Tuesday, April 28, 2015

US GAO: To reduce fraud, Medicare smartcards need biometrics

Smart cards would do little to curtail Medicare fraud: GAO (McKnight's)
...[K]ey [smartcard] benefits, including the ability to electronically exchange beneficiary medical information and electronically convey beneficiary identity and insurance information to providers, would do little or nothing to deter fraud, experts said.

Adding certain layers of protection to smart cards like biometric information or a picture ID could help to deter fraud, the GAO said.
Note: GAO = Government Accountability Office

SIBA head testifies before congressional committee on border biometrics

Senate Homeland Security Committee calls SIBA's Kephart to testify (Secure Identity & Biometrics Association (SIBA))

Testimony before the Senate Homeland Security & Governmental Affairs Committee
Tracking the arrival and departure of foreign visitors to the United States is an essential part of immigration control, law enforcement and national security. The need for arrival controls is obvious, but recording departures is also important; without it, there is no way to know definitively whether travelers have left when they were supposed to. Biometric entry/exit and transfer solutions are proven in their feasibility, low cost, added security value, increased efficiencies, travel convenience, and accuracy. Good products are available off the shelf. They are flexible and built, and can be customized, for many environments. The biometric, secure document and identity management industry is well-versed in integration with back-end data systems while building in flexibility for the future. Biometric solutions such as facial recognition, fingerprints and iris scans assure identity when coupled with biographic information found in travel documents. Using only biographic information, however, such as names or passport numbers, provides no assurance that the person departing is the one whose original arrival was recorded.
The quote above is taken from the pdf linked to the article at top. The 29-page document is an excellent resource for those interested in the topic.

Biometrics a factor in World Bank's optimism on India

While India’s Economy has Turned the Corner, Wider Reforms are Needed to Boost Economic Growth (World Bank)
The report points out that India’s government has begun to implement reforms to unlock the country’s investment potential - to improve the business environment; liberalize FDI; boost both public and private investment in infrastructure; quickly resolve corporate disputes; simplify taxation, and lower corporate taxes. States are set to receive more resources and spending power, and the government has reiterated its resolve to implement the GST by April, 2016, a move that is widely expected to meaningfully increase India’s tax to GDP ratio. New models of delivering benefits through direct transfers to bank accounts, together with the biometric identification of beneficiaries, are expected to reduce leakages.

Monday, April 27, 2015

India: UID milestone

Aadhaar world’s largest biometric ID system (Times of India)
The Aadhaar card has emerged as probably the world's largest biometric identification programme in the world with the Unique Identification Authority of India (UIDAI) issuing nearly 82 crore cards.
1 crore = 10,000,000

We haven't been spending as much time on issues of economic development as we have at other times in the past, but India's major ID initiatives are creating a lot of opportunities to lift millions out of poverty.

Friday, April 24, 2015

Best comments thread I've seen in a while...

Biometrics May Ditch The Password, But Not The Hackers (NPR) — The piece itself is rather de rigueur, but the comments are a great way to start Friday.

It looks like that Paypal piece was pretty widely read.

Consent and Trust

Biometric Data Without the Big-Brother Angst (American Banker)
At the end of the day, biometric data is really just another type of personal data that banks hold, access and use with the trust of customers and employees. But obtaining consent should not just be seen as merely a bureaucratic necessity. It is part of a process by which banks can maintain and enhance trust — which only becomes more important in the age of big data and virtual relationships.

Thursday, April 23, 2015

Older Android versions had more vulnerabilities

Is Samsung's Galaxy S5 'leaking' YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.
The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above is not at risk and the security experts are advising people on older models to update as soon as possible.
The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here's a great example.

A close reading of the article reveals that earlier releases of Google's version of the Android mobile OS weren't as secure as they are now. This will come as news to few. The article points out that, "Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset's built-in sensors, including the fingerprint scanner."

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it's their outfit; it's their call.

For readers here, instead of "OMG fingerprints[!]," I'd emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past "hacks" of biometric systems have been executed on a playing field far more favorable to the hackers than the real world, one where all the other layers of the security regime are stripped away from the one security link they want to test. Here's a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn't a hack in any real sense — it's a malware test.

That hypothetical scenario would mimic a real-world case in which a user lost their phone, the bad guys got it, loaded software onto it and then returned the device to the user, who carried on as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn't encrypted (with a strong key). Even that only protects data at rest: in this scenario the planted software runs after the legitimate user unlocks the device and sees the same plaintext the user does, including whatever the sensors capture.

So, without more information, it's hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device's software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

Wednesday, April 22, 2015

Monday, April 20, 2015

Looking for cyborg customers, or, I forgot to take my Paypill

Kill all passwords by eating them says PayPal (Techworld)
He says external body methods like fingerprints are “antiquated”, and that internal body functions like heartbeat and vein recognition using embedded and ingestible devices are the future, to allow “natural body identification”. LeBlanc says internal devices could include brain implants, and that ingestible devices could be powered by stomach acid that runs batteries.
Time will tell, I guess, but user acceptance has been a big issue for identity management solutions using biometrics. A bank asking customers to put something in their body in order to access their money would seem to be of another character entirely.

