Category Archives: biometrics

On Surveillance in the Workplace

Data & Society just published a report entitled "Workplace Monitoring & Surveillance":

This explainer highlights four broad trends in employee monitoring and surveillance technologies:

  • Prediction and flagging tools that aim to predict characteristics or behaviors of employees or that are designed to identify or deter perceived rule-breaking or fraud. Touted as useful management tools, they can augment biased and discriminatory practices in workplace evaluations and segment workforces into risk categories based on patterns of behavior.

  • Biometric and health data of workers collected through tools like wearables, fitness tracking apps, and biometric timekeeping systems as a part of employer-provided health care programs, workplace wellness, and digital tracking work shifts tools. Tracking non-work-related activities and information, such as health data, may challenge the boundaries of worker privacy, open avenues for discrimination, and raise questions about consent and workers' ability to opt out of tracking.

  • Remote monitoring and time-tracking used to manage workers and measure performance remotely. Companies may use these tools to decentralize and lower costs by hiring independent contractors, while still being able to exert control over them like traditional employees with the aid of remote monitoring tools. More advanced time-tracking can generate itemized records of on-the-job activities, which can be used to facilitate wage theft or allow employers to trim what counts as paid work time.

  • Gamification and algorithmic management of work activities through continuous data collection. Technology can take on management functions, such as sending workers automated "nudges" or adjusting performance benchmarks based on a worker's real-time progress, while gamification renders work activities into competitive, game-like dynamics driven by performance metrics. However, these practices can create punitive work environments that place pressures on workers to meet demanding and shifting efficiency benchmarks.

In a blog post about this report, Cory Doctorow mentioned "the adoption curve for oppressive technology, which goes, 'refugee, immigrant, prisoner, mental patient, children, welfare recipient, blue collar worker, white collar worker.'" I don't agree with the ordering, but the sentiment is correct. These technologies are generally used first against people with diminished rights: prisoners, children, the mentally ill, and soldiers.

Social-Engineer Newsletter Vol 09 – Issue 114

Smile, Facial Recognition in Use

At a sporting event kiosk, you stand there watching rehearsal clips of a singer who will be performing at the half-time show. What would you say if I told you that a facial-recognition camera inside the display was taking your photo and cross-referencing it with a database of the performer’s known stalkers? After reading about this happening to many attendees of the Rose Bowl, I started to look into how else facial recognition is being used. I found that this software has been growing in popularity with companies and government agencies throughout the world.

As a social engineer, I was concerned. I wanted to see how easily facial recognition technology could be circumvented and used maliciously through social engineering techniques, because it utilizes openly available information: your face. I started thinking, can we trust using facial recognition technology, such as on the new iPhones? Would the phones allow access to the device just by using a photograph of myself? Another question I wanted to answer was, could facial recognition technology be used by someone malicious to exploit others?

How did facial recognition software get its start?

Facial recognition isn’t new. It’s been developing since the 1800s, starting with photographs being used to track down criminals and escaped prisoners. Then, through the work of pioneers studying facial expressions, such as Silvan Tomkins, Dr. Ekman, and others, many uses of facial recognition technology started to emerge. When the 9/11 tragedy struck, biometrics (the measurement and analysis of unique physical or behavioral characteristics, especially as a means of verifying personal identity) began to expand rapidly. This was especially true of facial recognition technology. Companies began coming out with various forms of this technology, such as Microsoft’s Face API, Amazon’s Rekognition, and RealNetworks’ SAFR.

Smile, Cameras are Watching

So, where can you expect to see facial recognition technology in use?

When it comes to security, the first place to look is biometric security. It is being used with FaceID on the latest iPhone and iPad Pro, and Microsoft’s Hello is being used on Windows 10 PCs. It’s also at offices and schools, which use it to watch over the main entrance, allowing only those who are in the database to enter. One example of this is the University Child Development School in Seattle, Washington.

We can also look at customer satisfaction. In China, people are using it to pay for coffee, visit tourist attractions, and withdraw cash from ATMs. When you are shopping, stores use facial recognition to monitor how customers react to certain product displays.

Then there is law enforcement, where it is being used to identify suspects. By using facial recognition technology, the 2013 Boston Marathon bombers were identified. It’s also being used to prevent identity theft: many states use facial recognition technology to prevent the issuance of fraudulent drivers’ licenses. New York officials have reported that using the technology has resulted in spotting some 21,000 cases of possible identity fraud. Customs and Border Protection used the technology to nab two imposters attempting to cross from Mexico into the U.S. using someone else’s border-crossing cards.

These are just some of the many ways facial recognition is being implemented; there are too many to cover in this newsletter alone. So, how can facial recognition technology be circumvented? In what way can it be used by someone malicious to exploit others?


The SE Angles

When looking at how facial recognition technology could be used to protect the main entrance at an office or school, one thing it still doesn’t prevent is tailgating: someone without clearance gains entrance to the building by following behind someone who does have clearance.

What about trusting the technology to keep our new iPhone or iPad secure? One week after the iPhone X was released, a Vietnamese security firm demonstrated how they bypassed FaceID with a composite mask of 3-D printed plastic, silicone, makeup, and simple paper cutouts. In another video, they demonstrated how they did it with a mask 3-D printed in stone powder and 2-D eyes printed with infrared-sensitive ink. That was in 2017; is it any better now, in 2019?

