ID MANAGEMENTdoc.mediaplanet.com/all_projects/831.pdfaccept certain risks. A proper trade-off...

your partner of choiceAccess Control, CCTV, Intruder Detection and

Integrated Security Solutions from Honeywell Security

www.honeywell.com/security/times

ID MANAGEMENT

AN INDEPENDENT SUPPLEMENT FROM MEDIAPLANET ABOUT ID MANAGEMENT, DISTRIBUTED WITHIN THE TIMES

29 JANUARY 2007 A SPECIAL REPORT ABOUT PROTECTING NATIONAL AND PERSONAL SECURITY

AN INDEPENDENT SUPPLEMENT FROM MEDIAPLANET ABOUT ID MANAGEMENT, DISTRIBUTED IN THE TIMES2

CONTENTS

● Is your voice more secure than your memory? p.4

● Hitting the right standard p.4

● Pay fines and check ID p.5

● Pay as you go p.6

● Protect ID data from hackers p.6

● Biometrics ID card plans to be published this year p.7

● In the palm pof your hand p.8

● ID protected on the road p.9

● Using Biometrics sensibly p.9

● Personal and business ID theft rocketing p.10

● Biometrics steps forward p.12

● Will smart cards outsmart the criminals? p.14

● ID checking on the move gets back up p.15

● Find me a suspect p.15

● Britain could be a biometric world leader p.17

● Are shared secrets the answer to online fraud? p.17

● Easy access at easyJet p.19

ID MANAGEMENT A TITLE FROM MEDIAPLANET

Project Manager: Kerren Triffon, Production Editor: Ulrika Fallenius, Editor: Sean Hargrave, Design/Produc-tion: Sophie Westerberg, Print: News InternationalFor more information about supplements in the daily press,please contact Carl-Philip Thunström 020 7563 8877

Mediaplanet is the leading European publisher in providing high quality and in-depth analysis on topicalindustry and market issues, in print, online and broadcast.

www.mediaplanetonline.com

www.mediaplanetgroup.co.uk

Current trends in national identity management have an undeniableimpact on the daily life of the citizens. The rise of virtual identitiesthrough the massive use of the internet poses a particular challenge toidentity management in general. A new balance of trust in identitiesand in the people who manage those identities is to be found.

We know that the costs in connection to identity fraud are high andjustify a case for improvement. But what prize are we willing to pay?Are the proposed measures proportional to the problems they shouldsolve? What new problems are being introduced?

This last question is being triggered to a large extent by the intro-duction of biometrics in national identity management systems. For-tunately we have gained a lot of knowledge and experience on bio-metrics in the last few years so that there is not much left to be discov-ered. However, we are increasingly being confronted as citizens withthe exchange of personal data with third parties across the world.These processes are hard to supervise and therefore hard to judge ontheir proportionality, data protection aspects and final purpose. Trans-parency, one of the basic human rights, might get compromised.

Biometrics introduce new solutions and challenges to privacy anddata protection: the biometric information is strictly personal and cannot be revoked or changed as easily as a PIN-code. This immediatelycalls for proper mechanisms for securely storing, using and exchang-ing biometric data, especially if it is connected to other personalinformation.

Max Snijder, CEO European Biometrics Forum

Biometricsthe key totrue IdentityManagement

The prize offreedom

Biometrics is the only technology that can trulyprovide a strong link between a living person andtheir associated electronic data. Biometric technolo-gies, such as fingerprint, face and iris are at the coreof all large scale identity management systems.

However, contrary to popular belief, biometrics cannot fulfil the roleof an Identity Management system on its own. Usability, portabilityand security are just as important factors and to this end system inte-grators turn to smart cards, public key infrastructures and other relat-

ed technologies to complete the circle.Standards too play a vital role. The effectiveness of any IM system is

dependant upon how well it works with other systems. Standards playa key role in this interoperability. An excellent example of standards atwork is the new ePassport (an IM scheme of sorts); issued in manycountries but read in many more. All ePassports, regardless of whoissues them, adhere to international standards ensuring they are inter-operable. It is only through organisations like the British StandardsInstitute (BSI) supported by the International Association for Biomet-rics (iAfB) and its member companies that biometric standards are asadvanced as they are today.

The iAfB is the UK National Body for Biometrics and is pleased toperform a co-ordination role with associations serving these relatedtechnologies. The iAfB was set up in the early 1990s by the DTI, withthe valued assistance of a few biometric “evangelists”, to foster thebiometric industry in the UK. Since inception the association hasgrown from strength to strength and is recognised as one of the lead-ing associations worldwide.

Our mission is: “To promote the development and implementationof Biometric technologies, standards and applications through educa-tion and awareness programs and the gathering and dissemination ofbest practices.”

Bill Perry, Director iAfB

If we would like to maintain our freedom we have toaccept certain risks. A proper trade-off betweenfreedom, privacy and security is a matter of nation-al debate and building international trust. Terrorismis an important threat, but so could be our counter-measures. If our security is getting too inconven-ient, it will fail one way or another.“The iAfB is the UK National Body for Bio-

metrics and is pleased to perform a co-ordi-nation role with associations serving these

related technologies“

www.iafb.org.uk www.smartex.com www.eubiometricforum.com

New rules set toreduce card fraud

The figures speak for themselves. In 2000,CNP fraud cost UK companies £73 millionand by 2005 this had rocketed to £180 mil-lion, up 21 per cent from £151 million in2004 and is continuing to be the majorarea for growth for card fraudsters.

One way to stop fraudsters is to preventthem from obtaining card information inthe first place. Visa and MasterCard areintroducing a new global standard knownas Payment Card Industry Data SecuritySpecification (PCI DSS), which sets out 12security criteria which must be certifiedannually and checked every three monthsby external auditors, to ensure that retail-ers and third-party processors protect carddata stored in their systems and that carddata is kept secure at all times.

“Visa and MasterCard have been the mainforces behind a set of standards whichmakes sure payments are handled moresecurely,” points out Peter Phillips,Business Unit Director, ElectronicPayments & Card Processing at AtosWorldline, an Atos Origin company.

“Adoption of this standard means that lia-bility for fraudulent Visa and MasterCardtransactions shifts to the card issuer, withthese initiatives being estimated to cutfraud and disputed transaction rates by 80per cent”.

Atos Worldline provides an outsourcedcredit and debit card payment processingservice used by many large corporations,leading retailers, hotel chains and banksacross the UK, France and Germany. Itauthorises more than 250 million cards per

month and handles 4.5 billion card trans-actions per year.

Atos Worldline operates two levels ofcard fraud and risk management protec-tion to its customers to assist the fightagainst fraud. Firstly, it operates a secureinternet payment platform over which itscustomers’ card-not-present transactionsare handled and it is this system, overwhich online, mail order and telephonepurchases are processed, for which AtosWorldline been awarded PCI certification.

Secondly, a fraud detection and preven-

tion solution, which is a cost effective toolfor reducing fraudulent card paymentsboth in traditional outlets and the Internet.This alerts companies financial or frauddepartments to early fraud recognition andthereby gives the ability to react quickly toany new identified fraud patterns.

“The accepted wisdom in the industry isthat if you’re not PCI compliant now orsoon about to be, you’ve left it too late,”says Nigel Freeth, head of Atos Worldline,an Atos Origin company. “It requires amajor overhaul of your systems; we esti-

mate it’s taken something like 3,000 to4,000 man hours for us to be PCI compli-ant. The rule of thumb in the industry isthat it will cost the average card paymentsprocessor something in the region of£100,000.”

The work has been carried out ahead ofnext July’s deadline, by which time allretailers and processors must be compliant.Those companies that are not there yet, ornot on the verge of compliance, run thevery serious risk of their clients switchingto providers who are, Freeth warns,because clients will naturally seek to pro-tect themselves against the ever-growingproblem of card-not-present fraud.

“Come next July, retailers and processorswho fail to comply face fines or even a banfrom accepting card payments. Manyretailers are beginning to realise that ifthey are compromised it will be a substan-tial drain both financially and operational-ly and therefore want to protect themselvesas far as possible.” Phillips advises. “Webelieve that not all payment processors willbe able to afford the investment to becomePCI compliant and so there is a hugeopportunity for one that is, such as our-selves, to provide a service for companiestaking card-not-present payments thatreassures them they are protected.”

Whilst there may be some that will wonderwhether the impact of PCI regulation willbe to encourage retailers to use their bankor their card acquirer to handle credit anddebit card payments, Freeth remarks thatmany more companies are choosing anexperienced payments outsourcer to givethem a competitive edge.

“An outsourced payments provider allowsretailers the flexibility of being able to nego-tiate with card and bank acquirers over MSCrates, yet have the assurance that they canswitch acquirer without affecting their pay-ment processing operation,” he points out.

“As far as we’re concerned, we providecontinuity in the processing of their pay-ments, in a secure and timely manner,enabling the company to switch from cardand bank acquirer at the drop of a hat ifthey get a more competitive deal else-where.”

Chip and Pin has had two huge impacts on credit and debitcard fraud. On the one hand moving away from signatures toPINs has significantly reduced the problem of fraudsters withcounterfeit or stolen cards going on high street spendingsprees. However, as one might imagine, it has instead shiftedthe problem of fraud to ‘card not present’ transactions, such asonline, mail order and telephone purchases.

Adoption of this standardmeans that liability for

fraudulent Visa and MasterCardtransactions shifts to the cardissuer,with these initiativesbeing estimated to cut fraud anddisputed transaction ratesby 80 per cent

”

”

PROMOTIONAL FEATURE


Is your voice more secure than your memory?

This could be about to change,though. In a landmark decision, thelargest bank in the Netherlands, ABNAmro, has decided to replace its PIN-based telephone service this year withone where customers need only speaktheir nine digit account number andthe answer to their security question.The voice verification system, provid-ed by Voice Vault, then decides if theperson is who they are claiming to beand allow them to proceed.

With you alwaysThe same system is already beingused in the USA to keep track of thou-sands of people on probation. At anallotted time, set by the probationofficer, the person on probation iscalled on their home number andasked to say, normally, a sequence ofnumbers. The system then analysestheir voice to decide whether it istruly them answering the phone.

