Section 2.1 investigates smart card technology in general. This section studies the common functionalities of a smart card. It provides in-depth knowledge of smart card functionalities and helps this research identify the functionalities that can be used for the smart card implementation at Goon Institute, Kuala Lumpur.
According to Cobb (2004), smart card applications have been used in many industries, including health, banking, entertainment and transportation. According to a report produced by the National ICT Security and Emergency Response Centre (NISER) in 2002, the worldwide smart card market is expected to grow to $7 billion by 2006 due to the expanding capabilities of smart card functions. Based on this research investigation, below are examples of smart card functions commonly used in industry.
a) Identification
A smart card can be used as an identity card to authenticate the identity of a person. The employee badge is commonly used by most organizations for personal identification, as the smart card chip holds the basic information of a user, including name, age, date of birth, height and blood group. The smart card also carries a digitised photo to verify that the legitimate user is using the card. Smart cards that hold basic information about the user are normally used in manufacturing industries to authenticate physical entry of the user into a building (Casset and Lanet, 2002).
Besides embedding the user’s basic information, a smart card can also be used in applications that require higher identification security. This is done by embedding the cardholder’s digital certificate and private key into the smart card chip. The chip can provide more secure identification, as the digital certificate acts as an online passport that verifies the identity of the cardholder and authenticates whether the user is authorized to use an application. Moreover, the smart card also holds the cardholder’s private key, which is used to digitally sign electronic documents or transactions. This allows an application to ensure that a document has been validated and approved by an authorized user (Pleunis and Stala, 2004).
b) Physical Access Control
The smart card can be used as a part of an automated system that controls the individual's ability to access a physical location such as a building, parking lot, office, or other designated physical space. By implementing physical access control through a smart card, an organization can achieve the following (Josang, 1995):
Control and assign access privileges
An organization can control the access privileges of a person through a single smart card. For example, a firm in the finance industry can control the physical access of a person through his or her smart card. Typically, the managers will be authorized to use the car park and to have physical access to all departments, including marketing, human resource, sales and store. On the other hand, the executives’ physical access may be restricted so that they may enter only the building and certain departments according to their jobs and roles in the firm. The different levels of physical access can be controlled by writing the staff’s access privileges into their smart cards. Hence, the organization will be able to control staff access privileges based on their authorization.
Track/audit accesses
Smart card physical access can be monitored, as each transaction from a smart card is recorded in a system log. This makes it easier for an organization to audit the log file and identify the individuals who stepped in and out of a building when a fraud has taken place in the organization.
Generate access reports
Based on the log file that tracks a person’s access, an organization can generate reports for tracking or documentation purposes. In most cases, the organization will use the smart card to monitor whether staff clock in and out of the office.
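The three capabilities above (privileges per card, a log of every transaction, and reports drawn from that log) can be shown together in one small reader back end. This is an added example, not part of the original text: the card IDs, holders, zones and timestamps are constructed, and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample following the finance-firm scenario in the text:
# managers may enter every zone, executives only those tied to their role.
CARD_PRIVILEGES = {
    "CARD-001": {"holder": "manager_a",
                 "zones": {"car_park", "building", "marketing",
                           "human_resource", "sales", "store"}},
    "CARD-002": {"holder": "executive_b", "zones": {"building", "sales"}},
}
audit_log = []  # every reader transaction is appended, granted or not


def swipe(card_id, zone, direction, when):
    """Decide access from the card's privileges and log the transaction."""
    card = CARD_PRIVILEGES.get(card_id)
    granted = card is not None and zone in card["zones"]
    audit_log.append({"time": when, "card": card_id,
                      "holder": card["holder"] if card else None,
                      "zone": zone, "direction": direction, "granted": granted})
    return granted


def present_during(zone, start, end):
    """Holders whose stay in `zone` overlaps [start, end], from granted events."""
    inside, seen = {}, set()
    for e in sorted(audit_log, key=lambda e: e["time"]):
        if e["zone"] != zone or not e["granted"]:
            continue
        if e["direction"] == "in":
            inside[e["holder"]] = e["time"]
        elif e["holder"] in inside:
            entered = inside.pop(e["holder"])
            if entered <= end and e["time"] >= start:
                seen.add(e["holder"])
    # No exit logged: still counts if entry happened before the window closed.
    seen.update(h for h, t in inside.items() if t <= end)
    return sorted(seen)


def denied_attempts():
    """Refused swipes, usually the first thing an auditor reviews."""
    return [(e["time"], e["card"], e["zone"]) for e in audit_log if not e["granted"]]


def demo_access_audit():
    """Replay constructed swipes and answer: who was in the store 09:30-10:30?"""
    audit_log.clear()

    def t(hour, minute):
        return datetime(2005, 3, 1, hour, minute)  # constructed date

    swipe("CARD-001", "store", "in", t(9, 0))
    swipe("CARD-002", "store", "in", t(9, 5))      # executive lacks "store"
    swipe("CARD-002", "sales", "in", t(9, 10))
    swipe("CARD-001", "store", "out", t(9, 40))
    swipe("CARD-999", "building", "in", t(10, 0))  # unknown card
    return present_during("store", t(9, 30), t(10, 30)), denied_attempts()
```

Logging refused swipes as well as granted ones is what makes the log useful for the fraud investigation the text describes.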
c) Logical Access Control
The smart card can be used as part of an automated system that controls an individual's ability to access one or more computer system resources such as a workstation, network, application or database. Computer system security generally encompasses three functions (Whinston and Choi 2004):
Data Security
Data security schemes utilize mechanisms, such as data encryption, to protect information.
Authentication
Authentication techniques are used to prove the identity of an individual and provide access.
Access Control
Access control techniques are used to manage and control an individual’s privileges to access workstations, databases, host systems, and other networks.
The tremendous expansion of interest in Internet access has generated increased concern over the security of data transmission and user authentication. This has introduced two-factor authentication, which uses the username and password together with smart card access with a PIN, and which has been a wide focus for remote access applications such as home banking, wireless systems and satellite-based systems.
Hence, smart cards are now widely used in many industries to provide a secure and portable authentication token for secure logical access (Yazid, 2003).
d) Biometrics
According to an RSA Security Inc. report, three-factor authentication, which uses biometrics, is the strongest form of authentication practiced in the market (Willough, 2001). Biometrics involves the measurement of a unique biological feature to verify a claimed identity based on a physiological or behavioural characteristic. Physiological characteristics measure a physical feature such as a fingerprint or face. Behavioural characteristics measure a reaction or response such as a signature or voice pattern. The biometrics available with smart cards include (Burr, 2004):
Fingerprint Scan
The fingerprint is one of the most widely used biometrics among governments in most countries. For example, the US Department of Defense currently uses fingerprint biometrics to authorize an individual to access confidential information. In addition, the Employment Provision Fund (EPF) in Malaysia uses the fingerprint embedded in a person’s identity card when that person requests their EPF statement.
Fundamentally, the use of a fingerprint requires that the user place one or more fingers on a platen on the fingerprint scanner. The scanner captures the fingerprints and converts them to templates that are used for verification against the fingerprint stored in the chip of a smart card.
Hand Geometry
Hand geometry is not a common biometric in organizations. Currently, it is used by the US Department of Energy. A hand geometry system uses optical systems to map key geometrical features of the topography of a hand to verify an individual’s identity. Hand geometry technology uses a number of different measurements to create the template, and the readings may include finger length, skin translucency, hand thickness, and palm shape.
Facial Recognition
Facial recognition is commonly used by several motor vehicle departments in the US to provide identity authentication in the issuing of drivers’ licenses. Facial recognition is based upon comparison of the characteristics of a live scan of a face against a stored template of facial characteristics in the smart card.
Biometrics is typically used in two approaches (Basu and Muylle 2003):
i) A one-to-many identification search
A one-to-many identification is performed by searching a database for a match to a fingerprint, iris scan, etc. The search may include the entire biometric database, or it may be set to designated parameters, such as, “search all female fingerprints.”
ii) A one-to-one verification match
A one-to-one verification is performed by matching the biometric against a specified biometric template. The template can be stored in a database and/or on a smart card. If stored on a smart card, it becomes a form of portable identity verification.
A one-to-many search against the database ensures that one and only one card is issued to an individual. When an iris or facial pattern stored on the card is matched using a one-to-one verification against the unique biometric identifiers held by the person, the system is assured that the correct person has correct access.
Generally, a smart card uses one-to-one verification. To use the smart card in this way, there must be a secure means to bind the biometric to the smart card and to ensure that the biometric is properly attributed to the correct individual. One approach advocates placement of authentication information, including the biometric template, in an attribute certificate that is placed on the smart card when the user is enrolled in the system and issued the card. The attribute certificate functions similarly to a digital certificate (and, in fact, can be a component of the digital certificate). In this approach, the identity of the cardholder is verified by an independent entity (typically a Registration Authority) that performs identity proofing and takes a live scan of the person’s biometric. The live scan is translated into a biometric template, which is placed in an attribute certificate when an Attribute Authority issues it.
The Attribute Authority performs the same certificate issuance and verification functions for an attribute certificate that a Certification Authority performs for a digital certificate (and, in fact, a single Certification Authority could perform the same functions for both an attribute and a digital certificate).
The attribute certificate can be retrieved from the smart card by any system component or application to authenticate the user’s identity. The system component or application first verifies the signature of the certificate, and then the authentication information via the means specified in the certificate (depending on the type of biometric template contained in the certificate). While this approach to binding the biometric to the smart card is highly secure, it is also costly to put in place the infrastructure needed to verify the authenticity of the attribute certificate. Therefore, agencies with lower levels of risk may choose to implement biometrics without the use of an attribute certificate.
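The verification order described above (certificate signature first, then the biometric match named in the certificate) is shown below as an added example that is not part of the original text. HMAC-SHA256 stands in for the Attribute Authority's public-key signature so the code runs with the Python standard library only; the key, holder ID, feature vectors, threshold and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import math

# Assumption: HMAC-SHA256 replaces the Attribute Authority's signature here.
# A real deployment uses a public-key signature, so that verifying systems
# never hold the key that can issue certificates.
AA_KEY = b"constructed-demo-key"
MATCHERS = {"euclidean": math.dist}  # hypothetical registry of match methods


def _body_bytes(body):
    # Canonical serialisation so issuer and verifier sign the same bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_attribute_certificate(holder, template, threshold):
    """Enrolment: bind holder and biometric template under one signature."""
    body = {"holder": holder, "template": template,
            "match_method": "euclidean", "threshold": threshold}
    sig = hmac.new(AA_KEY, _body_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def verify_cardholder(cert, live_template):
    """One-to-one verification: signature first, then the specified match."""
    expected = hmac.new(AA_KEY, _body_bytes(cert["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        return "rejected: certificate signature invalid"
    body = cert["body"]
    matcher = MATCHERS.get(body["match_method"])
    if matcher is None or len(live_template) != len(body["template"]):
        return "rejected: unsupported template"
    if matcher(live_template, body["template"]) > body["threshold"]:
        return "rejected: biometric mismatch"
    return "accepted: " + body["holder"]


def demo_attribute_certificate():
    # Constructed feature vectors; real templates are vendor-specific.
    enrolled = [0.12, 0.80, 0.33, 0.57]
    cert = issue_attribute_certificate("student-0001", enrolled, threshold=0.10)
    same_person = [0.13, 0.79, 0.35, 0.55]   # live scan with small sensor noise
    other_person = [0.70, 0.20, 0.90, 0.10]
    # Card whose stored template was replaced after issuance: the signature
    # no longer covers the body, so the match step is never reached.
    altered = {"body": dict(cert["body"], template=other_person),
               "signature": cert["signature"]}
    return (verify_cardholder(cert, same_person),
            verify_cardholder(cert, other_person),
            verify_cardholder(altered, other_person))
```

Without the signature check, the third case would be accepted, which is why a template stored on the card with no certificate gives a weaker binding.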
The issues concerning the security of physical locations, computer access, and access to large dollar funds have great complexity. Smart card technology, in combination with biometrics, offers some of the greatest levels of security available. Those agencies with higher-level security needs should consider the use of biometrics.
Based on the above smart card functionalities, identification, physical access control and logical access control are the three functionalities most suitable for implementation at Goon Institute, Kuala Lumpur. Identification and physical access control can be used for student attendance and library usage, as the functions are able to store attendance and library usage (borrowing and returning books) data in a database and to generate reports for monitoring purposes. On the other hand, logical access control is useful for lab usage, as the lab administrator is able to control the usage of the Internet and printing facilities. This research will not recommend biometrics at this stage, as it may be too expensive for Goon Institute to implement and maintain a biometrics technology at their institute. Besides, the CEO of Goon Institute, Kuala Lumpur, Mr Thomas Mathew, has mentioned that he prefers to deploy a smart card application rather than biometrics due to the medium set-up of the Institution and the high cost involved in biometrics implementation. Hence, identification, physical access control and logical access control are the most suitable functionalities to be implemented in Goon Institute, Kuala Lumpur.
2.3) Common Smart Card Application at Institutions of Higher Learning
Section 2.2 investigates the common functionalities of a smart card that can be used in all industries. This section studies the common smart card applications in use at Institutions of Higher Learning. The knowledge gained from this section will help to identify the applications that can be implemented in Goon Institute and will assist this research in developing the smart card conceptual framework for Goon Institute, Kuala Lumpur. The research on smart card implementation covers some renowned universities, including University Utara Malaysia, Multimedia University, Florida State University and University of Nottingham.
2.3.1) University Utara Malaysia (UUM)
The University Utara Malaysia (UUM) smart card application, better known as the University Multipurpose Card (UMPC), is a multipurpose card intended for the entire community of UUM, including the students, lecturers and staff.
The smart card at UUM has two vital roles:
a) Multipurpose Card to be used for University Applications
The multipurpose card is used by the students and UUM staff as a form of identification and for UUM applications. The functions of the multipurpose card used at the university are listed below:
i) Identification Card
The smart card acts as a matrix card for students and an ID card for staff, and stores the owner’s personal, academic and medical information. The identification card is also used for door access to enter the campus, library and lab rooms.
ii) Library System
The smart card interacts with the library system for borrowing books and paying fines, and to keep an audit log of books that have been borrowed.
iii) Staff attendance System
Staff are required to insert their smart card when they come to work and when they attend classes. The system captures the time the smart card is inserted and generates reports for tracking and monitoring staff attendance.
iv) Medical System
The smart card acts as an interface with the medical system. Students and staff need to swipe their smart card when they visit the campus clinic.
b) Multipurpose Card to be used for Banking
The multipurpose smart card can also be used for conducting banking transactions. The functions used for banking purposes are listed below:
i) ATM
The multipurpose card can be used to conduct transactions at bank ATMs, including cash withdrawal, fund transfer, internet bank registration, SMS banking registration and utility bill payment.
ii) e-Debit
UUM staff and students are able to conduct electronic funds transfer at point of sale, whereby they can pay for their purchases using their UMPC and Personal Identification Number (PIN). The amount is deducted directly from their savings account when staff or students make a purchase with their smart card using the e-debit service.
iii) MEPS Cash
MEPS Cash is an e-Purse application in the UMPC. The cardholder can load a monetary amount onto the smart card from an ATM and use it for small purchases.
2.3.2) Multimedia University, Malaysia (MMU)
The Multimedia University (MMU), Malaysia smart card holds different types of information in electronic form with a sophisticated security mechanism. It has three technologies embedded in a single card: the contact chip, the contactless chip and the magnetic strip. The smart card has two main functions:
a) Financial Applications
The financial applications in the smart card include the following:
i) Electronic Purse
The smart card is able to store a certain amount of monetary value, with which staff and students can purchase goods and services using the smart card.
ii) ATM Card
The smart card also acts as an ATM card, whereby the owner is able to use the banking services available at a bank ATM. This includes withdrawal of money, fund transfer, bill payment and so forth.
iii) Touch N Go
The MMU smart card can also be used at Touch N Go. Similar to MYKAD, the MMU smart card is able to store monetary value, and the contactless chip enables it to be used at any Touch N Go service, including highways, LRT stations and bus terminals.
iv) Debit Card
The MMU smart card also interfaces with the savings accounts of MMU staff and students. This enables staff and students to use their smart card for small purchases, with the money deducted directly from the savings account.
b) Non-Financial Applications
As for non-financial applications, the MMU smart card has the following functions:
i) Access Control System
The access control system is an authorization system that integrates with MMU’s existing door access system to allow authorized persons to enter certain premises. MMU staff and students need to use their smart card to enter any of the premises (i.e. classroom, lab, library, etc.) within the MMU campus, which allows the campus to control and monitor the access of staff and students to the MMU premises.
ii) Time Attendance System
The time attendance system is an attendance system used by MMU staff and students. Staff and students need to swipe their smart card in and out when they enter or leave a class or lab. This enables the MMU management to keep track of staff and student attendance at their classes.
iii) Parking Management System
The parking management system controls the cars entering a parking lot. MMU staff and students need to swipe their smart card to enter the car park. When the card is swiped, the parking management system checks that the staff member or student is authorized to enter the car park and does not allow invalid users to enter.
iv) Booking Facilities
The smart card is also used by staff or students to book a meeting room or books at the library. A staff member or student must insert their card in the library or meeting room, and the booking system will automatically book the requested book or room by extracting the username from the smart card and registering the time and date of booking.
In addition to the above non-financial systems, the MMU smart card has functions similar to UUM’s: it can be used as an identification system, at the library for borrowing and returning books, and finally for the medical system.
2.3.3) Florida State University, USA
The Florida State University smart card is called FSUCard. Fundamentally, the smart card system functions the same as those of UUM and MMU for financial and non-financial systems. The FSUCard is used as a form of identification, at the library for borrowing books, to keep track of the attendance of lecturers and students, and for ATM withdrawal, e-Debit and e-Purse. However, in addition to the standard smart card applications, the FSUCard has the following functions:
a) Transfer Financial Aid
The FSUCard makes financial aid easily available to students by allowing their scholarships, grants, and student loans to be electronically transferred to their FSUCard Account. This can be done when students apply for the FSUCard Account services on first enrolling in the university and give the scholarship provider the account number so that funds can be banked directly into the FSUCard account. The account has a Disbursement Authorization Statement for the students to keep track of the money in the account.