Trust Google with your Physical Access?

by | Apr 23, 2013 | Cyber Security, Data Security, Physical Access Control (PAC)

Industry Buzz about NFC Technology for Physical Access

NFC Physical AccessI have always believed that any two competing technologies have their advantages when placed in the proper environment. Whether it’s a contact versus contactless smartcard, or NFC versus RFID card, both can do the same function but which is it the best use of the technology?  For example, contact smartcards are horrible for physical access due to reader wear and exposure to weather environment. 

 

I often see a company who falls so in love with their technology that they forget to understand the customer’s problem.  They are playing the game of “technology looking for a problem.”  That is what NFC for physical access may be doing.

 

The new pyridine from smartphones is only just touching the tip of the iceberg.  The potential for these devices is huge and it will take years for it to shake out.  To date myself, I remember when the computer industry talked about the key application for home computers was recipe storage.  I don’t know about you, out of the five computers we have at home I don’t think there’s a single recipe on any of them.

 

At the recent ISC West tradeshow there was a lot of industry buzz about using a smartphone’s Near Field Communications (NFC) technology for physical access.  Some of the key industry leaders made this their key message.  The argument is that since we already carry a smartphone, image being able to use it to unlock a building’s front door.  My advice is to be very careful and fully understand all the ramifications before starting down this path.  Here is why I’m not jumping on the physical access NFC bandwagon:

  • Part of a physical access security system is to have a photo ID.  The photo allows someone to instantly see if the image matches the wearer’s face.  Plus, many ID badges include special security inks, graphics and holograms so cards cannot be easily cloned.  This won’t work with a smartphone.  Plus, one is not going to hang their smartphone around their neck with their image showing if for no other reason than it would drain the phone battery.
  • Speaking of battery. Have you ever reached for your phone only to discover that you forgot to charge it? I know I have.  So if you have a dead phone, how are you going to open the door to get to work?  It only takes one time for the CEO to be locked out of his or her business before systems get replaced.
  • There is the mistaken belief that using an employee’s owned smartphone can save the company money. If you thinking this then get ready for a breach.  In a recent Symantec security briefing they discussed the increase in smartphone malware attacking and stealing personal information.  Because most smartphone users are not security conscious they are more likely to load apps from unsecure sources if the app looks cool. Sadly, many legitimate apps don’t add in enough security to protect sensitive data. What do you think would happen to your company’s security if malware was able to steal the NFC building access codes?
  • Your CIO and CFO are very aware of the time and costs in protecting your company’s computer networks.  Do you now want to add that to your building security?
  • Finally, we have already read articles about Apple, Google, Facebook and others capturing and storing GPS information, emails, web searches, etc. from a person’s smartphone.  While there are no reports that NFC access control codes are being stored by these companies, is it too farfetched to at least ask the question? Plus, if they did store all this information it would be a treasure trove for hackers and thieves to want.  In the past we have seen that password data is not well secured so why assume building access codes would be.

 

Some of the arguments for smartphone NFC physical access are:

  • Advanced encryption algorithms can be used to secure the data and transmission.
  • Using some multifactor authentication that uses the phone’s camera to first authenticate the user before data is sent.
  • Longer read ranges. Especially useful for parking garages.
  • Read/Write data storage of access points, date, time, etc. in the phone.

 

While I’m not a strong proponent of NFC for physical access control, the ultimate decision is if this technology solves your specific problem better and more cost efficiently than say an RFID card.  Before adopting any technology there has to be a risk assessment.  Know where the data is being stored, how is it protected, what can happens if a phone is lost or stolen, and will employees be able to load apps at will are just some of the questions that need to be answered.

 

The IT department has many horror stories regarding the security threats from Spam emails, malware, phishing, Denial of Service attacks, clouds, firewall breaches and more.  Do you want to transfer these same headaches and expenses now to your building security?

 

About Access Smart:

Founded in 2005 and headquartered in Ladera Ranch, California, Access Smart, LLC (a certified CA Small Business) offers information security through reliable user authentication prior to network access. Authentication, authorization and non-repudiation do not have to be cumbersome to be effective. That’s why our products are designed using state-of-the-art security technologies while focusing on ease-of-use and low-cost-of-ownership.

Data security begins with cyber access control, and cyber access control begins with Power LogOn