e-Smart was one of the companies who provided the demonstration models for this event as e-Smart product will be the standard of the nation.
Thursday, April 16, 2009
Secure OS Forum 2009 Conference in Korea 2009
There was a conference of OS Forum for Security held at COEX in Seoul, Korea.
e-Smart was one of the companies who provided the demonstration models for this event as e-Smart product will be the standard of the nation.
e-Smart was one of the companies who provided the demonstration models for this event as e-Smart product will be the standard of the nation.
Monday, April 13, 2009
E-Passport Security Issues and an e-SMART solution:
Background:
The realization that paper-based passports can be too easily altered or falsified is driving a worldwide move to electronic passports. The large number of lost or stolen passports—more than 300,000 in the United States alone in recent years—meant there was a huge pool of paper-based passports potentially available to counterfeiters.
After the destructions of WTC on the United States on September 11, 2001, Congress legislated that all countries participating in the Visa Waiver Program with the United States must issue passports with integrated circuits (chips) to add digital security features that prevent counterfeiting and positively confirm the bearer of the passport with a biometric, such as a digital copy of the photograph printed on the cover.
An e-passport contains a chip that implements the ICAO standard for Machine Readable Travel Documents (MRTD's). The only personal information stored on the chip is the same information that is printed on the data page of the passport, including a digital version of the photograph.
However, having Chip does not mean passport holder is the right person and impossible to prove it.
Because there is no direct relationship between Chip and passport holder. .It is NOT clone proof, hack proof, fake proof or not temper proof. The most important requirement is clone proof and fake proof. That means there is no technology to identify individual by the passport by itself, we can say all of current passports, maybe little bit better than paper, are old fashioned, legacy, stone age architect but not meaningful or effective modality to identify invividual at all. There are already so many proved fake or weakness there as below. We can say 9-11 tirggerd some business or benifit to low teck companies or related entities, but MicroChip can not prevent any tragedy like 9-11. We need to figure out WHO IS RESPONSBLE for implementing NON SECURED PASSPORT.
e-Passports Security:
The e-passports are protected by a digital signature which, when altered, are supposed to be rejected by the reader. The validation of the signatures on e-passports requires the exchange of PKI certificates between the authorities of the issuing countries or the use of ICAO's PKD (Public Key Directory) system.
The ICAO standard chip contains following files (“Elementary Files”, EFs):
– EF.DG1: personal information (required)
– EF.DG2: picture, JPG/JPG2000 (required)
– EF.DG[3-14,16]: finger prints, iris scans and other files for future use (optional)
– EF.DG15: anti-cloning crypto (optional)
– EF.SOD: safeguarding integrity of DGs (required)
– EF.COM: index of available files (required)
The ICAO standard requirements comprises of two authentication features (passive authentication and active authentication) and one confidentiality feature (Basic Access Code).
PASSIVE AUTHENTICATION (required):
Here information stored on the e-passport’s contactless smart card chip is digitally signed by the issuing country and the digital signature is checked before use. Passive authentication safeguard integrity of data stored in the chip. EF.SOD stores hashes of EF.DG[1-16] and a public key The hashes are digitally signed with a private key. If the attacker tried to change the hash to assume false identity, then the digital signature verification would fail, and the attack would be detected.
Flaws in Passive Authentication:
Unfortunately passive authentication is not highly reliable because it has the following drawbacks:
1. Passive authentication verifies data integrity but not chip integrity, which means no way to verify if chip data was stolen and cloned.
2. For passive authentication an inspection system must check the public key in the chip (part of EF.SOD) against a list of trusted certificates. This list comprises of "Country Signing CA Certificates (CCSCA)” and “ICAO Public Key Directory (PKD)”. Only ten of the forty-five countries with e-passports have signed up to the ICAO PKD code system (not all of them are currently using it) and the remaining can use their own CCSCA codes. Since there is no universally accepted key code system for authentication, criminals could always use fake e-passports from countries that do not share the ICAO PKD codes, which would then go undetected at passport control.
3. Passive authentication there is no protection against skimming or eavesdropping attack by outsiders.
A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. At normal power ranges, contactless smart card readers must be relatively close to the card within a few inches or at most a few feet. However, that range can be extended if the reader broadcasts power at illegally high levels. A skimming attack could be done to facilitate identity theft or to trace the movements of an individual.
An eavesdropping attack can occur, if the contactless smart card is actively communicating with a legitimate reader. RF emanations from both the smart card and the reader have been shown in tests to be readable at distances up to 30 feet (9 meters).
Thus, the attacker could also clone e-passport of a country that implements the ICAO PKD if he managed to steal chip data information through skimming or eavesdropping. So, countries (including USA) that are just relying on passive authentication for e-passport verification are putting the identity of their e-passport holders in a great risk.
Examples of attacking Passive Authentication:
Example1: Osama technically becomes a citizen of Britain.
Jeroen van Beek, a computer researcher at the University of Amsterdam, has shown in some tests conducted for The Times that the new micro-chipped passports, introduced in UK to protect against terrorism and organized crime, can be easily cloned. Jeroen cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber.
The cloned chips were regarded as genuine by the Golden Reader, which is the standard passport reader software used by the UN agency setting standards for e-passports and which is also recommended for use at airports. The cloning operation took less than an hour.
Related Articles:
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
http://www.edri.org/edrigram/number6.16/clone-epassports
Example 2: US Homeland Security passports successfully cloned.
The current EPC Gen 2 RFID tags used in the wallet-sized Homeland Security passports use no encryption, and are unable to selectively transmit any data. Instead, the RFID tags broadcast sensitive information, enabling anyone with the proper equipment to collect information that could potentially be used for identity theft, or other nefarious purposes.
An intrepid data security researcher named Chris Paget devised a simple method of collecting and absorbing RFID passport information for the illumination of his peers at the ShmooCon hacker convention (held in Washington, D.C.). Chris devised a fairly inexpensive method of tracking and reading the passports. He bought a $250 RFID scanner on eBay to do the actual card-reading. Then he purchased a cheap, simple antenna to boost his range of the scanner. Then, he went driving in San Fransisco. Chris said that the passport card is a real radio broadcast, so there is no real limit to the read range. It's conceivable that these things can be tracked from 100 meters -- a couple of miles. Chris had no trouble collecting -- and copying -- information from the RFID passports of six people, in a half-hour of driving around.
Related Article:
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
BASIC ACCESS CONTROL (Optional):
Basic Access Control is an optional confidentiality feature that could be used to overcome the drawback of passive authentication, i.e. skimming and eavesdropping, however it has drawbacks of its own.
Basic Access Control requires that the initial interaction between the embedded microchip in the passport and the border control reader include protocols for setting up the secure communication channel. The reader first acquires the MRZ information from the data page of the passport, generally via a connected OCR scanner. This MRZ information is used for computing the encryption and message authentication keys used for the “secure” exchange of the session keys. After authentication data is encrypted (3DES).
The realization that paper-based passports can be too easily altered or falsified is driving a worldwide move to electronic passports. The large number of lost or stolen passports—more than 300,000 in the United States alone in recent years—meant there was a huge pool of paper-based passports potentially available to counterfeiters.
After the destructions of WTC on the United States on September 11, 2001, Congress legislated that all countries participating in the Visa Waiver Program with the United States must issue passports with integrated circuits (chips) to add digital security features that prevent counterfeiting and positively confirm the bearer of the passport with a biometric, such as a digital copy of the photograph printed on the cover.
