As the travel restrictions imposed to control the coronavirus pandemic are beginning to be relaxed in some parts of the world, it is time to start rethinking airport security in the age of COVID-19. Even if an effective vaccine is found for COVID-19, it will be out of the question to go back to long lines at security checkpoints and boarding gates, and the manual checking of identity documents and boarding passes.
In a provisional patent application that I coauthored with Karen Lewison before the pandemic and have now published, we proposed an automated method of verifying the identity of travelers that could be used in the post-pandemic world to speed up the security check and the boarding process, and to eliminate the face-to-face interaction with a security officer at the checkpoint and a flight attendant at the boarding gate. The method takes advantage of the high accuracy achieved by today’s deep neural networks for face recognition, while overcoming the privacy concerns raised by the collection and storage of facial images.
Here is a summary of the method.
Continue reading “Airport Security in the Age of COVID-19”
Updated April 1st, 2020
This blog post has been coauthored with Karen Lewison
The coronavirus pandemic is causing unprecedented disruption throughout
the business world. Businesses that are not able to cope with public
health orders and new customer behaviors are going out of business,
while businesses that are able to adapt are thriving and expanding
their market share. Disruption will be temporary in sectors of the
economy where face-to-face interaction adds value to the
business-to-customer relationship and a physical presence on the
street is an essential requirement of the business model; gyms, bars
and conference centers will no doubt reopen once the pandemic has been
controlled. But changes brought by the pandemic will be permanent in
sectors of the economy where face-to-face interaction adds no value
and a physical presence is a legacy of a traditional business model.
One of those sectors is the financial world.
A challenge to financial institutions
Financial institutions have been less impacted than other businesses
by the pandemic. In the US, the entire financial sector has been
declared critical infrastructure by DHS and is thus protected against
closure orders by states or counties. And most financial transactions
are now conducted online using web browsers or mobile apps, without
face-to-face interactions that would put employees and customers at
risk of contagion. Nevertheless, coronavirus poses a challenge to
financial institutions: how to verify the identity of new customers.
Continue reading “Identity Verification: A Coronavirus Challenge to the Financial World”
Pomcor has been granted US
Patent 10,567,377, Multifactor Privacy-Enhanced Remote Identification Using a
Rich Credential. Karen Lewison is the lead inventor and I am
a coinventor. Pomcor has so far been granted a total of eight patents,
two of which we have sold. The remaining six patents that we own are
listed in the Patents page of this web site.
This latest patent is special because it provides a solution to a
major societal problem: how to identify people over the Internet with
strong security. Techniques are available for authenticating repeat
visitors to a web site or current users of a web application. But
authentication techniques are only applicable once a relationship has
been established. They are not applicable when somebody wants to
establish a new relationship, e.g. by becoming a new customer of a
bank, or signing up with a robo advisor, or applying for a mortgage,
or renting an apartment, or switching to a different car insurance.
Continue reading “Pomcor Granted Patent on Rich Credentials”
This blog post has been coauthored with Karen Lewison
In recent posts we have been concerned with online credit card fraud
and how to fight it using cardholder authentication. In this post we
are concerned with another kind of financial fraud, known as
application fraud or new account fraud. Both kinds of fraud have been
rising after the introduction of chip cards, for reasons mentioned by
Elizabeth Lasher in her
Surge of Application Fraud:
“Due to the high volume of data breaches, Social Security numbers,
mailing addresses, passwords, health history, even the name of our
first pet is all for sale on the Dark Web. When you combine this
phenomenon with the economic pressure applied on fraudsters to find a
new cash cow after chip and signature plugged a gap in card-present
fraud in the US, there is a perfect storm.”
The term “application fraud” refers to the creation of a
financial account, such as a bank account or a mortgage account, with
the intention to commit fraud. Application fraud can be first-party
fraud, where the account is opened under the fraudster’s own identity,
or third-party fraud, where the fraudster uses a stolen identity.
Here we are primarily concerned with the latter.
Continue reading “A New Tool Against the Surge of Application Fraud”
One of the saddest failings of Internet technology is the lack of
security for online credit card transactions. In in-store
transactions, the cardholder authenticates by presenting the card, and
card counterfeiting has been made much more difficult by the addition
of a chip to the card. But in online transactions, the cardholder is
still authenticated by his or her knowledge of credit card and
cardholder data, a weak secret known by many.
Credit card networks have been trying to provide security for online
transactions for a long time. In the nineties they proposed a
complicated cryptographic protocol called SET (Secure Electronic
Transactions) that was never deployed. Then they came up with a
simpler protocol called 3-D Secure, where the merchant redirects the
cardholder’ browser to the issuing bank, which asks the cardholder to
authenticate with a password. 3-D Secure is rarely used in the US and
unevenly used in other countries, due to the friction that it causes
and the risk of transaction abandonment; lately some issuers have been
asking for a second authentication factor, adding more friction. Now
the networks have come up with version 2 of 3-D Secure, which removes
friction for low risk transactions by introducing a “frictionless
flow”. But the frictionless flow does not authenticate the
cardholder. Instead, the merchant sends device and cardholder data to
the issuer through a back channel, potentially violating the
Last August we wrote
post and a paper proposing a scheme for authenticating the
cardholder without friction using a cryptographic payment credential
consisting of a public key certificate and the associated private key.
