Friday 30 January 2015

Secure Convenient Internet Banking utilizing biometrics

Introduction

Customers expect biometric authentication for services today. You only have to look at Apple Pay to understand that this is indeed the case.
In my view the cornerstone of Apple Pay can be described by three facts.
  1. It is simple. This might not be obvious at first glance, but if you compare the solution to similar solutions for mobile payments, and especially if you look beyond the surface, it becomes obvious.
  2. It is convenient. Using biometrics for user authentication allows a smooth and convenient authentication. This also allows authentication to be performed in all purchase situations, while other solutions have been required to make a split where low value payments are done with no user authentication in order to be perceived as convenient.
  3. It is secure. "Secure" is a dangerous word to use, since nothing is absolutely secure and anything usable will have to make compromises relative to a security utopia. The solution is arguably more secure than any other solution deployed in the market.
In this discussion I will use these factors as discussion points for the solution.

So what are you talking about?

This is the solution.

Basically you get access to a full service Internet bank with your fingerprint, and we are talking really full service banking. Among the services:
  • Payments to any domestic or foreign recipient.
  • Order new or replacement cards.
  • Retrieve PIN codes for your cards on the screen.
  • Stock portfolio management.
And a lot of other high security services. And this is for real and not some kind of mock-up; it's about real money and a solution for a real bank. (I know, I made it and have the scars to show for it.)

Evaluation

Convenience

The convenience is superb: to be granted access the only thing you have to remember or present is your fingerprint, and that's it. For high risk transactions performed after login the same applies; you will be queried for your fingerprint to authorize the transaction. No more and no less.


Security

The big question of course would be whether this is secure, and the answer is yes, this is very secure. With all solutions there are new and different risks; arguably one risk with this solution is the risk of somebody misusing your biometrics. This is a valid case, where somebody could have been incapacitated and the biometrics are used without the person's consent or even knowledge.
Such new threats need to be evaluated against other threats which such a solution eliminates.
  • Access is not possible without this particular device and the account holder. It cannot be performed remotely by somebody on a different continent while you are asleep at night.
  • Arguably the biggest threat to your finances, as far as fraud goes today, is located at your desk and is called your PC. The platform used here is immensely stronger and more resilient to attacks.
  • Nobody remembers passwords, except for the really bad ones like "123456" or "password". Almost everybody has their credentials, which are normally weak, on their phone anyway. So lose control of or lose your phone and you are already at a really big risk of misuse or fraud. This solution addresses this by requiring not only your phone but also your biometrics.
At the end of the day, unless you are afraid of being subjected to a rape drug for the purpose of financial robbery, you are far better off with this solution than any alternative solution.

Platform support

Currently the only platform this is implemented on is iOS. It is conceivable to implement a similar solution on a few selected Android phones. Actually I have prototyped an identical solution on a Samsung S5, however there are some quite big challenges.
The biggest challenge is that the TEE and the key repository are not documented in a convincing manner. Remember, if you are going to launch something like this you need to be very sure about every aspect of the platform security. Unfortunately this is not there on the Android side at the moment.
Secondly, the fragmentation of Android, which extends to the point where no common biometric API exists, is a really big show stopper.

The Big Picture

So this is really great, right? Simple, really; anybody could do this. Yes, a lot of people could and probably will make similar solutions; some will be great, secure solutions while others will look great but will be disasters waiting to happen.

The Devil

Like most solutions the difference is in the details, and this is also where the devil hides. Biometrics are great for authenticating the user locally on the phone. Translating this fact in a reliable manner to the back end systems is the task which separates the men from the boys, so to speak.
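The point above is easiest to see in code. The following is an added example, not code from the original post or from the bank's product, and it assumes a design the post does not describe: each phone is enrolled with a per-device secret and the back end does an HMAC challenge-response over it. A production design would keep an asymmetric key inside the phone's secure hardware, release its use only after the biometric match, and have the server verify a signature; the protocol shape (fresh nonce, bound to the transaction, single use) is the same. The naive variant, where the app simply tells the server "biometric OK", is shown beside it to make clear why it proves nothing.

```python
"""Added example (not from the original post): conveying a local biometric
match to the back end as a device-bound, single-use authorization.

Assumptions, not from the post: per-device HMAC secrets provisioned at
enrollment; a real deployment would use hardware-held asymmetric keys.
"""
import hashlib
import hmac
import secrets
import time


def naive_verify(message):
    """The anti-pattern: believe a flag the client sends. Any HTTP client can
    set it, so it proves nothing about fingerprints or devices."""
    return bool(message.get("biometric_ok"))


def authorization_tag(key, device_id, nonce, tx):
    """Tag binding device, challenge and the exact transaction text together."""
    msg = b"\x00".join(s.encode("utf-8") for s in (device_id, nonce, tx))
    return hmac.new(key, msg, hashlib.sha256).digest()


def device_authorize(key, device_id, nonce, tx, biometric_match):
    """Phone side. The key is only usable after the local biometric check
    (simulated by the flag); the biometric itself never leaves the phone."""
    if not biometric_match:
        return None
    return authorization_tag(key, device_id, nonce, tx)


class BankServer:
    CHALLENGE_TTL = 60  # seconds a challenge stays valid

    def __init__(self, clock=time.time):
        self.clock = clock
        self.device_keys = {}  # device_id -> key provisioned at enrollment
        self.pending = {}      # nonce -> (device_id, tx, expires_at)

    def enroll(self, device_id, key):
        self.device_keys[device_id] = key

    def issue_challenge(self, device_id, tx):
        """Issue a fresh nonce tied to this device and this transaction."""
        if device_id not in self.device_keys:
            raise KeyError("unknown device")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, tx, self.clock() + self.CHALLENGE_TTL)
        return nonce

    def verify(self, device_id, nonce, tx, tag):
        """Accept only a tag over an outstanding, unexpired challenge for the
        same device and the same transaction; a nonce is consumed on first use,
        so a replayed or tampered authorization fails."""
        entry = self.pending.pop(nonce, None)
        if entry is None or tag is None:
            return False  # unknown/used nonce, or the phone refused to sign
        exp_device, exp_tx, expires_at = entry
        if exp_device != device_id or exp_tx != tx or self.clock() > expires_at:
            return False
        expected = authorization_tag(self.device_keys[device_id], device_id, nonce, tx)
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    server = BankServer()
    key = secrets.token_bytes(32)  # constructed enrollment secret
    server.enroll("phone-1", key)
    tx = "pay 100 NOK to 1234.56.78903"  # constructed transaction text
    nonce = server.issue_challenge("phone-1", tx)
    tag = device_authorize(key, "phone-1", nonce, tx, biometric_match=True)
    print("valid:", server.verify("phone-1", nonce, tx, tag))
    print("replay:", server.verify("phone-1", nonce, tx, tag))
    print("forged flag accepted by naive check:", naive_verify({"biometric_ok": True}))
```

The server never learns anything about the fingerprint; it only learns that the enrolled device, with its key unlocked, was present for this exact transaction within the last minute. Every accepted authorization consumes its nonce, which is what turns "the user touched the sensor" into something the back end can rely on.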


Signing off

I will probably expand this material with more details when time permits. In the meantime feel free to get in touch with me if you would like to discuss. Some things I can share, while other aspects will have to remain a business secret.

Saturday 21 June 2014

Targeting wearables

This is general for any wearable but it absolutely applies to glasses. The important thing is to realise how limited your information display is, how limited the navigation is and how intimate you are with the user.
So you will have short context switch time, limited interaction time and very limited drill down opportunities.

This is a challenge for anybody targeting these devices and it is a very big challenge for any business model which includes advertising. I guess we are facing something similar to the early days of mobile services; granted, the displays are not as bad as they used to be and the bandwidth is something altogether different.
However, relative to the user's main device I think a lot of the similarities still hold true and we will have to think quite differently when developing for these devices. The exciting thing is that, like all disruptive changes, it places all incumbents at a disadvantage while opening the floor to new creative players. Just think about Google and Apple vs Microsoft back in the day.

Tuesday 17 June 2014

European Launch ?

Google IO would be an educated guess

As some of you may have understood, Google has lately been having major problems with its Glass updates. This has made them issue a lot of replacements to customers within warranty, which has led to glasses with CE markings appearing as replacements.



An educated guess would be that this huge requirement for replacement glasses has made Google dip into a stockpile which was not intended to be public just yet.
The big question of course is whether the Explorer program is expanding to Europe or if this is also a commercial launch for a bigger market.

My belief is that it's probably an expansion of the Explorer program for now. Google may have some really improved glasses more suitable for the mass market which may be launched later this year. At least my opinion is that the current models are not ready for mass adoption yet.


Monday 16 June 2014

Glasses real world usability

Wearing glasses 


As I have indicated in an earlier post, a lot of the material you will find about glasses consists of artistic impressions of what people believe Google Glass could be or should be.
This will give you a fairly objective impression of how it is to wear glasses.

Do notice that it's not quite as portrayed, since your field of vision is different when wearing the glasses compared to watching this on your screen. You will need to move your eyeball and focus on the Glass projection if you would like to view details of what the Glass is displaying, thus losing focus on the rest of your field of vision while doing it.

You may choose to attack this problem in two ways.
  • By structuring your use cases in such a way that it's convenient and useful to refocus for a brief second.
  • By structuring the display and information in such a way that you can cope with using your peripheral field of vision.
Putting aside the current restriction of looking like something in between the Terminator and The Big Bang Theory, the following use cases seem to be useful for glasses.

Please notice that I do not believe much of this will happen at any large scale with the current generation of glasses, but I do believe it will happen with the next generations based on this technology.

By the way, what about banking and financial services? Well, nobody will spend 1 cent on something to do these services. People will get the device for other reasons and then we will need to figure out how to use what they bought for other reasons.

Customer Service   


The desk and the tablet/computer are something that produces a distance between a customer and a representative. By removing this it is conceivable to have a better and more open dialogue; of course this might go the wrong way if the customer gets hung up on and suspicious about the glasses. This can be remedied by being very clear about when and for what they are used during the conversation.

Remember the device has a camera which can scan items like QR codes or even complete pages.

Hands Free Operations




Any scenario where you really need both of your hands for something else and you do not have space for an elaborate setup with a mounted tablet. I guess there are countless opportunities.

Any service requiring remote assistance

 

Here the sky is the limit. By using the camera somebody else may see what you are seeing, by using the display visual instructions may be provided, and by using the sound device oral instructions or help may be offered.



Bricked by google update

Bricked by Update ?

This seems to happen a lot, I'm afraid. The symptoms are:
  • You try to start your glasses and you are stuck on the Glass logo.
  • The device is producing a significant amount of heat.

First rule


First of all, don't panic. I panicked and it probably cost me some extra effort.

Second rule

Your next step will depend on where you are and what you have planned. You should probably contact Google, but be aware that you will probably be sucked into answering a lot of irrelevant questions, waiting for replies and then answering a lot of the same or quite similar questions.

They are quite good at convincing you to believe in their confidence in resolving your problem no matter your deadline, even if they don't have the foggiest idea about what your problem is and even less about how to fix it. I guess there is some kind of positive-emphasis customer support training at work.

If your geographic location or schedule permits it, you should insist on a replacement if you are still within warranty.

So secondly, don't trust Google support; define your own point of no return where you will go off the reservation in pursuit of anything that works.
Keep track of other users experiencing the same problem and whether they are able to pin it down to a recent upgrade, even if you cannot be sure yourself. Your glasses will auto update at the strangest points in time, and unless you are actively wearing them you will never know.

Being in Europe with an important meeting to demonstrate the glasses, getting a replacement was not an option for me, and after 3 days of being led around in the desert by Google support I had to take drastic action.

Going off the reservation

So what next?

First of all: this will void your warranty and make your life with Google support difficult. So consider carefully whether you are willing to proceed, and if you do so, do it 100% at your own risk and peril.

Start by checking that you are able to connect to the device using adb and retrieve the system logs:
adb shell logcat > log.txt

Google may love you for these when determining their problem.
If you do not get the logs I'm not sure whether you should proceed, since this might indicate that you have a different problem.

Preparations

  • Charge your device to a sound level.
  • Be aware that it does not charge very well for very long in this state due to the heat it develops. I solved this by having a paper towel and ice water. Tear off a piece, put it in the water and press most of the water out. Be aware of the buttons, microphone and track pad. Replace it when you can feel it getting dry.
  • Monitor the charging light; once you observe it getting dull, turn the device off and let it rest for half an hour.
  • You can expect to spend more than 3 hours doing this.

Prepare your computer: use a computer you know to work. Never, ever use a Mac; using a Mac that I knew to work cost me two days.

Execution

  • Get the system images located at Google.
  • After booting in fastboot mode execute:
    fastboot oem unlock
  • Follow the procedure described on that page for "to flash Glass back to factory specifications".
  • Do not panic if you are not able to flash the restore image.
That should do the trick. Do not panic when starting the device again; the first start up after this will take some time (in the order of a few minutes).
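Since an unlocked bootloader plus a bad image is the one combination you cannot talk your way out of, here is an added helper around the steps above. It is not code from the original post; it assumes adb and fastboot are on PATH, that the factory image files and their SHA-256 digests are taken by you from Google's download page (the EXPECTED table holds placeholders, not real digests), and it stops before the actual flashing, which the post defers to Google's page. It saves the logs first, because on Android in general `fastboot oem unlock` wipes user data, and it refuses to unlock unless every image verifies.

```python
"""Added example, not part of the original post: guard rails around the Glass
recovery steps (save logs, verify images, only then unlock the bootloader).

Assumptions: adb and fastboot on PATH; image names and SHA-256 values supplied
by the caller from Google's download page (placeholders below).
"""
import hashlib
import hmac
import re
import subprocess
import sys
import tempfile
from pathlib import Path

ADB_DEVICE_LINE = re.compile(r"^(\S+)\s+(device|unauthorized|offline|recovery)$")

# Placeholder file names and digests; replace with the values from the download page.
EXPECTED = {"boot.img": "<sha256 from download page>",
            "system.img": "<sha256 from download page>"}


def parse_adb_devices(output):
    """Map serial -> state from `adb devices` output. Only 'device' means adb can
    talk to it; 'unauthorized' means the USB debugging prompt was never accepted,
    which you cannot fix on a unit stuck at the logo."""
    states = {}
    for line in output.splitlines():
        m = ADB_DEVICE_LINE.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """True only if the file exists and its SHA-256 matches the published digest."""
    path = Path(path)
    if not path.is_file():
        return False
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def write_temp_image(data):
    """Helper for exercising verify_image without real images: bytes -> temp file."""
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".img")
    tmp.write(data)
    tmp.close()
    return Path(tmp.name)


def capture_logs(serial, out_path):
    # `logcat -d` dumps the current buffer and exits; plain `logcat` streams forever.
    with open(out_path, "wb") as f:
        subprocess.run(["adb", "-s", serial, "logcat", "-d"], stdout=f, check=True)


def main(image_dir, expected=EXPECTED):
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True).stdout
    usable = [s for s, st in parse_adb_devices(out).items() if st == "device"]
    if not usable:
        print("no usable device in `adb devices`; fix cable/driver/authorization first")
        return 1
    serial = usable[0]
    capture_logs(serial, "log.txt")  # before unlocking: oem unlock wipes user data
    for name, digest in expected.items():
        if not verify_image(Path(image_dir) / name, digest):
            print(f"{name}: missing or SHA-256 mismatch, not unlocking")
            return 1
    subprocess.run(["adb", "-s", serial, "reboot", "bootloader"], check=True)
    subprocess.run(["fastboot", "oem", "unlock"], check=True)
    print("Bootloader unlocked; continue with Google's flashing steps using the verified images.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the directory holding the downloaded images as its argument once EXPECTED has the real digests; the parse and verify functions can be tried on their own without a device attached.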

Developing with Glass

Introduction

Once you have finished playing with the glasses and showing off to your friends, you will probably want to start developing for them. Hopefully these entries will help you.

We have no stinking glasses


To get started with the Mirror API you don't need glasses, stinking or not. It is possible to simulate the behavior using the Mirror playground. Be warned: in my experience it's not completely identical, but close enough for you to play around with.

Looking through the Mirror

The first and probably recommended way of doing development for Glass is using the Mirror API. Good books are scarce and, to be quite honest, not worth it unless you are deeply unfamiliar with Java development and really interested in learning about Google's hosted App Engine (appspot).
Sadly the documentation provided by Google falls short in some of the same areas. So here is how I chose to solve this for prototyping.

First of all, follow the procedure described here to set up a new application and retrieve an access token.

Add your client ID and client secret to the following or similar program. It runs the OAuth 2.0 installed-application flow: it prints an authorization URL, you approve the requested scopes in a browser, paste the resulting code back, and the program exchanges it for an access token and a refresh token.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;

public class GenCredentials {
    // Values from the Google Developers Console. Keep the secret out of version control.
    private static final String CLIENT_ID = "<INSERT YOUR CLIENT ID>";
    private static final String CLIENT_SECRET = "<INSERT YOUR CLIENT SECRET>";

    // Out-of-band redirect: Google displays the authorization code in the browser
    // instead of redirecting to a web server, so it can be pasted into this program.
    private static final String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";

    public static void main(String[] args) {
        try {
            HttpTransport httpTransport = new NetHttpTransport();
            JsonFactory jsonFactory = new JacksonFactory();
            List<String> scopes = Arrays.asList(
                    "https://www.googleapis.com/auth/userinfo.profile",
                    "https://www.googleapis.com/auth/glass.timeline",
                    "https://www.googleapis.com/auth/glass.location");

            // "offline" access is what makes Google return a refresh token. With
            // approval prompt "auto" it is only returned the first time the user
            // approves; use "force" if you need a new one later.
            GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
                    httpTransport, jsonFactory, CLIENT_ID, CLIENT_SECRET, scopes)
                    .setAccessType("offline")
                    .setApprovalPrompt("auto")
                    .build();

            String url = flow.newAuthorizationUrl().setRedirectUri(REDIRECT_URI).build();
            System.out.println("Please open the following URL in your browser then type the authorization code:");
            System.out.println("  " + url);
            BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
            String code = br.readLine();

            // Exchange the one-time authorization code for tokens.
            GoogleTokenResponse response =
                    flow.newTokenRequest(code).setRedirectUri(REDIRECT_URI).execute();
            System.out.println(response.getAccessToken());
            System.out.println(response.getRefreshToken());
            System.out.println(response.getExpiresInSeconds());
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Save the access token, refresh token and token expiry in the way and manner of your own choosing. Treat the refresh token like a password: it grants long-lived access to the user's timeline, so keep it out of source control and logs.

Add them to a program similar to this (paste the values, read them from a file, or retrieve them in whatever manner you choose; for anything beyond a throwaway prototype, read them from outside the source tree).

import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedList;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.InputStreamContent;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.mirror.Mirror;
import com.google.api.services.mirror.model.MenuItem;
import com.google.api.services.mirror.model.NotificationConfig;
import com.google.api.services.mirror.model.TimelineItem;

public class InsertTimeLine {

    /**
     * Insert a new timeline item in the user's glass with an optional
     * notification and attachment.
     *
     * @param service Authorized Mirror service.
     * @param text timeline item's text.
     * @param contentType Optional attachment's content type (supported content
     *        types are "image/*", "video/*" and "audio/*").
     * @param attachment Optional attachment stream.
     * @param notificationLevel Optional notification level, supported values are
     *        {@code null} and "AUDIO_ONLY".
     * @return Inserted timeline item on success, {@code null} otherwise.
     */
    public static TimelineItem insertTimelineItem(Mirror service, String text, String contentType,
            InputStream attachment, String notificationLevel) {
        TimelineItem timelineItem = new TimelineItem();
        timelineItem.setText(text);
        if (notificationLevel != null && notificationLevel.length() > 0) {
            timelineItem.setNotification(new NotificationConfig().setLevel(notificationLevel));
        }
        try {
            if (contentType != null && contentType.length() > 0 && attachment != null) {
                // Insert both metadata and attachment.
                InputStreamContent mediaContent = new InputStreamContent(contentType, attachment);
                return service.timeline().insert(timelineItem, mediaContent).execute();
            } else {
                // Insert metadata only.
                return service.timeline().insert(timelineItem).execute();
            }
        } catch (IOException e) {
            System.err.println("An error occurred: " + e);
            return null;
        }
    }

    public static void main(String[] args) {
        try {
            // Values printed by GenCredentials. The refresh token grants long-lived
            // access to the user's timeline: keep it out of source control.
            String clientId = "<INSERT YOUR CLIENT ID>";
            String clientSecret = "<INSERT YOUR CLIENT SECRET>";
            String accessToken = "<YOUR ACCESS TOKEN GOES HERE>";
            String refreshToken = "<YOUR REFRESH TOKEN GOES HERE>";
            Long expiresInSeconds = 3600L;

            HttpTransport httpTransport = new NetHttpTransport();
            JsonFactory jsonFactory = new JacksonFactory();

            // With client secrets and a refresh token set, the credential refreshes
            // the access token by itself when it expires; no separate authorization
            // flow or credential store is needed for this one-shot program.
            GoogleCredential credential = new GoogleCredential.Builder()
                    .setJsonFactory(jsonFactory)
                    .setTransport(httpTransport)
                    .setClientSecrets(clientId, clientSecret)
                    .build();
            credential.setAccessToken(accessToken);
            credential.setRefreshToken(refreshToken);
            credential.setExpiresInSeconds(expiresInSeconds);

            Mirror mirror = new Mirror.Builder(httpTransport, jsonFactory, credential)
                    .setApplicationName("GlassPlayGround")
                    .build();

            TimelineItem bloomItem = new TimelineItem();
            bloomItem.setText("HABA NADA");
            bloomItem.setTitle("NADA HABA");
            bloomItem.setHtml("<YOUR HTML GOES HERE>");
            bloomItem.setNotification(new NotificationConfig().setLevel("AUDIO_ONLY"));

            // Menu items appear when the user taps the card; the action decides
            // what Glass does with the payload.
            LinkedList<MenuItem> menuList = new LinkedList<MenuItem>();

            MenuItem playBloom = new MenuItem();
            playBloom.setAction("PLAY_VIDEO");
            playBloom.setId("12345");
            playBloom.setPayload("<YOUR STREAM SOURCE GOES HERE>");
            menuList.addFirst(playBloom);

            MenuItem openStock = new MenuItem();
            openStock.setAction("OPEN_URI");
            openStock.setId("1111");
            openStock.setPayload("<WEB PAGE 1 GOES HERE>");
            menuList.addLast(openStock);

            MenuItem openDnb = new MenuItem();
            openDnb.setAction("OPEN_URI");
            openDnb.setId("9999");
            openDnb.setPayload("<SECOND WEB PAGE GOES HERE>");
            menuList.addLast(openDnb);

            MenuItem deleteItem = new MenuItem();
            deleteItem.setAction("DELETE");
            deleteItem.setId("54321");
            deleteItem.setPayload("Go Away");
            menuList.addLast(deleteItem);

            bloomItem.setMenuItems(menuList);
            TimelineItem ret = mirror.timeline().insert(bloomItem).execute();
            System.out.println(ret);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}


For dependencies (please notice that some of these may not be needed; remove and test at your own pleasure). Keep the google-http-client and google-oauth-client versions in step with the google-api-client version you use; declaring an older version explicitly, as below, can make Maven resolve a mismatched set of client libraries.

    <dependency>
        <groupId>commons-lang</groupId>
        <artifactId>commons-lang</artifactId>
        <version>2.4</version>
    </dependency>

    <dependency>
        <groupId>com.google.api-client</groupId>
        <artifactId>google-api-client</artifactId>
        <version>1.18.0-rc</version>
    </dependency>

    <dependency>
        <groupId>com.google.http-client</groupId>
        <artifactId>google-http-client-jackson2</artifactId>
        <version>1.15.0-rc</version>
    </dependency>

    <dependency>
        <groupId>com.google.apis</groupId>
        <artifactId>google-api-services-mirror</artifactId>
        <version>v1-rev50-1.18.0-rc</version>
    </dependency>

    <dependency>
        <groupId>com.google.api-client</groupId>
        <artifactId>google-api-client-extensions</artifactId>
        <version>1.6.0-beta</version>
    </dependency>

    <dependency>
        <groupId>com.google.http-client</groupId>
        <artifactId>google-http-client</artifactId>
        <version>1.16.0-rc</version>
    </dependency>

    <dependency>
        <groupId>com.google.oauth-client</groupId>
        <artifactId>google-oauth-client</artifactId>
        <version>1.18.0-rc</version>
    </dependency>


That's it. You are now ready to explore the Mirror API in a simple and understandable manner. All things being said and done, the Mirror API gives you the opportunity to send notifications to the Glass. They may be fancy, multimedia notifications, but that is still what you get. In other words this is suitable for push scenarios where some event happens and is pushed to the user's Glass.

Pushing information can in many ways be compared to pushing commercials, but with the important distinction that the user has an opt out. Too much information, or even a fairly small amount of irrelevant information, will cause the user to opt out on a device as intimate as the Glass, a phone or any wearable device at all.
So if you are going to use this commercially you either must be 100% certain of the relevance of your push, or you need to make it really easy for the user to control and filter the notification feature.

Neither of these approaches is a walk in the park, but neither is impossible.

To be fair, the "push only" description is not completely true: it is possible to pin a card, which means it will stay early on in the timeline, thus making it not really a timeline. The content of a card might be on-demand video, or HTML pointing to a web page or service for content. So it is possible to get some kind of pull behavior using the Mirror API as well.

Going native with the gdk

This is probably a misnomer, since development will be done in Java, which for most cases can arguably be seen as less native than most other languages.
However, by using the GDK you will make an application which very specifically targets the Glass, using its advantages and avoiding its pitfalls.
The actual development is quite similar to general purpose Android development, keeping the statements above in mind. If you are completely new to Android development the best advice would be not to try to do any Glass development yet. Do a stint of general purpose Android development beyond hello world and come back after you have done that. It is much easier to play with your Android phone first. If you don't have an Android phone but a cheap cut-rate tablet, it's not going to be useful for much else, but it will be more than sufficient for Android programming 101. If you are not willing to even go that far you will be able to use the emulator provided with the SDK.

Setting up the environment

As a knowledgeable Android programmer you have already set up the Android SDK with your favourite development environment. The first thing to do is to make sure that it's up to date; the GDK is pretty new, so an older SDK will not support it.
Be aware that at this point you really need glasses, stinking or otherwise; there is currently no emulator support for Glass.

Make an Android project and be sure to target Glass and the appropriate version of Android only.
For those of you using Eclipse this is what you would be looking for.

    • Minimum and Target SDK Versions: 19 (There is only one Glass version, so minimum and target SDK are the same.)
    • Compile with: Glass Development Kit Developer Preview
    • Theme: None (ADT and Android Studio usually assign a theme automatically, even if you specify no theme, so remove the android:theme property from your manifest after creating a project.)

Starting the development

The Google docs have some great starters. I'll be back with more information once I have had time to do more within this area.

Going Glassy

Introduction


Last Tuesday I got my hands on Google Glass; this journal is about going glassy.



First Impressions

My first impression was a bit of a disappointment. I guess I had an idea of falling down the rabbit hole and into a completely new world when putting them on. Not quite; for one thing it really takes some time getting used to looking *that* geeky, and being a software developer I'm kind of used to a lot of geeky stuff.

Secondly, I had this idea of filling my complete field of vision with information from the glasses; again not so. What you get is a small screen above your right eye which you need to focus on to get the information from the screen.

After recovering from the first impressions and after getting a little more familiar with the device, I think I can summarize my experience as:

  • This is not a commercial product. This is really iPhone -2, if you get my drift. I believe it will have a great impact, but not in its current version.
  • It's clumsy to wear; not uncomfortable, but it will need to be a bit more discreet.
  • Battery lifetime is too low. No chance of lasting a day with normal usage.
  • The visualization needs to be better. Preferably giving a complete HUD experience, or perhaps not; I find myself more and more in doubt whether a HUD is preferable or not.
So it definitely has a lot of potential, but it's not there yet, which is ok with me since my intended usage is about figuring out the opportunities and limitations in a longer perspective.

In all fairness, once you use it for some time you will get used to it and you will appreciate the idea of going on with your normal business and shifting your focus to the upper right field of vision when you would like to interact with the glasses.
Probably most of this was a result of artistic freedom (see below), and therefore getting rid of preconceived ideas and opening up to the true potential took some time.

Beware of Artistic Freedom

I guess that you have seen a lot of truly amazing stuff being shown on YouTube or other venues being done with glasses. I'm afraid that a lot of these suffer from a large extent of artistic freedom and have been made by people who have never seen or used glasses, or who, if they have, desired to make something with glasses as they imagined them to be.

If you are considering doing something in this field your best bet would be to contact somebody with glasses who has no interest in selling you a lot of pricey services to tap their brain. Even better would be to arrange to use the glasses yourself, even for a few minutes, since this will give you a fair idea of what's bogus and what's for real here.

Make no mistake: you can do absolutely amazing stuff and provide fantastic value in many fields using this technology, but in most cases it will not be the stuff you find on YouTube.