Biometrics and the Gullible, Wide Eyed Public

I read with interest and concern the recent article claiming that the public's resistance to the adoption of biometric technologies was fundamentally a marketing problem, resolved by developing an industry code of conduct.

With the current state of biometric technologies and the questions surrounding the security and integrity of stored biometric data, I would not describe the public as gullible. I would describe them as rightly sceptical and prudent.

There are a myriad of issues surrounding biometric technology, the two fundamental issues being fraudulent use and security of biometric profiles.

Fraudulent Use (a.k.a. Masquerading)

The current generation of biometric technologies is unable to distinguish between the animate and inanimate. They cannot differentiate between the living and the dead. Personal biometric data is not secret. We carry it around with us on public display. We engage in biometric identification every time we recognise someone. We also leave millions of copies in our wake, from fingerprints to photographs.

It's just too easy to fool a biometric system. With fingerprint recognition you could simply cut off a person's finger and place the severed digit on the reader - bingo, you're in. You could also take a less violent approach, like Japanese cryptographer Tsutomu Matsumoto, and produce a fake finger. With $5.00 worth of products he made a simple gelatine mould of a finger, superimposed a lifted fingerprint and was able to fool nine out of ten readers he tested.

Broader tests conducted in Germany fooled an iris scanner: the testers obtained a photograph of a person's face, placed the photograph of the eyes before the scanner and they were in.

Sure, there is a little work involved, but it isn't rocket science. Respected cryptologist Bruce Schneier said you can fool 80 percent of the biometrics systems 100 percent of the time. Until the technology is more fraud proof it is unlikely to be adopted by the public and its use will remain in highly controlled environments.

Protection of Biometric Profile Data

Identity theft - the fastest growing crime in the world and one that can literally destroy a person's life! This is a core issue and the greatest obstacle to adoption.

We constantly hear from security types, myself included, that there is no 100 percent secure IT system. With the best will in the world no biometrics organisation can guarantee the security of biometric profile information. The information is being stored on the technology we attempt to secure with varying degrees of failure. In this context conduct regarding the handling of information is a necessary element for protection but does not solve the fundamental problems.

Where multiple vendors of the technology have multiple databases of biometric profiles, there are that many more opportunities for the information to be stolen. The notion of one massive centralised database also falls short - single point sensitive. Experience tells us that not all vendors will necessarily operate at the highest standards.

The argument about the odds of having your data stolen is shallow. If there was only a 1 percent chance of your data being stolen it is cold comfort if you are in that 1 percent. The ramifications of identity theft are too great to take such a risk.

Currently with online transactions there is a very real risk of identity theft from stolen credit cards and other forms of pseudo identity. A credit card is easily cancelled and a new one issued. With biometrics this is impossible - a new finger, eyeball, hand?

Biometrics is a new frontier and promises solutions to many security issues we are confronted with but its time is yet to come. I for one will embrace the technology when it comes of age but in the meantime I will watch with interest.

The obstacles to adoption of biometrics are technology based. The issue is security, not marketing. Unless you define marketing as "spin".

The public are not gullible about technology; they have learnt a lot of hard lessons at the hands of technology spinmeisters. Wide-eyed? No, just not blindly accepting.

Glenn Miller is the managing director of IT security specialist distributor Janteknology e-Distribution


Talkback 3 comments

    Anonymous -- 10/10/02

    Yehah, sane comment at last.

    Your argument could also have been bolstered by asking "why do we need this stuff at all?". Identity theft only works where there is a system of identity to be fooled, it doesn't work otherwise.

    The US social security number is essentially an ID number for every citizen. So get enough info on someone and steal their number and bingo, you're them. Much harder here in Aus; you need to steal quite a bit of stuff, and even then you'd be hard pressed to prove you're "me".

    There is also the reverse situation, where if the security system is down, no access at all is allowed. I love the bit in "The Bank" where the hero locks in the bank employees in their IT "cell" by putting white-out on the finger print reader that opens the exit door. Much harder to copy a physical key and foul a lock.

    Keep the biometric stuff for those environments it is suitable for and leave the rest alone.

    JDN -- 18/10/02

    That's what I keep saying every time I hear "Biometrics will rule security."

    Hell, consider this: your office uses retina scanners to log onto the network from anywhere including home. Down the street, your video rental store uses retina scanners to identify you instead of a card.

    Corporate spy walks past you, notices this, hacks the video store, steals your retina key, and posts it everywhere. Then pilfers your network by sending it with a utility.

    And funny thing is: what you gonna do, poke your eyes out and replace them with new ones? Nope, your biometrics are stone: they don't change. Visit a hospital, pilfer birth certificates with finger prints - the owners will never again be secure.

    Because biometric devices operate through software and software is DUMB. Send a security system the right code, it doesn't care!

    Thumb-print access for car door locks? HAH! Swipe the sensor with a lifting tape, reproduce, stick tape on finger, open door, steal car.

    Biometrics have in reality a very low-end security value for more run-a-day doesn't matter much uses. Everything you touch gives out your fingerprints and once filched, they'll never change again. Might as well walk around writing your password down on sticky notes and leaving them everywhere.

    Useful, but when I see sci-fi flicks using voice ID and retina scans for high-level security, I wanna laugh. That is ridiculous - in the future more so.

    Anonymous -- 07/11/02

    Biometric security can work if properly implemented, that is as an adjunct to normal security. It does not replace normal security protocols.

    If you spoof a finger print reader with a fake finger, you have to continue to do it every time, not just once. So provided there is proper surveillance of the print reader device, you shouldn't get away with it for very long, if at all.

    The same for retina scans. I can't imagine that the local video store would ever use it, but the algorithm for a more secure site would be different, therefore you couldn't use the key from one system for another (though the possibility still exists). And entering a high security site with someone else's photo taped to your dial should be somewhat obvious to even a casual observer.

    Where biometrics fail dismally is when used as the initial access key, but never again, such as if used for passport control. Once a person spoofs the test on entry to a country, they then ditch the biometric. You have no idea who they are and nor does your system, kinda security in reverse?
