Businesses have always been able to deduct business-related equipment placed in service, but security systems did not qualify; now they do. Beginning in 2018, the Tax Cuts and Jobs Act allows qualifying businesses to deduct the full cost of new “Security and Fire Protection Systems,” up to $1 million. Prior to passage of the Act, companies had to depreciate the system cost over a period of up to 39 years. The legislation was passed to encourage businesses that are considering capital investments in this critical area and to promote industry investment.
The Security Industry Association (SIA) worked with industry groups to expand deductions under Section 179 of the IRS tax code which empowers businesses to deduct the full purchase price of qualifying equipment and/or software purchased or financed during the tax year. The revised tax code permanently expands eligibility for deductions to fire protection, alarm, and security systems along with other equipment placed in service in 2018 and beyond.
Talk to your accounting partner to understand the impact this could have on your business.
Access control solutions for any commercial, retail, public or business environment. A variety of access control readers, doors, gates and devices allow us to deliver the right equipment, products and technology for every installation. Our access control management solutions allow you to control, track and manage access to any facility for improved employee and visitor management. We add value to your operations with managed access control and handle all phases of access control system layout and configuration, installation, maintenance, inspections and testing with our local service and support.
The benefits of Access Control
The best access control systems in the business:
•Prevent unauthorized visitor access
•Restrict employee access to sensitive areas
•Easily manage access credentials
•Accommodate trusted vendors and suppliers
•Generate traffic reports by time-of-day, day-of-week and more
•Track entry/exit times by employee or department
•Retrieve audit data for review in case of a workplace incident
•Perform centralized lock-down in the event of an emergency security threat
•Administer your access control system remotely, or have our company manage it for you
•Enhance the way you protect your people, assets and facilities
Call for a free estimate: 401-828-2271
This Total Cost of Ownership (TCO) model uses the following assumptions:
•The base system is for a single site with 16 card readers and a requirement for ID badges, wireless locks, and video surveillance.
•The initial capital and installation costs for the IT hardware and software licenses have been included.
•Items common to all systems such as card readers, locks, wiring, cameras and recording devices have not been included.
•We have assumed that the customer purchases the software maintenance that allows them to remain on a supported version of the application and database for the entire five years.
•In the on-premise model, we have assumed a one-time refresh in the computing hardware and operating system.
•We have assumed a data center infrastructure cost of $75 per month for the on-premise solutions. This cost includes rack space for a 1U server along with a 2 Amp power budget and 5 Mbps bandwidth allocation. (See note 2.)
•We have used either the competitors’ hardware/software bundle or a direct quote from a prominent computer hardware provider based on the datasheet specifications to estimate the cost of computing hardware for the on-premise solutions.
•For the on-premise solutions, we have estimated IT management and database administration costs at $800 per year. This includes 16 hours of IT services for general administration, monitoring, patch management, system back-ups and database administration at $50 per hour.
Many additional factors are often included in a complete TCO analysis, but we found that these vary so widely from organization to organization that they could not be included in a meaningful generic model. Thus, we excluded such considerations as:
•Organizational cost of server downtime, including lost productivity and explicit cost of IT and security staff time to remediate failed systems.
•Business risk cost of system unavailability, including lost revenues, liabilities due to service level agreements, and loss of good will.
•The costs for continuous threat monitoring, intrusion prevention, data security audits, and data privacy protections.
Notes:
1. All systems were configured to be “feature equivalent”. For example, any required software options to support video integration, wireless locks and ID badging were included, but not the actual hardware.
2. These figures are derived from actual quotes received from a co-location service in December of 2015. The Gartner IT Key Metrics Data study estimates the total cost of ownership for a physical WINTEL server is $8,260 per year.
Annual Cost Comparison With Redundant On-Premise Solutions
As should be expected, the charts below depict a wide variation in the distribution of costs between the various solutions. The majority of the expenses (54%) for the Brivo cloud solution are associated with the monthly subscriptions. These subscriptions incorporate the software and hardware expenses as well as operational costs for the overall platform. By comparison, 78% of the cost for the on-premise solution is tied up in on-premise and IT infrastructure. The total expenses over five years for the 16 door systems were calculated with the following results:
Chart: Comparison Of Cost Distribution With Non-Redundant On-Premise Solutions
Brivo Onair Total Cost Of Ownership (TCO)
Chart: Comparison Of Cost Distribution With Redundant On-Premise Solutions
The summary clearly shows that the SaaS solution is the most cost efficient option. SaaS solutions, owing mainly to the reduced operational and IT expenses, are generally able to provide a much greater variety of functions than server based solutions, which often charge additional fees for high availability and each piece of added functionality. The cost savings of using a SaaS solution for access control are clear. Extending the cost savings of a SaaS solution even further, the above example does not factor in less visible, yet just as important functionality such as automatic upgrades to applications and system software, active data protection measures and unlimited linear scalability. If this additional functionality were costed out, the SaaS solution takes an even greater leap forward in cost savings over the server-based solutions.
Added Benefits Of The Brivo Onair SaaS Solution
In addition to the direct cost advantage of the SaaS solution, there are a number of additional benefits, which have not been quantified in this study. The chart below provides a quick summary of the additional values inherent in the SaaS solution.
The data represented thus far have primarily addressed the single-site case with 16 doors. Qualitatively, the SaaS solution fares even better in a multi-site application, primarily due to additional cost penalties that the server-based solution must pay during the initial setup, along with higher ongoing IT expenses due to the complexity of managing the security management applications over a far-flung network. The SaaS solution is particularly beneficial in this environment because, as a web application, it is intrinsically multi-site from the inception.
Another major advantage to SaaS solutions over server-based solutions is scalability. Our analysis did not include the often-significant costs to enlarge on-premise solutions in terms of door capacity and administrative clients. Many server-based solutions require fixed client installations for each site, increasing the cost of acquisition and the on-going expense to manage remote client software. As mentioned with the case study example above, initial setup costs along with higher IT expenses during installation prove out the superiority of the SaaS model over server-based options.
Conclusions
As we have shown, our study indicates that using a SaaS solution for a security management platform – specifically electronic access control, ID badging and video – provides major, demonstrable cost savings. In addition to ease of installation and ease of use, the market’s increasing awareness of the cost benefits of the cloud is driving the substantial growth in the installation of such systems.
These findings have several implications for system integrators and end users. The first is that – other things being equal – both groups would be well advised to calculate the relative cost of any proposed physical security solutions before making a decision on what to offer a customer (in the case of integrators), or what to ultimately buy (in the case of end users). The second implication is that the savings provided by SaaS can also be extended to other security services, such as hosted video, intrusion detection, remote monitoring, and many others. This is an important implication for the vast majority of business owners, as most businesses are not large enough to be able to absorb the cost of dedicated server solutions into a larger IT infrastructure. What this means is that such business owners can expect to enjoy enterprise-grade service levels at lower TCO points than at any time in the history of electronic security.
Introduction
To ensure that the ever-changing security requirements of a facility are met, a periodic review of a
site’s access control system and its associated policies is a necessity. In fact, conducting an
annual access control system review is the first step in establishing a systematic process for
assessing the security of your organization; it is the principal best practice that provides the
framework for all the other guidelines.
Once a yearly review process is in place, the fundamental best practices concept is that an effective
security system uses a layered approach to security. A good analogy of this concept would be one
where a home protected by a burglar alarm might use both glass break detectors and motion
sensors to detect when an intruder enters the house.
This white paper contains important guidelines for all of the stakeholders in an access control
installation including the facility owner, the system specifier, the installer, and the end user.
Choosing the Right Reader and Card Technology
Contactless smart cards are fast becoming the technology of choice for access control applications.
Security, convenience, and interoperability are the three major reasons for this growth. Since there
are a wide variety of reader technologies being offered by today’s manufacturers, it is important to
make sure that the correct technology is chosen to match the desired level of security. Using a
good, better, best grading system will help make the correct choice easier.
Recognizing that there are many legacy card technologies still in use and that replacing them with
the latest contactless smart card technology may be expensive or logistically difficult, implementing
the recommendations included in this paper will raise the level of security of an installation and
should be done regardless of the card technology employed.
Relative Security of Commonly Used Card Technologies
Figure 1 illustrates and ranks the relative strength of commonly used card technologies based on
how much publicly available information there is about the technical details of the card technology
and the degree of difficulty required to illegally read or copy from the technology. The higher the
number, the more secure the technology:
Figure 1: Relative Security Levels of Commonly Used Card Technologies (lowest to highest)
Magnetic stripe (magstripe) has the lowest security, with its technical details being well documented
by ISO standards. This technology typically uses little or no security protections. Additionally, off-the-shelf
devices are widely available to encode magstripe cards. Although there are some
techniques that can make magstripe more secure, widespread adoption of these techniques in the
access control industry has not occurred, owing to the convenience, security, and increased memory
available in contactless smart cards.
125 kHz proximity (Prox) card technology and the use of the Card Serial Number (CSN) of a
contactless smart card are better than magnetic stripe but are not as secure as contactless smart
cards used with their built-in security. Devices that can copy and emulate (mimic) Prox cards have been demonstrated.
Similarly, because there is no secure authentication of the CSN and the details of how the CSN
works are published as part of the ISO standards, CSN emulation is also easily accomplished.
(For more details on the dangers of using CSN readers, see Appendix A.)
Contactless smart cards, when properly implemented and deployed, offer the highest level of
security and interoperability. These cards use mutual authentication and employ cryptographic
protection mechanisms with secret keys. They may also employ special construction and electrical
methods to protect against external attacks.
Use Proper Key Management
Key management deals with the secure generation, distribution, storage, and lifecycle management
of cryptographic keys. This important subject deserves an entire white paper by itself, but here are
a few of the essential key management best practices.
Whenever there is a choice, choose a manufacturer that allows you to utilize your own
cryptographic authentication key, different from the keys of its other customers, so that you have a unique key
for your facility or organization. Although it may be easier not to have the responsibility of managing
and safeguarding your own keys, utilizing your own authentication keys will protect your
organization from a key compromise that occurs in someone else’s readers purchased from the
same manufacturer.
Do not choose a manufacturer that stores the same key in all of its credentials: extraction of the key
from a single card compromises all of the cards in use. Use a manufacturer that uses diversified
keys, which means that each card uses a different key that is cryptographically derived from a
master key. Ideally this diversification would use a publicly scrutinized algorithm such as DES or
AES.
If offered a choice, use readers that protect their master key from being easily extracted from the
reader. Prefer reader manufacturers that use a secure element such as a Trusted Platform Module (TPM),
Secure Access Module (SAM), or other equivalent device to store cryptographic keys. Some
manufacturers even go one step further and actually do all of the cryptographic operations inside
the secure element, making it even more difficult to compromise the integrity of the key or data.
Be prepared to act quickly in case a key compromise does occur, and know how to use the
manufacturer’s procedures to roll or change the keys in both the readers and the cards. Some
manufacturers have the capability to move cryptographic data, such as keys as well as reader
firmware upgrades, securely from a secure ‘vault’ on their premises directly into the secure element
inside the reader using end-to-end security among trusted devices.
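The following Go program is an added illustration of the three key-management points above (diversified per-card keys derived from a master key with AES, a master key that never leaves a SAM-like secure element, and a key roll after a suspected compromise). It is not any manufacturer's algorithm: the derivation scheme, the SAM type, the challenge-response step and all key and UID values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SAM models a reader's secure element (TPM/SAM): the master key lives only
// here and is never returned; callers get per-card keys or verdicts.
type SAM struct {
	master  [16]byte // AES-128 master key (constructed sample value in main)
	version byte     // bumped on every key roll so old card keys stop working
}

func NewSAM(master [16]byte) *SAM { return &SAM{master: master, version: 1} }

// DeriveCardKey derives a card-unique key from the master key and the card's
// UID. Illustrative scheme (not any vendor's): AES-128 over a block holding
// the zero-padded UID and the key version. Extracting one card's key yields
// neither the master key nor any other card's key.
func (s *SAM) DeriveCardKey(uid []byte) ([16]byte, error) {
	var key [16]byte
	if len(uid) == 0 || len(uid) > 15 {
		return key, errors.New("uid must be 1..15 bytes")
	}
	block, err := aes.NewCipher(s.master[:])
	if err != nil {
		return key, err
	}
	var in [16]byte
	copy(in[:], uid)
	in[15] = s.version
	block.Encrypt(key[:], in[:])
	return key, nil
}

// Roll replaces the master key after a suspected compromise. Readers and
// cards must be re-keyed together: responses under the old key no longer verify.
func (s *SAM) Roll(newMaster [16]byte) {
	s.master = newMaster
	s.version++
}

// CardResponse simulates the card side of a challenge-response step: the card
// encrypts the reader's random challenge with its diversified key.
func CardResponse(cardKey [16]byte, challenge [16]byte) [16]byte {
	var out [16]byte
	block, _ := aes.NewCipher(cardKey[:]) // 16-byte key: cannot fail
	block.Encrypt(out[:], challenge[:])
	return out
}

// Authenticate is the reader side: re-derive the key for the claimed UID inside
// the SAM and compare in constant time. A clone that only replays the UID
// (which is all a CSN-only reader ever checks) cannot produce a valid response.
func (s *SAM) Authenticate(uid []byte, challenge, response [16]byte) bool {
	key, err := s.DeriveCardKey(uid)
	if err != nil {
		return false
	}
	expect := CardResponse(key, challenge)
	return subtle.ConstantTimeCompare(expect[:], response[:]) == 1
}

func main() {
	var master [16]byte
	copy(master[:], "constructed-key1") // constructed sample, not a real key
	sam := NewSAM(master)
	uidA := []byte{0x04, 0xA1, 0xB2, 0xC3}
	uidB := []byte{0x04, 0xA1, 0xB2, 0xC4}
	kA, _ := sam.DeriveCardKey(uidA)
	kB, _ := sam.DeriveCardKey(uidB)
	fmt.Println("card A key:", hex.EncodeToString(kA[:]))
	fmt.Println("card B key:", hex.EncodeToString(kB[:]))

	var challenge [16]byte
	copy(challenge[:], "0123456789abcdef") // fixed here; use crypto/rand in practice
	resp := CardResponse(kA, challenge)
	fmt.Println("genuine card A accepted:", sam.Authenticate(uidA, challenge, resp))
	fmt.Println("card A response under UID B:", sam.Authenticate(uidB, challenge, resp))

	var newMaster [16]byte
	copy(newMaster[:], "constructed-key2")
	sam.Roll(newMaster)
	fmt.Println("old response after key roll:", sam.Authenticate(uidA, challenge, resp))
}
```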
Protect the Communications
The individual components of an access control system need to communicate with each other.
Typical data includes card read messages, door unlock messages, audit trail data, cardholder
privilege changes, and much more. Consequently, it is critical to protect this information exchange
on the communications media on two levels. The actual communications medium, be it hard-wired
or wireless, as well as the data content must be protected.
When the communication takes place using wires, there are many different methods, interfaces and
protocols to choose from. The most popular and de facto industry standard is the Wiegand
protocol. This protocol became very popular because it is universally supported by almost all reader
and panel manufacturers. More modern communication methods such as RS485 and TCP/IP offer
more security and are therefore more desirable.
If a perpetrator can get access to the wires used for communications between the reader and the
upstream device, it may be possible to intercept messages; this could result in a loss of privacy as
well as the possibility of replaying a previously captured message and unlocking the door. It may
also be possible to simply send an ‘unlock’ message as well. That is why a secure protocol is
important, ideally employing 1) mutual authentication to ensure that each device trusts the other
device, 2) encryption, and 3) message replay protection.
An additional reason to protect the wiring is to prevent a ‘denial of service’ attack in which the wires
are cut or shorted together to interrupt communications. Another vulnerability due to unencumbered
access to the wires can be initiated by the use of command cards used by some manufacturers to
program the operating characteristics of readers. Typically, command cards are only accepted for a
short time after power has been interrupted and then restored to prevent them from being used at
any time. If the power wires to a reader are accessible, then a perpetrator would be able to interrupt
the power to the reader so that command cards could be read in an attempt to put the reader in a
state where cards are no longer read, creating a denial of service attack. An even more destructive
denial of service attack can be launched in which the communication wires are connected to a high
power source in an attempt to destroy the reader and/or the upstream device.
To minimize these risks, installing the security systems wiring in conduit makes it more difficult to
access the wires without being noticed due to the difficulty of identifying the correct conduit, not to
mention the additional time required to compromise the wiring in the conduit. Even if the entire wire
run is not fully enclosed in conduit, just using conduit in the most vulnerable publicly accessible
areas is desirable. Additionally, bundling several wire runs together (ideally in conduit) to make it
more difficult to identify the correct set of wires is also desirable. (Follow the manufacturer’s
recommended installations. Some wiring, such as power wiring, may not be recommended to be in
the same conduit as data communications wires.) It is particularly important to protect the wiring of
outside readers that are located at the entrance to a premises.
Additionally, avoid the use of readers with built-in connectors that make it easier to quickly swap out
a reader and avoid the use of wire-nut connectors to connect the reader wire pigtails to the panel
wiring. Instead, connect the wires in a more secure and permanent fashion, such as soldering with
shrink-wrap tubing to cover the connections.
Use Security Screws
Always utilize security screws that require special tools to remove a reader and other security
components. If the correct tool is not available, then it makes it nearly impossible to remove the
reader without causing damage to the screws. This damage may be noticed, alerting security of a
potential intrusion attempt – especially if policy dictates that readers be physically examined on a
periodic basis. (Physical examination of readers should be included on guard tours.) It also has the
effect of making the removal process more difficult, and slowing down the removal increases the
possibility that the perpetrator will be noticed.
Prevention Using Antipassback
Another best practice that may be feasible is to program the access control host software to refuse
granting access to a cardholder that is already inside the facility, which will prevent a duplicate card
from entering the facility. This mechanism, referred to as antipassback, is available in many access
control systems. Note that this feature requires two readers at the door – an ‘in’ reader and an ‘out’
reader. One additional benefit of using antipassback is that it prevents a user from using their card
with others following through an open door (tailgating).
Use Additional Factors of Authentication
It is generally accepted that multiple factors of authentication consisting of something you have
(e.g., a card), something you know (e.g., a password), and something you are (e.g., a biometric)
increase the probability that the person presenting his card at a reader is the same person that
was initially issued the card. Ideally the use of all three factors is best, but just adding one additional
factor can be effective. A relatively inexpensive, easy-to-use second factor is a password, which
can be achieved with the use of card readers with built-in keypads. Keypad readers are ideal
solutions for environments where additional layers of security are required – such as in a lab or
corporate research environment and the perimeter entrances to a facility.
Readers with a built-in keypad minimize the likelihood that a lost card can be picked up and simply
used to enter a facility. They also minimize the threat of card cloning. Ideally, the password should be
changed periodically, or if a common password is utilized, change it every day to increase the
effectiveness. Note that some systems store the actual password inside the card itself. Although
this is generally effective if the card technology is secure, it is better to have the password stored on
the host.
The use of biometric readers to ensure that the person presenting the card is actually the same
person that was issued the card is appropriate in environments where an even higher level of
security is required. A similar solution is to use hand-held biometric fobs that only emit RFID card
data after a biometric authentication has occurred. These types of devices actually help to increase
privacy and cannot be surreptitiously read without the user’s permission, since the access control
credential cannot be read until the biometric authentication process has taken place.
If the use of multiple factors presents throughput or convenience obstacles, consider only requiring
multiple factors of authentication outside of normal business hours, when the risk of unauthorized
entry is highest, or having them turned on automatically when there is an elevated ‘threat level’.
Mind the Cards
A perpetrator may use surreptitiously obtained cards for nefarious purposes. One way to do this is
to claim that a card was lost when it really wasn’t. Make sure that lost cards are voided immediately.
Another way for a perpetrator to fraudulently obtain cards is through gray market sources such as
eBay or even legitimate card resellers. There are several best practices to prevent this. First, make
sure that only issued cards are valid; don’t have spare cards pre-validated and ready to hand out.
Some access control systems can also generate a different message than just ‘Denied’ when the
presented card carries an ID number in a range that has not been entered in the system. When an illegally
obtained card is used, a message of ‘Card out of range’ instead of simply ‘Denied’ should signal
more urgency to investigate. Similarly, cards using a different data format that are reported as
‘Unrecognized’, as well as cards with the wrong facility code, are also indications that illegally
obtained cards are being presented to the system.
Therefore, any messages reported by the host access control system with wrong formats, wrong
site codes, or out-of-range numbers should be immediately investigated.
Don’t succumb to the argument made by alternate card suppliers that proprietary card formats are
more expensive and are an attempt by manufacturers to keep you from buying cards from open
sources. The use of proprietary formats offered by an OEM or one that is exclusive to a particular
site is a desirable best practice.
Cards with proprietary formats are much more difficult to fraudulently obtain as compared to the
industry-standard open-format 26-bit Wiegand format and proprietary cards typically provide
provisions for non-duplication of card numbers. Some manufacturers’ readers can even be set to
ignore ‘foreign’ cards completely, which will also present an obstacle to using cards obtained on the
open market.
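The next Go program is an added example (not from the paper or any manufacturer) that ties the two passages above together: it encodes and decodes the open 26-bit Wiegand format, including both parity bits, and classifies a presented frame into the host messages discussed earlier (‘Granted’, ‘Denied’, ‘Card out of range’, wrong facility code, ‘Unrecognized’). The Site type, the facility code 42, the card-number range and the sample frames are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Credential is the payload of a standard 26-bit Wiegand frame: an 8-bit
// facility (site) code and a 16-bit card number.
type Credential struct {
	Facility uint8
	Card     uint16
}

// parity returns the number of '1' bits modulo 2.
func parity(bits string) int {
	n := 0
	for _, ch := range bits {
		if ch == '1' {
			n++
		}
	}
	return n % 2
}

// EncodeWiegand26 builds the frame as transmitted: bit 0 is even parity over
// bits 1-12, bits 1-8 facility code, bits 9-24 card number, bit 25 odd parity
// over bits 13-24.
func EncodeWiegand26(c Credential) string {
	body := uint32(c.Facility)<<16 | uint32(c.Card)
	b := make([]byte, 26)
	for i := 0; i < 24; i++ {
		b[1+i] = '0' + byte(body>>uint(23-i)&1)
	}
	b[0] = '0' + byte(parity(string(b[1:13])))   // even: bits 0-12 hold an even count
	b[25] = '1' - byte(parity(string(b[13:25]))) // odd: bits 13-25 hold an odd count
	return string(b)
}

// DecodeWiegand26 checks the length and both parity bits before extracting
// the fields; anything else is reported as an unrecognized format.
func DecodeWiegand26(bits string) (Credential, error) {
	if len(bits) != 26 {
		return Credential{}, fmt.Errorf("expected 26 bits, got %d", len(bits))
	}
	for _, ch := range bits {
		if ch != '0' && ch != '1' {
			return Credential{}, errors.New("non-binary symbol in frame")
		}
	}
	if parity(bits[0:13]) != 0 || parity(bits[13:26]) != 1 {
		return Credential{}, errors.New("parity check failed")
	}
	fac, _ := strconv.ParseUint(bits[1:9], 2, 8) // cannot fail: validated above
	card, _ := strconv.ParseUint(bits[9:25], 2, 16)
	return Credential{Facility: uint8(fac), Card: uint16(card)}, nil
}

// Site is the host's view of one facility: its facility code, the card-number
// range that has been entered, and which numbers are issued and not voided.
type Site struct {
	FacilityCode uint8
	LowestCard   uint16
	HighestCard  uint16
	Active       map[uint16]bool
}

// Classify returns the host message for a frame. "Granted" and "Denied" are
// routine; the other three verdicts mean a card never issued here is being
// tried against the system and should be investigated immediately.
func (s *Site) Classify(bits string) string {
	c, err := DecodeWiegand26(bits)
	switch {
	case err != nil:
		return "Unrecognized"
	case c.Facility != s.FacilityCode:
		return "Wrong facility code"
	case c.Card < s.LowestCard || c.Card > s.HighestCard:
		return "Card out of range"
	case s.Active[c.Card]:
		return "Granted"
	}
	return "Denied"
}

func main() {
	site := &Site{FacilityCode: 42, LowestCard: 1000, HighestCard: 1999,
		Active: map[uint16]bool{1000: true}} // 1001 was issued, then voided
	for _, f := range []string{
		EncodeWiegand26(Credential{42, 1000}), // issued card
		EncodeWiegand26(Credential{42, 1001}), // voided card
		EncodeWiegand26(Credential{42, 5000}), // number never entered
		EncodeWiegand26(Credential{7, 1000}),  // another site's facility code
		"01011",                               // noise on the line
	} {
		fmt.Printf("%-26s -> %s\n", f, site.Classify(f))
	}
}
```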
As described earlier, never use contactless smart card readers that rely solely on the card serial
number (CSN readers). It doesn’t make sense to use a contactless smart card with
increased security over legacy card technologies and then ignore the security capabilities built into the
card. Some companies advocate these types of readers because they do not require
implementation of security mechanisms which may not be available for license to that reader
manufacturer and which typically add costs that make the readers more expensive. Using
CSN readers is analogous to using a high security reader on a glass door.
Protect the Cards
Cardholders should be instructed not to wear their badges in prominent view when outside the
premises and be aware of people approaching them attempting to perform a ‘bump and clone’ in
which an attempt is made to try and surreptitiously read their card using an electronic skimming
device. For contactless smart cards operating at 13.56 MHz, many companies sell
RFID shielding devices packaged into a card holder; these are very convenient to use and
prevent these kinds of attacks.
Another best practice is to avoid putting any identifying data on the card that gives an indication as
to the location or address of the facility to make it harder to identify where a lost card can be used.
Of course, many companies put their company logo on their cards but organizations should balance
this requirement with the disadvantage of including artwork that reveals the company’s location.
For companies with multiple facilities at different physical locations, do not use the same facility
code (also known as site code) data in all of the cards; otherwise a lost card could be used at any of the
locations.
Another best practice is to have a policy that lost cards need to be reported as soon as possible.
And make it a policy that when a card is reported lost, it is immediately removed from the system.
As an alternative, consider making the cost for a replacement card high enough so that a
cardholder will think twice about being careless. Of course, this policy may actually discourage a
cardholder from immediately reporting a lost card in the hope that it might be found.
Detection – The Second Line of Defense
Buy readers with a tamper detect mechanism that provides a signal when the reader has been
removed from the wall. Almost every panel manufacturer provides the ability to monitor this alarm
signal and report when a reader is tampered with. Another method that can be used by installers,
if the panel supports it, is to include an additional pair of wires that are connected
together through a resistor at the reader. This loop can be monitored by the panel using a technique
called ‘supervision’ that can detect when the wires are cut or shorted, or when other changes in the
electrical characteristics of the wires are made. Of course the panel must support this capability.
Immediately investigate tamper alarms even if they are momentary and return to normal. You might
actually detect the perpetrator in action or find that a foreign device has been installed in an attempt
to monitor and/or modify the communications between a reader and the upstream device. If the
reader is controlling a sensitive location, such as a perimeter door, have it and the door monitored
by CCTV. Some access control systems can automatically switch the viewing monitor to the door
with the tamper alarm as well as tag the video history log with the event for later review. And, if you
are using your own company-specific cryptographic keys that are stored in a reader, realize that a
reader that has been removed from the wall might have had the cryptographic keys extracted from
the reader, which compromises the entire security of your installation.
Many reader manufacturers also have the capability of sending ‘health’ messages (also referred to
as ‘heartbeat’ or ‘I am Alive’ messages) on a periodic basis to the upstream device.
This functionality can also be used to detect when the wires are cut and does not require any
additional wires to get this protection. If these periodic messages are set to occur faster than it
would take to install a rogue listening device, then the panel would notice and report the
interruption. Ideally these messages would be set to occur as fast as every second. Monitoring
health messages also provides additional benefits since they will detect reader malfunctions. It is
better to know when a reader is not working before somebody complains (usually in the middle of
the night when they cannot get in the door).
For converged physical and logical access control systems, geographic monitoring is available. For
example, if a person has just come in through a door at a site in Buffalo but is trying to log into his
computer in Denver, then obviously there is a problem. Another benefit in converged systems is to
not allow a person to log onto his computer if he hasn’t used his card at a perimeter reader. This
simple concept will get people to change their behavior and not tailgate when they are denied
access during the computer log-on process.
Protect and Study the Security Logs
The audit trail of the transactions (i.e., security logs) should be protected as it contains very
sensitive data, such as who is going through what doors at what times, card numbers, and much
more. If audit trails are electronically stored, keep them encrypted and secure. If they are printed
out, shred them when done. (If any of this data is available from a remote site over the network, or
for that matter, if the server is accessible or uses the public Internet, make sure that a proper
penetration [PEN] test is performed by a reliable third-party.)
The security logs are invaluable after a security-related event has occurred because they might
provide clues as to who the perpetrator was. But that is not the only time to study the logs.
Periodically look at the logs in an attempt to see patterns of events that don’t make sense. Even
better yet, use computer software to analyze the logs for suspicious behavior patterns. For
example, a cardholder requires a finite amount of time to travel between entry points and if the
same card is used at two different locations in a very short time, this could indicate that a cloned
card is being used.
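As an added example of the log analysis this section calls for (it is not part of the paper or any product), the Go program below replays a constructed audit trail and raises two kinds of alert: an antipassback violation (a card re-entering a site it never left, the condition described under Prevention Using Antipassback) and impossible travel (one card number used at two sites faster than anyone could walk between them, the cloned-card pattern described above). The site names, the 10-minute walking time and every log line are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one audit-trail line; Reader is "<site>-IN" or "<site>-OUT".
type Event struct{ Time time.Time; Reader, Card string }

// Alert is what the analysis hands to security staff for follow-up;
// Kind is "antipassback" or "impossible-travel".
type Alert struct{ Kind, Card, Detail string }

// Constructed sample audit trail of granted accesses:
// "<RFC3339 time> <reader> <card>", one per line.
const SampleLog = `2024-03-01T08:00:05Z Lobby-IN 1000
2024-03-01T08:00:40Z Lobby-IN 1000
2024-03-01T08:30:00Z Lobby-OUT 1000
2024-03-01T09:00:00Z Lobby-IN 1002
2024-03-01T09:03:00Z Annex-IN 1002
2024-03-01T09:20:00Z Lobby-OUT 1002`

// minTravel is the constructed minimum time to walk between two sites,
// keyed with the site names in sorted order.
var minTravel = map[string]time.Duration{"Annex|Lobby": 10 * time.Minute}

func travelTime(a, b string) time.Duration {
	if a > b {
		a, b = b, a
	}
	return minTravel[a+"|"+b] // zero for the same site or an unknown pair
}

// ParseLog turns the text into events, rejecting malformed lines.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", n+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		events = append(events, Event{Time: t, Reader: f[1], Card: f[2]})
	}
	return events, nil
}

// Analyze replays the trail in time order and raises antipassback alerts
// (a card enters a site it has not left) and impossible-travel alerts (one
// card seen at two sites faster than the walking time between them).
func Analyze(events []Event) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	inside := map[string]bool{}        // card|site -> currently inside
	lastTime := map[string]time.Time{} // card -> time of previous event
	lastSite := map[string]string{}    // card -> site of previous event
	var alerts []Alert
	for _, e := range events {
		site, dir, _ := strings.Cut(e.Reader, "-")
		key := e.Card + "|" + site
		switch dir {
		case "IN":
			if inside[key] {
				alerts = append(alerts, Alert{"antipassback", e.Card,
					fmt.Sprintf("re-entered %s at %s without leaving", site, e.Time.Format(time.RFC3339))})
			}
			inside[key] = true
		case "OUT":
			inside[key] = false
		}
		if prev, seen := lastSite[e.Card]; seen && prev != site {
			if gap := e.Time.Sub(lastTime[e.Card]); gap < travelTime(prev, site) {
				alerts = append(alerts, Alert{"impossible-travel", e.Card,
					fmt.Sprintf("%s then %s only %s apart; possible clone", prev, site, gap)})
			}
		}
		lastTime[e.Card], lastSite[e.Card] = e.Time, site
	}
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Analyze(events) {
		fmt.Printf("%-17s card %s: %s\n", a.Kind, a.Card, a.Detail)
	}
}
```

The 09:20 Lobby-OUT for card 1002 comes 17 minutes after the Annex read and so raises nothing, showing that a legitimate cross-site movement is not flagged.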
System Upgrades and Migration Strategies
Choose a manufacturer who has a strong portfolio of migration products and strategies including
multi-technology cards in which both the legacy credential and the new credential technology can
co-exist on the same card. Similarly, multi-technology readers capable of reading both the legacy
credential and the new replacement higher security credential are useful in a migration strategy.
And often a combination of these products may be necessary to effectively migrate in the shortest,
most convenient, and cost effective manner.
Conclusion
Following as many of these best practices as feasible, with attention to appropriate levels of
security, will result in a system that better fulfills its intended function with less possibility of being
compromised. And these are just a few best practices to look for. There are many additional best
practices that have not been discussed in this paper, such as the use of security mechanisms on
the card (like holograms) and other tamper evident technologies and much more. This paper will be
continually expanded to include additional best practices for organizations to effectively balance
cost, convenience and security when deploying an access control system. Please bookmark the page
where you downloaded this document and check back for later versions.
Appendix A: The Dangers of Using CSN-only Smart Card Readers
Introduction
Some manufacturers, in an attempt to sell a ‘universal’ reader capable of reading almost any
contactless smart card technology, actually disable all of the built-in security mechanisms in order
to achieve their goal. Reading only the CSN of a contactless smart card actually provides a false
sense of security analogous to installing a high security door without any locking mechanism.
These readers, referred to as ‘CSN readers’, only read the card’s serial number which, as per ISO
standards, must NOT be protected by any security since it is needed by the reader to detect
when more than one card is presented to a reader at the same time. This process,
referred to as anticollision, takes place before the card and reader mutually authenticate each other.
Because the ISO specifications are a publicly available document, details of how this anticollision
process works can be used by a perpetrator to build a device to clone (simulate) the CSN of a
contactless smart card.
Understanding this misuse of the CSN is critical for users of the technology to ensure that access
control security is maximized. If implemented and deployed properly, contactless smart cards
represent one of the most secure identification technologies available today.
Why Use Contactless Smart Cards?
The most modern contactless smart cards incorporate advanced state-of-the-art security
mechanisms. Before a reader can begin a dialogue with a card, it uses mutual authentication to
ensure that both the reader and card can ‘trust’ each other. Only after this process occurs is the
reader allowed to access the data stored inside the card. This data is protected by cryptographic
algorithms and secret keys so that if the data were somehow extracted or even spied on, it can be
very difficult to decipher and utilize.
As with 125 kHz Prox technology, contactless smart cards are convenient for users who merely
present their cards near a reader. In addition, users do not have to carefully insert the card into a
slot or worry about proper orientation. This also minimizes the physical wear-and-tear on both the
card and the reader, the potential for vandalism, and environmental elements.
Amplifying the convenience of contactless smart cards is their capability to support more than one
application at a time. For example, a single card can be used for the dual purposes of opening a
door and logging on to a computer.
Contactless smart cards also provide greater and ever-increasing amounts of memory, enhancing
the sophistication of applications. Enough memory is available to store biometric templates and
even photos, enabling additional factors for user authentication. Such authentication of both the
card and user increases the security and likelihood that the person using the card is indeed the
authorized user of that card.
A False Sense of Security
To understand why using the serial number of contactless smart cards provides a false sense of
security, it is first important to understand some basic definitions and contactless smart card
mechanisms.
CSN: CSN refers to the unique card serial number of a contactless smart card. All contactless
smart cards contain a CSN as required by the ISO specifications 14443 and 15693. CSNs are
typically 32 to 64 bits long.
The CSN goes by many other names including UID (Unique ID), CUID (Card Unique ID), and of
course CSN (Card Serial Number). It is important to note that the CSN can always be read without
any security or authentication as per the ISO requirements.
Think of the CSN using the analogy of the identifying number on a house. It is important for
everyone to be able to read the house number to find it. Similarly, the CSN is used to uniquely
identify a card when more than one card is presented at a reader at the same time. Moreover,
nobody can get in to your house or get in to a smart card without using the correct key.
Anticollision: Anticollision is part of the communications protocol used by contactless smart cards
to uniquely identify a card when more than one card is presented at a reader at the same time. It
provides the ability to communicate with several contactless smart cards simultaneously. This is
especially important in long-range readers, as illustrated by Figure 2: Anticollision.
Figure 2: Anticollision
The ISO standards require that every contactless smart card have a unique CSN and these
standards describe several methods to implement anticollision. It must be pointed out that the CSN
was never intended by ISO to be used for any purpose other than anticollision.
How is a CSN Used for Access Control?
CSN readers are readers that use the CSN of a contactless smart card instead of the credential
data stored in the secure area of the card. When a card is presented to the reader, it reads the CSN
and typically extracts a subset of the CSN, converts it to a 26-bit Wiegand or other output format,
and then outputs this data to an upstream device such as a panel or host computer.
The Most Commonly Used CARD Format Intensifies the Problem
There are many card formats available and formats are comprised of multiple fields. The most
commonly used format contains a total of 26-bits and includes a site code field (8-bits), a card
number field (16-bits), and two parity bits.
The site code field (also called a facility code) is usually the same for all cards at a given site and is
used to ensure that cards from different facilities in the same geographic area can be distinguished
from each other. Without this field, cardholders with the same card number might be able to access
facilities for which they do not have authorization. The card number field uniquely identifies each
cardholder and the parity bits are used to detect data communication errors.
If the 26-bit Wiegand protocol is being used, the 16-bit card number field is extracted from the CSN
and the site code field is usually created from a pre-programmed number stored in the reader.
Because the smart card manufacturer preprograms the CSN and only a small portion of it is used,
duplicate card numbers become likely. Statistically, out of every 65,535 cards, there will be at
least one duplicate.
This is why it is desirable to use a card format with more bits in the card number field. Some
manufacturers offer a card format that uses both a larger card number field and includes an
additional OEM field together with the site code field.
Keep in mind that the issue of duplicate card numbers is not limited to the Wiegand protocol. It
occurs in any protocol that uses a reduced number of bits derived from the CSN to represent a card
number.
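The CSN-to-Wiegand conversion and the duplicate-number problem described above, as an added example that is not part of the original paper: it builds and checks 26-bit Wiegand frames, models a CSN-only reader keeping 16 bits of a 32-bit CSN (which 16 bits a real reader keeps is vendor-specific; the low bits are an assumption here), and goes beyond the text by computing the birthday-bound probability of a duplicate, which shows duplicates are likely long before 65,536 cards are issued.

```python
# Added example, not from the paper: how a CSN-only reader squeezes a 32-bit
# CSN into the 26-bit Wiegand format, and why the truncation makes duplicate
# card numbers likely. Bit layout follows the common 26-bit format the text
# describes: even parity, 8-bit facility code, 16-bit card number, odd parity.
from math import exp
from typing import List, Tuple


def xor_bits(bits: List[int]) -> int:
    """1 if an odd number of the bits are set, else 0."""
    p = 0
    for b in bits:
        p ^= b
    return p


def wiegand26(facility_code: int, card_number: int) -> str:
    """Build a 26-bit Wiegand frame as a string of '0'/'1'.

    bit 1      even parity over bits 2-13
    bits 2-9   8-bit facility (site) code
    bits 10-25 16-bit card number
    bit 26     odd parity over bits 14-25
    """
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must fit 8 bits, card number 16 bits")
    data = [int(b) for b in f"{facility_code:08b}{card_number:016b}"]
    even_p = xor_bits(data[:12])     # bits 1-13 end up with an even number of 1s
    odd_p = 1 ^ xor_bits(data[12:])  # bits 14-26 end up with an odd number of 1s
    return "".join(str(b) for b in [even_p] + data + [odd_p])


def decode_wiegand26(frame: str) -> Tuple[int, int]:
    """Parse a frame, checking both parity bits; returns (facility, card)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    bits = [int(b) for b in frame]
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("even parity error in bits 1-13")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("odd parity error in bits 14-26")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def csn_to_wiegand26(csn: int, reader_facility_code: int) -> str:
    """Model a CSN-only reader: keep the low 16 bits of the CSN and pair them
    with a facility code pre-programmed into the reader. Which 16 bits a real
    reader keeps is vendor-specific; using the low bits is an assumption."""
    return wiegand26(reader_facility_code, csn & 0xFFFF)


def duplicate_probability(cards: int, space: int = 65536) -> float:
    """Birthday-bound estimate of the chance that at least two of `cards`
    cards, with effectively random 16-bit numbers, get the same number."""
    return 1.0 - exp(-cards * (cards - 1) / (2.0 * space))


if __name__ == "__main__":
    # Two constructed CSNs that differ only in their upper 16 bits.
    a, b = 0x12345678, 0xDEAD5678
    fa, fb = csn_to_wiegand26(a, 42), csn_to_wiegand26(b, 42)
    print(f"CSN {a:08X} -> {fa}\nCSN {b:08X} -> {fb}\nidentical: {fa == fb}")
    print("decoded:", decode_wiegand26(fa))
    for n in (100, 400, 1000, 5000):
        print(f"{n:5d} cards: P(duplicate) ~ {duplicate_probability(n):.3f}")
```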
Using the CSN Sacrifices Security for Interoperability
To create a low-cost, universal reader capable of reading any manufacturer’s contactless smart
card, reading the CSN is the easiest and sometimes the only way to achieve interoperability. One or
more of the following reasons are at the heart of the problem:
1. The inclusion of the hardware chip containing the security algorithms adds cost.
2. The reader manufacturer may have to pay a license fee for the security algorithms or the
reader manufacturer may not even be able to obtain a license.
3. The security keys to the contactless smart cards are not available.
Using a low-cost, universal reader that does not avail itself of the security features that contactless
smart cards offer will compromise the security of the facility or area where it is used. As noted
earlier, the three major reasons to use contactless smart cards are security, convenience, and
interoperability. Figure 3 illustrates how using the CSN compromises these three key reasons.
Figure 3: Using Smart Card with CSN Reduces Security (diagram comparing security, convenience and interoperability for a smart card used with security, the ideal balance, versus a smart card used with its CSN, reduced security)
Using the CSN is Inconvenient and May Add Hardware Costs
CSNs are non-consecutive numbers that are in a random order. Therefore, referring to a cardholder
by its CSN makes it impossible to group employees by card number ranges such as 1 – 100.
Furthermore, as discussed above, it is desirable to use all of the bits required to represent the entire
CSN. A 32-bit CSN would be represented as a number with as many as 10 digits and a 64-bit CSN
requires as many as 20 digits. Even when hexadecimal notation is used for entry, a CSN still requires
a person to type up to 16 characters to add or change a card.
With an enrollment reader, the process of adding cards to a system can be simplified since the CSN
of a card can be automatically read instead of being typed. However, this introduces more
complexity to the system, requiring additional access control software and hardware enrollment
readers. Moreover, if a cardholder’s privileges have to be changed, an enrollment reader is of no
use when the card is not available.
Using the CSN Can Decrease Privacy
Because reading only the CSN of a contactless smart card requires less power, read distances are
often greater. This is because the power-hungry cryptography circuitry inside the contactless smart
card is not used. Greater read distances, coupled with no authentication or security, make the cards
far less secure from illegal activities at even greater distances.
In addition, using the CSN gives the false impression that a particular reader’s performance is
greater than it actually is. This may be doubly misleading for users because the CSN reader may be
less expensive and offer better read distances than a reader that fully implements the security
protections available with contactless smart card technology.
CSN Emulation
An earlier section identified additional security threats based upon the availability of information
required to illegally read or copy a card technology. It concluded that using the CSN of a
contactless smart card is low security because it is well documented by ISO standards and no
security is used to authenticate a CSN. Many smart card development tools such as protocol
analyzers can emulate an ISO 14443 or 15693 CSN. Furthermore, universities are also teaching
the ISO protocols and students are writing firmware to emulate CSNs. What better way to prove
that a student correctly understands the ISO protocol than to actually create firmware to emulate a
CSN and fool a reader to prove that the firmware actually works?
U.S. Government and International Organizations Recommendations
A US Government report recommends not using the CSN for identification purposes since “… using
the CSN as a unique identifier works only for 14443A, and for 14443B it [may] be a random number
that changes every time and will be discussed in a future version of the specification.”
The International Civil Aviation Organization also warns, “There is no protection in use of a CSN
because this is often set in software by chip manufacturers and can be changed.”
Cryptographers and Industry Expert Opinions
Both cryptographers and industry experts also warn of the dangers of using the CSN to identify a
cardholder. David Engberg of Corestreet Ltd. said, “The serial number has no cryptographic or
protocol-level protections to prevent an attacker from asserting the same serial number as any real
card. By implementing ISO 14443 directly, an attacker can imitate any desired CSN.”
Bruno Charrat, CTO of Inside Contactless, concurs with David Engberg, adding, “As soon as there
is no security in the communications, you can clone a card and then enter anywhere you want! It is
as simple as that.”
In an article from Security Technology & Design, Greg Young, Technical Sales Manager for RFI
Communications & Security Systems, warns against the assumption that contactless smart cards
offer more secure transmission than 125 kHz Prox cards. “They can be more secure, but they’re not
necessarily more secure,” he said. “Many manufacturers are touting readers that read multiple
types of smart card technology —MIFARE, iCLASS—when really all they’re reading is the serial
number sent unencrypted from the card, in the same way Prox is. Unless you make sure that what
you’re reading is from a secure sector on the card that can be truly encrypted, and there is a
handshake procedure between the reader and the card before transmission, what you’re getting is
no more secure than proximity technology.”
Refuting Commonly Held CSN Beliefs
What About Encrypted CSNs?
Encrypted CSNs offer no real protection from cloning and replay attacks.
Chips with Programmable CSNs
The statement – ‘The CSN is a unique serial number permanently written into the device’s
nonvolatile memory at the factory; it cannot be modified and is guaranteed to be unique for all
devices.’ – is not always true.
Some contactless smart cards have programmable CSN. For example, one vendor’s contactless
smart card chip data sheet states: “The CSN is written at time of manufacture, but part of it can be
customer-accessible and customer-writable, on special request.”
Similarly, another manufacturer’s data sheet states: “The CSN is defined by the customer during
personalization … it is usually unique… may be set to any value.”
Clearly, there is no guarantee of the authenticity of a CSN, and CSN readers compromise
security.
When Should a CSN Reader Be Used?
CSN readers are very useful as a temporary solution to migrate from one smart card manufacturer
to another. A single reader can be used to read both the existing cards using its CSN and the new
replacement cards using full security and authentication. This provides a window of time to replace
the cards. When all of the existing cards have been replaced, the reader can then be instructed to
turn off its CSN reading capability. For maximum security, it is best to keep the replacement time
period as short as possible.
Conclusion
Using the CSN for anything other than its intended use severely reduces the security of a
contactless smart card. In other words, CSN is really an acronym for Compromisable Serial
Number. When implementing and deploying contactless smart card technology, always consider
the following:
1. Contactless smart cards are secure when used properly.
2. Using the CSN of a contactless smart card bypasses the security built into smart cards.
Understanding the security risks associated with using the CSN instead of reading the data
protected by security mechanisms will help ensure that the proper protections are in place for both
personnel and property.
AAA Alarms announces the design and release of the industry's first and only security system designed for ultra-high-security facilities and ultra-high-risk standards, which requires an iris scan in order to disarm the security system.
Technology from IRIS ID has been integrated into a 250-point UL Listed, high-security addressable security controller to now require the presentation of a valid iris scan in order to disarm the system and report an opening by user to the AAA UL Central Monitoring Station. This first-of-its-kind integration is the first known application in the US.
For years, the UL security industry for jewelry, precious metals, and Department of Defense applications has issued standards (UL 681 and UL 2050) in an attempt to make security systems as secure as possible. However, ALL central-station-monitored security systems have utilized a simple PIN pad disarm sequence. So no matter how many detectors or sensors are installed, the whole system can fail when an unauthorized person acquires the PIN code either overtly or covertly (hidden camera), as has been done with bank ATMs in "skimming".
Now, for the first time, by utilizing advanced identity authentication, an AAA Alarms system cannot be disarmed without an authorized user's eyes being presented to the keypad.
Iris Recognition Technology
Iris recognition is the best of breed authentication process available today. While many mistake it for retinal scanning, iris recognition simply involves taking a picture of the iris; this picture is used solely for authentication. But what makes iris recognition the authentication system of choice?
Stable – the unique pattern in the human iris is formed by 10 months of age, and remains unchanged throughout one’s lifetime
Unique – the probability of two irises producing the same code is nearly impossible
Flexible – iris recognition technology easily integrates into existing security systems or operates as a standalone
Reliable – a distinctive iris pattern is not susceptible to theft, loss or compromise
Non-Invasive – unlike retinal screening, iris recognition is non-contact and quick, offering unmatched accuracy when compared to any other security alternative, from distances as far as 12″ to 16″
Traditional Notions of Establishing Identity
Historically, identity or authentication conventions were based on things one possessed (a key, a passport, or identity credential), or something one knew (a password, the answer to a question, or a PIN.) This possession or knowledge was generally all that was required to confirm identity or confer privileges. However, these conventions could be compromised – as possession of a token or the requisite knowledge by the wrong individual could, and still does, lead to the valid disarming of a high security system.
The Emergence of Biometrics
To bind identity more closely to an individual and appropriate authorization, a new identity convention is becoming more prevalent. Based not on what a person has or knows, but instead on what physical characteristics or personal behavior traits they exhibit, these are known as biometrics – measurements of behavioral or physical attributes – how an individual smells, walks, signs their name, or even types on a keyboard, their voice, fingers, facial structure, vein patterns or patterns in the iris.
Biometric Appeal of Iris Recognition
Of all the biometric technologies used for human authentication today, it is generally conceded that iris recognition is the most accurate. Coupling this high confidence authentication with factors like outlier group size, speed, usage/human factors, platform versatility and flexibility for use in identification or verification modes – as well as addressing issues like database size/management and privacy concerns – iris recognition has also shown itself to be exceedingly versatile and suited for large population applications.
FIRST IN CLASS, FIRST IN TIME INTEGRATION WITH UL SECURITY SYSTEM AND CENTRAL STATION MONITORING:
Although the IRIS ID technology has existed for over 15 years, it has now been integrated for security system usage, rather than for just unlocking doors.
The Biology Behind the Technology
Like a snowflake, the iris – the externally visible colored ring around the pupil – of every human eye is absolutely unique, exhibiting a distinctive pattern that forms randomly in utero in a process called chaotic morphogenesis. In fact, it’s estimated the chance of two irises (irides) being identical is 1 in 10^78.
The Advantage of Iris Recognition
Iris recognition is an attractive technology for identity authentication for several reasons.
The smallest outlier population of all biometrics. Few people can’t use the technology, as most individuals have at least one eye. In a few instances even blind persons have used iris recognition successfully, as the technology is iris pattern-dependent, not sight-dependent.
Iris pattern and structure exhibit long-term stability. Structural formation in the human iris is fixed from about one year in age and remains constant (barring trauma, certain rare diseases, or possible change from some special ophthalmologic surgical procedures) over time. So, once an individual is enrolled, re-enrollment requirements are infrequent. With other biometric technologies, changes in voice timbre, weight, hairstyle, finger or hand size, cuts or even the effect of manual labor can trigger the need for re-enrollment.
Ideal for handling large databases. Iris recognition is the only biometric authentication technology designed to work in the 1-n or exhaustive search mode. This makes it ideal for handling applications requiring management of large user groups, such as a national documentation application might require. Large databases are accommodated without degradation in authentication accuracy. IrisAccess platforms integrate well with large database back ends like Microsoft SQL and Oracle 9i.
Unmatched search speed. Speed in the one-to-many search mode is unmatched by any other technology, and is limited not by database size, but by the hardware selected for server management. In a UK Government-commissioned study, Iris ID’s IrisAccess platform searched records nearly 20 times faster than the next fastest technology. Iris ID has developed a high-speed matching engine, IrisAccelerator™, designed to deliver 10 million+ matches per second.
Versatile for the One to Many, One to One, Wiegand and Token Environments. While initially designed to work in one-to-many search mode, iris recognition works well in 1-1 matching, or verification mode, making the technology ideal for use in multifactor authentication environments where PINs, or tokens like prox or smartcards are used. In a token environment, many privacy issues related to biometric database management are moot, as the user retains control of biometric data – a small template of 512 bytes per iris.
Safety and Security Measures In Place. Iris recognition involves nothing more than taking a digital picture of the iris pattern (from video), and recreating an encrypted digital template of that pattern. 512-byte iris templates are encrypted and cannot be re-engineered or reconstituted to produce any sort of visual image. Iris recognition therefore affords high level defense against identity theft, a rapidly growing crime. The imaging process involves no lasers or bright lights and authentication is essentially non-contact.
Convenient, Intuitive User Interface. Using the technology is an almost intuitive experience, requiring relatively little cooperation from subjects. Proximity sensors activate the equipment, which incorporates mirror-assisted alignment functionality. Audio auto-positioning prompts, automated image capture, and visual and audio authentication decision-cueing completes the process.
AAA Alarms is Rhode Island’s leading provider of security to Department of Defense contractors, having Underwriters Laboratories approvals for UL 2050 standards. Call AAA today for assistance with compliance with the mandated DFARS and NIST standards for CUI. AAA offers access control service with audit trails and DoD-certified security alarm systems for classified and unclassified documentation storage rooms, as well as compliance with facility tracking of personnel entering, badging with full audit trail, and cloud information storage compliant with Level 4 and Level 5 standards for computerized access control systems.