Monday, February 21, 2011

About Biometrics...

(ATM with vein scanner technology)
As mentioned earlier, I had the pleasure of attending the opening of the Biometrics lab at NISLAB, part of Gjøvik University College. I was invited by Professor Christoph Busch to participate in a panel discussion on biometric authentication. Now I am definitely not an expert on biometrics, but I believe I'm rather good at playing the role of being the Devils advocate. While on the train from Oslo to Gjøvik early tuesday morning (that's a 2 hour trip), I scribbled down some thoughts on Attacking Biometrics. Partially as a simple brain dump for myself, partially as a possible introduction from my side. After 10 slides I decided I had too many questions and concerns, but here are some simple questions.
Oh, and Bian Yang: you sure answered several of my questions with your presentation! :-)

Here's a simple one:
Introducing biometric authentication to my credit card, my wife suddenly can't go shopping with my card anymore.

Mr Hisao Ogata of Hitachi-Omron Terminal Solutions explained that in Japan they've used ATMs with biometric authentication for some 5 years already (see top picture). They still support authentication using chip/magstripe/pin, but with lower withdrawal limitations compared to full biometric authentication. This way a stolen card can only be used to withdraw a smaller amount, either set by the owner or the card issuer. Really elegant solution!
(Using special light, a vein scanner can see your unique blood vein patterns)

One of the things I expressed concerns about was the lack of end-to-end security, where a hardware biometric authenticator is attached typically using USB to a Microsoft Windows system inside an ATM. The operating system will be equipped with hardware drivers (most probably not digitally signed, and the application will then talk to the drivers, and the drivers talk to the hardware. With an attack towards the operating system, a concern would be that an attacker can intercept and record the biometric data being sent from the hardware to the operating system/application, and use this in a replay attack. (Hi, my name is Werner Brandes. My voice is my passport. Verify Me.) 

Not the easiest attack of course, but I've seen ATMs running Windows with easily accessible Ethernet and power cables, without camera coverage. Never say never.

Thomas Bengs from PFU Imaging Solutions (part of Fujitsu) answered this one for me: they are working on removing as many steps as possible in the process of authentication, lowering the possible entry points for any hacker wanting to break, see or even manipulate the process. I can't see that happening overnight, but still a good answer to my concern.

Bian Yang mentioned the use of biometric templates, which could be used for (too me) the obvious question:
What happens if somebody can steal my biometric password, be it my fingerprint or the digital representation of either my fingerprint or vein pattern?

I've got to be honest here: I need to get this explained again. And again. I can hear what you're saying, but I can't see this being any better than resetting a password to something *completely* different than the last one.  (Edit-distance metrics of password generations contributed to this concern...)

Now Mr Waldemar Grudzien of Bundesverband deutscher Banken, as well as Andreas Ewig of Deutscher Sparkassen- und Giroverband had some realistic views of this technology. Nicely summarized, they wanted this technology to be faster, more secure and cheaper than current technology for it to become widely adopted and deployed. Probably easier said than done at present time, but they were also very realistic on something else: Current losses are increasing due to fraud. Still not at a level that is "unacceptable" financially, and certainly not enough to defend the adoption of biometric authentication for ATMs yet.

Their very best statement though: This is a question about trust. If people loose their trust in current systems, banks (and others) may not have any alternatives than to migrate to new technologies that may not really be needed now.

Fear, Uncertainty and Doubt. Most certainly some of the more powerful business drivers in our society today.
(More to come in the future)


  1. My wife with her Biology background had nothing but ridicule for the vein analysis as proof of identity, much less authentication. Vein analysis for medical purposes has been a long standing area of study and the only agreement in such studies is that the patterns change in ways not understood.

    As was noted by another: biometrics can form a basis to prove identity *not* authentication. I like to think of it as a part of two factor authentication.

    I'm still waiting for a good response to password change in a biometric world. Password/pin change is a relatively straight forward event. I can't change my biometrics nearly as easily.

    I still have a lot of questions for Bendik that I haven't had time to author but some of the easiest ones are outlined above. I would love for anyone to refute my points and show my ignorance in the topic so that I can understand how such measures may be justified in the real world.

    Oh and love the Sneakers reference!

  2. "Introducing biometric authentication to my credit card, my wife suddenly can't go shopping with my card anymore.", what else could you wish for :)

  3. Now a couple of comments on vein biometrics and on the password change problematic in biometrics...

    1) All biometrics change. Some of them dramatically from one second to another like face mimics and speaking patterns or from day to day like face recognition challenged with different hair styles, glasses and so on. This is not known in advance. Biometric systems must cope with that, the feature extraction algorithms are advanced methods to extract the core information.

    2) We are ageing. Our body changes over time, so do our biometric samples. Biometric patterns need to be updated. The question of the rate of change is important here. Vein patterns might change because of the medical state of subjects, but mainly major veins can be made visible with current state of the art (biometric) sensors and are used for the authentication. In the hand and finger area some less widespread syndromes (e.g. AVM or HHS) are known to changes the patterns. Other biometrics like fingerprint or face are much more likely going to change due to injuries. Solution here: updating templates, like we update credentials (like credit cards) or our passwords. Also a second authentication channel as fall-back strategy.

    “Updating” biometrics:
    Biometric information is limited, we can “change” our fingerprint template nine times (in the average case). And then?
    Simple question, difficult answer. A simplified version (there exist many solutions, search for “PET”, “Template Protection”, …): we use crypto. Following the same principles as with password hashing and salting we can transform the biometric information into a binary string, add some salt and hash it. That’s it. In practice it looks a little bit more difficult, so there are some mechanisms to cope with the noise. But it works and the same biometric can be used for completely different references. So revocation is possible, cross-linking and profiling not.


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.