2003-08-22 – The ultimate flaw in biometric security – you!

\”That realization dawned on [Berry] when he called Det. Dave Harned, a veteran in the Commercial Crimes Division of the Los Angeles Police Department.

Harned takes all the calls about identity theft and directs them to the right place.

His department has resources to investigate only a tiny fraction of the 100-plus identity theft complaints it receives every day.\”

The quote above is taken from a very long article available here about a man in the United States who had his identity stolen by a murderer. Perhaps needless to say, it has wrecked his credit, upset him, and it is still a full-time job sorting it out a year later.

Now imagine if it was a hundred times worse… Mr. Berry could prove he wasn’t the same guy quite easily, as he was a big white man, and Hunter, the con-man, was afro-carribean. Besides which, the conman had access to very little of Berry’s information, and the nature of the dozens of places that were tricked is such that there was, thankfully, no definitive ID question and answer. This alone meant that Berry could prove that he wasn’t the con-man, as the address was wrong, etc. However, he says it is still a full time job trying to correct everything.

With the new panic about terrorism, however, all that is likely to change. Modern PC fingerprint scanners are easily available for less than $100/£50 and they plug right into the nearest USB port. Iris scanning webcams are also less than £25, including the software. This has inspired the politicians to try to get everyone to have a unique ID card, some ultimate form of ID that is \”perfect\”. What could be better than a thumbprint?

As it turns out, almost anything…

Imagine if you mugged me, or pickpocketed me, and got a hold of my keys. I carry a lot of keys, and they have no link to me, except through a blind-drop 3rd party, who hold my name and address and promise to send them back to me should they wind up in a postbox. No-one can get my address from them, without knowing who I am, and even then, they will be of little use, since I would know that the physical keys had been compromised. After all, it would take at least half an hour to copy them, and I always know where, exactly, my keys are. So, if you turned up at my house, I would catch you, and beat you within an inch of your life, if you were lucky. If you were smart, and waited till I was out, surprise! I changed the locks! The many layers of physical security were not breached at any time, but I had to spend a fortune changing my locks (but the house insurance has locks cover)

Now, imagine if the key was totally unique, and everyone knew it was unique, and therefore it was a \”perfect\” security device. These are how the biometric security crowd hope to convince us that we should all form an orderly queue in front of the machine and have a barcode burned into our skin. Sorry, have our retinas scanned and our fingerprints taken, then locked into a card with a sample of DNA to confirm who we are, all of which goes into a big government database. A government that can’t even set up a system so doctors can email each other for £5 million pounds, but that wants us all to be happy to pay £36 for this mandatory card.

So let us assume that we are good sheep, and that we do this. For the next few years, everything is hunky-dory, and all the bad people get caught just before chopping of a person’s finger or gougeing an eye, or as is more likely, that the shop assistant spots it at point of sale, except that many will be ATMs or other automatic systems. But let us assume this is true.

Now, you go to the machine one day, and it says that you have no money left in your bank accont, nor your credit card. This is bad, since you got paid three days ago. So you contact the bank, and they tell you that you got your money out from an ATM 300 miles away from where you normally hang out. They tell you the exact time, the amount, and that you verified it with a fingerprint. You complain, so they involve the police, and you go in to the bank for an interview, Mr. Plod coming along too.

At the branch, you go up to a room, and you see a video of yourself, apparently, in grainy CCTV, walk up to a place you have never been, press your finger to the ATM to confirm you are who you say you are, withdraw all your money, then leave. You protest, saying you can prove that you weren’t ever there, so the bank has you arrested for attempted fraud.

Now, dear reader, how could such a thing happen?

Imagine if you had an infinite number of copies of your front door key, each with your address tagged nicely to it. You would probably lose a few, and after a while you would get careless, and, since they are infinite, how could you tell if you dropped one somewhere? Especially if the keys were really small, or almost invisible?

Not to push the analogy too far, but that is exactly what you do every single time you touch anything. Your DNA slews off from your body everywhere you go, and everything you touch that is even remotely smooth leaves behind a set of prints for the enterprising identity theif to walk away with. He doesn’t even need to know who the print belongs to at the time, since he could easily take your photo with his phone, then run another idenity matching system to ID you from your face. He takes your glass, or even a photo of your hand holding the glass, and bingo! One iron clad fake ID!

What next? Well, once a fake slip-on latex mould of your print was ready, your identity is ready to sell to the highest bidder. Put simply, anyone who was nearly your physical description, or looked a bit like you, would bid highly for your prints and a mugshot, plus all the usual info that scammers like to get.

The next step is almost too easy. Wait till dark, then go to the shops. Grow a bit of stubble, change your hair to match, whatever… A wig could be your first big purchase! Or even some customised contacts that just *happen* to match the iris scan of your victim… All verified by the fake fingerprint and general matching of appearance. Needless to say, generally you wouldn’t need to match the photo, unless it was a higher level of security.

So, as the victim here, how do you:

  1. know your identity has been stolen? (the keys are invisible, yet public)
  2. prove you didn’t have anything to do with it? (that it isn’t you trying a fraud)
  3. change your keys? (My fingers are quite firmly attached, thank you!)

These are the most obvious issues. Good personal security of your biometrics might be a help, but you are still going to have to give that data away a hundred times a week, and remember, it is generally the shop staff on minimum wage that steal credit card numbers, so who will be surprized when they start selling iris scans?

As far as I can see, this is a fatal flaw with 90%+ of biometric systems. Don’t even get me started on computer log-ons that try to follow you around the room by your laugh… The only funny thing about that is that someone funded the study!

In summary, the ultimate flaw in biosecurity is the lack of key revocation. Until someone fixes this problem, biometrics will be open to abuse. This is likely to be unsolvable.

Leave a Comment