Kraken Feeds on your Phone Calls

July 2010
Volume 19 • Number 7
Smart Card & Identity News
Smart Cards, SIM, Payment, Biometrics, NFC and RFID
www.smartcard.co.uk
6 • Identity-based Convergence for Stronger Security
8 • Banking on a Simpler Approach to Authentication
12 • Verayo develops the world’s first ‘unclonable’ RFID chip
18 • Biometrics – It’s not what you know, it’s who you are!
Karsten Nohl and other members of the Chaos Computer Club are set to bring mobile phone tapping within reach of the home computer user. Karsten and his team have already brought an early death to NXP’s Mifare Classic smartcard, used in many transport ticketing systems such as the London Underground’s Oyster card system, by reverse engineering its proprietary Crypto-1 cryptographic algorithm.
Karsten’s latest project, the A5/1 Security Project, announced this month, on the 16th of July, the release of 'Kraken'. Kraken is a software toolkit that uses new encryption cracking tables to break the cipher used to secure mobile phone communication. Kraken has the potential to decipher a phone call in a matter of seconds. The Kraken software has been designed to run on inexpensive desktop computer equipment, which brings phone snooping into the hands of the home computer geek.
Continued on page 4….
©2009 Smart Card News Ltd., Worthing, England. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, optical, recording or otherwise, without the prior permission of the publishers.
Our Comments
Dear Subscribers
Smart Card & Identity News
Is published monthly by
Smart Card News Ltd
Head Office: Smart Card Group,
Suite 3, Anchor Springs, Duke Street,
Littlehampton, BN17 6BP
Telephone: +44 (0) 1903 734677
Fax: +44 (0) 1903 734318
Website: www.smartcard.co.uk
Email: info@smartcard.co.uk
Editorial
Managing Director – Patsy Everett
Technical Advisor – Dr David Everett
Production Team - John Owen,
Lesley Dann, Suparna Sen
Contributors to this Issue –
David Ella, Stephen Howes, Suparna
Sen, Tom Tainton, Peter Tomlinson,
Neil Fisher
Photographic Images - Nejron Dreamstime.com
Printers – Hastings Printing Company
Limited, UK
ISSN – 1755-1021
Disclaimer
Smart Card News Ltd shall not be liable
for inaccuracies in its published text.
We would like to make it clear that
views expressed in the articles are those
of the individual authors and in no way
reflect our views on a particular issue.
All rights reserved. No part of this
publication may be reproduced or
transmitted in any form or by any
means – including photocopying –
without prior written permission from
Smart Card News Ltd.
© Smart Card News Ltd
Smart Card & Identity News • July 2010
I couldn’t help but chuckle reading in the paper
today about the unemployed lorry driver who
sold the Ritz hotel in London for £250 million
when it’s worth two or three times that price.
He was so successful that he even managed to
get £1 million popped into his bank account
before the fraud was discovered.
Patsy Everett
Remember the old saying that if it sounds too good to be true it
probably isn’t so good! You can’t help wonder about the people who
are duped by such offers, are they not perhaps just as dishonest as
the fraudster in thinking they can make a quick buck to somebody’s
disadvantage.
So how does this work in the antiques trade? If I pop into a shop
with an old plate from mother’s collection and get offered £300 to
hear later that it was worth £100,000 who is wrong? Is an antique
dealer obliged to pay the potential market value for which of course
he is on risk? He might have made a mistake or an expert further
down the road might throw it out as a copy. How would you mark
his reputation? Arguably you could say he is paying you what it is
worth to him at that moment in time, is he obliged to tell you it
might be worth £100K?
And what happens if you are an expert and see some artefact in a
shop marked up for $50 that you know is worth $50,000, should you
tell the shop keeper about his error? Perhaps I’ll cause an uproar here
but it seems to me that many antique collectors are out to discover
just such an opportunity.
So down to basics, what happens if you get given a £1 coin that you
subsequently discover is a counterfeit? We have been hearing this
month that 1 in 36 £1 coins in circulation are counterfeit. Now I’m
sure you all know that as soon as a coin accepted in good faith is
found to be counterfeit, it is immediately rendered worthless.
Attempting to pass it on is an offence. I’m sure we all hand our
counterfeit coins in to the bank so that they are taken out of
circulation. I still remember as a youngster getting foreign coins in
change and not being too excited about it when discovered. Not me
of course but some of my friends developed an art for passing them
on undetected to the next person.
Now I’m not setting out to cause any unnecessary guilt complexes
but only want to raise some fundamental issues of today’s society and
it’s all about reputation and trust which are closely related. So in our
previous scenarios do we trust antique dealers and what is their
average reputation? Of course they are going to differ but how can I
tell the reputation of a particular individual?
Now imagine the same antique dealer going to his bank for a loan,
can the bank trust him (or her)? The basis of trust and reputation are
really quite different, you could be very good at spotting a bargain
making large profits but particularly bad at repaying loans. So the
bank is only interested in your reputation in that one area and that’s
not straightforward because your reputation can change overnight, an
unforeseen event perhaps (maybe somebody has defrauded you) and
you can no longer pay your bills.
You may be wondering where all this is leading, well dear subscribers let’s enter the wild, wild West or to put
it another way the internet. Here the system of reputation and trust is even more on trial. Last week a friend
was telling me about her experiences on an on-line dating site, she met up with a great guy and they seemed
to have so much in common and then out of the blue came the call for money. The details don’t matter but
this is really common and many innocent people are robbed of all their savings.
We all do it, yes, eBay can be great fun and you can get some bargains but this really is the haven for every
fraudulent idea ever invented by man and there are new ones occurring every day. So how do you pay for
your purchases? PayPal of course, in most cases at least but this doesn’t stop you from getting involved in
fraud whether the seller or the purchaser. The goods were never sent or never arrived give me my money
back depending on which party is the fraudster. Disputes like this are legion and it’s not too difficult to get
your PayPal account frozen and it’s often very difficult to get it released.
So the question I’d like to leave you with this month is when making payments on the internet who do you
trust and what will your bank or PayPal do in the event of a dispute. Do we need a better way to pay?
Happy holidays,
Patsy.
Contents
Regular Features
Lead Story - Kraken to feed from your phone calls. . . . . . . . . . . . . . . . . .1
Events Diary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
World News In Brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5,7,11,14,16
Industry Articles
Identity-based Convergence for Stronger Security . . . . . . . . . . . . . . . . . . . 6
Banking on a Simpler Approach to Authentication. . . . . . . . . . . . . . . . . . 8
It’s time to travel without credit cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Verayo develops the world’s first ‘unclonable’ RFID chip. . . . . . . . . . . . .12
Hold very tight please! Ting-ting!.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Biometrics – It’s not what you know, it’s who you are! . . . . . . . . . . . . . . 18
Events Diary
August 2010
25-26: 5th ID, Smart Card & Ticket Security & Anti-Counterfeiting Technology Summit, China – http://www.cids.com.cn/En/
September 2010
14-15: Mobile Payment China 2010, Shanghai, China – http://www.mobilepaymentchina.com/mobilepayment/
14-16: 5th Near Field Communication World Asia 2010, Grand Hyatt, Singapore – http://www.terrapinn.com/2010/nfc/
21-24: Smart Event '10, Sophia Antipolis, French Riviera, France – http://www.smart-event.eu/
21-23: The Biometric Consortium Conference, Tampa, Florida, USA – http://www.biometrics.org/
27-30: Prepaid Mobile 2010, Hotel Fira Palace, Barcelona, Spain – http://www.iir-telecoms.com/event/prepaid
27-29: Mobile Payment Services 2010, Hotel Fira Palace, Barcelona, Spain – http://www.iir-telecoms.com/event/mobilepayment
Source: www.smartcard.co.uk/calendar/
Kraken to feed from your phone calls…. Continued from page 1
GSM (Global System for Mobile communications) technology uses an array of radio transmitters called Base
Stations (BS) to connect your cellphone with your cellular network such as Orange or Vodafone. Base
Stations are all interconnected, which is why you can move from one cell to another without losing your
connection. According to data from the GSM Association, about 3.5 billion GSM phones are used in nearly
200 countries worldwide.
GSM security works by authenticating the subscriber’s SIM card using a pre-shared secret and challenge-response. Once authenticated by the mobile network provider, ongoing communication is secured by one of GSM’s A5 family of stream cipher algorithms.
• A5/0 utilises no encryption.
• A5/1 is the original A5 algorithm used in Europe.
• A5/2 is a weaker encryption algorithm created for export and used in the United States.
• A5/3 is a strong encryption algorithm created as part of the 3rd Generation Partnership Project (3GPP).
Kraken has been especially designed to decipher the A5/1 cryptographic algorithm. The A5/1 stream cipher was developed in 1987 to encrypt both voice and signalling data from a mobile telephone. A5/1 in its day was considered a strong method of keeping mobile phone calls private using 64-bit encryption, and even a watered-down version of the algorithm, ‘A5/2’, was developed to be exported outside of Europe.
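The cipher at the centre of the story, modelled in Python as an added example (it is not code from the newsletter or from the A5/1 Security Project). It follows the publicly documented A5/1 design: three linear feedback shift registers of 19, 22 and 23 bits, a 64-bit key, a 22-bit frame number and majority-vote irregular clocking. The tap positions, the order in which key and frame bits are loaded and the 100 mixing clocks follow the widely circulated a51.c reference description; the key and frame number used below are constructed values. The point it makes for a defender is that every frame’s 228 keystream bits depend on nothing beyond the 64-bit key and the public frame counter, which is what keeps the precomputation the article refers to within reach of desktop hardware.

```python
# Added example: an educational model of the A5/1 keystream generator.
# Register layout and clocking follow the public a51.c description; this is
# not the newsletter's or the A5/1 Security Project's code.

R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22         # output (MSB) of each register


def _parity(x):
    return bin(x).count("1") & 1


def _clock_one(reg, mask, taps):
    """Shift one register left by a bit, feeding back the XOR of its taps."""
    feedback = _parity(reg & taps)
    return ((reg << 1) & mask) | feedback


class A51:
    def __init__(self, key, frame):
        """key: 8 bytes (the 64-bit session key); frame: 22-bit frame counter."""
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                      # key loading: all registers clocked
            self._clock_all()
            bit = (key[i // 8] >> (i % 8)) & 1
            self.r1 ^= bit; self.r2 ^= bit; self.r3 ^= bit
        for i in range(22):                      # frame number loading, same way
            self._clock_all()
            bit = (frame >> i) & 1
            self.r1 ^= bit; self.r2 ^= bit; self.r3 ^= bit
        for _ in range(100):                     # mixing: majority clocking, output discarded
            self._clock()

    def _clock_all(self):
        self.r1 = _clock_one(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _clock_one(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _clock_one(self.r3, R3_MASK, R3_TAPS)

    def _clock(self):
        """Irregular clocking: a register moves only if its clocking bit agrees
        with the majority of the three clocking bits."""
        bits = (bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID))
        maj = sum(bits) >= 2
        if bits[0] == maj: self.r1 = _clock_one(self.r1, R1_MASK, R1_TAPS)
        if bits[1] == maj: self.r2 = _clock_one(self.r2, R2_MASK, R2_TAPS)
        if bits[2] == maj: self.r3 = _clock_one(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits):
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(_parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT)
                       ^ _parity(self.r3 & R3_OUT))
        return out


def frame_keystream(key, frame):
    """The 228 keystream bits of one frame: 114 for downlink, 114 for uplink."""
    ks = A51(key, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(data, ks):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return [d ^ k for d, k in zip(data, ks)]


if __name__ == "__main__":
    KEY = bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF])   # constructed key
    downlink, uplink = frame_keystream(KEY, 0x134)                 # constructed frame number
    print("downlink keystream:", "".join(map(str, downlink)))
    print("uplink keystream:  ", "".join(map(str, uplink)))
```

Run as a script it prints the two 114-bit keystream halves for the constructed key and frame. The whole state after loading is 64 bits of register contents derived from key and frame counter, and the same key is reused with a counter that the network sends in the clear, which is why the cipher's strength rests entirely on the secrecy of those 64 bits.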
Frank Stevenson, a developer within the A5/1 Security Project, made the announcement of the first release of Kraken: “I have named this beast Kraken, after a Norse mythological creature capable of eating many things for breakfast. Kraken feeds off an exclusive diet of A5/1 encrypted data.” He also pointed out the following hardware prerequisites needed to set up Kraken:
• Linux machine, multicore, min 3GB RAM
• 1.7 – 2 Terabytes of hard disk space, partitioned without a file system
• The Berlin A5/1 Rainbow table set
• GPU support will be added for ATI Radeon HD
When Kraken was in the early stages of development, the GSM Alliance said that the research is a long way
from being a practical attack on GSM. The GSMA said that they welcomed research, but continued by
highlighting that “the theoretical compromise of GSM network requires the construction of a large look-up
table of approximately 2 Terabytes, which is equivalent to the amount of data contained in a 20 kilometre
high pile of books.”
The software is regarded as a key step towards eavesdropping on mobile phone conversations over GSM networks. Since GSM networks are the backbone of 3G (the 3rd generation of standards for mobile phones and mobile telecommunications services), even 3G phones can be compromised, because they fall back to GSM mode when a 3G network is not available.
The A5/1 Security Project has stressed that its main aim is to show how easily A5/1 encryption can be cracked. It is anticipated that A5/1 Security Project leader Karsten Nohl will discuss the hardware and software setup during this year’s Black Hat Security Conference.
Further information on Kraken can be found on the A5/1 Security Project website (http://reflextor.com/trac/a51).
By Suparna Sen, Smartcard & Identity News
World News In Brief
E-borders Firm Axed Over Delays
The firm in charge of the government's £750m e-borders programme has been axed over delays. Immigration Minister Damian Green said the performance of Raytheon Systems Limited had been "extremely disappointing"; the company had delivered some elements while others remained undelivered. “Delivery of the next critical parts of the programme are already running at least 12 months late”, continued Mr Green. E-borders, a system to count everyone entering and leaving the UK, would remain a priority and he was seeking alternative suppliers. The complex system was meant to be fully operational by March 2014.
Home Trust of Canada selects
Gemalto for EMV Migration
Gemalto announced this month that it has been
chosen to manage Home Trust Company’s
migration from magnetic stripe credit cards to EMV
(Chip and PIN) smart payment cards. Home Trust
are a Canadian Visa Issuer and one of Canada’s
leading trust companies, focusing on consumers
who typically do not meet all the lending criteria of
traditional financial institutions.
Gemalto is providing microprocessor payment
cards, as well as data preparation, card
personalisation and fulfilment at Gemalto’s state-of-the-art facility in Burlington, Ontario. Gemalto’s
consulting service is engaged with the project
providing guidance in how to interact with all
members of the payments ecosystem to ensure
Home Trust is prepared to meet the Canadian EMV
requirements. Gemalto will also train the Home
Trust team extensively on all activities associated
with EMV migration.
BIO-key to Unveil Enterprise Ready
Biometric Identity Platform for
Smartphones
BIO-key International, Inc. announced the company
will be unveiling its first ever mobile biometric
identification and authentication platform that
provides enterprises with the ability to capture and
transmit fingerprint biometric data to a secure server
for identity and authentication of smartphone,
laptop, tablet and desktop users. On Wednesday,
July 28 at the Burton Group Catalyst Conference,
San Diego, CA, BIO-key will hold demonstrations.
BlackBerry poses 'Security Risk' say
UAE Authorities
The United Arab Emirates (UAE) has said that it
could move to restrict or monitor BlackBerry
mobile phones, as they pose a "national security
risk". The region’s telecoms regulator said,
"BlackBerry operates beyond the jurisdiction of
national legislation" as it stores its data offshore. It
said it was concerned that misuse may have "serious
social, judicial and national security repercussions".
Critics branded the moves as "repressive".
The media freedom watchdog Reporters Without
Borders told BBC News that while the UAE was
playing a "technological leadership role in the Arab
world" this was backed by "repressive laws" and a
"general trend of intensified surveillance".
mopay call for Online Merchants
mopay, a leading provider of mobile payment
solutions worldwide, announced mopay call, a new
solution that lets online merchants bill purchases
directly to consumers' landline phone accounts.
With mopay call, mopay is expanding its breadth of
offerings in order to sustainably position a widely
available and far-reaching alternative payment
platform. The company further extends its ability to
provide globally available billing solutions that
enable the unbanked to pay for goods and services.
Record Number of Fake £1 Coins
Could Force Reissue
At present, there are about £41 million fake £1
coins in the UK - one in every 36 in circulation. Due
to the fake £1 coins in circulation, the Royal Mint
may be forced to scrap all of the coins and reissue
the entire denomination.
The situation has worsened since last year, when one
in 40 £1 coins was found to be fake. £41 million
fake £1 coins have made a record and the number
suggests that the proportion of counterfeit coins had
tripled in the last decade. The Conservative MP
Andrew Rosindell said the number of counterfeits
was "a genuine matter for concern".
Identity-based Convergence for Stronger Security
By David Ella - Chief Technology Officer, G4S Technology
Thousands of companies routinely control and manage building access for
security and tracking purposes using smart cards. Tightly integrating the key
security functions such as Access Control and Video Management provides
organisations with a completely unified approach to securing their buildings and
offices. In parallel, IT network access can be controlled and managed using an
enterprise network authentication infrastructure.
In most circumstances the two security systems—the physical and the network
(logical)—live in separate technology silos—but we are now in an era where you
can enable seamless communication between the two systems to affect a
stronger, and more compliant, overall security posture.
Integrating physical and network security enables you to:
• Increase overall site security
• Audit who, what, when, and from where—from door, desktop, and remote
• Close security gaps between disparate security systems
• Quickly and easily deploy a converged security system without modifying the existing IT infrastructure
Recognising this opportunity to create a more unified security solution and responding to the needs of the
user is critical. Solutions need to be simple and effective. Security should not create barriers or be a burden to
the users on a daily basis. Security should just work. The simplest form of integration is to have both network
and physical security on the same smart card. Normally physical security will use a contactless interface and
network security uses a contact interface. For many organisations this level of security integration is adequate,
however, more sophisticated options are available.
Technology, such as the integration between G4S Technology’s Symmetry™ Security Management System
(SMS) and Imprivata OneSign provides a single point of authentication. This translates to a streamlined,
simplified management process for integrating physical security events with IT network access, effectively
closing security gaps that exist when disparate physical access control and IT network authentication systems
live in self-contained silos. This simple, yet highly effective solution builds on a simple concept - the single
point of authentication using a smart card.
Identities contained within the database are mapped to the network directories enabling a converged policy
for allowing or denying network access. This is based on a user’s physical location and badge events,
organizational role, and / or employee status. All this is made possible from a single, easy to use Web based
interface.
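The converged policy described above, as an added worked example (it is not G4S Symmetry or Imprivata code): a network logon at a workstation is allowed only when the directory identity is active, the user's most recent badge event at the site where that workstation sits is an entry, and the user's role is entitled to the resource requested. The directory, badge log, site map and role table are constructed sample data; a real deployment would read them from the access control system and the network directory.

```python
# Added example: a toy converged physical/logical access policy. Not vendor
# code; all identities, sites, timestamps and roles are constructed.
from dataclasses import dataclass


@dataclass
class BadgeEvent:
    user: str
    site: str
    kind: str   # "in" or "out"
    at: str     # ISO 8601 timestamp; sorts chronologically as plain text


@dataclass
class Identity:
    user: str
    status: str   # "active" or "terminated"
    role: str


# Constructed sample directory, badge log and topology
IDENTITIES = {
    "asmith": Identity("asmith", "active", "engineer"),
    "bjones": Identity("bjones", "terminated", "engineer"),
    "cwong": Identity("cwong", "active", "contractor"),
}
BADGE_LOG = [
    BadgeEvent("asmith", "hq", "in", "2010-07-16T08:02"),
    BadgeEvent("cwong", "hq", "in", "2010-07-16T08:05"),
    BadgeEvent("cwong", "hq", "out", "2010-07-16T12:30"),
]
ROLE_RESOURCES = {"engineer": {"build-server", "wiki"}, "contractor": {"wiki"}}
WORKSTATION_SITE = {"ws-042": "hq", "ws-101": "lab"}


def last_badge_state(user, site, log, now):
    """'in', 'out' or None: the user's latest badge event at a site, as of now."""
    events = [e for e in log if e.user == user and e.site == site and e.at <= now]
    return max(events, key=lambda e: e.at).kind if events else None


def decide_logon(user, workstation, resource, now,
                 identities=IDENTITIES, log=BADGE_LOG):
    """Return ("allow" | "deny", reason). An inactive identity is refused before
    any physical-presence evidence is consulted, so a terminated employee's
    badge history can never let them in."""
    ident = identities.get(user)
    if ident is None or ident.status != "active":
        return "deny", "identity not active"
    site = WORKSTATION_SITE.get(workstation)
    if site is None:
        return "deny", "unknown workstation"
    if last_badge_state(user, site, log, now) != "in":
        return "deny", f"no current badge-in at site {site}"
    if resource not in ROLE_RESOURCES.get(ident.role, set()):
        return "deny", f"role {ident.role} not entitled to {resource}"
    return "allow", "active identity, badged in on site, role entitled"


if __name__ == "__main__":
    for req in [("asmith", "ws-042", "build-server", "2010-07-16T09:00"),
                ("cwong", "ws-042", "wiki", "2010-07-16T13:00"),
                ("bjones", "ws-042", "wiki", "2010-07-16T09:00")]:
        print(req, "->", decide_logon(*req))
```

The badge-out at 12:30 is what closes the gap the article describes: once the contractor has left the building, a logon from a workstation inside it is refused even though the credentials are valid.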
The technology available today allows card holder’s identities to be managed quickly and easily from a single
screen. Set up details, customise cards and grant special privileges. Restrictions can also be applied to cards
such as a usage limit or expiry period to give you the flexibility you need to meet the demands of any business.
“The experience we have with smart card applications provide us with a unique perspective and practical
knowledge regarding the use of smart cards for physical and network access control” said David Ella, G4S
Technology Chief Technology Officer.
Biometric integration is another option for adding additional layers of security to a smart card access control
solution. Biometrics is best defined as measurable physiological and / or behavioural characteristics that can
be used to verify the identity of an individual. These include fingerprint and iris scanning, hand geometry and
facial recognition.
Storing an individual’s biometric template on a smart card stores personal data and provides a portable
method of identification. The value proposition for Biometric readers in access control is simple: a card can
be duplicated or stolen, but a unique physiological characteristic cannot. Biometrics enables access control
systems to ask not only, “What do you have?” and “What do you know?” but, “Who are you?” As a result,
biometrics is taking an increasingly prominent position as an additional access control solution in today’s
escalating requirements for physical security.
The smart card today is vital, storing high levels of data and enabling the holder to activate / unlock a number of different applications ranging from access control through to cashless payments, such as the GiroVend solution from G4S Technology.
As technology continues to rapidly evolve, we cannot practically expect organisations to continuously
upgrade their security solutions at the same pace. Recognising where critical technological advancements are
made and understanding which ones will be able to benefit individual organisations is the key. The unified
approach of logical and physical integration is one we expect to quickly be adapted. What is exciting,
however, is where this smart card technology and biometric applications meet, creating a virtually
impenetrable and intelligent security solution.
World News In Brief
Girocard Holders Can Now Withdraw
Cash from UK ATMs
Holders of the German 'Girocard' debit cards will
be able to withdraw cash from ATMs across the
UK. The UK's LINK ATM network is opening all
63,000 UK cash machines to all users of the
German card scheme operated by Zentraler
Kreditausschuss. The development has been made
possible by EAPS, the alliance of European debit
card schemes, which facilitates pan European ATM
and POS transactions by uniting independent card
schemes throughout Europe under a single
European framework.
ZF Electronics to Supply Secure
Access Technology for UK Police
Forces' NPIA Framework Portal
ZF Electronics UK has announced its Cherry smart
card secure access products have been chosen as
part of the security improvement programme being
rolled out across the UK by the National Policing
Improvement Agency (NPIA). This will allow ZF
Electronics UK to list products on the NPIA
framework portal as NPIA-approved devices for
authenticating access to the Police National
Database and Police National Computer. Enhanced
security guidelines laid down by the NPIA require all
56 UK Police Forces, plus the British Transport
Police, Civil Nuclear Constabulary and other
specialist Police divisions to ensure only authorised
personnel can access the sensitive data held on the
PND and PNC computer systems.
Co-op to Introduce Contactless
Payments
The Co-operative Food will become the UK's first
major grocery retailer to introduce contactless
payment in its stores nationwide after joining forces
with Barclaycard.
The roll-out will begin with a pilot in 100 Co-operative food stores next year after an agreement
was signed with Barclaycard in partnership with Visa.
If the pilot is successful, The Co-operative says it
will roll out the contactless terminals to the majority
of its food stores in time for the 2012 Olympics,
which is being billed as a contactless event, where
visitors will be able to use the new cards to pay for
transport, tickets and other low value purchases.
Now NFC Mobile Phones turn into
Secure ID and Access Devices
HID Global, trusted leader in solutions for the
delivery of secure identity, and INSIDE Contactless,
a leading provider of advanced, open-standard
contactless chip technologies, announced that they
have extended their long standing partnership to
bring market-leading iCLASS access control and
identity credentials to near-field communications
(NFC) mobile phones. Embedding iCLASS virtual
credentials into NFC mobile phones will enable
potential substitution of numerous plastic cards for
a variety of commercial and consumer identity
applications, including not only physical access
control, but also secure PC log on, time and
attendance monitoring, equipment and material
checkout, authorised access to office equipment and
manufacturing machinery, private label retail
payments, prepaid transit passes, and customer
loyalty and membership programs.
PULSE Introduces PIN Debit for e-commerce Transactions
PULSE, one of the nation's leading debit/ATM
networks, is bringing the security, reliability and
convenience of PIN debit to online shopping with
the introduction of PULSE Internet PIN debit.
Financial institutions using PULSE Internet PIN
Debit can deliver convenient PIN-based, online
transaction verification to a growing number of
consumers who purchase products from e-commerce merchants. The new payment solution,
which uses Acculynk's PaySecure Internet PIN debit
software, reinforces the issuer and cardholder
relationship by using a financial institution-branded
graphical PIN pad.
Banking on a Simpler Approach to Authentication
By Stephen Howes, CEO of GrIDsure
Most people have heard of Ockham’s razor, the principle that states that the solution with the simplest explanation is more often than not the correct one. It came to mind recently when reading about Visa’s latest attempt to combat card fraud – its CodeSure payment card. This is essentially a cash card with a built-in One-Time-Password (OTP) generator. It looks like the sort of card Harrison Ford might carry in Blade Runner, with a small digital screen just below the magnetic stripe and a little keypad so users can enter their PIN to receive the OTP. There is no doubt that this is a very impressive piece of technology, but in the spirit of Ockham, it got me thinking whether it’s not just another complex means of authentication.
In responding to rising levels of fraud, banks have historically taken the option of throwing ever increasing
amounts of technology at the problem with the hope that some of it will work. I am a technologist and a
strong believer in the power of technology to solve problems, but not at the cost of the simplicity and
elegance of a solution. Many of the approaches taken to date have put too much of the onus on the
customer, burdening them with a greater array of passwords to remember and an ever-increasing range of
gadgets to carry around. A successful approach to authentication should encompass three main touch-points:
usability, cost and security, but many of the solutions employed by banks fall short on all three of these.
Limitations of chip and PIN
Let’s take for example the UK, where both card present and card-not-present (CNP) fraud is at a very high
level. According to the UK Cards Association, money lost to online fraud rose by 14 per cent in 2009, an
increase they put down to more sophisticated methods of fraud, including computer programmes that can
learn the keystrokes customers use for passwords (key logging).
I believe that the crux of the problem is that the industry is still relying on static PINs and passwords as a
primary authentication method. The UK spent £1.1bn on the chip and PIN system in 2004. This has been a
huge improvement from the days of magnetic stripe fraud, but it is still a far from perfect solution. The
problems of ‘shoulder surfing’ for PIN numbers aside, chip and PIN does not work well in the card-not-present (CNP) environment – an increasingly important channel as online retail continues its inexorable rise.
The main response to the particular problems of CNP authentication has been to introduce longer secondary
passwords. In practice these are of little value. Aside from making customers remember more passwords, the
approach is still open to attack from phishing or key logger attacks. Not only is it the case that many
purchasers abandon their transaction at the point of login because they can’t remember their password, but
there is also a sizeable number of users who will still not make purchases online due to security fears and this
important segment of the market cannot be ignored.
Increasingly, however, banks are using OTPs to help combat the threat posed by CNP. This is a much more
useful approach than simply relying on static PIN passwords. OTPs allow a randomly generated password
to be created for each transaction. Many OTP solutions on the market today rely on sending the code to a
piece of hardware, often this is a device created specifically for this purpose or a customer’s mobile phone.
Visa’s CodeSure cleverly integrates the OTP generator with a cash card for ease of use, and as an alternative to
static PIN passwords should be welcomed by the industry.
However, Visa’s approach is not without its limitations, and the complexity of the solution is a major barrier.
There is a lot of circuitry and electronics that need to go into the making of each of these cards, so the issuer
will see a bigger cost burden imposed on them every time they need to re-issue. When weighed against
cutting down on fraud this may well be an additional cost banks are willing to take on, but the solution would
need to deliver clear improvements in security for this to even be considered and I do not believe this is
entirely the case.
Despite the fact that CodeSure looks like a secure OTP solution, it is still founded on the weaker platform of
static PIN. For the OTP to be generated the card holder needs to enter his or her PIN number into the card,
once again leaving them open to ‘shoulder surfing’. Once the fraudster has the customer’s PIN number they
have full access to their account. So could CodeSure be considered as a PIN-based solution just dressed up as
an OTP approach?
The alternative
So are there viable alternatives to chip and PIN-based solutions that are stronger in the areas of usability, cost
and security? I believe that the answer to this is a resounding ‘yes’ and it comes not from adding extra
complexity to the solution, but from elegant simplicity. Authentication techniques that require the user to
remember a simple pattern instead of a password or PIN have been available for a while now and they offer a
real revolution in remote access security, but now is the time that banks should start to look seriously at these
alternatives. There appears to be a mindset in the industry that if you have something you can physically hold,
it offers better security than something virtual, but this is a myth that needs to be dispelled. Software-based
authentication technologies can provide an OTP that is much more secure than traditional solutions and as it
requires no hardware it is very cost effective to implement and scale to whatever deployment size is required.
Added to this is the enhanced usability a software-based solution can offer, as a pattern is much easier to
remember than a PIN number.
As highlighted earlier, static PIN numbers are vulnerable to key-logging and phishing attacks, but one time
passwords that are generated from software-based alternatives are significantly more resilient to attacks of this
nature. It is also very difficult to shoulder surf a pattern-based one time password generator because the
fraudster would need to view the user many times over to even begin to guess the pattern that was used to
generate the numbers.
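The pattern-based one-time password idea, and the claim that a single observation is not enough to recover the pattern, as an added worked example (this is not GrIDsure's product code, and the grid size, pattern length and sample grids are constructed for the illustration). The user's secret is a sequence of cell positions on a 5x5 grid; at each login the server shows a fresh grid of random digits and the user replies with the digits sitting on their pattern, in order. The second half of the example counts how many patterns remain consistent with what an observer saw, which is the quantity the paragraph above is reasoning about.

```python
# Added example: toy pattern-based OTP and an estimate of what one observed
# login reveals. Not GrIDsure's code; all grids and patterns are constructed.
import hmac
import secrets
from itertools import product

GRID_CELLS = 25      # 5x5 grid of single digits
PATTERN_LEN = 4      # number of cells in the user's secret pattern


def new_challenge_grid():
    """Fresh random digits for one login attempt; a grid is never reused."""
    return [secrets.randbelow(10) for _ in range(GRID_CELLS)]


def expected_response(grid, pattern):
    """The one-time code is the digit found in each pattern cell, in pattern order."""
    return "".join(str(grid[cell]) for cell in pattern)


def verify(grid, pattern, response):
    """Server-side check; constant-time compare avoids leaking a matching prefix."""
    return hmac.compare_digest(expected_response(grid, pattern), response)


def patterns_consistent_with(grid, response):
    """Every pattern an observer could still believe after seeing one grid and
    one response. With ten digits on 25 cells each response digit matches
    about 2.5 cells, so one observation leaves roughly 2.5**PATTERN_LEN candidates."""
    if len(response) != PATTERN_LEN or not response.isdigit():
        return []
    choices = [[cell for cell in range(len(grid)) if grid[cell] == int(d)]
               for d in response]
    return list(product(*choices))


def candidates_after_observations(observations):
    """Intersect the candidate sets over several observed logins: the 'many
    views' the article says a shoulder surfer would need."""
    survivors = None
    for grid, response in observations:
        seen = set(patterns_consistent_with(grid, response))
        survivors = seen if survivors is None else survivors & seen
    return survivors if survivors is not None else set()


if __name__ == "__main__":
    pattern = (0, 6, 12, 18)                       # constructed secret: one diagonal
    grid = new_challenge_grid()
    code = expected_response(grid, pattern)        # what the user would type
    print("grid:", grid)
    print("response:", code, "verifies:", verify(grid, pattern, code))
    print("patterns still consistent after this one login:",
          len(patterns_consistent_with(grid, code)))
```

Each additional observed login intersects the candidate set again, so the number of views an observer needs grows with the pattern length and shrinks with the number of distinct digits on the grid; those two parameters are the design levers for this kind of scheme.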
Using a software-based solution also provides endless flexibility on how it is implemented in order to give
scalable levels of security. For example, a user’s mobile phone or PC could be easily added to the security mix
to provide additional ‘two factor’ security without requiring any extra expensive hardware. Added to this is the
flexibility for using the solution in various languages and for people with disabilities who may not be able to
enter a four digit PIN code without assistance.
Drilling down a level, it is possible for software-based solutions to be cleverly implemented to help protect
against ‘man in the middle’ attacks. This is done by using details of the transaction (e.g. the amount being
transferred and the destination account details) to actually generate the passcode so that if a fraudster tries to
amend the information the transaction will be cancelled. Furthermore, using this method, the one-time
passcode can become a ‘digital signature’ of the transaction which counters internal fraud.
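As an added illustration of the transaction-bound passcode described above (example code written for this article, not any bank's or vendor's implementation), the generator below MACs the amount and destination account together with a server-issued nonce; the nonce, key size, field encoding and 8-digit truncation are assumptions:

```python
"""
Added example (not from the article, nor any vendor's code): a transaction-bound
one-time passcode.  The passcode is an HMAC over the user's enrolled secret AND
the transaction details (amount, destination account), so a code generated for
the transaction the customer saw on screen fails verification if a man in the
middle alters those details in transit.  The per-transaction nonce, key size,
field encoding and 8-digit truncation are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import struct


def canonical_transaction(amount_pence: int, dest_account: str, nonce: str) -> bytes:
    """Length-prefixed, fixed-width encoding so that no two distinct
    (amount, account, nonce) triples produce the same byte string."""
    if amount_pence < 0:
        raise ValueError("amount must be non-negative")
    dest = dest_account.encode("utf-8")
    nonce_b = nonce.encode("utf-8")
    return (struct.pack(">Q", amount_pence)
            + struct.pack(">H", len(dest)) + dest
            + struct.pack(">H", len(nonce_b)) + nonce_b)


def transaction_otp(secret: bytes, amount_pence: int, dest_account: str,
                    nonce: str, digits: int = 8) -> str:
    """Customer-side generator: MAC the transaction, then truncate to digits the
    customer can type (dynamic truncation as in RFC 4226, here over SHA-256)."""
    mac = hmac.new(secret, canonical_transaction(amount_pence, dest_account, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankServer:
    """Bank side: holds enrolled secrets, issues one nonce per transaction and
    verifies the passcode against the details it is actually asked to execute."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._pending: dict[str, set[str]] = {}

    def enrol(self, user: str) -> bytes:
        secret = secrets.token_bytes(32)      # shared with the user's generator at enrolment
        self._secrets[user] = secret
        self._pending[user] = set()
        return secret

    def issue_nonce(self, user: str) -> str:
        nonce = secrets.token_hex(8)
        self._pending[user].add(nonce)
        return nonce

    def verify(self, user: str, amount_pence: int, dest_account: str,
               nonce: str, otp: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None or nonce not in self._pending.get(user, ()):
            return False                      # unknown user, or nonce never issued / already spent
        expected = transaction_otp(secret, amount_pence, dest_account, nonce)
        if not hmac.compare_digest(expected, otp):
            return False                      # details differ from what the customer signed
        self._pending[user].discard(nonce)    # one passcode executes at most one transaction
        return True


def demo() -> dict:
    """Constructed scenario: a man-in-the-middle edit, the genuine transfer, and a replay."""
    bank = BankServer()
    secret = bank.enrol("alice")
    nonce = bank.issue_nonce("alice")
    amount, dest = 25_000, "12-34-56 98765432"          # constructed sample values
    otp = transaction_otp(secret, amount, dest, nonce)  # generated from what Alice sees on screen

    tampered = bank.verify("alice", amount, "12-34-56 11111111", nonce, otp)  # account swapped in transit
    legit = bank.verify("alice", amount, dest, nonce, otp)                    # untouched details
    replay = bank.verify("alice", amount, dest, nonce, otp)                   # same passcode a second time
    return {"tampered": tampered, "legit": legit, "replay": replay}


if __name__ == "__main__":
    print(demo())  # {'tampered': False, 'legit': True, 'replay': False}
```

Because the bank holds the same secret, this HMAC gives integrity and freshness against an outside man in the middle but is not a non-repudiable signature; that would need a per-customer private key.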
So, software-based solutions are much more secure, more cost effective and more user friendly in comparison
to traditional chip and PIN or complex static passwords.
The first step to a more secure future
OTP devices such as Visa’s SecureCode are therefore a welcome step in the right direction. It shows that the
industry is waking up to the fact that static PIN numbers are not enough in themselves to effectively
authenticate payments. This is only a start however. Such cards are expensive to produce and are still reliant
on fixed PIN as a starting point. Taking Ockham’s razor to the problem I strongly believe that a software-based
approach using simple patterns to generate OTPs is a much more suitable solution. It costs less and is
incredibly easy for customers to use, removing in one stroke the persistent problems of ‘shoulder surfing’, key
logger and phishing attacks. This approach is available today, but banks need to have the confidence to take a
step back from the technology and realise that in some cases less is better and a simple solution can be the most
effective.
It’s time to travel without credit cards
By Suparna Sen, Smartcard & Identity News
It often becomes difficult to keep credit cards and gift cards safely in a wallet for fear of losing them while
travelling. To solve this problem, iCache Inc. has developed an electronic payment device, iCache, capable of
carrying the details of all your credit cards, debit cards, prepaid cards, ATM cards, loyalty cards, medical
insurance cards, hotel key cards, etc. on one single device.
iCache is a small, slim, lightweight digital device that stores a universal blank
magstripe plastic card within it. iCache costs $99 and the gadget acts as a
replacement to wallets overstuffed with credit cards by mimicking all of the cards
that you usually carry with you. According to iCache officials, the device has a battery, which may be
recharged via micro USB. With normal use, the iCache can last up to 2-3 weeks between charges.
iCache includes an LCD screen and a card slot through which you insert and remove a magnetic-stripe card after
unlocking the device using the biometric fingerprint scanner on the bottom right of the device. In terms of
looks, the iCache resembles the iPod mp3 player and is slightly bigger than a small stack of credit cards.
Since the introduction of iCache at the 2007 International Consumer Electronics Show, Las Vegas, the device
has only been distributed to a select few customers, by the banks and other financial institutions within the
country (although according to the iCache website, the gadget can be bought from a variety of iCache
supporting financial institutions or from any of the 10,000 iCache retail locations in the US).
To use your iCache, you need to activate it first. Activation requires self-registration of your fingerprint and
credit cards. You need to plug your iCache into your computer or laptop using a USB cable. Then you register
each card online on the iCache website which in turn transfers the credit card data on to the iCache device.
Finally, you scan your fingerprint on the biometric scanner available with each iCache to initialise the device.
At the time of payment you unlock the device with your fingerprint, select your specific card profile (e.g.:
MasterCard or Visa etc) by scrolling the card list on the device’s LCD screen. The blank magnetic-stripe card
stored inside the iCache is then written, with your chosen card details. You can then pull out the plastic card
as a replica of your desired card, with all the specific information on it, ready to be used for payments. The
card that pops out of your iCache won’t bear the well-known red and orange MasterCard symbol. It will
instead have the red and white iCache insignia. When you insert the plastic card back into the device, the
information stays for about 10 more minutes, and then the data gets deleted automatically or is overwritten
when you select the next card for use.
iCache replaces loyalty cards and gift cards with the ability to display barcodes on its screen. The barcodes can
be entered into the device by the user or can be sent to the user as digital packets by the issuer.
Currently, promotional materials and videos of a second-generation iCache Digital Wallet are starting to appear
on the Internet, whilst the iCache website is under development. This second instalment of the iCache
digital wallet is rumoured to include a contactless payments option and an improved barcode rendering
screen which can be read by all barcode readers at the point of sale.
So I put forth a couple of questions to the CEO of iCache, Mr. Ramaci. I asked how contactless payments would
work. He replied: “Although no-one can truly replicate a contactless card because of the security keys involved,
iCache have the ability to internally store a contactless card. In our design, contactless card data cannot be
accessed until the biometric authorization has passed. We also have methods for projecting the contactless data
through a metal case according to the ISO 14443 spec. This enablement of the contactless transmission of data
does not occur until the user successfully identifies himself to the iCache Digital Wallet and the user selects to
perform a contactless transaction”.
Further, when I wanted to know whether iCache can be used for Internet payments, Mr. Ramaci said, “As
well as having universal mag stripe capability, contactless, and barcode capability, the iCache excels at internet
payments. An iCache Internet transaction is the safest of all Internet payment methods because the web
merchant knows that the card used is tied biometrically to the individual owner of that card. Data is never
decrypted or released from the iCache to a web merchant until it is biometrically unlocked by the card owner”.
iCache doesn’t come without its problems. When you are using it as a travel gadget, you will still have to call
each of the credit card companies for the cards you plan to use to let them know whether you are using the
card internationally or domestically. There are places around the world where merchants are unfamiliar with
iCache. For instance if you travel to some village in India and take out your iCache to pay for your purchase,
you will face problems since the iCache mag-stripe card will not contain the Mastercard/Visa Logos and may
cause confusion to the merchant. But most importantly, you can’t use iCache in countries that require chip &
pin such as in the UK itself or in Ireland and many such Chip & Pin compliant countries.
iCache is obviously still evolving, since the design keeps changing and the claims of functionality keep growing.
In addition, I have also been informed of an iCache add-on for your phone that is in the pipeline. One of
iCache’s core objectives is that the merchant does not have to change anything at the point of sale.
World News In Brief
Brighton and Hove Bus Company to
Launch Smart Cards
Smart cards for bus passengers will soon be
introduced in Brighton and Hove in the south coast
of England.
Roger French, managing director of Brighton and
Hove Bus Company, which operates the vast
majority of routes in the city, told The Argus he
hopes to start installing the system early next year.
French is working with rail operator Southern to
make sure the cards can be used both on bus and
rail services. The entire process is expected to take
between 12 and 18 months to complete.
The system will be similar to Oyster cards used in
London but will be based on new technology being
developed by the Department for Transport that
will eventually be rolled out nationwide.
Visa to Reduce Payment Card Data
stored in Merchant Systems
Visa Inc. has launched a global effort to reduce
unnecessary storage of sensitive card information in
merchant payment systems. Understanding the
significant commitment by merchants to secure the
payment system and to protect sensitive cardholder
information from criminals, Visa is clarifying
existing operating regulations to ensure that
acquirers and issuers allow merchants to present a
truncated, disguised or masked card number on a
transaction receipt for dispute resolution in place of
the full 16-digit card number.
Visa and the National Retail Federation (NRF) agree
that merchants should not be obligated by their
acquiring banks to store card numbers for the
purpose of satisfying card retrieval requests. While
Visa does not require merchants to store full card
numbers beyond settlement, NRF's comments
indicated marketplace confusion about what
information merchants are required to store for
dispute resolution by issuers, acquirers or
processors.
Verayo develops the world’s first ‘unclonable’ RFID chip
By Tom Tainton, Smartcard & Identity News
The authentication solutions provider, Verayo, has developed the world’s first
unclonable chip products, led by the Vera M4H RFID. The company, founded
in Silicon Valley in 2005, claims that its Physical Unclonable Function (PUF) technology
will transform the security industry, providing robust authentication for a wide
range of sectors such as e-finance, ticketing, mobile payments and e-passports. Its
co-founder and developer, Srini Devadas, even won a coveted CTO 25 Award for
his efforts in developing this breakthrough silicon biometrics technology.
PUFs are tiny electrical circuit primitives that exploit the IC fabrication process
variations to generate an unlimited number of unique ‘secrets’ from each chip.
These ‘secrets’ are dynamically generated, using a challenge response scheme.
When a PUF circuit is queried with a challenge (a random 64-bit number), it
instantly generates a unique ‘fingerprint’ response. Each PUF can effectively
generate an unlimited number of unique challenge response pairs. The response
from any given chip is based on the chip’s unique, unpredictable, random and unclonable fabrication process
variation, thus making it impossible to generate the same challenge response pairs from another chip. Put
simply, PUF technology is entirely unbreakable.
Vivek Khandelwal, Vice President of Marketing and Business Development at Verayo, says: “PUF is the first
silicon technology that makes ICs unclonable. Until now there have been technologies that provide
anti-cloning features, but none addressing this at the levels PUF does. PUF will add value in security space at two
ends of the spectrum. At one end PUF is providing the lowest cost alternative to conventional cryptography
for applications that require authentication, hence enabling security in applications where costs have been an
inhibitor. On the other end PUF is extending the security envelope by using the silicon chip’s “biometric”
information as a seed to create dynamic, volatile cryptographic keys.”
The Vera X512H, the first unclonable RFID IC from Verayo, provided authentication at reduced cost but
needed a network to access information. The new improved Vera M4H peddles a non-networked aspect, thus
widening the reach of PUF-based RFIDs to a much broader market where access to network may not be
available. So why don’t standard RFID chips cut the mustard anymore?
Well, while basic RFID chips can be easily cloned, either by using a ghost device to “act” like a real RFID
chip or by copying data from one chip to another, Verayo’s PUF-based RFID chips provide a very strong
authentication mechanism whereby no device can be disguised as the original chip, even if the data is copied
from one Verayo chip to another. Bad news for identity fraudsters and skimming crooks too. Each PUF-based
RFID can generate an unlimited number of challenge response pairs, so when addressing the issue of
skimming and replay attacks, the system simply uses a new challenge response pair each time. The unclonable
RFID tags also offer an alternative to the largely ineffective authentication mechanisms commonly used to
control counterfeiting. Holograms and colour-shifting inks are flawed, while basic RFID tags lack the
necessary security requirements. Verayo’s PUF RFID tags can prevent counterfeiting in markets such as
pharmaceuticals, liquor, wine and cigarettes and luxury products.
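A toy model of the challenge-response scheme described earlier in this article and of the fresh-pair-per-authentication defence against skimming and replay in the paragraph above, added here as an example and not Verayo's design or code; the chip's fabrication variation, the noisy readout, the 64-bit challenge, the tag identifier and the verifier's one-use pair database are all simulated with assumed parameters:

```python
"""
Added example (a toy model, not Verayo's design or code): PUF-style
challenge-response authentication.  A real PUF derives every response from the
chip's own fabrication variation and stores no key; here that variation is
simulated by a per-chip random secret that never leaves the chip object.
Responses are made slightly noisy, as real PUF readouts are, so the verifier
matches by Hamming distance rather than exact equality.  Bit lengths, noise
level, threshold and the tag identifier are constructed assumptions.
"""
import hashlib
import hmac
import secrets

CHALLENGE_BITS = 64      # the article's random 64-bit challenge
RESPONSE_BITS = 128
NOISE_BITS = 3           # simulated readout errors per response (assumed)
MAX_DISTANCE = 16        # verifier's acceptance threshold in bits (assumed)


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two responses differ."""
    return bin(a ^ b).count("1")


class SimulatedPufChip:
    """Stands in for a PUF-based tag: a fresh response for every challenge."""

    def __init__(self) -> None:
        self._variation = secrets.token_bytes(32)   # models the silicon variation

    def respond(self, challenge: int) -> int:
        digest = hmac.new(self._variation, challenge.to_bytes(CHALLENGE_BITS // 8, "big"),
                          hashlib.sha256).digest()
        response = int.from_bytes(digest[:RESPONSE_BITS // 8], "big")
        for _ in range(NOISE_BITS):                   # model an imperfect readout
            response ^= 1 << secrets.randbelow(RESPONSE_BITS)
        return response


class Eavesdropper:
    """Sits between reader and tag and records every exchange it sees."""

    def __init__(self, tag) -> None:
        self._tag = tag
        self.recorded: dict[int, int] = {}

    def respond(self, challenge: int) -> int:
        response = self._tag.respond(challenge)
        self.recorded[challenge] = response
        return response


class SkimmedClone:
    """A device loaded with data copied from a genuine tag: the recorded pairs.
    It has no silicon variation of its own, so an unseen challenge can only be
    answered with a guess."""

    def __init__(self, recorded: dict[int, int]) -> None:
        self._recorded = dict(recorded)

    def respond(self, challenge: int) -> int:
        return self._recorded.get(challenge, secrets.randbits(RESPONSE_BITS))


class Verifier:
    """Enrols challenge-response pairs once, in a trusted setting, then spends
    one pair per authentication so no recorded response is ever asked for again."""

    def __init__(self) -> None:
        self._crps: dict[str, list[tuple[int, int]]] = {}

    def enrol(self, tag_id: str, chip: SimulatedPufChip, count: int) -> None:
        pairs = []
        for _ in range(count):
            challenge = secrets.randbits(CHALLENGE_BITS)
            pairs.append((challenge, chip.respond(challenge)))
        self._crps[tag_id] = pairs                    # this database must itself be protected

    def authenticate(self, tag_id: str, device) -> bool:
        pairs = self._crps.get(tag_id)
        if not pairs:
            return False                              # nothing unused left: re-enrol, never reuse
        challenge, expected = pairs.pop()             # consumed whether or not the check passes
        return hamming(device.respond(challenge), expected) <= MAX_DISTANCE


def demo() -> dict:
    """Constructed scenario: genuine tag, clone built from a skimmed exchange, exhaustion."""
    verifier = Verifier()
    genuine = SimulatedPufChip()
    verifier.enrol("tag-0001", genuine, count=3)

    tap = Eavesdropper(genuine)
    skimmed_ok = verifier.authenticate("tag-0001", tap)      # genuine tag, but fully recorded
    clone = SkimmedClone(tap.recorded)                       # attacker copies what was seen
    clone_ok = verifier.authenticate("tag-0001", clone)      # fresh challenge: the guess fails
    genuine_ok = verifier.authenticate("tag-0001", genuine)  # noisy readout, within threshold
    exhausted = verifier.authenticate("tag-0001", genuine)   # database empty for this tag
    return {"skimmed": skimmed_ok, "clone": clone_ok, "genuine": genuine_ok, "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())  # {'skimmed': True, 'clone': False, 'genuine': True, 'exhausted': False}
```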
In fact, PUF based RFIDs signal a change of direction in the industry. They’re tiny and consume low power,
and they’re very cheap. Crypto-RFIDs provide comparable security and trust but at a significantly higher cost.
PUF based authentication breaks the cost-security continuum. PUF technology is not tied to any particular
RF frequency, and PUF technology can be integrated into RFIDs that operate at any frequency, for both
short and long read range applications. Of course, with improved security for RFID solutions comes end-user
ambiguity and easier adoption in a wide range of applications.
Khandelwal says: “PUF RFIDs are getting good traction in markets like pharmaceutical and consumer
product anti-counterfeiting, as well as secure ID and mass transit ticketing kind of applications. Like any
other security technology, PUF technology has faced challenges on the robustness of authentication and
security it provides. The technology has had to go through extensive environmental characterization. The
technology is currently in trials, so specific case studies will be possible after completion of these trials and
evaluations.”
So what sectors beyond RFID can Verayo’s PUF technology benefit, and how?
Many of us rely on computing devices for everything we do – whether it’s storing business or personal data to
running financial transactions. Verayo’s security solutions aim to enhance the security of computational
systems by providing a unique and reliable way to authenticate PUF based ICs and systems. Additionally,
PUFs also provide a way to use each IC’s unique “fingerprints” as seeds to generate dynamic and volatile
secrets, eliminating the need to store cryptographic keys. Computers and networking equipment can use PUF
technology for more secure and robust hardware gear authentication. PUF based secure processors can
address the needs of market segments that require a higher level of security and anti-tamper, such as
national defence infrastructure. PUF technology can also be used for secure identification, data access and
secure transactions for applications such as mobile (NFC) payments, e-Passports, SIM cards and contactless
credit cards.
Physical unclonable functions technology represents one of the biggest breakthroughs in semiconductor
security. Verayo has done extensive testing, qualification and engineering development to improve the
reliability of their PUF products. With the right implementation, Verayo claims PUFs achieve 9-9s reliability,
or in other words, a failure rate of less than one in a billion. Pretty good odds, I’m sure you’ll agree.
World News In Brief
Oberthur Technologies Awarded $75
Million Tender for Uzbekistan
Biometric Passports
Oberthur Technologies, leading French secure
technology company, has been awarded a contract
to establish a biometric passport system for
Uzbekistan, the Uzbekistan Daily website reported.
Oberthur signed a contract worth more than $75
million with the government following a tender.
In the first stage, employees of ministries and state
bodies of Uzbekistan, citizens travelling abroad and
citizens who are receiving new passports will get
biometric passports. The first stage of the project
was initially scheduled to begin Jan. 1, 2010, but was
postponed for a year by Uzbek President Islam
Karimov. All citizens of Uzbekistan will receive new
passports in the second stage, which is set to begin
in 2012.
South Korean Early Adopter Chooses
Clear2Pay NFC Test Tool
Clear2Pay announced that the Korea Electric
Testing Institute (KETI), a leading organisation
dedicated to enhance the safety and quality of
electric and electronic products, selected Clear2Pay's
Integri test tools for the testing of digital
communication between Near Field Communication
(NFC) devices.
Piraeus Opens First Online Bank for
Greek Market
Piraeus Bank is to launch Greece's first stand-alone
direct bank through an extension of its electronic
banking channel Winbank. With more than 150,000
customers now signed up to e-banking, Piraeus is
taking the concept one step further with the creation
of winbankdirect, which will target not only existing
Piraeus Bank customers but the entire Greek
consumer banking market. Piraeus Bank Group is
one of the most dynamic and active financial
organisations in Greece.
SMARTRAC Launches New Gamma
Radiation Proof RFID Tags
SMARTRAC N.V., the leading developer,
manufacturer and supplier of RFID transponders,
announced that it has broadened its product
portfolio with an RFID transponder that withstands
gamma radiation of up to 45 kilogray (kGy). The
new transponder, which is part of the company’s
established S-Tag product family, is especially suited
for use in medical applications where aseptic
conditions are compulsory.
New Yorkers Hand Over Personal
Details to Microsoft's Fake Bank
Microsoft has set up a fake bank branch in New
York and tricked members of the public into
handing over huge amounts of personal
information. The tech giant built its Greater
Offshore Bank & Trust branch in a bid to
demonstrate how vulnerable people are to scams
and promote Internet Explorer 8, which it says
blocks three million online threats a day.
In two videos posted on Youtube, actors playing
bank staff members convince members of the public
to reveal highly sensitive information in order to
open accounts and receive $500. Duped
"customers" were willing to hand over their
mothers' maiden names, social security numbers,
credit card numbers, strands of hair for DNA tests
and details on whether they wear boxers or briefs.
IBM Employee held Culprit in
Massive DBS Outage
An IBM employee has been fingered as the culprit
behind a 7 hour system-wide outage that knocked
out all consumer and business banking services and
ATM and POS transactions at Singapore's DBS
Bank this month.
In a letter posted on the bank's Website, DBS CEO
Piyush Gupta says the outage was triggered during a
routine repair job on a component within the disk
storage subsystem connected to the bank's
mainframe.
IBM and DBS entered into an S$1.2bn agreement in
2002 in which the bank outsourced IT services and
infrastructure in Singapore and Hong Kong to IBM.
World's Lightest Mobile Phone!
According to the Guinness Book of World Records,
the Modu 1 is the world's lightest mobile phone.
Modu is an Israeli manufacturer and will launch the
Modu 1 in the UK later this month with the price
tag of £129.99.
This light phone holds a 3.2 mega pixel camera with
3.2x digital zoom and Bluetooth 1.2 connectivity. It
includes 2GB of internal memory to act as your
music player or storage device, measures 72.11 mm x 37.66 mm x 7.8 mm and has a 1.3-inch
OLED display and a built-in speaker.
Hold very tight please! Ting-ting!
By Peter Tomlinson - Smartcard & Identity News
There is an end of the Spring season feeling this month: the general election is
already almost three months behind us, Ascot and Wimbledon and Henley are gone,
students have come home (perhaps relief that they have gone home for those of us
who live in student laden cities). The summer months this year are overlaid with the
pause in the government’s allocation of funding and the wait to see their direction
across many programmes, including those with significant secure Information and
Communications Technology (ICT) content. About that funding: we are told to
hang on until October 23rd, but to also keep an eye out for early release. As for
direction, the history of the Information Assurance policy tells us that some policies
created in the Cabinet Office have difficulty getting out through the door. So it is.
Hold very tight please!¹ for 3 more months. One bit of detail: contrary to last month’s front page article, ITSO
Ltd’s scheduled additional funding is currently only sufficient for planning ITSO V3 on a 3 year timescale - they
also wait until October. That is not just about an enhanced and restructured ITSO Specification: it also includes
upgraded security servers and, early in the schedule, an upgraded test and certification service.
Into this, two recent talks about the Oyster upgrade programme have injected a new insight into possibilities for
other metropolitan areas. Also there is a new foray by old friends into the general UK market for smart devices,
for support goods, and now for support services. And some continuing headbashing about being safe online.
At a tangent to our orbit, the USA White House and their Homeland Security Department have launched a
discussion on a possible national eID programme: a draft National Strategy for Trusted Identities in
Cyberspace. SCN Daily News reported this on 30th June, and here are some of the links:
The White House announcement:
http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
The consultation document setting out the draft strategy, plus many responses:
http://www.nstic.ideascale.com/
A review article:
http://www.nextgov.com/nextgov/ng_20100628_8259.php?oref=topnews
In the background are the success and also the problem of the USA’s Personal Identity Verification (PIV) smart
card scheme for govt employees and contractors: it works, but the security schemes of the various govt depts
are not fully federated. So the PIV card issued by Dept A may not allow you into Dept B. A strong security eID
token for the public really needs to be interoperable across many services, but the USA’s federal govt will not
want to be or to set up one issuer. Is there an echo here in the UK? Very very faint at the moment, but may get
stronger if Martha Lane Fox and colleagues get to work on strong authentication for DirectGov and, with
others, start a trickle down to local government – the potential curse is that Whitehall’s silo mentality means
that currently we cannot build effective over-arching multi-departmental programmes.
Transport for London is well on the way to rolling out its ITSO acceptance upgrade, and is also close to
starting the move from their private transport token purse (that is how Oyster PAYG works) to adding a
contactless bank card payment method as you travel, incorporating the same PAYG rules. The reason?
Predicted much lower cost of operation. The method? All bank issued cards conforming to the EMV
contactless requirements will be accepted. Over time (a currently unspecified period) the old Oyster cards will
be replaced - and maybe there will be an Oyster branded pre-paid banking technology payment card. Key
people from TfL spoke at both the Contactless Cards and Payments conference and the Gemalto Innovation
Day: Lauren Sager Weinstein at the one, Peter Lewis at the other. As a result, one thing became very clear: it
would be possible to take the new TfL Oyster bank payment and journey management technology and drop it
into other areas where interoperable public transport ticketing dominates - interoperable across multiple local
public transport service providers, that is. So, as well as Oysters in London, there could be Periwinkles in
Manchester, Prawns in Birmingham and Tykes in most of Yorkshire… And you could then be able to take your
Visa PayWave or Mastercard PayPass contactless card with you from home in London to journey by public
transport to an inter-city railway station, travel by train to Manchester (buying your rail ticket some other way
and holding it in another secure token or printing it), bus and tram it around Manchester, back to London by
train, travel home on bus and tube and TfL PAYG rail services. If you make enough local journeys, you would
benefit from one fare capping scheme in London, and from another one in Manchester. But you would have to
register online in London to be able to view your journey history on TfL services, and register separately in
Manchester to view Periwinkle journey history. Since DfT’s smart and integrated ticketing strategy envisages
using one secure token for all the journeys, Norman Baker MP (if he is still a Transport Minister by the time
that this happens) might not be best pleased.
The new foray into the UK market is being made by Gemalto. Not just cards (many of our bank cards already
come from them). Also payment terminals, and all kinds of security offerings and associated services (including
the new entity for the mobile eService environment: the Trusted Service Manager) - they have been growing by
acquisition of innovative businesses. One very useful new service, demonstrated at their Innovation Day, is
online management of Gemalto retail bank card payment terminals: if it doesn’t work or do what you need,
phone the Gemalto-equipped call centre, they connect to the terminal across the internet, they try to fix it
remotely. To be rolled out in France very soon, proposed for the UK next year.
Headbashing has been happening at invitation-only Workshops run by the Information Assurance Advisory
Council (IAAC). Chatham House Rule applies: the general direction of the discussions can be reported, but
there must not be detailed reporting or attribution of statements to any named person or organisation. Privacy
of personal data was the theme for one set of sessions, be safe online came next - safe for citizens, safe for
businesses, safe for govt and private sector to operate the eServices. IAAC has for some years been active in
support of the government ICT Information Assurance strategy, is now supporting the new policy thinking
(and naming), and is due to update the IAAC Corporate Guidance at a Symposium on 8th September. In the
meantime, there is very useful material in their Directors’ Guides to Managing Information Assurance Risk².
¹ With apologies to Flanders and Swann’s Transport of Delight and the London transport omnibus:
http://www.iankitching.me.uk/humour/hippo/transp.html
² http://www.iaac.org.uk/Default.aspx?tabid=31
World News In Brief
KASIKORNBANK, AIS and Gemalto Bring NFC to Thailand Mobile Users
Gemalto, the world leader in digital security, announced it will provide its Trusted Services Management (TSM) service to support the launch of Near-Field Communication (NFC) applications in Thailand. The service is the first pan-Asian deployment for Gemalto’s certified TSM centre in Taiwan. This pioneering project has Gemalto partnering with KASIKORNBANK, the country’s second largest bank, and with Advanced Info Services (AIS), the nation’s largest telecommunications operator.
M-Payment Start-Up Trades MicroSDs for Passive Stickers
U.S.-based mobile-payment start-up RFinity is adopting passive-contactless stickers for its payment project in and around a university campus in Idaho, changing an earlier plan to expand its pilot using contactless microSD cards.
The company also appears to be adopting an m-payment model similar to that of U.S.-based Bling Nation, which signs up community banks and targets local merchants to participate in a closed-loop payment system using the automated-clearinghouse network to avoid credit and debit card interchange fees. RFinity and Bling are among a host of start-ups hoping to take business from Visa Inc. and MasterCard Worldwide and major banks in the budding mobile-payment market.
Nokia Siemens buys Motorola Networks in $1.2bn Deal
Nokia Siemens Networks plans to take over some of rival US mobile phone giant Motorola’s network operations for a record $1.2bn (£784m) deal. The purchase will give it second place in the huge North American market. Nokia Siemens Networks is a 50-50 joint venture between Finland’s Nokia, the biggest handset maker in the world, and Germany’s Siemens.
DoCoMo to go SIM Free Next Year
in Japan
According to DoCoMo PR staff in Tokyo, the Japanese mobile phone company may offer SIM-free mobile
phones in Japan in 2011, giving people for once the choice to use their handset with other carriers. Another
possibility is that DoCoMo only unlocks mid-range phones and keeps some of its best phones locked in order
to keep an edge over its competitors.
CUSTOM and ASK to Cooperate on a New Contactless Paper Ticket Printer
CUSTOM ENGINEERING, designer of advanced hardware and software technology for the automation of vertical markets which need printing, scanning and reading solutions, etc., and ASK, a worldwide leading provider of contactless smart cards, smart tickets, smart adhesive labels, etc., are pleased to announce the beginning of an important cooperation to provide their customers with a brand new thermal ticket printer.
CUSTOM and ASK will work together to optimise their resources and share their respective expertise in printers and contactless and RFID technology to reach more customers in the ticketing sector and offer state of the art solutions and products.
Barclaycard makes UK Coffee Chain Go Contactless
AMT Coffee is partnering with Barclaycard to roll out contactless payment terminals nationwide, according to computerworlduk.com. The technology allows customers to pay for purchases of £15 or less without having to provide a signature or enter a PIN. AMT Coffee’s shops are located primarily in airports and railway stations, making them optimal venues for speedy tap & go style payment, says AMT COO John Hassall.
CreditCall Prepares to Roll Out Chip
& PIN Payment App
UK-based card payment company CreditCall is set
to release a Chip & PIN payment app that turns
smartphones into EFTPOS terminals for on-the-go
debit and credit card transactions. CardEase Mobile
app will be available for BlackBerry devices from
autumn. The app requires the use of a separate
Bluetooth-linked PIN Pad that can be paired to the
smartphone. Transaction data is encrypted and sent
over the wireless network for authorisation. A
transaction receipt can then be sent to the customer
by email, SMS or in paper format from an optional
printer.
South Shore Hospital Still Hunting
for Lost Records
The search for the missing computer files continues
at South Shore Hospital, USA. Administrators are
still trying to find out whether the back-up computer files,
which contain personal data of as many as 800,000
patients, employees and vendors, are missing,
destroyed or unrecoverable. “We will continue the
search until all reasonable efforts have been
exhausted,” hospital spokeswoman Sarah Darcy
said.
The hospital recently reported that sometime
between February and June, 14 years’ worth of
computer records was missing. The hospital had
thought the files were destroyed by a still-unnamed
professional data management company. But in
June, the firm told the hospital that it had only
received, and subsequently destroyed, a portion of
the files. The hospital said it sought to destroy the
files because they are part of an outdated computer
system.
Smart Card & Identity News • July 2010
MorphoTrak Integrates Highest Performing 1000ppi Palmprint Scanners
MorphoTrak (Safran Group) announced that it has
integrated the new 1000ppi fingerprint and
palmprint capture scanner in its livescan
workstations. These workstations were
demonstrated at the ongoing International
Association for Identification (IAI) Educational
Conference in Spokane, WA. This annual
conference is one of the largest gatherings of local,
state and federal law enforcement professionals.
As a leading provider of Automated Fingerprint
Identification Systems (AFIS) and partner with
Cross Match Technologies, Inc., MorphoTrak is the
first AFIS provider to integrate this new scanner
into its product offerings. According to the announcement, the new Cross Match L SCAN® 1000PX is the fastest 1000ppi scanner in the industry and offers the highest resolution and best contrast of any scanner available.
Camelot Blocked from Offering e-payments
UK national lottery operator Camelot’s application
to use its terminals for commercial services such as
electronic fund transfer and e-bill payment has been
turned down. The firm had sought permission to
offer a range of services, including contactless
payments, mobile phone top-ups and international
calling cards through terminals at 28,000 retailers
around the country.
The National Lottery Commission says it is "minded
to refuse to grant consent" for the application to let
Camelot undertake "ancillary activities" because of
EU/competition law concerns. Interested parties
still have a "final opportunity" to address the issue.
Biometrics – It’s not what you know, it’s who you are!
By Neil Fisher, VP Global Security Solutions, Unisys
Protecting your personal information with “what you know” is no longer good
enough. In this digitised, Web 2.0 era it is now too easy to find out information like
a birth date, address or mother’s maiden name when they are freely posted on social
networking sites like Facebook, LinkedIn and Twitter.
Additional measures of combining “what you know” (e.g. PINs) with “what you have” (e.g. smartcards or tokens) provide another layer of protection for consumers
against identity fraud. But in some instances, where even greater assurances of
identity are required, organisations are seeking even better protection via another
layer, “what you are”, through the use of biometric technology such as
fingerprinting, iris scanning and vascular technology. These identification technologies have the potential to
improve both security and privacy - with corresponding benefits to consumers, corporations and government
agencies alike. Consumers experience the advantages of greater convenience, ease-of-use and privacy in their
interactions with trusted parties such as banks, airlines, and government agencies. Corporations and
government departments thrive on stronger forms of authentication, improved security, less susceptibility to
identity theft and fraud, reduced costs, and lower risk in terms of regulatory compliance.
It is therefore not surprising that we are increasingly seeing appropriate security measures being put in place to
reduce exposure to today’s complex range of security threats. According to the Unisys Security Index – a global
research report designed to help businesses and governments understand consumer attitudes towards financial,
personal, internet and national security – identity theft ranked as the first or second highest source of anxiety in
ten countries and in the UK more than 87 per cent of British respondents voiced concern or extreme worry
about identity theft, up thirty per cent from 2009. The Unisys Security Index also revealed that, given this level
of trepidation, there is a strong rationale for embracing innovative security techniques to prove our identity with
better and stronger assurances. Public acceptance of biometric technology has rapidly been gathering pace; 91
per cent find the use of fingerprint scans to verify their identity with banks, government agencies or other
organisations acceptable, up 16 per cent in the last year. These findings suggest that, despite residual mistrust of biometric technology, organisations which adopt it and make their security measures transparent will take the lead in integrating biometrics into established security protocols. The success stories will be those organisations which invest in transparent processes and education to reassure the public that their data has been securely collected, respected and protected.
The public’s willingness to embrace biometrics is driven by an inherent expectation that people should have the
freedom to trade online and across borders whilst enjoying absolute security and protection. As the use of
biometrics continues to mature along with public acceptance of the technology, innovation will inevitably
expand into new domains and beyond familiar methods of voice, face, finger and iris recognition. One
promising alternative is vascular recognition technology, of which Unisys is a strong proponent.
Vascular scanning technology is a rugged and robust tool. Infra-red cameras read the vein (blood-vessel) pattern on the back of the hand from a short distance away. Verification is near-instantaneous and succeeds when the pattern captured live matches the reference template stored on the holder's smart card. The technology carries a high degree of accuracy, is easy to use and overcomes most physical disabilities. Unisys has already integrated vascular biometrics into the credentialing process used to identify 4,000 workers at the Port of Halifax, Canada, so when an employee is banned from one site, the change cascades to every site networked with the central system.
Unisys has also worked with the Canadian Air Transport Security Authority (CATSA) to supply, integrate and
manage a new identification management solution, using fingerprint and iris biometric technology to confirm
the identities of airport workers throughout Canada. The Restricted Area Identification Card (RAIC) system
enhances aviation security by verifying the identities of airport workers via biometrics and ensuring that only
those workers with security clearance can enter restricted areas. It also allows CATSA to instantly update the
security clearance status of all 100,000 airport workers across the country.
Both deployments illustrate the commercial benefits of using biometric technology to identify workers and ensure
anyone with criminal intentions is prevented from entering a closed area. There has been considerable work
undertaken to impress upon the public the wider benefits of this technology, in particular by developing a more
people-centric approach to identity management and governance. Stronger, robust authentication is crucial in a
joined-up world where information is shared. In order to improve quality of life and increase prosperity on an
individual basis it is necessary to identify ‘Mr Smith’ the person rather than ‘Mr Smith’ a member of the
population. The implications are far ranging; for instance, a known terrorist should be very afraid of the potential
of people centric security. National identity credentialing provides better services to those who need it and very
few places to hide for those who try.
Developments in biometric technology continue to push boundaries and provide fertile ground for innovation. The main challenge will be to drive the False Acceptance Rate (FAR) towards zero. A zero FAR is never free: every matcher decides against a score threshold, and raising that threshold to reject more impostors also raises the False Rejection Rate (FRR) for legitimate users, so an operator has to choose the balance that suits the application. Whilst automation allows for greater efficiency, quick manual checks should also be made to ensure that an unauthorised person has not managed to fool the system. Nevertheless, advances in biometric technology are moving ahead at a swift pace. Project IRIS (Iris Recognition Immigration System) was introduced four years ago to provide fast and secure automated clearance through UK immigration control for certain categories of regular travellers using biometric technology. The system stores and verifies the iris patterns of qualifying travellers, giving a high-assurance confirmation of their identity when they arrive in the UK. It is now considered antiquated in comparison to the latest Glance and Go iris technology, which enables people to pass through border checkpoints more swiftly and be verified whilst “on the move”. Investment in biometrics is also driving research and development and expansion into new markets, such as home access and aged care services. The most significant applications will combine multiple biometric solutions with other security or identity measures, such as radio frequency identification (RFID) and smartcard technology. In any real-life application it should be heeded that the most effective approach to security is a holistic one, which assesses all possible security risks, internal and external.
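The FAR/FRR trade-off behind the “zero FAR” goal above, worked through on constructed match scores. This is an added example, not code or data from the article or from Unisys: the scores are made up for a hypothetical 1:1 matcher, and the helper names are ours. It shows that the only threshold which rejects every impostor in the sample also rejects a fifth of the genuine users, and how a policy target on FAR, rather than “zero”, picks a usable operating point.

```python
"""FAR/FRR trade-off for a biometric verifier, worked on constructed scores.

Added example; the scores are invented for a hypothetical matcher and are not
measurements of any product named in the article.
"""
from typing import Iterable, List, Tuple

# Constructed similarity scores in [0, 1].
# Genuine: the enrolled person presents; impostor: someone else presents.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.66]
IMPOSTOR_SCORES = [0.20, 0.35, 0.41, 0.28, 0.52, 0.33, 0.60, 0.45, 0.72, 0.25]


def accept(score: float, threshold: float) -> bool:
    """Decision rule: a comparison is accepted when its score exceeds the threshold."""
    return score > threshold


def far(threshold: float, impostor: Iterable[float]) -> float:
    """False Acceptance Rate: share of impostor comparisons that are accepted."""
    scores = list(impostor)
    return sum(accept(s, threshold) for s in scores) / len(scores)


def frr(threshold: float, genuine: Iterable[float]) -> float:
    """False Rejection Rate: share of genuine comparisons that are rejected."""
    scores = list(genuine)
    return sum(not accept(s, threshold) for s in scores) / len(scores)


def sweep(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) at every threshold where a decision can change."""
    candidates = sorted(set(genuine) | set(impostor))
    return [(t, far(t, impostor), frr(t, genuine)) for t in candidates]


def zero_far_operating_point(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Lowest threshold that rejects every impostor in the sample, and the FRR it costs.

    With the accept-if-score-exceeds-threshold rule that threshold is simply the
    strongest impostor score observed.
    """
    t = max(impostor)
    return t, frr(t, genuine)


def equal_error_point(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest (the Equal Error Rate region)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold (hence best FRR) whose FAR does not exceed a policy target."""
    for row in sweep(genuine, impostor):  # ascending threshold: FAR never rises
        if row[1] <= max_far:
            return row
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {a:.2f}  FRR {r:.2f}")
    t0, r0 = zero_far_operating_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"zero FAR needs threshold > {t0:.2f}, rejecting {r0:.0%} of genuine users")
```

On real deployments the impostor distribution is estimated from far more comparisons than ten, and the chosen threshold is usually expressed as a target FAR (for example one in a thousand or one in a million) rather than zero, because the genuine-user rejections that a zero target forces are what drive the manual fall-back checks the article recommends.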
The main barrier to the adoption and advancement of biometric technology is public readiness. As organisations
reach out to the public to address their concerns we will increasingly see the application of this technology to
enhance people’s privacy, convenience and choice in all areas of life. As responsible messages are conveyed to
highlight that privacy and security aren’t mutually exclusive ideals, we could actually see people wondering how
they ever managed to mitigate risk without robust authentication; in the same way that we have come to depend
upon mobile phones and email. Technology has empowered organisations to choose the right combination of
solutions to meet their security needs. Biometrics will undoubtedly play an increasingly significant role in the
security solutions of government and industry seeking to take a holistic approach to identity management.
Advertising with Smartcard News
Let the power of advertising with Smart Card News (www.smartcard.co.uk) bring customers direct to your
website. Smart Card News is the number one source for Cards, Payments, Cryptography, Biometrics, RFID,
EMV and Security relating to the Smartcard industry.
Just type smart card into Google: our second-place ranking attracts thousands of visitors to our website, from smartcard companies, government agencies, research companies and universities. One of the best ways of increasing your website ranking is to be linked by other established industry websites.
If you require any additional information or would like to discuss your requirements, please contact Lesley on
+44 (0) 1903 734 677 or email: lesley.dann@smartcard.co.uk
Mobile Payment Services (conference advertisement)
27-29 September 2010, Hotel Fira Palace, Barcelona
Commercialising technology to deliver innovative mobile and contactless payment products and services across telecoms, retail, transport and financial markets.
Over 25 leading perspectives from the Telecoms, Financial and Retail sectors.
Key insights from: AT&T Mobility, Aurora Fashions, A1 Bank, Bankinter, BICS, Consult Hyperion, DoCoMo Europe, Eagle Eye Technologies, Edgar Dunn & Company, Everything Everywhere, KPN, MasterCard, Mi-Pay, No Need For Mirrors, Nordea Bank, O2 UK, PayPal Europe, Poste Italiane, Telefónica O2 Germany, Telecom Italia Mobile, Visa Europe, Vodafone Group and Voice Commerce.
Energise your m-payment strategy with new ideas on how to:
Develop innovative Mobile Payment services and Smart Phone Apps
Forge profitable partnerships and alliances with other industries
Capitalise on the latest technologies and optimise go-to-market timelines
Assure the security and integrity of your service offerings
In-depth learning opportunities through 3 pre-conference masterclasses. Free for retailers.
Register today. Please call: +44 (0) 20 7017 7483; Fax: +44 (0)20 7017 7825; Email: registrations@iir-telecoms.com; Web: www.iir-telecoms.com/mobilepayment