Thursday, July 28, 2016

A look at evolving Mobile Device Security

Fingerprints and Password Protection

Fingerprint authentication for mobile devices can be a secure protection, but it’s only as secure as the weakest link in the authentication system. For example, a mobile user downloads a banking app, logs in with a user name and password, and then creates a fingerprint authentication. Fingerprint information is kept locally on the drive. If the user gets a new device, the app is downloaded again and the fingerprint information is recreated.

Passwords are often simple and all too often captured or stolen. With a stolen password, a thief can create a fraudulent fingerprint authentication on a new device.

Banks and commercial enterprises need to continually refine authentication techniques to have “a smart way of knowing” when fraudulent person is attempting to use a mobile device.

Mickey Boodaei, Transmit Security, Feb 29, 2016

Fingerprinting Computers and Mobile Devices to Prevent Fraud

Device fingerprinting is a way of uniquely identifying a computer, tablet or mobile phone based on characteristics such as browser version, time zone, screen dimensions, plug-ins, etc. Once a device is fingerprinted, unfortunately, it must be blacklisted at least once before it can be blocked from future access.

 This article identifies three areas where device fingerprinting can be improved to enhance fraud prevention:

  • As users make changes to their devices, they change the fingerprint of their devices. Fuzzy Matching refers to deciding which changes are noteworthy (such as operating system) and which are okay to ignore (such as browser fonts). Fuzzy matching is used to determine if the device fingerprint is the essentially the same, or a different fingerprint is being used with a mobile app.

  • Reverse Engineering to help defend against hacker programs created to spoof the signals of users (to mimic a victim’s computer, or to hide the thief’s digital tracks) and circumvent fraud detecting fingerprinting technology.

  • Predictive Modeling will eliminate the problem of having to have a device blacklisted once before being able to block fraudulent access. Predictive modeling will identify when a device will be used to commit fraud even if it hasn’t been used fraudulently before. Fraudulently used devices often have patterns in their set of signals. A smart app, when opened, will identify a suspicious device and block usage before a fraudulent act is committed.

Rahul Pangam, Network World, Jul 22, 2016

Tuesday, July 19, 2016

An update on the FBI's Iris Scan Biometric Database

Eye scan data use not new, it’s currently used by the military and private security companies. What is new is the development of a comprehensive database of eye scans by the FBI. The FBI’s iris scan pilot program started in 2013 with over 30,000 arrestee records. The biometric database is at 430,000 and counting.

Existing scans were gathered with info sharing agreements from the US Border Patrol, the Pentagon and local law enforcement in states that have been collecting and storing iris scans, including California, Texas and Missouri.

Iris scans capture a detailed image of the ridges in the colored part of the eye using infrared photography. The iris is as detailed and unique as a fingerprint. Among the reasons for the popularity of iris scans are that they are done quickly and easily, with little or no personal contact.

Research at Carnegie Melon University is developing technology that will be able collect scan data at 40 feet. With the ease of capturing such data, privacy concerns are increasing. One participant in the Carnegie Melon study commented, “I feel negatively about a remote iris scan because I want there to be some kind of interaction between me and this system that’s going to be monitoring me.” *

People want to know and approve that their data is being collected. So far, there has been no public debate or oversight. The bureau is in the process of creating a “privacy impact assessment” report in response to the growing scope of the program, saying currently that the program is bound by “internal information security standards.” **

**The FBI has collected 430,000 iris scans in a so-called 'pilot program'

By Colin Lecher and Russell Brandom for The Verge, July 12, 2016 08:00 am

*The FBI has spent years quietly building a huge trove of eyeball data

By Rafi Schwartz, for Fusion, 7/13/16

Tuesday, July 12, 2016

Retailers are using Facial Recognition Technology to track shoppers, for security and to help boost sales

Discerning shopper photo

Retailers are increasingly using facial recognition technology for security, checking camera footage against known shoplifters and criminals. This is made possible with higher resolution cameras and advanced analytical capabilities.

The same techniques to identity shoplifters are also be used to track customers with the goal of increasing sales. Sophisticated analytics software measure browsing “dwell times,” responses to product displays and traffic flow, helping retailers measure which displays work well, and where the customer traffic is. This helps brick and mortar stores compete against online retailers, which use cookies to track buyers. 

Consumer privacy is a key issue. Is the data being collected and saved? If so, is it secure from hackers? These are the issues and concerns retailers are considering. 

Revealed: how facial recognition has invaded shops – and your privacy 
Chris Frey , Toronto, March 3 2016

Related: a multi-stakeholder NTIA group has agreed to a Code of Conduct for commercial use of Facial Recognitions Technology

National Telecommunications and Information Administration (NTIA) guidelines encourage commercial entities that use facial recognition technology to give individuals the opportunity to control whether their facial template data can be shared with a third party that doesn’t have this information.

Other recommendations for best practices urge commercial organizations to disclose their policies on the collection, sharing, and storage of this information; to provide notice to consumers when facial recognition is used; to takes steps to protect this information; and to provide consumers means of contacting entities regarding the use of this data.

NTIA group agrees on face recognition code of conduct 
22 June 2016 

Thursday, July 7, 2016

A look at the new science of CSI – criminal forensics

Photo collage of fingerprints and digital data

In 2012 the federal government released new guidelines for fingerprint analysis aiming at reducing error. While computers are good at matching prints and searching databases, the human eye is better at matching crime scene prints – often smudged, distorted or partial – to those of a suspect. Final review by experts is subjective, a craft, as good as the training and expertise of the analyst. 

Aside from new guidelines, some experts are in favor of a paradigm shift; instead of stating a match with absolute certainty in a courtroom, the fingerprint analysis should be expressed in terms of the uncertainty in the results, similar to DNA analysis. Experts are also working on more objective ways to analyze the loops, whorls and arches used to compare fingerprints. “The development of such standards is key to making forensic science, well, scientific.”

New advances include DNA phenotyping – reverse engineering the physical likeness of a person from a DNA sample – yielding information such as geographic ancestry, eye color, natural hair color and even the possible shape of facial features. This analysis is useful for eliminating suspects to save time, making a police investigation more efficient. Another new technology is the use of CT scanners that allow doctors to perform virtual autopsies, detecting signs of murder not detected by a standard autopsy.

How Science is Putting a New Face on Crime Solving

National Geographic magazine, July 2016 edition