Do villains care about biometrics?
Inadequate biometrics systems could be creating a false sense of security in banks, security estates and office blocks, and in effect rolling out a red carpet to criminals.
By Marius Coetzee, Managing Director of leading identity fraud solutions provider Ideco
Biometrics-based security devices, in particular fingerprint readers, are now widely in use across South Africa. But in many cases, they could be creating a false sense of security among enterprises, and worse – serving to enable criminal activities.
This is because not all fingerprint readers are created equal. Although all fingerprint readers use minutiae points to match fingerprints, not all have the ability to detect the difference between real minutiae of a fingerprint and spoofed minutiae. Typically, enterprises investing in fingerprint readers believe the biggest risk facing them is a scenario in which a fraudster or criminal replicates someone else’s finger or fingerprint, and uses it to gain access to a premises or to authenticate their identity. But because most fingerprint readers are manned by cashiers, tellers or security guards, the chances are slim that the fraudster will have an opportunity to introduce an entire fake finger into the process unnoticed.
A lesser known risk, and one far easier for villains to employ, is to fake or ‘spoof’ minutiae. The simplest methods are simply to wind thin thread around the fingertip, or to introduce a series of cuts to the fingerprint. This creates scores of new minutiae points, increasing the risk that the spoofed fingerprint will be a close enough match to that of an authorised person on the estate or bank database. No one should underestimate the ingenuity of criminals – they know the reader uses minutiae points to match them against a profile, and they also know that by introducing a lot of false minutiae points, they will increase the chances of their matching an existing profile on the system. Only the most advanced technology has the ability to differentiate between typical cuts and true minutiae to determine whether a fingerprint has been spoofed or not.
Performance requirements and consequential recourse
Another major risk lies in the fingerprint system’s performance and standards: in many cases, the images they produce are of a low quality and characterised by noise, or they simply do not meet the standards required by law enforcement agencies and courts. This means that in the case of fraud or a criminal opening a bank account using such a fingerprint reader, the biometric records and images generated cannot be processed against the SAPS criminal record system, or indeed most international law enforcement systems.
Equally concerning is the fact that these systems produce images that are of a quality too poor to be admissible as evidence in a court of law. The mere fact that many fingerprint readers used today are not compliant to international standards for evidence and criminal investigation defeats the entire objective of using fingerprints for proof of identity in the FICA or RICA process.
Inadequate biometrics-based identification and security systems therefore, could not only give villains access to accounts and assets; they could also help them to avoid prosecution.
Organisations need be very careful in their choice of biometric devices deployed for customer identification, security and protection of assets, to ensure they are compliant with all key standards and legislation, and that the systems deliver the security they promise.
When selecting systems, organisations need to ask:
- Is it fit for purpose at the site, and for effective governance, risk and compliance?
- Does it fully adhere to regulatory requirements from the process of taking the customer aboard through to post-event audits?
- Can it be spoofed by added minutiae caused by thread, cuts, wrinkles and blisters?
- Does the technology discard false minutiae and only process true minutia?
- Is the data collected by the device, including all records and images, fully compliant to all international standards?
- Can this data be processed against the SAPS criminal record system?
- Is this data accepted as evidence in a court of law?
Always remember that mass adoption does not constitute great technology, but rather great sales effort. A simple “show me how accurate it is”, is always recommended.