Mobility

Authentication startup AnchorID wins Finovate Best-in-Show

anchor-ID-logo

New York startup AnchorID has garnered the Best-in-Show award at Finovate Fall, which just wrapped up in New York. There, the company demonstrated its consumer authentication technology for websites and mobile apps, which is purportedly set to launch any time now (Fall of 2014, according to the company website). AnchorID is tackling the notorious multiple password management problem, following in the footsteps of companies like AgileBits and Dashlane. AnchorID looks to improve on these earlier-generation consumer SSO offerings by completely eliminating passwords - providing secure access to both websites and mobile apps via a proprietary smartphone app, and by letting the user choose which type of authentication token he or she wants to use. The explanatory video lists fingerprint and voice biometrics, PINs, and a simple Yes/No button - that is, proceed with the login or not - as options. The user has to pick a single user name (their "Universal Username"). Again, no passwords are involved - so the authentication factors are the user's Universal Username, the app/smartphone combination (presumably including some level of device identification), and the token value (biometric, yes/no, etc.) as selected by the user. The company says they don't gather any personal data about the user. Integration to the target website or mobile app is via AnchorID's API.

AnchorID was founded in January 2014 and, according to Crunchbase, has received two rounds of angel funding totaling US $510,000. They're coming into an extremely crowded and noisy market, so success will depend as much on execution as on their technology.

Congratulations to AnchorID on making Best-in-Show!

Alipay gives some serious market cred to Nok Nok Labs and the FIDO standard

galaxy-s5-sensor

Nok Nok Labs has announced that Alipay will use Nok Nok's NNL S3 Authentication Suite to authenticate payment users on future versions of the Samsung Galaxy S5. The NNL S3 technology will provide access to the Alipay Wallet application via the Galaxy S5's fingerprint sensor (which I hope that Samsung has fixed by now). That's a major win for both Nok Nok Labs, a Silicon Valley startup in business since November, 2011 - and for the FIDO Alliance, of which Nok Nok Labs is a founding member. FIDO is an industry consortium, launched in 2013, that provides a standard implementation framework for "post-password" authentication. Its stated mission is to get rid of passwords as the world's default authentication method, and replace them with something more secure, standardized, and suited to the emerging, multichannel IoT world. NNL S3 is a FIDO-compliant authentication management platform for operation by service providers (including enterprises), that's technically agnostic to the endpoint form of authentication. So it supports not only fingerprint biometrics, as with the Galaxy S5, but also voice biometrics, face biometrics, secure elements, trusted platform modules, removable tokens, and others (of which there are many).

I think the announcement wasn't timed real well, as it was completely overshadowed by the Apple Pay launch a couple of days earlier. However, this is also a very significant step in the global evolution of mobile payments. Alipay, often referred to as "China's PayPal" (although it's more appropriate now to say that PayPal is America's Alipay), has an existing mobile user base of 100 million, and 80 percent of China's mobile payments market share. And with Samsung commanding 12 percent of the smartphone market in China, we're talking millions and millions of users out of the gate for the new Galaxy S5. As sexy as Apple Pay is, Apple and its posse of partners have some way to go before they get anywhere close to Alipay's market weight.

Via The Paypers (sic)

"Any smartphone can be compromised"

Post describing a few creative mobile device exploits by IOT hackers Samy Kamkar, Glenn Wilkinson and Mathew Solnick, including:

  • Spoofing recognized wireless networks in a way that tricks smartphones into joining them automatically
  • Hacking drones in the sky, which then hack each other
  • Intercepting phone data over a cellular network

Via Motherboard

Does the US need a mandatory smartphone kill switch?

Bit of controversy going on in the States, where some groups are proposing a mandatory "kill switch" on every smartphone, while others are proposing ... not that. Who's right?

On the surface,  it seems like a no-brainer. Smartphone theft is rife in the US, where 113 of the little goodies purportedly go missing every minute (presumably from different people) - resulting in $2.6 billion in annual losses. Plus, the thefts can often turn violent, leading to even more undesirable consequences. The simple solution: someone swipes your iPhone, and all you do is make a quick call to the phone company. They remotely send a command down to the device that will "brick" it (that is, render it permanently useless, except for things like building walls and even then, perhaps not the material of choice). None of your passwords are compromised, no online accounts broken into, and all you've lost is the device, which for sure is a headache, but at least you've avoided identity theft. And this would be a great deterrent to would-be thieves as well, since they're usually looking to sell the stolen devices, which tend to fetch a higher price when they're actually working.

