Exclusive: Bank of Canada found only one poor-quality counterfeit new polymer $100 note, analyzed by RCMP

Thursday, 17 May, 2012


In a followup interview with Nish Vairavanathan, a Bank of Canada currency analyst, this reporter has confirmed that (as far as Vairavanathan was aware) there is only one known case of a counterfeit new polymer $100 banknote. (Note: The new polymer $100 was launched a few months ago in November 2011.) As reported yesterday (also mirrored in an article here), the counterfeit new polymer $100 bill was of very poor quality. For example, the counterfeit new polymer $100 bill did not have the transparent window in the middle of the banknote, one of the most obvious and easily verifiable security features.

Readers of this article should not be alarmed by the existence of this one known case of a counterfeit new polymer $100 banknote. What you can do is arm yourself with knowledge of the new polymer banknote’s security features. You can start by watching a video of me handling and inspecting a new $100 banknote for its security features up close. Also watch this informative PSA video from Bank of Canada: The New $100 Note. I’ve been informed the single counterfeit new polymer $100 banknote is with the RCMP National Anti-Counterfeit Bureau being analyzed. I asked if a picture of it is available to the media but was told that information like how it looks, where it was found, etc. is not being shared (I presume for security or police investigation reasons).

What should Canadians do when we come across suspected counterfeit banknotes?

Any Canadians handling cash, especially those on the front line handling cash as a cashier, merchant, etc., should familiarize themselves with the new polymer banknotes’ security features. When we see any cash that doesn’t look real, we can and should refuse it and politely ask for another form of payment.

For our own safety, don’t confront the payer, as doing so may put us in danger; contact local police instead. Plus, the person with the “counterfeit-looking” banknote may be truly innocent and not aware the banknote is potentially a counterfeit. You may be interested to know that Bank of Canada discovered $2.6 million worth of Canadian Journey series counterfeit banknotes last year; 48% were $20 bills and 37% were $100 bills.

Curious readers may be interested to know that the old Canadian Journey series banknote costs 10 cents each to print, compared to 19 cents each for the new polymer banknote, but the polymer banknote will last 2.5 times longer, making polymer banknotes more cost effective in the long term, according to Bank of Canada.

Note: This news is marked “Exclusive” because at press time, as far as I can find or search, no news media has reported or picked up on the existence of the one poor-quality counterfeit new polymer $100 note and the fact that the RCMP National Anti-Counterfeit Bureau has it under analysis.

(Article is cross-posted to Examiner.com)


Bank of Canada confirms poor-quality counterfeit polymer $100 notes as it launches 4 new PSAs to help educate public to prevent financial crimes

Wednesday, 16 May, 2012


Yesterday, Bank of Canada unveiled four public service announcements (PSAs) at Toronto Police Service headquarters.

The Bank of Canada takes counterfeiting very seriously and responds by researching and developing new notes with innovative security features that are both easy to check and hard to counterfeit. The Bank of Canada will be unveiling four new public service announcements to help educate the public and assist in the prevention of Financial Crimes.

During the post-press conference Q&A, a Bank of Canada representative confirmed with this reporter that since the launch of the new polymer $100 notes in November 2011, there have been attempts to counterfeit the polymer $100 notes and the counterfeit $100s were in circulation. Fortunately, according to the Bank representative, these counterfeit C$100 notes were of very poor quality; for example, they didn’t even have the transparent windows, one of the most obvious and easily verifiable security features. This is why the Bank is emphasizing the importance of educating the public to detect counterfeit polymer notes. You can watch my questions and the Bank representative’s answers at the 20:00 mark of this YouTube video.

Full press conference video: Fighting Fraud On The Front Lines ~ Bank of Canada & Toronto Police Financial Crimes Unit

Bank Note Counterfeiting – from Bank of Canada

A good way to check bank notes is FLP (Feel, Look, and Flip) as explained here at the 3:20 mark.

Some readers may remember I’ve previously written about polymer banknotes since Bank of Canada first announced (in March 2011) that it would launch polymer notes in Canada. The following are my in-depth research articles based on information known or found at the time.

March 2011, “Secrets of Bank of Canada’s new plastic money: An advance look of 12 possible security features”

March 2011, “Bank of Canada’s new polymer banknote – Patents & technologies by Securency International”

June 2011, “Canada New Polymer $100 Notes in Nov 2011 – Now your money is smooth & will bounce!”

November 2011, “Canada polymer $100 banknote hands-on look finally! (with video)”

Note: See also this 660 News article reporting about the BoC press conference, “Bank of Canada launches fraud prevention campaign”.

Note: article is cross-posted to examiner.com



Innovative and Flawed MintChip Challenge by The Royal Canadian Mint

Sunday, 22 April, 2012


It is refreshing to see the Royal Canadian Mint (RCM) innovatively create and launch the MintChip Challenge to solicit ideas, software apps submissions and discussions from the public. At the same time, I find it very troubling to see the core security basis of the MintChip system has not been released for public review and discussion. In fact, here is the official RCM line in this forum discussion thread,

While we appreciate your interest in the physical chip’s trusted hardware, public-key infrastructure and encryption methods, we are not in a position to release that information at this time.

