June 2015 Monthly Member Bulletin
Executive Director’s Corner – Eliminating Cyber Threats
Dear Members of the Smart Card Alliance,
Having just returned from another great Smart Card Alliance Government Conference last week, my personal takeaways from listening to many of the 90 speakers who made up this intensive three-day government identity and access security event are:
- Two-factor authentication based on almost any form factor (smart card, mobile device, or knowledge-based) is very difficult to get senior management buy-in to implement
- We’re advancing towards unsustainable levels of cybersecurity threats, with cyber threat mitigation complex and post-breach remediation much more expensive after a breach occurs
Continuing to rely on single-factor (something you know) password-based security is like ignoring the red warning light on your car because you don’t have the time or money to fix the problem now. Then you’ll have a major breakdown on the highway, which results in having to get the car towed, paying for a more expensive repair, and losing a day’s wages because you couldn’t get to work the next day. It just doesn’t add up in the end.
The really frustrating thing in the case of our federal government systems is that everyone has a PIV card – a two-factor authentication credential. That is more than half the battle. Instead of using the PIV card as a necklace, federal employees could actually be practicing safe Internet hygiene and preventing serious damage from breaches. Using the PIV card for two-factor authentication allows them to log into their work computers with the card and a personal identification code associated with the secure chip in the card, rather than remembering a long, complex, constantly expiring string of letters, numbers, and symbols every time they log in to their work computer to perform their job.
In the wake of the data breach involving the Office of Personnel Management (OPM), where 4.1 million federal employee records were stolen, one of the hot topics at the conference was re-energizing the federal government’s efforts to start using PIV credentials to secure information access and system privileges. According to the FY2014 Federal Info Security Act Annual Report to Congress (2014 FISMA Report), the OPM reported that 1 percent of its employees were using PIV-based strong authentication to log on to its computers. This is certainly not the first and won’t be the last federal system breach, yet the post-breach reaction is the same in each instance. In federal post-breach event action, “the number one mitigation is implementation of PIV. Every time,” said Trevor Rudolph, chief of the eGov Cyber Unit for the Executive Office of the President (EOP) and the Office of Management and Budget. In further comments on how the entire civilian government is responding to increasing cyberthreats, Rudolph added that the biggest barrier they are working to overcome at non-complying agencies is cultural—the unwillingness of users and their leadership to use two-factor authentication.
Here is the Office of Management and Budget, the agency that controls the budgeting for the entire federal government, saying that “culture,” not money, is the reason that more agencies are not investing in two-factor authentication. I am sure that money remains a factor, but it is a convenient excuse for a lack of will to change.
So let’s imagine if available money actually could persuade agencies to act. I know where the government could come up with about $60 billion per year to pay for two-factor authentication – Medicare. The Centers for Medicare and Medicaid Services (CMS), the huge federal agency which oversees Medicare and Medicaid, has a well-documented fraud problem of an estimated $60 billion annually. In a recent GAO report directed at CMS to consider using secure machine-readable identity credentials to reduce the gaping fraud hole in the Medicare billing system, CMS said issuing more secure credentials would be problematic, because they would have to make changes to claims processing. In effect, our federal tax dollars are going to pay criminals to steal money out of the Medicare system, and we are also paying for the 4 million PIV cards that every federal employee could be using for strong authentication. This federal agency could fix its own problem, and the savings could fund the cost of expanding the use of two-factor authentication using the PIV cards for the entire federal enterprise cybersecurity. But CMS is not willing to make this necessary change, because to do so would require changing some of their processes.
I believe that someday this fiscally conservative Congress will see the waste, fraud, and abuse that exists in one government entitlement program and understand that some of that $60 billion they could be saving each year could be applied to fixing the broader civilian government agency cybersecurity problem. The government has the issuance of PIV credentials, but additional funding is needed for implementing the use of these credentials as two-factor security tokens to better secure systems against the present and future data breaches that are sure to come. We don’t have to wait for a solution to this latter problem – it is already hanging around the necks of every person in government. The time is now to put the PIV card to work. It starts with altering the culture of CMS and these civilian agencies so that they stop resisting positive change and get to work.
Executive Director, Smart Card Alliance
In The Spotlight
A 2014 Smart Card Alliance Company of Excellence (COE) recipient, UL is the global leader in safeguarding security, compliance and global interoperability. Dedicated to promoting safe living and working environments, UL helps safeguard people, products and places in important ways, facilitating trade and providing peace of mind. For more than a century, UL has been one of the most recognized and trusted resources for advancing safety. Its Transaction Security division guides companies within the mobile, payments and transit domains through the complex world of electronic transactions. It offers advice, test and certification services, security evaluations and test tools during the full life cycle of the product development process or the implementation of new technologies. UL’s people proactively collaborate with industry players to define robust standards and policies. UL has accreditations from industry bodies including Visa, MasterCard, Discover, JCB, American Express, EMVCo, UnionPay International, PCI, GCF, GlobalPlatform, NFC Forum and many others.
What role does smart card technology play in your business?
UL has been involved with smart card technology since the early ‘90s. We have seen the industry develop and have helped smart card manufacturers with their security requirements since the beginning. UL’s history and future are strongly tied to developments in the smart card domain. Smart card technology has changed considerably over the years. This has also helped UL evolve and change service offerings to answer the ever-changing market demands.
What trends do you see developing in your market?
With new innovations and technologies boosting the dynamic (mobile) payments landscape, the industry is changing at a rapid pace. Google’s introduction of HCE, Apple’s introduction of Apple Pay, Samsung’s introduction of Samsung Pay and others have garnered quite a bit of attention in the NFC and mobile payment industry. It has also raised questions with the traditional players in the smart card domain. While the trends are market-changing, we foresee that traditional players and new players can complement each other, partnering together to offer a new way of storing credentials securely. Furthermore, we see the adoption of EMV happening now in the US, which is a huge step forward in the smart card industry.
What things must you overcome to leverage those trends?
While new players in the field can be daunting, we foresee that both traditional players and new players in the domain can complement each other. Security will always be a top priority and by encouraging partnerships, stakeholders can leverage each other’s knowledge.
Visit UL at http://ul.com/
Webinar This Week on Host Card Emulation
“Host Card Emulation: An Emerging Architecture for NFC Applications,” a webinar sponsored by the Smart Card Alliance’s Mobile and NFC Council, will take place on Thursday, June 18, 2015 at 1pm ET (10 am PT). To register, visit https://attendee.gotowebinar.com/register/15280279415829250. The one-hour webinar will discuss HCE at a non-technical management level, and will include an overview of HCE, security implementation considerations, examples of HCE use cases and implementation challenges. This webinar is an ideal educational resource for issuers, mobile wallet providers, merchants, transit agencies, and any other stakeholders implementing, or considering implementing, an HCE application. For more resources on HCE, download the recent “HCE 101” white paper at http://www.securetechalliance.org/publications-host-card-emulation-101/.
Welcome New Member
Councils have been active in developing and delivering workshops and webinars and have nine white paper projects in process. The Access Control, Identity and Health and Human Services Councils also held well-attended in-person meetings at the 2015 Government Conference.
- The Access Control Council and Identity Council collaborated to produce the 2015 Government Conference pre-conference workshop, “Best Practices and Technology Trends for Strong Multifactor Authentication and Managing Identities of People and Internet Devices.”
- The Health and Human Services Council has two active projects: a white paper to respond to the GAO report, Medicare: Potential Uses of Electronically Readable Cards for Beneficiaries and Providers, and a white paper on EMV and the healthcare industry. The Council is also actively submitting speaking proposals for key healthcare industry conferences.
- The Identity Council is working on a white paper on the FIDO protocol and smart card technology.
- The Mobile and NFC Council is hosting a webinar, Host Card Emulation, on Tuesday, June 18, at 1pm ET/10am PT. The webinar will provide an overview of HCE and discuss security implementation considerations, examples of HCE use cases, and implementation challenges. The Council is also working on two new projects: a white paper on EMV and NFC (in collaboration with the Payments Council), and a white paper on “NFC beyond payments.”
- The Payments Council is working on two new projects: a white paper on EMV and NFC (in collaboration with the Mobile and NFC Council), and a white paper on tokenization.
- The Transportation Council held a successful two-day members-only Council meeting, June 9-10, 2015, at the Walter E. Washington Convention Center in Washington, DC, with over 100 members and transit industry guests participating. The Council is also working on three white papers: EMV and parking; EMV and transit; and a reference enterprise architecture for a transit open payments system.
Council participation is open to all Smart Card Alliance members; to participate, or for more information, contact Cathy Medich or Mike Strock.
New EMV Resources
The EMV Migration Forum completed four new educational resources for the payments industry in the second quarter. All EMV Migration Forum resources are available on the EMV Connection web site.
The new white paper, Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud, was published, providing an educational resource on the existing best practices for authentication methods and fraud tools to secure the CNP channel.
The EMV Migration Forum collaborated with the Payments Security Task Force to develop and publish educational chip webcasts for U.S. value added resellers, independent software vendors and merchants.
An updated U.S. Debit EMV Technical Proposal white paper was published, incorporating a new addendum on U.S. Common Debit Contactless Acceptance. The addendum provides an example to help financial institutions successfully achieve contactless multi-network transaction processing while preserving global interoperability using a U.S. Common Debit compliant EMV application configuration.
The white paper, Understanding the 2015 U.S. Fraud Liability Shifts, was published. This resource provides information that was collected from Accel, American Express, China UnionPay, Discover, MasterCard, NYCE Payments Network, SHAZAM Network, STAR Network and Visa on the counterfeit and lost or stolen liability shifts to assist merchants, acquirers, processors and others implementing EMV chip technology in the U.S. with their migration.
The EMV Migration Forum also collaborated with the Payments Security Task Force to develop and launch the new GoChipCard.com web site. GoChipCard.com was designed for consumers, merchants and issuers to provide easy-to-use and simple resources, and consistent messages about chip cards and their use.
Upcoming CSEIP Training
The next training session for the CSEIP course will be held in Gaithersburg, MD (outside of Washington, DC), June 30 – July 2. This GSA-approved training program will provide certification required for E-PACS engineers employed by commercial organizations looking to bid on GSA procurement agreements for access control systems. The class fills up quickly, so register now if you’re planning on taking the class; the website lists other dates and locations of the training.
Save the Date – 2015 Member Meeting
The Smart Card Alliance Member Meeting, an exclusive conference for members only, will be held Oct. 4-6 at the Arizona Grand Resort in Phoenix. Registration will open soon so mark your calendars now. Training classes for CSCIP, CSCIP/G and CSCIP/P will be held on Oct. 4, with exams scheduled for Oct. 5. Plan ahead and register now for the training or exam.
Register for NFC Solutions Summit
The NFC Solutions Summit, presented by the Smart Card Alliance and NFC Forum, will be held Oct. 7-8 at the Arizona Grand Resort in Phoenix. Do not miss this high-level meeting featuring speakers and presentations ranging from carriers, application developers and technology providers to end users.