Wednesday, October 14, 2015

New season of credit card fraud

The holiday season is coming and with it a new credit card fraud season. You might say I'm exaggerating, but I'm not: experts are expecting it. Anyone who argues that, after what happened at Target, vendors are ready would be wrong.

What is the problem with credit cards in the US? The infrastructure and the credit card itself. Why? It is the same story as with the Internet infrastructure. In the US you can pay a lot of money for a modest Internet connection compared with other countries, which built out their networks in the last 15 years and offer greater speeds for less money. The explanation is simple: those countries started with new technologies and upgraded them regularly, driven by fierce competition or government regulation.

The same applies to credit card technology, which was first implemented in the US and still uses outdated systems. I remember that when I received my first bank card over 10 years ago, it only had a magnetic stripe and a PIN. We have always used a PIN in Europe, which is a code you enter to approve a transaction. After four years I received a new card, a chip card. This was done automatically by the bank in accordance with EU regulations.

Why did the US wait so long to impose chip cards?

Monday, October 5, 2015

What is best: open security vs. security through obscurity?

For a long time it was believed that security through obscurity is the answer. Security through obscurity means that as long as you keep the details of a system or algorithm secret, that system is secure because attackers don't know the details. Open security, on the other hand, means disclosing an algorithm or system and letting people test it and report the problems.

Because it has been proven that security through obscurity is not good at all, many people argue that open security is the answer. This approach is not entirely desirable either. Every method has its flaws.
The major issue with security through obscurity is that the security bugs still exist and a sufficiently skilled attacker will find them; moreover, a major security flaw can be overlooked for many years. Open security relies on the honesty of those reviewing the algorithm to report their findings.

Sunday, October 4, 2015

Smart everything: a security risk

There is a new trend nowadays: turn everything into a smart device. Everyone is doing it, from car and plane makers to home appliance manufacturers. The big question is: is it safe? The latest news suggests not so much. A computer system bug, even a zero-day exploit, can be damaging for the end user, but it is not life threatening. What about a bug in your car or plane that allows someone to remotely take control of it?
Samy Kamkar has created a $100 box called Onstar which allows an attacker to locate, unlock and start a General Motors car by intercepting the commands sent from the user's smartphone to the car. More details about this hack can be found here. This problem was reported as solved by GM.
Another exploit on smart cars targeted a Jeep and hundreds of other Chrysler vehicles. The hackers were able to take full control of the car; by this I mean drive it. They could steer it and control the transmission and brakes. This problem was solved by the manufacturer, which had to recall over 1 million cars.
Another example of hacking smart devices is hacking the passenger WiFi on planes.

Thursday, October 1, 2015

Biometric database breaches shouldn't be a problem

Recently there has been a lot of news about breaches involving stolen fingerprints. According to Hacked, 5.6 fingerprint records were stolen from the US government. With existing advances in biometric templates, a breach like this shouldn't pose a problem.
Let me explain the biometric authentication process. The first step is enrollment, which consists of acquiring the desired biometric trait, let's say a fingerprint, using the required sensor. Then a biometric template is created, and authentication is done against that template. A long time ago, when biometrics were first introduced, this template was simply the images of the fingers; I'm referring to fingerprint use by law enforcement.
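The enrollment, template and matching flow described above, extended with a revocable (cancelable) template so that a stolen template database can be re-issued instead of being a permanent loss, as an added Python example that is not part of the post and not the scheme of Ratha, Connell and Bolle. The feature vector, the tokens and the noise model are constructed assumptions; the transform (token-derived random projection plus sign quantization) is a simplified illustration, whereas real schemes work on minutiae and use stronger non-invertible transforms.

```python
import hashlib
import random

DIM = 32                       # length of the (constructed) fingerprint feature vector
BITS = 128                     # length of the protected template in bits
THRESHOLD = int(0.25 * BITS)   # max Hamming distance accepted as a genuine match

def derive_projection(token, dim=DIM, bits=BITS):
    """Expand a revocable per-enrollment token into a pseudo-random projection
    matrix; it is regenerated from the token on every use and never stored."""
    seed = int.from_bytes(hashlib.sha256(token.encode()).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]

def protect(features, token):
    """Cancelable template: random projection, then sign quantization. Many
    feature vectors map to one bit string, so the template is not invertible."""
    matrix = derive_projection(token, len(features))
    return [int(sum(w * x for w, x in zip(row, features)) >= 0) for row in matrix]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def verify(probe_features, token, stored_template):
    """Matching happens in the protected domain, never on raw features."""
    return hamming(protect(probe_features, token), stored_template) <= THRESHOLD

def demo():
    rng = random.Random(2015)  # constructed sample data, fixed seed
    genuine = [rng.uniform(-1, 1) for _ in range(DIM)]
    probe = [x + rng.uniform(-0.05, 0.05) for x in genuine]   # same finger, sensor noise
    impostor = [rng.uniform(-1, 1) for _ in range(DIM)]        # a different finger

    template_v1 = protect(genuine, "token-v1")   # enrollment
    results = {"genuine_accepted": verify(probe, "token-v1", template_v1),
               "impostor_rejected": not verify(impostor, "token-v1", template_v1)}
    # Breach response: revoke token-v1 and re-enroll the same finger under a new token.
    template_v2 = protect(genuine, "token-v2")
    results["old_template_useless"] = not verify(probe, "token-v2", template_v1)
    results["reissued_template_works"] = verify(probe, "token-v2", template_v2)
    results["templates_unlinkable"] = hamming(template_v1, template_v2) > THRESHOLD
    return results

if __name__ == "__main__":
    print(demo())
```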
Ratha, Connell and Bolle introduced the concept of cancelable biometrics. According to the same authors, classic biometric information storage has the following issues: