Entries Tagged "authentication"

Page 25 of 27

Real ID and Identity Theft

Reuters on the trade-offs of Real ID:

Nobody yet knows how much the Real ID Act will cost to implement or how much money Congress will provide for it. The state of Washington, which has done the most thorough cost analysis, put the bill in that state alone at $97 million in the first two years and believes it will have to raise the price of a driver’s license to $58 from $25.

On the other hand, a secure ID system could save millions in Medicare and Medicaid fraud and combat identity theft.

Why does Reuters think that a better ID card will protect against identity theft? The problem with identity theft isn’t that ID cards are forgeable, it’s that financial institutions don’t check them before authorizing transactions.

Posted on October 14, 2005 at 11:20 AMView Comments

The Doghouse: Lexar LockTight

Do you think we should tell these people that SHA-1 is not an encryption algorithm?

Developed by Lexar, the new security solution is based on a 160-bit encryption technology and uses SHA-1 (Secure Hash Algorithm), a standard approved by the National Institute of Standards and Technology (NIST). The 160-bit encryption technology is among the most effective and widely accepted security solutions available.

This seems not to be a typo. They explain themselves in more detail here:

Lexar has provided us with the following explanation as to how data is protected on the LockTight cards: (we understand that the encryption is carried out on the communications layer between the card and camera/computer rather than the data itself).

“Lexar employs a unique strategy to protect data on LockTight cards. LockTight cards are always ‘locked.’ In other words no computer or camera can read or write data from/to a LockTight card until a critical authorization process takes place between the LockTight card and the host computer or host camera. This authorization process is where the 160-bit HMAC SHAH-1 encryption algorithm is employed.”

Posted on October 3, 2005 at 8:22 AMView Comments

Forging Low-Value Paper Certificates

Both Subway and Cold Stone Creamery have discontinued their frequent-purchaser programs because the paper documentation is too easy to forge. (The article says that forged Subway stamps are for sale on eBay.)

It used to be that the difficulty of counterfeiting paper was enough security for these sorts of low-value applications. Now that desktop publishing and printing is common, it’s not. Subway is implementing a system based on magnetic stripe cards instead. Anyone care to guess how long before that’s hacked?

Posted on September 27, 2005 at 7:43 AMView Comments

Identity Thief Steals House

From Plastic:

James Cook left on a business trip to Florida, and his wife Paula went to Oklahoma to care for her sick mother. When the two returned to Frisco, Texas, several days later, their keys didn’t work. The locks on the house had been changed.

They spent their first night back sleeping in a walk-in closet, with a steel pipe ready to cold-cock any intruders. The next day, they met the man who thought he owned their house, because he had put a US$12,000 down payment to someone named Carlos Ramirez. The Cooks went to the Denton County Courthouse and checked their title. Someone had forged Paula Cook’s maiden name, Paula Smart, and transferred the deed to Carlos Ramirez. Paula’s identity was not only stolen, but the thief also stole her house. Even the police said they’ve never seen a case like this one, but suspect the criminal was able to steal the identity and the house with just Mrs. Cook’s Social Security number, driver’s license number and a copy of her signature.

This is a perfect example of the sort of fraud issue that a national ID card won’t solve. The problem is not that identity credentials are too easy to forge. The problem is that the criminal needed nothing more than “Mrs. Cook’s Social Security number, driver’s license number and a copy of her signature.” And the solution isn’t a harder-to-forge card; the solution is to make the procedure for transferring real-estate ownership more onerous. If the Denton County Courthouse had better transaction authentication procedures, the particulars of identity authentication—a national ID, a state driver’s license, biometrics, or whatever—wouldn’t matter.

If we are ever going to solve identity theft, we need to think about it properly. The problem isn’t misused identity information; the problem is fraudulent transactions.

Posted on August 29, 2005 at 7:42 AMView Comments

Actors Playing New York City Policemen

Did you know you could be arrested for carrying a police uniform in New York City?

With security tighter in the Big Apple since Sept. 11, 2001, the union that represents TV and film actors has begun advising its New York-area members to stop buying police costumes or carrying them to gigs, even if their performances require them.

The Screen Actors Guild said in a statement posted on its Web site on Friday that “an apparent shift in city policy” may put actors at risk of arrest if they are stopped while carrying anything that looks too much like a real police uniform.

The odds that an actor might be stopped and questioned on his or her way to work went up this month when police began conducting random searches of passengers’ bags in New York’s subway system. The guild said two of its members had been detained by security personnel at an airport and a courthouse in recent months for possessing police costumes.

