I showed the guard my passport, then my driver's license. I tried to explain that not all US journalists had press cards with photos, but I handed him my business card. Eventually, he seemed satisfied, and I went to the next step, where I was checked off against a list, then photographed and fingerprinted. Finally, I was handed a blue and white card with what looked like a chip embedded in it. I would need this card, I was told, to access the press facilities of the European Union. It was the first time I'd actually had to use a smart card.
That smart card was coded with some useful information. It held my name, affiliation, some personal data, and the fact that I was only in Brussels for a few days. After the G7 Global Information Infrastructure meeting held in1995 ended, so did my access. In the meantime, I could go anywhere journalists were allowed. It also meant free beer, tons of tsotchkes, and a workstation I could call my own (at least for three days). It also meant I could mix with the information ministers and the US delegation, and it got me a rare, elevator-based interview with then Commerce Secretary Ron Brown. There was never any question about access; I either had it or I didn't.
The smart cards worked well back then, and despite the fact that most US companies know nothing about them, they've worked well since then--but mostly in Europe. For reasons no one seems to understand, smart cards have made virtually no penetration in the US, and in the minds of many, the cards are strange, have mysterious capabilities, and probably are hideously expensive, even if they do provide really good security. I guess that up to now, the feeling has been that nothing could happen in the US that might require actual security.
At the end of October, the US Department of Defense announced that every member of the military would be receiving a new type of ID card. Gone would be the green (or red or gray) piece of laminated paper. Replacing those millions of cards would be one that contained encrypted information that included service member identification, their personal details, their military information--even information about their security clearance and access needs. This card could be used for everything from building access to buying things at stores on military bases.
Though it's going to take a while for the military to implement smart cards, it's an important step. So was the decision several months ago when American Express started issuing smart cards in the US under the name "Blue by American Express."
In Europe, smart cards are very popular. The primary reason is that Europeans have, at least in recent years, seemed to take security more seriously. They've believed in an old principle that people can best prove who they are by something they have, and something they know. In the last few years, this principle has caught on with the growth of ATM cards that require both the card and a PIN.
Problem is, duplicating an ATM card isn't all that difficult, and getting the PIN number isn't impossible, as the growing level of ATM fraud indicates. Duplicating a smart card, on the other hand, can be extremely difficult. As a result, it works very well. According to David Bonalle, American Express vice president and general manager for Advance Payments Development, American Express has essentially eliminated fraud with its smart card-based credit cards. "It's super high security," Bonalle says. "To date, it's been completely foolproof."
This is, of course, nice for Amex, but why should you care? Think about the security in your enterprise. How easy is it to simply walk up to a computer and use it? The person who works at the computer you've just started to use may be away on break or at lunch, but his or her computer sits there, logged in, and you can just pretend to be that person. Or, you can look at the passwords written on notes on the side of the monitor if a user isn't logged in.
But suppose you had to log in by sliding a smart card into a reader, before you could enter your password. And the smart card would let the computer know what information you were allowed to see. You can see the difference. Even if your company is very security aware, it's not always easy to bring security to every desktop.
But smart card protection doesn't need to be expensive. According to Donna Farmer, president and CEO of the Smart Card Alliance, the cards themselves can cost less than a dollar. The readers can cost less that 20 dollars, and are now being integrated with some computers so they're essentially free.
Your company's security is important, and the methods most companies have used until now to help ensure access security just really aren't adequate. It's probably worth springing for a few bucks to make your company actually secure, instead of just giving you a false sense of security.
