A lot of security "experts" like to push the idea of "biometric security": using some part of your biological identity (a fingerprint, a retinal pattern, etc.) as an access code instead of crusty old things like passwords. This sounds great; I mean, only you have your fingerprints, right? And who could fake your retinal pattern? As it turns out, bypassing or spoofing these kinds of systems is actually pretty easy. But it's much worse than that.
Although you can use something as simple as a Gummi Bear to fool a fingerprint scanner, that's not the real problem. (Tsutomu Matsumoto, a Japanese cryptographer, uses gelatin, the stuff that Gummi Bears are made of, to fool fingerprint scanners with an 80% success rate. That's pretty bad, no?) Still, being able to fool a fingerprint scanner isn't the real problem.
Facial Recognition Scanners
Facial recognition is another technique that's getting a lot of press in security circles these days. These are devices that measure various points on a person's face and use a mathematical "signature" to identify them. Fooling facial scanners is still a bit of an art, but people who know about this stuff say it can indeed be done. In fact, according to them, the problem is that "people who look alike can fool the scanners". The other side of the coin is that there are many ways in which people can significantly alter their appearance, like a slight change in facial hair or hairstyle. So, get that awesome new haircut and maybe you won't be able to access your bank account or get into the office. It'll probably be a temporary inconvenience, but you get the point. But fooling a facial scanner isn't the real problem either.
And then there's retinal scanning. Retinal scanning uses a photographic scan of the veins in the retina—the innermost layer of the wall of the eyeball. The pattern in each person's eye is unique and can be compared to a previously recorded "retinal signature". Unfortunately, trauma to the eye and certain diseases can change the retinal vascular structure. Some prescription drugs are also claimed to alter the pattern enough to invalidate a recorded scan. Retinal scans are tough to fool at the moment, but as with any technology you can bet that it's only a matter of time until they can (and will) be spoofed.
DNA-based access devices are still in their infancy, but as time goes by they'll be deployed more and more widely until they become commonplace. It'll happen, mark my words. DNA access devices are probably going to be even easier to fool than fingerprint, facial, or retinal scanners, in part because of the very tiny sample size that's used to validate the user. And anyone who wants your DNA can get it. Throw away a used paper cup, they get it. Shed a hair, they get it. Spit on the sidewalk, they get it. Blow your nose and discard the tissue, they get it. And so on. We shed DNA all the time (walking, sitting, sleeping) and there's no way to prevent it. But, at the risk of repeating myself, the ability to fool a DNA-based access device also isn't the real problem.
The Real Problem
So, what is the real problem, Uncle Mike? Tell us, tell us! Gosh, I thought you'd never ask. The real problem is what happens when your biometric identity is stolen. Think about that for a moment…just how do you go about getting a new retinal pattern? How do you get a new set of fingerprints? You can't: once they've been copied or recorded, the game is over. To put it in real-world terms, how can you invalidate your fingerprints so they can't be used at an ATM, for example? Again, you can't. What happens instead is that your fingerprints have to be invalidated for any kind of useful or secure access. Welcome to the "Problems With No Solution" club.
The wonders of technology that promise to make sure that it's really "you" when you visit that ATM also mean that once it's shown to be "not you", it's "not you" forever. Your personal, one-time, utterly unique identification method is now worthless, and you can't get a new one.
But it could be even worse than that. If your fingerprint, DNA, or retinal pattern is taken as absolute "proof" that it was you who accessed that ATM (and it really wasn't you), what's your recourse? Yes, maybe you were somewhere else at the time and maybe you have a way to prove it…or maybe you don't. Then what? Is the bank going to go to bat for you? (Excuse me while I laugh like a crazed gibbon for a moment…)
Tying a person's identity to their biological parameters sounds great at first (and it would be) if not for the bad guys. The bad guys steal credit card numbers by the millions; what makes anyone think that they won't focus on biometric identity "numbers" as well? How long before it's possible to spoof a retinal scanner with a moderately inexpensive device? If you guessed "not very long", you're probably right. Technology moves quickly, and that's true of the stuff the bad guys use too.
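To make the revocation argument from the last few paragraphs concrete, here is a small Python illustration. It is added here and is not from the original post; the "fingerprint" bytes, the user name and the passwords are constructed. It compares three ways of storing a credential: a raw biometric template, a keyed (cancelable) template, and a salted password hash. Two theft scenarios are run against each: the stored template database leaks (the "numbers by the millions" case), and the finger itself is copied (the gelatin case). The point it demonstrates is that keying the template lets you recover from a database leak, but nothing lets you recover from a copied finger, because the finger is the credential and cannot be changed. The password is the contrast case.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a fingerprint template: a fixed byte string of
# "minutiae" values. Real readers are noisy and matchers use tolerances; the
# sample is kept exact here so that revocation, not matching, is the focus.
ALICE_FINGER = bytes([12, 87, 43, 190, 66, 201, 9, 154])


class RawTemplateStore:
    """Stores the biometric bytes as-is: whatever leaks is exactly what the
    matcher expects, and the user has no way to change it."""

    def __init__(self):
        self.templates = {}

    def enroll(self, user, sample):
        self.templates[user] = bytes(sample)

    def verify(self, user, sample):
        return hmac.compare_digest(self.templates[user], bytes(sample))


class KeyedTemplateStore:
    """Stores HMAC(per-enrollment key, biometric) instead of the biometric.
    A leaked template is bound to the key it was made with, and re-enrolling
    with a fresh key invalidates it (a cancelable-template design)."""

    def __init__(self):
        self.keys = {}
        self.templates = {}

    def _transform(self, key, sample):
        return hmac.new(key, bytes(sample), hashlib.sha256).digest()

    def enroll(self, user, sample):
        key = secrets.token_bytes(32)   # fresh key on every (re-)enrollment
        self.keys[user] = key
        self.templates[user] = self._transform(key, sample)

    def verify(self, user, sample):
        candidate = self._transform(self.keys[user], sample)
        return hmac.compare_digest(self.templates[user], candidate)


class PasswordStore:
    """Salted, iterated hash of a password: a credential the user can replace."""

    def __init__(self):
        self.records = {}

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
        self.records[user] = (salt, digest)

    def verify(self, user, password):
        salt, digest = self.records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
        return hmac.compare_digest(digest, candidate)


def database_leak_outcome(store):
    """Attacker copies the stored template and replays it as a sample.
    Returns (accepted before re-enrollment, accepted after re-enrollment)."""
    store.enroll("alice", ALICE_FINGER)
    leaked = store.templates["alice"]
    before = store.verify("alice", leaked)
    store.enroll("alice", ALICE_FINGER)   # "revoke" by re-enrolling the same finger
    after = store.verify("alice", leaked)
    return before, after


def copied_finger_outcome(store):
    """Attacker holds a copy of the finger itself (the gelatin case).
    Re-enrollment cannot change the finger, so the copy keeps working."""
    store.enroll("alice", ALICE_FINGER)
    before = store.verify("alice", ALICE_FINGER)
    store.enroll("alice", ALICE_FINGER)
    after = store.verify("alice", ALICE_FINGER)
    return before, after


def stolen_password_outcome():
    """For contrast: a stolen password stops working once it is changed."""
    store = PasswordStore()
    stolen = b"correct horse battery staple"      # constructed sample password
    store.enroll("alice", stolen)
    before = store.verify("alice", stolen)
    store.enroll("alice", b"a different passphrase")   # user rotates the secret
    after = store.verify("alice", stolen)
    return before, after


if __name__ == "__main__":
    for name, cls in (("raw", RawTemplateStore), ("keyed", KeyedTemplateStore)):
        print(name, "DB leak:", database_leak_outcome(cls()),
              "copied finger:", copied_finger_outcome(cls()))
    print("password stolen then changed:", stolen_password_outcome())
```

Two caveats on the design. First, the keyed store only addresses theft of the stored data; it does nothing against a presentation attack, which is exactly the outcome the `copied_finger_outcome` rows show. Second, an exact HMAC over the sample only works because the sample here is noise-free; real biometric readings differ from one capture to the next, which is why deployed cancelable schemes rely on error-tolerant constructions (fuzzy extractors and similar) rather than a plain keyed hash.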
My advice is to be very wary of all of the biometric-based identity crap out there. It'll solve your problem right up until the moment it doesn't. But what do I know? I'm just an old fogey who inherently distrusts all these new-fangled doohickeys the techno-brains come up with. Now, get off of my lawn!