Tag Archives: security

Metal Injection Attack: Bypassing Biometric Fingerprint Security

(Image from LockPickingLawyer YouTube video)

This metal injection attack isn’t from an Ozzy Osbourne video, but from a video made by an expert lock picker in 2019 against a biometric gun safe.

The biometric gun safe is supposed to deny access to a person whose fingerprint biometrics aren’t registered (and who doesn’t have the other two access methods). But as Hackaday explains:

“(T)he back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint.”

Biometric protection is of no use if you can bypass the biometrics.

But was the safe (subsequently withdrawn from Amazon) over promising? The Firearm Blog asserts that we shouldn’t have expected much.

“To be fair, cheap safes like this really are to keep kids, visitors, etc from accessing your guns. Any determined person will be able to break into these budget priced sheet metal safes….”

But still the ease at bypassing the biometric protection is deemed “inexcusable.”

So how can you detect this injection attack? One given suggestion: only allow the new biometric registration control to work when the safe is open (meaning that an authorized user has presumably opened the safe). When the safe is closed, insertion of a thin piece of metal shouldn’t allow biometric registration.

For other discussions of injection attack detection, see these posts: one, two.

By the way, this is why I believe passwords will never die. If you want a cheap way to lock something, just use a combination. No need to take DNA samples or anything.

Oh, and a disclosure: I used Google Gemini to research this post. Not that it really helped.

TPRM

(Imagen 3)

A little (just a little) behind the scenes of why I write what I write.

What does TPRM mean?

I was prompted to write my WYSASOA post when I encountered a bunch of pages on a website that referred to TPRM, with no explanation.

Now if I had gone to the home page of that website, I would have seen text that said “Third Party Risk Management (TPRM).”

But I didn’t go to the home page. I entered the website via another page and therefore never saw the home page explanation of what the company meant by the acronym.

They meant Third Party Risk Management.

Unless you absolutely know that everybody in the world agrees on your acronym definition, always spell out the first instance of an acronym on a piece of content. So if you mention that acronym on 10 web pages, spell it out on all 10 of them.

That’s all I wanted to say…

How is NIST related to TPRM?

…I lied.

Because now I assume you want to know what Third Party Risk Management (TPRM) actually is.

Let’s go to my esteemed friends at the National Institute of Standards & Technology, or NIST.

What is TPRM?

But TPRM is implied in a NIST document entitled (PDF) Best Practices in Cyber Supply Chain Risk Management. Because there are a lot of “third parties” in the supply chain.

When companies began extensively outsourcing and globalizing the supply chain in the 1980’s and 1990’s, they did so without understanding the risks suppliers posed. Lack of supplier attention to quality management could compromise the brand. Lack of physical or cybersecurity at supplier sites could result in a breach of corporate data systems or product corruption. Over time, companies have begun implementing vendor management systems – ranging from basic, paper-based approaches to highly sophisticated software solutions and physical audits – to assess and mitigate vendor risks to the supply chain.

Because if MegaCorp is sharing data with WidgetCorp, and WidgetCorp is breached, MegaCorp is screwed. So MegaCorp has to reduce the risk that it’s dealing with breachable firms.

The TPRM problem

And it’s not just my fictional MegaCorp. Cybersecurity risks are obviously a problem. I only had to go back to January 26 to find a recent example.

Bank of America has confirmed a data breach involving a third-party software provider that led to the exposure of sensitive customer data.

What Happened: According to a filing earlier this month, an unidentified third-party software provider discovered unauthorized access to its systems in October. The breach did not directly impact Bank of America’s systems, but the data of at least 414 customers is now at risk.

The breach pertains to mortgage loans and the compromised data includes customers’ names, social security numbers, addresses, phone numbers, passport numbers, and loan numbers.

Note that the problem didn’t occur at Bank of America’s systems, but at the systems of some other company.

Manage your TPRM…now that you know what I mean by the acronym.

Keith’s “Why”

One of the best “why” stories I’ve seen in some time was written by Keith Puckett of Ubiety Technologies

He had purchased a feature-rich home security system and received an alarm while he was traveling. That’s all—an alarm, with no context.

“The security company then asked me, ‘Should we dispatch the police?’ At that moment, the reality hit: I was expected to make a decision that could impact my family’s safety, and I had no information to base that decision on. It was a gut-wrenching experience. The very reason I invested in security—peace of mind—had failed me.”

From Ubiety Technologies, “What is Your Why?”

https://ubiety.io/what-is-your-why

Puckett then started his company so others wouldn’t face the same emotions of fear and helplessness that he faced.

Why ask why?

Why is a “why” story so powerful? 

Because a story like this grabs a prospect’s attention a million times better than some boring technical feature list with optimum camera angles.

Make it personal. Many prospects have their own challenges that you can solve. 

Make sure you have the answers to their questions. That’s why Bredemarket asks questions before creating content…so your prospects don’t have to.

After all, “why ask why?” is more than an old beer commercial slogan.

And one more thing

For those like me who noted Ubiety Technologies’ Illinois location—you know, BIPAland—here is the company approach to privacy.

What Coauthor “Wrapped” About My LinkedIn Activity

So I checked out Coauthor’s me-too LinkedIn-themed copycat of Spotify Wrapped, like many of you did. Here’s the (unedited) post it wrote for me—not too bad:

= = =

Here’s my 2024 LinkedIn Rewind, by Coauthor.studio:

After 30 years in identity and biometrics, 2024 showed me that verification only goes so far. The real challenge isn’t just confirming who someone is – it’s understanding what they might do.

From employment fraudsters with verified credentials to healthcare imposters with stolen birthdates, this year proved that identity verification alone can’t prevent deception. But it also showed how combining technical expertise with human insight can help protect organizations and individuals.

Key observations from 2024:

  • Identity verification without intent analysis is incomplete
  • Employment fraud evolves faster than verification methods
  • Healthcare identity remains dangerously vulnerable
  • The best fraud prevention combines technology and psychology
  • Product marketing must address both verification and trust

Three posts that captured these themes:

“Employment Fraud and Identity Verification”

On why verifying someone’s identity only goes so far

https://www.linkedin.com/feed/update/urn:li:activity:7268454996734545921/

“Rich Powaza’s Disappearance” 

Real consequences of fraudulent behavior

https://www.linkedin.com/feed/update/urn:li:activity:7253092940393193472/

“Get Off My Lawn”

Changing workplace norms and responsibilities

https://www.linkedin.com/feed/update/urn:li:activity:7262320817898758145/

Through Bredemarket, I delivered over 100 content and analysis projects helping organizations navigate these challenges. I also conducted research on employment fraud tactics and moderated communities helping others avoid scams.

Looking ahead: 2025 will require even more sophisticated approaches to identity verification and fraud prevention. The fraudsters aren’t going away – but neither am I. I’ll continue helping organizations implement effective identity strategies while advocating for ethical AI use and employment practices.

To the wildebeests following along: remember that verification is just the start. The real value comes from understanding intent and building trust.

#fraud #identity #security #productmarketing

Get your 2024 LinkedIn Rewind! Go to coauthor.studio 

Black Friday Fraud Reduction?

Black Friday fraud dipped in 2024? Maybe good news…maybe not.

Frank on Fraud shared a TransUnion report of a 30% decrease in fraud on Black Friday this year. (Links below.)

This in turn was shared and analyzed by Hilton McCall, who noted several theories as to why fraudsters apparently took Black Friday off.

“Tighter fraud prevention measures by merchants and platforms.”

That’s good news.

“Shifting fraud tactics targeting other high-value days like Cyber Monday.”

“A possible focus on new fraud methods, like account takeovers and loyalty point scams, rather than traditional purchase fraud.”

That’s bad news.

Remain vigilant—and if your firm offers a fraud-fighting solution, share your message.

Frank on Fraud: https://frankonfraud.com/fraud-trends/fraudster-vacation-fraud-plunges-on-black-friday/

TransUnion: https://www.globenewswire.com/news-release/2024/12/05/2992306/0/en/New-TransUnion-Analysis-Finds-More-Than-4-of-U-S-Attempted-Ecommerce-Transactions-Between-Thanksgiving-and-Cyber-Monday-Suspected-to-be-Fraudulent.html

Hilton McCall: https://www.linkedin.com/posts/hilton-mccall_fraudprevention-blackfriday-cybersecurity-activity-7272611182727909376-lsyD

Survey Says

So Deloitte announced the results of a survey earlier this month.

“The fifth annual Deloitte “Connected Consumer” survey reveals that consumers have a positive perception of their technology experiences and are increasingly embracing GenAI. However, they are determined to seek balance in their digital lives and expect trust, accountability, and transparency from technology providers.”

Deloitte conducted the survey BEFORE the RIBridges hack.