Well, “… not in a position to release that information …”, really? I can appreciate the “coolness” in seeing interesting apps and use cases, but security has to be the foundation of MintChip and other similar products. Without a properly reviewed, fully inspected, time-tested cryptographic system as a solid foundation, the rest of the “cool apps” & interesting use cases will not be of use to anyone.

Out of curiosity and interest, I’ve been a long-time reader of security industry expert Bruce Schneier’s ideas and groundbreaking book Applied Cryptography (1995). Bruce wrote this insightful “Snake Oil” warning-signs post in 1999:

The problem with bad security is that it looks just like good security. You can’t tell the difference by looking at the finished product. Both make the same security claims; both have the same functionality. Both might even use the same algorithms: triple-DES, 1024-bit RSA, etc. Both might use the same protocols, implement the same standards, and have been endorsed by the same industry groups. Yet one is secure and the other is insecure.

Many cryptographers have likened this situation to the pharmaceutical industry before regulation. The parallels are many: vendors can make any claims they want, consumers don’t have the expertise to judge the accuracy of those claims, and there’s no real liability on the part of the vendors (read the license you agree to when you buy a software security product).

After rereading the listed nine snake-oil warning signs, I get very uncomfortable when I see these words in the MintChip Challenge,

“Using innovative technology, for which the Mint has prototypes and five patents pending, MintChip uses a secure chip to hold electronic value and a protocol to transfer it from one chip to another.”

What is in these “prototypes”? How are they tested and verified? How much of the crypto system is kept in these pending patents and how much will remain part of the “trade secrets”? Security through obscurity is a very bad idea.

Of course, in the minds of RCM, they may think the $52,000+ MintChip Challenge prize money is totally worthwhile in exchange for the hundreds of developers’ time and effort. At the same time, if project MintChip fails due to flawed security in the crypto system, the credibility of the Royal Canadian Mint will unfortunately be tarnished. So the price is the $52K and the Mint’s reputation!

I urge the Royal Canadian Mint to publish the technical details of the MintChip cryptographic system and invite the security community to properly review and inspect the whole system to ensure it has a solid foundation, to avoid wasting people’s time and, more importantly, to maintain the Mint’s hard-earned credibility.

MintChipChallenge promo video

[HT Dwayne L in the discussion thread for the link to Bruce's "Snake Oil"]


City of Edmonton goes Google Apps – (Part 1/2) Financial, Technological Impacts

Wednesday, 11 April, 2012

Chris Moore, City of Edmonton Chief Information Officer, interview

Update: Part 2/2 Privacy Issues, USA Patriot Act, FOIP Act has now been posted.

Yesterday, City of Edmonton announced it “will become the first major municipal government in Canada to use Google email and other office technology apps for all City employees”. Google Enterprise stated, “While Edmonton may be the first city in Canada to go Google, it’s in great company with other city governments in North America ─ like Pittsburgh, Orlando and Zapopan, Mexico ─ that have already made the move.” It is only natural for people in Calgary, Toronto, and other cities to ask and find out if there is anything we can learn from Edmonton.

In a video interview with Chris Moore, Chief Information Officer of City of Edmonton, Moore said all 6 departments, 31 branches, 10,000+ people, will move to use Google Apps for Government. The press release states, “The change will be phased in over the next few years with Google email and calendar put in place in late 2012, into 2013 and the other apps available for employees to use late next year.”

In fact, Moore told me a few hundred employees are already in pilot projects using Google Apps. (Note: While the police services will stay on their separate system, the city’s fire services, parks & recreations, waste management/day-to-day garbage pickup, tax department, etc. are part of this move.) In a phone interview with Dr. Jonathan Schaeffer, University of Alberta Vice Provost and Associate Vice President (Information Technology) responsible for moving the university to Google Apps for Education, he said U of A has successfully transitioned 125,000 people and has 3,000 people to go in a phased migration. The U of A project started in March 2011 and is expected to be completed in early fall 2012.

According to city of Edmonton manager Simon Farbrother, “This move supports our City Vision, The Way Ahead, to use the most innovative technologies available. We will now have a more inclusive work environment where all employees will have access and be able to share and collaborate in real time on the same document whenever they want, in any location, and on any device such as smartphones and laptops.”

By going to a cloud-based solution, Moore explained, the city is moving away from the old model of software licenses installed on desktops and laptops, with upgrades every year or every other year, to the concept of iterative changes which people are already experiencing in their use of technologies at home.

According to Moore, 3.2 million dollars is the estimated up front cost for moving to Google Apps (e.g. implementation, training, documentation, etc). The cost savings over five years is about 9.2 million dollars,


NanoTech Security – Plasmonics as an anti-counterfeiting measure for banknotes and pharmaceuticals

Friday, 23 December, 2011

I came across an interesting anti-counterfeiting measure for banknotes or pharmaceuticals from NanoTech Security (a Surrey, B.C. based company) in this Fast Company article “A Never Before Seen Optical Trick Creates Ultra-Secure Cash”. [HT Bruce Schneier]

Imagine a bill covered with microscopic holes that make it glow slightly in the light. It’s tech borrowed from a butterfly, and it may soon be foiling counterfeiters around the world.

