7February 2008 Biometric Technology Today

data which can then be compared to the live data during admission to the event. Two alternatives are conceivable from a technical perspective. The first option is to record the biometric data of all partici-pants ahead of the event, for instance, within the scope of pre-enrolment. In this kind of closed user group, the biometric data would then be stored with the consent of the users and compared with the live data during admission controls. This leads to a number of questions concerning practicability since it means a considerable degree of additional effort for all those involved and requires an enrol-ment procedure ahead of the event.

Since enrolment is to take place at the time the admission ticket is purchased, the impact on the infrastructure used would be enormous. Even though this model does appear interesting for peo-ple with season tickets, it cannot be the preferred model for people who visit sports events on an irregular basis, and it does not seem to be suitable for open user groups.

This means that a system used by open user groups would have to be designed in a completely different way. By using existing official electronic ID documents to verify the identity of the holder, biometric enrolment for the individual event could be avoided. Of course it must be clarified whether

the country’s legal regulations permit this use case or not. Privacy is particularly protected because unlike any other document, a highly secure, gov-ernment-issued document meets all security and data protection requirements. Moreover, the use of ePassports or ID cards in applications of this kind creates synergies and boosts acceptance of these technologies among citizens.

Interoperability Since only part of the population have passports, electronic ID cards are particularly suitable for the purpose here – at least in countries that issue such documents. Electronic ID cards are currently issued by a number of European countries and it can be expected that this number will increase strongly in the future. Special challenges in this context are the question of interoperability of electronic ID cards and electronic ID services. How can a citizen of one EU country use his/her electronic ID card to take part in an event in another country? The cross-border interoperability of electronic ID services is a challenge that has yet to be mastered and which has been picked up at EU level in several projects, such as the Large Scale Trials STORK (Secure Identity Across Borders Acknowledged). The aim is to

implement a pan-EU system for recognition of ID cards and authentication in order to make use of electronic ID services. However, it is still early days for this pan-European co-operation to create an integrated solution for cross-border recognition and authentication of electronic ID cards.

In addition to technical agreements, a frame-work of this kind naturally calls for the acceptance and recognition of country-specific enrolment processes and hence mutual trust between coun-tries in security and organisational processes.

This means that it will take some time before French nationals, for instance, can come to a football game in Germany and have their identity verified in a secure and convenient way, using their electronic ID cards. However, public authori-ties and industry have the opportunity to boost acceptance of biometric technologies and electronic ID cards and, at the same time, strengthen co-operation within the EU by establishing joint eID services.

This feature was provided by Gregor Költzsch, business development manager, application marketing at Bundesdruckerei. He can be contacted at: Tel: +49 2598 3018, Fax: +49 30 2598 1717, email: gregor.koeltzsch@bdr.de, web: www.bdr.de

SURVEY

With the increased reliance of modern society on technology, fraudsters have devel-oped new exploitative techniques to prey upon the unsuspecting and the vulnerable. Identity thieves, for example, send realistic, yet illegitimate, emails designed to harvest passwords and identity information from the careless and the inexperienced. One infa-mous email scam, for example, alleges that a target’s bank account has been compromised and directs the target to a spoofed website which records personal data submitted by the target in an attempt to regain control of the supposedly compromised account.

The cost of identity fraud, which includes tangible sums lost and expenditures to recover stolen goods, identities, or privi-

leges, can be enormous. In 2002, the United Kingdom Home Office estimated identity fraud costs of around £1.3 billion, annu-ally. In 2006, this number increased to £1.7 billion, annually, according to conservative United Kingdom government estimates. That same year, identity theft, alone, victim-ized over eight million people in the United States to the tune of more than US$49 bil-lion, according to the California Office of Privacy Protection. Unfortunately, losses due to identity fraud are likely to increase as fraudsters and thieves expand their reach thanks to increased globalization and rapid development of technology.

