July 9, 2003 – There has been a drastic rise in breaches of corporate computer networks this year. In the first quarter alone, there were 42,586 security incidents, compared with 80,094 for all of 2002, according to the Cert Organization, which specializes in computer security issues. A panel of experts says smart cards can help solve the problem.
Smart cards can use chips that must touch a reader, or they can use RFID technology to communicate wirelessly (these are called contactless cards). Both varieties can store encrypted photos, birth dates, ID numbers, passwords, and biometric information to help identify and authenticate individuals gaining access to networks that link to databases with sensitive customer data.
“All aspects of security are essential to maintaining privacy,” said Randy Vanderhoof, executive director of the Smart Card Alliance, a not-for-profit association representing more than 185 companies in the banking, financial services, computer, and retail markets. The alliance brought the panel together recently to discuss the problem of corporate security and privacy.
The issue is serious because once someone has breached a corporate network and gained access to personal information about a company’s customers, they can then steal a customer’s identity. One research firm projects that identity theft will cost the financial industry $8 billion a year by 2006. The panel members urged government agencies and businesses to integrate smart cards into their data management systems to help ensure that security and privacy are enforced.
The problem is becoming more acute because companies are collecting, maintaining and using more customer information than ever before, so ensuring data integrity, customer privacy and systems security has become an increasingly difficult and complex task for corporate IT departments. At the same time, the experts said, IT systems themselves are becoming more vulnerable to attack. Networks are decentralized, and companies are opening them up to customers and business partners, creating the potential for a security failure.
When designing a system to use smart cards, it’s imperative to set clear business practice guidelines and implement those guidelines with the technology, says Jeff Katz, VP of marketing for Atmel, a semiconductor company that makes chips for smart cards. For example, companies should develop and publish privacy policies, and these should include details on how information is handled and by whom.
When designing the IT system, the company should grant access rights to staff on a data-field level, so low-level employees might have access to the name and address data fields, but not the credit card field. That would prevent anyone from retrieving information they aren’t authorized to view.
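The field-level access rule described above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the role names, field names and sample record are constructed assumptions. Access is denied by default, and refused requests are recorded for audit.

```python
from dataclasses import dataclass, field

# Hypothetical role-to-field grants (assumption). Any role or field
# not listed here is denied by default.
FIELD_GRANTS = {
    "service_clerk": frozenset({"name", "address"}),
    "billing_agent": frozenset({"name", "address", "credit_card"}),
}

# Constructed sample record; the card number is a well-known test value.
SAMPLE_RECORDS = {
    "c-1001": {
        "name": "Pat Example",
        "address": "1 Sample Street",
        "credit_card": "4111111111111111",
    }
}


class FieldAccessDenied(PermissionError):
    """Raised when a role asks for a field it has not been granted."""


@dataclass
class CustomerStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, role, customer_id, requested_fields):
        """Return the requested fields only if the role is granted every one."""
        granted = FIELD_GRANTS.get(role, frozenset())
        denied = sorted(set(requested_fields) - granted)
        if denied:
            # Record the refused attempt before failing the whole request,
            # so no partial data is returned alongside the refusal.
            self.audit_log.append((role, customer_id, tuple(denied)))
            raise FieldAccessDenied(f"{role} may not read {', '.join(denied)}")
        record = self.records[customer_id]
        return {f: record[f] for f in requested_fields if f in record}

    def read_visible(self, role, customer_id):
        """Return the projection of a record that the role is allowed to see."""
        granted = FIELD_GRANTS.get(role, frozenset())
        record = self.records[customer_id]
        return {f: v for f, v in record.items() if f in granted}
```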
In addition, Katz suggests keeping personal information only as long as it’s necessary to complete a specific operation. So, let’s say a business traveler walks up to an airport terminal that uses contactless smart card technology and performs an iris scan to authenticate the individual. Once that individual’s data is matched to the biometric template stored in a database, the original unencrypted biometric data that the user transmitted should be deleted to prevent a security breach.
Smart cards are highly secure and can be used as a privacy-enabling technology, says Gilles Lisimaque, senior VP and co-founder of Gemplus, a French smart card provider. “Being able to execute application programs, smart cards not only protect information by ciphering it when stored or transferred, the cards can also verify the rights of the employee who asks for it,” says Lisimaque.
But smart card technology has a major hurdle to overcome: public perception and acceptance. Privacy groups have raised concerns about the use of RFID to track individuals, and the concerns relate particularly to the use of contactless smart cards. The fear is that stores could put readers near their entrances and read the smart card in your wallet or purse as you arrive. You could then be tracked as you move through the store.
Lisimaque says the public needs to be educated on the uses of smart card technologies, and the security surrounding those technologies. The key, he says, is to let consumers know that contactless smart card technology actually puts power back in their hands because they can decide what information they want to share and with whom. — By Jennifer Maselli