Friday, 10 July 2015

Security Without Password

You don’t need to remember your password anymore for a secure log-in

In the last year alone, over two billion data records were stolen by cyber criminals. The damage goes well beyond the mere number of accounts, since many people use the same password for several log-ins. For many years, experts have advised keeping a different password for every account, made up of special characters, upper and lower case letters and digits. Understandably, most users find this tedious. Yet to keep accounts reasonably safe, the security industry is now advising users to take additional measures. There are no truly safe passwords; there are methods to attack most of them. Truly safe password alternatives have yet to be developed.


Meanwhile, many services offer one of the first steps towards more security: two-step verification. Here, a one-time password is requested from the user in addition to the actual password and is delivered to them, for example, via SMS or a smartphone app. The method clearly enhances safety, but it can be hacked regardless. Most frequently, cyber gangsters use key-loggers, which they plant on the victim’s PC by phishing. The malware reads not only the normal password but also the one-time password. Using man-in-the-middle techniques, the attacker can log in unnoticed or even change the password for the account. It is even simpler when the online service relies on simple security questions, for example the mother’s maiden name. On the strength of this information, many services grant access to the account and switch off the two-factor option. The safety measure has thus become the loophole for the hacker. Even if the security question is not simple to guess, the system can still be hacked. The attackers can infiltrate the user’s smartphone, for example, using the malware BadUSB: when the mobile device is connected to the computer for charging, a virus that crept into the computer earlier is installed automatically. The attackers then have both password factors and can log in easily.

2-factor passwords without a mobile phone

Users can, however, prevent this attack by not using the mobile as the second factor and instead using a special crypto USB key that supports the U2F standard (Universal Second Factor). If a user wants to log in to Google services, Google demands an additional special key, which is generated by the stick. In this process, the transferred data is encrypted. But the stick is not problem-free either: if it is stolen, the thief can use it without any trouble, because U2F sticks have no security question. Admittedly, the attacker must also know the normal user password, but depending on the service that can be relatively easy to change. Whoever holds the second factor, in this case the U2F stick, can often reset the password with a basic recovery procedure.
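The challenge/response behind a U2F log-in, modelled as an added example (not code from Google or any key vendor): an HMAC under a per-origin key stands in for the token's ECDSA signature, and the origins, user name and counter handling are constructed assumptions. It shows why a relayed one-time code can be phished but a U2F response cannot, and why a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
import struct

class Token:
    # Hardware-key side: the master secret never leaves the device.
    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.counter = 0

    def register(self, origin: str) -> bytes:
        # Per-site key the service stores for verification (an ECDSA public key in real U2F).
        return hmac.new(self._secret, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: bytes) -> tuple:
        # The browser reports the origin, and the signature covers it: a response made for a
        # look-alike site is useless at the real one, which is the phishing defence.
        self.counter += 1
        msg = hashlib.sha256(origin.encode()).digest() + challenge + struct.pack(">I", self.counter)
        return self.counter, hmac.new(self.register(origin), msg, hashlib.sha256).digest()

class Service:
    # Relying-party side, e.g. the Google log-in the article mentions.
    def __init__(self, origin: str):
        self.origin, self.keys, self.last_counter = origin, {}, {}

    def enroll(self, user: str, token: Token) -> None:
        self.keys[user], self.last_counter[user] = token.register(self.origin), 0

    def verify(self, user: str, challenge: bytes, counter: int, sig: bytes) -> bool:
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge + struct.pack(">I", counter)
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False  # wrong key, or a different origin inside the signed data
        if counter <= self.last_counter[user]:
            return False  # replayed response, or a cloned token lagging behind
        self.last_counter[user] = counter
        return True

def demo() -> tuple:
    # Constructed scenario: genuine log-in, relayed phishing attempt, replay.
    token, site = Token(), Service("https://accounts.example")
    site.enroll("alice", token)
    c1, c2, c3 = (secrets.token_bytes(32) for _ in range(3))
    genuine = site.verify("alice", c1, *token.sign("https://accounts.example", c1))
    phished = site.verify("alice", c2, *token.sign("https://accounts-example.evil", c2))
    resp = token.sign("https://accounts.example", c3)
    replay = site.verify("alice", c3, *resp) and site.verify("alice", c3, *resp)
    return genuine, phished, replay  # (True, False, False)
```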

If one does not want to carry a stick around, one can use biometric recognition. These days, face recognition is very popular. Here, a picture of the user is recorded by the device’s built-in camera and individual characteristics are stored, for example the distance between the eyes. Though face recognition may sound simple and secure, it too has loopholes for cyber criminals. According to the hacker Starbug, with the first generations of such devices it sufficed to hold a photo of the user in front of the camera; the computer was unlocked or the online log-in allowed. The next software generation was supposed to eliminate this weak point with “Biodetection”.

Yet hackers can overcome this hurdle very easily by moving a pen up and down in front of the photo. Software solutions like Android’s face recognition can often be tricked with this method.

Another model that offers more security, and which also supports the U2F standard, is iris recognition. A camera scans the iris of the eye and uses it for verification. A few years ago only professional solutions were available, in highly secured equipment with an integrated iris scan; cheap consumer versions have since become available. Even the upcoming Windows 10 is expected to integrate the Hello function, a biometric iris recognition for log-ins. Iris recognition is very safe: it gives a false result in only one in 1.5 million cases. The manufacturers of iris scanners advertise the technology as uncrackable, but even this solution can be outsmarted with a very high-resolution photo. The Chaos Computer Club, for example, has proved it: from a photo of the German chancellor Angela Merkel, shot from a distance of about five metres, the hackers were able to enlarge and print the iris details in such a way that experts warned the popular iris tools could be outsmarted.

Meanwhile, it is somewhat more difficult to crack one of the most popular biometric techniques, the fingerprint scan. Many mobile devices, like the iPhone, protect complete access to the system with fingerprints. Still, there are methods of obtaining the print. Using gear costing only a few ringgit, some graphite dust, transparent film and wood glue, members of the Chaos Computer Club outwitted the fingerprint scanner of the iPhone 5S in September 2013. The template for the fingerprint copy can be lifted directly from the iPhone itself, but the Chaos Computer Club also showed that fingerprints can be reconstructed from photos. The “victim” of that demonstration was the German defence minister Ursula von der Leyen. Of course, the procedure requires extensive post-processing of the photos, but it does show that the safety of the fingerprint scan is deceptive. The safest market-ready solution so far is vein detection, in which a device with infrared light reads the blood vessels of the hand. Here only the reading device can be attacked, by a hacker tapping into the data stream to the computer, and depending on the model manipulation is very difficult. The reading devices are very costly and are practical only in the high-security wings of large companies and government agencies.

Heart rate as a password

Other new procedures are also based on physical characteristics, which cannot be faked with a photo alone. A type of electrocardiogram (ECG) can now be recorded by special sensors; this allows systems to draw conclusions about physiological features of the heart muscle, like its size and location as well as the exact moment at which the heart pumps blood. These values differ from person to person. The technology has already been perfected to the point that the right person can still be identified when the wearer of such a biometric band has an altered pulse due to stress, physical strain or illness.

The first company to bring heart recognition to market is Nymi. To measure the heartbeat, the Canadian company uses an arm band with two electrodes, which records slight changes in skin galvanic response and pressure and measures the heart from these recordings. Every time the user puts it on, he has to authorise himself using his ECG. When the band recognises the right user, a crypto key stored beforehand in the bracelet is sent to a compatible device, like a smartphone or a computer, over an encrypted Bluetooth connection.

So far, the company has been distributing a development kit for programmers; a consumer version is planned for this year. The advantage of internal biometrics is that there are hardly any attack vectors in detecting the heart rate. The individual values that Nymi reads for detection are extremely difficult to falsify: the attacker would have to copy not only the pulse but also the individual values of the heart muscle. According to the manufacturer Nymi, this is not absolutely impossible, but it can be achieved only with a great deal of effort. Besides, stealing the band makes no sense, because the data is automatically locked when the clasp or the casing is opened. The band is activated again only after the ECG is measured anew.

In the future, remember your password

There is a technology safer than heart measurement, which is being researched at the University of Berkeley. An EEG (electroencephalography) sensor measures brain waves and can thus detect whether the user remembers the correct secret code. Here the password is not a combination of letters but a mental task, like a certain hand movement or concentration on a certain tune. In the future, you will be able to select any password. The EEG samples vary so much from person to person that a safe password can be formed from them. It will be some years before the EEG method is available to the general public, because the computing power of several computers is needed to evaluate the EEGs. The technique is considered secure because there are very few ways to attack it: the attacker would have to place an EEG electrode on the victim unnoticed and also make the victim think of the password.

One day, a retina scan could also be a truly safe password alternative. Here the specifics of the eye are recorded by infrared light, along with the course of the blood vessels, which are just as individual as human DNA. However, critics point out that although the technology already exists, it is invasive and there are no long-term studies about its impact on the retina.

Experts believe the future of access control belongs to DNA, as every person can be identified almost 100 percent by his DNA. However, there is as yet no inexpensive procedure for reading DNA. Skin flakes or hair samples could indeed serve as sources, but well-equipped laboratories are still needed for the analysis. Whether a DNA password could simply be unlocked with stolen hair and the user’s DNA obtained from it remains an open question.

Researchers from Oxford University are also using DNA as a password alternative, but they need no laboratory for their assessment. The basic approach is as follows: everyone has an individual way of doing things on the PC, like pressing the keys of the keyboard; the researchers call this e-DNA (electronically defined natural attributes). According to David Scheckel, president of Oxford BioChronometrics, a person is clearly identifiable by e-DNA. The project is still at the research stage. According to the renowned security expert Chris Mitchell, such a password alternative is difficult to establish, the reason being the constant monitoring: the e-DNA programme can match behaviour to the correct user only through continuous analysis. The advantages of the method: it requires no costly sensors and is still hard to crack.