If all goes as planned, the world’s supply of cash will soon be secured with a nano-scale optical defense that is as secure as it is visually impressive. [...]

The technology was inspired by the Blue Morpho butterfly, whose brilliant blue coloration comes not from pigment but the way that tiny holes in its scales reflect light. But the tech, called Nano-Optic Technology for Enhanced Security (NOtES), is different from the Morpho butterfly’s wings, and pretty much all other bio-inspired reflective optical technologies, in that it is both extraordinarily thin and functions even in dim light.

NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonic (or via Wikipedia). Light waves interact with the array of nano-scale holes on a NOtES display–which are typically 100-200 nanometers in diameter–in a way that creates what are called “surface plasmons.” In the words of the company, this means light “[collects] on the films surface and creates higher than expected optical outputs by creating an electromagnetic field, called surface plasmonic resonance.”

If you are interested in digging deeper into the technical details, have a read of “US patent 2010/0271174 – Security document with electroactive polymer power source and nano-optical display” by I|D|ME’s Chief Scientific Officer Bozena Kaminska (a list of Bozena’s US patents) and Chief Technology Officer Clinton K. Landrock (a list of Clint’s US patents) (by the way, here is Clint’s Twitter).

Here are two informative videos from NanoTech Security so you can see how cool it is.

NOtES – An Introduction

NTS NOtES Master Shim and Embossed Banknote Grade Polypropolyene

I am a tech geek so I love cool technologies but I am also realistic as I understand there are many real world requirements and challenges before this or any other advanced technologies are accepted and adopted.

By the way, Bank of Canada is in the process of launching the 2011 series of polymer banknotes with technologies by Securency International and BoC and printed in Canada by Note Printing Australia (NPA is a wholly owned subsidiary of the Reserve Bank of Australia). So far, BoC has launched the new polymer $100 banknotes in Nov 2011, and will launch the $50 in March 2012, the widely circulated $20 in Fall 2012, and the $10 and $5 before the end of 2013. To deter counterfeiting of banknotes, BoC plans to update its banknote designs faster than before (in 8 years’ time).

Further links/readings:

* Gizmodo article “The Money of the Future Will Shine Like Crazy”

* NanoTech Security (NTS) is a TSX-Venture listed company and you can download its financial & regulatory filings from the Canadian Securities Administrators SEDAR database by searching for “NanoTech Security Corp”. For some reason, I could only find annual reports from 2003 – 2008. I am surprised I couldn’t find annual reports for 2009 and 2010 in the SEDAR database. What happened to these two reports?

P.S. For the record, here is some not so positive news about Securency International (July 1st, 2011 press release) and Reserve Bank of Australia & NPA (July 1st, 2011 press release).


canada polymer $100 – money “laundering” test – wash and dry

Friday, 18 November, 2011

canada polymer $100 – money “laundering” test – after wash and dry

After a detailed (with video) and more serious look at the new Canada polymer $100 banknote, I decided to have some fun and put the brand new $100 to a money “laundering” test. I washed & dried it in a dryer to see what happens.

Non-scientific test results:

* The fold marks are not much worse than regular use.

* The polymer $100 feels noticeably softer after being heated up in the dryer but it feels ok and strong.

* The metallic strip and the holograms are still working great.

Conclusion:

* If you accidentally leave your $100 bills in your jeans pocket, they will survive a wash and dry cycle easily!



Canada polymer $100 banknote hands-on look finally! (with video)

Thursday, 17 November, 2011


I’ve written and speculated extensively about the new Canadian polymer notes. Finally, I am excited to say I’ve got one in my hand now. Have a watch of this slideshow of the new polymer C$100. In comparison, watch this slideshow of the HK$10 (which is less than US/C $2).

Here is a video of me checking out the new polymer $100. I slowed down the video at various places so you can have a closer look at some features.

Comments:

1) Raised ink: I definitely feel the raised ink on the large “100” and the shoulders and different parts of the bill.

2) What hidden 100? I have given up trying to find the hidden numbers (using a single light source) in the maple leaf! Some people can see it, not me. So if this security feature is hard to use, or only some people (or small percent of people) can use it, I am questioning if this is a good security feature at all!

Note: I wonder if this feature is the WinDOE® (Diffractive Optical Element) as I wrote in “12 possible security features” in March?

New Bank of Canada $100 Polymer Note - Hidden numbers

3) Polymer but not cheap plastic feel: I actually quite like the feel and don’t feel it is “cheap” or anything. It feels like it is good quality. But only time and actual use will tell.

4) Large transparent window and metallic strip: I LOVE them! To me, they are the best part of the bill. They are extremely easy to inspect and tell if it is a real $100 with minimum training! They are hard to fake thanks to Securency International’s security features and patented technologies.

