Biometrics alone is not enough to prevent fraud
Security Park (20/10/2008)

Following US fraudster Frank Abagnale’s criticism of the UK’s ID card scheme, TSSI Systems agree that it does not go far enough to prevent impersonation. Abagnale made the comments in his opening address for the City IT and IT Security Forum.

“The big concern with ID verification is impersonation. Unfortunately, the Government’s ID card scheme does not go far enough to address this issue,” said Stewart Hefferman, COO, TSSI Systems Ltd.

“Stronger verification technology needs to be in place. Biometric technology alone does not suffice to prevent fraud – despite strong encryption, the Dutch biometric passports were cracked soon after launching. Unfortunately, there is no such thing as a 100% secure solution – and saying you’ve got one is an open invitation to hackers! All you can do is minimise the risk as far as possible.”

“What’s needed if the ID card scheme is to work, is firstly, a belt and braces approach. Storing the data as an algorithmic encryption makes it impossible for even the most sophisticated fraudster to read or substitute. Even authorised personnel – and therefore any successful hackers or corrupt employees - would only be able to view binary code, and not the finger, iris or facial data itself. They would also be unable to replicate the algorithm to clone the card.”

“Secondly, the way the information is stored and structured needs to be carefully implemented.

“If it is stored centrally, then the biometric data must be stored separately from any other personal data. This would make it harder for any hacker to join up the dots and steal someone’s identity or clone a card.”

“I also strongly advise that back-end systems enable an audit trail of those personnel who have accessed individual records on those back-end systems.”

“Although Abagnale praises the UK’s biometrics passports, I personally don’t believe that these are strong enough either - the supposedly ‘fakeproof’ British e-passports were cloned within minutes only to be passed as genuine by passport reader software used by the UN agency that sets standards for e-passports, despite using pictures of Osama Bin Laden and a suicide bomber!”

“A final concern that I’ve had since they announced these cards is - why on earth does an individual’s information need to be stored on both card and central database?”

“Why do they need to do this, unless they are planning to extend the usage of the cards in future? This is a major concern for the civil liberty groups. Other countries such as France and Italy have stipulated that biometric information is stored only on the cards themselves – thus still within the possession of the individual.”

“From a security point of view, central storage makes the most sense in an online world. But if you’re also storing this on the cards themselves, that invalidates the security argument. Obviously this also raises questions about the government’s long-term intentions for libertarians to tackle.”

Opinion piece submitted by Stewart Hefferman, COO, TSSI Systems Ltd
