Trusted identity management across the entire enterprise

NIST report, experts say security of IoT, mobile devices must be addressed (Biometric Update)

“Physical, sensing, actuating, computing and other security access control systems — including the spectrum of biometric usage such as biometric access and security systems; door, parking facilities, elevators, communication facilities, and rooms; occupant interface dashboards; and universal control and monitoring systems — are among the issues discussed in the recently released National Institute of Standards and Technology’s (NIST) Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), prepared by the Interagency International Cybersecurity Standardization Working Group.”

Securlinx CEO Barry Hodge noted this morning:

IdentiTrac is the Securlinx flagship identity assurance platform that supports all of our ID management applications and integrates with users’ existing data infrastructure.

The source NIST draft report is available here:
Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (NIST.gov)

Database hacks stoke demand for customer-facing biometrics

As hacking grows, biometric security gains momentum (Bizcommunity)

With hackers seemingly running rampant online and millions of users compromised, efforts for stronger online identity protection – mainly using biometrics – are gaining momentum…

It’s true. The recent hacks have focused attention on biometrics. The spotlight, however, has fallen on consumer-level biometric applications. That’s fine by us, but the recent high profile hacks haven’t been perpetrated by hackers using customer credentials to gain access to systems. That kind of hack is hugely inconvenient for individual users, but it doesn’t make the news.

Most of the big, news-making hacks involve taking huge repositories of data that can be sold wholesale to organized criminals who sell the information on to the retail crooks who perpetrate their fraud using the individual accounts.

We have argued for years that the first, best place to apply biometrics to the problem of large-scale data theft is at the database level.

From an organizational point of view, for many many service providers, allowing customers and users to protect their individual accounts with passwords, exposes the organization as a whole to minimal risk. Some relatively predictable number of users who use passwords will choose poor passwords, some will become victims of phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution. But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database Administrator logins would go a long way to lowering the biggest risk of passwords: their wholesale theft. In many ways the Admin level is the perfect point to introduce these more rigorous security protocols. There aren’t (or shouldn’t be) too many Admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It’s their responsibility to keep the keys of the kingdom. Perhaps most compelling, they’re the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Granted, after a hack, having biometrics there to protect individual accounts should change the retail fraudster’s Return on Investment (ROI) calculations. With biometrics it should be harder for him to turn the user information into money. Still the Benjamin Franklin axiom that “an ounce of prevention is worth a pound of cure” would seem to carry the day here.

Being realistic about passwords

Ping Identity engineer: On second thought, passwords may be okay (FierceEnterpriseCommunications)

In the first part of a new discussion with Paul Madsen, a senior technical architect in Ping’s office of the CTO, I first asked whether Ping truly did intend to resurrect the password as a viable mechanism by way of supporting FIDO 1.0.

Paul Madsen, Senior Technical Architect, Ping Identity: It’s less a resurrection than just trying to be a little bit realistic about what FIDO does, and what it can do. Half of the FIDO specification set–U2F, specifically–pretty much assumes that there are still passwords in the mix. FIDO, arguably more so than killing off passwords, just mitigates some of their worst problems, particularly the risk of bulk compromise of the password database, as we see more and more.

Two things jump right out of this article. The first is the realistic treatment of the fact that passwords aren’t going the way of the dodo any time soon. The second is that passwords that control access to databases of passwords are very different than passwords that control access to an individual account.

The big scores are database hacks.

See also:
FIDO is not the end of passwords (and that’s OK) at the Ping Identity blog. It’s well worth it.

Protecting customer data

After Massive Data Breaches, Businesses Move to Make ID More Personal (ABC News)

The cost of a data breach is terrifyingly high. Home Depot estimates that the massive data breach that affected 56 million customers this summer will cost the company several hundred million dollars—and that’s the figure they are using to assuage fears on the Street. The reality is probably much higher. Target’s breach may top out at the $1 billion mark. While the jury hasn’t even been empanelled as to what the JPMorgan breach will cost, it will leave a mark that will no doubt make news down the line.

With so much to lose, the implementation of biometrics-based consumer authentication may be the cheaper option for companies that handle the kinds of information hackers find so irresistible.

We’ve been saying it for years. All databases containing sensitive customer information should be biometrically protected. It’s just good business.

US: DHS sets sights on new biometric database

At Planet Biometrics…

The US Department of Homeland Security’s Office of Biometric Identity Management will receive US$20 million in extra funding to keep its existing identification system operating while a new database is developed, a senior OBIM official confirmed to Planet Biometrics at the Global Identity Summit in Tampa.