Perhaps the analysis is meant to provide a perspective on what far-distant ID management technologies will look like. Even then, with the exponential growth of the computing power in "externally carried computers" i.e. smartphones, it's hard to see how gaining a foot or so of proximity distance by moving the token inside the body lowers error rates enough to justify the mess.

The subtext is this, though:

"We know how to identify machines. People are a pain. If we can just turn the people into enough of a machine, all our problems are solved." In other words, engineering! There's a problem here, though. If you turn the machines into people, the machines will probably get harder to identify.

At SecurLinx, we'll keep at it just in case.

Thursday, April 16, 2015

US: Social Security Number is an unreliable identity management technology

Should We Kill the Social Security Number? (Huffington Post)
That's right: Social Security numbers were not intended for identification. They were made to track how much money people made to figure out benefit levels. That's it. Before 1972, the cards issued by the Social Security Administration even said, "For Social Security purposes. Not for Identification." The numbers only started being used for identification in the 1960s when the first big computers made that doable. They were first used to identify federal employees in 1961, and then a year later the IRS adopted the method. Banks and other institutions followed suit. And the rest is history.
Author: Adam Levin, Former Director New Jersey Division of Consumer Affairs; Chairman of Credit.com and Identity Theft 911.

There's a lot of good data in the article about just how much fraud is perpetrated against the IRS, fraud that is at least partly due to over-reliance on the Social Security number for ID purposes.

Wednesday, April 15, 2015

True cybersecurity requires a conceptual shift

The user knows nothing: Rethinking cybersecurity
This position — that the adversary knows your system as well as you do, if not better, as soon as it is stood up — while extreme, led to the creation of large number factorization, the basis for all modern encryption, from PGP to RSA tokens. Under these encryption schemes, as long as the key is kept private, someone can know everything about how the security system works and still not be able to crack it.

To get to a place of true cybersecurity, another stark innovation in thinking is needed. What is needed is an Inverse Shannon's Maxim: the user knows nothing.
Coincidentally, our CTO and I were having a conversation along these lines just yesterday. It's a thrill a minute at SecurLinx!
Note: The principle the article is paraphrasing is Kerckhoffs's principle, restated by Shannon as "the enemy knows the system." It predates public-key cryptography and applies just as much to symmetric ciphers such as AES, which involve no large-number factoring at all; factoring is the hard problem behind RSA specifically, not the basis of all modern encryption.

Quick links

South Africa: Banks piling into biometric security (The Citizen)

From the Interpol World Conference:
Security experts call for tighter international border control (Albawaba News)

New biometric permit cards required for long-term stays (Cayman Compass)

Tuesday, April 14, 2015

Israel: Interior Minister foresees mandatory biometric ID

Erdan wants advanced biometric ID card mandatory for all Israelis (Jerusalem Post)
All citizens will have to gradually move to biometric identification, Interior Minister Gilad Erdan said Monday, submitting a report on the system’s pilot run to the cabinet and Knesset.

“Smart biometric documentation that cannot be counterfeited, together with use of the biometric data will allow a full security and defense package for Israeli citizens’ identities and will balance our responsibility to ensure their security with our requirement to defend their privacy,” Erdan stated.
Obviously, his stance isn't universally popular, but read the whole thing. There are a lot of good bits of information there including this one: Israel is the OECD country with the most counterfeited passports.

India: Using biometrics to protect vulnerable children

Aadhaar goes to orphanages, joins war on child trafficking (Bangalore Mirror)
Aadhaar's comprehensive database that comprises iris (retina scan) and biometric (fingerprint) information is hoped to aid enforcement agencies find missing children, curb human trafficking and check illegal adoptions. Aadhaar enrolments have begun in Karnataka for children in child care institutes run by the state government's Department of Women and Child Development. Nearly 4,000 kids and youngsters are in care of state homes and will get identity cards.
A few notes:

Aadhaar means "foundation." The programme is also known as the UID project, for Unique Identification (the issuing body is the Unique Identification Authority of India, UIDAI).

The quoted passage's "iris (retina scan)" conflates two different modalities: iris recognition images the coloured ring around the pupil, whereas a retinal scan images the blood-vessel pattern at the back of the eye. Aadhaar enrolment captures iris images and fingerprints (plus a face photograph), not retinal scans.

In the quoted passage above, "child care institutes" are orphanages rather than the child care centers some readers may be more familiar with.

Forecast: Global biometrics market CAGR 14% through 2020

Global Biometrics Market Forecast & Opportunities 2020 (TechSci Research) — The global biometrics market is projected to register a CAGR of around 14% until 2020.

Monday, April 13, 2015

The attorney suing Facebook

A lawyer Silicon Valley loves to hate (Seattle Times)
Though one tech financier calls Jay Edelson “a leech tarted up as a freedom fighter,” the Chicago class-action lawyer has had an impact on the privacy issues that the Internet has made so pervasive.

Biometric tech for bikers wins Singapore award (Planet Biometrics)
Already hosting some 40,000 enrolees, the BIKES system facilitates self-immigration clearance at designated lanes. Designed for speed and accuracy, the process takes under 16 seconds.
Singapore has been one of the more enthusiastic adopters of border biometrics.

