‘Spoofing’ of biometrics addressed by Biometrics Institute with release of ‘Top 10 Vulnerability Questions’ guidance
The Biometrics Institute has just released a detailed guidance document for members and key stakeholders entitled ‘Top 10 Vulnerability Questions’, in which the organisation clarifies some of the most frequently asked questions about the ‘spoofing’ of biometrics.
“We’ve been following the research of fake biometrics very closely and, indeed, with great interest,” commented Isabelle Moeller, CEO at the Biometrics Institute. “Recently, claims have been made that individuals can steal fingerprint detail using only a camera. This notion was presented at the Chaos Computer Club Conference in Germany last December. It’s one of the subjects we’ll be discussing at Biometrics 2015: Secure Identity Solutions Now!, which takes place in London from 12-15 October.”
It has been known for many years that, under ‘just right’ circumstances, a fingerprint image may be captured from a distance with a high-resolution camera, but is this a practical method for hackers or other criminals and terrorists to pursue?
Even if this is indeed possible, the question remains as to whether or not it’s worth the effort required compared to more traditional methods in which security may be breached (by stealing passwords, for example).
Biometrics can provide a higher level of security than PINs and passwords but, as is the case with most security solutions, biometrics do harbour vulnerabilities that need to be addressed.
Most modern matching algorithms use a variety of technologies to increase the difficulty of producing or using a fake biometric, and the race is very much on in terms of attack versus countermeasures. For host organisations, it’s always important to ensure security policies maintain a balance between the strength of the security and what’s actively being protected.
The Top 10 Vulnerability Questions look at whether a biometric can be stolen, what mitigation may be considered and what to do should this scenario ever arise. The document was intentionally designed to demystify some of the regular headlines around biometric spoofing. More importantly, perhaps, it will serve as a discussion paper that Biometrics Institute members and stakeholders can use to raise awareness of the importance of vulnerability assessments and of the fact that mitigation solutions are available.
ISO/IEC standards project: the detail
There are a number of technologies, both software and hardware-based, that can be used to detect such spoofing attacks. The international community is addressing this emerging area of technology through an ISO/IEC standards project designed to develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing (called ‘spoof detection’ or ‘presentation attack detection’).
“The Biometric Vulnerability Assessment Expert Group (BVAEG) – a sub-committee of the independent Biometrics Institute – consists of many of the most experienced experts in this area from around the world,” outlined Dr Dunstone, head of the BVAEG at the Biometrics Institute.
“The BVAEG’s mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures and testing and help facilitate the dissemination of new research or findings in this area.”
Back in October 2013, the Group responded directly to the iPhone 5s ‘fingerprint attack’ which used a number of steps including laser printing the fingerprints in high resolution to transparent film, etching to a printed circuit board and using a latex material to make a fake fingerprint. In truth, the steps required render such an attack difficult under realistic usage scenarios.
The Biometrics Institute encourages the manufacturers of equipment that includes biometric sensors to be proactive in adopting spoof detection technology in order to maximise the chances of successfully rejecting a biometric spoof. In addition, the organisation recommends that Government agencies and top-level decision makers become aware of the need for appropriate biometric vulnerability testing and certification as they consider both the risk and the convenience of the security mechanism(s).
*The Top 10 Vulnerability Questions document is available to members of the Biometrics Institute. For further information send an e-mail to: firstname.lastname@example.org. Membership information is available online at: www.biometricsinstitute.org
**The Biometrics Institute is an independent and impartial international forum for end users and other interested parties. At present, there are 188 member organisations including Government departments, financial services institutions, aviation sector representatives and also vendors of biometric products and services. The Institute was established to promote the responsible use of biometric technologies and has offices in Australia and the UK.