Not so fast, though.  According to the CTIA (the US wireless trade association), this plan has a few fatal flaws:

  • The "kill" command would have to be made known to every mobile network operator, so it couldn't be kept secret. It would quickly become common knowledge on the street, and then think of the potential for abuse ... "revenge brickings", attacks on random devices "just for the lulz", and so
  • The risk isn't limited to a single device at a time. Large-scale, automated denial of service attacks could be launched against groups of devices (within a big company or government agency, for example) by incrementing the MSISDN (phone number), the IMSI (unique identity of the customer) or the IMEI (unique identity of the device).
  • Customers victimized in this manner would suddenly be unable to make emergency calls, possibly putting their safety in jeapordy.
  • This approach eliminates any chances of reactivating the phone if it's reported lost or stolen, and then later found. This is a very common scenario. I've had it happen myself more than once. The customer would still have to go to the expense of buying a new device.

What the CTIA doesn't mention is the cost of implementing a kill switch on every single device, which, I suspect, is their real reason for opposing the idea. Note that they don't offer any kind of alternative approach in their position piece on the topic (PDF). That's because, I suspect, they would rather not make any changes at all. The security problems that they cite are solvable (see below), but not for free. The cost to mobile operators and device manufacturers of doing this would be non-trivial. They'd have to agree on a standard protocol, possibly do some hardware modifications, and put the feature into every new device, the real estate inside of which is already extremely scarce and subject to fierce contention. Security would improve, but the cost of that improved security would be borne by the mobile industry, instead of consumers and government who are absorbing it now.

The problem with that way of thinking is, in the US if there's a problem affecting a very large number of consumers, which this one is, and it's not going to go away, which it isn't, and you as a provider of products and services don't solve it proactively, the regulators have a tendency to step in and solve it for you, and usually not in the ideal way that you'd envisioned.

Now they could spend the money on lobbyists to try and defeat any impending regulatory threat, or they could just bite the bullet and invest it in security upgrades, which will have the net effect of increasing trust in the smartphone market. Which is something the US mobile industry in particular could use a giant heaping platter of, especially if it sees providing things like payment services in the future. As a bonus, with better security in place, the carriers may find insurers more than willing to work with them to defray costs. Just speculating here, though.

Anyway, I'm going to side with the CTIA here on the basis of their stated security concerns, because they're legitimate, but only for now, because I think they need to take some action, as opposed to doing nothing.

Here's how I would do the security part:

(1) Still implement the kill switch, but restrict its use to certain, well-defined high risk situations , and put a lot of security around its use by the mobile operator (extra strong user authentication, execution only under dual control, and perhaps even a mandatory court order).  And sent securely over the Internet, not the GSM network, with strong device authentication, transaction validation, and message encryption. Reason for this is, there are some scenarios where the ability to permanently brick a device remotely would have very high security value ... for example, if the device was known to be  in use by someone who was planning a major crime or terrorist attack.

(2) For garden variety thefts and losses, implement a reversible kill feature in software, again activated securely over the Internet. This could selectively disable certain features on the device that would be valuable to a criminal, but keep things like the ability to make emergency calls. It would also enable  reactivation to full functionality later on by customers whose devices just fell between the sofa cushions and then they panicked. Reactivation would be also have to done with strong security controls, of course I would make them go physically to a mobile operator shop , or to another trusted facility, like a post office, to do this), and use some form of multifactor authentication.

This way you get the best of both worlds. Go ahead and pass the cost on to consumers ... but we know that will happen anyway. I believe a good many, if not most, of them won't have a problem with paying a bit extra for the warm and fuzzy feeling it will give them about the safety of their "Precious".

I'd be really interested to know how other countries are tackling this problem. I'm sure it exists in every other country where there are smartphones, which is what, every country ... and I'm sure some are approaching it more rationally than others.