On the RIBridges Benefits System Hack

I originally worked with state benefits systems during my years at Printrak, and have performed analysis of such systems at Bredemarket. These systems store sensitive personal data of many Americans, including myself. And they are therefore a target for hackers.

The hack at RIBridges

A huge benefits system was hacked in Rhode Island, according to the State.

“On December 5, the State was informed by its vendor, Deloitte, that the RIBridges data system was the target of a potential cyberattack….”

That was just the beginning.

“On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte. On December 11, Deloitte confirmed that there is a high probability that the implicated folders contain personally identifiable information from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat.”

RIBridges is…um…a bridge from Rhode Island residents to various Federally sponsored but State administered benefits programs, including:

  • Medicaid,    
  • Supplemental Nutrition Assistance Program (SNAP),    
  • Temporary Assistance for Needy Families (TANF),    
  • Child Care Assistance Program (CCAP),    
  • Health coverage purchased through HealthSource RI   
  • Rhode Island Works (RIW),    
  • Long-Term Services and Supports (LTSS), and    
  • General Public Assistance (GPA) Program

State benefits systems such as RIBridges are complex and often hosted on old infrastructure that requires modernization. (“Modernization” is a great buzzword to use to toss around when describing aging state computer systems, as I know from my years working with driver’s license and biometric identification systems.) The older and more complex the system, the easier to hack.

The history of RIBridges

This complexity is certainly true of Deloitte’s hacked RIBridges system.

As StateScoop noted in 2021:

“Gov. Daniel McKee…said the state will pay the firm $99 million over the next three years to manage and build out the RIBridges computer system….The firm has been developing the software, which handles the state’s Medicaid, SNAP and other welfare programs, since 2016, though delays and errors during (previous Governor) Raimondo’s administration caused the state to overspend by at least $150 million as of 2019, the last time the state renewed Deloitte’s contract.”

Why is Deloitte’s performance less than ideal? Anthony Kimerv of Biometric Update explains the issues facing RIBridges.

“Federal agencies, including the federal Centers for Medicare and Medicaid Services, had warned Rhode Island before the system’s launch that it was not ready for deployment….RIBridges proceeded despite clear operational risks, leading to immediate and widespread problems. The launch resulted in significant disruptions to benefits distribution, with thousands of residents experiencing delays in receiving critical assistance. Backlogs soared, with more than 20,000 cases piling up due to system malfunctions.”

After much time and effort the backlogs decreased, but the treasure trove of personally identifiable information (PII) remained a target.

“As a central repository for sensitive personal data, including financial information and health records, RIBridges became a potential target for cyberattacks. Security audits revealed vulnerabilities in the system’s defenses….Cybercriminals exploited weaknesses in RIBridges to access sensitive data. The attackers bypassed existing security measures, inserted malicious code, and obtained unauthorized access. The breach exposed flaws in the system’s technical defenses and highlighted issues with its oversight and vendor management.”

The consequences for RIBridges applicants

So now the system is down, applicants are using paper forms, and a cyber criminal is requesting a payout.

(Image by Google Gemini)

Delivery Packages and Geolocation in Residential Neighborhoods

Today’s musings concern delivery packages and geolocation, and may be pertinent if you receive a residential delivery this month. You know, maybe a present or something.

Let’s say you receive a package at your house, the delivery driver takes a picture of your package on your porch as proof of delivery…and the package is subsequently stolen by a porch pirate before you get it.

“Hey, you’re out of luck,” the company may say. “The package was delivered.”

How long will it be until security professionals advise you to NEVER EVER EVER HAVE RETAILERS DELIVER PACKAGES TO YOUR HOME? Use a locker or a staffed business address, but treat residential delivery as EVIL…just like public wi-fi.

Or perhaps expensive packages could be equipped with geotagging…like your luggage. I know that delivery companies hate geolocation as much as airlines do…but it’s a thought.

(Thanks to the anonymous victim of a porch pirate who inspired this. AI-generated image by Google Gemini.)

Insecurity

I didn’t write this. Google Gemini wrote this. (And created the image.)

“In essence, identity is the foundation upon which security is built. A strong, well-managed identity infrastructure is essential for protecting digital assets and preventing unauthorized access. By understanding the overlaps between identity and security, organizations can implement robust security measures that safeguard both their digital assets and the privacy of their users.”

So now take a moment and think about security WITHOUT identity. 

And shudder.