US: Government sues energy company over biometric time clocks

U.S. sues company over miner’s religious objection to handscan (Reuters)

The Equal Opportunity Employment Commission filed a lawsuit against Consul Energy Inc, stating that Beverly Butcher Jr. had worked at the company’s coal mine in Mannington, West Virginia, for more than 35 years, until he was required to use a biometric hand scanner to track his hours.

Consul, with headquarters in Western Pennsylvania, was accused of discriminating against Butcher, who repeatedly told mining officials that using the scanner violated his Evangelical Christian beliefs, given his view of the relationship between hand-scanning technology and the mark of the beast in the New Testament’s Book of Revelation, the lawsuit said.

More TouchID hack push-back

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. (Lookout)

Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.

Read the whole thing. It’s good.

Our post on the CCC hack is here.

Touch ID was hacked, but no one cares (ITWeb)

Headline writer gets it backwards

Today I came across what might be a perfect example of a biometrics headline/article non sequitur.

The article linked below is pretty bullish on biometrics from both the convenience and security angles. In addition to favorable quotes from a user and an industry executive, an Electronic Privacy Information Center (EPIC) staff member is quoted speaking of biometric technologies in favorable terms. As long-time readers may recall, that hasn’t always been the case.

Given all that, it’s hard to comprehend why the headline writer went with:

New technology causes new privacy, security concerns (WJXT – Jacksonville, FL)

I’d quibble that the headline writer has it backwards. On the article’s own terms a better headline would be, Privacy, security concerns fuel new technology, but reading the article might have given me an unfair advantage.

United States: Entry-exit system back in the news

Biometric ID viable at U.S. entry points: report (Washington Times)

Federal law has long called for all visitors to the U.S. to submit to biometric identification both coming and going, but the government has never lived up to that promise — and senators in their immigration bill this year even announced a retreat, weakening the law, saying the requirement is too expensive.

But a report released Tuesday by the Center for Immigration Studies says biometric identification can be implemented easily and at a fraction of the cost estimated by government officials.

See also: Who’s in my country? That’s a tough one.

More context for fake fingers

Here’s what you need to know about the Apple TouchID “hack” (GigaOM)

So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.

But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.

Chaos Computer Club’s re-run of the old rubber finger trick

Apple’s stated purpose for installing a fingerprint reader on its new iPhone is to give people who aren’t currently protecting their mobile hardware at all a more convenient way than passwords to do so.

Great, right? The number of mobile devices left unprotected will go down, sparing some non-trivial number of individuals the heartache of having their devices accessed in a way they didn’t authorize. Hooray Apple!

Not so fast!
The Chaos Computer Club thinks that’s a really “stupid” way to look at things. They think that because it was so “easy” for them to create a rubber finger (likely with the full participation of the user) in a matter of (at least) hours, only a moron would use the technology.

Chaos Computer Club breaks Apple TouchID.

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown. [ed. bold emphasis added]

While both of the parts above in bold type are false, they are false in different ways. The first part, “using easy everyday means”, is only a fib. The process described is “easy and everyday” kind of like manufacturing dentures is easy and everyday. Sure, it happens every day, but it isn’t like making brownies.

The second bolded part, that biometrics is “fundamentally a technology designed for oppression and control”, is indistinguishable from the ranting of a conspiracy theorist.

There’s something vaguely embarrassing about people who claim to know a lot about technology, but who display no understanding of its use or appreciation for its context. When they also presume to tell everyone else what to do, it begs a response.

The CCC shows either a total ignorance of the purposes of security technologies or a belief that the world is a one-size-fits-all security market. Either way, they come off as contemptuous of ordinary people who might want a more convenient way to increase their own security and the people working to give it to them.

It’s one thing to point out how new technologies are fallible. All technologies are and it is important that consumers understand how that is the case. It’s another thing to try to scare people away from adopting security techniques that will leave them safer than they are now and are convenient to use.

Apple’s implicit point is that when it comes to protecting access to the device, fingerprint access is better compared to doing nothing, which is the option many people currently choose. It’s not a question of perfect security, it’s a question of security that is convenient enough that it actually gets adopted.

Other posts where the question “…compared to what?” arises:
The old Gummi Bear trick
Visa to drop signatures on credit card purchases by 2013
Unisys Poll: 63% of credit card users would prefer fingerprint
German gov downplays biometric ID card hack

Marco Tabini at Macworld seems to agree. Apple’s Touch ID may not be bulletproof, but it’s still useful.

Apple announcement also reinvigorates critics of biometric technologies

Column: Why fingerprints, other biometrics don’t work (USA Today)

The Apple announcement has pushed interest in biometrics to new heights and we couldn’t be happier. It has also given renewed attention to those who are sceptical, or even hostile to the technology. I won’t go so far as to point fingers (rubber, gummi, or otherwise) at the sources for the articles out there because they usually bring up valid points and treat the subjects in which they are interested in a holistic manner. That sometimes gets lost in journalistic translation.

Other times the breakdown happens between reporters and headline writers (see: iPhone 5S: Thieves may mutilate owners in bid to gain access to fingerprint-reading handsets, expert warns).

Concerns about biometric revocability, secrecy, and how accuracy changes with database size are valid. Unsurprisingly people interested in biometrics have been dealing with these issues for as long as biometric technologies have existed. The existence of those challenges, however, does not justify the assertion that “biometrics don’t work.” Subjected to the same standards, no security measure works. ID cards don’t work. Passwords don’t work. House keys don’t work. Police departments don’t work. Security guards don’t work.
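
Of those three concerns, the database-size one is the easiest to put numbers on, so here is an added illustration (my own, not from the USA Today column or from anyone quoted on this page). It assumes a fixed per-comparison false match rate (FMR) and independent comparisons, which is the usual back-of-the-envelope model for a 1:N search: an impostor is wrongly “identified” if any one of the N enrolled templates matches, so the false positive identification rate grows as 1 - (1 - FMR)^N. The FMR of one in a million used below is illustrative, not a figure for any real sensor.

```python
import math


def fpir(fmr: float, gallery_size: int) -> float:
    """False positive identification rate for a 1:N search.

    Model (an assumption, not a measured figure): each of the N enrolled
    templates is compared against the probe independently with the same
    per-comparison false match rate ``fmr``.  The probe is wrongly
    "identified" if ANY comparison fires, so
        FPIR = 1 - (1 - fmr)^N.
    log1p/expm1 keep the arithmetic accurate when fmr is tiny.
    """
    if not 0.0 <= fmr < 1.0 or gallery_size < 0:
        raise ValueError("fmr must be in [0, 1) and gallery_size >= 0")
    return -math.expm1(gallery_size * math.log1p(-fmr))


def max_gallery_size(fmr: float, target_fpir: float) -> int:
    """Largest N for which FPIR stays at or below ``target_fpir``.

    Solves 1 - (1 - fmr)^N <= target for N.
    """
    if not 0.0 < fmr < 1.0 or not 0.0 < target_fpir < 1.0:
        raise ValueError("fmr and target_fpir must be in (0, 1)")
    return int(math.log1p(-target_fpir) / math.log1p(-fmr))


def scaling_table(fmr: float, sizes=(1, 1_000, 100_000, 1_000_000, 10_000_000)):
    """FPIR at each gallery size: a quick look at how accuracy degrades."""
    return [(n, fpir(fmr, n)) for n in sizes]


if __name__ == "__main__":
    # Illustrative FMR only: one false match per million impostor comparisons.
    FMR = 1e-6
    print(f"per-comparison FMR = {FMR:g}")
    for n, rate in scaling_table(FMR):
        print(f"  gallery of {n:>10,d}: FPIR = {rate:.4%}")
    print(f"largest gallery keeping FPIR <= 1%: {max_gallery_size(FMR, 0.01):,d}")
```

The point of the numbers: a sensor that is wrong one time in a million on a single comparison is wrong about 63% of the time when searched against a million-person gallery, and it keeps a 1% false-identification rate only up to a gallery of roughly ten thousand. That is why 1:1 verification (unlocking your own phone against your own template, the TouchID case) and 1:N identification (searching a watch list or a shared fingerprint database) are different engineering problems with different accuracy requirements, and why “biometrics” is too coarse a noun for the “don’t work” verdict.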

ID and security isn’t about perfect. It’s about return on investment, or cost-benefit analysis if you prefer. We’ve covered the subject from various angles over the last few years. The piece linked below is as good a place to start as any for interested readers.

Please see:
Biometrics & ID infrastructure: Perfect is the enemy of good

There’s no going back

Insight: Trigger Finger – Apple fires biometrics into the mainstream (Reuters)

By adding a fingerprint scanner to its newest mobile phone, Apple Inc is offering a tantalizing glimpse of a future where your favorite gadget might become a biometric pass to the workplace, mobile commerce or real-world shopping and events.

Read the whole thing. I think this piece gets things about right.

It’s easy to overestimate and underestimate the importance of what Apple has just done. The fingerprint functionality itself is pretty shallow. The fingerprint sensor allows users to unlock the phone and buy stuff from Apple. That is all. But that also reflects that, of course, Apple wants to get things right “in captivity” before releasing the fingerprint sensor “into the wild.” And further, I think that means that fingerprint sensors on mobile devices are here to stay. Samsung, Microsoft/Nokia, etc. will follow suit.

Japan, U.S. law enforcement to share fingerprint databases online (Japan Today)

Japan and the United States have agreed to provide mutual access to online fingerprint databases to aid criminal investigations.

According to the arrangement, each nation will have instant access to fingerprint data for the purpose of investigating individuals suspected of involvement in terrorism or other serious crimes such as murder, Japanese officials said.

It’s Official: New iPhone really does have a fingerprint reader

Well, the rumors were true. Apple has included a fingerprint sensor in its newest iPhones. It’s hard to escape the conclusion that this is a big deal for mobile biometrics even though the biometric capability in the iPhone is limited to unlocking the device. Still, that’s not nothing and I expect that eventually, app developers will be given access to the reader.

Even if they aren’t, Apple’s addition of a fingerprint sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there; Samsung certainly won’t be left behind as mobile ID surges forward; Microsoft/Nokia + Windows 8 will almost certainly join the fray; moreover, we’d expect all of those companies to have a more laissez faire attitude than Apple toward turning future fingerprint hardware over to third party developers.*

*The preceding paragraph was revised on 24 Sept. 2013; it originally read, “Even if they don’t, Apple’s addition of fingerprint a sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there and Samsung certainly won’t be left behind as mobile ID surges forward.”

Future payments

Biometrics a tipping point for future of payments (Finextra)

Smart folks like Jack Dorsey of Twitter have been talking about and removing friction for the best part of 10-15 years. It’s not a new concept, but in many ways the technology is finally catching up in order for us to make things happen under the bonnet (OK – no more car analogies).

The accepted norm for payment authentication has been some sort of user name and password or PIN. It’s a great place to start to develop future propositions. But this doesn’t make mobile or devices any more secure. No real advantage. And having a contactless card or device that can be used with a bump, tap, pass or wave; doesn’t set minds at ease.

Device manufacturers and electronics manufacturers have an awful lot of skin in the game to set this new standard, alongside the players that manage the market infrastructure. There are a number of developments underway in Biometric security. Things like Facial Recognition, Fingerprint, Ear scanning and Heart Rhythm. Capability that could make payment security into a “subconsciously competent” factor. And of course, this technology could quickly extend into daily life (transport networks, biometric security “keys” to name but two) and come in many forms.

Right now we have to try to identify ourselves to IT networks, including payment networks. That probably won’t always be the case.

More research shows the public is receptive to biometric technologies

Biometric payment methods set to rise in popularity as consumers steer away from mobile devices (ITProPortal)

Recent research from WorldPay revealed that paying for goods and services through fingerprint, palm and iris scanners is the most popular future technology choice for security-conscious shoppers, far outweighing the popularity of emerging mobile technology options like smartphone and SMS payments, and online wallets.

See also:
Unisys Poll: 63% of credit card users would prefer fingerprint (October 14, 2010)
Unisys Security Index Survey Finds High Levels of Support for Biometric Solutions (May 10, 2012)
Australia: More on survey of attitudes toward banking biometrics (October 4, 2012)

Security or Privacy? Yes, please.

Security vs. privacy (Homeland Security Newswire)

Those who ask you to choose security or privacy and those who vote on security or privacy are making false choices. That’s like asking air or water? You need both to live.

Maslow placed safety (of which security is a subset) as second only to food, water, sex, and sleep. As humans we crave safety. As individuals and societies, before we answer the question “security or privacy,” we first have to ask “security from whom or what?” and “privacy from whom and for whom?”

What will it take for iris ID to catch on?

Readying Iris Recognition for Prime Time (Bank Info Security)

Federal researchers have reconfirmed the reliability of the iris as an authentication factor. But we’re at least three years away from using iris scanning as an advanced method of user authentication for IT systems.

What’s holding back iris recognition as an authentication tool to access information on IT systems? Several experts I spoke with this week narrowed the reasons to three: size, cost and culture.

Stay tuned on all three. Size and cost are coming down. Culture is less predictable. Could ROI be a useful proxy? The article gets to this question eventually. Read the whole thing.