Excellent work, this, by Elton and iTNews.
It exposes serious limitations in the state of Electronic Verification today. What are these systems other than fancy black lists? When digital identity data can be stolen so easily (without the victim even being aware of it) how can EV systems provide much assurance?
EV is seemingly locked into the cybercrime arms race, with no end yet in sight. EV tries to stay one step ahead of the bad guys by having slightly more up-to-date or slightly richer stocks of personal information against which to verify identity.
The systemic concern I have is that EV has yet to provide any fundamental resistance to ID theft. Worse, by synthesising new wash lists, some EV services are likely to be adding to the extraneous third party stockpiles of personal information waiting to be raided by organised crime. It seems obvious that we wouldn’t need EV if it wasn’t so easy to take someone’s digital identity data and replay it behind their backs.
01 Mar 2010 19:38
Without a doubt, EV is important. But it needs more work: see http://www.bankingreview.com.au/2010/02/banks-accept-dubai-assassins-stolen-ids.html.
26 Feb 2010 11:00
Are we talking about innovative companies (as per the body of the blog), or innovative technologies (as per the title)?
Arguing the toss over innovative companies is always controversial, and inevitably gets complicated by considerations of objective measures, like sales growth, profitability, product development lifecycles etc. All good stuff.
But with regards to innovative technologies, it's a bit clearer. Surely there are many undisputed technology innovations since the time of the ATM? I'm thinking Internet banking, debit cards, chip-and-PIN, electronic bill presentment, m-commerce, and electronic verification, to name just a few.
26 Feb 2010 02:00
The growth in CNP fraud over the Internet may be driven in part because organised crime have migrated away from Card-Present (signature fraud, skimmed cards, cloned cards). But let's recognise that CNP fraud would have blossomed regardless of EMV, simply because it's soooo easy. 'Hacking' into bank accounts with real time MITM attacks is hard; replaying stolen credit card numbers and CVV2s is child's play, and can be conducted on an industrial scale with tens of millions of stolen accounts available on the black market. So let's not blame EMV. Rather, let's apply the smarts in EMV cards to knock off CNP fraud as well, with one convenient familiar form factor.
15 Feb 2010 21:22
Nick,
Two things.
(1) Regarding the possibility of compromising biometrics, I don't think it's good enough to say that "the likelihood of this happening is slim to none". What if it does happen, what then? No security system is 100% effective; the art of true security demands that we plan for failure, and have a contingency plan.
The likelihood of biometric ID theft always rises markedly once these systems go live. In the lab, False Accepts vs False Rejects can be better managed (mainly through very careful control over enrolment quality). But out in the field, biometrics typically need to be de-tuned to achieve acceptable Fail to Enrol rates and False Reject rates. This in turn makes them easier to spoof. As the FBI points out: "The intentional spoofing or manipulation of biometrics invalidates the zero effort imposter assumption commonly used in performance evaluations. When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different".
(2) I don't agree that Chip and PIN cannot be used for verification in online transactions. The humble CAP reader shows that it can. And I believe that the next wave of card applications will use connected readers in a much more sophisticated mode than CAP, to more or less replicate the ATM/POS experience in the home. Connected smartcard readers are increasingly common in laptops.
On the other hand, voice biometrics aren't a universal online authentication option. I do like them in phone banking for sure, but for all e-commerce I am not so sure. How do they mesh with regular browser based shopping? I don't think it's natural to make an extra phone call to authenticate a credit card payment when shopping (noting that voice verification tends not to work over VOIP).
So it's horses for courses. There won't be a single online authentication mechanism.
09 Feb 2010 18:57
Thanks Nick.
I was being a bit facetious, and as I said, I do reckon that voice is the most promising biometric in banking and finance.
Nevertheless, I expect there to be some resistance to using voice biometrics in public places. If speaking a challenge phrase like your name takes over from entering a PIN (and that's the whole idea!) then people may worry that being overheard (or recorded) will compromise their security. If today they protect their PINs, then tomorrow they may expect to have to protect their voice 'signature' somehow.
So what kinds of standard advice do you find it necessary to give to users about voice authentication? Do you coach people on the need to speak clearly, how to choose a challenge phrase, the effects of a cold, effects of telephone line quality or speaker phones etc.?
Cheers,
Stephen Wilson.
09 Feb 2010 06:02
Dean,
I agree with Ainslie and Joe. To imagine cards disappearing even in 20 years is nonsensical.
You ignored my two substantive criticisms of phone vs card from last week, so I will repeat them:
1. Using a phone in mercantile transactions is not free of extra hardware and transaction overheads as you imply. A phone will not communicate with a terminal by magic. You will either need to go through the network -- and pay -- or you will need to upgrade the terminal with NFC or something. So your criticism of smartcard readers on cost grounds is unjust. In any event, card readers in retail are near ubiquitous already.
