the issues involved with trusting identities on NFC and other virtualized credential platforms 
Use of virtual credentials to manage identity is opening the access control industry to new solutions
Today's mobile phones are so much more than communication devices - they have become an indispensable consumer appliance for numerous personal, professional and entertainment applications. With the advent of Near Field Communications (NFC) technology, these mobile phones can now also be used to hold your identity keys and used to carry out numerous secure transactions, Dr. Tam Hulusi, senior vice president at HID Global, delves into the issues involved with trusting identities on NFC and other virtualized credential platforms.

Near Field Communication technology - Explained

A short-range wireless communication technology standard, NFC enables the exchange of data between devices over short distances such as a few centimetres. NFC is one of several new platforms that can be used to hold virtualized credentials that previously were stored on contactless smart cards and used to open doors. The same contactless credentials that are programmed to provide various levels of facility access can now be loaded onto a mobile handset and used with NFC for secure access. Users benefit immensely as it eliminates the need to carry any other access credentials, while making it easier for security managers to track who is entering and exiting monitored access points.

Benefits of Near Field Communication

NFC enables physical access, cashless payment and other exciting capabilities, but the only way to make them secure is by establishing an identity methodology. This methodology must be based on a comprehensive chain of custody in which all system end points can be validated. Only in this way can identity transactions between the end points be trusted at any time.

Contactless payments and contactless access control go hand-in-hand with NFC

The value of contactless transactions is expected to reach $5.6 billion, and there is also strong interest in mobile payments 

Contactless payments and contactless access control go hand-in-hand with NFC-enabled phones can make several contactless transactions including cashless payment and transit ticketing, data transfers including electronic business cards and access to online digital content. This makes it easy to combine multiple virtual credentials on a single device for things like secure facility access and the ability to make cashless payments at the facility's canteen. Cashless payment is rapidly growing in popularity, and contactless payments are becoming increasingly popular in Canada. According to an August 2010 study by Technology Strategies International, an Oakville, Ontario-based tech market research firm, a significant chunk of transactions in Canadian stores will be carried out using cashless payment systems by 2014. The value of contactless transactions is expected to reach $5.6 billion, and there is also strong interest in mobile payments.

The changing face of "identity" and identity management

We often think about identity in terms of the card that carries it. Clearly, though, "identity" can now take the shape of a mobile phone, a USB stick or some other medium. These and other virtualized credentials expand the concept of identity beyond traditional I.D. cards to include many different credential form factors.

This new way of thinking is driving fundamental changes in how we deliver and manage secure identity. Today's new form factors for credentials improve user convenience and flexibility. But they also raise questions about how to ensure that all identities can be trusted. For instance, if a user's identity resides on a mobile phone, how can one be sure that the device is trusted and secure? Or if a user loses a USB stick that houses his/her identity, how does one disable that device without affecting the user's identity/credential residing on another device?

Managing virtualized credentials can be a complex process 
Virtualized credentials will enable a new era of more convenient and secure transactions
Factors involved in virtualized credentials' authentication and management

Managing virtualized credentials can be a complex process. In one typical example, a server would first send a person's virtualized credential over a wireless carrier's connection to the person's mobile phone. To "present" the person's virtualized credentials at a facility entry point, the phone is held close to an IP-based access controller connected to another server. Throughout the process, there must be a way to ensure that the credential is valid. Both endpoints, plus all of the systems in between, must be able to trust each other. There needs to be a transparently-managed chain of trust going from one end to the other.

The basis for modern transactional systems has been the ability to trust the identification of a person, computer, web site, check, or a credit card. Unfortunately, the effort required to authenticate them has grown exponentially. There is, however, an aspect of secure identity systems that simplifies the problem: like mobile networks, secure identity systems are closed systems. To use them, you generally must complete a background check and sign a legal document to construct the basic blocks describing your identity. It's this strong authentication and binding that endows a secure identity system's basic blocks with inherent trust.

To even have a current and valid set of identity blocks usually means that one has passed this bar and is a member in good standing of the closed system. It also means that the blocks and the systems supporting them can be simpler and constructed so that they use industry standards. This is the approach taken with TIP [Trusted Identity Platform], which enables the validation of all endpoints, or nodes (such as credentials, printers, readers and NFC phones) in the network so that transactions between the nodes can be trusted.

Data security, privacy and reliability are ensured in the TIP environment using symmetric-key cryptography, so that all nodes can execute trustworthy transactions 

Benefits of the Trusted Identity Platform [TIP]

TIP is a framework for creating, delivering and managing secure identities in a virtualized credential environment. At the heart of the TIP framework is the Secure Vault, which serves known nodes within a published security policy. TIP delivers three critical capabilities: plug- and-play secure channels between hardware and software; best-in-class key management and secure provisioning processes; and seamless integration with information technology infrastructures.

Data security, privacy and reliability are ensured in the TIP environment using symmetric-key cryptography, so that all nodes can execute trustworthy transactions. Once a "handshake" is accomplished between the Secure Vault and a node device, then the device is deemed to be "trusted" in the network. Trusted devices no longer must communicate with the Vault and may operate independently. In this way, the transaction between nodes, such as a credential and a reader, is trusted and the resulting transaction, such as opening a door or logging onto a computer, can also be deemed trusted.

NFC-based access systems and other virtualized credentials will enable a new era of more convenient and secure transactions. Delivering on this promise will require a simple but protected, fully scalable and standards-based identity delivery system. These systems will need to support a wide variety of identity nodes - ranging from readers and cards to NFC-equipped mobile phones - that each can be registered as a "trusted node" so that it can be securely provisioned anywhere in the world.

Dr. Tam Hulusi, senior vice president at HID Global Dr. Tam Hulusi,
Senior vice president

HID Global 

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

Remote Monitoring technology: Tackling South Africa’s cable theft problem
Remote Monitoring technology: Tackling South Africa’s cable theft problem

