Monday, October 19, 2009

TFTs Used as Fingerprint Sensors for Smart Cards

Features Nikkei Electronics Asia -- June 2009
TFTs Used as Fingerprint Sensors for Smart Cards
Jun 17, 2009 16:30

Nikkei Electronics Asia

An extremely thin and flexible fingerprint sensor, only 0.2mm thick, has been developed by e-Smart Technologies Inc of the US (Fig 1). Estimates indicate that the volume production price will be no more than US$2.00/unit. The firm commented that conventional thin fingerprint sensors run between US$8.00 and US$20.00 apiece. The new sensors can be mounted on non-contact smart cards with functions including employee identification, credit cards and electronic money, providing a method for implementing user authentication. This would minimize the risk of unauthorized use in the event that a card is lost. The flexible structure also means it could be mounted in soft materials such as passports, opening up a wide range of other possible applications.


New LCD Application
The developed fingerprint sensor consists of a sheet of pressure-sensitive material on top of a thin-film transistor (TFT) made of amorphous or poly-crystalline silicon, with a thin stainless steel substrate. The design detects the ridges in the fingerprint using pressure-sensing technology. e-Smart chief technical officer (CTO) Tamio Saito explains, "It's an application of LCD panel technology. With amorphous silicon TFTs we can volume-produce for no more than US$2.00 apiece."

The dimensions of the sensing elements, equivalent to the pixels in the liquid crystal display (LCD), are 75um square. e-Smart's Saito continues, "We used the largest size we could and still recognize fingerprints, to keep costs down. We hope to reduce size down to about 57um square to be able to recognize children's fingerprints, too." The company is also developing a sensor to judge paper quality, using the same technology.

e-Smart has already commercialized a non-contact smart card with a different type of fingerprint sensor. It has been used in the Ubiquitous Security Service Project currently being trialed in Gwangju and other Korean cities, providing non-contact smart cards for use as resident registration cards*, electronic money, etc. The card uses a capacitance* fingerprint sensor on a glass substrate, manufactured by sensor manufacturer BMF Corp of Japan.

Even in that volume, though, Saito admits that the capacitance sensor still costs between US$8.00 and US$20.00. In search of a thinner, cheaper design, e-Smart and BMF jointly developed this new fingerprint sensor on a flexible substrate. They are now developing a design using a plastic substrate instead of stainless steel.


Wireless Authentication
e-Smart has introduced a number of proprietary technologies in the non-contact smart card mounting the sensor, too (Fig 2; Note 1).

For example, one technology has eliminated the need to mount a battery on the smart card to drive the sensor. Sensor power is instead transmitted via radio during communication between the non-contact smart card and the card reader.

This was not a simple task, explains Saito, because "Under the ISO14443* communications standard for non-contact smart cards, the card can only be supplied with a maximum of 50mW. This is much less than the 120mW needed to drive the fingerprint sensor." They resolved the problem by adopting a high-Q antenna in the card, boosting received power. He says, "We made use of magnetic resonance to draw the card reader magnetic field to the smart card."

The data used to authenticate identity is stored in the card, which also handles comparison processing. "The reference fingerprint data could be stolen if stored in the card reader, but because authentication is handled inside the card itself, this isn't a worry. The data requires only a small amount of memory to store," adds Saito.

The company revealed that a Japanese hospital is very close to adopting the cards as patient identification cards, but Saito believes that electronic money is the most promising application. "This fingerprint sensor makes a safe electronic money card possible, because even if the user drops it, it can't be used by anyone else," he explains. e-Smart is already marketing the idea as electronic money under the name Global Market Exchange (GME).

by Tetsuo Nozawa

* Resident registration card: All citizens are required to carry an ID card in Korea at all times. The owner's fingerprint is clearly visible on the card

* Capacitance method: Capacitors are fabricated in each TFT cell, etc, making it possible to measure fingerprint ridges and valleys based on the strength of external magnetic fields.

Note 1: The card is also provided with wired communication functionality, utilized for reference fingerprint data registration and other tasks.

* ISO14443: A standard for RFID communication, with a working range of about 2cm. Two versions are defined: Type A (equivalent to the MIFARE technology developed by NXP Semiconductors of the Netherlands), and Type B (developed by Motorola of the US, and utilized in Japan's "taspo" authentication card required to purchase cigarettes from a vending machine, etc). e-Smart says their technology will work with both, just by swapping the chip.

* Resident registration card: All citizens are required to carry an ID card in Korea at all times. The owner's fingerprint is clearly visible on the card.

* Capacitance method: Capacitors are fabricated in each TFT cell, etc, making it possible to measure fingerprint ridges and valleys based on the strength of external magnetic fields.

