Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Guilty until proven innocent

Once again, in relation to charges levelled against their own, politicians have claimed that like everyone else, they deserve the presumption of innocence. But the old saw "innocent until proven guilty" is no universal human right. It is merely a corollary of the 18th century Blackstone's Formulation: "Better that ten guilty persons escape than that one innocent suffer".

For persons in positions of trust -- politicians, police officers, customs officers, judges and so on -- different calculations apply. The community cuts public officers less slack, because the consequences of their misconduct are far reaching. When only one bad apple can spoil the barrel, Blackstone's Formulation patently does not apply. It is probably better that 10 innocent politicians (or police officers or airport baggage handlers) lose their jobs than for one wrongdoer to stay in place.

If politicians agree to be held to higher standards than members of the public, then as part of the bargain, they cede the presumption of innocence.

Posted in Culture, Security

Card Not Present now three quarters of all fraud

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data.

Here's the latest picture of Australian payment card fraud in three major categories over the past six financial years.

[Figure: CNP fraud trends to FY 2011]

Card fraud by skimming and counterfeiting is holding steady, thanks to the security of EMV chip-and-PIN cards. Card Not Present (CNP) fraud is the preferred modus operandi of organised crime, and continues to grow unabated. The increase in CNP fraud from last financial year was 46%; CNP now represents 71% -- or nearly three quarters -- of total annual card fraud.

What's to be done about this never ending problem?

  • The credit card associations' flagship online payment protocol "3D Secure", rolled out selectively and tentatively overseas, is loathed by customers and merchants alike. 3D Secure is virtually unknown in Australia.
  • There have been various attempts to stem the tide of stolen cardholder details that fuels CNP fraud. Examples include 'big iron' software changes like "Tokenization", and the PCI-DSS security audit regime, which has proven expensive and largely futile. Arguments raged over whether Heartland Payment Systems (which suffered the world's biggest card data theft in 2009) was "really" PCI-DSS compliant. It's become so arbitrary that by the time the Sony PSN was breached last year with the loss of up to 70 million credit cards (nobody really knows how many), the question of whether Sony was PCI compliant never even came up.

Posted in Security, Payments, Fraud

Farmers know about silos

Imagine this. Two grain growers are neighbours. One farms wheat and the other corn. Both have invested a lot of money in their silos and grain handling equipment, all of which continues to be a significant cost in their operations. The corn farmer is an innovator and comes up with a bright idea. She approaches her neighbour and gives him the following proposition: since their infrastructure is such an overhead, why not, in the name of efficiency, join up and share their silos?

What farmer wouldn’t reject this idea out of hand? If a grain grower needs more capacity, in theory they could re-engineer the entire storage and handling system to use someone else's silo, strike up new support arrangements with their equipment providers, and seek insurance to cover new risks of mixing up their grains. But it would be simpler, cheaper and quicker to just build themselves another silo!

"Break down the silos" is one of the catch cries of modern management practice, and it's a special rallying call in the Federated Identity movement. Nobody denies that myriad passwords and security devices have become a huge headache, but attempts to solve what is really a technology and human factors challenge by sharing identities and identity provisioning all too often come unstuck.

It’s not for nothing that we call identity domains "silos". Grain silos are architecturally elegant, strong and safe; they are critical infrastructure for farmers.

Of all the metaphors in identity management, "silo" is actually one of the good ones. And you have to wonder when and why it became a dirty word in our industry. Identity silos are actually carefully constructed risk management arrangements and in IDAM, risk is the name of the game. As such, silos are not to be trifled with!

Posted in Security, Language, Federated Identity

Federation is at odds with infosec best practice - and nature

In modern information security we implore businesses to understand the risks of their particular business contexts, and to enact security mechanisms that are attuned to their environment. There is no one-size-fits-all risk management arrangement. And infosec professionals frown upon one company uplifting another's security system without first analysing their own situation and fine-tuning the controls.

The inherent differences between business settings are the clear reason why authentication rules have evolved into different silos.

And yet the dominant idea in contemporary identity management remains federation: the unreal optimism that one identity can efficiently work across multiple unrelated contexts.

It seems to me like a law of nature - perhaps something like a Conservation of Risk Management Energy - that the effort and cost required to devise one identity that interoperates across N contexts cannot be less than the total overhead of maintaining N separate identities.

It's truer today than ever before: you cannot cut corners in risk management.

Posted in Security, Federated Identity

An authentication family tree

How do we make best sense of the bewildering array of authenticators on the market? Most people are familiar with single factor versus two factor, but this simple dichotomy doesn’t help match technologies to applications. The reality is more complex. A family tree like the one sketched here may help navigate the complexity.

Different distinctions define various branch points. The first split is between what I call Transient authentication (i.e. access control) which tells if a user is allowed to get at a resource or not, and Persistent authentication, which lets a user leave a lasting mark (i.e. signature) on what they do, such as binding electronic transactions.

Working our way up the Transient branch, we see that most access controls are based either on shared secrets or biometrics. Dynamic shared secrets change with every session, either in a series of one time passwords or via challenge-response.

On the biometric branch, we should distinguish those traits that can be left behind inadvertently in the environment and are more readily stolen. The safer biometrics are “clean” and leave no residue. Note that while the voice might be recorded without the speaker’s knowledge, I don't see it as a residual biometric in practice because voice recognition solutions usually use dynamic phrases that resist replay.

For persistent authentication, the only practical option today is PKI and digital signatures, technology which is available in an increasingly wide range of forms. Embedded certificates are commonplace in smartcards, cell phones, and other devices.

The foliage in the family tree indicates which technologies I believe will continue to thrive, and which seem more likely to be dead-ends.

I'd appreciate feedback. Is this useful? Does anyone know of other taxonomies?

Posted in Security, PKI, Biometrics

Card numbers are like nitroglycerine

Not before time, merchants are pushing back on the PCI-DSS regime, with a new lawsuit brought by a restaurant against the card companies. Infosec commentators like Ben Wright ask why all the onus should be on merchants when the payments industry could invest in better security technology.

Credit card numbers are a bit like nitroglycerine: handle them with great care or they'll blow up. The slightest slip-up, the smallest weakness in database security in the face of sophisticated Advanced Persistent Threats, and tens of millions of card numbers are lost to criminals. PCI-DSS compliance is fiercely expensive, but all it does is protect against accidents; it is powerless to stop determined attackers or corrupt insiders.

Is it fair to hold merchants responsible for the highly technical handling procedures of the PCI-DSS regime, when instead the card companies could stabilise their highly volatile card data?

The fundamental problem with payment card safety (as is the case with most digital identity security) is that numbers are replayable. It's child's play to take account data and replay it against unsuspecting merchants, either via cloned mag stripe cards or, even easier, in online Card Not Present fraud.

[See also updated CNP fraud trends for FY2011.]

Yet with chip technologies now widespread, and digital signature primitives ubiquitous in computing and Internet platforms, it's nearly trivial to eliminate replay attacks. Not only could we dramatically reduce the cost of stolen card details, we'd pull the rug out from under organised crime, and we'd boost privacy by cutting the vicious cycle of gathering more and more ancillary personal data for proving customer identity.
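As an added illustration of the point just made (example code written for this page, not Lockstep's Stepwise or any product's design): a card number is a static secret that verifies identically however many times it is replayed, whereas an authorisation signed over the merchant, amount and a one-time nonce fails verification if any field is altered, and is refused by the acquirer if the same message is presented twice. The message fields, the key handling and the `Acquirer` type are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authorisation is what a cardholder's chip or device sends instead of a bare
// card number. Field names and layout are assumptions made for this illustration.
type Authorisation struct {
	CardRef  string // non-secret account reference, not the card number itself
	Merchant string
	Amount   int64 // cents
	Nonce    string // one-time value chosen by the cardholder device
}

// digest canonicalises the fields so signer and verifier hash identical bytes.
func (a Authorisation) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", a.CardRef, a.Merchant, a.Amount, a.Nonce)))
	return h[:]
}

func NewCardholderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign binds this specific transaction to the cardholder's private key.
func (a Authorisation) Sign(priv *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, a.digest())
}

// Acquirer checks signatures against registered public keys and remembers nonces.
type Acquirer struct {
	keys map[string]*ecdsa.PublicKey
	seen map[string]bool
}

func NewAcquirer(cardRef string, pub *ecdsa.PublicKey) *Acquirer {
	return &Acquirer{keys: map[string]*ecdsa.PublicKey{cardRef: pub}, seen: map[string]bool{}}
}

// Accept returns true only for a fresh, correctly signed authorisation.
func (q *Acquirer) Accept(a Authorisation, sig []byte) bool {
	pub, ok := q.keys[a.CardRef]
	if !ok || !ecdsa.VerifyASN1(pub, a.digest(), sig) {
		return false // unknown card, altered fields, or forged signature
	}
	key := a.CardRef + ":" + a.Nonce
	if q.seen[key] {
		return false // exact replay of an earlier authorisation
	}
	q.seen[key] = true
	return true
}

func main() {
	priv, _ := NewCardholderKey()
	acq := NewAcquirer("card-ref-0001", &priv.PublicKey)
	a := Authorisation{CardRef: "card-ref-0001", Merchant: "shop-A", Amount: 4999, Nonce: "n1"}
	sig, _ := a.Sign(priv)
	fmt.Println("genuine purchase accepted:", acq.Accept(a, sig)) // true
	fmt.Println("same message replayed:", acq.Accept(a, sig))     // false
	b := a
	b.Merchant = "shop-B" // captured signature presented to another merchant
	fmt.Println("signature reused elsewhere:", acq.Accept(b, sig)) // false
}
```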

Lockstep's R&D has proven a solution for this problem. Fast, easy-to-use, private, secure, low cost, mature, and feasible.

Posted in Security, Payments, Fraud

Technocrats' happy snaps

Once again, technologists confuse being in public with giving up one's right to privacy.

Today's Sydney Morning Herald reports on recent advances in automatic surveillance by facial recognition of people in public, especially airports. Now, I am not weighing into the public good argument; personally I would be delighted if this sort of technology thwarted terrorist plots. What worries me is the fundamental failure of technocrats to grasp privacy, and how this chronic blind spot biases their work.

The subject of the article, Professor Brian Lovell, is quoted as saying 'people did not have the right to privacy in places such as airports'.

It's vital to appreciate that the concept of being "in public" doesn't actually figure in Australia's Privacy Act. What matters in our privacy regime, and in the Information Privacy law of many countries, is Personal Information -- that is, any information about someone whose identity is readily apparent -- and how that information is collected, used, shared and managed.

Traditional surveillance tapes of people in public places are retained for some months, and if suspicion arises, they're pored over by cops on a mission. People caught on tape who are not of interest remain anonymous. But automatic facial recognition of digital imagery converts otherwise anonymous data into PI, in real time and en masse, without discriminating between suspects and everyone else. Identifiable information is then converted into profiles and intelligence and probably retained 'just in case' a good deal longer than video tapes. After all, disk space is cheap.

It's worrying that technocrats seem so often to have a very limited and self-selected understanding of information privacy (see some more analysis of this gap at Public yet still private). They're not well equipped to have the crucial public good debate if they don't get how their technology works to create vast drifts of Personal Information where previously there was none.

Posted in Security, Privacy, Biometrics

Biometrics and false advertising

Use of the word “unique” in biometrics constitutes false advertising.

There is little scientific basis for any of the common biometrics to be inherently "unique". The iris is a notable exception, where the process of embryonic development of eye tissue is known to create random features. But there's little or no literature to suggest that finger vein patterns or gait or voice traits should be highly distinctive and randomly distributed in ways that create what security people call "entropy". In fact, one of the gold standards in biometrics - fingerprinting - has been shown to be based more on centuries-old folklore than science (see the work of Simon Cole).

But more's the point, even if a trait is highly distinctive, the vagaries of real world measurement apparatus and conditions mean that every system commits false positives. Body parts age, sensors get grimy, lighting conditions change, and biometric systems must tolerate such variability. In turn, they make odd mistakes. In fact, consumer biometrics are usually tuned to deliberately increase the False Accept Rate, so as not to inconvenience too many bona fide users with a high False Reject Rate.

So no biometric system ever behaves like the trait is unique! Every system has a finite False Accept Rate; FARs of one or two percent are not uncommon. If one in fifty people are confused with someone else on a measured trait, how is that trait “unique”?

The word "unique" should be banned in connection with biometrics. It's not accurate, and it's used to create over-statements in biometric product marketing.

This is not mere nit picking. The biometrics industry gets away with terrible hyperbole, aided and abetted by loose talk, lulling users into a false sense of security. Managers and strategists need to understand at every turn that there is no such thing as perfect security. Biometric systems fail. But when lay people hear “unique” they think that’s the end of the story. They’re not encouraged to look at the error rate specs and think deeply about what they really mean.

Exaggeration in use of the word "unique" is just the tip of the iceberg. Biometrics vendors are full of it:

Economical with the truth

    • Major palm vein vendors claim spectacular error rates of FAR = 0.00008% and FRR = 0.01%. Their brochures show these specs side-by-side, without any mention of the fact that these are best case figures, and utterly impossible to achieve together. I've been asking one vendor for their Detection Error Tradeoff (DET) curves for years but I'm told they're commercial in confidence. The vendor won't even cough up the Equal Error Rate. And why? Because the tradeoff is shocking.
    • The International Biometric Group in 2006 published the only palm vein DET curve I have managed to find, in its Comparative Biometric Testing Round 6 ("CBT 6"). Curiously this report is hard to find nowadays, but I have a copy if anyone wants to see it. The DET curves give the lie to the best case vendor specs. For when the palm vein system is tuned to highest security setting with a best possible False Match Rate of 0.0007%, the False Non Match rate deteriorates to 12%, or worse than one in ten. [Ref: CBT6 Executive Summary, p6]
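To see why the two best-case brochure figures above cannot hold at one operating point, here is an added worked example (written for this page, not drawn from any vendor's or IBG's data) that models impostor and genuine comparison scores as two constructed normal distributions and traces the DET tradeoff: the threshold that achieves the quoted FAR and the FRR it then incurs, the reverse, and the equal error rate. The distribution parameters are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// ScoreModel is a constructed model (not measurements of any real product):
// impostor and genuine comparison scores are assumed normally distributed.
// Higher scores mean "more similar"; a comparison matches when score >= threshold.
type ScoreModel struct {
	ImpostorMean, ImpostorSD float64
	GenuineMean, GenuineSD   float64
}

// normalCDF is the standard normal distribution function Phi(z).
func normalCDF(z float64) float64 { return 0.5 * math.Erfc(-z/math.Sqrt2) }

// FAR is the fraction of impostor comparisons scoring at or above t (false accepts).
func (m ScoreModel) FAR(t float64) float64 {
	return 1 - normalCDF((t-m.ImpostorMean)/m.ImpostorSD)
}

// FRR is the fraction of genuine comparisons scoring below t (false rejects).
func (m ScoreModel) FRR(t float64) float64 {
	return normalCDF((t - m.GenuineMean) / m.GenuineSD)
}

// solve finds by bisection the threshold at which a monotone f equals target.
func solve(f func(float64) float64, target float64, increasing bool) float64 {
	lo, hi := -20.0, 40.0
	for i := 0; i < 200; i++ {
		mid := (lo + hi) / 2
		if (f(mid) < target) == increasing {
			lo = mid
		} else {
			hi = mid
		}
	}
	return (lo + hi) / 2
}

// ThresholdForFAR returns the threshold that yields the requested FAR.
func (m ScoreModel) ThresholdForFAR(far float64) float64 { return solve(m.FAR, far, false) }

// ThresholdForFRR returns the threshold that yields the requested FRR.
func (m ScoreModel) ThresholdForFRR(frr float64) float64 { return solve(m.FRR, frr, true) }

// EqualErrorRate returns the threshold where FAR == FRR and that common rate.
func (m ScoreModel) EqualErrorRate() (threshold, eer float64) {
	t := solve(func(t float64) float64 { return m.FAR(t) - m.FRR(t) }, 0, false)
	return t, m.FAR(t)
}

func main() {
	m := ScoreModel{ImpostorMean: 0, ImpostorSD: 1, GenuineMean: 6, GenuineSD: 1.5}
	// Brochure-style "best case" figures quoted on this page: FAR 0.00008%, FRR 0.01%.
	tFAR := m.ThresholdForFAR(0.00008 / 100)
	tFRR := m.ThresholdForFRR(0.01 / 100)
	fmt.Printf("Tuned for FAR 0.00008%%: threshold %.2f, FRR becomes %.1f%%\n", tFAR, 100*m.FRR(tFAR))
	fmt.Printf("Tuned for FRR 0.01%%:    threshold %.2f, FAR becomes %.1f%%\n", tFRR, 100*m.FAR(tFRR))
	tEER, eer := m.EqualErrorRate()
	fmt.Printf("Equal error rate: threshold %.2f, FAR = FRR = %.2f%%\n", tEER, 100*eer)
	// A few points along the DET curve, the figure vendors decline to publish.
	for _, t := range []float64{1, 2, 3, 4, 5} {
		fmt.Printf("  t=%.0f  FAR=%.5f%%  FRR=%.3f%%\n", t, 100*m.FAR(t), 100*m.FRR(t))
	}
}
```

With these constructed parameters the FAR specification forces a false reject rate around one in five, and the FRR specification forces a false accept rate around one in three; only the DET curve, not a pair of isolated numbers, tells a buyer which operating point they will actually get.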

Clueless about privacy

    • You'd think that biometric vendors would brush up on privacy. One of them attempted recently to calm fears over facial recognition by asserting that "a face is not, nor has it ever been, considered private". This red herring betrays a terrible misunderstanding of information privacy. Once faces are rendered personally identifiable by OSNs and names attached to the terabytes of hitherto anonymous snapshots in their stores, then that data becomes automatically subject to privacy law in many jurisdictions. It's a scandal of the highest order: albums innocently uploaded into the cloud over many years, now suddenly rendered identifiable, and trawled for commercially valuable intelligence, without consent, and without any explanation in the operators' Privacy Policies.

Ignoring published research

    • And you'd think that for such a research-intensive field (where many products are barely out of the lab) vendors would be up to date. Yet one of them has repeatedly claimed that biometric templates "are nearly impossible to be reverse engineered". This is either a lie or willful ignorance. The academic literature has many examples of facial and fingerprint templates being reverse engineered by successive approximation methods to create synthetic raw biometrics that generate matches with target templates. Tellingly, the untruth that templates can't be reversed has been recently repeated in connection with the possible theft of biometric data of all Israeli citizens. When passwords or keys or any normal security secrets are breached, the first thing we do is cancel them and re-issue the users with new ones, along with abject apologies for the inconvenience. But with biometrics, that's not an option. So no wonder vendors are so keen to stretch the truth about template security; to admit there is a risk of identity theft, without the ability to reinstate the biometrics of affected victims, would be catastrophic.

With more critical thinking, managers and biometric buyers would start to ask the tough questions, such as: How are you testing this system? How do real-life error rates compare with bench testing (which the FBI warns is always optimistic)? And what is the disaster recovery plan in the event that a criminal steals a user's biometric?

Posted in Security, Language, Biometrics

CNP fraud keeps growing without limit

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data.

Here's the latest picture of card fraud in three major categories over the past five calendar years.

[Figure: CNP fraud trends to CY 2010]

It appears that EMV chip cards continue to stifle skimming and counterfeiting, but Card Not Present (CNP) fraud is left as the preferred MO of organised crime, and continues to grow unabated.

It's high time that banks and online merchants took definitive steps to prevent the replay of stolen card numbers. See Lockstep Technologies' Stepwise.

Posted in Payments, Fraud, Security

Other thoughts on Real Names

I'm going to follow my own advice and not accept the premise of Google's and Facebook's Real Names policy that it is somehow good for quality. My main rebuttal of Real Names is that it's a commercial tactic and not a well-grounded, worthy social policy.

But here are a few other points I would make if I did want to argue the merits of anonymity - a quality and basic right I honestly thought was unimpeachable!

Nothing to hide? Puhlease!

Much of the case for Real Names riffs on the tired old 'nothing to hide' argument. This tough-love kind of view that respectable people should not be precious about privacy tends to be the preserve of middle class, middle aged white men who through accident of birth have never personally experienced persecution, or had grounds to fear it.

I wish more of the privileged captains of the Internet could imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. And as Identity Woman points out, we're not just talking about resistance fighters in the Middle East but also women in 21st century America who are pilloried for challenging the sexist status quo!

Some have argued that people who fear for their own safety should take their networking offline. That's an awfully harsh perpetuation of the digital divide. I don't deny that there are other ways for evil states to track us down online, and that using pseudonyms is no guarantee of safety. The Internet is indeed a risky place for conducting resistance for those who have mortal fears of surveillance. But ask the people who recently rose up on the back of social media if the risks were worth it, and the answer will be yes. Now ask them if the balance changes under a Real Names policy. And who benefits?

Some of the Internet metaphors are so bad they’re not even wrong

Some continue to compare the Internet with a "public square" and suggest there should be no expectation of privacy. In response, I note first of all that the public-private dichotomy is a red herring. Information privacy law is about controlling the flow of Personally Identifiable Information. Most privacy law doesn't care whether PII has come from the public domain or not: corporations and governments are not allowed to exploit PII harvested without consent.

Let's remember the standard set piece of spy movies where agents retreat to busy squares to have their most secret conversations. One's everyday activities in "public" are actually protected in many ways by the nature of the traditional social medium. Our voices don't carry far, and we can see who we're talking to. Our disclosures are limited to the people in our vicinity, we can whisper or use body language to obfuscate our messages, there is no retention of our PII, and so on. These protections are shattered by information technologies.

If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tattooing people's names on their foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit.

Medical OSN apartheid

What about medical social networking, one of the next frontiers for patient-centric care, especially in mental health? Are patients supposed to use their real names for "transparency" and "integrity"? Of course not, because studies show participation in healthcare in general depends on privacy, and many patients decline to seek treatment if they fear they will be exposed.

Now, Real Names advocates would no doubt seek to make medical OSN a special case, but that would imply an expectation that all healthcare discussions be taken off regular social circles. That's just not how real life socialising occurs.

Anonymity != criminality

There's a recurring angle that anonymity is somehow unlawful or unscrupulous. This attitude is based more on guesswork than criminology. If there were serious statistics on crime being aided and abetted by anonymity then we could debate this point, but there aren't. All we have are wild pronouncements like Eugene Kaspersky's call for an Internet Passport. It seems to me that a great deal of crime is enabled by having too much identity online. It's ludicrous that I should hand over so much Personal Information to establish my bona fides in silly little transactions, when we all know that data is being hoovered up and used behind our backs by identity thieves.

And the idea that OSNs have crime prevention at heart when they force us to use "real names" is a little disingenuous when their response to bullying, child pornography, paedophilia and so on has for so long been characterised by keeping themselves at a cool distance.

What’s real anyway?

What's so real about "real names" anyway? It's not like Google or Facebook can check them (in fact, when it suited their purposes, the OSNs previously disclaimed any ability to verify names).

But more's the point, given names are arbitrary. It's perfectly normal for people growing up to not "identify with" the names their parents picked for them (or indeed to not identify with their parents at all). We all put some distance between our adult selves and our childhoods. A given family name is no more real in any social sense than any other handle we choose for ourselves.

Posted in Social Media, Security, Privacy, Nymwars, Internet, Identity, e-health, Culture, Social Networking