Fujitsu and NTT DoCoMo team up for mobile iris biometrics

NTT DoCoMo launches smartphone with iris unlock feature (PC World)

The Fujitsu prototype incorporated a high-speed, high-accuracy iris recognition algorithm developed by California-based Delta ID. Fujitsu said the error rate for the prototype is about one in 100,000.

Available in green, black and white, the Arrows NX F-04G is slated to be released at the end of this month in Japan for around ¥55,000 (US$460). There are no plans to sell it outside Japan.

I somehow missed the first mention of this collaboration in early March.

India UID: Interesting de-duplication and exception stats

Over 9 crore Aadhaar enrolments rejected by UIDAI (Zee News)

Out of 823.3 million enrollments, 97.3 million (Approx. 12%) have been rejected for reasons of either quality or duplication.

This may seem to be high to some, or low to others. In the big picture, there is (or should be!) a cost-benefit analysis at the beginning of the project that gets at the expense of the process vs. the infallibility of the process. On the first pass, it might make sense to get the highest proportion of good enrollments with the most convenient process, then to engage in a more expensive enrollment process applied only to more difficult enrollments.

It’s also important to note that the 97.3 million rejected enrollments contain both duplicate applications, which must be rejected, and other applications where clerical error, fraud, or un-enrollable biometrics are the reason for rejection.

Another interesting statistic in the article is that only about 618,000 UID numbers have been issued under the “Biometric Exception Clause” which allows for creating UID numbers for people whose biometrics cannot be enrolled. That comes out to around 0.07%.

What that means is that (depending on the number of people waiting for a biometric exception) using a data set approaching a billion individuals, at least 99.3% of the population of India is biometrically enrollable within the existing UID enrollment process.

Note: The article uses the Indian numbering units crore and lakh.

1 crore = 10,000,000
1 lakh = 100,000

See also: UID applications without biometrics highly likely fraudulent

Forecast: Key biometrics industries and applications – 2024

Biometrics Market Forecasts (Tractica)

Tractica’s forecasts indicate that key industries in the biometrics market over the next decade are likely to be finance, consumer devices, healthcare, and government, followed by enterprise applications, defense, education, law enforcement, and non-government organizations. Key use cases that are likely to drive biometrics revenue over the next decade include consumer device authentication, mobile banking, automated teller machines (cashpoints), government IT systems, point-of-sale transactions, pharmacy dispensing, and wearable device authentication.

Fingerprints help end 55-year fugitive search

Fingerprint ruse IDs Florida man as longtime Ohio fugitive (MSN)

Authorities in Florida say a ruse to get a man’s fingerprints led to his arrest as a convicted killer who escaped an Ohio prison farm and disappeared for most of six decades.

Brevard County deputies say investigators with the U.S. Marshals Service in Ohio sought help to check out the man while chasing leads about Frank Freshwaters, an Akron man who escaped in 1959. Major Tod Goodyear says they created a ruse to get the man to sign papers, then matched the fingerprints to those from the decades-old arrest.

Biometrics aid in aid delivery

IOM Uses Biometrics to Aid Displaced in Democratic Republic of the Congo (MENAFN)

The lack of identity documents for IDPs in the Eastern DRC poses a challenge in targeting humanitarian assistance. Almost 80 per cent of adults living in sites have no form of identity documents. In response, IOM launched a biometric registration pilot project in eight displacement sites around the city of Goma in June 2014.

Between June 2014 and April 2015 IOM took the fingerprints of nearly 16000 IDPs. In the context of food distributions the collected information is used to ensure that humanitarian aid reaches the most vulnerable and avoids duplication and fraud.

Biometrics are an inexpensive, fast and accurate way of setting up ad hoc ID systems from scratch. Those interested in development and disaster recovery, take note.

US: Federal prosecutors want to use voice biometrics in court

Prosecutors want to use hi-tech evidence in trial to identify voices of terrorists (Daily Mail)

Terrorism prosecutors in Brooklyn want to use sophisticated voice recognition evidence — the same technology used to identify ISIS butcher “Jihad John” — for the first time in a federal trial in the U.S., the Daily News has learned.

The novel part of this is that prosecutors wish to use the technology in a Federal trial.

Voice biometrics have made news in a criminal trial before. This 2012 piece by Jeff Weiner of the Orlando Sentinel describes voice biometrics used by an expert witness in the trial of George Zimmerman.

US GAO: To reduce fraud, Medicare smartcards need biometrics

Smart cards would do little to curtail Medicare fraud: GAO (McKnight’s)

…[K]ey [smartcard] benefits, including the ability to electronically exchange beneficiary medical information and electronically convey beneficiary identity and insurance information to providers, would do little or nothing to deter fraud, experts said.

Adding certain layers of protection to smart cards like biometric information or a picture ID could help to deter fraud, the GAO said.

Note: GAO = Government Accountability Office

SIBA head testifies before congressional committee on border biometrics

Senate Homeland Security Committee calls SIBA’s Kephart to testify (Secure Identity & Biometrics Association (SIBA))

Testimony before the Senate Homeland Security & Governmental Affairs Committee

Tracking the arrival and departure of foreign visitors to the United States is an essential part of immigration control, law enforcement and national security. The need for arrival controls is obvious, but recording departures is also important; without it, there is no way to know definitively whether travelers have left when they were supposed to. Biometric entry/exit and transfer solutions are proven in their feasibility, low cost, added security value, increased efficiencies, travel convenience, and accuracy. Good products are available off the shelf. They are flexible and built, and can be customized, for many environments. The biometric, secure document and identity management industry is well-versed in integration with back-end data systems while building in flexibility for the future. Biometric solutions such as facial recognition, fingerprints and iris scans assure identity when coupled with biographic information found in travel documents. Using only biographic information, however, such as names or passport numbers, provides no assurance that the person departing is the one whose original arrival was recorded.

