Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 11 June, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Viewpoint from the Biometrics Institute – Spoof or proof?

by The Gurus
September 25, 2017
in This Week's Gurus
Share on FacebookShare on Twitter

The security of biometrics technology is in the spotlight and stakeholders must take a balanced view on its strengths and vulnerabilities, says Isabelle Moeller, Chief Executive, Biometrics Institute. As deployments proliferate, the technology’s credibility rests on the industry’s will to collaborate globally.  
 

The Oxford English Dictionary offers two definitions for the verb ‘spoof’: ‘To make (something) appear foolish by means of parody; to send up’ and ‘To render a system useless by providing it with false information.’

Sadly, where the spoofing of biometric security technologies is concerned only the latter applies and there is little to laugh about. The recent rise of biometrics deployments in consumer services has confirmed spoofing as a vulnerability that needs careful management. A wide variety of specialist interest groups, friendly and otherwise, make it their mission to expose the limitations of each solution brought to market. Indeed, detractors routinely use high profile failures to suggest that biometrics as a mode of security is just too risky a business to be worthwhile. They are wrong.
 
It’s the system, man
 
As with all flavours of security technologies, the weak points in biometrics have spawned a race between those creating and applying the solutions and those seeking to undermine them. As new solutions are launched weaknesses are identified, and countermeasures developed.
 
In May, a BBC reporter, with the aid of his twin brother, ‘cracked’ a high street bank’s voice recognition system, proving the insecurity of the system. The weak point here, however, stemmed more from how the solution was implemented than from a failing of the recognition technology itself. All biometric systems have some vulnerabilities (it’s worth noting that the iPhone’s fingerprint sensor was successfully hacked just a week after launch). What matters is how these vulnerabilities are mitigated.
 
In general, there are two factors that determine how effective a biometric solution is, and both require some trade-offs to before a useable solution can be reached.
 
Firstly, the solution is only as good as the biometric data it enrols and then recaptures each time the user authenticates. The recaptured ‘image’ can be impacted by myriad factors depending on the mode being used. Ambient noise can interfere with voice recognition, for example, eyelashes can obscure an iris image, varying skin conditions can impact fingerprints and so on.
 
Secondly, the matching process also depends on how tightly the solution’s parameters are set. Insisting on too high a degree of similarity between the stored and presented image creates too many ‘false negatives’, where the genuine user is denied access, and the system rendered unusable.
 
It’s also worth remembering that a hacker never needs to replicate an individual’s biometric image absolutely, they need only replicate enough of it to fool the system. So, if the matching process isn’t rigorous enough then ‘false positives’ result, where fraudulent users are granted access and the point of the system is defeated.
 
There is always a balance to be struck. How should the system conclude that it has sufficient verifiable data to confirm the user’s identity?
 
Horses for courses
 
The choice of biometric modality has a big impact here. The variations between different biometrics mean that some are better suited to particular use-cases than others. Fingerprints, for example, leave a latent image on the data capture surface, which make them excellent for criminal identification. That said, the latent image itself can be copied, replicated and used in a spoof attack. Irises, on the other hand, leave no replicable trace making them far less useful in criminal applications. Thanks to the social sharing revolution, digital pictures of people’s faces are in very easy supply, particularly in developed countries, meaning that facial biometric solutions have to work harder than ever to verify their subject, using 3D mapping and liveness detection techniques.
 
The technologies are responding. In the near future, the use of new, cheaper multispectral sensors (which simultaneously capture multiple biometric images within a narrow spectrum) will greatly improve the industry’s ability to detect false biometrics. In automated border control systems that use face recognition, for example, infrared sensors can now determine if a mask is being used.
 
High stakes, getting higher
 
The growing popularity of iris and voice recognition systems present fresh challenges. Siri, Cortana and Alexa are all gaining serious traction, and when banking and payment apps start to use iris recognition to grant access to the user’s account, the stakes rise significantly, and the motivations of the thieves will surely step up accordingly.
 
Although improving spoof detection is important, trying to chase a perfect anti-spoofing technique for any biometric is a fool’s errand. Try as the industry might, it cannot prove a negative; it can never say that a capture device is completely fool proof, simply because it can’t be tested against the unlimited universe of current and future spoofing techniques.
 
With facility comes responsibility
 
In terms of the end-user experience, biometrics are terrific; they are fast, convenient, reliable and, arguably, are untouchable by any other consumer-facing security technology today. Indeed, the facility enabled by biometrics is driving mass deployments across a host of devices and services; something that is bound to continue, despite its vulnerabilities.
 
This all adds up to an important point. A single biometric solution is not a ‘silver bullet’ and, in many cases, should be deployed as a factor in a multifactor authentication solution – one that is carefully designed and parameterised to mitigate the risks of failure associated with the use-case to which it is applied.
 
To this end, biometrics’ credibility, together with the security of those that use its technologies, will be determined by the industry’s ability to identify – and adhere to – best practice.
 
While the legal framework and policy creation for biometric data privacy remains a matter for lawmakers, commercially independent guiding principles for the design, deployment and operation of biometric technologies already exist. They are the product of international collaboration between academics, governments, vendors and other key stakeholders at the Biometrics Institute.
 
Only by sharing live deployment experiences, establishing guiding principles, creating best practice guidelines and promoting the responsible use of biometrics globally, can the industry truly claim to be representing the interests of end-users. Biometrics may be perfect, but our use of them is not. As the adoption of biometric technologies continues to accelerate, it is our collective responsibility to ensure we strike the right balance between delivering a great user-experience and mitigating security risks along the way.
By Isabelle Moeller, Chief Executive, Biometrics Insitute

FacebookTweetLinkedIn
Tags: CybersecurityTechnology
ShareTweet
Previous Post

Mass-Scale Ransomware Attacks Providing Hackers the Ability to Earn Quick Money

Next Post

A quarter of UK councils hit by ransomware

Recent News

Ransomware

Clop Ransomware Gang Extorts Household Names including BBC, British Airways and Boots

June 9, 2023
code

Developers Kept Away From Coding, Estimated £10.4bn a Year Wasted

June 8, 2023
large open office, bright.

Employees Feel 10 Times Calmer in an Environmentally Friendly Office Space

June 7, 2023
Blue Logo OUTPOST24

Outpost24 Acquires EASM Provider Sweepatic

June 7, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information