ChetanPatil Testing

Category: SECURITY

  • Electronic ID – Authentication From Anywhere

    Electronic ID – Authentication From Anywhere

    Photo by Proxyclick Visitor Management System on Unsplash

    Identity is the backbone of Know Your Customer (KYC) process. Every country and company has its process and technology to ensure that the correct people have access to the correct resources. In the digital world, the Know Your Customer is moving to Electronic Know Your Customer (eKYC).

    Today, the world still relies on different types of identity documents for different services, with each service generating its identity numbers. From driving license to passport the list to have unique identity numbers and identity documents to prove the authentic identity of the owner never ends.

    On top of this, the majority of the countries have national identification programs that capture demographic or/and bio-metric information and connect it to an unique identification number. For example, the United States of America has Social Security Number, and then India has Aadhaar.

    Such national identification programs have met with a lot of criticism, but the fact is that the digital world will eventually rely on these centralized systems to shift from the traditional approach to have a separate identity document and identification number which used to prove the ownership.

    There is a dire need to move away from this process of providing a unique identity to each of the service types so that not only the process is centralized and relies on unique identification number and management but is also fast, secure, and enables cost-saving.

    The unique identification number and management solutions are important and critical in the digital world, and demands advanced solutions like Electronic ID (eID).

    IDENTITY PROBLEM

    To implement and use unique identification numbers and management, connected and secured infrastructure is required to ensure that the identity of the person and entity is preserved without compromising on security.

    Even though these unique identification programs have been implemented and in use, some gaps are there which still exist.

    Authentication on a connected system after producing identity card details is still not secure, costly, unreliable, and a slow process. Another fact is that all this requires an investment in infrastructure that validates the identity and makes the system costly for the business authenticating the details. Eventually, all these charges are passed to the consumer which makes it a costly process in the long term.

    Picture By Chetan Arvind Patil

    Data management is another issue because lack of standardization leads to add on investment in order to upgrade the systems to accept the new unique identification features while ensuring backward-compatibility.

    After all these investments and infrastructure to authenticate, there is no guarantee that the system is secure. With all the advanced approaches, the identity still gets stolen and thus invites fraud.

    All these issues make a strong case for unique identification number and management but using Electronic Identity (eID).

    IDENTITY SOLUTION

    One of the most talked-about solutions to solve identity management crises is Electronic ID (eID), which makes use of sensors and NFC enabled Electronic Identification Card (eIC) to authenticate the identity of the people.

    eID relies on demographic or/and bio-metric information to validate correct details. These details are already part of many national identification programs. By making use of eID, these programs can solve the identity crisis by ensuring security and centralization by data storage.

    Picture By Chetan Arvind Patil

    The smart cards that use eIDs are called eICs which are equipped with electronic chips to ensure that the data is stored securely and also transferred with encryption when required. Along with these features, these eICs also make use of the Trusted Platform Module (TPM) that enhances security and avoids theft.

    There are already many solutions in the market catering to the need for eICs. Like NXP’s National Electronic ID (NeID) solution not only secures the information but also allows high return on investment. A similar solution is also available from Infineon that is also targeted toward NeID.

    With EU going for Electronic IDentification, Authentication, And Trust Services (eIDAS), the adoption of eICs is going to be faster than anticipated.

    IDENTITY INNOVATION

    Many innovative solutions around eICs are already available. Countries have already started to make use of eICs in their national identification program where the true potential of eICs is.

    For example, Estonian Identity Card program is one of the earliest programs to make use of eICs to register its citizen. This innovation allows easy access to various public services and also secures the identity of the users.

    The VideoID, SmileID, and SignatureID solutions created by eID is another example of how to make the most of the technology to allow faster onboarding of customers by ensuring that the information provided is accurate and is not falsified.

    IDENTITY FUTURE

    Given how both software and hardware is taking over the world, it is certain that the future of identity is the body. Technology is going to make Microchip Implant a day to day activity. Certainly, this is going to be voluntary.

