Biometrics, although it's been around for a while, is suddenly hot within the security industry. Over the years, I've talked with various biometric vendors and security individuals, and I've always come away with a lukewarm feeling about the matter. I like biometrics on my notebook, but not at the airport. Now biometrics -- specifically, fingerprint scanners -- may soon be coming to a retail store near you as a convenient form of payment. The genie appears to be out of the bottle, with talk of library cards and even cars equipped with biometric security devices available or coming soon. Yet the question remains: Are biometric devices more secure than existing methods? I think not.
Fingerprint scanning in a nutshell
You may not realise it, but the ridges in our fingertips have evolved over the years to allow us to grasp and grip objects with our hands. The ridges and valleys of skin are formed based on genetic and environmental factors; thus, fingerprints are said to be unique from individual to individual. Even identical twins do not share the same fingerprints.
There are two basic methods for scanning fingerprints: optical scanning and capacitance scanning. Optical scanning uses a charge-coupled device (CCD) to take a picture of your fingerprint. In doing so, it flips the image so that the valleys appear dark and the ridges appear light.
In capacitance scanning, electrical current instead of light is used to make up a fingerprint sample. Your finger rests against an array of tiny cells. The benefit here is that capacitance scanning is much harder to forge than a mere optical scan of a fingerprint.
Whether it be an optical image or a capacitance scan, the fingerprint must be compared to an existing database. To compare the entire print would require a lot of processing power; instead, as seen on CSI and other crime shows, unique identifiers are tagged and compared against a standing database using algorithms. Unfortunately, there are no standards regarding fingerprint analysis -- at least not among the many new commercial systems about to roll out.
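The comparison described above, as an added example (not code from the original column or from any vendor): a template is a short list of tagged points, and a match is a thresholded count of points that agree within a tolerance. The `Minutia` fields, tolerances, threshold and sample points are assumptions constructed for illustration; real matchers also align the print for rotation and translation.

```python
import math
from typing import NamedTuple

class Minutia(NamedTuple):
    x: int        # position on the sensor, in pixels
    y: int
    angle: int    # local ridge direction, in degrees
    kind: str     # "ending" or "bifurcation"

# Illustrative values only (assumptions, not taken from any standard).
DIST_TOL = 8            # max pixel distance for two points to agree
ANGLE_TOL = 15          # max ridge-angle difference, in degrees
MATCH_THRESHOLD = 0.75  # fraction of enrolled points that must pair up

def _agrees(a, b):
    d_angle = abs(a.angle - b.angle) % 360
    d_angle = min(d_angle, 360 - d_angle)   # 350 and 5 degrees are 15 apart
    return (a.kind == b.kind
            and math.hypot(a.x - b.x, a.y - b.y) <= DIST_TOL
            and d_angle <= ANGLE_TOL)

def match_score(enrolled, probe):
    """Fraction of enrolled minutiae paired one-to-one with a probe minutia."""
    unused = list(probe)
    paired = 0
    for m in enrolled:
        for cand in unused:
            if _agrees(m, cand):
                unused.remove(cand)   # each probe point may be used once
                paired += 1
                break
    return paired / len(enrolled)

def verify(enrolled, probe):
    """Accept when the score reaches the threshold; never an exact compare."""
    return match_score(enrolled, probe) >= MATCH_THRESHOLD

# Constructed sample templates (not real fingerprint data).
ENROLLED = [Minutia(40, 52, 30, "ending"), Minutia(88, 47, 110, "bifurcation"),
            Minutia(63, 120, 200, "ending"), Minutia(120, 95, 350, "bifurcation")]
# Same finger rescanned: three points shifted by noise, one missed, one spurious.
SAME_FINGER = [Minutia(43, 50, 38, "ending"), Minutia(85, 49, 104, "bifurcation"),
               Minutia(66, 123, 195, "ending"), Minutia(150, 60, 10, "ending")]
# Different finger: only one point happens to fall within tolerance.
OTHER_FINGER = [Minutia(42, 55, 35, "bifurcation"), Minutia(90, 45, 290, "bifurcation"),
                Minutia(10, 10, 200, "ending"), Minutia(118, 97, 5, "bifurcation")]
```

Because acceptance is a threshold over a handful of sampled points, the stored template itself scores a perfect match against the record, which is why the template database needs the same protection as any other credential store.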
Closed-system versus open-system use
When it's used on a closed system, such as a notebook or a flash drive, I have no problem with biometric security. Your unique fingerprint data is stored on media inside a device that is within your control. Any inaccuracies (any false identifier about your particular fingerprint) are confined to that closed system; there is virtually no chance of another individual having a fingerprint close enough to your own that it would give them access to that system. So in this sense, biometric devices are secure.
What I have a problem with is the use of fingerprints for open system use, such as identification at airports or biometric cash registers. Companies such as Pay By Touch (in the US) are racing to install fingerprint readers at local points of sale. The idea, according to companies such as Pay By Touch, is that swiping your debit card and keying your PIN takes too much time; it creates long lines at the checkout. With biometrics, they argue, you simply press your index finger to a pad, and your debit account is automatically accessed, and more people buy more things faster.
But is it secure?
I question the security of a one-touch payment system. With a debit card, I'm using two-factor authentication: I need the card and I need a PIN number. With one-touch payment systems, you have only the fingerprint between you and fraud.
Built-in flaws in the system
Before we get too carried away with the intoxicating freedom afforded by using our own fingertips as valid authentication, Simson Garfinkel points out, in a recent issue of CSO magazine, several examples of built-in flaws regarding fingerprint scanning. What about children with faint and sometimes ill-defined ridges and valleys? Certain ethnic groups are at a disadvantage, having less-distinct fingerprints than others. And what about people without hands?
And certainly if you've watched enough television or read an issue of Ellery Queen Mystery Magazine, you know of a few ways to lift fingerprints using talcum and tape. In April 2005, security analyst Bruce Schneier wrote about a carjacking in Malaysia that involved the attacker sawing off the index finger of the victim in order to gain access to the victim's biometrically secured Mercedes S-class.
Also, we're human, and as we age, so do our fingerprints. Stored fingerprint data isn't perfect (as mentioned above, it's only a sampling of unique data points and not your whole fingerprint) and hasn't been thoroughly tested over time. In other words, could a fingerprint sample provided as a teenager differ significantly by the time you reach your fifties? It could; we just don't know yet what impact that may have on your electronic identity. That's why I don't think we should be jumping at the first opportunity to use fingerprint scanning instead of other forms of ID.
But the bigger issue is...
What will companies do with this new database of fingerprint information? My main objection to using biometric data in open systems lies within the database. We haven't yet solved the problem of warehousing credit card and social security numbers, so why should I feel better about companies recording my fingerprint templates? A credit card you can cancel, and with some difficulty, you can also change your social security number (although you are better off not doing so). But if someone steals a database of unique fingerprint markers -- well, then what?
Without adequately answering these questions, the US Department of Homeland Security will soon issue biometric ID cards to its employees. And biometrics are being used in library cards in Naperville, Illinois. And now some theme parks are using hand geometries (not fingerprints) to track individual customers visiting the park, marketing it as a ticketless way to access rides. Meanwhile, in the UK, a combined biometric passport and ID card package is to be introduced from 2008.
I think using fingerprints to secure a personal electronic device is fine. But I don't think it'll be more convenient or safe to use your fingerprint at the grocery store, not without an additional layer of security such as a PIN -- but that defeats the convenience argument. And finally, what will we do to police these various companies and organisations that now want to store our fingerprints in addition to our credit card and social security numbers? I plan to avoid these systems wherever possible and, for the time being, if alternative methods are not offered, I'll boycott the businesses using them.

Talkback
You can have a new credit card issued to replace a stolen one. You can change your PIN. You can't change your fingerprint!
The entire issue of public fingerprinting is one huge financial accident waiting to happen.
I understand what people can do with a stolen card/PIN/NI number and so on but what could they do with a fingerprint? I can see how an electronic copy could be used to forge online transactions also but in a shop?
Stop going on about people stealing this information or give some real examples of how you are going to buy a new TV in a shop with my fingerprint.
As a policeman with 20 years' service in London (UK) and with a strong interest in computing etc I too (like Paul R) find the arguments put forward by Mr Vamosi a bit vacuous. Mr Vamosi states "But if someone steals a database of unique fingerprint markers - well, then what?" - then what indeed? What does one do with a database of fingerprints?
As for the (typically alarmist for a reporter) story of the detached digit - well what about the hundreds of thousands of people violently mugged or robbed of their credit cards (let alone cash) every week across the world?
How does someone without hands use a credit card? Or enter their PIN? They would have to have a different system entirely and realistically I expect such a person would have a helper to do these things for them, wouldn't they?
As for the age argument, I expect the software would be able to adapt to the tiny changes that may occur to one's prints over time - including new scars.
Having said all that, I don't see that the speed argument put forward by the organizations trying to implement this technology in an EFTPOS (electronic fund transfer at point of sale) context is valid either. The digital data created by the fingerprint scanner is still going to have to be validated 'down the wires' and that is what takes the time not the 2 seconds it takes to stick a credit card in a reader and enter your PIN (assuming you can remember it).
I, too, would like the second layer of security, be it PIN or whatever, but I can see that the future is definitely 'digital' if you will forgive the pun.
BIOMETRIC PARANOIA ABOUNDS !!!
Most objections revolve around the premise that someone will steal your data and then commence to empty your bank account.. (presuming there is anything in it in the first place) and this is the point.
I have traded on the internet for years using a simple system and never had a single problem with fraud, anyone can do it if they take the trouble to set it up.
Set up a second account at your bank and apply telephone banking. Before making a purchase simply do a telephone transfer from your main account to the slave account.
There is always a zero balance; as such, I welcome the added convenience that biometrics can provide.
I've ended up on this site due to a letter on the ITV Teletext news Channel. The writer had posed the question "What about people like me and my family who don't have fingerprints? There must be thousands like us." I thought everybody had them! Is the writer having a joke, or is it a fact? I can't find anything on the net about it. Anybody, please?
The concerns with fingerprints in the public arena are justified with the technologies that are currently being used.
BUT I know of a British company that has hit on the solution. FingerPIN Ltd allows people to authorise with a sequence of fingerprints providing one step two-factor authentication. Using a sequence means that users are verified in 2 ways - their unique fingerprints, AND their private sequence in which they enter their fingerprints.
It's very secure, and very convenient, and is the biometric solution of the future. Have a look at their website...
www.fingerpin.co.uk
Subject: Biometrics as a national security provider
In this realm of transnational communication, such a monitoring system is needed for the homeland security which requires identifying people from their root traits. And I think using biometrics for national security purposes is a great way. Where there is a question of spoofing, looking for authenticated experts is the only solution. My friend is in the Cop and he told me about the jail management software they are using in their office which is integrated with a fingerprint recognition system offered by a biometric research firm named M2SYS based in Atlanta. Fingerprint scanners help them to keep track of all the criminals and help tighten the security system. I strongly feel that reputed biometric experts should be authorized by the government to provide exclusive biometrics and be provided with adequate facilities for continuous research for the purpose of a comprehensive biometric identification system at a national level.
Edward Blue