IP: c't: unsupervised biometric scanners more toys than serious security measures]

[Dave Farber <dave () farber net>]

------ Forwarded Message
From: Ben Laurie <ben () algroup co uk>
Date: Thu, 30 May 2002 11:02:55 +0100
To: David Farber <dave () farber net>
Subject: [Fwd: c't: unsupervised biometric scanners more toys than serious
security measures]


-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff


------ End of Forwarded Message

> --- Begin Message ---
>
>
> From: Markus Kuhn <Markus.Kuhn () cl cam ac uk>
>
> Date: Wed, 29 May 2002 19:16:20 +0100
>
> An even more fatal blow to off-the-shelf *unsupervised* biometric
> identification products was given recently by three authors in an
> article in the well-respected German computer magazine c't:
>
>   Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler: Körperkontrolle --
>   Biometrische Zugangssicherungen auf die Probe gestellt.  c't 11/2002,
>   Heise Verlag, ISSN 0724-8679, p 114-, 17 May 2002.
>
> An online English translation is now available on
>
>   http://heise.de/ct/english/02/11/114/
>
> The team tested:
>
>   - six products involving capacitive fingerprint scanners
>     (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom)
>
>   - two optical (Cherry, Identix) fingerprint scanners
>
>   - one thermal (IdentAlink FPS100U) fingerprint scanner (Atmel FCD4B14 sensor)
>
>   - Authenticam by Panasonic
>
>   - an iris scanner that is currently being marketed in the USA
>     and is scheduled to enter the European market in the near future
>
>   - FaceVACS- Logon, a technical solution for recognizing faces
>     developed by the Dresdner Cognitec AG
>
> The authors "were able, aided by comparatively simple means, to outwit
> all the systems tested" and concluded that "the products in the versions
> made available to us were more of the nature of toys than of serious
> security measures" and that "business should not treat the security
> needs of its customers quite so thoughtlessly".
>
> It is worth stressing that none of the deception techniques used are
> really applicable in a *supervised* two-factor application, for example
> where a border control or social benefits officer watches someone using
> the finger or iris scanner in order to confirm the identity information
> stored in a presented smartcard. The relevance of these attacks to the
> discussion about the use of biometric features in a national identity
> infrastructure is unfortunately sometimes misrepresented. I am still
> convinced that both iris scanning and finger print recognition in a
> *supervised* scan can be made easily several orders of magnitude more
> reliable than human photo/face comparisons.
>
> What currently marketed sensors lack is a really robust detection
> technique for whether the detected signal comes from live human tissue,
> and this still looks very much like an open research problem. Parts of
> suitable solutions might be:
>
>  - tests of various involuntary reactions that require significant
>    effort to simulate, for example, is the iris pattern deforming
>    correctly when the pupils contract because of illumination?
>
>  - test whether the body part is functional, i.e. can the fingerprint
>    be detected from a finger that is typing fluently on a keyboard
>    or can the pupil inside the contracting iris read text at the same
>    time?
>
>  - is it possible to build low-cost spectrographic cameras/scanners that
>    can distinguish materials and tissues by using hundreds instead of
>    just three (red/green/blue) wavelength bands, etc.
>
> Markus
>
> -- 
> Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
> Email: mkuhn at acm.org,  WWW: <http://www.cl.cam.ac.uk/~mgk25/>
>
>
>
>
>
> --- End Message ---