Identity is often seen as a proxy for trust-worthiness, whether through linkage of

identity to a historical and/or transactional record, or through connection of identity to a privilege or right. Trustworthiness is the first victim of any fraudulent act. Security, robustness, and confidence of identity are therefore critical. Biometrics, if employed judiciously and with apprecia-tion for the limitations and vulnerabilities of the technology, can satisfy such crucial needs.

By focusing on elements that are inherent to an individual, biometrics technologies enable the deterrence, inhibition, and miti-gation of identity fraud. Biometrics offer additional protections that are unavailable or weaker through more traditional authen-tication or identification technologies. These include:

• convenience;• accountability; and• security.

Biometrics can obviate the carrying of identifying tokens or cards that can be lost, misplaced, or – more saliently – stolen,

This month’s survey will address the intersection of biometrics and identi-ty fraud. Specifically, it will discuss three topics: how biometric technolo-gies improve upon alternative identification and authentication technolo-gies in the fight against identity fraud; how biometric systems themselves can be targets of identity fraudsters and what countermeasures can be adopted; and societal and operational challenges and concerns which arise from the utilization of biometrics in combating identity fraud.

Biometrics and identity fraud

8Biometric Technology Today February 2008

SURVEY

leading to fraudulent access or unauthorized transactions. Biometrics can also eliminate the need to remember passwords or PINs. Often, people select simplistic passwords that can be easily guessed or hacked because they fear they will forget more complex passwords.

Biometric technologies are excellent when transferability is of concern. Instead of relying on force or compulsion, identity thieves achieve success through convinc-ing, coercion, and deception designed to encourage victims to surrender, or provide access to, a privilege, right, or item of value. Sophisticated scams can lead victims con-sciously and willingly to hand over personal data to perpetrators of fraud.

Biometric characteristics are distinctive and personal. Their transference from one individual to another can be, as mentioned earlier, extremely challenging. Phishing attacks are impeded. This can also contrib-ute markedly to accountability, in addition to deterring and inhibiting fraud. If it is difficult for a fraudster to trick an indi-vidual into giving up their biometric, then any action taken that can be linked to that biometric is likely to have been undertaken by the legitimate possessor of the biometric in question. This helps deter false claims of identity theft or victimization.

With more traditional authentica-tion/identification technologies, however, transferability can translate into reduced accountability. A fraudster could borrow access cards or passwords that allow him to take advantage of services or privileges intended for another. There could even be complicity in this effort – something that would take a high degree of personal sacrifice if biometrics were involved. In order to prevent such types of abuse, Texas’ Health and Human Services Commission implemented, with IBG guidance, a finger-print-based patient check-in and check-out process for those receiving Medicaid-funded services. In this way, family members would be deterred from trying to receive medical services intended for their relatives by pre-tending to be the proper Medicaid recipient.

Biometrics can also add an element of accountability by deterring and inhibiting fraudulent attempts at establishing or rely-ing on multiple identities. In the past, for instance, certain fraudsters with histories of cashing bad checks would assume several iden-tities: some invented, some stolen. The intro-duction of biometric technologies and sys-tems, however, has helped identify and address problems of multiple registrations by linking personal, biometric characteristics, rather

than just nominal identities, to transactional histories and other historical records. This has also aided in the combating of fraudulent acts including multiple civil ID registrations and visa shopping.

Biometric characteristics also provide additional anti-identity fraud security ben-efits thanks to their inherent nature; com-pared to passwords/PINs and cards/fobs/tokens, biometric characteristics are gener-ally more difficult to capture, steal, repli-cate, and fake. Cards, for instance, are often designed to be robust, yet flexible enough that, in case they are lost, a replacement can be relatively easily created. PINs can be sniffed out through tracking or hidden monitoring technologies. They can also be readily discovered, in several cases, through brute force and trial-and-error techniques. Replication of a compromised PIN is then no more complicated than re-entering the newly revealed PIN.

