An interesting 'take' on Biometrics and its implementation for our security ...
I found this to be an astonishingly profound article, and felt that others may care to take a read also.
- Magpye
Article from CNET
Quoting:
Biometrics, although it's been around for a while, is suddenly hot within the security industry. Over the years, I've talked with various biometric vendors and security individuals, and I've always come away with a lukewarm feeling about the matter. I like biometrics on my laptop but not at the airport. Now biometrics, specifically fingerprint scanners, may soon be coming to a retail store near you as a convenient form of payment. The genie appears to be out of the bottle, with talk of library cards and even automobiles equipped with biometric security devices available or coming soon. Yet the question remains: Are biometric devices more secure than existing methods? I think not.
Fingerprint scanning in a nutshell
You may not realize it, but the ridges in our fingertips have evolved over the years to allow us to grasp and grip objects with our hands. The ridges and valleys of skin are formed based on genetic and environmental factors; thus, fingerprints are said to be unique from individual to individual. Even identical twins do not share the same fingerprints.
There are two basic methods for scanning fingerprints: optical scanning and capacitance scanning. Optical scanning uses a charge-coupled device (CCD) to take a picture of your fingerprint. In doing so, it flips the image so that the valleys appear dark and the ridges appear light.
In capacitance scanning, electrical current instead of light is used to make up a fingerprint sample. Your finger rests against an array of tiny cells. The benefit here is that capacitance scanning is much harder to forge than a mere optical scan of a fingerprint.
Whether it be an optical image or a capacitance scan, the fingerprint must be compared to an existing database. To compare the entire print would require a lot of processing power; instead, as seen on CSI and other crime shows, unique identifiers are tagged and compared against a standing database using algorithms. Unfortunately, there are no standards regarding fingerprint analysis--at least not among the many new commercial systems about to roll out.
Closed system vs. open system use
When it's used on a closed system, such as a laptop or a flash drive, I have no problem with biometric security. Your unique fingerprint data is stored on media inside a device that is within your control. Any inaccuracies (any false identifier about your particular fingerprint) are confined to that closed system; there is virtually no chance of another individual having a fingerprint close enough to your own that it would give them access to that system. So in this sense, biometric devices are secure.
What I have a problem with is the use of fingerprints for open system use, such as identification at airports or biometric cash registers. Companies such as Pay By Touch are racing to install fingerprint readers at local points of sale; stores identified on its site are specific locations of Piggly Wiggly, Cub Foods, and Farm Fresh stores. The idea, according to companies such as Pay By Touch, is that swiping your debit card and keying your PIN takes too much time; it creates long lines at the checkout. With biometrics, they argue, you simply press your index finger to a pad, and your debit account is automatically accessed, and more people buy more things faster.
But is it secure?
I question the security of a one-touch payment system. With a debit card, I'm using two-factor authentication: I need the card, and I need a PIN number. With one-touch payment systems, you have only the fingerprint between you and fraud.
Built-in flaws in the system
Before we get too carried away with the intoxicating freedom afforded by using our own fingertips as valid authentication, Simson Garfinkel points out, in a recent issue of CSO magazine, several examples of built-in flaws regarding fingerprint scanning: What about children with faint and sometimes ill-defined ridges and valleys? Certain ethnic groups are at a disadvantage, having less-distinct fingerprints than others. And what about people without hands?
And certainly if you've watched enough television or read an issue of Ellery Queen Mystery Magazine, you know of a few ways to lift fingerprints using talcum and tape, or even gummi bears. In April 2005, security analyst Bruce Schneier wrote about a carjacking in Malaysia that involved the attacker sawing off the index finger of the victim in order to gain access to the victim's biometrically secured Mercedes S-class.
Also, we're human, and as we age, so do our fingerprints. Stored fingerprint data isn't perfect (as mentioned above, it's only a sampling of unique data points and not your whole fingerprint) and hasn't been thoroughly tested over time. In other words, could a fingerprint sample provided as a teenager differ significantly by the time you reach your fifties? It could; we just don't know yet what impact that may have on your electronic identity. That's why I don't think we should be jumping at the first opportunity to use fingerprint scanning instead of other forms of ID.
But the bigger issue is...
What will companies do with this new database of fingerprint information? My main objection to using biometric data in open systems lies within the database. We haven't yet solved the problem of warehousing credit card and social security numbers, so why should I feel better about companies recording my fingerprint templates? A credit card you can cancel, and with some difficulty, you can also change your social security number (although you are better off not doing so). But if someone steals a database of unique fingerprint markers--well, then what?
Without adequately answering these questions, the Department of Homeland Security will soon issue biometric ID cards to its employees. And biometrics are being used in library cards in Naperville, Illinois. And now some theme parks are using hand geometries (not fingerprints) to track individual customers visiting the park, marketing it as a ticketless way to ride rides.
I think using fingerprints to secure a personal electronic device is fine. But I don't think it'll be more convenient or safe to use your fingerprint at the grocery store, not without an additional layer of security, such as a PIN--but that defeats the convenience argument. And finally, what will we do to police these various companies and organizations that now want to store our fingerprints in addition to our credit card and social security numbers? I plan to avoid these systems wherever possible and, for the time being, if alternative methods are not offered, I'll boycott the businesses using them.
