February 27, 2003
Welcome to the February edition of ACTion News. Our newsletter is distributed each month in order to keep you up to date with events in the advanced card industry. This complimentary service is provided by ACT Canada; "building an informed marketplace". It is also available in the Resource Centre of our web site http://www.actcda.com. Please feel free to forward this to your colleagues.


IN THIS ISSUE:

1. Editorial Comment
2. U.S. GAO Report Highlights Obstacles & Successes In Government Smart Card Projects
3. Smart Cards Can Protect Privacy
4. Datacard Group and LogicaCMG To Implement World's First National Multi-Application Smart Card Program
5. Parkersburg-Marietta Contractors and Trades Education and Development Fund Acquires Pace Smart Card System
6. Another U.S. Visa Issuer Offers A Smart Card
7. Qunara Wins Security Services Contract To Supply Ontario Government's 'Smart Systems For Health' Program
8. U.S. DoD Investigates Combined Contactless & Biometric Technologies
9. Hospital Strengthens Network Security With Smart Cards and Biometrics


ACT CANADA WOULD LIKE TO THANK OUR NEW & RENEWING MEMBERS:

PRINCIPAL
SchlumbergerSema - Member Since 2000

GENERAL
Credit Union Central of Canada - Member Since 1990
Pace Integration - Member Since 2000
ATTENTION ACT CANADA MEMBERS:
Upcoming Events:
We have negotiated additional discounts for our members at CardTech/SecurTech 2003, May 12 - 15, Orange County Convention Center, Orlando.

Register early for CTST 2003 & save:

Before March 1 - save 35%: CDN$935 or US$594.25
Before April 1 - save 25%: CDN$670 or US$424.25
After April 1 - save 15%: CDN$400 or US$254.25

For more information about the CTST 2003, please visit their web site at http://www.ctst.com. Please contact Andrea McMullen for a link to the CTST 2003 discounted registration form - andrea(AT)actcda.com.
1. EDITORIAL COMMENT
Source: Catherine Johnston, President & CEO, ACT Canada (02/26)
This month we saw an explosion of data theft stories, as well as a number related to the advantages of smart cards to protect privacy and enhance security. While it is encouraging to see governments and other issuers look in this direction, we are concerned with the general impression that two major incidents were ultimately harmless. The reality is that Canadians and Americans pay dearly for data theft. It is time to stop writing a blank cheque to those who steal our data and identities and to employ advanced card technology to stem the bleeding.

The first story concerned a third party transaction processor in western Canada. Early reports indicated that ISM had lost a hard drive containing the records of 180,000 clients of an insurance company. Details included "names, addresses, beneficiaries, social insurance numbers, pension values, pre-authorized checking information and mothers' maiden names", according to wire reports. Then it was reported that the data included bank account details. In the end it was determined that an employee had taken the drive which was destined for the scrap heap, wiped out the data and was using the drive for his own information. This might have been a case of recycling, but unfortunately it had a significant cost to Canadians.

A number of the 180,000 people took steps to counter what they believed was an attack on their personal information, calling their banks to flag or change accounts and the federal government to flag Social Insurance number records. They called credit bureaus to see whether there was any unusual activity related to their credit records. They called insurance companies. All these organizations had to deal with an unexpected volume of work and that costs money. The companies who had records on that disk had to identify which customers were at risk and quickly communicate with them. That too had a cost. You could put a dollar figure on these costs, but how would you assess the value of the time the individuals had to spend making those calls? What was the cost to their employers for time lost, as they doubtlessly had to deal with the problem during business hours? What about the stress they suffered from not knowing whether their identities were at risk?

The second was the theft of more than 8 million credit card numbers from a third party transaction processor in the United States. Again, the risk is being downplayed because we have not yet seen signs that the card numbers have been used. It would be naive to believe that we are out of the woods on this one. ID thieves often wait 12 to 18 months before striking.

Some people have been quick to assume that it was a hacker, but no one has claimed credit. If it was a hacker, the information could still be sold to organized crime, since hackers are primarily motivated by fame or money.
The most likely scenario is that organized crime either stole the data to begin with or will acquire it. If that is the case, they will use the card numbers to make money as they have in the past. Law enforcement agencies will tell you that they are very good at this type of crime. Their profits will come back into our neighbourhoods in the form of drugs, weapons and other crimes.

Financial institutions do an excellent job of protecting cardholders from direct costs when their cards are defrauded. We could not ask for more as cardholders, but as a society we need to insist upon two new levels of protection.