The official confirmed that the new database is required because the 20-year-old system is currently dealing with 300,000 transactions a day (hitting a database of 173 million unique identities) in comparison to 220,000 (hitting a database of 150 million unique identities) a year ago.

US government adding biometrics to terrorism watchlist database

More than 1 million people are listed in U.S. terrorism database (Washington Post)

The documents obtained by The Intercept also indicated that the government, with the assistance of the CIA, is in the midst of a major effort to obtain biometric data on people in the database. The records say analysts have added 730,000 biometric files to the database; some of those files include fingerprints, iris scans and facial photographs.

As of last year, the database contained 860,000 biometric files related to 144,000 people.

There’s a lot of really interesting information at the link.

Kenya seeks biometric citizen register

KENYA: State to register all citizens in digital database

The Government will register all Kenyans in a national digital database as a measure of addressing security challenges and arrest cases of fake identification documents. Deputy President William Ruto said the move will see a consolidation of all current registers of persons and development of a common database, which will bear biometric details of all those registered.

This will help the Government to address security issues and enhance planning. The database will contain biometric details of all persons, land, establishments and assets. The registration will start in three months. The database will capture new births registration.

There are some interesting details in the story and some important details are missing. We’ll just have to wait and see.

EFF sues for FBI response to FOIA request

EFF Sues FBI For Access to Facial-Recognition Records (Electronic Frontier Foundation)

As the FBI is rushing to build a “bigger, faster and better” biometrics database, it’s also dragging its feet in releasing information related to the program’s impact on the American public. In response, the Electronic Frontier Foundation (EFF) today filed a lawsuit to compel the FBI to produce records to satisfy three outstanding Freedom of Information Act requests that EFF submitted one year ago to shine light on the program and its face-recognition components.

Since early 2011, EFF has been closely following the FBI’s work to build out its Next Generation Identification (NGI) biometrics database, which would replace and expand upon the Integrated Automated Fingerprint Identification System (IAFIS). The new program will include multiple biometric identifiers, such as iris scans, palm prints, face-recognition-ready photos, and voice data, and that information will be shared with other agencies at the local, state, federal and international levels. The face recognition component is set to launch in 2014.

The text of the actual suit is also available at the EFF site [pdf] here.

Adam Vrankulj, covering the topic at Biometric Update, recalls that “The Electronic Privacy Information Center (EPIC) filed a FOIA lawsuit against the FBI in April to obtain documents related to the NGI.”

That’s a good catch, and it offers the opportunity to revisit the EPIC suit, assessed at the time here, in: EPIC sues FBI over biometrics FOIA request, where we noted EPIC’s tendency to overshoot the mark where technology is concerned.

The EFF requests are, to summarize, for:
1. Records related to the FBI’s proposed relationship with states to “build out its facial recognition database”
2. The FBI’s plans to combine civil and criminal data
3. Records related to the reliability of facial recognition capabilities

When compared to those of EPIC, the EFF FOIA activities certainly reflect a more moderate approach that would appear to have a higher likelihood of bearing fruit. The EFF seems carefully to avoid asking for information that the FBI can’t provide, and it would appear to be an easier request to comply with than EPIC’s.

UPDATE:
The EFF’s FOIA request/lawsuit has borne fruit.
FBI Plans to Have 52 Million Photos in its NGI Face Recognition Database by Next Year (EFF) Read te whole thing.

Face Recognition above the fold at the Washington Post

In the Sunday edition yesterday, the Washington Post ran a long piece above the fold on facial recognition, photo databases, and law enforcement.

State photo-ID databases become troves for police (Washington Post)

It looks like the issues we have been discussing are finally going mainstream.

UPDATE:
For fashion tips on how to beat facial recognition, check out CV Dazzle.

That’s not good: 300,000 UID enrollments lost in hard drive crash

Maharashtra loses data of 3 lakh UID cards (Times of India)

The Maharashtra government has admitted the loss of personal data of about 3 lakh applicants for Aadhaar card, an error that has forced the inconvenience of reapplication on unwitting victims and sparked concerns over possible misuse of the data.

Containing PAN and biometric information, the data was being uploaded by the state information technology department from Mumbai to the central Bangalore server of the Unique Identification Number Authority of India when it got “lost”. “The information is encrypted when uploaded. While the transmission was in progress, the hard disk with the data crashed. When the data was downloaded in Bangalore, it could not be decrypted,” said an official from the state IT department, which is overseeing the enrolment of citizens for Unique Identification number (UID) or Aadhaar card. The data mostly belonged to applicants from Mumbai.

