Industry News

Experts: Discarded electronics can lead to identity theft

SEATTLE — Technology evolves in leaps and bounds, which means cell phones and laptops that were on tech’s bleeding edge a few years ago will soon be woefully outdated.

But what do you do when you don’t want those old electronics anymore?

You can sell them, recycle them or give them away. But experts say the best way to avoid identity theft is to destroy them.

Most smart devices are designed to save your personal information. You may think you’ve erased everything, but that cell phone or tablet computer could still be loaded with data — just the sort of stuff an identity thief needs to target you.

Robert Siciliano, an identity theft expert with McAfee (the digital security software company), did a little experiment to find out how often this happens.

“I was surprised that I found people’s entire digital lives,” he said.

Like many of us, Siciliano used to sell his old digital devices when he upgraded to new ones. But not anymore.

“I will never, ever sell a device that has storage in it ever again,” he said.

Siciliano went on Craigslist and bought a bunch of digital devices.

“I bought iPhones, iPods, laptops, desktops, netbooks, notebooks,” he said. “I wanted to see what type of information I could find on them.”

Of the 30 devices he purchased, Siciliano said he was able to retrieve data from more than half of them.

And the scariest part is that in most cases, the person selling the device thought they had purged the data by following the manufacturer’s instructions.

Despite their best efforts to scrub the electronics, Siciliano said someone who knows computers wouldn’t have a hard time retrieving the data.

“I bought this from a student. It had all of his personal information, banking information. It had photos and videos, videos of him at a concert and also a lot of pornography. Way too much information for me,” he said.

Without much effort, Siciliano was also able to uncover personal and financial information from a family’s desktop computer. It still had their banking information and Social Security numbers.

Siciliano said equipment manufacturers and software developers need to do a better job, so people can effectively erase and delete the data stored on their devices.

“A problem with a lot of the digital devices we have today is that when you reset the operating system, when you reinstall or reformat, it doesn’t often do the job it says it does,” he said. “So you’re leaving a lot of bread crumbs that can be all spliced back together, which allows a bad guy to basically steal your identity.”

Based on his experiment, Siciliano said Blackberries were the best at completely scrubbing deleted data. Apple products also did a good job, but Android devices didn’t fare as well in the tests. Even when people did a factory reset, Siciliano still found a tremendous amount of data on the Androids.

He also found that it’s difficult to completely scrub devices that run on Windows XP.

“This study scared me so much because I’m just as guilty as anyone else of selling devices on Craigslist. I will never, ever sell a device that has storage in it ever again,” Siciliano said.

Instead of selling or donating the devices, Siciliano advises people to destroy them.

“I will take it and put it in a vice and I will drill holes through it,” he said. “I will smash it with a sledge hammer. Or I’ll put it in a bucket of salt water for a year. But you’re not going to see me selling it on Craigslist.”

And it’s not just sellers who should be worried. Siciliano found that many of the used smart phones and computers he bought came with viruses or other malicious software. If he had used them, his personal information could have been compromised.

Asked to respond to Siciliano’s findings, Microsoft said its new software has considerable security and privacy improvements. Google did not respond.

By Herb Weisbaum

Story Updated: May 4, 2012

ᔥ via the Komo News: http://www.komonews.com/news/local/Experts-Discarded-electronics-can-lead-to-identity-theft-150271355.html

Calgary Transit testing electronic payment smart cards

CALGARY — Calgary Transit began testing this week its highly anticipated smart card system, with the full program on track for a summer rollout.

Dubbed “Connect,” the electronic fare payment system will allow transit users to tap smart cards against an electronic reader as they board Calgary Transit buses or trains.

Customers will be able to use the cards in lieu of cash, tickets or passes. The cards will be reloadable.

In an effort to ensure a smooth summer launch, officials are testing the system by giving Connect cards to 100 city staff and 400 students at the University of Calgary.

From May 1 to June 7, the testers will put the system through its paces and report regularly on how well it functions as well as identify any potential problems.

“The purpose of the pilot is to aggressively test the system and devices before we launch to the general public,” said Calgary Transit spokesman Ron Collins.

The department hasn’t set a precise date when the new system will go public.

The Connect system has a price tag of roughly $7 million, which is being shared by the municipal, provincial and federal governments.

“We are doing this because we’re trying to make the system as convenient for the public as possible,” Collins said. “This is yet another option that we’re hoping the public will really embrace.”

Should Colleges Earn Money From Prepaid Student Debit Cards?

Prepaid debit cards are becoming the de facto debit cards for a growing number of people these days. This is partially because issuers are promoting the heck out of them and partially because people, especially younger people, view them as preferable to a traditional bank account. As a result, a small number of colleges are experimenting with — and profiting from — hybrid student ID cards that are also prepaid debit cards. Is this a clever way for cash-strapped schools to avoid socking students with yet another tuition hike, or are colleges doing their students a disservice?

There are a couple of reasons why these cards got popular in the first place: Issuers like them because there’s no lending risk (you’re spending your own money) and because they can earn higher interchange fees from merchants. People told interviewers in a recent focus group they like prepaid cards because they like the built-in discipline, and because they really, really hate bank fees. They also griped about prepaid debit card fees, but said card companies present them in an understandable, up-front way, which banks don’t do.

The concept of combining a college student ID and a debit card isn’t a new one. Some schools have offered cards linked to a checking account at a certain bank for a while now, but prepaid cards add a new wrinkle.

Prepaid cards tend to be heavy on the fees, although the ones offered through colleges tend to be better than average in this regard. But there are still some fees, such as for use of ATMs, that students wouldn’t have to pay if they used a traditional debit card and stuck to using that bank’s ATM network for withdrawals.

Beginning this summer, for example, North Carolina State University will offer a hybrid ID-prepaid debit MasterCard in conjunction with U.S. Bank. Previously, the school had a partnership with another bank that provided a traditional debit card feature tied to a checking account.

Called the Wolfpack One, the new card comes in two versions, regular and deluxe. (It’s likely most students will get the deluxe version, since that’s the only one that permits funds to be loaded from sources outside of campus, such as a parent’s bank account or direct deposit from an off-campus job.)

“N.C. State will receive 75 cents per month for each open and active deluxe prepaid card account,” University spokeswoman Jennifer Gilmore says via email. The school has approximately 34,000 students, so even if only three-quarters of them have a deluxe card, that’s more than $19,000 a month in revenue for the school.

According to the Wall Street Journal, other banks such as SunTrust also offer campus ID-prepaid hybrids, and it predicts the practice will grow.

In November, the University of North Florida began offering students the option of an American Express prepaid account through its student ID cards, called “Osprey1Cards.” Neither American Express nor the University of North Florida would comment on whether or not the school receives any money from this partnership.

While a debit card is certainly an improvement over a credit card, it’s worth asking if schools have the best interests of students in mind when they make these deals. It’s certainly possible that the additional revenue keeps schools from having to raise fees or cut services elsewhere, but students have a right to know if their convenient ID cards are a moneymaker for their school.

If there’s one good thing to say about prepaid debit, though, at least it’s better than credit cards, which are still being marketed to college kids heavily, according to new research conducted by Jim Hawkins, professor at the University of Houston Law Center.

Hawkins found that credit card companies are still plying students with sign-up gifts and qualifying them for cards without any verification of their income. His study found that 68% of students under 21 got credit card offers in the mail. Even worse, 27% of students under 21 applying for cards listed student loans as “income” to pay for them.

“I found that many of the CARD Act’s student and young consumer provisions have not affected credit markets in the ways the Act’s proponents had hoped,” Hawkins said in a statement. When even federal regulations fail to deter banks from targeting students, it’s obvious they need all the guidance they can get to grow into fiscally responsible adults. The question is whether or not school-sanctioned prepaid debit cards help or hurt in this goal.

By Martha C. White | May 1, 2012

ᔥ via Time: http://moneyland.time.com/2012/05/01/should-colleges-earn-money-from-prepaid-student-debit-cards/

Magicard releases the Enduro+

Ultra Magicard is pleased to announce the fresh redesign of one of its leading ID card printers: introducing the Enduro+.

The Enduro+ provides professional, fraud proof ID card printing technology, helping to reduce costs and make card printing quick, secure and simple.

Perfect for schools, colleges and medium sized businesses that print up to 10,000 cards per year, the Enduro+ brings upgraded features to Magicard’s best-selling Enduro card printer.

The Enduro+ is affordable and easy to use, giving you the power to take control of ID card production and eliminate the costs and delays associated with outsourcing.

The original Enduro printer was launched in 2008 and is Magicard’s most popular card printing machine, with many tens of thousands installed worldwide.

In developing the Enduro+, Magicard listened to the needs of its customers – schools, colleges, successful SMEs and events organisations around the world to create an upgraded printer that will meet the demands of a fast-changing global business environment. New features include Ethernet network connectivity, increased memory, more encoding options and even better image clarity.

Features which make the Enduro+ outstanding:

●     Ethernet connectivity to enable remote printing from any of your offices

●     Improved colour mapping for better photo clarity and improved accuracy of identification

●     Multiple encoding options

●     Rewrite technology

●     Easily upgradeable from single to double sided printing

●     Secure watermarking with Magicard’s patented HoloKote feature

The Enduro+ is designed to evolve with your organisation: users have the freedom to install upgrades as they go, expanding the printer’s abilities to match growing demands. This makes the Enduro+ an extremely cost effective investment.

“When we redesigned our best-selling printer we listened to what our customers wanted,” explains Andy Matko, Managing Director of Ultra Electronics Card Systems. “You asked for more flexibility, improved connectivity and even better print quality, and I am confident that the Enduro+ delivers on all of these.” He continued: “One of the great things about the Enduro+ is that it evolves with your company’s needs, making it a future-proof solution. It’s also excellent value for money, at the same price as the original Enduro.”

ᔥ via Ultra Magicard Press Release

The Mobile ID experiment.

Be it Android, Apple, tablet or smart phone … mobile devices are everywhere, and users want to do everything on them that they do on their desktop. As the functionality increases so do the threats to the information stored on and accessed by the devices. The same dangers that plague the desktop world are exacerbated in the mobile world.

Mobile brings convenience, access and portability with a low cost of entry, but it creates a “perfect storm” of risk, explains Juan Duque, principal in the Federal Enterprise Technology Risk Services at Deloitte. “It can be the same risk you see in the non-mobile environment but it can go even deeper,” he says. “The risk universe is expanded.”

The challenges with mobile devices and identity are numerous, and after years of discussion, industry finds itself in the midst of a great experiment. Significant issues surround the policies that govern these devices and credentials. Existing policy needs to be changed or created from scratch to deal with the challenges mobile devices present to an enterprise.

On the technology side many feel it is a foregone conclusion that the mobile will use some aspect of near field communication for identity. The U.S. government is looking at how the communications protocol can be used in connection with PIV and PIV-I credentials, and the enterprise sees it as a solution for converged physical and logical access control.

Solve the ‘where’ before the ‘why’

One of the core issues with credentials on the mobile is where to store them on the device and who controls that area. For followers of near field communication, these issues will sound very familiar.

“Who controls the secure element? Who owns the secure element? What form does it come in?” asks Terry Gold, vice president of U.S. sales at idonDemand.

These questions have plagued the NFC market and delayed adoption as ecosystem players have struggled for control. On the payment and marketing side, there has been some compromise, with carriers, financial institutions and handset manufacturers partnering to roll out initial services.

But on the identity and credentialing side it’s not yet clear how this will work and who will control and profit from mobile identity. “You have this big battle shaping up,” Gold says. “If you have a secure element who is going to own and control it? It is not really owned by the end user. Even though he decides what apps and identity elements go on his handset, it’s someone else who provides the security.”

Eventually the secure element will have to be owned by the end user and access granted to any application he sees fit, Gold says.

Secure element options

There are three options for storing identity credentials on a mobile device’s secure element. One would place it on the SIM, a smart card in the handset that is used for identification to the mobile network. This choice is handset agnostic and the mobile operators–such as AT&T, Sprint, Verizon, T-Mobile–control the SIM.

Placing the credential on a microSD card that is inserted into the phone is another option. Many smart phones–Android, Blackberry but not the iPhone–have microSD slots and the credentials could be removed and placed in other handsets if an individual switched devices. In this case the issuer of the microSD card would be its likely owner.

The final option is embedding the secure element into the handset. The handset manufacturer would own this space, and many are already adding this capability to devices. Notably, RIM is going this route with its Blackberry handsets.

To further cloud the issue, it’s also possible that handsets could have more than one secure element, or even all three types, with different owners for each. “Everyone wants control of the secure element in NFC,” Gold says. “On the identity side it gets difficult. If someone else owns that secure element how are you going to put an identity credential on it?”

Will the secure element owner charge a fee to put a credential on the device? Will companies or organizations be willing to pay? Questions abound.

The handset as access control card

HID Global has seen these issues arise and is designing a solution that will work in any environment and can manage the credential wherever it is stored, says Karl Weintz, vice president of business development for the mobile access business at HID.

A pilot in the fall of 2011 at Arizona State University had HID Global showing how its solution can work with different handsets. The 32 participants were outfitted with one of three devices: RIM’s BlackBerry Bold 9650, Samsung’s Android (multiple models) or Apple’s iPhone 4G.

The pilot relied on microSD cards and sleeves for the NFC functionality because handsets that include NFC in the U.S. are not widely available. Three separate carriers–AT&T, Verizon and T-Mobile–were used for mobile services and the credentials were manually loaded on to the handsets.

HID’s solution will be handset and carrier agnostic. Because of the small size of the pilot and the control the school and vendors exerted over the pilot it was able to avoid some of the issues that may crop up during a full-scale rollout of placing the credential on the device.

That said, the program was still successful. Approximately 80% of the ASU participants reported that using a smart phone to unlock a door is just as convenient as using their campus ID card. Nearly 90% said they would like to use their smart phone to open all doors on campus.

And, while the pilot was focused on physical access, nearly all participants also expressed an interest in using their smart phone for other campus applications including access to the student recreation center, as well as transit fare payment and meal, ticket and merchandise purchases.

HID also has a partnership with ISIS–the consortium of AT&T, Verizon and T-Mobile that will roll out NFC in 2012. This project will place the credential on the SIM, Weintz explains.

Expand focus

Having the choice to add applications and functionality to a device is important and may be critical in successful deployments of NFC. Neville Pattinson, vice president for Government Affairs, Standards and Business Development at Gemalto, says the mobile is going to impact three markets–payments, transit and identity–and it should be up to the device owner which applications they choose.

“People are focused on one area, but you have to look at all three and the big picture,” Pattinson says. That means being able to use a handset to securely store identity credentials as well as access to public transportation and payment data.

It’s likely the mobile will store multiple sets of each type of data, Pattinson says. There may be one set of identity credentials for work and another for personal information. “We have a platform in our hands that becomes a multifunction device,” he says.

It could take two to three years to define the policy issues that will guide the placement of identity credentials on secure elements, Gold predicts. Until then it’s going to be a waiting game as consumers load various identity apps in an application space that may not be fully secure.

BYOD

In a “bring your own device” world, corporations are faced with a major challenge. Consumers expect to be able to load the applications of their choice on to their devices, but this leads to serious security issues in enterprise environments.

Deloitte’s take on bring your own device is pretty straightforward, Duque says. “You’re damned if you do and damned if you don’t.”

To make it easier for the corporation it can come up with a list of approved handsets from which an employee can choose. This gives the employee some options, Duque says.

Otherwise it is bring your own device, and this creates issues that can literally change on a daily basis as new handsets hit the market, Duque explains.

A company can achieve some cost savings if it doesn’t reimburse for the purchase of mobile devices, and employees don’t have to carry multiple devices, which makes it more convenient for them.

But the disadvantages are numerous.

Employees buy devices and try to connect them to corporate resources without approval, circumventing security. There’s an increased cost, as IT staff must support multiple device types. Trying to keep up with the potential attacks on the different handsets can be time consuming and expensive because each mobile operating system has different attack vectors.

The cons would seem to outnumber the pros but organizations are still wrestling with the issue. Duque also says organizations need to have policies in place for device configuration, device use monitoring, data ownership and acceptable data use.

These policy issues can get thorny, says Jim Zok, director of Identity and Privacy Assurance at CSC. “If I bring in my device and want to use it for work what happens if I download something? You wipe the phone but will I get reimbursed?” he asks. “If you have a company phone does it have an approved app list?”

The viruses and malware attacks on mobile devices are ever growing. “There’s practically no way to protect these devices and put an app on it,” Zok says.

One solution could be two-kernel handsets, says Zok. This would enable the device to have a business function and a personal function with strict segregation between the two sides. If one kernel is infected the other side would be able to function normally, he explains.

Mobile PIV

In the U.S. government space, enabling the mobile will take some significant policy changes. Computer scientists at the National Institute of Standards and Technology (NIST) are working on a possible solution for government employees to have secure credentials on mobile devices. NIST released a revised FIPS 201-2 draft last year, and though the draft omitted mobile ID, government smart card officials say adding the capability is imperative.

The agency is exploring three options for enabling the PIV on a smart phone or tablet, says Bill MacGregor, a computer scientist at NIST. One is additional hardware that would connect the smart card to the mobile device, another is an enhanced PIV that would fully enable all functionality of the PIV’s contactless interface and last is use of a mobile device manager and a derived credential.

Contact smart card readers that use Bluetooth, WiFi or a cord to securely connect the PIV credentials to mobile devices already exist, MacGregor says. This option isn’t the most attractive because of the cost of the hardware and the form factor. “From a usability point of view it’s awkward and not realistic,” he adds.

Enhanced PIV

The other two options seem to be more realistic but each requires policy and technology changes. The phone could be used as a credential if the contactless interface of the PIV was fully enabled, MacGregor says. The first FIPS 201 version limited the amount of information that was available from the contactless portion of the card.

If these restrictions were eliminated, near field communication devices could read the PIV and authenticate to networks, sign and read email, and complete other tasks. To do this the process for creating a secure channel between the mobile and the credential would have to be created. “It’s easy to do technically but hard for the key management,” he says.

Since any NFC device would be able to read any PIV there would have to be a secure key placed on the mobile to make sure the credential is only being read by the properly authorized device. It would be a way to authorize the device to the credential.

Secure keys would have to be issued to the mobile devices, MacGregor says. This could be as simple as a pairing PIN that could be entered into the mobile to authorize pairing. “This doesn’t require too much more functionality,” he adds.

Derived credential

The other option is a derived credential and mobile device manager, MacGregor says. This option has the PIV presented to a mobile device manager which then assigns the credential to a device. The credentials would be placed on a secure element within the mobile.

Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary, MacGregor says.

“The chief negative of this approach is the complexity,” MacGregor says. “It needs interaction with a mobile device manager.”

Enhanced PIV and derived credentials are the focus of NIST’s current efforts to enable the PIV with smart phones, MacGregor explains. Derived credentials are also mentioned in NIST’s Special Publication 800-63-1 which focuses on electronic authentication.

The mention of derived credentials is in a generic form and not specific to PIV, says Hildegard Ferraiolo, a computer scientist at NIST. If derived credentials were to be included with PIV it would be included in the next draft of FIPS 201-2, which is expected sometime in the first half of 2012.

The notion of an enhanced PIV and derived credentials brings up some thorny policy issues, says Gemalto’s Pattinson. “NIST has a PKI policy that only allows digital credentials to be present on a smart card form factor,” he explains.

There is also an issue of dealing with the same credential in more than one place. “How do you end up with one card in your hand and another in the phone?” Pattinson questions. “You can’t have the same key in two places.”

This also doesn’t solve the problem of being able to decrypt email on mobile devices. “When a PKI credential is made on a PIV there are several keys and certificates associated with different functions, for example decryption, digital signature, key exchange, among others,” Pattinson says.

Decrypting an email is more complicated than it sounds. For a person to send an encrypted email there has to be an encryption public key certificate available to the sender to encrypt the email so only the recipient can read it, Pattinson explains.

The private key associated with this public key may be only known to the original PIV as it was generated on card at the time of issuance or activation. The private decryption key may never leave the card. In the case of a derived credential, if it does not have the original private key for decryption, there may not be an ability to decrypt the email.

However even this isn’t a hard and fast rule. Some agencies “escrow” the private decryption key initially generated off card or securely extracted off the card. This is done to allow for situations where cards are replaced or lost but the need to decrypt older email remains.

That’s just one example. Figuring out how to handle these policy issues is going to take some time, possibly one to two years, Pattinson predicts.

Technology issues

As the policy issues are being addressed, the technology continues to evolve. The lack of NFC handsets is one issue holding back mobile identity efforts, says Jon Callas, chief technology officer at Entrust. In the U.S. there are just a handful of NFC devices on the market, a couple of Blackberry and Samsung models but that’s it, he says.

Google with Android and Apple with iOS must progress to make identity better in mobile operating systems, Callas adds. He believes identity should be embedded into the device, and not the decision of third-party apps. Consumers should be able to control the identity as they wish, he explains.

“The operating system vendors will start to solve this problem by putting container support on the devices so that people can do identity on their own,” Callas adds.

Nobody buys a new handset based on identity, Callas explains. “Identity wasn’t on the list of reasons why I bought my phone,” he says. “You buy a mobile because you want that device.”

Though the mobile identity market has progress to make, both the technology and consumer adoption move quickly. Because handsets are relatively inexpensive they are replaced every one to three years, Callas explains.

While both the technology and policy need to advance before mobile identity is widespread this rapid pace of consumer adoption bodes well for the market. But officials must keep this pace in mind as they define policy. “Frankly, the technology is changing faster than we can keep up with,” says Zok.

What will mobile identity look like?

The goal of mobile credentialing is to enable an individual to have the same level of interaction with a system on the handset as they would on a laptop or desktop, says Jerome Becquart, vice president and general manager of identity assurance at HID Global.

HID acquired ActiveIdentity and its smart card middleware. The company is porting that software to the mobile device for access to secure email and virtual private networks, Becquart says. To date, however, the company hasn’t seen much call for the technology because the U.S. government’s policy requires the use of a smart card and PIN.

HID partnered with Good Technology to deliver new government-strength, two-factor mobile authentication and credentialing solutions for the iOS and Android platforms. The new solutions will couple the security capabilities of Good for Enterprise and Good for Government with the authentication technology of the ActivIdentity ActivClient Mobile middleware to make it easier for federal employees and the companies that support them to gain access to pertinent applications using their mobile device while maintaining necessary security levels set forth by their Information Assurance personnel.

Smart phones and tablets have not been able to achieve necessary levels of security but Good Technology and ActivIdentity are working to mobilize smart cards and the underlying secure element technology. This solution enables email and document encryption, cryptographic signing of emails and forms, and extends public key infrastructure authentication tools to custom applications previously not enabled on smart phones and tablets.

As handsets get more functionality, their use will go beyond basic access to information, Becquart says. With NFC embedded, physical access control can be added to the handset as well.

These converged physical and logical access systems will enable organizations to greatly increase security. Employees would have to wave their phone to gain access to the front door of a building, and if they didn’t authenticate at the door they won’t be able to access their computer.

The handset would also be the key for entry into the computer and instead of having to enter a long, complex password an individual might just have to remember a PIN, says Jon Callas, CTO at Entrust. Also, if an individual walks away with their handset the desktop would lock.

The GPS feature on smart phones could also play a part with security. If the network shows that someone is trying to remotely access email from an unusual location it could check the GPS on the employee’s smart phone to see if they are in that area. “Companies will be able to look at where you’ve been and determine if a transaction is too risky,” Becquart says.

Easy, yet secure, authentication on the mobile

Individuals want to do more and more with their mobile devices, but often the device itself is unprotected or using additional security is cumbersome.

A survey by Confident Technologies found that 65% of respondents reported using their personal mobile device to access work email or the company computer network, and more than half said they do not use a password or PIN to lock their smart phone or tablet. Some 44% of those who do not lock their mobile devices said that using a password is “too cumbersome.”

An additional 66% of respondents said they try to leave applications on their smart phones perpetually logged-in unless they are required by the application to log in every time.

Logging on to Web sites with mobile devices can be difficult. Even with handsets that have QWERTY keyboards it’s difficult to enter the complex user names and passwords required by some corporate sites. Confident Technologies is trying to make the mobile login process secure as well as easy, says Curtis Staker, president and CEO at the company.

With Confident’s image-based technology a user enrolls in the system by picking a category of photos, for example animals, and then chooses the specific images for their login. When returning to the site the individual is presented with a group of images in random order and taps the ones specific to their login.

The specific pictures and their location on the grid are different each time, forming a unique, one-time authentication code every time. All the user needs to do is remember a few categories and look for pictures that fit those categories. “You get the usability without forsaking the usability,” Staker says.

GSMA: SIM-based NFC gains support of 45 mobile operators

The GSM Association announced that 45 of the world’s mobile operators have committed to supporting and implementing SIM-based NFC services.

Chief among these companies are China Mobile and China Unicom, which account for nearly 800 million subscribers throughout China. Other major operators include Deutsche Telekom, KT Corporation, Orange, SK Telecom, Telefónica, Telecom Italia, Turkcell, Verizon and Vodafone.

ISIS, the organization formed by AT&T, T-Mobile and Verizon to build a nationwide mobile commerce network in the U.S., has also announced its support for SIM-based NFC.

According to research firm Strategy Analytics, nearly 1.5 billion SIM-based handsets will be sold worldwide between 2010 and 2016, supporting transactions of more than $50 billion globally over the period.

SD Association, GlobalPlatform to include NFC in new SD standards

The SD Association has announced a new collaboration with GlobalPlatform to include smart chip technology in SD standards, enabling mobile phones and other portable devices to provide authentication services with SD memory cards.

Standardized authentication services on microSD and full-size SD memory cards could transform consumers’ mobile phones and devices into electronic wallets, enabling NFC-enabled cashless payments and paperless identification, plus a variety of value-added applications leveraging NFC.

According to the association, offering NFC on SD memory cards opens new business models for any authentication process, including:

  • Mobile commerce: Consumers can use devices equipped with smart microSD cards to make contactless payments for anything from groceries to subway fare.
  • Customized services: Content and service providers can customize features, offers and rewards automatically, eliminating manual entry of customer identifiers such as account or rewards card numbers. For example, airlines could automatically review customer accounts for upgrade and other frequent flier rewards.
  • Secure access/Personal ID: Users could store digital identification cards and redeem access control credentials on their mobile device.
  • Secure voice: Smart microSD cards can support hardware encrypted voice services, a security method used by governments, emergency services and corporations.

In each of these new business models, the microSD and full-size SD memory cards would provide the secure element, based on GlobalPlatform standards, for authorization purposes and would only be active in the authorized device.

By Zack Martin, Editor, Avisian Publishing
ᔥ via SecureIDNews: The Mobile ID experiment

Should Canadians embrace the digital wallet in a future without cash?


TORONTO – The recently announced end of the penny and the proposed launch of digital-chip currency are sure signs we are entering the era of the ‘digital wallet.’

But the question is, will Canadians embrace virtual money and personal identification over cold hard cash and the ID cards we now carry?

A digital wallet refers to a mobile phone that uses wireless technology for in-person identification or financial transactions. This means you could store your debit card, credit card, and all ID information in your phone and access it with a few taps on your screen.

Google announced plans to develop the Google Wallet app in May 2011, with cell phone companies, Visa and PayPal developing similar technology.

The wireless e-wallets are already popular with consumers in Europe, Asia and parts of Africa, but Canada lacks the secure system and infrastructure for widespread use.

A Global Overview of Digital Wallet Technologies, created by the University of Toronto’s Prop-ID research project, looks at various payment systems and digital wallet applications across the globe. The “Prop” in Prop-ID refers to the fact that the part of your ID that’s accessed is proportionate to the actual need for the transaction.

Project lead Dr. Andrew Clement hopes to investigate how digital wallet technologies could be used to help regain control over personal information.

Clement and his team have developed a privacy protective app that works like the Google wallet does, but solely with ID information. (While many other digital wallets focus on the financial transactions, they also transmit identifying information, despite not being referred to as ID wallets).

How it works

Clement’s version of the ID wallet would work like this: when you come within range of a service organization (the LCBO, for example), the LCBO lets you know that all it needs is a face match and an age authentication. You press ‘ok’ on your smartphone, and the ID information is transmitted in encrypted form to an authenticating device (one that an LCBO employee, a bouncer or a bar would hold). The LCBO then decrypts it using the key provided by the driver’s license authority in your province to verify that the ID is real, and if your credential matches, the transaction goes through.
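The proportionate disclosure described above, sketched as an added example; it is not Prop-ID's code. It assumes salted hash commitments, a common selective-disclosure construction the article does not name, with HMAC under a constructed key standing in for the licence authority's signature, and all names and sample data are made up.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. HMAC stands in for the licence authority's signature so
# the example needs only the standard library; a real system would use an
# asymmetric signature so that a verifier cannot mint credentials itself.
ISSUER_KEY = b"constructed-demo-key"

def _commit(name, value, salt):
    """Salted hash of one attribute; the salt stops guessing of hidden values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _seal(digests):
    """Issuer's seal over the full list of attribute commitments."""
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Licence authority: commit to each attribute separately, then seal the set."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    digests = sorted(_commit(n, v, salts[n]) for n, v in attributes.items())
    return {"attributes": attributes, "salts": salts,
            "digests": digests, "signature": _seal(digests)}

def present(credential, requested):
    """Wallet: reveal only the requested attributes, each with its salt."""
    return {"disclosed": {n: [credential["attributes"][n], credential["salts"][n]]
                          for n in requested},
            "digests": credential["digests"],
            "signature": credential["signature"]}

def verify(presentation, requested):
    """Verifier: return the verified attributes, or None if any check fails."""
    digests = presentation["digests"]
    if not hmac.compare_digest(_seal(digests), presentation["signature"]):
        return None  # commitment list was not sealed by the issuer
    if set(presentation["disclosed"]) != set(requested):
        return None  # wallet sent more or less than was asked for
    verified = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _commit(name, value, salt) not in digests:
            return None  # revealed value does not match what the issuer sealed
        verified[name] = value
    return verified

# Constructed sample licence; every value is made up.
LICENCE = {
    "name": "A. Sample",
    "date_of_birth": "1990-01-01",
    "address": "1 Example St",
    "licence_number": "X0000-00000-00000",
    "photo_sha256": hashlib.sha256(b"constructed photo bytes").hexdigest(),
    "over_legal_age": True,
}
REQUEST = ["photo_sha256", "over_legal_age"]  # face match and age check only

if __name__ == "__main__":
    shown = present(issue(LICENCE), REQUEST)
    print("verifier learns:", verify(shown, REQUEST))
    print("never transmitted:", sorted(set(LICENCE) - set(shown["disclosed"])))
```

The verifier rejects a presentation that carries more attributes than it asked for, which is the property Clement is arguing for: the record a retailer could keep is limited to what the transaction needs.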

Privacy risks

Clement worries that when digital wallets become widespread, the proportionate method described above may not be used. If people start using their smartphones for any and all transactions, they’ll be handing over unnecessary personal information that could be kept on record.

“Currently when you show ID, you flash a card, somebody looks at it and they sort of decide whether you’re right or not, but they don’t actually record anything,” explains Clement. “But if you have a smartphone that does that kind of transaction, then all of the information potentially on your card is available.”

Clement mentions Facebook and Google as two online companies who appreciate how lucrative personal information is for targeted advertising, and the dangers of leaving ever-more detailed traces of our daily activities.

“I’m concerned that as transactions move to smartphones, our ID transactions will look more like what we do on the web—where a lot of personal information is transmitted—than the current practice for those situations, such as buying liquor or other transactions, where while we might show ID, we don’t leave the same kind of traces of our identity,” he says.

Moving forward

The Prop-ID prototype is a working example of how the digital wallet can be used without handing over personal information to retailers. When considering what needs to be in place for the widespread use of digital wallets in Canada, Clement emphasizes the option for people to disclose as little information as needed for the transaction to go through.

“There are real technological options,” he says. “These should be discussed and people should understand that they’re there, and the relative merits of these approaches should be weighed.

“Another key criteria is that we make these choices in a publicly deliberative informed fashion. And right now we’re doing that inadequately, I would say. Seriously inadequately.”

So before you throw out your leather wallet in favour of an electronic version, it’s worth considering how much personal information will be transmitted with a few taps of your finger.

Prop-ID project lead Dr. Andrew Clement specializes in ID documentation and systems, privacy and social implications of information and communications technologies in the Faculty of Information at the University of Toronto.

ID theft victims now have Canadian support centre

Vancouver office offering help to victims across the country

Canada’s first support centre to provide resources for victims of identity theft has opened in Vancouver.

The Canadian Identity Theft Support Centre quietly opened an office downtown at the end of March.

A public launch is planned for May, but organizers say the centre has already received about a dozen calls to its toll-free number.

“The issue of identity theft is one of the fastest growing issues in Canada and victims across the country have nowhere to go once they become a victim. They are put out into the internet and into phone trees of different companies trying to figure out what to do,” said Kevin Scott, president of the Canadian Identity Theft Prevention Association. “We assist individuals from start to end on how to regain control of their identity.”

A charitable organization primarily funded by the federal Justice Department, the support centre is modelled on a similar U.S. organization based in San Diego, Calif.

The centre won’t publicize the exact location of its offices in order to protect the four full-time staff members from identity thieves.

In addition to a toll free number, the centre provides online resources to help victims deal with the fallout of identity theft ranging from credit and debit card fraud to wholesale takeovers of lives.

“We look at ourselves almost as a translator,” Scott said. “When an individual is a victim of identity theft, it’s almost like their world is out of control. They don’t know which way to turn. Their finances are turned upside down. They could have criminal records. They could have a variety of different internet reconfigurations.

“So when an individual is facing all those … they are very emotional and they are very concerned that they cannot regain control of their identity.”

Like Scott, the centre’s director, Lindsay Lee, trained with the organization’s U.S. counterpart. Despite a lack of publicity to date, she said centre staff have already taken several calls from Canadian victims of identity theft.

Victims seek vengeance

“People want — their instinct a lot of the time — is they want the person to be caught,” said Lee. “Unfortunately, that probably isn’t something that’s probably going to happen right now in Canada. That’s not really out there for people. It’s too difficult to track.

“So when people call, this is often what they have on their mind is ‘How can I get this guy?’ And that’s something you have to tell people — that’s not going to happen. You have to focus on yourself. You have to focus on getting your own life back.”

Scott said the centre also hopes to fill a statistical void. The last national survey done on identity theft in Canada happened in February 2008. The survey found that about 1.7 million Canadians had experienced identity theft ranging from credit and debit card fraud to impersonation used to rent apartments or avoid criminal records.

Susan Sproule, one of the authors of the survey, said the study cost about $80,000 to produce. That compares to estimates of up to $100 million in losses identity theft causes banks.

Sproule said she hopes to work with Scott’s centre on a new study and to obtain hard data for her research from the people who call the support centre.

“I’d love to do an update,” said Sproule. “I’m not sure what we would find.”

Scott believes the centre’s work will also highlight a need for greater vigilance by public bodies as well as private organizations in protecting the data of Canadians. He described the balance of maintaining privacy as a “three-legged stool” with each leg representing the duty of government, business and individuals.

“If we’re going to reduce identity theft in Canada, we need to ensure that each one of those legs is holding its own weight,” he said.

“At this point, I would say that each one of those is fairly weak because individuals aren’t taking the proper steps to protect their personal information. Corporations need to take greater steps to ensure that the information they gather is properly protected. And for government, there’s breach notification.”

Jason Proctor, CBC News | Posted: Apr 12, 2012 6:10 PM PT

ᔥ via CBC News: http://www.cbc.ca/news/canada/british-columbia/story/2012/04/12/bc-id-theft-support-centre.html

Credit-card robbers hit ATMs in ‘tsunami’ attacks


Editor’s Note: Identity and Financial Theft are occurring using out of date technology, in this case, mag-stripe. As we transition our cards to EMV and other such smart card standards, the odds of mass exploitation reduce dramatically.

—————————————————

A Montreal-based gang has targeted banks and stores in British Columbia and across the West in a credit- and debit-card crime a Vancouver Crown prosecutor describes as “tsunami fraud.”

Connections between suspects uncovered in a CBC News investigation indicate a pattern of criminality dating back to at least 2007, including convictions in Australia and New Zealand, prosecutor Peter Stabler told CBC News.

“Usually, about a dozen or so people are sent out en masse as a group to either go and skim information from ATM machines — but normally, that’s already been pre-skimmed by another group,” Stabler said.

“Then they make massive amounts of forged credit cards and these 12 people, for example, are each given 10 or 20 or 30 credit cards and they hit 10 or 12 ATM machines in an area all at the same time.

“So they just overload that system. They just take out so much money. It’s within usually a 24-hour period so by the time the alert comes on, they’re gone.”

“Tsunami fraud” is part of an identity theft phenomenon that appears to be growing exponentially, Stabler said.

An increasing number of organized crime groups are choosing credit and debit card fraud over drug profits, drawn by the promise of a lucrative payout with relatively little danger.

Crime group has links to New Zealand, Australia

Evidence of the group examined by CBC News dates back to a traffic stop and the arrest of three men in Cardinal, Ont., in February 2007.

The Montreal-based criminal organization has a history of debit and credit fraud. (CBC)

According to police, Oscar Soto-Segovia, Navaneeth Ponnambalam and Jonathan Shao were stopped in a car containing 11 compromised point-of-sales terminals, forged credit and debit cards and equipment needed to scan and transmit card information.

Soto-Segovia was released on bail but arrested in the Lower Mainland in the spring of 2009. He and a co-accused Alexis Guillermo Esquivel-Lemus were charged with placing compromised point-of-sales terminals in Safeway stores in the Fraser Valley and using a Bluetooth device to obtain card information. Soto-Segovia pleaded guilty and received one day in jail.

Court documents show Esquivel-Lemus was accused of tampering with a point-of-sales terminal in Nanaimo in November 2009.

He and six other men — Ralph Alphonse, Saleheddine Fouzi, Giovanni Patroni-Hernandez, Diego Aparicio-Arguedas, Jose Leon-Salinas and Amine Mecheddal — were charged with trafficking in forged or falsified credit cards in Vancouver, Burnaby, Coquitlam and elsewhere in B.C. in January and February 2010.

Police in Edmonton recently sought the arrest of Esquivel-Lemus, Alphonse, Fouzi and Patroni-Hernandez for stealing more than $500,000 from ATMs in that city in the summer of 2010.

In July 2010, police in Saskatoon arrested Aparicio-Arguedas in a hotel room. He was found with $100,000 in a briefcase and accused in a scheme in that city that involved more than 600 compromised debit cards.

In another development, documents obtained from prosecutors in New Zealand show Esquivel-Lemus and Patroni-Hernandez arrived in Auckland in June 2010 claiming they planned to hike and surf. The pair fell under suspicion when a series of point of sales terminals were stolen from retail stores in and replaced with compromised ones in a manner similar to the Safeway thefts in the Lower Mainland.

The pair were caught along with another Canadian when they picked up a package full of skimming equipment mailed from New Westminster, B.C.

And last month, an Australian judge sentenced Navanaath Ponnambalam — the other man arrested in Ontario in 2007 — to eight years in jail after he was found guilty of stealing more than $400,000 from 4,500 bank customers in Western Australia.

A jury found he tampered with point-of-sales terminals at McDonald’s restaurants in 2009.

No criminal records

Stabler says members of the group are deliberately chosen.

“They are picked in Montreal on the basis that they don’t have a record. All the people that we’ve had convicted have never — as far as we know — committed another crime,” Stabler said. “So they come before the courts with no record. I say to the court strongly that this is obviously organized crime and they’re facilitating it. And they tend to get sentenced accordingly, instead of what I try to say ‘No — they know they’re helping organized crime.’ ”

According to details entered in the New Zealand court case against Esquivel-Lemus and Patroni-Hernandez, the scam in Canada operated for four years and cost in excess of $100 million. An average of 200 point-of-sales terminals were stolen from Canadian retailers every month in 2008.

In New Zealand, the men were charged with participating in an organized crime group. Similar legislation exists in Canada and carries much heavier sentences than those handed out so far for those convicted in the “tsunami fraud” ring. The maximum sentence for them has been two years less a day.

“I’ve been doing this for many years now and as technology’s improved, the pace and volume of this crime is just going up exponentially every year. It’s extremely easy, it’s extremely fast, extremely lucrative,” Stabler said.

“The chance of really getting caught is low and the penalties are improving but they vary considerably. So — just from a street level point of view — if you steal $300,000 and you get 18 months or two years less a day in jail plus you’re out on parole in one third of that — was it worth it? As a criminal you’re probably going to say yes.”

ᔥ via CBC News: http://www.cbc.ca/news/story/2012/04/10/bc-id-theft.html
