Securlinx Enters into Strategic Partnership with REMTCS

Through the partnership, Securlinx and REMTCS will join forces to solve critical security challenges for companies. Securlinx will provide a “whitelist” and enterprise-wide authentication of trusted users outside the customer’s firewall, while REMTCS will provide superior protection against threats inside the firewall by killing viruses and “blacklisting” sites circulating malware. Both companies will also help protect clients against ransomware attacks. The software offerings of both companies are fully integrated to work in conjunction with each other.

Read our entire press release here.

The healthcare Internet of Things: Promise and Risks

Exposed Devices and Supply Chain Attacks: Overlooked Risks in Healthcare Networks (Trend Micro)

“We discovered exposed medical systems — including those that store medical-related images, healthcare software interfaces, and even misconfigured hospital networks — which should not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices and systems can potentially be used by cybercriminals and other threat actors to penetrate into organizations, steal data, run botnets, install ransomware, and so on. Furthermore, it shows that a massive amount of sensitive information is publicly available when it shouldn’t be.”

The article linked above and the companion Trend Micro blog post, along with the entire 61-page PDF report (available here), do a really good job of covering the range of threats confronting healthcare networks today.

The internet of things (IoT) offers so much of benefit — remote monitoring, diagnosis, collaboration, home healthcare, devices, etc. — to healthcare providers and patients that it is inconceivable that it will be abandoned. There are, however, significant privacy and health outcome risks associated with putting practically every software application, sensor, device and record within reach of the internet.

How large healthcare providers harness the IoT for better care delivery while minimizing the associated risks will go a long way toward sorting out the winners and losers in the business of healthcare.

Cyber security, identity assurance, and training are of critical importance if the promise of the healthcare IoT is to be kept for healthcare providers and patients alike.

US Government online fingerprint ID system to be tested in Michigan & Pennsylvania

Government to Test ‘Identity Ecosystem’ in Two States (The Blaze)

The first round of tests is aimed at finding an efficient and secure two-step verification for accessing public programs, like government assistance. The White House believes this ID system will reduce fraud and overhead by eliminating duplicated ID efforts across multiple agencies.

The Blaze article is quite negative on the whole project but it contains a lot of links to other sources of information. It’s worth a read.

A closer look at the Fast Identity Online Alliance

If you haven’t heard of FIDO yet, you should really click through to the entire article.

Password-free authentication: Figuring out FIDO (Search Security)

Online authentication mechanisms have grown increasingly difficult for IT security teams as employees and customers expect to access online services and e-commerce sites from a myriad of devices. With password fatigue reaching new heights, many security professionals want stronger authentication methods that eliminate the complexities and risks associated with the integration of online credentials and identity management.

By now, most security professionals have heard about the Fast Identity Online (FIDO) Alliance, a non-profit founded in July 2012 and publicly announced in February 2013. The industry group is championing better multifactor authentication and open standards to promote interoperability of next-generation authentication technologies.

New Zealand Post office to offer ID assurance services

New Zealand Post online ID system backed by lawmakers (Post & Parcel)

New Zealand has adopted legislation granting the powers for a new national online identity verification service run by the government jointly with New Zealand Post.

The Electronic Identity Verification Act was passed by the nation’s Parliament last week, allowing private sector organisations to access the RealMe ID verification service.

The service launches in 2013 to verify people that use certain services over the Internet are who they claim to be.

NZ Post is set to get even more involved in ID services (see last year’s New Zealand ID Management: New Possibilities).

Around the world, enterprising postal services — which have seen their traditional business model of moving paper around steadily eroded — have been changing, adding more explicit identity management services. I say “more explicit” because I believe it can be argued that the primary function of the postal service has always been identity management; the paper part was just ancillary to the ID part.

This post, The Post Office, Identity Assurance & Biometrics, expands on the theme.


More on the UK’s new Identity Assurance Approach

Identity, Privacy and Trust: How I learned to stop worrying and love identity assurance (Computer Weekly)

The past week has seen a surge in media coverage of the government’s new Identity Assurance (IDA) programme, as the Department for Work & Pensions prepares to announce the first group of Identity Providers (IDPs) to be awarded services under their procurement framework. Those who know me will be aware that I played a minor role in trying to persuade the last government to change its plans for ID Cards, and that I became known as an opponent to that scheme; but for the past two years I’ve been engaged by the Post Office to support the shaping activities around the development of the Identity Assurance programme.

So what persuaded me that IDA is a good idea?

Read the whole thing.

Can biometric authentication be successful in banking?

Biometrics and the Banking Business (finextra)

Socio-technological challenges pose the biggest barrier to adoption of biometric technology by banks. Banks also need to consider the local culture and level of literacy in the target region. For example, they might like to use fingerprint authentication in lieu of signature at branches located in areas with low literacy. But they might prefer to use iris recognition in other regions.

Every paragraph contains an interesting idea exploring how banks should view the desirability of implementing customer-facing biometrics.

Biometrics and the Future of Payments

One of these two articles talks about payments to the individual from a source of income, the other talks about payments from an individual to a retail establishment — in this case a convenience store. The organizations on both sides of the individual envision adopting biometric identity management techniques as a growing part of payment authentication.

MasterCard notes growing trend in Govt Adoption of Electronic Payments (IndiaInfoline)

“By supporting governments around the world with electronic payment programs we are helping save money and improve efficiencies, but more importantly, together we are opening up a world of inclusion for those who have previously not had access to traditional financial services,” said Tim Murphy, Chief Products Officer of MasterCard Worldwide.