Further info: In March, I wrote a speculative technology piece with extensive links to patents by Securency International, “Bank of Canada’s new polymer banknote – Patents & technologies by Securency International”. After the new $100 was announced in June, I wrote “Canada New Polymer $100 Notes in Nov 2011 – Now your money is smooth & will bounce!”

The HK$10 (less than US/C$ 2)

HK polymer $10 (2007)

Here is some design info about the polymer $100 from Bank of Canada:

“$100 Note – Design Features
Portrait: Sir Robert L. Borden, Prime Minister, 1911–20
Signatures: Left – T. Macklem, Right – M.J. Carney
Size: 152.4 x 69.85 mm (6.0 x 2.75 inches)
Issue Date: November 2011
Theme: Medical Innovation


Twitter Virus Vaccine

Sunday, 16 October, 2011

The following tweets are viruses that try to infect you and steal your passwords, etc. Forewarned is forearmed. You are now vaccinated against these stupid Twitter viruses.

* “Hey theres a bad blog going around about you, seen it yet?” <a-link-to-infect-you>

* “lmao…omg i am laughing so hard at this pic u i just found” <a-link-to-infect-you>

If you have come across other Twitter viruses, please share the text (skip the link) in the comment section.


re: internet voting – A software engineer’s critique of Elections Canada Chief Electoral Officer’s plan

Wednesday, 24 August, 2011

Internet voting in a by-election held after 2013

Background

In this article, I am writing as a reporter and also as a computer scientist with 10 years of software engineering experience plus a keen interest in internet security & internet voting issues for over 10 years. To me, there are many potential issues with internet voting and I will discuss two main issues I see in this article.

This recent discussion of internet voting is a result of Elections Canada Chief Electoral Officer’s report on the 41st general election (PDF file) (emphasis and link added),

Under section 18.1 of the Act, the Chief Electoral Officer may carry out studies on alternative voting methods and test electronic voting processes for use during general elections or by-elections, subject to the approval of the House of Commons Standing Committee on Procedure and House Affairs and the Standing Senate Committee on Legal and Constitutional Affairs. Elections Canada has been examining Internet voting as a complementary and convenient way to cast a ballot. The Chief Electoral Officer is committed to seeking approval for a test of Internet voting in a by-election held after 2013.

1) “Security” of internet-based voting system vs. Advantage of Paper Ballots

Paper ballots used in Canada have one major security advantage: it takes a long time to fake or tamper with the votes. Can you imagine, with our existing checks and balances, someone physically tampering with (i.e. changing the voters’ votes on) 10 paper votes, 100 votes, or 10,000 votes? I honestly can’t. There are just so many Elections Canada people and election scrutineers from all parties that tampering with physical votes is almost impossible.

Now, can I, as a former software engineer, imagine someone with the smarts and knowledge of the particular internet voting system’s precise weakness electronically tampering with 100,000 votes in a general election? Absolutely!

Am I just imagining potential security weaknesses and worrying too much? Well, the D.C. Board of Elections and Ethics had some serious egg on their faces in Oct 2010. They thought they had a secure enough internet-based voting system that they asked people to help test their system. After only a few days of testing, their embarrassing failure was documented by the Washington Post in “Hacker infiltration ends D.C. online voting trial”. [HT Bruce Schneier]

Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of “give it your best shot.” Well, the hackers gave it their best shot — and midday Friday, the trial period was suspended, with the board citing “usability issues brought to our attention.”

Here’s one of those issues: After casting a vote, according to test observers, the Web site played “Hail to The Victors” — the University of Michigan fight song.

“The integrity of the system had been violated,” said Paul Stenbjorn, the board’s chief technology officer.

Let me quote Bruce Schneier, with whom I totally agree (emphasis added),

My primary worry about contests like this is that people will think a positive result means something. If a bunch of students can break into a system after a couple of weeks of attempts, we know it’s insecure. But just because a system withstands a test like this doesn’t mean it’s secure. We don’t know who tried. We don’t know what they tried. We don’t know how long they tried. And we don’t know if someone who tries smarter, harder, and longer could break the system.

Fair elections are the foundation of our democracy. As a software engineer of large scale safety and mission critical systems for 10 years, I try to speak with an impartial view. I honestly don’t know if we can build a secure internet voting system that I would risk Canada’s democracy on.

Sure, other countries may have internet-voting which their citizens approve. But what other countries do or don’t do is not necessarily right! I care about my own country’s democracy which is why I am speaking out.

By the way, don’t even think about security by obscurity (using secrecy of design, etc) because it is a really bad idea!

2) Secret Ballots in Polling stations vs. Internet voting location

Polling stations in Canada have a specific set of requirements and the ability to let voters cast their ballots in secret is one of those fundamental requirements.

Unfortunately, when voting is done over the internet, we can no longer be sure all ballots are cast without undue influence from others in the “voting booth” because there isn’t a “voting booth” anymore.

Imagine a religious, trade, activist, etc group encouraging their members to vote on a computer at a common location for “elections parties”, while their leaders keep coercing their members. Can we stop this easily and effectively?

