
How Biometric Security Is Far From Foolproof
By WILLIAM M. BULKELEY
The Wall Street Journal
December 21, 2006
Growing numbers of companies are relying on biometric devices like fingerprint readers and iris scanners to identify customers and employees and make sure they aren't poseurs.
But with increasing use has come increasing worry that these security devices can be faked out. Deception methods including well-made copies of fingerprints, masks or contact lenses that replicate iris patterns might be used to defeat the new identification technologies.
In a sign of the growing fears, Financial Services Technology Consortium, a New York-based group of financial institutions, has hired a consulting firm to examine how successful biometric devices are at thwarting impersonation -- or "spoofing," as biometricians like to call it.
The preliminary view of the consultants, International Biometric Group, based on an early look at research, is that the devices aren't spoof-proof.
"Any high-resolution fingerprint image will have a high chance of spoofing an optical sensor," says Ross Mitchell of International Biometric. He says most fingerprint-sensing technologies -- which essentially take a picture of a fingerprint and match it against a database -- are potentially vulnerable to spoofing. Systems that use sensors that aren't optical but rely on thermal or ultrasonic imaging may be less vulnerable to fakery, "but they're still susceptible," Mr. Mitchell says.
In 2002, Tsutomu Matsumoto, a mathematician at Yokohama National University in Japan, reported he had fooled a number of fingerprint readers by creating fake fingers out of the kind of gelatin used in candy Gummy bears. Researchers at Biomedical Signal Analysis Laboratory at West Virginia University have reported they were able to fool various types of fingerprint readers between 40% and 94% of the time using cadaver fingers or fingers made of Play-Doh.
Use of biometrics in various applications is exploding. Scott Moody, chairman of AuthenTec Inc., a Melbourne, Fla., company that is the largest maker of chips used for reading fingerprints, says it will sell 6.7 million chips this year, more than double the three million last year. Fingerprint readers are increasingly common on cellphones in Japan and Korea.
Mr. Moody estimates that about 9% of all laptop computers shipped next year will have fingerprint readers to secure and simplify remote log-ons. John Morris, president of Solidus Networks Inc., a San Francisco company whose Pay By Touch system is used by a growing number of retailers, says it now has readers installed in almost 3,000 stores, up from 30 just 18 months ago.
International Biometric estimates the total market this year rose 47% to about $2.2 billion from $1.5 billion last year.
Makers of biometric devices downplay the risk of spoofing. Mr. Moody of AuthenTec says most reported spoofs have involved making a mold of a finger, which would be difficult without the individual's knowledge. Experts say it would be even more difficult to make an accurate finger replica from a latent print on a glass.
Mr. Morris -- whose Pay By Touch system is in use at 3,000 retail locations, up from just 30 two years ago -- says "the chances are extraordinarily low. We've never had an incident of any kind." He says that even if spoofing is theoretically possible, fingerprint readers are less vulnerable to thieves and hackers than credit cards or passwords.
International Biometric says the testing it is doing will provide buyers useful guidance about potential risks. Mr. Mitchell says the researchers have proved that even sophisticated fingerprint scanners, "despite high matching accuracy, could be fooled using cheap materials." The tests will be completed during the 2007 third quarter with results reported to the sponsor in the fourth quarter.
Iris recognition technology, which is becoming increasingly popular because it is considered more accurate than fingerprint reading, may be more difficult to spoof. Mr. Mitchell says there have been informal reports that some scanners have been fooled by high-resolution photos of the eye.
Some eye scanners now include a flashing light designed to make the pupil contract to prove the eyeball is real. International Biometric plans to test whether it can design a contact lens with an imposter's iris pattern to fool a scanner. Currently it doesn't plan to test face recognition or handprint geometry biometric devices.
