
Senior monitoring – security flipped on its head

Let’s say you want to set up a security system for your home. In days past that would mean hiring a security company that would install sensors around your house, connected to a keypad, and linked via a phone line (usually a dedicated line you would need to add) to a monitoring company. Those sensors would probably have required wired connections to a central hub installed in a closet somewhere, or in a drop ceiling, requiring lots of installation work, cutting holes in walls, and cleaning up the mess afterwards with spackle and paint. Once installed, this system would only work if you paid the company that installed it a monthly fee.

DIY Security Systems

In recent years a new category of security system has emerged, the so-called DIY security system. These systems are designed to be installed by the homeowner and in general do not require ripping up walls. Some systems allow you to monitor your house yourself, and some include monitoring for a fee, similar to the older systems. One good example of this type of system is SimpliSafe, which sends you a kit including various sensors to install yourself, and then provides a traditional monitoring service. In general these new systems use wireless connections to a central hub, so each device only needs power. This means you can simply plug in a sensor and connect it to your hub wherever you have an electrical outlet. Smaller sensors can work on batteries alone and can run for up to a year before the batteries need to be swapped or charged.

Camera-based Security Systems

Blink system with 3 Cameras

More recently, systems have come out where cameras, the most power-hungry of security sensors, can run on batteries as well. Whole security systems have been built around nothing but these wireless, battery-powered cameras. Examples include Netgear’s Arlo system, as well as Blink, Homeboy and Canary.

All of this innovation is great, but it runs into a problem when one wants to set up a system to help an elderly relative. Much of the technology is the same, but the usage is flipped on its head. You don’t want a system that is triggered every time it senses movement, but one that recognizes when there is a lack of movement. While a standard security system can be dumb, in that any movement is considered bad, a system set up to monitor the elderly should be smart and learn patterns of movement, only notifying when there is a change in the pattern.

Some security systems are cognizant of privacy concerns, offering physical shutters to block the cameras when the system is disarmed and ensuring all video streams are encrypted. When monitoring the elderly, however, your system is never really disarmed; it’s just in a different mode. If your security system is camera-based and gets its motion-detection capabilities from the camera, then closing the shutter means your system cannot operate at all.

Of course, having a camera on all the time raises major privacy concerns, and your elderly relative may, understandably, not want cameras watching them at all times, even if it’s just for motion sensing. All of these new camera-based systems sadly cannot be used for the elderly, or at least the system cannot be based solely on cameras. This means another type of solution is required.

Existing Security Systems Adapted for the Elderly

Alarm.com Wellness Notification

Some existing security system companies offer versions adapted for the elderly. Alarm.com, for example, offers a service called Wellness that monitors seniors in their home, recognizing patterns, and even sensing how long someone stays in bed or in a favorite chair. This system is integrated into their monitoring service, and can alert a family member if their relative leaves the house at a strange time, or doesn’t get out of bed all day, or doesn’t open the fridge.

Essence Care@Home

Essence Care@Home

Israeli company Essence, which sells panic-button systems for use in elderly homes, has come out with a more comprehensive system called Care@Home that uses a combination of motion sensors, door sensors, cameras, etc. as well as a traditional panic button, in combination with a service to look for patterns and notify family and care providers accordingly. This system is sold to monitoring companies that install the system in people’s homes and sell a monitoring service.

Sen.se Silver Mother

Silver Mother Sensor on Medicine Bottle

One interesting solution comes from the French company sen.se, which offers a product called Silver Mother. Silver Mother uses a central hub with small wireless motion sensors. These sensors can be used in many ways. For example, place one on the refrigerator door to sense how often the fridge is opened. Place one on a mattress to see how often and how long a person is in bed. Put one on a medicine bottle to know that someone has taken their medicine (or rather, to know that they have not taken it if the bottle never moves). Another advantage of the Silver Mother system is that there are no monthly fees. It is for the most part a self-contained system, although it can work with Nest and IFTTT.

DIY Options for Senior Monitoring

If you wanted to build your own senior-focused security/monitoring system, there are a few options, although none that are perfect. One approach is to use a multi-purpose hub like Samsung’s SmartThings Hub, or Wink’s Hub. Both products connect to devices from many different manufacturers, using multiple home-automation protocols, such as Z-Wave and Zigbee, as well as WiFi and Bluetooth. Wink additionally works with some manufacturer-specific protocols like ones from Kidde and Lutron.

Protocol Problems

The use of popular home automation protocols like Z-Wave and Zigbee is key, as it allows many devices from many manufacturers to be used together. Unfortunately, that’s only partly true. Both protocols have their problems.

Z-Wave uses different frequencies in different countries, and there is no such thing as a hub that can handle more than one frequency. If you’re in the US and you buy a US hub, you need to buy sensors that are intended for the US market. There are more than a dozen different frequencies used around the world. The US is different than Europe, which is different than Australia, which is different than Japan, which is different from China, etc. Hong Kong shares one frequency used in the US, but not a second one. For a large multinational company that can manufacture dozens of versions of their products, this is okay. For a small company looking to break into the home automation market, this is a major problem. If you move around, you also may not be able to take your equipment with you.

Zigbee can for the most part be used on a single frequency worldwide (although it also supports frequencies similar to Z-Wave’s in some cases), because it works in the same 2.4 GHz band as WiFi and Bluetooth. It does, however, use different profiles for different devices, and a device designed for one profile will not work if the device it’s connecting to uses a different profile. For example, the Samsung SmartThings Hub supports the Zigbee Home Automation profile, but not the Zigbee Smart Energy profile. Add to this that the signal strength allowed in different countries can differ (the US allows almost twice the signal strength for Zigbee devices that Europe does, so if you buy a Zigbee device in the US it’s probably illegal to use it in Europe).

Programming a DIY System

Putting aside these protocol problems, we run into another one. You need to program the system to notify you based on the sensors in ways that make sense for seniors. The non-DIY systems have that intelligence built in. If you build something yourself, you need to find a way to create a similarly intelligent method of notifying you. Some types of notifications are easier than others. For example: if the door to the outside opens between 11pm and 6am, send a notification. If the resident hasn’t gotten out of bed by 11am, send a notification. If the system sees no movement for over an hour during the day, send a notification. These are simple rules that could be enhanced with advanced pattern recognition, but will still work for the most part. A more sophisticated system would know when the resident gets up every day (say, between 8am and 9:30am) and would know when something is out of the ordinary (the resident is not yet up by 10am), but if you watched the data for a few weeks, you could probably just set the notification for 10am and get the same thing.
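The three rules above, plus the learned wake-up baseline, as an added example in Python that is not from this post or any SmartThings or Wink product; the event format, the sensor names, the 08:00 to 22:00 daytime window and the 30-minute grace on the learned wake-up time are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Event:
    at: datetime
    sensor: str   # "door", "bed", or a motion sensor such as "motion_hall" (assumed names)
    value: str    # door: open/closed, bed: empty/occupied, motion: active


# Thresholds from the three rules in the text; the daytime window and grace period are assumptions.
NIGHT_START, NIGHT_END = time(23, 0), time(6, 0)
UP_DEADLINE = time(11, 0)
DAY_START, DAY_END = time(8, 0), time(22, 0)
MAX_STILL = timedelta(hours=1)
GRACE = timedelta(minutes=30)


def is_night(t: datetime) -> bool:
    """The 11pm to 6am window wraps midnight, so it is an OR, not a range check."""
    return t.time() >= NIGHT_START or t.time() < NIGHT_END


def door_alerts(events):
    return [f"{e.at:%Y-%m-%d %H:%M} door opened during night hours"
            for e in events if e.sensor == "door" and e.value == "open" and is_night(e.at)]


def first_up(events, day):
    """When the bed first reported empty on `day`, or None if it never did."""
    return next((e.at for e in events
                 if e.at.date() == day and e.sensor == "bed" and e.value == "empty"), None)


def not_up_alert(events, now, deadline=UP_DEADLINE):
    """Fires once the deadline has passed without the resident having got up by then."""
    if now.time() < deadline:
        return None
    up = first_up(events, now.date())
    if up is None or up.time() > deadline:
        return f"{now:%Y-%m-%d} resident not out of bed by {deadline:%H:%M}" + (
            f" (up at {up:%H:%M})" if up else "")
    return None


def no_motion_alerts(events, now):
    """Gaps over MAX_STILL between motion events, counting only the daytime part of each gap;
    the gap after the last event runs up to `now`, so an ongoing stillness is reported too."""
    motion = [e.at for e in events
              if e.sensor.startswith("motion") and e.value == "active" and e.at <= now]
    alerts = []
    for prev, nxt in zip(motion, motion[1:] + [now]):
        start = max(prev, datetime.combine(prev.date(), DAY_START))
        end = min(nxt, datetime.combine(prev.date(), DAY_END))
        if end - start > MAX_STILL:
            minutes = int((end - start).total_seconds() // 60)
            alerts.append(f"{start:%Y-%m-%d %H:%M} no motion for {minutes} min")
    return alerts


def learned_up_deadline(events, days):
    """Latest get-up time seen over `days` plus a grace period: the "watch the data for a few
    weeks and set the notification" rule from the text, derived instead of hand-picked."""
    ups = [u.time() for u in (first_up(events, d) for d in days) if u]
    if not ups:
        return None
    latest = max(ups)
    return (datetime(2000, 1, 1, latest.hour, latest.minute) + GRACE).time()


def evaluate(events, now, history_days=3):
    alerts = door_alerts(events) + no_motion_alerts(events, now)
    fixed = not_up_alert(events, now)
    if fixed:
        alerts.append(fixed)
    prior = [now.date() - timedelta(days=i) for i in range(1, history_days + 1)]
    learned = learned_up_deadline(events, prior)
    if learned:
        adaptive = not_up_alert(events, now, learned)
        if adaptive:
            alerts.append("learned baseline: " + adaptive)
    return alerts


def build_sample_log():
    """Constructed sample: three ordinary days (up at 08:10, 08:45 and 09:20, motion every 45 min
    until 22:00), a door opening at 02:15 on day 2, no motion at all between 12:30 and 14:45 on
    day 2, and a fourth day on which the resident only gets up at 10:05."""
    events = []
    for day, (h, m) in ((1, (8, 10)), (2, (8, 45)), (3, (9, 20))):
        t = datetime(2016, 3, day, h, m)
        events.append(Event(t, "bed", "empty"))
        while t.time() < DAY_END:
            if not (day == 2 and time(13, 0) < t.time() < time(14, 30)):
                events.append(Event(t, "motion_hall", "active"))
            t += timedelta(minutes=45)
        events.append(Event(t, "bed", "occupied"))
    events.append(Event(datetime(2016, 3, 2, 2, 15), "door", "open"))
    events.append(Event(datetime(2016, 3, 4, 10, 5), "bed", "empty"))
    events.append(Event(datetime(2016, 3, 4, 10, 7), "motion_hall", "active"))
    return sorted(events, key=lambda e: e.at)


SAMPLE_NOW = datetime(2016, 3, 4, 10, 30)


def demo():
    return evaluate(build_sample_log(), SAMPLE_NOW)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the sample the fixed 11am rule stays quiet at 10:30, while the learned baseline (09:20 latest wake-up plus grace, so 09:50) already flags the late morning.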

Both Wink and SmartThings can be programmed using IFTTT. This allows some level of interoperability between them, as well as with other systems that don’t support the same protocols, but do support IFTTT. IFTTT stands for IF This Then That, and is a simple rules-based system for telling Internet-connected services to trigger actions based on certain conditions. These sets of rules are called Recipes. For example, you could set up a recipe to send you an SMS whenever a specific stock went over a certain price, or you could get an e-mail whenever a specific product showed up on eBay. In Home Automation scenarios, you could have a recipe that whenever someone passes a motion sensor outside your door, the light outside is turned on and a beep is sounded inside. These can be very powerful, but are limited in intelligence. You could use an IFTTT recipe to turn on a light through your Wink Hub when the sensor in a Silver Mother system detects the resident gets out of bed (although you would need both the Wink hub and the Silver Mother hub).

Samsung gets Groovy

Samsung, in addition to supporting IFTTT, also supports creating programs in Groovy, a language developed under the Apache Foundation that runs on the Java Platform. This means it can use Java libraries and runs on the JVM. The technical details don’t matter too much, but in short it means you have a lot more control in building intelligent applications with SmartThings than you do with Wink.

As an example, here’s a program I found posted in the SmartThings Community that triggers a notification if there is no motion between a specific start time and an end time:

/**
 *  Notify if no motion
 *
 *  Copyright 2015 Bruce Ravenel
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 *  in compliance with the License. You may obtain a copy of the License at:
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed
 *  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
 *  for the specific language governing permissions and limitations under the License.
 *
 */
definition(
    name: "Notify if no motion",
    namespace: "bravenel",
    author: "Bruce Ravenel",
    description: "Notify if no motion during some time period",
    category: "Family",
    iconUrl: "https://s3.amazonaws.com/smartapp-icons/Convenience/Cat-Convenience.png",
    iconX2Url: "https://s3.amazonaws.com/smartapp-icons/Convenience/Cat-Convenience@2x.png",
    iconX3Url: "https://s3.amazonaws.com/smartapp-icons/Convenience/Cat-Convenience@2x.png")

preferences {
    section("Which motion sensors?") {
        input "motions", "capability.motionSensor", title: "Motion(s):", required: true, multiple: true
    }
    section("Text me at (optional, sends a push notification if not specified)...") {
        input "phone", "phone", title: "Phone number?", required: false
    }
    section("Unless this presence sensor is not present...") {
        input "presence1", "capability.presenceSensor", title: "Which presence?", required: false, multiple: false
    }
    section("If no motion between these times...") {
        input "starting", "time", title: "Starting", required: false
        input "ending", "time", title: "Ending", required: false
    }
}

def installed() {
    initialize()
}

def updated() {
    // Drop the old subscriptions and timers before re-creating them with the new settings
    unsubscribe()
    unschedule()
    initialize()
}

def initialize() {
    // Any motion event from any of the chosen sensors clears the "no motion" flag
    subscribe(motions, "motion.active", motionHandler)
    // Both times are optional in the preferences, so only set the daily timers when both were given
    if (starting && ending) {
        schedule(starting, startingTime)
        schedule(ending, endingTime)
    } else {
        log.warn "Starting and ending times are both needed; no check scheduled"
    }
}

def motionHandler(evt) {
    state.noMotion = false
}

def startingTime() {
    // Assume no motion from here on; motionHandler proves otherwise
    state.noMotion = true
}

def endingTime() {
    // Skip the alert when the optional presence sensor says the resident is away
    if (presence1 && presence1.currentPresence == "not present") return
    if (state.noMotion) {
        def msg = "There has been no motion since $starting"
        if (phone) sendSms(phone, msg)
        else sendNotification(msg)
    }
}

I don’t mean to show this as an example of a complex program, but rather just what the code looks like for a simple one. Samsung has a Marketplace within their phone app that allows you to download many applications (dubbed SmartApps in keeping with their naming pattern), including a whole category called Elder Care. I wasn’t able to find a list of the SmartApps in that category online, and I can’t look at them in their app because you need to connect it to a Hub before you can view the Marketplace.

The average person isn’t going to develop machine-learning algorithms in Groovy to learn the daily activity patterns of their elderly relative. Hopefully enough relevant SmartApps exist in Samsung’s Marketplace that they wouldn’t have to do it themselves.

Where does that leave us?

It would appear that we have either pre-packaged systems with intelligent activity monitoring that require monthly payments, or DIY systems that are a bit touch-and-go, considering you need to buy lots of sensors and hook them into existing applications that may do what you want, or else write custom applications to get there, and none of those are likely to have the full level of intelligence needed to prevent frequent false-positive notifications. There are some good DIY systems like Wink and SmartThings, and even senior-focused systems like Silver Mother, but they’re not set-it-and-forget-it easy to configure. We’re at the point where systems like Blink have pretty much brought that ease of installation to the home security market, but the senior market is still catching up. It should be interesting to see how this niche makes up the ground in the next few years.


E-mail security stinks, and that makes hackers (and the NSA) happy

The Better Mousetrap

Making the perfect e-mail client seems like the build-a-better-mousetrap challenge of our day. Every year or so it seems there’s another amazing e-mail client released by a startup that says it has ‘reimagined’ or ‘reinvented’ e-mail and how to use it. Some examples include Sparrow (launched in 2011, bought by Google and discontinued in 2012) and Mailbox (launched in 2013, bought a month later by Dropbox, with an announcement of its imminent retirement just this month). This is kind of ironic considering the move away from e-mail to other messaging services, particularly real-time services such as Slack and Whatsapp.

Recently, perhaps due in part to the imminent shut down of Mailbox, another e-mail app called Polymail has been receiving a lot of hype. It is already the fourth most up-voted product on Product Hunt, and it hasn’t even launched yet. Seeing the latest e-mail-mousetrap launch reminds me about one of the inherent security problems all of these applications encourage.

A Question of Protocol

All of these apps rely primarily on the IMAP e-mail protocol (short for Internet Message Access Protocol). That makes a lot of sense as it keeps most of the e-mail management on the server, and allows app developers to release both desktop and mobile clients that can both share the same e-mail, including read status and folder structure. Many of the largest e-mail providers like Gmail, Yahoo, iCloud, and Outlook.com (the service formerly known as Hotmail) support IMAP, so these e-mail accounts are generally supported by these new e-mail clients.

In the old days, most e-mail was served up using a different protocol, POP, short for Post-Office Protocol (technically it is POP3, and IMAP is actually IMAP4). The truth is that both POP and IMAP date back to the 1980s. POP is only a couple of years older than IMAP, although IMAP received more ongoing attention in the 1990s. There are a lot of differences between POP and IMAP, but the main difference is that when you use POP, all of your messages are downloaded to your e-mail client, and then deleted from the server, while IMAP downloads a local copy, but leaves all the e-mail on the server.

Keeping e-mail on the server has many advantages, such as having a backup of your e-mail on a remote server, and allowing your phone, tablet and desktop to all access your e-mail. There are some minor problems with keeping your e-mail on the server, such as running out of server space (depends on your e-mail provider). One problem that is usually overlooked, however, is that if your e-mail is stored on the server, your e-mail is accessible at all times by hackers and the government. Let’s take a look at these two scenarios.

Scenario One: Hackers

In the old days e-mail was never encrypted. Nowadays more and more companies are trying to ensure it is encrypted in transit between servers. Google offers an interesting view of their attempt to encrypt e-mail in transit to different providers, showing which companies they receive and send e-mail to that are fully encrypted, and which are not. This in-transit encryption prevents, or at least greatly lowers, the ability of third parties (criminal or government) to intercept your e-mails while they are traveling between servers, or from a server to your client device. That’s great, but there’s one problem they don’t usually talk about, which is that the e-mails are stored unencrypted on the server itself. Apple actually points this out in their iCloud security and privacy overview:

(Screenshot: Apple iCloud security and privacy overview, Mail section)

Now I’m sure most major e-mail providers have amazing security, but nothing is a guarantee. How many times have you received spam from a friend whose account on a major e-mail provider or social network had been hacked? I still remember the first time I received the ‘I’m stranded in X and need you to wire me money’ scam. If your e-mail is online, it’s available to those who can access the server. That could be a high-level hack that compromises the entire server, or a simple one like guessing your password. Check out HaveIBeenPwned.com to search a database of over 250 million username/password credentials that have been hacked and leaked online; you may find your e-mail address there. Do you use the same password on multiple sites? How about the same password for your e-mail and for other online sites? That’s a big no-no, but when the most common password on the Internet is ‘password’, security isn’t a major concern for many.

Even if you use strong passwords and use different passwords on different sites, however, there are more intricate methods for gaining access to e-mail without having to hack the server directly. Take for example the teenager who gained access to the personal e-mail account of John Brennan, the director of the CIA. He did a reverse lookup of Brennan’s phone number, determined its provider (Verizon), and called Verizon pretending to be a Verizon technician. This is called social engineering, and it’s basically hacking without a computer. The teenager managed to get enough information from Verizon to then call AOL and reset the password on the e-mail account. This was the director of the CIA.

Scenario Two: The Government

Sure, everyone knows the NSA is listening. Edward Snowden’s revelations about the NSA have been news fodder for years. One of the most troubling images released by Snowden via The Guardian was this slide from a presentation on NSA’s PRISM electronic surveillance program:

PRISM E-mail Data Collection

The slide seems to suggest at which point each of these services was compromised by the NSA. Whether these services were hacked by the NSA or gave it access isn’t shown. That distinction is really irrelevant, it would seem. Does this mean that the NSA can read all of your Gmail, Yahoo and iCloud e-mails? That’s not clear, but it doesn’t seem to be what they mean. It is possible that this slide merely means that the NSA is capable of intercepting all e-mails being sent and received by these servers, for example by connecting to the data pipes between the hosting location and the Internet provider they use. The NSA can then just listen in to everything coming and going, and doesn’t need to access the servers at all. That might have been the impetus for Google’s increased focus on in-transit encryption, as mentioned above.

Now you might say that a lot of these programs were shut down and are not active. That’s also irrelevant. You know why? Because you don’t need to be the NSA to access e-mails stored on servers. You don’t even need a warrant. You’re probably thinking that’s crazy, and of course law enforcement agencies would need a warrant to access your e-mail on the server. NOT. TRUE. The Electronic Communications Privacy Act of 1986 (ECPA) defines e-mail on a server that is more than 180 days old as abandoned. This dates back to a time when everyone used POP or a proprietary protocol to download their e-mails, and storage was so expensive that keeping everyone’s e-mails on the server seemed absurd. Back then the assumption was you could download your e-mail and then the server would delete it to make room. The problem is that this antiquated definition is still the law of the land, and a law enforcement agency can ask for all e-mails older than 180 days and doesn’t need a warrant to do so. That’s not to say e-mail providers haven’t fought against this definition, but the law is on the government’s side until it gets changed. Meanwhile, if the government wants to take a look at the e-mails you’ve downloaded to your computer, they need a warrant. So if you store your e-mails remotely (using IMAP), the government can simply ask for them with little justification. If you download all your e-mails (using POP) then the government needs to go to a judge and get a warrant to search your computer, which they obviously need to get from you physically. If an e-mail provider hands over all your e-mails to a law enforcement agency, how would you know it even happened?

The interesting thing, then, is that using the older POP protocol you are in many ways more secure than if you use IMAP. If you’re using in-transit encryption, which both IMAP and POP support, then the only e-mails accessible to government agencies when they approach an e-mail provider are the ones sitting there between downloads to your client. It’s usually a pretty good bet that those are less than 180 days old, which means that, without a warrant, the government cannot get access to any of your e-mails if you use POP.
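The POP-versus-IMAP argument above, carried through as a small simulation in Python; this is an added example, not from the post, and the mailbox model (five messages a day, one sync schedule per client, the 180-day line applied to a message’s age on the server) is my own construction.

```python
from datetime import date, timedelta

ABANDONED_AFTER_DAYS = 180   # the ECPA line the post describes


def simulate(days, sync_every, keep_days, msgs_per_day=5, start=date(2016, 1, 1)):
    """Run `days` days of incoming mail against one client behaviour.

    keep_days=None : IMAP default, the client never removes anything from the server.
    keep_days=0    : POP default, each sync downloads and deletes everything there.
    keep_days=N    : IMAP with a local archive, each sync deletes server copies N or more days old.
    The client syncs every `sync_every` days. Returns (messages left on the server at the end,
    worst single-day count of server messages older than 180 days)."""
    server = []          # arrival dates of the messages the provider still holds
    worst = 0
    for d in range(days):
        today = start + timedelta(days=d)
        server.extend([today] * msgs_per_day)
        if keep_days is not None and d % sync_every == 0:
            server = [m for m in server if (today - m).days < keep_days]
        # What a request for "everything older than 180 days" would get on this day
        exposed = sum(1 for m in server if (today - m).days > ABANDONED_AFTER_DAYS)
        worst = max(worst, exposed)
    return len(server), worst


def compare(days=400):
    """The post's two cases plus the archive-then-delete variant it mentions, over 400 days."""
    return {
        "imap, leave on server":        simulate(days, 1, None),
        "pop, sync daily":              simulate(days, 1, 0),
        "pop, sync every 200 days":     simulate(days, 200, 0),
        "imap, keep 30 days, daily":    simulate(days, 1, 30),
        "imap, keep 170 days, monthly": simulate(days, 30, 170),
    }


if __name__ == "__main__":
    for label, (on_server, worst) in compare().items():
        print(f"{label:30} on server at end: {on_server:5}   worst day over 180 days old: {worst}")
```

The last three rows give the rule of thumb: the oldest message the provider can be holding is keep_days + sync_every - 2 days old, so the server copy stays entirely under the 180-day line only while that sum is 180 or less, and a POP client that rarely syncs loses the benefit.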

Sure all of this is theoretical. I don’t assume anyone reading this is being pursued by law enforcement. That said, any loophole is exploitable. Just ask John Brennan.

Then What?

The obvious answer to e-mail security is to encrypt all e-mails all the time. That, however, is harder than it seems. First, you can’t force other people to send you e-mails that are always encrypted. Second, even setting up encryption for all of your outgoing e-mails is incredibly difficult. It doesn’t feel like so long ago that Phil Zimmermann had to publish the code to his PGP encryption software in a hard-bound book and put it up for sale, in order to allow it to be exported outside the US under the First Amendment. The problem at the time was that strong encryption was considered a munition under US law, and exporting it to many countries was illegal. Anyone with a copy of the book could rip off the cover, separate the pages, and then scan the pages and generate the source code. A project to do just that outside the US was set up to stay up to date with new versions, called the PGPi scanning project. Nowadays those laws are more relaxed, and no scanning in foreign countries is required. It’s not a secret sauce anymore. Getting strong encryption code out into the wild was only part of the problem, however. The bigger problem turns out to be a question of how easy encryption is to use.

Many people have tried to make encryption easier to use so more people would use it, but no one has really succeeded. Phil Zimmermann himself advised Hushmail and co-founded Silent Circle, both of which could be described as attempts to make encryption more accessible. More recently, two other efforts are perhaps more interesting.

Will Ackerly, who used to work at the NSA, launched Virtru, a company that piggybacks on existing e-mail services like Gmail and adds strong encryption. Some of the things Virtru allows beyond encryption are the ability to allow or disallow an e-mail from being forwarded, and the ability to revoke an e-mail (i.e. delete it from the recipient’s computer) at will, or automatically after a set period of time. Additionally, recipients of encrypted e-mails don’t need to install special software to read messages sent via Virtru. Virtru currently offers Chrome and Firefox plug-ins for web access to services like Gmail, and offers a plug-in for Outlook on the Windows desktop. They also offer iOS and Android apps. Virtru tries to be a simple end-to-end solution for secure e-mail, and it does seem to do things very well.

Another startup, Keybase, was founded by the founders of the online dating site OKCupid. Founding a dating site might not sound like the right prerequisite for bringing encryption to the masses, but besides building OKCupid on complex mathematical matching algorithms, they also managed to sell their company to Match.com for $50 million in cash. As proven entrepreneurs, they convinced the right people and raised $10.8 million from major Silicon Valley investors just to get started on the problem. The idea behind Keybase is to link your cryptographic key to your various social media profiles, making it much easier for people to locate your public key and communicate with you. For example, you might link your Facebook, Twitter, Instagram, and Reddit usernames to your public key, which you store on the Keybase server. The important part is not just finding the key, but finding the right key. Normally with PGP you need to establish trust based on who signs each key. The problem is that if you’re e-mailing someone new, you won’t necessarily know whether the people signing the key are fake. If you can link the key to established accounts of the user and cross-reference them with other accounts, then you have a fairly safe and easy way to confirm the owner of a key. The encryption scheme started with PGP, but is now evolving to include NaCl. The idea addresses a significant problem with public-key encryption, but doesn’t fully remove the ease-of-use problem most people have with encryption. Hopefully those are also being addressed.

All of these efforts are great, but they’re not solutions most people will use – yet. In the meantime, the question is how accessible your e-mails are to snooping. While the latest whiz-bang e-mail applications support IMAP and storing e-mails on the server, most have left POP behind. It is possible to download all your e-mails locally using IMAP and then delete them all from your server, but it’s not the default. Next time another web site is hacked (don’t forget to check your e-mail address on HaveIBeenPwned.com) or another revelation about government snooping comes out, you might wonder whether storing everything locally, as POP does by default, might be the better way to go.


Who do you trust with your identity?

This is the second in a series of articles, which started with The long goodbye to passwords. You might want to read that first, if you haven’t already.

Let’s start with a few questions:

  1. Have you ever had your password exposed by hackers, such as was done with Adobe, Gawker, Cupid Media, Stratfor, Yahoo and Sony users?
  2. When you go to a web site to buy something, and they offer to store your credit card information, do you let them?
  3. If you answered yes to #2 above, what sites do you say yes to, and why?
  4. How many companies have direct access to your bank account, such as PayPal, other payment service, or a stock brokerage?

Have you been pwned?*

Let’s start with question number one. Has a password of yours been revealed by having an account hacked? You might not even know it. Troy Hunt operates a very interesting site called ‘;–have i been pwned? where he has collected many of the files stolen from web sites by hackers (and subsequently released online) and built an interface where you can search by username or e-mail address and see if it shows up in any of the files. Adobe itself had over 152 million accounts compromised (and makes up the bulk of the accounts), but the site also includes Forbes, Gawker, Snapchat, Stratfor, Yahoo, Vodafone, Sony, Tesco, and more. Altogether, right now it has 16 sites comprising 161,602,992 accounts that were compromised by hackers (who released the files). Go ahead, take a moment to search the site for your e-mail address and common usernames. You can even request to be notified if your e-mail address pops up in a future file that is added to the site.

What these security breaches show, besides the fact that these companies should have protected their passwords better (hashed with salt), is that people re-use their passwords too much, and use really weak passwords. I remember after one of these breaches getting an e-mail from a different company warning me that I was using the same password on their site, and thus they had automatically reset my password. That means that like Troy Hunt, that company downloaded the released password file, and ran a comparison with their own password database, sending out e-mails to customers that matched passwords in both databases.
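What that company must have done, as an added example in Python that is not from this post or any named company: compare a leaked username/password file against its own salted password hashes and pick out the accounts to reset. The dump format, the PBKDF2 parameters and the sample data are my own constructions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # kept modest so the sample runs quickly; production would use more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(accounts):
    """Our side: one random salt per user, so identical passwords never share a hash."""
    db = {}
    for email, password in accounts:
        salt = os.urandom(16)
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


def verify(db, email, password) -> bool:
    record = db.get(email.lower())
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def parse_leak(text):
    """Leaked dump in the form email:password, one per line (constructed format);
    lines without a separator are skipped."""
    creds = []
    for line in text.strip().splitlines():
        if ":" in line:
            email, password = line.split(":", 1)
            creds.append((email.strip().lower(), password))
    return creds


def accounts_to_reset(db, leak):
    """Users whose leaked password also opens their account here. Salted hashes cannot be
    compared dump-to-dump; each leaked password is re-hashed with that user's own salt,
    and only for addresses present on both sides, so the cost is one PBKDF2 per overlap."""
    hits = set()
    for email, password in leak:
        if email in db and verify(db, email, password):
            hits.add(email)
    return sorted(hits)


# Constructed sample: alice re-used her leaked password here, bob did not, carol has no account
# here, and dave shares alice's password but was not in the leak.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "password"),
    ("bob@example.com", "correct horse battery staple"),
    ("dave@example.com", "password"),
]
SAMPLE_LEAK = """\
Alice@example.com:password
bob@example.com:bob1234
carol@example.com:password
malformed line without separator
"""


def demo():
    db = make_user_db(SAMPLE_ACCOUNTS)
    return accounts_to_reset(db, parse_leak(SAMPLE_LEAK))


if __name__ == "__main__":
    print("reset and notify:", demo())
```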

Password Managers and Authentication Services

One solution to this problem is a password manager. These programs generate a random password for each site you visit, so if a password is compromised on one site it cannot be used to access any other. Some popular programs for password management are 1Password and LastPass. Like iCloud Keychain (described in The long goodbye to passwords), these programs store all your passwords in an encrypted database and share them between multiple devices, such as your computer and mobile devices. On computers, these programs can use browser plug-ins to auto-fill username and password info. However, since Safari on iPhone doesn’t allow plug-ins, these apps cannot integrate directly on the iPhone, and instead have their own browsers built in to their iPhone apps. iCloud Keychain can generate random passwords for new accounts online, but 1Password and LastPass have more customizable password generation systems that allow you to specify which types of characters are required (upper case, lower case, numbers, punctuation, etc.), how long the password must be, and whether to remove easily confused characters (like O and 0). LastPass actually offers a web-based password generator you can use; give it a try now to see the kind of passwords it can create.

Another solution to the problem of passwords being hacked is not to give a site a password at all. A number of large sites offer authentication for smaller sites. Some of the biggest sites that do this are Facebook and Twitter. If you have an account on one of those sites, many other sites will let you log in using your Facebook or Twitter account, instead of having to enter a username and password. You go to a site, it asks you to authenticate, you click on a Facebook button for example, and it checks with Facebook and logs you in. The first time you connect your account, you’ll need to confirm to Facebook (or whoever) that you indeed want to allow this site to use your Facebook account for authentication. Subsequently, you just click on the login button associated with the account (Facebook for example) and it verifies your identity and logs you in. The site never has access to a password, so even if it’s hacked, there are no passwords to be found on its servers. The deal here is that you trust a larger company like Facebook or Twitter more than the smaller company to keep your identity safe.

Do you trust web sites with your credit card info?

On to questions two and three. Do you trust any web site with your credit card information?

5 Payment Services
Who will you trust with your identity?

I haven’t done a poll, so I don’t know the answer to this one, but I imagine for most people there are sites they trust to keep their credit card data (Amazon, Apple, Google, PayPal, etc.) and there are sites they don’t trust. On some sites you will enter your credit card info to make a purchase, but when the site asks you if you want it to save your credit card details for future purchases, you say no.

It’s a simple calculation. Larger companies spend more on security, and you tend to trust them more with your financial information. There’s a second factor, however, and that’s convenience. For sites where you are making repeated purchases, having your credit card data on file is a big time saver. Buying $0.99 apps in the App Store or Google Play store would not be very convenient if you had to enter your credit card information every time.

At the same time, the convenience factor can also trump security. If your favorite restaurant, the one you order delivery from twice a week, offers to keep your credit card data on file, you might take them up on it. On the one hand, it’s not a big web site that would be targeted by hackers. On the other hand, it’s possible any employee of the restaurant might be able to access your credit card information. You have no idea what their security is like – but convenience is convenience.

Direct Access

Let’s go beyond credit card information. Credit cards by their nature have some security features built into them. You can always change your number if you think it’s been stolen, and credit card companies usually offer some protection from having to pay fraudulent charges. Credit card companies also spend a lot of time and money bolstering their automated fraud protection software.

This leads us to question number four – which companies do you allow to directly access your bank account?

For most people, the only answer is PayPal. PayPal built their business not only by making an easy way to transfer money between people and businesses, but by building algorithms that could detect fraudulent transactions and make the system safe. When you set up a PayPal account, you generally link it to your bank account, with a credit card as a backup.

As mobile payments ramp up, I think more companies will try to move into this direct connected space, to allow them to do payment processing at the cheapest possible rate. Some companies currently want the credit card in the middle, to lean on their fraud protection and other security features. If there’s a credit card in the middle, you can add on their security features, but you also are allowing potential revenue to flow to the credit card companies.

Near Field Communication (NFC) and iBeacons

It’s not a coincidence that all the credit card issuers like Visa (payWave), MasterCard (PayPass) and American Express (expresspay) have moved into NFC-based mobile payments. These systems don’t change anything – you’re still paying with your existing credit card. They’re just adding a convenience factor, and trying to lock you into using their credit card to make your payments (wouldn’t you use the easiest payment system you have?). Visa has gone one step further and built its own online payment system (V.me) as well, which competes directly with PayPal.

These companies realize that payments are going mobile, and are increasingly done with cell phones. Early efforts to use NFC in cell phones, including Google Wallet, basically failed. This is due to early NFC efforts being tied to the carriers. Google recently announced that any Android phone running a version of the OS earlier than KitKat (4.4, the latest version) will no longer support Tap & Pay (the ability to tap a payment terminal in a retail store with your phone to approve payment). The reason for dropping support for one of the defining features of Google Wallet in older versions of the OS is that they’ve completely overhauled how they handle payment, disconnecting from the carrier and moving to the cloud using a technology called Host Card Emulation (HCE). The technical details are not that important, but Visa and MasterCard have both also thrown their support behind HCE. It can’t be long before other payment processors like American Express also support the technology.

While Google and the credit card companies have pushed NFC as their enabling technology for mobile commerce, Apple has assiduously avoided NFC. Instead, Apple has pushed its own solution, based on Bluetooth, called iBeacons. iBeacons is not only a technology to enable commerce, but a major enabling technology that allows retailers and other businesses to detect the presence of customers, make offers to them based on their location in a store, and other very powerful features. Apple has been slowly deploying this technology in its own stores, in several other retailers, and in sports venues like baseball stadiums. iBeacons allow a baseball stadium to detect a customer with seats in the nosebleed section and offer them a quick upgrade to better seats right on their phone when they enter the stadium. Retailers could see that a customer entering the store bought a razor previously, and offer them a discount on blades. As the range of NFC is so short, these kinds of applications are not possible with it. Apple is also laying the groundwork for retailers to deploy this technology for their own benefit (gaining knowledge about customers, being able to offer deals to them, etc.) while also building in the ability to accept payments. Right now retailers see NFC-based solutions as a cost they may not recover, while iBeacons offer a useful solution to retailers, who will happily enable payments through their iBeacons. iBeacons are not an Apple-only technology (rather, iBeacons is an Apple trademark and standard, but other companies like Google could offer support as well if they’re not locked into NFC as their only solution).

Becoming your preferred method of payment

In the end, all of these initiatives are focused on controlling the flow of commerce in the coming decades. The credit card companies have more or less controlled the majority of commerce for the past few decades, but they know change is coming. New players are moving into the space. There was a time when only the big credit card companies could manage payments globally. Today Apple, Amazon and Google operate stores and process payments in over 150 countries each. Currently these payments still get routed through credit cards, but who says they have to stay that way?

It’s no secret that PayPal has been trying to partner with Apple for their future commerce efforts. PayPal has already partnered with Samsung for their forthcoming Galaxy S5 phone, that will allow payments to be made via PayPal using the fingerprint reader on the S5 for authentication. Apple already offers payments using the Touch ID fingerprint reader on the iPhone 5S (5S/S5 – kind of annoying, no?) for their own store, but not yet for third-party stores. PayPal wants to be the clearinghouse for those third-party payments, but Apple could either continue to direct purchases to account-connected credit cards, or set up its own payment processing system in competition with PayPal.

Companies are positioning themselves to be your preferred method of payment. Companies like Apple, Samsung, PayPal, Amazon, Visa, and Google are all trying to make sure they are the conduit for your mobile purchases. In this race I think some companies have advantages over others. Apple and Google already operate stores in over 150 countries each, and thus are close to being ready to offer global payment services. Both companies have their own mobile operating systems and can push commerce-related features into the devices that run their operating systems.

PayPal already has the service, but can be circumvented by device companies, which is why they are working so hard to insert themselves into the device manufacturers’ solutions (like they have with Samsung). Carl Icahn has been trying to get PayPal spun out as its own company to realize its full value separate from parent company eBay. As things heat up in this space, perhaps we could instead see PayPal bought from eBay by one of these companies to further its mobile payments ambitions.

Amazon operates a global store (although their physical goods are only sold in ten countries, their app store is available in 198 countries), as well as a global wireless network (Whispernet) which could be useful for such efforts. In addition to Amazon’s existing tablets, expect Amazon to offer phones and other personal devices soon. I believe that devices will play a part in the success of mobile payments, which is why the companies controlling the most devices that people use will have a major advantage.

I believe that wearable devices will become key in mobile payments. Smartphones are great, but a watch, bracelet or ring is even better. If you can authenticate yourself using some form of biometrics on a wearable device, and can wirelessly approve payments in retail stores, this creates the third factor (as I described in my earlier article The long goodbye to passwords) that is necessary for secure transactions.

The companies that can both offer payment services (Apple, Amazon, Google and PayPal) and those that can control the devices (Apple, Amazon, Google, and Samsung) will have a major advantage in the upcoming battle for your wallet. For the companies that don’t have enough influence on both the payment side and the device side, expect partnerships to develop.

In the end, the companies that succeed will do so by convincing you that they are the company you want to trust with your identity. This company will know what you buy and who you buy from, will have access to your biometric information in some form, and you will need to trust that they will never be hacked. For this reason, it’s unlikely that a startup company without these other capabilities will win this war. There may be more than one company that wins, but it won’t be a huge number of companies. Just like there are a limited number of credit card companies today, there will be a limited number of mobile commerce companies that take over the market as well.

The end

The long goodbye to passwords

Password Rules

First of all, if what’s written above is your password, you need to change it now. I’ll wait. Okay, good, now for the rest of the article.

Why Passwords Don’t Work

It’s not much of a secret that passwords are not a very good way to secure information. The real problem is when companies try to make users utilize more secure passwords, they end up making the whole system less secure. Does that seem counterintuitive? Here’s a scenario. A company wants to make their corporate systems more secure. They decide that the passwords their employees are using are not secure enough, so they institute rules for passwords, which include:

  • Must be 8 characters or longer
  • Must include a lowercase letter
  • Must include an uppercase letter
  • Must include a number
  • Must include a non-letter/number character
  • Must not be the same as the previous password used
  • Must not be the same as the username, or contain the username

You’ve probably run across these rules before. You may not have seen all of them, but you’ve probably seen most of them, and probably many of them on a single system. In theory, these are all good rules. Where they lead to a less secure system is that most people can’t remember a password that meets all those requirements. Did I make the first letter uppercase? Or the last? Did I replace the O with a zero, or the A with an @? Or both? Since different sites have different requirements, you end up with different passwords.
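The rule set listed above, written out as a policy check so the requirements are unambiguous, as an added example (not any company’s actual policy engine). The “not the same as the previous password” rule is checked against a salted, slow hash of the old password rather than a stored plaintext; the username-containment check is case-insensitive, which is an assumption of this example.

```python
import hashlib
import hmac
import os
import re

# The corporate rules listed above, encoded as (description, predicate).
CLASS_RULES = [
    ("must be 8 characters or longer", lambda p: len(p) >= 8),
    ("must include a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("must include an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("must include a number", lambda p: re.search(r"[0-9]", p) is not None),
    ("must include a non-letter/number character",
     lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def hash_password(password, salt=None, iterations=100_000):
    """Store only a salted, slow hash (PBKDF2-HMAC-SHA256) of a password, so a
    password-history record never becomes a list of old plaintexts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def same_as_previous(password, previous):
    """previous is the (salt, digest) pair stored when the old password was set."""
    salt, digest = previous
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(password, username, previous=None):
    """Return the list of rules the password violates; an empty list means it
    passes. Note that a rule set like this says nothing about whether the
    password is a predictable variant of the user's last one."""
    violations = [desc for desc, ok in CLASS_RULES if not ok(password)]
    if previous is not None and same_as_previous(password, previous):
        violations.append("must not be the same as the previous password")
    if username and username.lower() in password.lower():
        violations.append("must not be the same as, or contain, the username")
    return violations
```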

Take a look at Apple’s requirements for selecting a password for an Apple ID (which is used for everything from the iTunes Store to their iCloud e-mail accounts, etc.):

Apple ID Password Requirements

Originally the only requirement most sites had was that you had to have 8 characters. People generally can’t remember random 8-character passwords, so they use words they can remember, perhaps with some modifications. Introduce a requirement like a number and people need to change what they’ve been using. If one site has a number requirement and another does not, human nature leads one to use the same password with the only difference being the number. Now add in all the other requirements, and all of a sudden people are using many variations of their original password. When different sites have different requirements, people start getting confused and need to send themselves password reminders on sites they don’t use often.

Of course, a user should be using the most secure password they can, but the reality is simply that people use whatever is easiest to remember. If they can’t remember their password, they write it down. Or put it in their cell phone address book. Or keep a file on their computer listing all their passwords. The fact that someone has now put their secure password in an insecure location completely destroys the whole security system. Now instead of having a less secure password that the person could remember, you have a more secure password that is written down under the user’s keyboard at their desk, on a piece of paper in their wallet, or sitting in a text file on their computer.

PIN Codes

Another simpler look at this problem is PIN codes. When I lived in the US and opened bank accounts there, the bank teller would always let me enter a PIN code into a number pad so I could choose my PIN code without having to tell it to the bank teller. In Israel, my experience has been that I haven’t been able to choose a PIN code, and have instead been given a printout (using a special envelope that allows a PIN to be printed without being seen) where I need to use the PIN code that was assigned by the bank. So what’s more secure, the PIN I chose using the number pad, or the one assigned randomly by the bank? You might think the randomly assigned one, since it can’t be guessed using knowledge about me. Imagine how many people use their birthday as their PIN code (which by the way, if you do, you should change your PIN).

So the randomly assigned one is more secure, right? Well, no. Since people have no reference to remember a random number, they tend to write it down or put it in their phone somewhere. You might think you can easily remember a four-digit number, but what if you have multiple accounts, all with random PIN codes? I would say, therefore, that as long as you don’t choose an easily determined PIN code, being able to choose one is probably more secure.

The long-known solution to these problems is that there needs to be a second piece of information, given in addition to your password; this second piece of information is what gives two-factor authentication its name. Bank machines have always had two-factor authentication – you need a physical bank card and you need to know your PIN.

With online two-factor authentication, what the second piece of information is gets complicated.

Hardware Code Generators

RSA SecurID Token
RSA SecurID Token (Wikimedia Commons)

One of the first practical solutions to two-factor authentication was to introduce hardware code generators. If you’ve worked in high-security locations like financial institutions, military contractors, government offices, etc. it’s likely you’ve seen some form of code generator.

The RSA SecurID token is one of the more common physical code generators, and has been around for just less than 20 years as far as I can remember. A small dongle intended to fit on your keyring, it generates a numeric code that changes based on the time. At any given time, when logging in to a secure service, you would enter your password and the number shown on the screen at that moment. The hardware token is tamper-proof, meaning that if you try to open it up to examine it, it would break and not work anymore. The great thing about these kinds of code generators is that there is no need to be connected to a network; they just work based on the current time.

The fact that the SecurID tokens and their like were tamper-proof is evidence of one of their vulnerabilities – they are based on a secret which if known makes them completely insecure. This became evident back in 2011 when RSA itself was hacked, leading to tens of millions of SecurID tokens having to be replaced. Lockheed Martin, the military contractor responsible for some of the US military’s most important defense systems like the F-35 fighter jet, Trident missiles, satellites, etc. was hacked shortly after the RSA hack, before the compromised tokens could be replaced (and perhaps before the extent of the RSA breach was known, or at least known to Lockheed Martin).

YubiKey on a Keyring
YubiKey on a Keyring

There are other hardware solutions besides stand-alone code generating tokens. One interesting example is the YubiKey. It is not that different from a security point of view than the SecurID token. The difference is that it has no screen, no battery, and doesn’t work by itself. Instead, it plugs into your computer using USB (or into your mobile device using NFC with one model) and, using software on your computer and servers online, generates the unique password used for authentication. Some are specially made for specific services, and some are more general-purpose. Some can even be configured to output a static password as if it were a USB keyboard. A good summary of the technical details of the YubiKey can be found on their web site. The big advantage of the YubiKey is that it is small, needs no maintenance (no battery), and is cheap ($25 for the basic model).

Software Code Generators

RSA SecurID Android
SecurID on Android

While hardware tokens have been around for a long time, nowadays when so many people carry around smartphones, it has been possible to create software-based code generators. RSA in fact offers SecurID software apps for most major mobile operating systems, including iOS, Android, Blackberry, Blackberry 10, Windows Mobile, Windows Phone, Symbian, etc. One of the advances available by having an always connected smartphone, however, is that there are now many more options available for software code generation. Indeed, many services provide their own software code generators within their smartphone apps.
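The time-based code generator described for the SecurID hardware token above, and for the smartphone apps here, as an added example: this is the open TOTP/HOTP algorithm (RFC 6238 / RFC 4226) that most software authenticators implement, not RSA’s proprietary SecurID algorithm, and the seed value is the published RFC test vector rather than a real token’s secret. Token and server share only the seed and a clock, which is why the token needs no network and why a stolen seed database (the 2011 RSA breach) lets the thief compute the same codes.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over a 64-bit counter, dynamically truncated
    to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): the counter is the number of 30-second steps since the
    Unix epoch, so the token needs a clock but no network connection."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server-side check. The server holds the same seed and tolerates a small
    clock skew by also accepting the neighbouring time steps; the constant-time
    comparison avoids leaking how many digits matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


# Seed from the RFC 6238 test vectors (a published constant, not a real token's
# secret). Anyone holding a seed, legitimate server or not, computes identical
# codes; that is the entire exposure when a seed database is stolen.
DEMO_SECRET = b"12345678901234567890"
```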

As an example, Facebook’s mobile app has a code generator built in, which you can use with their two-factor authentication system which they call Login Approvals. I have a friend who enabled Facebook’s two-factor authentication last year, then got locked out of his account for months. Now when you sign up, they give you a week to shut it off just in case you end up locked out. They also let you print out up to ten codes you can use when you don’t have your phone. I guess you put that piece of paper in your wallet? It seems there’s a pattern here.

Two-factor authentication itself is not a panacea. It needs to exist within a larger framework of security that needs to be well thought out. Dropbox, which offers two-factor authentication using one-time codes sent via SMS or via their mobile app, had their two-factor system completely bypassed by hackers who used a fake e-mail address and pretended they had lost their phones. It’s quite clever. Luckily for Dropbox, they contacted the company before publishing their exploit so it could be fixed. Not all hackers are so generous, however.

Biometrics to the rescue?

Some people believe that biometrics will be what replaces the use of passwords. People have believed that for decades. There are reasons it hasn’t happened yet, and reasons it’s unlikely to happen any time soon.

Soldier using 'portable' Iris scanner
Soldier using ‘portable’ Iris scanner

Biometrics is the use of unique physical body characteristics to verify your identity. The most well known biometric type in use is the fingerprint. Other biometric types include iris, retina, face, hand geometry, ear shape, gait, odor, speaker recognition, writing recognition, typing rhythm, etc. Not all of these are commercialized, but some like iris recognition and hand geometry are widespread. What is common to almost all of these biometric types, other than fingerprints, is that the hardware required to capture the biometric data is much too big to be used in a mobile device, too expensive, or too clunky from a user experience point-of-view. Some progress is occurring in allowing face recognition via the front-facing cameras in mobile phones, and possibly iris scanning, but things like odor and gait, ear shape, writing recognition, etc. are not coming to mobile any time soon. Without mobile, these technologies are really irrelevant in terms of password replacement.

There’s a reason fingerprints can’t really be used to replace a password, and I’ll get to that, but first let’s take a look at what you might think is fingerprints already in use for this purpose.

Touch ID and iCloud Keychain

Touch ID Exploded View
Touch ID Exploded View

You might be thinking to yourself that the iPhone 5S has Touch ID, so therefore fingerprint biometrics have made it into the mainstream of mobile authentication. Well, no. Touch ID is innovative in a lot of ways, and it can replace entering a PIN to access your phone, but by itself it does not replace passwords (it does allow you to buy things from the iTunes Store and other Apple ID-connected stores, but that’s because it’s Apple and they themselves confirmed the phone is yours). Apple knows this, which is why it has been deploying iCloud Keychain into an increasing number of countries (over 100 countries now). You might not have even noticed iCloud Keychain, which was introduced with iOS 7.0.3 and OS X 10.9 just this past fall.

iCloud Keychain lets you sync passwords (as well as credit card details and Internet account info) via iCloud between your Apple devices such as your Mac, iPhone and/or iPad. When you go to login to a web site using Safari on your Mac or iOS device, it will ask you if you want to sync the password using iCloud Keychain. If you are registering for a new account on a web site, it will recommend a randomly generated password, which you will not need to remember (eliminating the paper taped under your keyboard problem), since it is synced between all your devices. You can of course choose your own password instead. Either way, if you want to save it to iCloud Keychain, it then becomes available for auto-fill on all of your devices.

What does iCloud Keychain have to do with biometrics and two-factor authentication? Let’s look at how you sign up for iCloud Keychain (and why it needed to be rolled out in specific countries). You turn on the feature, and authenticate using a mobile phone. This is not dissimilar to how mobile messaging apps like WhatsApp verify that your phone belongs to you (one of WhatsApp’s biggest expenses, by the way). Once your phone is verified, it can be used as a verification device for your non-mobile devices such as your Mac (and I define mobile here as cellular-connected). Now that your mobile device is authenticated, all of the passwords stored in your iCloud Keychain are essentially secured with Touch ID (or a PIN code if you do not use it). Strictly speaking, this is not two-factor authentication. The web site you’re connecting to using the username and password stored in iCloud Keychain has no idea that in order to enter that password you had to authenticate your phone via SMS and then unlock it using your fingerprint. If your password is found by someone, by hacking or otherwise, the fact that you use a fingerprint scanner on your iPhone does not affect the fact that they can access the web site without your phone.

The problem with fingerprints

Touch ID Hack Video
Touch ID hack being demonstrated 48 hours after release

In general, fingerprints are a great way to verify your identity. There are some people that have unreadable fingerprints (for a variety of reasons) but they are small in number. Fingerprints can also be faked – you might remember that Touch ID itself was circumvented with a fake fingerprint just two days after being released. Two days! Those issues aside, fingerprint biometrics is a fairly well researched technology, and the person who would want to fake your fingerprint would need both a copy of your fingerprint and access to your phone.

The big problem with fingerprints, like all biometric traits, is that once they are compromised there is no going back. If your fingerprint is copied, that’s it, end of game. Sure some fingerprint scanners try to scan under the skin to prove the fingerprint is on a living person, etc. but Touch ID also claimed that capability, and that turned out to be false.

In order to prevent losing the ability to use one of your biometric traits, a considerable amount of research has gone into developing a way to mix the benefits of biometrics and cryptography. This research has led to techniques allowing you to create a password that is based on your biometric trait, but cannot be reversed to reveal your biometric trait. Additionally, you can generate an unlimited number of these passwords, allowing you to change your biometric-based password just like you would change your regular password. This is called ‘revocable biometrics’ and it uses a variety of techniques such as fuzzy extractors. It’s a complicated area, but one thing that has been found in the extensive academic research is that a single fingerprint doesn’t contain enough data to create a secure revocable password. In other words, you will never be able to use a single fingerprint to create a secure password that cannot be hacked (at least with current mathematical and biometric understanding).
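A toy version of the construction behind fuzzy extractors, added here as an illustration and not taken from any of the cited research: a fuzzy commitment hides a fresh random key under the biometric template using an error-correcting code, so a slightly noisy re-reading of the same trait recovers the key, only a hash of the key is stored, and re-enrolling issues a new key (revocation). The template is a constructed bit string, the code is a simple repetition code, and the key size is deliberately tiny; real schemes use proper codes, and, as the paragraph notes, the key can never be stronger than the entropy of the template it is hidden under.

```python
import hashlib
import hmac
import secrets

# Toy fuzzy commitment scheme (Juels and Wattenberg, 1999) using a repetition
# code. Illustration only: real fuzzy extractors use stronger error-correcting
# codes and far more template bits than this.
REP = 5                       # each key bit is repeated REP times
KEY_BITS = 32                 # toy key size
TEMPLATE_BITS = KEY_BITS * REP


def encode(key):
    """Repetition code: each key bit becomes REP identical codeword bits."""
    return [b for b in key for _ in range(REP)]


def decode(codeword):
    """Majority vote per group corrects up to REP // 2 flipped bits per group."""
    return [1 if sum(codeword[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(codeword), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def enroll(template):
    """Enrolment: pick a fresh random key, hide its codeword under the biometric
    template, and keep only the helper data plus a hash of the key. Neither the
    raw template nor the key itself is stored."""
    key = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    helper = xor(encode(key), template)
    key_hash = hashlib.sha256(bits_to_bytes(key)).digest()
    return helper, key_hash


def recover_key(helper, noisy_template):
    """A fresh, slightly different reading of the same trait unmasks a noisy
    codeword; decoding removes the noise and yields the key."""
    return decode(xor(helper, noisy_template))


def verify(helper, key_hash, noisy_template):
    """Authenticate by comparing the recovered key's hash with the stored one."""
    candidate = hashlib.sha256(bits_to_bytes(recover_key(helper, noisy_template))).digest()
    return hmac.compare_digest(candidate, key_hash)


def flip(bits, positions):
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed stand-in for a biometric template; a real one comes from a sensor.
TEMPLATE = [1 if (i * 37 + 11) % 7 < 3 else 0 for i in range(TEMPLATE_BITS)]
```

Revoking a compromised key is just calling enroll again on the same trait: the old helper data and hash are discarded and a new random key takes their place, something a raw fingerprint image can never offer.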

So where does that leave us?

At the moment, I’d say we’re pretty much in the same place we were 20 years ago as far as password security. That’s not to say there hasn’t been progress. It is cheaper to implement two-factor security. Dedicated hardware is no longer required. Two-factor security is available to almost any company, although foolproof implementation remains difficult, as evidenced by the RSA and Dropbox hacking events.

Nymi on Wrist
The Nymi

That said, there do seem to be some interesting products on the horizon. A company named Nymi has come out with a bracelet that uses your heartbeat to authenticate your identity. That’s an interesting trick, because authenticating via a wristband means that the technology can be integrated into any number of fitness bands and smart watches that people are already going to be wearing. I don’t think the concept of a stand-alone band like the Nymi has a long term success possibility, but the concept is interesting as a feature of other products. Not too surprisingly, it turns out Apple has several patents on a very similar feature going back to at least 2009. I tweeted a few weeks ago that if Nymi had good IP, they’d be an obvious purchase for Apple, but considering Apple’s patent portfolio maybe there’s no need to buy them. Even if their IP is weak and Apple could sue them into oblivion, if their product is further along than whatever Apple has developed, it’s still possible Apple could buy them, but they’ll have a much worse negotiating stance.

A company called EyeLock introduced a hockey-puck-sized iris sensor at CES earlier this year, called the myris. It connects to your computer via USB and lets you authenticate using your iris, improving the false-positive rate from the 1 in 50K of a fingerprint to somewhere above 1 in 1 and a 1/2 trillion. Their next goal is to integrate this into the body of laptops and monitors, and eventually mobile devices. They claim to be able to detect that the eyes belong to a real living person (and not a photo, or on the end of a pen if you remember Demolition Man), which if true would be important for such technology. Certainly many biometric systems have been circumvented. It seems this technology is far from being usable in a mobile device, however, so this is years away from being practical.

At the Mobile World Congress (MWC) in Barcelona last week, a Chinese company called YunTab was pushing its $152 YunTab S5 smartphone, which had one unique feature – 3D facial recognition for unlocking the phone. The phone uses two infrared emitters and an extra infrared camera to create a 3D image of your face for authentication. It’s an interesting implementation of facial recognition, considering that other implementations have been circumvented by pointing the camera at a photo or video. I don’t think you’ll see this phone taking over the market (it’s only available in China right now), although it’s not a bad deal for an Android phone with okay specifications.

Authentec Patent Diagram
Authentec Patent Application Diagram

This is an area in which Apple also has extensive intellectual property. Apple bought Swedish facial recognition company Polar Rose in 2010. Apple also bought Israeli 3D sensor company PrimeSense (the company behind the original Xbox Kinect motion sensors) in 2013. Putting aside motion sensing, the technology is very similar to what the Chinese company is using to build a 3D model, and in fact PrimeSense had filed a patent on enhanced facial detection using depth before Apple purchased them. PrimeSense isn’t the only Apple acquisition with very similar patents. Authentec, which Apple purchased in 2012 and which is better known for the technology behind Touch ID, also had patent applications related to 3D facial recognition. Lastly, Apple has patents of its own in facial recognition, including using 3D information. I bring up the Apple connection again because I think the issue of authentication using biometrics is important, and in the end you will have a device with you that will be verified as yours (à la iCloud Keychain) and that you will be using biometrics to secure. Apple is likely to be one of the companies making the devices you will use for this purpose.

Where are we heading? We’re heading beyond two-factor authentication to, you guessed it, three-factor authentication. Those factors are what-you-know (a password), what-you-have (your device), and who-you-are (a biometric sample). We need all of these factors, because without any one of them, the others have a much higher failure rate. The key is making them simple to use. Making them simple to use means integrating everything into a single device that you always have with you. Whatever that device is, it needs to be able to be authenticated as yours (such as via SMS), needs to be able to securely store your biometric hash, and needs to be able to read your biometric signature. Right now the only device that fits that description is a smartphone, and just barely. I believe many of these functions will in fact be pushed to a wearable device. One reason it needs to be wearable is security – you’re less likely to lose your watch than your phone. Wearables are certainly on the rise now, and I think you will see many more of them integrating security functionality (like the Nymi). What else will wearables be integrating? That’s in my next article…

The end