Target hack investigation looks at vendor ID credentials

Target: Cybercrooks used stolen vendor ID to hack into system (Star Tribune)

Target Corp. said Wednesday that the huge data breach it suffered late last year happened after an intruder stole a vendor’s credentials and used them to gain access to the company’s computer system.

A Target spokeswoman wouldn’t identify the vendor or type of credentials because the retailer is in the midst of forensic and criminal investigations into the malware attack, where cybercrooks hijacked debit and credit card information from up to 110 million people.

Research points to growth in government biometrics market and future M&A

Govt biometrics market to hit US$6.9bn (Security Document World)

SDI says: “Government identity and border control initiatives, increasing concerns about data security, and an increase in rebel groups and terrorism are expected to boost the demand for biometric identity and security systems over the coming years. As this sector gains prominence, it is expected that large competitors will try to generate competence by acquiring medium and small sized niche firms which will fill the gaps in their products or services portfolio.”

Malaysia and biometric ID for foreigners

Biometric identity cards for foreigners studying in Malaysia? (The Star)

“Several countries, namely Saudi Arab, Yemen and several Middle East countries have indicated interest in adopting such a card for their students students here,” he added.

Based on ministry’s records, there were some 80,000 international students in the country last year. The aim is to attract 200,000 foreign students by 2020.

In a related issue, Ahmad Zahid said that a pilot project is currently underway to implement the biometric identity card for the 2.116mil foreign workers in the country by the end of next year.

Future payments

Biometrics a tipping point for future of payments (Finextra)

Smart folks like Jack Dorsey of Twitter have been talking about and removing friction for the best part of 10-15 years. It’s not a new concept, but in many ways the technology is finally catching up in order for us to make things happen under the bonnet (OK – no more car analogies).

The accepted norm for payment authentication has been some sort of user name and password or PIN. It’s a great place to start to develop future propositions. But this doesn’t make mobile or devices any more secure. No real advantage. And having a contactless card or device that can be used with a bump, tap, pass or wave; doesn’t set minds at ease.

Device manufacturers and electronics manufacturers have an awful lot of skin in the game to set this new standard, alongside the players that manage the market infrastructure. There are a number of developments underway in Biometric security. Things like Facial Recognition, Fingerprint, Ear scanning and Heart Rhythm. Capability that could make payment security into a “subconsciously competent” factor. And of course, this technology could quickly extend into daily life (transport networks, biometric security “keys” to name but two) and come in many forms.

Right now we have to try to identify ourselves to IT networks, including payment networks. That probably won’t always be the case.

Policy must precede technology

Some Ugandans may miss identity cards (New Vision)

In Mengo and Kisenyi suburbs, many non-indigenous Ugandans yesterday expressed disappointment when officials at the distribution centres demanded proof showing that they were registered Ugandans.

This group included Salim Uhuru, the NRM chairman of Kampala district and councillor of Kisenyi, who has since described the development as discrimination.

“When I reached the distribution table, I was told that I was not supposed to get the identity card. My name and photograph were in the register, but were marked ‘non-citizen’. I also noticed that this was the same case with every other person who was light skinned. This smells of discrimination of fellow countrymen on grounds of their skin colour,” he said.

The title of this post is a variation on the theme that technology is no substitute for managerial skill and wise policies (see here for similar thoughts). It looks like Uganda has some work to do in its ID management infrastructure as it seems that in important parts of the bureaucracy, no one is quite sure what a Ugandan is.

See also:
Poor ID Management Infrastructure Prevents Uganda Little League Baseball Team from World Series Participation

It’s obvious that Uganda has more than a fair helping of ID management challenges. The good news is that it has never been easier to overcome technical challenges. The bad news is that technology can’t force a consensus on who should get an ID.

Uganda rolling out updated ID

National identity card issuance starts today (New Vision)

In the program the director citizenship and immigration control Wanzira explained that members of the public, who will come in to receive the IDs, will be verified to ensure that the real owners only receive the IDs.

“This is so, to ensure that the real owners behind the pictures and biometric data are the ones who end up receiving their national IDs,” stated Wanzira.

