* Posts by Jin

109 posts • joined 28 Aug 2012

Page:

A little phishing knowledge may be a dangerous thing

Jin

How informed?

Well-informed > Un-informed > Ill-informed > Misinformed > Disinformed

Microsoft 'kills' passwords, throws up threat manager, APIs Graph Security

Jin

Logic and rationale defied

The PIN is the weakest form of numbers-only password. If it can kill the password, a small sedan should be able to kill the automobile.

They allege that a PIN is stronger because it is linked to a device while the password is not made linked to the device. Then we have to ask "What if you made the password linked to the device?

Biometrics: Better than your mother's maiden name. Good luck changing your body if your info is stolen

Jin

The Issue of False Rejection

The actual/measured false rejection rates in the Aadhaar scheme have been publicized - reportedly 6% for fingerprints and 8.5% for iris scan. Those who were falsely rejected need to be rescued somehow.

If passwords are to be used as an alternative to the biometrics (as a fallback means), the overall security would be lower than the password-only authentication. It would mean that the huge amount of money spent for biometrics had contributed only to ruining the security. What an irony!

No password? No worries! Two new standards aim to make logins an API experience

Jin

Security solutions expensively deployed for not improving security

We must look at what are NOT MENTIONED.

Firstly, biometrics that is used with a fallback password against false rejection provides the level of security lower than the password.

Secondly, physical tokens and devices that store biometrics data, cryptographic keys or passwords are as subject to loss, stealth and abuse as a memo with a password on it.

Refutations against this observation would be welcomed.

Lenovo's craptastic fingerprint scanner has a hardcoded password

Jin

Adding fingerprint to PIN-protected device brings a vulnerability

Don’t forget that biometrics with a fallback password comes with a security lower than a password authentication Two entrances placed in parallel provide nice convenience to criminals.

Smartphones' security enhancements just make them more dangerous

Jin

And, at the end of the day, the security is lower than a PIN-alone login.

Even if perfected to be fake-proof, biometrics will remain insecure due to inherent trade-off between False Acceptance and False Rejection, which demands the co-use of a fallback password. Two entrances placed in parallel provide nice convenience to criminals.

Windows 10 Hello face recognition can be fooled with photos

Jin

More important is the trade-off between false acceptance and false rejection

Hacking by photos, masks and brothers are minor issues. Even if perfected to be fake-proof, biometrics will remain insecure due to inherent trade-off between False Acceptance and False Rejection.

Two entrances placed in parallel in case false rejection provide nice convenience to criminals. This is what we witness in so many biometrics products in cyberspace

Archive of 1.4 billion credentials in clear text found in dark web archive

Jin

Not because we are silly or lazy.

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Microsoft's memory randomization security defense is a little busted in Windows 8, 10

Jin

(False ) sense of security, not security, matters to those people

This tells that those people are not so much interested to offer security as to offer the false sense of security, which is more effective to dazzle consumers. We see a similar phenomenon in the case of biometrics that is said to offer higher security but actually only offers higher convenience at the sacrifice of security.

For goodness sake, stop the plod using facial recog, London mayor told

Jin

False Acceptance versus False Rejection

It is astonishing that so many people are indifferent to the fact that FAR (False Acceptance Rate) and FRR (False Rejection Rate) are NOT independent from each other.

The level of a FAR that rejects a twin would have to bring the level of a FRR that rejects the registered user very frequently. The level of a FRR that eliminates the need of a fallback means would have to bring the level of a FAR that accepts nearly anyone.

No biometrics, whether static or behaviourial, can escapte this inherent characteristics..

Sure, Face ID is neat, but it cannot replace a good old fashioned passcode

Jin

Face ID can by no means be more reliable than a password

How would it be logically possible for Face ID to be more reliable than a password when it has to depend on a password (as a fallback means against false rejection)?

Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

Jin

A terrific ‘one-in-a-million’ and an empirical ‘0.1%’, which of the two can we trust?

NIST and IARPA announced the winners of face recognition contest. The best figure for verification of 99.9% (0.1% reversely) seems to fall reasonably in the range that wouldn’t astonish anyone, although it does not look as fantastic as ‘one millionth’ that Apple boasts for Face ID.

This and the other related news that Apple’s Face ID was reportedly designed to learn to get fooled are not only eye-catching on their own but also demonstrate part of a more crucial problem.

It appears that the 'ex-factory Face IDs of low FAR with high FRR' are rapidly turning into the 'in-use Face IDs of high FAR with low FRR' day after day in a gigantic scale. Then criminals would only have to wait for a good time to come.

In any case, most critical is a fact that Face ID and other biometrics solutions are dependent on a fallback password, which only results in the level of security lower than that of a password-only authentication and also that of a biometrics-only authentication.

Apple’s facial recognition: Well, it is more secure for the, er, sleeping user

Jin

What False Acceptance and False Rejection Mean for Face ID?

What FAR means when it does not come with the corresponding FRR?

Answer: It means nothing.

According to some tech media¸the FAR (false acceptance rate) of iPhone X Face ID is said to be one millionth, which might be viewed as considerably better than the reported one 50,000th of Touch ID.

