How smart, secure and convenient are biometric smartcards?

CardLab’s Frank Sandelov spoke to SciTech Europa about the company’s biometric smartcards and the security and convenience they offer.

Founded in 2003 by Torsten Nordentoft, amongst others, CardLab has done extensive research in high-security cards for more than a decade. Working with several international investors, it has developed a range of unique products and high-tech solutions, several of which have been patented and are already in use by card companies and card providers across the globe. CardLab provides its customers with OEM sale of individual technologies as well as development of customer-ordered complete solutions.

Having gained a position as a leading innovation partner for the card industry, CardLab now offers a wide range of technologies and solutions for integration in ID, financial and access cards, such as RFID and Bridge cards, the latter connecting mobile payments with existing payment infrastructure.

High security capabilities, cost-effectiveness and convenience are the three most vital factors when it comes to finance, access, and ID cards, particularly in light of growing cybercrimes – including hacking and cryptocurrency theft – and other digital threats.

Can you briefly describe how CardLab’s solutions provide these elements?

It is a combination of the card and the backend system. We offer a solution where the card produces ‘tokens’, which means any transaction becomes tokenised. At the same time, we are able to store a certificate on the card and because this certificate is tokenised, any data that is stolen is essentially rendered useless as the thief is unable to access the tokens. In addition, there is the added convenience that people using this system do not have to remember a password; they don’t need to worry about typing the wrong password in and getting locked out, and so on. Indeed, the added convenience coupled with the very high level of security makes our approach extremely attractive.

The card is one element; the other element is a full backend authentication system, where we use the same level of security and encryption as the banks. This allows us to check the token validity, assuring that if somebody hacks into the system, they will not get access to anything by capturing the token as it will be rejected by the backend as it has a higher security level than private-public key pairs.

In reality, we provide an a-synchronic key system which involves the client (the card) sending a key that unlocks an encrypted request from the authentication server for the other key from a secure vault in order to create the final token that, when tied together, forms the final verification. Because the first key (token) is unique and used to unlock the other, the biometric smartcards solution offers a very high degree of security. It also means that it has applications in areas such as access to databases and so on, where there is a need for security in order to ensure that no one other than those who should have access are able to actually get in.

Would you say that there is a barrier when it comes to enabling people to understand the mechanics behind biometric smartcards and to understand what makes the solutions so secure, and so put their trust in it?

I think most people are aware that everything they are using online can be hacked. However, we need to make people aware that with our solutions even if they are hacked, the hackers are not going to be able to do anything with their identity or their personal credentials because it has all been tokenised and it is held offline.

Nevertheless, there is indeed a challenge in explaining this to people; it is a challenge to ensure that they understand that this is a true solution that gives them privacy protection due to the fact that all their data is in the card, it is tokenised, and they are the only one who can access it.

Can you tell me more about the importance of biometrics in your solutions? How important is your recent licensing agreement with Drayson Technologies, and what will this mean for your company moving forwards?

Biometrics is extremely important because it is your unique ID. What we have seen is that there is also a need for low-cost, convenient products, and an integral part of this concerns the energy harvesting. That is where the new agreement with Drayson Technologies comes in. This is important because the standard version of low-power readers, which only emit a signal intermittently, has a very low power potential to operate the card.

If you don’t create enough power in a circuit, you will need to add a battery, meaning adding cost. Drayson Technologies, however, have been able to extract three-to-seven times more energy out of a reader field with their patented energy harvesting solution than what is found in any other competitive card solution. Our research so far suggests that we should be able to get 98-99% market penetration by implementing Drayson technologies in terms of readers or point of sale adaptation. This means that this solution can become the first to be widely usable, and it helps bring the cost down on the card side.

The tokenisation provided by your biometric smartcards has enabled CardLab to specialise in delivering solutions to attacks such as ‘man in the middle attacks’. What were the biggest challenges in developing solutions such as this, and how are you working to ensure stakeholders are informed of the benefits of such technologies (alongside the need for good internal processes)?

One of the more difficult parts of the process was running tests on what areas held the potential for a hacker to break into the system. In addition, of course, we had to get the programming in place, and this meant having the right people with the right skills.

The next challenging step will be how to disseminate the knowledge and opportunities in the use of the technology. To achieve this, we have started taking part in different conferences as there is a lot of appetite out there; but there are also a lot of companies spinning out solutions which lack a decent level of security, especially the necessary offline biometric authentication, and we can fill this gap.

‘Man in the middle attacks’ can, and will, happen, also in the future, but the person or persons responsible for that attack will not be able to use anything they steal. The card represents a decentralised security system, so your physical identity never gets revealed online, only your token, as we don’t rely on database comparison to validate your identity. Our solution eliminates the value of data captured by a man in the middle and keeps your privacy protected and saves a huge amount of resources on protecting critical data in databases.

Malware has even been used in ATMs to steal users’ information. How can CardLab’s technology help here, too?

The solution here again is based on the tokenisation. For example, if a person using an ATM becomes exposed, then they are still only exposed as a tokenised identity. This means that every transaction will be unique, and so if somebody is picking up data from an ATM and trying to get in, they will not be able to use that data again because it has become tokenised, meaning it is only valid for one transaction.

While these solutions offer a very high degree of security, there is always the danger that the technology and strategies used by criminals to circumvent them will become similarly sophisticated. How can this be addressed?

There is certainly no doubt that the sophistication of criminal activities evolves alongside the solutions developed to thwart them. At this point, our solutions are 100% secure, but hackers are becoming increasingly skilled; they are as equally skilled as our programmers. That is why, when we can get a hacker on board, we are placing ourselves into the best possible position because we will know what happens in the market, in the dark market, and we are planning on doing this in order to ensure that we are able to stay ahead of the game.

Indeed, it is perhaps more important for us to be aware of what is happening in the world of hackers than it is to be aware of what is happening with regard to our competition or even at the policy making level.

Frank Sandeløv
CardLab Aps
+45 31 55 49 94