Note 1: The card is also provided with wired communication functionality, utilized for reference fingerprint data registration and other tasks.

* ISO14443: A standard for RFID communication, with a working range of about 2cm. Two versions are defined: Type A (equivalent to the MIFARE technology developed by NXP Semiconductors of the Netherlands), and Type B (developed by Motorola of the US, and utilized in Japan's "taspo" authentication card required to purchase cigarettes from a vending machine, etc). e-Smart says their technology will work with both, just by swapping the chip.

http://techon.nikkeibp.co.jp/article/HONSHI/20090527/170835/

Sunday, August 23, 2009

FROM INDIA PRESENTATIONS‏

Click on the images to enlarge.














Monday, June 1, 2009

AIRPORT BIOMETRIC FINGERPRINTING TECHNOLOGY MAKES TRAVELERS SICK:

BIOMETRIC FINGERPRINTING TECHNOLOGY:
Biometrics technology is used for either identification or authentication purposes. Among all the biometric techniques, fingerprint-based identification is the oldest method (its history is going back as far as at least 6000 BC), which has been successfully used in various applications. A fingerprint pattern is a pattern made by the ridges and furrows (valleys) on the surface of the finger. Just as every Zebra has a unique black and white stripe pattern, every human has a unique set of fingerprints.

HUMAN HAND, A HIGHWAY FOR DISEASE TRANSMISSION:
Though every hand carries a unique set of fingerprints, it also can carry bacteria, pathogens, and viruses that cause diseases. Thus, the hand that feeds a person could also make the person and others sick if proper care is not taken like washing hands frequently etc. So, it is very important that people realize this fact and become hygiene cautions for benefit of themselves and others.

AIRPORT, A MAJOR HUB FOR DISEASE TRANSMISSION:
In an airport people from different parts of the world fly in and out and they don’t travel alone but infectious germs also hitchhike with them. A large portion of the travelers are not hygiene cautions, for example, a recent American Society for Microbiology study found that almost a third of people who use public restrooms while passing through international airports fail to wash their hands.
Infectious diseases are the leading cause of death and disease worldwide, and the third leading cause of death in the United States. The diseases that can spread due to this carelessness of people range from the common cold or influenza up to more serious diseases such as hepatitis and severe acute respiratory syndrome (SARS), the current swine flu and more.

MIGRATION OF INFECTIOUS GERMS DURING IMMIGRATION:
Fingerprint-based identification has been extensively used at airports and has become an inseparable part of the immigration process all around the world including USA. Few reasons for this popularity of biometric fingerprinting systems are that fingerprint biometric systems are:
· Easy to use
· Cheap
· Small size
· Low power
· Non-intrusive
· Large database already available

Inspite of all these advantages, one of the drawbacks in the current biometric fingerprinting systems is they act as point of transmission of infection from one person to another. The other drawbacks of biometric fingerprinting systems, such as their vulnerability to attack by fake finger, information leakage etc are discussed in the following articles:
http://globalbiometriccommittee.blogspot.com/2009/05/illegal-immigration-authentication.html
http://globalbiometriccommittee.blogspot.com/2009/05/air-france-biometric-boarding-pass.html

A step-by-step explanation of how current fingerprinting technology helps in spreading of disease among people is as follows:
In an airport people congregate from different parts of the world and many of them carry microorganisms/pathogens on their fingers.
During fingerprinting at the immigration/security check the traveler places his finger on the fingerprint scanner, thus transferring the microbes from his/her skin to the sensor surface.
Part of the transferred microbes on the sensor surface may die but the others survive.
The next traveler who places his finger on the sensor picks up some of the microbes left behind on the sensor by the previous traveler.
When a traveler touches his/her nose, mouth or eyes with the germ clad fingers, he/she can get infected with disease and further spread it around.

The paper “Biometric Fingerprinting for Visa Application: Device and
Procedure Are Risk Factors for Infection Transmission” gives a detailed analysis of the health hazards that current biometric fingerprinting systems can cause.
Related Link: http://www.kuleuven.be/rega/mvr/pdf/19006507.pdf.
The above research paper acknowledges the fact that Transmission risk exists for (but not limited to) enteric viruses (rotavirus, norovirus, and hepatitis A virus), respiratory viruses (respiratory syncytial virus, rhinovirus, influenza virus, etc.), and enteropathogenic bacteria with low infectious doses ( Shigella dysenteriae , Enterohemorrhagic Escherichia coli , etc.). According to the article the transmission of human rotavirus is estimated at 191 [95% credible intervals (CI) 0 – 289] per million fingerprint-capturing procedures.