It is not the case, however. The fact is that which is better or worse can by no means be decided when the corresponding FRR (false rejection rates) of Face ID and Touch ID, which are in the trade-off relation with FAR, are not known. This crucial observation is seldom reported by major tech media. It is really sad to see the misguided tech media spreading the misguiding information in a huge scale.

The only meaningful fact that we can logically get confirmed by the trade-off between FAR and FRR is that the biometrics deployed with a password as a fallback means against false rejection would only provide the level of security lower than that of a password-only authentication.

Face ID, which brings down security as such, could be recommended only for those who want better convenience, as in the case of Touch ID. If recommended for better security, it would only get criminals and tyrants delighted.

Security professionals are expected to speak up.

30-second video - https://youtu.be/7UAgtPtmUbk

Jin

What is the FRR/FNMR when the FAR/FMR is claimed to be one millionths?

The FAR/FMR (false acceptance/false match) of Face ID, reportedly one millionths, would make sense only when it comes with the corresponding FRR/FNMR (false rejection/false non-match) and when the values are empirical, not theoretical. I expect The Register to obtain the whole picture with all the empirical figures.

Jin

Face ID - Nice way to get criminals delighted

So long as a fallback password is needed in case of false rejection, biometrics brings down security as explained in this video.

- Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

Mo' money mo' mobile payments... Security risks? Whatever!

Jin

Bringing in biometrics, things get even riskier

So long as a fallback password is needed in case of false rejection, biometrics brings down security as explained in this video.

- Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

Biometric data stolen from corporate lunch rooms system

Jin

Mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’?

Biometrics follows “unique” features of individuals’ bodies and behaviors. It means that it could be well used when deployed for identification of individuals who may be conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this sphere.

Being “unique” is different from being “secret”, however. It would be a misuse of biometrics if deployed for security of the identity authentication of individuals.

Confusing “Identification” with “Authentication”, we would be building a sandcastle in which people are trapped in a nefarious false sense of security. However gigantic and grandiose it may look, the sandcastle could melt away altogether when we have a heavy storm.

Video: Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Jin

Another demonstration of "unique" being different to "secret"

Authentication by biometrics comes with poorer security than PIN/password-only authentication. This video explains how biomerics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Also there is an interesting discussion about this issue on Payments Journal

http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/35382/

Mastercard launches card that replaces PIN with fingerprint sensor

Jin

What when falsely rejected?

When the sensors are set as to effectively reject a third person, cases of false rejection of legitimate users happen frequently. What would you do when you are falsely rejected?

If you are requested to resort to PIN, we are not talking about security but just convenience. Convenience for you as well as criminals as shown in this 30second video.

https://youtu.be/7UAgtPtmUbk

Zero-days? Sexy, sure, but crap passwords and phishing are probably more pressing

Jin

However disliked, passwords are absolutely necessary

However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Biometrics brings down security in cyberspace. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Security slip-ups in 1Password and other password managers 'extremely worrying'

Jin

All eggs in a basket?

Putting all your eggs in a basket and place it on a shaky shelf would not sound a nice idea.

It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.

Human memory, or the lack of it, is the biggest security bug on the 'net

Jin

Different Memories

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Just give up: 123456 is still the world's most popular password

Jin

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Visa cries foul over Euro regulator's stronger authentication demands

Jin

Crying for criminal-friendly authentication?

It’s really suprising to see so many people so tragically misinformed. Biometrics should not be brought in where you need to be security-conscious. This video explains why and how.

https://youtu.be/5e2oHZccMe4

Jin

Biometrics used with a fallback password would ruin the security

Authentication by biometrics in cyberspace comes with poorer security than PIN/password-only authentication. This video explains why and how it is the case.

https://youtu.be/5e2oHZccMe4

Sorry, iPhone fans – only Fandroids get Barclays' tap-to-withdraw

Jin

Keep biometrics away if security matters

Authentication by biometrics in cyberspace comes with poorer security than PIN/password-only authentication. This video explains why and how.

https://youtu.be/5e2oHZccMe4

Stolen passwords integrated into the ultimate dictionary attack

Jin

Password could work if expanded

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Mastercard rolls out pay-by-selfie across Europe

Jin

Criminals would be delighted

“User passwords are typically the easiest point of attack", so it is recommended to use your face with the user password as a fallback means against false rejection so that you/criminal can log in either by your face (videoed face) or your password. Is this a wise idea?

This video explains how biomerics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

True man-in-the-middle: Transmitting logins through the human body

Jin

Look at body features to scan before looking at the body flesh for data transmission.

Biometrics are easy to fake, impossible to reset, intrusive and costly on top of contributing to poorer security as outlined in

"Biometrics in Cyber Space - "below-one" factor authentication"

https://youtu.be/wuhB5vxKYlg

Fingerprint tech makes ATMs super secure, say banks. Crims: Bring it on, suckers

Jin

Biometrics are treats for criminals

Criminals can given chances to use either the fingerprint data or the User's PIN as shown in

https://youtu.be/5e2oHZccMe4

Intel, Lenovo officially gone to the dogs – with FIDO fingerprint logins

Jin

Alas! Criminals would be delighted.

