Tuesday, December 12, 2017
Home Tags Biometric Authentication

Tag: Biometric Authentication

Printed electronics makes the perfect fake fingerprint Boffins from Michigan State University have loaded up an inkjet printer with cartridges designed for printing electronic circuits, and used the output to fool smartphone fingerprint sensors. All that's needed is a scan of the victim's fingerprint (reversed so it presents the right way when printed), and a suitable inkjet printer loaded up with ink and paper from printed electronics specialist AGIC. In their paper (PDF) the researchers, Kai Cao and Anil Jain from the university's Department of Computer Science and Engineering cracked a Samsung Galaxy S6 and a Huawei Honor 7. It's a much simpler approach than the “gummy bear fake fingerprint”, which needs materials like latex milk or white wood glue. As the researchers note, in that kind of attack you have to wait 30 minutes for the imprint to set, and there's a fair amount of D-I-Y skill needed to turn a fingerprint into a spoof without spoiling it. Scanning and reversing a fingerprint, loading a printer with electronics cartridges (and one black cartridge), and printing the result on the appropriate paper is much simpler. While the Huawei phone was slightly harder to spoof than the Samsung, the paper says the researchers worked with several volunteers and they were ultimately successful on all attempts. Fake fingerprints fooling phones Although it won't work for all smartphones, the researchers reckon there's an “urgent need for antispoofing techniques for fingerprint recognition systems” since mobiles are being used for payment systems. ® Youtube Video Sponsored: 2016 global cybersecurity assurance report card
It’s probably already happened, but you just haven't seen it... Technology moves quickly, not just in legitimate business, but in the cybercriminal world too.

Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife.

They are happy to target large and small organizations alike, and they only have to be lucky once. Security pros have been forced to prepare for a world of constant, sustained attack by understanding the threats and choosing the right measures to prepare for them.

Companies are realising the extent of the threat and gearing up for it, say experts. “We have seen information security budgets increasing in the last 12 months to address the challenges that cyber crime is bringing to the organisation,” said Steve Durbin, managing director of the Information Security Forum. So what kinds of threats are they dealing with, and how can they prepare? What are the threats and where are they coming from? The cyberthreats facing modern companies fall into various categories, and they’re loosely linked to the type of cybercriminal that you’re dealing with and the kind of information that they’re after. Hacktivism has traditionally been characterised by attacks with a relatively low barrier to entry such as DDoS and web site defacements, for example. While hackers’ motives are frequently political or ideological, financial cybercriminals are interested purely in money, and are adept in their pursuit of it.
Some will attempt to transfer money out of an organization, while others will focus on saleable information. Malware typically underpins a financial cybercrime attack. One notable recent example is Carbanak, an extensive attack on financial institutions that netted $1bn in stolen assets.
It was a devilish attack, starting with a backdoor sent as an attachment that then moved through the network until it found an administrative machine. Then, the malware intercepted clerks’ computers, recording their sessions, and subsequently used that information to transfer money fraudulently using online banking sessions and to dispense money from ATMs. Carbanak was a sophisticated attack that sought to directly manipulate systems, but cybercriminals typically look to steal specific types of information such as personally identifiable information (PII) when they attack. Malware delivery via phishing and drive-by downloads is still a highly effective tool to steal this data.

Exploit kits designed to target enterprise clients with malicious payloads are on the rise.
In its 2015 Threat Report, Forcepoint found three times more exploit kits in circulation than it had in 2013. This information can be about your customers or your employees.

The latter can be just as damaging, because you’re likely to have financial and other data about the people who work for you. One of the most egregious attacks on employee data recently must be the Office of Personnel and Management hack that compromised 5.6 million fingerprint records, and more than 21 million former and government employees, harvesting social security numbers and addresses. PII isn’t the only threat category, though.
Intellectual property is another rich seam for online criminals to mine. Often the subject of targeted attacks, this information can take many forms, from email archives through to launch plans for new products, or details of new products currently under development. “We see a lot of intellectual property theft out there, coming from assumed nation states based on the IPs that they’re coming from, and from industry, too,” said Eric Stevens, director of strategic security consulting services at Forcepoint. “It’s a lot cheaper to steal development time than it is to do that development yourself,” he pointed out. While these different groups will typically seek different types of information, there is also an increasing amount of overlap. Hacktivists have begun targeting both customer data and intellectual property where it suits their needs.

Anonymous was behind the theft of ticketholder data for the 2012 F1 Grand Prix in Montreal, which was posted online. Hacktivist faction Lulzsec mined intellectual property from private security firm Stratfor in 2011. How do you live with attackers getting in, and continue to fight them? Over the years, the focus on keeping attackers out at all costs has shifted towards managing them when they break into an organization.
Security professionals seem to be tacitly admitting that network intrusion is a question of ‘when’, rather than ‘if’. “15 years ago, the focus was keeping them out.

Today, organizations are starting to realize they have to deal with a certain degree of compromise,” explained Stephen Northcutt, director of academic advising for the SANS Technology Institute. This is something that at least one of the three-letter agencies has understood for years.
In 2010, Deborah Plunkett, then-head of the Information Assurance Directorate at the NSA, said that the agency assumed that there were already intruders inside its network.

Considering itself already compromised forced it to protect critical data inside the network, rather than relying on a single ring of iron. The Open Group’s Jericho Forum focused on containing rather than preventing threats with its de-perimeterization principle, first espoused in the mid-2000s, which stated that the traditional trusted network boundary had eroded. One of the group’s commandments to survive in a de-perimeterized future was the assumption that your network was untrusted. Clearly, the NSA didn’t protect its resources especially well, though.

Ed Snowden, working for third party contractor Booz-Allen Hamilton, happily vacuumed up gigabytes of sensitive data for a sustained trickle-feed campaign to the media. No matter what side of the Snowden debate you’re on, for CISOs his case highlights the need for controls to stop the theft of information through authorized accounts. “Over the next few years, you will see a lot of growth in privilege and identity management,” said Northcutt. “At the network level you are going to see more segmentation and isolation.” To fully protect themselves with these techniques, though, organizations need a deep understanding of the data that they have and how it is used in their business, said Stevens.

There are many roles and sets of responsibilities in an organisation.
Some of them may even transcend internal employees altogether. “You have to understand what your business processes are surrounding that data,” he said.
It’s necessary to understand what a normal process looks like.

A hospital may send data to a third party company that produces its invoices for it. How can you distinguish between a legitimate business process like that, and an illegitimate one that is sending sensitive data to bad people? How do you distinguish between normal behaviour/threats Distinguishing between these different modes of behaviour is an important skillset for IT departments trying to spot attackers inside their network, but it’s doable with the right tools, say experts.
It’s all a question of mathematics, said Northcutt. “Twenty years ago the US Navy spent about a million dollars for a bunch of PhD statisticians to determine that like groups of people using like systems have a very similar network traffic footprint,” he said, adding that we have been using statistical techniques to baseline normal behaviour for years now. One form of attack involves malware that enters a network and then moves laterally, trying to find any data it can, and then exfiltrating it.
Software designed to baseline regular employee behaviour and then spot anything that deviates from the norm may be able to spot the unusual patterns that this malware may generate. Is a user account sending large amounts of data from an account that normally doesn’t? Is it encrypting that data, when it is normally sent over the internal company network in plain text? Why is it sending it at 2am when all employees are normally long gone? All of these things can raise flags in a suitably-equipped system. Where do you start when choosing tools Training people to be security aware is an important part of stopping breaches, but CISOs will never eradicate those problems entirely.

A technology layer provides a vital layer of protection.

Don’t be distracted by emotions or industry buzzwords when choosing these tools, said Stevens. He recommends first identifying what data you want to protect (adding that this is more difficult than you’d imagine for many companies).

Talk to compliance managers and line of business owners to identify this information, and then work out what category of tool would best block the egress of that data. Companies can hone their priorities by focusing on a security framework like NIST’s, using it to establish areas where they need to improve. “Then it’s about ensuring that those purchases are improving your security posture as well as catering to compliance requirements that you may have,” he said. At the very least, though, he recommends a web and email security gateway, along with a data leak prevention (DLP) tool to monitor and prevent things from leaving. “Essentials are always going to be network monitoring tools,” said the ISF’s Durbin, adding that companies can build out their tool sets as they become more sophisticated. “The more advanced will focus on big data and trying to anticipate breaches and identify weaknesses in the security perimeter. Best of breed vs holistic approach Should companies buy a single security platform offering a holistic approach, or focus on point solutions instead? “I would always vote on holistic, mainly because we aren’t seeing point channel solutions that are very effective,” said Stevens.

The main problem with best of breed solutions is visibility, he argued.
If you’re purchasing point solutions from multiple vendors, then integrating them to create a coherent view of your organizations’ security incidents can be challenging. Your view of security needs to be watertight, not least because incidents in one domain that seem incongruous might suddenly gain more significance if you’re able to correlate them with other incidents happening elsewhere. A single pane of glass can help to ensure a consistent view of everything that’s happening across the various aspects of your infrastructure, from email scanning through to web gateways. The good news is that while many of the threats facing companies are sophisticated, many of them rely on the least amount of effort to infiltrate a company.