Even if the group is as small as a family, should we allow the sanctity of & requirement of “secret ballots” be violated by over-eager parents, grandparents, relatives, or friends?

3) My brief replies to interesting comments and “solutions” from this CBC News August 18 at 6:43am Facebook posting.

  • From Melissa Dimock, “I’m a little leery of it, but it’s being done elsewhere. I do think that making voting easier, more accessible and convenient would improve voter turn-out. […]” August 18 at 6:45am

My reply: I don’t know if internet-voting will increase voter turn-out for the long term once the novelty factor is gone. But assuming it does, is it worth the risks stated in (1) & (2) above?

  • From Steve Cooper, “I’m not too down with it. I wouldn’t trust it. Imagine on election night the result is a massive swing to a party you are not pleased with. How confident would you be that the result is legitimate?” August 18 at 6:51am

I have to agree with Steve.

  • From David Jamieson, “Nope and Nope again. It is a ridiculous idea in this age of hacking. A vote in a democracy is far too important to be left in the hands of so few. […]” August 18 at 6:52am

I also agree with David.

  • From Erika Belanger, “if you can submit your income tax or do banking on the Internet, we should be able to vote that way. Might have more voters that way. There has to be a way to make it secure…..” August 18 at 6:54am

I think Erika’s thought may be shared by many Canadians. Why is it safe to submit income tax and do banking on the internet but not so for voting?

Well, let’s put things in context with #2 above. We have no worries if someone is watching and monitoring how a person is paying income tax or banking online. But we have serious concerns if someone is monitored and being “influenced” on how they vote in an “internet voting booth” at home or at any location.

Hacking our internet banking may be profitable to criminals, but imagine criminals helping to hack an election and control Canada’s political future. Our votes, paradoxically, are much more valuable in some sense, even though many fellow Canadians routinely give up their right to vote.

A healthy democracy needs constructive debates. Please add your views; I will try to selectively reply to some of the comments.

*** References & Notes ***

Bruce Schneier is an internationally respected computer security expert; he is the expert that I have read and admired for over 10 years! In this article, I quoted his Oct 2010 piece “Hacking Trial Breaks D.C. Internet Voting System” extensively. His earlier but comprehensive Dec 2000 piece “Voting and Technology”, while written over 10 years ago, still contains some valuable insights (even though they may not be his latest thinking). His Dec 2003 “Computerized and Electronic Voting” is also a good read.


Canada New Polymer $100 Notes in Nov 2011 – Now your money is smooth & will bounce!

Monday, 20 June, 2011

Nov 17th update: Happy to say I finally got a chance to play with my new Canada polymer C$100 bill (with video).
***

New Bank of Canada $100 Polymer Note - Front

New Bank of Canada $100 Polymer Note - Back

After some waiting, I am very excited to learn that the new $100 polymer bank notes will begin circulation in November 2011 in Canada. And they look great and cool too!

I’ve been waiting for the polymer notes since March 2011 when I wrote, “Secrets of Bank of Canada’s new plastic money: An advance look of 12 possible security features” and “Bank of Canada’s new polymer banknote – Patents & technologies by Securency International”. Now, I have to see how many of the security features are loaded into the $100 bills, the highest value bank notes in Canada. Not surprisingly, I expected the $100 to have the most security features. Yes, $100 bank notes will have everything and the kitchen sink.

Note: This article is being updated for today and the next few days, so please check back for further general and technical coverage.

New Bank of Canada $100 Polymer Note - Frosted maple leaf window

New Bank of Canada $100 Polymer Note - Large window

New Bank of Canada $100 Polymer Note - Hidden numbers

Here is the official video “Bank of Canada: The New $100 Note”.

Here is a video of my first impression (on 20110620) of the Bank of Canada’s new polymer $100 notes.

For example, as I wrote in “An advance look of 12 possible security features” in March 2011, I speculated the use of LATITUDE™, which I think can now be confirmed at the 1:25 mark of the Bank of Canada video.

1. LATITUDE™ (link to pix) [Kempton: likely, especially on higher value banknote like $100]

“LATITUDE™ is an optically variable device (OVD) that is integrated into the transparent window area of the substrate and allows for design freedom, which enhances the security of the banknote. Through tilting the banknote, multiple images and optical effects are observed.”

Further comments, with time codes, of the official video “Bank of Canada: The New $100 Note”.

0:32 Smooth texture of the notes

0:40 Feel the raised ink (Is this like WinBoss® discussed in “12 possible security features”? Update: Thinking more about it, actually no. I think WinBoss® is a different advanced feature, not used in C$100.)

1:00 Two transparent windows (Is this like WinTHRU® discussed in “12 possible security features”?)

1:05 Frosted maple leaf window & the large window (Is this like LATITUDE™ discussed in “12 possible security features”?)

1:14 Metallic portrait matches the main portrait (Is this like LATITUDE™ discussed in “12 possible security features”?)

1:22 Metallic building (Is this like LATITUDE™ discussed in “12 possible security features”?)

