Met police’s facial recognition technology ‘96% inaccurate’ – inews.co.uk

xxx

“Facial recognition technology used by London’s Metropolitan Police incorrectly identified members of the public in 96 per cent of matches made between 2016 and 2018.”

From “Met police’s facial recognition technology ‘96% inaccurate’ – inews.co.uk”.

xxx

Breaking neural networks with adversarial attacks – Towards Data Science

xxx

“First, as we saw above, it’s easy to attain high confidence in the incorrect classification of an adversarial example — recall that in the first ‘panda’ example we looked at, the network is less sure of an actual image looking like a panda (57.7%) than our adversarial example on the right looking like a gibbon (99.3%). Another intriguing point is how imperceptibly little noise we needed to add to fool the system — after all, clearly, the added noise is not enough to fool us, the humans.”

From “Breaking neural networks with adversarial attacks – Towards Data Science”.

xxx

How we fooled Google’s AI into thinking a 3D-printed turtle was a gun: MIT bods talk to El Reg • The Register

xxx

“Switch a few pixels here or there, or add a little noise to what is actually an image of, say, a gray tabby cat, and Google’s Tensorflow-powered open-source Inception model will think it’s a bowl of guacamole. This is not a hypothetical example: it’s something the MIT students, working together as an independent team dubbed LabSix, claim they have achieved.”

From “How we fooled Google’s AI into thinking a 3D-printed turtle was a gun: MIT bods talk to El Reg • The Register”.

xxx

Leading UK networks team up to defeat SMS-based phishing scams

xxx

“SMS has well-known security weaknesses and SMS codes are susceptible to interception by the likes of malware or weaknesses in the SS7 networking protocol. To avoid this, organisations should move to more secure push-based or app-based mobile authentication technology”

From “Leading UK networks team up to defeat SMS-based phishing scams”.

xxx

Mobile networks aim to stamp out banking text frauds | Financial Times

xxx

“The SMS Phishguard initiative from EE, O2, Three and Vodafone aims to stamp out text message based phishing scams, where fraudsters are able to ‘spoof’ numbers so bogus texts appear to be sent from a bank.”

From “Mobile networks aim to stamp out banking text frauds | Financial Times”.

xxx

SCA and SSCA OLD

We’re seeing a lot about strong customer authentication (SCA) at the moment because of the requirement of the Second Payment Services Directive (PSD2) that comes into force in September. That’s because there’s a lot of fraud online, it’s getting worse and the strong authentication of people (in this case, online customers) is seen as being a way to tackle it. PSD2 demands SCA, and this means that European banks and Payment Service Providers (PSPs) have had to up their game.

Strong authentication, in this context, means “two factor authentication” (2FA). What 2FA means is that you must present two “factors” to demonstrate you are who you say you are. The three factors you can choose from are something you have, something you are and something you know (or, in my case, something I had, something I was and something I’ve forgotten). When you buy something in a shop, for example, you present a credit card (something you have) and put in a PIN (something you know). When you enter the country, you present something you have (a passport) and show your face (something you are). SCA is already being implemented by the UK banks, although it appears to be in a somewhat random pattern:

    • Santander will send a code by text to a mobile or via their mobile banking app (which is how it should be done).

    • HSBC customers will be sent a code via text to a mobile. If unable to receive it, they can get it sent by email.

    • Lloyds will text the code to a mobile or send a voice message to a landline.

    • Royal Bank of Scotland customers can also opt for an email.

    • Nationwide will offer mobile and email options, as well as notifications sent to their mobile banking app and the use of a card reader.

I’m actually quite surprised to see that some of them are still using text messaging to send a “one time password” (OTP) to customers for authentication. It’s not because, as the British newspapers were quick to point out, people who can’t get a mobile signal or don’t own a mobile phone face, as The Guardian put it, being “frozen out of internet shopping as banks are increasingly insisting that online payments are verified by text”. This is indeed a valid concern, but what I find most disturbing about this report is that anyone is verifying online payments, or indeed any other important online transaction, by insisting that they are authenticated by text messages! With the explosion of “smishing” (ie, phishing attacks via SMS) and the daily tales of account takeover, bitcoin theft and payment fraud carried out via SMS, you really do have to wonder why text messaging is still being used in this context.

This is hardly a new issue. More than a decade ago I wrote about the comments of Charles Brookson, then the head of the GSMA security group who, when talking about the use of SMS for financial services, made the point that SMS has, to all intents and purposes, no security whatsoever. Structurally, it has always seemed to me to be irresponsible for financial institutions to rely for security on something that is not secure and over which they have no control. Given the prevalence of smart phones, you would think that SMS would be long gone, but it is only now that German banks, for example, are giving up on SMS OTP in response to the PSD2 requirements for SCA.

If we abandon SMS then what should we use instead? Well we already know that the better option is to use mobile banking apps on the mobile phone. If my banks want to contact me, they should send a message to the bank app on my phone, not send me a trivially-counterfeitable text message. Google found in their research on authentication for account recovery that:

      • an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.

      • On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.

How will this SMS-less strong authentication be implemented? For payments it will be through the new version of the scheme’s “Three Domain Security” (3DS). 3DS version 2 introduces “frictionless authentication” and will be the main card authentication method used to deliver SCA in Europe. It works by allowing retailers and their PSP to send many more data elements with each transaction. These data elements – such as the shipping address, customer’s device identity and their transaction history – mean that the issuer can carry out more sophisticated risk management to decide whether SCA is needed or not. In most cases, I would guess (since the issuers will use sophisticated risk management platforms with machine learning and all that sort of thing), no further authentication will be needed. But where it will be needed, Barclaycard (for example) can send a message to the Barclaycard app on my phone and ask me to authenticate myself.

This is actually a pretty sensible way forward and it would be good if this approach was adopted across the board – not only for retail payments but for logging in to bank accounts, authorising transfers and everything else. But if customers get mixed up between expecting an e-mail or getting a text, seeing an in-app message sometimes but not other times, then fraudsters will be quick to exploit the situation. We need both a better and more consistent approach to authentication for financial services. We need to standardise on the approach and the execution and the UX so that consumers can be confident that they are communicating with their bank or whoever.

Standard Strong Customer Authentication

xxx

“To understand this let’s take an analogy. Imagine that SCA in face to face commerce had been mandated on banks, but no technological solution was provided. Instead of chip and PIN each bank created its own solution such that every time a consumer approached a PoS device the authentication method they used would be dependent on which bank they chose to interact with. Can we imagine the confusion on adoption day? But this is, in essence, the experience that has been regulated into existence with PSD2 in on-line commerce. The problem is even worse for third-parties trying to build a business using the PSD2 APIs – because in the middle of their smooth, optimised customer journey their customers are redirected to a bank SCA experience which can vary dramatically in terms of friction and user experience.

To solve this the regulators need to take a step back, temporarily drop anti-competition laws and insist that banks come up with a minimum standard for SCA in online commerce, such that consumers know what to expect and third-parties aren’t disadvantaged by variable SCA experiences.”

From “Strong Customer Authentication: where are we now? | The Paypers”.


xxx

It has long been clear that the best architecture for what I am now labelling Standard Strong Customer Authentication (or SSCA) is biometric authentication against a revocable token stored in tamper-resistant local storage. We all carry a device capable of implementing this design at a manageable cost: the mobile phone.

(As an aside, since the mobile phone operators control a standard item of tamper-resistant hardware in all phones — the SIM — why are we not all using a standard authentication from our mobile operators already? But that’s a different point and I don’t want to get diverted by Mobile ID Connect here.)

The point is that with really strong authentication, your bank shouldn’t be sending you a text message or an e-mail or whatever, it should be using real cryptography to send a message to the bank app on your mobile phone. So, when you try to buy something online with your Barclaycard

If the bank (or anyone else) cannot reach the mobile app then there should be a standard fallback across all service providers which would probably be a voice call thus opening up the use of voice recognition and authentication. And if you are online buying something or transferring money to someone or closing an account and you can’t be reached via the mobile app or by a voice call well… tough, basically.
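The app-based challenge-response sketched above (and the 3DS “send a message to the app” step earlier) as an added example, not code from the original post or from any bank: the issuer pushes a challenge bound to the transaction, a fresh nonce and a deadline; the app releases a response only after the local biometric check; the server accepts each challenge once and refuses revoked devices. An HMAC with a device-bound secret is an assumption standing in for the private key a real secure element would hold; all names and values are constructed.

```python
import hashlib, hmac, json, secrets, time

def canonical(ch):
    """Fixed encoding of exactly what the app displays and the user approves."""
    body = {k: ch[k] for k in ("challenge_id", "device_id", "nonce", "txn")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class IssuerAuthServer:
    def __init__(self):
        self.devices = {}   # device_id -> {"key": bytes, "revoked": bool}
        self.pending = {}   # challenge_id -> challenge pushed to the app

    def enrol(self, device_id, device_key):
        self.devices[device_id] = {"key": device_key, "revoked": False}

    def revoke(self, device_id):  # lost or compromised phone: the token is revocable
        self.devices[device_id]["revoked"] = True

    def start_challenge(self, device_id, txn, now=None, ttl=120):
        """Bind the approval to this transaction, a fresh nonce and a deadline."""
        now = time.time() if now is None else now
        ch = {"challenge_id": secrets.token_hex(8), "device_id": device_id,
              "nonce": secrets.token_hex(16), "txn": dict(txn), "expires": now + ttl}
        self.pending[ch["challenge_id"]] = ch
        return ch  # delivered by push to the bank app, not by SMS

    def verify(self, challenge_id, mac, now=None):
        now = time.time() if now is None else now
        ch = self.pending.pop(challenge_id, None)  # single use, so a replay fails
        if ch is None or mac is None or now > ch["expires"]:
            return False
        dev = self.devices.get(ch["device_id"])
        if dev is None or dev["revoked"]:
            return False
        # Recompute over the server's own copy: a challenge altered in transit fails
        expected = hmac.new(dev["key"], canonical(ch), hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)

class BankApp:
    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self._key = device_key  # stands in for a key held in the phone's secure element

    def approve(self, ch, biometric_ok):
        """Release the response only after the local biometric check passes."""
        if not biometric_ok or ch["device_id"] != self.device_id:
            return None
        return hmac.new(self._key, canonical(ch), hashlib.sha256).digest()
```

Because the app signs the amount and merchant it shows the user, an approval cannot be re-used for a different transaction, which a bare SMS OTP cannot guarantee.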

Japanese Retail Giant Applies for Banking Charter | ABA Banking Journal

xxx

“While the American Bankers Association remains a strong proponent of charter choice and generally does not comment on individual charter applications, the association expressed serious concerns about the implications of a large technology company obtaining a banking charter. ‘As Japan’s largest e-commerce site, Rakuten is a major technology firm engaged primarily in non-financial activities,’ said ABA President and CEO Rob Nichols.”

From “Japanese Retail Giant Applies for Banking Charter | ABA Banking Journal”.

If Rakuten get a licence, then why not Amazon?

Aadhaar Failures: A Tragedy of Errors | Economic and Political Weekly

xxx

“Available evidence suggests that even if ‘teething’ issues are resolved, if policy implementation is true to policy design, people will still, very likely be where they were before the integration of Aadhaar with welfare began. This is because of the over-centralized architecture of the technology, combined with the weak accountability of intervening administrative links. These are a crucial part of the design problem in the Aadhaar project. In that sense, Aadhaar is ‘pain without gain.’”

From “Aadhaar Failures: A Tragedy of Errors | Economic and Political Weekly”.

xxx

Pakistani Regulators Use Credit Card Data to Find Tax Fraud | PaymentsJournal

xxx

“The FBR had sought the cooperation from the central bank after it found out that hardly 10% of over 50 million bank account holders were income tax filers. ‘The existing legal framework provides constraints on procuring and sharing of privilege/confidential information relating to the affairs of the banks’ customers,’ the SBP wrote to the FBR.”

From “Pakistani Regulators Use Credit Card Data to Find Tax Fraud | PaymentsJournal”.

xxx
