Security & privacy

Iris recognition at a distance, on the move

I have recently run across an interesting patent application from Sarnoff Corporation that may have profound privacy implications. The application, titled “Method and apparatus for obtaining iris biometric information from a moving subject” describes the system that would be necessary to make the scenes in the movie Minority Report a reality.


What Sarnoff describes is a collection of iris cameras that repeatedly scan a person, even if they are fairly far away and in motion, until a usable iris image is captured. Just like the movie, people could be scanned as they enter a building or walk down their street, and the iris information could be used for identification.

Traditionally, face recognition has been used for this kind of task, but face recognition systems have not been very accurate. Iris recognition is far more accurate, so a ubiquitous, highly accurate, covert identification system may soon be a reality.


New graphical password system

Here is another graphical password scheme. This one appears to use a complicated collection of categories, images, and letters. As with other schemes, it is not clear how usable the system will be. Most problematic are the confusions that may arise as people use the system for more and more accounts. Very little research has been done on confusions with graphical passwords.

New ‘passwordless’ authentication technology debuts at Web 2.0 Expo

At the time of login, users are presented with an array of images including an airplane, a car, or a key, and several other unrelated images. Each image has a letter stamped on top of it. To successfully log in, the user has to select the images in the categories that he/she selected as the password. For example, if you’ve selected airplane, car, key as your password, then you need to find the images of the airplane, the car, and the key in the grid, and enter the letter on top of each one of them. Each time you try to log in, the images change. The “car” one time may be a Mercedes-Benz, the next time a Ferrari. The images’ positions in the grid change, too. And the letters that go with the proper images also change. This makes the password very difficult to hack. Since other observers do not know the user’s categories, they do not know which of the displayed access codes to use as the key. Only the user can interpret the grid and notice the series of digits that acts as the one-time access code.
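The login round the quoted article describes, worked through as an added Python example (not code from the original post or from the vendor): the server builds a grid with one picture per category, each stamped with a distinct letter, and the one-time code is the letters on the user’s enrolled categories. The picture catalogue and function names such as `make_challenge` are my own assumptions about how such a scheme could be built.

```python
import random
import string

# Constructed picture catalogue (category -> candidate pictures); not the vendor's data.
CATALOGUE = {
    "airplane": ["biplane", "jumbo jet", "glider"],
    "car": ["Mercedes-Benz", "Ferrari", "pickup truck"],
    "key": ["house key", "car key", "skeleton key"],
    "dog": ["beagle", "husky"],
    "tree": ["oak", "pine"],
    "boat": ["canoe", "yacht"],
}


def make_challenge(seed):
    """Server side: pick one picture per category, stamp each with a distinct
    letter, and shuffle the grid positions.  Returns (grid, answer_key):
    grid is a list of (picture, letter); answer_key maps category -> letter
    and is valid for this session only.  The seed stands in for the
    server's random source so the example is reproducible."""
    rng = random.Random(seed)
    categories = list(CATALOGUE)
    rng.shuffle(categories)
    letters = rng.sample(string.ascii_uppercase, len(categories))
    grid, answer_key = [], {}
    for category, letter in zip(categories, letters):
        grid.append((rng.choice(CATALOGUE[category]), letter))
        answer_key[category] = letter
    return grid, answer_key


def expected_code(answer_key, secret_categories):
    """Server side: the one-time code is the letters on the user's
    categories, in the order the user enrolled them."""
    return "".join(answer_key[c] for c in secret_categories)


def category_of(picture):
    return next(c for c, pics in CATALOGUE.items() if picture in pics)


def user_reads_code(grid, secret_categories):
    """Client side: the user recognises which picture belongs to each of
    their categories and types the letters stamped on those pictures."""
    letter_for = {category_of(pic): letter for pic, letter in grid}
    return "".join(letter_for[c] for c in secret_categories)


def verify(answer_key, secret_categories, typed):
    """Server side: accept only the code derived from this session's grid."""
    return typed == expected_code(answer_key, secret_categories)
```

Because the pictures, their positions and their letters are redrawn for every challenge, a code read off one grid is meaningless against the next.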


Successful attacks against two-factor authentication used at banks

Here is a report of a successful, real-time, man-in-the-middle attack against a two-factor authentication system used at a Dutch bank. Apparently, Trojan software installed when users clicked on a fake email message allowed the fraudsters to record the one-time password and then use it to conduct their own transactions. This is taking phishing to a new level.

Phishing attack evades ABN Amro’s two-factor authentication

Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer’s account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer’s money.


Model privacy notice for US financial industry based on user research

Recently, the FTC and eight federal regulators of the financial industry in the US have proposed adoption of a model privacy notice form. This form would be used by financial institutions to inform customers about the institution’s privacy practices, and provide opt-out opportunities for the sharing of personal information.

This model privacy notice was developed using iterative, user-centred research and development. A report by the Kleimann Communication Group describes the research that went into the prototype. The goal of the project was to develop a paper-based privacy notice that was comprehensive, comprehensible, standardized to allow comparisons, and compliant with existing regulations.

The research and development process was conducted over 16 months and included 2 focus groups of 10 people each, preference testing with 7 participants, pre-testing with 4 participants, and diagnostic usability testing with 35 participants in 5 US cities. The model notices were revised during each of these steps. Page 1 of the final 3 page form is shown below.


The prototype privacy notice contains 4 main sections: (1) a “key frame” that answers generic Why, What, and How questions concerning the sharing of personal information; (2) a disclosure table that states the practices of the specific financial institution using the form (e.g., information is shared with affiliates for marketing purposes), and whether the customer can control those practices (i.e., opt-out options); (3) a secondary frame that provides definitions (e.g., “affiliates”) and answers to frequent questions (e.g., Why can’t I limit sharing?); and (4) an opt-out form where customers indicate their privacy choices.

The final prototype notice appears to be a usable and flexible tool for gaining understanding and consent. Follow-up evaluation is being planned once the notices have been used with the general public.

The development methodology and the resulting model forms might be applied to other areas where notice and consent are required. For example, participant consent forms used during research on human subjects are often overly long and complicated, frequently written with the intent of appeasing an ethics review board rather than informing the participants. Perhaps the approach used for these privacy notices could be used to improve and standardize such consent forms.


The keys to the asylum — Why you should fear terrorist watch lists

Not only are there many cases of mistaken matches against terrorist watch lists, but the lists are being used, indeed must be used, by US businesses to screen their customers. So we have business owners deciding who is a terrorist, who is not, and who might be, and they are forced to deny service for fear of huge penalties.

Ordinary Customers Flagged as Terrorists

“The way in which the list is being used goes far beyond contexts in which it has a link to national security,” said Shirin Sinnar, the report’s author. “The government is effectively conscripting private businesses into the war on terrorism but doing so without making sure that businesses don’t trample on individual rights.” The lawyers’ committee has documented at least a dozen cases in which U.S. customers have had transactions denied or delayed because their names were a partial match with a name on the list, which runs more than 250 pages and includes 3,300 groups and individuals. No more than a handful of people on the list, available online, are U.S. citizens.

Yet anyone who does business with a person or group on the list risks penalties of up to $10 million and 10 to 30 years in prison, a powerful incentive for businesses to comply. The law’s scope is so broad and guidance so limited that some businesses would rather deny a transaction than risk criminal penalties, the report finds.



US Department of Energy reduces, but does not eliminate, polygraph testing (lie detectors)

The Congressional Research Service (CRS) in the United States recently issued a report on polygraph testing (lie detectors). Until recently, polygraphs were routinely used to screen current and potential employees for certain government jobs, most notably jobs at nuclear laboratories run by the Department of Energy (DOE).

In 2002, the US National Academy of Sciences (NAS) questioned the routine use of polygraphs at the DOE, finding that the tests were unscientific and inaccurate. There have also been many cases where security violators have passed polygraph testing, while innocent people had apparently “failed.” While the polygraph examination may have some utility for deterring security violations, and increasing admissions of guilt, there is little scientific evidence to support the claim that it can be used to detect deception and lies, especially when used for employee screening.

In response, the DOE now uses polygraph testing only for specific cases, such as where there may be intelligence concerns or a specific security incident. However, the new rules do include “random” selection as a specific cause. This new report from the CRS says that this is a step in the right direction, but that there is still a need for more research on the accuracy and validity of polygraphs, and for alternative methods. The report also asks whether, given the validity concerns and the risk of creating a false sense of security after a passed test, the government should consider eliminating polygraphs as a screening tool altogether.


Scary trojan collecting “protected” login/password information

Here is a scary story about a new trojan that infects PCs by exploiting IE flaws. The malware then captures login credentials and sends them back to a “mothership.” Most notable is that SSL/TLS provides no protection, since the data is captured on the client before it is encrypted, and that many antivirus products were slow to recognize it.

Gozi Trojan

Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.

Update: I have been reading this important article more carefully and I have prepared a summary essay.



Essay on privacy practices for HCI research

I have reproduced an essay published last year in the HOT Topics online journal.

This article reviews the privacy requirements that should be considered when conducting HCI research. Legislation is reviewed for many countries and employment situations, and the OECD privacy protection guidelines are used to make concrete recommendations to HCI researchers and practitioners.

Have a look at the essay and provide comments.


New essay on biometrics and identity theft

I have drafted a new essay on biometrics and identity theft. This is an extension of a previous essay on authentication technologies in general.

In this essay I focus on biometric authentication systems, which include systems based on fingerprints, hand or finger scans, and iris, voice, and face recognition. Biometrics are receiving a lot of attention in discussions about identity theft because of the possibility of uniquely identifying people in a reliable way.

Although biometrics offer great potential, they have serious limitations, and their use may sometimes increase, rather than decrease, the risk of identity theft.

Please have a look at the essay and make comments:

Biometrics and Identity Theft


Authentication and Identity Theft

I have drafted a new essay on authentication and identity theft. The purpose of this essay is to review the relationship between authentication and identity theft, with a focus on current and proposed electronic authentication methods. Because of the high rate and cost of identity theft and the rapid development of new authentication methods and services, there has been a lot of attention in this area.

My goal is to examine what upcoming authentication solutions may improve things in the short-term, to examine what would be necessary for long term authentication solutions, and to consider identity theft in the broader context. The focus is on financial services conducted electronically both on and off the Internet, such as online banking and automated teller machines (ATMs).

Authentication and Identity Theft