To protect our data, organizations must start identifying and authenticating all those who access that information, whether it is employees or outsiders. They must assign access rights, such as who may look at, change, delete or add data to our records. They must provide a secure means for authorized individuals to prove their access privileges. This could take a number of forms depending on the value of the data in question. At a bare minimum, the access rights should be on tamper and counterfeit resistant tokens such as smart cards. With the state of data theft today, it is also important that individuals be challenged to prove that the card and its privileges belong to the person presenting it. As the sensitivity and value of the data increases, so should the security measures. They could range from a PIN or password to the use of biometrics and digital certificates. Security measures can be stacked as needed.

Issuers must also make it harder for thieves to use our information. Today it is possible to produce 8 million counterfeit credit cards using magnetic stripe technology. Again, we must move to counterfeit resistant technology such as smart cards.

It is no longer enough to put locks on our doors when the thieves are coming at us electronically. When do we acknowledge that we are under attack and move to protect ourselves? North Americans are beginning to understand the risk. We can only hope that card issuers and corporations move quickly to keep ahead of the concerns of their customers and citizens.
2. REPORT FROM THE US GENERAL ACCOUNTING OFFICE HIGHLIGHTS OBSTACLES AND SUCCESSES IN GOVERNMENT SMART CARD PROJECTS
Source: ContactlessNews Weekly Digest (02/13)
The US General Accounting Office (GAO) released a report called "Progress in Promoting Adoption of Smart Card Technology" in response to Representative Tom Davis' request to review the state of affairs regarding smart card technology in the federal government. Rep. Davis serves as Chairman of the House Subcommittee on Technology and Procurement Policy, Committee on Government Reform.

As stated in the document, the purpose of the study was to "assess (1) the extent to which federal agencies have adopted smart card technologies and realized the associated benefits, (2) the challenges of adopting smart cards within federal agencies, and (3) the effectiveness of GSA in promoting the adoption of smart card technologies within the federal government."

As of November 2002, 18 agencies had initiated a total of 62 smart card projects. Most were small pilots though larger rollouts have been undertaken since 2000. The report suggests that many agencies have struggled with the technology, its issuance, and utilization. Major challenges highlighted in the report include: sustaining executive-level commitment, recognizing resource requirements, integrating physical and logical security practices across organizations, achieving interoperability among smart card systems, and maintaining the security of smart card systems and privacy of personal information.

The report reviews projects undertaken by the Department of Defense, Department of Interior, Department of Treasury, Department of Transportation, Department of Veterans Affairs, Immigration and Naturalization Service, and the Western Governors Association.

Read the entire GAO report - http://www.gao.gov/new.items/d03144.pdf.
3. SMART CARDS CAN PROTECT PRIVACY
Source: ICMA Daily News (02/13)
Smart cards can strengthen the security of personal identification systems and help to protect the privacy of individuals and the personal information they entrust to businesses and government agencies, according to a new Smart Card Alliance white paper.

"Individuals, businesses and government agencies all want better protection for individual identities and personal information. At the same time, our wired world opens possibilities for privacy abuse and identity fraud on an extraordinary scale, as the recent theft of tens of thousands of credit records vividly demonstrated. Smart card technology can solve these problems today, and our new white paper shows how," said Randy Vanderhoof, executive director of the Alliance.

"Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology" examines the privacy and data security issues that must be considered when developing a system for individual identity verification. Clear guidelines to assist in designing processes and using smart cards in these systems provide practical steps any organization or system architect can put to immediate use.

"Smart cards provide a powerful tool for protecting an individual's privacy," said Robert Donelson, senior property manager of the Bureau of Land Management at the Department of Interior (DOI). "For those who have access to private information, smart cards ensure only legitimate users can access information, and they can only access the information they need to do a specific task. Other information that may be in the system can be kept confidential. Of course, privacy must be protected throughout the system, not just at the card level."

The report is available to both members and non-members at no charge at http://www.smartcardalliance.org/.

The Smart Card Alliance is a member of ACT Canada. For more information, please visit their web site at http://www.smartcardalliance.org.
4. DATACARD GROUP AND LOGICACMG TO IMPLEMENT WORLD'S FIRST NATIONAL MULTI-APPLICATION SMART CARD PROGRAM
Source: Datacard Group (02/03)
Datacard Group announced the implementation of the Datacard® Affina™ life cycle management system through a partnership with LogicaCMG, who have been appointed by Luottokunta to provide Finland's first national smart card payment program. Datacard Group will implement the Affina™ life cycle management system which will provide all the card management needs for the initial launch, and ultimately manage the life cycle of the card population, including adding, deleting or modifying applications to any issued card. LogicaCMG will provide proven systems integration services to manage Luottokunta's successful migration to the next-generation smart card payments processing platform.