    It will be interesting to see the development and adoption of eICs. Given the digital world in the future, eICs will certainly take over traditional identity cards. The question is how soon.

    Many advanced eID based technological solutions will come out of innovative startups around the world. Creating businesses and solutions on top of the eIDs and eICs will also open up new market.

    With Work From Anywhere, the identity authentication is also going to be from anywhere with the help of Electronic ID (eID).

  • The Last Enemy – Total Information Awareness

    The Last Enemy – Total Information Awareness

    Photo by ev on Unsplash

    There is no denying that all online activities are being tracked. Either by the governments, or by companies. Data is the future oil, and the more companies have it the better their chances of survival.

    There are several factors as to why it is so easy for companies to get the data and make money out of it. Below are the reasons that I think contributes to easy leakage of data.

    People Do Not Care About Privacy:

    • This is true, people use technology for convenience and 99% of the products which provide solutions that customers (We The People) desperately needs, then they are willing to give up their privacy.
    • On top, if it’s free and provides with solutions that everyone needs then privacy word doesn’t matter.
    • There are tons of examples of where this scenario is applicable.

    Products Can Not Be Trusted:

    • All the software out in the market: You can’t trust them when it comes to privacy and tracking
    • Real Life Scenario:
      • On my smartphone, location is disabled
      • Specific apps don’t have permission to use location when not being used
      • Many times after I park my car and walk out, I get a notification “Why worry about parking hassle when you can take Lyft”
      • This just shows how I simply cannot trust both the hardware (smartphone) and software (apps)
      • Also, there is no way to solve this other that using a brick phone

    Data Logs:

    • Delete words doesn’t exists and doesn’t opposite of what it should in software data world
    • Google Maps, without an argument the most used location app and by default it knows where you have been, how long you have been, what route you took where you parked, whose home you went to etc.
    • Google does provide options to disable logging of such information.
    • However, can we really trust such features? Does delete really means deleted because it’s not visible to us?
    • What’s if after deletion of data, it’s still retained forever? Facebook does.

    Privacy Tools Do Not Work:

    • One of the most preached tool to protect privacy and fight tracking (after encryption) is VPN.
    • Problem with VPN is that it’s like giving your data after paying for a service.
    • Yes, arguments can be made that VPNs don’t log your data because they say so.
    • However, this is simply not true as VPNs may save you from hackers trying to steal data but VPNs provides in no way can gurantee they don’t use your data to make money out of it.
    • This basically means (at least to me) that VPNs are surveillance tools too, just that it’s one that people pay for.

    All the above helps create Total Information Awareness systems that companies and governments can build easily without much effort. It will be fair to say that any product you use, doesn’t matter whether it is hardware or software, is in itself a Total Information Awareness tool.

    If you are more curious about privacy and mass surveillance, then do watch The Last Enemy which showed how mass surveillance works in modern era well before Edward Snowden went public.

  • Crowd Sourced Private Mass Surveillance

    Crowd Sourced Private Mass Surveillance

    Photo by Bernard Hermant on Unsplash

    Crowd sourcing is not a new concept and the term was coined around 2005. In nutshell, it allows individuals to participate and complete tasks that are part of a bigger project. Contributing crowd may do it voluntarily or get paid for it. The concept of crowd sourcing is great, as long as it’s used for good cause. For example:

    However, if crowd sourcing leads to surveillance that too a private one then one should start questioning whether the intentions are good or bad. I came across one such example after landing on Cyberwire podcast and it opened many other details that were new to me.

    The podcast talks about how companies like Digital Recognition Network (DRN) (and many others) are using crowd sourcing to capture every license plate out on the roads. DRN has created a surveillance database of 9 billion license plate scans. More than the population of the world. This all is possible due to ubiquitous cameras, participation due to crowd sourcing and Automatic License Plate Recognition (LPR) libraries like OpenALPR, an automatic number-plate recognition library.

    Technological advancement is good as long as they are used for good intentions like: Finding stolen cars, car recalls, locating cars for finance recovery, amber alerts, unregistered cars on road etc.