OVERVIEW OF SOME OF THE PATHOGENS THAT CAN BE TRANSMITTED VIA FINGERPRINT SENSOR:

1. ROTAVIRUS:
Rotavirus is the most common cause of severe diarrhoeal disease in infants and young children globally. Rotaviruses are estimated to be responsible for approximately 530,000 deaths each year in many developing countries. In the U.S., rotavirus is responsible for approximately 5 to 10 percent of all episodes of diarrhea among children younger than 5 years of age. Each year in the U.S., rotavirus is responsible for more than 400,000 doctor visits; more than 200,000 emergency room visits; 55,000 to 70,000 hospitalizations; and between 20 and 60 deaths. Rotavirus leads to about $1 billion in health care costs and lost productivity per year in the U.S.
Related Link:
http://www.cdc.gov/vaccines/vpd-vac/rotavirus/dis-faqs.htm

2. NOROVIRUS:
The Norovirus causes approximately 90% of epidemic non-bacterial outbreaks of gastroenteritis around the world. Norovirus affects people of all ages. The viruses are transmitted by faecally contaminated food or water and by person-to-person contact. In the United States, norovirus infections are estimated to cause 23 million illnesses a year and may cause up to 50% of all foodborne outbreaks. Seroprevalence studies in the Amazon, southern Africa, Mexico, Chile, and Canada have shown that norovirus infections are common throughout the world, and most children will have experienced at least one infection by the age of 5 years. Infection can occur year round.
Related Links:
http://en.wikipedia.org/wiki/Norovirus
http://wwwn.cdc.gov/travel/yellowbook/ch4/norovirus.aspx

3. HEPATITIS A VIRUS:
The Hepatitis A virus (HAV) infects liver cells causing inflammation of the liver (hepatitis). Hepatitis A has a worldwide distribution occurring in both epidemic and sporadic fashions. About 22,700 cases of hepatitis A representing 38% of all hepatitis cases (5-year average from all routes of transmission) are reported annually in the U.S. In developing countries, the incidence of disease in adults is relatively low because of exposure to the virus in childhood. Most individuals 18 and older demonstrate an immunity that provides lifelong protection against reinfection. In the U.S., the percentage of adults with immunity increases with age (10% for those 18-19 years of age to 65% for those over 50). Hepatitis A virus (HAV) infection is rarely fatal except in patients with chronic liver disease.
Related Link:
http://www.foodsafety.gov/~mow/chap31.html
The following article analyzes death of a traveler due to hepatitis A virus.
http://jcm.asm.org/cgi/reprint/46/11/3850.pdf

4. RESPIRATORY SYNCYTIAL VIRUS:
Respiratory syncytial (sin-SISH-uhl) virus, or RSV, is a respiratory virus that infects the lungs and breathing passages. Most otherwise healthy people recover from RSV infection in 1 to 2 weeks. However, infection can be severe in some people, such as certain infants, young children, and older adults. In fact, RSV is the most common cause of bronchiolitis (inflammation of the small airways in the lung) and pneumonia in children under 1 year of age in the United States. In the United States, approximately 50% of infants and young children become infected with RSV each winter season. RSV causes about 90,000 hospitalizations and 4,500 deaths per year in children under age 5 years. In addition, RSV is more often being recognized as an important cause of respiratory illness in older adults.
Related Article:
http://www.dhpe.org/infect/rsv.html

4. RHINOVIRUS:
Rhinoviruses are the most common viral infective agents in humans, and a causative agent of the common cold. Human rhinovirus is a leading cause of respiratory infections in adults and children. Adults, on average, get infected with the virus once per year. Lung transplant patients, with impaired immune systems due to drugs to halt rejection, are at potentially higher risk from the virus. In fact the rhinovirus struck two immunosuppressed lung transplant patients, leading to progressive respiratory failure, graft dysfunction and finally death.
Related Link:
http://www.bio-medicine.org/biology-news/Common-cold-virus-leads-to-death-in-lung-transplant-patients-3945-1/

