Are Smart Cards Really That Clever?

New smart card technology holds great potential for a wide range of applications, says Karel Rode

By Karel Rode. Published February 27, 2008

Access to systems, buildings and our own financial resources is now protected by different but similar technologies. They have one thing in common: the triad of information security, which is made up of confidentiality, integrity and availability.

Still, having so many disparate systems means more cost-effective access to these resources is necessary. This is where the corporate smart card, which will come in different forms for banking and merchant transactions, enters the picture.

A few years ago an innovative company decided to add a magnifying glass to the credit card they issued, so that people could read the fine print on restaurant bills before settling them.

Not long afterwards they managed to include a battery and a light so that this could be done in more romantically illuminated eateries. This was some of the groundbreaking work that had to take place for common plastic cards to gain a higher level of functionality.

Today we have cards that include magnetic stripes, bar codes, RFID chips and EMV (EuroPay, MasterCard, Visa) chip cards.

These are all access control mechanisms that rely on hi-tech to provide their different functions, and they all strive to make our lives easier and safer.

Dongle deployments

The most innovative of the lot will be the new smart card or chip card that some financial institutions (mostly international) are issuing today.

This includes the EMV chip, a component much like the smart card inside cellphones. Cellphone smart cards are used to authenticate the user to the service provider. The phone challenges the user for a PIN, and this PIN is interpreted by the phone software to unlock the much stronger authentication key that is presented to the cellphone provider.

New credit cards with EMV chips will not be able to just pass through a card scanner without the user entering a PIN. For some this may be an inconvenience, but it is necessary to enhance security and verify transactions. EMV cards, though more expensive to manufacture, will be with us very soon.

A different form of smart card is the USB authentication dongle or a smart card that is inserted into a dedicated PC reader. Once deployed, these devices allow for much stronger authentication, as they require having something (the card) and knowing something (the PIN or pass code) versus just knowing the password.

Moreover, a smart card like this (or USB device) has additional memory where digital certificates and additional information can be stored. In the case of the US Defence Force, personnel will have their medical history encoded onto these cards. This means that when they enter a field hospital, the doctors can access their full history and work with assurance that the patient is not allergic to a specific medication.

The above is a good example of how sensitive information can be exposed to selected third parties within a tightly controlled process. The soldier may not be capable of indicating what his blood type is or what the pass code to his smart card is, but a defined process will store that information on a secure sector of the card, which demands different access control mechanisms to read the data.
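
The PIN-unlocks-a-stronger-key idea from the cellphone passage and the "having something and knowing something" point from the dongle passage can be sketched in a few lines. This is an added example, not code from the article or from any card vendor: ToyCard, verifier_accepts, the retry limit of three and the HMAC-SHA256 challenge-response are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class ToyCard:
    """Toy model of a PIN-protected token (hypothetical, not a real card API)."""

    MAX_TRIES = 3  # assumed retry limit; the article does not give one

    def __init__(self, pin: str, key: bytes):
        self._key = key  # strong secret; no method ever returns it
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)
        self.tries_left = self.MAX_TRIES
        self._unlocked = False

    def _hash(self, pin: str) -> bytes:
        return hashlib.sha256(self._salt + pin.encode()).digest()

    def verify_pin(self, pin: str) -> bool:
        """Something you know: unlocks the key, or burns one try."""
        if self.tries_left == 0:
            raise PermissionError("card blocked: retry counter exhausted")
        self._unlocked = hmac.compare_digest(self._hash(pin), self._pin_hash)
        self.tries_left = self.MAX_TRIES if self._unlocked else self.tries_left - 1
        return self._unlocked

    def respond(self, challenge: bytes) -> bytes:
        """Something you have: MAC a fresh challenge with the on-card key."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def verifier_accepts(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the MAC with its own copy of the key."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed sample key
    card = ToyCard(pin="4921", key=key)  # constructed sample PIN
    challenge = secrets.token_bytes(16)  # fresh per login, so replays fail
    card.verify_pin("4921")
    print("accepted:", verifier_accepts(key, challenge, card.respond(challenge)))
```

The short PIN is tolerable only because the card enforces the retry counter itself; the verifier never sees the PIN, only proof that the key was used.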

Clever access card

Similarly, I have a building access card that allows me access to my local office. It also functions in all of the EMEA and US-based offices, and where there is a local canteen I can present the cash wallet on the card as currency to pay for goods and meals.

I may not have access to every corner of the company, but I can gain access to all areas needed to perform my job. And the tight integration of the physical access control system with the user provisioning system brings additional benefits to me and the company.

As such, I can gain access to those restricted areas when I move into a new position or when I apply for it (if it is granted by the owner), and when I terminate my employment, I will automatically be removed from all IT systems and have my physical access revoked.

Smart cards are really smart. They have the potential to improve our personal security (access to physical spaces) as well as our logical security by protecting our financial resources and computing systems in a much stronger way than we are accustomed to. We may soon have to enter a pass code in a few more places, but this minor inconvenience will be for our own good.

Karel Rode is security solutions strategist at CA Africa.
