Biometric authentication systems for secured e-transactions in Saudi Arabia. An empirical investigation of the factors affecting users' acceptance of fingerprint authentication systems to improve online security for e-commerce and e-government websites in Saudi Arabia.

Al-Harby, Fahad M.

January 2010

Security is becoming an increasingly important issue for business, and with it comes the need for appropriate authentication; consequently, it is becoming gradually more important to develop secure e-commerce systems. Fraud via the web, identity theft, and phishing are raising concerns for users and financial organisations. In addition, current authentication methods, like passwords, have many problems (e.g. some users write them down, they forget them, or they make them easy to hack). We can overcome these drawbacks by using biometric authentication systems. Biometric systems are being used for personal authentication in response to the rising issue of authentication and security. Biometrics provide much promise, in terms of preserving our identities without the inconvenience of carrying ID cards and/or remembering passwords. This research is important because the securing of e-commerce transactions is becoming increasingly important. Identity theft, hacking and viruses are growing threats to Internet users. As more people use the Internet, more identity theft cases are being reported. This could harm not only the users, but also the reputation of the organisations whose names are used in these illegal acts. For example, in the UK, online banking fraud doubled in 2008 compared to 2007. More users took to e-shopping and online banking, but failed to take necessary protection. For non-western cultures, the figures for web security, in 2008, illustrated that Saudi Arabia was ranked ninth worldwide for users who had been attacked over the web. The above statistics reflect the significance of information security with e-commerce systems. As with any new technology, user acceptance of the new technology is often hard to measure. In this thesis, a study of user acceptance of biometric authentication systems in e-transactions, such as online banking, within Saudi society was conducted. It examined whether Saudis are practically willing to accept this technology. This thesis focuses upon Saudi Arabia, which has developing economy. It has achieved a rapid rate of growth, and therefore makes an interesting and unique case study. From an economist¿s point of view, Saudi Arabia is the powerhouse of the Middle East. It has the leading regional economy, and, even though it is still relatively young. It has a young and rapid growing population; therefore, this makes Saudi Arabia an attractive potential market for all kinds of e-commerce applications. Having said that, with more than half of population under the age of 30 are more to be expected to take the risk of accepting new technology. For this work, 306 Saudi participants were involved in the experiments. A laboratory experiment was created that actively tested a biometric authentication system in combination with a survey. The Technology Acceptance Model (TAM) was adopted in the first experimental phase as the theoretical basis on which to develop the iv research framework, the model has proven its efficiency as a good predictor for the biometric authentication system. Furthermore, in a second experimental phase, the Unified Theory of Acceptance and Use of Technology (UTAUT) with moderating variables such as age, gender and education level was examined as a proposed conceptual framework to overcome the limitations of TAM. The aim of the study was to explore factors affecting users¿ acceptance of biometric authentication systems. The findings from Structural Equation Modelling (SEM) analysis indicate that education level is a significant moderating factor, while gender and age do not record as significant. This thesis added new knowledge to this field and highlighted the importance of the perceptions of users regarding biometric security technologies. It helps determine the factors affecting the acceptance of biometric technology. To our knowledge, this is the first systematic study of this issue carried out by academic and non-biased researchers in Saudi Arabia. Furthermore, the thesis presents security technology companies and developers of information security products with information to help in the determination of what is significant to their user base when taking into account the introduction of new secure systems and products.

Authentication

Biometric

E-government

E-commerce

E-transactions

Fingerprint

Saudi Arabia

Web security

Technology acceptance

User acceptance

Fraud

Identity theft

Vulnerability in online social network profiles. A Framework for Measuring Consequences of Information Disclosure in Online Social Networks.