5. INFLUENZA VIRUS:
Influenza, commonly known as "the flu," is a highly contagious viral infection of the respiratory tract caused by influenza viruses. It can cause mild to severe illness, and at times can lead to death. Every year in the United States, on average, 5% to 20% of the population gets the flu; more than 200,000 people are hospitalized from flu-related complications; and about 36,000 people die from flu-related causes. There are three types of influenza viruses: A, B, and C. Major outbreaks of influenza are associated with influenza virus type A or B. Infection with type B influenza is usually milder than type A. Type C virus is associated with minor symptoms.
The recent (2009) flu in humans, known as "swine flu", is due to a new strain of influenza A virus subtype H1N1 that contains genes closely related to swine influenza. The origin of this new strain is unknown. However, the World Organization for Animal Health (OIE) reports that this strain has not been isolated in pigs. This strain can be transmitted from human to human, and causes the normal symptoms of influenza. The Swine flu has been compared to other similar types of influenza virus in terms of mortality and it appears that in the US for every 1000 people who get infected, about 40 people need admission to hospital and about one person dies.
Related Links:
http://www.cdc.gov/flu/keyfacts.htm
http://en.wikipedia.org/wiki/Swine_influenza
CONCLUSION:
The current biometric fingerpring system that intended to protect one’s identity is highly insecure when it comes to protecting one’s health, as the system aids in the spread of diseases among travelers. It is beyond the control of airport authorities worldwide to counsel/babysit all travelers to make them hygiene concious, but at the same time some kind of control needs to be implemented so that others don’t have to pay the price for someones negligence. Thus, the biometric fingerprinting system needs to be changed such that it provides security to both one’s identity and health.
SOLUTION:
The e-Smart technology match-on-card biometric fingerprinting system not only overcomes the drawbacks of the existing fingerprinting system when it comes to protecting one’s identity, but also provides medical security to its travelers. In the e-Smart security system every traveler will have a personal fingerprint sensor integrated in into the travel document. Also, the travel document would contain a fingerprint template of the person that is secured through encryption. During authentication at immigration the traveler would place his finger on the sensor integrated in the travel document. Thus, there is no fear of transfer of pathogens from one traveler to another via sensor, as every one will have their own personal sensor.
ADDITIONAL REFERENCES:
http://www.joe.org/joe/2009february/rb7.php
http://preventdisease.com/home/weeklywellness146.shtml
http://dhs.wisconsin.gov/communicable/factsheets/Handwashing.htm

Thursday, May 21, 2009

Stop! No More ID Stealing!


JoongAngDaily
Input : May 22, 2009 1:10:38 A.M.
Even with the leakage of passwords or resident registration numbers, a verification method which makes it impossible for others to be accessed will be applied to the main website of Gyeonggi English Village for the first time beginning at the end of this month. Fingerprint verification smartcard (picture above) developed by e-Smart Korea recognizes cardholder’s fingerprint through fingerprint sensor on the card. Currently, the card is being used in Advanced Broadcasting Media Technology Research Center of Korea Aerospace University as student ID card for attendance check by connecting to a system developed by Cobalt Ray Co., Ltd., and is planned to be applied to credit cards and IDs in the future.

Seung-shik Choi

Wednesday, May 20, 2009

Air France Biometric Boarding Pass Technology:

INTRODUCTION:
Air France has implemented the use of smartcard based boarding pass (on trial basis until the end of the year) for its frequent flyer programme members on flights between Paris Charles de Gaulle and Amsterdam Schipol. This new boarding pass contains an encrypted version of forefinger and thumb prints of passengers. During boarding the passenger would scan their forefingers and thumb prints on a fingerprint scanner (installed at the gate) that would then be compared with those stored in the card and upon successful verification the passenger would be allowed to board.

ISSUING OF AIR FRANCE BOARDING PASS:
It consists of the following steps:

Step1: Verification of identity based on documents like passport etc.

Step2: After verification fingerprints would be scanned using sensor (mostly optical) that would be stored in the boarding pass.

Step3: Collect the card.


OPERATION OF AIR FRANCE BOARDING PASS:

Step1: Insert the card into the boarding pass terminal and flight details will be printed on back of the card. The card can be reused at least 500 times because during next use the existed information will be erased and new flight information will be printed on it. Thus, the passenger holds on to the boarding pass even after travel.

Step2: Proceed to boarding terminal based on the information printed on the card.

Step3: The boarding terminal reader will check the flight information stored in the chip.

Step4: Once the flight information is read the passenger will be prompted to get his fingerprints scanned at the fingerprint scanner located at the terminal.
Step5: Fingerprint information stored in card is compared with the scanned fingerprint information. If both the fingerprint information matches then the boarding gate would open, allowing the person to board the flight.

WHAT MAKES THE AIR FRANCE BOARDING PASS SECURITY RELIABLE?
The answer to this question is NOTHING. The boarding pass technology just mimics the current e-passport and credit card technology, which suffer from many flaws.

DRAWBACKS OF THE AIR FRANCE BIOMETRIC BOARDING PASS SYSTEM:
Air France Biometric Boarding pass system suffer from the same drawbacks of e-passports and credit cards that are as follows:
1. Boarding Pass can be cloned:
Similar technology based e-passports and credit cards have been successfully cloned. This means that all the personal information stored in the boarding pass would be transferred to the cloned card including the passenger’s fingerprint. Following are some articles that show how easily e-Passports and credit cards can be cloned:
· http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)
· http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/ (US Homeland Security passports successfully cloned with no problem)
· http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).
2. Fingerprint scanner can be fooled:
The fingerprint scanner used is similar to the ones used at immigration i.e. optical fingerprint scanner. There are numerous evidence online that these scanners can be easily fooled by using fake finger. Making fake finger is not very difficult and lot of information is available on the web that teaches a person how to make a fake finger. For example the following link shows how easily latent fingerprint (fingerprint left behind on some object by the potential victim) can be lifted and used as a stencil to make fake finger.
http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en (Tutorial to make fake finger)

Following are few articles that show how the contemporary optical fingerprint readers can be fooled easily with fake finger.
http://www.securityfocus.com/news/6717 (German hackers fool fingerprint scanners).
http://software.silicon.com/security/0,39024655,11033437,00.htm (Japanese man fools biometric sensor with fake finger)
http://www.asiaone.com/Travel/News/Story/A1Story20090101-111750.html (South Korean woman fools Japanese fingerprint sensor)
3. Vulnerable to skimming or eavesdropping:
The fingerprint information stored in the card is transmitted to the reader, which compares the information with the passenger’s scanned fingerprints. This is major drawback because the authentication is done by the system, so while transmission the data could be intercepted and stolen.

A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. At normal power ranges, contactless smart card readers must be relatively close to the card within a few inches or at most a few feet. However, that range can be extended if the reader broadcasts power at illegally high levels. A skimming attack could be done to facilitate identity theft or to trace the movements of an individual.

An eavesdropping attack can occur, if the contactless smart card is actively communicating with a legitimate reader. RF emanations from both the smart card and the reader have been shown in tests to be readable at distances up to 30 feet (9 meters).
Once the fingerprint information is stolen it is easy for criminal to make a fake finger of the passenger. Also, by lifting fingerprints left by the passenger in various objects can be used to make fake finger.
Related links:
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
4. Boarding Pass can make travelers sick or even worse kill:
Another rising concern amongst people during travel is spread of contagious diseases like swine flu, SARS etc. Since ever traveler has to touch a coomon fingerprint sensor there is a possibility of disease spreading. Infections like swine flu etc spread easily and can result in death too. One may say that touching a door handle in the airport can infect travelers too, but our point is the verification system should not contribute in the spreading of disease. Suppose even if a person takes good precaution wearing gloves etc, he will have to expose his finger to get his fingerprint scanned by the sensor. Person does not have to remove gloves to touch door handle.

CONCLUSION:
Current Air France boarding pass is just eyewash to make people feel secure. Air France should consider using a system confers real security. A truly secure boarding pass is one that:
- cannot be fooled by a replica of person’s biometric details like fingerprint, face etc.
- hard to forge or counterfeit.
- provides a secure communication between the reader and travel document. In other words not vulnerable to skimming or eavesdropping.
- does not contribute in the spreading of disease.

E-SMART SOLUTION TO THE PROBLEM:
e-Smart Technologies Inc. creates an authentication environment that would overcome the above drawbacks. Let us analyze each drawback above and see e-Smart solution to overcome it.
1. Can fake finger fool the e-Smart Boarding Pass system?
NO, because the each boarding pass will have a fingerprint scanner that is foolproof. E-Smarts innovative match-on-card/ boarding pass technology and fingerprint matching algorithm together can easily detect latex finger, gummy finger by analyzing the changes in electrical characteristics and other properties.
2. Can e-Smart Boarding Pass be reliably cloned?
NO. Cloning e-Smart card doesn’t make sense because the cloned card would store the fingerprint information pertaining to the owner. The thief will not be able to authenticate the e-Smart boarding pass using either his finger or a fake finger.
3. Can the fingerprint information be stolen from the card?
NO, because the fingerprint matching is done in the card and not in a central system so personal data remains in the card. Thus, in e-Smart Boarding Pass authentication there is no question of vulnerability to data intercepting attacks, such as eavesdropping and skimming.
4. Would e-Smart Boarding Pass contribute in the spreading of contagious diseases?
NO, because the each boarding pass will have a fingerprint scanner for a personal touch. Where there is personal touch there is no possibility of getting infected (at least not because of boarding pass verification process).

