May 2013

air travel, Dubai, eGates, UAE

Dubai airport is adding 14 e-gates to the 14 it already uses

After only five months, the Dubai airport is doubling the amount of biometric e-gates available to passengers.

Dubai Airport’s Terminal 3 to get 14 more e-gates (Gulf News)

Dubai: The smart e-gate system which went operational at Dubai International airport’s Terminal 3 from January 1 this year is being expanded with 14 new e-gates becoming operational in a month’s time, taking the number of smart e-gates to 28, according to emaratech, the company which has engineered and powered the project.

The new smart e-gate system and the technology behind it were demonstrated at the 13th Airport Show. Sunil Gulia, emaratech’s technical manager, said the smart e-gate system has already seen close to 70,000 passengers registering since it started, but the number of times the gate has been used is much higher due to frequent fliers.

UPDATE:
20 seconds to get through UAE immigration, thanks to Smart Gates (The National)

Three passengers will be able to be processed each minute using the new system and “Smart Gates” – a vast improvement on the current average wait of about an hour.

identification, passwords, verification

How I learned to quit worrying and love the password

Even in a world saturated with biometric ID management applications, Username/Password verification will still be around.

For one thing, there is no logical limit to the number of password hoops users can be made to jump through, with increasing ID confidence with each consecutive correct answer. The web site for one financial services company I use asks for four pieces of information before allowing me to access the account:

  • user name (a sort-of password)
  • password
  • PIN (really just a shorter password)
  • (and since I have cookies pretty well locked down on my most-favored browser and haven’t bothered to create some sort of exception) one of a menu of security questions is asked every time I log on.

Even though the human representatives employed by this company are uniformly delightful, efficient, and helpful individuals any number of other ID steps could be added to the process before I shunned the web site. After all, the ID steps on the phone with the call center are no less rigorous.

For another, people aren’t the only things that claim an identity before accessing IT systems — computers do it, too, and they don’t have biometrics. Passwords are also a cheap, well-understood, flexible technology that supports certain access control models that biometric techniques don’t.

The challenge that system-designers interested in biometrics now face is to identify where using Username/Password is too risky (or piling them up, too cumbersome), and where biometrics can be used to reduce risk to an acceptable level. This requires identifying everything currently authenticated with a Username/Password and a determining which of these things are more efficiently protected using biometric authentication, then implementing the change. This is far easier said than done.

For starters, and we’ve been banging this drum for a long time, it’s a really good idea to require biometrics for access to tables of stored usernames and passwords. The long and short of it, however, is that passwords are going to be around for a long, long time.

As long as that’s the case, it’s good to know a little more about how passwords work as a technology and the following article is a great resource.

Passwords: How to choose one and why we need them (PHYS ORG)

Perhaps it is because they are so ubiquitous that we take them for granted without ever really understanding how they work. Passwords are an example using of something you know to prove your identity. In security circles it is often said the way we prove our identity falls into three categories:

  • something you have, such as a bank card
  • something you are, such as some form of biometric such as a photograph of the user, fingerprint or iris scan
  • something you know, with passwords being the most common example

What are passwords really made of?

Well-designed password systems never store passwords directly. What’s stored instead is

  • the hash – a cryptographic function that takes a sequence of characters or numbers and generates a sequence based on it
  • the salt – some additional characters which do not form part of the password, but are added during encryption to make it harder for hackers to hack password files

The output of a hash function tells you very little about its input so is very difficult to reverse. It takes vastly more computation to reverse a hash value than it takes to calculate it. When a password is entered into a system, the hash of the password and any salt value is calculated and compared with the stored value.

Read the whole thing. It’s quite good, ending with two points upon which the author and I are in complete agreement: There is nothing as cheap and as well understood as passwords. They are likely to be around a while yet.

Like any other technology, there’s a right way and a wrong way to use passwords. If you get to know them, when to use them, how to use them properly, and the techniques used to undermine them, your relationship with the password can be a long and happy one.

