Tuesday, September 29, 2015

Payments: Visa's chip-on-card biometrics

Visa develops a new spec that enables palm, voice, eye and facial biometrics with chip card payment. (Visa - Tech Matters)
Here’s how it works: Visa’s new architecture enables fingerprints to be securely accepted by a biometric reader, encrypted, and then validated. The specification supports “match-on-card” authentication where the EMV chip card validates the biometric so that it is never exposed or stored in any central databases. Issuers can optionally validate the biometric data within their secure systems for transactions occurring in their own environments, such as their own ATMs.

Wednesday, September 23, 2015

US: Office of Personnel Management raises assessment of biometric hack to 5.6 million individuals

OPM: Stolen biometric data list grows by 4.5 million (Fedscoop)
The Office of Personnel Management underestimated the number of people who had their biometric data stolen in this year’s high-profile hack, with an additional 4.5 million people being affected.

In a Wednesday press release, an OPM spokesman said the subset of individuals whose fingerprints have been stolen has increased from approximately 1.1 million to 5.6 million. That number, according to the agency, comes after OPM and the Defense Department identified archived records containing additional fingerprint data that were not previously analyzed.

Tuesday, September 22, 2015

US: Should government agencies outsource authentication?

How authentication tools can save hundreds of millions in cash (Federal Times)
Federal agencies across the board are looking to improve cybersecurity by finding ways to validate users accessing citizen services online. But there are also significant savings to be found for the cost-minded agencies (read: all agencies).

Monday, September 21, 2015

Identical twins don't have identical fingerprints

Biometric data helps immigration authorities catch woman using twin's identification (WPLG - Miami).

Security vs Privacy discussion matures...

Roundtable: Identity and access management (SC Magazine)
It's a line that's hard to walk, the one between usability, security and privacy – one that might get harder and harder to walk if things keep going the way they are. Increasingly, businesses depend on personal information offered by customers, Chandler reminds us: “We're going on to a shared business environment, where we share information in order to make the community better.” With the growth of wearables, sensors and the Internet of Things – voice-activated TVs for instance – this trend might be hard to mitigate.

Friday, September 11, 2015

US: Iowa, Morpho Trust, and prototype digital IDs

Iowa DOT Using Digital ID’s (WHOtv)
Iowa Department of Transportation Director Paul Trombino says Iowa is the first state to offer a prototype for digital licenses currently being used by Iowa DOT employees. The new licenses, which will only be optional and not mandatory, are fitted with even more secure technology than the card version.

Trombino explained, "I use a fingerprint to open up my phone that can help authorize that. You may have to make a facial movement so it's not just looking at a picture in order to open up the biometric perspective, so only you can open that up." If that isn't secure enough, "The picture physically moves, so it's not a static picture like your regular driver's license," said Trombino.

Wednesday, September 9, 2015

Australia funds national face recognition capability

Govt funds $18.5m Aussie facial recognition database (iTnews)
It will allow law enforcement agencies to share citizens' facial images to identify unknown individuals and verify identities.

The 'national facial biometric matching capability' will match a facial photograph to images on passports, visas and driver’s licences, and will initially offer functionality to match the identities of known individuals. It will later be able to match unknown individuals, the AGD said last month.

It will be targeted towards identity theft, fraudulent identity documents and "other serious criminal activity", AGD said.

Tuesday, September 8, 2015

Japan airports to install mobile biometric terminals to screen foreign passengers (Airport Technology)
After capturing the visitors' images and fingerprints, the terminals will send the information to the immigration desk.

The Justice Ministry expects Biocarts to reduce waiting time for travellers as well as ease the burden on the immigration staff.

Another Illinois Facebook face recognition lawsuit

Gillen v Facebook (Scribd)

Note: BIPA = Biometric Information Privacy Act

I have removed two footnotes in the original.

NATURE OF ACTION

1. Plaintiff brings this action for damages and other legal and equitable remedies resulting from the illegal actions of Facebook in collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information (referred to collectively at times as “biometrics”) without informed written consent in violation of the BIPA.

2. The Illinois Legislature has found that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information.” 740 ILCS 14/5(c). “For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

3. In recognition of these concerns over the security of individuals’ biometrics – particularly in the City of Chicago, which was recently selected by major national corporations as a “pilot testing site[] for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias,” 740 ILCS 14/5(b) – the Illinois Legislature enacted the BIPA, which provides, inter alia, that a private entity like Facebook may not obtain or possess an individual’s biometrics unless it: (1) informs that person in writing that biometric identifiers or information will be collected or stored, see id.; (2) informs that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used, see id.; (3) receives a written release from the person for the collection of his or her biometric identifiers or information, see id.; and (4) publishes publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information, see 740 ILCS 14/15(a).