3 lakh = 300,000
That data loss represents a lot of people’s time and effort. It will be inconvenient, to say the least, to redo 300,000 enrollments and the data loss has caused some to worry about UID data security.

If the Times of India reporting is accurate though, the data isn’t “lost” so much as it is unreadable… by anyone.

Law enforcement interoperability, though little discussed, is a big deal

Tyneside jewellery heist could lead to DNA sharing (Chronicle Live)

A jewellery heist on Tyneside has sparked a review of DNA sharing across Europe that could force police to hand over criminal records to foreign counterparts.

Specialists in Newcastle will spearhead a £1.2m effort to design a database that profiles crimes committed across the continent as part of a controversial EU information sharing treaty.

It comes just 12 months after a convicted murderer and his armed gang from Eastern Europe were convicted of carrying out an armed raid at a Newcastle jewellers.

Led by convicted murderer Marek Viidemann, the ring was linked to at least 150 armed robberies across the UK and Europe before being eventually jailed for a total of more than 30 years.

First, DNA is likely to be a small part of whatever system improvements emerge.  It’s expensive and slow compared to just about any other biometric modality or combination of modalities such as finger, face and iris.

From a management standpoint it seems that if you want to have a free flow of people, you need to have a free flow of law enforcement information. This is easier said than done. It’s often a challenge even when dealing with adjacent counties in the same state in the US much less, as in the European context, two different countries.

The term for this system compatibility and ability to effectively cooperate among departments is interoperability. It is a managerial and technical challenge that is rarely dealt with in popular depictions of how law enforcement works but, especially as the complexity of the law enforcement challenge increases, it is of critical importance.

Often, there are good systems in place for passing information “up the chain of command,” i.e. from street cop all the way up to a state or national information repository, but the information doesn’t always flow as freely back down again in the other direction. For various reasons, the formal links between street-level law enforcement officers in neighboring jurisdictions run up through a centralized authority and then back down again, though there are often informal links that bypass the up-and-back-down information flow model. The implications for efficient multi-jurisdictional law enforcement are clear.

Some of these issues came up a couple of years ago in a post. Usefulness of Biometrics in Law Enforcement: Who is the Customer? The analysis there can be extended from biometrics to all sorts of law enforcement IT systems and it has a great deal of bearing on issues like the ones raised by the Newcastle jewelry heist by international criminals.

Many police professionals put a lot more into databases of all types than they ever get out of them. Through biometric technologies and other integration services, SecurLinx works hard to balance that out a bit for our law enforcement customers.

EPIC sues FBI over biometrics FOIA request

EPIC Sues FBI to Obtain Details of Massive Biometric ID Database (EPIC)
The text of the lawsuit (pdf) is here.

Key bit:

On September 20, 2012, EPIC transmitted, via facsimile, its first FOIA request to the FBI for agency records (“EPIC’s First FOIA Request”).

35. EPIC’s First FOIA Request asked for the following agency records:

a. All contracts between the FBI and Lockheed Martin, IBM, Accenture, BAE Systems Information Technology, Global Science & Technology, Innovative Management & Technology Services, Platinum Solutions, the National Center for State Courts, or other entities concerning the NGI.

36. On September 21, 2012, EPIC transmitted via facsimile another FOIA request to the FBI for agency records (“EPIC’s Second FOIA Request”).

37. EPIC’s Second FOIA Request asked for the following agency records: a. All technical specifications documents and/or statements of work relating to the FBI’s development, implementation, and use of technology related to NGI.

38. In both of its FOIA requests, EPIC asked the FBI to expedite its response to EPIC’s FOIA requests because EPIC is primarily engaged in disseminating information and the requests pertained to a matter about which there was an urgency to inform the public about an actual or alleged federal government activity. EPIC made this request pursuant to 5 U.S.C. §552(a)(6)(E)(v)(II). EPIC based the request on the need for the public to obtain information about the NGI program. EPIC cited extensive news coverage of the NGI program and the fact that aggregating these voluminous biometric data has profound privacy implications for U.S. persons.

39. In both of its FOIA requests, EPIC also requested “News Media” fee status under the Freedom of Information Act, based on its status as a “representative of the news media.”

40. EPIC further requested waiver of all duplication fees because disclosure of the records requested in EPIC’s FOIA requests will contribute significantly to public understanding of the operations and activities of the Government.