See also:
Why passwords are great;
More on the awesomeness of passwords;
Coopetition: Biometrics and Passwords and
Biometrics, passwords & the Illinois water plant hack attack

Tangentially related…

UPDATE: Government lab demonstrates stealth quantum security project (GIGAOM)

Quantum cryptography is supposed to be a kind of holy grail solution for securing the smart grid, cloud computing, and other sensitive networked resources. The technology is still experimental, with only a handful of companies globally providing quantum key distribution services. Now, researchers at Los Alamos National Lab have quietly revealed that they’ve successfully been running what amounts to a mini quantum internet for the past two-and-a-half years.

The basic premise of keeping information secret using quantum mechanical phenomena lies in what is popularly called the observer effect. A quantum message, sent as photons, will be permanently altered if someone observes it, so the sender and recipient will be able to tell if there was a breach.

AFIS, child care, criminal background check, fingerprint, Georgia, US

US: Background check requirements for working in child care facilities

Fingerprint background checks for day care workers in Georgia (Biometric Update)

Georgia’s governor, Nathan Deal has just signed a bill into law that will see national fingerprint and criminal record searches performed for day care workers.

Georgia is joining the 32 states* requiring a check of the FBI fingerprint database and 30 states that require a sate-level fingerprint check for employment as a child care provider.

A table of state-by-state Child Care Center Regulations [pdf] compiled by Child Care Aware® of America shows which states require fingerprint searches of state and federal databases.

Here’s a summary:

The linked pdf contains information on what type of background check (Federal fingerprints, state fingerprints, criminal record check, child abuse registries, sex offender registries) is conducted in each jurisdiction.

The document is current as of April 17, 2013 and the aforementioned table has notes changes in the law that aren’t yet in force.

Observations:
A few states require a search against one of the fingerprint databases but not the other.
Many states require a search against both fingerprint databases but not the state’s sex offender registry.

*plus the District of Columbia and the U.S. Department of Defense. The study accounts for 52 political entities referred to as “states” throughout this post.

education, fraud, India, standardized test

INDIA: Six people impersonated for 87 students on admittance tests (PaGaLGuY)

In a press conference held today at the NMIMS Mumbai campus, vice-chancellor Dr Rajan Saxena said that the school had filed an FIR about the impersonation on April 24, 2013. When asked if checks and balances could have been stronger during the NMAT stage itself to flag such impersonation he said, “In hindsight, it could have been but it is only because of the quality of the admission process that this has been detected.” Asked if the test would be made more secure next year he replied, “It would be difficult to say now. We will look at it.” Unlike the Common Admissions Test (CAT) and the Graduate Management Admission Test (GMAT), the NMAT does not employ biometric scanning measures such as fingerprint or palm-vein profiling, used to prevent impersonation, during the test check-in process. Despite arguably weaker security measures, the NMAT costs Rs 1,650, higher than the CAT which costs Rs 1,600.

More expensive and less exact is a tough value proposition for a testing service to maintain unless, you know, the target customer is one who will pay more for less exactitude. That doesn’t mean the universities have to go along with it, though.

India, UID

Who know’s what’s going on here? Rumors that people were going to get cut off from subsidized LPG probably made some people mad, but it almost certainly made some people accelerate their plans to get a UID number.

UPDATE:

Confusion over LPG-Aadhaar link in Chennai (The Hindu)

LPG distributors of various oil companies in the city say they have not received any instructions about the scheme to link Aadhaar numbers to LPG subsidies.

The recent Central government announcement about plans to provide subsidies to LPG subscribers directly to their bank accounts from October 1 using the Aadhaar (unique identification) number has left residents and distributors, somewhat confused.


Wednesday, May 1, 2013

Get Aadhaar card or pay double for LPG from October (Times of India)

AFIS, fingerprint, interoperability, law enforcement

“Any sufficiently advanced technology is indistinguishable from magic.”

— Arthur C. Clarke

Fingerprint led to arrest in Dollar General killings, detective testifies (Wichita Eagle)

Detective Tim Relph said a video camera showed the killer walking into the store and quickly leaving after shooting two people with a .22-caliber handgun. The killer tried to exit the store through an entrance door before realizing that the door wouldn’t open from the inside, Relph said. The finger and palm print left on that entrance door proved to be the key to solving the case, he said.