It can be challenging, however, to create a replica of a biometric characteristic that has sufficient fidelity to work with a tar-geted biometric system. Creating a plausible fake iris, for example, requires more effort than just copying electronic data onto a new smart card or retyping a password (in which cases the artifact will be identical to the genuine sample). This is due in part to liveness detection, a security function that is built into several biometric systems. Liveness detection, a fraud countermeasure, deters or inhibits the presentation of arti-facts, called spoofs, as legitimate biometric characteristics. Examples of liveness detec-tion include: measurement of finger per-spiration over time, 2D Fourier spectrum analyses, and behavioral reactions to cues (e.g. – blinking upon command).

In addition, several biometric systems rely on templates, rather than full images of bio-metric characteristics, for reasons that range from privacy to cost to efficiency of data management and processing. Attempting to regenerate or reverse-engineer a com-plete biometric image from just a select template is a very challenging, if not, at times, outright impossible, task. Also, trying alternative, brute-force techniques to recre-ate a biometric characteristic could require extremely lengthy and impractical periods of time, given the vast number and variability of components that make up many biometric characteristics.

Furthermore, biometric systems can often be costly, expensive, and technologically complex. Spending large sums of money to obtain a biometric device for study and identification of vulnerabilities and

penetration points may not be cost effective. Likewise, even those who have the resources and know-how to create fake biometric characteristics, however, may find the effort of doing so to be cost-inefficient, especially when the value of the item or privilege being protected is outweighed by the cost of fraudulently obtaining it.

While biometrics offer significant advan-tages over more traditional and conventional authentication/identification technologies, it is important to note that this does not mean that biometrics should be employed in lieu of these other technologies. When issues of security and protection of identity are at stake, it may be optimal to leverage as many proven options as are practical and affordable, especially given the potentially high cost of identity theft and the ease with which identity theft and related fraud can often be committed.

Also, biometrics have their own inherent vulnerabilities. These potential weaknesses can sometimes be mitigated by adopting complementary technologies which can provide an extra – if not necessarily equally effective – layer of defense. Where fraud is involved, the need for security may out-weigh convenience and cost; such scenarios encourage reliance on an authentication trifecta that consists of:

• something you have;• something you know;• and something you are.

While biometric technologies can prove to be relatively robust and effective tools in fraud reduction through deterrence, inhibition, and mitigation, biometric sys-tems themselves are not wholly immune to fraudulent and exploitative attacks. These attacks can be classified according to three overarching categories:

• Input Level Attacks;• Processing and Transmission Level Attacks;

and• Backend and Storage Level Attacks.

Input Level Attacks generally fall into one of three categories:

• Spoofing Attacks; • Bypassing Attacks; and • Overloading Attacks.

Spoofing attacks consist of attempts to deceive biometric system sensors into accepting an artifact as a legitimate biometric sample, typically for false enrollment,

9February 2008 Biometric Technology Today

SURVEY

Table 1. Examples of spoof types for five established biometric modalities.

Fingerprint Face Iris Hand Geometry Voice Recognition

ProsthesesProps/ Models/Gag ItemsPhotograph ImitationsResidual PrintsLatent Prints

ProsthesesMasks/DisguisesPhotograph Imitations

ProsthesesVideo Playback RecordingsPhotograph ImitationsImprinted Contact Lenses

ProsthesesProps/ Models/Gag Items

Audio Playback RecordingsAudio Composite Recordings

verification, or identification purposes. Spoofing attacks are usually considered to be attempts at breaking into biometric sys-tems that are predominantly physiological in their focus. Biometric systems that are pre-dominantly behaviorally-based revolve less around the creation of spoof items and more around careful observation and practiced imitation of legitimate behavior. Examples of spoof types for five established biometric modalities can be seen in Table 1.

To address the threat of spoofing, IBG has established Spoof Effectiveness and Resistance Testing (SERT). SERT is the industry’s first attempt at systematically and extensively analyzing the susceptibility of fingerprint and iris recognition technologies to spoofing. SERT includes the introduction of novel anti-spoofing performance metrics, such as Response Training Count and Spoof Detection Rates.

