Security industry fingered over biometric zeal

 

Gallery

By Matt Whipp

Posted on 23 Jan 2007 at 17:17

The IT industry has invested so much in biometrics as the solution for authenticating identity that it is refusing to acknowledge its failings, claimed a security professional.

Giving evidence recently to the House of Lords' Security Science and Technology Committee in an investigation into personal Internet security, Adam Laurie - director of secure hosting data centre The Bunker and independent security researcher - said that the trend to silo personal information into a single database and then rely on biometric authentication to secure it is a risky strategy.

'One of the main things that concerns me the most - the reliance on biometrics ... If you spend millions on systems that say biometrics are foolproof and we are going to use these biometrics to prove our identities and we have spent lots of money on it and it is foolproof, that causes a real problem for somebody caught up in the system when their identity has been spoofed.

Red Hat's Alan Cox, representing the open-source community in the evidence giving session described just how easy it is to step around biometric authentication.

'You can make copies of fingerprints,' he said. 'The fingerprint is also on the [RFID chip of new passports]. I assume the Passport Office use very high quality ones, but to fool a fingerprint scanner all I end up needing to make is a small piece of plastic that fits over the end of my finger which is almost invisible ... You can make it with a laser printer, PVA glue and a couple of printer's tools. That is all it needs.'

According to Laurie, industry has convinced itself of the infallibility of biometrics and has now spent too much money on it to consider other choices.

'How do I convince this huge industry that they have got it wrong?,' he claimed. 'There is a serious inertia against admitting that there is a problem with the system, so the more you claim a technology is foolproof and the more money you spend on it the harder it gets to show they were wrong.'

He claimed ID cards would be vulnerable to abuse because of the industry's over commitment to biometrics and that such technologies will become obsolete over time. 'What system have we got currently that was invented ten years ago, was issued over a secure system and is still secure now?' he asked.

George Skaff, VP of biometrics company DigitalPersona, told us that biometrics still has a role in authenticating and securing identities, but that it should be deployed alongside other measures.

'All security is about layers. Most doors, such as the lock on a front door can be cracked open. A lock picking kit can be bought on eBay for just a few pounds. However, many people will feel safe even though it is possible to pick that lock. But some people go out and buy an alarm system or put on another lock or bolt.

'Everything in the physical world and in the computer world is about layers. Nothing is 100 per cent but by adding more layers, you can make it more and more secure. The threat and the risk model is such that a fingerprint by itself gives that extra assurance on a person's identity, improving compliance and audit logs.

'The key is to allow a combination of security layers, for example a smart card and a fingerprint, or you can have a PIN and a fingerprint, the more the layers, the more assurance.'