Entries Tagged "forgery"

Fake Irises Fool Scanners

We already know you can wear fake irises to fool a scanner into thinking you’re not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you’re someone else.

EDITED TO ADD (8/13): Paper and slides.

Also this:

Daugman says the vulnerability in question, which involves using an iterative process to relatively quickly reconstruct a workable iris image from an iris template, is a classic “hill-climbing” attack that is a known vulnerability for all biometrics.

Posted on July 31, 2012 at 11:11 AM

High-Quality Fake IDs from China

USA Today article:

Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards.

Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents.

The overseas forgers are bold enough to sell their wares on websites, USA TODAY research finds. Anyone with an Internet connection and $75 to $200 can order their personalized ID card online from such companies as ID Chief. Buyers pick the state, address, name and send in a scanned photo and signature to complete their profile.

ID Chief, whose website is based in China, responds personally to each buyer with a money-order request.

[…]

According to Huff of the Virginia agency, it has always been easy for the untrained eye to be fooled by fake IDs. The difference is, Huff said, that the new generation of forged IDs is “good enough to fool the trained eye.”

The only real solution here is to move the security model from the document to the database. With online verification, the document matters much less, because it is nothing more than a pointer into a database. Think about credit cards.

Posted on June 13, 2012 at 6:45 AM

Plasmonics Anti-Counterfeiting Technology

This could be interesting:

NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display—which are typically 100-200 nanometers in diameter—in a way that creates what are called “surface plasmons.” In the words of the company, this means light “[collects] on the film’s surface and creates higher than expected optical outputs by creating an electromagnetic field, called surface plasmonic resonance.”

[…]

And security, surprisingly, is one of the major applications of these light-amplifying tiny holes. Compared with things like holograms, NOtES has a number of advantages. For one, the technology consists of nothing more than an array of tiny holes, which means it can literally be stamped into anything. Nanotech Security is in talks with the Bank of Canada, whose new plastic bills are a perfect candidate for security measures embedded using NOtES.

[…]

Using a physical stamp, Nanotech Security can imprint its minuscule holes into bills even after they’ve been printed, instantly transforming the area of the bill that’s been stamped into something that resembles a tiny LED. It’s just like the old-school printing process that yields embossed invitations and business cards, except that instead of pressing “save the date” into cardstock, a nickel stamp covered with nano-scale bumps presses corresponding holes into a material.

The results aren’t just visually crisp, they’re also good for keeping things top secret. That’s because the NOtES process yields a surface that reflects light from ultraviolet all the way into the far infrared, or wavelengths outside what we can see, but which can easily be read by machines. This opens up the potential for NOtES to be used to create watermarks on bills that counterfeiters can’t even see.

Anti-counterfeiting technologies have a difficult set of requirements. They need to be cheap for legitimate currency printers, and at the same time expensive for counterfeiters. That this technology can encode unique serial numbers—or even digital signatures of unique serial numbers—onto paper currency would be a big deal.

Posted on December 19, 2011 at 6:48 AM

Forged Google Certificate

There’s been a forged Google certificate out in the wild for the past month and a half. Whoever has it—evidence points to the Iranian government—can, if they’re in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn’t Google’s mistake; the certificate was issued by a Dutch CA that has nothing to do with Google.

This attack illustrates one of the many security problems with SSL: there are too many single points of trust.

EDITED TO ADD (9/1): It seems that 200 forged certificates were generated, not just for Google.

EDITED TO ADD (9/14): More news.

Posted on September 1, 2011 at 5:46 AM

Counterfeit Pilot IDs and Uniforms Will Now Be Sufficient to Bypass Airport Security

This seems like a really bad idea:

…the Transportation Security Administration began a program Tuesday allowing pilots to skirt the security-screening process. The TSA has deployed approximately 500 body scanners to airports nationwide in a bid to prevent terrorists from boarding domestic flights, but pilots don’t have to go through the controversial nude body scanners or other forms of screening. They don’t have to be patted down or go through metal detectors. Their carry-on bags are not searched.

I agree that it doesn’t make sense to screen pilots, that they’re at the controls of the plane and can crash it if they want to. But the TSA isn’t in a position to screen pilots; all they can decide to do is to not screen people who are in pilot uniforms with pilot IDs. And it’s far safer to just screen everybody than to trust that TSA agents will be able to figure out who is a real pilot and who is someone just pretending to be a pilot.

I wrote about this in 2006.

Posted on August 12, 2011 at 6:59 AM

Forged Subway Passes in Boston

For years, an employee of Cubic Corp—the company that makes the automatic fare card systems for most of the subway systems around the world—forged and then sold monthly passes for the Boston MBTA system.

The scheme was discovered by accident:

Coakley said the alleged scheme was only discovered after a commuter rail operator asked a rider where he had bought his pass. When the rider said he’d purchased the pass on Craigslist, the operator became suspicious and confiscated the ticket.

An investigation by the MBTA Transit Police found that despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said.

Although you’d think the MBTA would poke around the net occasionally, looking for discount tickets being sold on places like Craigslist.

Cubic Transportation Systems said in a written statement that it is cooperating with authorities. “Our company has numerous safeguards designed to prevent fraudulent production or distribution of Charlie Tickets,” the statement said, referring to the monthly MBTA passes.

It always amuses me when companies pretend the obvious isn’t true in their press releases. “Someone completely broke our system.” “Say that we have a lot of security.” “But it didn’t work.” “Say it anyway; the press will just blindly report it.”

To be fair, we don’t—and probably will never—know how this proprietary system was broken. In this case, an insider did it. But did that insider just have access to the system specifications, or was access to blank ticket stock or specialized equipment necessary as well?

EDITED TO ADD (5/22): More details:

On March 11, a conductor on the commuter rail’s Providence/Stoughton Line did a double-take when a customer flashed a discolored monthly pass, its arrow an unusually light shade of orange. The fading, caused by inadvertent laundering, would have happened even if the pass were legitimate, but the customer, perhaps out of nervousness, volunteered that he had purchased it at a discount on Craigslist, Coakley said.

That raised the conductor’s suspicion. He collected the pass and turned it over to the Transit Police, who found no record of its serial number and began investigating. Working with State Police from Coakley’s office, they traced it to equipment at the Beverly branch of Cubic Transportation Systems Inc. and then specifically to an employee: Townes, a 27-year-old Revere resident.

Auditing could have discovered the fraud much earlier:

A records check would have indicated that the serial numbers were not tied to accounts for paying customers. But the financially strapped MBTA, which handles thousands of passes and moves millions of riders a month, did not have practices in place to sniff out the small percentage of unauthorized passes in circulation, Davey said.
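The records check described above, as an added example (not from the original post, the MBTA or Cubic): it reconciles gate validations against the activation database and reports serials that open gates with no paying account behind them. The CSV columns, log format, gate names and serial numbers are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample data (hypothetical formats): the fare system's record of
# passes sold and activated, and one day of gate validation events.
ISSUED_CSV = """serial,account_id,activated
CT-100001,A-17,2011-03-01
CT-100002,A-22,2011-03-01
CT-100003,,
"""
GATE_LOG = """2011-03-11T07:58:02 gate=NS-04 serial=CT-100001 result=OPEN
2011-03-11T08:01:40 gate=NS-04 serial=CT-900417 result=OPEN
2011-03-11T08:03:11 gate=BB-02 serial=CT-100003 result=OPEN
2011-03-11T17:22:09 gate=SS-11 serial=CT-900417 result=OPEN
2011-03-11T17:30:55 gate=SS-11 serial=CT-100002 result=DENY
"""

def load_activated(issued_csv):
    """Return serials tied to both a paying account and an activation date."""
    rows = csv.DictReader(io.StringIO(issued_csv))
    return {r["serial"] for r in rows if r["account_id"] and r["activated"]}

def parse_gate_log(log_text):
    """Yield (timestamp, fields) for each non-empty validation line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        yield ts, dict(p.split("=", 1) for p in pairs if "=" in p)

def unbacked_passes(issued_csv, log_text):
    """Count gate openings per serial that has no activation record."""
    activated = load_activated(issued_csv)
    hits = Counter()
    for _ts, event in parse_gate_log(log_text):
        serial = event.get("serial")
        # A pass that opens a gate but is unknown to, or never activated in,
        # the database is the signature of the fraud described in the post.
        if serial and event.get("result") == "OPEN" and serial not in activated:
            hits[serial] += 1
    return dict(hits)

if __name__ == "__main__":
    for serial, n in sorted(unbacked_passes(ISSUED_CSV, GATE_LOG).items()):
        print(f"{serial}: opened a gate {n} time(s) with no activation record")
```

Both an unknown serial and a known but never-activated one are flagged, since either means the gate trusted the card rather than the database.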

Posted on May 20, 2011 at 7:44 AM

Decline in Cursive Writing Leads to Increase in Forgery Risk?

According to this article, students are no longer learning how to write in cursive. And, if they are learning it, they’re forgetting how. Certainly the ubiquity of keyboards is leading to a decrease in writing by hand. Relevant to this blog, the article claims that this is making signatures easier to forge.

While printing might be legible, the less complex the handwriting, the easier it is to forge, said Heidi H. Harralson, a graphologist in Tucson. Even though handwriting can change—and become sloppier—as a person ages, people who are not learning or practicing it are at a disadvantage, Ms. Harralson said.

“I’m seeing an increase in inconstancy in the handwriting and poor form level—sloppy, semi-legible script that’s inconsistent,” she said.

Most everyone has a cursive signature, but even those are getting harder to identify, Ms. Harralson said.

“Even people that didn’t learn cursive, they usually have some type of cursive form signature, but it’s not written very well,” she said. “It tends to be more abstract, illegible and simplistic. If they’re writing with block letters it’s easier to forge.”

Maybe, but I’m skeptical. Everyone has a scrawl of some sort; mine has been completely illegible for years. But I don’t see document forgery as a big risk; far bigger are the automatic authentication systems that don’t have anything to do with traditional forgery.

Posted on May 3, 2011 at 2:25 PM

Sidebar photo of Bruce Schneier by Joe MacInnis.