Israel makes another run at biometric ID

Israel is having a go at a biometrically enabled ID document system. Participation is voluntary, for now. It’s also worth noting that this isn’t the first time biometrics have come up in a discussion of Israeli ID, but at least this time the biometrics part belongs there.

Sa’ar: No reason to panic over biometric database (Ynetnews)

After countless discussions, delays, objections, Israel launches database enabling smart identity cards. Interior minister says system meets ‘highest standards of data protection preventing identity theft.’ Labor’s Yachimovich: Experiment on humans

Wow, that is some strong talk from Shelly Yachimovich. See also…

Yachimovich Opposes Biometric Database (Arutz Sheva)

Long-delayed biometric database pilot program gets underway (The Times of Israel)

Residents of the central Israeli town of Rishon Lezion were invited to trade in their current Israeli identity cards for a new “smart card” that will digitally encode not only their personal information, but also their fingerprints, photo, and facial profile (the contours and other details of the face). The government will study the results of the voluntary pilot program, searching out glitches and problems in the system before it becomes mandatory — according to plans, in two years.

Pilot begins for Israel’s National Biometric Database program (+972)

The government claimed that the database is needed in order to prevent the forging of Israeli ID cards and passports. However, critics point to the fact that the government could issue “Smart IDs,” which themselves store biometric data, without keeping the personal records in one national database.

Europeans, especially the French, are open minded about biometrics

Majority of Europeans support biometrics for ID cards or passports (Biometrics Update)

Specifically, 81 percent of French citizens favour the application of biometrics for ID documents, compared to 74 percent of Danish respondents and 68 percent of the survey’s British respondents. Across Europe, 69 percent were also in favour of using biometrics as a form of access control for secure areas. In this case, the French respondents proved again to be the most supportive, with 77 percent, followed by the Danes at 75 percent and the Brits at 69 percent.

More survey results including private sector biometrics at the link. The French people surveyed seem to be way more positive on biometrics than their government.

UPDATE:
See also: French shoppers give new payment method the thumbs up.

Soon, your body will be the only password you need (DVice)

Tiny little computers and sensors are in development all across the globe. And while their development is primarily geared toward a better understanding of our health, there’s another emerging application for their use — biometric security, where your voice and skin and eyeballs are more secure than any password could ever be.

On the one hand, this can sound crazy and too fictitious to be true, especially since it’s been a staple for just about every single sci-fi movie and TV show ever. On the other, we’ve basically already accepted the use of our bodies as sources of information and security.

After long hiatus, Israel biometric ID pilot set to begin

Israel’s biometric database to begin operating in two weeks (Haaretz)

Israel’s pilot biometric database will begin operations in two weeks, Deputy Interior Minister Fania Kirshenbaum announced Monday.

The database was supposed to have started working in November 2011, but its commencement was delayed due to longer-than-expected legislative proceedings, an appeal to the High Court of Justice by the Association for Civil Rights in Israel (which was turned down) and a labor dispute between the Population and Immigration Authority and the Finance Ministry. This dispute was resolved two weeks ago, removing the last obstacle for implementation of the project.

Some people really love stovepipes…

…otherwise there wouldn’t be so many.

Congress demands progress on advanced ID cards  (FCW)

“We’ve spent billions and we have nothing to show for it,” said Rep. John Mica (R-Fla.) at a June 19 hearing addressing lagging implementation of fingerprint and iris recognition technology. Mica, who chairs the House Oversight and Government Reform Committee’s Subcommittee on Government Operations, noted various examples of flawed federal biometric ID efforts, including the Transportation Workers Identification Credential, or TWIC card, and the Federal Aviation Administration’s new pilot’s license — which does not include a photo of the licensee.

“It’s mind boggling that we have nothing close to meeting with the intent of the 2004 law,” said Mica. “Is there any sense of urgency here?” asked Rep. Gerry Connolly (D-Va.), the subcommittee’s ranking minority member.

Witnesses included managers from the National Institute of Standards and Technology, FAA, Customs and Border Protection and the State Department.

It’s stunning that pilots licenses still don’t have photographs on them. Lots of good information awaits those who click the link.

