Biometrics and Your Identity

1
Biometrics and Your Identity
UBC Computer Security October 4, 2007 Gordon
Ross President VIRTUAL PERCEPTIONSYSTEMS
INC. gordon_at_my-spy.com www.my-spy.com
2
Biometrics and Your Identity

• Biometrics
• A unique physical or behavioral characteristic
  which can practically be collected, stored, and
  compared against for the purpose of positive
  identification.

3
Biometric Terms

• Behavioral and physiological
• Static and dynamic
• One to one compare
• One to many searching
• False Acceptance Rate (FAR)
• False Rejection Rate (FRR)
• Failure to Enroll (FTE)

4
Various types of Biometrics

• Fingerprint
• Facial recognition
• Iris
• Voice recognition
• Hand Geometry

5
Additional types of Biometrics

• Keystroke dynamics
• Retinal Scan
• Palm Print
• Signature

6
How does a biometric work?

• Capture a Biometric-Enrollment
• Process the Biometric-Algorithm
• Store Result-Template
• Compare-one to one
• verification
• Find-one to many
• identification
• Accept or Reject

7
Some Uses of Biometrics

• Controlling access
• Monitoring
• Authentication
• Identification
• ATM applications

8
How could biometrics be used and For what
purpose?

• Open the door please.
• Is this the person on record?
• Who are you?
• Can this smart card log me in?
• Am I the rightful owner of this password?

9
How could Biometrics be used and For what purpose?

• Open doors-physical access
• City of Baltimore-Department of Public Works uses
  Voice Authentication for Access Control

10
Or

• Is this the person on record?
• Identification
• State of Connecticut-Department of Social
  Services uses Finger Print Imaging to reduce
  welfare fraud-23M savings

11
Or

• Who are you?
• Nation Bank - TX
• ATM application

12
Or

• Do we know you?
• Facial recognition at Super Bowl in Florida.
• Match against known image.

13
Or

• Am I the rightful owner of this password?
• Login by
• Typing user name and password
• AND
• Your unique Biometric.

14
How can a Biometric be Bypassed or Defeated?

• Social Engineering
• Collusion
• Theft or Fraud

15
Make an Artificial Finger Print
Making A Mold
Final Mold.
Soften Plastic Material with Hot Water
Press Live Finger into Plastic.
From Tsutomu Matsumotos research..
16
Make an Artificial Finger Print
Artificial Finger Print
From a Real Finger.
Make the Liquid and Gelatin mix where the gelatin
is at 50 wt.
Add Boiling Water 30cc to 30g of gelatin and mix.
Process takes approximately 20 minutes.
From Tsutomu Matsumotos research..
17
Make an Artificial Finger Print
From a Real Finger.
Pour Liquid Into Mold.
Refrigerate To Cool.
Final Gummy Print.
This Process takes approximately 10 Minutes.
From Tsutomu Matsumotos research..
18
Devices that were spoofed..
Manufacturer/Selling Agency Type Sensor Type Live Detection
1 Compaq Computer Corp. DFR -200 Optical Unknown
2 Mitsubishi Electric Corp. FPR-DTmk11 Optical Unknown
3 NEC Corp. N7950-41, PK-FP002 Optical Unknown
4 OMRON Corp. FPS-1000 Optical Unknown
5 Sony Corp. FIU-002-F11,FIU-710 Capacitive Yes
6 SecuGen Corp. SMB-800 Optical Unknown
7 FUJITSU Limited FS-200U Capacitive Unknown
8 Siemens AG EVALUATION-KIT Capacitive Unknown
9 Enthetica Inc. MS 3000 Optical Unknown
From Tsutomu Matsumotos research..
19
How can a Biometric be Bypassed or Defeated?

• Tsutomu Matsumoto tsutomu_at_mlab.jks.ynu.ac.jp
• http//www.cyberpunks.org/display/630/article/
• ct Magazine from Germany
• http//www.heise.de/ct/english/02/11/114/
• Just Google - Defeating Biometrics for more
  information.

20
Facial Iris Recognition systems
FaceVACS-Logon can be outfoxed with a short
video clip of a registered person.
Once Live-Check has been activated all attempts
at deception with stills are foiled.
A short .AVI video clip with the webcam in which
a registered user was seen to move his head
slightly to left and right. The program did
in fact detect in the video sequence played to it
a moving 'genuine' head with a known facial
metric, whereupon it granted access to the system.
ct magazine Germany
21
ROI on biometric projects

• Quantify likelihood of previous cases
• Costs
• Technology Acquisition (HW SW)
• User training-hard enrollment
• FTR
• Deployment-configuration check
• Process change
• Help desk calls
• Hardware product lifecycle

22
Summary

• Biometrics field is old, industry is new
• Entire industry was 65M in 1999
• Global Industry Analysts Inc. states biometric
  sales are to exceed 6.48 billion by 2010 (July
  2007)
• Not a technology issue but a people issue
• Due diligence is key.
• Privacy is also a concern.
• Biometrics helps with authentication
• Nothing is absolute!

23
Biometric resources

• www.bioapi.org
• www.ibia.org
• www.biometricgroup.com
• www.biodigest.com

24
Thank you

• QUESTIONS?
• Gordon Ross BScEE CET HSG
• VIRTUAL PERCEPTION SYSTEMS INC.
• gordon_at_my-spy.com
• www.my-spy.com