What September 11 Means for Smart Cards

What September 11 Means for Smart Cards

"By Donald Davis

In the immediate wake of the Sept. 11 terrorist attacks, some politicians and prominent business executives, particularly in the United States, called for giving every citizen a smart card as an identification document. They argued this would make it harder for terrorists to use phony IDs to enter the country and to live anonymously, especially if the chip cards were combined with biometric technologies that identify a cardholder by such physical characteristics as a fingerprint, hand geometry, iris or retina.

Some observers predict all citizens will be carrying smart ID cards within a few years in major developed countries. If the terrorist attacks continue, they could be proved right.

But a more common view holds that the drive for tighter security will lead to a variety of initiatives incorporating smart cards and biometrics, rather than monolithic government ID card programs. These might include frequent travelers carrying chip cards to speed them through airport security checkpoints, and the addition of smart card chips to such existing identity documents as driver’s licenses and passports.

Such programs would build on efforts well underway before Sept. 11 that focused on using smart cards and biometrics to make it more convenient for air travelers to move from one country to another and for citizens to access government services on the Internet. “Our first idea was convenience, but now we are more aiming at security functionalities,” says Jan Van Arkel, co-chair of the eEurope Smart Card Charter, a European Commission effort to promote smart cards to enhance efficiency in government and industry. “It’s not so much that suddenly people are thinking of these technologies, but it has surely intensified the already ongoing discussion.”

In another important respect, smart cards are not starting from scratch, even in the United States, which has been a chip card laggard. Several agencies of the U.S. government have completed pilots and some are rolling out sophisticated, multifunction smart cards. This provides, for the first time in the United States, a cadre of experienced smart card users who can vouch for the technology.

“We’re committed to it; we’re big fans of smart cards,” says David M. Wennergren, the U.S. Department of the Navy’s deputy chief information officer for e-business and security, and chair of the Department of Defense smart card senior coordinating group. The Defense Department is leading the U.S. government’s smart card charge, with 70,000 chip cards already issued. The agency plans to distribute cards over the next 18 months to 4.3 million military and civilian personnel and outside contractors.

To be sure, there are implications to the Sept. 11 events that may negatively impact smart card rollouts. For instance, transit officials may be so occupied with security issues that they postpone discussions of new chip-based fare cards.

The Economy Heads South

The terrorist attacks may also have tipped the U.S. economy into a recession, and the ripple effects are being felt worldwide. “Sept. 11 has had an impact on all businesses in Asia, and the smart card industry is no exception,” says Greg Pote, general manager of the Hong Kong-based Asia Pacific Smart Card Association. “Both users and suppliers are tightening their belts and reviewing costs and expenses.”

An expected slowdown in consumer purchases of new mobile phones due to the deteriorating economy is likely to dampen demand over the next six months for the chip-based subscriber identity module cards used in GSM phones, says Maurizio Felici, general manager of the smart card division of chip maker STMicroelectronics.

But he sees a “a booming of ID applications,” if smart card players can convince government agencies that chip cards enhance security. That boom is likely to come only in 2003, Felici adds, because government programs develop slowly.

Others agree that Sept. 11 has led to many organizations taking a closer look at smart cards as national identity documents and for air travel and building access, often in conjunction with biometrics. Biometric technologies analyze a body part–such a finger or face–or a behavior–such as how you sign your name–and create a digital record of it that can be used to verify the identity of individuals subsequently. While those digital records, or templates, can be stored on a database, smart cards can make biometric projects run more efficiently, especially when many individuals are enrolled.

“Many biometric solutions work less efficiently when they have a database to work their way through,” says analyst Andrew Phillips of the Dataquest unit of Stamford, Conn.-based research firm Gartner. “Smart cards make a great solution for that, because you don’t have to do the biometric data capture and compare it against a huge database. You just compare it against a single piece of data on the card.”

A Card In Every Pocket?

If every legal resident had a smart card with a biometric identifier it would be hard for terrorists to circulate freely with phony ID documents, some reasoned in the wake of the Sept. 11 attacks.

That led to calls for issuing smart cards as national IDs in several countries, including the United States and the United Kingdom, where citizens have been wary of any document that allows government officials to track the movement of individuals. (Card Technology, November 2001.) Among those calling for such biometric-laden chip cards were the UK’s Home Secretary David Blunkett, and Lawrence Ellison, CEO of Oracle Corp., the world’s leading provider of database software. Ellison even offered to provide free software for a U.S. government identity card.