This seems like overkill to me. I understand that a police uniform is an authentication device—not a very good one, but one nonetheless—and we want to make it harder for the bad guys to get one. But there’s no reason to prohibit screen or stage actors from having police uniforms if it’s part of their job. This seems similar to the laws surrounding lockpicks: you can be arrested for carrying them without a good reason, but locksmiths are allowed to own the tools of their trade.

Here’s another bit from the article:

Under police department rules, real officers must be on hand any time an actor dons a police costume during a TV or film production.

I guess that’s to prevent the actor from actually impersonating a policeman. But how often does that actually happen? Is this a good use of police manpower?

Does anyone know how other cities and countries handle this?

Posted on August 25, 2005 at 12:52 PMView Comments

Eavesdropping on Bluetooth Automobiles

This is impressive:

This new toool is called The Car Whisperer and allows people equipped with a Linux Laptop and a directional antenna to inject audio to, and record audio from bypassing cars that have an unconnected Bluetooth handsfree unit running. Since many manufacturers use a standard passkey which often is the only authentication that is needed to connect.

This tool allows to interact with other drivers when traveling or maybe used in order to talk to that pushy Audi driver right behind you 😉 . It also allows to eavesdrop conversations in the inside of the car by accessing the microphone.

EDITED TO ADD: Another article.

Posted on August 2, 2005 at 1:41 PMView Comments

Security Skins

Much has been written about the insecurity of passwords. Aside from being guessable, people are regularly tricked into providing their passwords to rogue servers because they can’t distinguish spoofed windows and webpages from legitimate ones.

Here’s a clever scheme by Rachna Dhamija and Doug Tygar at the University of California Berkeley that tries to deal with the problem. It’s called “Dynamic Security Skins,” and it’s a pair of protocols that augment passwords.

First, the authors propose creating a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user’s personal image, it is safe for the user to enter his password.

Second, to prove its identity, the server generates a unique abstract image for each user and each transaction. This image is used to create a “skin” that automatically customizes the browser window or the user interface elements in the content of a webpage. The user’s browser can independently reach the same image that it expects to receive from the server. To verify the server, the user only has to visually verify that the images match.

Not a perfect solution by any means—much Internet fraud bypasses authentication altogether—but two clever ideas that use visual cues to ensure security. You can also verify server authenticity by inspecting the SSL certificate, but no one does that. With this scheme, the user has to recognize only one image and remember one password, no matter how many servers he interacts with. In contrast, the recently announced Site Key (Bank of America’s implementation of the Passmark scheme) requires users to save a different image with each server.

Posted on July 1, 2005 at 7:31 AMView Comments

Wired on Identity Theft

This is a good editorial from Wired on identity theft.

Following are the fixes we think Congress should make:

Require businesses to secure data and levy fines against those who don’t. Congress has mandated tough privacy and security standards for companies that handle health and financial data. But the rules for credit agencies are woefully inadequate. And they don’t cover other businesses and organizations that handle sensitive personal information, such as employers, academic institutions and data brokers. Congress should mandate strict privacy and security standards for anyone who handles sensitive information, and apply tough financial penalties against companies that fail to comply.

Require companies to encrypt all sensitive customer data. Any standard created to protect data should include technical requirements to scramble the data—both in storage and during transit when data is transferred from one place to another. Recent incidents involving unencrypted Bank of America and CitiFinancial data tapes that went missing while being transferred to backup centers make it clear that companies think encryption is necessary only in certain circumstances.

Keep the plan simple and provide authority and funds to the FTC to ensure legislation is enforced. Efforts to secure sensitive data in the health and financial industries led to laws so complicated and confusing that few have been able to follow them faithfully. And efforts to monitor compliance have been inadequate. Congress should develop simpler rules tailored to each specific industry segment, and give the FTC the necessary funding to enforce them.

Keep Social Security numbers for Social Security. Social Security numbers appear on medical and voter-registration forms as well as on public records that are available through a simple internet search. This makes it all too easy for a thief to obtain the single identifying number that can lead to financial ruin for victims. Americans need a different unique identifying number specifically for credit records, with guarantees that it will never be used for authentication purposes.

Force credit agencies to scrutinize credit-card applications and verify the identity of credit-card applicants. Giving Americans easy access to credit has superseded all other considerations in the cutthroat credit-card business, helping thieves open accounts in victims’ names. Congress needs to bring sane safeguards back into the process of approving credit—even if it means adding costs and inconveniencing powerful banking and financial interests.