    However, things start to go out of hand when same database starts acting like a surveillance tool and that too for private usage. Yes, cars are everywhere out in open, but that doesn’t mean anyone (except authorized authorities like Police etc. with a cause) should be able to simply enter license plate number to find where all this particular car has been during its life. The worse that can happen is such data base is exposed or hacked and then linked to vehicle registration databases, eventually creating an Open Graph about all car owners.

    Another example of crowd sourcing private surveillance is digital doorbells, where all the owners intentionally or unintentionally are contributing to the data base that allows private policing.

    The major reason to write about this was to look at the other side of it and raise concern about Crowed Sourced Private Mass Surveillance.

    Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

    Benjamin Franklin
  • Building A World Around Passwords

    Building A World Around Passwords

    Photo by CMDR Shane on Unsplash

    Microsoft has massive plans to let user access its services without having the need to use passwords. In the latest preview build of Windows 10 they have taken giant step towards doing so. As internet user and usage grows year on year, many companies are following the similar approach.

    After being an internet/system user for last two decades, I believe it’s nearly impossible to access systems without passwords. I will be super surprised if password less systems can be created for mass usage. More than creating password less systems, what is required is how to make systems more secured by creating easy to use tools around passwords that add second layer of authentication. It is also important to ensure that such additional authentication system don’t end up being too complex to use, otherwise user adoption will be slow.

    Based on personal tech usage experience, if multi-authentication mode of accessing system is complex like asking codes every time a user logs in, not getting the code due to network issue or locking user out completely for sure will not attract faster adoption. Troy Hunt has written an article on how second authentication mode should evolve around passwords. I do agree with most of his points, but it seems for now only big tech giants like Microsoft, Google, Apple, Amazon etc are able to implement such solutions for its users. It’s very critical to bring such solution across all the services irrespective of the size of business. This will also ensure faster adoption of multi-authentication mode.

    I am in strong favor of TPM that is embedded in the hardware. Companies need to find a way to store keys in these TPMs, which will ensure that user is able to access systems/services only from set of registered devices having TPMs. This may invite trouble but I think it will be more robust than software tokens and way better than asking users to use another hardware than can get easily lost.

  • Two Factor Authentication – Hardware vs Software

    Two Factor Authentication – Hardware vs Software

    Photo by NeONBRAND on Unsplash

    Two factor authentication (2FA) is a type of multi-factor authentication that allows users to secure any type of account using a second authentication apart from the regular password protection. 2FA has been around for a long time and received mixed reaction from security researchers.

    With growing number of internet and smart device users it is becoming increasingly important to take 2FA seriously. Let’s take a quick look at types of 2FA, which I have separated into hardware and software depending on where the second authentication code comes from.

    Software 2FA:

    • Software 2FA (S2FA) is straightforward. Any website which supports S2FA will first walk user through account creation which requires password (first authentication). Then it will provide three options:
      • First: Register cell number in order to receive unique code via SMS or a phone call whenever a login attempt is made. Only after entering this unique code user can access the account.
      • Second: Application will ask user to install smartphone app like Duo Security or Google Authenticator. Using the app scan the QR code shown on screen and this will register account with the app. On every login attempt this app will generate an unique code that needs to be entered after password authentication. This works even without internet connection.
      • Third: Skip both the options and have only single authentication mode i.e. password.
    • If the user has S2FA and doesn’t have cell network or smartphone with him/her during login attempt, then backup codes can be used.
    • These codes can be generated using account settings. Each backup up code expires as soon as it is used. For best practice, always generate and save new ones as soon as first one is used.
    • Below video explains above scenario:

    • Pros of S2FA:
      • Protects account from hackers.
      • Allows users to trust the website or application providing such service.
    • Cons of S2FA:
      • I personally think S2FA is very complex process for people who aren’t good with computers.
      • For Android devices SMS based 2FA (the easiest to setup for anyone irrespective of age or fluency in using smart devices) is most vulnerable due to the Android feature that lets any application read SMS stored in the messaging app. Thus allowing hackers a backdoor to these SMS codes.
      • Most likely this is the reason why banks don’t trust this option.

