Yup, that would be the stupidest report I've seen in a long time. And maybe the stupidest research. They say it has important lessons for implantable medical devices. Ummmm ... then why not study implantable medical devices, not RFIDs?
26 May 2010 12:22
Nick wrote "no one has ever claimed that biometrics are 100 per cent". I'm sorry to be pedantic, but actually almost all biometrics vendors claim exactly that -- implicitly -- when they use the term "unique" to describe how biometrics work. Biometrics lacks the rigor of conventional cyber security, where practitioners are required to steer clear of words like "guarantee" and "perfect". It's deeply problematic to describe biometrics as "unique" when they're simply not. Loose talk sets up false expectations, and it numbs business people so they don't know to ask the tough questions, about False Detects, False Rejects, Fail to Enrol Rate, Different Day error rates, and actual test conditions.
06 May 2010 12:38
Hi Rik,
I urge great caution in respect of biometrics. It sounds like you are at the start of a fresh study of this family of technologies. Good luck with it. So I hope you don't mind if I correct some basic points? This is in the interests of rigor. I find that the biometrics field as a whole lacks rigor ... perhaps because it's all so very sexy. I've seen vendors use filmclips from sci-fi movies in their marketing materials, as if they're case studies. At the same time, most vendors avoid disclosing their full specifications. False Match and False Non Match specs are often missing, and the test conditions are always missing from spec sheets, because there are no standards. Or the best case FMR and FNMR are reported side by side with the dishonest implication that these may be achieved at the same time.
The very basis for biometrics is often misrepresented. The definition you quote says: "biometrics is the study of unchanging measurable biological characteristics that are unique to each individual". There are two problems here.
Firstly, biometrics are not necessarily unique. For example, there is actually not a lot of evidence that fingerprints are innately unique. Moreover, the way we measure any trait introduces uncertainty. Look closely at DNA testing. People speak casually of DNA as a biometric (even though there is no sign of a commercially viable DNA based access system). But forensic DNA testing doesn't measure the whole genome, only a tiny and statistically representative subset, which leads to the possibility of False Matches. The inventor of DNA testing, Alec Jeffreys, was quoted years ago on the risks of the method when large databases are compiled:
Jeffreys estimates the probability of two individuals' DNA profiles matching in the most commonly used tests at between one in a billion or one in a trillion, "which sounds very good indeed until you start thinking about large DNA databases." In a database of 2.5 million people, a one-in-a-billion probability becomes a one-in-400 chance of at least one match.
Secondly, most biological traits do in fact change. For example, fingerprints lose definition as the skin ages, and can be impossible to acquire from the elderly. In practice, any skin damage changes the fingerprint. And the voice changes from day to day with colds and fatigue. Understanding this natural variability is critical, because it means any biometric processing system must cope with uncertainty. It means that False Matches are inevitable. Any biometric system that was so specific that it never ever had a false match would by the same token be so 'fussy' that it would frequently reject genuine users, because of day-to-day variability in the way their traits present. This is why False Rejects rise as False Detects fall.
In all seriousness, I argue that the word "unique" in biometrics represents false advertising. Even if a certain trait is inherently unique (as the iris seems to be) it does not follow that the trait is detected in exactly the same way every time it is presented. Sensors get dirty, lighting conditions change, there will be simplifying assumptions built into the recognition algorithm and signal processing sub-systems that cause a loss of specificity. Due to equipment variability, biometric error rates can rise dramatically when different vendors' equipment is used for enrolment and presentation. Similarly, error rates for "different day" performance (when some time passes between enrolment and presentation) are often markedly worse than "same day" testing (some finger vein testing shows deterioration by a factor of 100 in different day testing).
If it was really true in any meaningful sense that biometrics are "unique" then we should expect to see False Match rates of precisely 0.00%. But no, False Match performance is always finite -- and sometimes very modest, like 2 or 3% or higher.
I'm a great believer in the subtle power of language. People need to beware of the optimism and exaggeration that are built into the words used to loosely describe biometrics!
05 May 2010 21:46
Steven Murdoch mentions two ATM applications for biometrics, which seem to be working, as opposed to PayByTouch and Tip2Pay which failed. A crucial difference is that the ATM applications involve a plastic card as well. The biometric serves to replace the PIN, in a "one-to-one" match of the customer to the card they're presenting. But the failed biometric systems involved much more ambitious "one-to-many" matching, where there is no card presented, and instead the customer is matched against a large database of registered users.
[Just for completeness, it's difficult to imagine how one-to-many matching could ever work for an ATM. Only in sci-fi movies can you stare at a machine and have cash dispensed from the proper account. In practice, you need to design for the fact that any one person using an ATM might have more than one account, at more than one bank. If you had a biometric-only ATM without a card, the system would have to scan the entire databases of all networked banks, present all the matches to the customer, and ask them which account they wish to access. And then what to do about false matches? Such a system would occasionally show me other people's accounts. What would stop me accessing their cash? Nope, biometric ATMs will still always involve traditional cards.]
I wonder if there are real life performance figures available now from the finger vein ATMs in Japan? The bench testing reported false match and false non match rates are I think only barely acceptable. Steven mentioned a False Non Match of 1.2% at a False Match Rate of 0.01%. The International Biometric Group reported slightly worse figures of up to 5% FNMR at FMR of 0.01%. That is, 1 in 20 legitimate finger vein presentations would be rejected and require a re-try. This seems quite high. What will it do for queue lengths at busy ATMs?
And as I mentioned previously, the FBI cautions that in real life as opposed to the lab, biometric performance is hard to predict. Moreover, if the 'zero effort imposter' assumption applied to the reported bench test results, then the resistance to concerted attack remains unknown.
So, does anyone know how these Japanese ATMs are performing in the field? Do the banks report error rates and fraud rates I wonder?
18 Apr 2010 11:40
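The arithmetic behind two points in the comments above, the Jeffreys "one in 400" figure for a 2.5 million profile database and the concern that a one-to-many ATM search multiplies a small per-comparison False Match Rate, is the same: a per-comparison false match probability p becomes 1 - (1 - p)^n once a probe is compared against n stored entries. The following is an added worked example, not code from any commenter, vendor or report quoted on this page; the figures used to check it (1 in a billion, 2.5 million profiles, FMR 0.01%) are those quoted in the comments, and the expected-pairs and database-sizing functions go beyond what the comments state.

```python
"""False matches at database scale.

A per-comparison false match probability p, the kind of figure quoted for
one-to-one verification, becomes a much larger chance of at least one false
match when a probe is compared against every one of n database entries, as
in one-to-many identification or a forensic database search. The formulas
are standard probability; nothing here models any particular product.
"""
import math


def prob_at_least_one_false_match(p: float, n: int) -> float:
    """Exact probability that at least one of n independent comparisons,
    each with false match probability p, reports a match: 1 - (1 - p)**n.
    log1p/expm1 are used so precision survives a very small p."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must be a probability and n non-negative")
    return -math.expm1(n * math.log1p(-p))


def one_in(prob: float) -> int:
    """Express a probability as 'one in X' (X rounded to the nearest integer)."""
    if prob <= 0.0:
        raise ValueError("probability must be positive")
    return round(1.0 / prob)


def expected_coincidental_pairs(p: float, n: int) -> float:
    """Expected number of falsely matching *pairs* inside a database of n
    profiles when all n(n-1)/2 pairs are compared (the birthday-problem view,
    relevant when a database is searched against itself)."""
    return p * (n * (n - 1) // 2)


def database_size_for_risk(p: float, max_prob: float) -> int:
    """Largest database a probe can be searched against while keeping the
    chance of at least one false match at or below max_prob.
    Solves (1 - p)**n >= 1 - max_prob for n."""
    if not 0.0 < p < 1.0 or not 0.0 < max_prob < 1.0:
        raise ValueError("p and max_prob must be strictly between 0 and 1")
    return math.floor(math.log1p(-max_prob) / math.log1p(-p))


if __name__ == "__main__":
    # Jeffreys' example: 1-in-a-billion per comparison, 2.5 million profiles.
    p_dna, n_db = 1e-9, 2_500_000
    prob = prob_at_least_one_false_match(p_dna, n_db)
    print(f"one probe vs {n_db:,} profiles: P(>=1 false match) = {prob:.5f}"
          f" (about one in {one_in(prob)})")
    print(f"expected coincidental pairs within the database: "
          f"{expected_coincidental_pairs(p_dna, n_db):.1f}")

    # A finger-vein FMR of 0.01% searched one-to-many against 10,000 customers.
    p_fv = 1e-4
    print(f"FMR {p_fv:.2%} vs 10,000 entries: "
          f"{prob_at_least_one_false_match(p_fv, 10_000):.3f}")
    print(f"database size keeping that risk under 1%: "
          f"{database_size_for_risk(p_fv, 0.01)}")
```

For small p the exact value is close to n times p, which is how 2.5 million times one in a billion gives roughly one in 400; the expm1/log1p form matters once n is large enough that the naive 1 - (1 - p)**n loses digits.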
I don't know about the South African myth, but I believe this story was true, as reported by the BBC: a Malaysian had his finger chopped off by a gang stealing his fancy car.
Biometrics have a chequered history in payments. Here on Finextra you can read about the troubles at the Dutch supermarket with "Tip2Pay" which had to be shelved after error rates got too high.
Vendors' claims are near hyperbolic. There is an unfortunate tendency to report the best False Accept Rate and the best False Reject Rate at the same time, as if these figures can be achieved simultaneously. But they can't. I debated this at length with vendors and advocates in another forum.
We were discussing finger vein recognition, which is an advanced technique, with good resistance to theft. But the independent testing is very worrying when you look closely at the Detection Error Trade-off (DET) curves. The vendor claims a fantastic False Match Rate of 0.0001% ... but the False Non Match Rate then deteriorates to as bad as 20%. The vendor also claims best case False Non Match Rate of 0.01% ... but the corresponding False Match Rate is 80% or worse.
To summarise my concerns:
- biometrics just don't work as well as vendors claim;
- in particular, biometrics are susceptible to identity theft;
- once stolen, no commercial biometric solution is able to be cancelled and re-issued;
- there is no standardised way to test biometric performance;
- most if not all biometric testing uses the "zero effort imposter" assumption, which ignores deliberate attempts to spoof the system. Therefore, reported False Accept Rates don't tell us anything about how well the biometric resists criminal attack.
14 Apr 2010 22:00
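The Detection Error Trade-off discussed in this comment, and the earlier observation that False Rejects rise as False Detects fall and that "different day" presentations degrade performance, can be made concrete by sweeping a decision threshold over matcher scores. The block below is an added example written for this page, not a commenter's code or any vendor's test data; the genuine and impostor scores are constructed integer similarities (0..100) chosen so the numbers work out exactly, and the drift model is a deliberately crude assumption.

```python
"""Detection Error Trade-off (DET) from constructed matcher scores.

A biometric matcher returns a similarity score per presentation; the system
accepts when the score reaches a decision threshold. Sweeping the threshold
trades False Match Rate (FMR, impostors accepted) against False Non-Match
Rate (FNMR, genuine users rejected). The score lists are constructed for
illustration and are not measurements of any product.
"""
from typing import List, Sequence, Tuple

# Constructed sample: 50 ordinary genuine presentations plus 5 "bad day"
# presentations (dirty sensor, cold, skin damage) that score unusually low.
GENUINE: List[int] = list(range(45, 95)) + [20, 25, 30, 35, 40]
# Constructed sample: 50 ordinary impostors plus 5 close lookalikes.
IMPOSTOR: List[int] = list(range(5, 55)) + [60, 62, 65, 70, 75]
THRESHOLDS = range(0, 102)


def fmr(impostor: Sequence[int], t: int) -> float:
    """Fraction of impostor presentations accepted at threshold t."""
    return sum(1 for s in impostor if s >= t) / len(impostor)


def fnmr(genuine: Sequence[int], t: int) -> float:
    """Fraction of genuine presentations rejected at threshold t."""
    return sum(1 for s in genuine if s < t) / len(genuine)


def det_curve(genuine: Sequence[int], impostor: Sequence[int],
              thresholds=THRESHOLDS) -> List[Tuple[int, float, float]]:
    """(threshold, FMR, FNMR) for every threshold: FMR falls as FNMR rises."""
    return [(t, fmr(impostor, t), fnmr(genuine, t)) for t in thresholds]


def best_case_rates(genuine, impostor) -> Tuple[float, float]:
    """The two figures a spec sheet may quote side by side: the lowest FMR
    and the lowest FNMR over all thresholds. They occur at different
    thresholds, so quoting them together overstates the system."""
    curve = det_curve(genuine, impostor)
    return min(f for _, f, _ in curve), min(n for _, _, n in curve)


def operating_point(genuine, impostor, max_fmr: float) -> Tuple[int, float, float]:
    """Lowest threshold keeping FMR at or below max_fmr, with the FNMR a
    legitimate user would actually experience there."""
    for t, f, n in det_curve(genuine, impostor):
        if f <= max_fmr:
            return t, f, n
    raise ValueError("no threshold meets the FMR target")


def equal_error_point(genuine, impostor) -> Tuple[int, float, float]:
    """Threshold where FMR and FNMR are closest (the equal error rate)."""
    return min(det_curve(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


def fnmr_after_drift(genuine, t: int, drift: int) -> float:
    """FNMR at a fixed threshold when every genuine score drops by `drift`
    points: a crude, assumed model of a "different day" presentation."""
    return fnmr([s - drift for s in genuine], t)


if __name__ == "__main__":
    print("best-case FMR and FNMR quoted separately:", best_case_rates(GENUINE, IMPOSTOR))
    for target in (0.0, 0.05):
        t, f, n = operating_point(GENUINE, IMPOSTOR, target)
        print(f"FMR <= {target:.0%}: threshold {t}, FMR {f:.3f}, FNMR {n:.3f}")
    t, f, n = equal_error_point(GENUINE, IMPOSTOR)
    print(f"equal error rate {f:.3f} at threshold {t}")
    print(f"FNMR at threshold 76 after a 10-point drift: "
          f"{fnmr_after_drift(GENUINE, 76, 10):.3f}")
```

With this data the "best case" pair is FMR 0% and FNMR 0%, yet the only threshold with zero false matches rejects about two thirds of genuine presentations, and shifting genuine scores down by ten points pushes that rejection rate higher still; the DET curve, not the two isolated minima, is what a buyer needs.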
I don't have figures on the incidence of fraudulent accounts opened using fake or stolen id documents. This does occur; the fact that counterfeit passports etc. are available to criminals is what drives the development of the "Document Verification System".
It is also noteworthy that at least one Australian state is moving to smartcard driver licence technology, to resist counterfeiting. Theoretically, this move plus the chip-based e-passport we now have, would almost eliminate counterfeiting ... except that the ability to electronically verify the bona fides of these documents (with chip readers) is not on the horizon in Australia. So a high grade counterfeit or copy will still fool many humans depending on it.
[In contrast, I believe that in the UK, it is proposed that under the national ID smartcard, banks will indeed have the ability to read the chip to verify its authenticity.]
Having said all that, the great majority of retail banking fraud in Australia happens by taking over existing accounts (skimming, carding, CNP fraud, stealing new cards from post boxes etc.) and not by opening fake ones.
In terms of id theft prevention in Australia ... we have criminalised id theft and other cyber offences, and generated reams and reams of consumer id safety advice. But there is no mechanism as far as I know for consumers to freeze their own credit. We have a small number of licenced credit reporting agencies that compile credit histories. These will provide histories to consumers (for free, or for a fee for fast service) and they provide alert services that let you know when someone has accessed your file (as might happen when a thief uses your identity behind your back).
My considered opinion is that most primary identity documents in Australia are robust and they are improving all the time, such that the ability for criminals to open fake accounts using copied or counterfeited primary ids is kept reasonably in check. The bigger problem in my view, which is not well managed, is id takeover, especially the theft and replay of digital identities (payment card numbers, account numbers, passwords, corporate IDs etc). Crucially, no amount of consumer education ("only shop at websites with SSL padlocks") can protect them against CNP fraud when their account details are stolen not from dodgy websites but from merchant and processor databases.
To summarise, I reckon we do a reasonably good job of identifying people face-to-face and originating new digital identities, but we do a terrible job of protecting them once they're issued. Digital identities are pure gold but we don't do enough to properly safeguard them.
09 Apr 2010 23:33
In Australia ...
Identification of customers opening bank accounts has been regulated since the 1980s. We have a roster of "evidence of identity" documents (passports, Australian driver licences, government issued cards of various sorts, other bank accounts, utility bills, birth certificates, naturalisation certificates ...) each of which is equated to a set number of "points" reflecting broadly the quality of the document as proof of id. You need to present 100 points total to open an account. Usually passport + driver licence suffices.
The last few years have seen policy efforts to improve the robustness of the system in the face of high quality forgeries. A government operated online "Document Verification System" is in an advanced stage of development, and will provide confirmation of the validity of document numbers cited by banks and other institutions wanting to check given ids. Basically a black list.
There's a new crop of Electronic Verification (EV) services that purport to check id documents on behalf of banks etc. The services are somewhat controversial, and they seem to be operating in a grey area of the 1980s law, where in-person presentation of the documents was expected but actually not mandated in all scenarios. Hence we have customers opening purely online savings accounts on the basis of document numbers being quoted over the Internet, but without anyone at the bank sighting the original ids.
However, to obtain credit of any sort in Australia does require the customer to present "100 points" worth of original id documents at a branch.
Good luck with your survey.
09 Apr 2010 14:16
Sadly it's still impossible to answer the question 'is such a solution secure enough?' because -- scandalously -- there are still no agreed standards for measuring accuracy (False Detect and False Reject rates) for biometrics. And whatever testing that is done is almost always performed under the "zero effort imposter" assumption in which no active effort is made to spoof the biometric under test. So beware: when reviewing FAR and FRR (when the vendor is good enough to actually report them) you will find that they reflect accidental errors only. Reported biometric performance specs reveal nothing about their resistance to concerted efforts by fraudsters.
See the FBI's "SABER" report which cautions that: "For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment."
It's outrageous, when the primary concern allegedly addressed by biometrics is crime, that biometric bench testing bears no resemblance to real life efficacy against criminals.
05 Apr 2010 02:08
Using a second, redundant channel to harden authentication does have a superficial attraction. Security geeks like redundancy, so that's good. And yes the mobile phone is almost ubiquitous (although in itself that doesn't make it inherently convenient if you needed to use your phone to confirm first-channel transactions like ATM withdrawals and POS payments all the time).
But a more important security principle is K.I.S.S! I say let's make the first channel properly secure before we start to augment it with additional cumbersome, time-charged, and performance-limited channels like mobile telephony.
Yes the primary (Internet) channel needs help. I say let's add digital signatures from trusted chip devices like EMV cards, rather than add a whole extra channel. If we simply signed our remote transactions using a chip at the browser then we could eliminate replay attack of stolen account numbers today.
16 Mar 2010 12:48
What is Experian's response to last week's Australian experience that stolen passport details are good for opening online bank accounts? And my criticism that there isn't much that EV can do about it?
See recent Finextra blog and comments.
01 Mar 2010 19:40