Eliminate the word “portals” from mobile access control discussions, writes Scott Lindley, General Manager of Farpointe Data, the US-based manufacturer of private label OEM RFID cards, readers and mobile apps for electronic access control companies.
For the past several years, integrators and customers have focused on ensuring that their card-based access control systems are secure. To give businesses an extra incentive to address their cybersecurity threats, the United States Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don’t. For instance, the FTC filed a lawsuit against D-Link and its US subsidiary, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.
Likewise, in Canada, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take active steps to reduce risks, or the impact of such risks when they materialise, can have serious legal and financial consequences for an organisation.
In Europe, the “Network and Information Security Directive” (NISC) is the main strategy taken to harmonise continent-wide provisions on cybersecurity, and the European Union Agency for Network and Information Security (ENISA) is its centre of expertise. The main goal is to set high standards of cybersecurity to be respected by each European Union (EU) member state.

Now, just as leading international companies are learning how to protect card-based access control systems within these relatively new standards, along come mobile access credentials and their readers, which use smart phones instead of cards as the vehicle for carrying identification information. Many companies still incorrectly perceive that they are safer with a card; when done properly, the mobile credential can be a far more secure option with many more features to be leveraged. Smart phones deliver biometric capture and comparison as well as an array of communication capabilities, from cellular and Wi-Fi to Bluetooth LE and NFC. Nonetheless, there is a major caveat emptor when switching over to mobile access control.
A special word of caution needs to be emphasised when changing over to mobile systems. Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals have become rich, easily accessed caches of sensitive end-user data. These older mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, with each registration requiring the disclosure of sensitive personal information.
The book-keeping alone can be confusing. Who signs you up? The integrator? The end-user? Both? Who is in charge of security? The portal provider? The integrator? Does the end-user have responsibilities? Oftentimes, these portals include hidden fees. What are these? One-time or annual fees? Are the rates fixed through the life of the system? And who’s responsible for paying? It can become a frustrating nightmare for both integrator and end-user, and another reason to simply avoid these types of systems.
Newer solutions provide an easier way to distribute credentials, with features that allow the user to register their handset only once and need no other portal accounts, activation features or hidden fees. Users don’t need to fill out several different forms. Today, all that should be needed to activate newer systems is the phone number of the smart phone.
Smart phone credentials are best sold in the same manner as traditional 125-kHz proximity or 13.56-MHz smart cards – from the existing OEM to the integrator to the end users. In this distribution mode, integrators will find smart phone credentials more convenient, less expensive and more secure. They can be delivered in person or electronically. They are quicker to bill, with nothing to inventory or to be stolen. End-users will find that, in most cases, soft credentials can be integrated into their existing access control system. Distribution can also be via independent access control software.
When mobile credentials are sold from OEM to integrator to end user, there is no need to set up multiple accounts, and no sensitive personal information is left available for hacking. By removing these and other intrusive information disclosures, vendors have also eliminated the privacy concerns that have been slowing down adoption of this technology. They are also protecting themselves from the wrath of governmental standards organisations.