1:25 Tilting will shift colour on portrait and building (Is this like LATITUDE™ discussed in “12 possible security features”?)

1:50 Look through single point light source will see hidden numbers (Is this like WinDOE® (Diffractive Optical Element) as discussed in “12 possible security features”?)

P.S. See my March 2011 article, “Secrets of Bank of Canada’s new plastic money: An advance look of 12 possible security features”.

See official Bank of Canada webcast of the launch announcement.

See also TorStar report, “Coming soon: money you can launder”.


Lockheed Martin’s networks breached by hackers using counterfeit RSA SecurID electronic keys

Saturday, 28 May, 2011

- PC World, “Lockheed-Martin Attack Signals New Era of Cyber Espionage”

- CNN, “Lockheed Martin detects ‘significant’ attack on information network”

- CNet, “Report: Major weapons makers see networks breached by hackers”

- Bloomberg, “U.S. Government Offers Lockheed Assistance After ‘Tenacious’ Cyber Attack”

- AFP, “Lockheed Martin confirms attack on its IT network”

- CBC, “Lockheed Martin hit by cyberattack”

NOTE: Here is a March 2011 CNet background story, “What the RSA breach means for you (FAQ)”


iPhones Tracking questions to Steve Jobs from US Senator Al Franken

Thursday, 21 April, 2011

US Senator Al Franken asks the following questions in a letter to Apple CEO Steve Jobs:

1. Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?

2. Does Apple collect and compile this location data for laptops?

3. How is this data generated? (GPS, cell tower triangulation, WiFi triangulation, etc.)

4. How frequently is a user’s location recorded? What triggers the creation of a record of someone’s location?

5. How precise is this location data? Can it track a user’s location to 50 meters, 100 meters, etc.?

6. Why is this data not encrypted? What steps will Apple take to encrypt this data?

7. Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?

8. Does Apple believe that this conduct is permissible under the terms of its privacy policy? See Apple Privacy Policy at “Location-Based Services” (accessed on April 20, 2011), available at http://www.apple.com/privacy

9. To whom, if anyone, including Apple, has this data been disclosed? When and why were these disclosures made?

[HT Information Week "iPhone Tracking Only Tip Of Security Iceberg"]


iPhone Tracking Discussion – iPhone keeps record of everywhere you go in secret file

Wednesday, 20 April, 2011

iPhone Tracking Discussion

Have a read of “Researchers raise privacy concerns over location tracking in Apple’s iOS 4” for more info. See also: an earlier article here, CNet “Your iPhone’s watching you. Should you care? (FAQ)”.


Worth Reading: iPhone keeps record of everywhere you go in secret file, Terrorism alert less colourful, Sheen’s court, Filmmakers Opposing Premium VOD

Wednesday, 20 April, 2011

* Guardian, “iPhone keeps record of everywhere you go – Privacy fears raised as researchers reveal file on iPhone that stores location coordinates and timestamps of owner’s movements” Here is an excerpt (emphasis added),

“Apple has made it possible for almost anybody – a jealous spouse, a private detective – with access to your phone or computer to get detailed information about where you’ve been,” said Pete Warden, one of the researchers.

Only the iPhone records the user’s location in this way, say Warden and Alasdair Allan, the data scientists who discovered the file and are presenting their findings at the Where 2.0 conference in San Francisco on Wednesday. “Alasdair has looked for similar tracking code in [Google's] Android phones and couldn’t find any,” said Warden. “We haven’t come across any instances of other phone manufacturers doing this.”

Simon Davies, director of the pressure group Privacy International, said: “This is a worrying discovery. Location is one of the most sensitive elements in anyone’s life – just think where people go in the evening. The existence of that data creates a real threat to privacy. The absence of notice to users or any control option can only stem from an ignorance about privacy at the design stage.” [...]

The iPhone system, by contrast, appears to record the data whether or not the user agrees. Apple declined to comment on why the file is created or whether it can be disabled.


Worth Reading: Securing privacy, Showrunner DIY TV promos, Legal strategies in Charlie Sheen case, High noon in i4i-Microsoft fight

Monday, 18 April, 2011

* Guardian, Cory Doctorow: ‘The most powerful mechanism we have for securing the privacy of individuals is for them to care about that privacy’ – video – “Blogger, writer and activist Cory Doctorow on social networking, revolution and how to avoid haemorrhaging personal information online”

* The Hollywood Reporter, Q&A: ‘Cougar Town’ Boss Bill Lawrence Airs His Frustrations With Disney

THR: So what does work?

Lawrence: There are some shows like Modern Family or American Idol where lightning strikes. Otherwise, you have two options. First, you build word-of-mouth.

THR: And the second?

Lawrence: Keep your loyal fans interested by giving them as much access, content and interaction as possible. That’s what I like as a TV viewer. For me, every show that I’ve felt like, “Wow, they actually care what the fans think” or “they’re actually writing for somebody,” I’m more loyal to. On Scrubs, we gave our fans extra content and access to the cast and writers. And in return, we could count on them to find the show on a network that moved the show about 20 times.


