Finextra Research

Stephen Wilson

Managing Director, Lockstep Consulting
Member since: 24 Apr 2008
Location: Sydney
Opinions: 34

Stephen's comments

National ID card and biometrics in banking

With respect Chris, instead of simply bowing to the inevitable, why can't you answer the questions I've asked over and over on this blog and on swiftcommunity ... 

- what to do about identity theft?

- what are acceptable false accept, false reject and fail to enrol specs?

- what degradation in accuracy is permissible when trying to interoperate between vendors?

- what to do about false detect / false accept tradeoffs when security and customer convenience are at odds?

Cheers,

Stephen Wilson, Lockstep.  

06 Jul 2008 21:30

National ID card and biometrics in banking

I don't write biometrics off because of their past failures.  I write them off because of the dozen or more really fundamental issues that nobody seems able or willing to answer.

Biometrics really is the Wild West of information security.  There are dozens of vendors and competing technologies, none of them interoperable, many based on research that is barely out of the labs, no standards for testing performance, an endemic reluctance to reveal false detect and false reject rates, usually no mention at all of failure to enroll rates, no answers whatsoever on the show-stopping question of revocation, state of the art liveness detection being debunked on "Mythbusters", and the most flagrant, gimmicky marketing, appealing to science fiction movies as if there were case studies. 

Does anyone even care about these issues?  I'm astonished sometimes that in the banking sector, where security professionals are properly conservative and sensitive to snake oil, respected commentators can exhibit such credulity over biometrics. 

Cheers,

Stephen Bloody Wilson

Lockstep.

06 Jul 2008 11:38

National ID card and biometrics in banking

I'm sure the sheer popularity of biometrics gladdens the heart of vendors, but when are we going to get answers to these and other questions? The thread on swiftcommunity that Chris Skinner cites ran dry without a single response to any of my questions. 

There is so much that is literally unreal about these technologies. I repeat for the umpteenth time: what are they going to do when a biometric gets stolen?

I have seen biometric vendors actually open their presentations with clips from "Diamonds Are Forever" or "Minority Report". These are fiction, for heaven's sake!  Worse, in "Diamonds ..." James Bond shows how easy it is to steal and replicate someone else's prints! It's surreal.

For the 11 out of 11 bankers who have been won over, I'll show you:

- the failed Australian warehouse fingerprint attendance system

- Heathrow Airport withdrawing their fingerprint system

- the prison where inmates could fake warders' prints

- Tampa Police dropping their face recognition system

- Failure of face recognition at Boston Logan Airport  

Not to mention advice from the UK Government's CESG (the peak information security authority) that to avoid spoofing, biometrics are best used in supervised locations.  Good idea in branches but where does that leave ATMs? 

Cheers,

Stephen Wilson.

06 Jul 2008 00:41

Massive ATM fraud in the US - who is to blame?

Dean Procter wrote:

"have you looked at those card specs? They're dumber than a Commodore64 and you can't even protect your Duo core PC".

You're comparing apples and oranges Dean.  The reason we cannot protect a duo core PC is that the security target for a general purpose personal computer is far too complex, and the operating system in particular was not designed with security top of mind.  But with smartcards, starting from scratch, we have the luxury of making security a priority. Furthermore, we have a very very restricted computing model, making testing vastly easier, and security weaknesses vastly rarer.  

And so, for example, the MULTOS smartcard operating system achieves Common Criteria certification at the very top level, almost unheard of outside of defence departments.

The dumbness of smartcards relative to full blown PCs acts in favour of security, not against it.

Cheers,

Stephen Wilson

The Lockstep Group.

05 Jul 2008 05:48

Massive ATM fraud in the US - who is to blame?

Using biometrics -- especially fingerprints -- as an approach to solve ATM fraud could be disastrous.  These are so easy to steal, clone and otherwise work around that it's almost comical.  To avoid lengthy queues at an ATM, the false accept / false reject ratio in the detectors needs to be tuned towards lower false reject, and therefore higher false accept, making them even more vulnerable to attack. 

For details on the vulnerability of fingerprint detection, have a look at:

http://www.schneier.com/crypto-gram-0205.html#5  

http://en.wikipedia.org/wiki/MythBusters_(season_4)#Fingerprint_Lock 

http://www.heise.de/ct/english/02/11/114/

I've researched and summarised a range of other fundamental problems with biometrics at Babystep 3: Biometrics under the microscope.

Cheers,

Stephen Wilson.

05 Jul 2008 04:11
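A worked illustration of the false accept / false reject tradeoff raised in the 05 Jul 2008 comment above, and of the earlier question about what acceptable FAR, FRR and failure-to-enrol specs would even look like. This is an added example, not code from Stephen Wilson or Lockstep: the matcher scores are constructed numbers, and the 0-100 score scale and the 5% false-reject "queue budget" are assumptions made for the demonstration.

```python
from typing import Sequence, Tuple

# Constructed matcher scores (0-100, higher means a closer match) from one
# hypothetical fingerprint sensor: 20 genuine attempts, 20 impostor attempts.
GENUINE = [92, 88, 95, 70, 85, 60, 97, 80, 90, 75,
           83, 66, 91, 87, 55, 94, 78, 89, 72, 96]
IMPOSTOR = [20, 35, 10, 62, 45, 30, 68, 15, 52, 40,
            25, 58, 33, 71, 12, 48, 38, 22, 65, 28]


def far(impostor: Sequence[float], threshold: float) -> float:
    """False accept rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False reject rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                     lo: int = 0, hi: int = 100) -> Tuple[int, float]:
    """Integer threshold at which FAR and FRR are closest, and the rate there.
    This is the single figure vendors like to quote; it says nothing about
    where the system is actually tuned in the field."""
    t = min(range(lo, hi + 1),
            key=lambda x: (abs(far(impostor, x) - frr(genuine, x)), x))
    return t, (far(impostor, t) + frr(genuine, t)) / 2


def tune_for_convenience(genuine: Sequence[float], impostor: Sequence[float],
                         max_frr: float, lo: int = 0, hi: int = 100) -> Tuple[int, float, float]:
    """Highest threshold that keeps FRR within the 'no queues at the ATM' budget.
    Returns (threshold, far, frr); the FAR is the price paid for convenience."""
    for t in range(hi, lo - 1, -1):
        if frr(genuine, t) <= max_frr:
            return t, far(impostor, t), frr(genuine, t)
    raise ValueError("no threshold meets the false reject budget")


if __name__ == "__main__":
    print(" thr   FAR    FRR")
    for t in range(50, 81, 5):
        print(f"{t:4d}  {far(IMPOSTOR, t):.2f}   {frr(GENUINE, t):.2f}")
    eer_t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"equal error rate {eer:.0%} at threshold {eer_t}")
    t, fa, fr = tune_for_convenience(GENUINE, IMPOSTOR, max_frr=0.05)
    print(f"FRR capped at 5%: threshold {t}, FAR rises to {fa:.0%}, FRR {fr:.0%}")
```

Sweeping the threshold makes the point concrete: on these constructed scores the equal-error threshold sits where both rates are 10%, but holding false rejects to 5% so that queues stay short drops the threshold to 60 and doubles the false accept rate to 20%. A vendor spec that quotes only one of the two rates, or quotes them at different thresholds, is not telling you what the deployed system will do, and none of this says anything about the failure-to-enrol population, who never get a score at all.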

Tech Giants to Save Us

Dean,

One of the most disconcerting claims anyone can make in any branch of IT, especially identity, is that their solution is "one size fits all".  You really shouldn't dismiss 'context', 'assertions' and 'multiple identity' as being buzzwords.  These are modern ways of understanding the plurality and complexities of 'identity'; they characterise most of the current literature on the subject. 

You are evidently frustrated by a lack of broader engagement with your approach.  It would help us all if your proposal was transparent.  Why don't you publish your work, expose it to scrutiny, let us see for ourselves how good it is? The claims you make are quite extraordinary, but without any substantiation, well, you know what they say about something that sounds too good to be true ... 

Cheers,

Stephen Wilson.

25 Jun 2008 23:53

Tech Giants to Save Us

Take care Dean, this is important.  

They're talking about "Info Cards", as pioneered by Kim Cameron at Microsoft.  This is the most important and best supported initiative in identity for many years, it's not trivial.  Start by looking at www.identityblog.com.

It's not mentioned in the article, but Project Higgins is a generalisation of Microsoft's work.  Not only is Higgins open source, but they have abstracted "information" cards to "relationship" cards.  Very powerful stuff.

You don't need readers necessarily.  Info Cards are virtual -- they are graphical icons that map onto sets of SAML and WS* based 'assertions' or 'claims', that themselves are implemented on a range of technologies.  Some InfoCards are soft, while some are on smartcards or smartphones. 

You obtain Info Cards from "Identity Providers", many of which in future will be extensions of the sorts of institutions we currently have relationships with -- banks, government licensing agencies, communities.  The meaning and value of any given Info Card is context dependent.  People will likely pay for them accordingly, just as they currently pay (or not) to have a bank account or a store account. 

My advice is that no identity technology developer can afford not to be ready to integrate with Info Cards.  

Stephen Wilson.

Lockstep Group. 

24 Jun 2008 21:00

Password sharing in the National Health Service

The inclination to share passwords is the bane of many policy wonks' existence.  It arises naturally when humble users seek work-arounds to improve their day-to-day workplace situation.  A culture of work-arounds is especially prevalent throughout healthcare technology (not just health IT) as smart professionals working in close teams with dozens of 'machines that go ping' strive to get the most out of their equipment and to compensate for all-too-common shoddy user interfaces. 

In the specific case of computer logon, we're all caught up in the transition from username+password to something smarter and more robust.  I am one of those who have great belief in smartcards, because of their power as holders and notarisers of personal credentials, and also because they are so intuitive.  We have all been trained for decades to pop a card into a slot, enter a password, and get things to happen.  It's the most natural form factor for computer logon (perhaps using contactless cards in many hospital settings, with or without PIN depending on the application concerned).  Response times in smartcard log-on should be near instantaneous. The practical deployment of systems like Sun Rays is encouraging, where telecommuters enjoy added features like session portability, which is a huge benefit in healthcare.

The dreadful logon delays in the new NHS systems I think have something to do with the centralisation of healthcare professionals' credentials.  There is a two-stage process of first identifying a user, followed by extracting their authorisations from a central repository.  IMHO credentials are better secreted in the smartcard, notarised by digital signature, so that remote systems can rely on their 'pedigree' without referring in real time to central mission critical gateways that must be engineered with stupendous availability and bandwidth so as to limit bottlenecks.

Cheers, 

Stephen Wilson.

03 Jun 2008 02:57

Ditch the cards and the card fraud is gone...

Dean wrote: "don't get all emotional about losing the card - it's going to happen". 

Um, I'm not emotional about cards myself, I just don't see how mobile payments solutions will get rid of them.  There are many transaction settings which will not move away from cards quickly: ATMs, EFTPOS, over-the-counter banking, and human readable proof of entitlements (from driver licences and health insurance all the way to airline lounge membership cards). At the same time, the card form factor is being embraced by Microsoft and PC manufacturers for identity management. 

And you might lampoon precious metal coloured cards but nevertheless, the physicality of plastic offers a tangible marketing and branding medium for banking products that cell phone displays do not.  A simple but effective example: nobody at the British Airways Executive Club desk is going to let me in based on a picture of a BA card on my phone, even if it were a fancy iPhone (come to think about it, especially if it were an iPhone).  For more on the non-technology issues here, I like Bruce Schneier's elegant account of the problem with single multiple-purpose cards; see below. 

So it seems to me that cards will be around for ages.

Mobile commerce and payments might be great, and they might indeed displace some online transactions, but they will live alongside cards; they won't replace them.  

What I don't buy is that mobile technologies offer a unique class of security services compelling enough to obsolete smartcards. 

[In fact, the dominant transaction security method using mobile phones today -- SMS one time passwords -- is a pretty clunky stop-gap measure that has found a temporary niche in the ecosystem because on its own, the Internet channel is vulnerable. I don't think there is a strong long term argument for two channel authentication in addition to two factor. I say make the main channel more secure and the attractiveness of SMS goes away.]

If there were to be a single convergent approach to transaction security, I would put my money on cards, because smartcards work in both web and bricks-and-mortar settings, whereas phones don't.  We probably agree that in general, chips, in one form or another, offer the sort of systemic breakthrough for identity safety that is needed to address whole categories of fraud, including card-not-present fraud.  What I like about chips in cards is they can be used across many more channels than chips in mobile phones can: web (when integrated readers become standard) as well as ATM, POS and counter, using today's terminal infrastructure.

[I will grant you smartcards on their own are still not quite enough.  For example, we still need to work on hardening PIN capture in PCs, but I think TPM will help with that.  And in any event, PIN capture by telephone keyboard isn't immune to tampering and sniffing; indeed the whole issue of malware on cell phones is set to blossom.]  

Dean -- I am interested in the Transinteract work (and I am sure it's in a league all of its own, not to be compared with SMS one time passwords).  Are there any whitepapers or case studies available? 

Attachment: Extract from Bruce Schneier on Multi-Use ID Cards (2006)

"You don't -- and won't -- have a single card in your wallet for everything. It has nothing to do with security.

"My airline wants a card with its logo on it in my wallet. So does my rental car company, my supermarket and everyone else I do business with. My credit card company wants me to open up my wallet and notice its card; I'm far more likely to use a physical card than a virtual one that I have to remember is attached to my driver's license number. And I'm more likely to feel important if I have a card, especially a card that recognizes me as a frequent flier or a preferred customer"

08 May 2008 05:40

Ditch the cards and the card fraud is gone...

In thinking about these problems, let's remember that "card fraud" is a bit of a misnomer. Much card fraud is a special case of ID theft or 'identity takeover', it just happens that the identity data concerned is usually carried on a magnetic stripe card.  And therein lies the problem -- the data in this form is exposed to takeover and replay.

Ditching the cards to stop card fraud would be like getting rid of all windows to stop break-and-enter.  It's not the windows per se that matter, but their security.

The way to deal with "card fraud" is not necessarily to get rid of cards, but rather make them more secure.  Cards are such a universal form factor they just couldn't disappear overnight. 

Chip-and-PIN goes a long way.  The next step -- and it's getting urgent -- is to leverage Chip-and-PIN cards online to fight CNP fraud.  I advocate using the chips to notarise (digitally sign) cardholder details transmitted from browsers in e-commerce, to thwart replay attack on 'naked' card details. 

The same approach could be implemented in 2.5G SIMs, if there is a trusted process for translating credit card details from the issuing bank into the SIM. 

07 May 2008 00:02
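A toy of the chip-notarised transaction proposed in the 07 May 2008 comment above, which also illustrates the point in the 03 Jun 2008 NHS comment: a digitally signed credential can be checked by the relying party with nothing but the public key, with no real-time call to a central gateway. This is an added example, not code from Stephen Wilson or Lockstep. It uses textbook RSA over two well-known Mersenne primes purely so that it runs offline on the Python standard library (a real chip would hold a properly generated, issuer-certified key and use a padded signature scheme), and the card details, nonce format and merchant bookkeeping are constructed assumptions made for the demonstration.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Tuple

# Toy card key: textbook RSA built from two well-known Mersenne primes so the
# example runs offline on the standard library alone. A real chip would hold a
# properly generated, issuer-certified key and use a padded signature scheme.
_P = 2**61 - 1
_Q = 2**89 - 1
PUBLIC_N = _P * _Q          # public modulus: what the merchant holds
PUBLIC_E = 65537
_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # private exponent, never leaves the card


def _digest(message: bytes) -> int:
    # truncate to 128 bits so the value is always below the modulus
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def card_sign(message: bytes) -> int:
    """Performed on the chip: notarise the message with the private exponent."""
    return pow(_digest(message), _D, PUBLIC_N)


def verify(message: bytes, signature: int, n: int = PUBLIC_N, e: int = PUBLIC_E) -> bool:
    """Performed by any relying party holding the public key; no call to the issuer."""
    return 0 < signature < n and pow(signature, e, n) == _digest(message)


def canonical(payload: Dict[str, str]) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Merchant:
    """Relying party: hands out one nonce per checkout and refuses to see it twice."""

    def __init__(self) -> None:
        self._issued = set()
        self._consumed = set()

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self._issued.add(nonce)
        return nonce

    def accept(self, payload: Dict[str, str], signature: int) -> str:
        nonce = payload.get("nonce", "")
        if nonce not in self._issued:
            return "reject: unknown challenge"
        if nonce in self._consumed:
            return "reject: replay"
        if not verify(canonical(payload), signature):
            return "reject: bad signature"
        self._consumed.add(nonce)
        return "accept"


def cardholder_checkout(merchant: Merchant, amount: str,
                        card: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Browser obtains the merchant's nonce; the chip signs nonce + amount + card details."""
    payload = {"nonce": merchant.new_challenge(), "amount": amount, **card}
    return payload, card_sign(canonical(payload))


def demo() -> List[str]:
    """One honest purchase and three attacks on the wire; returns the merchant's verdicts."""
    merchant = Merchant()
    card = {"card": "constructed-demo-card-0001", "expiry": "12/29"}  # constructed, not a PAN
    payload, sig = cardholder_checkout(merchant, "49.95", card)

    # 1. Man-in-the-middle bumps the amount before the message reaches the merchant.
    tampered = dict(payload, amount="4995.00")
    verdicts = [merchant.accept(tampered, sig)]
    # 2. The untouched message arrives.
    verdicts.append(merchant.accept(payload, sig))
    # 3. An attacker who captured the whole message replays it verbatim.
    verdicts.append(merchant.accept(payload, sig))
    # 4. An attacker holding the 'naked' card details asks for a fresh nonce but has no key.
    naked = {"nonce": merchant.new_challenge(), "amount": "49.95", **card}
    verdicts.append(merchant.accept(naked, 0x1234567890))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The difference from magnetic-stripe data is that the card details are never accepted on their own: the same payload and signature presented twice are refused because the merchant's challenge has been consumed, an altered amount breaks the signature, and captured details without the chip's private key cannot satisfy a fresh challenge. The merchant needs only the public key to decide, which is the offline-verification property the NHS comment argues for.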

Stephen writes about

  • security
  • payments
  • regulation & compliance

Stephen's opinion archive

  • 2012 (3)
  • 2011 (6)
  • 2010 (6)
  • 2009 (9)
  • 2008 (10)

© Finextra Research 2025