Contactless cards: Know your enemy (and your friends)

 

Connecting state and local government leaders

Recent controversy over the use of radio frequency communications in government documents has spurred the smart-chip industry to form yet another coalition.

Recent controversy over the use of radio frequency communications in government documents has spurred the smart-chip industry to form yet another coalition.The Secure ID Coalition was announced at the National Conference of State Legislators in August. Founding members include card makers Gemalto Inc. of Washington and Oberthur Card Systems of Rancho Dominguez, Calif., and chip makers Infineon Technologies North America Corp. of San Jose, Calif., Philips Semiconductors NV of Amsterdam, and Texas Instruments Inc.They are all also members of the Smart Card Alliance, and the message of the two groups is the same: Contactless digital technology can be secure as well as efficient. The difference: The Secure ID Coalition is a lobbying organization.'Where we will engage, where the Smart Card Alliance can't, is in Congress,' said James Sheire, manager of government programs for Philips. 'That's where they cannot tread and we can.'Contactless ID is a 'hot new technology' being driven by government, Sheire said. The Common Access Card, Personal Identity Verification card and electronic passports have adopted RF communication between the chip and a reader.Well-publicized privacy concerns over RFID tag technology and a high-profile debate on which RF technology should be used in the Western Hemisphere Travel Initiative spurred formation of the coalition. Industry wants to ensure that legislators hear their point of view directly.A large part of the group's mission is to explain the differences between two sets of protocols using different parts of the RF spectrum. The ISO 14443 family, in the high-frequency range, is commonly used in cards read by proximity or short-range readers. The ISO 18000 family uses the shorter wavelengths of the ultra-high frequency and is commonly found in RFID tags used to track materials.'This is all contactless technology,' said Tres Wiley, director of e-documents for Texas Instruments. Because they all use RF communications, they have certain characteristics in common.But the characteristics of the frequencies the technologies use define the strengths and weaknesses of each. Texas Instruments makes both chips, and Wiley said he has no axe to grind in the dispute between them.In general, more security now is available on the HF proximity platforms, making them more appropriate for sensitive data.'There are vendors proposing solutions we consider inappropriate for security and privacy concerns, especially for government IDs,' Sheire said.Signal range and penetration with a given amount of power depend in part on the wavelength for each technology. Effective antenna length is a function of wavelength, and HF transmitters require longer antennas. That means power drops off quickly with range in small HF devices. For this reason, HF proximity readers usually have an intended range of no more than four inches. UHF readers, used to track inventory, can work well up to 32 feet.'A little bit of power goes a lot farther,' with UHF, Wiley said.UHF also does not go through ionic liquids, which are organic salts, as well as HF. Because the human body is largely saltwater, processors carried on your person, like an access card, work better with HF.The shorter range of HF technologies means that surreptitiously reading a chip or eavesdropping on a transaction between chip and reader is more difficult. This is one of the reasons why applications with sensitive data, such as ID cards and passports, have tended to use HF. Longer-range RFID tags, which can be more easily scanned, tend to carry less data and less-sensitive information.For these reasons, there has been more concentration on security features such as access control and encryption for HF proximity devices. That does not mean that security on UHF tags is not possible, but that encryption takes power.'It hasn't been done today,' Wiley said. 'Can you do it? Yes. But nothing is free; there will be trade-offs. You would lose some of that range.'In the end, neither technology is perfect or perfectly safe.'You choose the one that gives the best performance,' Wiley said.How much thought has been given to these technology choices? More in some cases than in others. Payment systems offered by major credit card companies have been 'well thought out,' Wiley said. The e-passport 'is pretty well thought out.' The Western Hemisphere Travel Initiative? 'I think that's one that has not been well thought out.'The real risk in any system is not the technology, but how it is used, Wiley said.'The threat that deserves the most attention is using the system for ways it was not originally intended,' he said. 'Security vulnerabilities will come about because it is used in ways for which it was not designed.'Wiley said this threat is real, but that it is a policy issue rather than a technology issue. With proper planning, he said, electronic documents can be created that are more secure than current paper-only documents.

Inside out: The inner workings of a smart card.













































NEXT STORY: RFID technologies duke it out

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.