An e-passport contains a chip that implements the ICAO standard for Machine Readable Travel Documents (MRTD's). The only personal information stored on the chip is the same information that is printed on the data page of the passport, including a digital version of the photograph.
However, having Chip does not mean passport holder is the right person and impossible to prove it.
Because there is no direct relationship between Chip and passport holder. .It is NOT clone proof, hack proof, fake proof or not temper proof. The most important requirement is clone proof and fake proof. That means there is no technology to identify individual by the passport by itself, we can say all of current passports, maybe little bit better than paper, are old fashioned, legacy, stone age architect but not meaningful or effective modality to identify invividual at all. There are already so many proved fake or weakness there as below. We can say 9-11 tirggerd some business or benifit to low teck companies or related entities, but MicroChip can not prevent any tragedy like 9-11. We need to figure out WHO IS RESPONSBLE for implementing NON SECURED PASSPORT.
e-Passports Security:
The e-passports are protected by a digital signature which, when altered, are supposed to be rejected by the reader. The validation of the signatures on e-passports requires the exchange of PKI certificates between the authorities of the issuing countries or the use of ICAO's PKD (Public Key Directory) system.
The ICAO standard chip contains following files (“Elementary Files”, EFs):
– EF.DG1: personal information (required)
– EF.DG2: picture, JPG/JPG2000 (required)
– EF.DG[3-14,16]: finger prints, iris scans and other files for future use (optional)
– EF.DG15: anti-cloning crypto (optional)
– EF.SOD: safeguarding integrity of DGs (required)
– EF.COM: index of available files (required)
The ICAO standard requirements comprises of two authentication features (passive authentication and active authentication) and one confidentiality feature (Basic Access Code).
PASSIVE AUTHENTICATION (required):
Here information stored on the e-passport’s contactless smart card chip is digitally signed by the issuing country and the digital signature is checked before use. Passive authentication safeguard integrity of data stored in the chip. EF.SOD stores hashes of EF.DG[1-16] and a public key The hashes are digitally signed with a private key. If the attacker tried to change the hash to assume false identity, then the digital signature verification would fail, and the attack would be detected.
Flaws in Passive Authentication:
Unfortunately passive authentication is not highly reliable because it has the following drawbacks:
1. Passive authentication verifies data integrity but not chip integrity, which means no way to verify if chip data was stolen and cloned.
2. For passive authentication an inspection system must check the public key in the chip (part of EF.SOD) against a list of trusted certificates. This list comprises of "Country Signing CA Certificates (CCSCA)” and “ICAO Public Key Directory (PKD)”. Only ten of the forty-five countries with e-passports have signed up to the ICAO PKD code system (not all of them are currently using it) and the remaining can use their own CCSCA codes. Since there is no universally accepted key code system for authentication, criminals could always use fake e-passports from countries that do not share the ICAO PKD codes, which would then go undetected at passport control.
3. Passive authentication there is no protection against skimming or eavesdropping attack by outsiders.
A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. At normal power ranges, contactless smart card readers must be relatively close to the card within a few inches or at most a few feet. However, that range can be extended if the reader broadcasts power at illegally high levels. A skimming attack could be done to facilitate identity theft or to trace the movements of an individual.
An eavesdropping attack can occur, if the contactless smart card is actively communicating with a legitimate reader. RF emanations from both the smart card and the reader have been shown in tests to be readable at distances up to 30 feet (9 meters).
Thus, the attacker could also clone e-passport of a country that implements the ICAO PKD if he managed to steal chip data information through skimming or eavesdropping. So, countries (including USA) that are just relying on passive authentication for e-passport verification are putting the identity of their e-passport holders in a great risk.
Examples of attacking Passive Authentication:
Example1: Osama technically becomes a citizen of Britain.
Jeroen van Beek, a computer researcher at the University of Amsterdam, has shown in some tests conducted for The Times that the new micro-chipped passports, introduced in UK to protect against terrorism and organized crime, can be easily cloned. Jeroen cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber.
The cloned chips were regarded as genuine by the Golden Reader, which is the standard passport reader software used by the UN agency setting standards for e-passports and which is also recommended for use at airports. The cloning operation took less than an hour.
Related Articles:
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
http://www.edri.org/edrigram/number6.16/clone-epassports
Example 2: US Homeland Security passports successfully cloned.
The current EPC Gen 2 RFID tags used in the wallet-sized Homeland Security passports use no encryption, and are unable to selectively transmit any data. Instead, the RFID tags broadcast sensitive information, enabling anyone with the proper equipment to collect information that could potentially be used for identity theft, or other nefarious purposes.
An intrepid data security researcher named Chris Paget devised a simple method of collecting and absorbing RFID passport information for the illumination of his peers at the ShmooCon hacker convention (held in Washington, D.C.). Chris devised a fairly inexpensive method of tracking and reading the passports. He bought a $250 RFID scanner on eBay to do the actual card-reading. Then he purchased a cheap, simple antenna to boost his range of the scanner. Then, he went driving in San Fransisco. Chris said that the passport card is a real radio broadcast, so there is no real limit to the read range. It's conceivable that these things can be tracked from 100 meters -- a couple of miles. Chris had no trouble collecting -- and copying -- information from the RFID passports of six people, in a half-hour of driving around.
Related Article:
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
BASIC ACCESS CONTROL (Optional):
Basic Access Control is an optional confidentiality feature that could be used to overcome the drawback of passive authentication, i.e. skimming and eavesdropping, however it has drawbacks of its own.
Basic Access Control requires that the initial interaction between the embedded microchip in the passport and the border control reader include protocols for setting up the secure communication channel. The reader first acquires the MRZ information from the data page of the passport, generally via a connected OCR scanner. This MRZ information is used for computing the encryption and message authentication keys used for the “secure” exchange of the session keys. After authentication data is encrypted (3DES).
Basic Access Control Process
The MRZ information used for basic authentication is the passport serial number, the holder’s date of birth and the expiration date of the passport. Basic access control should be effective against simple skimming attacks. However with a little effort the key biometric passport is relatively easy to identify/crack since it is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. For example birth date for 10 year time period has 10*365 = 3650 values, expiry date within 5 years: 5*365 = 1825 values and passport numbers are typically issued in sequence, so low entropy, and strongly correlated with expiry date
.
Flaws in Basic Access Code:
i. Weak authentication key since it is based on passport issue date, passport expiry date and passport number.
ii. Does not detect cloned passport.
Example of Basic Access Control Authentication Attack:
Example: Cloning of biometric e-passports while they are still in the mail bag
For example there is an article that talks about successful attack on e-passports when they were in the mail sent by the passport office to the applicant. Perhaps more easier to crack in mail as the issue date of new passport would be within a few days and expiry date would be 10 years from the issue date. It relatively easy to identify the holder's date of birth. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label. No proof of identity was required when the passport was delivered. Because it's feasible to steal the data without detection in the mail, it's perfectly possible that insiders could intercept large numbers of the millions of new passports delivered every year.
Related Article:
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/
Basic Access Code substituted by Faraday’s cage in US e-passports:
As a substitute to Basic Access Code, Faradays cage protects US e-passports. This cage is setup by covering the passport with an aluminum foil. However creating a Faraday’s cage can prevent skimming (when passport is closed) but not eavesdropping.