Bypassing attacks consists of attempts to circumvent biometric system processes by creating artificial failures during enrollment or recognition so as to skip the biometric system altogether. One example of a bypass-ing attack would be to alter the quality of a biometric characteristic in such a way that a biometric system has difficulty acquiring that characteristic. This could, for example, entail artificially filing down fingerprints so that there is a failure to enroll. The risk, as a result, is that an individual could then possibly be excused from biometric system recognition requirements and permitted to use a less robust authentication/identification system.

Closely related to bypassing attacks are variants called overloading attacks. In an overloading attack, a fraudster attempts to defeat or circumvent a biometric system by damaging or overwhelming the biometric sensor(s). Overloading attacks can range from flashing strobe lights against an optical sensor to presenting artificial heat sources

to near-infrared-based sensors to short cir-cuiting of sensitive sensors using liquids. As with bypassing attacks, the goal of an over-loading attack is to either reduce the robust-ness, precision, and accuracy of the targeted biometric system and/or to encourage the substitution of the biometric recognition method with a less robust authentication/identification process and mechanism.

Processing and Transmission Level Attacks generally fall into one of three categories:

• hacking;• skimming/sniffing;• hill-climbing.

Strictly speaking, processing and transmis-sion level attacks are less acts of deception and fraud and more based on direct, techni-cal challenges. However, the result of success in any such attack on a biometric system could be the enablement of future acts of fraud, so it is important to be aware of these potential vulnerabilities.

Hacking, as herein defined, consists of electronically-based attempts to penetrate a biometric system by altering the operation and functionality of the system through non-physical modifications and subterfuge (often at the code or system communica-tions levels). A hacker could change the enrollment or recognition algorithms of a biometric system, lowering thresholds to accommodate less robust performance and security checks. They could program the sys-tem to forward to them copies of legitimate samples or instruct the system to allow them special, otherwise unauthorized, access.

Skimming and sniffing refer to tech-niques by which data is captured – often surreptitiously – during communication or processing of the information. Skimming devices, for example, could be designed to read and copy biometric data being submit-ted on a smart card to a biometric system

for comparison against a live sample. This data could then be later illegally replicated. Sniffing could occur if monitoring programs are put in place to capture data packets being sent from the capture sensor to the backend for verification.

Hill-climbing attacks consist, first, of the presentation of a test biometric sample to a biometric algorithm for comparison against an enrolled sample. A match score is then obtained and studied so that a new test sam-ple can be presented for re-comparison and the achievement of a higher match score. This process is re-iterated until the biomet-ric system’s threshold has been discovered and is penetrable.

Backend and Storage Level Attacks generally fall into two categories:

• infiltration; and• implantation.

As with the process and transmission level, the backend and storage levels are susceptible to malicious hacking. Skilled hacker-fraudsters could alter the permission levels tied to specific images or templates stored in databases. They could infiltrate the backend and alter the way biometric data is classified and stored. More of concern, they could perhaps steal biometric characteristics data and try to generate spoofs using the information captured.

In addition, acts of fraud can be facili-tated if fraudsters are able to gain unauthor-ized or complicit access to backend and storage databases of biometric information to perform acts of implantation. In this attack, fraudsters might implant their own biometric characteristics into a targeted bio-metric system’s database. By so doing, fraud-sters would be able to appear as legitimately authorized individuals with free access to the rights or privileges otherwise secured by the biometric system.

10

SURVEY

Biometric Technology Today February 2008

CountermeasuresIn order to counter – or at least inhibit – the three aforementioned types of attacks, certain countermeasures can be enacted. These countermeasures can be classified according to the level of attack they are best suited to address.

At the input level, spoofing is typically counteracted by the attempt to determine whether or not a live, real human sample is being presented to the capture device. This is, as mentioned earlier, called liveness detection and is based on the assumption that, with the exception of some cadaver recognition applications, a legitimate bio-metric will always be presented by the live possessor of that biometric characteristic. Examples of liveness detection methods for five established biometric modalities are shown in Table 2.