Attackers will go for unpatched, out of date software versions and misconfigured machines if they can, to avoid giving away their zero-day secrets. Using tools to keep a watchful eye on your network, endpoints and data is one part of the solution.

Good threat intelligence is another. Just as important, though, are proper conversations with business counterparts to understand what data you should be trying to protect in the first place. ®
Step 1. Simply take over a victim's mobile phone number NatWest is tightening up its internet banking systems after security shortcomings were exposed by journalists. BBC hacks were able to hijack a colleague's NatWest online bank account and transfer money without knowing her password. The UK bank's parent, Royal Bank of Scotland (RBS) Group, is also shoring up its security. Radio 4's You and Yours revealed the security flaw after investigating complaints from the victims of SIM swap fraudsters. The SIM swap scam involves redirecting text messages from someone's mobe to another phone. El Reg covered the swindle three years ago. This is how is typically goes down: using some social engineering, the crook reports a victim's handset as lost or stolen to their mobile network, and asks for the victim's phone number to be swapped over to the crim's SIM. Alternatively, the crook just nicks the phone. Either way, the thief receives texts sent to the victim's number. As the You and Yours team found, the crim can then call NatWest and claim they've forgotten their customer ID number, password, PIN, and everything else needed to log into their online bank account. The bank will then text a code to the victim's number, which can be entered by the crook online to reset and change the password and PIN, and gain control of the bank account. This allowed a BBC reporter to siphon off £1.50 from a producer's account. On the one hand, an attacker must somehow gain control of a victim's phone number, which isn't straightforward. In the Beeb's case, the reporter was handed the producer's mobile and told to do her worst. It's not exactly Kevin Mitnick. On the other hand, simply having control of a person's phone number shouldn't immediately throw open the doors to all their money. So minus 10 points to NatWest. In response to the investigation, a community manager on NatWest's official forum stated that the "specific example put to us by You and Yours required them to know multiple pieces of personal information to generate the activation code and have control of the customer mobile phone," while admitting that its security needs improving and outlining forthcoming changes: We're implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google. We are also introducing a 'cooling off period' of three days, which prevents payments being made via the mobile app when a reactivation has taken place. NatWest reckons that all manner of extra information would be needed to make a transaction, specifically the customer number, partial PIN and partial password. Crucially, though, the You and Yours team was able to set new passwords and PINs after claiming they had forgotten those login details. There was no email confirming a password change, a shortcoming RBS and NatWest has since addressed. The BBC team did not go through a step-by-step process of how the hack was carried out, due to an understandable concern to not give fraudsters fresh ideas. The community manager made a much better fist of explaining the bank's position than the hapless spokesperson fielded on BBC Radio 4's You and Yours, Chris Popple, manager director of digital at RBS/NatWest, who didn't get much past banalities about taking customer security seriously and repeatedly described the BBC's research as "helpful." In response to queries from El Reg, NatWest supplied a statement partly reiterating what its community manager had said: SIM swap fraud is an emerging issue across the industry, and we're working closely with Financial Fraud Action UK and mobile phone providers to enhance our customer authentication processes as fraudsters become more sophisticated. Our records show that of all the people who enroll in online banking and forget their details, only 0.01 per cent are fraudulent. We encourage all of our customers to protect their phone using a passcode or Touch ID, keep details of their PIN and online banking details secure, and to get in touch with us as soon as possible if they believe they have been a victim of fraud. As stated in our Digital Promise, if a customer does fall victim of fraud in this way, we will refund them. If you spot any security problems with your mobile or online banking, do ping us an email. ® Sponsored: Five essentials for improving endpoint security
Microsoft really, really wants everyone to dump Windows XP, Windows 7, and Windows 8 in favor of Windows 10.
It's been aggressively urging users to upgrade to Windows 10, even preinstalling the Windows 10 update on PCs unasked.

This week, it provided a new incentive to encourage Windows 10 updates, especially in businesses: enhanced security. The company announced a new service built into Windows 10 called Windows Defender Advanced Threat Protection that helps IT detect and make suggestions on how respond to attacks that have made it into the network. Windows Defender ATP does not yet actually remediate any breaches that it detects, though Microsoft plans to add such capabilities in the future. (Don't confuse Windows Defender APT with Exchange Online ATP, a for-pay add-on to Office 365. Windows Defender APT complements Exchange Online ATP, not serves as an alternative to it.) Windows Defender APT is one of several security features that Microsoft has brought to Windows 10 in hopes of upping the appeal to enterprise IT departments. Others include: Credential Guard: Built into Windows 10 Enterprise and Education editions, this tool stores credentials (NTLM hashes and Kerberos tickets) with the LSASS process that manages them in an isolated Hyper-V virtualized container. Device Guard: This tool prevents untrusted apps from running on Windows 10 Enterprise PCs.
Via virtualization, it isolates the Code Integrity services from the Windows kernel.

For this to work, you have to go through and sign your apps and determine their trustworthiness.  Windows Hello: This is a biometric authentication feature built into Windows, using fingerprint matching and facial recognition. Enterprise Data Protection: This tool works with Microsoft's Intune and Configuration Manager servers, as well as with third-party mobile management servers, to encrypt enterprise data and remotely wipe enterprise data from devices. Other mobile management tools offer similar capabilities, but Microsoft's stands apart in its integration with Azure Active Directory for access management to cloud and other sevices.  Windows 10 also provides security tools included in previous Windows versions, such as a software firewall, BitLocker drive encryption, and the Windows Defender antimalware tool.
Smarter Authentication 3.1 improves protection against MITM attacks and supports Android’s fingerprint APIOslo & Palo Alto, 25th February, 2016 – Encap Security, provider of uncompromising authentication for financial institutions, has today announced the release of version 3.1 of its Smarter Authentication platform.

The update includes support for Android’s fingerprint API, and better protection against Man In The Middle (MITM) attacks. The release builds on Encap’s support for Apple’s Touch ID and Samsung’s fingerprint sensor. With support for Android’s fingerprint API, all devices using this system can be used by financial institutions to provide fingerprint access to their services.

The API is part of Android’s Marshmallow update, and is used by Google’s Nexus 5X and Nexus 6P devices, with more to follow. Previous releases of Smarter Authentication have protected against MITM attacks at the network level, but this protection now extends to the OS level too. Previously all data communicated between the app and the Encap server was encrypted by the SSL layer on the device, making any network level intercepted data useless. Now all data is encrypted on the app layer before being passed to the SSL layer.

Even devices that have been compromised by malware to have the SSL libraries manipulated or replaced by malicious code or are jailbroken will still be perfectly safe to use as a security credential. Encap 3.1 also sees its white label Android authentication app rebuilt according to Google’s ‘Material Design’ guidelines, and new quick custom branding options built in that makes branding the app incredibly simple. “We are dedicated to creating a platform that allows banks the freedom to add authentication methods as they become available - and offer that choice to their customers,” said Thomas Bostrøm Jørgensen, CEO, Encap Security. “Smarter Authentication 3.1 builds on our previous work by future-proofing our fingerprint options and making the app even safer to use – even if the device itself is compromised.” -Ends- About Encap SecurityEncap Security provides uncompromising authentication for financial institutions.
It uses smart device capabilities to transform authentication from an obstacle into an enabler of financial services innovation. Encap’s Smarter Authentication platform turns any device into a security credential removing the need for cumbersome and costly SMS codes and hardware such as tokens and SIM-cards.
It makes authentication simple for users, and enables innovation, reduces risk and drives service adoption for institutions. Based in Oslo, Norway, and Palo Alto, USA, Encap Security’s world class management team has an unrivalled pedigree in mobile banking, finance, enterprise and remote access security.
Its patented solution is used by major banking institutions such as Santander, EnterCard and Sparebanken Vest. Website: https://www.encapsecurity.com/Twitter: https://twitter.com/encapsecurityLinkedIn: https://www.linkedin.com/company/encap?trk=company_name
MasterCard plans a rollout this summer in the U.S., U.K., and throughout Europe. Finally, a legitimate reason for taking a selfie: MasterCard will reportedly begin accepting selfie photos and fingerprints as an alternative to online passwords. MasterCard plans a rollout this summer in Belgium, Canada, Denmark, Finland, France, Germany, Italy, the Netherlands, Norway, Spain, Sweden, the U.K., and the U.S., according to the BBC, which the credit card firm hopes will cut down on potential fraud. News of selfie pay first emerged last year, and it was tested in the U.S. and the Netherlands before today's annoucement.  MasterCard currently uses SecureCode, a program that allows participating merchants to verify the legitimacy of a purchase by asking cardholders to enter a supplemental PIN at the point of purchase.

The new function, however, is meant to simplify the process—especially for those forgetful users who can't remember their four-digit code. With selfie pay, consumers will still have to enter their credit card details when making an online purchase, according to the BBC.

But when additional authentication is required, the MasterCard app will ask users to look at their device's camera or use the fingerprint sensor instead of typing in a pin. Selfie takers must also blink into the camera to prove they are a living, breathing human being, and not just a photo, the BBC said.

The app then converts your face into an algorithm, which is compared with those stored in the company's database; your actual photo will not be saved in a directory. MasterCard did not immediately respond to PCMag's request for comment. Credit card rival Visa this week, meanwhile, introduced an Internet of Things solution: an expanded Visa Ready program for wearables, cars, appliances, public transportation, and clothing.
Initial partners include Accenture, Coin, Fit Pay, and Samsung, who will work with device manufacturers like Chronos and Pebble to embed secure payments into consumer devices. "By adding payments to these devices, we are turning virtually any Internet connection into a commerce experience—making secure payments seamless, and ultimately more accessible, to merchants and consumers," Jim McCarthy, executive vice president of Visa innovation and strategic partnerships, said in a statement.
Startup Trusona is launching what it claims to be a 100 percent accurate authentication scheme aimed at corporate executives, premiere banking customers and IT admins who have unfettered authorization to access the most valued corporate assets. The sys...
The geeks are approaching the whole Apple vs.

FBI battle over encryption and privacy all wrong.

This is a golden opportunity to get John Q. Public on board regarding data privacy and online security.

But instead, we have a cacophony of conflicting information and noise, and the FBI is winning in the court of public opinion. It's high time Jane Q.

Citizen got to see a clear example of how the U.S. government is slowly but surely chipping away at personal privacy under the guise of national security.

And you couldn't have a better company standing up to the government: The one behind some of the most popular consumer electronics devices today.

There's none of the squickiness of Google and its constant slurping of data, or Facebook's desire to collect information about people you know and things you like.

Apple is not just a tech company -- hate it or love it, Apple is indubitably a lifestyle brand. But there is a stark difference in how Apple and the FBI and the Justice Department, along with their allies, are framing the conversation.

And as a result, Apple and the techies are losing John's and Jane's attention by railing about backdoors, encryption, and legal precedents. Those detailed explainers and FAQs do lay out what's at stake.

But it's the FBI that comes off looking reasonable.

The FBI is, it regular reminds us, trying find out why two people killed 22 people and injured 14 a few months ago as part of a mass shooting, which it regularly describes as terrorism.  So reasonable, in fact, that there's this headline: "San Bernardino terror attack victims' families ask Apple to cooperate with FBI." The side relying on emotions and fear is always going to win against the side carefully crafting logical arguments.
It may be in the nature of technical people to avoid emotions and favor logic, but that's one reason why the FBI is winning the hearts and minds of Americans here.  The thing is, even with all the secret documents that Snowden stole from the NSA, the average user isn't any more concerned about government surveillance today than he or she was three years ago. Sure, it's terrible, but when it comes to user privacy it's still a world of weak passwords, mobile devices with no passcode (or TouchID) enabled, and an overall lack of urgency. So skip the arguments about how if the FBI wins this round, law enforcement will keep coming back with more requests against more devices.  If there is something the Janes and Johns are scared of, it's the foreign other, the faceless enemies sitting in China, Russia, and Iran (why not throw North Korea in the mix, too?).
It's the criminals siphoning money from banks, the nation-state actors stealing personal information from government agencies, and adversaries trying to stop a movie release.  If the FBI gets its way on bypassing this iPhone 5c's protections, what would stop other governments from coming to Apple, Dell, and other companies and asking for help modifying the devices we use to further their own purposes? It won't be the first time a government tried to compel a company to modify technology in the name of national security. Remember BlackBerry?  "While the FBI's request seems to go beyond what other governments have sought from Apple so far, if Apple is forced to develop code to exploit its own phones, it will only be a matter of time before other countries seek to do the same," Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, wrote on the NYU School of Law's Just Security blog. She's right.

And that's a scary enough prospect to justify supporting Apple.

Techies may not like the emotionalism, and consider it to be FUD.

But it's not FUD.
It truly is scary -- and should be talked about that way.
Designed to help increase revenue and enhance customer experience for MNOs through an identity strategy that leverages the privacy-preserving, biometrics-ready FIDO FrameworkFeb 19, 2016Barcelona & Palo Alto, CA — GSMA Mobile World Congress – Nok Nok Labs, an innovator in modern authentication and a founding member of the FIDO® Alliance, today announced the launch of the NNL™ “Jumpstart Program for Mobile Connect.” This program compliments the other products and solutions that Nok Nok Labs offers to Mobile Network Operators, and is designed for MNOs that utilize Mobile Connect with their strategy and offerings that address customer identity, authentication and biometrics enablement.

The program will help Mobile Network Operators deliver a biometric-enabled, FIDO Certified™ customer authentication experience via Mobile Connect that increases revenue and loyalty with their own customers as well as opening the door to additional commerce services and partnerships. Nok Nok Labs logo The MNO industry, under the auspices of the GSMA and in cooperation with Nok Nok Labs and the FIDO Alliance, has developed an architecture for easy integration of biometric and other emerging authenticators.

The NNL JumpStart Program for Mobile Connect allows MNOs to rapidly build an identity strategy that better engages customers either directly, via simplifying access to an MNO’s own services, or indirectly, by providing solutions to third-party service providers via Mobile Connect, with greater convenience and improved security.

The program includes the following components: Strategy Assessment - aligning strategic initiatives around identity as a key building block via the Mobile Connect platform Proof of Concept - accelerated implementation of prototypes of customer solutions Production - Internet-scale deployment and monetization “We’re excited to announce our new Jumpstart Program at this year’s GSMA Mobile World Congress 2016, where the world’s leading MNOs assemble,” said Rajiv Dholakia, VP Products at Nok Nok Labs. “This program formalizes activities that Nok Nok Labs has undertaken over the past years and incorporates lessons learned from leading MNOs around the world. Over the last year, we’ve seen notable Internet scale deployments of our products from industry leaders, including NTT DOCOMO.

Through our Nok Nok Labs™ S3 Authentication Suite, we deliver omnichannel authentication that enables MNOs to deliver an identity and authentication strategy that better engages their customers with an improved user experience that combines convenience and security.” As highlighted by a paper published by the GSMA and Secure Identity Alliance, “Mobile Identity - Unlocking the Potential of the Digital Economy,” the opportunities in mobile identity are present in vertical markets including healthcare, education, commerce and the public sector. Such verticals are focused on delivering mobile-centric solutions that require identity verification for which MNOs are uniquely positioned. The Nok Nok Labs S3 Authentication Suite can assist MNOs in delivering a flexible set of authentication capabilities within their Mobile Connect deployments, facilitating a wide range of high-value services. Nok Nok Labs can provide standards-based infrastructure to support MNOs by: Driving revenue opportunities – By deploying a Nok Nok Authentication Server, MNOs are able to offer a wide range of different value-added authentication services to their business customers and partners via Mobile Connect, leveraging this combined framework for managing user consent and providing a wide range of value-added services based on attributes Increasing consumer satisfaction – Consumers will enjoy increased value through the use of authentication capabilities in mobile devices, such as fingerprint sensors, microphones and cameras, to enhance their online experience Leveraging existing assets – Nok Nok Labs has worked with partners to make FIDO-enabled SIM cards available as an authenticator option, locking in the value provided by the MNO Visit Nok Nok Labs while attending the GSMA Mobile World Congress 2016, at Stand UW7.9 from 22-25 February in Barcelona, Spain.

For more updates from the show, follow @NokNokLabs or @GSMA and use hashtag #MWC16 to be part of the conversation. About Nok Nok LabsNok Nok Labs provides organizations with the ability to bring a unified approach to deploy easy to use and secure authentication infrastructure to their mobile and web applications, using standards-based solutions that include support for FIDO and other specifications.

The Nok Nok S3 Authentication Suite enables organizations to accelerate revenues, reduce fraud, and strengthen security. Nok Nok Labs is a founding member of the FIDO Alliance with industry leading customers and partners that include NTT DOCOMO, PayPal, Alipay, Samsung and Lenovo.

For more information, visit www.noknok.com. Media Contact:Tom Rice703-856-2218NNLPR@merrittgrp.com
Solfyre offering is a hit with industry experts and the public, proving itself a true trailblazer in the fintech and mobile spacesLondon – 18th February 2016 - British cybersecurity pioneer Solfyre were awarded with the winner’s title for an outstanding three categories in global startup awards scheme the Tech Trailblazers Awards.

The voting public and judging panel made up of industry experts both decided that Solfyre would take home the Trailblazers title in FinTech, Mobile and Firestarter categories. Solfyre logo With the ability to offer businesses and consumers a secure and hassle-free login experience on any website, and its commitment to acknowledging and meeting the needs of the user, Solfyre’s login and password management mobile app ‘SID’ gained top scores all round. SID encrypts a user’s passwords, and when the user plans to log in to any website on their desktop it generates one time QR codes for two factor authentication.