ACTIVE AUTHENTICATION (optional):
The optional active authentication feature further strengthens the Basic Access Code confidentiality feature. Active authentication lets the inspecting system know if the e-passport is genuine or a clone. For active authentication an asymmetric key pair is stored in the chip, one public key and one private. The public key is accessible in DG15 (i.e. integrity protected by PA). The private key does not leave the chip, no way to read the key, but possible to verify whether the chip can access the private key. RSA is used for active authentication. The steps involved in active authentication are as follows:
Step1: Reader reads signed passport public key
Step2: Reader sends challenge to passport
Step3: Passport encrypts challenge with secret RSA key
Step4: Reader gets encrypted response from passport
Step5: Reader verifies response using the public key from DG15
Active Authentication
Thus, the optional active authentication together with the mandatory passive authentication feature together should provide both data integrity and chip integrity.
Flaws in Active Authentication:
However the active and passive authentication combination is not impenetratable and can be cracked.
a). Manipulating the index file:
Any system (or security feature) is as strong as its weakest link. Even with active authentication enabled e-passports the attacker can manipulate the index file (EF.COM) such that Active Authentication check might be skipped.
Manipulation of the Index File
If the inspecting system is made to think that the DG15 file is not there then it will not check for active authentication, in other words not check for cloning. This attack strategy is also applicable to all other optional security features.
Related Article:
http://freeworld.thc.org/thc-epassport/
http://www.cs.ru.nl/~erikpoll/talks/Makerere/ePassport.ppt
b.) Side-channel attacks:
Side-channels provide unintended means to analyze or manipulate the behavior of cryptographic implementations. Common side channel analysis methods are:
i. Time analysis:
Here process duration is used to reveal secrets. After analyzing RSA trace, and noting the distance variations between higher and lower parts, the key can be derived from a single observation.
Time-Power Analysis of RSA
ii. Power Analysis:
Here power consumption pattern to reveal secrets. Collect many (>1000) RSA power traces and compute average energy per modular operation. Small variations reveal key bits. More advanced correlation analysis is also possible.
Statistical power analysis of RSA (2)
iii. Electro-Magnetic analysis:
Here EM radiation is used to reveal secrets
iv. Power glitching:
This involves the use power interruptions to inject computational faults.
Steps involved in cloning passport through side-channel attack:
Step1: Read personal data (Cloning requires physical access to victim passport)
Step2: Perform multiple active authentications (RSA)
Step3: Retrieve private key by (statistical) analysis
Step4: Load new chip with personal data and RSA keys
Step5: Attach chip to passport document with same identity
! Cloned e-passport chip ready to use!
Related Article:
http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-Witteman.pdf
EXTENDED ACCESS CONTROL (Optional):
Extended Access Control is confidentiality feature defined by the European Union to allow authorized Inspection system (system used to read e-passport) to read sensitive biometric data such as fingerprints from e-passports. Extended Access Control is not a part of the ICAO standard.
In Extended Access Control the passport reader is required to obtain a digital certificate from the issuing country before it could access the fingerprint file on the passport chip. The certificate is supposed to be valid for only a short period of time so that no reader can access the fingerprint on a passport chip once that time period has expired.
Extended Access Authentication facilitates chip authentication and terminal authentication.
Chip Authentication by Extended Access Control:
replaces the active authentication feature to authenticate the chip and prove that the chip is genuine (not cloned);
establishes strongly secured communication channel (stronger than the one established by Basic Access Code mechanism)
Terminal Authentication by Extended Access Control:
· extra PKI for reader is used to determine whether the Inspection System is allowed to read the sensitive data from the e-passport.
Flaws in Extended Access Control:
i. Though the digital certificate obtained by the reader is supposed to be of short duration the passport chip contains no clock so that it can't know when the time period has passed and determine if a certificate is no longer valid. If the reader equipped with valid electronic certificate is stolen then the passport data can be accessed later and thief can access all biometric information of the person
ii. Another challenge for chips is to maintain an up-to-date list of PKIs belonging to those countries that have signed the appropriate agreement to access privacy-sensitive data. So far, readers must help e-passports figure out whether their countries have been granted access through an as-yet-unspecified protocol.
iii. The reader can read the SOD without passing through Extended Access Control. Someone who, say, knows most of the content of data group can try to access the chip data by brute force.
Related Links:
http://blog.wired.com/27bstroke6/2007/12/authorities-hit.html
http://infoscience.epfl.ch/record/115087/files/Vaudenay-epassport.pdf
Key features of e-Smart technology to overcome current e-passport security issues:
The key features of e-Smart powered Biometric e-passport are:
· e-Smarts proprietary match-on-card technology can be used to verify legitimacy of the person carrying the e-passport even if the passport is subjected only to passive authentication (lowest but mandatory requirement for authentication by ICAO).
· Fingerprint of the individual is used to reliably authenticate person. In e-Smart match-on-card system the biometric fingerprint information would not leave the card/e-passport but is matched within card/e-passport. So the hacker will not get access to to biometric fingerprint data.
· only the biometric template or co-ordinates of the fingerprint is stored within chip from which finger information cannot be extract. Thus, no risk of theft of person’s fingerprint data.
The MRZ information used for basic authentication is the passport serial number, the holder’s date of birth and the expiration date of the passport. Basic access control should be effective against simple skimming attacks. However with a little effort the key biometric passport is relatively easy to identify/crack since it is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. For example birth date for 10 year time period has 10*365 = 3650 values, expiry date within 5 years: 5*365 = 1825 values and passport numbers are typically issued in sequence, so low entropy, and strongly correlated with expiry date
.
Flaws in Basic Access Code:
i. Weak authentication key since it is based on passport issue date, passport expiry date and passport number.
ii. Does not detect cloned passport.
Example of Basic Access Control Authentication Attack:
Example: Cloning of biometric e-passports while they are still in the mail bag
For example there is an article that talks about successful attack on e-passports when they were in the mail sent by the passport office to the applicant. Perhaps more easier to crack in mail as the issue date of new passport would be within a few days and expiry date would be 10 years from the issue date. It relatively easy to identify the holder's date of birth. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label. No proof of identity was required when the passport was delivered. Because it's feasible to steal the data without detection in the mail, it's perfectly possible that insiders could intercept large numbers of the millions of new passports delivered every year.
Related Article:
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/
Basic Access Code substituted by Faraday’s cage in US e-passports:
As a substitute to Basic Access Code, Faradays cage protects US e-passports. This cage is setup by covering the passport with an aluminum foil. However creating a Faraday’s cage can prevent skimming (when passport is closed) but not eavesdropping.
ACTIVE AUTHENTICATION (optional):
The optional active authentication feature further strengthens the Basic Access Code confidentiality feature. Active authentication lets the inspecting system know if the e-passport is genuine or a clone. For active authentication an asymmetric key pair is stored in the chip, one public key and one private. The public key is accessible in DG15 (i.e. integrity protected by PA). The private key does not leave the chip, no way to read the key, but possible to verify whether the chip can access the private key. RSA is used for active authentication. The steps involved in active authentication are as follows:
Step1: Reader reads signed passport public key
Step2: Reader sends challenge to passport
Step3: Passport encrypts challenge with secret RSA key
Step4: Reader gets encrypted response from passport
Step5: Reader verifies response using the public key from DG15
Active Authentication
Thus, the optional active authentication together with the mandatory passive authentication feature together should provide both data integrity and chip integrity.
