Home
Search
Login
<mosaic.cnfolio.com>

Article 1


Identification Methods


Two methods used for identification are a driver's license and a debit or credit card. Both of these forms of identification may be used to authorise the owner in different situations as each gives certain information for the tasks they are needed for.
The modern driver's license is compiled of two sections; the photo-card and the counterpart paper form. Together, these enable a complete authentication of the owner and the details requested. Such details are of the driver's personal information (i.e. Full name, address, date of birth etc.), and details of the driver's license categories (what they are allowed to drive). Further details regarding endorsements, like penalty points, are included on the counterpart. As you can see, there are many details included on the driver's license to enable authentication, although many of these may not necessarily be needed for the purpose. This form of identification is required for occasions such as proof of age or proof of your identity. The main reason is for driving standards authentication or police verification, as this will need to be shown upon request.
Debit and credit cards hold a lot less visible information than the driver's license and may not be used as a form of proof of age or identification by an authority. The details that are held on a card are purely for verification from a bank or payee. The details held on a bank card are typically the account holder's name, account number, bank sort code, card number and start or expiry dates. As you can see from the details, possession of this card is not an instant form of authentication, as the holder only needs to say they are the name on the card to gain a certain level of confidence with the authenticator, even though this may be a very low level of trust.
The claim stated by a holder of the debit or credit card in the instance mentioned above is very weak and by today's standards of security, the holder would not have gained any level of access with it. Authentication via the use of a bank card is made via a number of methods. There are chips on bank cards today which are read when a user enters them into a machine, which will ask for a pin number. Although, the details on the card may suffice in a number of cases, especially with paying over the phone. The details a user may need is the card number, issue details and security number.
Driver's licenses do not work in the same way as this. Modern photo-card licenses contain a photo of the holder and therefore give the authenticator a visible comparison in order to verify the holder. Unlike bank cards, where the holder can say they are the person on the card, driver's licenses match the name with the photo. This form of identification can therefore be used to increase the confidence of the claim on a bankcard when one is used as proof. Authentication is completed via a means of comparing attributes of the person to the card. Other forms of verification may be the use of the driver's number, which may be read out over the phone if necessary by the driving standards agency.
As you can see from above, the authentication of bank cards may sometimes only require possession of the card, whereas driver's licenses would require a visible comparison in order to state their claim. This means that the driver's license is a more effective way of authentication when proving the holder's identity.
Visual recognition of the owner was not always the way that licenses worked. Before the photo-card, driving licenses used purely the counterpart as proof of a driving license. This meant that on the spot checks made by police officers could not verify that the holder was actually the person who provided the license. The license was given over and confidence in the claim was received by the fact that the person was in possession of it.
Similarly, bank cards did not always have a chip and pin system in place for verification during money transfers. At a point of sale, the holder could pay for an item/items by card and then use a signature to show that this is them. A person's signature may vary from time to time and in some cases people could easily get hold of the owner's signature to copy it. Trust here was also in the fact that the person paying was in possession of the card and also that it was truly their signature when they signed for the card. The latest methods of authentication using a pin number to verify the card is a lot more secure, although it is still not a definitive method of supporting the claim that the holder is the owner of the card.
Security of these identifiers have been increased since their release, as fraudulent acts have noticed and attempts to end these have been put into place.
The government are benefiting most from the current identification methods, as they have all been standardised across companies to keep fields the same and make checking easy. The companies themselves are also able, through the use of the standards to file identification such as a driving license or bank card by the details on them.
Both of these forms of identification hold various threats on the collection of personal data. Driver's licenses in themselves contain enough data to commit fraud with the amount of personal details present and even a copy of the owner's signature. The photo-card does prevent a person from using the card themselves when they are not the actual owner.

Article 2


Fujitsu PalmSecure Vs. WiKID Open Source Two-Factor Authentication


Fujitsu PalmSecure is a new authentication technology used in many cases to supplement other authentication methods via the use of a palm vein scanner. Palm vein scanning technology is a new technology built in order to fight against fraud as it is not a very easy technology to bypass. Unlike fingerprint scanners, where fingerprint patterns may be copied in some cases, veins aren't so easy to copy without having the person's actual hand present. Palmsecure works by near-infrared beams being sent through the user's hand. The de-oxygenated haemaglobin in the veins of the user, absorbs the near-infrared beams and causes them to glow in the image taken. The pattern of veins is therefore taken and matched to a previous scan of the user to determine whether they are who they say they are. Only the veins show up because oxygenated haemaglobin in the blood does no absorb the near-infrared beams and therefore do not show up on the image. Similarly to fingerprints, the vein patterns in the palm are unique, making this a viable biometric authentication method. (Fujitsu Frontech North America, Inc., 2009)

WiKID Systems Inc. on the other hand, have presented an open source technology which makes use of a software based system to authenticate users. WiKID have utilised a two-factor authentication system which work via the use of asymmetric encryption, private/public keys and one time passwords, as follows:

Upon authorisation, the user will select a WiKID domain name of up to 12 characters which is sent to the server. A public key will then be generated and sent to the server separately, whilst a private key is held by the client. The user is prompted to input a pin code which may vary in length depending on the user’s preference (ie. 4 digits or 8 digits). The private key on the client’s side will encrypt this pin and send it separately to the server. This will then be checked by the server side and decrypted by the public key.

