“It’s no longer simply about putting a photo on a white piece of plastic,” says Ryan Park, Fargo Electronics’ director of product marketing for secure printers/encoders. “It’s just not secure. Unfortunately, that represents a lot of the ID vehicles out there today. There are very few applications in the ID card world that don’t have a need for security.”
The need for greater security in the issuance process is what’s driving Fargo today. “Two years ago, we (Fargo) decided to step off the path, to not be a printer company anymore but a secure card program producer. We’re looking at all the places, cradle to grave, that could be vulnerable. Our message as a company is that we’ve expanded from printers to helping our customers issue secure credentials. In a post 9-11 world, we’ve seen a rapid increase in ID theft. Previously, we’ve focused on our printers, simply putting photos on cards. We now also want to be the best at securing the entire process.”
He said there are three elements to security: “The printer you choose, securing the card itself and having the process and personnel in place for when it comes out of the machine.”
As to the printers themselves, many have their own security features, he said, such “as the ability to load cards into the machine, then lock the access doors, or the ability to lock up the materials section of the printers so operators can’t access them.”
Some Fargo customers have gone so far as to bolt the printer to something immoveable, like a vault. “One of the things we’ve learned is you can have all the alarm bells in the world, but if someone is willing to crash a truck through a wall, you want to bolt the printer to something that can’t be moved,” said Mr. Park.
He calls it “lock and bolt. It’s your best defense.”
Another solution: “Give your printer some business rules,” he said. “For example you could define at what hours should the cards be produced. We know that cards being produced on the weekend may still may be legitimate, but it’s something we need to know about. Or you can determine which operators can physically use the product. The printer can periodically ask for code words that only certain parties should know.”
He said there are a “handful of features where a printer can be self-aware. You can set it up so every time a job is produced, a password is needed. Or you can use biometrics, where the operator might have to give his thumbprint. But at same time, you might have this bad person in the office and you want to prevent him from grabbing the materials so he can produce an ID outside the office. That’s where something like a secure vault comes in handy. You make sure the cards are locked up in the printer. Outside the printer you need to do inventory counts.”
Securing the Card
“The first thing you have to identify is what are the truly sensitive pieces of the process,” he said. “Are you a university utilizing a tamper-proof hologram? While anyone can buy a card printer, a hologram is something you can control.”
The purpose here – whether at a university, a major corporation, or as a federal agency or one that is supplying the feds – is to make the card counterfeit-resistant.
“At the very highest level, such as with a government agency, you want to control the movement of your hologram at all stages,” said Mr. Park. “For example, a hologram could be shipped by armored car, controlling the entire process. These are services we offer for very sensitive applications.” He said the street figure for these kinds of holograms would reach six figures, which is why securing them is so important.
Process and Personnel
“You’ve got this fantastic card you’re producing with smart encrypted chips and holograms, but you’re using temp labor to produce the cards, and all of a sudden 1,000 cards end up on the black market,” said Mr. Park. “You actually have to secure the production of that card.”
With cards that are instantly produced, “you’re basically postponing production of the card as long as feasible so the card is produced and given to the customer as soon as possible. It’s encoded in the machine and it goes directly to you. Once it’s produced, it’s now a valid entity. The more you can shrink that time the more secure it is.” Driver licenses are a good example. Some states utilize a central issuance facility, while most instantly produce the licenses and distribute them right away to applicants, he added.
“We’re talking about back-end production, but it’s very critical at the front end, too,” he said. “A driver license can be produced in a valid way but you could still end up with a forged driver license.”
The chain and its weakest link
As the old saying goes, a chain is only as strong as its weakest link. When it comes to issuance of secure identity credentials, the chain involves the securing the printer, the card, and the process. To improve your issuance security, make sure all three are evaluated on a regular basis.