
Biometrics: silver bullet or poison arrow?

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 16 Oct 2013
A fingerprint can be easily faked, using products found in most households.

The convergence of biometrics and mobile will pave the way for the eventual replacement of passwords, usernames and other more traditional forms of protection.

So says Marius Coetzee, MD of biometrics company Ideco, adding that the rise of identity theft and related fraud is driving the demand for the application of biometric technology, specifically as e-verification tools for online and mobile banking.

Coetzee says fingerprint scanning technology, such as Apple's newly introduced Touch ID, empowers the consumer to take control of their identity and make themselves less susceptible to attacks.

In addition, he says it removes the inconvenience of consumers having to continuously verify their identity.

"Biometric-based e-verification is an accurate, easily-integrated and managed infrastructure, and lends itself to the automatic, real-time and constant nature of mobile technology and telephony."

Never enough security

De Wet Steyn, partner at biometrics provider Linx BioLock SA, says: "The fact is that one can never add too many security layers to ensure data protection and to avoid fraudulent activities."

He stresses this is obviously only true up to the point where one has to find a balance between login effort, such as the time it consumes, versus the benefits of an additional security layer.

However, he says the future calls for speed of use, speed of transaction processing, and suchlike: in a nutshell, a quick login system that doesn't compromise security or controls. "Only biometrics offers this. It is commonly known that access to applications via mobile devices is the future. The mobile workforce means that users need access to systems on the go."

No system is perfect, but Steyn says biometrics user authentication is 99% fool-proof from potential fraud, and is the most reliable anti-fraud user authentication mechanism out there.

Easily faked

However, the recent hack of Apple's Touch ID, by the Chaos Computer Club (CCC), in Germany, would suggest otherwise.

At the time, CCC spokesman Frank Rieger said: "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

He added that a fingerprint can be easily faked, using products found in most households.

It is his view that the public should "no longer be fooled by the biometrics industry with false security claims, and that biometrics was designed as a means of oppression and control, rather than for secure device access".

Steyn adds that while it is true that fingerprints are left everywhere, it is not quite so easy to convert these fingerprints to an object that will act as a living finger which is required by biometrics.

"How many people can actually enable such a conversion? Even if they manage to retrieve the biometrics of a specific individual and build an object with the biometrics, then one could overcome this with devices that also measure life, requiring a living finger."

The bottom line, says Steyn, is that nothing is fool-proof; one can only improve security and controls by implementing and applying as many measures as possible to enhance security and protect data and access to systems.

Additional security implications

Kaspersky Lab chief security expert, Costin Raiu, adds: "Considering the ongoing debate about privacy, Apple couldn't have chosen a worse time to release a biometrics solution."

He says there are many security implications of the Touch ID technology. "Indeed, while this can make things easier for regular users, it can also mean additional security issues. For instance, when hackers manage to get access to your device, they can also get access to your fingerprints. These can further be used for other malicious purposes."

It is his view that perhaps the worst thing about the new iPhone is that, in the future, users won't be able to buy one without the fingerprint sensors.

"Considering the fingerprint sensor is active by default and at all times, this will make it unattractive to a lot of security-aware customers."

As a doomsday scenario, he says to consider a worm or computer malware that manages to infect millions of iPhones and collect the fingerprints of millions of people. "Once you've collected a fingerprint, you need to remember that it will be 'active' forever. This is not something like your password that you can change when your account is compromised."

The attacker will have your fingerprint for life, concludes Raiu. "Good luck trying to change your fingerprint after such a massive data compromise."

'Spoof-proof' answer?

US-based NexID Biometrics believes it has a 'spoof-proof' solution to the problem.

Mark Cornett, COO of NexID, told ITWeb its software technology exploits the inherent differences between fingerprint images captured from live fingers and from spoofs, via real-time image processing and statistical analysis.

"We look at and analyse only the image that is captured by the scanner, and return to the scanner's operating system a 'liveness score' which represents the probability that an image is either from a live finger or a spoof."

He says most fingerprint scanners are highly vulnerable to spoofing. "In fact, we have been able to spoof every device we have tested."

Once the NexID solution is integrated, Cornett says most clients' scanners realise a "spoof resistance level" of 96% - 98%, a performance that is being improved through the continuous enhancement of its software algorithms.

He says an incorrect determination is made 2% - 4% of the time. "This obviously compares very favourably to scanners without spoof mitigation functionality since they can be spoofed nearly 100% of the time.

"Today, due to the limited deployment of 'liveness' detection solutions, fingerprint scanners remain vulnerable to spoofing."
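The liveness-score decision Cornett describes turns a probability into an accept/reject outcome at some threshold, and a single "incorrect 2% - 4% of the time" figure hides two different errors: a spoof accepted as live, and a live finger rejected as a spoof. The following is an added example, not NexID's software or any code from the article; the score lists, the thresholds, the function names and the sample sizes are constructed assumptions for illustration, not measurements of any real scanner.

```python
"""
Added example (not NexID's or the article's code): how a liveness score is
thresholded into a live/spoof decision, and how the two error rates move in
opposite directions as that threshold changes.
"""
from typing import List, Tuple

# Constructed liveness scores (probability that the capture is a live finger),
# one per captured image. Live fingers cluster high, spoofs cluster low, with
# some overlap; the overlap is what makes the threshold a trade-off.
LIVE_SCORES: List[float] = [0.97, 0.95, 0.92, 0.91, 0.89, 0.88, 0.86, 0.84, 0.81, 0.78,
                            0.75, 0.72, 0.69, 0.66, 0.61, 0.58, 0.55, 0.49, 0.42, 0.36]
SPOOF_SCORES: List[float] = [0.03, 0.05, 0.08, 0.11, 0.14, 0.18, 0.21, 0.25, 0.29, 0.33,
                             0.37, 0.41, 0.45, 0.48, 0.52, 0.57, 0.63, 0.68, 0.74, 0.80]


def is_live(score: float, threshold: float) -> bool:
    """Accept the capture as a live finger only when the score clears the threshold."""
    return score >= threshold


def error_rates(live: List[float], spoof: List[float], threshold: float) -> Tuple[float, float]:
    """Return (spoof_acceptance_rate, live_rejection_rate) at one threshold.

    Spoof acceptance is the attacker's success rate; live rejection is the
    friction honest users pay for it. Both are fractions in [0, 1].
    """
    spoof_accepted = sum(1 for s in spoof if is_live(s, threshold))
    live_rejected = sum(1 for s in live if not is_live(s, threshold))
    return spoof_accepted / len(spoof), live_rejected / len(live)


def sweep(live: List[float], spoof: List[float], steps: int = 20) -> List[Tuple[float, float, float]]:
    """Tabulate (threshold, spoof_acceptance, live_rejection) for thresholds 0.0..1.0."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        sar, lrr = error_rates(live, spoof, t)
        rows.append((t, sar, lrr))
    return rows


def threshold_for_spoof_budget(live: List[float], spoof: List[float],
                               max_spoof_acceptance: float) -> Tuple[float, float, float]:
    """Lowest threshold whose spoof-acceptance rate fits the budget, with the live-rejection cost it implies.

    Scanning upwards from 0.0 finds the most permissive setting that still
    meets the security target, i.e. the least user friction for that target.
    """
    for t, sar, lrr in sweep(live, spoof, steps=100):
        if sar <= max_spoof_acceptance:
            return t, sar, lrr
    # No threshold meets the budget: reject everything (no spoofs, but no users either).
    return 1.0, 0.0, 1.0


def overall_error_rate(spoof_acceptance: float, live_rejection: float, spoof_fraction: float) -> float:
    """Blend the two error rates into one 'incorrect determination' figure.

    The blended number depends on how many attempts are spoofs, so a single
    percentage says little without the mix it was measured on.
    """
    return spoof_fraction * spoof_acceptance + (1.0 - spoof_fraction) * live_rejection


if __name__ == "__main__":
    for t, sar, lrr in sweep(LIVE_SCORES, SPOOF_SCORES, steps=10):
        print(f"threshold {t:.1f}: spoof accepted {sar:.0%}, live rejected {lrr:.0%}")
    t, sar, lrr = threshold_for_spoof_budget(LIVE_SCORES, SPOOF_SCORES, 0.05)
    print(f"for <=5% spoof acceptance use threshold {t:.2f}; live rejection becomes {lrr:.0%}")
```

Run against the constructed scores, a threshold of 0.5 accepts 30% of spoofs while rejecting 15% of live fingers; forcing spoof acceptance down to 5% pushes the threshold to 0.75 and live rejection up to 45%. Real scanners have far less overlap than these toy lists, but the shape of the trade-off is the same, which is why a vendor's "spoof resistance" number should always be read alongside the false-rejection rate it was achieved at.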

It is his view that multi-factor authentication is always the best means for highly secure access: the combination of something you know, such as a PIN or password; something you have, such as a card or a key; and something you are - biometrics.
