(ATM with vein scanner technology)
As mentioned earlier, I had the pleasure of attending the opening of the Biometrics lab at NISLAB, part of Gjøvik University College. I was invited by Professor Christoph Busch to participate in a panel discussion on biometric authentication. Now I am definitely not an expert on biometrics, but I believe I'm rather good at playing the role of being the devil's advocate. While on the train from Oslo to Gjøvik early Tuesday morning (that's a 2 hour trip), I scribbled down some thoughts on Attacking Biometrics. Partially as a simple brain dump for myself, partially as a possible introduction from my side. After 10 slides I decided I had too many questions and concerns, but here are some simple questions. Oh, and Bian Yang: you sure answered several of my questions with your presentation! :-)
Here's a simple one:
Introducing biometric authentication to my credit card, my wife suddenly can't go shopping with my card anymore.
Mr Hisao Ogata of Hitachi-Omron Terminal Solutions explained that in Japan they've used ATMs with biometric authentication for some 5 years already (see top picture). They still support authentication using chip/magstripe/pin, but with lower withdrawal limitations compared to full biometric authentication. This way a stolen card can only be used to withdraw a smaller amount, either set by the owner or the card issuer. Really elegant solution!
(Using special light, a vein scanner can see your unique blood vein patterns)
One of the things I expressed concerns about was the lack of end-to-end security, where a hardware biometric authenticator is attached typically using USB to a Microsoft Windows system inside an ATM. The operating system will be equipped with hardware drivers (most probably not digitally signed), and the application will then talk to the drivers, and the drivers talk to the hardware. With an attack towards the operating system, a concern would be that an attacker can intercept and record the biometric data being sent from the hardware to the operating system/application, and use this in a replay attack. (Hi, my name is Werner Brandes. My voice is my passport. Verify Me.)
Not the easiest attack of course, but I've seen ATMs running Windows with easily accessible Ethernet and power cables, without camera coverage. Never say never.
Thomas Bengs from PFU Imaging Solutions (part of Fujitsu) answered this one for me: they are working on removing as many steps as possible in the process of authentication, lowering the possible entry points for any hacker wanting to break, see or even manipulate the process. I can't see that happening overnight, but still a good answer to my concern.
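The replay concern above, as an added example (not from the original post or from any vendor mentioned in it): a verifier issues a one-time challenge and the scanner returns a MAC over the challenge and the captured sample, so a recording of an earlier exchange is rejected. The shared `DEVICE_KEY`, the class and function names, and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a key provisioned into both the scanner and the verifying backend.
DEVICE_KEY = secrets.token_bytes(32)


class Verifier:
    """Backend side: issues one-time challenges and checks scanner responses."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def new_challenge(self):
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce||sample unambiguous
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce, sample, tag):
        if nonce not in self._pending:
            return False                 # unknown or already used challenge
        self._pending.discard(nonce)     # each challenge is valid exactly once
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def sensor_capture(key, nonce, sample):
    """Scanner side: MAC the captured sample together with the challenge."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()


def demo():
    verifier = Verifier(DEVICE_KEY)
    sample = b"constructed-vein-pattern-bytes"  # constructed sample data

    n1 = verifier.new_challenge()
    tag1 = sensor_capture(DEVICE_KEY, n1, sample)
    first = verifier.accept(n1, sample, tag1)        # genuine, fresh exchange

    # Constructed scenario: (n1, sample, tag1) was recorded on the host.
    replay_same = verifier.accept(n1, sample, tag1)  # old challenge reused
    n2 = verifier.new_challenge()
    replay_new = verifier.accept(n2, sample, tag1)   # old tag, new challenge
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo())
```

This covers replay only: the sample still crosses the host in the clear, and biometric matching itself is left out.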
Bian Yang mentioned the use of biometric templates, which could be used for (to me) the obvious question:
What happens if somebody can steal my biometric password, be it my fingerprint or the digital representation of either my fingerprint or vein pattern?
I've got to be honest here: I need to get this explained again. And again. I can hear what you're saying, but I can't see this being any better than resetting a password to something *completely* different than the last one. (Edit-distance metrics of password generations contributed to this concern...)
Now Mr Waldemar Grudzien of Bundesverband deutscher Banken, as well as Andreas Ewig of Deutscher Sparkassen- und Giroverband, had some realistic views of this technology. Nicely summarized, they wanted this technology to be faster, more secure and cheaper than current technology for it to become widely adopted and deployed. Probably easier said than done at present time, but they were also very realistic on something else: Current losses are increasing due to fraud. Still not at a level that is "unacceptable" financially, and certainly not enough to defend the adoption of biometric authentication for ATMs yet.
Their very best statement though: This is a question about trust. If people lose their trust in current systems, banks (and others) may not have any alternatives than to migrate to new technologies that may not really be needed now.
Fear, Uncertainty and Doubt. Most certainly some of the more powerful business drivers in our society today.
(More to come in the future)