Tuesday, May 12, 2009

Social Security, A Cause For Social Insecurity

SSN Fraud annually $50B, could be eliminated by e-Smart’s I AM Card, the offer by e-Smart was interrupted. The amount is the same range of Madoff Fraud, the claim against which had been interrupted too.
Who is responsible for the damage to innocent and good citizens, $100B ??



SOCIAL SECURITY, A CAUSE FOR SOCIAL INSECURITY:

1. INTRODUCTION:
Social security act and purpose:
The primary objective of the social security number (SSN) is to track individuals for tax purposes, but unfortunately it does more than that. SSN has become an identifier for individuals in the United States. It is used on many transactions like purchasing car or house, opening a bank account, applying for a loan, applying for credit card etc.
Understanding the SSN:
The SSN is a nine-digit number that is not randomly generated, but follows a pattern. The first three numbers (area number) refer to the state in which the number was issued. The next two (group numbers) indicate the order in which the SSN was issued in each area. The last four (serial numbers) are randomly generated. Thus a SSN can reveal an individual's relative age and place of origin1.

2. SSN AND IDENTITY THEFT:
Identity theft is defined as the process of using someone else’s personal information for your own personal gain. This personal gain may be in terms of employment (illegal immigrant assuming false identity), finance (applying for loan, credit card or opening bank account) etc.
Identity theft has become a major concern in the United States with nearly 10 million American victims losing $48 billion in 2008. The number of victims rose 22% to a record 9.9 million in 2008 from 8.1 million a year earlier, with about one in 23 U.S. adults becoming victims2.

A main cause for identity theft is insecurity in the SSN. When one’s SSN falls into wrong hands, it can be used to get personal information about that person and use it for various crimes.
For example, identity thieves can use someone’s SSN number and credit to apply for more credit in the person’s name. Then, they use the credit cards and do not pay the bills creating a negative impact on the persons credit history. Also, compromised SSN’s are sold at a price and from which a Social Secirty Card can be fabricated. A lot of illegal immigrants buy such fake Social Security Cards to get jobs, open bank accounts etc. to survive in United States.

3. FACTS AND FIGURES ON IDENTITY THEFT:
Following are some facts and figures on Identity Theft:
(Credit: FTC) NOTE: Identity Theft Ranks # 1 on FTC Complaint
Source: http://www.ftc.gov/opa/2009/02/2008cmpts.shtm


Identity Fraud Trends
Source: http://www.idsafety.net/Javelin2009IdentityFraudSurveyPressRelease.pdf


Source: http://vaperforms.virginia.gov/indicators/govtCitizens/consumerProtection.php


In 2007, credit card fraud (23%) was the most common form of reported identity theft followed by phone or utilities fraud (18%), employment fraud (14%) and bank fraud (13%). Other significant categories of identity theft reported by victims were government documents/benefits fraud (11%) and loan fraud (5%).
Source: http://www.idtheftawareness.com/docs/WhatIsIdTheft.php


Source: http://reports.celent.com/Japanese/PressReleases/20030121/CreditCardFraud.htm

Incidents of identity theft relative to the size of each banking institution

Source: http://www.concurringopinions.com/archives/category/privacy-id-theft

4. SOCIAL SECURITY CARD FACILITATES IDENTITY THEFT:
Security of citizens is dependent on social security number, which is printed on a social security card. Ironically the social security card is the most insecure card but it purpose is to provide social security.

Picture shows an identity thief taking Social Security Card from wallet.

NOTE: 36 percent of Americans age 18-49 and 43 percent of Americans age 50-plus carry their Social Security card in their wallet.

Also, the social security card can be faked easily. Fake ID’s that include social security card are common among illegal immigrants. Social security cards and other fake ID’s sold in flea market3.


Fake Social Security Cards and other ID’s

5. DISCUSSION:
Currently for opening credit card account etc people give their SSN over the phone or over the internet that can be easily overheard or hacked. Also, many criminals pose as they are from a bank and get personal information such as SSN from people over phone. Once the criminal knows someone’s SSN he can go to bank and open account and the bank people don’t check social security card for verification. To reduce identity theft the SSN should be always be used along with social security card. Since SSN has become a national identifier for individuals in the United States it is very important information and should be well protected. SSN in the current social security card is like precious jewels in a transparent plastic bag. The government is realizing this fact and proposals are being made for use of a biometric smartcard based social security card4.

Unfortunately this biometric smartcard technology has been used in creditcards and e-passports that have been successfully clones in minutes5,6 . Using such clone-able technology based social security card to protect SSN is not sufficient. If United States really wants to reduce identity theft then the technology used in the social security card should be fake-proof and imposter proof (incase stolen the card should be unresponsive to fake biometrics).