Extend fraud alerts beyond 90 days. The Fair Credit Reporting Act allows anyone who suspects that their personal information has been stolen to place a fraud alert on their credit record. This currently requires a creditor to take “reasonable” steps to verify the identity of anyone who applies for credit in the individual’s name. It also requires the creditor to contact the individual who placed the fraud alert on the account if they’ve provided their phone number. Both conditions apply for 90 days. Of course, nothing prevents identity thieves from waiting until the short-lived alert period expires before taking advantage of stolen information. Congress should extend the default window for credit alerts to a minimum of one year.

Allow individuals to freeze their credit records so that no one can access the records without the individuals’ approval. The current credit system opens credit reports to almost anyone who requests them. Individuals should be able to “freeze” their records and have them opened to others only when the individual contacts a credit agency and requests that it release a report to a specific entity.

Require opt-in rather than opt-out permission before companies can share or sell data. Many businesses currently allow people to decline inclusion in marketing lists, but only if customers actively request it. This system, known as opt-out, inherently favors companies by making it more difficult for consumers to escape abusive data-sharing practices. In many cases, consumers need to wade through confusing instructions, and send a mail-in form in order to be removed from pre-established marketing lists. The United States should follow an opt-in model, where companies would be forced to collect permission from individuals before they can traffic in personal data.

Require companies to notify consumers of any privacy breaches, without preventing states from enacting even tougher local laws. Some 37 states have enacted or are considering legislation requiring businesses to notify consumers of data breaches that affect them. A similar federal measure has also been introduced in the Senate. These are steps in the right direction. But the federal bill has a major flaw: It gives companies an easy out in the case of massive data breaches, where the number of people affected exceeds 500,000, or the cost of notification would exceeds $250,000. In those cases, companies would not be required to notify individuals, but could comply simply by posting a notice on their websites. Congress should close these loopholes. In addition, any federal law should be written to ensure that it does not pre-empt state notification laws that take a tougher stance.

As I’ve written previously, this won’t solve identity theft. But it will make it harder and protect the privacy of everyone. These are good recommendations.

Posted on June 29, 2005 at 7:18 AMView Comments

Stupid People Purchase Fake Concert Tickets

From the Boston Herald

Instead of rocking with Bono and The Edge, hundreds of U2 fans were forced to “walk away, walk away” from the sold-out FleetCenter show Tuesday night when their scalped tickets proved bogus.

Some heartbroken fans broke down in tears as they were turned away clutching worthless pieces of paper they shelled out as much as $2,000 for.

You might think this was some fancy counterfeiting scheme, but no.

It took Whelan and his staff a while to figure out what was going on, but a pattern soon emerged. The counterfeit tickets mostly were computer printouts bought online from cyberscalpers.

Online tickets are a great convenience. They contain a unique barcode. You can print as many as you like, but the barcode scanners at the concert door will only accept each barcode once.

Only an idiot would buy a printout from a scalper, because there’s no way to verify that he will only sell it once. This is probably obvious to anyone reading this, but it tuns out that it’s not obvious to everyone.

“On an average concert night we have zero, zilch, zip problems with counterfeit tickets,” Delaney said. “Apparently, U2 has whipped this city into such a frenzy that people are willing to take a risk.”

I find this fascinating. Online verification of authorization tokens is supposed to make counterfeiting more difficult, because it assumes the physical token can be copied. But it won’t work if people believe that the physical token is unique.

Note: Another write-up of the same story is here.

Posted on June 2, 2005 at 2:10 PMView Comments

Spelling Errors as a Counterfeiting Defense

This is a weird rumor.

ID cards in Belgium are being printed with intentional misspellings in an attempt to thwart potential fraudsters.

Four circular arcs on the ID cards show the country’s name in different languages—French, Dutch, German and English. According to the article, the German and English arcs will be spelled incorrectly, and misspellings will also appear elsewhere on the cards. The idea is that people making counterfeit cards won’t notice the misspellings on the originals and will print the fraudulent cards with the names spelled properly.

More information is here:

To trick fraudsters, the Home Office has introduced three circular arcs on the card—just beneath the identity photos—where you will find the name of the country in the official languages spoken in Belgium—French, Dutch and German, as well as in English. But instead of ‘Belgien’ in German, the ID card incorrectly uses the name ‘Belgine’ and instead of ‘Belgium’ in English, the card reads ‘Belguim’. Vanneste has promised other errors will be printed on the card to “further confuse fraudsters”. With any luck, these will not be revealed.

I’m not impressed with this as a countermeasure. It’s certainly true that poor counterfeits will have all sorts of noticeable errors—and correct spelling might certainly be one of them. But the more people that know about the misspellings, the less likely a counterfeiter will get it wrong. And the more likely a counterfeiter will get it wrong, the less likely anyone will notice.

I’m all for hard-to-counterfeit features in ID cards. But why make them grammatical?

Posted on June 1, 2005 at 7:58 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.