Uncle Sam Gets Smart About Security

There couldn't be a better time to be in the smart card business. The government, principally through the Department of Homeland Security, is working on a handful of different new identification cards for transportation workers, foreign temporary workers, federal employees and Americans without passports traveling to Canada, Mexico and the Caribbean.

"There's a boatload of them. There are so many of those card programs they are overlapping," says Jay M. Meier, senior securities analyst at MJSK Equity Research.

Meier estimates the government will spend hundreds of millions of dollars on card technology not just for ID cards to cross borders and access buildings and computer networks but also on for things like integrated circuit chips placed on the cards, as well as readers, software, printers and even special door locks.

Michael Chertoff, the secretary of Homeland Security, has stated his preference that the different cards all use the same type of technology - computer chips that link to centralized databases. Such smart cards have embedded integrated circuits that act like a tiny computer, processing commands, with data stored on the card or in a separate database.

Meier wrote in a recent report, "Secure Credentialing and Identification," that the market for smart cards is "conceptually enormous." He cited a Forrester Research projection that logical and physical security applications will cost a combined $11 billion in 2008, ten times the amount in 2005, and a forecast by Frost & Sullivan that the number of contactless smart cards will reach 1.2 billion in 2010 from less than 200 million in use two years ago. Government ID cards will account more than half the total.There are two types of smart cards: those that are inserted into a reader are known as contact cards as opposed to contactless cards with an antenna embedded inside them that transmit via radio frequency identification with no physical contact required.

The U.S. government hasn't decided which type of RFID it will use, but it is definitely moving toward adopting smart cards. President Bush's Homeland Security Presidential Directive No. 12 required a new smart card credential for federal employees and contractors by next year and produced the Federal Information Processing Standard 201.

Meier believes "the vast majority of secure credentialing applications will resemble FIPS," which requires a smart card, public key infrastructure to encrypt data and a biometric element to connect the cardholder to the card.

This is bad news for LaserCard Corp., the company that since 1997 has made more than 14 million Green Cards for Homeland Security using its proprietary optical memory technology. It's also made 8 million Border Crossing Cards for the State Department to issue to Mexican citizens and another 2.4 million for Canadians. Neither card complies with FIPS and both will be replaced by the PassCard, or People Access Security Services card, which will be used instead of a passport once it's adopted at least two years from now.

The biggest advantage for optical stripe technology is that it can carry up to 2.8 megabytes of machine-readable data where biometric information can be encrypted. The stripe also contains personalized unique images etched into the card's strip that can be verified by the naked eye, without an actual reader.Still, the company could be on the outside looking in when it comes to the government's new wave of ID cards. "Long-term, we still believe LaserCard is unlikely to hold on to its U.S. ID card business," Stanford Washington Research Group analysts Jeremy Grant and Erik R. Olbeter wrote in a report last week.

Meier put it another way: "Optical storage is old technology and is getting passed up by smart cards, not unlike VHS passed up Betamax." It doesn't help that LaserCard has developed a proprietary technology. "The world is running toward standardized and interoperable smart cards rather than optical storage."

But the company believes its technology should be a part of future ID cards. "This should not become smart cards and RFID versus optical stripe. The technologies are not mutually exclusive. Walking away from optical memory technology would absolutely compromise the overall security of these identity documents," says Kathy Alsbrooks, LaserCard's federal government account director.

"We want to make sure the US government card issuing agencies understand that chip-based cards are not capable of replacing the document security tamper resistance protections of optical memory technology," she says.James R. Hesse, who retired last August as the chief intelligence officer of the Forensic Document Laboratory, part of the Homeland Security Department's Immigration Customs Enforcement agency, says it's important that the unique images etched into the card's strip can be verified by law enforcement without a reader, the circumstances for the majority of inspections involving the card, he says.

Hesse, who had been responsible for designing secure travel documents and worked with LaserCard's products, wrote a letter in April to Wisconsin Rep. James Sensenbrenner, chairman of the House Judiciary Committee, stating that a PassCard with multiple technologies would be the most secure."It would be extremely shortsighted to limit the technology of this card to the unproven and limited capability of a contactless chip," Hesse wrote. "Further, it would be criminal to disregard the proven and secure technology of the optical memory chip cards. A card that utilizes both a RFID contactless chip and optical memory would address both speed and true security."

He added that using optical memory in the PassCard would serve as a backup to the chip, as well as provide flexibility to collect, store and retrieve additional information in the future, should that be necessary.

"When you need to absolutely validate the bearer, [optical memory] is the most secure card there is," Hesse says. "When you want to guarantee that the holder is the same person and verify the biographical data can be read, it's the most secure."

However, a researcher familiar with the LaserCard technology disputes some of those claims. Simson L. Garfinkel, a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University, says "lots" of counterfeit Green Cards have been made since the Lasercard was adopted. "Most people who get the cards don't verify the laser strip on the back."

"Nothing makes an optical stripe any more difficult to forge than a magnetic strip or an RFID chip. If systems are distributed for creating the cards, those systems can be stolen and used to forge the cards," says Garfinkel, who is also an instructor at the Harvard Extension School, where he teaches courses on computer security and application design.Keeping those production systems in a single location makes them harder to steal but adds a delay of one or two weeks for getting a card, he says.

LaserCard says that because optical stripe cards carry personal data for each bearer, they are more secure than integrated circuit chips, which link to centralized database that could be hacked. But Garfinkel says the distinction is not important.