Schneier’s Law

Saturday, 16 April, 2011

Something fun about cryptography. Enjoy.

“Schneier’s Law”

by Bruce Schneier on Friday, April 15, 2011 at 12:45pm

Back in 1998, I wrote:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.

In 2004, Cory Doctorow called this Schneier’s law:

…what I think of as Schneier’s Law: “any person can invent a security system so clever that she or he can’t think of how to break it.”


Bank of Canada’s new polymer banknote – Patents & technologies by Securency International

Friday, 11 March, 2011

Nov 17th update:  Happy to say I finally got a chance to play with my new Canada polymer C$100 bill (with video).
***
June 20, 2011 Update: Today (June 20th), the Bank of Canada actually shows us the new polymer $100 notes. I’ve more coverage and technical analysis (with video) here in “Canada New Polymer $100 Notes in Nov 2011 – Now your money is smooth & will bounce!”

***

Bank of Canada’s new polymer banknote uses Securency International polymer substrate

March 13, 2011 Update: I got confirmation from BoC on Friday afternoon that the Guardian® (supplied by Securency International) is indeed the polymer substrate to be used in the new plastic banknotes. By the way, for some reason Securency International’s website seems to have been down for the last few days.

***

It was nice to have an informative phone interview with a Bank of Canada representative this morning about the newly announced plastic banknote (see my lengthy post here). As expected, I was unable to get an official confirmation of whether the Guardian® polymer substrate (supplied by Securency International) will be used. At the same time, I’ve now gathered enough evidence to convince myself that the Guardian® substrate or an enhanced version of it will be used in Canada. After all, the Bank confirmed that they are using “industry proven technology” (the keyword here is “proven”) and stated in its public release,

“As part of its ongoing technology research program with its partners, the Bank has developed some new security features and adapted other existing features for the Canadian context.” [K: so it can be an "enhanced" version if Securency want to do some more testing on the "improvements" first?]

I know banks don’t usually like to talk about their security systems in detail. Many banks still believe (falsely) that the less we know, the more secure their systems are. Not true! I believe that good security has to be based on solid science and careful implementation. “Security by obscurity” is never enough, nor is it secure.

Enough from me, if you are technical and want to learn more, I’ve found some Securency patents for you to study and learn from. As I wrote in a 2006 article as a side comment,

For the patent geek out there, [...] thanks to “2165 The Best Mode Requirement” of the MPEP, patent is required to disclose the “best mode” to make this device thus making the patent an interesting read.

Some US patents by Securency:

7,871,741, Method of producing diffractive structures in security documents

7,790,361, Methods of producing diffractive structures in security documents

7,652,757, Method and apparatus for inspection of security articles incorporating a diffractive optical projection element

7,488,002, Security and/or value document

7,040,664, Self-verifying security documents

7,029,733, Printed matter producing reflective intaglio effect

6,995,383, Method of verifying the authenticity of a security document and document for use in such a method

Some US Patents by others that contain the keyword “Securency”:

7,820,282 (3M), Foam security substrate

7,655,296 (3M), Ink-receptive foam article

Patent searches

You can do the USPTO Patent search yourself for Securency to read more. Or you can use the Google patents search for Securency where you can download patents and patent applications with text and diagrams in PDF files (pretty handy).


Secrets of Bank of Canada’s new plastic money: An advance look of 12 possible security features

Friday, 11 March, 2011

Nov 17th update:  Happy to say I finally got a chance to play with my new Canada polymer C$100 bill (with video).
***
June 20, 2011 Update: Today (June 20th), the Bank of Canada actually shows us the new polymer $100 notes. I’ve more coverage and technical analysis (with video) here in “Canada New Polymer $100 Notes in Nov 2011 – Now your money is smooth & will bounce!”

***

The Bank of Canada today (March 11, 2011) announced that it will begin circulating new polymer (plastic) banknotes starting with $100 in Nov 2011 ($50 in Mar 2012, $20, $10, and $5 notes to be issued by end of 2013). Publicly, BoC has NOT disclosed what security features will be deployed in these polymer banknotes. But based on research using publicly available information, I will try to give you an advance look at 12 **possible** security features in the new Canadian polymer money.

Clues that lead to the “secret”/unannounced 12 possible security features

I know Hong Kong has issued a polymer $10 note (in fact I have one in my hand) and some googling led me to the interesting HKU technical note “Ten-dollar polymer note: Polymer currency technology” (pdf) and the HK government info about the $10 note (pdf). Here is an excerpt from the tech note,

“Different polymer substrates are available for manufacturing purposes, but the one used in printing banknotes is unique and is not commercially available. Hong Kong is using the polymer type called Guardian®, and they are made from polymer biaxially-oriented polypropylene (BOPP).”

From Guardian®, I then found that it is made by Securency International. And if I had known what to look for, I would have found that BoC actually stated this in its backgrounder: the polymer substrate will be supplied by Securency International.

Bank of Canada’s new polymer banknote uses Securency International polymer substrate

An advance look

I want to be clear that the following are 12 security features of Securency International’s Guardian substrate. Since I don’t think Securency makes any other polymer substrate, logically BoC must be using Guardian, so these 12 security features are all possible/available to BoC.