We have recently written
version of the paper with major improvements to the scheme. The
paper will be presented next month
at HCII 2019 in
Continue reading “Online Cardholder Authentication without Accessing the Card Issuer’s Site”
Karen Lewison and I have contributed the chapter on Biometrics to the book
Interaction and Cybersecurity Handbook, published by Taylor &
Francis in the CRC Press series on Human Factors and Ergonomics. The
editor of the paper, Abbas Moallem, has received the SJSU 2018 Author
and Artist Award for the book.
Biometrics is a very complex topic because there are many biometric
modalities, and different modalities use different technologies that
require different scientific backgrounds for in-depth understanding.
The chapter focuses on biometric verfication and packs a lot of
knowledge in only 20 pages, which it organizes by identifying general
concepts, matching paradigms and security architectures before diving
into the details of fingerprint, iris, face and speaker verification,
briefly surveying other modalities, and discussing several methods of
combining modalities in biometric fusion. It emphasizes presentation
attacks and mitigation methods that can be used in what will always be
an arms race between impersonators and verifiers, and discusses the
security and privacy implications of biometric technologies.
Feedback or questions about the chapter would be very welcome as
comments on this post.
Pomcor has recently been granted
9,887,989 on a multifactor cryptographic authentication
technique that uses a cryptographic key pair in conjunction with a
password and/or a biometric key while protecting the password and
biometric data against back-end security breaches.
All our patents are available for licensing.
At the last
Internet Identity Workshop
factor cryptographic authentication, not covered by the patent,
where a key pair stored in browser local storage is used instead
of a password for authentication to a web application. (A
proof-of-concept implementation of a simple web app is available in
PJCL web page and described in the
post.) Cryptographic authentication has huge advantages over
password authentication, as passwords are vulnerable to back-end
database breaches, phishing attacks, and password reuse at malicious
or insecure sites. But when used in multifactor
authentication, a password provides the unique benefit of being
something that the user knows, independent of something that
the user has (a device that contains a private key or is able
to generate or receive one-time codes) and something that the
user is (a biometric feature). Our latest patent discloses a
novel multifactor authentication technique where a password can
provide this benefit while being immune to the vulnerabilities of
conventionally used passwords.
Continue reading “Pomcor Granted Patent on Multifactor Cryptographic Authentication”
In a press
release, MasterCard announced yesterday an EMV payment card that
features a fingerprint reader. The release said that two trials have
been recently concluded in South Africa and, after additional trials,
a full roll out is expected this year.
In the United States, EMV chip cards are used without a PIN. The
fingerprint reader is no doubt intended to fill that security gap.
But any use of biometrics raises privacy concerns. Perhaps to address
such concerns, the press release stated that a fingerprint template
stored in the card is “encrypted”.
That’s puzzling. If the template is encrypted, what key is used to
decrypt it before use?
Continue reading “What kind of “encrypted fingerprint template” is used by MasterCard?”
NIST is working on the third revision of SP 800-63, which used to be
called the Electronic Authentication Guideline and has now
been renamed the Digital Identity Guidelines. An important
change in the current draft
of the third revision is a much expanded scope for biometrics.
The following are comments by Pomcor on that aspect of the new
guidelines, and more specifically on
5.2.3 of Part B, which we have sent to NIST in response to a call
for public comments.
The draft is right in recommending the use of presentation attack
detection (PAD). We think it should go farther and make PAD a
mandatory requirement right away, without waiting for a future edition
as stated in a note.
But the draft only considers PAD performed at the sensor.
Continue reading “Comments on the Recommended Use of Biometrics in the New Digital Identity Guidelines, NIST SP 800-63-3”
This is the last of a four-part series of posts presenting results of
a project sponsored by an SBIR Phase I grant from the US Department of
Homeland Security. These posts do not necessarily reflect the
position or the policy of the US Government.
We have just published a
the last three of the five solutions that we have identified in the
project on remote identity proofing that we are now finalizing.
Solutions 3–5 use Near-Field Communication (NFC) technology for
remote identity proofing. Each of the solutions uses a preexisting
NFC-enabled hardware token designed for some other purpose as a
credential in remote identity proofing. A native app running on an
NFC-enabled mobile device serves as a relay between the NFC token and
the remote verifier.
In Solution 3 the token is a contactless EMV payment card. In
Solution 4, the token is a medical identification smart card
containing a private key and a certificate that binds the associated
public key to attributes and a facial image. In Solution 5, the token
is an e-Passport with an embedded RFID chip that contains signed data
comprising biographic data and a facial image.
In solutions 4 and 5 a native app submits to the verifier an
audio-visual stream of the subject reading prompted text. The
verifier matches the face in the video to the facial image in the
NFC token, uses speech recognition technology to verify that the
subject is reading the text that was prompted, and verifies that the
audio and video channels of the stream are in synchrony by matching
distinguishable visemes in the video channel to phonemes in the audio