By Steve Ranger, 20 July 2006 15:35
NEWS
Watch where you leave your fingerprints - soon they could be the target of thieves looking to break into your bank account.
Although biometric security systems - using fingerprints, iris scans and facial recognition - are only just now entering the mainstream, they are likely to be common within a few years.
And as soon as biometrics begin to be used to protect bank accounts or benefit systems, crooks will start looking at ways of breaking into them, according to Bori Toth, biometric research and advisory lead at Deloitte & Touche.
Biometric spoofing is a "growing concern", she said.
Toth told silicon.com: "We are leaving our prints everywhere so the chance of someone lifting them and copying them is real.
"Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity - but it will be. It's just human nature; if it can be done it will be done if you can achieve some benefit from it."
Different biometrics may be attacked in different ways. For example, researchers have proved in the past it is possible to trick fingerprint systems with fake fingers made of gelatine.
Similarly, would-be thieves could try to spoof facial recognition systems with photos, videos or facial disguises in order to get access to the systems or information they protect.
Part of the problem is that many of the biometrics used by these systems are easily visible.
Toth warned: "Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats."
In response vendors are building tighter security into their biometric systems - for example to check that a finger has a pulse, or that a real iris is being presented rather than a photo.
Read silicon.com's A to Z of biometrics for the lowdown on this controversial security technology - from cash machines and keystroke dynamics to voice verification.
Comments
There are 9 comments. Join the discussion
1. John Stanhope
I think that this article, although true, simplifies the issue slightly.
Sure, it is possible to create fake finger - but the time and effort involved is not inconsiderable - and requires the skills of a dentist and his drill to create the grooves found in a fingerprint.
It's rather like Chip and PIn - Yes, it is theoretically possible to clone and chip and PIN card - but is the effort worth it - currently no.
2. Karen Challinor
Ok check for a pulse ... then check for a very thin layer of latex with a fingerprint pattern on it and some small holes to simulate pores and let sweat through so it's conductive
Anything else that should be checked ?
Ok latex probably won't work but someone will find a material that will
3. Jay
Hang all the oxygen thiefs, less tax wasted. less problems, better society
4. Simon
So how long before we have an "I told you so" incident ?
It's been known for decades how to 'plant' fingerprints, and it's trivial to 'plant' DNA at a crime scene.
When it comes to biometrics for authentication, given that it's easy to fake a fingerprint (even when the reader is checking for a pulse), what are we supposed to do WHEN (not if) our details are compromised. I can change a password, but I sure as hell have no intention of changing my fingerprints !
More proof (not that any is needed) that the governments ID project is heading for an almightly big crash.
5. anonymous
If biometrics are seen as a stand alone solution then they will be attacked and overcome almost as easily as any other available system. Biometrics should be seen as another element available for 3 factor authentication.
Fingerpirnt recognition systems have been shown to be quite easily passed with gelatine fingers etc. but fingerprint verification systems where the fingerprint is verified against another factor (PIN - proximity card etc.) makes the breaking of the system much harder.
6. Kurt Kleinmann
Sounds like a boone to the glove industry. That way you can be more picky about where you leave your prints.
7. anonymous
The Biometric data capture device is a minor part of the security system.
I am expanding on what a previous commentator said.
The biometric data capture device is just a way of producing a stream of bits unique (we hope) to the bearer - a replacement for a password. You have to protect this stream of bits all the way to the sensitive data storage that it is supposed to safeguard. This includes inside the data capture device itself.
This device needs to be demonstrably tamper-proof. It may need a 24-hour security guard to ensure it doesn't get replaced by a look-alike.
8. anonymous
The main threats come from firmware hacks in readers and spyware in computers. If hackers obtain your fingerprint pattern, they can spoof your ID. Unfortunately, unlike PIN's and passwords you cannot change your biometric characteristics. If your biometric data is used illegally, you may have difficulty prooving your innocence.
Biometric sensors may be useful to institutions where firmware integrity can be guaranteed, but not in insecure environments like home or office PC's.
9. Lesley Payne
As previous commentors have said it is obvious that biometric systems will fall foul of those determined to compromise them and as we cannot change our fingerprints etc then we will find it incredibly difficult as individuals to rectify the problem. The governmet needs to rethink its whole philosophy on ID cards and we as individuals need to mitigate the risks and really wake up to information security in all its forms.