The server generates a timed one time password (registration code). This means it can only be used once within a certain space of time, to increase security. The user may then be authenticated, provided their pin code and one time password have been entered correctly. Each authentication is completed via the WiKID servers to ensure correct verification. WiKID have a patent pending on their system architecture (WiKID Systems, Inc. , 2003 - 2010).

Cost to Implement the System


Fujitsu have offered a PC commercial mouse with an integrated PalmSecure scanner, with prices roughly at £300 per unit for personal use (Dennis Publishing Limited, 2009). The recommended retail prices for PalmSecure devices and applications are around $427 for the hardware and $40 for the software with it. Therefore a total of $467 per unit.

The standard sensor kit comes as either a package or the standalone sensor. The RRP of these would be less than that of the integrated mouse system although the overal price ranges are inbetween the average prices of the fingerprint scanning systems and iris scanners.

The sensors have mainly been aimed at businesses so far and therefore are not widely available in many forms to a commercial audience.

The WiKID price per ‘seat’ starts at $24 per user. This means that each authentication registration is $24. $24 per user is for a bulk set bought for 10 – 500 users. 10 users or seats is the minimum amount that WiKID will let you buy at a time, so therefore the minimum cost is $240 and this allows space for 10 users. Already we can notice that this value for 10 users is still cheaper than just once authentication space for the PalmSecure system. The only difference here is that PalmSecure may hold authentication information for many users in the one device, although it will be necessary to buy many devices to supply a business with many workstations.

The greater the amount of seats a business buys with WiKID Systems, the cheaper the price per seat becomes. The ranges go up to 7501 – 15000, with the cheapest price per seat costing the user just $10. Therefore we can work out the cost of a large business using both authentication systems, assuming that each user had their own personal verifier.

Consider a business with 10000 users. Here are the calculations assuming that the cost of a PalmSecure system and WiKID system are $467 and $10 each respectively according to the information above.
PalmSecure
$467 x 10000 = $4,670,000
WiKID
$10 x 10000 = $100,000
As you can see, the cost of the WiKID system would be a lot cheaper to implement for a company than PalmSecure, providing that they could both be used for the task in hand. The WiKID system is software based and has much cheaper initial costs as shown here. The main thing to point out here is that the WiKID system does incur ongoing costs for their servers, which produce 40 authentications per second, whereas the PalmSecure may not.
WiKID offer even cheaper options to those who are commited to using their system. The first is a 30% reduced rate for a 3 year or more subscription. This means that a bulk buy could be reduced to $7 per seat instead of the $10 that was mentioned above.

Education and non-profit organisations may get a 25% discount which can add on to the 30% discount, which means that if they were to purchase a three year subscription for 10000 users, the pricing would be as follows:
10000 seats at $10 each = $100,000.
30% + 25% discounts = 55% discount from original price.
3 years = $300,000 x 0.45 = $135,000 for an education/non-profit organisation .
This equates to $45,000 per year.

If we look at the cost per unit of each system, we can note that one seat for authentication for the WiKID system is just over 5% the cost of one unit of the PalmSecure system. The point to note here is that the WiKID system has been built for different purposes than the PalmSecure system. WiKID appears to be a better option if they were both being used for the same purposes over a short period of time.

Cost of Maintenance of the System


As the base of the system is using a hardware and software orientated approach, there is always a chance of the hardware failing or breaking. If we say that 5% of the palmsecure systems may break in a year, and a company contains 100 of them, this may add up to $2335 of hardware costs in maintenance per year.

The WiKID system contains no hardware for the client and therefore the actual authentication system should cost the company $0 in hardware maintenance. The only accountable costs may be of the computers they run on themselves, although WiKID does not require a large amount of processing power and therefore they will not need to upgrade the system to run it.

Another point to note is that WiKID is software based and PalmSecure is both software and hardware based. WiKID’s authentication system is primarily using the servers set up by WiKID and their system runs through those. Maintenance costs will therefore be very low for this system on the client side. PalmSecure’s costs may be higher as the system will need to have a technician who knows the authentication system to maintain both the hardware and software, to make sure it is working sufficiently.

