Smart Cards Get Smarter

• By David W. Dodd
• 10/01/18

For years, campuses have used plastic cards as part of what were called “one card” solutions. Initially, these were plastic cards with magnetic strips on the back that encoded information about the student’s personal profile. This, coupled with a backend computer system, made it possible to replace physical keys, photo IDs, credit cards, and other entities with a single card. But these cards were easily lost, and nearly as easily reproduced by hackers with equipment that became readily obtainable. Advances in technology led to chip-embedded cards that could be read within proximity of a scanner through wireless communication; thus, the term “prox cards.” These were soon followed by ways of compromising the respective security on the cards. More recently, “smart cards” have gotten significantly smarter and, at least for now, more difficult to compromise and counterfeit.

Increasing Sophistication

Smart cards typically incorporate a combination of microprocessor and memory. The security employs current encryption technology and standards. Depending on the nature of the cards, they can store significant amounts of information such as identity, financial accounts, health records, access rights, and more. Alternatively, the cards store little more than authentication mechanisms that establish the identity of the owner, with information stored in secured servers for access and use as needed.

In the future, cards with sensory and intelligence capabilities sufficient to actively confirm that the holder is the owner will be common. Techniques are being developed to enable this function, with most involving biometric characteristics of the owner. For now, a fundamental requirement involves the use of two-factor authentication (2FA). The most common mechanism uses a PIN that should only be known to the card owner. We insert our smart cards and then are asked to enter a PIN, with ubiquitous and highly visible warnings to “protect your PIN.”

The most common form of chip-enabled cards are those that require insertion into a reader in which contacts on the card enable communication with a security device. A card could be lost or stolen, but as long as the other ways of confirming identification are used there is reasonable security. It’s possible for hackers to disassemble the cards or scan them with unauthorized equipment, but encryption makes compromise difficult for now. Ultimately, hackers will catch up to this technology as well.

Wireless Developments

A number of companies are developing ways to return to wireless communication between the card and the security scanner. Technologies, including near field communication (NFC), enable two properly equipped devices to be brought within the required distance, usually one to two inches, and the two devices then connect, authenticate, and complete the intended operations. Using a distance-limited technology such as NFC with these cards has benefits.

Smart cards are increasingly becoming part of comprehensive campus security programs. Among the uses are tracking access to campuses to reduce crime and risk, debit card maintenance and promoting easy purchases on and around the campus, facilities access, library resource and equipment checkout, attendance verification for compliance reporting, and numerous others. These systems not only know whether an individual has access to a research facility, but also on what days and times. Changing or removing access is nearly instantaneous. Although communication with backend servers is an important component of these systems, on-premises caching of information is often used in the event of communication or power failures until resynching and interactivity is restored.

The microprocessors built into leading cards today can execute software associated with the purpose of the card. For example, they can be programmed to detect anomalies that could indicate attempted theft or counterfeiting, and to then cease operation. In a set of predetermined circumstances, they could be configured to require separate methods of authentication by the holder—including prompting for additional information or even fingerprint verification—before conducting the transaction.

Excellent smart card systems are not cheap. On a total-cost-of-ownership basis and when incorporating a risk-benefit analysis, however, they are very good investments for campuses seeking to promote safety and security. Increasingly, smart cards can legitimately be called “one cards” because they consolidate numerous functions into a single technology-enabled solution that is more robust and secure than predecessors. This is yet another area where holding onto older, legacy solutions is misplaced. The benefits, including safety, security, and added functionality, more than outweigh the costs. At a minimum, smart cards should be in the planning stages at all institutions.

This article originally appeared in the College Planning & Management October 2018 issue of Spaces4Learning.