The shooting occurred at 8:01 p.m. on Nov. 30, Relph said, and a computerized fingerprint classification system identified Marshall as a possible suspect by 3:45 the next morning. By 4 a.m., he said, a fingerprint examiner confirmed that the print came from Marshall.

“By 4:30 in the morning there were 50 police officers looking for him,” Relph testified.

Shooting at 8:01 PM. Positive ID before 4:00 AM. That’s less than eight hours. Sometimes, we’re led by various television programs and movies to believe that the process is much quicker than that.

In actuality, given the steps involved, the eight hour turn-around is magical. Because…

Law enforcement, NIST making fingerprint files easier to search (GCN)

Not all AFIS are alike, however. State and local agencies often maintain their own databases, and although there can be some interoperability in a vertical hierarchy of local, state and federal databases, there is very little interoperability horizontally between neighboring jurisdictions. To search different databases, examiners must mark distinctive features for fingerprints manually for different systems, using different coding, notation methods and data definitions.

See also: Law enforcement interoperability, though little discussed, is a big deal

It looks like quite a lot of progress is being made on the interoperability challenges we’ve discussed from time-to-time.

Asia, forecast, market

U can’t touch this…

ASIA/PACIFIC:
The touch-less sensing market is expected to reach $1.89 billion by the end of 2018 at a CAGR of 29.30% (Markets and Markets)

From the summary…

The increasing security concerns in the major countries of the region have pushed for the need of accurate and reliable biometric systems. The e-passport program has picked up pace in many countries and the Aadhaar number initiative by the Indian government have created huge demand for the touchless biometrics. The touchless sanitary market that includes products like touchless faucets, touchless soap dispensers, touchless hand dryers and so on, will witness growth in their shipments as the governments increase their focus on hygiene in the region.

The demand for touchless biometrics is on the rise owing to the accuracy on the part of the system. The contact-less biometric solutions are more hygienic as compared to the touch-based biometric systems. The touch-less sensing market is expected to reach $1.89 billion by the end of 2018 at a CAGR of 29.30%. The key players in the touch-less sanitary equipment market are iTouchless (U.S.), simplehuman LLC (U.S.). The key players in touchless biometric solutions include NEC Corporation (Japan), Fujitsu Limited (Japan), TST Biometrics (Germany), Touchless Biometric Systems (Germany), and IrisGuard (Switzerland). Majority of the global players have strong presence in the APAC market.

The huge demand for Smartphones and Tablets is a definite driver for the gesture recognition market in the APAC region. This is evident with the number of product launched, from the OEMs in the last two years. A number of OEMs, who have their footprint globally and in local markets, have launched products ranging from smartphones to smart TVs. The figure below shows the trend of the APAC gesture recognition and touchless sensing market from 2012 till 2018.

Gesture recognition is still in the emerging phase but has proved to be the next generation technology that has the potential to revolutionize the way humans interact with machines. The technology is currently being integrated majorly into consumer electronics. This would help to push the technology towards maturity and in turn the decrease in price. Slowly, automotive application and healthcare would emerge as potential applications for the gesture recognition market in the near future.

development, India, UID

IMF sees substantial savings from UID

Direct cash through Aadhaar to save 0.5% of GDP for India: IMF (New Indian Express)

Integration of direct cash transfer with Aadhaar will take time but the scheme will help Indian government save 0.5 per cent of the GDP, International Monetary Fund (IMF) said on Monday.

“… the total savings could be substantial: if the combination of direct cash transfer and Aadhaar eliminates the estimated 15 per cent leakage cited above for the programmes being integrated, savings could total 0.5 per cent of GDP in addition to the gains from the better targeting of spending on the poor,” the IMF said in a report.

That may be an undersetimate.

face, public, surveillance

Poll: Public not too worried about surveillance and face recognition

Americans mostly in favor of facial recognition at public events: poll (Biometrics Update)

From the report, 59% oppose email and cell phone surveillance (up 13% from 2006), but 79% are in favor of using facial recognition at various locations and public events and 81% support expanded camera surveillance on streets and in public places.

The public probably senses that there are a lot of ways to deploy facial recognition that are much less invasive of privacy than snooping on emails and hacking cell phones.

China, education, face, time-and-attendance

Calling the roll with face rec

It doesn’t take a Ph.D.  to read the same list of people’s names over and over again. So why do we make them do it?

