It has become increasingly important to uniquely identify an individual. Stealing or hacking personal, financial, medical and security information is increasingly common, and attacks against digital information databases are increasing. For example, by 2015, fraudulent card transactions had exceeded $11 billion a year worldwide, of which the U.S. represents 50%, while Europe follows with 15% of the total. Health insurance is one of the industries most affected by hacking. In 2014, 47% of American adults had their personal information stolen by hackers, primarily through data breaches at large companies. In 2013, 43% of companies had a data breach in which hackers got into their systems to steal information. Data breaches targeting consumer information are on the rise, increasing 62% from 2012 to 2013, with 594% more identities stolen. Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009. These figures reflect a staggering number of times individuals have been affected by breaches at organizations trusted with sensitive health information.
Some of the data can be used to pursue traditional financial crimes, such as setting up fraudulent lines of credit, but it can also be used for medical insurance fraud, including purchasing medical equipment for resale or obtaining pricey medical care for another person. Personal information is also at risk, including information about an individual's mental health or HIV treatments.
Existing solutions are not adequate. For example, the security of password-protected systems depends on a variety of factors. These include resistance to compromising attacks such as computer viruses, man-in-the-middle attacks (where the attacker secretly intrudes into the communication of two unaware parties and intercepts their conversation), and physical breaches (such as bystanders stealing the password by covertly observing it, e.g., through video cameras at ATM machines). The stronger the password, the more secure is the information it protects. Strength may be a function of length, complexity and unpredictability. Using strong passwords lowers the overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system, including which factors (knowledge, ownership, inherence) it combines and how.
Tokens (security tokens) are used to prove one's identity electronically, as in the case of a customer trying to access their bank account. The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.
The simplest vulnerability with any token is theft or loss of the device. The chances of this happening, or happening unawares, can be reduced with physical security measures such as locks, electronic leashes, or body sensors and alarms. A stolen token can be made useless on its own by requiring two-factor authentication. Commonly, in order to authenticate, a personal identification number (PIN) must be entered at the same time as the output of the token, so that the attacker needs both the device and the knowledge factor.
Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, a fraudulent party acts as a go-between for the user and the legitimate system, soliciting the token output (and any PIN) from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct and the authentication system cannot tell who submitted it, the authentication succeeds and the party is improperly granted access.
Trusted as much as a regular handwritten signature, a digital signature should ideally be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, since possession of the private key serves as proof of the user's identity.
For tokens to identify the user, each token must carry some kind of unique identifier. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or other user interface cannot be used in some signing scenarios, such as confirming a bank transaction, because the user has no trusted way to see and approve the bank account number to which the funds are to be transferred before it is signed.
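The following is an added example, not code from the application or any product it describes, that makes the two preceding points concrete. It implements HOTP/TOTP (RFC 4226/6238) for a PIN-plus-token login and shows that a relayed PIN and one-time code are accepted, because the verifier has no way to tell who typed them. It then shows a token that signs the transaction details with an on-board Ed25519 private key: the bank verifies against the transfer it actually received, so a man-in-the-middle who substitutes the destination account invalidates the signature. The account record, PIN, secret and account numbers are constructed sample data; the canonical transfer encoding is an assumption of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, reduced modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP per RFC 6238: HOTP over the number of 30-second steps since the epoch.
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix()/30), digits)
}

// OTPAccount is the enrollment record held by the relying party (constructed).
type OTPAccount struct {
	PIN    string
	Secret []byte
}

// VerifyPINAndOTP checks the knowledge factor (PIN) and the ownership factor
// (a code for the current step or its neighbours, to tolerate clock skew).
// Nothing in the inputs identifies the party who submitted them.
func VerifyPINAndOTP(acct OTPAccount, pin, code string, now time.Time) bool {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(acct.PIN)) != 1 {
		return false
	}
	for skew := int64(-1); skew <= 1; skew++ {
		expected := HOTP(acct.Secret, uint64(now.Unix()/30+skew), 6)
		if subtle.ConstantTimeCompare([]byte(code), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

// RelaySucceeds models the man-in-the-middle: a fake site collects the victim's
// PIN and live code and forwards them unchanged a few seconds later.
func RelaySucceeds(acct OTPAccount, now time.Time) bool {
	victimPIN, victimCode := acct.PIN, TOTP(acct.Secret, now, 6)
	return VerifyPINAndOTP(acct, victimPIN, victimCode, now.Add(5*time.Second))
}

// Transfer is the transaction the user approves on the token's own display.
type Transfer struct {
	FromAccount, ToAccount string
	AmountCents            int64
}

// Bytes is the canonical encoding both token and bank sign/verify (assumed format).
func (t Transfer) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", t.FromAccount, t.ToAccount, t.AmountCents))
}

// SignTransfer runs on the token; the private key never leaves the device.
func SignTransfer(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, t.Bytes())
}

// VerifyTransfer runs at the bank against the enrolled public key and the
// transfer the bank actually received, not the one the user saw.
func VerifyTransfer(pub ed25519.PublicKey, received Transfer, sig []byte) bool {
	return ed25519.Verify(pub, received.Bytes(), sig)
}

// SubstitutionFails returns (genuine verifies, tampered verifies): the attacker
// forwards the user's signature but swaps the destination account.
func SubstitutionFails() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	intended := Transfer{"DE00 1111", "DE00 2222", 15000} // constructed
	sig := SignTransfer(priv, intended)
	tampered := intended
	tampered.ToAccount = "DE00 9999"
	return VerifyTransfer(pub, intended, sig), VerifyTransfer(pub, tampered, sig)
}

func main() {
	acct := OTPAccount{PIN: "4321", Secret: []byte("12345678901234567890")} // constructed
	fmt.Println("relayed PIN+TOTP accepted:", RelaySucceeds(acct, time.Now()))
	ok, tampered := SubstitutionFails()
	fmt.Println("signed transfer verifies:", ok, "| substituted account verifies:", tampered)
}
```

The relay works because the one-time code binds to a time step and a shared secret, not to the session or the transaction; the signature resists it only because the signed bytes include the destination account, which is exactly why a token with no display cannot safely perform this step: the user would be signing whatever the compromised computer sent it.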
Biometric identification systems use physical features to check a person's identity and can offer much greater security than password and PIN systems. Biometric features such as the face or a fingerprint can be stored on a microchip in a credit card, for example. A single feature, however, sometimes fails to be exact enough for identification. Another disadvantage of using only one feature is that the chosen feature is not always readable.
A template protection scheme with provable security and acceptable recognition performance has thus far remained elusive. Development of such a scheme is crucial as biometric systems are beginning to proliferate into the core physical and information infrastructure of our society. Described herein are methods and apparatuses that may address the issues discussed above.