Alim, Sophia

January 2011

The increase in online social network (OSN) usage has led to personal details known as attributes being readily displayed in OSN profiles. This can lead to the profile owners being vulnerable to privacy and social engineering attacks which include identity theft, stalking and re identification by linking. Due to a need to address privacy in OSNs, this thesis presents a framework to quantify the vulnerability of a user¿s OSN profile. Vulnerability is defined as the likelihood that the personal details displayed on an OSN profile will spread due to the actions of the profile owner and their friends in regards to information disclosure. The vulnerability measure consists of three components. The individual vulnerability is calculated by allocating weights to profile attribute values disclosed and neighbourhood features which may contribute towards the personal vulnerability of the profile user. The relative vulnerability is the collective vulnerability of the profiles¿ friends. The absolute vulnerability is the overall profile vulnerability which considers the individual and relative vulnerabilities. The first part of the framework details a data retrieval approach to extract MySpace profile data to test the vulnerability algorithm using real cases. The profile structure presented significant extraction problems because of the dynamic nature of the OSN. Issues of the usability of a standard dataset including ethical concerns are discussed. Application of the vulnerability measure on extracted data emphasised how so called ¿private profiles¿ are not immune to vulnerability issues. This is because some profile details can still be displayed on private profiles. The second part of the framework presents the normalisation of the measure, in the context of a formal approach which includes the development of axioms and validation of the measure but with a larger dataset of profiles. The axioms highlight that changes in the presented list of profile attributes, and the attributes¿ weights in making the profile vulnerable, affect the individual vulnerability of a profile. iii Validation of the measure showed that vulnerability involving OSN profiles does occur and this provides a good basis for other researchers to build on the measure further. The novelty of this vulnerability measure is that it takes into account not just the attributes presented on each individual profile but features of the profiles¿ neighbourhood.

Personal information disclosure

Data retrieval

Vulnerability

Measurement

Privacy and OSNs.

Personal details in OSNs.

Online social networks (OSN)

Vulnerability algorithm

Identity theft

L’étude de l’influence des facteurs légaux et extralégaux dans le cheminement des affaires de fraude au Québec

Voltaire, Natasha

12 1900

L’objectif de cette étude consiste à mieux comprendre le phénomène de l’attrition pénale au Canada. D’une part, elle vise à déterminer quels sont les facteurs d’influence des décisions pénales motivant la poursuite ou l’arrêt des procédures. D’autre part, il est question de vérifier si ces facteurs sont comparables à chaque étape décisionnelle ou non. Pour y parvenir, une analyse de différentes décisions prises par des policiers, des procureurs et des juges fut réalisée. Un total de 525 affaires criminelles a été considéré. Les analyses descriptives montrent que l’échantillon est principalement constitué d’hommes (77%) sans antécédents criminels en matière de fraude (76%). Les analyses multivariées suggèrent que les facteurs légaux sont les meilleurs prédicteurs des décisions pénales. Comme observé dans la littérature, les antécédents criminels et la gravité de l’infraction semblent influencer les décisions. Ainsi, le fait d’avoir fait une tentative de vol d’un certain montant d’argent, le nombre d’infractions commis et la présence d’antécédents criminels de fraude semblent influencer ces décisions. Lorsque le suspect fait une tentative de vol et qu’une infraction a été commise (comparativement à plusieurs), des accusations sont moins susceptibles d’être recommandées contre lui par la police. Cette probabilité est également moindre lorsque le suspect possède des antécédents criminels de fraude (une relation marginale a été observée). De plus, il semble que l’influence des facteurs diffère d’une étape à une autre. Un retour plus explicite sur ces résultats est effectué dans la discussion. / This study aim to better understand the attrition phenomenon in Canada. On one hand, it seeks to identify the factors that influence criminal decisions in the pursuit or stay of proceedings. On the other hand, it seeks to verify whether or not these factors are comparable at each decision-making stage. To achieve this, an analysis of various decisions that have been taken by police officers, prosecutors and judges was carried out. A total of 525 criminal cases was considered. Descriptive analyzes show that the sample consists mainly of men (77%) with no criminal history of fraud (76%). Multivariate analyzes show that legal factors are the best predictors of criminal decisions. As observed in the literature, the presence of criminal history and the seriousness of the offense appear to influence the decisions. Thereby, the attempt to steal a certain amount of money, the number of offenses committed and the presence of a criminal history of fraud appear to influence these decisions. When the suspect makes an attempt theft and an offense has been committed (compared to several), charges are less likely to be recommended against him by the police. This probability is also lower when the suspect has a criminal history of fraud (a marginal effect was observed). Moreover, it seems that the influence of factors differs from one stage to another. A more explicit return on these results is carried out in the discussion.