Analyst Ken McKay of Mountain View, Calif.-based research firm AsIs believes the U.S. government soon will require all citizens to carry a chip-based ID card. He predicts the government will issue 350 million smart ID cards by 2005.

“With the clear paradigm shift we’ve seen since Sept. 11, federal authorities appear to have gained a social mandate,” he says.

But Phillips argues that smart ID cards will not appear for years, if ever, in such countries as the United States and the United Kingdom. He points to privacy concerns and notes governments tend to move slowly.

David Birch of London-based Consult Hyperion agrees, and notes anyone seriously thinking about a national ID card would soon realize that it is not a quick or easy fix.

For one thing, he says, such a national ID card would have to be surrounded by extremely high security to prevent terrorists or criminals from stealing truckloads of ID cards or figuring out how to duplicate the secret identifying data on the chip.

For another, verifying identity “is more complicated than it first seems,” Birch says. “People get bogus passports now, so, therefore, they could obtain bogus smart cards.

“Both problems would take a lot of money and effort to fix,” he says.

Whether for operational or political reasons, both U.S. President George Bush and UK Prime Minister Tony Blair have taken their distance from any suggestion of national ID cards. Many observers believe it would take more terrorist strikes to make such ID cards politically palatable. Nonetheless, discussions about such cards continue, as officials prepare for all eventualities.

British publications claimed last month the government had secretly developed a prototype national ID smart card with biometric identifiers. But a Home Office spokesman says the work only had to do with the possibility of a chip-based passport, and not a national ID card.

Meanwhile, Sacramento, Calif.-based Search, a nonprofit organization focused on law enforcement technology, has scheduled an invitation-only conference for this month where ID cards are likely to be on the agenda, says one U.S. government official.

That does not mean anyone is actively promoting a national ID card, says another government source. But, he adds, “People are saying, ‘There are a lot of strange things happening. Let’s be ready for whatever the politicians decide to do.’”

Other countries also are discussing high-tech ID cards. Germany’s ministry of internal affairs has proposed adding a chip that would carry biometric data to Germany’s existing plastic ID cards, says Reinhard Kalla, general manager for chip cards at chip maker Philips Semiconductors.

Kalla says the discussion of adding a chip was going on before Sept. 11 as a way to prevent fraud. Since Sept. 11, he says, the discussion is more public and more driven by security. Germany’s Bundestag is to vote on the proposal next year.

Driver’s Licenses

Another initiative in North America could open the door to adding chips and biometrics to driver’s licenses to make them more reliable identity documents. In October, the American Association of Motor Vehicle Administrators, which represents officials in the United States and Canada, created a Special Task Force on Identification Security to develop “short- and long-term priorities and actions relating to improving the security of driver licensing and identification credentials.”

“Some key players in that area are convinced that smart cards are the best way to go,” says Tate Preston, vice president for marketing, government solutions, at Minnetonka, Minn.-based DataCard Group, a provider of card-issuance technology.

Because driver’s licenses are widely used as identity documents in the United States, by everyone from supermarkets to airlines, the motor vehicle administrators will be taking into account more than just their own needs, says Jay Maxwell, president and chief operating officer of AAMVAnet, the information technology arm of the association.

He says AAMVA does not want to get into an “arms race” with criminals, by relying too heavily on technology the authenticity of a license. Fraudsters would only use more advanced technology to create phony licenses, he says.

With that in mind, the association’s proposals are likely to include a range of security features, including checking with the agency that issued a license to make sure it is still valid, Maxwell says.

The less intelligence required on the card, the less driver’s licensing agencies are likely to need a chip on the card. Moreover, they recognize that a driver’s license is only useful as an ID document if the data on a card can be read by all the bars, stores, airline personnel and others who rely on licenses as ID. That means potentially spending millions of dollars to equip many locations with smart card readers.

At the same time, Maxwell notes, the association recognizes that many of the entities relying on driver’s licenses may want to add features to the license that might require a chip. They will take that into consideration in making their recommendations, he says.

“It could very well be for driver’s license purposes a smart card may not be necessary, but in order to accommodate other industries, it could be the smart card would be the better choice.”

The task force is preparing a proposal for AAMVA’s January board meeting. That could lead to the association recommending to the U.S. government a standardized driver’s license, along with funding to help states convert to more secure licenses, insiders say.

Preston says a recommendation from the AAMVA task force could go a long way toward convincing the federal government to provide the subsidies that would undoubtedly be needed to convince the 50 states to convert their licenses to chip cards.