Here’s what EPIC wants:

Requested Relief

A. order Defendant to conduct a reasonable search for all responsive records;
B. order Defendant to promptly disclose to plaintiff responsive agency records;
C. order Defendant to recognize Plaintiff’s “news media” fee status for the purpose of EPIC’s FOIA requests, waive all duplication fees, and disclose all responsive agency records without charge;
D. order Defendant to grant Plaintiff’s request for expedited processing;
E. award Plaintiff its costs and reasonable attorneys’ fees incurred in this action pursuant to 5 U.S.C. § 552(a)(4)(E) (2010); and
F. grant such other relief as the Court may deem just and proper.

We’ll see where this goes. Some of the requests — the names of the contracted companies, for instance — seem reasonable. Some of the requests — section 37 in particular — may be a little trickier to comply with. To cite just one reason, it’s not unusual for entities that contract with government bodies to share highly confidential information about intellectual property with their customer with the understanding that it will be kept confidential. So, the FBI probably posses information it is unable to disclose that comes under section 37 of the EPIC request.

This FOIA request and lawsuit, however, is a win-win for EPIC. Send a fax. Get access to all sorts of information or gain attention through a lawsuit.

The FBI is probably indifferent.

It’s worth noting, however, that in the past EPIC has overshot the mark where biometrics are concerned. In EPIC Fail we discussed EPIC’s opinion that facial recognition technology should be banned.

Biometrics reveal improperly issued drivers licenses in New Jersey

Yesterday we concluded the “perfect is the enemy of good” post, with the observation that the merit of biometric ID systems is established when biometrics are used to audit what we termed “Industrial Age” systems.

Right on cue, The Trentonian (Trenton, NJ) reports that:

A new, high tech software has helped authorities identify two city men who fraudulently obtained New Jersey Drivers Licenses, according to the New Jersey Office of the Attorney General (AOG).

Raymond Feeney, 51, and Kirk Bland, 50, have been indicted on charges of using personal information of another to obtain a driver’s license, tampering with public records and forgery. Feeney’s license was suspended on four driving while intoxicated convictions, Bland’s licenses were suspended on two unrelated DUIs.

Any guesses as to what kind of high tech software was used to audit the New Jersey drivers license database, or the scope of the fraud detected (error rate, if you will)?

Many critics of the adoption of biometric identity management technology try to argue that unless biometric techniques are infallible and perfect, then they shouldn’t be used. This line of reasoning ignores the fact that the systems they themselves depend upon for the identity documents that enable their full participation in the modern world are demonstrably fallible.

Is it any wonder, then, that developing countries that don’t already have universal access to DMV’s, birth certificates, social security cards, etc., are not only adopting biometric ID management techniques but that they are deploying them at the front end of their ID infrastructure rather than as a remedial measure?

A peek at the tech requirements for India’s UID project

Why is India’s UID Aadhar a Big Data challenge and opportunity? (Information Week)

Everything about India’s UID project or Aadhar as it is commonly known is ambitious. Giving a unique identity to 1.2 billion residents is a challenging task. No country has done a project of this scale – which is why this project is being watched keenly by everyone – not only in India, but the rest of the world too.

Let’s look at some interesting facts about Aadhar. The scope is to capture 12 billion fingerprints, 1.2 billion photographs, and 2.4 billion iris scans. The file size for each enrollment is approximately 5 Mb. When you summarize this for 1.2 billion people, the file size would be measured in petabytes. This is just the storage part.

De-duplication, also addressed in the article, is the really crazy part, though.

Biometrics to protect customer data

Stolen credentials, basic security lapses at core of 2012 breaches (Search Security)

A common thread could be weaved through the high profile data breaches that took place in 2012. Attackers are targeting basic security lapses and configuration errors or bypassing security systems altogether by using stolen account credentials to appear as a legitimate user on the network.

Any organization that allows access to databases full of customer usernames and passwords without biometric authentication is asking for trouble. First, the number of people who have this sort of access should be limited to as few individuals as possible and those should be the types of people who understand both why the security measures are necessary and how to use them.

UIDAI tightens enrollment requirements

It looks like about 94% of the UID numbers issued without biometrics have had to be cancelled.

UIDAI cancels 3.84 lakh bogus Aadhaar enrolments (CIOL)

The UIDAI has cancelled 3.84 lakh Aadhaar numbers which were reportedly prepared under the biometric clause.

According to biometric clause, the authorised enrolment agencies have been granted the permission to enrol people without taking biometrics like fingerprints and iris scan. But in any case, the enrolment agency must procure photograph and demographic information of the people. As of now, 4.10 lakh Aadhaar numbers have been generated under the biometric exception clause, out of which the UIDAI has directed to scrap 3.84 lakh Aadhaar numbers.

