From 1 January 2005, retailers will be liable for fraudulent transactions and can refuse to accept signatures if the customer has a Chip and PIN card.
January 5, 2005 at 08:32 AM in Smart Cards
Chip and PIN programme hails successful transition despite retailer criticism
Finextra: Chip and PIN programme hails successful transition despite retailer criticism
The UK's Chip and PIN programme says the nationwide transition to the new point-of-sale security technology has been a success, despite fierce condemnation of the effort by the Forum of Private Business (FPB).
More than 45 chip and PIN transactions took place every second across the country over the bank holiday weekend, with more than 12 million transactions verified by PIN rather than signature, according to the Chip and PIN programme.
But despite the threat of a liability shift from banks to retailers, two in ten retailers have yet to upgrade tills to accept both chip and PIN and signature cards. Retailers that haven't upgraded to the new technology will now be liable for fraudulent transactions rather than banks.
The Forum of Private Business has accused banks of pushing implementation of the system before retailers and consumers are ready. According to a Press Association report, FPB says more than 50 million chip cards are still to be issued, with Barclays and HSBC both admitting that one in three of their customers haven't received a chip and PIN card.
FPB chief Nick Goulding told PA: "FPB members have been contacting us complaining that they are still waiting for their chip and PIN machines, and it is estimated a quarter of businesses have not installed the technology."
But the Chip and PIN programme says retailers were pleased with the first weekend, with Nick Mourant, group treasurer at UK supermarket Tesco saying: "Contrary to media reports we found that thousands of cardholders used their PIN every hour with no problem. Queuing times have stayed the same or got shorter."
January 5, 2005 at 08:31 AM in Smart Cards
November 29, 2004
Identity Cards: The Debate Hots Up
Yahoo! UK & Ireland News - Identity Cards: The Debate Hots Up
The Government is set to reveal details of its plans for compulsory identity cards, which it says will help tackle problems such as terrorism and illegal immigration. Controversially, the cards will include the use of biometric data such as fingerprints or iris scans to confirm the holder's identity.
The Prime Minister has given his strong personal backing to David Blunkett's £3bn proposals as a Bill introducing the controversial issue is published later today at Westminster.
Tony Blair argued at his monthly press conference that ID cards will help improve people's security and improve access to public services.
He said ID cards were not a "silver bullet" to defeat terrorism but were an important weapon in the fight against terrorism and organised crime.
But the Identity Cards Bill is likely to receive a rough passage through Parliament.
The Liberal Democrats have voiced strong opposition to what they call the "deeply flawed" legislation, while the Conservatives also have strong misgivings.
Many Labour backbenchers are also believed to be uneasy about the impact of compulsory ID cards on civil liberties.
Lib Dem home affairs spokesman Mark Oaten has published figures showing that almost a quarter of a million passports are lost or stolen each year.
He warned of potential "chaos" if this rate of loss is repeated with ID cards, which holders will need to access vital benefits and most health treatment.
The plan is to introduce the cards in 2007-8 and for them to be made compulsory between 2010-2012.
November 29, 2004 at 09:17 PM in Smart Cards