Security and adoption of online health record access

25% of Patients Did Not Access Data Over Patient Privacy Concerns (Health IT Security)

“Using National Cancer Institute survey data, the study found that 52 percent of US citizens were offered access to an online medical record by a healthcare provider or insurer in 2017, up from 42 percent in 2014. Of those who were offered access, 53 percent viewed their records at least once in the past year.

However, of the individuals offered access to online medical record, one-quarter did not access that information because of privacy/security concerns.”

So, is it fair to imply that up to 25% more patients would access their online health record if they were more confident in the security of their access to it?

Windows 10 and biometrics

Microsoft Announces FIDO Support For Windows 10 (The Verge)

Soon, you may be able to log in to Outlook with a fingerprint or an eyescan. At the Stanford Cybersecurity Summit on Friday, Microsoft announced that Windows 10 would support the next version of the Fast Identification Online (FIDO) spec, allowing devices to work with a wealth of third-party biometric readers and providing an easy framework for any hardware makers that want to build extra security into a laptop or phone.

Biometrics for secure medical records access

NSTIC pilot uses biometrics to bring identity management to seniors (Fierce Government IT)

Members of AARP, a nonprofit group that serves adults 50 years or older, are testing technology to help them better manage their digital identities in a simple, but more secure way using biometrics. It’s just one of 15 federally funded pilots that was recently highlighted by the National Institute of Standards and Technology.

Financial account security and biometric modalities

The 5 Best Ways to Protect Your Financial Data From Crooks (The Street)

“It’s premature to declare fingerprints the winner,” said Gil Mermelstein, a managing director with technology-focused consulting firm West Monroe Partners.

The lowest-hanging fruit would seem to be protecting customer information databases with biometric access control systems. Passwords, however complex, aren’t enough protection against the huge data losses making the news lately.

This article discusses account-level (rather than database level) security and which type of biometric might work best.

Protecting customer data

After Massive Data Breaches, Businesses Move to Make ID More Personal (ABC News)

The cost of a data breach is terrifyingly high. Home Depot estimates that the massive data breach that affected 56 million customers this summer will cost the company several hundred million dollars—and that’s the figure they are using to assuage fears on the Street. The reality is probably much higher. Target’s breach may top out at the $1 billion mark. While the jury hasn’t even been empanelled as to what the JPMorgan breach will cost, it will leave a mark that will no doubt make news down the line.

With so much to lose, the implementation of biometrics-based consumer authentication may be the cheaper option for companies that handle the kinds of information hackers find so irresistible.

We’ve been saying it for years. All databases containing sensitive customer information should be biometrically protected. It’s just good business.

Biometric authentication for cloud storage

Intel’s McAfee brings biometric authentication to cloud storage (Computer World UK)

Intel is introducing new ideas to secure the public cloud, offering a service in which online files can be accessed after users are verified by an authentication scheme including face and voice recognition.

McAfee, a unit of Intel, is adding a product called LiveSafe that will offer 1GB of online storage that can be accessed through biometric authentication. LiveSafe has a Web-based management dashboard, and users can be authenticated through face recognition, voice or by punching in a PIN. LiveSafe also includes antivirus and other security features.

End of the line for online passwords, says PayPal (BBC)

So the industry is looking to ditch passwords, and is turning to a variety of solutions, such as voice recognition, key stroke analysis and finger print identification.

Payments firm PayPal is one of those leading the changes, and president David Marcus says the aim is to make the whole process seamless.

“Like magic, you’ll be authenticated, and the payment will go through,” he tells BBC World Service’s Business Daily.

“We want to move away from passwords, and get to embedded fingerprint scanners on mobile phones

Social media critique with a bleg for some biometrics already

The recent Burger King and Jeep twitter account hacks inspired Charlie Wollborg’s “Having your social media feed hacked is forgivable; being boring is not” at Crain’s Detroit Business.

Of course there’s a biometrics tie-in, but the article is a fun read for those who are interested in social media as well.

The biometrics part:

Can we unleash a few of our most talented geeks on making biometric security apps for the smartphone? Every sci-fi and spy movie in the last 50 years has shown our heroes using fingerprint scanners, retinal scanners and voice print identification. Forget the flying car, just bring me a biometric security app!

We’re working on it!

And then there’s the social media critique.

So yes, Burger King and Jeep had to deal with being hacked, but look at the opportunity! All eyes were on their social media feeds! What did they respond with? More of the same boring, bland content. Reading the last 30 twitter updates for both brands will give Lunesta a run for its money. Overly promotional. Instantly forgettable. Yawn.

Being hacked is forgivable. Being boring is not. A status update should not be a to-do item. Don’t just post to post…

Good advice follows. I’d like to think we…

Coopetition: Biometrics and Passwords

Startup Prepares Alternative to Online, Mobile Banking Passwords (American Banker)

As banks struggle to move past passwords, a Silicon Valley startup is taking a stab at a fingerprint and facial recognition standard backed by some heavy hitters — PayPal and Lenovo among them.

Despite hopeful initiatives, demise of passwords years away (CSO)

Security pros have been saying for years that password protection is not enough. And this week, two groups — one private, one public — announced initiatives to create more secure ways to authenticate identities online.

Several security experts, who would love to see passwords retired, said they will be watching those initiatives with interest, but don’t expect mainstream change for at least the next several years.

Passwords are the ID management security method everyone loves to hate. So why are they still everywhere? Why is their number growing without signs of slowing?

In their paper, A Research Agenda Acknowledging the Persistence of Passwords, Cormac Herley and Paul C. van Oorschot tell us why.

Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats.

The part about them being essentially free requires qualification (which the authors offer), but that’s a pretty impressive list.

So it’s a good thing for us in the biometrics business that biometrics don’t need to supplant the password altogether. For the moment, biometrics can’t compete on cost to root passwords out everywhere. But I’d like to discuss two (there are more) instances where biometrics can and should be used to limit the risks organizations expose themselves to by over-reliance upon passwords.

Databases of customer information should be biometrically protected.
From an organizational point of view, for many, many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users who use passwords will choose poor passwords; some will become victims of phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution. But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database administrator logins would go a long way to lowering the biggest risk of passwords: their wholesale theft. In many ways the admin level is the perfect point to introduce these more rigorous security protocols. There aren’t (or shouldn’t be) too many admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It’s their responsibility to keep the keys of the kingdom. Perhaps most compelling, they’re the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Biometrics can also be used to overcome some of the limitations of passwords in more mundane password use models.
Biometrics can facilitate the use of more complex passwords that change more frequently and hence are more secure. [See the laptop fingerprint sensor (i.e. biometrics to control a password management application).]

In higher value authentications, biometrics can also be used as a way to return the password to the simplicity of the PIN. For example: a fingerprint scan associated with a weak password such as a 4-digit PIN provides far stronger authentication than any password a human could be expected to type*. In other words, biometrics can be combined with rudimentary passwords to bring an end to the “password arms race” where the main coping strategy has been longer, more complex and more frequently changing passwords — i.e. the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used as a way to salvage what makes it great while minimizing the frustrations associated with over-reliance upon it.

*This type of model also has virtues regarding the irrevocability of biometric identifiers, a discussion of which is beyond the scope of this post.

Networked IT ID management in the real world

Passwords are the weak link in IT security (Computerworld)

Password security is the common cold of our technological age, a persistent problem that we can’t seem to solve. The technologies that promised to reduce our dependence on passwords — biometrics, smart cards, key fobs, tokens — have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.

All of which makes password management a nightmare for IT shops. “IT faces competing interests,” says Forrester analyst Eve Maler. “They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts.”

Is there a way out of this scenario? The answer, surprisingly, may be yes.

It goes on from there to cover several different solutions, including biometrics.

Schools should consider biometrics to protect personal information

Schools put pupils’ information at risk (The Telegraph)

Schoolchildren’s addresses, routes to school and even fingerprints are at risk of exploitation because nearly half of schools have no policy for handling pupil data, researchers have found.

If schools are unable to keep data secure, biometric template information is the last thing that should concern parents.

As the article points out, schools also keep academic records, behavioral records, medical records, socio-economic assessments for administering school lunch programs, home address information, counseling notes and a ton of other information that is much more sensitive than a fingerprint template consisting of a string of text characters that cannot be used to learn anything about a student.

Too often, news accounts use biometrics as the ultimate example of private information and the hook on which to hang all sorts of fears the reader is supposed to imagine — i.e. part of the problem — when they are actually part of the solution. Because biometrics are far superior to usernames and passwords for securing personal information, I’d suggest that all electronic access to student information should be controlled biometrically.

Biometrics provide for far more secure information because the biometric sensor hardware itself provides a layer of protection that a keyboard never can provide passwords. In the standard Username/Password regime, the hardware used, the keyboard, offers no additional security. With username/password authentication, a hacker needs only a keyboard to fill in the proper fields and she gains access to the network. If that username/password is a superuser or administrator credential, an organization may see some turnover in the CTO function.

Biometric authentication is a very different animal because with biometrics, the hardware layer does provide extra security. If the hacker steals a biometric or an unencrypted biometric template (a long character string), she can’t just type it in, even if she finds the place in the programming that handles the template. It has to come from the fingerprint sensor. The template resulting from a verification attempt is like a single-use password created during the interaction of a physical object (body part) with a certain known sensor.
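As an added illustration of the contrast drawn above (example code, not from the original post): a password check accepts any typed string that matches, whereas the matcher below only accepts a sample that is bound to a fresh challenge and tagged under a key held by a known sensor, so the same sample is accepted once and a template fed in without the sensor is refused. The HMAC tag, the challenge and the sample dictionary are assumptions standing in for whatever a real sensor and matcher exchange; the enrolled template is a constructed string.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an enrolled template; exact comparison stands in for a matcher.
ENROLLED_TEMPLATE = "T:constructed-template-0001"

def sensor_capture(device_id, device_key, challenge, live_template):
    # The 'known sensor': binds the sample to a fresh challenge and tags it with a
    # key that lives only in the sensor hardware (assumed design, not the article's).
    body = f"{device_id}|{challenge}|{live_template}".encode()
    tag = hmac.new(device_key, body, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "challenge": challenge,
            "template": live_template, "tag": tag}

class Matcher:
    """Server side: knows the enrolled template and the keys of known sensors."""
    def __init__(self, enrolled_template, sensor_keys):
        self.enrolled = enrolled_template
        self.sensor_keys = sensor_keys
        self.outstanding = set()  # challenges issued but not yet used

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, sample):
        # 1. Freshness: the challenge must be outstanding and is consumed here, so the
        #    same sample is never accepted twice (the 'single use' property).
        if sample["challenge"] not in self.outstanding:
            return False
        self.outstanding.discard(sample["challenge"])
        # 2. Origin: the tag must verify under a known sensor's key.
        key = self.sensor_keys.get(sample["device_id"])
        if key is None:
            return False
        body = f"{sample['device_id']}|{sample['challenge']}|{sample['template']}".encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sample["tag"]):
            return False
        # 3. Biometric match (exact comparison stands in for a real matcher).
        return sample["template"] == self.enrolled

def demo():
    key = secrets.token_bytes(32)
    matcher = Matcher(ENROLLED_TEMPLATE, {"sensor-01": key})
    results = {}
    # Keyboard path: a stolen password typed anywhere is indistinguishable from the owner's.
    results["typed_password"] = hmac.compare_digest("hunter2", "hunter2")
    # Live capture on the known sensor against a fresh challenge: accepted.
    sample = sensor_capture("sensor-01", key, matcher.issue_challenge(), ENROLLED_TEMPLATE)
    results["live_capture"] = matcher.verify(sample)
    # The very same sample presented again: rejected, its challenge is spent.
    results["replayed_sample"] = matcher.verify(sample)
    # A stolen template fed to the matcher without the sensor: rejected, no valid tag.
    forged = {"device_id": "sensor-01", "challenge": matcher.issue_challenge(),
              "template": ENROLLED_TEMPLATE, "tag": "00" * 32}
    results["injected_template"] = matcher.verify(forged)
    return results
```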

Patco Construction v People’s United Bank is a Big Deal

Court Rules Bank’s Security Procedures Were Not Commercially Reasonable (Day Pitney LLP)

In an important decision last week, the U.S. Court of Appeals for the First Circuit held, as a matter of law, that People’s United Bank’s online banking security procedures were not commercially reasonable, even though its selected authentication technology fully complied with the Federal Financial Institutions Examination Council (FFIEC) guidelines for Authentication in an Internet Banking Environment.

This case of PATCO CONSTRUCTION COMPANY, INC. v. PEOPLE’S UNITED BANK is a really big deal but a little outside the scope of what we usually deal with around here.

The gist is that with today’s decision, banks have more responsibility to shield their business customers from fraud. That responsibility, however, will entail a cost that will ultimately be borne by customers in higher fees — applied directly to this case, wiring fees. But if the decision stands (not appealed, or upheld on appeal), it means banks will be offering customers more security and charging higher prices, part of which will flow to security providers including biometric ID management providers.

A couple of good blog posts already exist out there to bring interested readers up to speed:

Technology & Marketing Law Blog: Bank ACH Fraud Victims Get Mixed Rulings (Venkat Balasubramani – June 18, 2011). This one covers the first round and mixed decisions in two different but related cases.

Thinking About Security: Decision on Appeal of Patco v. Ocean Bank (Bill Murray – July 11, 2012). This one covers more recent news.

Unlock Your Computer With Your Face

Free trial (30 uses) available at CNET’s download.com

I haven’t tried it, but it looks well thought out and has some cool features. I like the feature where it takes a picture of anyone snooping around the machine.

KeyLemon logs you in to your computer by using your face. More than just a glorified Webcam tool, it regularly checks to make sure that it really is you using the computer. The latest version of the app also comes with a neat Firefox plug-in called LemonFox, for added protection when logging into Facebook, Twitter, and LinkedIn.

Unlock Your Phone With Voice Biometrics

Nuance’s Dragon ID lets you unlock your phone by voice (GigaOM)

While typical phone unlocking programs require tapping in a short code or tracing a pattern on screen, Nuance’s technology uses two layers of security: biometrics, which recognizes your unique “voice imprint,” and a password or pass phrase – which in this case is spoken not typed, said Kenneth Harper, Senior Product Manager, Nuance. Nuance has been selling the technology for years to businesses and governments for use in their own biometric security systems – with 20 million voice prints on file – but this is the first time it’s offering up its technology to consumer phones and tablets.

Pretty cool.

Who Said That? Voice Biometrics for Caller Authentication

That Wasn’t Me (IVR Deconstructed) 

Voice biometrics are numerical models of characteristics (like the sound, pattern, and rhythm) within an individual’s voice, and are represented in a voiceprint of spoken qualities.

The technology often acts as a quick, convenient, and secure method of remotely determining an individual’s identity. So why haven’t more organizations integrated these functionalities into their IVR systems?

Click the link for the answer in a really good and concise post about voice biometrics. I’d also encourage you to check out other content at IVR Deconstructed, especially posts by Lisa, for even more thoughtful material on voice biometrics, privacy and logical access control.

In case you’re wondering, IVR stands for Interactive Voice Response. I have a name for the IVR technology used by call centers: The Robot Lady. You may also know it as the beast that can only be slain by frantically and repeatedly pressing zero.

See also: Voice Biometrics and ID Management in Call Centers

Product Review: Military Grade Fingerprint USB Flash Drive

Imation Defender F200 Biometric Flash Drive Review: Secure but Slow (IDG – Norway)

The Defender F200 is not only stylish, it’s highly capable. The drive has been validated to Level 3 of the FIPS 140-2 government security guideline–a lengthy and expensive process. The device uses hardware AES 256-bit encryption and may be configured to use the biometric scanner, a password, or both for a double layer of security. You may also specify two separate fingers to be used for validation. Excuse the morbidity, but it’s recommended that you use a finger from each hand in case you lose the use of an arm. The F200 Biometric, you see, is designed with the military in mind.