Thursday, May 21, 2009

Stop! No More ID Stealing!


JoongAngDaily
Input : May 22, 2009 1:10:38 A.M.
Even if passwords or resident registration numbers are leaked, a verification method that makes access by others impossible will be applied to the main website of Gyeonggi English Village for the first time, beginning at the end of this month. The fingerprint verification smartcard (picture above) developed by e-Smart Korea recognizes the cardholder’s fingerprint through a fingerprint sensor on the card. Currently, the card is being used at the Advanced Broadcasting Media Technology Research Center of Korea Aerospace University as a student ID card for attendance checks, by connecting to a system developed by Cobalt Ray Co., Ltd., and it is planned to be applied to credit cards and IDs in the future.

Seung-shik Choi

Wednesday, May 20, 2009

Air France Biometric Boarding Pass Technology:

INTRODUCTION:
Air France has introduced a smartcard-based boarding pass (on a trial basis until the end of the year) for its frequent flyer programme members on flights between Paris Charles de Gaulle and Amsterdam Schiphol. This new boarding pass contains an encrypted version of the passenger's forefinger and thumb prints. During boarding, the passenger scans their forefinger and thumb on a fingerprint scanner installed at the gate. The scanned prints are compared with those stored in the card, and upon successful verification the passenger is allowed to board.

ISSUING OF AIR FRANCE BOARDING PASS:
It consists of the following steps:

Step 1: Verification of identity based on documents such as a passport.

Step 2: After verification, the fingerprints are scanned using a sensor (mostly optical) and stored in the boarding pass.

Step 3: Collect the card.


OPERATION OF AIR FRANCE BOARDING PASS:

Step 1: Insert the card into the boarding pass terminal, and the flight details will be printed on the back of the card. The card can be reused at least 500 times, because on the next use the existing information is erased and the new flight information is printed on it. Thus, the passenger holds on to the boarding pass even after travel.

Step 2: Proceed to the boarding terminal based on the information printed on the card.

Step 3: The boarding terminal reader checks the flight information stored in the chip.

Step 4: Once the flight information is read, the passenger is prompted to have his fingerprints scanned at the fingerprint scanner located at the terminal.

Step 5: The fingerprint information stored in the card is compared with the scanned fingerprint information. If the two match, the boarding gate opens, allowing the person to board the flight.

WHAT MAKES THE AIR FRANCE BOARDING PASS SECURITY RELIABLE?
The answer to this question is NOTHING. The boarding pass technology just mimics the current e-passport and credit card technology, which suffer from many flaws.

DRAWBACKS OF THE AIR FRANCE BIOMETRIC BOARDING PASS SYSTEM:
The Air France biometric boarding pass system suffers from the same drawbacks as e-passports and credit cards, which are as follows:
1. Boarding Pass can be cloned:
E-passports and credit cards based on similar technology have been successfully cloned. This means that all the personal information stored in the boarding pass, including the passenger’s fingerprint, would be transferred to the cloned card. The following articles show how easily e-passports and credit cards can be cloned:
· http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)
· http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/ (US Homeland Security passports successfully cloned with no problem)
· http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).
2. Fingerprint scanner can be fooled:
The fingerprint scanner used is similar to the ones used at immigration, i.e. an optical fingerprint scanner. There is ample evidence online that these scanners can be easily fooled by using a fake finger. Making a fake finger is not very difficult, and a lot of information is available on the web that teaches a person how to make one. For example, the following link shows how easily a latent fingerprint (a fingerprint left behind on some object by the potential victim) can be lifted and used as a stencil to make a fake finger.
http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en (Tutorial to make fake finger)

The following articles show how contemporary optical fingerprint readers can be fooled easily with a fake finger.
http://www.securityfocus.com/news/6717 (German hackers fool fingerprint scanners).
http://software.silicon.com/security/0,39024655,11033437,00.htm (Japanese man fools biometric sensor with fake finger)
http://www.asiaone.com/Travel/News/Story/A1Story20090101-111750.html (South Korean woman fools Japanese fingerprint sensor)
3. Vulnerable to skimming or eavesdropping:
The fingerprint information stored in the card is transmitted to the reader, which compares it with the passenger’s scanned fingerprints. This is a major drawback: because the authentication is done by the system rather than on the card, the data could be intercepted and stolen during transmission.

A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. At normal power ranges, contactless smart card readers must be relatively close to the card within a few inches or at most a few feet. However, that range can be extended if the reader broadcasts power at illegally high levels. A skimming attack could be done to facilitate identity theft or to trace the movements of an individual.

An eavesdropping attack can occur, if the contactless smart card is actively communicating with a legitimate reader. RF emanations from both the smart card and the reader have been shown in tests to be readable at distances up to 30 feet (9 meters).
Once the fingerprint information is stolen, it is easy for a criminal to make a fake finger of the passenger. Fingerprints left by the passenger on various objects can also be lifted and used to make a fake finger.
Related links:
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
4. Boarding Pass can make travelers sick or, even worse, kill:
Another rising concern among people during travel is the spread of contagious diseases such as swine flu and SARS. Since every traveler has to touch a common fingerprint sensor, there is a possibility of disease spreading. Infections such as swine flu spread easily and can result in death too. One may say that touching a door handle in the airport can infect travelers too, but our point is that the verification system should not contribute to the spread of disease. Even if a person takes good precautions, such as wearing gloves, he will have to expose his finger to get his fingerprint scanned by the sensor. A person does not have to remove gloves to touch a door handle.

CONCLUSION:
The current Air France boarding pass is just eyewash to make people feel secure. Air France should consider using a system that confers real security. A truly secure boarding pass is one that:
- cannot be fooled by a replica of a person’s biometric details such as fingerprint or face.
- is hard to forge or counterfeit.
- provides secure communication between the reader and the travel document; in other words, is not vulnerable to skimming or eavesdropping.
- does not contribute to the spread of disease.

E-SMART SOLUTION TO THE PROBLEM:
e-Smart Technologies Inc. creates an authentication environment that would overcome the above drawbacks. Let us analyze each drawback above and see the e-Smart solution to overcome it.
1. Can a fake finger fool the e-Smart Boarding Pass system?
NO, because each boarding pass will have a fingerprint scanner that is foolproof. e-Smart's innovative match-on-card boarding pass technology and fingerprint matching algorithm together can easily detect a latex finger or gummy finger by analyzing the changes in electrical characteristics and other properties.
2. Can the e-Smart Boarding Pass be reliably cloned?
NO. Cloning the e-Smart card doesn’t make sense, because the cloned card would store the fingerprint information pertaining to the owner. The thief will not be able to authenticate the e-Smart boarding pass using either his own finger or a fake finger.
3. Can the fingerprint information be stolen from the card?
NO, because the fingerprint matching is done in the card and not in a central system, so personal data remains in the card. Thus, in e-Smart Boarding Pass authentication there is no question of vulnerability to data-interception attacks such as eavesdropping and skimming.
4. Would the e-Smart Boarding Pass contribute to the spread of contagious diseases?
NO, because each boarding pass will have its own fingerprint scanner, touched only by its holder. Where the touch is personal there is no possibility of getting infected (at least not because of the boarding pass verification process).

Tuesday, May 12, 2009

Social Security, A Cause For Social Insecurity

SSN fraud, which costs $50B annually, could be eliminated by e-Smart’s I AM Card, but the offer by e-Smart was interrupted. The amount is in the same range as the Madoff fraud, the claim against which had been interrupted too.
Who is responsible for the $100B in damage to innocent and good citizens?



SOCIAL SECURITY, A CAUSE FOR SOCIAL INSECURITY:

1. INTRODUCTION:
Social security act and purpose:
The primary objective of the social security number (SSN) is to track individuals for tax purposes, but unfortunately it does more than that. The SSN has become an identifier for individuals in the United States. It is used in many transactions, such as purchasing a car or house, opening a bank account, or applying for a loan or credit card.
Understanding the SSN:
The SSN is a nine-digit number that is not randomly generated, but follows a pattern. The first three numbers (area number) refer to the state in which the number was issued. The next two (group numbers) indicate the order in which the SSN was issued in each area. The last four (serial numbers) are randomly generated. Thus an SSN can reveal an individual's relative age and place of origin [1].
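
An added example (not part of the original post): a scanner that uses the area/group/serial layout described above to find and mask SSN-shaped strings in logs before they are stored or forwarded. It goes slightly beyond the text by also rejecting field values that are never issued (area 000, 666 and 900-999, group 00, serial 0000); the sample log lines and function names are constructed.

```python
import re

# AAA-GG-SSSS: area (3 digits), group (2), serial (4). The separator may be
# "-", " " or absent, but must be the same in both positions. The lookarounds
# keep the pattern from firing inside longer digit runs (order ids, phones).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_issuable(area: str, group: str, serial: str) -> bool:
    """Reject field values that are never issued, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask_ssns(text: str):
    """Return (masked_text, findings); findings hold offsets, never the number."""
    findings = []

    def _mask(m):
        area, sep, group, serial = m.groups()
        if not is_issuable(area, group, serial):
            return m.group(0)  # cannot be an SSN: leave untouched
        findings.append({"start": m.start(), "end": m.end(), "separator": sep})
        # Mask every field: area and group alone already leak place and age.
        return "XXX" + sep + "XX" + sep + "XXXX"

    return SSN_RE.sub(_mask, text), findings


# Constructed sample log lines (no real identifiers).
SAMPLE = "\n".join([
    "2009-05-12 10:01 signup name=alice ssn=123-45-6789 status=ok",
    "2009-05-12 10:02 signup name=bob ssn=321547698 status=ok",
    "2009-05-12 10:03 signup name=carol ssn=000-12-3456 status=rejected",
    "2009-05-12 10:04 payment order=1234567890 amount=20",
    "2009-05-12 10:05 signup name=dave ssn=912-34-5678 status=rejected",
])

if __name__ == "__main__":
    masked, hits = mask_ssns(SAMPLE)
    print(masked)
    print(len(hits), "SSN-shaped values masked")
```

The masked text has the same length as the input, so the recorded offsets are valid in both.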

2. SSN AND IDENTITY THEFT:
Identity theft is defined as the process of using someone else’s personal information for your own personal gain. This personal gain may be in terms of employment (illegal immigrant assuming false identity), finance (applying for loan, credit card or opening bank account) etc.
Identity theft has become a major concern in the United States, with nearly 10 million American victims losing $48 billion in 2008. The number of victims rose 22% to a record 9.9 million in 2008 from 8.1 million a year earlier, with about one in 23 U.S. adults becoming victims [2].

A main cause of identity theft is the insecurity of the SSN. When one’s SSN falls into the wrong hands, it can be used to get personal information about that person and to commit various crimes.
For example, identity thieves can use someone’s SSN and credit to apply for more credit in the person’s name. Then they use the credit cards and do not pay the bills, creating a negative impact on the person’s credit history. Also, compromised SSNs are sold at a price, and a Social Security Card can be fabricated from them. A lot of illegal immigrants buy such fake Social Security Cards to get jobs, open bank accounts, etc. to survive in the United States.

3. FACTS AND FIGURES ON IDENTITY THEFT:
Following are some facts and figures on Identity Theft:
(Credit: FTC) NOTE: Identity Theft Ranks # 1 on FTC Complaint
Source: http://www.ftc.gov/opa/2009/02/2008cmpts.shtm


Identity Fraud Trends
Source: http://www.idsafety.net/Javelin2009IdentityFraudSurveyPressRelease.pdf


Source: http://vaperforms.virginia.gov/indicators/govtCitizens/consumerProtection.php


In 2007, credit card fraud (23%) was the most common form of reported identity theft followed by phone or utilities fraud (18%), employment fraud (14%) and bank fraud (13%). Other significant categories of identity theft reported by victims were government documents/benefits fraud (11%) and loan fraud (5%).
Source: http://www.idtheftawareness.com/docs/WhatIsIdTheft.php


Source: http://reports.celent.com/Japanese/PressReleases/20030121/CreditCardFraud.htm

Incidents of identity theft relative to the size of each banking institution

Source: http://www.concurringopinions.com/archives/category/privacy-id-theft

4. SOCIAL SECURITY CARD FACILITATES IDENTITY THEFT:
The security of citizens depends on the social security number, which is printed on a social security card. Ironically, the social security card is the most insecure card, although its purpose is to provide social security.

Picture shows an identity thief taking Social Security Card from wallet.

NOTE: 36 percent of Americans age 18-49 and 43 percent of Americans age 50-plus carry their Social Security card in their wallet.

Also, the social security card can be faked easily. Fake IDs that include a social security card are common among illegal immigrants. Social security cards and other fake IDs are sold in flea markets [3].


Fake Social Security Cards and other ID’s

5. DISCUSSION:
Currently, when opening a credit card account and the like, people give their SSN over the phone or over the internet, where it can easily be overheard or hacked. Also, many criminals pose as bank staff and get personal information such as the SSN from people over the phone. Once the criminal knows someone’s SSN, he can go to a bank and open an account, and the bank staff don’t check the social security card for verification. To reduce identity theft, the SSN should always be used along with the social security card. Since the SSN has become a national identifier for individuals in the United States, it is very important information and should be well protected. The SSN on the current social security card is like precious jewels in a transparent plastic bag. The government is realizing this fact, and proposals are being made for the use of a biometric smartcard-based social security card [4].

Unfortunately, this biometric smartcard technology has been used in credit cards and e-passports that have been successfully cloned in minutes [5, 6]. Using a social security card based on such cloneable technology to protect the SSN is not sufficient. If the United States really wants to reduce identity theft, then the technology used in the social security card should be fake-proof and imposter-proof (in case it is stolen, the card should be unresponsive to fake biometrics).

6. e-SMART SOLUTION FOR REAL SOCIAL SECURITY:
e-Smart Technologies Inc., a pioneer in developing biometric security systems, has developed a unique biometric fingerprint match-on-card. In this match-on-card, the fingerprint template of the person is secured through encryption and never leaves the card during the authentication process. Thus there is no risk of the fingerprint being stolen from the card by electronic eavesdropping, skimming, etc. The card is also dummy/fake-finger proof, because it can judge the presence of a fake finger electrically and via software.
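
The difference between a card that releases its template to the reader (the skimming and eavesdropping drawback described in the Air France post) and a card that matches internally, as an added example that is not e-Smart's code or protocol. The byte-comparison matcher, the HMAC key shared between card and verifier, the nonce challenge and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

THRESHOLD = 0.9  # constructed acceptance threshold for the toy matcher

def similarity(a: bytes, b: bytes) -> float:
    """Toy stand-in for a fingerprint matcher: fraction of equal bytes."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)

class Channel:
    """Records everything crossing the card/reader link (the eavesdropper's view)."""
    def __init__(self):
        self.log = []
    def send(self, sender: str, label: str, payload: bytes) -> bytes:
        self.log.append((sender, label, payload))
        return payload

def template_exposed(ch: Channel, template: bytes) -> bool:
    """True if the stored template appeared in any message on the link."""
    return any(template in payload for _, _, payload in ch.log)

class TemplateReleasingCard:
    """Design criticised on the page: the card hands its template to the reader."""
    def __init__(self, template: bytes):
        self._template = template
    def read_template(self, ch: Channel) -> bytes:
        return ch.send("card", "template", self._template)

def reader_side_match(card, ch: Channel, live_sample: bytes) -> bool:
    stored = card.read_template(ch)  # the template crosses the link here
    return similarity(stored, live_sample) >= THRESHOLD

class MatchOnCard:
    """Template and comparison stay inside the card; only a keyed verdict leaves."""
    def __init__(self, template: bytes, key: bytes):
        self._template = template
        self._key = key
    def verify(self, ch: Channel, nonce: bytes, live_sample: bytes) -> bytes:
        # live_sample comes from the card's own sensor, so it never crosses ch.
        ok = similarity(self._template, live_sample) >= THRESHOLD
        verdict = b"\x01" if ok else b"\x00"
        tag = hmac.new(self._key, nonce + verdict, hashlib.sha256).digest()
        return ch.send("card", "verdict", verdict + tag)

def check_verdict(key: bytes, nonce: bytes, response: bytes) -> bool:
    """Reader side: accept only a positive verdict bound to this nonce."""
    verdict, tag = response[:1], response[1:]
    expected = hmac.new(key, nonce + verdict, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected) and verdict == b"\x01"

def card_side_match(card, ch: Channel, key: bytes, live_sample: bytes) -> bool:
    nonce = ch.send("reader", "nonce", os.urandom(16))  # fresh per attempt
    return check_verdict(key, nonce, card.verify(ch, nonce, live_sample))

# Constructed sample data (not real biometric templates or keys).
ENROLLED = bytes(range(32))
GENUINE = ENROLLED[:30] + b"\xff\xff"   # 30 of 32 bytes equal: 0.9375
IMPOSTOR = bytes(reversed(range(32)))   # no byte equal: 0.0
KEY = b"k" * 32                         # assumed pre-shared card/verifier key

if __name__ == "__main__":
    ch_a, ch_b = Channel(), Channel()
    print("reader-side match:", reader_side_match(TemplateReleasingCard(ENROLLED), ch_a, GENUINE))
    print("template on the link:", template_exposed(ch_a, ENROLLED))
    print("match-on-card:", card_side_match(MatchOnCard(ENROLLED, KEY), ch_b, KEY, GENUINE))
    print("template on the link:", template_exposed(ch_b, ENROLLED))
```

Without the nonce, a recorded positive verdict could simply be replayed to the reader; binding the verdict to a fresh challenge is what makes the one-bit answer usable.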

7. REFERENCES:
[1] http://epic.org/privacy/ssn/
[2] http://money.cnn.com/2009/02/09/news/newsmakers/identity_theft.reut/index.htm
[3] http://unheardnomore.blogspot.com/2009/03/social-security-cards-for-sale-fake.html
[4] http://www.secureidnews.com/2008/02/14/biometric-smart-card-for-social-security-proposed
[5] http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).
[6] http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)

Wednesday, May 6, 2009

ILLEGAL IMMIGRATION AUTHENTICATION:

-How the Current Immigration System is Broken and Weak-





Illegal immigration is one of the major problems faced by many countries in this world. Usually people illegally immigrate into another country to lead a better lifestyle, to evade criminal charges in their original country, or to perform criminal activities in the country they plan to enter. Illegal immigrants usually enter a country with the help of fake documents. Fake documents are not necessarily forged or counterfeit documents that look like genuine ones; they can also be genuine documents that were stolen, with the thief disguising himself/herself to look like the person in the document. The latter case is more difficult to spot: since the documents are genuine, the immigration officer will allow the person to enter unless he or the system is smart enough to detect that the person is an imposter.

Let us concentrate on illegal immigration into the USA and what the country has done so far to prevent or minimize it. After the 9/11 terror incident, the US government realized that paper immigration documents are easy to forge, so it replaced regular paper passports with electronic passports (e-passports) and implemented special LaserCard technology for its permanent residency card (commonly known as the Green Card) and Border Control Card (commonly known as the Laser Visa). In addition to checking documents, immigration officials scan the fingerprints of the arriving person to make sure that he is not a criminal or a previously deported person. The question is whether these new technologies used in the immigration documents reliably stop illegal immigration. Let us look at each of these technologies one by one:

1. Examining Fingerprint of a person:
The optical fingerprint readers used at airports can be easily fooled by a fake finger. A fake finger means that the person puts some kind of thin tape or covering that carries someone else's fingerprint over his own finger. Since the optical fingerprint reader just takes an image of the person's fingerprint and compares it with the database, it is the fake fingerprint on the tape that gets compared with the database. Even though US immigration presently scans all 10 fingerprints of a person, it is not foolproof. One may say that although it is possible to make one fake fingerprint, it is not easy to make fake fingerprints for all fingers; but there is sufficient material on the web that teaches one how to easily create a fake finger. For example, the following link shows how easily a latent fingerprint (a fingerprint left behind on some object by the potential victim) can be lifted and used as a stencil to make a fake finger.


http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en (Tutorial to make fake finger)

The following articles show how contemporary optical fingerprint readers can be fooled easily with a fake finger.
· http://www.securityfocus.com/news/6717 (German hackers fool fingerprint scanners).
· http://software.silicon.com/security/0,39024655,11033437,00.htm (Japanese man fools biometric sensor with fake finger)
· http://www.asiaone.com/Travel/News/Story/A1Story20090101-111750.html (South Korean woman fools Japanese fingerprint sensor)

e-Passports:
Since paper passports can be forged without much difficulty, e-passports have been introduced. e-passports are similar to the regular passports except for a small contactless RFID chip embedded in the back cover that is supposed to make it more secure than regular passport. The only personal information stored on the chip is the same information that is printed on the data page of the passport, including a digital version of the photograph.

Do e-passports actually provide the security they are intended for? Unfortunately NO, since current e-passports are vulnerable to skimming or eavesdropping attacks by hackers. A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. An eavesdropping attack is when someone intercepts the communication between the e-passport and the reader and steals data. The owner of the e-passport will not even be aware that his information has been compromised.
Once the information is compromised, the RFID chip can be cloned, and all that remains is to make a fake passport based on the information in the chip.
The following links show evidence of how easily the information in the e-passport’s RFID chip can be attacked and cloned.
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/ (US Homeland Security passports successfully cloned with no problem)
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/ (Cloning of e-passports when in mail)

Also, proposals are being made for a person’s fingerprint information to be stored in the e-passport chip to provide added security. If a hacker manages to obtain the digitized fingerprint information from the e-passport chip, then he can make a fake finger using that information.

Lasercard Technology for making Green Card and Laser Visa:
Just like regular paper passports, green cards and border crossing cards can be forged without much difficulty. To solve this issue of forgery, new green cards and border crossing cards (also known as Laser Visas) backed by Lasercard technology are issued. A Lasercard is basically an optical memory card that can contain the optical digitized image of the owner’s photo and fingerprint. Though claims are made that the lasercard data cannot be altered and is hard to counterfeit, some articles mention the sale of fake new green cards in Tijuana, Mexico for $500 apiece.

It has already been proven in the Dublin bank fraud case that lasercard technology is not imposter-proof or fake-proof. In the Dublin bank case, the bank lasercards were cloned and PIN numbers were obtained from shopkeepers who were paid to observe the customer while he/she was entering the PIN. The cloned card was used to withdraw money.
Related link:
http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).

Just as the PIN is the authenticating factor in a laser bankcard, fingerprint matching and visual comparison of the face are the authenticating factors in travel documents. Lasercards that contain the optical digitized image of the owner’s photo and fingerprint can be dangerous when stolen, because stolen lasercards are government-issued cards, so there is no headache of forging. The immigration officer will not object to the stolen card’s authenticity. All that the thief needs to do is to look like the victim and also have matching fingerprints. As we already know, it is not hard to fake a fingerprint, and people leave their fingerprints everywhere, where they can be stolen by any watchful hacker.

Actually, looking at the current border-crossing scenario, the illegal immigrant (who could be a criminal) doesn’t have much to do. Many articles mention that the border-crossing officers just ask a few questions and don’t even care to verify the biometric information stored in the card.
Related Article:
· http://www.themonitor.com/onset?id=2429&template=article.html (Expensive authentication technology wasted)

From the article above we can see that authentication using lasercard technology is person-dependent (i.e. dependent on the immigration officer). The officer makes the decision whether or not to verify the biometrics in the card. On a busy day the officer may be too lazy to verify all the information, and the country may have to pay the price for his laziness. We should also not overlook the fact that the officer could be bribed.

CONCLUSION: The USA (and also the world) needs “change” in current immigration authentication systems:

Looking at the drawbacks in the current immigration authentication system, we need a system that:
- cannot be fooled by a replica of a person’s biometric details such as fingerprint or face.
- is hard to forge or counterfeit.
- is independent of human control. Authentication should be done by the system automatically and not at the discretion of the immigration officer.
- provides secure communication between the reader and the travel document; in other words, is not vulnerable to skimming or eavesdropping.

-IS THERE ANY SOLUTION?-
How can e-Smart Technologies Inc. bring about this “change” in the immigration system?

e-Smart Technologies Inc. claims it can create an authentication environment that would overcome the above drawbacks. Let us ask e-Smart Technologies Inc.’s CTO and Sr. Vice President, Mr. Tamio Saito, to get more knowledge on e-Smart technology.

Interviewer: Can you please briefly explain how e-Smart authentication system works and what makes it unique in terms to security when compared to contemporary systems?
e-Smart CTO: e-Smart authentication is made on the card, and the fingerprint template is secured in the card through encryption. So, there is no chance for anyone to change the fingerprint. In the current system, an employee can change the fingerprint database, and a hacker can do so also. And the biggest risk is that if someone steals the fingerprint, there is no way to recover, because no one can change their finger, in contrast to passwords. There are so many crimes in which an employee sells a database for small cash. A spy can change the fingerprint VERY EASILY by paying a small amount of money to an employee, such as one near bankruptcy because of investment loss, an alcoholic, etc.

Interviewer: Can the e-Smart authentication system be fooled using a fake finger? If not why?
e-Smart CTO: The fingerprint detection system can find out a copied paper finger very easily, and a gummy finger by electrical and software means. The current optical sensor, using a CCD or MOS device, can be easily faked by a copied fingerprint. It cannot read a wet finger. Under sunshine or strong backlight, it may cause problems. But the e-Smart sensor has no such issues.

Interviewer: Is e-Smart’s RFID chip vulnerable to skimming and eavesdropping attacks and subsequent cloning of the chip? If no, please explain what makes it so special that it cannot be cloned. If yes, would the clone work reliably for the imposter?

e-Smart CTO: Our design is to use a biometric-related key for encryption, from the finger touched on the sensor in the card. The current and legacy systems in use just use a generic chip off the shelf, having no unique data that comes from the person who holds the card.

Interviewer: Is the e-Smart authentication technology human dependent? In other words is the verification of biometric information dependent on the discretion or mood of the immigration officer who may be lazy or busy to verify all biometric information in e-passport?

e-Smart CTO: In the current system, the person entering the border can bribe, threaten, or collaborate with the immigration officer to cheat the system. They are NOT FAIL-SAFE SYSTEMS. It depends on immigration officers. However, the e-Smart card can be activated only when the fingerprint of the cardholder matches the data in the card. It is automatic and independent of the immigration officer.