2. You cannot use a credential on a phone to authenticate yourself to a human. So all those scenarios where you're using a credential like a driver licence, health card, ID card, seniors card, proof-of-age card, airline club card, etc. etc. still demand a piece of plastic. Humans can trust plastic cards because they have tamper evident features, special printing, holograms, photos etc. that can never be realised -- almost by definition -- on the screen of a phone. What could possibly make the image of my driver licence on a screen trustworthy by inspection? So as I said before, e-credentials on a phone can only ever be used in a machine readable mode. For human readable credentials, you still need a card.
08 Feb 2010 18:31
Dean thinks that smartcard readers are still the smartcard's Achilles heel:
To make a card work you need a reader - who are to have them/pay for them?
I swear I am not making this up. I happened to chat today with a girl who has just received her new government-sponsored school laptop. It was a Dell (e4300 I think). And it has an integrated smartcard reader.
Very cool.
05 Feb 2010 07:21
Sorry for the late comment on an oldish thread ...
Of all biometrics in banking, I do like voice the best, especially when the system allows for varying the challenge phrases, to thwart replay attack.
Yet there's a human dimension that strikes me as problematic. Personal electronic banking in the workplace is commonplace, and so it should be: it's better than having employees standing in queues on company time.
But in open plan offices, how comfortable are people going to be using voice controlled phone banking? Can eavesdroppers pick up enough cues, maybe from listening to multiple sessions, to mimic a customer?
Even if the systems' specificity can stop mimicry, I would expect that customers will feel exposed using voice biometric within ear-shot.
I wonder what sort of advice are banks giving their customers about this? Trust us, the system is impregnable? Or, cup your hand over the handset? ;-)
05 Feb 2010 03:53
I said "I know plenty of profitable customers [who] would object strenuously to being forced by a bank let alone a government into such a scheme". Dean responded
Do they outnumber those who would object strenuously to carrying an ID card?
Yes, they do outnumber ID card opponents. Lots of older people don't embrace any cell phone function beyond making calls. And that includes SMS.
To make a card work you need a reader - who are to have them/pay for them (and the power/reader to make use of them) and the infrastructure to connect them?
Two responses. First, it's not so black and white. A good thing about cards is that they are human readable as well as machine readable. Cards come with well understood, well socialised security mechanisms like optically variable printing, holograms, photos etc. that make them useful in human-mediated transactions even when the infrastructure is down, or a reader is unavailable. You cannot replicate these human-readable features on the display of a phone, because the image is synthetic; it has no inherent copy protection. So credentials carried on your phone are really only machine readable if we're talking about security.
In short, smartcards issued today are useful even without personal readers. We can issue now and wait a while longer for readers.
Second, regarding readers, my money is on ISO-7816 standard smartcards becoming so widespread that we will see readers built into laptops. Yes, I know this has been a long time coming. Ever since 2003 pundits including me have claimed that integrated readers are coming. But remember that it's common to overestimate what will happen in one year but underestimate what will happen in ten. So, in 2013, consider that there will be way over a billion EMV cards worldwide, a billion odd smart ID cards, and 100s of millions of health smartcards.
Built-in smartcard readers are not uncommon today. My three year old HP 6910 has one. Even better, Dell has laptops (e.g. e6500) with both contact and contactless card readers built in. So Dell too is betting on a new wave of applications for their customers' smartcards (probably their FIPS 201 PIV cards in particular; I think the e6500 is US-focused).
Oh, another thing. Smartcards get a bad rap for requiring readers, but it's not like a mobile phone interfaces to any given terminal automatically. You either connect over the mobile operator's network (and pay and pay and pay) or you use one of those cute extra channels, like NFC, or bar codes. These interface standards require their own terminal hardware too, they aren't ubiquitous, and they're a lot less mature than ISO 7816 or 14443.
... another thing which could be empowered/secured by mobile voting and few would object to that. ... Stephen would have us carry yet another card - our 'voter registration card'? Spare me (especially from attending the ballot box).
Not necessarily a new card. I do advocate using chips in one form or another to protect anonymous ballots. In fact I presented a peer reviewed academic paper on this very topic at the AusCERT conference in 2008.
Having claimed that you can secure online voting, perhaps, Dean, the time has come for you to explain how it works? If you claim it's more tamper resistant and more confidential than marking a ballot paper, then let's see how. For me, any mention of mobile phone plus voting implies centralised authentication, so you have an architectural privacy challenge up front.
Stephen - as for your first and last paragraphs. Assumptions are just that - and often misguided
Well, I'm sorry, but all we have to go on is several years of your ambit claims. So yes, I made assumptions. If you refuse to tell us how it works, but persist in claiming it will revolutionise banking, government, healthcare, voting, and even how your mum greets the plumber at the door, then "misguided" does describe the state that all of us are in.
04 Feb 2010 03:57