In January, the Dutch non-profit Consumentenbond published its findings on a test of 110 smartphones and found that holding up a good portrait photo of the phone’s owner was all that was needed to unlock 42 of the phones tested. Microsoft’s Hello, the Windows 10 version of facial recognition, failed along with many others, according to an article by Graham Cluley. He mentioned that some researchers were able to bypass it just by using a “modified printed photo of an authorized user.” Microsoft has since patched the vulnerability found by these researchers, but can we really trust this technology to be the only means of securing our device? Until the security community has shown that facial recognition technology can secure our device without being circumvented, it is best to stick with the old-fashioned password lock with a strong, unique password. We don’t want someone who takes our phone, tablet, or PC to gain access to our private information, since in these cases all it took to bypass the lock was a good photograph, which can often be found easily with open source intelligence research.

Another security concern with facial recognition technology is that someone with malicious intent can use a photograph and facial recognition software to quickly find personal information about us. In a report by The Telegraph, a Russian photographer took photos of complete strangers and used the facial recognition software FindFace to identify them. From that, he was able to find a trove of personal details about their lives. For social engineers, this can be a windfall for doing our job, but for individuals it can be alarming. A criminal can take the information found, develop a targeted phish, and send it to the victim. Unfortunately, there isn’t a way to prevent facial recognition software from being used to identify us, but we can limit the photos that are posted and secure our social media accounts, so our personal information is more secure.

While there are many conveniences and applications for facial recognition technology, there is still work to be done before it can be trusted as the sole mechanism for securing a device or as the only source of protection at the front entrance of an office or school. We should continue to use strong passwords on devices, some form of multifactor authentication, and security guards at the front entrance to prevent tailgaters where applicable. Since it’s getting easier to find information about us, we need to be aware of what is out there about us and know that the information could be used against us, including through facial recognition technology.

“Knowledge is power,” so, with what we now know about the use of facial recognition technology, we need to use that knowledge to keep ourselves secure.

Stay safe and secure.

Written By: Michael Hadnagy 


The post Social-Engineer Newsletter Vol 09 – Issue 114 appeared first on Security Through Education.

Cyber Security Predictions for 2019

A guest article authored by Jim Ducharme, Vice President of Engineering and Product Management at RSA

1. Prepare for IOT, the “Identity of Things”
From personal assistants, to wearables, smartphones, tablets and more, there is no shortage of connected devices. The explosion of IOT has finally reached a tipping point where the conversation of identity will start to take on a whole new meaning. The billions of new digital identities being created don’t come without risk – including new privacy and cybersecurity vulnerabilities. With businesses and consumers all in on IOT, how do we protect and securely manage the “identity” of the things? 

2. Biometrics vs. the Four-Digit Pin
Biometrics are under a lot of pressure these days to be the silver bullet of authentication. So how could a simple 4-digit PIN, which has at most 10,000 possible combinations, give biometrics like FaceID, with a 1 in 50 million entropy, a run for its money? The industry will come to realize that when 4-digit PINs are combined with AI and machine learning, the four-digit PIN, similar to what has been used for decades to protect access to our bank accounts, can provide a very high level of security. The ultimate goal for identity and access management is not to find the unbreakable or “unhackable” code for authentication, but rather to layer security to create a much stronger identity assurance posture. AI and machine learning will be a game changer, allowing for intelligence-driven authentication that will open up additional options for security layers for organizations.

3. Death of the Password?
We have long seen predictions that passwords are in their final days. But it’s time to come to grips with the fact that passwords will be here for a long time. Perhaps there is still hope that while we may be living with passwords for generations to come, they may be a lot less scary than the monster we have created. It’s time to reverse the trend of how complex passwords have become (MyKitsH8Me!) and how hard they are to manage (having to change them every 60 days) in an attempt to improve password strength. We can uncomplicate the password and unburden it from having the ultimate responsibility for security. A much simpler password coupled with additional layers of risk-based authentication, especially those factors invisible to the user like behavioral, location and device context, and even transparent biometrics, can help businesses better secure access to critical resources.

4. A New Generation of Risk-based Authentication
With a seemingly endless stream of high-profile data breaches and malicious cyberattacks, the need to ramp up security and manage identities is evident. 2019 will see the beginning of a new generation of risk-based authentication, powered by machine learning and user behavior analytics. Organizations will start to uncover their own unique context and identity insights to gain a more comprehensive view of user identities including locations, behavior patterns, frequency of use and more. This new generation of risk-based authentication will allow organizations to reduce the friction on end users when accessing applications and information while strengthening the assurance that the user is who they claim to be.

Jim Ducharme, Vice President of Engineering and Product Management at RSA

    Hackers defeat vein authentication by making a fake hand

    Biometric security has moved beyond just fingerprints and face recognition to vein-based authentication. Unfortunately, hackers have already figured out a way to crack that, too. According to Motherboard, security researchers at the Chaos Communication Congress hacking conference in Leipzig, Germany showed a model wax hand that they used to defeat a vein authentication system.

    Source: Motherboard