6. e-SMART SOLUTION FOR REAL SOCIAL SECURITY:
e-Smart Technologies Inc., a pioneer in developing biometric security systems, has developed a unique biometric fingerprint match-on-card. In this match-on-card the fingerprint template of the person is secured through encryption and never leaves the card during authentication process. Thus there is no risk of fingerprint to be stolen from the card by electronic eavesdropping or skimming etc. Also the card is dummy/fake finger proof because it can judge presence of fake finger electrically and via software.

7. REFERENCES:
http://epic.org/privacy/ssn/
http://money.cnn.com/2009/02/09/news/newsmakers/identity_theft.reut/index.htm
http://unheardnomore.blogspot.com/2009/03/social-security-cards-for-sale-fake.html
http://www.secureidnews.com/2008/02/14/biometric-smart-card-for-social-security-proposed
http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)

Wednesday, May 6, 2009

ILLEGAL IMMIGRATION AUTHENTICATION:

-How Current Immigrations System is Broken and Weak-





Illegal immigration is one of the major problems faced by many countries in this world. Usually people illegally immigrate into another country to lead a better lifestyle, to evade criminal charges in their original country, or to perform criminal activities in the country they plan to enter. Illegal immigrants usually enter a country with help of fake documents. Fake documents are not necessarily forged/counterfeit documents that look like genuine documents, but they could be genuine documents that were stolen and the theft disguises himself/herself to look like the person in document. The later case is more difficult to spot since the documents are genuine so the immigration officer will allow the person to enter unless he or the system is smart enough to detect that the person is an imposter.

Let us concentrate on illegal immigration into the USA and what the country has done so far to prevent/ minimize illegal immigration. After the 9/11 terror incident USA government realized that paper immigration documents are easy to forge so the government has replaced regular paper passports with electronic passports or e-passports, and implemented special LaserCard technology for making its permanent residency card (commonly known as Green Card) and Border Control Card (commonly known as Laser Visa). In addition to documents the immigration officials scan the fingerprint of the arriving person to make sure if he is not a criminal or previously deported person. The question is that do these new technologies used in the immigration documents reliably stop illegal immigration. Let us look at each of these technologies one by one:

1. Examining Fingerprint of a person:
The optical fingerprint readers used at the airports can be easily fooled by fake finger. Fake finger means that the person can put some kind of thin tape/covering that contains fingerprint of someone else over his finger. Since the optical fingerprint reader just takes an image of the persons fingerprint and compares it with the database, the fake fingerprint on the tape would be compared with the database. Even though the USA immigration presently scans all 10 fingerprints of a person, it is not foolproof. One may say that although possible to make one fake fingerprint, it is not easy to make fake fingerprints for all fingers; but there is sufficient evidence in the web that teaches one how to easily create a fake finger. For example the following link shows how easily latent fingerprint (fingerprint left behind on some object by the potential victim) can be lifted and used as a stencil to make fake finger.


http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en (Tutorial to make fake finger)

Following are few articles that show how the contemporary optical fingerprint readers can be fooled easily with fake finger.
· http://www.securityfocus.com/news/6717 (German hackers fool fingerprint scanners).
· http://software.silicon.com/security/0,39024655,11033437,00.htm (Japanese man fools biometric sensor with fake finger)
· http://www.asiaone.com/Travel/News/Story/A1Story20090101-111750.html (South Korean woman fools Japanese fingerprint sensor)

e-Passports:
Since paper passports can be forged without much difficulty, e-passports have been introduced. e-passports are similar to the regular passports except for a small contactless RFID chip embedded in the back cover that is supposed to make it more secure than regular passport. The only personal information stored on the chip is the same information that is printed on the data page of the passport, including a digital version of the photograph.

Do e-passports actually provide the security they are intended for? Unfortunately NO since current e-passports are vulnerable to skimming or eavesdropping attacks by hackers. A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. An eavesdropping attack is when someone intercepts the communication between the e-passport and reader and steals data. The owner of the e-passport will not even be aware that his information has been compromised.
Once the information is compromised the RFID chip can be cloned and rest is to make a fake passport based on the information in the chip.
Following links show evidence of how easily the information in the e-passport’s RFID can be attacked and cloned.
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/ (US Homeland Security passports successfully cloned with no problem)
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/ (Cloning of e-passports when in mail)

Also, proposals are being made for a person’s fingerprint information to be stored in the e-passport chip, rendering added security. If a hacker manages to obtain the digitized fingerprint information from the e-passport chip then he can make fake finger using that information.

