
Passwords are a pain. We choose simple words that are easy to remember, but equally easy for hackers to guess.

Yet we still forget them. And they also get stolen with alarming frequency.

The reported theft of 1.2 billion email passwords by Russian hackers earlier this month was just the latest in a long string of major password security breaches that have led some people to wonder if the use of passwords should be abandoned.

But what are the alternatives?

One low-cost option, according to Dr Ant Allan, an authentication expert at Gartner Research, could be biometrics, making use of the microphones, cameras and web cams most computers and mobile devices are equipped with.

The simplest way to log on might be through facial recognition – or “authentication by selfie,” as Dr Allan calls it – because it would require the user to do nothing more than look at their computer or mobile screen. Logging in using voice recognition would also be straightforward, he argues.

Security for these authentication methods can be beefed up by adding contextual information such as GPS data from a mobile phone, or simply the time of day. If a user tries to log on at an unusual time or place then additional authentication information can be requested.

Digital portrait

Biometric authentication systems from companies like BioCatch use several different types of biometrics and other information at the same time to build a complex profile of a user. This works as a kind of digital portrait that can be used to recognise them.

At the simplest level a profile includes information about the devices and the internet address that the user typically logs in from.

To this is added a physical profile of the user – voice or face biometrics – and characteristics that can be learned from a computer’s camera or a mobile device’s GPS, gyroscope and other sensors. These characteristics can include whether the user is left or right handed, how tall they are, the length of their gait, and a measurement of their hand-eye co-ordination.

After this a “cognitive profile” is built up by monitoring preferences such as where windows are placed on the screen, how quickly the user actually uses the computer or mobile device, and what their typing or touch gesture patterns are.

Finally, the user’s response patterns to a variety of “challenges” are measured.

“The system may introduce a bias which changes where the device thinks your finger is placed on the screen,” explains Dr Allan. “It’s very subtle and not enough for you to see, but enough for you to correct for it,” he says.

Since different people correct for it in different ways, information about their responses to these hidden “challenges” can be added to their overall profile.

What’s different about this type of authentication approach is that it uses “active” or “continuous” authentication. Rather than making authentication a single event, the system continues to monitor a user’s characteristics and behaviour for as long as they are logged on.

“The benefit of this is that you get increased confidence that the user is who they say they are over time, and you can also keep checking that the person using the system is the same person who logged on originally,” explains Dr Allan.

A much simpler approach that could be suitable in some circumstances is to tie a user to a particular computer or mobile device, Dr Allan suggests.

“This is a simple measure that goes a long way,” he says. “If a user tries to log on using a different machine, they would have to do something extra to authenticate themselves,” he adds.
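The contextual checks described above (known device, usual network address, time of day and location) can be combined into a single step-up decision. The following is an added illustration, not code from the article or from any vendor it mentions; every name, threshold and sample value in it is a constructed assumption.

```python
# Added example: a minimal context-aware step-up check. All names,
# thresholds and sample values are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class UserProfile:
    known_devices: set          # devices the user is tied to
    known_ip_prefixes: set      # first three octets of usual login addresses
    usual_hours: range          # local hours at which the user normally logs in
    home_lat_lon: tuple         # approximate usual location (lat, lon)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def assess_login(profile, device_id, ip, when, lat_lon=None, max_km=200):
    """Return (reasons, step_up): the unusual context signals found, and
    whether extra authentication should be requested (any signal => yes)."""
    reasons = []
    if device_id not in profile.known_devices:
        reasons.append("unknown device")
    if ".".join(ip.split(".")[:3]) not in profile.known_ip_prefixes:
        reasons.append("unfamiliar network address")
    if when.hour not in profile.usual_hours:
        reasons.append("unusual time of day")
    if lat_lon is not None and haversine_km(profile.home_lat_lon, lat_lon) > max_km:
        reasons.append("unusual location")
    return reasons, bool(reasons)

# Constructed sample profile: London-based user, one known laptop, office
# address in the 203.0.113.0/24 documentation range, working-hours logins.
PROFILE = UserProfile(
    known_devices={"laptop-01"},
    known_ip_prefixes={"203.0.113"},
    usual_hours=range(7, 20),
    home_lat_lon=(51.5074, -0.1278),
)

def sample_checks():
    """A normal login from the known laptop, then an off-hours login from
    an unknown phone on another network about 260 km away (Manchester)."""
    normal = assess_login(PROFILE, "laptop-01", "203.0.113.42",
                          datetime(2014, 8, 19, 9, 30), (51.51, -0.13))
    odd = assess_login(PROFILE, "phone-99", "198.51.100.7",
                       datetime(2014, 8, 19, 3, 15), (53.4808, -2.2426))
    return normal, odd

if __name__ == "__main__":
    print(sample_checks())
```

In practice the signals would be weighted rather than treated as equal, but the structure is the same: each unusual signal raises the bar, and a login from a new machine is what forces the user to “do something extra”.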

Researchers in Germany and the Netherlands have been exploring ways to identify devices accurately as part of a European project called Puffin – short for “Physically unclonable functions found in standard PC components”.

They have examined seemingly identical computer parts, such as memory chips, and found that tiny variations in conditions during the manufacturing process give each one a unique digital fingerprint, or physically unclonable function (PUF).

Software that can read these PUFs can be used to identify a computer or mobile device reliably, says Pim Tuyls, the chief executive of Intrinsic-ID, a commercial partner in the Puffin project.

The sound of your voice

These approaches don’t work when users have to authenticate themselves over a conventional telephone – to access phone banking services, for example.

Since voice is the only physical biometric available over the phone, Barclays Bank has begun to authenticate some of its customers using “voice print” analysis. The system checks the speaker’s voice in real time against a signature pattern they already have stored.

“The idea is to be as transparent as possible so the customer won’t know that they are actually logging in,” explains Seb Reeve, marketing manager at Nuance, the company that makes the biometric system.

“The system listens to the customer speaking, and after ten or fifteen seconds it will pop up a green traffic light in the call centre to confirm that the person is who they say they are, and the conversation can continue.”

But Karsten Nohl, a member of a German security collective called Security Research Labs, warns that hacking voice recognition is trivial. “You can pretty much make any voice sound like any other,” he says.

He also points out that you can’t change biometrics like your fingerprints, iris pattern, or voice, whereas you can change passwords. That’s a problem if a hacker makes an imitation finger, say, with your fingerprint on it. These can easily be made to appear “alive” by spraying them with graphite to simulate the properties of skin, and by breathing on them to add a realistic amount of moisture, he adds.

Even so, he admits that while biometrics may not be as secure as long random passwords, they are probably more secure than the simple, easy-to-remember passwords that many people use.

“Long passwords are simply impractical, while something like a fingerprint is very practical,” he says.

For the moment, though, the traditional username and password pair is still by far the most common way for people to authenticate themselves online.

The reason – despite all the password security breaches – is that passwords offer a reasonable level of security at very low cost, according to Andras Cser, a security analyst at Forrester Research.

“It is hard to find something that offers a higher level of security for the same money that a password system costs,” he says. “There are other ways of authenticating, but many companies are unwilling to cough up.”

When walking through the centre of a busy city it is easy to feel anonymous.

Set against the cacophony of sharing and declaring that happens online, it can be precious to feel that, just for a moment, you are lost in a crowd.

Unidentifiable.

It is, of course, an illusion. You are never alone, especially if you are carrying a smartphone that has ever been used to connect to a wireless network. Which is pretty much all of them.

All of those devices maintain a list of the wi-fi networks they have joined. The way wi-fi works demands that they always seek to rejoin those networks. As a result, smartphones and tablets regularly broadcast the SSIDs (service set identifiers), or names, of those networks.

It’s a feature designed to ensure that when you are near a network you regularly use, you get connected quickly.

Wave snooping

However, with the right equipment, that very feature could leave you exposed to some sneaky surveillance.

The right equipment is a laptop on which Kali Linux – a version of the free operating system that includes a raft of security tools – is loaded. One of those tools can sniff the airwaves for lists of SSIDs.

I tried it for myself. Sipping a latte in a coffee bar that lay in the shadow of the Bank of England, I watched as my laptop gathered a list of all the wi-fi networks the people around me had joined.

When anyone walked past the window, the list grew, as a new device being carried in a pocket or purse declared where it had been.

I saw the names of wi-fi networks in homes, airports and hotels. Ones that people had changed to include their surname. I saw office networks, other coffee shops, bars, station platforms and football stadiums.

“So what?” you might say. Just because a phone is shedding this data does not make it dangerous.

But combine those lists with websites that log and list wi-fi networks and you potentially have a way to track where people have been without letting them know.

Those websites are easy to find and they handily map all the networks that volunteers have logged.

I entered a few of the names I found during my surveillance trip and it pointed me to quite a few homes in and around London – doubtless where the people that passed by actually lived.

And now I knew that they were not home.

Whitehall wi-fi

To test just what could be done with this low level data if it fell into the wrong hands, the BBC asked security firm Pen Test Partners to carry out a “war walk”, to scoop lists of wi-fi networks.

In the old days of hacking, “war dialling” involved making a phone dial consecutive numbers, and seeking those that answer with a data tone.

These days, “war walking” involves slipping a tablet into a backpack and strolling up and down a road.

The road we chose was Whitehall, in Westminster, London.

Chris Pickering and Ken Munro from Pen Test Partners walked up and down the street several times. Once they took a cab because it was raining. The idea was to gather data at different times, then look through it for the few wi-fi IDs that always turn up.

Those static lists should indicate people working inside the government buildings.

Each trip up and down the road netted about 1,000 hits, said Mr Munro. Sometimes more, sometimes fewer. Filtering out the noise (the tourists) left 58 hits that were consistent between the three passes.

Some of the wi-fi locations those 58 had used were “interesting”, said Mr Munro, especially those for hits logged from inside the Ministry of Defence.

“Some government military staff don’t know how to turn wi-fi sharing off or that they can be tracked by it,” he said.

Passive wi-fi gathering has been done on a bigger scale by James Lyne, head of research at security firm Sophos. Mr Lyne has spent hours cycling around London and San Francisco, gathering the wi-fi data and then analysing it to see, broadly, what can be learned.

“There will be a lot of interesting stories in that data,” said Mr Lyne, given that it logs who went where and which wi-fi network they used when they were there. It could give clues to impending mergers and acquisitions, the early stages of business deals or even romantic assignations.

Commercial use

It is not just security researchers who are interested in the data being shed by your smartphone.

Shopping malls and individual stores are starting to use the data to track people as they move around. Some of the early uses of such tactics, such as when litter bins in London were scooping up the info, have caused concern.

The Future of Privacy Forum (FPF), which represents web giants such as Google, Facebook and Yahoo as well as retailers, banks and more traditional firms such as General Motors and Lockheed Martin, has drawn up guidelines for its backers that govern what data they can gather and what can be done with it.

Shops are keen to use the data as a way to fight back against online retailers, said FPF executive director Jules Polonetsky.

By using it to get to know customers, it should be possible to make shopping much more enjoyable, he said. Just as Amazon recommends items based on what you bought last time, so stores could do the same. They could tailor the experience to “delight” customers, Mr Polonetsky added.

The FPF is working with some stores to make their use much more transparent. In some cases this might go as far as having a display in store revealing the tracking system, who is on it, and where they are.

That transparency should start to dispel some of the fears growing up around the passive tracking, said Mr Polonetsky.

“We can’t have people nervous when they go into stores,” he said.

“This should be about the stores doing something for you, not to you”.