Entries Tagged "authentication"


More Forged Credentials

I’ve written about forged credentials before, and how hard a problem it is to solve. Here’s another story illustrating the problem:

In an apparent violation of the law, a controversial aide to ex-Gov. Mitt Romney created phony law enforcement badges that he and other staffers used on the campaign trail to strong-arm reporters, avoid paying tolls and trick security guards into giving them immediate access to campaign venues, sources told the Herald.

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

Posted on July 20, 2007 at 1:37 PM

GAO Report on International Passenger Prescreening

From the U.S. GAO: “Aviation Security: Efforts to Strengthen International Prescreening are Under Way, but Planning and Implementations Remain,” May 2007.

What GAO Found

Customs and Border Protection (CBP), the Department of Homeland Security (DHS) agency responsible for international passenger prescreening, has planned or is taking several actions designed to strengthen the aviation passenger prescreening process. One such effort involves CBP stationing U.S. personnel overseas to evaluate the authenticity of the travel documents of certain high-risk passengers prior to boarding U.S.-bound flights. Under this pilot program, called the Immigration Advisory Program (IAP), CBP officers personally interview some passengers deemed to be high-risk and evaluate the authenticity and completeness of these passengers’ travel documents. IAP officers also provide technical assistance and training to air carrier staff on the identification of improperly documented passengers destined for the United States. The IAP has been tested at several foreign airports and CBP is negotiating with other countries to expand it elsewhere and to make certain IAP sites permanent. Successful implementation of the IAP rests, in part, on CBP clearly defining the goals and objectives of the program through the development of a strategic plan.

A second aviation passenger prescreening effort designed to strengthen the passenger prescreening process is intended to align international passenger prescreening with a similar program (currently under development) for prescreening passengers on domestic flights. The Transportation Security Administration (TSA)—a separate agency within DHS—is developing a domestic passenger prescreening program called Secure Flight. If CBP’s international prescreening program and TSA’s Secure Flight program are not effectively aligned once Secure Flight becomes operational, this could result in separate implementation requirements for air carriers and increased costs for both air carriers and the government. CBP and TSA officials stated that they are taking steps to coordinate their prescreening efforts, but they have not yet made all key policy decisions.

In addition to these efforts to strengthen certain international aviation passenger prescreening procedures, one other issue requires consideration in the context of these efforts. This issue involves DHS providing the traveling public with assurances of privacy protection as required by federal privacy law. Federal privacy law requires agencies to inform the public about how the government uses their personal information. Although CBP officials have stated that they have taken and are continuing to take steps to comply with these requirements, the current prescreening process allows passenger information to be used in multiple prescreening procedures and transferred among various CBP prescreening systems in ways that are not fully explained in CBP’s privacy disclosures. If CBP does not issue all appropriate disclosures, the traveling public will not be fully aware of how their personal information is being used during the passenger prescreening process.

Posted on May 23, 2007 at 7:18 AM

Does Secrecy Help Protect Personal Information?

Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don’t have the capability to protect that information.

There are actually two problems here: Personal information is easy to steal, and it’s valuable once stolen. We can’t solve one problem without solving the other. The solutions aren’t easy, and you’re not going to like them.

First, fix the economic problem. Credit card companies make more money extending easy credit and making it trivial for customers to use their cards than they lose from fraud. They won’t improve their security as long as you (and not they) are the one who suffers from identity theft. It’s the same for banks and brokerages: As long as you’re the one who suffers when your account is hacked, they don’t have any incentive to fix the problem. And data brokers like ChoicePoint are worse; they don’t suffer if they reveal your information. You don’t have a business relationship with them; you can’t even switch to a competitor in disgust.

Credit card security works as well as it does because the 1968 Truth in Lending Law limits consumer liability for fraud to $50. If the credit card companies could pass fraud losses on to the consumers, they would be spending far less money to stop those losses. But once Congress forced them to suffer the costs of fraud, they invented all sorts of security measures—real-time transaction verification, expert systems patrolling the transaction database and so on—to prevent fraud. The lesson is clear: Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it’s in the financial interest of financial institutions to protect us from identity theft, they will.

Second, stop using personal information to authenticate people. Watch how credit cards work. Notice that the store clerk barely looks at your signature, or how you can use credit cards remotely where no one can check your signature. The credit card industry learned decades ago that authenticating people has only limited value. Instead, they put most of their effort into authenticating the transaction, and they’re much more secure because of it.

This won’t solve the problem of securing our personal information, but it will greatly reduce the threat. Once the information is no longer of value, you only have to worry about securing the information from voyeurs rather than the more common—and more financially motivated—fraudsters.

And third, fix the other economic problem: Organizations that expose our personal information aren’t hurt by that exposure. We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don’t care for it properly.

“Passwords” like credit card numbers and mother’s maiden name used to work, but we’ve forever left the world where our privacy comes from the obscurity of our personal information and the difficulty others have in accessing it. We need to abandon security systems that are based on obscurity and difficulty, and build legal protections to take over where technological advances have left us exposed.

This essay appeared in the January issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum. Here’s his half.

Posted on May 14, 2007 at 12:24 PM

Keystroke Biometrics

This sounds like a good idea. From a news article:

The technology, which measures the time for which keys are held down, as well as the length between strokes, takes advantage of the fact that most computer users evolve a method of typing which is both consistent and idiosyncratic – especially for words used frequently such as a user name and password.

When registering, the user types his or her details nine times so that the software can generate a profile. Future login attempts are measured against the profile which, the company claims, can recognise the same user’s keystrokes with 99 per cent accuracy, using what is known as a “behavioural biometric.”

I wouldn’t want to automatically block users unless they get this right, and the false-positive/false-negative ratio would have to be jiggered properly, but if they can get it working right, it’s an extra layer of authentication for “free.”

Another news article. Slashdot thread.
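
The enrollment-and-compare scheme the article describes, as an added sketch that is not the vendor's algorithm or code from this post: dwell and flight times from nine enrollment entries form a profile, and each login is scored with a scaled Manhattan distance (an assumed choice of metric). All timings and thresholds are constructed; a poor match triggers a step-up rather than a block, and `error_rates` shows the false-reject/false-accept trade-off.

```python
from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0  # floor so a very consistent feature cannot dominate the score

def make_sample(dwell, flight):
    """Build (press_ms, release_ms) events from hold times and gaps."""
    events, t = [], 0
    for i, hold in enumerate(dwell):
        events.append((t, t + hold))
        if i < len(flight):
            t += hold + flight[i]
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [release - press for press, release in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, spread) profile from the enrollment samples."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must have the same key count")
    return [(mean(col), max(pstdev(col), MIN_SPREAD_MS)) for col in zip(*vectors)]

def score(profile, attempt):
    """Mean absolute deviation from the profile, in units of spread."""
    vec = features(attempt)
    if len(vec) != len(profile):
        return float("inf")  # wrong number of keystrokes never matches
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, profile))

def decide(profile, attempt, threshold=2.0):
    """Never a hard block: a poor match only asks for another factor."""
    return "accept" if score(profile, attempt) <= threshold else "step-up"

def error_rates(profile, genuine, impostor, threshold):
    """(false-reject rate, false-accept rate) at one threshold."""
    frr = sum(score(profile, a) > threshold for a in genuine) / len(genuine)
    far = sum(score(profile, a) <= threshold for a in impostor) / len(impostor)
    return frr, far

# Constructed timings (ms) for a four-key password; not real measurements.
OWNER_DWELL, OWNER_FLIGHT = [95, 80, 110, 90], [60, 140, 75]
ENROLLMENT = [
    make_sample([d + ((i + j) % 3 - 1) * 10 for j, d in enumerate(OWNER_DWELL)],
                [f + ((i + j) % 3 - 1) * 10 for j, f in enumerate(OWNER_FLIGHT)])
    for i in range(9)  # the article's nine registration entries
]
PROFILE = enroll(ENROLLMENT)
GENUINE = [make_sample([d + k for d in OWNER_DWELL], [f - k for f in OWNER_FLIGHT])
           for k in (5, 12, 25)]  # the owner on a good, average and tired day
IMPOSTOR = [make_sample([130, 120, 70, 140], [110, 60, 150]),
            make_sample([100, 90, 100, 100], [75, 125, 90])]  # a close mimic

if __name__ == "__main__":
    for t in (1.0, 2.0, 3.5):
        print(t, error_rates(PROFILE, GENUINE, IMPOSTOR, t))
```

With this constructed data no threshold drives both error rates to zero, because the close mimic scores better than the owner's average day.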

Posted on April 23, 2007 at 6:49 AM

Bank Botches Two-Factor Authentication

From their press release:

The computer was protected by two layers of security, a unique user-identifier and a multiple-character, alpha-numeric password.

Um, hello? Having a username and a password—even if they’re both secret—does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.

I wouldn’t trust the New Horizons Community Credit Union with my money.

Posted on April 13, 2007 at 7:33 AM

10,000 Fake British Passports in One Year

This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren’t fake passports; they’re real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.

The weak link in identity documents is the issuance procedures, not the documents themselves.

Posted on March 26, 2007 at 6:46 AM

Real-ID: Costs and Benefits

The argument was so obvious it hardly needed repeating. Some thought we would all be safer—from terrorism, from crime, even from inconvenience—if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and it’s ridiculous that a modern country like the United States doesn’t have one.

Still, most Americans have been and continue to be opposed to a national ID card. Even just after 9/11, polls showed a bare majority (51%) in favor—and that quickly became a minority opinion again. As such, both political parties came out against the card, which meant that the only way it could become law was to sneak it through.

Republican Cong. F. James Sensenbrenner of Wisconsin did just that. In February 2005, he attached the Real ID Act to a defense appropriations bill. No one was willing to risk not supporting the troops by holding up the bill, and it became law. No hearings. No floor debate. With nary a whisper, the United States had a national ID.

By forcing all states to conform to common and more stringent rules for issuing driver’s licenses, the Real ID Act turns these licenses into a de facto national ID. It’s a massive, unfunded mandate imposed on the states, and—naturally—the states have resisted. The detailed rules and timetables are still being worked out by the Department of Homeland Security, and it’s the details that will determine exactly how expensive and onerous the program actually is.

It is against this backdrop that the National Governors Association, the National Conference of State Legislatures, and the American Association of Motor Vehicle Administrators together tried to estimate the cost of this initiative. “The Real ID Act: National Impact Analysis” is a methodical and detailed report, and everything after the executive summary is likely to bore anyone but the most dedicated bean counters. But rigor is important because states want to use this document to influence both the technical details and timetable of Real ID. The estimates are conservative, leaving no room for problems, delays, or unforeseen costs, and yet the total cost is $11 billion over the first five years of the program.

If anything, it’s surprisingly cheap: Only $37 each for an estimated 295 million people who would get a new ID under this program. But it’s still an enormous amount of money. The question to ask is, of course: Is the security benefit we all get worth the $11 billion price tag? We have a cost estimate; all we need now is a security estimate.

I’m going to take a crack at it.

When most people think of ID cards, they think of a small plastic card with their name and photograph. This isn’t wrong, but it’s only a small piece of any ID program. What starts out as a seemingly simple security device—a card that binds a photograph with a name—rapidly becomes a complex security system.

It doesn’t really matter how well a Real ID works when used by the hundreds of millions of honest people who would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we can’t make it impossible. Real IDs will be forged.

Even worse, people will get legitimate cards in fraudulent names. Two of the 9/11 terrorists had valid Virginia driver’s licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn’t be bribed, cards are issued based on other identity documents—all of which are easier to forge.

And we can’t assume that everyone will always have a Real ID. Currently about 20% of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself would be susceptible to abuse.

Additionally, any ID system involves people: people who regularly make mistakes. We’ve all heard stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It’s not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints could help, but bring with them their own set of exploitable failure modes.

All of these problems demonstrate that identification checks based on Real ID won’t be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don’t know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.

But even if we could solve all these problems, and within the putative $11 billion budget, we still wouldn’t be getting very much security. A reliance on ID cards is based on a dangerous security myth, that if only we knew who everyone was, we could pick the bad guys out of the crowd.

In an ideal world, what we would want is some kind of ID that denoted intention. We’d want all terrorists to carry a card that said “evildoer” and everyone else to carry a card that said “honest person who won’t try to hijack or blow up anything.” Then security would be easy. We could just look at people’s IDs, and, if they were evildoers, we wouldn’t let them on the airplane or into the building.

This is, of course, ridiculous; so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. But that’s almost as ridiculous.

Even worse, as soon as you divide people into two categories—more trusted and less trusted people—you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity—and profile—of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.

There’s another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. Think of all the problems with the government’s no-fly list. That list, which is what Real IDs will be checked against, not only wastes investigative resources that might be better spent elsewhere, but it also causes grave harm to those innocents who fit the profile.

Enough of terrorism; what about more mundane concerns like identity theft? Perversely, a hard-to-forge ID card can actually increase the risk of identity theft. A single ubiquitous ID card will be trusted more and used in more applications. Therefore, someone who does manage to forge one—or get one issued in someone else’s name—can commit much more fraud with it. A centralized ID system is a far greater security risk than a decentralized one with various organizations issuing ID cards according to their own rules for their own purposes.

Security is always a trade-off; it must be balanced with the cost. We all do this intuitively. Few of us walk around wearing bulletproof vests. It’s not because they’re ineffective, it’s because for most of us the trade-off isn’t worth it. It’s not worth the cost, the inconvenience, or the loss of fashion sense. If we were living in a war-torn country like Iraq, we might make a different trade-off.

Real ID is another lousy security trade-off. It’ll cost the United States at least $11 billion, and we won’t get much security in return. The report suggests a variety of measures designed to ease the financial burden on the states: extend compliance deadlines, allow manual verification systems, and so on. But what it doesn’t suggest is the simple change that would do the most good: scrap the Real ID program altogether. For the price, we’re not getting anywhere near the security we should.

This essay will appear in the March/April issue of The Bulletin of Atomic Scientists.

EDITED TO ADD (1/30): There’s REAL-ID news this week. Maine became the first state to reject REAL-ID. This means that a Maine state driver’s license will not be recognized as valid for federal purposes, although I’m sure the Feds will back down over this. And other states will follow:

“As Maine goes, so goes the nation,” said Charlie Mitchell, director of the ACLU State Legislative Department. “Already bills have been filed in Montana, New Hampshire, New Mexico, Georgia and Washington, which would follow Maine’s lead in saying no to Real ID, with many more states on the verge of similar action. Across the nation, local lawmakers are rejecting the federal government’s demand that they curtail their constituents’ privacy through this giant unfunded boondoggle.”

More info on REAL-ID here.

EDITED TO ADD (1/31): More information on Montana. My guess is that Montana will become the second state to reject REAL-ID, and New Mexico will be the third.

Posted on January 30, 2007 at 6:33 AM

Iraqi Gunmen Dressing Up in American Military Uniforms

I’ve previously written about how official uniforms are inherent authentication tokens, even though they shouldn’t be (see also this and this for some less deadly anecdotes).

Now we see this tactic being used in Baghdad:

The armored sport utility vehicles whisked into a government compound in the city of Karbala with speed and urgency, the way most Americans and foreign dignitaries travel along Iraq’s treacherous roads these days.

Iraqi guards at checkpoints waved them through Saturday afternoon because the men wore what appeared to be legitimate U.S. military uniforms and badges, and drove cars commonly used by foreigners, the provincial governor said.

Once inside, however, the men unleashed one of the deadliest and most brazen ambushes of U.S. forces in a secure, official area. Five American service members were killed in a hail of grenades and gunfire in a breach of security that Iraqi officials called unprecedented.

Uniforms are no substitute for real authentication. They’re just too easy to steal or forge.

Posted on January 29, 2007 at 1:37 PM