Computerworld reports in the article ‘US Banks on High Alert against Cyber Attacks’ (http://www.computerworld.com/s/article/9231515/U.S._banks_on_high_alert_against_cyberattacks) that the FS-ISAC has raised its cyber threat level to ‘high’ given recent efforts by fraudsters to steal employee credentials and carry out multi-pronged wire-transfer transaction attacks that bypass authentication measures. According to the article, the perpetrators bypassed even the more stringent authentication measures and launched Denial of Service (DoS) attacks at the same time to distract officials.

Discussions that I participated in at the NYC August SpeechTek event talked about at least one major bank pilot that utilizes an easy-to-use, multi-factor voice authentication solution as one means to thwart these costly attacks.  Despite this success, we need to acknowledge that no amount of additional factors in a multi-factor solution will help if they are bypassed.  However, an easy-to-use voice interface with voice biometrics as part of a multi-factor authentication solution has the promise of being convenient and therefore more widely adopted.

Perhaps these recent events will provide impetus towards a voice biometric anti-fraud solution?

 

How has the facial recognition tsunami begun to shake our application and privacy policy paradigms? This article talks about the facial recognition wave. It draws on the workshop held in December 2011 by the Federal Trade Commission (FTC). In addition to consumer advocacy and policy groups, a host of technology experts and vendors such as Face.com and Google took part. Links to the transcripts and recordings of the public workshop, which contain more detailed information, are posted in iBiometrics’ blogroll links. This article discusses the changes in the technology, the wide variety of applications utilizing it, the importance of privacy policy and the direction of the technology.

Technology

At the workshop, Dr. Gross, a postdoctoral fellow at Carnegie Mellon University, talked about the challenges of facial recognition and the amazing strides it has made. The automated technology started in 1973 using data from 20 research subjects. Today we have comparatively enormous amounts of facial data; Face.com alone purports to have indexed 13 billion facial images covering a wide variety of poses. If we use our basic biometrics model, we note that facial recognition uses the same fundamental architecture for identification and verification purposes. Specifically, face biometrics involves four steps: face detection, normalization, feature extraction and matching. Detection finds faces in an image; normalization filters out extraneous information; feature extraction uses features of the face such as the distance between the eyes, the contour of the lips, etc. and creates a mathematical model. The final step matches those features against faces either from a gallery of images of many people or from one ‘claimed’ user’s portfolio of images.

Another speaker at the workshop was Dr. Jonathan Philips, a leading technologist at NIST. He has performed research in the area of facial biometrics since 1993, when he started the Face Recognition Technology (FERET) program. So again, if we use the basic biometrics information covered in previous sessions, we recall that false acceptance and false rejection rates are measurements of error rates and biometric accuracy. In 1993, Dr. Philips’ experiments yielded false reject rates of 79%. In 2002 the false rejection rate was 20%, and now he sees rates of .003. Clearly this is a phenomenal change over the past 10 years. His work was performed using mug shots with similar quality images, and he is now incorporating image quality issues into his research.

Applications

Applications include traditional applications for law enforcement, criminal detection/management from video tapes at retail stores or financial offices, border control and military. In the enterprise, local PC access is a secure and convenient way to log on to your PC with products like BioTrust replacing the Windows login. Here you see that some people love it while others have difficulty with positioning and lighting. A good feature of this product is that it lets you securely add to your enrollment portfolio over time, incorporating different conditions into your facial recognition model. This is critical for folks on the go and adds to the overall convenience of using facial recognition without having to enter your password.

The big application area that is everywhere today is social media, where naturally Google and Facebook are big players. Here you see a distinction between facial detection and recognition applications, where classification techniques to identify gender and age are valuable to the advertising business model of the internet. The digital billboard application that changes ads to be relevant to the viewer incorporates this capability as well.

The biggest use of facial recognition in social media today is photo tagging, which is popular for locating friends. However, when the technology was showcased last summer, the word ‘creepy’ was heard in the media reaction. Concerns were expressed about combining facial recognition with other technologies, such as location, that could potentially let you connect a name with the face of a stranger walking on the street next to you, as one example.

The ease of integration of facial technology with your applications represents a paradigm shift.  Face.com, as one example, has APIs that your application can integrate.  It is now possible for applications other than Google and Facebook to utilize the technology.  For example, there are fun applications that change an individual’s face and one that finds a biometrically similar mate as part of a dating site.  

Policy

It is undeniable that there is some need for privacy guidelines once you get into the ‘creepy’ territory and near crossing the line between acceptable and unacceptable use.  Parties agreed at the conference that privacy regulations were needed given the capability of the technology and the scope of its use.  Vendors like face.com who offer APIs and use best practices today based on industry ethics are in favor of a privacy framework that they can support and plug into.

Technology Direction for Facial Recognition

Dr. Gross of CMU talked about the impact of more image data now being available for research purposes. He sees potential in moving towards 3-D modeling to overcome the challenges associated with input images of faces in a wide variety of poses. Dr. Philips of NIST echoed the benefits of more research data and talked about the improvements in handling image quality and variability. I think that biometric fusion, where facial recognition is combined with other biometrics such as voice, is another direction that shows promise. For example, face and voice biometrics are often cited as having potential at a sophisticated ATM that replaces a teller.

One thing is for sure, facial recognition is here.  Privacy policy is needed to draw acceptable use guidelines today and into the future as the technology continues to capture innovation and be part of our social applications.

Author: Valene Skerpac (http://www.ibiometrics.com/Management_Skerpac.html)

Copyright protected 2012

 

The idea of biometrics in the cloud may sound odd to the security minded IT professional.  We know that in order to perform biometrics with integrity it is important to manage the trustworthiness of the entire process.  From an architectural and services standpoint, aren’t we just now working towards trustworthiness in the cloud, as seen in efforts such as the Trusted Cloud Initiative led by the Cloud Security Alliance?  In the past, executives have stated security as a reason not to move to the cloud.  From this viewpoint, how can it make sense to consider biometrics in the cloud?

Two Reasons Why ‘Biometrics in the Cloud’ Makes Sense Today

I think there are two good reasons why biometrics in the cloud does make sense today. One is Big Data and two is Wider Access. A March 2012 ComputerWorld article talks about Big Data becoming an issue that many IT organizations must come to terms with in 2012. The challenge: how do you store massive amounts of end user data and make it useful?

Large biometric deployments have this same issue. As an example, in the past several years the amount of biometric data records (mostly fingerprints, but also iris and facial images) has grown tremendously as several US agencies are required to use the latest identification and verification technologies. It is expected that there will be hundreds of millions of identities (petabytes of biometric data) in the Federal Bureau of Investigation, State Department, Homeland Security, and Department of Defense that need to be accessed in real time. One idea, started in 2011 by Booz Allen Hamilton, is to use the concept of cloud computing to drive up the performance of databases and the processing of large amounts of biometric data, as described in an article on the Booz Allen website.

This is but one example of what I think is a trend of using the computing concepts of Big Data and more processing power in the cloud to benefit biometrics. 

Secondly, biometrics in the cloud can provide Wider Access to biometrics. In fact, in the area of voice biometrics, a common configuration is to use the voice channel as input, collect the audio via the speech application and securely access voice biometrics engine services via SOAP messaging. Many organizations have historically used hosted (cloud) voice services, so the concept is not new. This cloud configuration, be it internal or external, actually lends itself to voice biometrics, allowing organizations to engage qualified hosting centers to gain access to more channels through unified communications and try new technology without the overhead of implementing it themselves.

Identity management is also moving towards providing wider access to cloud applications via cloud services. The CSA Trusted Cloud Initiative includes identity management, and identity management providers are targeting the cloud and looking to make use of federated identity methods to provide single sign-on along with strong authentication if required. Schemes recently developed allow organizations to maintain credentials such as biometric models in the cloud or behind their own firewall.

Another way that the cloud enables wider access to biometrics is seen in emerging countries. This is a very different model than the US model.

As an example, a recent NPR article describes the national ID project in India, where many Indians, in particular the poor, don’t have any ID. This makes it tough for them to fully engage in a rapidly modernizing society. A biometric project begun in 2010 tries to fix this problem by giving each citizen a biometric ID. At its peak, registrations were being made at a pace of one million people each day, and the voluntary program is set to exceed its target of 200 million shortly. The idea is that if every person’s biometric data is collected and linked in the cloud, then with the swipe of a thumb a rural farmer or city worker could be properly identified. For many people, this could determine whether or not they get access to a wide number of services.

Given the wide deployment of cellular networks in emerging countries, voice biometrics is popular and has grown quickly over the last six months through the cloud in Turkey. There are approximately 4 million voice biometrics users going through Global Bilgi, a CRM center that handles over 700 million customer contacts annually for a variety of companies, including Turkcell. Voice biometrics has improved customer service and decreased overhead by reducing the authentication process from 25 seconds to 5 seconds for Turkcell’s consumer customers and by 40 seconds for its corporate subscribers.

Reasons Why ‘Biometrics in the Cloud’ Requires Pragmatism

Biometrics used as a security technology requires security discipline. Using an established security risk practice, we apply a ‘what if’ analysis to determine why rushing to biometrics in the cloud with over-exuberance might not make sense. A realistic resource is a document produced by the National Research Council entitled ‘Biometric Recognition: Challenges and Opportunities’ (free download), which covers technical and societal issues. Contributors include leading research and industry experts in technology, medicine and law. The report tells us realistically the status of biometrics and where further research is recommended.

The research report reminds us of the realistic challenges of performing biometrics with integrity across populations over time. It focuses on two main challenges: biometrics are complex, and they are inherently probabilistic. In addition to the report, my previous posts and my other InfraGard learning series videos provide the background information on biometric technology to help understand why this is the case.

The national research report states that automated biometrics recognition of individuals should be ‘tempered by an awareness of the uncertainty associated with that recognition’.  Throughout our learning series, we have been realistic in positioning biometrics as a multi-factor technology option, in part due to this fact as well as differences in environments, cultures and laws.

The report advises that uncertainty can arise in a number of ways when using biometric systems in large populations including an ‘incomplete understanding of the distinctiveness and stability of the traits measured by biometric systems, the difficulty of characterizing the probability that an imposter will attack the system; and even the attitudes of the subjects using the systems—subjects who may have become conditioned by fictional depictions to expect, or even fear, that recognition will be perfect.’ 

Ultimately, the report recommends well run, pragmatic deployments with targeted users that effectively handle errors and deal with impostors.  In addition, continued research to understand the effects of population over time is recommended.  I agree with this strategy and believe that well executed biometric cloud implementations that meet prescribed goals are attainable and very beneficial.  An irony worth noting is that research itself can benefit from a ‘research cloud’ to better store and analyze biometric research data over time helping industries and governments to best utilize biometrics in the future.

Author: Valene Skerpac (http://www.ibiometrics.com/Management_Skerpac.html)

Copyright protected 2012

 

When I bring up biometrics as an authentication option to information technology professionals, there is usually a ‘favorite’ biometrics vulnerability story to tell, from a Mission Impossible recorded voice playback scene to the publicized ‘gummi bear’ fake finger report. The attacks seem etched in the minds of these professionals. The purpose of this blog, based on the February InfraGard TV Biometrics learning series, is to begin to talk about and categorize biometric threats as well as countermeasures that can or cannot be employed as part of a multi-factor authentication solution. The good news is that much work has been done over the past ten years by US and international standards bodies to define biometric threats and establish acceptable controls and procedures, including system countermeasures. I use those standards as well as other information as supporting material for this talk. Unfortunately, a fee is required regardless of an organization’s status to download the standards. They are listed below as a reference:

ISO/IEC 24745 – Information Technology – Security Techniques – Biometric Information Protection.  This 2011 standard provides guidance for the protection of biometric information under various requirements (of confidentiality, integrity and renewability/revocability) during storage and transfer.  It also describes requirements and guidelines for security and privacy-compliant management and processing of biometric information. See blogroll link for NIST presentation.

ISO 19092 – 2008 Financial Services – Biometrics – Security Framework and US version ANSI X9.84 – 2010 Biometrics Information management and Security for the Financial Services Industry.  These standards describe controls and policies and procedures for using biometrics as an authentication mechanism for secure remote electronic access or local physical access controls for the financial industry.  The standards provide guidance applicable to other industries and are meant to be tailored for a particular implementation.

I start with the USER as a threat category to biometric authentication.  On one hand, some users may mistrust and shun biometrics associated with a government program, for example the NY food stamps program issues surrounding fingerprints.  On the other hand, many users today are prone to overly trusting internet applications with facial or other biometrics readily acquired via multi-modal interfaces.  Users need a better understanding and tools/services to manage their identities and associated privacy and authorization privileges on an application basis.

The second threat category to biometrics authentication is the APPLICATION. Biometric engines for the various biometrics are available not just through vendors but via open source.  Do application providers intend to use the biometrics as a ‘toy’ or as a real security measure?  Are there established privacy and use policies that won’t change on a whim or through the inevitable application ‘function creep’ over time?  Application providers of all sizes need more understanding of and access to biometrics best practices.    

The next threat category to biometrics authentication is PERFORMANCE. In the November InfraGard TV learning series on biometrics technology, I talked more technically about the science of biometrics, including ‘What makes a good biometric’ for information security. That is, what traits are unique to the individual and, more significantly, different from those of other users who may pose as an imposter in a large population. The known accuracy of the engine is critical to the security design of a multi-factor authentication solution. If we expect a 97% accurate acceptance rate for the biometric factor as part of the multi-factor solution, then actual performance needs to be tracked and measured against at least the baseline performance expectations. Testing of the biometric engine for the targeted user set and environment is required by the engine provider prior to production deployment as well as when the engine expands and is improved over time.
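Tracking the error rates this paragraph calls for, using the false acceptance and false rejection rates defined in the facial recognition post above, as an added example that is not the author's code: the genuine and impostor match scores are constructed, the decision rule is "accept when score is at or above the threshold", and the 97% genuine-acceptance target is expressed as a maximum FRR of 0.03.

```python
"""FAR/FRR measurement for a biometric matcher (added example, constructed data)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # false acceptance rate: impostors scoring >= threshold
    frr: float  # false rejection rate: genuine users scoring < threshold


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> ErrorRates:
    """FAR and FRR of the rule 'accept iff score >= threshold'."""
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor scores")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def threshold_for_target_frr(genuine: List[float], impostor: List[float],
                             max_frr: float) -> ErrorRates:
    """Strictest (highest) threshold whose FRR still meets the target.

    Only the observed scores need to be tried: the error rates change only
    when the threshold crosses one of them.
    """
    for t in sorted(set(genuine) | set(impostor), reverse=True):
        rates = error_rates(genuine, impostor, t)
        if rates.frr <= max_frr:
            return rates
    raise ValueError("no threshold meets the target FRR")


def regression_check(baseline: ErrorRates, observed: ErrorRates,
                     tolerance: float = 0.01) -> bool:
    """True when observed FAR and FRR are no worse than the baseline plus tolerance."""
    return (observed.far <= baseline.far + tolerance
            and observed.frr <= baseline.frr + tolerance)


# Constructed scores (not real measurements): 20 genuine and 20 impostor attempts.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.90, 0.87, 0.93, 0.76, 0.89,
           0.92, 0.85, 0.81, 0.94, 0.86, 0.83, 0.90, 0.97, 0.88, 0.69]
IMPOSTOR = [0.42, 0.55, 0.61, 0.38, 0.47, 0.73, 0.50, 0.66, 0.44, 0.58,
            0.35, 0.62, 0.49, 0.71, 0.53, 0.40, 0.64, 0.46, 0.57, 0.80]

if __name__ == "__main__":
    # At 0.75 both error rates are 5%; meeting a 97% acceptance target with
    # these samples forces the threshold down to 0.69 and the FAR up to 15%.
    print(error_rates(GENUINE, IMPOSTOR, 0.75))
    print(threshold_for_target_frr(GENUINE, IMPOSTOR, max_frr=0.03))
```

The trade-off the second call exposes is the point of the paragraph: an acceptance target set without measuring the impostor side silently buys a much higher false acceptance rate.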

The fourth threat category to biometrics authentication is SYSTEM vulnerabilities and weaknesses at the system component level and/or during transmission. This category covers spoofing, data insertion, score manipulation, database compromise, hill climbing and threshold manipulation, which are broadly described here. In the 2011 biometrics sessions, I covered the basics of the biometrics verification process from an architectural perspective. Biometrics is a statistical process which consists of matching user input to a registered biometric and obtaining a score. In simplistic terms, if there is a match (i.e. the score is above a prescribed threshold) then the claimed user’s biometric is verified as part of the overall authentication process. I included an abstract diagram of biometric system components, noting that designs vary as to where each component resides.

  • Spoofing includes a replay of either raw biometric data (such as an audio recording) or biometric features extracted from the raw data and copied as input to the biometrics process. Since a raw biometric such as your voice is often public information, a user’s data can be obtained nefariously by hackers and used to fool the system into believing the user is present. ‘Liveness’ detection is important to a real-time authentication process. Techniques such as challenge-response that ask for randomized biometric input can be utilized to combat spoofing, or the biometric can be combined with other processes and/or factors of authentication to ensure liveness.
  • Attacks that change an impostor’s score to a higher, passing score are another avenue of attack. Scores need to be maintained internally by the engine. Other methods of communicating the matching outcome back to the application should be employed instead of exposing a raw score.
  • A database compromise of the biometric models, which are considered personal information, is problematic even though the models are generally considered one-way. The above referenced standard, ISO 24745, provides for renewability/revocability, which is particularly important for fixed biometrics such as a fingerprint.
  • Hill climbing attacks include a brute force attack whereby a hacker continually alters the biometric input while viewing the score until the score is above the threshold and the imposter fools the system. Scores should be kept internal to the engine as previously described, and verification attempts should be limited.
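A verification front-end that applies the countermeasures in the list above, as an added example that is not the author's code or any product's: the score and threshold stay inside the engine and only accept/reject leaves it, every verification must answer a fresh randomized challenge phrase, and repeated failures lock the account. The matcher, phrases, feature vectors and lockout policy are constructed stand-ins.

```python
"""Verification service applying score hiding, challenge-response and attempt limits."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy values (not from the page); a real deployment would tune them.
MAX_FAILED_ATTEMPTS = 3      # lock the account after this many failures
LOCKOUT_SECONDS = 900        # length of the lockout
CHALLENGE_TTL_SECONDS = 30   # a challenge phrase must be answered within this
THRESHOLD = 0.75             # engine decision threshold; never sent to clients
PHRASES = ["blue river seven", "green harbor twelve", "silver orchard nine"]

Matcher = Callable[[List[float], List[float]], float]


def toy_matcher(sample: List[float], model: List[float]) -> float:
    """Stand-in for a real engine: similarity from mean absolute feature distance."""
    diffs = [abs(a - b) for a, b in zip(sample, model)]
    return max(0.0, 1.0 - sum(diffs) / len(diffs))


@dataclass
class UserState:
    model: List[float]               # enrolled model, private to the engine
    failures: int = 0
    locked_until: float = 0.0
    challenge: Optional[str] = None  # outstanding one-shot challenge phrase
    challenge_issued: float = 0.0


class VerificationService:
    def __init__(self, matcher: Matcher, clock: Callable[[], float] = time.time):
        self._matcher = matcher
        self._clock = clock
        self._users: Dict[str, UserState] = {}

    def enroll(self, user_id: str, model: List[float]) -> None:
        self._users[user_id] = UserState(model=list(model))

    def issue_challenge(self, user_id: str) -> str:
        """Randomized phrase, so a recording of a fixed pass phrase cannot be replayed."""
        state = self._users[user_id]
        state.challenge = secrets.choice(PHRASES)
        state.challenge_issued = self._clock()
        return state.challenge

    def verify(self, user_id: str, spoken_phrase: str, sample: List[float]) -> bool:
        """Return only accept/reject; the raw score never leaves this method,
        so a caller cannot watch it move and hill-climb toward the threshold."""
        state = self._users.get(user_id)
        now = self._clock()
        if state is None or now < state.locked_until:
            return False                        # unknown user or locked out
        expected = state.challenge
        state.challenge = None                  # one-shot: consumed on first use
        fresh = (expected is not None
                 and now - state.challenge_issued <= CHALLENGE_TTL_SECONDS)
        accepted = (fresh and spoken_phrase == expected
                    and self._matcher(sample, state.model) >= THRESHOLD)
        if accepted:
            state.failures = 0
            return True
        state.failures += 1
        if state.failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return False


# Constructed feature vectors (not real biometric data).
ENROLLED_MODEL = [0.2, 0.4, 0.6, 0.8]
GENUINE_SAMPLE = [0.22, 0.38, 0.61, 0.79]   # similarity about 0.985 -> accept
IMPOSTOR_SAMPLE = [0.7, 0.1, 0.9, 0.3]      # similarity 0.6 -> reject

if __name__ == "__main__":
    svc = VerificationService(toy_matcher)
    svc.enroll("alice", ENROLLED_MODEL)
    phrase = svc.issue_challenge("alice")
    print(svc.verify("alice", phrase, GENUINE_SAMPLE))   # True
    print(svc.verify("alice", phrase, GENUINE_SAMPLE))   # False: challenge already used
```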

The top threat category to biometrics authentication is one at the ORGANIZATION level associated with identity assurance during enrollment.  Is the user being enrolled the authentic user?  For higher security applications, rigorous policies and procedures are needed for the enrollment assurance.  Industry guidelines or regulations for the integrity of an enrollment process for authentication of the user prior to the acceptance of biometric enrollment credentials should be followed.     

In summary, through best practices, biometric threats to multi-factor authentication solutions can be addressed.  However, it is important to note that even the best multi-factor solution that delivers high levels of enrollment and verification security does not necessarily protect against other attacks.  For example, once the user is authenticated, he or she could become a victim of a man-in-the-middle attack if their machine is infected from malware obtained elsewhere.  Layered security that includes secure authentication is what is required today.    

 Video segments of this talk from InfraGard TV can be found at Part One (http://www.youtube.com/watch?feature=endscreen&v=smSYaRCyhE8&NR=1) and Part Two (http://www.youtube.com/watch?v=YMQ8v5qQpXY&feature=related).

Author: Valene Skerpac (http://www.ibiometrics.com/Management_Skerpac.html)

Copyright protected 2012

 

I have started a series of blog entries that correspond with the NY InfraGard (https://www.nym-infragard.us/cms/) learning TV series broadcast on Tuesday mornings, with segments subsequently uploaded to YouTube. I started a series on biometrics authentication and identity in the fall of 2011.

In the kick-off October session, I talked about the authentication landscape and where biometrics fit in. Authentication guidelines and regulations are trending towards multiple factors of authentication as a response to identity fraud (over 11 million US victims in 2010) and weak credentials (Verizon Breach Report). Authentication use cases are many and varied given the explosion of devices, applications and mobility. For those interested, I covered the basics of how biometrics work during the session as background information.

This brought the session to the top four reasons for biometrics as part of a multi-factor authentication solution. The first reason is that biometrics can’t be shared. If your application requirements stipulate that a credential cannot be shared (for example, I can’t access my daughter’s medical records using her information) then a biometric is a straightforward way to accomplish this. Other methods of authentication become overly complex to design from a usability standpoint if this is a driving requirement. The second reason for a biometric is that if the user interface is well designed and the biometric performs as anticipated, it is convenient. For example, swipe a finger, look at the camera or say a pass phrase.  The third reason for a biometric is that it is a legal signature and, as such, can facilitate workflows that expedite business processes and reduce costs.  The fourth reason for biometrics is that they can enable personalization as part and parcel of emerging multi-modal applications.

We wrapped up with an approach to building successful multi-factor biometric solutions. You can watch the video segments from InfraGard TV on YouTube at Part One – Intro and Background (http://www.youtube.com/watch?v=hYl7DCKGSiM&feature=related) and Part Two – Four Reasons and Successful Approach (http://www.youtube.com/watch?v=_SqdSVhSZGU&feature=related).

Author: Valene Skerpac (http://www.ibiometrics.com/Management_Skerpac.html)

Copyright protected 2012

 

As voice and automated speech processing find their way into all of our applications and devices, speaker verification becomes a more natural option as part of a multi-factor authentication identity framework.  Including voice identification as an authentication option is part of a new and evolving multi-factor authentication paradigm which is gaining relevance.  This blog is dedicated to including voice and mobile or telephone related identification in evolving ID scenarios and solutions.

© 2012 Identity +Plus Voice