1 Do the eyes have it? Consumer Acceptance of Potentially Intrusive Identity Authentication Mechanisms
Chair: Roger Clarke, Xamax Consultancy, Australia
Panellists: Milena Head, McMaster Uni, Canada; Khaled Hassanein, McMaster Uni, Canada; Roger Bons, (Ing), The Netherlands

2 Acceptability of Biometrics in Financial Transactions
AGENDA
Underlying Concepts: Consumer Financial Transactions, (Id)entification, Authentication
Introduction to the Panellists
Panellists' Statements
Discussion: Intra-Panel, Open

3 Consumer Financial Transactions

4 Identity and Identifier (diagram: Account No., Card No., Customer No.; Account; Customer)

5 Identification
The process of associating data with a particular Identity
Achieved by acquiring an Identifier for the Identity
Token: a recording medium for an Identifier

6 The Entity/ies underlying an Identity

7 Entity and Entifier

8 Authentication
A process that establishes confidence in an Assertion
Assertion: a proposition relating to...
Assertion Types:
- a fact
- a quality of a Data-item
- a characteristic of an Entity, e.g. condition, value
- the Location of an Entity
- an Attribute of an Entity or an Identity
- appropriate use of a particular Identity
- performance of an act by a particular Entity
Authenticator: evidence useful for authentication
Credential: a physical or digital Authenticator

9 Identity Authentication – Traditional
What you know: Password, PIN
What you have: Credential, 1-time Password

10 Identity Authentication – Traditional
What you know: Password, PIN
What you have: Credential, 1-time Password
Risk of Fraud, because:
- the Identifier is easily known
- the Authenticator is easily acquired

11 Identity Authentication – Traditional
What you know: Password, PIN
What you have: Credential, 1-time Password
Risk of Fraud, because:
- the Identifier is easily known
- the Authenticator is easily acquired
Fraud Countermeasures:
- Change of Authenticator
- Two-factor Authentication (provided the factors are independent)

12 Identity Authentication – Traditional
What you know: Password, PIN
What you have: Credential, 1-time Password
Risk of Fraud, because:
- the Identifier is easily known
- the Authenticator is easily acquired
Fraud Countermeasures:
- Change of Authenticator
- Two-factor Authentication (provided the factors are independent)
Risks remain, and new Threats arise

13 (Id)Entity Authentication using Biometrics
What you do: Performative Biometrics, e.g.
- Signature dynamics
- Password-input dynamics
What you are: Static Biometrics, e.g.
- Voice, Face, Iris
- Thumb/Fingerprint(s)

14 (Id)Entity Authentication using Biometrics
What you do: Performative Biometrics, e.g.
- Signature dynamics
- Password-input dynamics
What you are: Static Biometrics, e.g.
- Voice, Face, Iris
- Thumb/Fingerprint(s)
Potential security improvements
Biometrics can be acquired ==> security issues
Biometrics relate to the entity ==> privacy issues

15 Panellist 1: Milena Head
Associate Prof. of IS, DeGroote School of Business, McMaster Uni, Ontario & Associate Dean
eBusiness and Human Computer Interaction (HCI): Trust, Privacy, Adoption, Identity Theft
Research on consumer acceptability of biometrics in the context of financial transactions

16 Panellist 2: Khaled Hassanein
Associate Prof. of IS, DeGroote School of Business, McMaster Uni, Ontario & Chair of IS Area
eBusiness (Director of Research Centre MeRC), Mobile commerce, eHealth, online trust, online usability, human-centric DSS
Previously a software engineer with NCR in the financial services sector
Research on consumer acceptability of biometrics in the context of financial transactions

17 Panellist 3: Roger Bons
Product Manager Cards/Cash, previously a strategic consultant, in a major financial institution
But speaking as himself
A Bled community member in earlier years from an academic perspective, while doing a PhD at Erasmus
Financial services industry perspective on biometrics in consumer payments

18 Panellist 4: Roger Clarke
eBusiness consultant, academic, advocate, incl.
- chip-cards generally
- chip-cards in financial services
- identity and entity, (id)entification, authentication, biometrics
- privacy, consumer protection
Involved with consumer financial transactions sporadically over the last 20 years
Scepticism about biometrics in consumer payments

19 Effectiveness of Biometric Authentication
There are many sources of difficulty, e.g.
- Lack of control over equipment, capture environment, capture practices
- Inherently fuzzy measurement, and hence a test for closeness of fit rather than equality
These difficulties result in error-rates:
- Failure to Enrol (FTE)
- Failure to Acquire (FTA)
- False Match Rate (FMR)
- False Non-Match Rate (FNMR)

20 Error-Rates
In Theory: Even the best (iris) has problems
At FMR 1 in 1,000: FNMR 1-4%, plus FTE 0.5-1%?, FTA 0.5-1%?
Hence 2-6% exceptions, resulting in:
- Cost to organisations
- Inconvenience to people
In Practice: Appears to be a lot worse
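Slides 19 and 20 describe biometric matching as a closeness test against a threshold and the error rates that follow from it. The Python below is an added example, not material from the panel: it scores constructed genuine and impostor comparisons against a threshold, computes FMR and FNMR, shows that a tighter FMR target costs a higher FNMR, and sums FTE, FTA and FNMR into the exception band the slide quotes. All scores and rates are constructed.

```python
# Added example (not from the panel slides): a threshold-based matcher with the
# error rates slides 19-20 define. All scores and rates below are constructed.

# Constructed dissimilarity scores between two captures (0 = identical,
# 1 = nothing in common). A genuine comparison is two captures of the same
# person; an impostor comparison is captures of two different people.
GENUINE = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.28,
           0.30, 0.32, 0.35, 0.38, 0.40, 0.42, 0.45, 0.48, 0.52, 0.60]
IMPOSTOR = [0.36, 0.41, 0.47, 0.50, 0.53, 0.55, 0.58, 0.60, 0.62, 0.64,
            0.66, 0.68, 0.70, 0.73, 0.76, 0.79, 0.82, 0.85, 0.89, 0.94]


def is_match(score: float, threshold: float) -> bool:
    """Fuzzy test: a match is 'close enough', never an equality check."""
    return score <= threshold


def fmr(impostor: list[float], threshold: float) -> float:
    """False Match Rate: share of impostor comparisons that are accepted."""
    return sum(is_match(s, threshold) for s in impostor) / len(impostor)


def fnmr(genuine: list[float], threshold: float) -> float:
    """False Non-Match Rate: share of genuine comparisons that are rejected."""
    return sum(not is_match(s, threshold) for s in genuine) / len(genuine)


def threshold_for_fmr(genuine, impostor, max_fmr):
    """Loosest threshold whose FMR stays within max_fmr, with the FNMR that
    choice costs. Tightening FMR always raises FNMR: the trade-off behind
    'FMR 1 in 1,000 => FNMR 1-4%' on slide 20."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        if fmr(impostor, t) <= max_fmr:
            best = (t, fmr(impostor, t), fnmr(genuine, t))
    return best


def exception_rate(fte: float, fta: float, fnmr_at_threshold: float) -> float:
    """Share of legitimate users who become exceptions, summed the way slide 20
    does (FTE + FTA + FNMR). Strictly, FNMR applies only to captures that
    succeeded, but at these magnitudes the difference is negligible."""
    return round(fte + fta + fnmr_at_threshold, 6)


if __name__ == "__main__":
    for target in (0.20, 0.05, 0.0):
        t, fm, fn = threshold_for_fmr(GENUINE, IMPOSTOR, target)
        print(f"FMR <= {target:.2f}: threshold {t:.2f}, FMR {fm:.2f}, FNMR {fn:.2f}")
    print("slide-20 exception band:", exception_rate(0.005, 0.005, 0.01),
          "to", exception_rate(0.01, 0.01, 0.04))
```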

21 Imposters (and Avoiders)
- The statistics come from tests that assume no attempt to subvert the system
- Some 'zero-effort imposters' get through
- Biometrics are not a secret, can be acquired, and can be used to contrive an 'artefact'
- 'Liveness testing' to detect artefacts is difficult, expensive, and subject to counter-measures
- A '> zero-effort imposter', who has knowledge and who invests effort, can get through
- The few imposters are the problem that we were trying to address in the first place

22 Security Issues
- Many organisations acquire a copy of the biometric (but the scheme can be designed to avoid it)
- Some organisations retain a copy of the biometric
- Many organisations retain a copy of the 'template'
- Some templates are not one-way hashes
- Reversible templates enable creation of an artefact and therefore support masquerade

23 Privacy Issues
- Biometrics are associated with the underlying entity
- Biometrics strike through identities
- Biometrics undermine identity silos, and encourage consolidation of personal data into one pool
- Identity silos are the primary privacy protection, which data protection laws have sought to sustain
- Templates have potential use as a common entifier
(Almost all iris schemes use the same algorithm, and hence produce the same template. For all biometrics, industry concentration is likely in any case)