According to Nigel Phillips, Head of

Product Marketing at Voice Vault, theABN Amro and American justice sys-tem projects are testimony to howwell the technology has come along.

“Voice verification has progressed inleaps and bounds over the last coupleof years and it’s now at the level wherea major bank says it is better than aPIN-based system,” he enthuses.

“The great thing about voice is youalways have it with you and it caneasily be checked remotely. It’s proba-bly not something you would com-bine with an ID card because if theperson is present a picture or fingerprints can be used but we believe it’sthe best solution for remote verifica-tion because people forget PINs butyou cannot forget your voice.”

Voice ‘prints’Voice verification has now progressedto a stage where it does not have to bebased on the wave form created byspoken words. Instead biometric

Hitting the right standardIdentity management is already of great importance to the UKgovernment but it is set to become even more crucial once theNational ID card is introduced in 2009.

The skill in managing any identity system liesin ensuring people are who they say they arewhen they enrol for the card and that biomet-ric information taken at at that initial inter-view is standardised.

This way, the card issuer can be sure thebiographical data, such as name and address isaccurate, and that only one card is issued toeach person. At the same time, biometric datashould ideally be collected in a standard man-ner so a database can be searched thoroughlyat a later stage. Without keeping to a strictstandard, photographs and finger prints canbe of varying quality, curtailing the effective-ness of later searches.

Interview keyNigel Ward, Managing Director of Digimarcwhich produces driving licences for the major-ity of American states, several Canadianprovinces, Russia and the DVLA in the UK,

Proving who you are over the phone or online can bearduous. Secure services, such as banks and retailers,expect the public to remember a long list of passwords,security questions and PINs to protect their identity.

information is extracted from spokenwords to generate a ‘voiceprint’.

“The technology has been aroundcommercially since the early 1990’s.We’ve been tracking felons on parolein America for quite a few years. It’s ahighly effective way of ensuring thatthey comply with home detentionorders. However it’s been in the lastcouple of the years that the technolo-gy has advanced to the stage that itssecure enough for financial institu-tions to use,” Phillips continues.

“VoiceVault uses spoken words tocalculate more than 100 characteris-tics of a speaker’s voice tract. Thisbuilds us a biometric voiceprint thatreflects, for example, the size of yourtrachea, nasal passages and so on.”

“One of the benefits of thisapproach is that the system isn’taffected by someone having a coldbecause that might just affect onemeasurement but leave more than100 unaffected. It also has technologyto detect the use of a recording sosomebody cannot pass themselves offas someone else using a taped voice.”

Indeed ABN Amro recentlyrevealed that when they were testingthe system last year they used peoplewith colds, callers on different phonesat different times of the day (the voicecan vary according to time of day)and even used identical twins in a bidto find out how robust the system is. Ithas been impressed enough to roll outthe system this year to its customers

who make a staggering 35m calls peryear to its contact centres.

“Voice recognitionhas progressed in leaps

and bounds over thelast couple of years and

it’s now at the levelwhere a huge bank saysit is better than a PIN-

based system“

believes the move to a National IDcard will inevitably need a robustinterview procedure to protectagainst fraud.

“In America, where we provide themajority of driving licences, there is afederal move to what’s called ‘Real ID’where people have to bring in docu-ments to prove who they are and theissuing authority is compelled to veri-fy those documents,” he points out.

“Our systems can check andauthenticate the identity documentspresented as proof of identity, such asdriving licences, passports, birth cer-tificates, or other forms of ID, toensure they are real and then our Cap-ture Station takes photographs wheresoftware ensures the pictures are tothe International Civil AviationOrganization standard. Finger prints

and signatures can be recorded aswell, to ensure they are all standard.”

These Capture Stations are beingused in 231 locations across HongKong to roll out its ID card.

Copy proofOf course, an identity system can onlybe effectively managed if the cards incirculation are protected from beingcopied. In the case of the UK drivinglicence this involves incorporatingdigital watermarks which make thecard virtually impossible to copy.

“We’re specialists in digital water-marking, a covert, machine-readablefeature that can be used to authenti-cate identity documents, and incor-porate more than 20 security featuresin to the UK driving licence,” revealsNigel Ward.

“The average person can pick up ona few of these but people that need tocheck licences, such as a police officer,know where and how to look for theother digital watermark and securityfeatures. It goes without saying thatthe better you protect the card againstfraud the more secure you make theentire ID management system.”

AN INDEPENDENT SUPPLEMENT FROM MEDIAPLANET ABOUT ID MANAGEMENT, DISTRIBUTED IN THE TIMES 5

Police officers could be asking offenders to pay fines onthe spot and prove who they are before the endof the year with the aid of a new mobile pay-ment terminal and finger print reader.

More secure passwordsare neededThe need for companies to use pass-words that are not easy to guess wasrecently brought home to one ChiefSecurity Officer.

Whilst he had been used to individ-uals gaining access to personal emailaccounts with the name of a pet orchild he was surprised to discover thatone of the major telecommunicationscompanies in Latin America had setevery password in its system to a verywell known fizzy drink. “Any hackerjust guessing a very common wordcould have brought their whole sys-tem down, it’s just so scary. It showshow important multiple and unpre-dictable passwords are.”

The kit is supplied by Ingenico, thecompany behind Chip and Pin termi-nals in banks, shops and restaurants,and is due to go on trial within a cou-ple of months with an English policeforce. If the trials are successful, sev-eral more have shown an interest inusing the system. At first the unit willbe trialled in a dozen custody suites

but it is expected the reader couldthen be used in the field allowingpolice officers to print out PublicNotices of Disorder (PNDs) fines andaccept payment for them at the

same time as checking identities.“The police always face the prob-

lem of whether someone is who theysay they are and this will let themcheck,” says Paul Rodgers BusinessDevelopment Manager Ingenico.

“It’s designed to accept and readthe national ID card when it is in cir-culation, so an officer could check afingerprint against those stored onthe card. The officers we’ve shown it

Pay fines, check ID to are excited about this because theyreally don’t want to let someone gowho is wanted elsewhere and this willhelp them avoid that.”

Even before ID cards are issued, theunit can still take a finger print andsend it to a central computer systemwhere it will be checked against themillions of prints held on police files.If there is a match and the name onfile is not the same as the personbeing questioned has offered, or if theprint matches that of a person wantedin connection with other offences, thepolice can be informed in the fieldand take further action.

Rodgers also believes the mobilereader will be widely used to allowtraffic policemen to comply with thelatest Road Safety Act which enablesforces to take roadside deposits onfines to combat the problem ofmotorists, particularly from abroad,driving off with no intention of pay-ing any part of their penalty.


Pay as you goTicket to ride, and buyTrials are just about to start that couldpave the way for London commutersto combine their credit cards and Oys-ter travel cards.

Just three years after they weremade publicly available, 10m Oystercards have been issued. The creditcard sized travel cards allow people to‘touch in’ and ‘touch out’ at thebeginning and end of bus, tram, trainand tube journeys in London, cuttingdown greatly on queues at barriersand pay stations.

The cards can be topped up at sta-tion machines or online and can evenbe set up to automatically top upcredits when the stored value goesbelow a certain value. The cards areread when hovered over the familiaryellow touch pad through a technolo-gy known as RFID (Radio FrequencyIdentity) which works over short dis-tances using radio waves which is farquicker than having to slot a card inand out of a ticket barrier.

Credit trialTheir wide use has prompted TranSys,which supplies the Oyster card forTransport for London, to considerenabling the card to be combinedwith a credit card.

“We’re just about to begin on asmall scale trial with Barclaycard,”reveals TranSys Chief Executive, JohnStout.

“The trial card can be used to payfor goods in the same way it can beused to pay for journeys, you show itto a reader at an equipped till and the

money is charged to the card. If thetrial is successful it will be a greatway of us allowing customers to justcarry one card around with theminstead of two.”

Due to Oyster being read acrossradio waves registered cards have theextra security feature of being can-celled the next time they are shown toa reader. Not only do the cards pro-vide no information that is of use to athief but also the network of readerscan be set up to cancel a card andreject it the next time somebody triesto use it.

So unlike a lost paper ticket, theowner of a registered Oyster can sim-ply ask for a lost or stolen card to bereplaced and will not lose credits

stored on the card once it is reportedmissing. The same security featurescould apply to the credit card half ofthe combined card which will holdinformation that is stored separatelyfrom Oyster travel data and credits.

THE PROCESS TAKES A QUARTER OF A SECOND,SO QUEUES ARE SIGNIFICANTLY CUT

● Ticket fraud has now fallen to just 2%● Revenue lost through fare evasion has fallen by 40%

“Due to Oyster beingread across radio waves

registered cards have theextra security feature ofbeing cancelled the nexttime they are shown to a

reader“

Wi-Fi networks are springing up across the country allowing family members to surfthe Net in multiple rooms around the home as well as empowering offices to offerstaff access to computer systems without all the wires.The networks are even spreading now into ‘hotspots’ in airport lounges, bars, restau-rants and city centre areas, allowing laptop and personal organisers to stay connectedon the move.

As with any step forward in technolo-gy, however, there is a risk and withWi-Fi the fact that you can so easilyjoin a network and start surfing comeswith the risk of thieves using the sameconnection to gain access to your lap-top to steal vital information, such asbanking passwords and log on infor-mation for a company network.

Clever hackersWhilst most companies are aware ofthe issues and have invested in secu-rity for their corporate network, ethi-cal hackers SecureTest reveal that thereal problems are at home where peo-

ple do not have the same level of pro-tection against criminals eavesdrop-ping on a wireless connection.

“There are some really worryingaspects to Wi-Fi that companies andindividuals need to be aware of,”reveals managing director KenMunro.

“The main one is that as soon asyou use a Wi-Fi hotspot your com-puter will carry on looking for thathotspot so the next time you are thereyou can log on easily. The problem is,any hacker can pick up what wirelesshotspot you are looking for and thenpretend to be it. That will then allowthem to have a wireless link to yourlaptop and pull off all kinds of sensi-tive information.”

It is the same for home networks, hewarns.

“People just don’t tend to protecttheir home network and if they do, ittends to be what’s called WEPencryption which is a lot easier tobreak than WPA, which we wouldrecommend everyone to set up ontheir PC.