The quote above is taken from the PDF linked to the article at top. The 29-page document is an excellent resource for those interested in the topic.

Biometrics a factor in World Bank’s optimism on India

While India’s Economy has Turned the Corner, Wider Reforms are Needed to Boost Economic Growth (World Bank)

The report points out that India’s government has begun to implement reforms to unlock the country’s investment potential – to improve the business environment; liberalize FDI; boost both public and private investment in infrastructure; quickly resolve corporate disputes; simplify taxation, and lower corporate taxes. States are set to receive more resources and spending power, and the government has reiterated its resolve to implement the GST by April, 2016, a move that is widely expected to meaningfully increase India’s tax to GDP ratio. New models of delivering benefits through direct transfers to bank accounts, together with the biometric identification of beneficiaries, are expected to reduce leakages.

India: UID milestone

Aadhaar world’s largest biometric ID system (Times of India)

The Aadhaar card has emerged as probably the world’s largest biometric identification programmes in the world with the Unique Identification Authority of India (UIDAI) issuing nearly 82 crore cards.

1 crore = 10,000,000

We haven’t been spending as much time on issues of economic development as we have at other times in the past, but India’s major ID initiatives are creating a lot of opportunities to lift millions out of poverty.

Consent and Trust

Biometric Data Without the Big-Brother Angst (American Banker)

At the end of the day, biometric data is really just another type of personal data that banks hold, access and use with the trust of customers and employees. But obtaining consent should not just be seen as merely a bureaucratic necessity. It is part of a process by which banks can maintain and enhance trust — which only becomes more important in the age of big data and virtual relationships.

Older Android versions had more vulnerabilities

Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.

The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above is not at risk and the security experts are advising people on older models to update as soon as possible.

The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here’s a great example.

A close reading of the article reveals that earlier releases of Google’s version of the Android mobile OS weren’t as secure as they are now. This will come as news to few. The article points out that, “Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.”

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it’s their outfit; it’s their call.

For readers here, instead of “OMG fingerprints[!],” I’d emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past “hacks” of biometric systems have been executed on a playing field that is far more favorable than the real world to the hackers, where all the other layers of the security regime are stripped away from the one security link they want to test. Here’s a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn’t a hack in any real sense — it’s a malware test.

That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn’t encrypted (with a strong key).

So, without more information, it’s hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device’s software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

Looking for cyborg customers, or, I forgot to take my Paypill

Kill all passwords by eating them says PayPal (Techworld)

He says external body methods like fingerprints are “antiquated”, and that internal body functions like heartbeat and vein recognition using embedded and ingestible devices are the future, to allow “natural body identification”. LeBlanc says internal devices could include brain implants, and that ingestible devices could be powered by stomach acid that runs batteries.

Time will tell, I guess, but user acceptance has been a big issue for identity management solutions using biometrics. A bank asking customers to put something in their body in order to access their money would seem to be of another character entirely.

Perhaps the analysis is meant to provide a perspective on what far-distant ID management technologies will look like. Even then, with the exponential growth of the computing power in “externally carried computers” i.e. smartphones, it’s hard to see how gaining a foot or so of proximity distance by moving the token inside the body lowers error rates enough to justify the mess.

The subtext is this, though:

“We know how to identify machines. People are a pain. If we can just turn the people into enough of a machine, all our problems are solved.” In other words, engineering! There’s a problem here, though. If you turn the machines into people, the machines will probably get harder to identify.

At SecurLinx, we’ll keep at it just in case.

US: Social Security Number is an unreliable identity management technology

Should We Kill the Social Security Number? (Huffington Post)

That’s right: Social Security numbers were not intended for identification. They were made to track how much money people made to figure out benefit levels. That’s it. Before 1972, the cards issued by the Social Security Administration even said, “For Social Security purposes. Not for Identification.” The numbers only started being used for identification in the 1960s when the first big computers made that doable. They were first used to identify federal employees in 1961, and then a year later the IRS adopted the method. Banks and other institutions followed suit. And the rest is history.

Author: Adam Levin, Former Director New Jersey Division of Consumer Affairs; Chairman of Credit.com and Identity Theft 911.

There’s a lot of good data in the article about just how much fraud is perpetrated against the IRS, fraud that is at least partly due to over-reliance on the Social Security number for ID purposes.

True cybersecurity requires a conceptual shift

The user knows nothing: Rethinking cybersecurity

This position — that the adversary knows your system as well as you do, if not better, as soon as it is stood up — while extreme, led to the creation of large number factorization, the basis for all modern encryption, from PGP to RSA tokens. Under these encryption schemes, as long as the key is kept private, someone can know everything about how the security system works and still not be able to crack it.

To get to a place of true cybersecurity, another stark innovation in thinking is needed. What is needed is an Inverse Shannon’s Maxim: the user knows nothing.

Coincidentally, our CTO and I were having a conversation along these lines just yesterday. It’s a thrill a minute at SecurLinx!