Entries Tagged "authentication"

Detecting Edited Audio

Interesting development in forensic analysis:

Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording.

Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging the hum for several years, says: “Even if [the hum] is picked up at a very low level that you cannot hear, we can extract this information.”

[…]

It is a technique known as Electric Network Frequency (ENF) analysis, and it is helping forensic scientists to separate genuine, unedited recordings from those that have been tampered with.

Dr Harrison said: “We can extract [the hum] and compare it with the database – if it is a continuous recording, it will all match up nicely.

“If we’ve got some breaks in the recording, if it’s been stopped and started, the profiles won’t match or there will be a section missing. Or if it has come from two different recordings looking as if it is one, we’ll have two different profiles within that one recording.”

Posted on December 12, 2012 at 12:59 PM

Man-in-the-Middle Bank Fraud Attack

This sort of attack will become more common as banks require two-factor authentication:

Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.

Next, it initiates a transfer.

At this point Tatanga uses a Web Inject to trick the user into believing that the bank is performing a chipTAN test. The fake instructions request that the user generate a TAN for the purpose of this “test” and enter the TAN.

Note that the attack relies on tricking the user, which isn’t very hard.

Posted on September 14, 2012 at 11:23 AM

Implicit Passwords

This is a really interesting research paper (article here) on implicit passwords: something your unconscious mind remembers but your conscious mind doesn’t know. The Slashdot post is a nice summary:

A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It’s ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can’t be written down and it can’t be obtained via coercion or torture—i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information—but you’re completely unaware that you’ve actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game—but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence.

The system isn’t very realistic—people aren’t going to spend 45 minutes learning their passwords and a few minutes authenticating themselves—but I really like the direction this research is going.

Posted on July 24, 2012 at 6:28 AM

High-Quality Fake IDs from China

USA Today article:

Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards.

Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents.

The overseas forgers are bold enough to sell their wares on websites, USA TODAY research finds. Anyone with an Internet connection and $75 to $200 can order their personalized ID card online from such companies as ID Chief. Buyers pick the state, address, name and send in a scanned photo and signature to complete their profile.

ID Chief, whose website is based in China, responds personally to each buyer with a money-order request.

[…]

According to Huff of the Virginia agency, it has always been easy for the untrained eye to be fooled by fake IDs. The difference is, Huff said, that the new generation of forged IDs is “good enough to fool the trained eye.”

The only real solution here is to move the security model from the document to the database. With online verification, the document matters much less, because it is nothing more than a pointer into a database. Think about credit cards.

Posted on June 13, 2012 at 6:45 AM

Tax Return Identity Theft

I wrote about this sort of thing in 2006 in the UK, but it’s even bigger business here:

The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund, sometimes by check but more often through a convenient but hard-to-trace prepaid debit card.

The government-approved cards, intended to help people who have no bank accounts, are widely available in many places, including tax preparation companies. Some of them are mailed, and the swindlers often provide addresses for vacant houses, even buying mailboxes for them, and then collect the refunds there.

[…]

The fraud, which has spread around the country, is costing taxpayers hundreds of millions of dollars annually, federal and state officials say. The I.R.S. sometimes, in effect, pays two refunds instead of one: first to the criminal who gets a claim approved, and then a second to the legitimate taxpayer, who might have to wait as long as a year while the agency verifies the second claim.

J. Russell George, the Treasury inspector general for tax administration, testified before Congress this month that the I.R.S. detected 940,000 fake returns for 2010 in which identity thieves would have received $6.5 billion in refunds. But Mr. George said the agency missed an additional 1.5 million returns with possibly fraudulent refunds worth more than $5.2 billion.

The problem is that it doesn’t take much identity information to file a tax return with the IRS, and the agency automatically corrects your mistakes if you make them—and does the calculations for you if you don’t want to do them yourself. So it’s pretty easy to file a fake return for someone. And the IRS has no way to check if the taxpayer’s address is real, so it sends refunds out to whatever address or account you give them.

Posted on May 31, 2012 at 1:19 PM

Using Plant DNA for Authentication

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It’s a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the systems that apply, detect, and verify the chemicals.

Posted on January 24, 2012 at 6:46 AM

Authentication by "Cognitive Footprint"

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea—and I think this is a good one—is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.

I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.

Posted on January 23, 2012 at 11:49 AM