Patient ID in the United States

Identifying Solutions to Patient ID (HealthLeaders)

Patient identification is a fundamental building block of the emerging accountable care organization trend, according to Bill Spooner, CIO of Sharp HealthCare, which operates four acute care and three specialty care hospitals with an approximate total of 2,000 licensed beds in the San Diego region.

“The important thing is to be able to get accurately identified patients into your database and to be able to link them out to your transaction systems so everybody knows who they are so you can effectively engage in care management,” Spooner says.

The United States in particular faces a hurdle that other developed countries do not: By law, the U.S. Department of Health and Human Services is prohibited from establishing a national patient identifier.

Providers are coping in several ways. Technology exists to flag suspected duplicate identities with varying degrees of certainty. Some are turning to technology offered by suppliers of their electronic health records.

Other providers are relying upon technology that has been employed by payers for years. And for those systems that can make the technological jump, patients are now being positively identified during every visit using smart cards with photo IDs attached, or even by biometric means, such as fingerprint, palm, or retinal scans. [ed. The revolution will not be retinal scans; bold emphasis mine]

Bottom line:
“If you can’t uniquely identify your patients within whatever data you’re analyzing, you’re going to misread and therefore make executive decisions that are not spot-on,[a]nd you make some big strategic mistakes because of that.”

The lengthy piece is very much worth a longer look.

Perspecitves on ID in earlier- vs. later-developing countries

The Government and the UK’s National Technical Authority on Information Assurance (CESG) have published new guidance on ‘identity proofing’ and verification. (Pinsent Masons)

“Within the UK there is no official or statutory attribute or set of attributes that are used to uniquely identify individuals across Government,” the joint Cabinet Office and CESG guidance document said. “Neither is there a single official or statutory issued document whose primary purpose is that of identifying an individual. Without such attributes or documentation it is difficult for any person to be absolutely certain of the identity of another.”

“This guide is designed to demonstrate how a combination of the breadth of evidence provided, the strength of the evidence itself, the validation and verification processes conducted and a history of activity can provide various levels of assurance around the legitimacy of an identity,” it said.

The whole piece is interesting.

The first quoted sentence above really jumps out, though.

The early industrializers/bureaucratizers typically developed their ID schemes in an ad hoc fashion. The church kept its records for its purposes. The military kept its records for its purposes. Schools, for theirs. Service providers, etc. The system generally works. In the end, error rates and whether or not the costs of the ID errors exceed what it would cost to fix them rule the day. Political and financial considerations factor in.

It is precisely this patchwork ID environment that later-developing countries are choosing to leap-frog with more centralized (United Arab Emirates) or ecosystem (India) approaches involving biometrics. Outside observers from the earlier developing countries are often surprised that their political perspective on government-backed ID isn’t universally shared while observers in later-developing countries may be equally surprised that the most developed countries in the world have such patchwork ID systems.

Computerworld honors Aadhaar

Computerworld Honors 2013: ID program empowers citizens in India (Computerworld)

An estimated 400 million Indians cannot prove their identity. As a result, they’re shut out of countless opportunities. They cannot access educational programs, open a bank account, apply for welfare benefits or seek higher-level employment. Lack of identification is also problematic for the government, because as much as 40% of the $40 billion it directs yearly toward helping these individuals doesn’t reach the intended beneficiaries.

Aadhaar is more than a technology program that collects biometric data from residents. It is a transformative initiative that will allow all Indian residents the opportunity to participate more fully in society.

The Computerworld Honors Program, now in its 25th year, recognizes organizations that use information technology to promote and advance the public welfare, benefit society and business, and change the world for the better. This year’s 267 Laureates are that rare group with the ability to recognize problems and the courage to take bold steps to solve them. They are an inspiring reminder that great things can happen when determined people explore technology’s full potential.

UNICEF awareness campaign for universal ID in Paraguay

In what has come to be known as the “No Name Match,” UNICEF brilliantly harnessed the power of the Paraguay-Uruguay World Cup qualification match to drive the issue of universal ID for Paraguayans to the front of people’s minds before recent elections.

The two-minute video below is really good.

 

Without universal legitimate ID, it’s harder to make a lot of other things work that most of us take for granted. Universal vaccination against preventable disease, compulsory primary education, effective social safety nets — all of these things get a lot easier if everyone can prove their unique identity.