More good stuff, including how to make a gummy finger, at
Six leading academics have written to a Parliamentary committee to express their dismay at the way biometrics has been used as a magic wand which would have supposedly stopped Darling's great data giveaway. The six said of claims by the Prime Minister and his Chancellor: "These assertions are based on a fairy-tale view of the …
I suppose it is a lot more practical than my usual rants to el-Reg (and anyone else).
I do however question whether any politician with an ID card agenda will
a) Read it
b) Understand it
c) Care about it
They'll probably just spew the usual rubbish; mention the words Terrorist/Paedophile/Organized Criminals and just expect everyone to forgive and forget for the "sake of the children".
Isn't it wonderful how politicians never bother to answer any questions (even in Parliament) and just stick to their briefs/agenda/agreed position/party-line irrespective of the points raised.
Biometric technology has a long way to go. My former workplace didn't bother using the biometric logins on their laptops on the basis that removing the hard drive of a stolen laptop would gain access to the data anyway, so other (less irritating to the staff) encryption methods would have to be used on the data itself. Seriously, this is just a push to enroll everyone in a scheme where misuse and theft would become commonplace. Sigh.
It dismays me that the blatantly obvious seems to need to be pointed out all the time. What does that say about my fellow citizens, or those elected to high office on the basis of their own interest, who they know, and good social/people skills?
What seriously? You mean the bad guys can change the biometric details and still use the ID, and yet the ID is more trusted than ever before? Who'd have thought it? Well that's it then, everyone on the database, and police and shopkeepers and Uncle Tom Cobbley make spot checks of everyone's card data, say 5 times a day, on their hand held radio connections to the database? Just so long as the initial data load is ok, don't worry, just do as you're told. Trust me, I'm an authority figure, I don't go around tasing anyone.
It's about time these idiots stepped down. They are clueless about the technology, think the public are idiots and seem to think saying sorry and ordering a review will fix it.
Why not review all practices and examine the workings before anything goes wrong?
Have they not heard of the term "audit"?
The first thing any minister should do when they take the reins of a department is discover how it works.
"Once lost, it would be impossible to issue a person with new fingerprints."
Really? Maybe I watch too many movies, but can't you burn off your fingertips with acid? I would have thought you could at least alter them with a quick exposure.
If I'm right about this, the government will probably make regular fingerprint changes mandatory for security, like companies make employees change their work passwords regularly. It would at least be satisfying to watch El Reg's local IngSoc comment trolls go through it. "Yep, time to change my fingerprints. I don't mind, after all we do need to defeat terrorism and keep out those filthy ni^H^H^H^H secure Britain's borders. And I have nothing to hide, so I have nothing to OH GOD IT BURNS MAKE IT STOP OH GOD PLEASE PLEASE STOP IT BURNS PLEASE so anyway like I was saying it's a small price to pay for security, don't talk to me about human rights, what about our right not to be killed by terrorists, and if you don't like Britain, why don't you leave?"
It's interesting to see journalists in the mainstream media waking up to the shortfalls of biometric technology (The Register excluded of course). The movies have covered this many times; latex fingerprints, realistic face masks, severed digits or someone else's eyeballs. Biometrics are not a foolproof security mechanism - they are not secret (in particular facial biometrics!), can therefore be spoofed (depending on the level of countermeasures in the biometric system) and are really difficult to revoke once compromised (so-called cancellable biometrics have been researched but have somewhat limited applicability).
However - this does not make biometrics irrelevant as a means of adding security in relation to identity. After all, biometrics are used in this way by humans every day - whether facial recognition, voice recognition or gait recognition. It is the appropriateness of the application that is important. Being able to access valuable services in an unsupervised environment using a total internal reflection fingerprint scanner based on a single factor only (i.e. the finger) is indeed foolish. It is relatively straightforward to overcome this security and once your biometric has been compromised you can't do much about it until the system is changed. Do the same thing with 2 factors however and the security is increased. The fraudster has to first get hold of your token or pin, which you can cancel like a credit card. This level of security is adequate for many applications.
In terms of "spoofability" - everyone agrees that faking fingerprints is relatively straightforward. This is partially true, though scanners by some manufacturers are much much more difficult to overcome, such as 3d systems (e.g. touchless biometric systems) and multispectral scanners (e.g. Lumidigm) - something not covered by the somewhat poorly researched bad science article linked to by Neil. Other biometric modes such as fingervein are much more difficult to fake. Combine different modes together and the difficulty presented to the fraudster is extremely high (imagine trying to present a fake 3d face biometric and fake hand biometric at the same time).
It’s also an exaggeration to say that a biometric "is lost for life" once compromised. We have a face photo on our passport to prove it is ours. If someone manages to create a Mission Impossible style mask so they can look like you, is your facial biometric lost for life? Or a more realistic example - before chip & pin, if someone was able to forge your signature did that mean you could never use that signature again?
Anyway, the point is that while biometrics are not a panacea, and only form part of a security system anyway, they can in many circumstances add to that security (and here's the usual bleedin obvious ending) provided they're used appropriately.
Re "if you don't like Britain, why don't you leave?"
Let's go, then see them try to build a database. Anyone got any suggestions as to where? Should be lots of work in outsourced projects available, after all doesn't the fatherland need an ID card system? We could probably make a billion or two profit.
"Really? Maybe I watch too many movies, but can't you burn off your fingertips with acid? I would have thought you could at least alter them with a quick exposure."
Yes, you can use acid to remove your prints, but the problem is they re-appear as your body heals and come back the same as before.
well Sir David Varney may help with his plans "to create a giant centralised government database containing information about everybody in the country" might be enough to push it
I used to think HMG incompetence would be on our side with ID card scheme - i.e. they wouldn't be able to get it to work, but now it appears they can make it worse than paying a bit more tax - free data to fraudsters
What's protecting the biometric data? What happens when someone gets the hashes/pictures/etc of the fingerprints, matched up to owners, then uses that data? There's still data to be lost/misappropriated/stolen/faked.
What I would like to know, is if they make the readers accurate, would that argument I once had with a blunt pen knife render me unrecognisable for a week?
What biometrics are they planning on using for people with no hands? There would have to be more than one biometric system in place to cater for that, but most biometric things I've seen either concentrate on finger prints or iris scans.
AC, "some perspective on biometrics", thank you for your +5 insightful post.
As is suggested, one of the traditional biometrics (the signature) is being phased out as it is too simple to defeat - not helped by the fact that the two security factors (the card and the signature) were kept together, and the signature was visible. For a number of years before Chip'n'Pin I had a cheque/debit card which had an additional biometric factor - my photo was etched into the reverse of the card. This works both ways - as this was genuine it would prevent the casual misuse of my card by an opportunistic villain, but if it had been falsified it would have presented a false verification.
The prevalence of identity fraud today is partly due to the security factors in many cases being *only* ones protected by obscurity. "What is your mother's maiden name" isn't much help if, like me, all your family details are published in Debrett. And so many systems today have a genuine security factor (a password) which can be defeated using a less secure factor. As long as agencies use obscurity protected security factors, sources like the NIR will be the ultimate honeypot, with or without the biometric silver bullet.
The thing is, villains don't need to defeat the tightest security, they only need to defeat the weakest bit. If your datacentre has a three factor security controlled front door, they only need to jemmy the yale on the back door (assuming it isn't on the latch). They don't need to guess your password, they only need enough information to reset it. They don't need to dive through your used teabags for your old bank statements, they just need to find a lost mailbag - you see, for most fraud they don't need to target a specific victim, anyone will do. That is why the HMRC discs are so valuable - if good fortune provides them with one security factor for *anybody*, the discs will provide other obscurity protected ones with a 50% likelihood of success.
Your fingerprints may (indeed often do) reappear after being burned off, depending upon how much scarring you leave behind, they are no good if they are compromised by scar tissue. What no one seems to have a solution to (or even be discussing) is what about the 5%ish of people who have jobs that constantly wear down their fingertips:
Brickies / builders
I'm sure there is more, but that would seem a significant portion of the population, enough to trash the whole biometrics aspect of the ID cards (if not the whole thing) anyway.
the current government have such a hard-on for biometrics.
It could have been just wishful thinking and a load of flannel from putative sellers of equipment but there have been so many people showing them how it can go wrong, so little saying how that could be fixed and so many adamant statements that it WILL go ahead that it cannot be just that.
But even if it were so that the current stock of MPs can go (like Blunkett did) to biometrics firms for a job when the MP job falls through, that would
a) be too obvious
b) not enough to override other venues of feather-bedding
so I'm left wondering what the clucking bell is happening to make them so blind to the problems with the NIR.
For Tony and GWB I could see that it could be religiously led: the rapture will be preceded by several signs, including a hidden mark on each person without which they cannot live work and buy (oooh! NIR!!!) and then all the good people will be taken to heaven to watch the bad people being fried for all eternity.
But it can't be all that widespread.
So what's going on?
I think there is a general misunderstanding of how they propose to use biometrics to link individuals to an electronic identity/identity card. As far as I understand it the proposal is to use a biometric to unlock a digital certificate stored on a smartcard which may have other identifiers on it also, such as photo, name, mag stripe, 3D barcode etc. The biometric replaces the PIN normally used to release such information from a card (such as a credit card etc). I don't think anyone is proposing to have a single biometric identifier system since that would be pretty unworkable (the computing power needs to identify 'who am I' rather than 'am I who I say I am').
The biometric is just used to create a very large number when hashed through an algorithm; you can't steal it since it is just a number, and most secure systems will reject exact matches anyway, while encrypting and timestamping traffic between reader and card.
It does all work, but very expensive, and you need to be very sure who people are at registration. Only took 3 months to do paper ID cards though last time
It is sufficient to bind the issuing of the ID to biometrics.
From there on simple PKI will do which does not need any connection to the central database. That can be implemented using currently existing mass produced tech. Smart card readers have been around for ages. Most smart cards can carry 32-64K data which is enough for your certificate and a signed photo.
1. Forgery becomes practically impossible. You cannot forge a PKI signed ID.
2. It is trivial to hook up the reader to a display to show the data of the person.
3. It does not need verification versus a centralised database.
So the ID can work and it does not need an access to centralised database on every verification.
I know there are other biometric systems but I don't really expect my local branch to have a 3d body scanner outside the local hole in the wall. I don't really expect it to have an iris scanner. It will be a simple fingerprint reader on the card or on the machine itself followed by insertion of the card to read the chip (validated as being held by me) and then the PIN (which validates the chip).
I really don't see how this stops the criminal from mugging me as I extract the money from the machine. Tell you what would tho.. simple CCTV.
"Was this you taking the money out of this machine?" "Yes"
"And is this the guy mugging you?" "Yes"
"I'm sorry sir but he doesn't appear to have a National ID card on him, we therefore can't prosecute him".
I wonder how many Nulabour freaks watched Diamonds are Forever the other week where Q fashions a fake fingerprint Bond could stick on his fingers.
Extreme scifi you would think, I wonder if they saw the Mythbusters episode where the same thing was done for real, and fooled their vast array of security devices - even the airport style readers.
Now, would you want anybody downloading the data to do that to you!
Drill and sandpaper may be the only way of escaping fraud - that's if the meat cleaver is unavailable.
"Combine different modes together and the difficulty presented to the fraudster is extremely high (imagine trying to present a fake 3d face biometric and fake hand biometric at the same time)."
Imagine also the cost of providing a hand and face biometric scanner at every EPOS in the country. Or even every benefit office. Imagine *another* zero on the end of the bill for implementing it. For no increase in the return.
Biometric ID will do nothing to protect the identities of members of the public in ways that are meaningful. Greedy loan companies will still allow postal applications in your name. Stuff can still be bought across websites from overseas using your details. How do you validate a biometric ID token from so far away?
FYI - based on what's happening in Japan I wouldn't expect simple fingerprint scanners to be used at cash machines. In Japan many cash machines already incorporate finger vein scanners, which are used by customers in conjunction with PIN and cash card. Simple fingerprint scanners weren't seen as appropriate by the Japanese Banks. Also worth adding that in Japan cash dispensers are rarely if ever outside "hole in the walls", and are instead located within shops, offices, stations etc.
While it's true that some of the bio systems you mention are hard to compromise, you can bet your boots that our government will buy the cheapest, shittest hardware / software systems they can lay their hands on.
Then they'll 'protect' it by making sure anybody can access it ('admin' and 'password' are tried and tested favourites) - this should save on costs a bit (especially if somebody forgets their password)
Then they'll give every public servant you can think of access whilst selling as much of the information as they can to companies (and remember, the NIR has been enabled with statutory instruments that will allow the home secretary to increase the amount of data collated about you with NO recourse to parliament).
Well come on - how else are you going to raise revenue when we've got no industry and are massively in debt?
It beggars belief that this government don't understand that, by *losing* 25 million citizens' personal information, they have forfeited any rights they might conceivably have had to even consider thinking about collecting and storing even more personal information. Which is to say: Gordon, get f**ked.
"so-called cancellable biometrics have been researched but have somewhat limited applicability" - Forgive me, but I wondered how one might go about cancelling someone's biometrics - and then immediately thought of a large leather-clad bloke with a shotgun - "Your biomedric dada has been turminaded!" *BANG*
The only thing that biometrics would have achieved in this case would have been even more detail included in the data lost by Civil "Service" incompetence.
So as well as being able to obtain known accurate NI numbers, names, addresses, dates of birth, and bank details, they'd have had all the biometric data as well.
So, would Brown or Darling care to explain, in great detail, how the hell that's supposed to be better than what happened? Of course not, because they're a couple of stinking liars, just like everyone else who thinks ID cards are a great idea and will do anything to convince the general population, who sadly are unquestioning enough to fall for their crap. Bloody sheep.
Agreed regarding the cost issue (at present day prices anyway) but that's all part of the cost benefit argument - i.e. is the solution appropriate to the problem, funding etc. Some multibiometric systems can be achieved in theory at relatively low cost, e.g. 2d face + voice, face + finger etc. Then there are other issues around usability, ergonomics and the like. Anyway, stating the obvious I guess.
Regarding chopped off fingers, there's at least one biometric scanning mouse (!) available now that scans for vein action in the palm - it needs a living sample to do this by some process involving blood flow through the veins. That's one step in the right direction.
Regarding partial fingerprints, forget all your spy nonsense about acid and skin grafts. I have eczema which is worst on my fingers, and although it's not always present, when it gets bad, basically my outer layer of skin (= my fingerprints) dies and peels off. For a while I have no fingerprints, and depending how well I treat it or how badly I treat it, I may have blank or scarred fingertips for quite some time. This does not bode well for fingerprint logons.
Just some thoughts...
The trouble is, Anton, that, as you admit, biometric forgery is only 'practically' impossible. In other words it IS possible given enough time and effort.
And unlike when someone gets hold of your pin, once someone has forged your biometrics, you are totally f*cked!
Even if you manage to convince the powers-that-be that your ID has been forged (and you were lucky that it was just someone cleaning out your bank account and not buying bomb making gear using it) then the only option is to blacklist your ID so nobody can do that again. Trouble is, you are stuck with it, so YOU are, in effect, blacklisted yourself.
Imagine living with 'blacklisted' biometrics. Try to open a bank account, get a loan, rent a car, travel by air, etc, etc, etc.
"there's at least one biometric scanning mouse (!) available now that scans for vein action in the palm - it needs a living sample to do this"
And how many fingers will be chopped until all of the criminals realise it ain't working?
Will *every* machine have this feature, and a big sign telling the world and their dog, in multiple languages (for the foreign criminals...) that it needs a *living* finger to work?
You need to affect to key points (deltas/loops/whorls) to change/destroy your prints. It doesn't heal back the same if you use a chemical like lye:
This is (sort of) common knowledge. If you use a scalpel to cut the core, delta, and any other really bold characteristics (epidermis only, not deep into the dermis), making a 2-3mm incision and then use tweezers to insert a small grain of lye (yes, this will really really really hurt, and the chemical burn will take about a minute to complete) there will be a nice dark cavity burnt into the dermis with not too much outer damage. Clip away epidirmis to leave the cavity completely open, apply healing salve, bandage finger and move on to the next finger.
The traumatised dermis will heal, but it will do so unevenly and although the ridges in the epidermis will heal to an extent, the ridges will be misaligned, and your cores and deltas will be destroyed.
I've never tried this but I'm confident that it would work. I do have one missing print due to a sustained 240V shock that burnt a very deep hole into the end of my right index finger. This happened 14 years ago and there's still no ridge detail at all there.
I'm slightly confused and disappointed by the academics' response and, to some extent, by the other comments on the piece. Either I'm missing the point or they are.
The real significance of the political comment of the form "Biometrics would have helped prevent" the datastrophe is that it reveals that politicians have no idea about the role of biometrics or data security.
The disaster happened because 25 million records were copied, insecurely, to CDs and then posted, insecurely to the Audit office.
At what point in this chain would they expect biometrics to be invoked? Personally, I would quite like it if only the person whose biometric matched the data being requested could access that data, but that is certainly not what government has in mind for large scale data sharing. (It would imply the need for 25 million people to log on, perform biometric authentication and agree to the data transfer)
The only role I can see for biometrics within that kind of data sharing transaction is in confirming the identity of those requesting the data and those transmitting it. How the hell would either of those have prevented the leak of the actual sensitive data?
Given that they already know the identity of the guilty parties and those identities are not - so far as I know - being disputed, the biometrics would have added no value whatsoever to the process.
The world has changed. No longer do we live in small communities where everyone knows everyone. In the physical world we are anonymous, and in the online world even more so. So if we need to strongly prove or protect our identity, e.g. to open a bank account or perform an online transaction how do we do it? We can point to our biographic footprint and provide a whole range of credentials - passport, birth certificate, bank statements etc. But this is fairly weak in itself (see confidentialaccess.com as a scary example of how vulnerable many of these documents are) and many of these credentials give away a lot of other information about ourselves - e.g. where you've travelled to recently, your parent's middle names, and how good you are with your finances. Instead we can cryptographically tie a difficult to copy electronic measure of our personal biology (that says nothing about us as a person) to a credential that can be revoked. Am I the only one that thinks this is a technically reasonable solution? It might be expensive (though cost is a separate argument), and there may be flaws (there's always a security "arms race" to contend with, and not all biometrics are suitable for all people), but in principle it seems to me a good way forward.
Principle and practice can be very different, and cost-benefit debates depend a lot on your personal circumstances. What I want to understand is whether people here are against biometric credentials in principle, as a technical solution - or whether it's about implementation incompetence, lack of trust in government and/or cost?
Not much point in saying that the government has no "right" to do this. The government can do whatever it likes. That's what makes it the government. We lost /our/ right to question what rights the government had when we decided that having an entity periodically take over half our earnings away at swordpoint (now gunpoint) was not only bearable, but somehow right and proper.
Some require blood in the "finger" but don't use proper scanning techniques, so you can take a photocopy of someone's fingerprint (paper) and hold it there with... your LIVE finger.
Alternatively, just replay the data of a valid biometric validation and it doesn't matter what the *sensor* says. This is known as code injection.
So as long as this sort of identification can be done in private (or with a few people who you can buy off or include in the deal) you can bypass ANY security. As long as the payoff is enough.
"Code injection", or rather replay attacks, applies just as much to passwords etc as it does to biometrics. You just have to handle the biometric data in a way that prevents code injection from the sensor to the recipient code.
As for the photocopied fingerprints - the attack works on *some* optical devices only. This is unlikely to work on capacitive sensors, and no fake finger attack that I'm aware of (including gummis) works on multispectral scanners (which use the subdermal layer to build a fingerprint image).
"...don't use proper scanning techniques" - what does that mean technically? In fairness though, most *fingerprint* biometric systems are poor at liveness detection (as opposed to fake finger detection). Ones that check blood flow or pulse don't work well on those with poor circulation and even if they did this extra check introduces significant errors that increase the number of "false rejects" from a system. An interesting question here is what is "liveness"? I've seen demos of tech that can potentially detect the live activity of sweat glands in the skin but this too is likely to be prone to error.
You've hit the nail on the head in terms of ID in private. It's about payoff versus effort. If for example you design your biometric to use palm vein, then it's going to be expensive (assuming replay attacks are prevented) to overcome. If the payoff is enough though then you might want to kidnap the person with the biometric to get past the security, or construct an elaborate 3d vein model that can fool the system. I think many criminals would opt for the former - just as they have as a reaction to modern car security (many more car jackings now, and burglaries to get keys, than in the past - fewer overall car thefts though!).
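Added example, not part of any commenter's post: the replay defences mentioned in the thread (a fresh challenge per reading, timestamped and authenticated sensor traffic, and rejection of bit-identical samples), run against a recorded reading. The shared `device_key`, the 30-second window and all function names are assumptions made for illustration, and the sample bytes are constructed.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed freshness window, not taken from the thread


def _mac_input(nonce: bytes, ts: bytes, sample: bytes) -> bytes:
    # Length-prefix every field so field boundaries cannot be shifted.
    return b"".join(len(f).to_bytes(4, "big") + f for f in (nonce, ts, sample))


def sensor_capture(device_key: bytes, nonce: bytes, sample: bytes, now: float) -> dict:
    """Sensor side: bind the reading to the verifier's nonce and a timestamp."""
    ts = str(int(now)).encode()
    tag = hmac.new(device_key, _mac_input(nonce, ts, sample), hashlib.sha256).digest()
    return {"nonce": nonce, "ts": ts, "sample": sample, "tag": tag}


class Verifier:
    """Gate in front of the matcher: only fresh, authentic readings get through."""

    def __init__(self, device_key: bytes, clock=time.time):
        self._key = device_key
        self._clock = clock
        self._pending = set()  # nonces issued and not yet used
        self._seen = set()     # digests of readings already accepted

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def check(self, msg: dict) -> str:
        expected = hmac.new(
            self._key, _mac_input(msg["nonce"], msg["ts"], msg["sample"]), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-mac"
        if msg["nonce"] not in self._pending:
            return "replayed-or-unknown-nonce"
        self._pending.discard(msg["nonce"])  # each nonce is single use
        if abs(self._clock() - int(msg["ts"])) > MAX_AGE_SECONDS:
            return "stale"
        digest = hashlib.sha256(msg["sample"]).digest()
        if digest in self._seen:
            # Two genuine captures of a finger never match bit for bit.
            return "exact-duplicate-sample"
        self._seen.add(digest)
        return "ok"


# Constructed sample readings: two captures of the "same finger" differ slightly.
SAMPLE_A = bytes([17, 42, 99, 3, 250, 8, 61, 77])
SAMPLE_B = bytes([17, 43, 99, 3, 249, 8, 61, 78])


def run_demo() -> list:
    key = b"constructed-demo-device-key"
    v = Verifier(key, clock=lambda: 1000.0)
    results = []

    # 1. Genuine reading answering a fresh challenge.
    msg1 = sensor_capture(key, v.challenge(), SAMPLE_A, now=1000)
    results.append(v.check(msg1))

    # 2. The recorded message sent again verbatim.
    results.append(v.check(msg1))

    # 3. Recorded reading spliced onto a new challenge without the device key.
    nonce2 = v.challenge()
    results.append(v.check(dict(msg1, nonce=nonce2)))

    # 4. Recorded sample bytes fed through a keyed sensor path.
    results.append(v.check(sensor_capture(key, nonce2, SAMPLE_A, now=1000)))

    # 5. Authentic reading that is two minutes old.
    results.append(v.check(sensor_capture(key, v.challenge(), SAMPLE_B, now=880)))

    # 6. New capture of the same finger, fresh and authentic.
    results.append(v.check(sensor_capture(key, v.challenge(), SAMPLE_B, now=1000)))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The duplicate check only catches bit-identical replays; a perturbed copy of a stolen sample still reaches the matcher, which is why the nonce and MAC carry most of the weight here.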
I think that what Darling and Brown meant was that even though the criminals may have your bank account, NI, address, and children's details, said criminals could not use it because they would not be able to do anything without your physical biometrics.
This assumes that all future credit applications will require a biometrically verified ID before it is granted. This may also close down the 'loans over the phone' service, unless someone sets up biometric actuaries to allow you to identify yourself remotely from the loan company (at the moment, it just requires signatures). Also, how are we to set up Direct Debits
What they appeared to say was that the data could not be seen without the biometrics. Imagine that.....
"Ring Ring... Good afternoon. This is the National Audit Office. We've been sent your child benefit details by Revenue and Customs, but we can't see it unless you come down and let us scan your fingerprints"
Repeat 17 million times.
No, biometrics will not PROTECT the data (which is what they said) but it may prevent it being USED. Or not. I'm sure you could scam your local Blockbuster, and get a few DVDs with the info. They will not check biometrics.
Biometric data cannot be confidential - anyone can capture someone else's fingerprints or iris or facial image. Biometric data could only be of value on the assumption that risk-holders will rely on unsupervised capture of biometric data - which would be thoroughly unsound. If that is what the scheme is proposing then it is flawed, however well protected the data in the register itself may be.
For remote or unsupervised access, other means - e.g. dedicated devices not unlike those some banks are issuing - could be used to provide two-factor authentication. This may not be quite as strong in theory as biometric verification (especially with match on chip) but it will cover most day-to-day risks. The larger risks will probably need additional measures anyway.
Sensitive data should at least use two-factor authentication. Truly critical data should use all three factors.
Something I know (password)
Something I have (security card)
Something I am (biometric)
Only the correct combination of all three factors should unlock sensitive data.
Ben Goldacre wrote a piece on the fallibility of biometrics in last Saturday's Guardian (http://www.badscience.net/2007/11/make-your-own-id/), and for his trouble, he was subjected to a bizarre rant by Andrew Orlowski on 27 November in El Reg (http://www.theregister.co.uk/2007/11/27/guardian_use_me_as_a_mouthpiece/).
Can someone please explain to me exactly how the points which Goldacre made are substantially different from those highlighted by the six academics, and reported in this article in El Reg?
And why did Orlowski's piece not have a link to enable readers to add their comments?
As the intrepid Miffbusting team proved, fingerprint scanners can be fooled. They set the lock to accept *only* Mr. Imahara's fingerprints, so his robot collection would be safe.
But then, Kari Byron used her Feminine Wiles on the poor defenseless robo-geek, flashed her big brown eyes at him and asked him: "Oh Grant, would you copy these CDs for me?" Grant, of course, was helpless. They then proceeded to lift his fingerprints off the nice smooth CD case, photo-copied them, cleaned up the thumb print and transferred it to a latex model. They were then able to open the door.
The main problem when dealing with fingerprints in a criminal context is *not* leaving them all over the place. Obtaining fingerprints that were inadvertently left somewhere incriminating, then identifying the miscreant, is one of the greatest blows against Crime.
I object to ID cards in principle. This Sceptred Isle has always shied away from forcing everyone to carry ID. We don't want to give the Government the opportunity to direct what we do based on who we are.
I object to the specific proposed implementation of ID cards on a number of additional grounds: cost; ineffectiveness at achieving the objectives for which its proponents will claim it is a panacea; the lasting and serious consequences of mistakes in the system; abiding suspicion of the motives of the scheme's proponents, given its general uselessness
I object to the use of biometrics in the ID scheme itself on many similar grounds plus the fact that they magnify already stated objections to little additional gain.
Actually, I wonder now whether the inclusion of biometrics in the scheme's plans is just there as a boondoggle to distract the opposition to the cards from arguing on the principles.
Orlowski has said (in other comments sections that were complaining about this) that people can comment by emailing him and that they will always get a reply.
Fair enough, I suppose, but I, and others, would like to see what others think of his articles (which DO often border on being rants).
It seems he is quite happy to receive criticism of his views ( most of his comment-free articles ARE headed as 'Opinion'), as long as nobody else actually *sees* that criticism.
While we are on the subject of identity theft, I have noticed that there is nothing to prevent anyone else creating an account on The Register with the same name as an existing user.
People seem to be forgetting it's not about the best biometric, it doesn't matter if palm vein patterns are better than fingerprints, you can't leave them behind at a crime scene so it doesn't fit in with the government's agenda of fingerprinting everyone so the police can consider everyone to be a criminal suspect.
All that waiting for someone to commit a crime, presumption of innocence until proven guilty, right to a fair trial, etc is so last millennium when you can just trawl a huge database and solve all the country's ills - as ID card advocates seem to believe.
The more we push the view that fingerprints aren't sufficient, the greater reason they will have of moving on to stage 2, which is to require a DNA sample too. Assuming they haven't already managed it, by arresting the entire population over the next couple of years, as seems to be the current intent.
"Sensitive data should at least use two-factor authentication. Truly critical data should use all three factors.
Something I know (password)
Something I have (security card)
Something I am (biometric)
Only the correct combination of all three factors should unlock sensitive data."
Perfect politician misunderstanding of technology?
All those 3 things have to be boiled down to a unique number, or else how would a computer know your answers are correct? That number is all you need to unlock the sensitive data.
For instance, a shop has a biometric reader which converts your anatomy to a hashed number that is matched to the card. A fake ID can either simulate the anatomy or alter the hash on the card. Thus, all you really need is a card reader and writer and you have everything you need to fake points 2 and 3.
Which leaves a password as the only secure bit - just (not) like a PIN.
Of course, with obscurity, you could ensure that the hashed number is secret and known only to a central server, in which case every transaction would be routed through the ether. But the hashed number would be stored in government files against the biometric data and this file, once compromised, would make the entire ID card as secure as a Chip/PIN combination.
Even if it were not compromised, the number of possible exploits is unlimited - as they are currently. The difference though would be that the ID card would be sold as 'preventing' these current types of fraud, when in practice they will be as secure as a number, or as secure as HMRC data, or as secure as any other human generated password...
It's fair enough - I guess he doesn't want to get flamed by Ben Goldacre fan boys! I must admit to liking much of Ben's work, but that last article (or rather rant) on biometrics was ridiculously biased and seemingly weakly researched (or the research was done but inconvenient facts that got in the way of his point were left out). If Ben is to criticise "bad science", he needs to up his impartiality and do proper research!
"The difference though would be that the ID card would be sold as 'preventing' these current types of fraud, when in practice they will be as secure as a number, or as secure as HMRC data, or as secure as any other human generated password..."
And this is, IMHO, the crux of the matter, and my main objection to the introduction of biometric ID cards. It is *precisely* the authorities' obsession that the system will be infallible when it is, quite patently, *very* fallible, that makes it so *very* dangerous.
Biometrics work, they have their place. They're convenient and work extremely well 'in the right environment' like logging into the computer system at work or opening the door to the secure area. My kids use it for buying donuts at their school.
For those who don't like the idea of centralised databases (like me) you can use 'match on card' where the encrypted template/s are stored on the card.
A well specified, installed and managed system is at least as secure as chip and pin. Print & Pin is my personal favourite.
But, 'everything' can be spoofed/cracked or cloned if the incentives are big enough.
My credentials for these comments are that I worked in IT security for over 16yrs, specifically in the biometrics business for 2 of those and I use bio-authentication every day without a hitch.
Conceptually this bit is important: Verification can only ever be "the person carrying this card, is the person to whom it was issued". Just try and stop determined people from posing as someone else when they apply for a biometric ID card. Biometrics DO NOT stop ID theft. The theft takes place first.
Also, biometrics DO NOT stop terrorism at our borders, every one of the July bombers was a legit UK resident. All the 9/11 bombers had legit reasons for being in the USA, it wouldn't have stopped them getting on the planes.
It's a rubbish idea, let's not do it. Let's give the money saved to MI5 and local community projects to stop home grown terrorism before it starts.
The Government (this one & the last lot) is very good at wasting our money. They have a terrible record on implementing large scale IT projects, NHS Programme for IT (£20bn, rubbish and late), London Ambulance Service (over budget, late and collapsed), and the pitiful Child Support Agency project (£500m over budget, never finished, caused the agency to fold with no one accountable).
The wrong systems, badly spec'd, installed by the inept and run by the poorly trained and apathetic. As I said before bad idea, of limited benefit, will be expensive, and is already late.
Late, what do I mean late!? Guess what, the project started several years ago, DVLA, Passport Office, Immigration, HMRC and NHS already linked and Biometrics are mandated for Passports (oh yeah that's running late as well).
There's a response from Goldacre in the comments on his site here from where someone posted a link to the Orlowski piece:
Doesn't seem quite as simple as the story on The Reg makes out. Did Orlowski contact Goldacre before publishing it to offer right of reply or anything?
Finally a bit of common sense trying it's hard to break through.
Once again, we see the same old attitude that security is simply a product you buy and plug-in. For the millionth time, it's a concept! A complex, writhing, many-faceted beast, that needs careful control and solid groundwork laid down, in order to look after it.
that Harry Stottle is the only one who has picked up on the completely illogical argument that the politicians were making. The only biometrics that would have made the loss of data inconsequential would be a lock on who could read the CDs.
If biometric data on the population was taken, and was included on the CDs it would either be more useful or unusable to potential crims (depending on whether it was reverse engineerable), but it would not have stopped them reading the rest of the data, addresses, bank details etc.
1. Through HMRC the UK government have clearly demonstrated their unsuitability to be a Trusted Third Party - incompetence, arrogance, lack of accountability, and bending the truth are some of the wrong qualifications for this role.
(I cannot see that any TTP can be that trusted to the level that they could invalidate someone's identity.)
2. For biometric data to be publicly and widely used to generate a valid key will require an algorithm; just how secure will that algorithm be?
If that algorithm is to be used for acceptance of ID for international travel you can just kiss security goodbye. It's just a matter of what causes it to crack first for the 'bad guys' - bribery, incompetence or technical ingenuity.
If you can't see how useful it would be for 'bad guys' to be able to create cards which will pass the authentication algorithm <Computer says YES! Ka-ching!> then you probably don't get Dunstan Vavasour's point above.
Well maybe what was needed was an encryption key that was personal to another government official so that ONLY that official could decrypt the data.
That would work, and is pretty simple to do in an electronic world. Just have the government have its own key management system, secure THAT system so that the bits squeak and then issue people the public key of any government employee (or job post, such as "Media Representative") and then you can ensure that only the intended recipient can read it.
But that doesn't require the citizens to be tagged and bagged in a big honking database, does it?
PS For Steve, there's also the fact that the bombers in Spain all had ID cards. Didn't slow them down. Just meant they could identify the people there.
The complaint letter is probably perfect in one sense because being only one page long it's just within the attention-span of your average Labour minister, but I think it also misses a very crucial point about Government data centralisation strategy, and the creation of the NIR.
Regardless of whether a Biometric is used to verify a transaction at the point of access or not, the underlying fact remains that the Government's collection, storage, integration between systems and planned data-mining activities with the data itself represents a huge danger to society, and one that is not protected at all by Biometrics.
In other words, the Government is planning to create a detailed, invasive, personal data profile of every single citizen in the UK; one where the "hub" data demanded by the NIR (and verified back to the Biometric) is then linked to your tax records, your bank accounts, your employment history, your house layout, your cars and their movements, your medical and legal records, your telephone and email exchanges, your foreign travel, your educational history and any criminal activity from a speeding fine onwards.
Not only that, but it will be possible for them to link this data to that of your family, your employer, and your friends. They will also be able to link it to publicly available databases such as credit agencies, voters rolls and MOSAIC to establish items such as potential voting patterns even more accurately than they can currently.
In an environment like that, there is almost nothing you can do of any significance without it being recorded on one of the relevant databases. This data is simply priceless, and the Government is not only about to demand the pieces of legislation and data to link it all up, but by introducing the Biometric at the point of use will be able to control what you can and cannot access in terms of work, ownership, access to services such as schools/hospitals - and travel.
Indeed that level of control need not be explicit. Once the ID card is issued, people will realise very quickly (but, I suspect too late) that the Government is watching and approving their every move. Will anybody want to join a public demonstration, or write a Government offensive blog, or even write a letter of complaint to the Guardian with the veiled threat of being registered as a troublemaker by the Government hanging over them?
More to the point, is the public aware that all this data will in fact be insecure? How many public servants are going to have access to all of this? Do you think a single one of them will need your Biometric to look at your data, to data-process it, or to produce statistics from it? Who will stop someone printing your whole life out and publishing it without your consent, or saving it onto a couple of DVDs and posting it second class?
That is why I remain completely opposed to the ID Card and the NIR. What I find utterly depressing is that so many of my fellow countrymen are too apathetic or ignorant to care about this issue. It's depressing frankly...
is not just that someone may fake your biometric data to pretend to be you.
It is that someone *will* generate fake IDs for sale. So down to the pub and buy 3 or 4 fake IDs, go on the benefit, after all you can *prove* who you are (four times). Terrorists and criminals will come into the country and become 'legal' in moments.
They *will* swap their biometric data for yours. Then one day you will get a knock on your door (at 4 o'clock in the morning, with a BIG door buster) and Mr Plod will be asking you about the loot from the latest bullion robbery, 'cos *your* biometric data was all over the place. OK so this will get sorted out, eventually, but now who are YOU; officially?
The DBAs, operations staff and input clerks (low grade 'civil servants' of course) will be *persuaded* to do the changes, if they like walking that is.
The more information that is in the system the more the SYSTEM will be trusted and the less that YOU will be trusted.
Another little problem with biometrics is that they change over time. It is well known that ears and nose in particular continue to grow until old age, not to mention changes in gait and posture. I guess you can get around this with structural facial recognition ignoring the soft tissues, otherwise the bio database will have to be updated regularly, a bit like passports are valid for only 10 years and you need a recent photo.
I'd see advantages in having ID cards in the UK, but NOT as proposed by this government. As a French citizen, I have an ID card that is enough for me to identify myself to the authorities (it's validated by the plod). Only in exceptional cases do you have to provide proof of address along with your ID, which makes some bureaucracy that little bit easier. The bad side is that in France you are REQUIRED to carry ID with you at ALL times. Plods can ask you for it any time, and if you don't have it (and don't like you or you look too tanned for them) you can get pulled in. There is a thin line there in making things easier for everyone (police, citizens and gov) or just use this as a tool of control for the masses (which ANY gov likes, don't think the Lib Dems or the Tories would be any different).