Processus judiciaire

Facteurs légaux

Facteurs extralégaux

Fraude

Vol d'identité

Judicial processing

Legal factors

Extralegal factors

Fraud

Identity theft

Information Privacy: A Quantitative Study of Citizen Awareness, Concern and Information Seeking Behavior Related to the Use of the Social Security Number as a Personal Identifier

Clossum, Rhonda Marisa

01 May 2010

Information technology has transformed the manner in which personal identifying information is collected, stored and shared in government agencies and private businesses. The social security number has become the de facto identifier for individuals due to its notable qualities: a nine-digit number assigned to one person by the United States government. As individuals are increasingly asked to disclose personal information, the question arises: How does the lack of awareness of social security number laws contribute to the loss of privacy, loss of control of personal information and the threat of identity theft? This study examines awareness levels of social security number laws and policies that affect individuals’ daily lives from the perspective of the information science profession. This study also examines concerns relative to widespread usage of the social security number. A quantitative research method using an online survey was employed using convenience and snowball sampling of adult university students and other community members. Survey results were analyzed by age, gender, educational achievement and student status. Awareness levels were shown to differ significantly by age. There were no differences in overall concern found to exist by any demographic. Survey results showed libraries were consulted for privacy information less often than search engines. Study findings support increasing awareness levels of privacy laws by encouraging use of library resources.

Information Seeking

Privacy Literacy

Awareness

Social Security Number

Identity Theft

Law and Society

Legal Education

Library and Information Science

Other Law

Social and Behavioral Sciences

State and Local Government Law

Preserving privacy with user-controlled sharing of verified information

Bauer, David Allen

13 November 2009

Personal information, especially certified personal information, can be very valuable to its subject, but it can also be abused by other parties for identify theft, blackmail, fraud, and more. One partial solution to the problem is credentials, whereby personal information is tied to identity, for example by a photo or signature on a physical credential. We present an efficient scheme for large, redactable, digital credentials that allow certified personal attributes to safely be used to provide identification. A novel method is provided for combining credentials, even when they were originally issued by different authorities. Compared to other redactable digital credential schemes, the proposed scheme is approximately two orders of magnitude faster, due to aiming for auditability over anonymity. In order to expand this scheme to hold other records, medical records for example, we present a method for efficient signatures on redactable data where there are dependencies between different pieces of data. Positive results are shown using both artificial datasets and a dataset derived from a Linux package manager. Electronic credentials must of course be held in a physical device with electronic memory. To hedge against the loss or compromise of the physical device holding a user's credentials, the credentials may be split up. An architecture is developed and prototyped for using split-up credentials, with part of the credentials held by a network attached agent. This architecture is generalized into a framework for running identity agents with various capabilities. Finally, a system for securely sharing medical records is built upon the generalized agent framework. The medical records are optionally stored using the redactable digital credentials, for source verifiability.

Merkle hash tree

Credential

Medvault

Identity agent

Dependencies

Disclosure dependencies

Hash graph

Identity management

Security

Cryptography

Hash tree

Privacy

GUIDE-ME

GUCIdA

Identity theft

Computer security

Data protection

Information Privacy: A Quantitative Study of Citizen Awareness, Concern and Information Seeking Behavior Related to the Use of the Social Security Number as a Personal Identifier

Clossum, Rhonda Marisa

01 May 2010

Information technology has transformed the manner in which personal identifying information is collected, stored and shared in government agencies and private businesses. The social security number has become the de facto identifier for individuals due to its notable qualities: a nine-digit number assigned to one person by the United States government. As individuals are increasingly asked to disclose personal information, the question arises: How does the lack of awareness of social security number laws contribute to the loss of privacy, loss of control of personal information and the threat of identity theft? This study examines awareness levels of social security number laws and policies that affect individuals’ daily lives from the perspective of the information science profession. This study also examines concerns relative to widespread usage of the social security number. A quantitative research method using an online survey was employed using convenience and snowball sampling of adult university students and other community members. Survey results were analyzed by age, gender, educational achievement and student status. Awareness levels were shown to differ significantly by age. There were no differences in overall concern found to exist by any demographic. Survey results showed libraries were consulted for privacy information less often than search engines. Study findings support increasing awareness levels of privacy laws by encouraging use of library resources.