Luottokunta's implementation of the new smart card issuing, management and processing solution will reduce the time to bring new payment services to market and provide a flexible architecture that can expand to meet the changing market demand. The integrated platform is developed with an open systems technology to allow EMV (Europay/MasterCard/Visa) migration to multi-application chip cards based on GlobalPlatform® established standards. The application will support 1.5 million cards, which will be issued in two phases. The first phase will be launched in the 3rd quarter of 2003 with completion projected in January 2004.

The Datacard® Affina™ life cycle management system is designed to manage the multi-application smart card program. It manages all phases of pre-issuance, as well as enabling management of the card after it reaches the consumer. Applications can be loaded, blocked or deleted at any time, and new card-based services will be available for downloading quickly and efficiently via the Internet or private network. Affina also provides complete knowledge of every smart card issued, making it fast and simple to replace lost or stolen cards. In addition, Datacard will provide project management services to ensure a complete integration of the Luottokunta and LogicaCMG solution.

Datacard is a member of ACT Canada. For more information about the above listed companies, please visit their web sites: http://www.datacard.com; http://www.logicacmg.com & http://www.luottokunta.fi.
 
5. PARKERSBURG-MARIETTA CONTRACTORS AND TRADES EDUCATION AND DEVELOPMENT FUND ACQUIRES PACE SMART CARD SYSTEM
Source: PACE Integration (02/14)
Pace Integration is proud to announce that it has entered into an agreement with the Parkersburg-Marietta Contractors and Trades Education and Development Fund to implement Pace's "SmarterSkills Credentialing System" (SSCS). The Fund will oversee the issuance of over 4,000 smartcards to its union membership. The smartcard has been designed to provide greater convenience for the worker by eliminating the need for workers to carry their various trade credentials, safety training and health test paperwork around with them to the jobsite. Instead, key information from the paperwork such as issue dates, expiration dates, and certificate numbers are securely stored on the smartcard. The new system will be eventually introduced to the contractors and owners who will find verification of worker documents a much faster and easier task.

"Our goal is to improve the administration of our safety and health testing records, provide greater convenience for our members, and to quickly provide qualified trades people to our signatory contractors," said Sam Davis, Chairman, Parkersburg-Marietta Contractors and Trades Education and Development Fund. "Pace Integration's smartcard system provides us with a convenient mechanism to track worker drug screening, vaccinations, background checks, safety training, lead/Zpp tests, PFT and FIT testing, as well as our annual training courses."

According to Paul Gallagher, President and CEO of Pace Integration, "Pace's SmarterSkills Credentialing System has been developed to address the specific needs of the construction industry. Our solution helps organizations such as the Parkersburg-Marietta Contractors and Trades Education and Development Fund, their contractors, and third-party testing organizations to quickly and accurately verify and track worker credentials thus improving safety and security on the jobsite."

Pace Integration is a member of ACT Canada. For more information about Pace, please visit their web site at http://www.paceintegration.com.
6. ANOTHER U.S. VISA ISSUER OFFERS A SMART CARD
Source: CardTechnology Magazine (01/31)
First National Bank of Omaha has become the fifth Visa credit card issuer in the United States to offer a smart card. First National is promoting the smartOne card on its Web site. The card's "smart Access" feature promises greater online security by allowing the cardholder to select a 4-digit personal identification number that must be entered to log onto the First National Internet banking site. It also promises cardholders exclusive access to "Visa smart space," a Web site with special offers for holders of Visa smart cards. The bank is offering a free smart card reader that cardholders can hook up to their personal computers. A First National spokesperson declined to comment on the smart card. Besides First National, other issuers of Visa smart cards include Fleet Credit Card Services, Providian Financial Corp., Target Corp.'s Retailers National Bank and Bank One Corp. Citibank and the Direct Merchant Bank subsidiary of Metris offer MasterCard-branded smart cards. American Express was the smart card pioneer in the United States with its Blue card, which now has some 6 million cardholders, sources say. Visa USA says there were just over 12 million Visa-branded smart cards circulating at the end of 2002. MasterCard smart cards are believed to number in the thousands.

Visa Canada Association is a member of ACT Canada. For more information about Visa, please visit their web site at http://www.visa.com.
7. QUNARA WINS SECURITY SERVICES CONTRACT TO SUPPLY ONTARIO GOVERNMENT'S 'SMART SYSTEMS FOR HEALTH' PROGRAM
Source: Qunara (01/27)
Qunara Inc. announced the signing of a contract worth close to $13.6 million over five years, with the Government of Ontario's Ministry of Health and Long-Term Care (MOHLTC) to develop and deploy the entire Public Key Infrastructure Subscriber Registration (PKI-SR) Solution, which will form the security foundation for Smart Systems for Health Agency (SSHA), the information infrastructure for Ontario's integrated eHealth strategy.