“It’s a real problem because we’vefound that people tend to call theirhome network, something like ‘Home’and then we’re starting to find that ifthey are in, say, an airport lounge andsomeone else’s laptop is looking forthe ‘Home’ connection, the two lap-tops will link up. Obviously that couldmean a hacker could get data fromyour laptop.”

Steps to take SecureTest’s top advice to any wire-less user seeking to prevent ID pass-words and the like being stolen over aWi-Fi connection is to rename their‘Home’ network to anything but‘Home’ and to set up encryption onthe connection – this is normallyoffered on the laptop under its wire-less network settings.

A crucial final, and very simple,piece of advice is to learn how toswitch off a laptop’s wireless capabil-ity when it is not needed – some havea switch or button by the keyboard,for others you will need to look in theControl Panel of the laptop. This way,

when you want to use a wireless con-nection you can turn on the PDA orlaptop’s wireless capabilities so it isnot constantly searching to remakepast connections that make it vulner-able to hacker attack.

“There are some real-ly worrying aspects toWi-Fi that companies

and individuals need tobe aware of“

Ken Munro, managing director,SecureTest

Protect ID data from hackers


Biometric ID card plans to be published this yearAfter much parliamentary wrangling, concerted opposition from the House of Lordsand opposition parties, as well as back bench revolts that made votes too close to call,the UK finally committed itself last year to a national ID card which will be issuedfrom 2009 onwards.

Taken for granted across much of theworld, ID cards allow a citizen toprove who they are. Equipped with amicrochip, the photo card will be ableto store a photo of the person, whichmust obviously match the one printedon the card, as well as hold informa-tion about the person, such as theirname, gender, address and date,national insurance number and dateof birth, so they can prove who theyare and so make it harder for crimi-nals and illegal immigrants to fakeidentities.

Although the logistics behind thescheme are already being discussedand implemented, biometric data willnot start to be taken until 2008. Fromnext year on, anyone applying for anew passport will also be issued withan ID card for which, it is expected,although not yet known, they willneed to provide 10 flat finger printsand, perhaps also, a scan of each iris.

These biometrics will be taken at 69regional offices, which are in theprocess of being set up, to which peo-ple renewing a passport will be askedto report for interview. A mobileenrolment station is expected to driveout to the country’s more remoteareas to process applications.

Opt out to endThe biometrics will be added to anational database which will growyear on year as more people replacetheir passports. Although the first IDcards will be issued in 2009, they willnot be mandatory with all passport

renewals until 2010, due to a lastminute opt-out clause negotiated bythe House of Lords.

In addition, to allow fears ofinfringing civil liberties, having an IDcard is not compulsory for those whodo not have a passport to renew.However, Labour is committed to

making the scheme mandatory and,should it win the next election, it haspromised legislation to make owningan ID card compulsory for anyoneaged 16 or over.

The government has been keen topoint out that the ID cards will only

hold information about your identityand will not store details about raceand religion or criminal and medicalhistories.

Plans awaitedIn the identity technologies industry,all eyes will now be on the UK gov-ernment to elaborate exactly howthey expect the cards and the com-puter networks behind them to oper-ate when it announces tender detailsin the second quarter of the year or, asmost now believe, this summer.

According to many in the industry,the main criteria will be the back officesystem because the technology to pro-duce smart cards is advanced andreadily available. It is the integrationof the card technology and the data-base of biographical detail that is key.

In fact, it is most likely that theNational ID card system will need tofit in to three or more databasesbecause the government had to scrapplans to build a single database whereit was suggested all relevant informa-tion for identities to be checked wouldbe stored.

Although the idea was mootedagain in January by the Home Office,identity technology insiders areexpecting the eventual National IDcard system will need to work withmore than one government database.

Interview keyAnother crucial issue will be get-

ting the first stage right because oncean ID card is issued, with biometrics, aperson is locked in to that identity.

Hence, the interview stage is cru-cial, according to Andrew Henderson,Sales Director at Giesecke & Devrient,a company specialising in smart cardsolutions as well as its traditional corebusiness of producing secure banknotes such as the euro.

“That first interview is going to becrucial to make sure that people arewho they say they are when theypresent themselves,” he points out.

“People will wonder whether it willbe a great chance for criminals toassume another identity but the inter-esting point is that because the UKcard will have biometrics on the chip,you could only do this once. Peoplemight change details about them-selves but they can’t change their bio-metrics, they remain constant, sofraud should be far less of a problemthan paper documents.”

With the identity security industryconfident the technology is in placeto provide a secure national ID card, itjust now remains for the governmentto publish plans on the project’s finerdetails and issue the necessary tenderdocuments for companies to set for-ward their proposals. A process that islikely to make 2007 the country’smost important, and busiest, year sofar for the identity security sector.

Timeline

Spring 2006: Legislationapproved the national

ID card scheme

Spring/Summer 2007: Government will put the

project out to tender

2008: Biometric data will be collected

2009: First ID cards will be issued

2010: ID cards become compulsory on all passport renewals

Fingerprintsfor wardens

Staff at the former StrangewaysPrison in Manchester now have animproved means of ‘clocking on’and ‘off’ for work. Fingerprintscanners linked to high securityturnstiles have been introduced tonot only speed up the process andensure only those present canclock on for work as they arrivebut to also allow the governor ofthe prison to know which skilledstaff are available at any time.

“It is very helpful for the gover-nor to know who is on site andwhich particular skills they have attheir disposal, particularly, say,trained hostage negotiators,”explains Francis Toye, managingdirector of Unilink, the companybehind the new system.

Payne buys CSL

Payne Security has acquired CSLDigital Print, a digital print busi-ness specialising in the manufac-ture of plastic identity cards. Theinvestment enables Payne Securityto combine CSL’s expertise in vari-able data and other value-addingprint with its existing toolbox ofsecurity technologies, widely usedin passports and documentauthentication, to deliver securecorporate and national ID cardsolutions quickly and effectively.CSL has been incorporated into thePayne Security personal ID busi-ness and has relocated to thePayne secure card productionfacilities at Mold in North Wales.

“Although the logistics behind the scheme arealready being discussed and implemented, biometric

data will not start to be taken until 2008“

POLITICAL BACKGROUNDThe Conservatives and LiberalDemocrats both opposed the intro-duction of the ID card and theHouse of Lords rejected plans fivetimes. The Conservatives havepromised to repeal the legislation ifthey come in to power at the nextgeneral election. The governmentpredicts the project will be unstop-pable by then, should that happen.

INFO ON CHIPPicture, name, date of birth,address, gender and biometricinformation (expected to be 10 flatfinger prints and, possibly, irisscans)

INFO NOT ON CHIPNo reference to religion, race, sexu-al orientation, political views ormedical and criminal records

HOW MUCH?The card is expected to cost £30 onits own or around £93 when com-bined with a passport renewal


In addition, the technologies and solutionsbeing developed are offering more efficient,secure, means for businesses to manage ac-cess to their buildings and data – the con-cept of access control from ‘Doorway toDesktop’.

So claims Stephen Smith, Senior Con-sultant at Steria, one of Europe’s top ten ITservice companies. The company has beenworking on several access control and crossborder ID management systems, which usebiometrics to help identify people and hebelieves that, despite understandable privacyconcerns, such advances are beneficial tocitizens across Europe.

Steria Delivering Identity Management Solutions

Steria is currently supplying UK visas withthe biometric hardware to enable the capture

of fingerprint and face biometrics from visaapplicants at the UK’s ‘overseas missions’.Providing a ‘purchasing framework’ fromwhich appropriate biometrics can be drawnto meet the variety of needs in ‘missions’worldwide.

As prime contractor for the centralSchengen II/VIS (Visa Information System)and as a contractor supplying key elementsof the national Schengen systems in 13 ofthe 27 European Union (EU) countries, Ste-ria is also heavily involved in the SchengenVisa programmes.

Utilising technologies developed fromwork on its own fingerprint ‘interoperabil-ity’ projects, Steria is a supplier of the In-ternational Labour Organisation’s SeafarersID card, known as SID. This has also beenused for ‘fingerprint based’ biometric ac-cess control installations in very harsh cli-mates, using contactless ‘smart cards’.

Elsewhere in the EU, the company is be-hind the technology that allows over 16 po-lice forces across the EU to search oneanother’s fingerprint databases, not previ-ously possible due to differences in encod-ing formats used by each country. Steria hasdeveloped a means for prints to be transmit-ted to other countries using international im-aging standards and then encoded in thelocal manner. Steria also delivers a systemthat allows EU countries to check asylumseekers to find out if they have applied forasylum elsewhere within the EU.

“The authorities have a real problemidentifying people claiming asylum fraudu-lently using a false name and offering nodocuments,” Smith continues.“With our system, fingerprints are taken andstored in a central database, which can beaccessed by all EU countries. Checks canthen be made to ensure multiple applica-tions are not made, restricting asylum seek-ers ability to ‘shop around’ for a ‘better’country after gaining entry elsewhere.”

Collating and correlating data

To underline the potential benefit of ‘iden-tification data’ being shared by law enforce-

ment and government agencies Smith pointsto the lessons learned from the terribleevents of 9/11.“One of the findings of the U.S. commissionenquiring in to ‘9/11’ was that informationshould be shared between relevant depart-ments because in the U.S. case more than 20agencies held little bits of information sepa-rately about the plane hijackers,” he points out.

“They may have been tiny pieces of infor-mation but shared and correlated they mayhave provided ‘life saving intelligence’.

Properly managed, linking ID manage-ment systems allows vital information to beshared, so achieving a more accurate ‘threatassessment’ and more focused investigation,thus helping to protect each nation against se-rious/organised crime and acts of terrorism.”

Identity Management improving thefight against terror, crime and fraudID management systems and the biometrics that underpin themare giving government officials and law enforcement officersnew tools to fight global terrorism, tackle crime and manageasylum applications.

In the palm ofyour handKnowing something ‘like the back of your hand’ is acommon saying but the clue to proving identities couldactually lie on the other side of each hand.

Palm vein recognition claims severaladvantages over other biometricmeasurements and has recently beenput to use in a primary school in Scot-land to verify children against a list ofthose who have paid for their schooldinner or receive a free meal.