For decades, cable theft has caused disruption to infrastructure across South Africa, and an issue that permeates the whole supply chain. Here, Ian Loudon, international sales and marketing manager at remote monitoring specialist Omniflex, explains how new cable-alarm technology is making life difficult for criminals and giving hope to businesses. In November 2020, Nasdaq reported that, “When South Africa shut large parts of its economy and transport network during its COVID-19 lockdown, organised, sometimes armed, gangs moved into its crumbling stations to steal the valuable copper from the lines. Now, more than two months after that lockdown ended, the commuter rail system, relied on by millions of commuters, is barely operational.” Private security firm Despite this most recent incident, cable theft is not a new phenomenon to sweep South Africa Despite this most recent incident, cable theft is not a new phenomenon to sweep South Africa. In 2001, SABC TV broadcast a story following two members of a private security firm working for Telkom, a major telecoms provider. In the segment, the two guards, working in Amanzimtoti on the south coast of KwaZulu-Natal, head out to investigate a nearby alarm that has been triggered. They reach a telecoms cabinet and discover that it has been compromised, with the copper cable cut and telephone handsets strewn across the ground. In the dark, they continue to search the area when one of the guards discovers the problem: 500 metres of copper wire has been ripped out. In their haste, the thieves have dropped their loot and fled. Widespread cable theft Had they managed to get away, they would have melted the cable to remove the plastic insulation and sold the copper to a local scrap dealer for around 900 Rand, about $50 US dollars. For the company whose infrastructure has been compromised, it may cost ten times that amount to replace and repair the critical infrastructure. The disappointing takeaway from this story is that two decades on from this incident the country still faces widespread cable theft, whether it’s copper cables from mines, pipelines, railways, telecoms or electrical utilities. In fact, the South African Chamber of Commerce and Industry estimates that cable theft costs the economy between R5–7 billion a year. The answer to the problem must go further than the existing measures used by companies. Detect power failure Most businesses already invest in CCTV, fences, barriers and even patrol guards, but this is not enough. Take the mining sector, for example. These sites can be vast, spanning dozens of kilometres - it’s simply not cost effective to install enough fences or employ enough guards or camera operators. As monitoring technology gets better, the company has seen site managers increasingly use cable alarms in recent years that detect when a power failure occurs. The idea is that, if one can detect a power failure, they can detect whether the cable has been cut The idea is that, if one can detect a power failure, they can detect whether the cable has been cut. The problem is though: how does one distinguish the difference between a situation where a cable has been cut intentionally and a genuine power outage? Power outages in South Africa are an ongoing problem, with the country contending with an energy deficit since late 2005, leading to around 6,000 MW of power cuts in 2019. Remote terminal units Eskom Holdings SOC Ltd., the company that generates around 95 per cent of South Africa’s power has already warned of further blackouts as the company works to carry out repairs to its power plants. According to a statement on the company’s website, “Eskom spends in the region of R2 billion a year replacing stolen copper cables." The result is that criminals take advantage of the gaps in power to steal cable, timing their robberies to coincide with the published load shedding schedules. The basic alarms used to detect power outage won’t recognise the theft because they register a false-positive during a power cut. By the time the power comes back on, the deed has been done and the criminals have gotten away with the cable. The good news is that recent breakthroughs in cable monitoring technology are helping tackle just this problem. New alarms on the market now combine sophisticated GSM-based monitoring systems that use battery powered remote terminal units. Legitimate supply chain Unlike the basic alarms that look for the presence or absence of power, these new systems monitor whether the cable circuit is in an open or closed state. In the event of a power outage, the unit continues to run on battery power and can detect if a cable has been cut, sending a priority SMS alert to the site manager immediately, giving them a fighting chance to prevent a robbery in progress. Beyond the opportunistic theft carried out by petty criminals, the theft of copper cables forms a wider problem Beyond the opportunistic theft carried out by petty criminals, the theft of copper cables forms a wider problem across the supply chain in South Africa. In recent years, the combination of unscrupulous scrap dealers, the alleged involvement of large scrap processing companies and lax penalties meant that much of the stolen copper ended up back in the legitimate supply chain. However, recent changes in the law have sought to take a tougher stance on copper theft. Alarm monitoring technology According to the Western Cape Government, “The Criminal Matters Amendment Act, regulates bail and imposes minimum offences for essential infrastructure-related offences." The act, which came into effect in 2018, recommends sentencing for cable theft, with the minimum sentence for first-time offenders being three years and for those who are involved in instigating or causing damage to infrastructure, the maximum sentence is thirty years. It seems to be working too. In January 2021, the South African reported that a Johannesburg man was sentenced to eight years behind bars for cable theft in Turffontein. While the longer-term outlook is a positive one for industry, the best advice for businesses seeking to alleviate the problem of cable theft in the immediate future is to invest in the latest cable-theft alarm monitoring technology to tackle the problem and make life difficult for criminals.

What are the positive and negative effects of COVID-19 to security?
What are the positive and negative effects of COVID-19 to security?

The COVID-19 global pandemic had a life-changing impact on all of us in 2020, including a multi-faceted jolt on the physical security industry. With the benefit of hindsight, we can now see more clearly the exact nature and extent of that impact. And it’s not over yet: The pandemic will continue to be top-of-mind in 2021. We asked this week’s Expert Panel Roundtable: What have been the positive and negative effects of Covid-19 on the physical security industry in 2020? What impact will it have on 2021?

Maximising supermarket safety with real-time surveillance solutions
Maximising supermarket safety with real-time surveillance solutions