Flaws in Active Authentication:
However the active and passive authentication combination is not impenetratable and can be cracked.
a). Manipulating the index file:
Any system (or security feature) is as strong as its weakest link. Even with active authentication enabled e-passports the attacker can manipulate the index file (EF.COM) such that Active Authentication check might be skipped.
Manipulation of the Index File
If the inspecting system is made to think that the DG15 file is not there then it will not check for active authentication, in other words not check for cloning. This attack strategy is also applicable to all other optional security features.
Related Article:
http://freeworld.thc.org/thc-epassport/
http://www.cs.ru.nl/~erikpoll/talks/Makerere/ePassport.ppt
b.) Side-channel attacks:
Side-channels provide unintended means to analyze or manipulate the behavior of cryptographic implementations. Common side channel analysis methods are:
i. Time analysis:
Here process duration is used to reveal secrets. After analyzing RSA trace, and noting the distance variations between higher and lower parts, the key can be derived from a single observation.
Time-Power Analysis of RSA
ii. Power Analysis:
Here power consumption pattern to reveal secrets. Collect many (>1000) RSA power traces and compute average energy per modular operation. Small variations reveal key bits. More advanced correlation analysis is also possible.
Statistical power analysis of RSA (2)
iii. Electro-Magnetic analysis:
Here EM radiation is used to reveal secrets
iv. Power glitching:
This involves the use power interruptions to inject computational faults.
Steps involved in cloning passport through side-channel attack:
Step1: Read personal data (Cloning requires physical access to victim passport)
Step2: Perform multiple active authentications (RSA)
Step3: Retrieve private key by (statistical) analysis
Step4: Load new chip with personal data and RSA keys
Step5: Attach chip to passport document with same identity
! Cloned e-passport chip ready to use!
Related Article:
http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-Witteman.pdf
EXTENDED ACCESS CONTROL (Optional):
Extended Access Control is confidentiality feature defined by the European Union to allow authorized Inspection system (system used to read e-passport) to read sensitive biometric data such as fingerprints from e-passports. Extended Access Control is not a part of the ICAO standard.
In Extended Access Control the passport reader is required to obtain a digital certificate from the issuing country before it could access the fingerprint file on the passport chip. The certificate is supposed to be valid for only a short period of time so that no reader can access the fingerprint on a passport chip once that time period has expired.
Extended Access Authentication facilitates chip authentication and terminal authentication.
Chip Authentication by Extended Access Control:
replaces the active authentication feature to authenticate the chip and prove that the chip is genuine (not cloned);
establishes strongly secured communication channel (stronger than the one established by Basic Access Code mechanism)
Terminal Authentication by Extended Access Control:
· extra PKI for reader is used to determine whether the Inspection System is allowed to read the sensitive data from the e-passport.
Flaws in Extended Access Control:
i. Though the digital certificate obtained by the reader is supposed to be of short duration the passport chip contains no clock so that it can't know when the time period has passed and determine if a certificate is no longer valid. If the reader equipped with valid electronic certificate is stolen then the passport data can be accessed later and thief can access all biometric information of the person
ii. Another challenge for chips is to maintain an up-to-date list of PKIs belonging to those countries that have signed the appropriate agreement to access privacy-sensitive data. So far, readers must help e-passports figure out whether their countries have been granted access through an as-yet-unspecified protocol.
iii. The reader can read the SOD without passing through Extended Access Control. Someone who, say, knows most of the content of data group can try to access the chip data by brute force.
Related Links:
http://blog.wired.com/27bstroke6/2007/12/authorities-hit.html
http://infoscience.epfl.ch/record/115087/files/Vaudenay-epassport.pdf
Key features of e-Smart technology to overcome current e-passport security issues:
The key features of e-Smart powered Biometric e-passport are:
· e-Smarts proprietary match-on-card technology can be used to verify legitimacy of the person carrying the e-passport even if the passport is subjected only to passive authentication (lowest but mandatory requirement for authentication by ICAO).
· Fingerprint of the individual is used to reliably authenticate person. In e-Smart match-on-card system the biometric fingerprint information would not leave the card/e-passport but is matched within card/e-passport. So the hacker will not get access to to biometric fingerprint data.
· only the biometric template or co-ordinates of the fingerprint is stored within chip from which finger information cannot be extract. Thus, no risk of theft of person’s fingerprint data.
Wireless Fingerprint Matching Passport
Only when fingerprint matches to the passport holder, passport can communicate with passport reader. Passport get power wirelessly and no battery. Fingerprint encripted data of card holder resides inthe passport.
OTHER REFERENCES:
http://blog.wired.com/sterling/2006/11/arphid_watch_fi.html
http://news.zdnet.com/2100-1009_22-149117.html
http://www.cs.ru.nl/~erikpoll/talks/Makerere/ePassport.ppt
http://en.wikipedia.org/wiki/RFID
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-180779
http://www.homelandstupidity.us/2006/08/03/your-new-e-passport-can-be-cloned/
http://www.homelandstupidity.us/2006/08/15/us-rfid-passports-now-arriving/
http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-vanBeek/BlackHat-Japan-08-Van-Beek-ePassports.pdf
http://domino.watson.ibm.com/library/CyberDig.nsf/papers/751B6341BFB9015485256FDB005DB216/$File/RC23575.pdf
http://www.law.ed.ac.uk/ahrc/SCRIPT-ed/vol4-3/hornung.asp
OTHER REFERENCES:
http://blog.wired.com/sterling/2006/11/arphid_watch_fi.html
http://news.zdnet.com/2100-1009_22-149117.html
http://www.cs.ru.nl/~erikpoll/talks/Makerere/ePassport.ppt
http://en.wikipedia.org/wiki/RFID
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-180779
http://www.homelandstupidity.us/2006/08/03/your-new-e-passport-can-be-cloned/
http://www.homelandstupidity.us/2006/08/15/us-rfid-passports-now-arriving/
http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-vanBeek/BlackHat-Japan-08-Van-Beek-ePassports.pdf
http://domino.watson.ibm.com/library/CyberDig.nsf/papers/751B6341BFB9015485256FDB005DB216/$File/RC23575.pdf
http://www.law.ed.ac.uk/ahrc/SCRIPT-ed/vol4-3/hornung.asp
Thursday, April 9, 2009
Microchip ID- Doggy Technology
There looks like some countries disregarding human dignity, downgrading human to be dogs. That plan is to implant microchip in the human body just like for dog.
As this technology is too old fashioned, anyone can transfer such capsule to god or cat or motorcycle or what so ever moving entity. Let Government keep track some capsule. Someone may give you copied one or better one, like all copies of Mr. President. This happens because there is no biometrical relationship between capsules to human.
Implantation to DOGs.
Our future, implanting to our body, if not using I AM card.
Farther more, the wireless frequency microchip for pet is 125 kHz ( ISO 11784/117785) and 134.2 kHz (11784/85, 134.2 kHz )and the photo looks very similar to capsule for pet, coil winding around ferrite core, cannot be even closer to the range of 1 GHz, how this can communicate with Satellite???? Toll gate at highway is 2-5 GHz with around 100 feet at back scattering. In much higher frequency range, Body acts as conductive body and thus very difficult have long range of communications. We cannot see any battery in the capsule, so communication distance is further limited.
