Thursday, May 25, 2017

Visa and Neon Bank launch selfie pay in Brazil

Photo of a woman shopping via cell phone

Facial biometric identity authentication has been in use by Neon Bank’s 100% digital customers for their bank transactions for almost a year. Now biometric identity authentication by selfie will be used to approve internet purchases. The expected level of accuracy is 99.5%. 

Fernando Mendez, vice president of emerging products for Visa Latin America, says the new selfie pay service will facilitate remote payments and be in sync with consumer trends. Selfie pay will combine security with convenience, improving the customer’s shopping experience.

Using selfies will not replace PIN numbers or fingerprints for physical purchases. A selfie would be required only if the retail establishment requires it for identity verification before completing a transaction. Neither the user nor the commercial establishment receives the selfie taken during the purchase process; it is encrypted and sent to the bank’s databank.

The impact on reducing fraud in e-transactions has not been calculated, but the service is expected to stimulate commerce and the number of transactions. Percival Jatoba, Visa Brazil’s vice president for products, expects to see rapid growth for selfie pay in Latin American countries, as well as other new biometric authentication methods, such as a person’s heartbeat.

Visa, Brazil’s Neon Bank Launch Online ID Service Using Selfies

Latin American Herald Tribune article published May 11, 2017

Thursday, May 18, 2017

An update on the world’s largest biometric database – and it's not in the U.S.

Photo of rural Indian women by McKay Savage

India’s government established an ambitious goal – adding its population of over 1.3 billion people to a biometric database which includes fingerprints, iris scans and photographs. The program was largely developed to aid the poor by streamlining benefits and providing a means of identity – needed to get a driver’s license or apply for a bank account. Linking the 12-digit Aadhaar number to a bank card allows the government to directly transfer cash benefits and subsidies, helping to prevent fraud. This amount of change is not without great challenges. Among the concerns are…

A Twitter account called “Rethink Aadhaar” gives witness to Indians who have suffered because scanners didn’t read their fingerprints correctly, or because their information (such as the spelling of a name) was incorrectly recorded in the database in the first place.

Rapid Expansion
An Aadhaar number is now required to pay taxes, collect pensions, obtain welfare benefits – and it's even needed by children to register for school. Those without an Aadhaar number have trouble getting essential benefits, including food. Children who don’t yet have an Aadhaar number are getting turned away at school registration.

Problems in Rural Areas
Rural villages don’t routinely register births. Also, many rural Indians only have one name. This makes it difficult to get a birth certificate, usually required to get an Aadhaar number. Cell phone reception is also a problem in rural areas. Without the means for a scanner to connect to the internet, how will ID authentication be made?

Unsecured Data
The Center for Internet and Security in New Delhi reported recently that Indian federal and state agencies had published up to 135 million Aadhaar numbers on unsecured websites. With the possibility for leaks such as this, many are worried that their biometric data is not safe. Unlike a PIN number, which is easily changed, biometric data, once compromised, is compromised for life.

Privacy Concerns
A program that was once thought to be voluntary is now becoming mandatory, but not without legal challenge. In response to lawyers arguing that Indians should not be forced to share their biometric data, Atty. Gen. Mukul Rohatgi “countered that Indians had no constitutional right to privacy and could not claim an ‘absolute right’ over their bodies.” Activists are concerned that government intelligence agencies will use Aadhaar database information to spy on citizens.

Supporters say the Aadhaar program will “transform governance,” saving India billions of dollars by curbing tax evasion, and by ensuring that subsidy money is not stolen by middlemen. But it’s important that a program designed to be "hugely empowering" for the poor doesn’t leave the poor behind, and that no Indians are prevented from getting essential services.

India is building a biometric database for 1.3 billion people — and enrollment is mandatory

By Shashank Bengali, Contact Reporter, Mumbai, India. Published May 11, 2017, the LA Times online 

Photo credit: McKay Savage from London, UK [CC BY 2.0], via Wikimedia Commons (Rural Women)

Friday, May 12, 2017

Could a master fingerprint unlock your mobile device?

No two people are believed to have matching fingerprints, but could similarities between partial prints be enough to pass the security check on your smartphone or mobile device?

Fingerprint authentication sensors on smartphones are small and only capture a partial print. Also, many smartphones allow users to save several prints to be used for verification. Identity is confirmed when any of these prints is found to be a match.

Nasir Memon, a professor at New York University Tandon School of Engineering, leads a research team that decided to try and see if a master fingerprint could be created that would be good enough to fool current commercial fingerprint verification sensors and software.

Using a sample of 8200 partial prints, Nasir’s team found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints. They found just 1 potential MasterPrint out of every randomly sampled batch of 800 full prints. (A MasterPrint was defined as a print that would match about 4% of the prints in a random batch of 800.) It was evident that a partial print fingerprint reader had a much greater chance of being spoofed than a full print reader.

With their created MasterPrints, the team reported successful matches with 26 to 65% of users, depending on how many partial prints were stored on the device, and how many log-in attempts were allowed. In comparison, a hacker trying the number 1-2-3-4 has about a 4% chance of successfully logging in to a random smartphone by PIN number.

The researchers emphasize that their testing was done in a synthetic environment, but their research led them to a couple of recommendations. Their high matching results reinforce the need for a multi-factor authentication system. Also, fingerprint sensors on smartphones and mobile devices would benefit by having improved resolution to capture additional fingerprint features. If the resolution is not improved, it’s possible that a user’s prints can be compromised, and thus the security of the smartphone.

Biometric security: Partial fingerprints sufficient to trick biometric security systems on smartphones

Published April 12, 2017 on Homeland Security News Wire

Thursday, May 4, 2017

A new security technology better than passwords or fingerprints?

Photo of notebook computer and cell phone user

The future. That’s what many experts are seeing in behavioral biometrics – a technology that exceeds passwords and fingerprint sensors in secure authentication. Instead of a one-time biometric scan, behavioral biometrics learns the user’s behavior over time. Speed of typing, pressure on the keyboard, speed of scrolling, common errors – all this information is analyzed quietly in the background while the user goes about their normal activity.

Hackers now cost the U.S. economy as much as $600 billion annually, with the number of identity fraud victims up 18% in 2015, affecting 15.4 million Americans. Major financial institutions are already using behavioral biometrics to fight back. For example, banks can use behavioral biometrics to analyze user behavior on online credit card applications, helping to prevent stolen identities. Banks are using behavioral biometrics for improving authentication of online purchases, reducing the number of credit denials caused by false positives (when the bank mistakenly believes you’ve been hacked).

Behavioral biometrics will be very difficult to hack because it’s hard to steal one’s behavior. Hackers are already at work trying to write scripts that mimic human behavior. However, behavioral biometrics is extremely adept at picking out scripted or automated behavior. One recognized drawback is when a user’s behavior or typing habits change. A user with a hand injury could become locked out of their account.

Besides the benefit of enhanced security, the overall convenience provided by behavioral biometrics is undeniable. Instead of the user having to remember changing usernames, passwords and PIN numbers, the device simply remembers the user.

So where is the future headed? Nimrod Vax, co-founder of the privacy management firm BigID in New York, believes “artificial intelligence is the next frontier for all aspects of identification and privacy.” However, he adds, “The password is like a pencil – it’s always going to be there.”

Kari Paul, May 2, 2017, article for