Supermarket employees have been the hidden key workers of the past year, keeping shelves stocked and queues under control as panic buying gripped the nation. As a result of being expected to enforce face covering and social distancing regulations, they also been asked to act as de-facto security guards alongside their existing duties. This is problematic as many employees have never had to deal with this kind of responsibility before, let alone received any conflict de-escalation training. In order to maintain the safety and security of their staff retailers must take additional steps to uphold their duty of care, with the NPCC recently specifying that it is the responsibility of retailers ‘to manage entry to their stores and compliance with the law while customers are inside’. Supermarkets in particular need to be aware of this requirement, as the big four recently announced that their employees would now be challenging customers shopping in groups and those not wearing masks. Verbal abuse from the public Crime against retail employees has already been a major issue over the course of the pandemic, confirmed by research from the Union of Shop, Distributive and Allied Workers that found 90% of retail staff in the UK experienced verbal abuse last year. The Co-op has recently been vocal about the effects of the pandemic and lockdown-related frustrations on its employees.90% of retail staff in the UK experienced verbal abuse last year The supermarket reported a 140% increase in crime within its stores over the past year, with many of the 200,000 cases related to verbal and physical abuse experienced by employees. Jo Whitfield, Co-op Food chief executive, confirmed that the number of issues has already increased drastically as a result of staff enforcing COVID-secure guidelines. So, what steps must retailers take to ensure their duty of care remains intact as employees take on new enforcement responsibilities? Introducing real-time surveillance technology to support security guards and shop floor employees alike is vital. Bolstering front line defences Security guards posted at supermarket entrances are the first line of defence against shoppers determined to break the rules. However, they are now being pulled in multiple directions with queues to monitor and occupancy to manually keep track of, along with the usual security alarms to respond to. With one person usually posted at the entrance at any one time it’s simply impossible to have eyes everywhere, which is where automated video surveillance comes in. COVID-specific technologies, such as mask detection and occupancy management systems, are now the golden bullet to retail safety and security.Mask detection and occupancy management surveillance tools can automatically alert a shopper Mask detection and occupancy management surveillance tools can automatically alert a shopper whether or not they are allowed to enter the store on their approach to the door. The system surveys the person and a screen will automatically display different instructions depending on the situation: whether they must put a mask on before they enter, wait until capacity is low enough to enable social distancing or, if the previous criteria are fulfilled, that they are free to enter. COVID-secure safety This stand-off technology minimises the need for contact between security personnel and shoppers, allowing security guards to complete their usual duties, safe in the knowledge that the store is being managed in a COVID-secure way. With a hands-off approach enabled by surveillance technology, the potential for tense confrontation is greatly diminished as customers will usually comply to the reminder shown to them and put on a mask or wait without further prompting from staff. With security personnel able to better focus their attention on the stubborn rule-breakers,It is crucial that retailers choose a solution embedded in real-time connectivity this responsibility will no longer land with staff on the shop floor who are often ill-equipped to deal with this situation. It is crucial that retailers choose a solution embedded in real-time connectivity that will allow all store entrances to be screened simultaneously. Nobody can be in multiple places at once, but this connectivity allows alerts to be streamed instantly to any connected device that can be monitored by just one employee, meaning they can review the alerts that require their attention without needing to be physically present or re-tasked away from their day-to-day duties. Instant reassurance with body worn tech As a customer-facing role, there can be no guarantee that shop workers will never experience a potentially violent confrontation with a customer, which is where the presence of live streaming body worn cameras can help. While they may not always be trained to de-escalate a risky situation, being able to discreetly call for assistance can provide the reassurance employees need to feel safe and supported at all times. If an employee asks a customer to put a mask on while they’re in the store or step back from another shopper and the situation turns abusive – verbally or physically – a live streaming-enabled body worn camera can be triggered to stream a live audio and video feed back to a central control room manned by trained security personnel.A live streaming-enabled body worn camera can be triggered This real-time footage gives security staff exceptional situational awareness, allowing them to fully assess the situation and decide on the best course of action to support the employee in distress, whether that is going to the scene to diffuse the situation or contacting the police in more serious circumstances. Bolstering front line security This goes one step further than record-only body worn cameras, the capabilities of which these next generation devices match and exceed. Record-only cameras are well-suited to provide after-the-fact evidence if a customer interaction turns sour, but they do little to provide reassurance to out of depth employees in the moment. The duty of care grocery retailers must provide to their employees has never been more important, with staff taking on new mask and social distancing enforcement responsibilities and managing interactions with frustrated customers. Bolstering front line security and giving staff extra reassurances with the introduction of real-time video surveillance technology is a crucial step for retailers striving to keep employees and shoppers safe during these challenging times.