The question: when will biometrics take over from passwords? (The Guardian) — Four smart takes on large-scale customer-facing authentication.

Wednesday, April 8, 2015

USAA and customers both embrace biometrics

Biometric Innovation Boosts USAA Fiscal Results, Customer Satisfaction (Mobile ID World)
In a synopsis, the company credited its strong performance – which saw its net worth increasing by ten percent, reaching $27 billion – at least in part to “innovations such as secure facial and voice recognition on mobile devices”.
Tying in to the post below, the article mentions that the USAA customers who use it really love Apple Pay.

A sceptical look at Apple's Touch ID for banking

Why RBS and NatWest were wrong to trust Apple on biometric security (Information Age)
Here, Richard Walters, GM and VM at Intermedia, expands on Whaley’s criticism, claiming that the biometric technology offered by Apple is not secure enough to support sensitive activities like mobile banking.
Very much worth reading in its entirety.

Tuesday, April 7, 2015

News you can use

Florida man, initially thought dead, arrested after facial recognition match (Ars Technica)
A Florida businessman accused of falsifying his death overseas was located and then arrested by federal authorities after facial recognition software returned a match to his face in passport records. Jose Salvador Lantigua now faces one federal count of providing a false statement on a passport application.
Though never easy, it's getting harder to fake your own death.

Illinois: More on the Facebook facial recognition lawsuit

Facebook lawsuit calls collection of biometrics data illegal (Biometrics Update)
According to the Illinois Biometrics Information Privacy Act, it is unlawful to acquire biometric data without first providing the subject with a written disclaimer that details the purpose and length of the data collection, and without the subject’s written consent.
Read the whole thing.

Photos aren't simply records of something that happened, mere mementos, anymore. They're search terms and search results. That has implications for both public and private entities who collect and store images of people. Ordinary snapshots are now biometric data.

Now, about those Florida school yearbooks...

New Zealand: Biometrics allow for the return of ten-year passports

Prime Minister John Key: 10-year passports in six months (New Zealand Herald)
New Zealand moved to five-year passports in 2005 in response to security concerns sparked by the 2001 terrorist attacks in the US...

In addition, developments in biometric technology have allayed concerns about passport fraud and counterfeiting.

Monday, April 6, 2015

Facial recognition technology is changing how we think about photography

SCOTLAND: Cash-strapped police spend £700k on UK database (The Scotsman)
The MPs noted a “worrying” lack of government oversight and regulation of the use of biometrics by public bodies.

It called for day-to-day independent oversight of the police use of all biometrics, and for the Biometrics Commissioner’s jurisdiction to be extended beyond DNA and fingerprints.

ILLINOIS: Does Facebook's facial recognition technology violate privacy laws? (ABA Journal)
The lawsuit, filed Wednesday, argues that the social media company was required by Illinois law to inform Carlo Licata in writing that it would collect and retain his “biometric data,” and specify when it would destroy that data.

Both Facebook and the police in Scotland have been collecting photos of individuals for years but facial recognition technology changes things. Photos aren't simply records of something that happened, mere mementos, anymore. They're search terms and search results.

That has implications for both public and private entities who collect and store images of people.

Ordinary snapshots are now biometric data. The news pieces above both show long-standing policies being scrutinized in the context of reliable facial recognition technology.

Friday, April 3, 2015

Face rec vs. the knockout game

Philadelphia teen arrested in filmed knockout punch of SEPTA passenger (New York Daily News)
Facial-recognition software reportedly helped collar a 16-year-old boy in Monday's violent Philadelphia subway attack that left a 60-year-old man knocked out cold and suffering a broken jaw.

Thursday, April 2, 2015

More fingerprint readers for mobiles

OnePlus Two release date, specs: highly advanced biometric scanner (Christian Today) — OnePlus's hardware naming convention sure is going to be fun!

HTC One M9+ teaser images point to QHD display and fingerprint scanner (Trusted Reviews)

Wednesday, April 1, 2015

Don't forget the biometrics

Denmark issued 10,947 passports without fingerprints (Customs Today)
The different municipalities of Denmark issued flawed passports without fingerprints, stated by the Customs authority. Earlier the Customs authorities discovered the mistake and informed the affected municipalities. Passports issued from 44 municipalities after the date of February 2nd are missing biometric fingerprints due to an error made by...
I wonder how the oversight was discovered.

Apple granted patent for mobile device face unlock

Apple wants you to be able to unlock your iPhone with a selfie (Business Insider)
There's no guarantee Apple will implement the technology - the Cupertino company obtains numerous patents that it never uses. These can be precautionary, or intended to trip up or block competitors. But as the industry increasingly looks to kill traditional passwords, selfie-secured iPhones sound surprisingly plausible.

Samsung looks to mobile iris biometrics

Iris Biometrics to Appear in Samsung Mobile Devices (Mobile ID World)
SRI International’s Iris on the Move (IOM) technology is about to see a number of integrations into mobile products. The company’s iris-scanning technology has been licensed to Samsung and will initially appear in the Samsung Galaxy Tab Pro 8.4 tablet before finding other integrations.