Our future, if not using I AM card.
People can shield wireless communication by putting coin or aluminum foil on that and can put on faked on the top. If any those who want use this, recommended to eat dog food. There are some concern reported that implanted MicroChip caused CANCER. (http://www.nakedcapitalism.com/2007/09/microchip-implants-may-cause-cancer.html). What is interesting even a owner of this company is not ready to implant it.
e-Smart card, contracting to Legacy doggy technology, human possess and card holder’s irreversibly encrypted fingerprint is stored in the card, which can be only used by the card holder under ISO 14443A/B, of course no battery wireless power and fingerprint matching system on card. This is the technology for human and not for dogs. Korea start using this now.
As this technology is too old fashioned, anyone can transfer such capsule to god or cat or motorcycle or what so ever moving entity. Let Government keep track some capsule. Someone may give you copied one or better one, like all copies of Mr. President. This happens because there is no biometrical relationship between capsules to human.
Easily replaceable, easily copy-able, easily shield-able, legacy, low level, Dark Age technology for DOGs.
Implantation to DOGs.
Our future, implanting to our body, if not using I AM card.
Farther more, the wireless frequency microchip for pet is 125 kHz ( ISO 11784/117785) and 134.2 kHz (11784/85, 134.2 kHz )and the photo looks very similar to capsule for pet, coil winding around ferrite core, cannot be even closer to the range of 1 GHz, how this can communicate with Satellite???? Toll gate at highway is 2-5 GHz with around 100 feet at back scattering. In much higher frequency range, Body acts as conductive body and thus very difficult have long range of communications. We cannot see any battery in the capsule, so communication distance is further limited.
Another way to make capsle undetectable is to make LC circuit tuned to the carrier frequency ant put neaby the embedded capsle.
Actually the video shows the distance is few inches, nevertheless talking about GPS(???): Introduced as BARD CODE people (not hair bar code) , http://video.google.com/videoplay?docid=1969277708432444041&ei=wAnfSajHC4jIwgO_prS6Dw&q=microchip&hl=ja. For searching DOG, GPS is attached to the body not in the capsule as shown in the Photo. Do you want to be like this?
Our future, if not using I AM card.
People can shield wireless communication by putting coin or aluminum foil on that and can put on faked on the top. If any those who want use this, recommended to eat dog food. There are some concern reported that implanted MicroChip caused CANCER. (http://www.nakedcapitalism.com/2007/09/microchip-implants-may-cause-cancer.html). What is interesting even a owner of this company is not ready to implant it.
e-Smart card, contracting to Legacy doggy technology, human possess and card holder’s irreversibly encrypted fingerprint is stored in the card, which can be only used by the card holder under ISO 14443A/B, of course no battery wireless power and fingerprint matching system on card. This is the technology for human and not for dogs. Korea start using this now.
No injection needed.
Tuesday, April 7, 2009
IDENTITY THEFT AND FRAUD:
Dear Mr.Obama and Mr.MacCane,
We wonder who is responsbile for eliminating Fraud, especially on Social Security Fraud. There are so many proposal to eliminate Fraud by leading technology of biometrics. For example, e-Smart, since 2001, has been proposing fingerprint match on card based on the request from Social Security Office so that fingerprint information never leaves the card for protecting privacy of card holders. e-Smart has successfly developed that and Korea is start usinng that.
IDENTITY THEFT AND FRAUD:
Identity theft has been one of the major problems in this world. Within US itself there have been many cases of fraud caused by identity theft. Following are a few examples of identity theft fraud that have been listed in the http://www.usdoj.gov website:
Example1: Central District of California. A woman pleaded guilty to federal charges of using a stolen Social Security number to obtain thousands of dollars in credit and then filing for bankruptcy in the name of her victim. More recently, a man was indicted, pleaded guilty to federal charges and was sentenced to 27 months' imprisonment for obtaining private bank account information about an insurance company's policyholders and using that information to deposit $764,000 in counterfeit checks into a bank account he established.
Example 2: Central District of California. Two of three defendants have pleaded guilty to identity theft, bank fraud, and related charges for their roles in a scheme to open bank accounts with both real and fake identification documents, deposit U.S. Treasury checks that were stolen from the mail, and withdraw funds from those accounts.
Example 3: Middle District of Florida. A defendant has been indicted on bank fraud charges for obtaining names, addresses, and Social Security numbers from a Web site and using those data to apply for a series of car loans over the Internet.
Example 4: Southern District of Florida. A woman was indicted and pleaded guilty to federal charges involving her obtaining a fraudulent driver's license in the name of the victim, using the license to withdraw more than $13,000 from the victim's bank account, and obtaining five department store credit cards in the victim's name and charging approximately $4,000 on those cards.
Example 5: District of Kansas. A defendant pleaded guilty to conspiracy, odometer fraud, and mail fraud for operating an odometer "rollback" scheme on used cars. The defendant used false and assumed identities, including the identities of deceased persons, to obtain false identification documents and fraudulent car titles.
Above were just few examples to show how devastating identity theft can be for a victim. Incidences like there are becoming very common and proper measures needs to be taken by the US government and also governments around the world to counteract identity theft fraud.
PROPOSED MEASURES TO BE TAKEN TO COUNTER IDENTITY THEFT:
1. Social Security Number is not a reliable identifier:
Dr. Ron Paul, a Republican member of Congress from Texas, proposed to the congress about implementing an Identity Theft Prevention Act. This act is discourages the use of social security number as national identifier because once the number is stolen, along with a fake ID, it would be easy for any person to impersonate the person whose social security number has been compromised. In the above examples there is a case in which one person opened many fake accounts in a bank using fake ID and then pooled all the money from fake accounts to his real account. These incidences indicate a serious flaw in the way a person is identified. Just based on given social security number and looking at an ID is not enough to establish that the person is who he claims to be. There is always a possibility that the social security number could have been stolen and a fake ID could have been made. In other words looks can be deceptive.
Related Link:
http://www.lewrockwell.com/paul/paul228.html
2. Rely on Digital Technology than on humans:
Paper forms of identifying a person rely heavily on the skills and ability of a human to identify potential fraud and risk. Training personnel can help with fraud caused by paper records, but there is still an accepted level of human error that is permitted. By placing less reliance on humans to perform an ID check and more reliance on digital technology, the human error factor is reduced and higher efficiency rates can be achieved. Moving from a dependency of paper to a streamlined digital system is one way identity fraud risk patterns can be identified and mitigated.
Related Link:
http://ezinearticles.com/?Mitigating-Identity-Fraud-With-Fingerprint-Biometrics&id=1171062
3. Utilize Fingerprint Biometrics to eliminate possibility of multiple fake ID’s.
Fingerprint biometrics are a leading digital technology that can be utilized in digital identity authentication. Those in a point of service setting that use fingerprint biometrics do so by scanning a customer's ID through a system and instructing the customer to use a keypad to match fingerprints with a stored fingerprint identity. Fingerprint biometrics help increase the chances that the person in front of you presenting an ID is that ID's true identity. The result is an ability to capture and link fingerprints to a single ID record, which will increase fraud prevention and help ensure fraudsters do not attempt to use multiple identities.
