Sunday, November 12, 2006

Debate on the Reliability of Biometrics

Comment From Jeremy Wickins:
Firstly, an iris or fingerprint is actually not that hard to fake. As security guru Bruce Schneier has famously said, "Biometrics are not secrets". Fingerprints can be lifted very easily from any surface, including a credit/debit card. A piece of sellotape can lift a fingerprint sufficiently to fool a fingerprint scanner. Iris scans can equally be spoofed, but it requires a reasonably high-res picture to do so.

On the second point, one of the problems with facial biometrics is exactly that they are so sensitive to changes that the human eye would not be fooled by. In the only large scale test of biometrics in the UK, a woman brushed back her hair from her face between enrolling the facial biometric and verifying it - the system did not recognise her. Hats, beards and spectacles also baffled the system, and we should all become familiar soon with the fact that any facial expression other than the bland one required will result in a refusal of recognition. At the very least these things are denying us the humanity of self-expression.

At the bottom of this article I've added some references to tests performed on biometric equipment and how it was fooled. From looking at the tests, you can see that every single one of the biometric devices was eventually fooled. However, I don't see this as a suitable reason to pack up and join the anti-ID-card camp, for the following reasons:

First, looking at the tests in the references below, the best fingerprint scanner needed a silicone mould constructed from the impression of a fingerprint. Since these tests were performed in 2002, it's safe to say that any scanners used by the time the system comes into play will take at least this level of effort to fool.

Next, we need to examine where these devices will be used. A few guesses of mine are:
  • Getting medical treatment at a hospital
  • Signing on/applying for benefit
  • A security check when travelling abroad
  • Applying for a bank account/loan/mortgage
This is far from an exhaustive list, so please suggest additions, but a common point about them is that there will always be someone present, meaning that using the bit of sellotape or the silicone mould technique would not really be an option unless whoever was supervising were to look the other way.

The combination of these factors means that in order to pass yourself off as someone else, you would need:
  • Someone's ID card (or alternatively a forgery)
  • Suitable copies of someone's fingerprints
  • Help on the inside
The difficulty in achieving a combination of these factors means that cheating the system is not as easy as you might think.

Stay out of trouble Citizens

References
  • "Biometric Sensors Beaten Senseless": article on The Register, a quick outline of the test used to fool biometric scanners.
  • Test by c't Magazine: the full details of the tests.

1 comment:

Anonymous said...

You are correct about the likelihood of impersonating someone else with fake fingerprints. Almost zero. The problems are likely to come about when the equipment can't match your fingerprints. False negatives. However, a photo and/or password will get round that problem and the ID Card Act makes provision for that. More than one biometric will be required.

Tesco are not having any problems, and I believe cheap fingerprint detectors are available for PCs.

As you say, there is no need for many ID checks. I don't see why it would be needed for medical treatment. The NHS computer system will soon have your medical records available everywhere. Once your ID is checked, it need never be checked again. In fact, you already have an NHS number which should be checked, but isn't. If you're on the GP's computer, you're in the system.

You can't get expensive treatment, a heart by-pass operation for example, without going through your GP. If someone fakes an ID card and fingerprint to get antibiotics for flu, then all I can say is they have more money than sense. I wouldn't risk faking an ID card for a heart by-pass though. I could easily end up with the wrong blood and die.