Tom Olzak

Archive for the ‘Biometrics’ Category

Android fingerprint security not so secure

In Access Controls, Android Security, Biometrics on July 10, 2015 at 13:40

Since the introduction of Apple’s Touch ID, I’ve warned readers and clients about the complacency possible with fingerprint recognition on smartphones.  At Black Hat USA next month, two different presentations demonstrate how to steal fingerprint images from a compromised Samsung Android phones.

In one instance, FireEye researchers Tao Wei and Yulong Zhang demonstrate how to steal fingerprint images from the phone.  No finger stealing required…

At most, fingerprint recognition on smartphones is a convenience for accessing confidential information (in a public, confidential, critical classification scheme).  It should never be used for critical data.

FUD: Scientist Installs Virus-Infected RFID in His Body

In Application Security, Biometrics, Hacking, Privacy on May 27, 2010 at 10:13

Recently, a scientist in the UK was interviewed (Scientist Installs Virus-Infected RFID in His Body) about his work with malware-infected RFID devices implanted in humans.  There is no discussion in the video about the difficulty involved or how input validation techniques can easily defeat any real attack against a person or a group of people.  So this ended up being just one more way to scare the hell out of people for no good reason.

Biometrics slipping as a viable access control technology?

In Biometrics on May 17, 2009 at 14:07

Looking for a way to implement a second factor of authentication, many organizations have boarded the good ship Biometrics, only to find the vessel adrift due to user, application, and functionality issues.  And this is before they try to integrate their solution into a single-sign on (SSO) environment.  So it’s no surprise that biometrics was given honorable mention in a list of the Top 10 Disappointing Technologies.

Biometrics was supposed to be the magic bullet that solved all our security needs. Look in any film where they are trying to be futuristic or high tech and you’ll see people getting their body scanned as a security measure.

However, the reality has proved less than we were promised. Fingerprint readers are in wide circulation but they are easily fooled these days with cheap materials, or by more direct means. Taiwanese robbers reportedly cut the finger of a man whose car had a fingerprint ignition, something that led scanner manufacturers to install a temperature sensor in future models to prevent a repeat.

Facial scanning was also touted as foolproof, and then quickly found to be anything but. Even DNA fingerprinting is now being questioned, either because the chemistry is defective or the lingering possibility that an individual’s DNA may not be unique. Hell, they still haven’t proved that fingerprints are even unique.

Maybe one day we’ll come up with the ultimate biometric solution but I have my doubts.

Source: Top 10 disappointing technologies, Iain Thomson and Shaun Nichols,, 16 May 2009

Most users will agree that biometrics doesn’t work all the time.  Logging in to a computer once a day with a troublesome biometric sensor isn’t a huge problem.  But when the problem sensor is attached to a shared device (e.g., a nurses station computer) or a time clock, user patience and business productivity both take a hit.

Moving beyond user issues, we arrive at problems integrating with applications.  The biggest problem I’ve found to date is getting a single solution that works across all business applications.  I don’t want multiple fingerprint hash repositories—created by multiple enrollment processes—scattered across the enterprise.

Another application problem is the failure of vendors to understand a fundamental requirement.  Biometrics isn’t just about security.  It’s also about making life easier for the  user population.  For example, shared workstations should allow for a network-level, generic login (with a password from Hades that only Security knows) to eliminate the need for user network logins.  Users should then be able to walk up to a workstation, scan a fingerprint, and access an application session unique to their account.  This should happen even if another user is logged in to the system.  There are products which support this.  However, they don’t always work across all applications, and they are very expensive for organizations with thousands of workstations to support.

Finally, there is the issue of getting the sensors to work without adjusting the sensitivity to the point at which false positives are so high only password access makes any sense.  Functionality is affected by the operating environment and the quality of the sensors used.  In many cases, the cost of getting the right sensor for the environment is too high.

So biometrics languishes, even while many managers rail against using smart cards and other token-based solutions—although most biometrics replacements aren’t too much better in solving functional issues.  The reason is usually the claim that users will forget their tokens.  They don’t want to be bothered with something else to remember.  This argument only stands up when users don’t already need a card to enter the building or other secure area.  Management is also often unwilling to sanction users for not remembering to bring their tokens to the office.

While biometrics promises to solve the world’s authentication and identity verification problems, the reality is that the technology tends to fall short of expectations.  I don’t believe, however, that it is a lost cause.  Reviving it will take vendor focus on value beyond security and a willingness to work with others to develop standards to meet business requirements for a fast, simple, user-acceptable, secure access method.  But it will take a lot of pushing by users to move this damaged ship to port.

Implementing biometrics requires a little thought

In Access Controls, Biometrics on April 30, 2009 at 13:52

Implementing the right biometrics solution is not an easy task.  There are several considerations which, if analyzed carefully, might even result in a decision to look at other identity verification methods.  I’ve written about this in the past, but a recent post to The Daily WTF about an implementation-gone-wrong provides an opportunity to drive home some basic points once again… and apparently it’s needed.

Problem 1, failing to analyze the operating environment

The fingerprint biometrics system described in the article was intended to perform various tasks in a workout facility, including member check-in and check-out.  Check-ins seemed to work OK.  Check-outs, however, were problematic.  Finger characteristics temporarily changed while members were in the facility, caused by contact with normal gym environments, including exposure to water in the pool, sauna, or whirlpool as well as contact with lattice patterns on weight equipment. And the sensor quickly became unusable as it came in contact with a stream of unwashed hands.

Problem 2, failing to understand the technology

No allowance was made for sensor failure.  So no manual workaround was implemented.  If the check-out sensor failed, the only recourse was jumping over the turnstile, which remained locked until a recognizable print was read by the system.  To reduce the number of “jumpers”, the technicians turned recognition sensitivity down low.  In other words, the biometrics system would accept data which fell far short of what it normally considered effective print analysis.  This resulted in a high number of false positives; people were being identified as another member when they placed their digit on the sensor.

Problem 3, failing to understand how members would react to biometrics

It wasn’t clear from the article, but it appeared as if the gym manager jumped into biometrics without a lot of thought, including thinking about whether his customer would decide to change membership to a place where they didn’t have to provide personal information.  Privacy issues is a big reason why biometrics are rejected by employees and customers.  Another reason is the fear of picking up some disease from sensors used by more than one person.  In this case, it was clear many of the members chose to use the old method of using a touch screen to log in.

Lessons to take away

The business made three common errors when implementing new biometrics.  So you don’t make the same mistakes, I’ve provided a list of how to avoid them.

  1. It’s important to understand the environment in which biometrics will be used.  In this case, sweat and grime made the sensors useless.  In manufacturing environments, it might be lubricants or other substances in the air; even the cleanest hands won’t solve this problem.  If the sensors fail often, employees or customers will become frustrated and reject the technology, resulting in employee turnover or lost revenue.  In cases where environmental conditions are not friendly to biometrics, consider tokens such as magnetic stripe cards.
  2. Many business managers don’t understand the pros and cons of biometrics.  For example, I wonder if the vendor told the gym manager that no biometrics solution works on every print every time.  There will be false negatives and false positives.  Adjusting the system to reduce false positives will increase false negatives and vice versa (see Figure 1).  The gym manager, in turning down false negatives, allowed false positives to increase.  Some organizations, in the interest of tight security, go in the other direction, tuning their systems to eliminate false positives.  This increases the false negative rate to a point where the solution might be more trouble than its worth.  In the figure below, the CER is the ideal setting for a biometrics system.  The CER (Cross-over Error Rate) is the point at which the number of false positives and false negatives are equal.  The quality of a biometrics solution is often determined by the size of its CER, usually expressed as a percentage of total scans.  In any case, errors will occur.  Not having a manual workaround is a big oversight.
  3. Figure 1

    Figure 1

  4. Finally, there is the user factor.  Employees and customers may reject biometrics for a variety of reasons, including: fear that the company stores unique personal information and fear of contracting diseases through contact with publicly used sensors.  Another big reason people reject biometrics is frustration.  It probably wouldn’t take many jumps over the turnstile before gym members simply returned back to the old way of logging in and out.  The best way to deal with these issues is to hold open and honest discussions about how the systems work, the health risks involved, and how the organization plans to use the information. Remember, user acceptance doesn’t depend on how you perceive biometrics identity verification. Rather, it depends on how your employees and customers perceive it.
%d bloggers like this: