‘Spoofing’ of biometrics addressed by Biometrics Institute with release of ‘Top 10 Vulnerability Questions’ guidance

Most modern matching algorithms use a variety of technologies to increase the difficulty of producing or using a fake biometric

The Biometrics Institute has just released a detailed guidance document for members and key stakeholders entitled: ‘Top 10 Vulnerability Questions’ in which the organisation duly provides clarification around some of the most frequently asked questions about the ‘spoofing’ of biometrics.

“We’ve been following the research of fake biometrics very closely and, indeed, with great interest,” commented Isabelle Moeller, CEO at the Biometrics Institute. “Recently, claims have been made that individuals can steal fingerprint detail using only a camera. This notion was presented at the Chaos Computer Club Conference in Germany last December. It’s one of the subjects we’ll be discussing at Biometrics 2015: Secure Identity Solutions Now!, which takes place in London from 12-15 October.”

It has been known for many years that, under ‘just right’ circumstances, a fingerprint image may be captured from a distance with a high resolution camera, but is this a practical method for hackers or other criminals and terrorists to pursue?

Even if this is indeed possible, the question remains as to whether or not it’s worth the effort required compared to more traditional methods by which security may be breached (by stealing passwords, for example).

Biometrics can provide a higher level of security than PINs and passwords but, as is the case with most security solutions, biometrics do harbour vulnerabilities that need to be addressed.

Most modern matching algorithms use a variety of technologies to increase the difficulty of producing or using a fake biometric and the race is very much on in terms of attack versus countermeasures. For host organisations, it’s always important to ensure security policies maintain a balance between the security strength and what’s actively being protected.

The Top 10 Vulnerability Questions look at whether a biometric can be stolen, what mitigation may be considered and what to do should this scenario ever arise. The document was intentionally designed to demystify some of the regular headlines around biometric spoofing, but more importantly, perhaps, it will serve as a discussion paper for the Biometrics Institute members and stakeholders around which they can raise awareness about the importance of vulnerability assessments and the fact that mitigation solutions are available.

ISO/IEC standards project: the detail

There are a number of technologies, both software and hardware-based, that can be used to detect such spoofing attacks. The international community is addressing this emerging area of technology through an ISO/IEC standards project designed to develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing (called ‘spoof detection’ or ‘presentation attack detection’).

Risk UK is an Official Media Partner for Biometrics 2015 which runs in central London during October

“The Biometric Vulnerability Assessment Expert Group (BVAEG) – a sub-committee of the independent Biometrics Institute – consists of many of the most experienced experts in this area from around the world,” outlined Dr Dunstone, head of the BVAEG at the Biometrics Institute.

“The BVAEG’s mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures and testing and help facilitate the dissemination of new research or findings in this area.”

Back in October 2013, the Group responded directly to the iPhone 5s ‘fingerprint attack’ which used a number of steps including laser printing the fingerprints in high resolution to transparent film, etching to a printed circuit board and using a latex material to make a fake fingerprint. In truth, the steps required render such an attack difficult under realistic usage scenarios.

The Biometrics Institute encourages the manufacturers of equipment that include biometric sensors to be proactive in adopting spoof detection technology in order to maximise the chances of successfully rejecting a biometric spoof. In addition, the organisation recommends Government agencies and top-level decision makers become aware of the need for appropriate biometric vulnerability testing and certification as they consider both the risk and the convenience of the security mechanism(s).

*The Top 10 Vulnerability Questions document is available to members of the Biometrics Institute. For further information send an e-mail to: manager@biometricsinstitute.org. Membership information is available online at: www.biometricsinstitute.org

**The Biometrics Institute is an independent and impartial international forum for end users and other interested parties. At present, there are 188 member organisations including Government departments, financial services institutions, aviation sector representatives and also vendors of biometric products and services. The Institute was established to promote the responsible use of biometric technologies and has offices in Australia and the UK

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.