“I don’t think we’ll see smart cards happening as driver’s licenses without a federal initiative,” he says. “It would be very difficult for one state on their own to say, ‘We’re going to spend four or five dollars more per card so the nation can be secure.’” Should the United States decide to add chips to its driver’s licenses, it could result in one of the largest smart ID card projects in the world, as there are more than 200 million U.S. driver’s licenses in circulation, according to AAMVA officials. However, such a program likely would take years to implement.

Immigrants Under Scrutiny

Meanwhile, immigrants, who wield less political clout and are seen by some as potentially more threatening after the Sept. 11 attacks, could soon be carrying chip-based ID cards in some countries.

The UK government has announced plans to distribute chip-based Application Registration Cards to seekers of political asylum, a group that numbered nearly 80,000 last year. The photo ID cards will carry a fingerprint biometric. Meanwhile, a bill has been introduced in the U.S. Senate to require immigrants to carry smart card visas deemed harder to fake than paper documents.

Asylum seekers in the Netherlands have been receiving smart cards with a fingerprint biometric for more than five years. The Ministry of Justice has issued some 600,000 chip cards as part of a program for keeping track of asylum seekers, says Oliver Burke, head of international sales at Bell ID, a subsidiary of UK-based Bell Group, which implemented the program.

He says more governments and airport authorities are inquiring about biometrics and chip cards since Sept. 11. Bell ID is close to finalizing a deal to sell its biometric and smart card technology in partnership with the division of German electronic giant Siemens AG that provides information technology to government agencies, he adds.

National IDs Advance

Meanwhile, other countries are moving ahead with plans to give every citizen a smart card as a national identity document. Among the nations expected to put projects out to bid soon are Israel, South Africa and Turkey, says Ian Povey, a London-based consultant for Plano, Texas-based information technology firm Electronic Data Systems.

What has changed since Sept. 11, Povey says, is that these projects “are more likely to be funded and implemented and accelerated.”

The terrorist threat may also affect the features that nine European nations put on smart cards they issue late next year as part of a test of an interoperable European ID card, says eEurope’s Van Arkel. Major government agencies, including the interior ministries of Spain and Italy and the Greek Ministry of Finance, plan to distribute more than 43,000 smart cards and 10,000 smart card readers as part of the test.

The focus of the eEpoch project has been on allowing citizens to fill out tax forms and apply for permits on the Internet. But, Van Arkel says, in the wake of the terrorist attacks, some countries could choose to add security features to the cards.

Another aim of the eEpoch project is to create standards that would allow government-issued smart cards to substitute for passports within Europe, Van Arkel says, allowing Europeans to quickly authenticate themselves when they cross borders.

Travel Documents

On an even broader scale, DataCard’s Preston notes, the International Civil Aviation Organization, which effectively sets standards for passports and travel documents, issued a call following Sept. 11 for making such documents harder to counterfeit.

He says some countries may add a chip to their passports–as Malaysia has done and the Netherlands plans to do next year–to carry biometric and other identifying data. “Biometrics should show up in virtually all these applications, where security and the need to authenticate someone’s identity is an important function,” Preston says.

Airports have been a special focus of attention since the Sept. 11 attacks, which began with terrorists hijacking four jetliners. As with national ID cards, there were several projects in the planning stages before Sept. 11 aimed at increasing traveler convenience that now will be studied as ways to boost security.

Amsterdam’s Schiphol Airport announced in October it would begin a one-year test of an iris-recognition system that would allow volunteer travelers to pass through immigration gates quickly. (See story on page 26.)

Several similar trials are in the works, as part of an initiative called Simplifying Passenger Travel, initiated by the Geneva-based International Air Transport Association.

Since Sept. 11, the idea has been picked up as a way to allow prescreened passengers to move through security checkpoints quickly, allowing officials to pay more attention to those who have not undergone the background checks needed to obtain the ID cards.

The U.S. Federal Aviation Administration, for instance, is considering the feasibility of the government offering such a smart card carrying biometric data to air travelers who agree to submit to a background check. “We’re looking into anything that might improve security, and this is one of many,” says an FAA spokesman, who would not speculate on when a decision would be made.

Backing the concept of a smart card with biometric data is the Air Transport Association, which represents 22 U.S. passenger and cargo airlines. A spokesman says the organization has proposed linking various government and police databases so that airlines could instantly be notified if a cardholder poses a security risk. The organization is proposing that the smart card be voluntary for U.S. citizens and residents, but mandatory for nonresidents.

