The Myth of Biometrics Enhanced SecurityJul 23rd, 2009 | By Innovya | Category: Articles, Featured Posts, michas-thoughts, News, Opinions | Print This Post
By: Michael (Micha) Shafir – Security Park
Current Biometric documents are useless. ePassports don’t make much sense without one-only or unequalled biometric passport reader. Let’s face it once and for all, any electronic data storage method by which content can be read (e.g. RFID, smart/storage cards, etc.), gives it the obvious potential to be hacked, copied and cloned. There’s a reason why “Random Access”, “Write Only Memory” (“WOM”) devices have never sound logical. What purpose would there be to store data that cannot be read? Let’s take this one step further. If stored information is designed to be read, then a device must exist with the ability to read the stored information for it to be of any value.
Now, let us apply that simple logic to stored information that’s meant to be read in a widespread application. In this type of application, multiple standardized reading devices must exist in order to always yield the same result from that stored information. As an example, standardization gives us the ability to use our credit cards regularly because each and every point of sale reader is reading the information contained within the card’s magnetic strip in the exact same way.
We must therefore recognize that these same benefits of standardization create reciprocal risks of fraud. Once the ability to read stored information exists, the ability to either reverse engineer the reading process or clone the coded stored information exists as well. What purpose does, a means of identification serve, if we cannot be near certain that it has not been compromised? Further, once that ID has been compromised, how can it be prevented from yielding positive identification where not intended? To illustrate the point, let us use your everyday ATM cash withdrawal as an example. After inserting the card into the ATM, one is prompted to enter the PIN associated with that card.
If the correct PIN is entered, even by someone other than the authorized user, the ATM will approve the transaction because its predetermined means of authentication is a combination of a card and its associated PIN. As we are well aware, magnetic strip cards and the like can be easily read, thus creating the opportunity for thieves to create a copy of that card. All that’s left is the PIN. For professional thieves, that’s less of a challenge than we’d like to believe.
For years, as technology developers would have it, much effort has been focused on providing more and more secure methods of storing sensitive information, without addressing the root of the problem. Regardless of how securely information is stored, because it is designed to be read, illicit methods by which to read the information will be found. Once that has been accomplished, the ability to create both fake and cloned ID’s exists. ePassport readers are addressing the standards and recommendations of predefined requirements like the Machine Readable Travel Documents (MRTD). In order to make them usable, they must be consistent.
If you have a set of identical targets (e.g. ePassports or National IDs or Driving Licenses or Employee cards etc.), breaching one of them is a breach of all of them. Identical electronic device is a single point of failure. It is unfathomable for governments to change their entire population’s ID’s and documents every time someone, somewhere across the globe hacks and clones a single chip.
It would seem as if the only real way to prove you are who you claim you are to an automated system is through the use of biometrics as a means of authentication. Identity theft is exceedingly common these days. The use of biometrics, however, creates a whole new area of concern. When non-biometric security authentication elements are breached, security can be reestablished by selecting new authentication elements. The same cannot be done in an instance where stored biometric information is breached. Biometric information cannot be changed. Our fingerprints, face, retina and all, are what they are. The question we are faced with is how we can truly secure our biometric information. We can change our name or address, but we cannot change our body parts.
Turning the human body into the ultimate identification card is extremely dangerous. The possibility of fraud with electronic chips and biometric data should not be underestimated. Exposing or losing biometric property is a permanent problem for the life of the individual, since, as we’ve mentioned, there is no practical way of changing one’s physiological or behavioral characteristics. How do you replace your finger if a hacker figures out how to duplicate it? If your biometric information is exposed, in theory, you may never be able to prove who you say you are, who you actually are or, worse yet, prove you are not who you say you aren’t.
The best secrets are secrets that are never shared. Storing those secrets on a readable electronic card from which any simple RF dump reader can extract that information, in the same way as international border readers do, or storing your personal information together with your biometric characteristics on a readable electronic device is like sticking a label with your PIN on the back of your ATM card!
Biometric authentication is a powerful tool, able to bridge the gap between human and machine interaction in everyday instances such as ATM withdrawals, on-line banking and credit card transactions and all sorts of general user authentication. The use of biometric authentication enables a high threshold of security by reducing identity fraud incidences of unauthorized user access. It is also an easy method of authentication from the user’s point of view because a user’s biometric information is always with them. The most critical flaw in the use of biometrics as a means of authentication, however, is that the authentication process cannot work if the subject is a stranger to the system.
We’ve already concluded that storing the biometric information on an external device carried by the user, such as a smart card, is far too risky in that it risks losing one’s biometric information forever. Alternatively, databases are breach-prone, and inefficient, especially when used in large scale applications. Databases also require real-time access to be of any value, communication with which may not always be available. Where then can such sensitive information be stored? Furthermore, why risk storing that unique biometric information in a database, smart card, or other external devices to make it useful?
Another problem with common biometric systems is that the most effective way to achieve maximum system matching is to compare biometric images to a template by using raw data. Biometric Encryption is the process of using a characteristic of the body as a method to code or scramble/descramble data. Since these characteristics are unique to each individual, the biometric information readers, cameras and sensors must all yield identical results.
Most biometric authentication systems use a similarity score as an internal variable, whereby if enough numbers of starting points are given, it is possible to find the highest point without being trapped by local minima. However, different readers, cameras and sensors, manufactured by different manufacturers, generate ever so slightly different biometrics results. Varying starting results, when encrypted alike, will not yield the exact same decrypted result.
Biometric standards can be obtained only if the common information is unconcealed. That, in and of itself, creates system wide vulnerability, and thereby renders the system unsecure. At present, each biometric scanner’s vendor generates their own encryption method. Raw biometric data is critical data. It should not be exposed or stored in public space. As difficult as it might be to create a secure standard for identical encryption paths, it is seemingly not possible to create standards for non-identical encryption paths. Overcoming the encryption matching hurdle is the see-saw that creates the security blind spots because the template can be tapped during the authentication process.
Traceable biometric authentication systems extract features from scanned biometric elements and pattern match it with an enrolled template. Theoretically, a system cannot authenticate strangers to its data store. The other side of that theory is exactly where the hackers look. The inability to “recognize” strangers is an opportunity to breach the authentication barrier. If a biometric authentication system has a blind spot, it can then be take advantage of and used to clone or rob ID. It also means that when the real ID owner will try to use their legitimate ID, they might find that they have been revoked from the system without understanding why. An electronic chip that contains identity elements is only one of the many threats facing traceable biometric authentication systems.
Template leakage is an even bigger problem because once that information is gotten a hold of, the ability to prevent illegitimate copies and “fake originals” of legitimate ID’s is gone unless the template is changed. Any change to the template requires changing ALL associated ID’s, just as is the case when a “master key” is lost. The only solution is to change the key and distribute new keys to all who use it. Can one possibly imagine if such an instance were to occur with Driver’s Licenses? Now try to imagine if it were to happen with Passports. Unfathomable! At least with keys, the ability to change the template or lock is not ideal, but possible. That is not the case with biometrics as biometric elements are with the individual for life. Dear security decision maker, how can you sleep at night?
People want to be able to draw a circle around their personal information, and do not want parts of their body electronically stored in databases. Our system of government tells us that we are entitled to control all that falls inside this circle; we ought to be able to regulate how, to whom, and for what reasons the information within this circle is disseminated. Some people object to biometrics for cultural or religious reasons. Others imagine a world in which cameras identify and track them as they walk down the street, following their activities and buying patterns without their consent. They wonder whether companies will sell biometric data of their body parts the way they sell email addresses and phone numbers. People may also wonder whether a huge database will exist somewhere that contains vital information about everyone in the world, and whether that information would be safe there.
Cloneable, traceable or collectable biometric systems could be designed to have the capability to store and catalog information about everyone in the world. The violation of privacy created by the collection of biometric data creates a prophylactic paradox; the bigger the privacy violation, the farther away it moves away from its intended goal.
How then can the power of biometric authentication be made useful without bumping up against these numerous serious challenges?
Innovya’s Traceless Biometrics approach, using non-unique remedies and a Real Time Reactive Authentication process solves all such cloneable, deflectable and privacy challenges. The Traceless Biometric workflow uses the time tested photo ID concept, wherein you match a picture to a person, no different than in any typical biometric authentication process. In a very simplistic way, just as in a mirror reflection, anyone can “authenticate” a stranger’s reflection without the need to compare the reflection against any other source of stored information. It does so, however, in a manner that is, as its name suggests, traceless, without storing any biometric data anywhere.
Innovya’s Traceless Biometric Authentication process consists of a comparison of only a portion of predetermined biometric elements against the users’ associated access device, wherein the “instructions” for which such portions and their mathematical modifiers are stored on the access device, somewhat similar, in an oversimplified sense, to the PIN on an ATM card. Unlike the ATM card, however, the system will not authenticate unless that specific user is the one seeking authentication because positive identification is derived from biometric elements on the user’s person, and therefore becomes useless without the user. Should the access device be hacked exposing the numerical string derived in the Traceless Biometric Authentication process, an alternative Traceless Biometric Authentication element can easily be programmed and reissued to the user.
Therein lays the essence of Innovya’s novel approach. Innovya has overcome the major challenge of creating a secure and efficient authentication solution that is stronger and less disturbing than electronically cloning human intrinsic characteristics on databases or electronic chips by eliminating them from the equation altogether. Additionally, because only a portion of the total biometric data is used in the process, should that data be compromised, the ability to recreate the biometric element from which it was derived is simply impossible.
Today, most systems are designed to work specifically in place where they are located, like office buildings or hospitals. The information in one system isn’t necessarily compatible with the other’s, although several organizations are trying to standardize biometric data. Once identical information is stored outside of governmental boundaries, the potential of using it commercially is huge, especially by hostile governments that might be willing to pay a lot for these otherwise indiscoverable information elements. Above all the advantages and disadvantages this technology, we will unintentionally be creating ripples in the field of security and privacy.
Adopting traceless guidelines by using real-time reactive authentication process methods for current biometric authentication systems will result in an efficient and unobtrusive authentication solution, wile treating personal privacy as the critical issue that it is. Biometric scanning, not storage, as is necessary for the limited purpose of authenticating a user should suffice. Authentication systems should dismiss all biometric information or traces thereof from the scanning devices immediately after the authentication process, and mustn’t use any external storage systems. Innovya has developed the solution to all of these challenges.
Although there are severe restrictions on collecting, creating, lodging, maintaining, using, or disseminating records of identifiable personal data, there are no legal restrictions on the processing of biometric authentication systems. Biometric authentication processes must be recognized for the risk that they pose, and must therefore be done so only in ways that are Traceless and Anonymous.