Related Link:
http://ezinearticles.com/?Mitigating-Identity-Fraud-With-Fingerprint-Biometrics&id=1171062
4. Biometric Verification to link multiple IDs to single person:
Those in a point of service setting pay for fraud twice, once stemming from the initial act of fraud and a second time as a result of cost of goods, services and even insurance rates increases. Biometric verification can help resolve the problem of ID fraud and provide the point of service person that the customer presented is the actual person represented on the ID. The benefit of a biometric verification is that legitimate multiple IDs can be linked to a single person through one unique biometric fingerprint records. The additional benefit is that this unique biometric fingerprint cannot be utilized in multiple fraudulent IDs.
Related Link:
http://ezinearticles.com/?Mitigating-Identity-Fraud-With-Fingerprint-Biometrics&id=1171062
SOME EXAMPLES ON HOW BIOMETRIC TECHNOLOGY CAN BE USED TO PREVENT IDENTITY THEFT.
Example 1: Biometric smart card for Social Security proposed:
Current Social Security cards have limited security features and have no photo or biometric data and thus can be easily faked. In an effort to help combat identity theft and fraud, U.S. Rep. Mark Kirk (R-Ill.) is proposing a new Social Security card that would be based on the same technology the U.S. Department of Defense uses for the Common Access Card. The proposed cards would feature a photograph and fingerprint, as well as a computer chip, bar code and magnetic strip.
Related links:
http://www.secureidnews.com/2008/02/14/biometric-smart-card-for-social-security-proposed
http://archives.chicagotribune.com/2008/feb/12/news/chi-securitycard_12feb12
Example 2: New technology to protect pension funds from social security fraud:
Pension funds all over the world are confronted with the problem of misrepresentation for claiming pensions, which has resulted in huge loss to their legitimate beneficiaries. A Philippine-based pension fund has brought to the U.S. a technology mix that could put an end to fraud that often takes place in the delivery of social security benefits across nations. The Government Service Insurance System (GSIS) of Philippines unveiled on March 6, 2007 at the Philippine Center Building in San Francisco the GSIS Wireless Automated Processing System (GW@PS) to serve its pensioners and members in the area. The GW@PS is a home-blend of some of the most modern technologies—such as biometrics, smart card, and virtual private network—all working together to efficiently deliver social benefits while increasing safeguards against common claims fraud.
Related Link:
http://www.gsis.gov.ph/content.asp?ContentId=651&headertype1=left
Example 2: Trust in smartcards to prevent Internet and credit card fraud:
Internet fraud may perhaps one of the safest and economical ways of doing fraud, because for the person doing fraud there is no need to present any fake ID or give out social security number for online purchases. Perhaps that is why credit card fraud is 8 to 9 times more common in online channels than it is in traditional channels. If somehow a criminal minded person comes to know the credit card details and name of some other person then the criminal minded person can purchase products online using the credit card information of the other person. If a person losses his credit card or purse then at least he will take measures to cancel the card the moment he realizes it is missing, but if he has the card and just his information on the card is stolen then he will not realize his information has been compromised until he checks his credit card statement. If the person who is the victim of fraud does not check his credit card account periodically then he may not be aware of the fraud for a long time, resulting in huge loss for him.
One way to prevent internet fraud is by using biometric smartcards. Outfitted with a small microprocessor, smart cards perform all the functions of a traditional credit card, but provide greatly improved security as well as a range of specialized applications that take advantage of the card's ability to store and process personalized data. Smartcards are safer than credit cards because one can't just type a card number and expiration date into an online form or present the card to a sales agent at store or use it in a gas station. One must physically pass the smart card through a specialized card reader that communicates with the smartcard's built-in processor and data storage. Users can securely store personal data in the smartcards, which they can then share selectively to reduce the time they spend filling out tedious forms. Merchants can benefit because they can use the smart cards to offer electronic coupons or other special promotions aimed at improving sales and customer loyalty. Smart cards are also an excellent fit for multichannel sales because they are truly portable and can be used in a variety of settings--from physical stores to PCs to mobile phones--as long as those settings are equipped with card readers. People in European countries have been doing online and physical monetary transactions using smartcards for many years, but in the United States the technology is still new because the major credit-card companies didn't embrace the technology when it was first introduced--probably because it would have meant replacing billions of dollars' worth of existing technology. But now that the liability for credit-card fraud has shifted from merchants to card issuers there is considerable need for smartcards in United States to prevent fraud. Most analysts forecast fairly broad adoption of smart cards in the United States in the next two to three years.
Related Link:
http://www.zdnet.com.au/tag/news/fraud-security-smartcard.htm
We wonder who is responsbile for eliminating Fraud, especially on Social Security Fraud. There are so many proposal to eliminate Fraud by leading technology of biometrics. For example, e-Smart, since 2001, has been proposing fingerprint match on card based on the request from Social Security Office so that fingerprint information never leaves the card for protecting privacy of card holders. e-Smart has successfly developed that and Korea is start usinng that.
IDENTITY THEFT AND FRAUD:
Identity theft has been one of the major problems in this world. Within US itself there have been many cases of fraud caused by identity theft. Following are a few examples of identity theft fraud that have been listed in the http://www.usdoj.gov website:
Example1: Central District of California. A woman pleaded guilty to federal charges of using a stolen Social Security number to obtain thousands of dollars in credit and then filing for bankruptcy in the name of her victim. More recently, a man was indicted, pleaded guilty to federal charges and was sentenced to 27 months' imprisonment for obtaining private bank account information about an insurance company's policyholders and using that information to deposit $764,000 in counterfeit checks into a bank account he established.
Example 2: Central District of California. Two of three defendants have pleaded guilty to identity theft, bank fraud, and related charges for their roles in a scheme to open bank accounts with both real and fake identification documents, deposit U.S. Treasury checks that were stolen from the mail, and withdraw funds from those accounts.
Example 3: Middle District of Florida. A defendant has been indicted on bank fraud charges for obtaining names, addresses, and Social Security numbers from a Web site and using those data to apply for a series of car loans over the Internet.
Example 4: Southern District of Florida. A woman was indicted and pleaded guilty to federal charges involving her obtaining a fraudulent driver's license in the name of the victim, using the license to withdraw more than $13,000 from the victim's bank account, and obtaining five department store credit cards in the victim's name and charging approximately $4,000 on those cards.
Example 5: District of Kansas. A defendant pleaded guilty to conspiracy, odometer fraud, and mail fraud for operating an odometer "rollback" scheme on used cars. The defendant used false and assumed identities, including the identities of deceased persons, to obtain false identification documents and fraudulent car titles.
Above were just few examples to show how devastating identity theft can be for a victim. Incidences like there are becoming very common and proper measures needs to be taken by the US government and also governments around the world to counteract identity theft fraud.
PROPOSED MEASURES TO BE TAKEN TO COUNTER IDENTITY THEFT:
1. Social Security Number is not a reliable identifier:
Dr. Ron Paul, a Republican member of Congress from Texas, proposed to the congress about implementing an Identity Theft Prevention Act. This act is discourages the use of social security number as national identifier because once the number is stolen, along with a fake ID, it would be easy for any person to impersonate the person whose social security number has been compromised. In the above examples there is a case in which one person opened many fake accounts in a bank using fake ID and then pooled all the money from fake accounts to his real account. These incidences indicate a serious flaw in the way a person is identified. Just based on given social security number and looking at an ID is not enough to establish that the person is who he claims to be. There is always a possibility that the social security number could have been stolen and a fake ID could have been made. In other words looks can be deceptive.