PalmSecure may only need the one off payment for the initial cost of the system along with maintaining the hardware, although WiKID require companies to continue paying for their authentication system, as they need to maintain the system at the server side. Therefore the actual costs will begin to mount up after long periods of use of the system. I.e. If WiKID’s initial cost to set up (disregarding the administrative set up) is $100,000, as shown in the previous section, the cost for the next year will also be $100,000, whereas with PalmSecure you do not need to pay for server maintenance.

Known Attacks


PalmSecure is generally a secure system, as its new technology is very difficult to bypass. Images may be tampered with on the system or replaced to allow a different user’s pattern to be authenticated via the scanning of their hand instead of the original user. Also, the vain pattern of a person may be stolen and used to either create a model for authentication at a later date.

As with many internet applications, data may be viewed along the network as it travels between the client and the server. An attacker may be able to collect data from this connection such as the one time password or pin, even if they are encrypted. If the hacker was to overcome the encryption or even gain a copy of the public key, then the authentication system will be compromised. As this is an open-source system, security issues are pointed out regularly and updates are made to prevent possible exploits to the system.

Known and Potential Effects on collection of personal data


A known effect that this system has is that, as with many biometric technologies, the user's unique identity attributes are being held in a location. Images of the user's vein pattern are required to be stored in order for the system to authenticate the user against the person whose data is trying to be accessed. For access control and many security systems, these images are being centrally held in a database, possibly for the company or organisation. If an attacker was to get a hold of this data, they may be able to exploit it for their own personal gain. Bank cards or smart cards usually hold this information of the card itself, in order for the user to prove that they are the true possessor of the card.

There are no known effects on the collection of personal data for the WiKID system as there is no stage at which any personal data is stored in the system itself. The only data that may be taken is an encrypted password which could be taken in transit from the client to the server.

Organisations most likely to benefit from this system


PalmSecure can be used in a wide range of industries as an authentication method to determine who a person is, and may accompany other systems to add security. The major uses for this system are in security, banking, ATM machines, healthcare and access control (Genuth & Fresco-Cohen, 2006).

As this is a relatively new technology, many companies are starting to introduce it into their systems, such as the Tokyo-Mitsubishi bank on their ATM machines to supplement the standard chip and pin card system. Future uses may head towards PC authentications as it may replace computer passwords.

The government may find this method of authentication useful, similarly to fingerprints, although this is a much more secure method of authentication. Images of patterns may be kept for records.
The WiKID system may also be used in a wide range of industries, although authentication will require an internet connection, unlike PalmSecure. This is due to the WiKID servers being used for the verification processes. It is primarily used for computer software authentication and websites at the moment and may not be used in such a large range as the PalmSecure for situations like ATM machines etc.

Article 3


Identity Card Act 2006(UK) and the Computer Fraud and Abuse Act (revised 1996)(US)


The political objective(s) of each legislative act.


The Identity Card Act 2006 was put in to place to accompany the introduction of the National Identity Card into the UK and the National Identity register. The act states that the person must be in possession of their own card and nobody else’s. If a person is found to have a false document or a document that does not belong to them, they are committing an offense against the act.

Details about the owner will be present on the card and must reflect the data that is held on the register accurately. These details may be attributes about a person, such as biometric details, or government necessary information such as a national insurance number.

The reason for the introduction of these cards is that they will contain all the necessary identification information for a person in a quickly accessible and convenient manner. If a person of authority has a reasonable reason to require identification, this card may be produced for verification. It is a secure method of authentication. Details such as age will be displayed on the front of the card, whereas more private details such as biometric scans and address are held on a microchip on the card (Identity Cards Act 2006, 2006).

The Computer Fraud and abuse act (US) was put in place to stop the misuse of computers, in regards to people accessing data that they should not be accessing. This may be for financial gain.
It states that; accessing a computer to gain executive information to aid a foreign nation to an advantage over USA, accessing a computer without the required authorisation, accessing a computer with the intent to defraud or attempting to gain protected data would leave the attacker liable to be punished against the act. (The Computer Fraud and Abuse Act (as amended 1994 and 1996), 1996)

Here, we have an example of two separate acts that relate to authentication in different ways. The National Identity card act is to provide visual authentication of users, showing details of their attributes and other government register-able facts. A user must possess this document to be authenticated by a person who requires the information on it to verify them.

The computer fraud and abuse act is a Canadian act which has been put into action to prevent attempts to take information illegally from computer databases/devices for use in fraudulent acts. This means that a person would not legally be allowed to enter the national identity register to gain access to people’s information that has been kept for verification purposes. It would be punishable if a person was to use fake information about themselves.

The amount of government spending that may have been caused by each legislative act.


The main cost for the government regarding the national identity registration scheme, is the setting up of the database for use with the act. The actual database that has been set up is costing the government around £5 billion, although the rest of the costs for cards and administration is going to be paid for itself by users (Around £30 per card). (BBC News, 2009).

Known and potential effects on personal privacy issues.


