An Automation Answer
The MIFARE Classic card — used in physical access control systems (PACS), contactless payments, public transportation, etc. — was recently hacked. Government agencies converting from old, non-smart access cards to PIV credentials and access cards should be especially cognizant of the ins and outs of smart card hacking and how it affects efforts to provide secure, credentialed access.
Similar to credit card or identity theft, smart card hacking refers to an imposter using someone’s personal identity information to obtain physical access to privileged areas and information. However, instead of stealing money or ruining one’s credit, they are after the bigger payout — gaining access (based on stolen credentials from the card) to secure areas, high assurance doors, high-level buildings and other sensitive areas and information.
What this means to HSPD-12 initiatives
As agencies make the necessary investments — in time and money — for deploying HSPD-12 / FIPS 201 PIV cards and PACS infrastructure, it is critical to put solutions in place to facilitate secure, end-to-end identity management and access.
Agencies should implement automation that correlates identity information across multiple access points, watches for and responds to unusual PIV card activity, and automatically suspends the card or notifies the cardholder and security personnel. These automated mechanisms must use intelligent policies and rules that guard against fraud and support real-time audit and compliance.
Here are some best practices for rolling automation into HSPD-12 initiatives:
- Multi-pronged verification
Access to secure facilities should be protected by several mechanisms, such as multi-factor authentication. A system should be put in place to check current physical access permissions in real time across multiple points (picture identification, biometric data, cryptographic keys, PIN) while simultaneously checking logical systems activity before allowing access. Such a system provides clearer verification that the cardholder is truly who they claim to be. Validation processes that depend on the correlation of identity data from multiple sources enable agencies to respond rapidly and more intelligently to a possible physical security breach.
- Round-the-clock alertness
Simple software practices such as policy-based data-mining should be applied across multiple PACS to alert cardholders/security personnel to potential instances of fraud, thus enabling security personnel to detect fraudulent transactions before the cardholder even knows a problem exists. These systems automatically place suspicious cards on a watch list that can be monitored. Information about confirmed fraudulent use locations can be fed back into the system to automatically identify assets and cards at risk. The system maintains a round-the-clock watch list, generating a list of at-risk cards or personnel for analysis and reporting. At any given time and within a few clicks, security personnel should be able to see correlated watch list information on the cards they believe are at risk or block cards believed to be high-risk.
- Safeguard from fraud
Taking a page from what credit card companies and banks are doing to fight credit/debit card abuse, an automatic “fraud protection” system can watch for uncharacteristic or unusually high card usage (swipes, etc.). Using pre-set, policy-based rules, the system takes a rapid course of action when multiple card swipes are noticed for one person, multiple swipes are detected from one card over a short period of time across different locations or there are multiple rejects for one card.
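The three policy rules just described, as an added example that is not code from the article or from Quantum Secure: a small Python rule engine run over a constructed PACS swipe log. The log format, reader names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PACS swipe log: (timestamp, card id, cardholder, reader/site, result)
EVENTS = [
    ("2024-05-01T08:00:00", "C100", "alice", "HQ-lobby", "GRANT"),
    ("2024-05-01T08:03:00", "C100", "alice", "DC-west", "GRANT"),    # same card, second site 3 min later
    ("2024-05-01T08:10:00", "C200", "bob", "HQ-lobby", "GRANT"),
    ("2024-05-01T08:11:00", "C201", "bob", "HQ-lobby", "GRANT"),     # a second card presented for bob
    ("2024-05-01T08:20:00", "C300", "carol", "HQ-secure", "REJECT"),
    ("2024-05-01T08:20:30", "C300", "carol", "HQ-secure", "REJECT"),
    ("2024-05-01T08:21:00", "C300", "carol", "HQ-secure", "REJECT"), # third reject in under a minute
]

# Policy thresholds (assumed values; tune per site)
TRAVEL_WINDOW = timedelta(minutes=15)    # minimum plausible time between two different sites
MULTI_CARD_WINDOW = timedelta(hours=1)   # window in which one person should present only one card
REJECT_WINDOW = timedelta(minutes=5)
REJECT_LIMIT = 3

def evaluate(events):
    # Replay the log in time order and return (rule, card, detail) alerts.
    evs = sorted((datetime.fromisoformat(ts), *rest) for ts, *rest in events)
    alerts = []
    last_grant = {}                        # card -> (time, site) of its last accepted swipe
    cards_by_person = defaultdict(list)    # person -> [(time, card)] of accepted swipes
    rejects = defaultdict(list)            # card -> reject timestamps inside REJECT_WINDOW
    for t, card, who, site, result in evs:
        if result == "GRANT":
            prev = last_grant.get(card)    # rule: one card at two locations too close together
            if prev and prev[1] != site and t - prev[0] < TRAVEL_WINDOW:
                alerts.append(("impossible_travel", card, f"{prev[1]} -> {site} in {t - prev[0]}"))
            last_grant[card] = (t, site)
            # rule: more than one card presented for the same person
            others = {c for pt, c in cards_by_person[who] if c != card and t - pt <= MULTI_CARD_WINDOW}
            if others:
                alerts.append(("multiple_cards", card, f"{who} also used {sorted(others)}"))
            cards_by_person[who].append((t, card))
        else:                              # rule: repeated rejects for one card
            rejects[card] = [x for x in rejects[card] if t - x <= REJECT_WINDOW] + [t]
            if len(rejects[card]) >= REJECT_LIMIT:
                alerts.append(("repeated_rejects", card, f"{len(rejects[card])} rejects within {REJECT_WINDOW}"))
    return alerts

def watch_list(alerts):
    # Cards to place on the watch list for analyst review or blocking.
    return sorted({card for _, card, _ in alerts})

if __name__ == "__main__":
    print(*evaluate(EVENTS), "watch list:", watch_list(evaluate(EVENTS)), sep="\n")
```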
Hackers can obtain smart card identity credential data without having to break into anyone’s wallet. With minimal effort, hackers are proving that it is possible for these cards to be cracked, copied and used to impersonate someone else’s identity credentials in order to access the mother lode — data centers, networks, files and more. The MIFARE hack is fast, repeatable and just the latest example of how easy it is to gain access to facilities using someone else’s credentials.
Rolling out HSPD-12-compliant infrastructure is a major undertaking that costs time and money. It is critical to ensure that the effort going into the conversion is as effective as possible. Introducing automation and countermeasures is key to combating future smart card fraud.
Vik Ghai is CTO and vice president at Quantum Secure, San Jose, Calif., and director of Convergence Roadmap for the Open Security Exchange (OSE).