Information Seeking

Privacy Literacy

Awareness

Social Security Number

Identity Theft

Law and Society

Legal Education

Library and Information Science

Other Law

Social and Behavioral Sciences

State and Local Government Law

Vulnerability in online social network profiles : a framework for measuring consequences of information disclosure in online social networks

Alim, Sophia

January 2011

The increase in online social network (OSN) usage has led to personal details known as attributes being readily displayed in OSN profiles. This can lead to the profile owners being vulnerable to privacy and social engineering attacks which include identity theft, stalking and re identification by linking. Due to a need to address privacy in OSNs, this thesis presents a framework to quantify the vulnerability of a user's OSN profile. Vulnerability is defined as the likelihood that the personal details displayed on an OSN profile will spread due to the actions of the profile owner and their friends in regards to information disclosure. The vulnerability measure consists of three components. The individual vulnerability is calculated by allocating weights to profile attribute values disclosed and neighbourhood features which may contribute towards the personal vulnerability of the profile user. The relative vulnerability is the collective vulnerability of the profiles' friends. The absolute vulnerability is the overall profile vulnerability which considers the individual and relative vulnerabilities. The first part of the framework details a data retrieval approach to extract MySpace profile data to test the vulnerability algorithm using real cases. The profile structure presented significant extraction problems because of the dynamic nature of the OSN. Issues of the usability of a standard dataset including ethical concerns are discussed. Application of the vulnerability measure on extracted data emphasised how so called 'private profiles' are not immune to vulnerability issues. This is because some profile details can still be displayed on private profiles. The second part of the framework presents the normalisation of the measure, in the context of a formal approach which includes the development of axioms and validation of the measure but with a larger dataset of profiles. The axioms highlight that changes in the presented list of profile attributes, and the attributes' weights in making the profile vulnerable, affect the individual vulnerability of a profile. iii Validation of the measure showed that vulnerability involving OSN profiles does occur and this provides a good basis for other researchers to build on the measure further. The novelty of this vulnerability measure is that it takes into account not just the attributes presented on each individual profile but features of the profiles' neighbourhood.

004

New method for learning decision trees from rules and its illustration for online identity application fraud detection

Abdelhalim, Amany

10 November 2010

A decision tree is a graph or model for representing all the alternatives in a decision making process. Most of the methods that generate decision trees for a specific problem use examples of data instances in the decision tree generation process. We propose a new method called "RBDT-1"- rule based decision tree -for learning a decision tree from a set of decision rules that cover the data instances. RBDT-l method uses a set of declarative rules as an input for generating a decision tree. The method's goal is to create on-demand a short and accurate decision tree from a stable or dynamically changing set of rules. The rules used by RBDT-1 could be generated either by an expert or induced directly from a rule induction method or indirectly by extracting them from a decision tree. We conduct a comparative study of RBDT-1 with four existing decision tree methods based on different problems. The outcome of the study shows that in terms of tree complexity (number of nodes and leaves in the decision tree) RBDT-1 compares favorably to AQDT-1 and AQDT-2 which are methods that create decision trees from rules. RBDT-1 compares favorably also to ID3 while is as effective as C4.5 where both (ID3 and C4.5) are famous methods that generate decision trees from data examples. Experiments show that the classification accuracies of the different decision trees produced by the different methods under comparison are equal. To illustrate how RBDT-1 can successfully be applied to an existing real life problem that could benefit from the method, we choose identity application fraud detection. We designed a new unsupervised framework to detect fraudulent applications for identity certificates by extracting identity patterns from the web, and crossing these patterns with information contained in the application forms in order to detect inconsistencies or anomalies. The outcome of this process is submitted to a decision tree classifier generated using RBDT-1 on the fly from a rule base which is derived from heuristics and expert knowledge, and updated as more information are obtained on fraudulent behavior. We evaluate the proposed framework by collecting real identity information online and generating synthetic fraud cases, achieving encouraging performance results.

identity theft prevention

computer crimes prevention

machine learning

Guidelines for formulating questions to interview applicants of identity documents