As for bypassing and overloading attacks, countermeasures include increased ruggediza-tion of capture devices and sensor equipment, conscientious form factor design (e.g. – creat-ing shielding from external light sources that could be potentially malevolent), supervision of enrollment and recognition submission processes, as well as rigorous fallback pro-cedures and processes. After all, those who seek to accomplish fraud will often target the weakest link. If this means taxing a biomet-ric system out so that, for example, access to a secure facility can be obtained through a potentially more fallible human guard inexperienced at identifying fake identity documents, that will often be the strategy of choice for motivated fraudsters.

At the processing and transmission levels, countermeasures may entail proven informa-tion systems and information technology security techniques, such as the use of firewalls

and encryption. After all, at a certain level, biometric data is often converted into streams of digital data that should be accorded no less than the rudimentary secu-rity protections already commonplace for digital information that is less personally sensitive. In addition, best practices should be implemented, such as requiring the use of data transmission shields (that limit the range at which data can be sniffed from contactless smart chips), as well as strict limitation of access to matching score data.

At the backend and storage levels, highly advisable countermeasures include firewalls, as well as extensive auditing functions and logs of modifications executed (whether they are additions, subtractions, or alterations of biometric data). A best practice countermea-sure would also be the frequent, though not necessarily habitual or scheduled, review of random images and templates for evidence of tampering, alteration, missing presence, or unexpected presence.

Further countermeasuresIn order further to deter or inhibit the abuse of biometric systems by fraudsters, biometric systems may also be designed with the fol-lowing four countermeasures:

• multifactor or multimodal authentication requirements;

• randomization of modality; • system challenges; and• emphasis on internal/subcutaneous

characteristics.

By adopting multifactor or multimodal systems, deployers increase the challenge for fraudsters by requiring them to defeat several disparate systems for which the optimum

exploitation and penetration techniques may be very different. Though there is a convenience tradeoff, the security that accrues can be signifi-cant, particularly when security of identity is at stake. The main caveat, however, is that poten-tial fraudsters are not encouraged to pretend to be unable to utilize one of the modalities so as to simplify their, say, spoofing task.

To provide a little more of a balance between convenience and security, a multi-modal system could still be employed, but with only one or two randomly selected bio-metric modalities required for authentica-tion/identification. Variations could also be introduced intra-modality (e.g. – requiring submission of a right index finger one day, and a left thumb on the next day).

The authentication/identification systems could also be designed to issue random-ized as well as cued challenges – even if the original submission would otherwise have been acceptable. At the very least, this implementation would provide the opportu-nity to obtain two biometric samples. Were the samples unusually similar, extra caution might be merited in case a spoof is involved, as the likelihood that a person will be so infallible as to place their biometric so con-sistently is slim.

Finally, biometric systems can be deployed and designed so as to focus on internal or subcutaneous characteristics that are generally much more difficult to capture surreptitiously, as well as to forge or modify.

Cancellable biometrics?While a lot of focus has been placed on the design and utilization of biometrics to deter, inhibit, and – to a lesser degree – mitigate non-biometric fraud, comparatively little attention has been paid to the consequences

Fingerprint Face Iris Hand Geometry Voice Recognition

Spectroscopic AnalysisTemporal Variation in Perspiration

Reactivity to Cues, Commands, and Stimuli (e.g. – blinking)

Photonic and Spectrographic AnalysisReactivity to Stimuli (e.g. – pupil dilation)Ink/Dye DetectionTimestamping and Byte Scrambling

RequiredContact with Specifically- Placed Prongs

Recitation of Randomly Generated Passphrases

Table 2. Examples of liveness detection methods for five established biometric modalities.

11

SURVEY

February 2008 Biometric Technology Today

and implications when fraudsters are success-ful in compromising biometric data. Because biometric characteristics are so intrinsic and relatively immutable, this is an issue of par-ticular concern that can impact the successful deployment of the technologies.

