Posts Tagged banking

ATM Biometrics Coming to a Corner Store Near You!

Looks like ATMs around North America are due for a security upgrade. This year Barnaby Jack demonstrated both local and remote ATM attacks at Black Hat 2010, and showed how easy it could be to hack an ATM and make it spit cash.  Barnaby Jack also revealed a multi-platform ATM rootkit and discussed protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Biometric Iris Scanners Coming to A Corner Store Near You!

One protection mechanism that we are now seeing become reality is biometrics.  Although it has been in the works for years, it looks like all the futuristic spy movies we watched as kids are coming true: biometric iris-scanning ATMs are looming on the horizon, and in some parts of the world are already in action.  Of course you’re not likely to see one in your local corner store just yet, but they may well be coming soon!  According to Jeff Carter of Global Rainmakers Inc., we’re all going to be connected to the iris system within the next decade.

The computer in a biometric ATM can identify a bank customer and scan their iris even from a distance of greater than three feet.  The camera inside the machine takes a focused black-and-white photo of the eye, and the system then measures the structure of the iris and how light and dark areas fall upon it.  A successful ID generates a code which is essentially the customer’s PIN.  The latest method of biometrics is “finger vein” technology, an authentication system developed by Japanese tech giant Hitachi.  Poland’s cooperative BPS bank says it’s the first in Europe to install a biometric ATM, allowing customers to withdraw cash simply with the touch of a fingertip.  The company says that an infrared light is passed through the finger to detect a unique pattern of micro-veins beneath the surface, which is then matched with a pre-registered profile to verify an individual’s identity.  “This is a substantially more reliable technique than using fingerprints,” says Peter Jones, Hitachi’s head of security and solutions in Europe.

What is happening now is that Global Rainmakers Inc. (GRI), based out of New York City, has announced that it will use iris scanning technology to begin creating what it claims will be “the most secure city in the world” in Leon, Mexico.  The task is to hook up all of GRI’s city-wide iris scanners to a massive database created with law enforcement authorities.

“In the future, whether it’s entering your home, opening your car, entering your workspace, getting a pharmacy prescription refilled, or having your medical records pulled up, everything will come off that unique key that is your iris,” Jeff Carter, CDO of GRI, tells tech website FastCompany.com.  Jeff Carter claims, “Every person, place, and thing on this planet will be connected [to the iris system] within the next 10 years.”

You can read more about Global Rainmakers’ plans at Prison Planet, here.

Seems to me that things are changing so rapidly, the world around us is quickly becoming like that of every futuristic movie we’ve ever seen.  Nothing is impossible anymore, and with creations and technology such as this the world is supposed to become a more secure place.  Do you see this as a step forward, or do you have any objections to this kind of technology?

Sources: CNN World, "Biometric ATM gives cash via 'finger vein' scan."
Prison Planet, "Biometric Iris Scanning Technology Rolled Out across entire city".
Black Hat USA 2010
ATM Marketplace "Back to the Future: Biometrics Revisited"


Big Banks force Weak Security on Members

Do you bank online?  Your account may not be as secure as you’d like to think it is!  The other day I was setting up my online account for my television cable provider and was asked to select a password.  As I normally do, I created a unique complex password for the site and stored it in a master database which is also password protected (by a different password of course!).  My passwords are always complex and usually anywhere from 10 to 12 characters in length.  I was frustrated when my cable provider rejected my 11-character password by notifying me that I was limited to a maximum of 8 characters and no special characters!

I have not found this uncommon either; I often find myself registering with websites that essentially force me into selecting a weak password.  American banks in particular have been under fire from security professionals for their current lack of strong security.  A recent report by the OSCE, which is of particular significance to U.S. banking customers, reveals that “Bank network security, especially regarding log-on procedures, falls short of consumer expectations. Log-on protocols elsewhere utilize strong authentication. U.S. banks generally fail to meet that standard.”  Read more about this on the E-Commerce News website: “Are Banks Short-Changing you on Security?”

Here are a few quick (and somewhat disturbing) facts about the current state of password security…

  • 61% of passwords were either only lowercase letters or all digits (examples: iloveyou or 123456).
  • 60% of web users only have one password that they use for all of their online accounts, including Facebook, PayPal, email, and banks, according to a recent study.

A study by Trusteer Inc., a New York-based online security vendor, found that 73% of bank customers use their Internet banking password to access non-financial (and less secure) websites, while 47% use both their online banking user ID and password on other websites.

Security expert Bruce Schneier wrote an article about a British bank (Lloyd’s) that rejected a man’s password because they felt it was “not appropriate”.  The article, though not directly applicable to what we are discussing today, does conclude by mentioning that at least that bank allowed more than four characters in their password, albeit stopping the customer at six characters (which honestly, isn’t any more secure).  You can read all of Bruce’s article here.

How quickly can you be hacked?

Spend a few minutes at the Online Password Generator, and you can find out just how quickly your password could be hacked by brute force.  A four-character password, no matter what special characters or numbers are used, can be hacked in less than one second (if unlimited attempts were possible).  Add two more simple characters and the time only increases to 53 seconds on an Intel® Core™2 Duo E4500.  An eight-character password utilizing numbers and letters will take about 19 hours, 19 minutes.  Punch in a twelve-character password that utilizes upper and lower case, numbers and special characters and it will take a whopping 377283354 years, 7 months to crack.
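The arithmetic behind estimates like these, as an added example that is not part of the original post: it compares the worst-case exhaustive-search time for a policy capped at 8 characters with no special characters against a 12-character policy that allows every character class. The guess rate, the minimum length of 6 and the policy names are assumptions, not figures from the post or from the Online Password Generator.

```python
import string

# Sizes of the printable-ASCII character classes a password policy may allow.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digit": len(string.digits),
    "special": len(string.punctuation),
}

# Assumed guess rate (guesses per second); not a figure from the post.
GUESSES_PER_SECOND = 4e7

# Constructed policies: (allowed classes, minimum length, maximum length).
# The minimum length of 6 for the capped policy is an assumption.
POLICIES = {
    "capped_8_no_special": (("lower", "upper", "digit"), 6, 8),
    "twelve_all_classes": (("lower", "upper", "digit", "special"), 12, 12),
}

def keyspace(classes, min_len, max_len):
    """Count every password the policy permits, summed over each allowed length."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def worst_case_seconds(policy, rate=GUESSES_PER_SECOND):
    """Seconds to try every permitted password at the given guess rate."""
    return keyspace(*POLICIES[policy]) / rate

def humanize(seconds):
    """Render a duration in its largest sensible unit."""
    for name, size in (("years", 31557600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name}: {keyspace(*POLICIES[name]):.3e} passwords, "
              f"worst case {humanize(worst_case_seconds(name))}")
```

These are upper bounds for exhaustive search with unlimited attempts; the average case is half the worst case, and a password taken from a common-password list falls far sooner regardless of its length.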

Not as Secure as the Bank would have you believe

In summary, online banking is simply not yet as secure as banks would like you to believe.  Internet criminals are aggressive and use many methods to steal information, which include database hacks, brute force attacks and phishing scams.  The majority of these attacks will be performed on social networking sites such as Facebook or Twitter, where the stolen information can then be turned around and used on banks.  If you are one of the 47% that uses the same information on a social networking site as you do at your bank, then consider yourself seriously warned.  If on the other hand your bank allows complex passwords (like the one mentioned in the above paragraph), and has a secure (HTTPS) login, well then… bank online at your own risk!

Read more on password security as well as some interesting facts at the infocarnivore password archive.
