Give public biometrics the finger

Like it or not, fingerprint scanners are becoming ever more widespread. Are they more secure? No.

Biometrics, although it has been around for a while, is suddenly hot within the security industry. Over the years, I've talked with various biometric vendors and security individuals, and I've always come away with a lukewarm feeling about the matter. I like biometrics on my notebook, but not at the airport. Now biometrics -- specifically, fingerprint scanners -- may soon be coming to a retail store near you as a convenient form of payment. The genie appears to be out of the bottle, with talk of library cards and even cars equipped with biometric security devices available or coming soon. Yet the question remains: Are biometric devices more secure than existing methods? I think not.

Fingerprint scanning in a nutshell
You may not realise it, but the ridges on our fingertips evolved to help us grasp and grip objects. The pattern of ridges and valleys forms before birth under both genetic and environmental influences, which is why fingerprints are said to be unique to each individual: even identical twins, who share their genes, do not share the same fingerprints.

There are two basic methods for scanning fingerprints: optical scanning and capacitance scanning. An optical scanner lights the finger and uses a charge-coupled device (CCD) to photograph it. Because the ridges press against the glass and the valleys do not, the captured image is inverted: the ridges appear dark and the valleys appear light.

A capacitance scanner uses electricity instead of light. Your finger rests on an array of tiny cells, each of which measures the capacitance between itself and the skin above it: a ridge in contact with the surface reads differently from a valley separated from it by a pocket of air, and the pattern of readings makes up the sample. Because the sensor responds to the shape of the skin rather than to how it looks, a flat photograph or printout of a fingerprint will not fool it; forging one takes a mould with a conductive, ridge-shaped surface. That is harder than fooling an optical scanner, though not impossible.

Whether the sample comes from an optical image or a capacitance scan, it has to be compared with what is on file. Comparing whole images would take a lot of processing power and would fail on any small shift or smudge; instead, as seen on CSI and other crime shows, the software extracts a small set of distinctive features (minutiae: the points where ridges end or fork, with their positions and directions), stores them as a template, and a matching algorithm scores how many features of a fresh sample line up with the stored template within some tolerance. Unfortunately, template formats and matching algorithms are largely proprietary, with little standardisation among the many new commercial systems about to roll out, so a template enrolled on one vendor's system may mean nothing to another's.

Closed-system versus open-system use
When it's used on a closed system, such as a notebook or a flash drive, I have no problem with biometric security. Your fingerprint template is stored on media inside a device that is within your control. Any inaccuracy in that template is confined to that one device, and the chance that someone who picks it up has a fingerprint close enough to yours to be accepted is very small. So in this sense, biometric devices are secure.

What I have a problem with is the use of fingerprints for open system use, such as identification at airports or biometric cash registers. Companies such as Pay By Touch (in the US) are racing to install fingerprint readers at local points of sale. The idea, according to companies such as Pay By Touch, is that swiping your debit card and keying your PIN takes too much time; it creates long lines at the checkout. With biometrics, they argue, you simply press your index finger to a pad, and your debit account is automatically accessed, and more people buy more things faster.

But is it secure?
I question the security of a one-touch payment system. With a debit card, I'm using two-factor authentication: something I have (the card) and something I know (the PIN). With one-touch payment systems, you have only the fingerprint between you and fraud: a single factor, and one that, unlike a PIN, you leave behind on every surface you touch.

Built-in flaws in the system
Before we get too carried away with the intoxicating freedom afforded by using our own fingertips as valid authentication, Simson Garfinkel points out, in a recent issue of CSO magazine, several examples of built-in flaws regarding fingerprint scanning. What about children with faint and sometimes ill-defined ridges and valleys? Certain ethnic groups are at a disadvantage, having less-distinct fingerprints than others. And what about people without hands?

And certainly if you've watched enough television or read an issue of Ellery Queen Mystery Magazine, you know of a few ways to lift fingerprints using talcum and tape. In April 2005, security analyst Bruce Schneier wrote about a carjacking in Malaysia that involved the attacker sawing off the index finger of the victim in order to gain access to the victim's biometrically secured Mercedes S-class.

Also, we're human, and as we age, so do our fingerprints. Stored fingerprint data isn't perfect (as mentioned above, it's only a sample of distinctive points, not your whole fingerprint) and hasn't been tested over long periods. In other words, could a template enrolled as a teenager differ significantly from your finger by the time you reach your fifties? It could; we just don't know yet what that would mean for your electronic identity. That's why I don't think we should be jumping at the first opportunity to replace other forms of ID with fingerprint scanning.

But the bigger issue is...
What will companies do with this new database of fingerprint information? My main objection to using biometric data in open systems lies with the database. We haven't yet solved the problem of warehousing credit card and social security numbers, so why should I feel better about companies recording my fingerprint templates? A credit card you can cancel, and with some difficulty you can also change your social security number (although you are better off not doing so). But a fingerprint template cannot be reissued, and you have only ten fingers. If someone steals a database of them -- well, then what?
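To make concrete how template matching works (the comparison described under "Fingerprint scanning in a nutshell") and why a stolen template database is the problem this section describes, here is an added Python illustration. It is not code from the column or from any vendor named in it; the minutiae coordinates, the noise model, the tolerances and the acceptance threshold are all constructed assumptions. It shows that a matcher must tolerate noise between two scans of the same finger, that this rules out protecting the stored template with a one-way salted hash the way a PIN is protected, and that a copy of the stored template is therefore a perfect match that cannot be revoked.

```python
import hashlib
import hmac
import math
import random

# Minutiae templates: tuples of (x, y, angle_degrees).  Both are constructed
# sample data, not features of any real fingerprint.
ENROLLED_TEMPLATE = (
    (12, 40, 30), (55, 17, 95), (70, 62, 180), (33, 81, 270),
    (91, 25, 45), (48, 50, 120), (20, 70, 200), (80, 90, 315),
)
OTHER_PERSON_TEMPLATE = (
    (5, 5, 10), (60, 40, 60), (30, 20, 140), (85, 70, 250),
    (45, 95, 330), (10, 88, 75), (95, 50, 160), (65, 5, 290),
)


def capture(template, seed, jitter=2.0, dropout=1):
    """Simulate a fresh scan of the same finger (constructed noise model):
    every minutia shifts by up to `jitter` pixels and degrees, and `dropout`
    minutiae are missed entirely, as happens with a smudge or a light touch."""
    rng = random.Random(seed)
    points = list(template)
    rng.shuffle(points)
    noisy = []
    for x, y, angle in points[dropout:]:
        noisy.append((x + rng.uniform(-jitter, jitter),
                      y + rng.uniform(-jitter, jitter),
                      (angle + rng.uniform(-jitter, jitter)) % 360))
    return tuple(noisy)


def minutiae_score(stored, live, pos_tol=4.0, ang_tol=10.0):
    """Count stored minutiae that have an unused live minutia within pos_tol
    pixels and ang_tol degrees (greedy one-to-one pairing)."""
    unused = list(live)
    matched = 0
    for sx, sy, sa in stored:
        for i, (lx, ly, la) in enumerate(unused):
            dist = math.hypot(sx - lx, sy - ly)
            dang = abs(sa - la) % 360
            dang = min(dang, 360 - dang)
            if dist <= pos_tol and dang <= ang_tol:
                matched += 1
                del unused[i]
                break
    return matched


def verify_biometric(stored, live, threshold=6):
    """Tolerant comparison: accept if enough minutiae line up."""
    return minutiae_score(stored, live) >= threshold


def template_digest(template, salt=b"constructed-salt"):
    """Password-style one-way hash of the exact template."""
    canon = ";".join(f"{x:.1f},{y:.1f},{a:.1f}" for x, y, a in sorted(template))
    return hashlib.sha256(salt + canon.encode()).hexdigest()


def verify_hashed(stored_digest, live):
    """What storing only a hash (as for a PIN) would give you: an exact-match
    check that any real-world scan noise defeats."""
    return hmac.compare_digest(stored_digest, template_digest(live))


def demo():
    stored_digest = template_digest(ENROLLED_TEMPLATE)
    fresh_scan = capture(ENROLLED_TEMPLATE, seed=1)
    stranger_scan = capture(OTHER_PERSON_TEMPLATE, seed=2)
    return {
        # genuine user, fresh scan: the tolerant matcher accepts it...
        "tolerant_match": verify_biometric(ENROLLED_TEMPLATE, fresh_scan),
        # ...but a hashed template rejects the very same scan, so the server
        # has to keep the template in matchable (not one-way) form
        "hashed_match": verify_hashed(stored_digest, fresh_scan),
        # someone else's finger is rejected
        "stranger_rejected": not verify_biometric(ENROLLED_TEMPLATE, stranger_scan),
        # a copy of the stored template lifted from the database is, by
        # construction, a perfect match, and there is no "new finger" to issue
        "stolen_template_matches": verify_biometric(ENROLLED_TEMPLATE, ENROLLED_TEMPLATE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast between `verify_biometric` and `verify_hashed` is the whole point: a PIN database can hold salted hashes because a PIN is typed identically every time, whereas a template database must hold something a fuzzy matcher can score, which is exactly what a thief wants.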

Without adequately answering these questions, the US Department of Homeland Security will soon issue biometric ID cards to its employees. Biometrics are being used in library cards in Naperville, Illinois. Some theme parks are now using hand geometry (not fingerprints) to track individual customers visiting the park, marketing it as a ticketless way to access rides. Meanwhile, in the UK, a combined biometric passport and ID card package is to be introduced from 2008.

I think using fingerprints to secure a personal electronic device is fine. But I don't think it'll be more convenient or safe to use your fingerprint at the grocery store, not without an additional layer of security such as a PIN -- but that defeats the convenience argument. And finally, what will we do to police these various companies and organisations that now want to store our fingerprints in addition to our credit card and social security numbers? I plan to avoid these systems wherever possible and, for the time being, if alternative methods are not offered, I'll boycott the businesses using them.

Story URL: http://reviews.zdnet.co.uk/hardware/inputdevices/0,1000001008,39230993,00.htm

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved