Thursday, December 3, 2015

China: Arrests in US OPM case

Chinese government has arrested hackers it says breached OPM database (Washington Post)
Beijing has repeatedly insisted that the government played no role in the intrusions, which compromised sensitive personal, financial and biometric data of the employees, and data on their families.

Costs continue to mount from Target 2013 breach

Target settles for $39 million over data breach (CNN)
The settlement is the latest in a series of payouts Target has made.

In August, Target settled with Visa for $67 million over the data hack. And in March, Target settled a federal class action lawsuit brought by customers for $10 million.

Tuesday, November 24, 2015

Healthcare: Getting serious about multifactor authentication

The Time Has Come for Two-Factor Authentication in Health Care (iHealthBeat)
William Braithwaite -- a health information privacy and security consultant and chair of the Healthcare Information and Management Systems Society's identity management task force -- noted that, no matter how long or complex passwords are, they're still vulnerable to theft. "The real problem is that passwords are being stolen, not that they're being broken," he said.

Tuesday, November 10, 2015

Face recognition in retail

Walmart’s Use of Sci-fi Tech To Spot Shoplifters Raises Privacy Questions (Fortune)
The only company that acknowledged using the software was Walmart. According to a spokesperson, the retailer tested facial recognition software in stores across several states for several months, but then discontinued the practice earlier this year.

“We were looking for a concrete business rationale … It didn’t have the ROI,” or return on investment, the spokesperson says.
Retailers and biometrics companies have been working together for years trying to figure out how to apply face recognition to the problem of shoplifting. As expected in a retail business, it all comes down to Return on Investment (ROI).

First, here's what modern shoplifting looks like. It isn't just teenagers pocketing lipsticks and candy bars.

Police bust 'amazing' $15,000-a-day shoplifting ring (USA Today)
HAZEL PARK, Mich. — Police say a 7,600-square-foot warehouse served as the business hub for a sophisticated, multimillion-dollar theft ring that stole items from southeastern Michigan retailers and resold them on the Internet.

Veteran investigators said the shoplifting ring, which swiped as much as $15,000 a day in over-the-counter drugs and other goods from area stores, is the largest they have ever seen.

Oakland County Sheriff Michael Bouchard called the illegal business "amazing in size and scope" and one that likely operated for years before drug investigators spotted it last month.

The ring operators stored stolen items in the warehouse and sold them on the Internet through eBay, Amazon.com and other sites, investigators said.
Read the whole thing. Criminal organizations like these cause huge losses to retailers, higher prices to consumers, and increased production of dangerous street drugs. More and more, shoplifting is an organized crime problem, and everyone who isn't in on the scam pays the price in one way or another.

Privacy issues associated with facial recognition in businesses open to the public get a lot of well-deserved attention. Clearly, facial recognition technology could be deployed in businesses open to the public in ways that are injurious to a reasonable person's expectation of privacy. Brainstorming those ways, however, takes us pretty far away from the ROI calculation that is motivating retail outlets to seek out technologies that can help them reduce losses due to theft.

The privacy focus for facial recognition in retail spaces should be on what data is collected and what happens to it. In this case that means the photos and the personal information that go along with them. The easy part is that retail establishments have been collecting information on suspected shoplifters for a long time now and they already have policies about what they collect, when they collect it, and how long they retain it. The hard part is that new facial recognition technology makes sharing the information easier, securing it more difficult (and important!), and it requires new training for loss prevention staff about what, exactly, the technology is telling them.

That brings us back to the ROI. Obviously, using facial recognition to prevent a $15,000 organized crime heist helps the ROI calculation. Using facial recognition to interrupt a shopper based upon a "false positive" ID hurts the ROI calculation. So there's at least a little bit of good news here for privacy: The ROI calculation that is so important to the business's decision whether or not to use a facial recognition system does have a built-in way to account for at least some privacy concerns.

Monday, November 9, 2015

Banks like veins

Banks drawn to vein pattern recognition biometrics (Electronics News)
Vein recognition technology is restricted to checking vein patterns of living body tissues and offers reliable reading. Moreover, vein patterns are nearly impossible to counterfeit. Many banks worldwide consequently have incorporated this technology into their ATMs to improve the user authentication procedure of these machines.
While the ease of duplicating fingerprints to hack biometric systems is regularly overstated, it is a possibility. I've never even heard of anyone trying to spoof a finger- or palm vein biometric system.

The trade-off for vascular biometrics is that the sensors are typically larger and more expensive than fingerprint readers and there are fewer vendors offering vein technology. Nevertheless, certain deployments lend themselves well to vein biometrics.

Thursday, November 5, 2015

Forecast: Global fingerprint recognition & mobile biometrics market

Global fingerprint recognition and mobile biometrics market to grow at a CAGR of 215.49% during 2014-2019 (Market Research Reports)

Banks using voice biometrics to counter social engineering

More companies are turning to voice biometrics for security purposes (Digital Trends)
Technology known as voice biometrics seems to be the next big thing in keeping your accounts safe and sound, especially with the alarming rise in call-in center fraud. In this latest version of trickery, criminals take advantage of human error and human emotions when they dial into a customer service line, describe some fictional situation that garners the representative’s sympathy, and subsequently gain access to sensitive data and, of course, money. $10 billion worth last year, in fact.
The purpose of identity management technology is to force fraudsters into social engineering. Identity management technologies can still help with that, too.

Biometrics + Cryptography

Keeping your passwords safely in the palm of your hand (electropages)
...[C]ontactless palm vein recognition technology is nothing new and was first demonstrated back in 2002 and is widely used. It works by extracting feature data from biometric data. With previous technologies, confidential data was encrypted with this feature data, but when decrypting, the feature data extracted from biometric data would usually be matched with the encrypted data. This does not present a problem when used in a personal device, such as a laptop or smartphone, but when used via an open network such as in the cloud, a more secure decryption technology is necessary to prevent leaks of biometric data.
The article discusses encryption within biometric templates using Fujitsu's palm vein technology, but the idea would seem to be applicable across biometric modalities.

Monday, November 2, 2015

Kuwait: Ministry discovers approximately 40% of paid workers are ghosts

Fingerprint attendance system exposes workers (MENAFN)
Ministry sources said the application of fingerprint attendance system uncovered many employees who continued to receive their monthly salaries although they were absent from duty for several years, in addition to those who traveled abroad without permission and others held behind bars on legal issues.

The same sources affirmed that the authorities next month will start deducting salaries and hold absentees accountable for their actions, along with those who skip the fingerprint attendance system on a regular basis.

They noted the implementation of the system has uncovered the reality of all problems and complications the ministry endured throughout the years, and last week, about 3,000 of the estimated 7,500 employees were compelled to apply for leave, and "the mass leave application" was to avoid their inclusion in the fingerprint attendance system, as they fall in the category of 'absentees and evaders' of the fingerprint attendance system.

Positive review for Microsoft facial authentication on new hardware

Windows Hello facial logins on the new Surfaces are rather impressive (Ars Technica)
With Hello enabled, logging in to the machine is as simple as sitting down in front of it. The lock screen shows the Windows Hello "eye" looking around, and the detection is near-instantaneous. It takes longer for Windows to dismiss the lock screen and show the desktop than it does for it to recognize you in the first place. In fact, it's so quick that a kind of delay had to be built in. If there were no delay, locking your PC with Windows+L (or the Start menu option) would be nigh impossible.

Tuesday, October 27, 2015

Iris mobile NFC barcode ATM app

Citi tests ATMs that replace plastic cards with mobile phones, QR codes, NFC and iris scans (NFC World)
Customers using one of the new Irving ATMs download a mobile app and set up the transactions they wish to make when they reach the ATM on their mobile phone. They can then choose to have a QR code scanned by the ATM, tap their NFC phone against the ATM or have their iris scanned to authenticate themselves in order to complete the transaction they previously logged inside the mobile app.
This "grab bag" ID regime is interesting. Throw in Bluetooth, fingerprints, RFID and chip-on-card technology and the number of permutations of possible ID deployments goes up even higher. This is good news both for consumers and for businesses with ID management challenges.