Saturday, January 30, 2010

Identifying ID Theft and Fraud


ScienceDaily (Oct. 19, 2009) — If the wife of FBI boss Robert Mueller has warned him not to use internet banking because of the threat of online fraud, then what hope is there for the average Joe?

The results of research published in a forthcoming issue of the International Journal of Business Governance and Ethics suggest that more of us are no longer entrusting our finances to virtual accounts.

According to Susan Sproule and Norm Archer of McMaster University, Ontario, Canada, identity theft and fraud are an increasing concern to consumers who interact with online businesses routinely.

Phishing for logins is not the only problem. Credit card skimming, insider theft, counterfeiting of digital information, and ID "trafficking" are also on the increase. All of these types of fraud are costly for the individuals involved, both financially and often in terms of the time needed to clear their name once illegal use has been made of their personal details.

The Canadian team has now created a model of how consumer identity theft and fraud occur and in parallel report on a recent survey of Canadian consumers. In assessing fraud concerning credit cards, existing bank accounts, new accounts, and other frauds, they find that one in five people have stopped or reduced the amount of shopping that they do online while almost one in ten are no longer carrying out banking online, or have reduced the amount of online banking that they do because of fraud worries.

"These findings are of concern to business and government," Sproule says, "since, if consumers stop doing business online, the productivity benefits of e-business will not be realized." Until recently there was little information on the problem of identity theft in Canada in particular, and there were no coordinated efforts within the academic community to examine the problem. She adds: "It was believed that, if unchecked, the problems around identity theft and fraud could have a significant effect on e-commerce."

Fortunately, since 2005, Sproule and her colleagues have been involved in a multidisciplinary program that has brought together researchers from four universities and subject matter experts from the financial and telecommunications sector. Their research is allowing them to define the processes involved in identity theft and to measure its reach.

The team's model of cyber crimes has now defined ID theft and fraud as two distinct but related problems, which could not only help legislators to develop new laws and law enforcers in the pursuit of criminals, but also help educate an unwary public as to how their personal data might be misappropriated and used fraudulently.

Online Auction Fraud: Data Mining Software Fingers Both Perpetrators And Accomplices


ScienceDaily (Dec. 5, 2006) — Computer scientists at Carnegie Mellon University are using data mining techniques to identify perpetrators of fraud among online auction users as well as their otherwise unknown accomplices.

The new method analyzes publicly available histories of transactions posted by online auction sites such as eBay and identifies suspicious online behaviors and dubious associations among users. 

Online auction sites are immensely popular. The largest, eBay, reported third quarter revenues of $1.449 billion, up 31 percent from the previous year, and registered 212 million users, up 26 percent. But the popularity of online auction sites also makes them a target for crooks. Internet auction fraud, such as failure to deliver goods after a sale, accounted for almost two-thirds of the 97,000 complaints referred to law enforcement agencies last year by the federal Internet Crime Complaint Center.

Perpetrators of these frauds have distinctive online behaviors that cause them to be readily purged from an online auction site, said Computer Science Professor Christos Faloutsos. The software developed by his research team -- Network Detection via Propagation of Beliefs, or NetProbe -- could prevent future frauds by identifying their accomplices, who can lurk on a site indefinitely and enable new generations of fraudsters.

In a test analysis of about one million transactions between almost 66,000 eBay users, NetProbe correctly detected 10 previously identified perpetrators, as well as more than a dozen probable fraudsters and several dozen apparent accomplices.

"To the best of our knowledge, this is the first work that uses a systematic approach to analyze and detect electronic auction frauds," said Faloutsos, who noted that NetProbe could eventually be useful for both law enforcement and security personnel of online sites.

The researchers have already adapted the software to provide a trustworthiness score for individual user IDs. Though not yet available to the public, the NetProbe score would complement user reputation scores that many auction sites already provide to help prevent fraud.

"We want to help people detect potential fraud before the fraud occurs," said research associate Duen Horng "Polo" Chau, who developed NetProbe with Faloutsos, undergraduate student Samuel Wang and graduate student Shashank Pandit.

Many auction sites try to avert fraud with so-called reputation systems. In eBay's case, buyers can report whether they had a positive, neutral or negative experience in a transaction, and that report is then translated into a feedback score for that seller.

Unfortunately, a crook can manipulate these feedback scores, obtaining a favorable score by engaging in a number of legitimate sales. But that is costly and time-consuming and, once the fraudster starts cheating buyers, that user identification is quickly red-flagged and shut down.

Perpetrating frauds may be sustainable, however, if a fraudster has accomplices or sets up separate user IDs to serve as accomplices. These accomplice accounts conduct legitimate transactions and maintain good reputations. They also have many transactions with the user IDs of fraudsters, using their good reputations to boost the fraudsters' feedback scores. Because accomplices don't perpetrate frauds, they usually escape notice and can keep working to establish new fraudster accounts, Faloutsos said.

But an unnatural pattern becomes evident when the transactions are plotted as a graph, with each user represented as a node, or dot, and transactions between individual users represented by lines connecting the nodes.
In the resulting graph, transactions between accomplices and fraudsters create a pattern that sticks out like "a guiding light," Chau said. Graph theorists call this pattern a "bipartite core" -- members of one group have lots of transactions with members of a second group, but don't have transactions with members of their own group. One group, the accomplices, also deals with honest eBay users, but most of the transactions are with fraudster groups.
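The bipartite-core pattern described above, as an added worked example that is not NetProbe's own code: NetProbe infers labels by belief propagation over the transaction graph, whereas this simplified Python version finds the same structure deterministically. Starting from one account already known to be fraudulent, it treats that account's counterparties as candidate accomplices, then alternates between "accounts that deal mostly with accomplices are probable fraudsters" and "accounts that deal mostly with fraudsters are probable accomplices" until the two groups stop changing, and finally confirms that neither group trades within itself. The user IDs, the transaction list and the 0.5 threshold are constructed for illustration; the trust score is a simple stand-in for the kind of per-user score the article mentions, not NetProbe's.

```python
from collections import defaultdict

# Constructed sample transaction history (pairs of user IDs); not real auction data.
TRANSACTIONS = [
    # ordinary trade inside an honest community
    ("H1", "H2"), ("H2", "H3"), ("H3", "H4"), ("H4", "H5"),
    ("H5", "H6"), ("H1", "H3"), ("H2", "H5"), ("H4", "H6"),
    # fraudsters F1-F3 trade with every accomplice A1-A3, but never with each other
    ("F1", "A1"), ("F1", "A2"), ("F1", "A3"),
    ("F2", "A1"), ("F2", "A2"), ("F2", "A3"),
    ("F3", "A1"), ("F3", "A2"), ("F3", "A3"),
    # accomplices also trade with honest users to keep a normal-looking reputation
    ("A1", "H1"), ("A2", "H4"), ("A3", "H6"),
    # one victim: honest user H2 bought from fraudster F2
    ("F2", "H2"),
]


def build_graph(transactions):
    """Undirected transaction graph: user -> set of counterparties (self-deals ignored)."""
    graph = defaultdict(set)
    for a, b in transactions:
        if a == b:
            continue
        graph[a].add(b)
        graph[b].add(a)
    return graph


def share_with(graph, node, group):
    """Fraction of a user's counterparties that belong to `group`."""
    neighbours = graph[node]
    if not neighbours:
        return 0.0
    return len(neighbours & group) / len(neighbours)


def find_bipartite_core(graph, known_fraud, threshold=0.5, max_rounds=10):
    """Grow a fraudster/accomplice bipartite core outward from known fraudsters.

    Simplified structural approximation (assumption of this example), not the
    belief propagation used by NetProbe.
    """
    known_fraud = set(known_fraud)
    # Seed: everyone a known fraudster dealt with is a candidate accomplice.
    accomplices = set().union(*(graph[f] for f in known_fraud)) - known_fraud
    fraud = set(known_fraud)
    for _ in range(max_rounds):
        # Accounts whose dealings are mostly with accomplices look like fraudsters.
        new_fraud = known_fraud | {
            v for v in graph
            if v not in accomplices and share_with(graph, v, accomplices) >= threshold
        }
        # Accounts whose dealings are mostly with fraudsters look like accomplices.
        new_acc = {
            v for v in graph
            if v not in new_fraud and share_with(graph, v, new_fraud) >= threshold
        }
        if new_fraud == fraud and new_acc == accomplices:
            break
        fraud, accomplices = new_fraud, new_acc
    # A true bipartite core has no transactions inside either group.
    intra = [
        (a, b)
        for group in (fraud, accomplices)
        for a in group for b in graph[a]
        if b in group and a < b
    ]
    return {"fraud": fraud, "accomplices": accomplices, "intra_group_edges": intra}


def trust_score(graph, node, flagged):
    """Share of a user's counterparties that are NOT flagged (1.0 = no dealings with flagged accounts)."""
    return 1.0 - share_with(graph, node, set(flagged))


if __name__ == "__main__":
    g = build_graph(TRANSACTIONS)
    core = find_bipartite_core(g, {"F1"})   # F1 is the one account already known to be fraudulent
    print("probable fraudsters:", sorted(core["fraud"]))
    print("probable accomplices:", sorted(core["accomplices"]))
    print("intra-group edges:", core["intra_group_edges"])
    flagged = core["fraud"] | core["accomplices"]
    for user in sorted(g):
        print(f"{user}: trust {trust_score(g, user, flagged):.2f}")
```

With the constructed data the search stops after two rounds: F2 and F3 are pulled in because three of their four counterparties are accomplices, the victim H2 stays honest because only one of its four counterparties is flagged, and no edge lies inside either group. The threshold matters: set it too low and honest users who happen to have bought from a fraudster once start being flagged, which is why a real deployment would combine this with the reputation scores the sites already keep.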

The researchers tested their method, in part, by accumulating transaction histories from eBay and demonstrating that they could detect the distinctive fraud patterns within these massive data sets. Chau reported on an analysis involving about 100 eBay users at a September data mining conference in Berlin. The team has since analyzed about a million transactions between almost 66,000 eBay users, and those as-yet unpublished findings have been submitted for presentation at an upcoming scientific conference. 

"Crooks are extremely ingenious," Faloutsos warned, so identifying accomplices would not eliminate all online auction fraud. But eliminating accomplices would force crooks to resort to more sophisticated, complex schemes. "These schemes will require more effort and cost, so fraud would be increasingly unprofitable," he added.

FBI Biometrics

Electronic Biometric Transmission Specification (EBTS)

  • Proper methods for federal, state, local, tribal and international stakeholders to communicate with the FBI
  • Transmission of biographic, biometric, and disposition information for purposes of criminal or civil identification
  • Sharing of identity history information when appropriate and approved
  • Upgrade from the Electronic Biometric Transmission Specification (EBTS) Version 8.1 to EBTS Version 9.0

  • New message structures to send fingerprint at 1000ppi, palmprint, face with subject acquisition profiles, scars, marks, and tattoos, and iris biometrics

The standards process evolves with the needs of the biometric community and improves with community feedback. Suggestions and questions are encouraged and may be submitted via the Web site's Comments Form.

Agencies transitioning from the EFTS to the new EBTS standard are encouraged to contact the FBI CJIS Biometric Services Section's Customer Service Group at (304) 625-5590, or via e-mail at liaison@leo.gov prior to implementation.

Wednesday, January 20, 2010

Biometric Security Systems Standards


BioAPI

Standard biometric interfaces are required to provide interoperability between biometric components and subsystems. The BioAPI specification defines a standardized interface for using biometric devices, algorithms, and archives.

BioAPI was originally developed by the BioAPI Consortium, in which Daon is a participating member. BioAPI 1.1 became an American National Standard (ANSI INCITS 358) in April 2002. Since then it has been enhanced by JTC1/SC37 WG2 to produce a new version, BioAPI 2.0. Daon products use BioAPI to allow "plug-and-play" integration of biometric devices and algorithms that conform to the standard. In turn, Daon biometric functionality can also be made available to third-party applications through a BioAPI interface.

Work is underway in JTC1/SC37 to extend BioAPI and includes specification of a graphical-user interface model (BioGUI), a biometric archive function provider interface (BioAMI), a Biometric Interworking Protocol (BIP) specifying how BioAPI implementations communicate with each other across a network, and a lightweight version for use in embedded devices (BioAPI Lite).

13th Annual Kickoff Technology Policy Exhibition

13th Annual Kickoff Technology Policy Exhibition January 26th, 2010



January 26th, 2010 will mark the Congressional Internet Caucus Advisory Committee (ICAC)'s 13th Annual Kickoff Technology Policy Exhibition. To be notified of ICAC events, join the ICAC events mailing list.

2010 Presenters will include:

  • Accenture: Alzheimer's Association Comfort Zone
  • Change Agent Productions: Neighborhood Technology Learning Continuum
  • Comcast Corporation: On Demand Online
  • Common Sense Media: Common Sense Schools
  • EcoFactor, Inc.: Automated Management of Residential Heating and Cooling
  • ESRI and Connected Nation: Interactive Broadband Coverage Maps: Tools for stimulus tracking, consumer information, and economic development
  • Federal Trade Commission's OnGuard Online
  • Fujitsu: MedSecure patient kiosk
  • Google PowerMeter
  • Jitterbug (created by GreatCall, Inc.): The easy-to-use cell phone experience (Health & Wellness applications)
  • KnowWho: Congressional Directories That Increase Constituent Transparency & Legislative Office Efficiency Simultaneously
  • Lockheed Martin: IronClad
  • Microsoft Corporation: USFederal360 Solution Using Surface and GetGameSmart
  • Motorola: Droid
  • National Center for Missing & Exploited Children: NetSmartz411
  • Nokia Accessibility
  • Panasonic: Broadband Video & more on TV
  • Points of Light Institute: HandsOn Network and Causes present Volunteer with Facebook
  • ReputationDefender, Inc.: MyReputation & MyPrivacy
  • Skoodat Tools for Teachers: Real-time Information to Transform Results
  • Sony: Sony Reader - Daily Edition
  • The Entertainment Software Association
  • TRUSTe: Behavioral Advertising Notice Program
  • Verizon Wireless: Verizon Safeguards
  • Virginia Tech: The Virginia Tech Lumenhaus
  • Yahoo! Privacy Tools
The Kickoff Technology Exhibition is the largest and longest running technology exhibition on Capitol Hill. Designed to demonstrate emerging Internet technologies that shape Congressional policymaking, the exhibition provides Members of Congress and their staff the opportunity to put their hands on the technologies that are changing our lives and influencing policy. 

The Kickoff Exhibition is also one of the largest policy networking events on Capitol Hill, bringing together Congressional staff, Administration officials, industry executives and public interest advocates. The goal of this annual tech exhibition is to bring cutting-edge technology demonstrations to Capitol Hill that illustrate the power and flexibility of the Internet as a medium for communications, commerce, and democracy. Perennially, over 600 people attend the Kickoff, including lawmakers and staff, reporters, and representatives from government agencies and private sector organizations.

This widely attended educational briefing is hosted by the Congressional Internet Caucus Advisory Committee (ICAC), part of a 501(c)(3) charitable organization.

Fujitsu Selected To Demonstrate PalmSecure Biometric Technology At Largest Capitol Hill Tech Policy Exhibition




Demonstration of MedServ Kiosk to Illustrate Importance of Biometrics to Ensure Patient Privacy in Electronic Health Records

FOOTHILL RANCH, Calif. - Fujitsu Frontech North America Inc. today announced that the company will demonstrate the MedServ Patient Kiosk, featuring the Fujitsu PalmSecure™ palm vein biometric authentication technology, at the 13th Annual Congressional Internet Caucus Advisory Committee Kickoff Technology Policy Exhibition on January 26, 2010.

The Tech Policy Exhibition, the largest and longest running event on Capitol Hill, will highlight key issues that continue to impact policy-making in the 111th Congress. Fujitsu is among only 30 manufacturers asked to participate in the exhibition. During the event, Jim Hewitt, CIO of Springfield Clinic, will provide a hands-on demonstration of the Fujitsu MedServ Patient Kiosk and showcase its work with healthcare software and services partners to ensure the efficient and secure adoption of electronic health records (EHRs).

Building on the success of a nine-county pilot program deployed by Springfield Clinic in Illinois, the MedServ kiosks are currently in use at several major medical groups, including the George Washington University Medical Center, which has deployed more than 20 units. The patient kiosks use Fujitsu PalmSecure palm vein biometric authentication technology to verify patient identity, speed up check-ins, update patient records, make co-payments and improve patient satisfaction in an easy-to-use, private manner. Exhibition guests will be able to use the MedServ kiosk to experience the technology firsthand.

Internet Caucus Co-Chair Senator Patrick Leahy will preview the technology issues that will be drivers for Internet innovation and policymaking decisions. The exhibition brings cutting-edge technology demonstrations to Capitol Hill that illustrate the power and flexibility of the Internet as a medium for communications, commerce and democracy, and will be attended by industry and non-profit representatives, leading academics and government policy staff.

"Fujitsu is honored to be selected to participate in the Tech Policy Exhibition, and looks forward to demonstrating how our PalmSecure biometric technology is helping the healthcare industry deliver better health care, patient privacy, electronic health records and health information exchanges," said Josh Napua, vice president, Fujitsu Healthcare Kiosk Solutions, Fujitsu Frontech North America Inc. "We have been demonstrating Fujitsu biometric technologies to the Internet Caucus in the past years, focusing on the promise of palm vein biometrics and their future application. This year, with our MedServ Patient Kiosks in use around the country, we showcase new technologies with practical applications."

The Congressional Internet Caucus Advisory Committee is a diverse group of public interest, non-profit, and industry groups working to educate Congress and the public about important Internet-related policy issues. For more information on the kickoff visit: www.netcaucus.org/events/2010/kickoff/ 

WHEN: Tuesday, January 26, 2010, 5:00 - 7:00 PM. Cocktails and hors d'oeuvres will be served.

WHERE: Hart Senate Office Building, Room 902, Washington, DC

RSVP: Kindly RSVP by email to RSVP@NetCaucus.org or by phone to 202-638-4370.

About Fujitsu Frontech North America Inc.
Fujitsu Frontech North America Inc. offers a wide variety of products including retail point-of-sale terminals and self-checkout systems, kiosks, image solution products, palm vein recognition technology and Ethernet switches, with sales, service and support operations throughout the United States. Fujitsu Frontech North America Inc. has its headquarters at 2791 Telecom Parkway, Richardson, TX 75082, with operations and product development located at 25902 Towne Centre Drive, Foothill Ranch, CA 92610. For more information about Fujitsu products and services, call 800-626-4686 or visit www.fujitsufrontechna.com

About Fujitsu Frontech Limited
As part of the Fujitsu Group, Fujitsu Frontech Limited ties people and IT together through the development, manufacture and sale of front-end technology such as ATMs, operation branch, POS and totalizator terminals, and public display devices. Fujitsu Frontech also delivers related software, system integration and outsourcing as part of its total solutions offerings. The company supports the security sector by offering products incorporating Fujitsu's latest palm vein authentication technology, and is actively involved in the development of key technologies in various fields, with a current focus on color electronic paper and RFID systems. For more information, please visit: www.frontech.fujitsu.com/en/
MEDIA CONTACTS:

Erin Sun
Fujitsu Frontech North America Inc.
949/855-5543
ffna.pr@us.fujitsu.com

Dan Borgasano
Schwartz Communications
781/684-6660
fujitsu@schwartz-pr.com

Identity Assurance Comes of Age for Government, Business, and Consumer Security




The ability to securely and confidently establish the identity of an individual or organization is critical to national security programs, commercial businesses, and individual citizens all over the world. IDC believes that a number of convergent factors will enable governments and businesses to adopt a strong identity assurance stance. Some of the key factors are highlighted in the following list.
  • The current financial crisis has increased the transaction volume significantly, resulting in a rise of identity fraud, theft, and compromise in both government and corporate institutions worldwide.
  • Demand for advanced authentication solutions is rising in tandem with regulations designed to protect providers from fraud, data misuse, and identity theft. Passwords alone do not provide adequate protection.
  • Demand for advanced authentication solutions is rising in conjunction with the number of people being laid off. Disgruntled former employees represent a major risk factor, and thus a more sophisticated approach to the life-cycle management of identity credentials is required.
  • The current financial crisis is viewed by many as self-inflicted, and therefore, the public is calling for tighter government oversight and regulations. Advanced authentication solutions can offer a natural pathway to compliance because they enable organizations to track and report who was accessing what and at what time.
  • Until recently, there was no common infrastructure to address identity assurance needs that could be implemented across a variety of industry and government segments. This requires a centralized, core technology and underlying subsystems to create a high level of trust to operate electronically.
  • The need for organizations to support multiple authentication methods is increasing demand for open and flexible authentication infrastructures.
A proven identity assurance platform is critical to secure, successful transactions across Government-to-Citizen (G2C), Employer-to-Employee (E2E), and Business-to-Customer (B2C) scenarios.

ISO/IEC 19784-1:2006 - Information technology -- Biometric application programming interface -- Part 1: BioAPI specification


  • ISO/IEC 24713-3:2009
    Information technology -- Biometric profiles for interoperability and data interchange -- Part 3: Biometrics-based verification and identification of seafarers
  • ISO/IEC 29141:2009
    Information technology -- Biometrics -- Tenprint capture using biometric application programming interface (BioAPI)
  • ISO/IEC 29109-1:2009
    Information technology -- Conformance testing methodology for biometric data interchange formats defined in ISO/IEC 19794 -- Part 1: Generalized conformance testing methodology

BioAPI Consortium



Current BioAPI member organizations include (in alphabetical order):

Monday, January 18, 2010

BIO-key (OTCBB: BKYI) Launches TruDonor ID Accurate Biometric ID Solution


BIO-key International, Inc. (OTC Bulletin Board: BKYI), a leader in finger-based biometric identification solutions, announced the launch of TruDonor ID, a fully hosted identity solution tailored to address the needs of the blood collection industry.

With TruDonor ID, blood centers of any size now have a fast, convenient and accurate method to positively identify donors. Following on earlier successes in the blood donor identification market, BIO-key's introduction of this secure SaaS (Software as a Service) donor ID solution provides an affordable, fully supported, web-based solution that staff can access from anywhere at any time. Leveraging BIO-key's award-winning biometric identification software, TruDonor ID accurately identifies donors without the need for them to produce IDs or remember donor ID numbers. This virtually eliminates the potential for misidentification of donors and reduces the time and errors associated with staff validating identities and manually entering information.

TruDonor ID interfaces to existing blood management platforms or can operate as a standalone identity solution. "This is a huge breakthrough not only for blood centers but for the biometric identification industry as well," stated Mike DePasquale, CEO of BIO-key International. "Offering TruDonor ID as a SaaS solution eliminates one of the biggest hurdles faced by every blood center - costly IT expenditures on equipment, staff and maintenance. With TruDonor ID, blood centers have secure 24/7 access to their donor database on a superior computing environment supported by expert technicians." Mr. DePasquale also noted that "deployment times are far shorter since we eliminate the typical implementation learning curve associated with installing a licensed software solution. This is a first for the Identity Management Industry, a first for BIO-key and the beginning of a whole new era in the deployment of advanced security solutions including finger biometrics."

Thursday, January 14, 2010

Biometric at Airports

More than 1,600 employees and 1.7 million passengers passed through London City Airport in 2002, making it one of the United Kingdom's busiest airports for business travel. Two events in 2001 and 2002 led the airport to conduct a full-scale review of its security procedures and policies. The first was the horrific 9-11 attacks in the United States.

Second, two robberies unrelated to terrorism at Heathrow Airport targeted security vans within the airport's Restricted Zone (RZ) in early 2002. The robberies and the terrorist threat led the Metropolitan Police to call for tighter aviation security, with an emphasis on CCTV coverage and access control.



The airport identified the entry points to the RZ as the top priority for an access control upgrade. London City Airport's RZ includes passenger departure areas in the airport's Jet Centre (a corporate aviation facility) and Terminal Building, baggage claim areas, cargo sheds, and mail centers, all of which are collectively referred to as airside areas. Airside cleaning and catering premises are also in the RZ. Only persons and vehicles authorized by the airport manager can enter the zone, including passengers intending to depart from the airport, who are subject to search, as is their baggage. This article focuses on employees' access to the RZ.

Before the security upgrade, airport security staffed the entry/exit points to the RZ, visually inspecting the photograph on an employee's identification pass to confirm its validity. The airport realized through threat assessments and discussions with other practitioners that although no known breaches had occurred, this method created the potential for someone to enter the RZ with a forged pass.

Selecting biometrics. In January 2002, London City Airport began assessing technology solutions that could satisfy its need for enhanced security. As part of this effort, the airport identified a number of key requirements for any potential solution: It had to be cost-effective and flexible, user-friendly, secure and robust, compatible with existing access control systems, and able to comply with industry regulations. These regulations included the Aviation Security Act of 1982, which authorizes the Secretary of State for Transport to issue directives relating to aviation security.

Wednesday, January 13, 2010

One Day Tutorials | RSA Conference 2010


This tutorial will detail the use of smart cards in Identity Management. Security professionals are changing the way they think about security, identity management, and authentication. The session includes ways of establishing an identity, transforming identity attributes into digital credentials, assigning privileges associated with that identity, and methods for presenting those credentials in a secure, authenticated manner for physical and logical access use cases.

This session will explain the practical application of identity management and its usage of digital credentials stored on smart cards, and how they are issued, managed and revoked. The U.S. Government Federal Identity, Credential and Access Management (ICAM) committee has released a roadmap for the usage of millions of PIV compliant credentials, and many corporate enterprises are issuing PIV compatible smart card ID badges for the convergence of physical and logical access control and to cross-federate in some cases with the federal government ID systems. Because interoperable credentials make good security and fiscal sense, this session will look at how these new credentials are moving outside of the initial domain of federal agencies and into the commercial enterprise market.

This session begins by exploring the independence and interrelationships between the concepts of Identity, Privilege and Person in relation to privacy, consent, and authentication in the context of government and non-government issued IDs. Examples are presented on how specific smart card technologies are utilized to implement these concepts in well-known application contexts.
 
This session will conclude with an overview of the latest technology innovations in smart cards for IT. Advances in application and content management capabilities are shown that create flexibility for how smart cards are applied in IT environments.
 
This session will look at large scale smart card deployments that exemplify the value of secure, interoperable, and scalable smart card-enabled identity solutions that take a systematic approach to managing identity and integrating the physical and logical access needs for organizations of all types and sizes.

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service. 

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view of resolving identity challenges, with detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session focused on the specific identity disciplines participants find most challenging.

This workshop will cover:
  • Principles of Identity and Access Management and implementation strategies
  • Infrastructure architecture -- critical underlying processes to run a successful enterprise
  • Web-based authentication & Web Access Management
  • Selling Identity strategy in the C-suite
  • Directory Services – Enterprise, meta-directories and virtual directories
  • Provisioning - managing the processes of Identity and Access Management
  • Identity mapping and roll-up
  • Detailed Single Sign-on strategies: Getting off Identity islands
  • Detailed Federated Identity discussion and case studies
  • Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects
  • Multi-factor authentication: biometrics, tokens & more
  • Functional IDs - real world considerations of this often forgotten access control
  • User Access Audit: Proving only authorized users have access
  • Auditing the identity systems 
Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.

Security Basics Boot Camp is a new day long course that explains some of the most important security principles and technologies. Designed for practitioners with less than three years of information security experience or those new to the field, Boot Camp will create a foundation of essential concepts to enhance your understanding of the more advanced security sessions during the week. Taught by the “who’s who” in the security industry, Security Basics Boot Camp is not to be missed. Topics and speakers include:
  • Business of Security
    • Hugh Thompson, Chief Security Strategist, People Security
  • External Hackers and Insider Threats
    • George Kurtz, Worldwide Chief Technology Officer & Executive Vice President, McAfee, Inc. and Dr. Eric Cole, McAfee
    • Vinny Guilloto, Microsoft
  • Crypto 101/Encryption basics/SSL & certificates
    • Josh Rosenthol, Consultant Product Manager, RSA, The Security Division of EMC
  • Introduction to Security Architecture
    • Jeff Bardin, VP, Chief Security Officer, ITSolutions
  • Firewalls and Perimeter Protection
    • Bill Cheswick, Lead Member of Technical Staff, AT&T Labs - Research
  • Intrusion detection and data loss prevention
    • Kevin Rowney, Founder, Symantec DLP, Symantec Corporation
  • Authentication Technologies
    • Bret Hartman, CTO, RSA, The Security Division of EMC and John Linn, Sr. Technologist, RSA, The Security Division of EMC
  • Application Security
    • Jason Rouse, Cigital


Tuesday, January 12, 2010

Where Strong Authentication Fails and What You Can Do About It

Fraudsters have been raiding user accounts by beating strong two-factor authentication methods. A layered fraud prevention approach can mitigate these attacks.

Fraudsters are beating strong two-factor authentication and are proving that any authentication method that relies on browser communications can be defeated. A layered fraud prevention approach can thwart these attacks.

Key Findings

•    Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication, enabled by one-time password (OTP) tokens. Other strong authentication methods, such as those using chip cards and biometric technology that rely on browser communications, can be similarly defeated.
•    Fraudsters have been raiding user bank accounts that seemingly were protected by strong two-factor authentication, but any sensitive Web application is similarly vulnerable.
•    In some cases, the malware copies the user's ID, password and OTP, and immediately uses them. Other times, the malware overwrites user transactions with the crook's transactions, unbeknownst to the user or service provider, e.g., the online bank.
•    Out-of-band authentication using voice telephony is also being circumvented by fraudsters using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication.

Recommendations

•    Recognize that any authentication method that communicates through a browser can be defeated if the browser can be attacked and compromised, so make sure you deploy additional security measures.
•    Use server-based fraud detection to monitor transactions for suspicious behavior.
•    Use out-of-band transaction verification to verify user transaction requests, and execute only the specific transaction verified or signed by the requesting user.
•    Use out-of-band communication protocols that can prevent calls from being forwarded to numbers that are not registered to a specific user account.
   
What You Need to Know

Criminals are successfully launching man-in-the-browser attacks that circumvent strong two-factor authentication and any other authentication method that communicates through the user's browser. The fraudsters are also successfully persuading telecommunication carriers to forward the phone calls used to authenticate users and/or transactions to the fraudster's phone instead of the legitimate user's phone. These attacks were successfully and repeatedly executed against many banks and their customers across the globe in 2009. While bank accounts are the main immediate targets, these attack methods will migrate to other sectors and applications that contain sensitive, valuable information and data within the next three years.

A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats.

Analysis

In the past several months, Gartner has spoken with many banks around the world whose OTP-token-based authentication systems have been compromised by man-in-the-browser attacks on customer PCs. In addition, banks that rely on voice telephony for user transaction verification have seen those systems and processes compromised by thieves who persuade telecom carriers to forward legitimate user phone calls to the thief's cell phone. Where the bank had no other defenses sufficient to prevent unauthorized access to its applications and customer accounts, these targeted attacks resulted in theft of money and/or information.

Gartner clients who have fended off these attacks have done so with either automated fraud detection or manual review of high-risk transactions. In addition, enterprises that rely on telephone-based user authentication and transaction verification are considering, where possible, stopping a phone call from going to the user, if the phone calls and texts are being forwarded by the carrier to another phone number (see Note 1). These attacks have been typically launched against banks and their customers; however, in the future, they will certainly be used to attack other types of valuable assets and organizations.
   
How Do These Attacks Work?


•    Malware sits inside a user's browser and waits for the user to log into a bank. During login, the malware copies the user's ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank's website, telling the user that the service is "temporarily unavailable." The fraudster immediately uses the user ID, password and OTP to log in and drain the user's accounts.
•    Other malware overwrites transactions sent by a user to the online banking website with the criminal's own transactions. This overwrite happens behind the scenes so that the user does not see the revised transaction values. Similarly, many online banks will then communicate back to the user's browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware will change the values seen by the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
•    Authentication that depends on out-of-band authentication using voice telephony is circumvented by a simple technique whereby the fraudster asks the phone carrier to forward the legitimate user's phone calls to the fraudster's phone. The fraudster simply tells the carrier the original phone number is having difficulty and needs the calls forwarded, and the carrier does not sufficiently verify the requestor's identity before executing the fraudster's request.


Which Proven Measures Can Prevent These Attacks From Succeeding?

More than one of the following measures can and should be used to achieve optimal fraud prevention results.



Fraud Detection That Monitors User Access Behavior

This fraud detection method captures and analyzes all the user's Web application traffic (assuming the targeted application is Web-based), including login, navigation and transactions, and can spot abnormal access patterns that indicate an automated program is accessing the application, rather than a human being. This method worked well at one European bank where customers must use two event-based OTPs — one for login and one to execute a money transfer — that are generated by a dedicated token. Trojans in customer browsers stole two or three OTPs before the user noticed that the browser was frozen (by the Trojan). The criminal then started transacting in the user's account, causing a major difference in the online banking application's normal response time. The bank found that once inside the account, the Trojans generate transactions much faster than a legitimate human user does. For example, it takes a normal human user 10 to 20 seconds to enter a money transfer amount and press "okay" to confirm it, but the Trojan entered the same type of data and confirmation in under 1 second.

Fraud Detection That Monitors Suspect Transaction Values

This function looks at a particular transaction and compares it to a profile of what constitutes "normal" behavior for that user and/or group of users. The more structured the data (so that it can be analyzed more easily), and the more history available to put the transaction in context, the more able the fraud prevention system is to highlight suspect transactions.

Structured data is important to the effectiveness of many fraud prevention applications. For example, automated-clearinghouse (ACH) money transfer data is structured, and a fraud prevention application can determine the payment and payment beneficiary data in an ACH money transfer request so that it can spot that the amount or beneficiary is "unusual" and suspect. In contrast, wire transfer instructions are unstructured in part, and transfer instructions can be documented in textual comments. In order for a fraud prevention application to work in this case, it must be able to parse textual comments and isolate the important data.

This method has worked well for banks that have deployed it, for example, for U.K. banks that have had to implement real-time fraud detection for Faster Payments Service, a U.K. initiative that mandates immediate electronic payments be available to all U.K. bank customers.
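The two server-side detection layers described above, the access-behaviour timing check from the European bank case and the transaction-profile check against a user's history, as an added Python example that is not from the research note or any bank's system; the events, the thresholds (2 s, 3x the past maximum) and the account names are constructed for illustration:

```python
"""Server-side fraud detection over constructed online-banking events: an
access-behaviour check (form-to-confirm latency far below a human's 10-20 s)
and a transaction-profile check (amount/beneficiary outside user history)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

HUMAN_MIN_SECONDS = 2.0     # assumption: anything faster is treated as automated
AMOUNT_RATIO_LIMIT = 3.0    # assumption: flag amounts over 3x the user's past max

@dataclass
class Transfer:
    user: str
    form_shown_ts: float    # when the bank rendered the transfer form
    confirmed_ts: float     # when the OTP-confirmed request reached the server
    amount: float
    beneficiary: str

@dataclass
class UserProfile:
    max_amount: float = 0.0
    beneficiaries: Set[str] = field(default_factory=set)

    def update(self, t: Transfer) -> None:
        self.max_amount = max(self.max_amount, t.amount)
        self.beneficiaries.add(t.beneficiary)

def build_profiles(history: List[Transfer]) -> Dict[str, UserProfile]:
    profiles: Dict[str, UserProfile] = {}
    for t in history:
        profiles.setdefault(t.user, UserProfile()).update(t)
    return profiles

def score_transfer(t: Transfer, profile: UserProfile) -> List[str]:
    """Return the reasons a transfer looks fraudulent (empty list = clean)."""
    reasons = []
    latency = t.confirmed_ts - t.form_shown_ts
    if latency < HUMAN_MIN_SECONDS:
        reasons.append(f"confirmed in {latency:.2f}s: automated client?")
    if profile.max_amount and t.amount > AMOUNT_RATIO_LIMIT * profile.max_amount:
        reasons.append(f"amount {t.amount:.2f} exceeds {AMOUNT_RATIO_LIMIT}x past max")
    if t.beneficiary not in profile.beneficiaries:
        reasons.append(f"beneficiary {t.beneficiary!r} never seen for this user")
    return reasons

# Constructed history: alice pays the same utility every month at a human pace.
HISTORY = [
    Transfer("alice", 1000.0, 1014.0, 120.0, "UTILITY-CO"),
    Transfer("alice", 2000.0, 2011.5, 135.0, "UTILITY-CO"),
]
# Constructed live requests: one normal, one with the Trojan's fingerprints.
LIVE = [
    Transfer("alice", 3000.0, 3012.0, 128.0, "UTILITY-CO"),
    Transfer("alice", 3100.0, 3100.6, 4900.0, "MULE-ACCT-77"),
]

def review(history=HISTORY, live=LIVE) -> Dict[int, List[str]]:
    """Score each live transfer against the profiles built from history."""
    profiles = build_profiles(history)
    return {i: score_transfer(t, profiles.get(t.user, UserProfile()))
            for i, t in enumerate(live)}

if __name__ == "__main__":
    for i, reasons in review().items():
        print(i, "HOLD FOR REVIEW" if reasons else "ok", reasons)
```

A transfer that trips any reason is held for the manual or automated review the note describes rather than executed immediately.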

Out-of-Band User Transaction Verification

This type of verification uses a communication channel other than the primary one (for example, the user's PC browser) to verify a transaction request. It is a valuable fraud prevention tool — as long as only the specific transaction verified or signed by the requesting user is executed (as opposed to a transaction that a criminal has overwritten with his or her own values). Further, enterprises should not deluge users with transaction verification requests, and should keep them simple and confined to high-risk transactions, so that users are sure to pay detailed attention to them. Criminals have been known to successfully use social-engineering techniques to trick users into verifying the "wrong" illegitimate transactions.
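An added example, not Gartner's or any bank's code, of transaction verification that executes only the transfer the user actually signed: the out-of-band code is an HMAC over the transaction details the user keys into a separate device, so a request overwritten inside the browser no longer matches the code and is refused. The enrollment key, account names and amounts are constructed.

```python
"""Out-of-band transaction signing: the confirmation code is computed over the
transaction details, so a request rewritten inside the browser no longer matches
the code the user produced and is refused. Constructed illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    beneficiary: str

def canonical(t: Transfer) -> bytes:
    # Both sides must MAC exactly the same bytes; keep the encoding unambiguous.
    return f"{t.amount_cents}|{t.beneficiary}".encode()

def device_sign(device_key: bytes, t: Transfer) -> str:
    """Code computed by the user's out-of-band device (phone app or signing
    token) from the details the USER keys into it, never from the browser."""
    mac = hmac.new(device_key, canonical(t), hashlib.sha256).hexdigest()
    return mac[:8]   # short code the user copies back into the web form

class Bank:
    def __init__(self) -> None:
        self.device_keys: Dict[str, bytes] = {}     # key enrolled per user device
        self.ledger: List[Tuple[str, Transfer]] = []

    def enroll(self, user: str, key: bytes) -> None:
        self.device_keys[user] = key

    def submit(self, user: str, received: Transfer, code: str) -> bool:
        """Execute ONLY the transfer whose details the user actually signed.
        The MAC is recomputed over what the server received, not over what
        the browser claims the user saw."""
        expected = device_sign(self.device_keys[user], received)
        if not hmac.compare_digest(expected, code):
            return False      # mismatch: browser-side rewrite or wrong code
        self.ledger.append((user, received))
        return True

def scenario() -> Tuple[bool, bool, List[Tuple[str, Transfer]]]:
    """Constructed: alice signs a 120.00 payment; a man-in-the-browser Trojan
    rewrites the request to a mule account while showing her the original."""
    bank = Bank()
    key = b"constructed-enrollment-secret"      # assumption: set up at enrollment
    bank.enroll("alice", key)
    intended = Transfer(12000, "UTILITY-CO")
    code = device_sign(key, intended)           # done on her phone, out of band
    ok_clean = bank.submit("alice", intended, code)
    tampered = Transfer(490000, "MULE-ACCT-77")  # what the Trojan actually sends
    ok_tampered = bank.submit("alice", tampered, code)
    return ok_clean, ok_tampered, list(bank.ledger)

if __name__ == "__main__":
    print(scenario())
```

A production design would also bind a per-transaction nonce or expiry into the signed bytes so that a captured code cannot be replayed against a later identical request.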

Enterprises also need to use out-of-band communication providers that can prevent the enterprise's calls from being forwarded to phone numbers that the enterprise has not registered and vetted for a legitimate user account. Alternatively, the enterprise can simply terminate any calls that are being forwarded to another number (as a cautionary measure), and ask the user to call the bank instead. This means that the enterprise's telephony system or provider must be able to inspect the Signaling System 7 (SS7) telephony signaling protocols, which are used in most of the globe's public switched telephone network calls. SS7 is used to set up and disconnect phone calls, transmit Short Message Service (SMS) messages, manage call forwarding, and conduct many other services.

Summary

Fraudsters have definitely proved that strong two-factor authentication methods that communicate through user browsers can be defeated, and that the criminals can also figure out how to defeat out-of-band, telephony-based authentication and transaction verification using social-engineering techniques. 

While future attack types are unpredictable, one thing is very clear. Enterprises need to protect their users and accounts using a three-pronged fraud prevention approach that employs authentication, fraud detection, and out-of-band transaction verification and signing for high-risk transactions.

Monday, January 11, 2010

2009 Identity Theft Statistics


Identity theft is defined as the process of using someone else’s personal information for your own personal gain. The Javelin Strategy & Research Center has been studying identity theft closely since 2004. Each year, they release their findings. Their 2009 study reveals that:

  • Identity theft is on the rise, affecting almost 10 million victims in 2008 (a 22% increase from 2007)
  • Victims are spending less money out of pocket to correct the damage from ID theft. The mean cost per victim is $500, and most victims pay nothing due to zero-liability fraud protection programs offered by their financial institutions.
  • 71% of fraud happens within a week of stealing a victim’s personal data.
  • Low-tech methods for stealing personal information are still the most popular for identity thieves. Stolen wallets and physical documents accounted for 43% of all identity theft, while online methods accounted for only 11%.
Types of Identity Theft
ID theft can happen to anyone, and it can come in all shapes and sizes. For example, your credit card digits could be stolen and used to make online purchases; a thief could impersonate you to open up a loan in your name; a felon could commit a crime and pretend to be you when caught; or someone could use your personal information to apply for a job.
Here’s a brief overview and description of each type of identity theft, based on Federal Trade Commission complaint data:
  • Credit Card fraud (26%): Credit card fraud can occur when someone acquires your credit card number and uses it to make a purchase.

  • Utilities fraud (18%): Utilities are opened using the name of a child or someone who does not live at the residence. Parents desperate for water, gas, and electricity will use their child’s clean credit report to be approved for utilities.

  • Bank fraud (17%): There are many forms of bank fraud, including check theft, changing the amount on a check, and ATM pass code theft.

  • Employment fraud (12%): Employment fraud occurs when someone without a valid Social Security number borrows someone else’s to obtain a job.

  • Loan fraud (5%): Loan fraud occurs when someone applies for a loan in your name. This can occur even if the Social Security number does not match the name exactly.

  • Government fraud (9%): This type of fraud includes tax, Social Security, and driver license fraud.

Microsoft, Adobe prep critical security patches | InSecurity Complex - CNET News


Microsoft will issue one bulletin on Patch Tuesday next week that is rated "critical" for Windows 2000.

The patch is designed to address a vulnerability that could allow an attacker to take control of a computer by remotely executing code on it, according to an advisory released Thursday. It is rated "low" severity for Windows 7, Vista, XP, Server 2003, and Server 2008 operating systems.

Meanwhile, Adobe Systems is scheduled to release a patch for a vulnerability in Adobe Reader and Acrobat on Tuesday that was discovered in mid-December and which is being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers.

Adobe will also be releasing a beta test version of a new automatic updater for Reader and Acrobat on Tuesday, according to ZDNet, sister publication of CNET. The move is welcome, given that Reader was found to be one of the buggiest programs in 2009.

India to issue all 1.2 billion citizens with biometric ID cards


It is surely the biggest Big Brother project yet conceived. India is to issue each of its 1.2 billion citizens, millions of whom live in remote villages and possess no documentary proof of existence, with cyber-age biometric identity cards.


The Government in Delhi recently created the Unique Identification Authority, a new state department charged with the task of assigning every living Indian an exclusive number. It will also be responsible for gathering and electronically storing their personal details, at a predicted cost of at least £3 billion.

The task will be led by Nandan Nilekani, the outsourcing sage who coined the phrase “the world is flat”, which became a mantra for supporters of globalisation. “It is a humongous, mind-boggling challenge,” he told The Times. “But we have the opportunity to give every Indian citizen, for the first time, a unique identity. We can transform the country.”

If the cards were piled on top of each other they would be 150 times as high as Mount Everest — 1,200 kilometres.

Biometric Identity a Must For Faculty Recruitment

Jan-11-10

The initiative will help in making the system transparent, says AICTE chairman S.S. Mantha

NEW DELHI, INDIA: The central government will start collecting biometric identity of teachers engaged in engineering and management institutions to curb malpractices by the faculty, an official said Sunday. "We will record biometric identity of all faculties working in technical educational institutions - all engineering and management colleges - from now on," All India Council of Technical Education (AICTE) chairman S.S. Mantha told IANS. "This will reduce the malpractice by some faculties. With the help of this record, we can verify if a faculty is working in more than one institution, which is illegal," he added.

The initiative will help in making the system transparent, explained Mantha, whose organization is the governing body of thousands of technical institutions in the country. He said all those who want to open new institutions will have to furnish the details of the faculties and their biometric identity before receiving the letter of approval to open the college. "It's mandatory," the chairman said. On Thursday, the human resource development ministry had allowed all new management colleges to double their student intake and all engineering colleges to increase their intake by 25 per cent.

All new management institutions can now take 120 students rather than the previous allotment of just 60 students. Similarly, all new engineering colleges can now take up to 300 students from the previous stipulated 240.

House backs biometrics in DHS 2010 spending bill

The Homeland Security Department spending bill approved by the House would give a boost to the department’s largest biometric program, but would not fund a biometric land exit solution.

The House on June 24 approved, by a vote of 389-37, a fiscal 2010 spending bill for DHS with very few changes from the measure endorsed by the House Appropriations Committee on June 12.

The bill provides $42.4 billion in total discretionary funding, which is $205 million below the White House request and $2.6 billion more than the enacted fiscal 2009 amount.

The legislation includes $352 million for the U.S. Visitor and Immigrant Status Indicator Technology, known as US-VISIT, the department’s largest biometric program. That is $52 million more than the fiscal 2009 amount. Under the program, visa applicants to the United States must provide fingerprints, which are collected in a database and checked against criminal and terrorist databases.

The US-VISIT funding includes $119 million for program management, $128 million for operations and maintenance, $31 million for identity management and screening and $29 million for interoperability and the Unique Identity program.

The US-VISIT budget also includes $45 million for the costs of mirroring the US-VISIT fingerprint databases to a DHS data center, and establishing a backup database at a second DHS data center. Currently, the fingerprints are housed in a Justice Department data center.

Currently, the fingerprints of visitors to the United States are checked when the visitors enter the country but not when they exit. Congress has been asking for several years for DHS to provide an exit solution at the land and air borders, but the department has maintained that implementing a land exit solution is not feasible. This year, no funding was requested or approved for a land exit solution, which the House Appropriations Committee called a “conservative and realistic position.” DHS currently is conducting pilot testing of air exit biometric solutions.

Under the Unique Identity program, the department is making US-VISIT’s fingerprint database, the Biometric Identification System, known as Ident, interoperable with the FBI’s Integrated Automated Fingerprint Identification System. Funding for those efforts was increased last year to pay for Ident’s conversion to 10 fingerprints, from two.

The US-VISIT funding for fiscal 2010 also includes enumeration efforts within the department, which involve assigning a unique identifying number to an individual’s biometric and biographic records and transactions, according to a report from the appropriations committee accompanying the spending bill.

Ident will provide a unique identifying number to any federal agency that submits fingerprints to Ident, the report said. “However, DHS also has taken the position that it will not use any single enumerator for any ‘public-facing’ use, due to potential risks to privacy and security,” the report added.

The legislation directs DHS to report to Congress by Jan. 15, 2010, on the use of unique identifying numbers.