Saturday, March 20, 2010

Biometrics becoming the norm for Aussie banking (SC Magazine Australia/NZ)

Log into online banking at the blink of an eye.
Australian banks are taking a closer look at biometric authentication as a means of reducing fraud, thanks to an improved business case, increased consumer concerns about personal data and some impressive breakthroughs in technology.
In June, National Australia Bank became the first Australian bank to roll out a biometric-based solution for customer authentication, implementing a voice-based system for telephone banking customers.
Tim Cullen, head of direct channels with NAB, said the voice authentication has "far exceeded expectations."
"Nine out of ten customers when offered it are taking up the service," he said.
Cullen said the bank initially experienced some technical problems with the biometric-based technology when attempting to enrol users, but eventually managed to iron these issues out. The bank is now hoping to expand the option to mobile phone banking users, he said.
"Expanding voice biometrics into mobile Internet banking just seemed a logical extension from a usability perspective," he said.
Cullen said he would also consider deploying the solution to an online payments environment in a bid to help reduce card-not-present fraud.
As banks around the world gradually deploy chip-based cards with PIN authentication, Cullen points out that fraud is simply shifting to card-not-present environments.
"For us it's about real-time monitoring of card-not-present transactions...but we certainly could move to voice and outbound (calls) for certain transaction types."
Beyond voice
Voice is just one of many biometric identifiers that can be used for the purposes of identification and authentication. In the US, biometric security specialist Global Rainmakers has been targeting banks with its HBOX iris scanning system.
Iris scanning is different from retina scanning, which requires the emission of light and close contact between the scanner and the user.
Former Bank of America executive Jeff Carter now sits on the board of Global Rainmakers and says by the first quarter of 2010 the company will have the technology deployed in a mobile phone to allow remote authentication.
"It will go into a phone that has a high enough resolution to complete the registration," he said.
Fraud remains a major driver for banks considering the use of biometric-based authentication.
Customers have high expectations of the way banks manage their data, said Cullen. "I think while banks are very protective over data, some other organisations aren't. So having a biometric protecting your identity provides added peace of mind."
"One of the questions we ask is what inconvenience are customers willing to accept for peace of mind, and I think tolerance in today's world is reasonably high, especially in terms of online banking," said Cullen.
In this case, however, Cullen said the successful acceptance of voice biometrics has largely been a result of its ease of use.
"There's probably not a lot of new technologies out there that create a safer experience that are easier to use or create a better customer experience."

Thursday, March 11, 2010

A National ID card in 2010?

A new attempt at immigration reform may require a biometric ID card for all working Americans. Privacy advocates aren't pleased.

National identification cards, long feared by privacy advocates, may soon become mandatory for American workers. In a bipartisan effort to curb the hiring of illegal immigrants, Sens. Charles Schumer (D-NY) and Lindsey Graham (R-SC) have proposed legislation that, if passed, will require all working Americans to carry biometric ID cards containing fingerprint records and other personal information. Sen. Schumer calls the measure "the nub of solving the immigration dilemma." But Chris Calabrese, an American Civil Liberties Union lawyer, warns the cards would be a "massive invasion" of privacy. Are national ID cards the solution to our immigration woes — or an unacceptable intrusion into our lives?

This is an affront to our freedom as Americans: Not only would this "ghastly" plan be a frightening invasion of privacy, says Alex Nowrasteh in Fox News, it "would treat every American like a criminal by requiring them to enter their most intimate and personal data into a government database." This is a "naked government power grab," and it must be stopped.
"5 reasons why America should steer clear of a national ID card"

The privacy concerns make no sense: If we're ever going to improve our national security, the "infuriatingly nonsensical" hand-wringing over privacy needs to end, says Don Tennant in IT Business Edge. Many non-criminals, including members of the armed forces and "most public servants," are already fingerprinted, and their liberty remains intact. And having to show "a national ID with your biometric information" at the airport is no more "loathsome" than showing a driver's license.
"National ID cards: Pointless privacy argument is getting old"

Issuing every American an ID card would be wasteful: Instituting the national ID cards now, says Megan Carpentier in the Washington Examiner, would add "hundreds of millions of dollars" to the federal debt, and impose painful costs on employers. All that just to keep "less than 4 percent of the total population of the United States from accessing the job market. Apparently, cost-benefit analyses aren’t the rage on Capitol Hill these days."
"The government would like to see your papers, please"

It won't pass, anyway: Privacy advocates aren't the only ones who don't want this bill to pass, says Jack Cafferty in CNN. The aim of worker ID cards is to make it harder for employers to hire illegal immigrants. "If you think the corporations that make huge profits on the backs of an illegal alien workforce are going to let something like that get through, think again."
"Are worker ID cards a good idea?"

Saturday, March 6, 2010

Howard Schmidt Dismisses Cyberwar Fears

White House Cybersecurity Coordinator Howard Schmidt isn't buying into the grim forecasts that the United States is ill prepared to defend the government's and nation's critical information assets from an immense virtual attack by political adversaries or cyber criminals. 

Schmidt, in a face-to-face interview with GovInfoSecurity.com, said the federal government and the private businesses that control 85 percent of the nation's critical IT infrastructure are better positioned than ever to fend off massive digital assaults.

The Obama administration's top cybersecurity official was responding to questions about recent comments by former National Intelligence Director Michael McConnell that the United States would lose a cyberwar, and about Cyber ShockWave, a simulated cyber attack aired last month on CNN in which smart phone service to 20 million customers is disrupted, an electronic energy trading platform is shut down and the power grid along the Eastern seaboard is crippled.

"How would we fare in some sort of a massive cyber intrusion and attack like that? I think we're much better prepared now than we were in the past," Schmidt said in the interview held during the RSA 2010 IT security conference in San Francisco.

IT security professionals protecting key systems know the vulnerabilities exist and are taking steps to mitigate them and lessen their impact, he said.

BioVault: biometrically based encryption

Article Abstract

Title: BioVault: biometrically based encryption

Author: B.L. Tait, S.H. Von Solms

Address: University of Johannesburg, Kingsway Avenue, Auckland Park 2006, Gauteng, South Africa

Journal: International Journal of Electronic Security and Digital Forensics 2009 - Vol. 2, No.3 pp. 269 - 279

Abstract: Biometric-based token authentication is an asymmetric (von Solms and Tait, 2005) authentication technology. This means that the reference token generated during the enrolment process and stored in the biometric database will never match any freshly offered biometric token exactly (100%). This is commonly accepted due to the nature of the biometric algorithm (Wayman et al., 2004) central to the biometric environment. A password or PIN, on the other hand, is a symmetric authentication mechanism. This means that an exact match is expected, and if the offered password deviates ever so slightly from the password stored in the password database file, authenticity is rejected. Encryption technologies rely on symmetric authentication to function, as the password or PIN is often used as the seed for a random number that will assist in the generation of the cipher. If the password used to encrypt the cipher is not 100% the same as the password supplied to decrypt, the cipher will not unlock. The asymmetric nature of biometrics traditionally renders biometric tokens unfit to be used as the secret key for an encryption algorithm. This article introduces a system that allows biometric tokens to be used as the secret key in an encryption algorithm. This method relies on the BioVault infrastructure. For this reason, BioVault will briefly be discussed, followed by a discussion of biometrically based encryption.
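
To make the abstract's contrast concrete, the added Python below (not from the paper, and not BioVault's own method) compares a noisy biometric sample against a stored template with a Hamming-distance threshold, then shows that feeding the reference and the accepted sample into an ordinary key derivation yields unrelated keys, while a password check only ever passes on an exact match. The template bytes, the flipped bit positions, the 20-bit threshold and the toy KDF label are all constructed for the example.

```python
import hashlib

# Constructed 32-byte (256-bit) reference template standing in for an enrolled biometric.
REFERENCE_TEMPLATE = bytes((i * 37 + 11) & 0xFF for i in range(32))
# Assumed matcher threshold: accept when at most this many of the 256 bits differ.
MAX_DISTANCE = 20


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def biometric_match(reference: bytes, offered: bytes, max_distance: int = MAX_DISTANCE) -> bool:
    """Asymmetric check: a fresh sample is accepted when it is close enough, not identical."""
    return hamming_distance(reference, offered) <= max_distance


def password_match(stored_digest: bytes, offered: str) -> bool:
    """Symmetric check: only the exact password reproduces the stored digest."""
    return hashlib.sha256(offered.encode("utf-8")).digest() == stored_digest


def derive_key(secret: bytes) -> bytes:
    """Toy KDF (SHA-256 over a fixed label plus the secret); any one-bit change in the
    input gives an unrelated 256-bit key, which is exactly what breaks decryption."""
    return hashlib.sha256(b"demo-kdf-label|" + secret).digest()


def flip_bits(template: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions of a template."""
    out = bytearray(template)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def compare_mechanisms() -> dict:
    """Why a threshold-matched biometric cannot seed a cipher key the way a password can."""
    fresh_sample = flip_bits(REFERENCE_TEMPLATE, [3, 40, 77, 130, 201])  # 5 noisy bits
    stored_pw = hashlib.sha256(b"correct horse").digest()  # constructed password record
    return {
        "bits_differing": hamming_distance(REFERENCE_TEMPLATE, fresh_sample),
        "biometric_accepts_sample": biometric_match(REFERENCE_TEMPLATE, fresh_sample),
        "keys_from_samples_agree": derive_key(REFERENCE_TEMPLATE) == derive_key(fresh_sample),
        "password_exact_accepted": password_match(stored_pw, "correct horse"),
        "password_one_char_off_accepted": password_match(stored_pw, "correct horsE"),
    }
```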

Saturday, February 13, 2010

New Javelin Study: ID Fraud Hits Record Highs

The number of identity fraud victims increased 12 percent to 11.1 million people in 2009 -- the second consecutive annual increase. At the same time, the total amount of fraud also increased by 12.5 percent to $54 billion. These are the headlines of the newly-released 2010 Identity Fraud Study by Javelin Strategy & Research. 

"As the economy gets more challenging and more and more people are out of work, there is more identity fraud," says James Van Dyke, president and founder of Javelin. "[Fraud] is at the highest rate since Javelin began this report in 2003." The good news, Van Dyke says, is "Consumers are getting more aggressive in monitoring, detecting and preventing fraud with the help of technology and partnerships with financial institutions, government agencies and resolution services."

Fighting Back

Van Dyke says other findings in the report reinforce the trend that fraudsters are becoming increasingly technology-savvy and are using personal information stolen in data breaches to open new accounts or to make changes to existing non-card accounts. 

Organizations are fighting back by eliminating the use of Social Security numbers in account information, as well as more proactively monitoring and notifying customers of possible fraudulent activity. Consumers also are monitoring their accounts more frequently, using technologies such as the internet and mobile alerts. 

Despite the number of victims going up, the average amount taken in each fraud incident has gone down, as has the average amount of time it takes for the fraud to be resolved.

Saturday, January 30, 2010

Identifying ID Theft and Fraud

ScienceDaily (Oct. 19, 2009) — If the wife of FBI boss Robert Mueller has warned him not to use internet banking because of the threat of online fraud, then what hope is there for the average Joe?

The results of research published in a forthcoming issue of the International Journal of Business Governance and Ethics suggest that more of us are no longer entrusting our finances to virtual accounts.

According to Susan Sproule and Norm Archer of McMaster University, Ontario, Canada, identity theft and fraud are an increasing concern to consumers who interact with online businesses routinely.

Phishing for logins is not the only problem. Credit card skimming, insider theft, counterfeiting of digital information and ID "trafficking" are also on the increase. All of these types of fraud are costly for the individuals involved, both financially and often in terms of the time needed to clear their name when illegal use has been made of their personal details.

The Canadian team has now created a model of how consumer identity theft and fraud occur and in parallel report on a recent survey of Canadian consumers. In assessing fraud concerning credit cards, existing bank accounts, new accounts, and other frauds, they find that one in five people have stopped or reduced the amount of shopping that they do online while almost one in ten are no longer carrying out banking online, or have reduced the amount of online banking that they do because of fraud worries.

"These findings are of concern to business and government," Sproule says, "since, if consumers stop doing business online, the productivity benefits of e-business will not be realized." Until recently there was little information on the problem of identity theft in Canada in particular, and there were no coordinated efforts within the academic community to examine the problem. She adds: "It was believed that, if unchecked, the problems around identity theft and fraud could have a significant effect on e-commerce."

Fortunately, since 2005, Sproule and her colleagues have been involved in a multidisciplinary program that has brought together researchers from four universities and subject matter experts from the financial and telecommunications sector. Their research is allowing them to define the processes involved in identity theft and to measure its reach.

The team's model of cyber crimes has now defined ID theft and fraud as two distinct but related problems, which could not only help legislators to develop new laws and law enforcers in the pursuit of criminals, but also help educate an unwary public as to how their personal data might be misappropriated and used fraudulently.

Online Auction Fraud: Data Mining Software Fingers Both Perpetrators And Accomplices

ScienceDaily (Dec. 5, 2006) — Computer scientists at Carnegie Mellon University are using data mining techniques to identify perpetrators of fraud among online auction users as well as their otherwise unknown accomplices.

The new method analyzes publicly available histories of transactions posted by online auction sites such as eBay and identifies suspicious online behaviors and dubious associations among users. 

Online auction sites are immensely popular. The largest, eBay, reported third quarter revenues of $1.449 billion, up 31 percent from the previous year, and registered 212 million users, up 26 percent. But the popularity of online auction sites also makes them a target for crooks. Internet auction fraud, such as failure to deliver goods after a sale, accounted for almost two-thirds of the 97,000 complaints referred to law enforcement agencies last year by the federal Internet Crime Complaint Center.

Perpetrators of these frauds have distinctive online behaviors that cause them to be readily purged from an online auction site, said Computer Science Professor Christos Faloutsos. The software developed by his research team -- Network Detection via Propagation of Beliefs, or NetProbe -- could prevent future frauds by identifying their accomplices, who can lurk on a site indefinitely and enable new generations of fraudsters.

In a test analysis of about one million transactions between almost 66,000 eBay users, NetProbe correctly detected 10 previously identified perpetrators, as well as more than a dozen probable fraudsters and several dozen apparent accomplices.

"To the best of our knowledge, this is the first work that uses a systematic approach to analyze and detect electronic auction frauds," said Faloutsos, who noted that NetProbe could eventually be useful for both law enforcement and security personnel of online sites.

The researchers have already adapted the software to provide a trustworthiness score for individual user IDs. Though not yet available to the public, the NetProbe score would complement user reputation scores that many auction sites already provide to help prevent fraud.

"We want to help people detect potential fraud before the fraud occurs," said research associate Duen Horng "Polo" Chau, who developed NetProbe with Faloutsos, undergraduate student Samuel Wang and graduate student Shashank Pandit.

Many auction sites try to avert fraud with so-called reputation systems. In eBay's case, buyers can report whether they had a positive, neutral or negative experience in a transaction, and that report is then translated into a feedback score for that seller.

Unfortunately, a crook can manipulate these feedback scores, obtaining a favorable score by engaging in a number of legitimate sales. But that is costly and time-consuming and, once the fraudster starts cheating buyers, that user identification is quickly red-flagged and shut down.

Perpetrating frauds may be sustainable, however, if a fraudster has accomplices or sets up separate user IDs to serve as accomplices. These accomplice accounts conduct legitimate transactions and maintain good reputations. They also have many transactions with the user IDs of fraudsters, using their good reputations to boost the fraudsters' feedback scores. Because accomplices don't perpetrate frauds, they usually escape notice and can keep working to establish new fraudster accounts, Faloutsos said.

But an unnatural pattern becomes evident when the transactions are plotted as a graph, with each user represented as a node, or dot, and transactions between individual users represented by lines connecting the nodes.
In the resulting graph, transactions between accomplices and fraudsters create a pattern that sticks out like "a guiding light," Chau said. Graph theorists call this pattern a "bipartite core" -- members of one group have lots of transactions with members of a second group, but don't have transactions with members of their own group. One group, the accomplices, also deals with honest eBay users, but most of the transactions are with fraudster groups.
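
As an added illustration (not the NetProbe code, and not its published propagation matrix), the Python below runs a small belief propagation over a constructed transaction graph: user IDs already purged for fraud are seeded with a fraud prior, and an assumed compatibility matrix encodes the bipartite-core pattern described above, so the accomplice accounts that sit between the fraudsters and the honest cluster are surfaced even though they never cheated anyone. The matrix values, priors, user IDs and edges are all made up for the example.

```python
from collections import defaultdict

STATES = ("honest", "fraud", "accomplice")

# Assumed compatibility matrix PSI[s_i][s_j] (not NetProbe's published values).
# It encodes the bipartite core: fraud-accomplice edges are very likely, honest
# users mostly trade with honest users, and fraud-fraud or accomplice-accomplice
# edges are rare. Rows and columns both sum to 1, so uniform incoming beliefs
# produce a uniform outgoing message (no built-in bias toward any state).
PSI = {
    "honest":     {"honest": 0.60, "fraud": 0.20, "accomplice": 0.20},
    "fraud":      {"honest": 0.20, "fraud": 0.05, "accomplice": 0.75},
    "accomplice": {"honest": 0.20, "fraud": 0.75, "accomplice": 0.05},
}
# Assumed priors: most users are honest; IDs already purged for fraud are seeded as fraud.
DEFAULT_PRIOR = {"honest": 0.60, "fraud": 0.20, "accomplice": 0.20}
SEEDED_FRAUD_PRIOR = {"honest": 0.02, "fraud": 0.96, "accomplice": 0.02}

# Constructed transaction history (pairs of user IDs that traded; all IDs are made up).
TRANSACTIONS = [
    ("f1", "a1"), ("f2", "a1"), ("f3", "a1"),   # fraudsters pump the accomplices'
    ("f1", "a2"), ("f2", "a2"), ("f3", "a2"),   # feedback scores (the bipartite core)
    ("a1", "h1"), ("a2", "h2"),                 # accomplices keep a few honest trades
    ("h1", "h2"), ("h2", "h3"), ("h3", "h4"),   # honest users trade among themselves
    ("h1", "h3"), ("h2", "h4"),
    ("f1", "h4"),                               # one honest buyer cheated by a fraudster
]
KNOWN_FRAUDSTERS = {"f1", "f2", "f3"}


def _normalize(vec):
    total = sum(vec.values())
    return {s: v / total for s, v in vec.items()}


def belief_propagation(edges, known_fraudsters, iterations=20):
    """Loopy belief propagation over the transaction graph; returns per-user state beliefs."""
    neighbors = defaultdict(set)
    for u, v in edges:
        neighbors[u].add(v)
        neighbors[v].add(u)
    prior = {n: SEEDED_FRAUD_PRIOR if n in known_fraudsters else DEFAULT_PRIOR
             for n in neighbors}
    # messages[(i, j)][s]: what node i tells node j about j being in state s
    messages = {(i, j): {s: 1.0 / len(STATES) for s in STATES}
                for i in neighbors for j in neighbors[i]}
    for _ in range(iterations):
        updated = {}
        for (i, j) in messages:
            # weight each state of i by its prior and the messages from i's other neighbours
            weight = {}
            for si in STATES:
                w = prior[i][si]
                for k in neighbors[i]:
                    if k != j:
                        w *= messages[(k, i)][si]
                weight[si] = w
            updated[(i, j)] = _normalize(
                {sj: sum(weight[si] * PSI[si][sj] for si in STATES) for sj in STATES})
        messages = updated  # synchronous update of all messages
    beliefs = {}
    for n in neighbors:
        b = {}
        for s in STATES:
            v = prior[n][s]
            for k in neighbors[n]:
                v *= messages[(k, n)][s]
            b[s] = v
        beliefs[n] = _normalize(b)
    return beliefs


def classify(beliefs):
    """Most likely state per user; accomplices surface without ever having cheated anyone."""
    return {n: max(b, key=b.get) for n, b in beliefs.items()}


if __name__ == "__main__":
    labels = classify(belief_propagation(TRANSACTIONS, KNOWN_FRAUDSTERS))
    for user, label in sorted(labels.items()):
        print(user, label)
```

With the constructed graph the two accomplices come out labelled "accomplice" and the four honest users, including the cheated buyer h4, stay "honest"; in a real history the per-user beliefs would feed the trustworthiness score the article mentions.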

The researchers tested their method, in part, by accumulating transaction histories from eBay and demonstrating that they could detect the distinctive fraud patterns within these massive data sets. Chau reported on an analysis involving about 100 eBay users at a September data mining conference in Berlin. The team has since analyzed about a million transactions between almost 66,000 eBay users, and those as-yet unpublished findings have been submitted for presentation at an upcoming scientific conference. 

"Crooks are extremely ingenious," Faloutsos warned, so identifying accomplices would not eliminate all online auction fraud. But eliminating accomplices would force crooks to resort to more sophisticated, complex schemes. "These schemes will require more effort and cost, so fraud would be increasingly unprofitable," he added.

FBI Biometrics

Electronic Biometric Transmission Specification (EBTS)

  • Proper methods for federal, state, local, tribal and international stakeholders to communicate with the FBI
  • Transmission of biographic, biometric, and disposition information for purposes of criminal or civil identification
  • Sharing of identity history information when appropriate and approved
  • Upgrade from the Electronic Biometric Transmission Specification (EBTS) Version 8.1 to EBTS Version 9.0
  • New message structures to send fingerprint at 1000ppi, palmprint, face with subject acquisition profiles, scars, marks, and tattoos, and iris biometrics
The standards process evolves with the needs of the biometric community and improves with community feedback; suggestions and questions are encouraged.

Agencies transitioning from the EFTS to the new EBTS standard are encouraged to contact the FBI CJIS Biometric Services Section's Customer Service Group at (304) 625-5590, or via e-mail at liaison@leo.gov prior to implementation.

Wednesday, January 20, 2010

Biometric Security Systems Standards


BioAPI

Standard biometric interfaces are required to provide interoperability between biometric components and subsystems. The BioAPI specification defines a standardized interface for using biometric devices, algorithms, and archives.

BioAPI was originally developed by the BioAPI Consortium, in which Daon is a participating member. BioAPI 1.1 became an American National Standard (ANSI INCITS 358) in April 2002. Since then it has been enhanced by JTC1/SC37 WG2 to produce a new version, BioAPI 2.0. Daon products use BioAPI to allow "plug-and-play" integration of biometric devices and algorithms that conform to the standard. In turn, Daon biometric functionality can also be made available to third-party applications through a BioAPI interface.

Work is underway in JTC1/SC37 to extend BioAPI and includes specification of a graphical-user interface model (BioGUI), a biometric archive function provider interface (BioAMI), a Biometric Interworking Protocol (BIP) specifying how BioAPI implementations communicate with each other across a network, and a lightweight version for use in embedded devices (BioAPI Lite).

13th Annual Kickoff Technology Policy Exhibition

January 26th, 2010 will mark the Congressional Internet Caucus Advisory Committee (ICAC)'s 13th Annual Kickoff Technology Policy Exhibition. To be notified of ICAC events, join the ICAC events mailing list.

2010 Presenters will include:

  • Accenture: Alzheimer's Association Comfort Zone
  • Change Agent Productions: Neighborhood Technology Learning Continuum
  • Comcast Corporation: On Demand Online
  • Common Sense Media: Common Sense Schools
  • EcoFactor, Inc.: Automated Management of Residential Heating and Cooling
  • ESRI and Connected Nation: Interactive Broadband Coverage Maps: Tools for stimulus tracking, consumer information, and economic development
  • Federal Trade Commission's OnGuard Online
  • Fujitsu: MedSecure patient kiosk
  • Google PowerMeter
  • GreatCall, Inc.: Jitterbug, the easy to use cell phone experience (Health & Wellness applications)
  • KnowWho: Congressional Directories That Increase Constituent Transparency & Legislative Office Efficiency Simultaneously
  • Lockheed Martin: IronClad
  • Microsoft Corporation: USFederal360 Solution Using Surface and GetGameSmart
  • Motorola: Droid
  • National Center for Missing & Exploited Children: NetSmartz411
  • Nokia Accessibility
  • Panasonic: Broadband Video & more on TV
  • Points of Light Institute: HandsOn Network and Causes present Volunteer with Facebook
  • ReputationDefender, Inc.: MyReputation & MyPrivacy
  • Skoodat Tools for Teachers: Real-time Information to Transform Results
  • Sony: Sony Reader - Daily Edition
  • The Entertainment Software Association
  • TRUSTe: Behavioral Advertising Notice Program
  • Verizon Wireless: Verizon Safeguards
  • Virginia Tech: The Virginia Tech Lumenhaus
  • Yahoo! Privacy Tools
The Kickoff Technology Exhibition is the largest and longest running technology exhibition on Capitol Hill. Designed to demonstrate emerging Internet technologies that shape Congressional policymaking, the exhibition provides Members of Congress and their staff the opportunity to put their hands on the technologies that are changing our lives and influencing policy. 

The Kickoff Exhibition is also one of the largest policy networking events on Capitol Hill, bringing together Congressional staff, Administration officials, industry executives and public interest advocates. The goal of this annual tech exhibition is to bring cutting-edge technology demonstrations to Capitol Hill that illustrate the power and flexibility of the Internet as a medium for communications, commerce, and democracy. Perennially, over 600 people attend the Kickoff, including lawmakers and staff, reporters, and representatives from government agencies and private sector organizations.

This widely attended educational briefing is hosted by the Congressional Internet Caucus Advisory Committee (ICAC), part of a 501(c)(3) charitable organization.

Fujitsu Selected To Demonstrate PalmSecure Biometric Technology At Largest Capitol Hill Tech Policy Exhibition

Demonstration of MedServ Kiosk to Illustrate Importance of Biometrics to Ensure Patient Privacy in Electronic Health Records

FOOTHILL RANCH, Calif. - Fujitsu Frontech North America Inc. today announced that the company will demonstrate the MedServ Patient Kiosk, featuring the Fujitsu PalmSecure™ palm vein biometric authentication technology, at the 13th Annual Congressional Internet Caucus Advisory Committee Kickoff Technology Policy Exhibition on January 26, 2010.

The Tech Policy Exhibition, the largest and longest running event on Capitol Hill, will highlight key issues that continue to impact policy-making in the 111th Congress. Fujitsu is among only 30 manufacturers asked to participate in the exhibition. During the event, Jim Hewitt, CIO of Springfield Clinic, will provide a hands-on demonstration of the Fujitsu MedServ Patient Kiosk and showcase its work with healthcare software and services partners to ensure the efficient and secure adoption of electronic health records (EHRs).
Building on the success of a nine-county pilot program deployed by Springfield Clinic in Illinois, the MedServ kiosks are currently in use at several major medical groups, including the George Washington University Medical Center, which has deployed more than 20 units. The patient kiosks use Fujitsu PalmSecure palm vein biometric authentication technology to verify patient identity, speed up check-ins, update patient records, make co-payments and improve patient satisfaction in an easy-to-use, private manner. Exhibition guests will be able to use the MedServ kiosk to experience the technology firsthand.
Internet Caucus Co-Chair Senator Patrick Leahy will preview the technology issues that will be drivers for Internet innovation and policymaking decisions. The exhibition brings cutting-edge technology demonstrations to Capitol Hill that illustrate the power and flexibility of the Internet as a medium for communications, commerce and democracy and will be attended by industry and non-profit representatives, leading academics and government policy staff.

"Fujitsu is honored to be selected to participate in the Tech Policy Exhibition, and looks forward to demonstrating how our PalmSecure biometric technology is helping the healthcare industry deliver better health care, patient privacy, electronic health records and health information exchanges," said Josh Napua, vice president, Fujitsu Healthcare Kiosk Solutions, Fujitsu Frontech North America Inc. "We have been demonstrating Fujitsu biometric technologies to the Internet Caucus in the past years, focusing on the promise of palm vein biometrics and their future application. This year, with our MedServ Patient Kiosks in use around the country, we showcase new technologies with practical applications."

The Congressional Internet Caucus Advisory Committee is a diverse group of public interest, non-profit, and industry groups working to educate Congress and the public about important Internet-related policy issues. For more information on the kickoff visit: www.netcaucus.org/events/2010/kickoff/ 

WHEN: Tuesday, January 26, 2010, 5:00 - 7:00 PM. Cocktails and hors d'oeuvres will be served.

WHERE: Hart Senate Office Building, Room 902, Washington, DC
RSVP: Kindly RSVP by email to RSVP@NetCaucus.org or by phone to 202-638-4370.

About Fujitsu Frontech North America Inc.
Fujitsu Frontech North America Inc. offers a wide variety of products including retail point of sale terminals and self checkout systems, kiosks, image solution products, palm vein recognition technology and Ethernet switches, with sales, service and support operations throughout the United States. Fujitsu Frontech North America Inc. has its headquarters at 2791 Telecom Parkway, Richardson, TX 75082, with operations and product development located at 25902 Towne Centre Drive, Foothill Ranch, CA 92610. For more information about Fujitsu products and services, call us at 800-626-4686 or visit us at: www.fujitsufrontechna.com
About Fujitsu Frontech Limited
As part of the Fujitsu Group, Fujitsu Frontech Limited ties people and IT together through the development, manufacture and sale of front-end technology such as ATMs, operation branch, POS and totalizator terminals, and public display devices. Fujitsu Frontech also delivers related software, system integration and outsourcing as part of its total solutions offerings. The company supports the security sector by offering products incorporating Fujitsu's latest palm vein authentication technology, and is actively involved in the development of key technologies in various fields, with a current focus on color electronic paper and RFID systems. For more information, please visit: www.frontech.fujitsu.com/en/
MEDIA CONTACTS:
Erin Sun
Fujitsu Frontech North America Inc.
949/855-5543
ffna.pr@us.fujitsu.com

Dan Borgasano
Schwartz Communications
781/684-6660
fujitsu@schwartz-pr.com

Identity Assurance Comes of Age for Government, Business, and Consumer Security

The ability to securely and confidently establish the identity of an individual or organization is critical to national security programs, commercial businesses, and individual citizens all over the world. IDC believes that a number of convergent factors will enable governments and businesses to adopt a strong identity assurance stance. Some of the key factors are highlighted in the following list.
  • The current financial crisis has increased the transaction volume significantly, resulting in a rise of identity fraud, theft, and compromise in both government and corporate institutions worldwide.
  • Demand for advanced authentication solutions is rising in tandem with regulations designed to protect providers from fraud, data misuse, and identity theft. Passwords alone do not provide adequate protection.
  • Demand for advanced authentication solutions is rising in conjunction with the number of people being laid off. Disgruntled former employees represent a major risk factor, and thus a more sophisticated approach to the life-cycle management of identity credentials is required.
  • The current financial crisis is viewed by many as self-inflicted, and therefore, the public is calling for tighter government oversight and regulations. Advanced authentication solutions can offer a natural pathway to compliance because they enable organizations to track and report who was accessing what and at what time.
  • Until recently, there was no common infrastructure to address identity assurance needs that could be implemented across a variety of industry and government segments. This requires a centralized, core technology and underlying subsystems to create a high level of trust to operate electronically.
  • The need for organizations to support multiple authentication methods is increasing demand for open and flexible authentication infrastructures.
A proven identity assurance platform is critical to secure, successful transactions across Government-to-Citizen (G2C), Employer-to-Employee (E2E), and Business-to-Customer (B2C) scenarios.

ISO/IEC 19784-1:2006 - Information technology -- Biometric application programming interface -- Part 1: BioAPI specification

  • ISO/IEC 24713-3:2009
    Information technology -- Biometric profiles for interoperability and data interchange -- Part 3: Biometrics-based verification and identification of seafarers
  • ISO/IEC 29141:2009
    Information technology -- Biometrics -- Tenprint capture using biometric application programming interface (BioAPI)
  • ISO/IEC 29109-1:2009
    Information technology -- Conformance testing methodology for biometric data interchange formats defined in ISO/IEC 19794 -- Part 1: Generalized conformance testing methodology

BioAPI Consortium

Current BioAPI member organizations include (in alphabetical order):

Monday, January 18, 2010

BIO-key (OTCBB: BKYI) Launches TruDonor ID Accurate Biometric ID Solution


BIO-key International, Inc. (OTC Bulletin Board: BKYI), a leader in finger-based biometric identification solutions, announced the launch of TruDonor ID, a fully hosted identity solution tailored to address the needs of the blood collection industry.

With TruDonor ID, blood centers of any size now have a fast, convenient and accurate method to positively identify donors. Following on earlier successes in the blood donor identification market, BIO-key's introduction of this secure SaaS (Software as a Service) donor ID solution provides an affordable, fully supported, web-based solution that staff can access from anywhere and at any time. Leveraging BIO-key's award-winning biometric identification software, TruDonor ID accurately identifies donors without the need for them to produce IDs or remember donor ID numbers. This virtually eliminates the potential for misidentification of donors, and it reduces the time and errors associated with staff validating identities and manually entering information.

TruDonor ID interfaces to existing blood management platforms or can operate as a standalone identity solution. "This is a huge breakthrough not only for blood centers but for the biometric identification industry as well," stated Mike DePasquale, CEO of BIO-key International. "Offering TruDonor ID as a SaaS solution eliminates one of the biggest hurdles faced by every blood center - costly IT expenditures on equipment, staff and maintenance. With TruDonor ID, blood centers have secure 24/7 access to their donor database on a superior computing environment supported by expert technicians." Mr. DePasquale also noted that "deployment times are far shorter since we eliminate the typical implementation learning curve associated with installing a licensed software solution. This is a first for the Identity Management Industry, a first for BIO-key and the beginning of a whole new era in the deployment of advanced security solutions including finger biometrics."

Thursday, January 14, 2010

Biometric at Airports

More than 1,600 employees and 1.7 million passengers passed through London City Airport in 2002, making it one of the United Kingdom's busiest airports for business travel. Two events in 2001 and 2002 led the airport to conduct a full-scale review of its security procedures and policies. The first was the horrific 9-11 attacks in the United States.

Second, two robberies unrelated to terrorism at Heathrow Airport targeted security vans within the airport's Restricted Zone (RZ) in early 2002. The robberies and the terrorist threat led the Metropolitan Police to call for tighter aviation security, with an emphasis on CCTV coverage and access control.



The airport identified the entry points to the RZ as the top priority for an access control upgrade. London City Airport's RZ includes passenger departure areas in the airport's Jet Centre (a corporate aviation facility) and Terminal Building, baggage claim areas, cargo sheds, and mail centers--all of which are collectively referred to as airside areas. Airside cleaning and catering premises are also in the RZ. Only persons and vehicles authorized by the airport manager can enter the zone, including passengers intending to depart from the airport, who are subject to search, as is their baggage. This article focuses on employees' access to the RZ.

Before the security upgrade, airport security staffed the entry/exit points to the RZ, visually inspecting the photograph on an employee's identification pass to confirm its validity. The airport realized through threat assessments and discussions with other practitioners that although no known breaches had occurred, this method created the potential for someone to enter the RZ with a forged pass.

Selecting biometrics. In January 2002, London City Airport began assessing technology solutions that could satisfy its need for enhanced security. As part of this effort, the airport identified a number of key requirements for any potential solution: It had to be cost-effective and flexible, user-friendly, secure and robust, compatible with existing access control systems, and able to comply with industry regulations. These regulations included the Aviation Security Act of 1982, which authorizes the Secretary of State for Transport to issue directives relating to aviation security.

Wednesday, January 13, 2010

One Day Tutorials | RSA Conference 2010


This tutorial will detail the use of smart cards in Identity Management. Security professionals are changing the way they think about security, identity management, and authentication. The session includes ways of establishing an identity, transforming identity attributes into digital credentials, assigning privileges associated with that identity, and methods for presenting those credentials in a secure, authenticated manner for physical and logical access use cases.

This session will explain the practical application of identity management and its usage of digital credentials stored on smart cards, and how they are issued, managed and revoked. The U.S. Government Federal Identity, Credential and Access Management (ICAM) committee has released a roadmap for the usage of millions of PIV compliant credentials, and many corporate enterprises are issuing PIV compatible smart card ID badges for the convergence of physical and logical access control and to cross-federate in some cases with the federal government ID systems. Because interoperable credentials make good security and fiscal sense, this session will look at how these new credentials are moving outside of the initial domain of federal agencies and into the commercial enterprise market.

This session begins by exploring the independence and interrelationships between the concepts of Identity, Privilege and Person in relation to privacy, consent, and authentication in the context of government and non-government issued IDs. Examples are presented on how specific smart card technologies are utilized to implement these concepts in well-known application contexts.
 
This session will conclude with an overview of the latest technology innovations in smart cards for IT. Advances in application and content management capabilities are shown that create flexibility for how smart cards are applied in IT environments.
 
This session will look at large scale smart card deployments that exemplify the value of secure, interoperable, and scalable smart card-enabled identity solutions that take a systematic approach to managing identity and integrating the physical and logical access needs for organizations of all types and sizes.

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service. 

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session focused on the specific identity disciplines that participants find most challenging.

This workshop will cover:
  • Principles of Identity and Access Management and implementation strategies
  • Infrastructure architecture -- critical underlying processes to run a successful enterprise
  • Web-based authentication & Web Access Management
  • Selling Identity strategy in the C-suite
  • Directory Services - Enterprise, meta-directories and virtual directories
  • Provisioning - managing the processes of Identity and Access Management
  • Identity mapping and roll-up
  • Detailed Single Sign-on strategies: Getting off Identity islands
  • Detailed Federated Identity discussion and case studies
  • Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects
  • Multi-factor authentication: biometrics, tokens & more
  • Functional IDs - real world considerations of this often forgotten access control
  • User Access Audit: Proving only authorized users have access
  • Auditing the identity systems 
Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.

Security Basics Boot Camp is a new day long course that explains some of the most important security principles and technologies. Designed for practitioners with less than three years of information security experience or those new to the field, Boot Camp will create a foundation of essential concepts to enhance your understanding of the more advanced security sessions during the week. Taught by the “who’s who” in the security industry, Security Basics Boot Camp is not to be missed. Topics and speakers include:
  • Business of Security
         •  Hugh Thompson, Chief Security Strategist, People Security
  • External Hackers and Insider Threats
         •  George Kurtz, Worldwide Chief Technology Officer & Executive
            Vice President, McAfee, Inc. and Dr. Eric Cole, McAfee
         •  Vinny Guilloto, Microsoft
  • Crypto 101/Encryption basics/SSL & certificates
         •  Josh Rosenthol, Consultant Product Manager, RSA, The Security Division
            of EMC
  • Introduction to Security Architecture
         •  Jeff Bardin, VP, Chief Security Officer, ITSolutions
  • Firewalls and Perimeter Protection
         •  Bill Cheswick, Lead Member of Technical Staff, AT&T Labs - Research
  • Intrusion detection and data loss prevention
         •  Kevin Rowney, Founder, Symantec DLP, Symantec Corporation
  • Authentication Technologies
         •  Bret Hartman, CTO, RSA, The Security Division of EMC and
            John Linn, Sr. Technologist, RSA, The Security Division of EMC
  • Application Security
         •  Jason Rouse, Cigital


Tuesday, January 12, 2010

Where Strong Authentication Fails and What You Can Do About It

Fraudsters have been raiding user accounts by beating strong two-factor authentication methods. A layered fraud prevention approach can mitigate these attacks.

Fraudsters are beating strong two-factor authentication and are proving that any authentication method that relies on browser communications can be defeated. A layered fraud prevention approach can thwart these attacks.

Key Findings

•    Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled by one-time password (OTP) tokens. Other strong authentication methods, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.
•    Fraudsters have been raiding user bank accounts that seemingly were protected by strong two-factor authentication, but any sensitive Web application is similarly vulnerable.
•    In some cases, the malware copies the user's ID, password and OTP, and immediately uses them. Other times, the malware overwrites user transactions with the crook's transactions, unbeknownst to the user or service provider, e.g., the online bank.
•    Out-of-band authentication using voice telephony is also being circumvented by fraudsters using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication.

Recommendations

•    Recognize that any authentication method that communicates through a browser can be defeated if the browser can be attacked and compromised, so make sure you deploy additional security measures.
•    Use server-based fraud detection to monitor transactions for suspicious behavior.
•    Use out-of-band transaction verification to verify user transaction requests, and execute only the specific transaction verified or signed by the requesting user.
•    Use out-of-band communication protocols that can prevent calls from being forwarded to numbers that are not registered to a specific user account.
   
What You Need to Know

Criminals are successfully launching man-in-the-browser attacks that circumvent strong two-factor and other authentication methods that communicate through the user's browser. The fraudsters are also successfully having telecommunication carriers forward phone calls used to authenticate users and/or transactions to the fraudster's phone instead of the legitimate user's phone. These attacks were successfully and repeatedly executed against many banks and their customers across the globe in 2009. While bank accounts are the main immediate targets, these attack methods will migrate to other sectors and applications that contain sensitive, valuable information and data within the next three years.

A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats.

Analysis

In the past several months, Gartner has spoken with many banks around the world whose OTP-token-based authentication systems have been compromised by man-in-the-browser attacks on customer PCs. In addition, banks that rely on voice telephony for user transaction verification have seen those systems and processes compromised by thieves who persuade telecom carriers to forward legitimate user phone calls to the thief's cell phone. Where the bank had no other defenses sufficient to prevent unauthorized access to its applications and customer accounts, these targeted attacks have resulted in theft of money and/or information.

Gartner clients who have fended off these attacks have done so with either automated fraud detection or manual review of high-risk transactions. In addition, enterprises that rely on telephone-based user authentication and transaction verification are considering, where possible, stopping a phone call from going to the user, if the phone calls and texts are being forwarded by the carrier to another phone number (see Note 1). These attacks have been typically launched against banks and their customers; however, in the future, they will certainly be used to attack other types of valuable assets and organizations.
   
How Do These Attacks Work?


•    Malware sits inside a user's browser and waits for the user to log into a bank. During login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank's website, telling the user that the service is "temporarily unavailable." The fraudster immediately uses the user ID, password and OTP to log in and drain the user's accounts.
•    Other malware overwrites transactions sent by a user to the online banking website with the criminal's own transactions. This overwrite happens behind the scenes so that the user does not see the revised transaction values. Similarly, many online banks will then communicate back to the user's browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware will change the values seen by the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
•    Authentication that depends on out-of-band authentication using voice telephony is circumvented by a simple technique whereby the fraudster asks the phone carrier to forward the legitimate user's phone calls to the fraudster's phone. The fraudster simply tells the carrier the original phone number is having difficulty and needs the calls forwarded, and the carrier does not sufficiently verify the requestor's identity before executing the fraudster's request.


Which Proven Measures Can Prevent These Attacks From Succeeding?

More than one of the following measures can and should be used to achieve optimal fraud prevention results.



Fraud Detection That Monitors User Access Behavior

This fraud detection method captures and analyzes all the user's Web application traffic (assuming the targeted application is Web-based), including login, navigation and transactions, and can spot abnormal access patterns that indicate an automated program is accessing the application, rather than a human being. This method worked well at one European bank where customers must use two event-based OTPs — one for login and one to execute a money transfer — that are generated by a dedicated token. Trojans in customer browsers stole two or three OTPs before the user noticed that the browser was frozen (by the Trojan). The criminal then started transacting in the user's account, causing a major difference in the online banking application's normal response time. The bank found that once inside the account, the Trojans generate transactions much faster than a legitimate human user does. For example, it takes a normal human user 10 to 20 seconds to enter a money transfer amount and press "okay" to confirm it, but the Trojan entered the same type of data and confirmation in under 1 second.
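The timing check described above, as an added illustration that is not part of the Gartner note: it replays a constructed session log and flags sessions in which every transfer was confirmed faster than a person could type it. The 3-second threshold, the event names and the log lines are all assumptions made for this example.

```python
from datetime import datetime

# Assumed threshold (not from the article): the text cites 10-20 s for a human
# to enter a transfer and confirm it, and under 1 s for the Trojan, so anything
# under 3 s is treated as automated here.
MIN_HUMAN_SECONDS = 3.0

# Constructed session log (session_id, event, ISO timestamp). sess-A is a human
# customer; sess-B shows the pattern from the text, where the Trojan confirms
# each transfer almost instantly.
EVENTS = [
    ("sess-A", "login", "2009-11-05T10:00:00"),
    ("sess-A", "transfer_form_shown", "2009-11-05T10:00:20"),
    ("sess-A", "transfer_confirmed", "2009-11-05T10:00:36"),
    ("sess-B", "login", "2009-11-05T10:05:00"),
    ("sess-B", "transfer_form_shown", "2009-11-05T10:05:02"),
    ("sess-B", "transfer_confirmed", "2009-11-05T10:05:02.400"),
    ("sess-B", "transfer_form_shown", "2009-11-05T10:05:03"),
    ("sess-B", "transfer_confirmed", "2009-11-05T10:05:03.600"),
]


def confirm_delays(events):
    """Map each session id to the list of seconds elapsed between the
    transfer form being shown and the user confirming it."""
    pending = {}  # session -> time the transfer form was last shown
    delays = {}
    for session, event, stamp in events:
        when = datetime.fromisoformat(stamp)
        if event == "transfer_form_shown":
            pending[session] = when
        elif event == "transfer_confirmed" and session in pending:
            elapsed = (when - pending.pop(session)).total_seconds()
            delays.setdefault(session, []).append(elapsed)
    return delays


def flag_automated_sessions(events, min_seconds=MIN_HUMAN_SECONDS):
    """Return session ids whose every confirmation came faster than a human
    could manage; these are candidates for manual review or a hold."""
    flagged = []
    for session, secs in confirm_delays(events).items():
        if secs and all(s < min_seconds for s in secs):
            flagged.append(session)
    return flagged


if __name__ == "__main__":
    print(confirm_delays(EVENTS))
    print("flagged:", flag_automated_sessions(EVENTS))
```

In production the per-session delays would feed a wider behavioural profile rather than a single threshold, but the timing signal alone is what distinguished the Trojan in the case the text describes.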

Fraud Detection That Monitors Suspect Transaction Values

This function looks at a particular transaction and compares it to a profile of what constitutes "normal" behavior for that user and/or group of users. The more structured the data (so that it can be analyzed more easily), and the more history available to put the transaction in context, the more able the fraud prevention system is to highlight suspect transactions.

Structured data is important to the effectiveness of many fraud prevention applications. For example, automated-clearinghouse (ACH) money transfer data is structured, and a fraud prevention application can determine the payment and payment beneficiary data in an ACH money transfer request so that it can spot that the amount or beneficiary is "unusual" and suspect. In contrast, wire transfer instructions are unstructured in part, and transfer instructions can be documented in textual comments. In order for a fraud prevention application to work in this case, it must be able to parse textual comments and isolate the important data.

This method has worked well for banks that have deployed it, for example, for U.K. banks that have had to implement real-time fraud detection for Faster Payments Service, a U.K. initiative that mandates immediate electronic payments be available to all U.K. bank customers.

Out-of-Band User Transaction Verification

This type of verification uses a communication channel other than the primary one (for example, the user's PC browser) to verify a transaction request. It is a valuable fraud prevention tool — as long as only the specific transaction verified or signed by the requesting user is executed (as opposed to a transaction that a criminal has overwritten with his or her own values). Further, enterprises should not deluge users with transaction verification requests, and should keep them simple and confined to high-risk transactions, so that users are sure to pay detailed attention to them. Criminals have been known to successfully use social-engineering techniques to trick users into verifying the "wrong" illegitimate transactions.

Enterprises also need to use out-of-band communication providers that can prevent the enterprise's calls from being forwarded to phone numbers that the enterprise has not registered and vetted for a legitimate user account. Alternatively, the enterprise can simply terminate any calls that are being forwarded to another number (as a cautionary measure), and ask the user to call the bank instead. This means that the enterprise's telephony system or provider must be able to inspect the Signaling System 7 (SS7) telephony signaling protocols, which are used in most of the globe's public switched telephone network calls. SS7 is used to set up and disconnect phone calls, transmit Short Message Service (SMS) messages, manage call forwarding, and conduct many other services.
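To show why "execute only the specific transaction verified or signed by the user" defeats the transaction-overwrite attack described under "How Do These Attacks Work?", here is an added example that is not part of the Gartner note or any bank's product: an out-of-band signing code computed by the user's device over the beneficiary and amount the user actually typed, which the bank recompares against the transaction it received. The per-user secret, the 8-digit code format, the per-request nonce and the account strings are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-user secret shared between the bank and the user's signing
# device (assumed to be provisioned at enrolment; not the article's design).
USER_SECRET = b"constructed-demo-secret-for-user-1234"


def transaction_code(secret, beneficiary, amount_cents, nonce):
    """8-digit code bound to the exact transaction details plus a per-request
    nonce from the bank, so it cannot be reused for a different transfer."""
    msg = f"{beneficiary}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def user_signs(secret, beneficiary, amount_cents, nonce):
    """The user's out-of-band device: the user keys in the beneficiary and
    amount they intend, so the code depends on those values, not on whatever
    the browser later sends."""
    return transaction_code(secret, beneficiary, amount_cents, nonce)


def bank_executes(secret, received_beneficiary, received_amount, nonce, code):
    """The bank recomputes the code over the transaction it actually received
    (which a man-in-the-browser may have rewritten) and executes only on a
    match; a mismatch means the user never signed these values."""
    expected = transaction_code(secret, received_beneficiary, received_amount, nonce)
    return hmac.compare_digest(expected, code)


def unbound_otp(secret, nonce):
    """For contrast: a one-time password that depends only on the challenge,
    like the login OTPs the text describes being relayed by the Trojan."""
    digest = hmac.new(secret, nonce.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_executes_with_plain_otp(secret, received_beneficiary, received_amount, nonce, otp):
    """The weak design: the transaction values never enter the check, so an
    overwritten transfer passes as long as the OTP itself is valid."""
    return hmac.compare_digest(unbound_otp(secret, nonce), otp)


def demo():
    """Return (legitimate accepted, overwritten accepted, overwritten accepted
    under the plain-OTP design)."""
    nonce = "req-0001"  # constructed per-request challenge issued by the bank
    intended = ("ACME Ltd 12-34-56 00012345", 15000)      # what the user typed
    rewritten = ("Mule acct 99-99-99 09999999", 950000)   # what the Trojan sent
    code = user_signs(USER_SECRET, *intended, nonce)
    legit_ok = bank_executes(USER_SECRET, *intended, nonce, code)
    overwritten_ok = bank_executes(USER_SECRET, *rewritten, nonce, code)
    otp = unbound_otp(USER_SECRET, nonce)
    plain_otp_ok = bank_executes_with_plain_otp(USER_SECRET, *rewritten, nonce, otp)
    return legit_ok, overwritten_ok, plain_otp_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same binding protects a voice or SMS channel only if the message read to the user carries the received beneficiary and amount, which is the point the text makes about users paying close attention to what they confirm.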

Summary

Fraudsters have definitely proved that strong two-factor authentication methods that communicate through user browsers can be defeated, and that the criminals can also figure out how to defeat out-of-band, telephony-based authentication and transaction verification using social-engineering techniques. 

While future attack types are unpredictable, one thing is very clear. Enterprises need to protect their users and accounts using a three-prong fraud prevention approach that employs authentication, fraud detection, and out-of-band transaction verification and signing for high-risk transactions.