Saturday, March 20, 2010


Archive for the ‘Biometrics’ Category

Banks and Biometrics… I want to believe, I really do.

HelpNet has an article up by Paul Foote and Reena Hora about why biometrics are a “must have” for banks – the title (“Biometric Security for Financial Meltdown Solutions”) seems to imply a link between the crazy stuff going on in the bankerage world and biometrics, but it’s really more about how to prevent fraud by using biometrics. Interestingly, this article got some play over at eWeek as well. If you haven’t done so, it’s an interesting bit of reading.

Now, I’ve been a huge advocate of biometrics. I want to believe… I really do. I started my career at a biometrics company, I’ve tried (in almost every job I’ve had) to push biometrics in all sorts of industries. I was a dedicated follower of HAAPI and the BioAPI. I’ve tried them all: fingerprint (with optical and capacitance readers), iris, voice, signature, etc. And I have consistently obtained no traction on deploying them past a pilot stage. Particularly in a banking context. Historically, it’s been a tough sell.

Foote and Hora tell us:

“To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems, or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control. Realtime North America


Iris Scanning for Sex Offenders?

I am not in the habit of defending sex offenders, and I’m not about to start now. I do, however, have to question whether anybody has seriously thought through the ramifications of North Carolina’s plan to use iris scanning to register sex offenders. I came across this gem via the Biometrics Discussion Email list (what arose out of the ashes from the Biometrics Consortium forums) and did some digging around. Apparently, the system they are planning on using is called SORIS (Sex Offender Registry and Identification System) which positively identifies sex offenders based on their iris.

Granted, identifying sex offenders is important, but for the life of me I can’t figure out why iris scanning helps. Look, the argument is that this iris scanning will help locate sex offenders, right? How exactly are we planning on doing this identification? I can’t remember ever having been asked to have my iris scanned outside of biometrics tradeshows or specific iris-scanning pilot deployments. Where exactly are we going to introduce the iris scanning “checkpoint” to locate these sex offenders? Are we going to start requiring mandatory iris-scanning for people moving in to a new state? Iris scanning at the DMV? Iris scanning as part of standard employment background checks? I hope not. However, it seems that unless there’s a plan for more iris scanning somewhere, that this registry is all but useless. Just some whiz-bang gadgetry that the North Carolina taxpayer has to pay for.

I mean – is it me or does this not make any sense? Compare it with fingerprint. Don’t we have fingerprinting already for just about everything nowadays? Get a job, get fingerprinted. Get arrested, get fingerprinted. Go to the DMV, get fingerprinted. We already have fingerprints for every convicted sex offender on file, therefore allowing the creation of a database with no new enrollment and no change to current processes. We also have people actively checking people’s fingerprints occasionally (not commonly, but it’s out there.) Why not use (oh let me think about it) FINGERPRINT to track the legions of roving chesters loose in suburbia? Is it because the iris is supposedly more “unique”? Hype. It is theoretically more unique and maybe more accurate – but I haven’t seen any tests to back this up. Actually, the tests I’ve seen show better performance for fingerprint because fingerprint is easier to use and train people on. Even if iris was marginally better than fingerprint, you’re talking about fractions of a percent. Is that fractional percentage increase in accuracy worth the tremendous extra expense, inconvenience, and use of police resources associated with deploying an entirely new recognition infrastructure?

Oh, and it’s expensive all right – training costs are high as is processing time. At one point in my career, I piloted an iris-scanning system, and let me tell you – you actually have to *work* to use an iris scanner. It’s not like fingerprint where you roll your finger around in some ink and slap it on a pad. You basically have to stare into this tube at an LED and adjust your eye muscles in such a way that you bring two concentric circles into alignment. It’s hard to do, it takes learning on the part of the scannie to use it properly, and it gives you eyestrain with frequent use. It’s hard to do with a willing participant – which your average perv isn’t likely to be. So, ante up Charlotte residents and when you figure out that you bought the proverbial “Alaskan refrigerator” you’ll know who to thank.


Asking for whom the bell tolls?

I’ll keep this entry short, since I’m not sure how many of you will care… But, I’ll tell you a secret: I love biometrics. I got my start in security in the biometrics industry, and I’ve tried to be an active voice ever since. I’ve tried to help folks in the community steer their solutions away from things that are doomed to fail (like using them for online banking) and towards things that are more likely to work (using them to enforce licensing schemes the way Bloomberg has done.)

As an interested party, I am a bit saddened by the recent passing of the Biometrics Consortium email list. Apparently, the proverbial bell is tolling for the Biometrics Consortium – and it’s tolling loud. The BC email discussion list was a haven for everything biometric for years, and for anybody who has been keeping up, the list is gone and the community is worse off for it. The quick story is this: a few government employees got together (the BC is a government-funded endeavor) and decided that an email list was too expensive to maintain… so they replaced it with a web forum that nobody uses. Reaction to the move was mixed (but primarily negative) – alternative lists were proposed, but the traffic on those lists is minimal.

I’ve never seen solidarity like what the BC list represented in any other security discipline: academics, business folks, government, and vendors all participating in a central universal forum – sharing research, sharing insights, and everyone playing nicely together. It really was a haven. All in all, it is a solemn time for biometric innovation.


Content-Free with a Bogus Ending

Article about the “state of affairs” in quantum cryptography. While almost completely content-free, the conclusion of this article where Martin Illsley says, “[Quantum cryptography] still needs biometric proof” did raise my hackles enough to comment.

Will someone please explain to me how quantum cryptography and biometrics are related? I’m just not seeing it… Unless the photons in question are bouncing off my fingerprint, iris, or retina, I would contend that the two technologies are completely unrelated…

In addition to being unrelated, I keep going on record, having worked for a biometrics company at one point, that biometrics are in some cases worse than a password or token. Just ask the poor guy who lost his finger for his beamer a few weeks back.
