Identity Verification – Your Pass Wed, 08 Jun 2022 23:00:04 +0000

Winners Announced in NIST Challenge for Contactless Fingerprint Biometrics Wed, 08 Jun 2022 21:42:17 +0000

The results of Phase 2 of the Mobile Fingerprinting Innovation Technology (mFIT) challenge organized by the United States National Institute of Standards and Technology (NIST) have been partially revealed, and experts say the evaluation shows that contactless fingerprint biometrics is now ready for practical deployments.

The Phase 1 winners, announced in June 2021, were BlueBible Team, ENGR Dynamics, Idemia, Identy, Slapshot SDK Team (which includes Integrated Biometrics and Scientometrics), and Telos ID. Each received $85,000 in prize money. Two additional teams also participated in Phase 2, Tech5 and a team including T3K.

First place overall in Phase 2 of the mFIT Challenge is tied between Idemia and Telos, who also tied for the “First Responder Choice Award”. The Slapshot SDK team is tied with Identy and ‘T3K & Teeltech’ for third place. The Slapshot team’s technology provided a corresponding accuracy rate of 95% or better in the Phase 2 evaluation, which is ahead of the challenge, Integrated Biometrics Executive Vice President Tom Buss told Biometric Update in an interview.

The challenge is organized in collaboration with the FirstNet telecommunications network for first responders and aims to establish the effectiveness of technologies for contactless mobile fingerprint capture, transmission on FirstNet and matching with legacy databases filled with reference patterns collected on contact-based biometric scanners.

This will allow police to identify persons of interest without transporting them to a station first, saving time and money for the force, while making the process less time consuming and less inconvenient for the subject. Identifying a suspect early could also have significant benefits for public or officer safety.

Buss explains that NIST took a database of 2 million reference patterns and added biometrics from fingerprints of 100 volunteers collected on contact-based scanners to match the ABIS.

The Colorado-based NIST division works with the Federal Communications Commission and organized the mFIT Challenge to encourage the development of technological innovations to support public safety workers, such as police and other first responders. The industry was challenged to come up with a method of collecting slap (four-finger) fingerprints with a smartphone camera that would yield processable images, Buss says.

“You would like to have some kind of tool that is not difficult to carry or separate equipment that you have to plug in.”

NIST measured input matching accuracy, but also “a bunch of other metrics related to usability, look and feel,” Buss says. While these items are important to overall performance, they didn’t carry as much weight and IB focused on biometric matching results, Buss said, as applications will be developed and fine-tuned by systems integrators for production deployments.

Integrators of mobile applications to capture contactless fingerprints are the same group that already serves the law enforcement community with biometric technologies used in police stations, according to Buss.

The Slapshot Team Approach

The Slapshot SDK captures images at less than 2% of the 500 pixels per inch of the legacy database models.

“If the images presented at ABIS are not close to 500 ppi resolution, the accuracy drops off quite quickly,” Buss notes.

Sciometrics software included in the SDK controls the precision of the resolution at which all fingers are captured, with a high level of focus provided by a series of images, with the optimal image for each finger selected to create the model probe.

CEO Shawn O’Rourke says IB has a patent portfolio for contactless technology that is just as robust as its contact-based IP portfolio.

Meanwhile, standards are being created for contactless fingerprint capture and will be partly informed by mFIT results.

Sciometrics President Mark Walch describes the results of the mFIT challenge as showing that contactless fingerprint collection is “ready for prime time,” which he hopes will spur NIST action to support creating these standards.

Buss says IB plans to leverage its leadership in the contactless ID space to meet demand for identity verification with a future software release. This will involve different considerations, as the quality of the phone cameras involved varies more widely.

“We’re going to conquer this contactless market just as we conquered the contact market for fingerprints,” said Dave Gerulski, IB’s senior vice president of sales and marketing.


Yoti, the Post Office’s digital ID service certified for the first time by the UK for employee verification Mon, 06 Jun 2022 21:43:01 +0000

UK-based company Yoti and partner Post Office are the first digital identity service providers (IDSPs) in the UK to be certified by the government to carry out identity checks for employment.

The two partner companies will see their combined biometric identity verification service made available for employment verification via web-based identity verification, reusable app-based digital identity and in-person verification at Post Office branches. These checks are performed by Identity Document Validation Technology (IDVT) provided by an IDSP, which verifies the right to work for UK and Irish citizens holding a valid passport.

Both digital ID providers are IDSP-certified to meet the needs of the Right to Work, Right to Rent and Disclosure and Barring Service (DBS) programs set up by the UK government. The right to work program aims to prevent illegal work by requiring employers to verify that their permanent, full-time or part-time, contract, zero-hours and work experience students and interns have the right to work in the UK. The programs conform to the UK Department for Digital, Culture, Media and Sport’s Trust Framework for Digital Identity and Attributes.

Yoti’s digital ID applications secured by biometrics and the Post Office’s EasyID would also be viable for the right to work by sending a verified image of individuals’ passport to be stored and verified by an employer to meet the requirements of the Ministry of the Interior in matters of “legal excuse”.

“Being one of the first IDSPs to be certified shows our commitment to the market and is a testament to the quality of our digital identity technology,” said John Abbott, Chief Commercial Officer of Yoti. Abbott notes that the maximum fine for hiring illegal workers is £20,000 (about US$25,072) per worker. “Certification under the Digital Identity and Attribute Trust Framework represents the gold standard for delivering digital identity services with security and privacy first, meaning customers have no concerns about GDPR,” he said.

Companies that will use Yoti and Post Office IDVT include HireRight, People Check, and Atlantic Data, among many others. More than three million people are said to have joined the Yoti and Post Office digital ID network.

Elinor Hull, Director of Identity Services at Post Office, said: “At a time when the hospitality and retail sectors in particular are struggling to recruit and bring staff into the shop floor, the ability to digitally verify candidates’ right to work speeds up the hiring process, is more secure, and could allow them to start earlier than if the candidate had to travel and then have their documents photocopied and physically verified.”

Yoti also announced a partnership with First Advantage in February for Right to Work and DBS to integrate its selfie biometrics into First Advantage’s platform.


Comparison of NerdWallet (NASDAQ:NRDS) and Sterling Check (NASDAQ:STER) Sat, 04 Jun 2022 12:25:59 +0000

Sterling Check (NASDAQ:STER) and NerdWallet (NASDAQ:NRDS) are both small cap business services companies, but which company is superior? We’ll compare the two companies based on institutional ownership strength, analyst recommendations, earnings, valuation, profitability, risk, and dividends.

Benefits and evaluation

This table compares the gross revenue, earnings per share, and valuation of Sterling Check and NerdWallet.

| Company | Gross revenue | Price/sales ratio | Net revenue | Earnings per share | Price/earnings ratio |
|---|---|---|---|---|---|
| Sterling Check | $641.88 million | 2.85 | -$18.53 million | N/A | N/A |
| NerdWallet | $379.60 million | 2.07 | -$42.50 million | N/A | N/A |

Sterling Check has higher revenue and earnings than NerdWallet.

Analyst Notes

This is a breakdown of current ratings and price targets for Sterling Check and NerdWallet, as provided by

| Company | Sell ratings | Hold ratings | Buy ratings | Strong buy ratings | Rating score |
|---|---|---|---|---|---|
| Sterling Check | 0 | 2 | 6 | 0 | 2.75 |
| NerdWallet | 0 | 1 | 7 | 0 | 2.88 |

Sterling Check currently has a consensus price target of $28.75, suggesting a potential upside of 51.48%. NerdWallet has a consensus price target of $24.93, suggesting a potential upside of 112.70%. Given NerdWallet’s stronger consensus rating and higher possible upside, analysts clearly believe that NerdWallet is more favorable than Sterling Check.


This chart compares the net margins, return on equity, and return on assets of Sterling Check and NerdWallet.

| Company | Net margins | Return on equity | Return on assets |
|---|---|---|---|
| Sterling Check | N/A | N/A | N/A |
| NerdWallet | N/A | N/A | N/A |

Insider and Institutional Ownership

85.5% of Sterling Check shares are held by institutional investors. Comparatively, 49.0% of NerdWallet shares are held by institutional investors. 49.6% of NerdWallet shares are held by company insiders. Strong institutional ownership indicates that endowments, hedge funds, and large money managers believe a stock is poised for long-term growth.

About Sterling Check

Sterling Check Corp. provides background and identity verification technology services in the United States, Canada, Europe, the Middle East and Africa, and Asia-Pacific. The Company offers identity verification services, such as telecommunications and device verification, identification document verification, facial recognition with biometric matching, social security number verification and identification verification via live video chat; fingerprinting; background checks, including criminal record checks, sex offender registries, civil court records, motor vehicle and driver’s license records, executive inquiries, credit reports, searches on social media and contingent labor solutions; liens, judgments and bankruptcies; and sanctions, risks and compliance checks. It also provides credential verification services, which include employment verification, education verification, credential verification, professional reference verification, and transportation department; drug and health screening; onboarding solutions, including Sterling I-9 which integrates a suite of screening and onboarding services and onboarding forms; and solutions for monitoring workforce, medical licensing and motor vehicle records. The company’s services are delivered through its cloud-based technology platform that empowers organizations with real-time, data-driven insights to conduct and manage their employment screening programs. It serves customers in a range of industries, such as healthcare, gig economy, financial and business services, industrial, retail, contingents, technology, media and entertainment, transport and logistics, hospitality, education and government. The company was previously known as Sterling Ultimate Parent Corp. and changed its name to Sterling Check Corp. in August 2021. Sterling Check Corp. was founded in 1975 and is headquartered in New York, New York.

About NerdWallet

NerdWallet, Inc. operates a digital platform that provides consumer-focused personal finance advice by connecting individuals and small and medium-sized businesses with financial product providers. The company’s platform offers consumer guidance through educational content, tools and calculators and product marketplaces, as well as the NerdWallet app for various financial products including credit cards, mortgages, insurance, small business products, personal loans, banking services, investments and student loans. It serves customers in the United States, United Kingdom and Canada. The company was founded in 2009 and is based in San Francisco, California.


San Diego County COVID Vaccination Clinics Now Accepting More IDs Thu, 02 Jun 2022 22:34:50 +0000

San Diego County has changed its public COVID-19 vaccination policy to indicate that its vaccination clinics will accept a wide range of documents to verify identity after an inewsource investigation found that health staff turned away people who wanted to be vaccinated but could not provide photo ID.

In April, inewsource reported that a North San Diego County Latino immigrant advocacy group, Universidad Popular, saw community members being denied vaccinations because they were unable to provide photo ID. At the time, county public literature stated that people wishing to be vaccinated were required to present photo identification.

Why it matters

Advocates say county photo ID requirements have made it harder to vaccinate undocumented immigrants in communities where vaccination rates are already low.

Proponents feared that this requirement would discourage people living in the United States without permission from getting vaccinated.

Officials told inewsource that county policy was to work with people seeking vaccines without photo ID to verify their identity. However, emails obtained by inewsource showed some confusion among county health care personnel about the type of documentation needed to receive a vaccine.

The emails suggested that staff had referred people who did not provide photo ID to vaccination clinics.

Asked by inewsource how many people were turned away for not having photo ID, a county spokesperson could not provide an answer. Officials are not tracking these cases, he said.

The county maintains that its internal policy has always been to accept a wide range of IDs, but recently changed the policy on its website to reflect that.

The website now states that at vaccination clinics, adults “must provide photo ID (other ID verification methods accepted) AND proof of age (something that shows date of birth).”

According to the county, acceptable forms of identification in cases where someone cannot provide photo ID include:

  • Driving license from a foreign country
  • Paycheck
  • Consular card
  • Report card
  • Utility or phone bill
  • Confirmation from a family member or employer who has photo ID
  • Previous entry in San Diego County Vaccine Registry

Nora Vargas, who co-chairs the San Diego County Board of Supervisors’ COVID-19 subcommittee tasked with helping the county’s response to the pandemic, said she was “baffled” by the inewsource reports.

Vargas, District 1 supervisor, said part of her mission on the committee since joining has been to ensure equitable access to vaccines.

“It’s not supposed to happen. There are not supposed to be any obstacles for our communities,” Vargas said.

Vargas said she followed up with her team to share reports and ensure all county health care personnel were properly trained and briefed on the types of documents acceptable to receive a COVID-19 vaccine.

The supervisor pointed out that some type of document confirming identity is important for the purposes of maintaining medical records.

Lilian Serrano, co-director of the Universidad Popular, said that after inewsource’s investigation was released, the county supervisor’s office for her district contacted her to say he was “directing county staff to make the necessary changes.”

Health staff at vaccination clinics in her area “have been much more willing to work with community members who don’t have ID,” Serrano said in a text.

Vargas said “human error” can sometimes lead to someone being wrongfully turned away, but her office is available to ensure access to vaccines for everyone in the county.

“If someone is turned away, something happens, let them call my office, call 211, and we’ll make it happen,” Vargas said.

Vargas encouraged anyone who is denied a vaccine at a county clinic to call her office at 619-531-5511.


Blockchain Identity Management Market Growing Geriatric Population to Drive Growth 2030 – ManufactureLink Tue, 31 May 2022 06:59:49 +0000

The global blockchain identity management market is estimated at 77.23 million USD in 2021 and is expected to reach 2733.60 million USD in 2027, registering a CAGR of 81.20% during the forecast period, 2021-2027. With the growing importance of identity verification during any authentication process, the blockchain identity management market is expected to witness robust growth over the forecast period. The growing need for real-time critical information from organizations, employees, and customers is mainly driving the demand for blockchain identity management in industries like banking, retail, education, and retail. Key challenges associated with blockchain identity include identity theft risks, username and password combinations, Know Your Customer (KYC) integration, and lack of control. It is here that blockchain identity management offers a potential solution to overcome these challenges by providing users with a sense of security that no third party can share their personal identity information (PII) without their consent.

Major factors influencing the Blockchain Identity Management industry over the forecast period

There has been a growing need to establish trust in transactions between the parties involved in recent years. Moreover, the advent of technology brings an equally advanced threat to cybersecurity, which demands efficient and reliable assistance like blockchain identity management. Rising demand for privacy and security solutions among enterprises is likely to supplement market growth till 2025. Blockchain based on cryptographic security ensures the authenticity and security of user data, remaining the main factor in market expansion.


The exponential proliferation of e-commerce is another significant factor that will drive the growth of the blockchain identity management market in the near future. Government initiatives to promote the use of advanced technologies are likely to benefit market performance. A significant increase in the demand for scalability and fast/instant transactions is also expected to create major growth opportunities for players in the blockchain identity management market in the near future. However, lack of awareness about blockchain technology and its benefits as a host will continue to hamper the market growth during the forecast period.

Impact of COVID-19 on the Blockchain Identity Management Market

The COVID-19 outbreak initially led to nationwide shutdowns, which gave rise to the explosive new trend worldwide – working from home/remotely. Hence, there has been a significant spike in the inclination towards the adoption of blockchain technology. It is increasingly preferred as a viable tool for providing identity protection and authentication. Amid the pandemic, blockchain identity management has gained traction among enterprises struggling to overcome their visibility and security challenges. The urgent need to operate along secure supply chains amid the COVID-19 pandemic has further accelerated the growth of the blockchain identity management market. Furthermore, the dramatic expansion of e-commerce coupled with the tremendous digital currency boom has boosted the market growth during the pandemic.


Report scope

The report depicts the global Blockchain Identity Management market study based on vendor and type.

On the basis of vendor, the blockchain identity management market has been segmented into –

  • Application providers
  • Middleware providers
  • Infrastructure providers

Based on Type, the Blockchain Identity Management Market has been segmented into –

  • BFSI
  • Government
  • Health and life sciences
  • Telecom and IT
  • Retail and e-commerce
  • Transport and logistics
  • Immovable
  • Media and Entertainment
  • travel and hospitality
  • Other (automotive, education and energy and utilities)

Blockchain Identity Management Market Regional Outlook

Based on region, the blockchain identity management market has been segmented into five geographical regions: North America, Asia-Pacific, Europe, South America, Middle East & Africa. In 2020, North America held the largest global blockchain identity management market share, followed by Asia-Pacific. It is further estimated that North America will dominate the global blockchain identity management market during the forecast period, while Asia-Pacific is expected to project the highest CAGR in the global market during the forecast period.

Key competitors in the Global Blockchain Identity Management Market include

The global blockchain identity management market has a large number of players operating across the globe. Some of the Major Players in the Global Blockchain Identity Management Market are-

  • IBM
  • AWS
  • Civic technologies
  • Bitfury
  • Evernym
  • Netki
  • ShoCard
  • Unique ID
  • Microsoft
  • bit nation
  • Nodal block
  • EdgeSecure
  • Block verification
  • Peer Registry
  • Cambridge Blockchain
  • Neuroware.

The Blockchain Identity Management Market report provides an in-depth analysis of macroeconomic factors and market attractiveness of each segment. The report will include an in-depth qualitative and quantitative assessment of the industry/regional outlook with the presence of market players in the respective segment and region/country. The information concluded in the report includes the entries.


Blockchain Identity Management Market report covers comprehensive analysis on

  • Market Segmentation and Regional Analysis
  • 10 year market size
  • Price analysis
  • Supply and demand analysis
  • Product life cycle analysis
  • Porter’s Five Forces and Value Chain Analysis
  • Analysis of developed and emerging economies
  • PEST analysis
  • Factor analysis of the market and forecasts
  • Opportunities, risks and market trends
  • Conclusion and recommendation
  • Regulatory landscape
  • Patent Analysis
  • Competition landscape
  • More than 15 company profiles

Blockchain Identity Management Market Regional Analysis Includes

  • North America (United States, Canada, Mexico)
  • South America (Brazil, Argentina, Colombia, Peru, Rest of Latin America)
  • Europe (Germany, Italy, France, United Kingdom, Spain, Poland, Russia, Slovenia, Slovakia, Hungary, Czech Republic, Belgium, Netherlands, Norway, Sweden, Denmark, Rest of Europe)
  • Asia-Pacific (China, Japan, India, South Korea, Indonesia, Malaysia, Thailand, Vietnam, Myanmar, Cambodia, Philippines, Singapore, Australia and New Zealand, Rest of Asia-Pacific)
  • The Middle East and Africa (Saudi Arabia, United Arab Emirates, South Africa, North Africa, Rest of MEA)


Blockchain Identity Management Market Target Audience

  • Blockchain Identity Management Manufacturers
  • Manufacturers of surgical equipment and blockchain identity management
  • Manufacturers, Distributors and Healthcare Providers
  • Trade publications and magazines
  • Government authorities, associations and organizations

Massachusetts Governor Vetoes Plan to Give Driver’s Licenses to Illegal Immigrants Sun, 29 May 2022 06:52:25 +0000

Massachusetts Gov. Charlie Baker on Friday vetoed a plan that would have allowed the state to issue driver’s licenses to illegal immigrants due to identity verification issues as well as voting issues.

The bill (H4805), if passed, would have seen illegal immigrants issued a standard state driver’s license if they had applied on or after July 1, 2023. Individuals applying would be required to provide proof of identity, date of birth and residence in the state.

A spokeswoman for Massachusetts House Speaker Ron Mariano said the chamber plans to proceed with an override vote on June 8, according to the State House News Service. A two-thirds vote is required in each chamber to enact legislation.

In a letter to the state legislature (pdf), the Republican governor said he could not sign the measure, saying the state motor vehicle registry lacked the ability to verify the identity of illegal immigrants.

“The Registry does not have the expertise to check the validity of many types of documents from other countries,” he wrote in his veto message.

“This legislation also nullifies a key guarantee of the driver’s licensing process that I signed into law just six years ago,” he added. “As a result, a standard Massachusetts driver’s license will no longer confirm that a person is who they say they are.”

He also said the measure would “significantly increase the risk of non-citizens being registered to vote”.

Indeed, the bill contains no measures that would help distinguish a legal citizen from an illegal immigrant, and furthermore, it prevents the registry from sharing citizenship information with “entities responsible for ensuring that only citizens register and vote in our elections,” he said.

Baker had previously told reporters on May 9 that, if the bill passed, there would be “a huge number of provisional votes, which would then make it harder for people to determine who actually won the election.” The state has two upcoming elections, with a primary on September 6 and a general election on November 8.

The Massachusetts Commonwealth Secretary disagreed. He told the Boston Globe the same day, “How does the governor manage to tie this to the licensing issue, I’m confused and bewildered.”

“I think the Governor in his comments and Republicans in general in their comments on this issue tried to raise the specter that this will allow these people to vote,” he said at the time. “Nothing could be further from the truth… he makes this rhetorical assertion that there will be people who will vote, which they are not.”

Proponents of the bill say it could help improve road safety.

Elizabeth Sweet, executive director of the Massachusetts Immigrant and Refugee Advocacy (MIRA) Coalition said she was “deeply disappointed” by Baker’s veto of the measure.

“The policy would not only make our communities safer, but would benefit our economy and build trust between law enforcement and immigrant communities,” she said in a statement, WBUR reported. “We hope the legislature will waste no time in overriding the governor’s veto.”

The bill had passed the State House and the Senate – both with Democratic majorities – with more than enough votes to override any veto by the governor. The House initially passed the bill with a vote of 120 to 36, and the Senate voted in favor with a vote of 32 to 8. On May 26, the House voted 118 to 36 to accept the conference committee’s report on the measure.

If the measure becomes law, Massachusetts will join 16 states and the District of Columbia in allowing illegal immigrants to be issued driver’s licenses.


Mimi Nguyen Ly is an Australian-based journalist. She covers world news with a focus on US news.

Apple Wallet State ID Support Expands to Residents of Maryland Thu, 26 May 2022 14:51:52 +0000

Apple’s Wallet app now supports Maryland state IDs and driver’s licenses, marking it as the second state after Arizona to get the digital ID feature (via MacRumors). Free State residents can now use their iPhone or Apple Watch at select TSA checkpoints at participating airports, including Baltimore/Washington International and Reagan National. The iPhone won’t carry an “image” of the card, only a means of transmitting information to a receiving device – and you use biometrics to confirm the information sent to the device.

However, digital IDs do not replace physical IDs. The Maryland Motor Vehicle Administration (essentially, the DMV) website states that law enforcement does not accept Maryland Mobile ID, which means you will still need to carry your wallet to drive and even fly. For now, the only benefit of digital ID is that your physical ID can remain hidden at selected airports.

But this is just the beginning for the digital ID revolution, and there will be some confusion along the way. So if you envision a future where you don’t need to carry a wallet, then adoption will be key. For Maryland residents, instructional videos are available on the state’s website to help with the push, with production value we’re more used to seeing from Apple. That’s likely because Apple has explicitly committed to controlling marketing and other aspects of the deal with each state.

It was feared that once law enforcement is able to access information through these devices, attention will shift to your iPhone and they may ask you to hand over your phone to them even if that isn’t how it is supposed to work.

A report by the American Civil Liberties Union (ACLU) last year on the “identity crisis” posed by the shift to digital IDs highlighted a host of potential privacy threats that should be addressed, including police access to people’s phones, user control over data, and even longer-term issues like potential extensions of the information contained or remote use requirements. Along with the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC), they submitted a series of questions to the Department of Homeland Security, seeking to address these concerns before the technology becomes widely used.

Adding a state ID to your iPhone requires an iPhone 8 or later running at least iOS 15.4, and an accompanying Apple Watch must be Series 4 or later running at least watchOS 8.4. Once you meet these requirements, you can tap the plus button at the top right of the Wallet app, tap Driver’s License or State ID, select your state, and then follow the instructions, which include taking photos of the front and back of your ID. You’ll be asked to move your face in certain directions on the camera, on a screen that looks like a Face ID setup screen.

When you present your card digitally, the Wallet app tells you which parts of your ID will be shared. Biometrics is used to confirm.
Image: MVA / Apple

The data will be passed to the state for verification, so the ID may not be available immediately after the process is complete. Once you have it, however, you’ll use it by holding your iPhone or Apple Watch in front of the TSA check-in terminal. It will respond to your digital ID (similar to how Apple’s Express Transit Card works on the subway) and then further verification on your device will ask for permission to continue.

This additional verification means that the images taken are sent to the state – in my case, Maryland – to confirm that I am the one installing it. Apple’s Wallet ID Privacy and Security Overview states that it deletes the data after the process is complete:

Your ID subset of data is deleted from Apple servers immediately after your request is submitted to the state. Your selfie and video of your movements are deleted from Apple servers shortly after the state issuing authority approves or denies adding your ID to Apple Wallet.

Apple and Maryland both tout that digital IDs are convenient and secure — and if the technology is trustworthy, we finally have a way to identify ourselves without having to hand over our personal data which is usually on a physical card.

Hackers can “pre-hijack” online accounts before they are created by users Tue, 24 May 2022 13:02:51 +0000

Threat actors could gain access to users’ online accounts by exploiting a new type of technique that involves pre-hijacking an account before it is actually registered by the victim.

“Account pre-hijacking” is a new class of attack that can be used to gain access to a targeted account, and many online services could be vulnerable.

Account pre-hijacking was analyzed by independent researcher Avinash Sudhodanan and Andrew Paverd of the Microsoft Security Response Center. Microsoft funded the project with a grant that offered up to $75,000 for proposals to improve the security of its identity solutions.

Compromised accounts are involved in many attacks, but the targeted accounts are usually taken over by the attacker after they are created. In pre-hijack attacks, the attacker predicts which online service the targeted person will use and conducts certain activities before the victim creates an account.

These attacks may involve federated identity and single sign-on (SSO) services, which allow users to sign up for certain online services using existing accounts registered with companies such as Microsoft, Google, and Facebook.

In a research paper published last week, Sudhodanan and Paverd described five types of pre-hijack attack methods. In one type of attack, the hacker creates an account using the victim’s email address, and the victim then registers on the same website using a federated identity service. If the website is unable to securely merge the two accounts, both the attacker and the victim could gain access to the account.

It could also work if the attacker registers an account using a federated identity while the victim creates an account on the same website using the regular registration process.

Another method involves unexpired session IDs. The attacker creates an account with the victim’s email address and maintains a long-lasting active session. The legitimate user can reset the password in order to gain access to the account, but the attacker could still retain access if their session was not invalidated following the password reset.

An attacker could also create an account and add a so-called “Trojan ID” which would later give them access to an account. This can be an alternate email address or phone number where password reset or one-time authentication links are sent.

Another interesting technique is for the attacker to initiate the process of changing an account’s email address to one they control. This process usually involves sending a verification URL to the new address. However, the attacker only completes the verification process at a later date, allowing them to regain access to the account after it has been used by the victim for some time.

Researchers analyzed 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks. The list includes popular social media, cloud storage, video conferencing and blogging services. Affected providers were notified between March and September 2021, but many online services may still be vulnerable.

While these methods can be used against individual users, researchers believe they could also be used to target an entire organization. For example, the attacker could sign up for a service that is gaining popularity using previously leaked accounts. In attacks against an organization, if the attacker knows they plan to use a particular service in the future, they can create accounts with publicly available email addresses.

“Basically, the root cause of pre-account takeover vulnerabilities is that the service fails to verify that the user actually owns the provided identifier (e.g., email address or phone number) before authorizing use of the account,” the researchers explained. “While many services require credential verification, they often do so asynchronously, allowing the user (or attacker) to use certain account features before the credential has been verified. While this may improve usability, it creates a window of vulnerability for pre-hacking attacks.”
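The root cause the researchers name suggests the defensive shape of an account service. The sketch below is an added example, not code from the paper or the article: a hypothetical `AccountService` (all names are assumptions) that issues no session before the address is verified, replaces unverified records instead of merging them, and revokes sessions and pending email changes on password reset.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    password: str = ""              # hashing omitted to keep the sketch short
    verify_token: str = ""          # stands in for the emailed verification link
    verified: bool = False
    sessions: set = field(default_factory=set)
    pending_email_change: str = ""  # address awaiting confirmation

class AccountService:               # hypothetical service, names are assumptions
    def __init__(self):
        self.accounts = {}

    def _session(self, acct):
        acct.sessions.add(token := secrets.token_hex(16))
        return token

    def register(self, email, password):  # unverified records are replaced, never merged
        if email in self.accounts and self.accounts[email].verified:
            raise ValueError("account exists")
        acct = self.accounts[email] = Account(email, password, secrets.token_urlsafe(16))
        return acct.verify_token

    def verify_email(self, email, token):
        acct = self.accounts[email]
        acct.verified |= secrets.compare_digest(token, acct.verify_token)
        return acct.verified

    def login(self, email, password):  # no session before ownership is proven
        acct = self.accounts.get(email)
        if not (acct and acct.verified and acct.password):
            return None
        ok = secrets.compare_digest(password.encode(), acct.password.encode())
        return self._session(acct) if ok else None

    def federated_login(self, email):   # assumes the IdP verified the address
        acct = self.accounts.get(email)
        if acct is None or not acct.verified:   # never merge into an unverified record
            acct = self.accounts[email] = Account(email, verified=True)
        return self._session(acct)

    def reset_password(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        acct.sessions.clear()            # revoke every live session
        acct.pending_email_change = ""   # cancel unconfirmed address changes
```

A record pre-created with someone else's address never becomes usable here: it has no session, and a later federated sign-in or fresh registration for that address discards it along with the password it carried.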


Eduard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.


CoinSwitch, India’s top crypto app, calls for ‘peace and certainty’ on regulation Sun, 22 May 2022 14:02:00 +0000

Souvenir tokens representing the Bitcoin cryptocurrency dive into water in this illustration taken May 17, 2022. REUTERS/Dado Ruvic/Illustration/File Photo


DAVOS, Switzerland, May 22 (Reuters) – India must establish cryptocurrency rules to resolve regulatory uncertainty, protect investors and boost its crypto sector, CoinSwitch CEO Ashish Singhal said on Sunday.

Although India’s central bank supported banning cryptocurrencies due to financial stability risks, a move by the federal government to tax their income was interpreted by the industry as a sign of acceptance by New Delhi.

“Users don’t know what will happen to their holdings – will the government ban, not ban, how will this be regulated?” Singhal, a former Amazon engineer who co-founded CoinSwitch, told Reuters at the World Economic Forum in Davos.


CoinSwitch, which is valued at $1.9 billion, claims it is the largest crypto company in India with over 18 million users. The company, based in India’s main technology hub of Bengaluru, is backed by Andreessen Horowitz, Tiger Global and Coinbase Ventures.

“Regulation will bring peace…more certainty,” he added.

Blockchain and cryptocurrency companies have a strong presence at this year’s Davos meeting, which coincides with a period of falling crypto prices around the world.

India’s central bank has expressed “serious concerns” about private cryptocurrencies, but Prime Minister Narendra Modi said in December that these emerging technologies should be used to strengthen democracy, not undermine it.

Exchanges in India often struggle to partner with banks to allow funds to be transferred and in April CoinSwitch and others disabled rupee deposits through a widely used state-backed network, alarming investors.


While changes in taxation and some advertising regulations have brought some relief, more needs to be done, Singhal said, adding that India should come up with a set of laws.

These should include standards for identity verification and transfer of crypto assets, while for exchanges, India should put in place a mechanism for them to track transactions and report them to any authority if necessary.

Although no official data is available on the size of the Indian crypto market, CoinSwitch estimates the number of investors at 20 million, with total holdings of around $6 billion.

Regulatory uncertainty was widely felt. In April, Coinbase, the largest cryptocurrency exchange in the United States, launched in India, but within days it suspended the use of a state-backed interbank funds transfer service.

Coinbase CEO Brian Armstrong said later in May that the move was triggered due to “informal pressure” from India’s central bank.

CoinSwitch also suspended so-called UPI transfers to talk to banking partners and make them feel comfortable, Singhal said in the interview. He added that CoinSwitch was in talks with regulators to try to restart the transfer service.

“We are pushing for regulation. With the right regulation, we can get clarity,” he said.


Reporting by Aditya Kalra in Davos; Editing by Alexander Smith


Trust Stamp, a facial recognition company with a $7.2 million ICE contract, exposed dozens of people’s data in breach Fri, 20 May 2022 20:24:44 +0000

A migrant seeking asylum shows the phone given to him to take pictures of himself during registration with Immigration and Customs Enforcement on March 31, 2022. REUTERS/Paul Ratje

  • Trust Stamp, which has a $7.2 million contract with ICE to track migrants, exposed dozens of people’s data in a data breach, Insider has learned.

  • Credentials for potential customers to test Trust Stamp have been released publicly, leaving names and driver’s license data open.

  • The vulnerability, which has been resolved, does not appear to expose migrant data.

Trust Stamp, a government contractor that develops facial recognition and surveillance tools for agencies such as immigration and customs, left the personal information of dozens of people unsecured on a hacked database, Insider has learned. This information included names, birthdays, home addresses and driver’s license data.

An anonymous tipster who claimed to be a security researcher contacted Insider and disclosed the breach. Insider confirmed the authenticity of the data with those named in the data leak. Trust Stamp later confirmed the security flaw and breach to Insider.

In an email to Insider, Trust Stamp CEO Gareth Genner said the exposed database was intended for potential customers to test his product, and that most of the entries were “clearly made-up data”, such as “Heidi Sample” or “Test Alaska”. The majority of the hundreds of user entries exposed in the breach were indeed for fake users as part of a so-called demo app, the security researcher found, but several dozen entries were real people. Insider has independently verified these people’s information as accurate.

The breach comes shortly after Trust Stamp won a lucrative $7.2 million annual contract with ICE to monitor migrants being processed at the southern border, using facial recognition and passive GPS tracking, as Insider previously reported. The company also has partnerships with MasterCard and a major US bank to handle identity verification, according to an SEC filing earlier this year.

Genner said that until Insider contacted the company, it “was not aware of any suggestion of unauthorized data access anywhere in our systems” but “took all available steps to protect the referenced database”.

“We have notified the National Cyber Investigative Joint Task Force of the information provided and we will of course cooperate with them and other agencies in the investigation,” Genner said, adding, “We take the security data very seriously and we are always looking for ways to improve our policies and practices.”

Cooper Quintin, security researcher and senior technologist at the Electronic Frontier Foundation, told Insider he was “very concerned” about the breach.

“If this was possible in the demo app, my biggest concern here is that they seem to have data on a lot of people and they’re not even taking basic steps to secure that data,” Quintin said. “They are clearly not taking any of their security responsibilities.”

“They don’t strike me as a company to be trusted with [immigration] data,” the anonymous security researcher told Insider.

None of the several dozen people whose names were included in the data leak were migrants who had been processed at the US southern border. None of the people Insider was able to reach by phone were familiar with Trust Stamp or any of its services.

Genner, the CEO of Trust Stamp, confirmed to Insider that some of the user entries exposed in the breach “appear to represent ‘real people’.” It’s likely these people used a service from a company that plans to work with Trust Stamp, and that company used their data when testing the Trust Stamp demo app, Genner said. He said Trust Stamp gave credentials to potential customers, but declined to name them.

The security researcher who uncovered the breach said Trust Stamp publicly released credentials that can be used to access the demo app’s restricted application interface, or API. Accessing this API could reveal personal information — including names, addresses, dates of birth, and driver’s license issue and expiration dates — of people used in this demo app, they said.

Genner said Trust Stamp removed “all credentials” to the API after Insider contacted the company, adding that the company would reissue them with a new policy that it will automatically delete test data after 90 days.

“If ‘real’ test data was uploaded and not deleted, that is contrary to the intended use of the test tool,” Genner said.

In a recent SEC filing, the company said it had “39 business opportunities” with potential customers as of March 31, 2022. In addition to its deals with ICE and MasterCard, the company has a handful of smaller deals with other companies. Trust Stamp also said it had “opened dialogues” with “several foreign government agencies” over the sale of its facial recognition and biometric technology.

Genner told Insider that any data breaches from the enrollment demo “would have no relevance to our government services products” because the enrollment demo is not a test for government customers.


Read the original article on Business Insider