Related Link:
http://www.lewrockwell.com/paul/paul228.html
2. Rely on Digital Technology than on humans:
Paper forms of identifying a person rely heavily on the skills and ability of a human to identify potential fraud and risk. Training personnel can help with fraud caused by paper records, but there is still an accepted level of human error that is permitted. By placing less reliance on humans to perform an ID check and more reliance on digital technology, the human error factor is reduced and higher efficiency rates can be achieved. Moving from a dependency of paper to a streamlined digital system is one way identity fraud risk patterns can be identified and mitigated.
Related Link:
http://ezinearticles.com/?Mitigating-Identity-Fraud-With-Fingerprint-Biometrics&id=1171062
3. Utilize Fingerprint Biometrics to eliminate possibility of multiple fake ID’s.
Fingerprint biometrics are a leading digital technology that can be utilized in digital identity authentication. Those in a point of service setting that use fingerprint biometrics do so by scanning a customer's ID through a system and instructing the customer to use a keypad to match fingerprints with a stored fingerprint identity. Fingerprint biometrics help increase the chances that the person in front of you presenting an ID is that ID's true identity. The result is an ability to capture and link fingerprints to a single ID record, which will increase fraud prevention and help ensure fraudsters do not attempt to use multiple identities.
Related Link:
http://ezinearticles.com/?Mitigating-Identity-Fraud-With-Fingerprint-Biometrics&id=1171062
4. Biometric Verification to link multiple IDs to single person:
Those in a point of service setting pay for fraud twice, once stemming from the initial act of fraud and a second time as a result of cost of goods, services and even insurance rates increases. Biometric verification can help resolve the problem of ID fraud and provide the point of service person that the customer presented is the actual person represented on the ID. The benefit of a biometric verification is that legitimate multiple IDs can be linked to a single person through one unique biometric fingerprint records. The additional benefit is that this unique biometric fingerprint cannot be utilized in multiple fraudulent IDs.
Related Link:
http://ezinearticles.com/?Mitigating-Identity-Fraud-With-Fingerprint-Biometrics&id=1171062
SOME EXAMPLES ON HOW BIOMETRIC TECHNOLOGY CAN BE USED TO PREVENT IDENTITY THEFT.
Example 1: Biometric smart card for Social Security proposed:
Current Social Security cards have limited security features and have no photo or biometric data and thus can be easily faked. In an effort to help combat identity theft and fraud, U.S. Rep. Mark Kirk (R-Ill.) is proposing a new Social Security card that would be based on the same technology the U.S. Department of Defense uses for the Common Access Card. The proposed cards would feature a photograph and fingerprint, as well as a computer chip, bar code and magnetic strip.
Related links:
http://www.secureidnews.com/2008/02/14/biometric-smart-card-for-social-security-proposed
http://archives.chicagotribune.com/2008/feb/12/news/chi-securitycard_12feb12
Example 2: New technology to protect pension funds from social security fraud:
Pension funds all over the world are confronted with the problem of misrepresentation for claiming pensions, which has resulted in huge loss to their legitimate beneficiaries. A Philippine-based pension fund has brought to the U.S. a technology mix that could put an end to fraud that often takes place in the delivery of social security benefits across nations. The Government Service Insurance System (GSIS) of Philippines unveiled on March 6, 2007 at the Philippine Center Building in San Francisco the GSIS Wireless Automated Processing System (GW@PS) to serve its pensioners and members in the area. The GW@PS is a home-blend of some of the most modern technologies—such as biometrics, smart card, and virtual private network—all working together to efficiently deliver social benefits while increasing safeguards against common claims fraud.
Related Link:
http://www.gsis.gov.ph/content.asp?ContentId=651&headertype1=left
Example 2: Trust in smartcards to prevent Internet and credit card fraud:
Internet fraud may perhaps one of the safest and economical ways of doing fraud, because for the person doing fraud there is no need to present any fake ID or give out social security number for online purchases. Perhaps that is why credit card fraud is 8 to 9 times more common in online channels than it is in traditional channels. If somehow a criminal minded person comes to know the credit card details and name of some other person then the criminal minded person can purchase products online using the credit card information of the other person. If a person losses his credit card or purse then at least he will take measures to cancel the card the moment he realizes it is missing, but if he has the card and just his information on the card is stolen then he will not realize his information has been compromised until he checks his credit card statement. If the person who is the victim of fraud does not check his credit card account periodically then he may not be aware of the fraud for a long time, resulting in huge loss for him.
One way to prevent internet fraud is by using biometric smartcards. Outfitted with a small microprocessor, smart cards perform all the functions of a traditional credit card, but provide greatly improved security as well as a range of specialized applications that take advantage of the card's ability to store and process personalized data. Smartcards are safer than credit cards because one can't just type a card number and expiration date into an online form or present the card to a sales agent at store or use it in a gas station. One must physically pass the smart card through a specialized card reader that communicates with the smartcard's built-in processor and data storage. Users can securely store personal data in the smartcards, which they can then share selectively to reduce the time they spend filling out tedious forms. Merchants can benefit because they can use the smart cards to offer electronic coupons or other special promotions aimed at improving sales and customer loyalty. Smart cards are also an excellent fit for multichannel sales because they are truly portable and can be used in a variety of settings--from physical stores to PCs to mobile phones--as long as those settings are equipped with card readers. People in European countries have been doing online and physical monetary transactions using smartcards for many years, but in the United States the technology is still new because the major credit-card companies didn't embrace the technology when it was first introduced--probably because it would have meant replacing billions of dollars' worth of existing technology. But now that the liability for credit-card fraud has shifted from merchants to card issuers there is considerable need for smartcards in United States to prevent fraud. Most analysts forecast fairly broad adoption of smart cards in the United States in the next two to three years.
Related Link:
http://www.zdnet.com.au/tag/news/fraud-security-smartcard.htm
Monday, April 6, 2009
Analysis on ID-Smart Card
Analysis on ID-Smart card photo in web www.id-smart to original id-smart card made in 2006,
Using e-smart circuit and e-smart components.
The card image matches.
e-Smart Technologies, Inc. Responds to Information Subpoenas From Securities & Exchange...
Mon Dec 31, 2007 3:00pm EST
Email Print Share Reprints Single Page[-] Text [+]
e-Smart Technologies, Inc. Responds to Information Subpoenas From Securities & Exchange Commission
NEW YORK, Dec. 31 /PRNewswire-FirstCall/ -- via COMTEX -- As discussed by e-Smart Technologies, Inc. (Pink Sheets: ESMT); ("e-Smart" or the Company") during its December 27, 2007 Telephonic Shareholder Conference Call, the Securities and Exchange Commission (SEC) has initiated an inquiry and has issued subpoenas to the Company for documents including those relating to certain loans made to e-Smart from its parent company IVI Smart Technologies Inc., ("IVI") and Intermarket Ventures, Inc. As in all such inquiries, the SEC has confirmed that it is conducting a "non-public fact-finding inquiry" and that its inquiry "does not mean that [the SEC] have a negative opinion of any person, entity or security" or "that anyone has broken the law."
As confirmed by the Company's legal counsel during that telephonic conference, "we received those requests for information, we've reviewed them and we're in the process of complying with all requests for information that come from the SEC."