Safer Buildings

The government of Oman, an oil-rich sultanate in the Persian Gulf region, also is considering issuing such a card to its citizens, according to the Oman News Agency. And Philips’ Kalla says his company is in discussions with several unnamed airlines about offering a chip card that could carry ticketing, baggage and personal data, along with a biometric identifier.

Just as airlines are more concerned about who boards their planes, building managers are paying more attention to making sure that only authorized individuals enter their facilities.

Dataquest’s Phillips says he has had many more inquiries since Sept. 11 from companies seeking to control access to their buildings with smart cards. Until Sept. 11, he says, 2001 had been notable as a year of inquiries about using smart cards to secure enterprise computer networks.

While smart cards are touted as a platform for hosting multiple applications–such as building access and computer log-on–Phillips says the building managers often are unaware that their network administrator counterparts are considering smart cards, as well. Hence, multiapplication smart card programs aimed at both physical and network security may require collaboration between corporate executives who may be unaccustomed to working together.

Like Phillips, Bob Sawyer, president and CEO of Torrance, Calif.-based access control vendor Group 4 Securitas Technology Corp., says he has seen a sharp increase in inquiries since Sept. 11. “We’re certainly seeing a significant amount of increased interest in biometrics, and, partially because of that, smart cards, because in many cases the two go hand in hand.”

Sawyer notes that the most common type of card for automated building entry is a proximity card. Such cards, similar to the tags attached to merchandise in retail stores to prevent theft, carry a simple memory chip that identifies the cardholder to a host computer. The cards typically cost $2 to $3, whereas smart cards may cost two or more times that amount, depending on their memory and functionality.

But Sawyer believes many organizations will be moving to smart cards because they can carry multiple applications on the chip. In addition, the microprocessor on a smart card allows it to store data more securely than a memory chip.

One organization that will be using smart cards for building access is the U.S. State Department, which plans to issue 15,000 chip cards to its Washington, D.C., workers for use in the agency’s headquarters building, says Lolie Kull, access control smart card implementation manager in a unit of the department’s Office of Domestic Operations.

State Security

State Department employees will insert their chip card into a reader and enter a personal identification number to gain access to the building. Kull says the chip card boosts security because the PIN can be checked by the chip on the card, and not transmitted to a back-end system, which raises the threat of someone stealing the PIN en route. Also, the PIN need not reside in a host database, another security feature, she says.

There are no biometrics on the card, although the department has tested iris-recognition and hand-geometry systems with 150 employees, and may add a biometric feature in the future, Kull says.

She says the State Department had planned to issue smart cards, as other federal agencies are doing, before the Sept. 11 terrorist attacks. But the attacks, she says, have “provided us with more of a sense of urgency to make sure anyone who comes into our building is authorized to be there, and whoever is holding the card is who they are supposed to be.”

While the Sept. 11 attacks were not directed at computer networks, some observers say the focus on security has prompted a new look at smart cards for preventing attacks on enterprise networks.

The Navy Department’s Wennergren notes that both the Sept. 11 and subsequent anthrax attacks highlighted the importance of employees being able to authenticate themselves to computer networks so they can work from locations other than their offices.

“There is a greater emphasis on a mobile work force, whether you have to stay home because there’s anthrax in the mailroom or because airplanes are not flying,” he says. “Having these digital certificates on a smart card allows me to do secure transactions from wherever.”

Some vendors report more inquiries about network security, such as Malcolm MacTaggart, president and CEO of Kanata, Ontario-based CryptoCard Corp. He notes a conversation with a San Francisco insurance executive, whose company had been considering for two years requiring more than user IDs and passwords for network access. After Sept. 11, MacTaggart says, they decided it was time to act.

Better Alternatives?

But such customers are not necessarily going to use smart cards, biometrics or digital certificates, because “there are easier, less-expensive alternatives available,” MacTaggart says. Widespread use of smart cards in network security may still be a few years off, he says.

Indeed, many of the initiatives set in motion by the recent terrorist attacks are likely to take years to implement, both to develop technology and to deal with such policy issues as how to make sure you are giving credentials to the right person.

But smart cards and biometrics are being raised in practically every discussion of how to fight terrorism. Thus, it is very likely that by the time, a few years from now, when new office buildings open up on the site of the Twin Towers, the people entering those buildings will be carrying one or more smart cards designed to help prevent a repetition of the events of Sept. 11, 2001. "

December 2001"

http://www.card-technology.com/