Lasercard Technology for making Green Card and Laser Visa:
Just like regular paper passports, greencard and border crossing cards can be forged without much difficulty. To solve this issue of forgery new greencards and border crossing cards (also known as Laser Visa) that are backed by Lasercard technology are issued. Lasercard is basically an optical memory card that can contain the optical digitized image of the owner’s photo and fingerprint. Though claims are made that the lasercard data cannot be altered and are hard to counterfeit some articles mention the sale of fake new greencards in Tijuana, Mexico for $500 a piece.

Already it has been proven in the Dublin bank fraud case that lasercard technology is not imposter-proof or fake-proof. In Dublin bank case the bank lasercards were cloned and PIN numbers were obtained from shopkeepers who were paid to observe the customer while he/she was entering the PIN. The cloned card was used to withdraw money.
Related link:
http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).

Like PIN is the authenticating factor in laser bankcard, fingerprint matching of person and visual comparison of face is authenticating factor in travel documents. Lasercards that contain the optical digitized image of the owner’s photo and fingerprint can be dangerous when stolen because stolen lasercards are government issued cards and so no headach of forging. The immigration officer will not object to the stolen card’s authenticity. All that the thief needs to do is to look like the victim and also have matching fingerprints. As we already know it is not hard to fake fingerprint and people leave their fingerprints everywhere, which can be stolen be any watchful hacker.

Actually looking at the current border-crossing scenario the illegal immigrant (who could be a criminal) doesn’t have much to do. Many articles mention that the border-crossing officers just ask a few questions and don’t even care to verify the biometric information stored in the card.
Related Article:
· http://www.themonitor.com/onset?id=2429&template=article.html (Expensive authentication technology wasted)

From the article above we can see that authentication using lasercard technology is person (i.e. immigration officer) dependent. The officer makes the decision whether to verify biometrics in the card or not. On a busy day the officer may be too lazy to verify all information, and the country may have to pay the price for his laziness. We should also not overlook the fact that the officer could be bribed.

CONCLUSION: USA (and also the world) needs “change” in Current immigration authentication systems:

Looking at the drawbacks in the current immigration authenticating system we need a system that:
- cannot be fooled by a replica of person’s biometric details like fingerprint, face etc.
- hard to forge or counterfeit.
- is independent of human control. Authentication should be done by the system automatically and not done as per discretion of immigration officer.
- Provides a secure communication between the reader and travel document. In other words not vulnerable to skimming or eavesdropping.

-IS THERE ANY SOLUSION?-
How can e-Smart Technologies Inc. bring about this “change” in the immigration system?

e-Smart Technologies Inc. claims it can create an authentication environment that would overcome the above drawbacks. Let us ask e-Smart Technologies Inc.’s CTO and Sr. Vice President, Mr. Tamio Saito, to get more knowledge on e-Smart technology.

Interviewer: Can you please briefly explain how e-Smart authentication system works and what makes it unique in terms to security when compared to contemporary systems?
e-Smart CTO: e-Smart authentication is made on the card and fingerprint template is secured in the card through encryption. So, there is no change for anyone to change the fingerprint. Current system, employee can change the fingerprint data base and hacker can do also. And the biggest risk is if someone stole the fingerprint, no way to recover, because no one can change their finger contrasting to passwords. There are so many crime that employee to sell data base for small cash. Spy can change the fingerprint VERY EASILY by paying small money to employee, such near bankruptcy because of investment loss, alcoholic, etc.

Interviewer: Can the e-Smart authentication system be fooled using a fake finger? If not why?
e-Smart CTO: Fingerprint detection system can find out copied paper finger very easily, gummy finger by electrical way and software way. Current Optical sensor, using CCD or MOS device can be easily faked by copied fingerprint. It cannot read wet finger. Under Sunshine or strong back light, it may cause the problem. But e-Smart sensor has no such issues.

Interviewer: Is the e-Smart’s RFID chip vulnerable to skimming and eavesdropping attacks and subsequent cloning of the chip? If no, please explain what make it so special that it cannot be cloned. If yes, would the clone would it work reliably for the imposter?

e-Smart CTO: Our design is to use Biometric related key for encryption from the finger touched on the sensor in the card. Current and legacy system, being used is using just generic CHIP off the self having no unique data comes from the person who holds the card.

Interviewer: Is the e-Smart authentication technology human dependent? In other words is the verification of biometric information dependent on the discretion or mood of the immigration officer who may be lazy or busy to verify all biometric information in e-passport?

e-Smart CTO: Current system, the person entering the border can bribe, threat, collaborates the immigration officer to cheat the system. They are NOT FAIL SAFE SYSTEM. It depends on immigration officers. However, e-Smart card can be activated only when finger print of card holder matches to the data in the card. It is automatic and immigration officer independent.