Interesting People mailing list archives
IP: c't: unsupervised biometric scanners more toys than serious security measures]
From: Dave Farber <dave () farber net>
Date: Thu, 30 May 2002 06:34:27 -0400
------ Forwarded Message
From: Ben Laurie <ben () algroup co uk>
Date: Thu, 30 May 2002 11:02:55 +0100
To: David Farber <dave () farber net>
Subject: [Fwd: c't: unsupervised biometric scanners more toys than serious security measures]

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

------ End of Forwarded Message

--- Begin Message ---
From: Markus Kuhn <Markus.Kuhn () cl cam ac uk>
Date: Wed, 29 May 2002 19:16:20 +0100

An even more fatal blow to off-the-shelf *unsupervised* biometric identification products was given recently by three authors in an article in the well-respected German computer magazine c't:

  Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler:
  Körperkontrolle -- Biometrische Zugangssicherungen auf die Probe gestellt.
  c't 11/2002, Heise Verlag, ISSN 0724-8679, p 114-, 17 May 2002.

An online English translation is now available on

  http://heise.de/ct/english/02/11/114/

The team tested:

  - six products involving capacitive fingerprint scanners (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom)
  - two optical (Cherry, Identix) fingerprint scanners
  - one thermal (IdentAlink FPS100U) fingerprint scanner (Atmel FCD4B14 sensor)
  - Authenticam by Panasonic - an iris scanner that is currently being marketed in the USA and is scheduled to enter the European market in the near future
  - FaceVACS-Logon, a technical solution for recognizing faces developed by the Dresdner Cognitec AG

The authors "were able, aided by comparatively simple means, to outwit all the systems tested" and concluded that "the products in the versions made available to us were more of the nature of toys than of serious security measures" and that "business should not treat the security needs of its customers quite so thoughtlessly".

It is worth stressing that none of the deception techniques used are really applicable in a *supervised* two-factor application, for example where a border control or social benefits officer watches someone using the finger or iris scanner in order to confirm the identity information stored in a presented smartcard. The relevance of these attacks to the discussion about the use of biometric features in a national identity infrastructure is unfortunately sometimes misrepresented. I am still convinced that both iris scanning and fingerprint recognition in a *supervised* scan can be made easily several orders of magnitude more reliable than human photo/face comparisons.

What currently marketed sensors lack is a really robust detection technique for whether the detected signal comes from live human tissue, and this still looks very much like an open research problem. Parts of suitable solutions might be:

  - tests of various involuntary reactions that require significant effort to simulate, for example, is the iris pattern deforming correctly when the pupils contract because of illumination?
  - test whether the body part is functional, i.e. can the fingerprint be detected from a finger that is typing fluently on a keyboard or can the pupil inside the contracting iris read text at the same time?
  - is it possible to build low-cost spectrographic cameras/scanners that can distinguish materials and tissues by using hundreds instead of just three (red/green/blue) wavelength bands, etc.

Markus

--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>

--- End Message ---