The Company's legal counsel, Maranda Fritz, also provided an update relating to other important legal issues affecting the Company including the Company's pending litigation in the Northern District of California which resulted from the actions taken by two convicted felons, Wayne Drizin and Michael Gardiner, and Gardiner's company, ID Smart. Fritz advised that the
court issued an order prohibiting Drizin from any involvement in the biometric smart card industry, and barring Gardiner from using any e-Smart technology.
The court further ordered that those defendants return to e-Smart any and all property of the Company that they possessed. The Company is seeking a permanent injunction to prevent any use in the future of e-Smart's technology by Drizin and Gardiner and ID Smart.
The issuance of subpoenas by the SEC may also relate to further efforts by Gardiner and the other defendants to damage the Company and its shareholders. In November of 2007, Gardiner issued a public release stating that he had written a letter to the SEC claiming that the Company should have but did not publicly report their own -- Gardiner's and Drizin's -- wrongful conduct and their attempted theft of the Company's property. Details of these actions by Drizin and Gardiner were made public by the Company in a November 14, 2007 press release "e-Smart Technologies Responds to Press Release Issued by IDsmart LLC," and is available on the Company's website http://www.e-smart.com/.
In response to the SEC's inquiry, Mary Grace, CEO of e-Smart said, "The SEC is dedicated to the protection of the shareholders of public companies, and as the protection of our shareholders is my utmost concern, I am grateful that the SEC is looking into these issues. The actions of Gardiner and Drizin did cause damage to our shareholders because the Company was forced to take legal action to protect its intellectual property, and experienced delays in production. That Gardiner then tried to use his own fraudulent conduct to support his claims to the SEC, we believe, makes a mockery of the SEC and constitutes another act of securities fraud, the same conduct for which he already stands convicted. The Company will make available all information
requested by the SEC so they can fully review the actions of Wayne Drizin and Michael Gardiner/ID Smart against our shareholders and our Company. I am confident that, after the SEC looks at all matters relating to our Company, they will take appropriate steps to address the repeated instances of wrongful conduct by Drizin and Gardiner, and protect our Company and others from such conduct in the future."
e-Smart Technologies, Inc., is the exclusive supplier of the Biometric Verification Security(TM) (BVS2(TM)) system, the Super Smart Card(TM) system technology and related system technologies for Asia, Africa and the US, which e-Smart believes to be the world's first smartcard of its kind with an on-card sensor and a full match on-card system and other unique technologies for secure biometric ID verification. e-Smart's next generation technologies allow governments, public and private institutions, healthcare providers and insurers, companies large and small, to provide a superior level of protection. The Super Smart Card(TM) system technology and BVS2(TM) security system can secure countries from criminal and terrorist threats, stop ID and
payment fraud, along with identity theft in connection with physical and logical access and financial transactions, including telephone, Internet payment and other financial and data related transactions all while protecting individual privacy.
SAFE HARBOR STATEMENT
Statements in this news release that relate to future plans, financial results or projections, events or performance are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended and Section 21E of the Securities Exchange Act of 1934, as amended. While these statements are made to convey to the public the Company's progress,
business opportunities and growth prospects, readers are cautioned that such forward-looking statements represent the management's opinion. While management believes such representations to be true and accurate based on information available to the Company at this time, actual results may differ materially from those described.
For more information about e-Smart Technologies, please visit http://www.e-smart.com or contact Media Relations at 703-768-7477 or mailto:ormediarelations@e-smart.com SOURCE e-Smart Technologies, Inc.
Media Relations of e-Smart Technologies, Inc., +1-703-768-7477, mediarelations@e-smart.com
http://www.reuters.com/article/pressRelease/idUS104201+31-Dec-2007+PRN20071231
Sunday, April 5, 2009
IDsmart Admits in Court Document That e-Smart's Technology was Used to Develop IDsmart's Smart Card
NEW YORK, April 9 /PRNewswire-FirstCall/ -- e-Smart(R) Technologies, Inc. (Pink Sheets: ESMT); ("e-Smart" or the "Company") and its parent company, IVI Smart Technologies, Inc., (IVI) (hereinafter, collectively, the "Company") learned from disclosures filed in a Motion last month by IDsmart LLC, in the United States District Court, Northern District of California, San Francisco Division, Case No. 3:06cv5528MHP, that IDsmart admitted that its engineers were directed to use e-Smart's technology in developing IDsmart's biometric smart card product, as the original complaint filed by the Company against IDsmart for theft and misappropriation of our biometric smart card technology alleges. IDsmart also confirmed that, because its engineers had been instructed to use e-Smart's technology, IDsmart did not actually have a product design and was unable to "release" any product until approximately four months ago.
Mary Grace, President and CEO of e-Smart(R) said, "Finally, IDsmart admitted what we alleged in the original lawsuit and which we have argued before the Court for nearly two years -- which IDsmart repeatedly denied until now. IDsmart now admits not only that their engineers used e-Smart's technology but also that they have known for more than a year that e-Smart's technology was used in developing IDsmart's claimed biometric smart card product. Rather than acknowledging that they had used e-Smart's technology, IDsmart continued trying to sell an IDsmart product and failed to acknowledge to the Court that e-Smart's claims were true. In the original lawsuit filed against IDsmart the Company alleged the theft and misappropriation of e-Smart's technology by IDsmart, which claim IDsmart repeatedly denied under oath to the court. The Company also reported the theft of the technology to both the police and FBI in 2006, which IDsmart, Michael Gardiner and Wayne Drizin, both convicted felons, denied at that time. The Company will now file new reports to both th
** Please, go to:
http://leninology.blogspot.com/2008/09/long-con.html
http://www.thesanitycheck.com/Default.aspx?EntryID=215&tabid=84
SOURCE e-Smart Technologies, Inc.
Copyright©2008 PR Newswire.
All rights reserved
http://www.bio-medicine.org/biology-news-1/IDsmart-Admits-in-Court-Document-That-e-Smarts-Technology-was-Used-to-Develop-IDsmarts-Smart-Card-2839-1/
Mary Grace, President and CEO of e-Smart(R) said, "Finally, IDsmart admitted what we alleged in the original lawsuit and which we have argued before the Court for nearly two years -- which IDsmart repeatedly denied until now. IDsmart now admits not only that their engineers used e-Smart's technology but also that they have known for more than a year that e-Smart's technology was used in developing IDsmart's claimed biometric smart card product. Rather than acknowledging that they had used e-Smart's technology, IDsmart continued trying to sell an IDsmart product and failed to acknowledge to the Court that e-Smart's claims were true. In the original lawsuit filed against IDsmart the Company alleged the theft and misappropriation of e-Smart's technology by IDsmart, which claim IDsmart repeatedly denied under oath to the court. The Company also reported the theft of the technology to both the police and FBI in 2006, which IDsmart, Michael Gardiner and Wayne Drizin, both convicted felons, denied at that time. The Company will now file new reports to both th
** Please, go to:
http://leninology.blogspot.com/2008/09/long-con.html
http://www.thesanitycheck.com/Default.aspx?EntryID=215&tabid=84
SOURCE e-Smart Technologies, Inc.
Copyright©2008 PR Newswire.
All rights reserved
http://www.bio-medicine.org/biology-news-1/IDsmart-Admits-in-Court-Document-That-e-Smarts-Technology-was-Used-to-Develop-IDsmarts-Smart-Card-2839-1/
Subscribe to:
Posts (Atom)
