Kraken Feeds on your Phone Calls
Smart Card & Identity News, July 2010, Volume 19, Number 7
Smart Cards, SIM, Payment, Biometrics, NFC and RFID
www.smartcard.co.uk

In this issue:
• Kraken Feeds on your Phone Calls
• Identity-based Convergence for Stronger Security
• Banking on a Simpler Approach to Authentication
• Verayo develops the world’s first ‘unclonable’ RFID chip
• Biometrics – It’s not what you know, it’s who you are!

Karsten Nohl and other members of the Chaos Computer Club are set to bring mobile phone tapping within reach of the home computer user. Karsten and his team have already brought an early death to NXP’s Mifare Classic smart card, used in many transport ticketing systems such as London Underground’s Oyster card system, by reverse engineering its proprietary Crypto-1 cryptographic algorithm. Karsten’s latest project, the A5/1 Security Project, announced the release of ‘Kraken’ on the 16th of July. Kraken is a software toolkit that uses new encryption-cracking tables to break the cipher used to secure mobile phone communication. Kraken has the potential to decipher a phone call in a matter of seconds. The Kraken software has been designed to run on inexpensive desktop computer equipment, which brings phone snooping within the reach of the home computer geek.
©2009 Smart Card News Ltd., Worthing, England. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, optical, recording or otherwise, without the prior permission of the publishers.

Smart Card & Identity News is published monthly by Smart Card News Ltd.
Head Office: Smart Card Group, Suite 3, Anchor Springs, Duke Street, Littlehampton, BN17 6BP
Telephone: +44 (0) 1903 734677
Fax: +44 (0) 1903 734318
Website: www.smartcard.co.uk
Email: info@smartcard.co.uk

Editorial
Managing Director – Patsy Everett
Technical Advisor – Dr David Everett
Production Team – John Owen, Lesley Dann, Suparna Sen
Contributors to this Issue – David Ella, Stephen Howes, Suparna Sen, Tom Tainton, Peter Tomlinson, Neil Fisher
Photographic Images – Nejron Dreamstime.com
Printers – Hastings Printing Company Limited, UK
ISSN – 1755-1021

Disclaimer
Smart Card News Ltd shall not be liable for inaccuracies in its published text. We would like to make it clear that views expressed in the articles are those of the individual authors and in no way reflect our views on a particular issue. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means – including photocopying – without prior written permission from Smart Card News Ltd. © Smart Card News Ltd

Our Comments
By Patsy Everett

Dear Subscribers,

I couldn’t help but chuckle reading in the paper today about the unemployed lorry driver who sold the Ritz hotel in London for £250 million when it’s worth two or three times that price. He was so successful that he even managed to get £1 million popped into his bank account before the fraud was discovered. Remember the old saying that if it sounds too good to be true it probably isn’t so good!
You can’t help wondering about the people who are duped by such offers; are they not perhaps just as dishonest as the fraudster in thinking they can make a quick buck to somebody’s disadvantage? So how does this work in the antiques trade? If I pop into a shop with an old plate from mother’s collection and get offered £300, only to hear later that it was worth £100,000, who is wrong? Is an antique dealer obliged to pay the potential market value, for which of course he is at risk? He might have made a mistake, or an expert further down the road might throw it out as a copy. How would you mark his reputation? Arguably you could say he is paying you what it is worth to him at that moment in time; is he obliged to tell you it might be worth £100K? And what happens if you are an expert and see some artefact in a shop marked up for $50 that you know is worth $50,000; should you tell the shopkeeper about his error? Perhaps I’ll cause an uproar here, but it seems to me that many antique collectors are out to discover just such an opportunity.

So down to basics: what happens if you get given a £1 coin that you subsequently discover is a counterfeit? We have been hearing this month that 1 in 36 £1 coins in circulation are counterfeit. Now I’m sure you all know that as soon as a coin accepted in good faith is found to be counterfeit, it is immediately rendered worthless. Attempting to pass it on is an offence. I’m sure we all hand our counterfeit coins in to the bank so that they are taken out of circulation. I still remember as a youngster getting foreign coins in change and not being too excited about it when discovered. Not me of course, but some of my friends developed an art for passing them on undetected to the next person. Now I’m not setting out to cause any unnecessary guilt complexes but only want to raise some fundamental issues of today’s society, and it’s all about reputation and trust, which are closely related.
So in our previous scenarios, do we trust antique dealers, and what is their average reputation? Of course they are going to differ, but how can I tell the reputation of a particular individual? Now imagine the same antique dealer going to his bank for a loan; can the bank trust him (or her)? The bases of trust and reputation are really quite different: you could be very good at spotting a bargain, making large profits, but particularly bad at repaying loans. So the bank is only interested in your reputation in that one area, and that’s not straightforward because your reputation can change overnight; an unforeseen event perhaps (maybe somebody has defrauded you) and you can no longer pay your bills.

You may be wondering where all this is leading. Well, dear subscribers, let’s enter the wild, wild West, or to put it another way, the internet. Here the system of reputation and trust is even more on trial. Last week a friend was telling me about her experiences on an online dating site: she met up with a great guy and they seemed to have so much in common, and then out of the blue came the call for money. The details don’t matter, but this is really common and many innocent people are robbed of all their savings. We all do it; yes, eBay can be great fun and you can get some bargains, but this really is the haven for every fraudulent idea ever invented by man, and there are new ones occurring every day. So how do you pay for your purchases? PayPal of course, in most cases at least, but this doesn’t stop you from getting involved in fraud, whether as the seller or the purchaser. “The goods were never sent” or “never arrived, give me my money back”, depending on which party is the fraudster. Disputes like this are legion, and it’s not too difficult to get your PayPal account frozen and often very difficult to get it released.
So the question I’d like to leave you with this month is: when making payments on the internet, who do you trust, and what will your bank or PayPal do in the event of a dispute? Do we need a better way to pay?

Happy holidays, Patsy.

Contents

Regular Features
• Lead Story – Kraken to feed from your phone calls
• Events Diary
• World News In Brief

Industry Articles
• Identity-based Convergence for Stronger Security
• Banking on a Simpler Approach to Authentication
• It’s time to travel without credit cards
• Verayo develops the world’s first ‘unclonable’ RFID chip
• Hold very tight please! Ting-ting!
• Biometrics – It’s not what you know, it’s who you are!

Events Diary

August 2010
25-26: 5th ID, Smart Card & Ticket Security & Anti-Counterfeiting Technology Summit, China – http://www.cids.com.cn/En/

September 2010
14-15: Mobile Payment China 2010, Shanghai, China – http://www.mobilepaymentchina.com/mobilepayment/
14-16: 5th Near Field Communication World Asia 2010, Grand Hyatt, Singapore – http://www.terrapinn.com/2010/nfc/
21-24: Smart Event '10, Sophia Antipolis, French Riviera, France – http://www.smart-event.eu/
21-23: The Biometric Consortium Conference, Tampa, Florida, USA – http://www.biometrics.org/
27-30: Prepaid Mobile 2010, Hotel Fira Palace, Barcelona, Spain – http://www.iir-telecoms.com/event/prepaid
27-29: Mobile Payment Services 2010, Hotel Fira Palace, Barcelona, Spain.
http://www.iir-telecoms.com/event/mobilepayment
Source: www.smartcard.co.uk/calendar/

Kraken to feed from your phone calls (continued from the cover)

GSM (Global System for Mobile communications) technology uses an array of radio transmitters called Base Stations (BS) to connect your cellphone with your cellular network, such as Orange or Vodafone. Base Stations are all interconnected, which is why you can move from one cell to another without losing your connection. According to data from the GSM Association, about 3.5 billion GSM phones are used in nearly 200 countries worldwide.

GSM security works by authenticating the subscriber’s SIM card using a pre-shared secret and a challenge-response exchange. Once the subscriber is authenticated by the mobile network provider, ongoing communication is secured by one of GSM’s A5 family of stream cipher algorithms:

• A5/0 uses no encryption.
• A5/1 is the original A5 algorithm, used in Europe.
• A5/2 is a weaker encryption algorithm created for export and used in the United States.
• A5/3 is a strong encryption algorithm created as part of the 3rd Generation Partnership Project (3GPP).

Kraken has been especially designed to decipher the A5/1 cryptographic algorithm. The A5/1 stream cipher was developed in 1987 to encrypt both voice and signalling data from a mobile telephone. In its day, A5/1 was considered a strong method of keeping mobile phone calls private using 64-bit encryption, and even a watered-down version of the algorithm, A5/2, was developed for export outside of Europe.

Frank Stevenson, a developer within the A5/1 Security Project, made the announcement of the first release of Kraken: “I have named this beast Kraken, after a Norse mythological creature capable of eating many things for breakfast. Kraken feeds off an exclusive diet of A5/1 encrypted data.” He also pointed out the following hardware prerequisites needed to set up Kraken.
• Linux machine, multicore, minimum 3 GB RAM
• 1.7–2 Terabytes of hard disk space, partitioned without a file system
• The Berlin A5/1 Rainbow table set
• GPU support will be added for ATI Radeon HD

When Kraken was in the early stages of development, the GSM Alliance said that the research was a long way from being a practical attack on GSM. The GSMA said that they welcomed research, but continued by highlighting that “the theoretical compromise of GSM network requires the construction of a large look-up table of approximately 2 Terabytes, which is equivalent to the amount of data contained in a 20 kilometre high pile of books.”

The software is regarded as a key step towards eavesdropping on mobile phone conversations over GSM networks. Since GSM networks are the backbone of 3G (the 3rd Generation of standards for mobile phones and mobile telecommunications services), even 3G phones can be compromised, because they fall back to GSM mode when a 3G network is not available. The A5/1 Security Project has stressed that its main aim is to show how easily A5/1 encryption can be cracked. It is anticipated that A5/1 Security Project leader Karsten Nohl will discuss the hardware and software setup during this year’s Black Hat Security Conference. Further information on Kraken can be found on the A5/1 Security Project website (http://reflextor.com/trac/a51).

By Suparna Sen, Smartcard & Identity News

World News In Brief

E-borders Firm Axed Over Delays
The firm in charge of the government's £750m e-borders programme has been axed over delays. Immigration Minister Damian Green said the performance of Raytheon Systems Limited had been "extremely disappointing"; the company has delivered some elements while others have remained undelivered. “Delivery of the next critical parts of the programme are already running at least 12 months late”, continued Mr Green.
E-borders, a system to count everyone entering and leaving the UK, would remain a priority, and he was seeking alternative suppliers. The complex system was meant to be fully operational by March 2014.

Home Trust of Canada selects Gemalto for EMV Migration
Gemalto announced this month that it has been chosen to manage Home Trust Company’s migration from magnetic stripe credit cards to EMV (Chip and PIN) smart payment cards. Home Trust is a Canadian Visa issuer and one of Canada’s leading trust companies, focusing on consumers who typically do not meet all the lending criteria of traditional financial institutions. Gemalto is providing microprocessor payment cards, as well as data preparation, card personalisation and fulfilment at Gemalto’s state-of-the-art facility in Burlington, Ontario. Gemalto’s consulting service is engaged with the project, providing guidance on how to interact with all members of the payments ecosystem to ensure Home Trust is prepared to meet the Canadian EMV requirements. Gemalto will also train the Home Trust team extensively on all activities associated with EMV migration.

BIO-key to Unveil Enterprise Ready Biometric Identity Platform for Smartphones
BIO-key International, Inc. announced that the company will be unveiling its first ever mobile biometric identification and authentication platform, which provides enterprises with the ability to capture and transmit fingerprint biometric data to a secure server for identification and authentication of smartphone, laptop, tablet and desktop users. BIO-key will hold demonstrations on Wednesday, July 28 at the Burton Group Catalyst Conference, San Diego, CA.

BlackBerry poses 'Security Risk' say UAE Authorities
The United Arab Emirates (UAE) has said that it could move to restrict or monitor BlackBerry mobile phones, as they pose a "national security risk". The region’s telecoms regulator said, "BlackBerry operates beyond the jurisdiction of national legislation", as it stores its data offshore.
It said it was concerned that misuse may have "serious social, judicial and national security repercussions". Critics branded the moves as "repressive". The media freedom watchdog Reporters Without Borders told BBC News that while the UAE was playing a "technological leadership role in the Arab world", this was backed by "repressive laws" and a "general trend of intensified surveillance".

mopay call for Online Merchants
mopay, a leading provider of mobile payment solutions worldwide, announced mopay call, a new solution that lets online merchants bill purchases directly to consumers' landline phone accounts. With mopay call, mopay is expanding its breadth of offerings in order to sustainably position a widely available and far-reaching alternative payment platform. The company further extends its ability to provide globally available billing solutions that enable the unbanked to pay for goods and services.

Record Number of Fake £1 Coins Could Force Reissue
At present, there are about £41 million in fake £1 coins in the UK, one in every 36 in circulation. Because of the fake £1 coins in circulation, the Royal Mint may be forced to scrap all of the coins and reissue the entire denomination. The situation has worsened since last year, when one in 40 £1 coins was found to be fake. The £41 million in fake £1 coins is a record, and the number suggests that the proportion of counterfeit coins has tripled in the last decade. The Conservative MP Andrew Rosindell said the number of counterfeits was "a genuine matter for concern".

Identity-based Convergence for Stronger Security
By David Ella, Chief Technology Officer, G4S Technology

Thousands of companies routinely control and manage building access for security and tracking purposes using smart cards. Tightly integrating the key security functions, such as Access Control and Video Management, provides organisations with a completely unified approach to securing their buildings and offices.
In parallel, IT network access can be controlled and managed using an enterprise network authentication infrastructure. In most circumstances the two security systems, the physical and the network (logical), live in separate technology silos, but we are now in an era where you can enable seamless communication between the two systems to effect a stronger, and more compliant, overall security posture.

Integrating physical and network security enables you to:
• Increase overall site security
• Audit who, what, when, and from where: from door, desktop, and remote
• Close security gaps between disparate security systems
• Quickly and easily deploy a converged security system without modifying the existing IT infrastructure

Recognising this opportunity to create a more unified security solution and responding to the needs of the user is critical. Solutions need to be simple and effective. Security should not create barriers or be a burden to the users on a daily basis. Security should just work.

The simplest form of integration is to have both network and physical security on the same smart card. Normally physical security will use a contactless interface and network security uses a contact interface. For many organisations this level of integration is adequate; however, more sophisticated options are available. Technology such as the integration between G4S Technology’s Symmetry™ Security Management System (SMS) and Imprivata OneSign provides a single point of authentication. This translates to a streamlined, simplified management process for integrating physical security events with IT network access, effectively closing the security gaps that exist when disparate physical access control and IT network authentication systems live in self-contained silos. This simple, yet highly effective, solution builds on a simple concept: the single point of authentication using a smart card.
Identities contained within the database are mapped to the network directories, enabling a converged policy for allowing or denying network access. This is based on a user’s physical location and badge events, organisational role, and/or employee status. All this is made possible from a single, easy-to-use web-based interface. The technology available today allows cardholders’ identities to be managed quickly and easily from a single screen: set up details, customise cards and grant special privileges. Restrictions can also be applied to cards, such as a usage limit or expiry period, to give you the flexibility you need to meet the demands of any business.

“The experience we have with smart card applications provides us with a unique perspective and practical knowledge regarding the use of smart cards for physical and network access control,” said David Ella, G4S Technology Chief Technology Officer.

Biometric integration is another option for adding additional layers of security to a smart card access control solution. Biometrics is best defined as measurable physiological and/or behavioural characteristics that can be used to verify the identity of an individual. These include fingerprint and iris scanning, hand geometry and facial recognition. Storing an individual’s biometric template on a smart card keeps that personal data on the card and provides a portable method of identification. The value proposition for biometric readers in access control is simple: a card can be duplicated or stolen, but a unique physiological characteristic cannot. Biometrics enables access control systems to ask not only “What do you have?” and “What do you know?” but also “Who are you?” As a result, biometrics is taking an increasingly prominent position as an additional access control solution in today’s escalating requirements for physical security.
The smart card today is vital, storing high levels of data and enabling the holder to activate or unlock a number of different applications, ranging from access control through to cashless payments, such as the GiroVend solution from G4S Technology.

As technology continues to rapidly evolve, we cannot practically expect organisations to continuously upgrade their security solutions at the same pace. Recognising where critical technological advancements are made, and understanding which ones will be able to benefit individual organisations, is the key. The unified approach of logical and physical integration is one we expect to be quickly adopted. What is exciting, however, is where this smart card technology and biometric applications meet, creating a virtually impenetrable and intelligent security solution.

World News In Brief

Girocard Holders Can Now Withdraw Cash from UK ATMs
Holders of the German 'Girocard' debit cards will be able to withdraw cash from ATMs across the UK. The UK's LINK ATM network is opening all 63,000 UK cash machines to all users of the German card scheme operated by Zentraler Kreditausschuss. The development has been made possible by EAPS, the alliance of European debit card schemes, which facilitates pan-European ATM and POS transactions by uniting independent card schemes throughout Europe under a single European framework.

ZF Electronics to Supply Secure Access Technology for UK Police Forces' NPIA Framework Portal
ZF Electronics UK has announced that its Cherry smart card secure access products have been chosen as part of the security improvement programme being rolled out across the UK by the National Policing Improvement Agency (NPIA). This will allow ZF Electronics UK to list products on the NPIA framework portal as NPIA-approved devices for authenticating access to the Police National Database and Police National Computer.
Enhanced security guidelines laid down by the NPIA require all 56 UK police forces, plus the British Transport Police, Civil Nuclear Constabulary and other specialist police divisions, to ensure only authorised personnel can access the sensitive data held on the PND and PNC computer systems.

Co-op to Introduce Contactless Payments
The Co-operative Food will become the UK's first major grocery retailer to introduce contactless payment in its stores nationwide after joining forces with Barclaycard. The roll-out will begin with a pilot in 100 Co-operative food stores next year after an agreement was signed with Barclaycard in partnership with Visa. If the pilot is successful, The Co-operative says it will roll out the contactless terminals to the majority of its food stores in time for the 2012 Olympics, which is being billed as a contactless event, where visitors will be able to use the new cards to pay for transport, tickets and other low-value purchases.

Now NFC Mobile Phones turn into Secure ID and Access Devices
HID Global, trusted leader in solutions for the delivery of secure identity, and INSIDE Contactless, a leading provider of advanced, open-standard contactless chip technologies, announced that they have extended their long-standing partnership to bring market-leading iCLASS access control and identity credentials to near-field communication (NFC) mobile phones. Embedding iCLASS virtual credentials into NFC mobile phones will enable the potential substitution of numerous plastic cards for a variety of commercial and consumer identity applications, including not only physical access control but also secure PC log-on, time and attendance monitoring, equipment and material checkout, authorised access to office equipment and manufacturing machinery, private label retail payments, prepaid transit passes, and customer loyalty and membership programs.
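Returning to the converged policy described in David Ella’s article above (network access allowed or denied from badge events, organisational role and employee status, with an audit of who, what, when and from where), the following is an added illustration written for this page; it is not code from G4S Technology, Symmetry or Imprivata OneSign. The roles permitted to log on remotely, the 12-hour presence window, and every directory record and badge event are constructed assumptions for the example.

```python
# Added illustration (not G4S/Imprivata code): a converged access policy that
# decides a network log-on request from (a) the directory record of the user
# and (b) the user's most recent physical badge events, and records an audit
# entry answering "who, what, when, from where". All records are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DirectoryEntry:
    user: str
    role: str
    status: str            # "active" or "terminated"

@dataclass
class BadgeEvent:
    user: str
    door: str
    site: str
    direction: str         # "in" or "out"
    at: datetime

@dataclass
class LogonRequest:
    user: str
    workstation_site: str  # site the workstation sits in, or "remote"
    at: datetime

# Roles allowed to log on from outside any badged site (assumption of this example).
REMOTE_ROLES = {"field-engineer", "executive"}
# A badge-in older than this no longer counts as "present" (assumption).
PRESENCE_WINDOW = timedelta(hours=12)

def last_presence(events, user, before):
    """Site the user last badged into (and not out of) before `before`, else None."""
    site = None
    for ev in sorted(events, key=lambda e: e.at):
        if ev.user != user or ev.at > before:
            continue
        if ev.direction == "in" and before - ev.at <= PRESENCE_WINDOW:
            site = ev.site
        elif ev.direction == "out":
            site = None
    return site

def decide(req, directory, events, audit):
    """Return (allowed, reason) and append an audit record for the request."""
    entry = directory.get(req.user)
    if entry is None or entry.status != "active":
        allow, reason = False, "no active directory record"   # leavers are cut off even if the badge still works
    else:
        site = last_presence(events, req.user, req.at)
        if req.workstation_site == "remote":
            allow = entry.role in REMOTE_ROLES
            reason = "remote role permitted" if allow else "remote access not permitted for role"
        elif site == req.workstation_site:
            allow, reason = True, f"badged into {site}"
        else:
            allow, reason = False, f"not badged into {req.workstation_site} (last presence: {site})"
    audit.append({"who": req.user, "what": "network-logon", "when": req.at.isoformat(),
                  "where": req.workstation_site, "allowed": allow, "reason": reason})
    return allow, reason

def demo():
    """Run the policy over constructed records; returns decisions and the audit trail."""
    t0 = datetime(2010, 7, 16, 8, 0)
    directory = {
        "alice": DirectoryEntry("alice", "analyst", "active"),
        "bob": DirectoryEntry("bob", "analyst", "terminated"),
        "carol": DirectoryEntry("carol", "field-engineer", "active"),
    }
    events = [
        BadgeEvent("alice", "front-door", "london", "in", t0),
        BadgeEvent("bob", "front-door", "london", "in", t0),   # badge not yet revoked
        BadgeEvent("alice", "front-door", "london", "out", t0 + timedelta(hours=9)),
    ]
    audit = []
    m = timedelta(minutes=5)
    results = {
        "alice-at-desk": decide(LogonRequest("alice", "london", t0 + m), directory, events, audit)[0],
        "alice-wrong-site": decide(LogonRequest("alice", "manchester", t0 + m), directory, events, audit)[0],
        "alice-after-leaving": decide(LogonRequest("alice", "london", t0 + timedelta(hours=10)), directory, events, audit)[0],
        "bob-terminated": decide(LogonRequest("bob", "london", t0 + m), directory, events, audit)[0],
        "carol-remote": decide(LogonRequest("carol", "remote", t0), directory, events, audit)[0],
        "alice-remote": decide(LogonRequest("alice", "remote", t0), directory, events, audit)[0],
    }
    return results, audit

if __name__ == "__main__":
    decisions, trail = demo()
    for name, ok in decisions.items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
    for rec in trail:
        print(rec)
```

The point of the "bob" case is the one the article makes about closing gaps between silos: the badge system alone would have let him in, but the directory status wins. The "alice-after-leaving" case shows why badge-out events matter as much as badge-in events for the location rule.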
PULSE Introduces PIN Debit for ecommerce Transactions
PULSE, one of the nation's leading debit/ATM networks, is bringing the security, reliability and convenience of PIN debit to online shopping with the introduction of PULSE Internet PIN Debit. Financial institutions using PULSE Internet PIN Debit can deliver convenient PIN-based online transaction verification to a growing number of consumers who purchase products from ecommerce merchants. The new payment solution, which uses Acculynk's PaySecure Internet PIN debit software, reinforces the issuer and cardholder relationship by using a financial institution-branded graphical PIN pad.

Banking on a Simpler Approach to Authentication
By Stephen Howes, CEO of GrIDsure

Most people have heard of Ockham’s razor, the principle that states that the solution with the simplest explanation is more often than not the correct one. It came to mind recently when reading about Visa’s latest attempt to combat card fraud – its CodeSure payment card. This is essentially a cash card with a built-in One-Time Password (OTP) generator. It looks like the sort of card Harrison Ford might carry in Blade Runner, with a small digital screen just below the magnetic stripe and a little keypad so users can enter their PIN to receive the OTP. There is no doubt that this is a very impressive piece of technology, but in the spirit of Ockham, it got me thinking whether it’s not just another complex means of authentication.

In responding to rising levels of fraud, banks have historically taken the option of throwing ever-increasing amounts of technology at the problem in the hope that some of it will work. I am a technologist and a strong believer in the power of technology to solve problems, but not at the cost of the simplicity and elegance of a solution.
Many of the approaches taken to date have put too much of the onus on the customer, burdening them with a greater array of passwords to remember and an ever-increasing range of gadgets to carry around. A successful approach to authentication should encompass three main touch-points: usability, cost and security, but many of the solutions employed by banks fall short on all three of these.

Limitations of chip and PIN

Let’s take for example the UK, where both card-present and card-not-present (CNP) fraud are at a very high level. According to the UK Cards Association, money lost to online fraud rose by 14 per cent in 2009, an increase they put down to more sophisticated methods of fraud, including computer programs that can learn the keystrokes customers use for passwords (key logging). I believe that the crux of the problem is that the industry is still relying on static PINs and passwords as a primary authentication method.

The UK spent £1.1bn on the chip and PIN system in 2004. This has been a huge improvement from the days of magnetic stripe fraud, but it is still far from a perfect solution. The problems of ‘shoulder surfing’ for PINs aside, chip and PIN does not work well in the card-not-present (CNP) environment, an increasingly important channel as online retail continues its inexorable rise. The main response to the particular problems of CNP authentication has been to introduce longer secondary passwords. In practice these are of little value. Aside from making customers remember more passwords, the approach is still open to phishing or key logger attacks. Not only do many purchasers abandon their transaction at the point of login because they can’t remember their password, but there is also a sizeable number of users who will still not make purchases online due to security fears, and this important segment of the market cannot be ignored. Increasingly, however, banks are using OTPs to help combat the threat posed by CNP fraud.
This is a much more useful approach than simply relying on static PINs and passwords. OTPs allow a randomly generated password to be created for each transaction. Many OTP solutions on the market today rely on sending the code to a piece of hardware; often this is a device created specifically for this purpose, or a customer’s mobile phone. Visa’s CodeSure cleverly integrates the OTP generator with a cash card for ease of use, and as an alternative to static PINs and passwords it should be welcomed by the industry.

However, Visa’s approach is not without its limitations, and the complexity of the solution is a major barrier. There is a lot of circuitry and electronics that needs to go into the making of each of these cards, so the issuer will see a bigger cost burden imposed on them every time they need to re-issue. When weighed against cutting down on fraud this may well be an additional cost banks are willing to take on, but the solution would need to deliver clear improvements in security for this even to be considered, and I do not believe this is entirely the case. Despite the fact that CodeSure looks like a secure OTP solution, it is still founded on the weaker platform of the static PIN. For the OTP to be generated, the card holder needs to enter his or her PIN into the card, once again leaving them open to ‘shoulder surfing’. Once the fraudster has the customer’s PIN they have full access to their account. So could CodeSure be considered a PIN-based solution just dressed up as an OTP approach?

The alternative

So are there viable alternatives to chip and PIN-based solutions that are stronger in the areas of usability, cost and security? I believe that the answer to this is a resounding ‘yes’, and it comes not from adding extra complexity to the solution, but from elegant simplicity.
Authentication techniques that require the user to remember a simple pattern instead of a password or PIN have been available for a while now, and they offer a real revolution in remote access security; now is the time that banks should start to look seriously at these alternatives. There appears to be a mindset in the industry that if you have something you can physically hold, it offers better security than something virtual, but this is a myth that needs to be dispelled. Software-based authentication technologies can provide an OTP that is much more secure than traditional solutions, and as it requires no hardware it is very cost-effective to implement and scale to whatever deployment size is required. Added to this is the enhanced usability a software-based solution can offer, as a pattern is much easier to remember than a PIN.

As highlighted earlier, static PINs are vulnerable to key-logging and phishing attacks, but one-time passwords that are generated from software-based alternatives are significantly more resilient to attacks of this nature. It is also very difficult to shoulder surf a pattern-based one-time password generator, because the fraudster would need to view the user many times over to even begin to guess the pattern that was used to generate the numbers.

Using a software-based solution also provides endless flexibility in how it is implemented, in order to give scalable levels of security. For example, a user’s mobile phone or PC could easily be added to the security mix to provide additional ‘two-factor’ security without requiring any extra expensive hardware. Added to this is the flexibility of using the solution in various languages and for people with disabilities who may not be able to enter a four-digit PIN code without assistance.

Drilling down a level, it is possible for software-based solutions to be cleverly implemented to help protect against ‘man in the middle’ attacks.
This is done by using details of the transaction (e.g. the amount being transferred and the destination account details) to actually generate the passcode, so that if a fraudster tries to amend the information the transaction will be cancelled. Furthermore, using this method, the one-time passcode can become a ‘digital signature’ of the transaction, which counters internal fraud. So, software-based solutions are much more secure, more cost effective and more user friendly in comparison to traditional chip and PIN or complex static passwords.

The first step to a more secure future

OTP devices such as Visa’s SecureCode are therefore a welcome step in the right direction. It shows that the industry is waking up to the fact that static PIN numbers are not enough in themselves to effectively authenticate payments. This is only a start, however. Such cards are expensive to produce and are still reliant on a fixed PIN as a starting point. Taking Ockham’s razor to the problem, I strongly believe that a software-based approach using simple patterns to generate OTPs is a much more suitable solution. It costs less and is incredibly easy for customers to use, removing in one stroke the persistent problems of ‘shoulder surfing’, key logger and phishing attacks. This approach is available today, but banks need to have the confidence to take a step back from the technology and realise that in some cases less is better and a simple solution can be the most effective.

It’s time to travel without credit cards

By Suparna Sen, Smartcard & Identity News

It often becomes difficult to keep credit cards and gift cards safely in the wallet for fear of losing them while travelling. To solve this problem, iCache Inc. has developed an electronic payment device – iCache – capable of carrying the details of all your credit cards, debit cards, prepaid cards, ATM cards, loyalty cards, medical insurance cards, hotel key cards, etc. on one single device.
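The transaction-bound passcode described in the authentication article above (the code is derived from the amount and the destination account, so an altered transaction no longer matches) as an added example that is not part of the original article: the bank recomputes the code over the details it actually received and rejects a changed destination or a reused code. The shared key, the length-prefixed encoding and the HOTP-style truncation are assumptions of this example, not details from the article.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. In the article the customer's secret is a remembered
# pattern; here it is assumed to be a key already shared by the customer's
# software and the bank (the pattern-to-key step is out of scope).
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def transaction_message(amount_pence: int, destination: str, counter: int) -> bytes:
    """Canonical encoding of the fields the passcode is bound to.

    Each field is length-prefixed so that different (amount, destination)
    combinations can never encode to the same byte string.
    """
    fields = [str(amount_pence).encode(), destination.encode(), str(counter).encode()]
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def transaction_otp(secret: bytes, amount_pence: int, destination: str,
                    counter: int, digits: int = 6) -> str:
    """Customer side: derive a short numeric passcode from the transaction details.

    HMAC-SHA256 over the canonical message, then HOTP-style dynamic truncation
    (RFC 4226, section 5.3) down to a fixed number of decimal digits.
    """
    mac = hmac.new(secret, transaction_message(amount_pence, destination, counter),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TransactionVerifier:
    """Bank side: recompute the passcode over the details the bank actually received.

    A man-in-the-middle who alters the destination account cannot produce a
    matching code without the secret, so the altered transaction is rejected.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = 0  # per customer; a code is only good for one transaction

    def verify(self, amount_pence: int, destination: str, counter: int,
               presented_code: str) -> bool:
        if counter <= self.last_counter:
            return False  # replay of an already-used passcode
        expected = transaction_otp(self.secret, amount_pence, destination, counter)
        if not hmac.compare_digest(expected, presented_code):
            return False  # details changed in transit, or wrong secret
        self.last_counter = counter
        return True


def demo() -> tuple:
    """Three cases: honest transaction, tampered destination, replayed code."""
    genuine_dest = "12-34-56 87654321"      # constructed sort code / account number
    attacker_dest = "99-99-99 11111111"     # constructed
    code = transaction_otp(SHARED_SECRET, 25000, genuine_dest, 1)  # pay 250.00

    bank = TransactionVerifier(SHARED_SECRET)
    honest = bank.verify(25000, genuine_dest, 1, code)

    # An intermediary swaps the destination but can only forward the same code.
    bank_mitm = TransactionVerifier(SHARED_SECRET)
    tampered = bank_mitm.verify(25000, attacker_dest, 1, code)

    # The genuine code is captured and presented again for the same transfer.
    replayed = bank.verify(25000, genuine_dest, 1, code)
    return honest, tampered, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```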
iCache is a small, slim, lightweight digital device that stores a universal blank magstripe plastic card within it. iCache costs $99, and the gadget acts as a replacement for wallets overstuffed with credit cards by mimicking all of the cards that you usually carry with you. According to iCache officials, the device has a battery which may be recharged via micro USB. With normal use, the iCache can last up to 2-3 weeks between charges. iCache includes an LCD screen and a card slot through which you insert and remove the magnetic-stripe card after unlocking the device using the biometric fingerprint scanner on the bottom right of the device. In terms of looks, the iCache resembles the iPod mp3 player and is slightly bigger than a small stack of credit cards.

Since the introduction of iCache at the 2007 International Consumer Electronics Show, Las Vegas, the device has only been distributed to a select few customers by the banks and other financial institutions within the country (although according to the iCache website, the gadget can be bought from a variety of iCache-supporting financial institutions or from any of the 10,000 iCache retail locations in the US).

To use your iCache, you need to activate it first. Activation requires self-registration of your fingerprint and credit cards. You need to plug your iCache into your computer or laptop using a USB cable. Then you register each card online on the iCache website, which in turn transfers the credit card data on to the iCache device. Finally, you scan your fingerprint on the biometric scanner available with each iCache to initialise the device. At the time of payment you unlock the device with your fingerprint and select your specific card profile (e.g. MasterCard or Visa) by scrolling the card list on the device’s LCD screen. The blank magnetic-stripe card stored inside the iCache is then written with your chosen card details.
You can then pull out the plastic card as a replica of your desired card, with all the specific information on it, ready to be used for payments. The card that pops out of your iCache won’t bear the well-known red and orange MasterCard symbol. It will instead have the red and white iCache insignia. When you insert the plastic card back into the device, the information stays for about 10 more minutes, and then the data gets deleted automatically or is overwritten when you select the next card for use. iCache replaces loyalty cards and gift cards with the ability to display barcodes on its screen. The barcodes can be entered into the device by the user or can be sent to the user as digital packets by the issuer.

Currently, promotional materials and videos of a second-generation iCache Digital Wallet are starting to appear over the Internet, whilst the iCache website has gone under development. This second instalment of the iCache digital wallet is rumoured to include a contactless payment option and an improved barcode rendering screen, which is able to be read by all barcode readers at the point of sale.

So I put forth a couple of questions to the CEO of iCache, Mr. Ramaci. I asked how contactless payments would work. He replied: “Although no-one can truly replicate a contactless card because of the security keys involved, iCache have the ability to internally store a contactless card. In our design, contactless card data cannot be accessed until the biometric authorization has passed. We also have methods for projecting the contactless data through a metal case according to the ISO 14443 spec. This enablement of the contactless transmission of data does not occur until the user successfully identifies himself to the iCache Digital Wallet and the user selects to perform a contactless transaction”. Further, when I wanted to know whether iCache can be used for Internet payments, Mr.
Ramaci said, “As well as having universal mag stripe capability, contactless, and barcode capability, the iCache excels at internet payments. An iCache Internet transaction is the safest of all Internet payment methods because the web merchant knows that the card used is tied biometrically to the individual owner of that card. Data is never decrypted or released from the iCache to a web merchant until it is biometrically unlocked by the card owner”.

iCache doesn’t come without its problems. When you are using it as a travel gadget, you will still have to call each of the credit card companies for the cards you plan to use to let them know whether you are using the card internationally or domestically. There are places around the world where merchants are unfamiliar with iCache. For instance, if you travel to some village in India and take out your iCache to pay for your purchase, you will face problems, since the iCache mag-stripe card will not carry the MasterCard/Visa logos and may cause confusion to the merchant. But most importantly, you can’t use iCache in countries that require chip & PIN, such as the UK itself or Ireland and many other chip & PIN compliant countries. iCache is obviously still evolving, since the design keeps changing and the claims of functionality growing. In addition, I have also been informed of an iCache add-on for your phone that is in the pipeline. One of iCache’s core objectives is that the merchant does not have to change anything at the point of sale.

World News In Brief

Brighton and Hove Bus Company to Launch Smart Cards

Smart cards for bus passengers will soon be introduced in Brighton and Hove on the south coast of England. Roger French, managing director of Brighton and Hove Bus Company, which operates the vast majority of routes in the city, told The Argus he hopes to start installing the system early next year. French is working with rail operator Southern to make sure the cards can be used on both bus and rail services.
The entire process is expected to take between 12 and 18 months to complete. The system will be similar to the Oyster cards used in London but will be based on new technology being developed by the Department for Transport that will eventually be rolled out nationwide.

Visa to Reduce Payment Card Data Stored in Merchant Systems

Visa Inc. has launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number. Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF’s comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors.

Verayo develops the world’s first ‘unclonable’ RFID chip

By Tom Tainton, Smartcard & Identity News

The authentication solutions provider Verayo has developed the world’s first unclonable chip products, led by the Vera M4H RFID. The company, founded in Silicon Valley in 2005, claims that its Physical Unclonable Function (PUF) technology will transform the security industry, providing robust authentication for a wide range of sectors such as e-finance, ticketing, mobile payments and e-passports. Its co-founder and developer, Srini Devadas, even won a coveted CTO 25 Award for his efforts in developing this breakthrough silicon biometrics technology.
PUFs are tiny electrical circuit primitives that exploit IC fabrication process variations to generate an unlimited number of unique ‘secrets’ from each chip. These ‘secrets’ are dynamically generated using a challenge-response scheme. When a PUF circuit is queried with a challenge (a random 64-bit number), it instantly generates a unique ‘fingerprint’ response. Each PUF can effectively generate an unlimited number of unique challenge-response pairs. The response from any given chip is based on the chip’s unique, unpredictable, random and unclonable fabrication process variation, thus making it impossible to generate the same challenge-response pairs from another chip. To put it simply, PUF technology is entirely unbreakable.

Vivek Khandelwal, Vice President of Marketing and Business Development at Verayo, says: “PUF is the first silicon technology that makes ICs unclonable. Until now there have been technologies that provide anti-cloning features, but none addressing this at the levels PUF does. PUF will add value in the security space at two ends of the spectrum. At one end PUF is providing the lowest cost alternative to conventional cryptography for applications that require authentication, hence enabling security in applications where costs have been an inhibitor. On the other end PUF is extending the security envelope by using the silicon chip’s “biometric” information as a seed to create dynamic, volatile cryptographic keys.”

The Vera X512H, the first unclonable RFID IC from Verayo, provided authentication at reduced cost but needed a network to access information. The new, improved Vera M4H adds non-networked operation, thus widening the reach of PUF-based RFIDs to a much broader market where access to a network may not be available. So why don’t standard RFID chips cut the mustard anymore?
Well, while basic RFID chips can be easily cloned – either by using a ghost device to “act” like a real RFID chip, or by copying data from one chip to another – Verayo’s PUF-based RFID chips provide a very strong authentication mechanism whereby no device can be disguised as the original chip, even if the data is copied from one Verayo chip to another. Bad news for identity fraudsters and skimming crooks too. Each PUF-based RFID can generate an unlimited number of challenge-response pairs, so when addressing the issue of skimming and replay attacks, the system simply uses a new challenge-response pair each time.

The unclonable RFID tags also offer an alternative to the largely ineffective authentication mechanisms commonly used to control counterfeiting. Holograms and colour-shifting inks are flawed, while basic RFID tags lack the necessary security requirements. Verayo’s PUF RFID tags can prevent counterfeiting in markets such as pharmaceuticals, liquor, wine and cigarettes, and luxury products. In fact, PUF-based RFIDs signal a change of direction in the industry. They’re tiny and consume low power, and they’re very cheap. Crypto-RFIDs provide comparable security and trust but at a significantly higher cost. PUF-based authentication breaks the cost-security continuum. PUF technology is not tied to any particular RF frequency, and can be integrated into RFIDs that operate at any frequency, for both short and long read range applications. Of course, with improved security for RFID solutions comes end-user ambiguity and easier adoption in a wide range of applications.

Khandelwal says: “PUF RFIDs are getting good traction in markets like pharmaceutical and consumer product anti-counterfeiting, as well as secure ID and mass transit ticketing kind of applications. Like any other security technology, PUF technology has faced challenges on the robustness of authentication and security it provides.
The technology has had to go through extensive environmental characterization. The technology is currently in trials, so specific case studies will be possible after completion of these trials and evaluations.”

So what sectors beyond RFID can Verayo’s PUF technology benefit, and how? Many of us rely on computing devices for everything we do, whether it’s storing business or personal data or running financial transactions. Verayo’s security solutions aim to enhance the security of computational systems by providing a unique and reliable way to authenticate PUF-based ICs and systems. Additionally, PUFs also provide a way to use each IC’s unique “fingerprints” as seeds to generate dynamic and volatile secrets, eliminating the need to store cryptographic keys. Computers and networking equipment can use PUF technology for more secure and robust hardware authentication. PUF-based secure processors can address the needs of market segments that require a higher level of security and anti-tamper protection, such as national defence infrastructure. PUF technology can also be used for secure identification, data access and secure transactions for applications such as mobile (NFC) payments, e-Passports, SIM cards and contactless credit cards.

Physical unclonable function technology represents one of the biggest breakthroughs in semiconductor security. Verayo has done extensive testing, qualification and engineering development to improve the reliability of its PUF products. With the right implementation, Verayo claims PUFs achieve nine-nines reliability, or in other words a failure rate of less than one in a billion. Pretty good odds, I’m sure you’ll agree.
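An added example, not Verayo’s code, of the challenge-response scheme the article describes: a verifier that enrolled a tag’s challenge-response pairs issues each random 64-bit challenge only once, so a recorded pair cannot be replayed, and a second die with different fabrication variation fails even when everything readable has been copied. The PUF itself is simulated with a keyed hash, and the tolerance of six flipped bits per response stands in for the environmental drift the article mentions; both are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class SimulatedPuf:
    """Stand-in for a PUF circuit (assumption: a real PUF stores no key and derives
    its response from fabrication variation; here a per-chip random value models
    that variation and a keyed hash models the circuit's response function)."""

    def __init__(self, noise_bits: int = 0) -> None:
        self._variation = secrets.token_bytes(32)  # constructed; never leaves the "chip"
        self.noise_bits = noise_bits

    def respond(self, challenge: bytes) -> int:
        """Return a 64-bit response to a 64-bit challenge, with a little noise."""
        digest = hmac.new(self._variation, challenge, hashlib.sha256).digest()
        response = int.from_bytes(digest[:8], "big")
        # Silicon responses drift slightly with temperature and voltage; model
        # that by flipping a few random bits on every query.
        for _ in range(self.noise_bits):
            response ^= 1 << secrets.randbelow(64)
        return response


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two responses."""
    return bin(a ^ b).count("1")


class CrpVerifier:
    """Back end that enrolled the genuine chip and holds its challenge-response
    pairs (CRPs). Each challenge is issued once, so a skimmed pair is useless."""

    def __init__(self, genuine_chip: SimulatedPuf, pair_count: int,
                 max_noise: int = 6) -> None:
        self.max_noise = max_noise           # tolerated bit errors in a response
        self.unused: dict = {}
        self.used: set = set()
        for _ in range(pair_count):
            challenge = secrets.token_bytes(8)   # random 64-bit challenge, as in the article
            self.unused[challenge] = genuine_chip.respond(challenge)

    def next_challenge(self) -> bytes:
        """Pick a challenge the tag has never been asked before (raises when exhausted)."""
        return next(iter(self.unused))

    def authenticate(self, challenge: bytes, response: int) -> bool:
        if challenge in self.used:
            return False                     # replay of an observed pair
        expected = self.unused.pop(challenge, None)
        if expected is None:
            return False                     # challenge was never enrolled
        self.used.add(challenge)             # consumed whether or not it passes
        return hamming_distance(expected, response) <= self.max_noise


def demo() -> tuple:
    """Genuine tag accepted; replayed pair rejected; cloned die rejected."""
    genuine = SimulatedPuf(noise_bits=2)
    verifier = CrpVerifier(genuine, pair_count=4)

    # Genuine tag: fresh challenge, slightly noisy response, within tolerance.
    c1 = verifier.next_challenge()
    r1 = genuine.respond(c1)
    genuine_ok = verifier.authenticate(c1, r1)

    # Replay: a skimmer recorded (c1, r1) and presents the pair again.
    replay_ok = verifier.authenticate(c1, r1)

    # Clone: a different die answers a fresh challenge with its own variation.
    clone = SimulatedPuf()
    c2 = verifier.next_challenge()
    clone_ok = verifier.authenticate(c2, clone.respond(c2))
    return genuine_ok, replay_ok, clone_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```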
World News In Brief

Oberthur Technologies Awarded $75 Million Tender for Uzbekistan Biometric Passports

Oberthur Technologies, the leading French secure technology company, has been awarded a contract to establish a biometric passport system for Uzbekistan, the Uzbekistan Daily website reported. Oberthur signed a contract worth more than $75 million with the government following a tender. In the first stage, employees of ministries and state bodies of Uzbekistan, citizens travelling abroad and citizens who are receiving new passports will get biometric passports. The first stage of the project was initially scheduled to begin Jan. 1, 2010, but was postponed for a year by Uzbek President Islam Karimov. All citizens of Uzbekistan will receive new passports in the second stage, which is set to begin in 2012.

South Korean Early Adopter Chooses Clear2Pay NFC Test Tool

Clear2Pay announced that the Korea Electric Testing Institute (KETI), a leading organisation dedicated to enhancing the safety and quality of electric and electronic products, selected Clear2Pay’s Integri test tools for the testing of digital communication between Near Field Communication (NFC) devices.

Piraeus Opens First Online Bank for Greek Market

Piraeus Bank is to launch Greece’s first stand-alone direct bank through an extension of its electronic banking channel Winbank. With more than 150,000 customers now signed up to e-banking, Piraeus is taking the concept one step further with the creation of winbankdirect, which will target not only existing Piraeus Bank customers but the entire Greek consumer banking market. Piraeus Bank Group is one of the most dynamic and active financial organisations in Greece.
SMARTRAC Launches New Gamma Radiation Proof RFID Tags

SMARTRAC N.V., the leading developer, manufacturer and supplier of RFID transponders, announced that it has broadened its product portfolio with an RFID transponder that withstands gamma radiation of up to 45 kilogray (kGy). The new transponder, which is part of the company’s established S-Tag product family, is especially suited for use in medical applications where aseptic conditions are compulsory.

New Yorkers Hand Over Personal Details to Microsoft’s Fake Bank

Microsoft has set up a fake bank branch in New York and tricked members of the public into handing over huge amounts of personal information. The tech giant built its Greater Offshore Bank & Trust branch in a bid to demonstrate how vulnerable people are to scams and to promote Internet Explorer 8, which it says blocks three million online threats a day. In two videos posted on YouTube, actors playing bank staff members convince members of the public to reveal highly sensitive information in order to open accounts and receive $500. Duped “customers” were willing to hand over their mothers’ maiden names, social security numbers, credit card numbers, strands of hair for DNA tests and details of whether they wear boxers or briefs.

IBM Employee Held Culprit in Massive DBS Outage

An IBM employee has been fingered as the culprit behind a 7-hour system-wide outage that knocked out all consumer and business banking services and ATM and POS transactions at Singapore’s DBS Bank this month. In a letter posted on the bank’s website, DBS CEO Piyush Gupta says the outage was triggered during a routine repair job on a component within the disk storage subsystem connected to the bank’s mainframe. IBM and DBS entered into an S$1.2bn agreement in 2002 in which the bank outsourced IT services and infrastructure in Singapore and Hong Kong to IBM.

World’s Lightest Mobile Phone!
According to the Guinness Book of World Records, the Modu 1 is the world’s lightest mobile phone. Modu is an Israeli manufacturer and will launch the Modu 1 in the UK later this month with a price tag of £129.99. This light phone holds a 3.2 megapixel camera with 3.2x digital zoom and Bluetooth 1.2 connectivity. It includes 2GB of internal memory to act as your music player or storage device, measures 72.11mm x 37.66mm x 7.8mm, and has a 1.3-inch OLED display and a built-in speaker.

Hold very tight please! Ting-ting!

By Peter Tomlinson - Smartcard & Identity News

There is an end of the Spring season feeling this month: the general election is already almost three months behind us, Ascot and Wimbledon and Henley are gone, students have come home (perhaps relief that they have gone home for those of us who live in student-laden cities). The summer months this year are overlaid with the pause in the government’s allocation of funding and the wait to see their direction across many programmes, including those with significant secure Information and Communications Technology (ICT) content. About that funding: we are told to hang on until October 23rd, but to also keep an eye out for early release. As for direction, the history of the Information Assurance policy tells us that some policies created in the Cabinet Office have difficulty getting out through the door. So it is: Hold very tight please! [1] for 3 more months.

One bit of detail: contrary to last month’s front page article, ITSO Ltd’s scheduled additional funding is currently only sufficient for planning ITSO V3 on a 3 year timescale - they also wait until October. That is not just about an enhanced and restructured ITSO Specification: it also includes upgraded security servers and, early in the schedule, an upgraded test and certification service. Into this, two recent talks about the Oyster upgrade programme have injected a new insight into possibilities for other metropolitan areas.
Also there is a new foray by old friends into the general UK market for smart devices, for support goods, and now for support services. And some continuing headbashing about being safe online.

At a tangent to our orbit, the USA White House and their Homeland Security Department have launched a discussion on a possible national eID programme: a draft National Strategy for Trusted Identities in Cyberspace. SCN Daily News reported this on 30th June, and here are some of the links:

The White House announcement: http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
The consultation document setting out the draft strategy, plus many responses: http://www.nstic.ideascale.com/
A review article: http://www.nextgov.com/nextgov/ng_20100628_8259.php?oref=topnews

In the background are the success and also the problem of the USA’s Personal Identity Verification (PIV) smart card scheme for govt employees and contractors: it works, but the security schemes of the various govt depts are not fully federated. So the PIV card issued by Dept A may not allow you into Dept B. A strong security eID token for the public really needs to be interoperable across many services, but the USA’s federal govt will not want to be, or to set up, one issuer. Is there an echo here in the UK? Very, very faint at the moment, but it may get stronger if Martha Lane Fox and colleagues get to work on strong authentication for DirectGov and, with others, start a trickle down to local government – the potential curse is that Whitehall’s silo mentality means that currently we cannot build effective over-arching multi-departmental programmes.

Transport for London is well on the way to rolling out its ITSO acceptance upgrade, and is also close to starting the move from their private transport token purse (that is how Oyster PAYG works) to adding a contactless bank card payment method as you travel, incorporating the same PAYG rules. The reason? Predicted much lower cost of operation.
The method? All bank-issued cards conforming to the EMV contactless requirements will be accepted. Over time (a currently unspecified period) the old Oyster cards will be replaced - and maybe there will be an Oyster-branded pre-paid banking technology payment card. Key people from TfL spoke at both the Contactless Cards and Payments conference and the Gemalto Innovation Day: Lauren Sager Weinstein at the one, Peter Lewis at the other. As a result, one thing became very clear: it would be possible to take the new TfL Oyster bank payment and journey management technology and drop it into other areas where interoperable public transport ticketing dominates - interoperable across multiple local public transport service providers, that is. So, as well as Oysters in London, there could be Periwinkles in Manchester, Prawns in Birmingham and Tykes in most of Yorkshire…

And you could then be able to take your Visa PayWave or Mastercard PayPass contactless card with you from home in London to journey by public transport to an inter-city railway station, travel by train to Manchester (buying your rail ticket some other way and holding it in another secure token or printing it), bus and tram it around Manchester, back to London by train, and travel home on bus and tube and TfL PAYG rail services. If you make enough local journeys, you would benefit from one fare capping scheme in London, and from another one in Manchester. But you would have to register online in London to be able to view your journey history on TfL services, and register separately in Manchester to view Periwinkle journey history. Since DfT’s smart and integrated ticketing strategy envisages using one secure token for all the journeys, Norman Baker MP (if he is still a Transport Minister by the time that this happens) might not be best pleased.

The new foray into the UK market is being made by Gemalto. Not just cards (many of our bank cards already come from them).
Also payment terminals, and all kinds of security offerings and associated services (including the new entity for the mobile eService environment: the Trusted Service Manager) - they have been growing by acquisition of innovative businesses. One very useful new service, demonstrated at their Innovation Day, is online management of Gemalto retail bank card payment terminals: if it doesn’t work or do what you need, phone the Gemalto-equipped call centre, they connect to the terminal across the internet, and they try to fix it remotely. To be rolled out in France very soon, proposed for the UK next year.

Headbashing has been happening at invitation-only Workshops run by the Information Assurance Advisory Council (IAAC). The Chatham House Rule applies: the general direction of the discussions can be reported, but there must not be detailed reporting or attribution of statements to any named person or organisation. Privacy of personal data was the theme for one set of sessions; being safe online came next - safe for citizens, safe for businesses, safe for govt and private sector to operate the eServices. IAAC has for some years been active in support of the government ICT Information Assurance strategy, is now supporting the new policy thinking (and naming), and is due to update the IAAC Corporate Guidance at a Symposium on 8th September. In the meantime, there is very useful material in their Directors’ Guides to Managing Information Assurance Risk [2].

[1] With apologies to Flanders and Swann’s Transport of Delight and the London transport omnibus: http://www.iankitching.me.uk/humour/hippo/transp.html
[2] http://www.iaac.org.uk/Default.aspx?tabid=31

World News In Brief

KASIKORNBANK, AIS and Gemalto Bring NFC to Thailand Mobile Users

Gemalto, the world leader in digital security, announced it will provide its Trusted Services Management (TSM) service to support the launch of Near-Field Communication (NFC) applications in Thailand. The service is the first pan-Asian deployment for Gemalto’s certified TSM centre in Taiwan. This pioneering project has Gemalto partnering with KASIKORNBANK, the country’s second largest bank, and with Advanced Info Services (AIS), the nation’s largest telecommunications operator.

M-Payment Start-Up Trades MicroSDs for Passive Stickers

U.S.-based mobile-payment start-up RFinity is adopting passive contactless stickers for its payment project in and around a university campus in Idaho, changing an earlier plan to expand its pilot using contactless microSD cards. The company also appears to be adopting an m-payment model similar to that of U.S.-based Bling Nation, which signs up community banks and targets local merchants to participate in a closed-loop payment system using the automated clearing house network to avoid credit and debit card interchange fees. RFinity and Bling are among a host of start-ups hoping to take business from Visa Inc. and MasterCard Worldwide and major banks in the budding mobile-payment market.

Nokia Siemens buys Motorola Networks in $1.2bn Deal

Nokia Siemens Networks plans to take over some of rival US mobile phone giant Motorola’s network operations in a record $1.2bn (£784m) deal. The purchase will give it second place in the huge North American market. Nokia Siemens Networks is a 50:50 joint venture between Finland’s Nokia, the biggest handset maker in the world, and Germany’s Siemens.

DoCoMo to go SIM Free Next Year in Japan

According to the DoCoMo PR staff in Tokyo, the Japanese mobile phone company may provide SIM-free mobile phones in Japan in 2011, giving people for once the choice to use their handset with other carriers. Another possibility would be that DoCoMo only unlocks mid-range phones and keeps some of its best phones locked in order to keep an edge over its competitors.
CUSTOM and ASK to Cooperate on a New Contactless Paper Ticket Printer

CUSTOM ENGINEERING, designer of advanced hardware and software technology for the automation of vertical markets which need printing, scanning and reading solutions, etc., and ASK, a worldwide leading provider of contactless smart cards, smart tickets, smart adhesive labels, etc., are pleased to announce the beginning of an important cooperation to provide their customers with a brand new thermal ticket printer. CUSTOM and ASK will work together to optimise their resources and share their respective expertise in printers and contactless and RFID technology to reach more customers in the ticketing sector and offer state of the art solutions and products.

Barclaycard Makes UK Coffee Chain Go Contactless

AMT Coffee is partnering with Barclaycard to roll out contactless payment terminals nationwide, according to computerworlduk.com. The technology allows customers to pay for purchases of £15 or less without having to provide a signature or enter a PIN. AMT Coffee’s shops are located primarily in airports and railway stations, making them optimal venues for speedy tap & go style payment, says AMT COO John Hassall.

CreditCall Prepares to Roll Out Chip & PIN Payment App

UK-based card payment company CreditCall is set to release a Chip & PIN payment app that turns smartphones into EFTPOS terminals for on-the-go debit and credit card transactions. The CardEase Mobile app will be available for BlackBerry devices from autumn. The app requires the use of a separate Bluetooth-linked PIN pad that can be paired to the smartphone. Transaction data is encrypted and sent over the wireless network for authorisation. A transaction receipt can then be sent to the customer by email, SMS or in paper format from an optional printer.

South Shore Hospital Still Hunting for Lost Records

The search for the missing computer files continues at South Shore Hospital, USA.
Administrators are still trying to find out whether the back-up computer files, which contain personal data on as many as 800,000 patients, employees and vendors, are missing, destroyed or unrecoverable. “We will continue the search until all reasonable efforts have been exhausted,” hospital spokeswoman Sarah Darcy said. The hospital recently reported that sometime between February and June, 14 years’ worth of computer records went missing. The hospital had thought the files were destroyed by a still-unnamed professional data management company. But in June, the firm told the hospital that it had only received, and subsequently destroyed, a portion of the files. The hospital said it sought to destroy the files because they are part of an outdated computer system.

MorphoTrak Integrates Highest Performing 1000ppi Palmprint Scanners

MorphoTrak (Safran Group) announced that it has integrated the new 1000ppi fingerprint and palmprint capture scanner in its livescan workstations. These workstations were demonstrated at the ongoing International Association for Identification (IAI) Educational Conference in Spokane, WA. This annual conference is one of the largest gatherings of local, state and federal law enforcement professionals. As a leading provider of Automated Fingerprint Identification Systems (AFIS) and partner with Cross Match Technologies, Inc., MorphoTrak is the first AFIS provider to integrate this new scanner into its product offerings. Not only is the new Cross Match L SCAN® 1000PX the fastest 1000ppi scanner in the industry, but it provides the highest resolution and best contrast of any scanner available.

Camelot Blocked from Offering ePayments

UK national lottery operator Camelot’s application to use its terminals for commercial services such as electronic fund transfer and e-bill payment has been turned down.
The firm had sought permission to offer a range of services, including contactless payments, mobile phone top-ups and international calling cards through terminals at 28,000 retailers around the country. The National Lottery Commission says it is "minded to refuse to grant consent" for the application to let Camelot undertake "ancillary activities" because of EU/competition law concerns. Interested parties still have a "final opportunity" to address the issue.

Biometrics – It’s not what you know, it’s who you are!
By Neil Fisher, VP Global Security Solutions, Unisys

Protecting your personal information with “what you know” is no longer good enough. In this digitised, Web 2.0 era it is now too easy to find out information like a birth date, address or mother’s maiden name when they are freely posted on social networking sites like Facebook, LinkedIn and Twitter. Additional measures combining “what you know” (e.g. PINs) with “what you have” (e.g. smartcards or tokens) provide another layer of protection for consumers against identity fraud. But in some instances, where even greater assurances of identity are required, organisations are seeking even better protection via another layer, “what you are”, through the use of biometric technology such as fingerprinting, iris scanning and vascular technology.

These identification technologies have the potential to improve both security and privacy, with corresponding benefits to consumers, corporations and government agencies alike. Consumers experience the advantages of greater convenience, ease-of-use and privacy in their interactions with trusted parties such as banks, airlines, and government agencies. Corporations and government departments thrive on stronger forms of authentication, improved security, less susceptibility to identity theft and fraud, reduced costs, and lower risk in terms of regulatory compliance.
It is therefore not surprising that we are increasingly seeing appropriate security measures being put in place to reduce exposure to today’s complex range of security threats. According to the Unisys Security Index – a global research report designed to help businesses and governments understand consumer attitudes towards financial, personal, internet and national security – identity theft ranked as the first or second highest source of anxiety in ten countries, and in the UK more than 87 per cent of British respondents voiced concern or extreme worry about identity theft, up thirty per cent from 2009. The Unisys Security Index also revealed that, given this level of trepidation, there is a strong rationale for embracing innovative security techniques to prove our identity with better and stronger assurances.

Public acceptance of biometric technology has rapidly been gathering pace; 91 per cent find the use of fingerprint scans to verify their identity with banks, government agencies or other organisations acceptable, up 16 per cent in the last year. These findings suggest that, contrary to mistrust of biometric technology, organisations which adopt these technologies and make their security measures transparent will take the lead in integrating biometrics in established security protocol. The success stories will be those organisations which invest in transparent processes and education to reassure the public that their data has been securely collected, respected and protected.

The public’s willingness to embrace biometrics is driven by an inherent expectation that people should have the freedom to trade online and across borders whilst enjoying absolute security and protection. As the use of biometrics continues to mature along with public acceptance of the technology, innovation will inevitably expand into new domains and beyond familiar methods of voice, face, finger and iris recognition.
One promising alternative is vascular recognition technology, of which Unisys is a strong proponent. Vascular scanning technology is a rugged and robust tool. Infra-red cameras read the back of the hands from a small distance away. Verification is instantaneous and is achieved when the blood flow pattern of the holder’s hand matches the pattern of the scan stored on a smart card. The technology carries a high degree of accuracy, is easy to use and overcomes most physical disabilities. Unisys has already successfully integrated vascular biometrics into its security credentialing procedures to identify 4,000 workers in the Port of Halifax, Canada. When an employee is banned from a site, this change cascades to every site networked with the central system.

Unisys has also worked with the Canadian Air Transport Security Authority (CATSA) to supply, integrate and manage a new identification management solution, using fingerprint and iris biometric technology to confirm the identities of airport workers throughout Canada. The Restricted Area Identification Card (RAIC) system enhances aviation security by verifying the identities of airport workers via biometrics and ensuring that only those workers with security clearance can enter restricted areas. It also allows CATSA to instantly update the security clearance status of all 100,000 airport workers across the country.

Both deployments illustrate the commercial benefits of using biometric technology to identify workers and ensure anyone with criminal intentions is prevented from entering a closed area. There has been considerable work undertaken to impress upon the public the wider benefits of this technology, in particular by developing a more people-centric approach to identity management and governance. Stronger, robust authentication is crucial in a joined-up world where information is shared.
In order to improve quality of life and increase prosperity on an individual basis it is necessary to identify ‘Mr Smith’ the person rather than ‘Mr Smith’ a member of the population. The implications are far ranging; for instance, a known terrorist should be very afraid of the potential of people-centric security. National identity credentialing provides better services to those who need it and very few places to hide for those who try.

Developments in biometric technology continue to push boundaries and provide fertile ground for innovation. The main challenge will be to achieve a zero False Acceptance Rate (FAR). Whilst automation allows for greater efficiency, quick manual checks should also be made to ensure that an unauthorised person has not managed to fool the system. Nevertheless, advances in biometric technology are moving ahead at a swift pace. Project IRIS (Iris Recognition Immigration System) was introduced four years ago to provide fast and secure automated clearance through UK immigration control for certain categories of regular travellers using biometric technology. The system stores and verifies the iris patterns of qualifying travellers, giving watertight confirmation of their identity when they arrive in the UK. It is now considered antiquated in comparison to the latest Glance and Go iris technology, which enables people to pass through border checkpoints more swiftly and have their identity assured whilst “on the move”.

Investment in biometrics is also driving research and development and expansion into new markets, such as home access and aged care services. The most significant applications will combine multiple biometric solutions with other security or identity measures, such as radio frequency identification (RFID) and smartcard technology. In any real-life application it should be heeded that the most effective approach to security is a holistic one, which assesses all possible security risks, internal and external.
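The zero-FAR goal above has a cost that the article leaves implicit: a threshold-based matcher that never accepts an impostor will reject some genuine users, so a manual fallback is needed for borderline cases. The following added example (not from the article or from Unisys) makes that trade-off concrete with constructed match scores; the matcher, its similarity scale and the review band around the threshold are assumptions for illustration.

```python
"""
False Acceptance Rate (FAR) versus False Rejection Rate (FRR) for a
threshold-based biometric verifier.

Constructed example: a hypothetical matcher returns a similarity score
in [0, 1] for a presented sample against the enrolled template, and the
verifier accepts when the score reaches a threshold. The score lists
below are made up for illustration, not measured data.
"""
from typing import List, Optional, Sequence, Tuple

# Constructed scores from genuine users (sample vs. their own template)
# and from impostors (sample vs. someone else's template).
GENUINE_SCORES: List[float] = [0.95, 0.91, 0.88, 0.86, 0.84, 0.80, 0.77, 0.72, 0.69, 0.61]
IMPOSTOR_SCORES: List[float] = [0.12, 0.18, 0.23, 0.27, 0.33, 0.38, 0.41, 0.47, 0.55, 0.66]


def verify(score: float, threshold: float) -> bool:
    """Accept the presented sample when its match score reaches the threshold."""
    return score >= threshold


def far(impostor_scores: Sequence[float], threshold: float) -> float:
    """False Acceptance Rate: fraction of impostor attempts wrongly accepted."""
    accepted = sum(1 for s in impostor_scores if verify(s, threshold))
    return accepted / len(impostor_scores)


def frr(genuine_scores: Sequence[float], threshold: float) -> float:
    """False Rejection Rate: fraction of genuine attempts wrongly rejected."""
    rejected = sum(1 for s in genuine_scores if not verify(s, threshold))
    return rejected / len(genuine_scores)


def _candidate_thresholds(genuine: Sequence[float], impostor: Sequence[float]) -> List[float]:
    """Every observed score is a candidate threshold; between them nothing changes."""
    return sorted(set(genuine) | set(impostor))


def zero_far_threshold(genuine: Sequence[float], impostor: Sequence[float]) -> Optional[float]:
    """Lowest observed score at which no impostor is accepted, or None when the
    score populations overlap so much that no threshold achieves FAR = 0."""
    for t in _candidate_thresholds(genuine, impostor):
        if far(impostor, t) == 0.0:
            return t
    return None


def equal_error_point(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Threshold where FAR and FRR are closest, returned as (threshold, FAR, FRR).
    This is the usual single-number summary of a matcher's accuracy."""
    best: Optional[Tuple[float, float, float]] = None
    for t in _candidate_thresholds(genuine, impostor):
        f, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(f - r) < abs(best[1] - best[2]):
            best = (t, f, r)
    assert best is not None
    return best


def decide(score: float, threshold: float, review_margin: float) -> str:
    """Operating policy (an assumption, not the article's): scores within
    review_margin of the threshold are neither accepted nor rejected
    automatically but routed to the quick manual check the article calls for."""
    if score >= threshold + review_margin:
        return "accept"
    if score < threshold - review_margin:
        return "reject"
    return "manual_check"


if __name__ == "__main__":
    t_zero = zero_far_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"zero-FAR threshold: {t_zero}, FRR there: {frr(GENUINE_SCORES, t_zero):.2f}")
    t_eer, f, r = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal-error threshold: {t_eer}, FAR={f:.2f}, FRR={r:.2f}")
    for s in (0.90, 0.70, 0.30):
        print(f"score {s:.2f} -> {decide(s, t_zero, 0.05)}")
```

With these constructed scores the lowest threshold that drives FAR to zero (0.69) already rejects one genuine user in ten, whereas the equal-error threshold (0.66) accepts one impostor in ten; the review band turns the scores caught between the two regimes into manual checks rather than silent errors. Real deployments measure both rates on large enrolment populations before choosing an operating point.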
The main barrier to the adoption and advancement of biometric technology is public readiness. As organisations reach out to the public to address their concerns we will increasingly see the application of this technology to enhance people’s privacy, convenience and choice in all areas of life. As responsible messages are conveyed to highlight that privacy and security aren’t mutually exclusive ideals, we could actually see people wondering how they ever managed to mitigate risk without robust authentication, in the same way that we have come to depend upon mobile phones and email.

Technology has empowered organisations to choose the right combination of solutions to meet their security needs. Biometrics will undoubtedly play an increasingly significant role in the security solutions of government and industry seeking to take a holistic approach to identity management.

Advertising with Smartcard News
Let the power of advertising with Smart Card News (www.smartcard.co.uk) bring customers direct to your website. Smart Card News is the number one source for Cards, Payments, Cryptography, Biometrics, RFID, EMV and Security relating to the Smartcard industry. Just type smart card into Google: our second place ranking attracts thousands of visitors to our website, from Smartcard companies, Government agencies, Research companies and Universities. One of the best ways of increasing your website ranking is to be linked by other established industry websites.
If you require any additional information or would like to discuss your requirements, please contact Lesley on +44 (0) 1903 734 677 or email: lesley.dann@smartcard.co.uk

Mobile Payment Services
27-29 September 2010, Hotel Fira Palace, Barcelona
Over 25 leading perspectives from the Telecoms, Financial and Retail sectors. Commercialising technology to deliver innovative mobile and contactless payment products and services across telecoms, retail, transport and financial markets.

Key insights from: AT&T Mobility, Aurora Fashions, A1 Bank, Bankinter, BICS, Consult Hyperion, DoCoMo Europe, Eagle Eye Technologies, Edgar Dunn & Company, Everything Everywhere, KPN, MasterCard, Mi-Pay, No Need For Mirrors, Nordea Bank, O2 UK, PayPal Europe, Poste Italiane, Telefónica O2 Germany, Telecom Italia Mobile, Visa Europe, Vodafone Group, Voice Commerce.

Energise your m-payment strategy with new ideas on how to: develop innovative Mobile Payment services and Smart Phone Apps; forge profitable partnerships and alliances with other industries; capitalise on the latest technologies and optimise go-to-market timelines; assure the security and integrity of your service offerings.

In-depth learning opportunities through 3 pre-conference masterclasses. Free for retailers.
Register today. Call: +44 (0) 20 7017 7483. Fax: +44 (0)20 7017 7825. Email: registrations@iir-telecoms.com. Web: www.iir-telecoms.com/mobilepayment