Facial-recognition use grows as accuracy rises, cost declines (China Daily)

Wei Xiaoyong, an associate professor at Sichuan University, used to worry about taking roll call for his class of 100 students.

“It is time-consuming. But students who attend classes every day say it is unfair if I do not do it.”

Wei eventually found the solution – a face recognition system.

With the system, all he has to do is to use an ordinary pocket camera to take a picture of the class. Wei then uploads the picture and the computer will automatically find out who showed up for class.

Wei has not noted a single absence since he started using the system.

border, immigration, US

Know your fingerprint terminology

Handy-dandy fingerprint terminology reference…
The definitions are longer and more detailed at the link.

What Is a Patent Fingerprint? (AZCentral)

If you’re in the business of crime scene investigation or forensic lab analysis, you have to know your fingerprint terminology. Fingerprints are complex natural patterns, and fingerprint professionals use a sophisticated jargon to describe their appearance.

Patent Fingerprint – visible image of a person’s fingertip left on a surface as a result of residue on the finger.

Plastic Fingerprint – impression left in a pliable substance, such as clay, wax or wet paint.

Latent Fingerprint – print left on a surface as the result of natural oils on the skin

Exemplar Fingerprint – deliberate print specifically made as part of a record

Africa, border, ECOWAS, law enforcement, leap-frogging, Nigeria

US & EU to help Nigeria with fingerprint biometrics in counter-terrorism effort

Insecurity: US, EU renew support for Nigeria (The Nation)

“We have figure prints of possible over 10 million travellers at the same time in a system. We are expanding in Nigeria, Chad, Burkina Faso and we are doing a major upgrade in Ghana. We are possessing about 10 thousand finger prints per week in West Africa.”

When reporters sought to know what the US stood to gain in the partnership, Moro responded that the assistance was at no cost to the country but an extension of a hand of fellowship from a caring ally.

Other members of the delegation are: Mr. Dwight Brown, Miss Theresa Keens, Mr. David Svendsen, Mary Johnson, Thaddaeus Hoyt and Diana Kohn, who are programmes personnel at the US Embassy.

The European Union also renewed its continued support to the Federal Government “until terrorism is defeated”. Ambassador and Head of Delegation of the EU to Nigeria and the Economic Community of West African States (ECOWAS) Dr David MacRae, dropped the hint at a media luncheon hosted by the commission in Abuja.

This news article from yesterday provides important context.

Nigeria: Boko Haram Threat Chokes Trade With Cameroon (All Africa)

Cameroon has stepped up security over the Boko Haram (BH) threat.

In November 2011, Nigeria shut its border with Cameroon, prompting Yaoundé to bolster security in the largely Muslim Far North Region, close dozens of Koranic schools and hand over suspected BH members to Nigeria, which reopened the border in 2012.

Despite the intensified security, suspected BH militants on 19 February abducted seven French tourists, including four children, from a national park in the Far North Region, freeing them two months later.

Cross-border trade sustains the local economy in the Far North Region which sells onions, rice, maize, livestock and other agricultural goods to Nigeria, and imports sugar, cement, textile and electronics.

“Tight border security and checks are making business impossible for some of us. This was worsened by the kidnapping of [the French] tourists. Today all the goods must be checked before entry, and taxes are so high,” said Doudou Yaouba, a trader in Maroua, the regional capital.

This last, detailed, article illuminates major concerns within ECOWAS and among other interested parties. Biometrics can be a leap-frogging technology for providing domestic services, as in India’s UID project. They can also be a leap-frogging technology for bringing less rigorous international security protocols into a standard operating environment where highly sophisticated capabilities can be brought to bear.

finger vein, fingerprint, modality, vascular

Why some might prefer finger vein to fingerprint

‘Finger vein recognition system’ promises security (Times of India)

[…C]opying and hacking fingerprints to breach security can be stopped by mapping people’s veins to verify their identity. This model can be used to make up for errors and loopholes in the biometric system, where finger prints can be copied easily.

“Using the blueprint of our veins, areas like credit card security and other time attendance systems can be strengthened.

Even shorter answer: there’s no latency.