It works through a reader project-ing a beam of near infra red light onto palm, held a couple of centimetresaway, so it can map the veins justunder the surface of the palm whichare unique to each person yet invisi-ble to the naked eye. Fujitsu, the com-pany behind the school project claimsthere are advantages to a contactlessapproach.

“When biometrics start to be widelyused, nobody’s going to really wantto put their hand on a finger printreader where thousands of otherhands have been,” argues Mike Nel-son, General Manager of Sales andOperations at Fujitsu.

“Fingers prints are also associated

with criminality and not everyonecan give them all the time, particular-ly manual workers whose finger tipscan be worn. That’s the beauty of apalm vein system, you can’t leave itanywhere because it’s under yourskin so people know it’s not connect-ed in any way to crime or police data-bases of finger prints.”

Several banks in Japan use palmvein recognition at cash pointsinstead of PINs and hence Fujitsu istalking to UK banks about how thetechnology could be used to help cus-tomers who forget numbers as well ascut down on card fraud.

“Several banks inJapan use palm veinrecognition at cashpoints instead of

PINs“

Caesar the encryptorEncryption may well be the latest technology to be used toscramble valuable identity data on smart cards but did youknow that a certain Julius Caesar is widely regarded as oneof the first figures in history to regularly use secret codesonly he and the person he wanted to read the message knew.

Modern communications may have come a long waysince, but the principle to safe business and secure homecomputing is exactly the same. If only you and the per-son you are communicating with can read a message, itis secure from a third party – in Julius Caeasar’s case, themessage could not be read by the soldier carrying themessage or any enemy soldier who intercepted it.


Using Biometrics sensiblyThe public debate about undue intrusion into, and per-haps control over, our daily lives will doubtless rumbleon for decades as biometrics enters our daily lives butthere are some more fundamental issues that should firstbe understood and considered.

Verifying identityVerifying absolute identity is a com-paratively rare requirement, unlessyour name is on a wanted list. It isalready abundantly clear that IDcards do nothing to prevent terrorismor indeed more common criminalacts, as crooks may just forget to pop

them into their wallets, and suicidebombers could not care less.

Much more important are my cre-dentials and entitlements, especiallywhen these need to be validated dur-ing financial transactions or personalinformation provision over remotenetworks, rather than face-to-face.

What can smart cards and biometricsdo to enable this process?

The missing linkWell designed smart cards are highlycounterfeit-resistant. They can storesecrets such as encryption keys verysecurely but there has to be a strongand verifiable link between cardhold-er and card – exit PINs and enter bio-metrics; the perfect cardholder verifi-cation methodology (CVM).

This still leaves the weak link in thechain; is the person enrolling the bio-metric the one with those particularentitlements and credentials? Weshall be seeing a lot of enrolmentfraud in the near future – indeed, wealready are, just look at the horrorstories of identity theft.

Furthermore, biometric compar-isons do not need to be made againsta central database – much as the pres-ent Government would like – as thepattern can be stored in the smartcard itself, with the comparison exer-cise also be performed in the card.The card then simply says ‘yes’ or ‘no’to the system. Multiple enrolmentscan be tackled by means other than aone-against-many comparison car-ried out by a central database.

Which biometric?Lastly, which biometric should beused? Horses for courses here, but foreveryday use, iris and facial geometrychecking are impractical and expen-sive. That leaves fingerprints; cheapto check, well understood, but per-haps capable of being lifted and repli-cated fraudulently. Sales of gelatinecould skyrocket.

No, the one that interests me is fin-

ger vein pattern; appparently unique,stable from an early age and evencut-off fingers cannot pass. Mostimportantly, no finger imprint is leftbehind on a reader.

ID protected on the roadModern staff expect to be able to work as productivelyon the road as in the office, presenting companies withone of the largest challenges in ID management; how toallow flexible working yet ensure only the right peopleget access to the right information.

This then leads to the further issues ofhow to manage a person’s identity inand outside the office so a companycan manage what data they canaccess at their desk as well as manag-ing integrating in to company sys-tems data downloaded by an execu-tive at home.

As Kevin Regan, Security Consult-ant at Cisco Systems points out themodern day worm is as likely to be‘brought in under an executive’s arm’as it by a hacker. Hence the infra-structure company has developed

technology that builds up ID profilesof staff so it can learn what they nor-mally do on a computer. The systemcan then notice abnormalities thatwould suggest a virus infection, mostprobably from data being brought into the company system on a laptop, oreven or a thief trying to access datafraudulently.

“You cannot let your guard downonce someone is logged on and with-in your perimeter,” he warns.

“Our software builds up behaviour-al models of what people normally do

and so if they start to try to look atdata they shouldn’t be looking at orbehave in an abnormal way we canquarantine them or completely rejecttheir connection.”

Three PIN attemptsTo help prevent mobile data lossmany companies are now switchingto systems that use encryption toensure that even if a laptop falls in tothe wrong hands, the information onits hard drive is scrambled and thereis no facility for the thief to try to logon to the corporate network.

“It means if you lose a laptop youknow that at the very best that thiefhas got three guesses what the pass-word is, after that they’re locked out,”explains Martin Allan, managingdirector of encryption firm, Pointsec.

“Around about 60% of all informa-tion theft comes from lost or stolenequipment so it just makes so muchsense to encrypt what’s on the deviceso the data is not lost with it.”

No ID, no dataAnother approach is to ensure thatthere is actually no data on the smartphone, PDA or laptop in the firstplace. Taking the position that youcannot steal what is not there, net-work security firm Citrix specialisesin networks where remote devices logon to, and work from, the central net-work.

“It’s like the old days of terminalsrather than PCs in the office,”explains Chris Mayers, Senior Securi-ty Architect at Citrix.

“The data isn’t actually stored onthe laptop, it’s still on the network butthe laptop allows you to view the

information and create new data,which is stored on the central net-work. Then if the laptop gets in thewrong hands, there’s no data on it toworry about.”

If, on the other hand, laptops are tobe given access to the central office’snetwork and to also store that infor-mation on their own hard drive, theNortel approach is to make sure thatan ID management policy is in placeto ensure staff only have access towhat they need, explains ShirleyO’Sullivan, its Head of Security inEMEA.

“The safest approach is to not giveaccess to everyone for everything,”she suggests.

“You need to work out what eachperson needs to work on and restricteverything else so it can’t be compro-mised. Then as soon as the device isaway from the corporate network youcan’t be sure of its safety, so beforeyou let it on again you need to probeit to ensure its firewall and anti-virussoftware are up to date. If not, youbring it up to date remotely and onlythen do you let that device log on tothe network.”

“They can store secretssuch as encryption keysvery securely but therehas to be a strong andverifiable link betweencardholder and card –

exit PINs and enter bio-metrics; the perfect card-

holder verificationmethodology (CVM)“

“Around about 60% ofall information theft

comes from lost or stolenequipment so it just

makes so much sense toencrypt what’s on the

device so the data is notlost with it“

RICHARD POYNDER, CHAIRMAN SMARTEX GROUP


Fujitsu PalmSecureWith exceptional recognition precision, a host of versatile usability options, natural hygienic handlingand maximum security, Fujitsu’s contact-less PalmSecure sensor answers today’s application require-ments for increased security and secure non-evasive methods of identifying people.

PalmSecure works by emitting a near-infrared light which is absorbed by the oxygen-reduced bloodon the way back to the heart.This in turn maps a vein pattern thereby creating a raw-image recordwhich is then stored as encoded data in a template library. Once stored these templates can then serveas comparative data to either allow or refuse access.

PalmSecure is available in three separate packages, a ‘PalmSecure Developer Package’ which includesthe sensor and a software development kit, ‘PalmSecure sensor guide kit’ for logging in directly to aPC and a ‘PalmSecure Sensor OEM Set’ with multiple sensors allowing the user to develop a solutionfor many applications including kiosk terminals,ATM’s or access control systems.

PalmSecure can be used to provide access control to buildings and networks as well as PC and weblogin and can also be applied to a whole range of vertical markets including healthcare, banking, gov-ernment, education and public transport.

For further informa-tion please visit:www.fel.fujitsu.com/palmsecure or call uson: +44 208 5734444

PC log in using PalmSecureand sensor guide

Cashless payment ina school cafeteriaPalm vein biometric authentication replaces can-teen cash payment at Todholm Primary Schoolin Scotland as part of a government project

Yarg’s PalmReader in useat Todholm Primary School

Fujitsu Europe Ltd have worked with Yarg Biometrics, an innovative Scottish biometrics company,to develop Yarg’s PalmReader™ device which is based on Fujitsu’s PalmSecure technology, such a sys-tem is the first of its kind in Europe.

The system installation byAmey Group at the primary school addressed the need for a secure non-token or cashless system to provide Electronic Point of Sale (EPOS) for their catering facilities.The sys-tem uses pre-registered palm vein patterns from the pupils and staff to manage individual accountsthereby creating a cashless catering solution.The flexibility of Yarg’s PalmReader design means that thetechnology can be expanded to provide leading edge biometric access control applications to monitortruancy levels, to facilitate accurate attendance at classes and overall better time management.

The technology used here has positive applications well beyond the school canteen. Easy to usebiometrics could be of value to large companies that want to protect theirpremises and employees; or for example to hotels that want to offer gueststhe benefits of keyless entry to their facilities.

For further information please visit:www.yargbiometrics.comor call Yarg on: +44 141 303 8396

Personal and business ID theft rocketingThe figures speak for themselves. Whilst everybodyknows that ID theft is one of the country’s biggest grow-ing crimes, it is not until the government’s estimate thatit costs the country £1.7 billion per year, that one startsto get an idea of the sheer scale of the problem.

The crux of the issue is that pretend-ing to be someone else and orderinggoods and services or breaking in totheir bank accounts would appear tobe disarmingly simple. Crime gangstarget the UK because people are gen-erally assumed to be trusting and thecountry has no national ID cardscheme and so identity checks cannotbe as stringent as other Europeancountries.

Traditionally identities have beenstolen from peoples’ bins or waste tipswhere there is an abundance of utilitybills and other documentation with aname and address that a fraudster canuse as fake ID to walk away from shopswith goods that will never be paid for.

