Linux.com Article DB: Biometrics: Just in a James Bond Flick? Not Anymore!

Properties and Vulnerabilities of Biometric Security Systems

One important property of biometric systems is what i call : 'Sensitivity-Security balance'. If you approach this logic mathematically, it can be put forward as: the sensitivity of a biometric system is a direct function of the level of security it provides. In other words if you increase the sensitivity of a biometric system you will effectively make it ruder and sterner to your authentication/authorization requests, leading to greater security. But this also causes higher erroneous rejections of authorized users: increased FRR.

Setting the sensitivity lower makes the product more forgiving but simultaneously decreases the security level adding to the fear of an invalid user spoofing or impersonating somebody else: Increases FAR.

These biometric systems are very adaptable. They can integrate with your existing operating systems (Linux, Unix, WinNT) and existing authentication and authorization applications. For example, authentication tokens generated from a biometric device can be transmitted to a WinNT domain controller or any other authentication server for user validation and authorization. Apart from that biometric inputs can also be used as encryption keys providing more robust and secure encryption.

Vulnerabilities

Before reading this article (especially this portion of the article) I need to say that this information is not meant to make you a biometric hacker but just to make you aware of the potential security hazards. So just consider it as a short primer on attacks commonly related to bypassing the biometric devices.

At the same time, you have to know that most of these security issues are under consideration by the biometric device manufacturers and quite a few of these issues might have already been taken care of by the time you read this.

Fooling the Face Recognition Biometric

Fooling the face recognition system can make one perform silly antics in front of the biometric-cameras. Tactics like using disguises/masks, changing a haircut, growing or shaving a beard, or even making faces at the computer have been tried.

Fooling Fingerprint Recognition

Taking a valid users finger print on a sheet of a transparent material (like, (umm, say..a very thin plastic sheet) and sticking that plastic-imprint on your finger (above a very thin padding) is a common technique used to defeat fingerprint recognition devices. And, no, that's not just in the movies.

Pressure variations on fingerprint scanners should also be considered.

Fooling Voice Authentication

Playing a recorded voice of a valid user or for that matter mimicking the voice of a valid user often still works with voice authentication.

Lets wish best of luck to celebrities like Mr Devanand, Shatrughan Sinha, whose voice is frequently mimicked. Let's hope they don't get into any trouble with biometric systems!

All the techniques mentioned here have been tried by people across the world, on biometric systems set to low sensitivity, with moderate success rates. As with any security system both those trying to gain access and those trying to prevent access are both working hard on the same properties of the system just from, obviously, different perspectives. Biometric security is not yet perfect, but is getting better every day.

If biometric systems are to survive the test of time they will need to address the technical flaws, pricing issues and equally important, privacy issues. If these challenges are met, Biometrics will become more consumable and find a place in society like other beautiful pieces of technology.

Shashank Pandey aka ~ AcE ~ reach_shash@linuxmail.org

Originally Published: Thursday, 30 August 2001	Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles	Page: 3/3 - [Printable]
Biometrics: Just in a James Bond Flick? Not Anymore! We all know that Linux is growing in popularity with embedded device makers of all kinds. Due to a variety of compelling factors Linux may well be the operating system behind all kinds of items of technology you use every day, without even knowing it. Security systems will be one of those. This article provides a brief overview of the new science of biometrics and how it is shaping up in the security technology sector.

	<< Page 3 of 3
Properties and Vulnerabilities of Biometric Security Systems One important property of biometric systems is what i call : 'Sensitivity-Security balance'. If you approach this logic mathematically, it can be put forward as: the sensitivity of a biometric system is a direct function of the level of security it provides. In other words if you increase the sensitivity of a biometric system you will effectively make it ruder and sterner to your authentication/authorization requests, leading to greater security. But this also causes higher erroneous rejections of authorized users: increased FRR. Setting the sensitivity lower makes the product more forgiving but simultaneously decreases the security level adding to the fear of an invalid user spoofing or impersonating somebody else: Increases FAR. These biometric systems are very adaptable. They can integrate with your existing operating systems (Linux, Unix, WinNT) and existing authentication and authorization applications. For example, authentication tokens generated from a biometric device can be transmitted to a WinNT domain controller or any other authentication server for user validation and authorization. Apart from that biometric inputs can also be used as encryption keys providing more robust and secure encryption. Vulnerabilities Before reading this article (especially this portion of the article) I need to say that this information is not meant to make you a biometric hacker but just to make you aware of the potential security hazards. So just consider it as a short primer on attacks commonly related to bypassing the biometric devices. At the same time, you have to know that most of these security issues are under consideration by the biometric device manufacturers and quite a few of these issues might have already been taken care of by the time you read this. Fooling the Face Recognition Biometric Fooling the face recognition system can make one perform silly antics in front of the biometric-cameras. Tactics like using disguises/masks, changing a haircut, growing or shaving a beard, or even making faces at the computer have been tried. Fooling Fingerprint Recognition Taking a valid users finger print on a sheet of a transparent material (like, (umm, say..a very thin plastic sheet) and sticking that plastic-imprint on your finger (above a very thin padding) is a common technique used to defeat fingerprint recognition devices. And, no, that's not just in the movies. Pressure variations on fingerprint scanners should also be considered. Fooling Voice Authentication Playing a recorded voice of a valid user or for that matter mimicking the voice of a valid user often still works with voice authentication. Lets wish best of luck to celebrities like Mr Devanand, Shatrughan Sinha, whose voice is frequently mimicked. Let's hope they don't get into any trouble with biometric systems! All the techniques mentioned here have been tried by people across the world, on biometric systems set to low sensitivity, with moderate success rates. As with any security system both those trying to gain access and those trying to prevent access are both working hard on the same properties of the system just from, obviously, different perspectives. Biometric security is not yet perfect, but is getting better every day. If biometric systems are to survive the test of time they will need to address the technical flaws, pricing issues and equally important, privacy issues. If these challenges are met, Biometrics will become more consumable and find a place in society like other beautiful pieces of technology. Shashank Pandey aka ~ AcE ~ reach_shash@linuxmail.org
	<< Page 3 of 3