Mabasa, Christopher

02 1900

The aim of this research is to investigate guidelines for formulating questions to interview applicants of identity documents, for the use of the Department of Home Affairs (DHA) officials during the interviewing of applicants of identity documents. The research further intends to share and introduce a number of important concepts, namely: Interviewing, Crime Investigation, Information, Identity Docu-ment, Immigration Officer, Department, and Case File. The research will explain the objectives of investigation and guidelines for developing proper questions for use by officials of the DHA, to test information on new applicants of identity documents. The object of the investigation is to obtain information to prove the correct techniques on how to interview appli-cants of identity documents. It further explains that criminal investigation can be defined as the process of discovering, collecting, preparing, identifying and presenting evidence, to deter-mine what happened and who is responsible. Interviewing is defined as the process of gathering testimonial evidence through interviewing, and it has a predetermined objective, namely discovering the truth about the matter under investigation. It is also explained that during guidelines for formulating relevant questions to use to enable the official or immigration officer to formulate test questions that are clearly understood better by DHA. The relevant questions should be formulated by DHA officials, so that the questions get to the heart of the issue. This can enable the official to avoid applicants submitting fraudulent documents which could later result in litigation. The research will assist in decreasing the high rate of corruption, and also litigation, as these represent the main problem of the research. / Criminology and Security Science / M. Tech. (Forensic Investigation)

Interviewing

Crime investigation

Information

Identity document

Questioning

Application

Fraud

Immigration officer

Department

Crime and case files

364.16330968

Identity theft -- South Africa

Fraud investigation -- South Africa

Criminal investigation -- South Africa

Proposition de nouveaux mécanismes de protection contre l'usurpation d'identité pour les fournisseurs de services Internet / Proposal for new protections against identity theft for ISPs

