Second of two parts: What works, what doesn’t, and why Gummy Bears can be used to fool advanced security technology.
In part one of this topic we started at the top with an overview of biometrics and its base technology. Now, let’s ratchet that up a notch and drill down a bit into some of the details.
While biometrics has a lot of potential tools, presently only two are in wide-scale deployment: fingerprint and facial scanning. “Of those two, fingerprints account for 60% to 70% of all applications,” says Dimitrios Pavlakis, research analyst for digital security at ABI. Other technologies include iris, retina, face and palm or hand scans. The following looks a bit more closely at the metrics behind these tools.
One of the key issues of biometric verification is accuracy. It is worth drilling down a bit into the methodology that is used to get that “exact” match.
Basically, to get a match, the system must analyze the data, compare it to a database, and pick the best choice. That is essentially a process of controlled trial and error, and algorithms are used to analyze the errors and logically eliminate all but the best possibility.
There are two types of verification errors a biometric system can make. The first is mistaking the biometric measurements from two different individuals as being from the same individual; the rate at which this happens is the false match rate (FMR). The second is mistaking two biometric measurements from the same individual as being from two different individuals; this is the false non-match rate (FNMR). These are the two parameters characterized by the Receiver Operating Characteristic (ROC) curve.
Algorithms are applied to these metrics to deduce the best-case match. They are also the metrics that determine the level of precision (see Figure 2a/2b). They are parameters that can be varied to change the quality of verification algorithms, and the curve reflects the effect of the variations. Following is a brief description of the process [See reference 1].
A sample population containing matching (genuine) and non-matching (impostor) image pairs is presented to the biometric algorithm, and the match score, t, is calculated for each pair to estimate the genuine (g(t)) and impostor (f(t)) match score distributions. From these distributions, the detection error trade-off (DET) curve is typically plotted as the FMR on the x-axis against the FNMR on the y-axis, by varying a threshold and calculating:
The DET summarizes the verification performance of the biometric algorithm on the sample population on which it is calculated. Technology evaluations, such as the FRVT and FpVTE tests [See references 2 and 3] use DET curves (the ROC), to describe their results. This methodology works for any type of biometric technology.
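As an added illustration, not code from the article or from the cited paper, the following Python computes empirical FMR and FNMR from constructed genuine and impostor match scores and sweeps the threshold to trace the DET points. It assumes the common convention that a higher score means a stronger "same person" claim and that a comparison is accepted when its score is at or above the threshold; the score values are made up.

```python
"""Empirical FMR / FNMR and DET points from constructed match scores.

Assumed convention (a higher match score means a stronger claim of
"same person"): a comparison is accepted when score >= threshold.
  FMR(threshold)  = fraction of impostor scores accepted (>= threshold)
  FNMR(threshold) = fraction of genuine scores rejected  (<  threshold)
Sweeping the threshold traces the DET curve (FMR on x, FNMR on y).
"""

# Constructed sample scores (not real sensor data): genuine pairs tend to
# score high, impostor pairs low, with some overlap so both error types occur.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.68, 0.61, 0.55, 0.42]
IMPOSTOR_SCORES = [0.12, 0.18, 0.23, 0.29, 0.33, 0.38, 0.45, 0.52, 0.58, 0.70]


def fmr(impostor, threshold):
    """False match rate: share of impostor comparisons wrongly accepted."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def fnmr(genuine, threshold):
    """False non-match rate: share of genuine comparisons wrongly rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def det_curve(genuine, impostor):
    """Return [(threshold, FMR, FNMR), ...] over every distinct observed score.

    The observed scores are the only thresholds at which the empirical error
    rates can change, so sweeping them yields every point of the curve.
    """
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, fmr(impostor, t), fnmr(genuine, t)) for t in thresholds]


def equal_error_point(genuine, impostor):
    """Operating point where FMR and FNMR are closest (the EER point)."""
    return min(det_curve(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


if __name__ == "__main__":
    for t, fm, fnm in det_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FMR={fm:.2f}  FNMR={fnm:.2f}")
    print("equal-error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold moves the operating point down the curve (fewer false matches, more false non-matches); a deployment that fears impostors picks a point toward low FMR and accepts the extra rejections of legitimate users that come with it.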
However, as exotic types of biometrics that are still in the developmental stages come on line, this methodology likely will need some modification. However, the basic principle is sound and will perpetuate forward to these new technologies.
Some biometrics, such as iris and retina scans and blood vessel mapping, are intrinsically more secure than others, such as fingerprint, hand and face scans. “The underground, as we know it today, is motivated by financial incentives,” says Hagai Bar-El, Sansa Security’s chief technology officer. “So we have to look at what would be the easiest and most profitable areas for compromise and focus efforts to secure them, proportionately.”
Another interesting security perspective comes from Dr. Patrick Gill, senior research scientist at Rambus, who notes that “fingerprints, irises and such should take a similar role to the kind of authentication credentials that currently one doesn’t want to change if they are compromised—things like your name, or your social security number. There are very few circumstances where such things would be changed.”
Some of these, such as fingerprints, irises, and retinas cannot be changed.
“Even if you have a social security number, a password and a biometric in combination, each of them has significant flaws, and if you combine them, it doesn’t necessarily mean you get something better than the individual benefits of each,” said Paul Kocher, president and chief scientist at Cryptography Research, a division of Rambus.
As it turns out, the security issues with biometrics, and the attacks on it, are the same as those facing current applications (credit cards, computers, and smartphones, for example). The first is identity theft; the second is data compromise. The identification and verification methods differ, but the outcome is the same. The only difference between biometrics and conventional security is how the data is captured and how the identity can be stolen.
So what are the most common issues with biometrics? Let’s take a look:
1. Privacy or discrimination. Data that is captured during the biometric enrollment process has the possibility of being used in ways that may compromise the enrolled individual. For example, biometric employee DNA could also, without consent and unknowingly, screen for genetic diseases or “undesirable” traits that DNA can reveal. This can be used by insurance companies or the government in security clearance, for example.
2. Misuse of personal information. The concern here is that information discovered by biometrics may reveal information that is personal, such as criminal records, derogatory credit data, or financial distress. Such information can be used to refuse an individual a position, for example, even if the data is sealed or has nothing to do with the current reason for the biometric profile.
3. Identity theft. Perhaps the most disconcerting problem is how easy it is to fool a fingerprint sensor, which is the prevailing and cheapest technology and likely to be very pervasive for low-end Internet of Things applications. While it’s difficult to fool face or eye scans, it’s relatively easy to thwart fingerprint biometrics.
Believe it or not, rubber cement is one of the most effective ways to copy a fingerprint. This usually requires the cooperation of the individual, but this technique has been used in criminal activities where the person is being held against their will and their fingerprint is duplicated forcefully.
Gelatin is another simple and easy way to capture a fingerprint. Gelatin has many of the same properties as human skin and can fool the more sophisticated readers that are smart enough to detect fake (rubber) fingerprints. “With just a laser printer and Gummy Bear material, one can produce a ‘shim’ that can be placed over your finger and give you someone else’s fingerprint,” says Gill. “It was a typical maneuver that was popular in high school, some years back, to be able to cut classes while someone else would check you in with this shim.” And it is edible, so the evidence can be quickly destroyed with no traces.
Other measures, such as cellophane tape, photocopies, even “removed” phalanges all have some measure of success in fooling fingerprint scanners. Of course the measure of success is directly related to the sophistication of the scanning system.
However, hardware is improving all the time, as are the layers of security. This is where the security chip vendors play a critical role. They are integrating verification and security measures in biometric sensors and processing hardware. That helps to ease some of the concerns, especially with some of the fingerprint compromises discussed.
As the IoT evolves, so will biometrics. They offer perfect, convenient credentials for the many IoT applications that will require authentication. There are so many biometric traits that can be used to uniquely identify individuals.
One thing worth noting, according to Bar-El, “is that biometrics will, in most cases, not be the single technology for identification and verification.” There are several reasons for that, some of which were discussed. Simply put, it is fairly easy to duplicate the current biometric verification process on the lower-end applications. Other peripheral issues will be discussed in an upcoming article on advanced biometrics.
Facial, hand, iris, retina and voice scans are the ones working today that will evolve. “There are futuristic solutions on the design table, but there is little, real hard evidence that some work, and some are so complex that we don’t really have the technology to make it happen,” said Kocher, pointing to DNA as an example. “And, there are the issues of forgeries. For example, all one has to do is hold a video of the person taken on a smartphone up to the camera, and it will happily accept that as the person being present. I’m skeptical of claims that say these solutions will be foolproof. Tricking a sensor into thinking there is a match, even when the particular human isn’t there, tends to be very possible.”
But looking to the future, there are a lot of other biometric vectors that can be investigated. Moreover, technology will double a few more times as the years pass. So things such as vein scans, facial thermography, DNA matching, odor sensing, blood pulse measurements, skin pattern recognition, nailbed identification, gait recognition, even ear shape recognition, may well become more secure down the road. And there are the more eclectic biometrics, such as electroencephalogram (EEG) and electrocardiogram (ECG), which also are intriguing. Research has shown that individuals have distinct brain and heart patterns that are unique for each individual. This “futuristic” technology is more fraud-resistant than conventional biometrics such as finger and hand prints, and eye patterns.
Just imagine what it will be like to put your head into a biometric scanner to start your car.
1. Andy Adler and Michael E. Schuckers, “Calculation of a Composite DET Curve.” Adler: School of Information Technology and Engineering, University of Ottawa, Ontario, Canada. Schuckers: St. Lawrence University, Canton, NY, USA and Center for Identification Technology Research (CITeR), West Virginia University, Morgantown, WV, USA.
2. NIST: Face Recognition Vendor Test, 2002.
3. NIST: Fingerprint Vendor Technology Evaluation (FpVTE).