This isn’t too surprising. Last July, the story of UID numbers being issued to plants got quite a bit of attention and it was clear then that changes were coming to the process by which the UIDAI dealt with the private entities that underpin the enrollment function.

With today’s news and the accompanying hard numbers, it seems that there was an audit designed to put some specificity to what everyone knew was a flaw in a system where unscrupulous enrollment agencies could create large volumes of fake enrollments for which they would then be paid.

Now the numbers are in and the scale of the ID fraud possible in the absence of a biometric identifier is known.

The remedies are pretty clear.

Issuing a UID number without biometrics should only be done under very particular circumstances and with a very high degree of oversight.

Firms participating in the enrollment process should face incentives and sanctions based upon their performance. That could mean bonuses for firms with very good performance, penalties for bad data practices, and worse for those actively committing fraud.

The good news is that database technology makes the technical part of figuring out who’s doing what fairly straightforward. The hard part, as always, will be agreeing on the nature of the carrots and sticks to be deployed.

World Record Academy recognizes UAE population register as the largest biometric database in the world.

UAE receives official certification for largest biometric database (Gulf News)

The population register of Emirates Identity Authority (Emirates ID) has more than 103 million digital fingerprints and more than 15 million digital facial recognition records, which includes multiple records of each UAE resident, and digital signatures as of mid-October 2012.

World Record Academy has now recognised it as the largest such database in the world.

The FBI was unavailable for comment.

SRA keeps DOJ biometrics management project

SRA to help DOJ with biometric database system (Washington Technology)

The contract was awarded under the Information Technology Support Services 4 procurement vehicle. SRA will continue managing, operating and maintaining the agency’s Joint Biometric Data Exchange Hosting Environment infrastructure.

Services include system operations, maintenance and help desk support, system development, government furnished equipment inventory/distribution management and system security.

Police to get UK-wide facial search capability

PND: Facial Search Upgrade Being Introduced (Police Oracle)

The chief officer pointed out that the move will allow specialist officers and staff to input the photos of suspects into the database – and check matches across the UK.

Once they are compared to the custody photos logged in the PND a number of matches, each with their own percentage success rate, would flash up.

“Obviously some investigations will still be needed by officers themselves after the matches come through,” said CC Barton, of Durham Constabulary.

The above linked article is very good. I recommend it highly. Then, if you’re still interested in facial recognition, large databases and law enforcement, you might want to check out the two posts below where we discuss how the technology fits into police work.

(Facial Recognition vs Human) & (Facial Recognition + Human)

Canadian border guards want face rec

Biometrics Uncover 825,000 ID Inconsistencies in DHS Database

Fingerprint Records Reveal 825,000 Immigrants With Multiple Names (Mashable)

Many of the situations involved women who legally altered their names. “We found that nearly 400,000 records for women have different last names for the same first name, date of birth and [fingerprint identification number],” he wrote. “These instances are likely women who changed their names after a marriage.”

During the study, auditors examined records covering 1998 through 2011.

Most of the time, US-VISIT personnel try to resolve cases in which people who appear to be one and the same have different information listed in records, the auditors found. The researchers are not specifically targeting scams, Deffer explained. Accidental typos, the fact that various immigration-related agencies use incompatible data formats and other keying mistakes are factors they look for when probing mismatches. During the course of typical procedures, US-VISIT has picked up on only two instances of fraud, agency officials reported to the IG.

The enormity of the conflicting data, however, may obscure actual fraud. “These inconsistencies can make it difficult to distinguish between data entry errors and individuals potentially committing identity fraud,” he wrote.

As they grow and age databases can get really junked-up. Biometrics, in this case fingerprint biometrics, can be extremely helpful in maintaining their integrity. The database involved here is the on maintained by the US Department of Homeland Security US-VISIT program. It contains (wait for it) information, including a fingerprint, on all visitors to the US. The fingerprint has been the linchpin of the audit that discovered 825,000 database errors because it is the only  piece of truly unique and durable, personal information stored.

Before automated fingerprint ID systems (AFIS), combinations of data were used to reduce ID error rates to some reasonable approximation of zero. While names, birth dates, and other descriptors aren’t unique, multiplying them together works pretty well for a while. Working against this system are legal name changes and human typographical errors in data entry which have the database effect of creating a whole new person,  which runs counter to the reasons for keeping such a database in the first place.

See Biometric “Fix” Identity which takes on this issue from the angle of intentional fraud.