SASSA recipients are now able to use debit cards, issued by Net1 and Grindrod Bank, to pay for goods and to check their account balances free of charge. A key feature of the card is biometric functionality used to identify grant recipients using unique identifiers such as fingerprints, facial and voice recognition to prevent stolen card usage. The new system is already dramatically reducing SASSA’s operating costs and is expected to save the government more than ZAR3 billion (USD 360 million) over the next five years.

Next-Generation Tech Gains Traction (Convenience Store News)

Payment Systems & Automation
In-store payment systems for the majority of c-store chains include credit and debit (96 percent), prepaid/stored value card (48.4 percent) and electronic benefits transfer (42.2 percent). Less popular are electronic check verification, used by 32.8 percent of chains and continuing to decrease in popularity every year, and radio frequency identification (RFID) or contactless cards, adopted by 17.2 percent. Also, only 3.1 percent report using self-checkout and just 1.6 percent say they have biometric payment technology.

However, when asked what technology c-store retailers plan to implement in the next one to three years, RFID/contactless tops the list, with 12.5 percent contemplating the technology, followed by self-checkout (10.9 percent) and biometric payment (10.9 percent).

I highly recommend the Convenience Store News article. It’s full of charts and tables and it really gives the reader an appreciation for the complexity and efficiency required in that market. In order to be convenient, the stores have to be small; all other decisions flow from there.

National Strategy for Trusted Identities in Cyberspace (NSTIC) Background and Progress Report

ID management: A matter of trust (Federal Computer Week)

In April 2011, the Obama administration launched a plan called the National Strategy for Trusted Identities in Cyberspace (NSTIC) to encourage the private sector to develop, with federal support and input, online ID and authentication systems that people could use and government agencies, other organizations and commercial players could accept without each needing to create their own vetting systems.

At this point, NSTIC supporters are making headway, though perhaps not in a headline-grabbing way. Earlier this month, the Identity Ecosystem Steering Group, a federally supported committee led by the private sector that will guide creation of NSTIC-style systems, met for the first time in Chicago to hash out plans for addressing privacy, standards, usability, contracts and other key components.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is being run by the National Institute of Standards and Technology (NIST) to encourage the development and adoption of standards for ID management. The recent Apple-Amazon hack points to why this is important.

In an environment where everyone has to create their own ID management system, it is inevitable that organizations will create exploitable gaps in the way they emphasize the importance of information. In this case, Amazon (like many other companies, just check your restaurant receipt) treated the last four numbers of a credit card as non-secure information, while Apple used the same information for logical access control.

Initiatives like NSTIC hope to help companies and government agencies work through ways to make this kind of thing less likely.

Using the Body as a Unique Link Between Gadgets

Using the human body as a unique link between gadgets will not lead to novel biometric modalities.

Recently, a couple of different groups have created prototypes that use the human body as a link between two gadgets, one mobile and the other stationary. The first used an acoustic signal transmitted from a smartphone through the user’s body to a doorknob to unlock the door. The second used electrical signals to transmit an MP3 file through the user’s body to a speaker system. That’s pretty cool.

In their most basic use cases (using the body as a wire), these innovations accomplish little that couldn’t be accomplished with a USB cable. But if these technologies come to incorporate a biometrics and ID management element, they could kick-start a revolution in mobile computing and ID management.

It’s not hard to see how future iterations of similar systems might use biometric modalities already in use — such as integrating a fingerprint reader with the conduction sensor for authenticating a data link — but both sets of innovators have something more profound in mind: using the electrical/acoustic properties of the body itself as an identifier.

The company is looking at different applications. Bhikshesvaran said the company was exploring the notion that it could end up being a new biometric footprint, since bodies all possess a unique energy signature. The company hasn’t quite figured that one out yet.

and

Amento and his colleagues think they can add another layer of security to the smartphone key, too — one that’s based on the unique properties of people’s skeletons. Because of differences in bone lengths and density, people’s skeletons should carry vibrations differently, they think.

My guess is that the fingerprint verification at one end of the link will be relatively straightforward, provide strong authentication and will work well enough to render the development of the new conduction/acoustic modalities impractical even over the very long term.

This is because in order to displace the well-understood modality of fingerprints and in order to make developing them worthwhile, the novel approaches will have to prove themselves to offer advantages far in excess of fingerprints (in order to justify the R&D outlay) and I don’t see this happening.

Q: Are the electronic and acoustic properties of individuals stable?
A: Compared to fingerprints, I doubt it. Changing the chemistry or mass of a body will lead to minute changes in its electric or acoustic properties. Drinking a sports drink will change electrolyte levels and cause a tiny change in electric properties. Visiting a buffet, wearing a heavy backpack or changing shoes will change the acoustic properties of a person at least a little.

Q: Are the electronic and acoustic properties of individuals unique?
A: Compared to fingerprints, I doubt it. Fingerprints can be as funky as they want to be without killing anyone; not so with the chemistry behind conductivity or the skeletal structure of a person.

Q: How easy is it to measure the properties involved?
A: Conductive and acoustic properties may be unique enough for a team of doctors with infinite resources and lots of time to make a positive ID but not unique enough to enable a very fast, cheap and confident identification.

But the biggest reason these novel approaches are extremely unlikely to be adopted in the competitive marketplace is that the very nature of the technology (skin on hardware) lends itself perfectly to the cheap, well-understood and reliable fingerprint tech. No other modality, actual or theoretical, stands to recommend itself more highly than finger/hand-based biometrics, and no profit-seeking organization will likely devote the resources necessary to establish the reliability of conduction/acoustic biometrics that will at best only ever be equal to fingerprints.

The more novel approaches will probably only ever be used as a method of weak authentication such as liveness testing so as to thwart the old rubber finger trick.