Here are the 12 possible security features with emphasis added. Since I don’t have the costs associated with these features and I don’t have any inside knowledge whatsoever, I am only taking some wild guesses and basing my comments on what I see in the HK$10 note (worth less than about C$2).

[March 11th, 2011 Update: I did some more research and added this article, "Bank of Canada’s new polymer banknote – Patents & technologies by Securency International".]

12 **possible** security features of Canada’s new polymer money

1. LATITUDE™ (link to pix) [Kempton: likely, especially on higher value banknote like $100]


“LATITUDE™ is an optically variable device (OVD) that is integrated into the transparent window area of the substrate and allows for design freedom, which enhances the security of the banknote. Through tilting the banknote, multiple images and optical effects are observed.”

2. WinTHRU® (Complex Window) (link to pix) [K: very likely, it is very easy for users to identify a fake]


“The ability to create transparent areas (or clear and complete windows) is a prime security feature within Guardian® substrate. Including a clear area in a banknote has proven to virtually eliminate the problem of the ‘casual counterfeiter’, who tries to copy or scan banknotes on readily available reprographic equipment (like colour copiers and scanners) [... more ...]”

3. WinDOE® (Diffractive Optical Element) (link to pix) [K: don't see why not?]

“The WinDOE® (Diffractive Optical Element) is a holographic structure applied to the surface of the clear window. When collimated light such as a distant point light source passes through the WinDOE®, it is transformed by the WinDOE® structure into a recognisable pattern (image) by the process of diffraction. The user can view the image in two ways. By holding the WinDOE® up to the eye and looking directly at a distant point source the user will see the image appear in space between the note and the light source. The appearance of the image will depend on the light source used. [... more ...]”

4. G-switch® (Dynamic optical colour shift) [K: Hmmm, why not?]

“G-switch® is a dynamic optical feature that changes colour when tilted under a light source.


Credit card fraud: Prevention/detection

Monday, 7 February, 2011

*** “Legitimate” voice message from “CIBC credit card fraud department” at “1-866-454-4339”?

Is this telephone fraud or is it for real?

Hello, this is the CIBC credit card fraud department calling. We have an urgent message for yyyy. Please note that this is not a sales call. And it is important that we speak with you. Please contact CIBC at 1-866-454-4339 at your earliest opportunity. A representative will be available to assist you 24 hours a day, 7 days a week. The number again is 1-866-454-4339. Thank you very much and have a nice day. For your convenience, this message will repeat again. Hello, this is the CIBC credit card fraud department [...]

A friend recently received the above message. In a series of articles about credit card fraud, I will share with you my reactions, investigations & recommendations to credit card users and the credit card companies.

*** Trusting a random voice message? When in doubt, what to do?

Should you trust a random and machine generated voice message claiming to be your credit card provider? My reaction and advice is of course NOT! With so many cases of reported telephone and internet fraud, people are correct to be VERY skeptical of random phone calls concerning their private financial information.

- Problem: At press time, research and investigation by the author has confirmed that the toll-free number 1-866-454-4339 is NOT even listed in CIBC’s official information/website. How can people trust this as a valid toll-free number? Comments: This is a serious mistake that can be easily fixed. First of all, it makes 100% sense to list the fraud department’s toll-free number on the bank’s official website. Better, print the fraud department’s 24/7 toll-free number on the back of credit cards, and ask the customers to call the toll-free number on their credit card!

- Comments: For security reasons, customers don’t know and can’t really confirm who is calling them (an incoming call’s caller ID can be spoofed/faked) BUT they can be more certain of who they call (after all, they dial the digits themselves). So the fraud department should really ask their customers to call them directly using a well-publicized number and not just an unpublished toll-free number.

The moral of the story for customers and CIBC credit card fraud department (yes, 1-866-454-4339 is indeed CIBC’s number) is this: When in doubt, be polite but don’t trust random people. Use only toll-free numbers that you can be 120% SURE are from the financial institutions. Don’t trust any other unofficial sources, websites, or blogs (including this blog). Your financial information is too important to blindly trust some stranger.

[update: With this new reader comment, I revised the moral of this story to simply, "When in doubt, be polite but don't trust random people. Use only toll-free numbers that you can be 120% SURE are from the financial institutions.".]

*** Fraud detection

The fraud department customer service agent was neither able nor willing to share much information. But here are a few noteworthy pieces of information based on what was implied:

- They seem to have no idea when the fraud happened. The official line was: it could have happened in the last year! Yes, 12 months!

- If they detect lots of potentially fraudulent activity at a merchant, the fraud detection department seems to be quite defensive and will re-issue/cancel the cards of customers who transacted at that merchant.


Reconceptualizing Security – Bruce Schneier @ TEDxPSU

Friday, 29 October, 2010

Bruce Schneier (wikipedia bio) talking about reconceptualizing security @ TEDxPSU. Bruce is an insightful man that knows a lot about security. [HT Bruce]