To address concern over the immutabil-ity of biometrics, research has been con-ducted by entities like IBM and the Korean Biometrics Engineering Research Center into cancellable biometrics, also known as changeable biometrics. The high-level concept of such research has been to look into altering biometric data that is cap-tured before it is actually fully processed and stored in template form. In this way, a compromised biometric can theoretically be revoked and a new algorithm can generate a novel distortion of the affected individual’s biometric characteristic – essentially giving them a new biometric.

However, one should keep in mind that if a fraudster were able to get a hold of the original source biometric characteristic (or an equivalent spoof ), this approach would not suffice, as the fraudster would then still be able to regenerate a new cancellable/changeable biometric characteristic just as easily as the legitimate bearer of the original source biometric.

As biometric systems increasingly protect sensitive data and items or access privileges of high value, the incentive fraudulently to exploit them will also increase. And at some point, as has been the case with virtually every major security technology in the past, biometric data will be compromised.

Separating biometrics and biographicsOne of the important ways in which the impact of such compromise can be mitigated is to separate, whenever feasible and reason-able, the connection between an individual’s nominal identity and their biometric iden-tity. If, for instance, a deployment merely requires a determination as to whether or not a given individual, represented by their biometric characteristics, should be granted access to a given secure location, then there

is no need permanently to link the indi-vidual’s name and background information to their biometric data after an initial back-ground check has been conducted.

Whereas names have often served as prox-ies for trustworthiness or transactional histo-ries, biometrics can now serve this purpose going forward. With biometrics there is also the possibility of selecting different biometric aspects for accreditation or validation given each distinct application or deployment. A single biometric characteristic, thus, has the flexibility to serve in a variety of functions that process that biometric differently – with-out making that biometric into a universal identifier rife with the problems of overuse that have plagued the United States social security number.

In the scenario described, above, if a fraudster compromises one biometric sys-tem, the damage is mitigated insofar as other systems and deployments may still be protected, in addition to sensitive and private information tied to one’s nominal identity.

Value of biometric dataFinally, one of the remaining challenges with respect to biometrics and identity fraud is the determination of how to value biometric data. This is especially important as fraud-sters increasingly target not just data protect-ed by biometrics, but biometric data, itself.

Traditionally, items have been valued based on three factors:

• scarcity;• uniqueness; and• demand.

With biometrics, however, such a framework for assessing value is of little use: virtually each and every given biometric characteristic is inherently distinct (if not unique), scarce, and of high demand for both the possessor and potential imposters/fraudsters. It would seem, therefore, that all biometric characteristics should be deemed priceless or at least assigned extremely lofty values.

However, this would be impractical in an age of risk calculations and need by insurance

companies, governments, and other entities realistically to quantify the impact and cost of fraud. Therefore, valuation of a biometric is best conducted according to a different set of three factors:

• value of the biometrically-protected item or privilege;

• range of utility; and • spoofability.

In addition, whenever a biometric system is designed, careful consideration needs to be taken as to whether templates or images should be used. Generally, images will be more valuable from perspectives concerned with forensics, interoperability, and scalabil-ity. Templates, however, will be more desir-able from an identity-protecting perspective. Thus, from an identity fraud reduction perspective, the guiding principle should be that templates, which are more limited than images, normally, should be employed whenever possible in lieu of images. To achieve this balance, a negative incentive should be implemented such that there will be stiffer legal penalties for compromised biometric image data versus biometric template data.

SummaryIn summary, biometric technologies offer a promising tool in the fight against identity fraud. If deployed with a careful under-standing of their realistic capabilities and vulnerabilities, as well as an appreciation for their potential and likely impacts on society, biometric technologies can help deter, com-bat, and mitigate identity fraud.

There will certainly be challenges in obtaining such understanding and apprecia-tion, but with proper guidance from inde-pendent and experienced biometric experts, a future with reduced and more manageable levels of identity fraud will be in reach.

This survey was contributed by the Victor Lee, senior consultant with International Biometric Group, an international biometric consultancy and integrator. For more information Tel: +1 212 809 9491, email vlee@biometricgroup.com or visit www.biometricgroup.com