This video explains how biomerics ruins the security of password protection..

https://youtu.be/5e2oHZccMe4

Brits: Can banks do biometric security? We'd trust them before the government

Jin

Widespread Misinformation on Biometrics

It’s really worrying that so many people are so tragically misinformed. The authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biomerics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

HSBC: How will we verify business banking customers? Selfies!

Jin

Alas! So badly misguided.

Biometrics should not be activated where you need to be security-conscious.

https://youtu.be/wuhB5vxKYlg

US standards lab says SMS is no good for authentication

Jin

More important is prohibiting biometrics for 2F schemes.

Biometrics should not be activated where you need to be security-conscious.

It is known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication. The following video explains how biomerics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Iraqi government finally bans debunked bomb-finding dowsing rods

Jin

Similar case found in cyber space

This new reminds me of the biometrics misused for cybersecurity.

For more, have a look at this 2-minute video.

- Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

You really do want to use biometrics for payments, beam banks

Jin

Biometrics ruins cybersecurity

It is a pity that so many people are misinformed. Biometrics ruins cybersecurity, however inconvenient for many people to admit. This video may help for understanding this fact. .

https://youtu.be/wuhB5vxKYlg

Meet the grin reaper: Password manager now snaps login SELFIES

Jin

Authentication by selfies ruins the security of password protection.

They seem to be badly misinformed.

Authentication by biometrics usually comes with poorer security than PIN/password-only authentication as illustrated in this video.

https://youtu.be/5e2oHZccMe4

Body of evidence: Biometrics and YOU

Jin

How long can we remain indifferent to this ruinous misinformation?

Eye-opening experience about biometrics, passwords and cybersecurity

https://youtu.be/5e2oHZccMe4

Google to kill passwords on Android, replace 'em with 'trust scores'

Jin

False Rejection Vs False Acceptance

False acceptance must be zero or very close to zero. Then false rejection necessarily occurs. Falsely rejected users must be rescued somehow. In cyber space, the users have to rescue themselves if they are not ready to accept the denial of access. They need a password for fallback. Passwords will never be allowed to go away.

The following video explains how biomerics with a fallback password makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Yahoo! kills! more! passwords! with! push! notification! app!

Jin

Kill the password and you will see criminals delighted.

In a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke

Jin

Biomatrics ruins password security

This short video explains how biomerics make a backdoor to password-protected personal secrets.

https://youtu.be/5e2oHZccMe4

Apple: FBI request threatens kids, electricity grid, liberty

Jin

There is a backdoor.already

Something is apparently overlooked in the discussions over the backdoor. iPhone and many other smart devices already have valid backdoors, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features, which can be collected from the unyielding, sleeping, unconscious and dead people.

It is now known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication. If Apple wants to claim that they are conscious of privacy and security, they could tell consumers to turn off the biometric functions. If the authority wants to have those backdoors open, they could tell consumers to keep them turned on all the times. And, security-conscious consumers could certainly refrain from turning them on.

Gartner to FBI: Stop bullying Apple and the tech industry

Jin

A backdoor is already there.

iPhone and many other smart devices already have valid backdoors, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features, which can be collected from the unyielding, sleeping, unconscious and dead people. .

If Apple wants to claim that they are conscious of privacy and security, they could tell consumers to turn off the biometric functions. If the authority wants to have those backdoors open, they could tell consumers to keep them turned on all the times. And, security-conscious consumers could certainly refrain from turning them on.

Security real talk time: So what exactly do we mean by 'backdoor'?

Jin

A backdoor that already exisits

It appears that something significant is overlooked in the heated debates about the backdoor.

The recent models of iPhone and many other smart devices already have an effective backdoor, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features which are easily collected from the unyielding, sleeping, unconscious and dead people. .

The vendors of those smart devices who are conscious of privacy and security of consumers could tell the consumers not to turn on the biometric functions. The authorities who want these biometric backdoors to be kept open could tell consumers to keep them turned on all the times. And, needless to say, consumers who are concerned about their privacy and security could refrain from activating those backdoors.

How long is your password? HTTPS Bicycle attack reveals that and more

Jin

Easier said than done

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Incidentally, biometrics are dependent on passwords registered in case of false rejection in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead , we have no safe sleep. Passwords will stay with us for long.

John McAfee rattles tin for password replacement tech

Jin

Who will be pleased?

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Incidentally, biometrics are dependent on passwords in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. Passwords will stay with us for long.

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).

By 2019, vendors will have sucked out your ID along with your cash 5 billion times

Jin

Unless used very wisely, biometrics could end up pleasing criminals.

Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

SaaS outfit to users: Change password! Or don't. Oh, go on then

Jin

Changing PW A to PW B to PW C to PW A to PW B to PW C ------?

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Incidentally, biometrics are dependent on passwords in the real life. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead , we have no safe sleep. Passwords will stay with us for long.

Yahoo! launches! password-free! push! logins! for! mobes!

Jin

Password-free life would be a nightmare.

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. Is this what we want?

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).

Page:

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020