There has also always been theinside threat of rogue staff stealingcustomer’s identities and selling themto criminals. This is made all the easi-er by technology now allowing thou-sands and thousands of customerdetails to be stored on devices nolarger than your little finger.

However, the latest trend is forcriminals to gather information fromweb surfers through a scam known as‘phishing’ (pronounced, fishing).

Gone phishingThe idea behind the scam is very sim-ple. Phishers will send millions ofemails around the world claiming tobe from a bank, credit card issuer oronline payment house (PayPal is acommon target).

The email asks a person to updatetheir account details, normally as partof some fictitious maintenance on thesite. The problem is, the site the per-son clicks on to is fake and when theyenter their account details, they givethe scammers everything they need tothen log on to the real account andsteal that person’s money.

This is the traditional phishing

approach but, according to MarkMurtagh, Technical Director of onlinesecurity firm Websense, this year hasseen the fraudsters trying ever moreclever ways of getting confidentialdata from people.

“The problem for the phishers isthat there is now a lot of recognitionamong web users that the problemexists so the more tech savvy willnow avoid emails in bad English thatask them to log on to a bank thatthey’re probably not a customer of,”he points out.

“So what we’ve been noticing isfraudsters setting up sites that looklike everyday services that do not askfor log in details. Instead they willoffer a news story or something thatmight interest the reader to click onthe link but, when they do, the site isinfected with software that sits on thePC and monitors passwords that aresubsequently typed in and transmitsthem to the criminal gang.

“There are even kits out there thatenable the less tech savvy set up thesesites that will place malware onunsuspecting people’s PCs.”

The best advice to beat this kind ofID theft is to use anti phishing soft-ware as part of your PC protection.These services keep a log of suspi-cious sites and alert users when theyattempt to access one.

Data in tattersFor life away from the PC the bestadvice is to shred anything that goesin the rubbish which has your nameand address on it. It may sound para-noid, but it is a vital step in beating ID

theft, according to Doug Badger,Managing Director at Shred-It, acompany which runs large truckswith industrial size shredders thatvisit companies to speedily shredtheir confidential data.

“You only have to look at ‘Benjythe bin man’ to see what people throwin their bins,” he says.

“He kept Fleet Street buzzing withstories about famous people just fromwhat he’d take out of their bins. Peo-ple just don’t realise what they throwaway. It contains so much usefulinformation. That’s why companiesuse us to drive to their site and shredinformation for them. They don’twant their confidential data getting into the wrong hands and they certainly

don’t want to compromise their cus-tomer identities and break the DataProtection Act.”

Director ID theftBusinesses not only need to protecttheir customer’s data, they need to bevery wary that directors do not havetheir identities stolen and that they aredealing with companies run by peoplewho are not who they claim to be.

According to John Lord, Sales Direc-tor at business credit checking agency,Dun & Bradstreet, it is a problem that isgrowing at an alarming rate.

“It is incredibly easy to get details atCompanies House changed so you canmake yourself a director of a companyand then go around presenting your-

A

“For life away fromthe PC the best advice isto shred anything that

goes in the rubbishwhich has your nameand address on it“


Secure ID Solutions• Quality Image Capture • Biometric Identification• Secure Production • Secure Credentials

Digimarc Delivers!

ICAO Compliant

tel: UK+44 (0)1784 898326email: [email protected]

www.digimarc.com

self as such and backing it up byadvising people to check you out atCompanies House,” he points out.

“Then as a fake director the fraud-ster will buy lots of goods and placehuge orders they will never pay for.Another way is for a company to beset up by fraudsters who can create atrading history by dealing betweenother fraudulent companies or evencutting and pasting accounts ofanother company in their records atCompanies House.

“They use this to pretend to be alegitimate company but they’ve basi-cally stolen the identity, via theaccounts, of another company toappear legitimate. As you can imaginethey then place large orders which

BEATING ID FRAUD THE CIFAS WAY

CIFAS is an identity security industry body set up to combat ID theft by advising consumers to take some simple stepswhich, among many, include:

- Treat your data carefully, never throw away anything with your name and address on it- Do not give personal data to telephone canvassers, a legitimate company would never ask for your password over thephone- Check credit card and bank statements thoroughly as soon as you get them- Close any accounts you no longer use- Consider using a password with companies that is not your mother’s maiden name as this can be researched easily- Never store all valuable documents in the same (unsecured) place- If you move house have your mail redirected for a year and make sure you have informed every relevant company ofthe move and enrol on the Electoral Register with your new address as soon as possible- Consider buying your credit file from a credit research agency and check it to make sure nobody has been applying forloans or credit in your name

they don’t pay for. We’ve got a data-base of 5,000 fraudsters who are doingthis all the time and they get awaywith it because people are trusting andthey never check up on them.”

Lord’s advice is to use a credit ref-erence agency when dealing with newcompanies and be very suspicious ofa company you have only been deal-ing with for a small amount of timewhich places lots of small orders andthen one huge order.

This technique is used to goodeffect by fraudsters who know thismakes them appear trustworthybefore they hit an unsuspecting com-pany with an order that will never bepaid for.


Biometrics steps forward

The application of biometrics is becoming increasingly common in everyday life. What is driving that change tak-ing identification from a principal concern of Police and Immigration authorities to something that is increasinglyprevalent and how is it going to continue? What has happened to our concerns about privacy and the technology?It is something to think about because if school children can use a system to purchase school dinners or late nightrevellers identify themselves going to bars and clubs everyday use of biometrics is no longer some fanciful scenefrom Mission Impossible.FRANCIS TOYE, MANAGING DIRECTOR OF UNILINK

Throughout the UK there are success-ful implementations of biometrictechnology in a wide range of newareas including airport frequent flyerprogrammes, supermarket payments,club memberships, prison identifica-tion, school libraries and canteens,staff attendance system, access con-trol and police mobile identification.

It is clearly becoming increasinglycommonplace and biometrics isbecoming better understood. It hasbeen a long process of gestation asmuch of the technology has beenavailable for 20-30 years so whynow? The delay has been frustratingto biometric professionals but therehave been a number of reasons.

Past delaysFirst the process of biometric meas-urement and matching is prone toerror. Although we have biologicalcharacteristics - fingerprint, iris, 2Dand 3D facial images, voiceprint andDNA - which can together identify usuniquely, there is the mathematicalpossibility of individuals being iden-tified as the wrong person (FalseAcceptance) and there is also thegreater possibility of identificationcharacteristics not being identifieddespite a person being on the data-base (False Rejection).

Add to these claims by over-enthu-siastic salespeople of what systemscan achieve and disillusion sets in. Afew over-ambitious projects such asthe facial recognition system at PalmBeach International Airport with anaccuracy rate of less than 50%, which

was discontinued, can lead to thepostponement of many more.

Also what about the “gummy fin-gerprint”? In 2003 I was luckyenough to visit Japan and meet Pro-fessor Tsutomu Matsumoto of Yoko-hama National University whodemonstrated fooling both finger-print readers with a gelatine finger-print and an iris reader with no morethan laser printout.

And we must not forget concernsabout privacy. Will the police gain myfingerprint from your access controlsystem and do I believe you?

Finally biometric vendors, any ofthem major international companies,have concentrated, quite naturally, onthe technology. Making that technol-ogy easy to use has not been a prioritybecause there have been more funda-mental issues to resolve. A conse-quence is that biometric systems sup-plied have been tools to be used ratherthan complete solutions.

In use nowSo uncertainty in measurement andmatching, over-ambition projects,illustrations that biometrics can befooled, concerns about privacy andpoor ease of use has hindered the bio-metric industry’s progress. So why isit now that this technology comingout of the lab and into mainstreamuse?

First of all, understanding of thetechnology and its uses both withinindustry and outside has improved.This means that although the uncer-tainty in measurement still exists sys-tems can be built that are “fit for pur-

pose” and adapted to meet therequirements of the application. Forexample biometric measurementthresholds can be set that are appro-priate to the system: it is critical that ahigh security prisoner is not releasedin error so systems are set to ensurethat in a prison False Acceptance isalmost impossible (and such checksare repeated multiple times). By con-trast in a school dinner queue thespeed at which pupils go through andhow easily they are identified is key tohow well the system works, so thresh-

olds will be raised to allow easieridentification (while raising the riskof a false match where such an errordoes not matter so much).

The technology is advancing mean-while. Today fingerprint sensorsemploy several different techniquesvarying from the small swipe sensorwhich works using pattern algo-rithms, through capacitive and opti-cal static fingerprint sensors, to highend ‘Livescan’ systems which allow arolled fingerprint to be taken in thesame way as ink prints were rolledonto forms (but without the ink of

course).In the end each need will find its

own technology; Livescan for Policeidentification of scene of crimemarks, static fingerprints for accesscontrol and swipe prints for loggingonto your laptop. So we have a vari-ety of technologies to employ, each ofwhich has technical characteristics,price or size that make it suitable.

The industry is still full of extrava-gant claims and expectations havebeen set high. Biometrics is often stilla significant investment but the mar-ket is being flooded with cheaper sys-tems, many of which will not meet thegoals for which they are intended. Itwas ever thus. However, there aremore and more examples of good ref-erences so buyer beware, and ask tospeak to other customers.

Although biometric systems can befooled with the use of gummy finger-prints or similar is obvious to anyobserver and would be possible onlywith unattended systems. Biometricsecurity tends to be one part of theoverall security, not the only part.

Privacy not keyPerhaps surprisingly privacy hasproved an ephemeral concern. Inpractice most users of systems arereassured by the fact that it is asequence of numbers generated fromthe biometric (the template) not theimage of the fingerprint, iris or facethat is used within systems and fromwhich the image cannot be recon-structed.

Finally biometric systems are get-ting easier to use. They do not yet fit

well with web services based applica-tions because local processing isneeded for easy to use applications,but the price and performance oftoday’s computing is presenting theopportunity to build easy-to-use sys-tems that employ biometrics as anessential element.

Perhaps the most important factoris the development of small scale“closed population” biometrics appli-cations as opposed to the massivepopulation wide systems needed byimmigration and national ID systems.The extra complexity of systemsneeding to be open means that almostall such systems are “multi-modal”e.g. using face and fingerprint work-ing together to reduce false readings.On the other hand closed systems canusually employ just one specific tech-nology to achieve success and that isperhaps the biggest area for advance-ment in biometrics that we are seeingtoday.

But one fact remains: while thedelaying factors (extravagant claims,poor technology, gummy fingers, easeof use and privacy) have diminshedand been superseded by systems thatare fit for purpose, easy to use, tech-nologically advanced and possessingcustomer references, the overridingfactor for the latest advances has tobe the war on terror. But that isanother subject altogether.

“A consequence isthat biometric systems

supplied have been toolsto be used rather thancomplete solutions.“

“we have a variety oftechnologies to employ,each of which has tech-

nical characteristics,price or size that make it

suitable.“


www.gi-de.com

Giesecke & Devrient

Our products are trusted by billions theworld over.

We supply entire nations with passport systems, ID card solutions, and driving

licenses, while our banknotes are used to make payments in over 80 countries.

In the fields of IT security and document security, we have become a trusted adviser and supplier to

governments, printing works, and central banks around the world. We provide the technology for

integrating state-of-the-art security features into passports, other ID documents, banknotes, and for

brand protection, in addition to being among the global leaders when it comes to designing and

implementing complete ID solutions for governments and enterprises. You’ll find us wherever security

solutions are needed in the virtual economy, ensuring the authentication, integrity, and confidentiality

of each and every transaction. As a technology leader and full-service provider of smart cards and

digital signatures, we can offer custom applications and comprehensive solutions to help build the

public key infrastructures of the future. To find out more about us, visit www.gi-de.com.

security printing · currency automation · cards and services · paper manufacturing · banknote printing · brand protection · id systems · security printing · currency automation · cards and services

Identifying loved onesEvery year, the Secretaría de Relaciones Exteriores (SRE), the Mexican Ministryof Foreign Affairs, receives approximately 80,000 requests for assistance fromMexican citizens in search of missing relatives and loved ones.

To help families track down their lost loved ones, the Mexican federal gov-ernment has implemented a database called SIRLI, (System for the Identifica-tion of Remains and Localisation of Individuals) created by ImageWare Sys-tems, which specializes in biometric identity-management software.

It claims SIRLI is the only system in the world that employs four biometricidentifiers – facial recognition, fingerprint search, signature verification andcomparative mitochondrial DNA matching - allowing SRE to conduct compre-hensive biometric and text-based searches of known migrants to the UnitedStates and unidentified deceased individuals in American morgues.

Security software boomAccording to a recent report from IT market research analysts IDC, the SecurityInformation and Event Management (SIEM) software market is expected togrow from $379.8 million in 2006 to $873.2 million in 2010, a compoundannual growth rate (CAGR) of 25.2%.

The IDC report provides sizing of the security and vulnerability management(SVM) software market, of which the SIEM market is the largest segment, whichis projected to continue to at least 2010. The report currently forecasts that theSVM software market will increase at a 16.7% CAGR and reach $3.4 billion in2010. The report also projects that by the end of the forecast period three sub-markets, policy and compliance, SIEM, and patching and remediation, willeach exceed half a billion dollars in vendor revenue.


Will smart cards outsmart the criminals?

If something has value then it’s agood idea to keep it safe. Value maybe attached to many tangible things,including family, money and posses-sions as well as less tangible itemssuch as reputation, intellectual prop-erty and privacy.

To safeguard all of this, generallyrelies on a combination of physicaland IT security measures that yieldonly to an authorised person. Thisapproach creates a critical dependen-cy on proof of identity to such anextent that identity credentials arethemselves valuable assets that mustbe held in a protected environment.Indeed this is absolutely vital becauseif these credentials are compromisedthen all the related and valued assetsare at risk. Identity credentials can besplit into the three classical categories;something you have, something youknow and something you are.

Three setsThe ‘something you have’ might be anidentity card, the ‘something youknow’ could be a Personal Identifica-tion Number (PIN) or a password andthe ‘something you are’ is usuallyrepresented as a biometric such as a

picture of the face, a fingerprint or irisscan. Biometrics are promoted assecurity identifiers but they are not atall secret and so with sufficient moti-vation they could be captured andcopied.

Knowledge of a complex secret isharder to fake, however, humanbeings are not great at keeping suchsecrets. PINs and passwords tend tobe short and predictable and too easi-ly revealed by trickery or simpleobservation. This leads to the conclu-sion that the “something you have”must be far better at keeping complexsecrets than the average humanbeing.

Smart cardsA popular candidate for keepingsecrets is the smart card that comes inmany forms such as credit cards,mobile communication SubscriberIdentity Modules (SIMs) or the con-tact-less versions embedded in IDs,passports or e-tickets etc. The formatis less important than the securemicrocontroller chip at the heart ofthe device.

A typical and proven use of thechip would be to store a long secret

number linked to identity (oftenreferred to as a key) and to run a secu-rity algorithm that can act on thatsecret. A challenge would be sent tothe chip that would then be usedalong with the algorithm and secretkey to compute the correct response,whilst at no time revealing the secretkey. The design of the algorithms andkeys is of course critical and is basedon sound cryptographic principles.

Cryptography exploits mathemati-cal techniques to satisfy the corerequirements of information security,notably confidentiality, integrity andauthentication. The field is very wellresearched and there are published

algorithms designed to render attacksuseless by virtue of the requiredresource and time to extract a secret.However, it is very important torealise that the best-designed algo-rithm could be virtually useless ifimplemented in an unprotected envi-ronment. This would be analogous tobuying a state-of-the-art door lockand then leaving the key in a flower-pot. Fortunately, the smart card chipis a protected environment because ithas evolved to a sophisticated level oftamper resistance by incorporating anumber of security attack counter-measures.

Three attacksThe most sophisticated attacks usephysical means to try and underminethe chip. For example they usemicroscopes and probes to monitoror modify the circuitry. The chiphowever is far from defenceless anduses physical and active barriers tothwart intrusion. Furthermore, thecircuit layout may be scrambledmaking it difficult to find the areas ofinterest. Data buses and memories areoften attack targets so they can befurther protected by encryption (acryptographic means to disguiseinformation).

Physical attacks are thereforestrongly resisted but given a greatdeal of time, resource, money andexpertise an attacker might extract asecret from a card, but it is hard to seehow this would be worth all the effort.

Another attack strategy is to try to

If smart cards are to be entrusted with protecting the national ID card system, theywill surely be subjected to vigorous attacks from criminals. Keith Mayes and Konstan-tinos Markantonakis reveal all

“Cryptography exploitsmathematical techniques

to satisfy the corerequirements of informa-

tion security, notablyconfidentiality, integrityand authentication“

BY: KEITH MAYES, DIRECTOR OF THE SMART CARD CENTRE AT ROYAL HOLLOWAY, UNIVERSITY OF LONDON

induce a temporary fault into theoperation of the chip and then useanalysis techniques to extract secrets.This requires relatively little analysisequipment but it is dependent on cre-ating the fault, either by means ofintense pulses of light, voltage glitch-es or temperature variations. Howev-er, the modern smart card chip isequipped with a range of sensors todetect fault injection attempts andprotect against such attacks.

Finally there are side-channelattacks that exploit the fact that elec-tronic circuits leak information due totransistor switching and currentsurges. These surges may bedetectable via the current consump-tion of the device or in the form ofweak radio emissions. Some yearsago, researchers developed practicaltechniques to extract secret keys fromside-channel leakage during the run-ning of algorithms. Fortunately, theleakage methods are now well under-stood and there is a range of counter-measures implemented within a mod-ern smart card chip that effectivelyremove or mask key related leakage.

Of course nothing can be completelytamper-proof but if you use the mostsophisticated smart card chip in aproven manner then you have animpressive level of tamper-resistance.Indeed for a few square millimetres ofsilicon the modern smart card chip isfar from being a pushover for attackers.

Identity Management – Delivering ChangeCurrent political debate, which focuses almost exclusively on the introduction of IDcards, risks missing the fundamental fact that identity management is a dynamicprocess that is already part of everyday life and has considerable public support. Citizens and consumers are already embracing identity assurance technologies tofacilitate transactions and safeguard entitlements. Research by the Unisys TrustedEnterprise Index has recently highlighted the high degree of support for biometricswith 82% of the public believing that fingerprint and voice recognition systems areacceptable and half believing biometrics to enhance security.NEIL FISHER, VP IDENTITY MANAGEMENT, UNISYS

Certainly there is an acceptance ofidentity management in the privatesector but there are also a number ofon-going public sector people-centricprojects that aim to transform UKsociety by locking individuals in thatsociety to one identity.

These projects, which encompassmanaged migration and the registra-tion of UK citizens, make it impossibleto switch from an original identityonce a citizen has been entered ontothe system. Although some criticsargue that this process impacts the

rights of citizens it actually enhancesthem. UK biometric visas, biometricresidents permits, biometric identitycards and identity register, theNational Schengen database, e-bor-ders and others constitute an identityportfolio template that enablescheaper services to all those enrolledin the UK plus a better quality of lifethrough seamless and transparentautomation. Authentification ofidentity is now the essential changeagent for society.

For the government however, to

deliver real benefit to citizens, identi-ty management policy needs to bevisible and coherent, with a clear lineof responsibility within government.This will require a central figure whocan bring harmony and coherence tothe many identity management proj-ects as well as weave in the manysafeguards needed for the generalpublic and our businesses. The gov-ernment should look to deliver trans-parency to this process by consider-ing the creation of a Department forIdentity Management that would

embrace IPS, IND and UKVisas fromthe Home Office and Transformation-al Government from the CabinetOffice plus the General Registrar’sOffice from ONS.

Parliament must also have an openminded debate regarding the use ofdata in the UK. It is likely that legisla-tion will need to be updated toaddress consumer and citizen rightsthat allow ethical sharing of data withthe proper set of checks and balancesto protect the individual.

Comments by Lord Harris ofHaringey provide an excellent start-ing point for politicians to debate a‘data protection charter’. His pro-posed ‘Bill of Rights’ identified sixpoints for Government to considerregarding handling and collectingdata in order to gain and retain publictrust, namely: do not give others datawithout permission, do not lose dataand do not abuse data, do not wastepeople’s time, make the process ofestablishing identity simple and accu-rate and make the process for correct-ing information simple and accurate.