This is an extremely easy and quick way to securely log in without having to constantly remember multiple passwords.

Furthermore, the judges were very impressed with SID’s biometric components for further authentication and personal security. Craig Vallis, founder and CEO of Solfyre said, “Gaining top recognition in these three categories illustrates our understanding of and commitment to the mobile technology we are evolving, the financial technology sector which SID is a strong solution for, as well as our strategy to grow as an early stage pre-funding startup. We are very proud to have gained recognition in three areas that are integral to Solfyre’s aims and progression as a company.” Rose Ross, Chief Trailblazer said, “On behalf of the team and esteemed international judging panel, I congratulate all the winners of the Tech Trailblazers Awards. We were greatly impressed by the ingenuity and innovation shown in the entries . Winners of this year’s Tech Trailblazers Awards are some of the most exciting enterprise tech startups making an impact in the business world today.
I’m sure we will be hearing more about the successes from these inspiring startups in the future. We wish them the very best of tech trailblazing luck in 2016.” For more information on the Tech Trailblazers, please visit www.techtrailblazers.com, follow the buzz on Twitter @Techtrailblaze, hashtag #TTawards or check out LinkedIn for the latest updates http://www.linkedin.com/company/tech-trailblazers-awards. ### About SolfyreSolfyre is a British startup specialising in identity and password management. Headquartered in London, the company is committed to igniting the Identity Revolution.

The first step is the development of SID, a mobile app that simplifies password management and ensures passwords are always secure and always accessible.

The app will available in iOS, Android and Windows Mobile versions in early 2016. For more information, visit the Solfyre website on: www.solfyre.com or follow them on Twitter on www.twitter.com/solfyreID Media ContactOmarketing for SolfyreRosalind Carrrosalind@omarketing.com+44(0)20 8255 5225@omarketingnews