    Hardware 2FA:

    • Hardware 2FA (H2FA) is very similar to S2FA, however the 2FA is generated using a hardware rather than a software.
    • There different ways to setup H2FA:
      • First: Many laptops for long have provided finger print reader option. If fingerprint reader is available, then for the account with this feature user can register biometric to login as 2FA. This isn’t widely used for online websites, but mostly for logging into hardware devices like smartphone or PCs.
      • Second: From laptops to smartphones we have high resolution cameras. Many companies provide APIs that developers can use to access cameras as 2FA. For Apple devices there is Face ID. Microsoft provides Windows Hello. Face recognition for Android is under development. This option uses face as 2FA with help of camera.
      • Third: Security key is a piece of hardware that has electronic chip which has unique code inbuilt. Any application that supports 2FA using a security key will look for the registered key. If the key is found in USB port or via Bluetooth connection, then user will be allowed to access the application. Google strongly supports this option for enterprise based on their in house research.
    • If H2FA is setup and user doesn’t have access to 2FA devices, there is an option to use S2FA. Application for sure will force user to setup S2FA as a backup during H2FA setup.

    • Pros of H2FA:
      • Must more robust than S2FA.
      • Difficult to fish user as the hardware device has to be nearby.
    • Cons of H2FA:
      • Costly for regular user.
      • Many dislike carrying another hardware even though it can act as key chain.

    Future of 2FA:

    • I am in strong favor of H2FA. Instead of having to carry another piece of hardware, I would prefer if these keys can somehow find place in motherboard. This way applications can access and register keys using APIs. I understand this will not allow portability, but this idea can be improved.
    • Face ID is really good along with Windows Hello. With Google gearing up to bring face recognition to Android, it is fair to say that this is going to be the de-facto in near future when it comes to S2FA.
  • The Curious Case of Indian Cyber Security

    The Curious Case of Indian Cyber Security

    Photo by Matthew Henry on Unsplash

    India is home to billion dollar IT industry, numerous e-Governance projects, world’s largest bio metric database and many tech driven services. The single major problem with all these technological projects at national and state levels is the danger of theft and fraud. Government of India (GoI) did realize this and as they do with all services, introduced a policy called National Cyber Security Policy 2013.

    Well, the story ends with the formation of policy, 2 years after the policy was drafted there is no sign of National Cyber Coordination Centre (NCCC), and National Critical Information Infrastructure Protection Centre (NCIIPC). Both these agencies were supposed to take care of national IT infrastructure, mainly falling under GoI.

    What’s The Problem?

    Currently, as per my understanding there is only one national level cyber alert team called Indian Computer Emergency Response Team (CERT-In). They are mainly responsible for capturing and distributing information related to cyber security threats and they have been doing an excellent job. The major problem with CERT-In is that they are depended on CERT teams of advanced countries. What they need is a better way to tackle cyber security threats, which may put public and private IT infrastructure at risk. For this reason, GoI came up with new cyber security policy.

    Under the new policy, NCCC and NCIIPC will be formed as separate agencies, meaning they won’t be attached to CERT-In. When it comes to forming a separate national agencies in India, it takes really long to get hold of things and similar issues seems to have happened with these two new agencies. And, the more time it takes to put these agencies to work, the riskier our national IT infrastructure becomes. With cyber surveillance at its peak, national documents being leaked all over world and millions of Indians coming online, it has become the basic need to have these two agencies in place to tackle any cyber threat situation. The next war won’t be fought between forces, but between cyber war teams.

    What’s The Solution?

    The best case is to have these two agencies under or with CERT. This way CERT itself will get a major infrastructure upgrade and having years of experience would also come handy. With new agencies doing similar task and setting up new teams with new tech skills, it becomes a long and tedious process.

    GoI still has time to get this done other way, considering that there will be no conflict of interest. Also, with Digital India, and many other technological projects like Aadhaar taking shape, GoI should implement the policy as soon as possible, before they get tangled in cyber warfare.