Fundamentally, authentication ofidentity and thereby a National Iden-

tity Management Policy, is essentialif we want to see the UK economyand society not just hold its ownagainst other nations but to improvesignificantly in a safe, secure andassured manner. Accordingly it isessential for politicians and policymakers to understand that theNational Identity Register may wellrepresent an Identity Utility for Gov-ernment, but that the utility of identi-ty for the Public has to be the primaryachievement of such a transforma-tional change to society.

� Neil Fisher, VP Identity Management,Unisys


ID checking on the move gets back up

People are used to having passwordsbut they can be lost or forgotten and,in the worst case scenario, accidental-ly revealed to a third party.

One means of helping to furtherprotect log on identities is to not relysolely on a password but to issue keyworkers with a separate key fob orsmart card that displays an additionalnumerical code that is always chang-ing and which needs to be enteredalongside a password, as Tim Pickard,Area VP of International Marketing atRSA explains.

“Our smart cards and fobs are con-tinually counting in perfect time witha device on the server so an employeejust looks at their matching code andenters it, along with their normalpassword,” he says.

“This numerical code is constantly

changing and is only good for oneminute, so a thief would have to gethold of the laptop and the smart cardwhich is unlikely as you would not nor-mally have one in your pocket or walletso it couldn’t be taken at the same time.If it were, the thief would still need toknow the person’s password.”

Long lifeAs one would imagine, these cards orfobs need to have enough battery lifeto carry on working for as long asRSA promises.

“They’re pretty robust, so the bat-tery never runs out, so they never stopworking,” Pickard explains.

“We have a rolling programme thatreplaces them every year or every cou-ple of years depending on what theclient has asked for. They’re not just

for companies to give out to staff, insome countries our cards are beingused by banks to give to their cus-tomers as an extra level of security so acon man would need to have a per-son’s smart card as well as their logindetails to gain access to their account.”

No to scamsOf course, the most effective way forstaff and home computer users to pro-tect their identity is to not fall forscams where ‘phishers’ pretend to befrom a bank or online payment sys-tem and ask their customers to entertheir banking and credit card details

The most pressing concern for a company encouragingits staff to be productive outside the bounds of the officenetwork is to know that his or her staff are who theypurport to be when they log on to the company network.

on a fake site. Neither should they betempted to download attachmentsfrom untrusted sources and shouldalways ensure their anti-virus, fire-wall and spyware defences are up todate to prevent malicious code get-ting on to their machine and stealingtheir passwords.

If in doubt, the advice to computerusers from all security experts is tolook for the reassuring golden pad-lock symbol at the bottom of thebrowser. This can be double clicked toconfirm it is validating the site youare viewing. If another web address isdisplayed, do not trust the site.

Logging onunprotectedOnly 1% of companies are doingeverything possible to ensure theyprotect the ID of staff logging on totheir corporate networks, accord-ing to the DTI’s Information Secu-rity Breaches Survey 2006.

Whilst use of keyfobs and smart-cards has increased, 80% of firmsare still relying solely on pass-words. Hence one in five largecompanies has reported staff gain-ing access to data they should nothave and a little more than one intwenty have suffered an attackfrom an impersonator.

Greek rootsDid you know where the term bio-metrics comes from? It is actuallyfrom the ancient Greek for bios,meaning life, and metron, meaningmeasure.So biometrics literally means themeasure of life.

Find me a suspectPolice officers across the country need no reminding ofthe need for identification photographs to be standardised.

Years of pictures taken in a non-stan-dard form has left forces with millionsof photographs, spread around thecountry, which are sometimes justdifferent enough to prevent thembeing searched by a computer pro-gramme.

It can be the angle of the photogra-pher, the tilt of a suspect’s face orsimply an unusual expression but

without a standard appearance to pic-tures, computers are unable to searchdatabases.

Find a faceHence the UK police forces are joiningtogether to build the Face IdentityNational Database (Find) which aimsto build a single source for policephotographs that conform to the

same standard. The technologybehind the project is being suppliedby facial biometrics specialist,Omniperception, whose founder,David McIntosh, was surprised to findout there is no single database alreadyin operation.

“I think most people assume allpolice photos are stored in one placeso the system can be scanned to see if

somebody in a custody suite is want-ed elsewhere, perhaps under a differ-ent name to the one they’re offering,”he reveals.

“So we’re helping forces go throughtheir photographs and letting themknow which can be used for Find andwhich cannot. Unfortunately it meanssome old photographs will not be ofuse and they may have to wait for theperson to be in a custody suite againbefore they can have another, stan-dardised picture taken.”

Face mapsThe ultimate aim is to not just build adatabase of pictures that conform tothe International Civil AviationOrganization (ICAO) standards but toensure that each of those photographscan be turned in to a biometric ‘facemap’ at a later stage.

“If you have a facial map you cantake a picture of somebody in custodyand then check it against the databaseand it will find a match even if theperson has changed their appear-ance,” McIntosh continues.

This will enable the police to checkif somebody is wanted for question-ing for another offence even if theyare lying about their true identity orgave a false name the last time theywere photographed because the sys-tem is looking for facial matchesregardless of any name given by asuspect in custody.

The company is also working withthe Foreign and CommonwealthOffice (FCO) to ensure that picturestaken for UK work visas conform tothe same standard. This not onlyensures the pictures are standard but

will enable them to be later turned into biometric face maps to ensure thatthe person granted the visa is the per-son using it and that it has notchanged hands fraudulently.

Fraudsters rely on bad identity pic-tures which can make it hard for offi-cials to say for certain whether theperson presenting the visa is truly theperson it has been granted to.

“If you have afacial map you cantake a picture of

somebody in custodyand then check it

against the databaseand it will find amatch even if the

person has changedtheir appearance,”

McIntoshcontinues“


Laminate launchVer-tec Security Systems, which specialises in holographic technology forapplication in document security, personal ID and brand protection is launch-ing an HD3D laminate as the world’s first full colour 3D personalisation lami-nate for passports, driving licences and other security documents.

Ver-tec’s HD3D laminate has been developed to provide security printers,government authorities and pharmaceutical markets with an alternative to theexisting process of incorporating laminates with a High Refractive Index (HRI)coating. HD3D laminates from Ver-tec offer full colour 3D or floating imagesthat can be personalised and customised to any specifications. In addition tothe HD3D laminate, Ver-tec has also been piloting under test conditions with anumber of customers, the Biometrigram, a 2D3D reflection volume hologramincorporating biometrics and barcodes as complementary and overt technolo-gy to support biometric storage devices on ID documents.

ID around the worldIt can be easy to think that the 100 countries around theworld which have identity card systems means that mostcitizens are used to carrying ID cards. However, the follow-ing countries do not have ID card systems: Denmark, UK,Ireland, Japan, USA and New Zealand. The following dohave a scheme but it is not compulsory: Australia, Austria,Canada, Finland, France, Iceland, Sweden and Switzerland.

Whilst France is arguably the country most Britons wouldlist as having a compulsory card, it is not against the lawnot to have an ID card, although citizens must be able toprove their identity to the authorities, for which a passportwill suffice. The French ID card has the ignoble record ofhaving been introduced during World War II and helped theVichy regime select 76,000 people to be deported as part ofthe Holocaust.

ID tricked from peopleJust in case IT professionals needed reminding how easyit is for criminals to get people’s passwords, at least year’sInfosecurity Europe organisers conducted research thatshowed that 92% of people were willing to give away allthe information needed to steal their identity.

Under the guise of a competition for £20 theatrevouchers members of the public were willing to giveaway their name, address and information, such asmother’s maiden name, that is required by banks toprove identity.

More than 100,000 people are affected by identitytheft every year.

Who helps governments process

biometricdata in seconds?

Lockheed Martin.

www.lockheedmartin.co.uk

Whether it’s transportation, critical infrastructure, or border protection,

Lockheed Martin provides sophisticated security solutions to match the

challenge. Our unique, end-to-end systems ensure the highest levels of security

and privacy. A recognised leader in the integration of large, complex informa-

tion technology systems, Lockheed Martin has developed a broad spectrum of

biometric products and services that provide reliable methods for personal

identity and credentialing verifi cation.


Britain could be a biometric world leaderBiometrics is fast becoming a key element in security solutions, be they for govern-ment or private sector customers, and the UK has an excellent chance of being aleader in the integration of the less mature biometric solutions into more establishedsecurity focussed products.The hub of the UK security and biometrics industry sectors are focussed in the southof England and there is a need to ensure that the UK biometrics industry is able togrow and align its products and services with those delivered by the wider securityindustry.

“The UK is well placedto take a lead in this areaof innovation, providedthat adequate support isgiven to our immaturebiometrics industry“

Combining securityThe fusion of biometric solutions withsecurity based applications in arobust and effective manner has notyet been achieved with any high levelof success in any part of the world.There is still a need for innovativeresearch and development that willresult in a better understanding of theoverall security proposition and howbiometrics can be aligned and inte-grated with that proposition. The UKis well placed to take a lead in thisarea of innovation, provided that ade-

quate support is given to our imma-ture biometrics industry. This supportof a small, but expanding sector isvital if the UK is to realise a high mar-ket share and take the lead on innova-tive thinking and product deliverythat will place it up with, or ahead of,other countries.

Giving supportTo foster the innovative approachrequired and to ensure that our homespun industry is able to respondeffectively to the rapid upturn in the

growth of biometric usage in both theGovernment and Private Sectors, theBritish Biometrics Industry Associa-tion (BBIA) has been formed to lookafter their interests.

The support it gives to companies isdesigned to provide its member com-panies with the best opportunity tofind new routes to market andimprove their overall performanceand therefore profitability.

With personal and national securi-ty so high on the agenda and with theever increasing rise in identity theft,

biometrics are becoming a seriousalternative to some of the more ‘tradi-tional’ security technologies. Now isthe time for the UK to ensure that it isset on a path that makes it a majorforce in developing and marketingworld class biometric products andservices. With effective coordinationof effort by the BBIA and a number ofother UK based representative bodiesthe UK Industry will be placed firmlyon the biometrics map.

