Automated Shoulder Surfing iPad Passwords

A PDF is available from thinkst with details on how to shoulder surf the iPad.

It points out that the keypad buttons glow when selected, defeating the mask of the password field. They have released an application to drive the risk home — a camera records the keys that glow.

Even better, they have referenced the movie Sneakers to point out that this is a simple and known threat. Kudos to them for not claiming any sophistication in their threat. It’s a simple and well-known attack, and that is what makes the Apple product so annoyingly dangerous to use.

This image about how to type a PIN should look very familiar.

Hide your keys

Back to the PDF, this section caught my eye:

We have long realised the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rare to find an application that fails to mask the password on screen.
[…]

We take the fact that password masking is so ubiquitous as the obvious acknowledgement of shoulder surfing as a viable attack method.

Few people probably realize how lucky we are to have those passwords masked. When I worked on television and mobile authentication user interface security for many millions of devices, one of my toughest jobs was to convince the developers and product managers to hide passwords. They did not want to do it and they had some good reasons to resist.

I would always hear the argument that making it easier to see the password when typing on a small screen, a small keypad, a keypad on a big screen, using a joystick, etc. meant fewer support/helpdesk tickets. The cost was palpable.

Take one mobile interface, for example. I argued that the character entered should immediately be masked, just like the typical computer interface. The product manager responded with some user behavior data linked to cost — showing the character entered until the next character was entered reduced password-related helpdesk calls by more than 30%, with a cost per call said to be $10-15. That adds up quickly for tens of thousands of devices.

We ended up masking the character as soon as the next character was entered or after 1 second, whichever came first. That reduced the chance of exposure from shoulder surfing while still allowing us to force complex passwords. The only way I was going to get to constant masking was to reduce complexity (e.g. no uppercase, no symbols). Trade-offs and calculations of masking were hard, to say the least.
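To make the trade-off concrete, here is an added simulation (not code from the post or from any product the author worked on) that renders a password field under the three policies discussed above and measures how many seconds each typed character stays readable: immediate masking, mask-on-next-character (the product manager's version), and the compromise of mask-on-next-character or after a timeout, whichever comes first. The keystroke timings, the 1-second timeout and the submit time are constructed sample input. Note that this models the text field only; it does nothing against the key-glow channel thinkst describes, which leaks the key regardless of how the field is masked.

```python
"""Simulate password-field masking policies and measure exposure time.

Added illustration, not code from the post or from any shipped product.
Policies:
  immediate  - a character is masked the instant it is typed
  next_char  - a character stays visible until the next one is typed
  hybrid     - visible until the next character OR a timeout, whichever first
"""
from typing import List, Tuple

# (character, seconds since the field was focused); constructed sample input.
KEYSTROKES: List[Tuple[str, float]] = [
    ("P", 0.0), ("a", 0.4), ("s", 0.7), ("$", 2.9),
    ("w", 3.1), ("0", 3.2), ("r", 5.0), ("d", 5.1),
]
SUBMIT_AT = 9.0  # the user presses "done" 3.9 s after the last key


def render(keys: List[Tuple[str, float]], now: float, policy: str,
           timeout: float = 1.0) -> str:
    """Return the field as it would appear on screen at time `now`."""
    typed = [(c, t) for c, t in keys if t <= now]
    out = []
    for i, (c, t) in enumerate(typed):
        is_last = i == len(typed) - 1
        if policy == "immediate":
            show = False
        elif policy == "next_char":
            show = is_last                      # exposed until another key arrives
        elif policy == "hybrid":
            show = is_last and (now - t) < timeout
        else:
            raise ValueError(f"unknown policy {policy!r}")
        out.append(c if show else "*")
    return "".join(out)


def exposure_windows(keys: List[Tuple[str, float]], submit_at: float,
                     policy: str, timeout: float = 1.0) -> List[float]:
    """Seconds each character is readable under `policy`.

    The final character has no successor, so under next_char it stays
    readable until the user submits; that is the window an onlooker gets
    while the victim reaches for the "done" button.
    """
    windows = []
    for i, (_, t) in enumerate(keys):
        next_t = keys[i + 1][1] if i + 1 < len(keys) else submit_at
        gap = next_t - t
        if policy == "immediate":
            windows.append(0.0)
        elif policy == "next_char":
            windows.append(gap)
        elif policy == "hybrid":
            windows.append(min(gap, timeout))
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return windows


if __name__ == "__main__":
    for policy in ("immediate", "next_char", "hybrid"):
        w = exposure_windows(KEYSTROKES, SUBMIT_AT, policy)
        print(f"{policy:10s} screen@4.5s={render(KEYSTROKES, 4.5, policy)!r:12s} "
              f"total exposure={sum(w):.1f}s  worst char={max(w):.1f}s")
```

The numbers are the point: with the sample timings, next_char leaves characters readable for the entire 9-second entry (3.9 s of it on the last character alone), while the hybrid policy bounds every character at the timeout and roughly halves the total, which is the reduction that made it possible to keep complex passwords without paying the full cost of immediate masking.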

The threat models for mobile devices always led to shared spaces, especially transportation that forced closeness. Imagine sitting in the narrow seats of public transportation in Philadelphia or New York. Yes, I’ve even researched the space allocated between passengers. Did you know that San Francisco’s BART has the most space between passengers — anti-shoulder surfing or just wasted space? Airplanes and buses have the additional problem of rows facing the same direction but airplanes are especially bad because of the space between seats that allows for peering eyes to look through…

That is all for mobile devices that people carry with them. Giant televisions and projectors are another story entirely. Imagine inviting all your friends over to watch a movie. Then, just as you are about to start up NetFlix, you get a message from the Playstation network that it needs you to change your password (no fault of your own, it’s because they were hacked). So you sit in a big room with a big screen and slowly use a joystick to enter your password. The keys you select are illuminated on the screen for everyone to stare at and see. Do you ask everyone to come back in five minutes?

I actually wrote a solution to this problem and patented it but I still see consoles (e.g. NetFlix on Playstation) that illuminate your keystrokes and thereby display your actual password to everyone. Perhaps the thinkst story will generate more demand for use of the patented authentication mechanism. In brief, I proposed a token system that had a password for initial registration but a simplified identification system later for unique input devices like joysticks, phone keypads and touchscreens.

Imagine logging into the Playstation network by using a token and the joystick button sequence “XO^X->”, for example. If people can figure it out for easter eggs and cheats, I knew they could use it to login. I mean why not setup your system for login with your RockBand Guitar? The point of the patent was to leverage the universal input capabilities of devices and tie it to a token created on a computer, rather than try to pound everything into being more like a keyboard.

The designers and product managers at Apple probably thought they were doing users a favor by illuminating keys pressed in order to simulate the feedback of a physical keyboard. And then the other product companies while copying (should I say “embracing and extending“?) the Apple touch interface (Android/RIM) unfortunately also copied the illumination aspect of the keypad. It’s good that they masked the password but they should have thought more about the risk. Then again, I wouldn’t consider Apple product design suitable for an environment with any real risk. That’s not really what they’re designed for…

Ever notice that Apple’s iPad marketing campaign has them floating in some kind of utopian emptiness of just one superuser?

No perspective on who might be looking over your shoulder; no uncontrolled environments…you don’t see any messaging about product design from them related to real-world risks, especially not like this:

Tough

Full disclosure: I own a Panasonic Toughbook. It’s the best laptop I’ve ever owned. I’ve sold all my Apple products and don’t miss fixing them.

Microsoft Fights Porn Searches

Computerworld, via CSO, is claiming that people searching for porn are “attacking” Microsoft’s platform with “poison”.

Microsoft on Saturday disabled the search tool on its Safety & Security Center after attackers poisoned results with links to pornographic URLs.

[…]

Although search poisoning is not unusual — it’s a well-worn tactic by those hoping to spread malware and dupe users into visiting scamming sites — this is different, said [CEO of Sunbelt Software] Eckelberry.

“This is crafty,” Eckelberry said today in an interview. “This isn’t normal search poisoning. It’s poisoning the results with actual searches. Users were getting back a prior search as a search result.”

Now you know a “crafty” way to “poison” search statistics — search for something.

Nowhere in the story does anyone mention that searches for porn are expected to be a huge percentage of total searches. Meanwhile the recent news from Nepal, which has tried to ban porn, is that search statistics show porn is popular.

Despite the August 2010 Home Ministry ban on pornographic websites in Nepal, the number of Nepali internet users surfing pornographic contents online has not dwindled.

Currently, the number of porn content seekers on Google—the most popular search engine—stands at a staggering growth rate of over 140 percent.

The Microsoft attack is described by CSO like this:

By repeatedly searching for sites using pre-selected phrases — “sex” and “girl,” for example — on the Safety & Security Center, criminals tricked the site into saving those searches, which then popped up near the top of the results of any subsequent searches by others.

Now consider that the Nepal news is written like this:

Google states the searches are often done with titles such as “hot babes”, “beautiful girls”, “cute hotties”, “sexy models wallpapers” and “bollywood babes”. […] Searches for naked and vulgar images have also rocketed to around 90 percent in the last few years.

So was the Microsoft site actually “tricked” or was it reflecting a predictable search statistic as a result of an open policy on results?

Eckelberry does not explain whether the saved searches were linked to actual human searches or falsified (i.e. automated) accounts. The article speculates a Twitter feed may have been related to the surge but it also sounds like a search engine ranked porn pages as popular when a lot of users searched for porn. That means they could have called it a search engine data point on behavior (i.e. Nepal’s news) instead of an attack. The CSO story follows the trend of experts who like to call attacks “sophisticated” or “crafty” without offering any guidance on what that really means relative to daily threats/behavior.
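The distinction the story never draws, between a term that many people searched for and a term that a few sources searched for many times, is easy to make visible once searches are attributed to their source. The following is an added illustration, not code from the CSO/Computerworld story or from Microsoft's site: a toy "popular searches" ranker run over a constructed log. The log layout (timestamp, client id, query) and the client ids are assumptions. Ranking by raw volume, as a naive saved-searches feature would, puts the hammered terms on top; ranking by distinct clients, or capping each client's contribution, does not; and a dominance ratio shows whether one source produced the "popularity". None of this can tell many humans from many bots on its own, which is exactly the question left open in the article.

```python
"""Toy 'popular searches' ranker: raw volume vs. per-source attribution.

Added illustration, not code from the CSO/Computerworld story or from
Microsoft's site. The log lines are constructed and the field layout
(timestamp, client id, query, tab-separated) is an assumption.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (timestamp, client_id, query)


def _line(ts: str, client: str, query: str) -> str:
    return f"{ts}\t{client}\t{query}"


# Constructed sample log: two clients hammer two terms; many distinct
# clients each issue ordinary security queries once or twice.
SAMPLE_LOG: List[str] = (
    [_line("2010-11-13T10:00:00", "c1", "sex")] * 25
    + [_line("2010-11-13T10:00:01", "c2", "girl")] * 20
    + [_line("2010-11-13T10:05:00", f"c{i}", "malware removal") for i in range(3, 15)]  # 12 clients
    + [_line("2010-11-13T10:06:00", f"c{i}", "phishing") for i in range(15, 23)]       # 8 clients
    + [_line("2010-11-13T10:07:00", f"c{i}", "firewall") for i in range(23, 26)] * 2   # 3 clients, twice each
)


def parse_log(lines: List[str]) -> List[Record]:
    """Parse tab-separated log lines; queries are normalised to lower case."""
    records = []
    for line in lines:
        ts, client, query = line.rstrip("\n").split("\t", 2)
        records.append((ts, client, query.strip().lower()))
    return records


def top_by_volume(records: List[Record], n: int = 3) -> List[Tuple[str, int]]:
    """Naive saved-searches ranking: raw query count, source ignored."""
    return Counter(q for _, _, q in records).most_common(n)


def top_by_distinct_clients(records: List[Record], n: int = 3) -> List[Tuple[str, int]]:
    """Rank by how many different clients issued each query."""
    clients: Dict[str, set] = defaultdict(set)
    for _, c, q in records:
        clients[q].add(c)
    return Counter({q: len(s) for q, s in clients.items()}).most_common(n)


def top_capped(records: List[Record], n: int = 3, cap: int = 3) -> List[Tuple[str, int]]:
    """Each client contributes at most `cap` to a query's score."""
    per_client = Counter((c, q) for _, c, q in records)
    score: Counter = Counter()
    for (_, q), k in per_client.items():
        score[q] += min(k, cap)
    return score.most_common(n)


def dominance(records: List[Record]) -> Dict[str, float]:
    """Share of each query's volume that came from its single busiest client.

    A value near 1.0 means one source manufactured the 'popularity'; a
    small value means the volume really is spread across many searchers.
    """
    per_client = Counter((c, q) for _, c, q in records)
    total = Counter(q for _, _, q in records)
    biggest: Dict[str, int] = defaultdict(int)
    for (_, q), k in per_client.items():
        biggest[q] = max(biggest[q], k)
    return {q: biggest[q] / total[q] for q in total}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by volume:         ", top_by_volume(recs))
    print("by distinct client:", top_by_distinct_clients(recs))
    print("capped per client: ", top_capped(recs))
    for q, d in sorted(dominance(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {q:16s} dominance={d:.2f}")
```

Run as-is, "sex" and "girl" top the volume ranking with dominance 1.00, while "malware removal" tops both source-aware rankings with dominance 0.08. In a real deployment the client id would have to come from something harder to spoof than a cookie or a single IP, which is why even source-aware counts leave open whether the sources were people or automation.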

ATMs for the Illiterate

Scientific American reports that NCR is developing an ATM for customers who are illiterate and often have no pockets. No pockets? It’s interesting that they call that out as a major consideration.

The pillar ATM’s form and function are the result of considerable socioeconomic research in low- and middle-income countries—including how and when residents in rural areas use money, the utility of ATMs to people whose clothing often lacks pockets and the practicality of delivering modern banking services to a population literally unable to read the fine print. “The invention of this unit was based on our examination of the underbanked in India, particularly in the neighborhoods of Mumbai,” says Lyle Sandler, NCR’s vice president of Design and Consumer Experience. “We’re talking about a community with a high level of illiteracy, so clearly the typical ATM that someone would approach would be impossible to maneuver.”

First I am curious if they considered spending the same money on literacy programs to achieve the same results (banking in rural regions) with greater benefits.

Second, it seems to me the illiterate could put on a headset and listen to an ATM, like the blind. Audio is already deployed in ATMs to comply with the ADA — Interactive Voice Response Services (IVRS). Is audio too expensive or fragile for this project?

And then there’s the security of the fingerprint data and the log of who was where and when. If the target population is using these boxes for small denominations on a regular basis then NCR is really building a surveillance box…

Speaking of illiteracy and security, the story claims a receipt is important even to those who can’t read.

NCR researchers also found that the users they queried wouldn’t consider a transaction complete without some form of receipt, “which is how and why NCR built the first cash register, so some things never went away,” Sandler says.

Is this really about illiteracy?

Something didn’t sound (pun not intended) right to me (e.g. illiterate customers with no pockets who want receipts) so I dug through the NCR research papers on ATMs. The key to unlock this story may be in a 2009 report called the “Financial Inclusion Whitepaper“.

NCR points to three steps of “Financial Inclusion”. Self-service solutions appear to be at the opposite end of banking from “accounts under utilized”, as illustrated in their chart:

Financial Inclusion Cycle

The under utilized end of the spectrum is then revealed to be a security concern; traditional methods of banking face risks from robbery and remoteness. Those are the two big inhibitors that NCR hopes to fix with technology.

Currently, the favored delivery channel for microfinance and microcredit is via the business correspondent (BC) model, whereby an agent (who may or may not be a direct employee of the financial institution) personally travels within a wide geographical area to enroll customers, delivers loans, and collects repayments. The ‘doorstep banking’ model has obvious restrictions of scale as well as security. Agents may abscond with their clients’ funds or may themselves be the target of thieves.

Conventional delivery model
Technology can improve conventional delivery channels such as the BC model by adding new levels of security, speeding up enrolment procedures or ensuring accuracy. Used in this way, technology offers conventional models the chance to increase scale, though to a limited degree. A conventional BC model will always be restricted by the amount of ground the agent can physically cover.

The real story is about banks looking for ways to lower their risk when lending in micro-finance environments. Now I see how this fits into literacy. NCR is building technology developed over the past two years meant to reduce cost for banks to offer services in high risk but also high interest areas. They aim to reduce the need to provide the security personnel that would protect lending staff/assets, to reduce the burden of audit, and to reduce the need to hire lending staff at all — all replaced by technology usable by even illiterate customers.

This technology solution is based on an infrastructure path already worn by the postal service. The research they cite provides some great data points for discussion on trust and security in a publicly shared service (cloud) environment. A “Collaborative model to provide postal and telecommunications facilities to [27,000] unserved villages”, for example, has developed “a network of fixed infrastructure that can be shared for delivering various services including banking and microfinance.”

The primary consideration is to create a tamper-proof cash box that will be inexpensive enough to make micro-finance profitable (with its 20-50% interest rate) when operated over long distances with limited (and shared) infrastructure.

NCR’s system will have a tough time competing with the rapid growth of mobile phone tokens used for payment, such as the M-PESA currency transfer and bank account service. Launched by Vodafone in Eastern and Central Africa, Afghanistan and India, the system is mentioned by NCR in their paper on financial inclusion.

It allows subscribers to deposit and withdraw money via Safaricom’s airtime-sales agents, and send funds to each other by text message (SMS). The service is now used by around a quarter of Safaricom’s 10.5m customers. Casual workers can be paid quickly by phone; taxi drivers can accept payment without having to carry cash around; money can be sent to friends and family in emergencies. More than twice as many people have a mobile phone than have a bank account in Kenya which indicates that mobile phones could act as an important tool for financial inclusion.

Mobiles can satisfy the no-pockets and no-literacy requirements, and also operate without fingerprints and expensive tamper-proof boxes (surveillance is another story). NCR however believes the two will be complementary, not competitive (mobiles will need assistance if cash is required). The issue is thus whether requiring a fingerprint to access a strange box without human interaction will help speed the demise of cash instead of making it more inclusive.

Indian Post Box
Perhaps Not the Best Model

The Peace of Wild Things

by Wendell Berry

When despair for the world grows in me
and I wake in the night at the least sound
in fear of what my life and my children’s lives may be
I go and lie down where the wood drake
rests in his beauty on the water, and the great heron feeds.
I come into the peace of wild things
who do not tax their lives with forethought
of grief. I come into the presence of still water.
And I feel above me the day-blind stars
waiting with their light. For a time
I rest in the grace of the world, and am free.