Biri, Aroua

25 February 2011

De plus en plus d’organisations sont informatisées et plus une organisation est grande, plus elle peut être la cible d’attaques via Internet. On note également que les internautes utilisent de plus en plus Internet pour faire des achats sur des sites de commerce électronique, pour se connecter à l’administration en ligne, pour voter de manière électronique, etc. Par ailleurs, certains d’entre eux ont de plus en plus d'équipements électroniques qui peuvent être raccordés à Internet et ce dans divers sites (domicile, voiture, lieu de travail, etc.). Ces équipements forment ce qu’on appelle un réseau personnel qui permet la mise en place de nouvelles applications centrées sur l’internaute. Les fournisseurs de services Internet peuvent ainsi étoffer leurs offres de services en présentant une offre de sécurisation de ce genre de réseau. Selon le rapport du cabinet « Arbor Networks » intitulé « Worldwide Infrastructure Security Report », les menaces identifiées comme les plus sévères sont relatives aux attaques de déni de service distribué. Ce type d’attaque a pour but de rendre indisponible un service en empêchant les utilisateurs légitimes de l'utiliser. Il utilise la technique de l’usurpation d’identité qui consiste en la création de paquets (de type IP, ARP, etc.) avec une adresse source forgée et ce dans le but d’usurper un système informatique ou d’usurper l’identité de l’émetteur. La technique de l’usurpation d’identité permet ainsi de rendre un service indisponible, d’écouter, de corrompre, de bloquer le trafic des internautes ou de nuire au bon fonctionnement des protocoles de routage et des réseaux personnels des clients. De plus, la technique de l’usurpation d’identité est également utilisée pour des activités interdites par la loi « Hadopi » en rigueur en France comme le téléchargement illégal. De ce fait, les fournisseurs de services Internet se doivent de prémunir leurs clients des attaques basées sur la technique de l’usurpation d’identité. Ces dits fournisseurs comptent sur les protocoles de routage qu’ils déroulent pour participer au bon acheminement des données de leurs clients. Cependant, le protocole intra-domaine OSPF et le protocole inter-domaine BGP sont vulnérables aux attaques utilisant la technique de l’usurpation d’identité qui peuvent conduire à l’acheminement des paquets vers des destinataires non légitimes ou au déni de service. Nous proposons donc deux mécanismes dédiés respectivement au protocole intra-domaine OSPF et au protocole inter-domaine BGP. D’une part, afin de protéger les routeurs OSPF contre les attaques utilisant la technique d’usurpation d’identité, nous avons préconisé le stockage de l’identité et du matériel cryptographique dans un coffre-fort électronique que sont les cartes à puce. Les cartes déroulent ensuite un algorithme de dérivation de clés avec les cartes des routeurs voisins ainsi qu’avec celle du routeur désigné. Les clés dérivées entre les cartes à puce servent à signer les messages OSPF et à authentifier le niveau MAC. Nous avons décrit par la suite la plateforme du démonstrateur et les scénarios de tests adoptés pour évaluer les performances de notre prototype et les comparer avec ceux du logiciel Quagga sur la base de trois critères : le temps requis pour traiter une annonce d'état de liens, le temps de convergence ainsi que le temps de re-calcul d’une table de routage après un changement. Ces temps augmentent peu avec l’introduction de la carte à puce implémentant les fonctions de sécurité proposées. Ainsi, cette solution permet de renforcer la sécurité du protocole OSPF avec un impact raisonnable sur les performances. D’autre part, afin de protéger les routeurs BGP contre les attaques utilisant la technique d’usurpation d’identité, nous avons préconisé la « clustérisation » des domaines Internet et la sécurisation des liens entre les clusters ainsi qu’au sein de chacun d’eux grâce aux paradigmes de « web of trust » et de la cryptographie sans certificats […] / More and more organizations are computerized and more an organization is great, plus it can be the target of Internet attacks. Moreover, some of them have a growing number of electronic equipments that can be connected to the Internet from various locations (home, car, workplace, etc.). These devices form a so-called personal area network that allows the development of new applications centered on users. The ISPs can then expand their service offerings by providing a secure supply of such networks. According to the report of the firm “Arbor Networks”, entitled "Worldwide Infrastructure Security Report ", the most severe threats are related to distributed denial of service. This type of attack aims to make available a service by preventing legitimate users from using it. It uses the technique of identity theft that involves the creation of packages (like IP, ARP, etc.) with a forged source address and that in order to usurp the Identity of the issuer or of the computer system. Thus, the technique of identity theft allows to render a service unavailable, to listen, to corrupt, to block traffic from Internet users or to undermine the legitimate operation of routing protocols and personal networks. Moreover, the technique of identity theft is also used for prohibited activities by "HADOPI" law in France and related to illegal downloading issues. Thus, the ISPs have a duty to protect their customers from attacks based on the technique of identity theft. The mechanisms of protection against spoofing attacks for access networks are crucial for customer adoption of new applications offered by Internet service providers. This part of the doctoral thesis is part of the European project “MAGNET Beyond" whose vision is to put into practice the concept of personal networks, with the ultimate objective to design, develop, prototype and validate the concept. In the context of user equipment’s access to the network of an Internet services provider from a public place, we proposed a cross-layer protocol based on the principles of information theory. This protocol fixes the security hole not addressed by other proposals that is the attack of identity theft that occurs at the beginning of communication and thus protects users against the middle man attacks. We proposed that the person who wants to have secure access to the Internet must be on a specific circle has been called "RED POINT" so that the attacker is not able to be on the same circle at the same time. The proposed cross-layer protocol can be divided into three phases: the phase of checking the position of the user, the extraction phase of the shared secret of the physical layer and the phase of the derivation of the shared key at the MAC layer. We subsequently validated our solution through a formal tool AVISPA and presented the results of its implementation. In a private context, communication between devices convey users' personal data which may be confidential, so we must prevent equipment not belonging to the legitimate user to access its network. Thus, we proposed two mechanisms of protection against attacks based on spoofing so that illegitimate equipment is unable to impersonate legitimate equipment. The first phase will be dedicated to personal networks and the second will be dedicated to the particular case of medical networks. Regarding the mechanism dedicated to personal networks, we have proposed the use of a protocol based on out-of-band channel in order to provide certificates to user equipments. We derive bilateral key for personal network’s equipments of the same site and between equipments at remote sites. Concerning the particular case of medical networks, we proposed to cover their deployment phases and their operational phases. This proposal was submitted to the IEEE 802.15.6 working group that conducts research for the standardization of medical networks […]

Usurpation d'identité

Fournisseurs de services Internet

Protocoles de routage

DNSSEC

Mécanismes d'appairage

Cryptographie

Hotspots

Canaux hors bande

Identity theft

ISP

Routing protocols

DNSSEC

Peering mechanisms

Cryptography

Hotspots

Out-of-band channels