Palms aresecureLatest figures for Japanese banksthat have replaced PINs with palmvein authentication show thatfalse rejection rates are around 1in 10,000 and false acceptancerates are virtually immeasurablebecause they are so low.

The technology relies on bankcustomers registering their palmvein pattern – literally, the patternof veins just below the skin in thepalm – which (under near infra redlight) can be scanned by a cashmachine. If it matches the scan onthe customer’s bankers card, theperson is allowed to continue withthe transaction. The technologysolves the problem of people for-getting PINs or other people dis-covering them.

PAUL STANBOROUGH, CHAIRMAN OF THE BRITISH BIOMETRICS INDUSTRY ASSOCIATION (BBIA)

Are shared secrets theanswer to online fraud?

According to the Anti-Phishing Work-ing Group http://antiphishing.org inNovember 2006 there were more than37,000 such bogus web sites. This hasled to a multi-million dollar internetfraud scenario for banks, retailers andother companies, costing more than$2 billion by Gartner’s estimates.

How can we be so easily duped toend up connecting to a bogus website? The ingenuity of the fraudster inusing the techniques of social engi-neering has no bounds and the sce-narios created in the email or even thetext message on our phone can beapparently very innocent. A simpleplease contact your bank or creditcard company (which account for91% of attacks) would probably havemany of us responding in panic, fear-

We have probably all received one of those emails invit-ing us to contact the bank to update our account details.The link in the email is, of course, false and leads straightto a fraudster whose web site is fishing, or ‘phishing’, forour financial details, username, password, accountdetails and any other relevant information. Phishing isthe internet version of identity theft.

ful of some miscalculation. When connecting on the internet

the link in the browser may looktotally correct, who would notice oschanged for 0s in the web site’s URL?Microsoft and others have been work-ing on improving the new version oftheir browsers with filters to detectknown phishing sites and alert theuser accordingly. The trouble ofcourse is they need to be known andthat is an ever losing battle. Thefraudster can also go a little furtherby interfering with the DNS systemthat translates our URLs into IPaddresses, the actual numeric addressof the server. This DNS spoofingwhich directs the user to a bogus IPaddress and server for a genuine URLdomain name is often called Pharm-

ing. In this case of course the URL inthe browser window will look perfect-ly correct.

You might think that technologymust already have a solution, but it ismore difficult than it seems. A lot ofattention has been given to 2-Factorauthentication (something you ownand something you know) where thecustomer is provided with say a smartcard and a PIN. The banks are soon tostart issuing authentication deviceslike a small calculator to be used withthe Chip and PIN cards. This will pro-vide 2-F authentication over the inter-net or even over the phone. Insertionof the smart card into the device andcorrect PIN entry will result in asequence of apparently random codesdisplayed on the device which the hostcan check. The problem is that phish-

ing is really all about a Man in theMiddle (MITM) attack. The phisher ismasquerading as the genuine host, thebank for example and can use the cus-tomer’s data to connect with the bank.The 2-F authentication is for the bankto authenticate the customer, itdoesn’t help the customer authenti-cate the bank.

Then there is TLS (Transport LayerSecurity, originally SSL, shown withthe padlock) used by the client’sbrowser to provide secure communi-cations with the host. Unfortunatelybasic browser TLS security is againonly one way where the host providesa public key certificate that even themost observant user would probablynot notice was duped if carefullycrafted by the fraudster. Client certifi-cates don’t solve this problem eitherbecause that only allows the host toauthenticate the client which is reallyan additional service to the 2-Fauthentication referred to previously.

The only viable technological solu-tion to this problem is for the genuinehost to provide some indication to theclient that it is authentic, this needssome protocol that provides evidencethat the host knows a secret sharedwith the client. It could be the simpledisplay of say some pre-registeredphotograph but the use of authentica-tion devices in the hands of the clientwould actually allow a more sophisti-cated cryptographic protocol to bedeveloped.

Just for now the best solution isnever to use links to connect to finan-cial or other important websites hold-ing identity information, but remem-ber it’s easy to be tricked when youare in a hurry.

DR DAVID EVERETT, PRINCIPAL CONSULTANT AT MICROEXPERT

“Phishing is reallyall about a Man inthe Middle (MITM)

attack“

The Ingenico 8550 offers amulti-functional solution for awide range of mobile applications:

• BIOMETRICS – integrated biometric fingerprint reader

• PHOTOGRAPHIC – built-in imagecapture capability

• SCANNING – integrated bar code scanner

• SIGNATURE CAPTURE –colour touch screen allowssignature capture

• DUAL BAND GSM/GPRS – provides online, real time verification

S E C U R E T R A N S A C T I O N A N D P A Y M E N T S O L U T I O N S

W W W . I N G E N I C O . C O . U K + 4 4 ( 0 ) 1 3 1 4 5 9 8 8 0 0 I N F O . U K @ I N G E N I C O . C O M

FUTURE READY!!THE INGENICO 8550

IS DESIGNED TO TAKE

IMMEDIATE PAYMENT

MOBILE BIOMETRIC CAPABILITY…

FOR THE 21st CENTURY

FINGERPRINT RECOGNITION


Easy access at easyJeteasyJet had been using a number of stand-alone access control systems that hadbecome outdated and could no longer accommodate the changing requirements of thegrowing business. The access control had become expensive and time consuming tooperate, as the numbers of users grew.

The airline currently employs 4000staff of which 3500 are cabin crewand another 500 management andadmin staff. Any member of crew maybe required to fly to and from any ofeasyJet’s European destinations at anytime. This is a unique approach, whicheasyJet considers to be more costeffective and flexible – meaning thatno aircraft or crew are idle.

As a result, easyJet required anaccess control system that could cen-trally manage all doors at all basesaround the UK and Europe – allowinga more efficient, manageable butsecure process for staff access to allauthorised areas, whilst improvingthe responsiveness of the system tochanging situations. easyJet’s Proper-ty Department manages its accesscontrol requirements, and easyJet’sRegional Facilities Manager wasresponsible for sourcing the newaccess control solution.

As the project commenced itbecame obvious that the TrainingAcademy, then relocating to a newly

refurbished building, would also needan access control system. This becameeven more important following theinstallation of a new £1m cabin andemergency evacuation training facili-ty within the Academy.

The solution:Using easyJet’s internal IT network,the Property Department can nowmanage the access control for allbuildings across Europe - from anylocation. The Honeywell Securityaccess control software allows eachreader to be programmed individuallyif required; for example at one ofeasyJet’s crew rooms at an airport, orfor all readers across the system to beupdated simultaneously with infor-mation regarding access requirementsor changes for staff and contractors.It also provides system reports onusage at different locations, times anddays. The reporting system is easy touse and provides extensive informa-tion.

ID card productionThe Department of Transport autho-rises approval for airlines to producetheir own ID cards and so far, onlyeasyJet and one other airline havethis licence. To maintain simplicityand reduce costs, easyJet wanted theID and access control functions tomerge, working towards a systemwhereby staff would only need onecard for all ID and access require-ments, enabling operational integrityand flexibility

– wherever staff work. To date, thishas been implemented for all noncabin crew staff. The photo ID cardsare produced and managed via theaccess control software.

Seamless transitionThe key requirement was for the tran-sition from the old to the new systemto be quick and smooth. Total Securi-ty Protection, the integrator whoinstalled the Honeywell solution,managed a seamless transition to thenew system. The door readers werechanged in just two days to minimisedisruption to staff.

Should a member of staff lose theirID card it can be cancelled centrallywith immediate effect – so that accessis denied at all bases - and a replace-ment card can be created quickly andeasily with a new access code.

In addition, the access system auto-matically disables any staff cards thathave not been used at any of the read-ers within a 30-day period. The solu-tion enables most issues to beresolved at the touch of a button.

“Using easyJet’sinternal IT network,

the PropertyDepartment cannow manage theaccess control forall buildings acrossEurope - from any

location“

Checking ID on the moveOne of the major tasks for governments and commercial organisations in recent years is to positively identify andverify individuals for greater security.New technologies are making it possible to solve these problems with mobile identity verification systems thatenable identity checks to be carried out on the spot against the information stored on the card, even if a central data-base is not accessible.

Datastrip is a leading provider of biometric verifi-cation devices in today’s mobile arena, enablingfast, accurate identity verification across multiplemarkets and harsh environments through provid-ing rugged, ergonomic, and feature rich mobileidentification terminals.

This line of handheld readers provides the flexi-bility and customisation needed for specialisedapplications and interoperability into existing sys-tems for ease of deployment into mainstream verti-cals such as law enforcement, government, militaryand commercial markets.

These handheld readers have been specificallydesigned to read contact & contactless smart cards,2D barcodes and OCR-B and therefore are ideallysuited for the majority of ID card and documentapplications including; E-passports, Machine read-

able travel documents, Driver’s licence, National IDcards and Worker’s ID cards

Standalone systemHandheld readers can decode and display the digi-tised photograph and text stored on the card ordocument without being connected to a back-enddatabase and by adding biometric information suchas fingerprints they can perform on-the-spotmatches against stored biometric templates,enabling all decoding functions to be performedquickly with the same unit.

In this scenario, each ID card essentially containsits own “database,” and the readers are sufficientlysmall and lightweight to be used while walkingaround. Security can be maintained even under themost difficult circumstances with no need for an

installed or stationary ID system, laptop computer,or Internet connection.

There are two important fringe benefits to usingmobile readers. First, on-site identity verificationwill typically be faster than retrieving records froma centralised database. Second, with the use ofwireless technology, the same readers can be usedto transmit the information, such as a photographor biometric, to a database so that a suspect or indi-vidual can be verified almost instantly. In this way,it will be possible to quickly alert personnel at secu-rity checkpoints, immigration or police officers onthe beat.

Determining whether the cardholder is whohe/she says they are takes very little time (between5-10 seconds) and therefore saving valuable time ina sensitive or emergency situation.

PROMOTIONAL FEATURE

ID MANAGEMENTdoc.mediaplanet.com/all_projects/831.pdfaccept certain risks. A proper trade-off...

Documents

Transcript of ID MANAGEMENTdoc.mediaplanet.com/all_projects/831.pdfaccept certain risks. A proper trade-off...