Debate Session (III) – Why risk management and vulnerability

assessment is important?

Dr Ted Dunstone, Chair Technical Panel Biometrics Institute,

CEO Biometix

Some Debate Questions• What are the main vulnerability points of ABC systems and

their known (and unknown) strengths and weaknesses?• What are current known real world biometric attacks? • What are the implications of these attacks? And how to

mitigate them?• How to insure vulnerability is included in overall ABC risk

management?• How to assess the risks and what are the methods for

penetration testing?• What is a research direction for vulnerability detection for

ABC systems?• How to encourage border management agencies to address

potential vulnerabilities?• How to exchange and share the experiences on this topic?

Biometrics & Vulnerability Now• Things are changing rapidly (at last!)

– BVEAG Meeting In London– ISO standards still primarily address performance testing

but 30107 addresses presentation attack (spoofing)– Two NIST conferences on biometric performance – both

had significant content relating to vulnerabilities– LivDet – 2009, 2011, 2013 fingerprint liveness detection

competition– Tabula Rasa – Trusted Biometrics under Spoofing Attacks– BEAT – Biometrics Evaluation and Testing– Governments are including “spoof resistance” in

procurement specs

Some Real Vulnerability Cases

Japan: Fingerprint Spoofing (Published 29 January 2010)

• Two South Korean women using

special tapes on their fingers;Canada: Facial Spoofing (November 2010) - Air Canada

•

US: Fingerprints Removed• Cancer drug Capecitabine

removed fingerprints

• Brazilian Hospital• (March 2013)

5

Vulnerability Web Results

• Biometric Spoofing: 8,140,000• Fingerprint Biometric Spoofing : 547,000• Face Biometric Spoofing: 276,000• Iris Biometric Spoofing: 97,900• Voice Biometric Spoofing: 3,200,000 (!)• Speaker Verification Biometric Spoofing

(1,750,000)

Aims

• Recognise that biometric vulnerability has become mainstream and share some of the activities that are underway

• Find ways to improve transparency so that all parties speak a common language and understand how systems can be/have been tested.

• Procurements specs, test results and statements about performance should be objective and unambiguous.

• Improve the performance of biometric systems spoof resistance, leading to wider deployment.

Vulnerability Checklist What are the common vulnerabilities for your technology (including

biometrics)? Do you have a risk management plan, and does it include the potential for

biometric vulnerability? Are you aware of the difference between a standard false accept rate and

a biometric vulnerability? For your system what vulnerability related documentation exists? Are there any configuration options to for the vulnerability detection? Will there be tradeoffs in performance using the vulnerability detection? How is a potential vulnerability notified? What types of conditions might create a false vulnerability alert? Do you have a plan in your enrolment or verification workflow that

supports vulnerability? What mitigations can be established to protect against vulnerabilities? Would you use external resources to conduct an assessment?