Tuesday, February 23, 2016

Week 11 - Smartphones to Replace Cards at Bank Machines

The cardless ATM is gaining ground in the US and the world, with smartphone technology allowing for speedier and more secure transactions. 

Banking giants such as Wells Fargo, Bank of America, and Chase are in the process of installing new ATMs and updating existing ones to allow customers to withdraw cash with a mobile application, scanning a code at the machine to get their money without having to use a card.  It's estimated that 80,000 such machines in North America will be in use over the coming 18 months.

Doug Brown of the major provider of software and technology for ATMs, FIS Global, believes the use of smartphones reduces a lot of vulnerabilities.

The new technology is aimed to curb the growing problem of "skimming" in which criminals steal the data on a card by inserting devices into the ATM card slot.

Another security benefit cited is that authenticating on your mobile phone reduces the time spent at the ATM to around 10 seconds instead of the typical 30 to 40 seconds.

ATM manufacturer Diebold is also working on a "headless" teller machine, without a screen or keypad, that dispenses cash based on interaction through the smartphone.  Dave Kuchenski, senior business development manager for new technology, believes this will provide a better user experience.  "If we're using a mobile phone, we no longer have the need for a card, we no longer have a need for a receipt printer, we've dematerialized a lot of the devices. Banks like this, because it has fewer moving parts, so it reduces the total cost of ownership."

This is a very interesting concept that has already somewhat been around.  I have a Galaxy S6 and it comes with 'Samsung Pay', which allows me to make purchases at stores with my mobile phone simply by holding it near the Debit/Credit Card mag stripe reader where the transaction is completed wirelessly.

As for doing away with cards and using our smartphones to withdraw money from ATMs, I think it's a great idea.  From a security standpoint, we no longer have to worry about physically securing a card that can easily be stolen or lost.  I think with technology constantly evolving, this was bound to happen.  There will be many against it just because a lot of us are afraid of change especially when it involves tech security and our finances.  There are also those who do not own a smartphone and surprisingly it's a lot more than you think.  Would this force them to purchase one?  This technology is a great idea with a lot of benefits, but will take a while to completely transition to it.

Monday, February 15, 2016

Week 10 - Mandatory Encryption Backdoors Would Be Ineffective: Study

Cryptography expert Bruce Schneier and researchers Kathleen Seidel and Saranya Vijayakumar conducted a study to determine if the mandating of backdoor encryption on products to investigate crimes and fight terrorism would be as efficient as authorities believe.

The researchers identified 865 hardware and software encryption products from 55 different countries, including 546 from outside the United States. Of the non-US products, 47 are for encrypting files, 68 for email, 104 for messages, 35 for voice, and 61 for private networking.

The study found that while both domestic and foreign encryption products use strong algorithms, including proprietary ones, some solutions have been described as “jurisdictionally agile,” and the organizations behind them can easily move to countries with more favorable legislation.  The study concluded that the international nature of the encryption marketplace would make mandatory backdoors ineffective.

The researchers stated that it would be easy to catch criminals who are too stupid to realize that their product has been backdoored or too lazy to switch to an alternative, but that is not the case for terrorists and organized crime, who could easily switch to non-US, non-backdoored communication devices.

While authorities in the United States and United Kingdom believe encryption backdoors would be beneficial for law enforcement investigations and national security, experts argue that it could also be exploited by criminals and terrorists.

The study conducted is just another reason why weakening encryption isn't the best solution.  Terrorists and smart criminals always find a way around everything and in this case it's just as easy as switching to a non-backdoored device.  I don't think this is the right solution and somehow the US Government and tech giants will have to come up with something that would satisfy both sides.  Weakening encryption on devices is not it.

Reference:
http://www.securityweek.com/mandatory-encryption-backdoors-would-be-ineffective-study

Week 9 - US Unable to Crack San Bernardino Attacker's Phone

FBI Director James Comey revealed that after two months, they are still unable to crack into the cell phone that belonged to the San Bernardino attackers, Syed Farook and Tashfeen Malik, who shot and killed 14 people.

The FBI and US intelligence have been trying to figure out whether or not the couple were self-radicalized and if they had links to broader jihadist-inspired groups or individuals.  

Clapper's anecdote about the suspect's phone feeds into a broader campaign that the US government is waging to persuade Silicon Valley tech giants to give it access to encrypted devices and online files.

Consumers, worried by cyber crime and government snooping, are increasingly drawn to protected products and the industry is keen to serve the market, despite official concerns that encryption empowers criminals.  

"Those devices are going to hold the evidence of child pornography, communications that someone made before they were killed, before they went missing," Clapper said, describing phones with a default lock. 

"So it is a big problem with law enforcement armed with a search warrant when you find a device that can't be opened even though the judge said there's probable cause to open it."

I chose this article because I had previously posted a blog about the encryption debate on whether or not tech companies should weaken or create a backdoor to their devices for situations like this.  Although the US Government's argument makes sense and would help in this investigation and other investigations, I am still on the side for NOT weakening encryption.  I think the privacy and security of our devices are critical and the tech companies who decide to go with weak encryption will take a huge hit as far as consumer support goes.  It's a controversial issue that I foresee being debated for a while.  The Government needs access for investigative issues and companies need to protect their consumers and keep their trust.  I will definitely be following this issue closely.

Reference:
http://www.securityweek.com/us-unable-crack-san-bernardino-attackers-phone

Monday, February 1, 2016

Week 8 - DHS's Einstein Security System Has Limited Capabilities: Audit

The United States government plans on spending $5.7 billion by 2018 on a program called the National Cybersecurity Protection System (NCPS), also known as the Einstein program.  It was launched in 2003 with its initial objective to help DHS detect intrusions in the networks of federal agencies.

The latest version of the NCPS, Einstein 3 Accelerated, is designed to deliver a wider range of capabilities, including intrusion detection and prevention, analytics, and information sharing.  DHS has already spent $1.2 billion through fiscal year 2014.

Despite the time and money put into the program, an audit conducted by the Government Accountability Office (GAO) found that it only partially meets its objectives and not all federal agencies leverage its capabilities.

Its capabilities are limited because the system only compares traffic to known patterns or signatures and does not detect deviations from normal behavior.  It also does not monitor all types of traffic, and commonly exploited vulnerabilities are not covered by its signature database.  The NCPS can block malicious email, but it cannot block malicious web traffic; DHS plans to implement this capability in 2016, along with enhanced analytics capabilities.

Only 5 of the 23 agencies that were required to route their traffic through the NCPS benefited from intrusion prevention services.
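To make the audit's distinction concrete, here is an added Python sketch (not code from the article, the GAO, or DHS): a detector that only matches known signatures catches the one record a signature describes, while a simple baseline-deviation check flags a host whose behavior changed even though none of its traffic matches any signature. The signatures, baseline, hosts and records are all constructed for the illustration.

```python
# Added example: signature-only matching versus a baseline-deviation check.
# Every value below is constructed; nothing here comes from NCPS or the audit.

# Constructed signatures: a record "matches" if it hits this destination port
# and carries this byte pattern in its payload.
SIGNATURES = [
    {"name": "known-webshell-probe", "dport": 80, "pattern": b"cmd.exe"},
    {"name": "known-c2-beacon", "dport": 443, "pattern": b"BEACON/1.0"},
]

# Constructed baseline learned during a quiet period: how many distinct
# external hosts each internal host normally contacts in an hour.
BASELINE_FANOUT = {"10.0.0.5": 12, "10.0.0.9": 8}

# Constructed hour of traffic as (src, dst, dport, payload) records:
# one record that a signature covers, and one host quietly sweeping 30
# external addresses with payloads that match no signature at all.
RECORDS = [
    ("10.0.0.5", "198.51.100.7", 80, b"GET /cmd.exe HTTP/1.1"),
] + [
    ("10.0.0.9", f"203.0.113.{i}", 443, b"POST /sync") for i in range(1, 31)
]


def signature_matches(records):
    """Return (src, signature name) for every record a known signature covers."""
    hits = []
    for src, _dst, dport, payload in records:
        for sig in SIGNATURES:
            if dport == sig["dport"] and sig["pattern"] in payload:
                hits.append((src, sig["name"]))
    return hits


def fanout_anomalies(records, baseline, factor=3):
    """Return sources whose distinct-destination count exceeds factor x baseline.

    A host absent from the baseline has an expected fan-out of 0, so any
    activity from it is reported as a deviation.
    """
    seen = {}
    for src, dst, _dport, _payload in records:
        seen.setdefault(src, set()).add(dst)
    return [src for src, dsts in seen.items()
            if len(dsts) > factor * baseline.get(src, 0)]


if __name__ == "__main__":
    print("signature hits:", signature_matches(RECORDS))
    print("baseline deviations:", fanout_anomalies(RECORDS, BASELINE_FANOUT))
```

Run as-is, the signature pass reports only 10.0.0.5, while the sweeping host 10.0.0.9 is reported only by the baseline check, which is the gap the audit describes.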

I think it's a little ridiculous for the Government to have spent this much time and money on a program that produces these types of capabilities.  We may never know the details as to why they've taken this long and spent this much money, but from the outside looking in, this is unacceptable.

The program started in 2003.  If capabilities were fully developed then, would it have prevented the OPM, IRS, and Postal Service hacks?  Maybe those recent hacks prompted the Government to kick it up a notch and pump more money into the program to develop it to its fullest potential.  We can only hope they get it right this time and prevent future attacks.

Reference:
http://www.securityweek.com/dhss-einstein-security-system-has-limited-capabilities-audit