There is a large concern about the privacy issues for the National Identity card act, as it is directly related to private information about the user, which they may not wish to be revealed. The act will enforce the requirement for the identity register, to state that a number of details will be held on the card, ranging from their name and date of birth, to biometric scans of their fingers and facial scans, although none of the information recording will take into account private matters such as religion or sexual preference.

The register means that all this information will be saved onto a database, which many people oppose, as there don’t believe there is a reason for it. It is believed that the government is enforcing this act in order to keep control over the identity of the citizens rather than to reduce crimes and terrorism as originally planned.

If biometric scans are being kept in a database, there is a heavy security risk, as these may be unlawfully accessed, going against such acts as the computer misuse act 1990, which is the UK equivalent of the Computer Fraud and Abuse Act. If people were to gain access to the scans, they cannot change this detail as it is a part of them, unlike a password.

The computer fraud act does not affect a person’s details in this manner, as it is in place to prevent the access of any information. This is the case throughout the whole act, apart from one section. A line in section ‘f’ of this act states the following:

“This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.” (The Computer Fraud and Abuse Act (as amended 1994 and 1996), 1996)

This is the only line that appears to affect a person’s personal privacy, as it is lawfully allowing the intrusion of investigative procedures in order to gain intelligence. This appears to go against the idea of the act itself, which is in place to prevent unauthorised access to computer databases or another person’s property.

Estimates of the success of each legislative act towards achieving their political objective(s).


Overall, the computer fraud and abuse act appears to have achieved their political objectives more so than the Identity Cards act 2006. This can not be judged specifically yet due to the fact that the Identity Cards act is a recent piece of legislation and cards are only just being introduced into the society. The main issues being faced by the identity cards act is that people do not see any reason for the use of them, other than a convenience for authentication. There are other methods for identification that are suitable so far, such as a passport for travel. This contains nearly all the information that will be held on the Identity cards themselves, so there should be no specific need to pay for a new, optional method.

Biometric scanners are also not widespread at the moment. This means that the information held on the biometric microchip on Identity cards may not be read, which could boost the production of fake identification (BBC News, 2009).

Considerations of the possibility for achieving similar political objective(s) through business markets.


Identity cards may be used similarly in businesses for quick user authentication in payment or access. For example, casino's need a membership identification card, and may like to use an identity card for their system, with the relevant details of their customers held in a database that provides information for authentication, such as an image of the customer.
Businesses that make use of computer systems, such as payroll systems, may utilise acts such as the computer fraud and abuse act, or the computer misuse act to gain politcal objectives for their staff's allowances with the database. If a staff member was to attempt to access a database that they do not have authority to access within the company, they should be dealt with appropriately by the managers.

References


BBC News. (2009, July 2). Q&A: Identity cards . Retrieved January 20, 2010, from BBC NEWS: http://news.bbc.co.uk/1/hi/uk/3127696.stm

Dennis Publishing Limited. (2009, February 3). Fujitsu PalmSecure in Mice. Retrieved December 10, 2009, from PCPro: http://www.pcpro.co.uk/reviews/mice/246581/fujitsu-palmsecure/comments

Fujitsu Frontech North America, Inc. (2009). PalmSecure - Palm Vein Authentication Technology. Retrieved December 10, 2009, from Fujitsu: http://www.fujitsu.com/downloads/COMP/ffna/palm-vein/palmsecure_datasheet.pdf

Fujitsu. (2000 - 2010). PalmSecure™. Retrieved December 15, 2009, from Fujitsu: http://www.fujitsu.com/us/services/biometrics/palm-vein/

Genuth, I., & Fresco-Cohen, L. (2006, November 3). Fujitsu's Palm Vein Technology. Retrieved December 15, 2009, from The Future of Things: http://thefutureofthings.com/articles/34/fujitsus-palm-vein-technology.html

Identity Cards Act 2006. (2006). Retrieved January 20, 2010, from OPSI - Office of Public Sector Information: http://www.opsi.gov.uk/acts/acts2006/ukpga_20060015_en_1

Lim, D. (2009, February 9). Fujitsu’s LogonDirector integrates windows sign-on in the palm of your hand. Retrieved December 10, 2009, from SlashGear: http://www.slashgear.com/fujitsus-logondirector-integrates-windows-sign-on-in-the-palm-of-your-hand-0933593/

The Computer Fraud and Abuse Act (as amended 1994 and 1996). (1996). Retrieved January 20, 2010, from Panix: http://www.panix.com/~eck/computer-fraud-act.html

WiKID Systems, Inc. . (2003 - 2010). WiKID Commercial Open Source Two-Factor Authentication . Retrieved January 20, 2010, from WiKID: http://www.wikidsystems.com/















FILE MANAGER

Attachment Timestamp Size
Page revised 2010-01-25 23:35 • ©2012 University of Portsmouth • This website uses wikkawiki.org software.