Biometric: Electronic Human Body Parts for Sale - The Myth of Biometrics’ Enhanced Security

Current biometric documents are useless. ePassports don't make much sense without a one-only or unequalled biometric passport reader. Let’s face it once and for all: ANY electronic data storage method by which content can be read (e.g. RFID, smart/storage cards, etc.) has the obvious potential to be hacked, copied and cloned. There’s a reason why “Random Access”, “Write Only Memory” (“WOM”) devices have never sounded logical. What purpose would there be to store data that cannot be read? Let’s take this one step further. If stored information is designed to be read, then a device must exist with the ability to read the stored information for it to be of any value.
Published by: Micha.Shafir on Feb 20, 2009
Copyright:Attribution Non-commercial

Innovya Press Room: For immediate release
Electronic Human Body Parts For Sale
The Myth of Biometrics’ Enhanced Security
By: Michael (Micha) Shafir and David J. Weiss
Tel-Aviv, Israel. — February 17, 2009 — Innovya Traceless Biometric System

Current biometric documents are useless. ePassports don't make much sense without a one-only or unequalled biometric passport reader. Let’s face it once and for all: ANY electronic data storage method by which content can be read (e.g. RFID, smart/storage cards, etc.) has the obvious potential to be hacked, copied and cloned. There’s a reason why “Random Access”, “Write Only Memory” (“WOM”) devices have never sounded logical. What purpose would there be to store data that cannot be read? Let’s take this one step further. If stored information is designed to be read, then a device must exist with the ability to read the stored information for it to be of any value.

Now, let us apply that simple logic to stored information that’s meant to be read in a widespread application. In this type of application, multiple standardized reading devices must exist in order to always yield the same result from that stored information. As an example, standardization gives us the ability to use our credit cards regularly because each and every point of sale reader is reading the information contained within the card’s magnetic strip in the exact same way.

We must therefore recognize that these same benefits of standardization create reciprocal risks of fraud. Once the ability to read stored information exists, the ability to either reverse engineer the reading process or clone the coded stored information exists as well. What purpose does a means of identification serve if we cannot be near certain that it has not been compromised? Further, once that ID has been compromised, how can it be prevented from yielding positive identification where not intended?

To illustrate the point, let us use your everyday ATM cash withdrawal as an example. After inserting the card into the ATM, one is prompted to enter the PIN associated with that card. If the correct PIN is entered, even by someone other than the authorized user, the ATM will approve the transaction because its predetermined means of authentication is a combination of a card and its associated PIN.
As we are well aware, magnetic strip cards and the like can be easily read, thus creating the opportunity for thieves to create a copy of that card. All that’s left is the PIN. For professional thieves, that’s less of a challenge than we’d like to believe.

For years, as technology developers would have it, much effort has been focused on providing more and more secure methods of storing sensitive information, without addressing the root of the problem. Regardless of how securely information is stored, because it is designed to be read, illicit methods by which to read the information will be found. Once that has been accomplished, the ability to create both fake and cloned IDs exists. ePassport readers are addressing the standards and recommendations of predefined requirements like the Machine Readable Travel Documents (MRTD). In order to make them usable, they must be consistent. If you have a set of identical targets (e.g. ePassports or National IDs or Driving Licenses or Employee cards etc.), breaching one of them is a breach of all of them. An identical electronic device is a single point of failure. It is unfathomable for governments to change their entire population’s IDs and documents every time someone, somewhere across the globe hacks and clones a single chip.

