Biometric Implementations: Myth and Reality
by Dionysios S. Demetis www.demetis.com
There is definitely something alluring in any technological artefact. Technology has seductive powers, and in the information age any technological application is surrounded by a myth, while the technological artefact itself becomes de-contextualised. But nothing exists in splendid isolation! Despite the fact that technology has become a necessary e-vil, technology is often incorporated hastily with little consideration about its systemic effects, and companies are always looking for the next ‘best’ thing. Sometimes technology can indeed help, but on many occasions it merely paves the way to failure and walks a company through it at broadband speeds.
Biometric implementations will be no different. All systems have one thing in common: they occasionally fail and the question then becomes how to mitigate the risks of a potential failure and its implications (i.e. operational and reputational risk). But the myth of technological perfection endures. Even the UK government has fallen victim to the instrumental belief of technology and its efficiency, suggesting the use of multiple biometrics at a population of 60 million, way before tests were carried out even in the range of a few thousands. The US has swiftly claimed success in biometrics when even their previous endeavours with the Social Security Number and the centralised database behind it has spawned identity theft reaching $48billion in economic losses over a 5-year period. Government claims the need is there to put these technologies in place. They claim black-lists, no-fly lists, lists-of-lists, profiling, data mining and the rest will solve the problems, prevent terrorism and resolve a spectrum of social dysfunction. Explain that rationale to Sister McPhee, who oversees Catholic Education in the US from nursery school through post-graduate and found herself on the no-fly list as a terrorist suspect because someone else was using her last name. It took Sister McPhee nine months to get off the list even though the Transportation Security Administration had paid $2million just to handle complaints. Apparently, this allocation was insufficient, as a quarter of that money was used to handle voicemail backlog and no one would ever respond to Sister McPhee despite numerous messages to the service.
While government re-enforces the myth of technology, some companies will blindly follow (the financial services industry being the most obvious example), and some have already done so. The technology industry itself is geared up to sell the products. Pay by Touch, a US based company, provides a fingerprint recognition device for several merchants (supermarkets and stores in the US have already bought the technology and the UK will soon follow); this allows the customer to place his fingerprint in a biometric reader and literally pay by touch. The device recognizes the fingerprint, matches it with a stored template which is connected to your credit or debit card and you’re done. This is only one example out of the various suggested implementations for biometrics. There are many more to come.
But what happens if such mechanisms and their by-products fail? What are the legal implications? Who owns the biometric data? The user, the company, the fraudster or all of them at the same time? One would say that there will always be an alternative (i.e. pay by cash instead of touch) and he/she would be perfectly happy if it weren’t for the distinct technological realm within which biometrics operate. The problem with biometrics is that if yours are stolen you lose them for good; you lose them for life. You can never issue another fingerprint or an iris and the person that has your biometric data in his/her possession will have ample opportunities to use them in various ways and circumstances; for life. Or simply trade them online in underground markets for biometric-data exchange. An additional problem is that biometric authentication systems are based on data that cannot be considered secret (i.e. you leave your fingerprints everywhere) whereas additional security mechanisms (pin numbers) can also be bypassed. Researchers around the world have successfully carried out attacks in biometric systems with the simplest of tools.
Security in biometric implementations is therefore crucial. A common misconception is that there are only two points of attack in biometric systems: the biometric reader (the device) itself and the template where the data is stored. In reality, there are roughly eight points of attack in any biometric system and there are ways to attack the security of nearly all of them. The reason for this complexity in security is that not only the underlying systems themselves can be attacked, but also their interconnections. For instance, if you can have access to the decision-end of the system which is binary (yes for authorizing access – no for restricting access) then the rest simply don’t matter. If you can tap into this process (and there are many more points like that) then what biometric data is read from the device becomes irrelevant. Large-scale implementations of such systems with centralised databases can therefore only increase the underlying complexity.Businesses will also be affected by such changes and they will have to act sensibly by seeing technology as part of the problem and not the solution. I can already foresee the myth being constructed: biometric systems will solve identity checks, they will make the vetting process of employees even more credible so that fraudsters will not infiltrate organizations, they will allow for secure access to sensitive facilities, limit fraudulent transactions, and so forth. The reality will be quite different as biometric devices are themselves limited by several factors. Without boring you with too many technical details, it is nevertheless crucial to see two major indicators that point towards biometric effectiveness.
The first one of these is the False Rejection Rate (FRR) that is essentially a measure of the percentage of the users that will be falsely rejected by the biometric system. In practice that would mean Denial of Service for the user and lack of access to the system itself. If you are a business then this translates to money being lost, customers irritated, complaints filed, internal audits initiated, and a range of other unsavoury outcomes. The second indicator poses a greater threat and is the False Acceptance Rate (FAR) whereby users gain access to the system without being the real owners of the biometric data. An additional problem however is that these two aforementioned indicators are generally mutually exclusive, so typically, it would be a utopia to make both zero and have a perfect system. The system therefore is limited in itself and scalability for large-user databases presents even more problems. Even with a perfect technology (that’s hard to imagine but let’s make this hypothesis for now) a wide spectrum of scenarios are bound to face considerable problems. It’s the context that is important here, not technology per se. Use but mostly misuse by people working outside of laboratory-environments where biometrics appear perfect will manifest itself in various ways.
To tech-savvy businesses such issues might swiftly turn to a background (prior to implementation and the enthusiasm that often comes with it) but their complications will have to be dealt with. At the same time, the industry that produces the biometric devices will be coupled with other products. RFID chips (Radio-Frequency Identification) that allow for the tagging of employees within their working environment is a classic example. In such a scenario (a working prototype of which I saw recently at a conference), each employee is biometrically scanned and also given an RFID chip. A database records the transmissions from the RFID chip and therefore a company can record the locations of its employees at any given point in time; something like ‘Asset Tracking’ of trucks and cargos with GPS devices, only this time it’s indoors, less expensive with RFID and involves real people. Vendors will do their best to disguise such pervasive methods as non-pervasive, hassle-free and security-enhancing.
Before businesses buy the products and proceed to biometric implementations, they will have to deal with their implications. Careful management (at senior level) will be required to tackle the emerging phenomena whereas organizational culture, potential risks and security threats will all have to be factored in prior to the implementation itself. If that doesn’t happen, an already complex domain (IT implementations) will become even more complex and give ample room to fraudsters – employees or not – to exploit the situation. My answer to those that would blindly follow the technology (biometrics or not) and/or have a blind faith in its instrumental utility is this: technology per se appears wonderful, technology in a context gives rise to a series of emergent problematic phenomena and complexities that need to be managed, and ultimately, you can rely on the effects that are spawned by the existence of a single entity that will always be present; corruption.
|