Smart Systems for Health plays a critical role in the government's reform of the health care system. The creation of a province-wide electronic information network will ensure the integration of a transformed health system providing security and confidentiality of personal health information. The scope of the PKI Solution that Qunara will deliver includes the development of a PKI governance model, certificate policies and certificate practices, as well as the complete architecture, design and implementation of a highly available PKI in all operating environments. Qunara will also implement a registration management system to assist in the deployment of the PKI within the Ontario health community. In addition, Qunara will be providing Tier 2 support services, assistance for ensuring readiness for cross certification and a suite of training programs for SSH registration authorities, end users and the Certification Authority Operations staff. Qunara will also assist in registration activities, and develop and implement the on-going PKI operating procedures, disaster recovery and business continuity plans.

This contract has resulted from a culmination of seven years of credibility achieved by Qunara's PKI deployments. The successful award of SSH means Qunara is now intimately involved in the single largest new PKI project in Canada, with enhanced potential for additional contracts in the future.

Qunara is a member of ACT Canada. For more information about Qunara, please visit their web site at http://www.qunara.com.
8. US DEPARTMENT OF DEFENSE INVESTIGATES COMBINED CONTACTLESS AND BIOMETRIC TECHNOLOGIES WITH BEARINGPOINT
Source: ContactlessNews Weekly Digest (02/13)
BearingPoint, formerly KPMG Consulting, has been selected by the US Department of Defense (DoD) Biometrics Management Office (BMO) to evaluate the use of biometrics on contactless cards. The evaluation is to test the viability of secure access to military facilities via a biometric indicator and a contactless chip on the Common Access Card (CAC).

The CAC is the U.S. military ID card that will ultimately be issued to more than 4 million active-duty, selected reserve, and civilian employees/contractors. To date, more than one million CACs have been issued. These cards contain a contact chip but future orders will include a contactless chip as well. Project leaders are initiating pilot trials of ISO 14443 Type A contactless technology in preparation for full rollout.

BearingPoint was awarded the $1.2 million contract and is scheduled to report on project findings in just 90 days. Other participants in the project include SPYRUS, Inc., SAFLINK Corporation, Precise Biometrics, XTec, NetVersant, and Datastrip. The team will provide development, training, testing, and post-delivery support to the Department of Defense's Biometric Working Group, Biometrics Management Office, and Biometrics Fusion Center.
9. HOSPITAL STRENGTHENS NETWORK SECURITY WITH SMART CARDS AND BIOMETRICS
Source: CardTechnology Magazine (01/31)
Employees of the University of Connecticut Health Center used to carry up to six cards while at work, says Rob Bradner, the hospital's deputy CIO. "One card gets them into the parking lot, another gets them onto the computer network, and another is used for time and attendance," he says. "Some employees look like a tile salesman with flooring samples." The hospital wanted to integrate these card programs into one. It also wanted to test using a smart card that employees use with a personal identification number to access software applications on the computer network. It is using Datacard's ID Works software to issue the new ID cards to its 4,200 employees. The cards also may have a magnetic stripe or bar code to enable certain employees access to various parts of the hospital. Employees who need access to the hospital's computer network receive a Java Card-based ID card with a 16-kilobyte chip, says Bradner. The card stores a digital certificate to enable employees to digitally sign and encrypt electronic documents, says Bradner. For example, doctors use their smart cards to digitally sign patient orders for tests and prescriptions, says Bradner. The hospital has issued 500 smart cards so far, says Bradner. It is using Activcard's Trinity software to manage users' passwords for access to 200 computer applications, says Bradner. The Trinity software eliminates the need for employees to remember a password for each application they need to access. "It's not unusual for a single employee to require access to five or six different applications," he says. "When you have that many user names and passwords, you can't survive without writing them down." In addition, the Trinity software allows the hospital's network security managers to add on different types of log-on methods, such as using a biometric identifier, without having to write a separate software program, says Bradner.
The hospital plans to test having the doctors place their finger on a sensor and typing in a PIN to log onto the network because the doctors are too impatient to insert the smart card into a reader, says Bradner.
ACT Canada is an international non-profit association for the advancement of card technologies. We work on behalf of our members to promote the awareness, understanding and use of all advanced card technologies, including optical, smart, capacitive and emerging technologies. If you would like to learn more about ACT Canada membership, please visit http://www.actcda.com or contact our office at (905) 426-6360 ext. 22.
Please forward any comments, suggestions, questions or articles to andrea(AT)actcda.com. If you would like to be removed from our newsletter distribution list please reply to this email with the word "REMOVE" in the subject field. Please note that articles contained in this newsletter have been edited for length.
Andrea McMullen
AVP
ACT Canada
tel: 905 426-6360 ext. 24
fax: 905 619-3275
email: andrea(AT)actcda.com
web: www.actcda.com
mail: 85 Mullen Drive, Ajax, ON, L1T 2B3