It would seem as if the only real way to prove you are who you claim you are to an automated system is through the use of biometrics as a means of authentication. Identity theft is exceedingly common these days. The use of biometrics, however, creates a whole new area of concern. When non-biometric security authentication elements are breached, security can be reestablished by selecting new authentication elements. The same cannot be done in an instance where stored biometric information is breached. Biometric information cannot be changed. Our fingerprints, face, retina and all, are what they are. The question we are faced with is how we can truly secure our biometric information. We can change our name or address, but we cannot change our body parts. Turning the human body into the ultimate identification card is extremely dangerous. The possibility of fraud with electronic chips and biometric data should not be underestimated. Exposing or losing biometric property is a permanent problem for the life of the individual, since, as we’ve mentioned, there is no practical way of changing one’s physiological or behavioral characteristics. How do you replace your finger if a hacker figures out how to duplicate it?
If your biometric information is exposed, in theory, you may never be able to prove who you say you are, who you actually are or, worse yet, prove you are not who you say you aren’t. The best secrets are secrets that are never shared. Storing those secrets on a readable electronic card from which any simple RF dump reader can extract that information, in the same way as international border readers do, or storing your personal information together with your biometric characteristics on a readable electronic device is like sticking a label with your PIN on the back of your ATM card!

Biometric authentication is a powerful tool, able to bridge the gap between human and machine interaction in everyday instances such as ATM withdrawals, on-line banking and credit card transactions and all sorts of general user authentication. The use of biometric authentication enables a high threshold of security by reducing identity fraud incidences of unauthorized user access. It is also an easy method of authentication from the user’s point of view because a user’s biometric information is always with them. The most critical flaw in the use of biometrics as a means of authentication, however, is that the authentication process cannot work if the subject is a stranger to the system. We’ve already concluded that storing the biometric information on an external device carried by the user, such as a smart card, is far too risky in that it risks losing one’s biometric information forever. Alternatively, databases are breach-prone, and inefficient, especially when used in large scale applications. Databases also require real-time access to be of any value, communication with which may not always be available. Where then can such sensitive information be stored? Furthermore, why risk storing that unique biometric information in a database, smart card, or other external devices to make it useful?

Another problem with common biometric systems is that the most effective way to achieve maximum system matching is to compare biometric images to a template by using raw data. Biometric Encryption is the process of using a characteristic of the body as a method to code or scramble/descramble data. Since these characteristics are unique to each individual, the biometric information readers, cameras and sensors must all yield identical results. Most biometric authentication systems use a similarity score as an internal variable, whereby if enough numbers of starting points are given, it is possible to find the highest point without being trapped by local minima. However, different readers, cameras and sensors, manufactured by different manufacturers, generate ever so slightly different biometrics results. Varying starting results, when encrypted alike, will not yield the exact same decrypted result. Biometric standards can be obtained only if the common information is unconcealed. That, in and of itself, creates system wide vulnerability, and thereby renders the system unsecure. At present, each biometric scanner's vendor generates their own encryption method. Raw biometric data is critical data. It should not be exposed or stored in public space. As difficult as it might be to create a secure standard for identical encryption paths, it is seemingly not possible to create standards for non-identical encryption paths. Overcoming the encryption matching hurdle is the see-saw that creates the security blind spots because the template can be tapped during the authentication process.

Traceable biometric authentication systems extract features from scanned biometric elements and pattern match them with an enrolled template.
Theoretically, a system cannot authenticate strangers to its data store. The other side of that theory is exactly where the hackers look. The inability to “recognize” strangers is an opportunity to breach the authentication barrier. If a biometric authentication system has a blind spot, it can then be taken advantage of and used to clone or rob ID. It also means that when the real ID owner tries to use their legitimate ID, they might find that they have been revoked from the system without understanding why. An electronic chip that contains identity elements is only one of the many threats facing traceable biometric authentication systems. Template leakage is an even bigger problem because once that information is gotten a hold of, the ability to prevent illegitimate copies and “fake originals” of legitimate IDs is gone unless the template is changed. Any change to the template requires changing ALL associated IDs, just as is the case when a “master key” is lost. The only solution is to change the key and distribute new keys to all who use it. Can one possibly imagine if such an instance were to occur with Driver’s Licenses? Now try to imagine if it were to happen with Passports. Unfathomable! At least with keys, the ability to change the template or lock is not ideal, but possible. That is not the case with biometrics as biometric elements are with the individual for life.

…Dear security decisionmaker, how can you sleep at night? 
 People want to be able to draw a circle around their personal information, and do not