Carbonite

Carbonite is one of the most recognizable names in online backup. It's also one of the easiest-to-use online backup services around, its mobile apps are well done, and it presents a good value for your money. Carbonite is still weak on sharing features, however, and limits you to a single PC, with external and network drives off-limits for backup. Recent news for the service is that it's discontinued the Sync & Share feature, so, unlike competitors such as IDrive and SpiderOakONE, Carbonite no longer has folder-syncing capability. Price Plans Carbonite's pricing plans are pretty straightforward: For $59.99 per year, the Basic plan gets you unlimited backup space for one PC or Mac computer. The Plus upgrade option ($99.99) adds the ability to back up external drives and create a mirror image of your entire disk for full system backup. The Prime plan ($149.99) adds automatic video backup (included in the base plan of Editors' Choice service SOS Online Backup) and a courier recovery service, which sends your data to you on a disk. The last will be of interest to SOHO users who may not have time to download hundreds of gigabytes of restored files. The fact that Carbonite's base price only covers one PC is not uncommon. But Editors' Choice IDrive offers 1TB that you can use on as many computers as you like for about the same price as Carbonite's one-PC-unlimited plan. A free 15-day trial Carbonite account is available (with no credit card needed), but there's no permanent, low-storage free plan like those offered by OpenDrive and IDrive.  Interface: Choosing What to Back UpAfter downloading Carbonite's PC software, you're taken through a clear wizard-driven process to select what's backed up and when. First you choose a nickname for the computer. That way, if you add other computers to your account, you know which one has the files you want. Next comes a big help for those who aren't sure exactly which files to back up: The wizard offers to automatically choose what to include (documents, photos, email, and music) and when to upload the files. There's also an Advanced option that lets you decide on the backup set and schedule the backup for yourself. You can use Advanced either to fine-tune Carbonite's default selections or to start completely from scratch. If you spring for the Plus plan, you can have the service back up your entire drive, system files and all, as well as connected external drives. The higher-level plans also let you create a duplicate backup to local storage, so that you can recover files without an Internet connection. Backup Scheduling and SecurityNext it's time to choose when backups should occur. I really like the default option, Continuous. You can also simply tell the software to back up once a day. If your Internet connection isn't the strongest, you may prefer that, though you can also tell Carbonite not to upload during your busy hours. The Continuous option only uploads file changes and new files, however, so it shouldn't overly tax your connection. Once you know what you're backing up and when, you need to decide on a security level. Carbonite encrypts your data before sending it to its servers. By default, Carbonite manages your encryption key, but those who want to really lock down their data can choose to manage their own key. This means no one at Carbonite has the means to access to your files even if compelled to by a search warrant, but also that they won't be able to recover your files if you lose the key. It means, furthermore, that you don't get Web access to your files; Mozy, by contrast, allows Web access for accounts using private keys. If you pick Carbonite, I recommend the still-secure but less-restrictive managed-key option. Your final options before Carbonite actually starts processing and uploading your data are to have the service prevent your PC from sleeping and to add any files not covered automatically—videos, program files, and files larger than 4GB. A wizard page explains that the initial upload could take a couple days. It also explains Carbonite's helpful File Explorer dots. The software adds a red dot if a file's waiting to be backed up, and green if it's all set. You can right click on any allowable file to add it to the backup set. If you update a file, the right-click context menu offers a "back up as soon as possible" choice, something I appreciate. If this functionality is very important to you, then Carbonite is a better choice for you than SOS Online Backup. CrashPlan, IDrive, and SpiderOakONE offer similar Explorer integration, though. During upload, Carbonite's clear InfoCenter window shows you exactly which file is currently being worked on, along with an overall progress bar. A system tray icon lets you launch the InfoCenter, freeze your backup, or pause uploads. Clicking a linked number of pending backup files opens an Explorer window that mirrors your drive structure, though it's populated only by backup files. InfoCenter's Settings tab lets you turn off the Explorer dots, change the backup set and schedule, and reduce bandwidth usage. Backup SpeedFor performance and bandwidth testing, I timed the Carbonite's backup upload speeds on two 100MB sets of mixed file types and sizes. I used PCMag's superfast 177Mbps (upload speed) corporate Internet connection so that bandwidth wouldn't be the limiting speed factor. At 3 minutes and 10 seconds Carbonite was among the slower services, only besting the very slow Backblaze. This compared with SOS Online's 52 seconds and CrashPlan's 59 seconds. Carbonite used to throttle throughput speed for personal accounts after 200GB was uploaded, but the company has since ended that unpopular policy. Restoring FilesCarbonite's InfoCenter is also your friend when it comes time to restore files. When you search for files to restore, you can either replace them in their original location or restore to a desktop folder. One problem I have with Carbonite is that if you delete a file on the backed-up PC, only to later realize you really wanted it, the service only keeps the file for 30 days. SOS keeps those files forever. Carbonite saves multiple versions of files as you edit and save them. They're kept for a bit longer than deleted files—3 months. But you're limited to 12 versions, compared with SOS's unlimited versions. In my tests of a document I updated several times, Carbonite correctly saved all versions. When you need to restore your entire PC backup to a new machine, Carbonite can recreate the lost PC's Windows user account on the new PC. You can also create a new user account for the backup. Note that when you do a full restore to a new machine, you lose the ability to back up the original PC, since the service only covers one PC per account. Otherwise, you can just save all the files to a separate folder. A nice option in the Restore window lets you use a search box to specify particular folders and files you need first. Carbonite estimates tells you how long the restore will take, and you can access already-processed files any time during the restoration. Web InterfaceAs with the desktop interface, Carbonite's Web interface is clear and well designed. It offers a folder view along with a quick search box, and all you have to do is double-click on a filename to start downloading it. One thing missing from the Web interface, however, is file-version choice. A Facebook button lets you send photos from your backed-up collection directly to the leading social network, but aside from this, there isn't much in the way of sharing features from the Web client. I am surprised that you can't even create a direct link to a file or extend editing access, as you can in several online backup services. Nor can you play music or videos from the Web UI. Mobile AppsCarbonite offers mobile apps for Android and iOS (missing is Windows Phone, for which IDrive has an excellent app). Oddly, you won't find links to the apps on Carbonite's site; you just have to search for Carbonite Mobile in the device's store. Large button tiles in the app offer access to Pictures, Documents, Music, and Desktop, or you can just view all your folders. I was able to view photos and documents, and even to play uploaded music right inside the app. File sharing is accomplished via iOS's built-in email sharing, which attaches files to an email message. The app was recently updated to support TouchID for easy access to protected files. Easy, Unlimited Online BackupIf you just want to back up your PC files to prepare for the occasional crisis, Carbonite is a fine choice. It stands out in the crowded online backup space with its ease of use, unlimited storage, and continuous backup. Against these strengths, however, you have to weigh its lack of support for external disks, limited sharing features, and the short period deleted files are saved. If those are concerns, you're better off with one of the PCMag Editors' Choice online backup services: CrashPlan for its innovations, SOS Online Backup for its super speed and powerful features, or IDrive for its wealth of features at a low cost.
Error affects iPhone 6 and 6S handsets with replaced or damaged TouchID sensors.