Friday, July 21, 2006

Things that caught my attention: biometric spoofing

Yesterday, I started a category that I called Things I take for granted. Today, I am starting another category. This time, I will call it Things that caught my attention.

First to make it to this category is biometric spoofing. I've had this lingering concern about biometrics for a while now. If people start using biometrics as a means to authenticate, what happens when someone gets a hold of the digital representation of your fingerprint or your iris? A password is easy to change but how easy is it to change your fingerprint? How about your iris?

Today, my news aggregator caught this article from Slashdot. The article's pointers lead to ZDNet Asia:

Crime of the future--biometric spoofing?

Excerpts:

Watch where you leave your fingerprints--soon they could be the target of thieves looking to break into your bank account.

Although biometric security systems--using fingerprints, iris scans and facial recognition--are only just now entering the mainstream, they are likely to be common within a few years.

And as soon as biometrics begin to be used to protect bank accounts or benefit systems, crooks will start looking at ways of breaking into them.

....

"We are leaving our prints everywhere so the chance of someone lifting them and copying them is real.

"Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. It's just human nature; if it can be done it will be done if you can achieve some benefit from it."

Different biometrics may be attacked in different ways. For example, researchers have proved in the past it is possible to trick fingerprint systems with fake fingers made of gelatine.

Similarly, would-be thieves could try to spoof facial recognition systems with photos, videos or facial disguises in order to get access to the systems or information they protect.

Part of the problem is that many of the biometrics used by these systems are easily visible.

Toth warned: "Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats."

In response vendors are building tighter security into their biometric systems--for example to check that a finger has a pulse, or that a real iris is being presented rather than a photo.

For now, I don't trust biometrics as a means to authenticate. Maybe that's because I don't fully understand the technology behind it. But I like it better when you authenticate with something you know, something stored in your brain -- like a password that will in turn generate a random password. That way, the master password can easily be changed when there is a security breach. The random password, on the other hand, is just that -- a randomly generated password that is valid only for a few seconds. This is the type of authentication that we use at Sun. Maybe one day, I will post something about that.

Perhaps, one day, biometrics will become really secure. But I will wait and see. Until I'm convinced, I won't sign up for any service that uses biometric authentication.
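The short-lived password derived from a changeable master password, described above, can be sketched as follows. This is an added example, not code from this post or from Sun: it assumes a standard time-based one-time password (RFC 6238) keyed from the master password with PBKDF2, and the 30-second window, salt, passwords and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed validity window; the post only says "a few seconds"
SALT = b"constructed-demo-salt"  # constructed value, stored server-side per user

def derive_key(master_password: str, salt: bytes = SALT) -> bytes:
    """Stretch the memorised master password into an HMAC key (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def one_time_code(key: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 dynamic truncation over the current time step."""
    counter = struct.pack(">Q", int(now // STEP_SECONDS))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key: bytes, code: str, now: float) -> bool:
    """Accept only the code for the current time step, compared in constant time."""
    return hmac.compare_digest(one_time_code(key, now), code)

def demo() -> tuple:
    t = 1_153_440_000  # constructed timestamp
    old_key = derive_key("old master password")
    code = one_time_code(old_key, t)
    new_key = derive_key("new master password")  # rotation after a breach
    return (
        verify(old_key, code, t),         # fresh code, current secret
        verify(old_key, code, t + 300),   # same code five minutes later
        verify(new_key, code, t),         # same code after the secret changed
    )

if __name__ == "__main__":
    print(demo())
```

A captured code stops working once its time step passes, and every code derived from the old master password stops working once that password is changed, which is the revocation step a fingerprint or iris does not offer.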
