Wednesday, February 18, 2015

Banks consider use of fingerprints instead of passwords


RBS and NatWest have announced plans to allow iPhone (5S and higher) users to access accounts with fingerprints, eliminating PIN codes and passwords. Phil Muncaster has a story on Infosecurity here. It would appear that a similar facility would be offered for ATMs. One could imagine the same concept developed with retinal scans. Will people have bar-coded tattoos some day?
   
But depending on fingerprints is not necessarily safer than strong passwords (and especially 2-step verification) according to the article, partly because of the large number of fingerprints a person leaves. But exploiting them is difficult and requires very dedicated criminals, although Russia and China seem to have a plentiful supply of unemployed techies so motivated.
   
The innovation needs to be evaluated in conjunction with newer ATM debit and credit cards that have much harder-to-reproduce chips.  There is also the idea that making accounts safer could have the side effect of increasing violent crime (this already happens with autos – carjacking increases because cars are much harder to steal).  

Thursday, February 05, 2015

Major hack on Anthem, a ("Blue") health insurance company


The Anthem Blue Cross plan (headquartered in San Francisco) has endured a large data hack, according to USA Today (link). Over 80 million records across the company were compromised, and the source appears to be China. The breach did not involve credit card information, but it did involve a great deal of personal information.

The Wall Street Journal has a detailed story by Anna Wilde Mathews and Danny Yadron, link here.
My own work history had two employment episodes associated with the BCBS system.  One was a consortium of up to seven Plans, but the turf-oriented Blues have always had trouble working together so this hack is no surprise to me.  
   
I think this is the first major hack on a health insurance company, certainly a Blue Plan.

The hacks on major retailers and brokerages so far don’t seem to have directly resulted in a lot of identity theft. 

The biggest threats seem to be fictitious persons created from the identities of children or of others (including the elderly) who do not need credit or have not used it for a long time. The danger could increase with the opportunity for medical identity theft. The best way to meet the threat seems to be to contact Experian, Equifax and TransUnion and place credit freezes, which only you can unlock when actually needing credit.
     
But NBC News has a story explaining how credit monitoring may not stop medical identity theft, which can lead to incorrect patient records and create life-threatening mistakes later with real patients (especially in emergencies, where the careful address verification that I propose on other pages here cannot be done in time). So this gets closer to a real national security problem if coming from a foreign source. The New York Times (Friday, Feb. 6, p. B4) has a story by Tara Siegel-Bernard on the steps of self-protection here (link), regarding existing accounts, new accounts and social security numbers.