4. In direct violation of each of the foregoing provisions of § 15(a) and § 15(b) of the BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.

5. Specifically, Facebook has created, collected and stored over a billion “face templates” (or “face prints”) – highly detailed geometric maps of the face – from over a billion individuals, millions of whom reside in the State of Illinois. Facebook creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces appearing in photos uploaded by their users. Each face template is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.

6. Plaintiff brings this action individually and on behalf of all others similarly situated to prevent Facebook from further violating the privacy rights of Illinois residents, and to recover statutory damages for Facebook’s unauthorized collection, storage and use of unwitting non-users’ biometrics in violation of the BIPA.

A wrinkle in this lawsuit is that the plaintiff is not, and never has been, a registered Facebook user and therefore could not have agreed to Facebook's terms of service.

Friday, September 4, 2015

Serious ROI in remote patient monitoring

How one health system saves $90,000 per patient (Healthcare IT News)
NAH [Northern Arizona Healthcare] saw hospitalizations drop from 3.26 mean per patient to 1.82 and days hospitalized drop from 13.98 mean per patient to 5.13 and, based on the health system's data about the first 50 patients six months prior to enrollment and six months after enrollment, that added up to savings of approximately $92,000 per patient.

The "biometrics" discussed in the article aren't biometrics for identification, but ID biometrics will certainly be a part of the picture as these kinds of technologies are adopted more widely.

New DHS plans for biometrics should inform current corporate CIOs

DHS Outlines Plans to Enhance Use of Biometric Tech (Find Biometrics)
America’s Department of Homeland Security has released a new strategic framework on how it plans to move forward implementing biometric technologies. Entitled “DHS Vision Statement on Enhanced Biometric Capabilities”, the document indicates a tightening embrace of the technology.
The full DHS vision statement can be downloaded here [.pdf; 13 pages].

Interesting excerpt:
The DHS Office of Biometrics and Identity Management (OBIM) operates and maintains the DHS Automated Biometric Identification System (IDENT) and provides identity management services and expertise across DHS. Front‐end capabilities (i.e. biometric collection devices, applications, interfaces and supporting infrastructure) are each managed and maintained independently by the components, with limited collaboration. National Security Presidential Directive (NSPD)‐59 / Homeland Security Presidential Directive (HSPD)‐24 “Biometrics for Identification and Screening to Enhance National Security,” charges federal executive departments and agencies to use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric information. Access to external federal biometric databases however, through bilateral interoperability agreements, is not fully implemented, requiring DHS components to employ mission centric solutions for integrating certain biometric exchanges with the Federal Bureau of Investigation (FBI) and the Department of Defense (DoD). This requires DHS components to work independently with the FBI and DoD to integrate with each biometric system for access to data that assists in identifying and adjudicating subjects. The current IDENT system, although able to store multi‐modal biometrics, offers matching capability for fingerprints only, limiting operational components’ ability to implement the use of alternate biometrics that may better suit operational needs. Current DHS Component systems tend to be encounter‐based – instead of person‐centric – requiring biometrics collection processes to be repeated, rather than just verified. Connectivity for systems that collect biometrics in the field is inconsistent, often not allowing real‐time access to federal biometric databases. 
Further, existing biometric collection systems in the field are dated, many are at end‐of‐life, impacting the quality of the biometrics collected, which affects overall performance.

Current and prospective CIOs should reread that paragraph. The future of identity management is large-scale, multimodal, interconnected and updated as soon as possible, and provides access to virtual and physical resources. The earliest adopter of large-scale biometrics is coming to grips with the challenges of biometrics 2.0. At SecurLinx, we have designed our technology and approach to help our customers cope with the dead-ends and cul-de-sacs associated with gradual adoption of new ID technologies and provide them the flexibility to take advantage of the opportunities afforded by emerging technology.

Thursday, September 3, 2015

Mature talk on authentication...

Security vs. usability—that's the choice we make with passwords (Phys.org)
We all need some kind of authentication process if we are to access information systems at work or at home. We know why we need to do it: to make sure we have access to our data and unauthorised people don't.

So why do we routinely ignore such advice[...]?
Not all passwords protect equally valuable access. It turns out that many people are choosing weak passwords on low-priority systems like retail and media sites, and stronger authentication measures on high-priority systems like finance and work-related systems.

This sheds light on why even rigorous security measures like biometrics are being applied to instances where people are willing to jump through more password-related hoops but find the password regime horribly inconvenient.