It's in the cards.
Security managers are discovering that without additional features, ID cards cannot ensure true access control. Fortunately, manufacturers have attempted to keep pace with the evolving workplace environment by offering cards that incorporate a variety of technologies and features. Most cards now work with an automated access control system in which each badge card carries a unique number that identifies the wearer and his or her access rights. The technologies incorporated on these cards include magnetic stripe, watermark, Wiegand, proximity, and bar code. However, not every card fits every situation. The challenge for security managers is to determine which technology or combination of features best suits their particular workplace.
Magnetic stripe is currently the most popular technology used with access control systems. This technology has withstood the test of time and the cards are relatively cheap to produce, about twenty cents apiece. In addition, magnetic stripe cards can work with an enormous array of readers.
The stripe or tape - usually on the back of the card - is a carrier material coated with an iron oxide. The stripe is then encoded by subjecting the tape to a magnetic field. This force aligns the iron particles in a particular pattern to represent a series of data bits, or binary code. To read the data, the readers "play back" the tape's signal in the same way a cassette player plays a music tape.
Magnetic stripe cards can be encoded using standard or encrypted formats for different levels of security. Although magnetic stripe technology has been around since the early 1970s, encryption methods are still evolving and being incorporated as they are improved. Security managers typically will use encryption on their magnetic stripe cards when they wish to restrict access to a sensitive area within the corporate campus.
Data can be placed on three different tracks on each stripe. With standard encoding, track one is usually used for time and attendance applications, track two for access control, and track three for cashless vending. If one and three are not being used, track two can be widened to guard against misreads caused by incorrect card insertion.
Track two takes numeric data only. The number encoded can be up to forty digits and can be compared to a combination lock. Three of the forty digits are start, stop, and check bits. The remaining thirty-seven digits can use one of ten numbers; therefore, the number of possible combinations is 10^37, enough for most applications. The resulting 40-digit number refers to a file on a company database that matches a card holder and his or her access privileges.
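The framing described above (start, up to thirty-seven digits, stop, check) can be made concrete with a short encoder and decoder. This is an added example, not part of the original article; it assumes the 5-bit character layout of ISO/IEC 7811 track two (four data bits plus odd parity, with an LRC as the check character), a standard the article does not name, and the card number is constructed.

```python
# Added illustration; framing assumed to follow ISO/IEC 7811 track two.
START, END = 0xB, 0xF  # start (';') and end ('?') sentinels


def _char_bits(nibble):
    """Four data bits, least significant first, then an odd-parity bit."""
    bits = [(nibble >> k) & 1 for k in range(4)]
    return bits + [1 - sum(bits) % 2]


def _lrc(nibbles):
    """Longitudinal redundancy check: XOR of every character's data bits."""
    acc = 0
    for n in nibbles:
        acc ^= n
    return acc


def encode_track2(digits):
    """Frame a decimal string as start, digits, end, LRC (as a bit list)."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) > 37:
        raise ValueError("track two carries 1 to 37 decimal digits")
    chars = [START] + [int(d) for d in digits] + [END]
    chars.append(_lrc(chars))
    return [b for c in chars for b in _char_bits(c)]


def decode_track2(bits):
    """Return the digit string; raise ValueError on any framing error."""
    if len(bits) < 20 or len(bits) % 5:
        raise ValueError("expected whole 5-bit characters")
    chars = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5]
        if sum(group) % 2 != 1:
            raise ValueError(f"parity error in character {i // 5}")
        chars.append(sum(b << k for k, b in enumerate(group[:4])))
    if chars[0] != START or chars[-2] != END:
        raise ValueError("missing start or end sentinel")
    if _lrc(chars) != 0:  # data XOR its own LRC must cancel to zero
        raise ValueError("LRC mismatch")
    if any(c > 9 for c in chars[1:-2]):
        raise ValueError("non-numeric character in payload")
    return "".join(str(c) for c in chars[1:-2])


if __name__ == "__main__":
    sample = encode_track2("0042001337")  # constructed card number
    print(len(sample), decode_track2(sample))
```

Parity and LRC catch misreads only; both are computed from the data itself, so a copied or re-encoded stripe still validates.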
Tracks one and three take both alphanumeric and numeric data. Encrypted encoders place these letters and numbers onto the magnetic stripe using a scrambled code. The code, representing access privileges or account information, is then read by a special encryption reader that allows the user access or the ability to complete a transaction, for example. While encryption makes the system more secure, the company is tied to one vendor that offers a specific, copyrighted encryption format and reader.
The magnetic tape itself can be either high, medium, or low coercivity. High-coercivity (hi-co) - also called high-energy tape - needs a greater magnetic force to encode the data, ten times that required for low coercivity (lo-co), or low-energy, tape. Hi-co tape is more expensive but cannot be erased as easily as lo-co by magnetic fields from magnets, televisions, speakers, or other magnetic stripe cards.
Access control systems mainly use hi-co tape. Banks generally use lo-co tape for ATM cards, although many are now moving to medium coercivity (mid-co) for better data retention. Mid-co tape is less expensive to produce than hi-co tape but still reliable. This tape has also been tested and found to provide enough protection against accidental erasure of data from stray magnetic fields.
In addition, some tape has dual coercivity, combining hi-co and lo-co for multifunction cards. In this case, the hi-co and lo-co tape sit on top of each other across the three tracks. The hi-co tape on one of the tracks will contain the permanent user data, leaving the lo-co tape on the other tracks for read/write information like cash details in a cashless vending application. This application increases the cost of each card by a few cents and allows the card to be read or written to using older lo-co format heads.
Elida Faberge, a cosmetics company in Leeds, England, has used hi-co magnetic stripe technology for several years at its headquarters. The company chose magnetic stripe for its relatively low cost and high performance. In addition, because the cosmetics business is extremely competitive, Elida Faberge recently decided it needed a reliable photo ID card system for authorized personnel as well as a way to ensure restricted access to the manufacturing floor. The company decided to install an access control system at its manufacturing plant in the north of England and distribute photo ID cards to its 600 employees.
The ID cards were made up by the bureau division of Databac Limited, a manufacturer and supplier of ID cards and systems, and contain an instant passport-type photo and a company logo. The employee name is printed directly onto the central core during manufacture of the card. A 3M hi-co magnetic stripe is placed on the reverse of the card and is encoded at Databac's factory prior to dispatching them to Elida Faberge. The company also has its own photo ID and laminating system to provide new and replacement cards on site.
PolyGram - a popular entertainment company - also uses magnetic stripe technology at its state-of-the-art distribution center in Milton Keynes, England. The company chose magnetic stripe because of its proven reliability. The company's cards are multifunctional and operate with both its access control and time and attendance systems. The cards are also used for identification. To make the cards, an instant photo is produced using an instant camera, and the photo is then die-cut and laminated into the card together with an insert that contains variable information such as name and social security number. The systems have been relatively inexpensive to implement and operate.
Enhanced security. One shortcoming of magnetic stripe technology is that in the past it could be duplicated with the right equipment. Thorn Secure Science has improved magnetic stripe technology by adding a watermark. Watermark Magnetics, as the company calls its technology, has been around about ten years and is now being used in major banks, universities, telecommunications companies, and other organizations that require a high level of security.
During manufacturing, a unique pattern is permanently encoded into the magnetic stripe when it is still "wet." This pattern then becomes "baked" into the tape. The pattern consists in part of a nine-character code formed by orienting the particles in the tape to give each card a secure, machine-readable identity. Each pattern is known as a "word" of watermark information and consists of an application code, an audit code, a sequential identity number, and an LRC. (An LRC is a character within the data stream that allows the card reader to conduct error checks on the code.) Each word is produced to be placed into only one card, which guarantees that each watermark number is never duplicated. The Watermark Magnetics method ensures that the pattern can never be erased or altered without destroying the magnetic medium.
Cards with this watermarked tape are either swiped through or inserted into a special reader manufactured only by Thorn. The reader checks the tape for a specific watermark pattern and either decodes the identity number or rejects the card. Unlike magnetic stripe readers, these readers do not look at tracks one, two, and three. Instead, they read track zero, located between track one and the edge of the card. In addition, the reader is driven by the reading circuitry, which causes an alternating magnetic field to penetrate into the tape rather than simply read the surface, as standard readers do. If someone tries to re-create a watermark number on standard magnetic tape, the reader will detect the attempt and erase the data completely.
Watermark technology costs slightly more than magnetic stripe alone and significantly more than bar code technology, but not as much as proximity or Wiegand technology.
The University of Cambridge uses this technology as part of its state-of-the-art access control system. The university also uses polyester rather than standard PVC cards because polyester is more durable and environmentally friendly than chlorine-based PVC. Polyester cards cost almost twice as much as PVC cards. However, depending on the number of cards purchased, polyester cards can be more economical since they are more durable, lasting twice as long as PVC cards.
In addition, photos and text can be printed directly onto the card's surface. The cards are worn by students and staff and incorporate a special Teflon coating across the Watermark Magnetics stripe to protect it against excessive scratching, abrasion, and wear.
Wiegand Wire. Wiegand Wire technology was developed in the 1950s and is now manufactured by HID Corporation (formerly Sensor Engineering). Wiegand cards are suitable for high-security applications but operate quite differently than magnetic stripe cards.
Short lengths of thin alloy wires are aligned in two rows across a strip about the width of a magnetic stripe to produce an ID code. Depending on how many wires are used in the strip, the card can produce hundreds of millions of codes. These code strips are embedded within the card during manufacture, which protects them from surface damage. Any attempt to reach the wires will destroy the card and impair the wires' pulse-generating properties.
A Wiegand card reader exposes the card to a changing magnetic field, which causes the wires to produce a strong yet discrete electrical output. The wire location in the code strip determines whether the output is a "one" or "zero" in binary code. This data is then sent from the reader to the control or reading system, which looks at the data and decodes it into the correct card number. Like Watermark readers, Wiegand card readers come in swipe or insert models.
While it is the most expensive card technology available due to the complex manufacturing process, Wiegand Wire offers better security, making it appropriate for use at airports, government agencies, power stations, and hospitals. The technology is also unaffected by external influences such as stray magnetic fields and radio interference.
Ernst & Young, a major accounting firm, uses Wiegand cards for access control at its head office in London. The firm prints out photo ID inserts from an all-photo camera system and laminates the inserts into a polyester pouch that contains the Wiegand code strip. "All-photo" ID cards contain a photo, signature, and identifying data on a single sheet of film. All-photo cameras use validation plates with information that remains the same, such as the company logo, as well as unique identifying information such as name, department, and signature. When the photo is taken, the data is superimposed on the card so that the developed film produces a card and photo together. Apart from the code strip, the cards also incorporate a hi-co magnetic stripe. Although currently unused, this stripe will eventually allow the cards to be used for cashless vending.
Proximity. Proximity technology does not require a card to be inserted or swiped through a reading device. Instead, proximity cards incorporate a laminated or embedded radio frequency (RF) circuit that consists of a small microchip and an antenna that merely need to be held near the reading device.
The card sends out a continuous signal that is recognized by the reader when it comes into range. Read distances generally depend on the size and power of the reader. When a card comes within a certain range, the reader picks up the card's signal, which is then deciphered to identify the number.
RF cards can be passive or active. A passive RF card contains the basic coil and chip combination. The microchip relies on the magnetic field from the reader to become active; therefore, these cards tend to be read only over a short distance - about two feet. Security managers usually choose passive tags based on price, as they cost about one-fourth that of active tags. The active RF card is generally heavier and thicker because it carries an integral long-life battery. An active tag can interact with the reader from up to six-and-a-half feet away.
For visual identification, a photo ID can be incorporated directly onto the surface of passive cards. The active cards, however, need a special adhesive overlay to hold the photo.
New encryption techniques that have been incorporated into RF technology over the last four years have ensured that signals cannot be picked up and decoded by other devices, making the technology more secure than before.
Encryption is not an automatic feature of proximity cards, however. If an organization decides encryption is necessary, the security manager should request an on-site encoding system that will program the tag or keyfob with a unique site code.
Proximity technology is ideal for applications where employees do not always have a free hand to swipe or insert a card into a reader. Such is the case at Compaq Computer's UK headquarters in Richmond, Surrey. The company wanted to have a "hands-free" method of opening doors while at the same time incorporating photo ID. An electronic video imaging system allowed Compaq to capture photos "live" and store them with employee data on a password-protected database. The photos, data, and company logo are now printed in color onto a badge overlay that is then firmly attached to the RF card. Cards for temporary workers are issued at the start of every day as well as cards for those needing to access secure areas. All the cards are color-coded for easy identification.
Proximity cards are more expensive than magnetic stripe cards but less costly than Wiegand cards. In terms of durability, proximity and Wiegand are better than magnetic stripe, although the card material should be considered. As discussed above, polyester offers greater durability and temperature stability than standard PVC. With regard to security, proximity cards offer a higher security level than magnetic stripe cards but about the same level as Wiegand cards.
Bar code. A standard bar code consists of a series of spaces and black bars of different widths. These bars are called elements, and when scanned by a reader are interpreted as binary code. At their simplest, bar codes can be counterfeited with the use of a simple office copier and, therefore, offer poor security for access control cards.
The security manager can foil such counterfeit attempts by asking the manufacturer to overlay the code with an obscuration panel that is read by an infrared reader, but this process will increase the cost of the system by about 15 percent. Some direct card printers have the capability to print an infrared-readable bar code. In this case, there is no additional cost apart from the cost of the ribbon itself. However, this method can make cards more expensive than those that have been printed in bulk during original manufacture.
Another security enhancement for bar code technology is the two-dimensional bar code, on which data can be encrypted. (A standard bar code cannot hold the amount of data required to support encryption.) A two-dimensional bar code (or multi-row bar code) is a bar code that has been dissected so that rows of bar codes lie on top of each other rather than side by side. A special reader can read many individual layers containing more information than a single layer of standard linear code.
Encryption will enhance security of a bar code card, but if the bar code itself is not obscured or covered, it can still be copied. To further enhance the security of bar code technology, biometric data such as a fingerprint or digital data such as a photo can be placed in the bar code to be used for verification along with other data such as name and signature.
While bar codes are accurate and inexpensive, the technology is not often used for access control because it does not always provide an adequate level of security. Rather, it is used widely as an additional technology on multipurpose access control cards for tasks such as time and attendance recording.
Smart cards. The latest development in card technology is the smart card, which contains a computer chip capable of holding significantly more information than other card technologies. The chip can be programmed to require a PIN or password after the card is swiped through a reader, and the information on the chip can easily be encrypted using a desktop computer. Encryption helps protect the information on stolen cards.
Smart cards can incorporate biometrics as well. For example, a fingerprint or small microphone with a voiceprint could be built into the card to provide user authentication. Smart cards are priced on a par with Wiegand cards.
It is likely that all of these card technologies will be around in the future. However, the use of magnetic stripe cards will probably lessen beginning by the year 2000, mainly because banks - who issue the majority of such cards worldwide - are expected to increase their use of smart cards due to their higher storage capacity and their ability to facilitate online transactions.
When deciding on which card to use, a security manager must bear in mind the requirements of the company as a whole as well as the users, level of security required, and budget constraints. The fate of the company's access control may well be in the cards - but it is the security manager who deals the hand.
Charles Balcomb is managing director of the Databac Group, based in Kingston upon Thames, Surrey, UK. Databac is a specialist manufacturer and supplier of ID cards and systems using advanced technologies.
|Title Annotation:||identification cards for access control systems|
|Date:||Oct 1, 1997|