Brian Bloom is a staff writer at ComputerWorld Canada. You can find him on Google+. He covers enterprise hardware and software, information architecture and security topics.
Protecting financial information and using innovative single sign-on technologies were among the topics explored in depth at a security conference hosted by Sentry Metrics Inc. in Toronto on Thursday.
Bashir Fancy, managing director of Corporate Solutions and Services Inc. and special advisor on business risk to Grant and Thornton LLP, spoke about the perils of outsourcing in the payment card industry. A critical step in outsourcing payment card-related work is drafting a detailed and coherent agreement, he said, demarcating exactly where responsibilities lie.
“A lot of things have been outsourced,” he said, “and the agreements don’t actually speak to some of the challenges, and who is going to monitor them, and what they’re on the hook for.”
Ultimately, it is up to companies to do proper due diligence on the companies they deal with, Fancy said. Quite often, he noted, outsourcing doesn't confer any particular advantage to the contracting company other than lowering its costs. This can lead to problems.
“You can outsource as much as you want. But you don’t outsource responsibility,” he said.
There are plenty of unscrupulous organizations around the world that have much different views on what are acceptable business — or political — practices, he said, giving the example of a country he declined to name that was uncomfortable with BlackBerry’s strong encryption. As a workaround, someone arranged for a kind of malware to be installed via a device update from a wireless provider.
“I would assume the government was behind it,” Fancy said.
In another presentation, Guillaume Turbide, vice-president of business development at Verimetrics Inc., a Sentry Metrics partner, spoke about single sign-on technologies. His company has developed both a fingerprint reader and a smart-chip card with a PIN to address the myriad problems caused by employees juggling multiple passwords.
The fingerprint scanners have been installed at a hospital in Trois-Rivières, Quebec, with 3000 employees initially set up to use the technology, he said. “I think today it’s more than 4000,” Turbide added.
Asked about the privacy implications of an organization asking (or compelling) its employees to submit to fingerprinting, Turbide said there are legally binding restrictions on biometric data in Quebec that prevented abuses from occurring.
“If an employee in the organization, whether it is a hospital or a shop or store, doesn’t want to get his fingerprint, well, the organization cannot force this person.”
He recalled that two doctors at the Trois-Rivières hospital had initially refused to have their fingerprints taken, despite being reassured that it was quite different than traditional ink fingerprinting.
“What we keep in the database is a mathematical representation of your fingerprint,” he said. “So it’s zeros and ones.”
“It’s called minutiae,” explained Dave Millier, CEO of Sentry Metrics. “[You] take a number of minutiae points. You’re not actually taking a picture of the fingerprint itself. You’re actually identifying those minutiae points.”
“It would be impossible with the data we keep to re-create the real image,” added Turbide. “And you need to understand that it is not the same solution you use for criminal identification.”
The biometric information would also be unusable for legal purposes, Millier and Turbide said.
“The police couldn’t come and ask for the fingerprint, for example,” said Millier. And in court, fingerprint minutiae would not be acceptable as a substitute for the traditional 10-finger fingerprinting used by law enforcement agencies, Turbide said.
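To make the minutiae idea concrete, here is an added illustration, not code from Verimetrics or Sentry Metrics: an enrolled template is stored only as a short list of ridge features (position, ridge direction, feature type), and verification pairs a fresh scan's minutiae against that list within a tolerance. The minutiae coordinates, the tolerances and the acceptance threshold are all constructed or assumed values chosen for the example; a production matcher would also handle rotation and partial overlap, which this one does not attempt.

```python
from dataclasses import dataclass
from math import hypot
from typing import List

# A minutia is a ridge ending or bifurcation, kept as its position, the
# ridge direction in degrees and its type. No pixel data is stored.
@dataclass(frozen=True)
class Minutia:
    x: int
    y: int
    angle: int   # ridge direction, 0-359 degrees
    kind: str    # "ending" or "bifurcation"

# Assumed matcher settings (not the vendor's real parameters).
DIST_TOL = 8           # pixels a probe point may drift from the enrolled point
ANGLE_TOL = 15         # degrees of ridge-direction drift tolerated
MATCH_THRESHOLD = 12   # paired minutiae required to accept the probe


def angle_diff(a: int, b: int) -> int:
    """Smallest difference between two directions on a 360-degree circle."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def paired_minutiae(template: List[Minutia], probe: List[Minutia]) -> int:
    """Greedy one-to-one pairing of probe minutiae to enrolled minutiae.

    A probe point pairs with the nearest unused enrolled point of the same
    type that lies within DIST_TOL pixels and ANGLE_TOL degrees.
    Returns the number of pairs found.
    """
    unused = list(template)
    pairs = 0
    for p in probe:
        best, best_d = None, None
        for t in unused:
            if t.kind != p.kind:
                continue
            d = hypot(t.x - p.x, t.y - p.y)
            if d <= DIST_TOL and angle_diff(t.angle, p.angle) <= ANGLE_TOL:
                if best is None or d < best_d:
                    best, best_d = t, d
        if best is not None:
            unused.remove(best)   # each enrolled point may pair only once
            pairs += 1
    return pairs


def verify(template: List[Minutia], probe: List[Minutia],
           threshold: int = MATCH_THRESHOLD) -> bool:
    """Accept the probe when enough minutiae pair with the enrolled template."""
    return paired_minutiae(template, probe) >= threshold


# Constructed enrolled template: 14 minutiae laid out on a 50-pixel grid.
ENROLLED = [
    Minutia(20 + 50 * (i % 4), 20 + 50 * (i // 4), (37 * i) % 360,
            "ending" if i % 3 else "bifurcation")
    for i in range(14)
]

# Constructed genuine probe: same finger, slightly shifted and rotated
# ridge directions, as a second scan of the same finger would be.
GENUINE_PROBE = [
    Minutia(m.x + 2, m.y - 3, (m.angle + 5) % 360, m.kind) for m in ENROLLED
]

# Constructed impostor probe: different minutiae positions (25-pixel offset
# puts every point well outside DIST_TOL of any enrolled point).
IMPOSTOR_PROBE = [
    Minutia(m.x + 25, m.y + 25, m.angle, m.kind) for m in ENROLLED
]

if __name__ == "__main__":
    print("stored template fields per minutia:", len(ENROLLED[0].__dict__))
    print("genuine pairs:", paired_minutiae(ENROLLED, GENUINE_PROBE),
          "accepted:", verify(ENROLLED, GENUINE_PROBE))
    print("impostor pairs:", paired_minutiae(ENROLLED, IMPOSTOR_PROBE),
          "accepted:", verify(ENROLLED, IMPOSTOR_PROBE))
```

The point of the layout is what the database holds: fourteen four-field records rather than an image. Whether such a template can be turned back into a usable print is a separate question from what this matcher does, and the tolerances here are the knobs a deployment tunes to trade false accepts against false rejects.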