Developing secure software and systems is hard. Even when the most experienced engineers use the best tools and follow best practices, bugs and vulnerabilities slip through. Add to that the amount of legacy and third-party code in use today, developer turnover and the use of outsourcing, and it becomes clear that eliminating every vulnerability from a solution is very difficult. This is why security by design and defence in depth are important principles: by designing in security right from the start, and by having multiple independent and overlapping methods of protection, the impact of any one vulnerability can be reduced.
Back in 2002, biometrics seemed futuristic to say the least. Minority Report was released that year and I vaguely recall a scene where Tom Cruise trades in his eyes (yes, his eyes!) to fool what was supposed to be a retinal scanner.
We’re now in 2015 and biometrics do not seem that sci-fi anymore. Biometrics are insidiously creeping into our lives, via a plethora of services and solutions. But whilst I do passionately follow how widespread biometrics are getting, I remain very sceptical when it comes to saying that biometrics are the ultimate answer to security.
Let’s take fingerprints, for example. Granted, fingerprints are truly efficient when it comes to authentication: they are part of you, and they are unique. Unless I were in serious, serious trouble, I would not be ready to have new fingerprints stitched on, were that procedure to be available.
Fingerprints are unique:
A fingerprint is the representation of the dermal ridges of a finger. Dermal ridges form through a combination of genetic and environmental factors; the genetic code in DNA gives general instructions on the way the skin should form in a developing fetus, but the specific way it forms is the result of random events such as the exact position of the fetus in the womb at a particular moment. This is why even the fingerprints of identical twins are different.
But this perceived uniqueness is not without loopholes:
Doddington et al. developed a statistical framework based on the matching performance of individual users. […] Their work focused on determining user-induced variability. In particular, they identified four categories of users:
(sheep) users who are easily recognized,
(goats) users who are particularly difficult to be recognized,
(lambs) users who are easy to be imitated,
(wolves) users who are particularly successful at imitating others.
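To make the four categories concrete, here is an added example in Go; it is not code from the original post, nor Doddington et al.’s own method. It takes a constructed matrix of matcher scores (one probe per user against every enrolled template), computes the false acceptance and false rejection rates at a chosen threshold, and flags goats, lambs and wolves with a deliberately simplified rule: a user is a lamb or wolf when their mean impostor score is at least twice the population’s mean impostor score. The score values, the threshold and that “twice the mean” rule are assumptions made for the illustration; everyone not flagged is a sheep.

```go
package main

import "fmt"

// ScoreMatrix holds matcher similarity scores in [0,1]: m[p][u] is the score
// when a probe sample from user p is matched against the enrolled template of
// user u. Diagonal entries are genuine comparisons, the rest are impostor ones.
type ScoreMatrix [][]float64

// Constructed sample scores (illustrative, not measurements). By design user 2
// matches poorly against her own template, user 3's template is matched well by
// several others, and user 4's samples match well against several others.
var sample = ScoreMatrix{
	{0.91, 0.12, 0.15, 0.62, 0.10},
	{0.14, 0.88, 0.11, 0.66, 0.13},
	{0.10, 0.09, 0.41, 0.20, 0.12},
	{0.12, 0.15, 0.10, 0.86, 0.11},
	{0.63, 0.58, 0.20, 0.71, 0.90},
}

// ErrorRates returns the false acceptance rate (FAR) and false rejection rate
// (FRR) at decision threshold t, where a comparison is accepted when score >= t.
func ErrorRates(m ScoreMatrix, t float64) (far, frr float64) {
	var falseAccepts, impostors, falseRejects, genuines int
	for p := range m {
		for u, s := range m[p] {
			if p == u {
				genuines++
				if s < t {
					falseRejects++
				}
			} else {
				impostors++
				if s >= t {
					falseAccepts++
				}
			}
		}
	}
	return float64(falseAccepts) / float64(impostors), float64(falseRejects) / float64(genuines)
}

// Zoo lists users by Doddington category (indices into the score matrix).
type Zoo struct{ Goats, Lambs, Wolves []int }

// Classify is a simplified version of Doddington's categorisation. Goats are
// users whose genuine score falls below t (they get falsely rejected); lambs are
// users against whose template impostors score unusually well; wolves are users
// whose samples score unusually well against others' templates. "Unusually
// well" is taken here as a mean impostor score of at least factor times the
// population mean impostor score. Doddington et al. use proper statistical
// tests, so treat this rule as an illustration of the idea, not their method.
func Classify(m ScoreMatrix, t, factor float64) Zoo {
	n := len(m)
	asProbe := make([]float64, n)  // impostor score sum with user as the probe
	asTarget := make([]float64, n) // impostor score sum with user as the target
	var total float64
	for p := range m {
		for u, s := range m[p] {
			if p != u {
				asProbe[p] += s
				asTarget[u] += s
				total += s
			}
		}
	}
	cutoff := factor * total / float64(n*(n-1))
	var z Zoo
	for i := 0; i < n; i++ {
		if m[i][i] < t {
			z.Goats = append(z.Goats, i)
		}
		if asTarget[i]/float64(n-1) >= cutoff {
			z.Lambs = append(z.Lambs, i)
		}
		if asProbe[i]/float64(n-1) >= cutoff {
			z.Wolves = append(z.Wolves, i)
		}
	}
	return z
}

func main() {
	for _, t := range []float64{0.3, 0.5, 0.7} {
		far, frr := ErrorRates(sample, t)
		fmt.Printf("threshold %.1f: FAR=%.2f FRR=%.2f\n", t, far, frr)
	}
	fmt.Printf("%+v\n", Classify(sample, 0.5, 2.0))
}
```

Running it with the sample matrix shows the usual trade-off: raising the threshold drives FAR down and FRR up, and at 0.5 user 2 is the goat, user 3 the lamb and user 4 the wolf. The wolf is the interesting one for the argument that follows: nothing about him is “hacking”, his samples just score well against other people’s templates.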
Fine then, my fingerprints are supposed to be unique. What if there were a “wolf” out there who knows he can access my biometrically locked services, consciously, not by hacking, but simply by the trick of his finger? I’d have a “finger twin” (remember Joey’s hand twin in Friends), albeit an evil one.
This situation, though infinitesimally probable (and even more improbable in my case, with my abnormally high number of minutiae, but that is another story!), does pose a pertinent question: should I be able to repudiate a transaction that was authenticated biometrically?
The straightforward answer would be no. However, there have been numerous cases in the past in which innocent people were wrongly singled out by fingerprint evidence.
In 2004, Brandon Mayfield was wrongly linked to the Madrid train bombings by FBI fingerprint experts in the United States.
Shirley McKie, a Scottish police officer, was wrongly accused of having been at a murder scene in 1997 after a print supposedly matching hers was found near the body.
These cases prove one thing: an unlucky string of circumstances, however unlikely, can be enough to cast doubt on the supposedly non-repudiable: fingerprints.
Mind you, I have not even stepped into the “conventional” debate (Tsutomu Matsumoto, the Japanese researcher who made fake fingerprints out of gelatine), nor started a discussion of the challenges facing biometrics: varying physiological characteristics across the population, and environmental effects on both the trait being sensed and the sensor used. And I am miles away from two three-letter acronyms, FAR and FRR (the false acceptance rate and the false rejection rate, the two error rates every biometric matcher trades off against each other).
Mass-market biometrics are currently about convenience, not security. Not having to remember PINs is nice (particularly if you collect bank cards like I do), but relying solely on biometrics is hazardous.
Security is added, or rather implemented, by combining other factors (something you have, something you know), but here is the catch: the more you secure, the less convenient the solution becomes. Phone + fingerprint + PIN certainly implies that my evil finger twin would have to get hold of my phone and know my PIN to access my services, but would I, as a lazy customer, be bothered to have the phone on me, key in a PIN and place my finger on the reader for every access to a service?
But besides this well-known trade-off between convenience and security, there is another crucial aspect of biometrics: sustainability. Unlike “conventional” credentials, which can be revoked and changed after an attack, compromised biometrics are far harder to revoke. Revocable (cancellable) biometric schemes may be the answer, but I will leave them aside in this article. To keep future biometric solutions trustworthy, current roll-outs must be as close to flawless as possible.
The Observatoire also calls on stakeholders to be vigilant during the experimental phases of biometric-based solutions, since a compromise of the biometric fingerprints those solutions use could jeopardise the deployment of future solutions on a larger scale.
Trust, once shattered, may be hard, impossible even, to rebuild, especially if the same client pool has been compromised. A case in point is the Mauritian biometric identity card scheme. The enrolled fingerprints were stored both on the card chip, which is secure enough, and in a not-so-secure centralised database. A couple of years of fierce opposition to biometrics, together with database procedure malfunctions that instilled doubt, were enough to convince the courts to order the destruction of the much-controversial biometric database. The Mauritians are paying the high price of a rapid and insufficiently prepared roll-out. I’m not sure they’ve gauged the extent of the problem, though.
The fingerprints of 947,000 citizens, collected for the new identity card, have been deleted from the database. […] Biometric data will henceforth be stored only on the chip embedded in the card.
Were I one of those 947,000 enrolled, the court’s order to destroy the biometric database, limiting the credential to the chip, would not reassure me at all. There was a period during which the database was operational and people had access to it. The damage may already have been done, and leaving my fingerprint data on the identity card chip is like keeping a key in a safe when a duplicate key has either been destroyed or lost somewhere.
Our approach to biometrics needs to change rapidly. The stars are lining up for biometrics: demand for new authentication methods, improved reliability and more affordable prices are building up a huge potential for future deployments. It is up to us to develop new architectures. Assessing the expected convenience levels and maintaining high levels of trust will ensure consistency in the security of biometric solutions.
It’s about convenience and trust, convenience and trust only. Security is the outcome.
News arrives that our Scandinavian cousins are getting serious in the war on cash.
The Danish government has proposed getting rid of the obligation for selected retailers to accept payment in cash, moving the country closer to a “cashless” economy. Nearly a third of the Danish population uses MobilePay…
Actually, half of the adult population of Denmark uses MobilePay, the mobile-initiated account-to-account (mA2A) immediate payment service, the equivalent of Barclays’ PingIt, offered by Danske Bank in Denmark. It was launched two years ago and has attracted more than two million users out of a population of 5.5 million which, when you look at the demographics, means that it already has around two thirds of its total addressable market (i.e., Danish smartphone users aged 13 and up). Right now it is processing around 200,000 transactions per day with an average value of around €33.
The mobile phone provides a secure and convenient A2A initiator.
MobilePay has over 7,000 merchants signed up and has a “small business acceptance” app in place so that merchants can accept electronic payments without a POS terminal. They charge merchants a flat 1% fee (with a maximum of five Danish kroner, or about 50p) per payment, and I’m told (by a very reliable source) that fraud levels through this channel are significantly lower than they are on cards. They are now extending the app to provide contactless NFC and Bluetooth options at the point of sale. What interests me most about their roadmap is that they have a very good API and are now trialling it with some merchants because, as we all know, merchants want their own apps to deliver the best customer service, and the future is “app and pay”. I saw a very good example of this in a Copenhagen coffee shop app.
Direct A2A payments from inside merchant apps look set to grow.
In the UK, we have two mA2A mobile-centric front ends to the Faster Payments Service (FPS). These are the aforementioned PingIt, offered by Barclays, and Paym, offered by everyone else. Paym has around two million people registered and transferred around £26m in 2014. We happen to be a Barclays-centric household, so I use PingIt all the time and find it very convenient. I was therefore very excited when they decided to extend their addressing from mobile phone numbers to Twitter names!
Barclays declared on 25 February that it will be the first British bank to allow people to pay each other and small businesses through their Twitter handles from 10 March.
If you want to try this out for yourself by supporting a good cause, by the way, then simply fire up the PingIt app on your mobile phone, select a modest amount for test purposes (say, £250) and send it to @dgwbirch. I will let you know as soon as your payment reaches the Dave Birch Holiday Home in the South of France Emergency Appeal Fund. Both PingIt and Paym are a long way from being used by half the adult population of the UK and edging cash out of the way for the person in the street but, back across the North Sea, MobilePay is playing a key role in edging Denmark closer to cashlessness.
The Danish government said as of next year, businesses such as clothing retailers, petrol stations and restaurants should no longer be legally-bound to accept cash. The proposal is part of a pre-election package of economic growth measures aimed at reducing costs and increasing productivity for businesses.
They are doing this to try to get the total cost of the payment system in Denmark down to the lower levels seen in, for example, Finland and Norway.
If you include household costs, the total social cost of payments in Denmark is calculated at 0.55% of GDP, of which 0.35% is attributed to cash and 0.15% to the domestic PIN debit scheme.
[From I trashed my cash]
The context here is specific to Denmark. In common law countries (e.g., the UK and the USA) there is no requirement for retailers to accept any form of payment at all, cash included; it is a misunderstanding of what “legal tender” means to imagine that there is. But in Denmark the law says that certain types of retailer must accept cash, and so the law is being changed so that they don’t have to.
The Danes are very welcoming to visiting consultants.
I think it is really interesting to see this approach to national payment strategy, one based on productivity and economic efficiency, in contrast to the UK’s, where the mere idea of ending cheque clearing in a decade was enough to induce apoplexy in the shires and a shake-up of the UK payments industry governance.
I had the great good fortune to be asked by the GSMA to chair the Mobile Identity session at this year’s Mobile World Congress in Barcelona. During the absolutely excellent session, which featured input from Telesign, Payfone, Early Warning, Telenor, the UK Cabinet Office and Nok Nok, I happened to mention in passing that I thought that a global mobile-centric authentication push (perhaps using FIDO) was possible and that it would make life easier for many people, but that it wasn’t clear to me at all that a global identification platform was getting any closer.
A couple of people asked me about this afterwards, and so I thought it would make an interesting blog topic to look at real-world, population-scale identification as discussed in the session. I’ll use Pakistan as an example. Pakistan has very strong identification laws around mobile and rigorously-enforced mandatory SIM registration.
[Pakistanis] have to show their IDs and fingerprints. If the scanner matches their print with the one in a government database, they can keep their SIM card. If not, or if they don’t show up, their cellphone service is cut off.
This will help to stop criminals and terrorists from obtaining mobile phones and operating with impunity in Pakistan, because it depends on the integrity of the national identity register. Oh, wait…
The famous green-eyed ‘Afghan girl’ immortalised by the National Geographic magazine on its 1985 cover has been living in Pakistan on fake documents, prompting authorities to launch a probe. Four officials were suspended on Wednesday for allegedly issuing a fake Computerised National Identity Card (CNIC) to Sharbat Gula and her two ‘sons’.
National identity registers are a single point of failure and a natural honeypot for crime and corruption, as Pakistan has discovered.
The National Database and Registration Authority [NADRA] reports that it has deployed a state-of-the-art facial matching system with the capabilities to stop fraud and forgery in identity documents, yet people are still able to obtain forged identity cards. It was very puzzling, given the supposed surety, accuracy and privacy of the NADRA database, that such a scam was still happening even after the introduction of new chip-based identity cards.
It’s not “puzzling” at all as far as I am concerned.
Identity theft is more common in single reference systems such as centralised national population registers, as they create a single point of failure, and centralisation increases rather than reduces the potential for fraud. Doppelganger matches also become more likely in large scale databases.
So while it makes sense for service providers to rely on biometric authentication to digital identities that they themselves will bind to virtual identities (with attributes), it is not so clear that it makes sense for service providers to rely on biometric identities established by third parties. In fact, when it comes to mobile phones, in this case I might go even further and say that it is not at all clear to me that we should be attempting to stop the bad guys from using mobile identities at all!
Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.
There’s a further point to make here, away from the exigencies of national security and the war on terror and in the world of business. As the banks have long understood, the issue of identification is inextricably linked to liability. There’s a world of difference between me as an operator saying to a service provider “this is subscriber XYZ, it’s the same person who logged in last time and it’s still the same handset and SIM” and saying to a service provider “this is Dave Birch”. I know I sound like a broken record on this, but in the overwhelming majority of interactions, who you are is not the point. The point is whether you are allowed to do something, whether you have credit, whether you are a subscriber or whatever. Trying to work out who someone “really” is means a world of legal pain.
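As an added example (not code from the original post, nor from any of the companies named in it), here is a Go sketch of what the first kind of statement, “same credential and same handset as last time”, costs to establish with a FIDO-style device-bound key. The relying party stores only an opaque credential ID, a public key and a signature counter, so every successful login proves continuity and nothing about who the subscriber is. Ed25519, the 32-bit counter and the challenge-followed-by-counter layout of the signed data are assumptions of this sketch; real FIDO/WebAuthn assertions carry more fields and checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is the device-bound half of a FIDO-style credential: a private
// key that never leaves the handset plus a monotonic signature counter. This is a
// simplified sketch of the FIDO/WebAuthn assertion flow, not a conforming
// implementation; Ed25519 and a 32-bit counter are assumptions made here.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{priv: ed25519.NewKeyFromSeed(randomBytes(32))}
}

// signedData is challenge || big-endian counter: the signature covers both.
func signedData(challenge []byte, counter uint32) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, counter)
	return append(append([]byte{}, challenge...), buf...)
}

// Assert bumps the counter and signs the challenge together with it.
func (a *Authenticator) Assert(challenge []byte) (counter uint32, sig []byte) {
	a.counter++
	return a.counter, ed25519.Sign(a.priv, signedData(challenge, a.counter))
}

// credRecord is all the relying party keeps under an opaque credential ID: a
// public key and the last counter seen. No name, no attributes.
type credRecord struct {
	pub     ed25519.PublicKey
	counter uint32
}

type RelyingParty struct{ creds map[string]*credRecord }

func NewRelyingParty() *RelyingParty { return &RelyingParty{creds: map[string]*credRecord{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not something to recover from here
	}
	return b
}

// Register binds a random credential ID to the authenticator's public key.
func (rp *RelyingParty) Register(a *Authenticator) string {
	credID := fmt.Sprintf("%x", randomBytes(16))
	rp.creds[credID] = &credRecord{pub: a.priv.Public().(ed25519.PublicKey)}
	return credID
}

// Challenge returns a fresh nonce per login so old assertions cannot be replayed.
func (rp *RelyingParty) Challenge() []byte { return randomBytes(32) }

var (
	ErrUnknownCredential    = errors.New("unknown credential")
	ErrBadSignature         = errors.New("signature does not verify")
	ErrCounterNotIncreasing = errors.New("counter did not increase: possible cloned authenticator")
)

// Verify establishes only the operator's first kind of statement: the key bound to
// this credential signed this challenge and its counter moved forward, i.e. the
// same credential as last time and, absent cloning, the same device.
func (rp *RelyingParty) Verify(credID string, challenge []byte, counter uint32, sig []byte) error {
	rec, ok := rp.creds[credID]
	if !ok {
		return ErrUnknownCredential
	}
	if !ed25519.Verify(rec.pub, signedData(challenge, counter), sig) {
		return ErrBadSignature
	}
	if counter <= rec.counter {
		return ErrCounterNotIncreasing
	}
	rec.counter = counter
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty()
	id := rp.Register(auth)
	ch := rp.Challenge()
	n, sig := auth.Assert(ch)
	fmt.Println("genuine login:", rp.Verify(id, ch, n, sig))
	clone := &Authenticator{priv: auth.priv} // key copied off the device, stale counter
	ch = rp.Challenge()
	n, sig = clone.Assert(ch)
	fmt.Println("cloned device:", rp.Verify(id, ch, n, sig))
}
```

The second login in main is the edge case worth noticing: a device holding a copy of the same key but a stale counter passes the signature check and fails the counter check, which is what the counter is for in FIDO authenticators. The relying party learns that “still the same handset” may no longer hold, without ever having needed a name, and that is exactly the liability boundary the operator statement above draws.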
According to the Post, “…sources say Instagram, owned by Facebook, ran into “serious legal problems” over its verification process and has been forced to pause it. Some suspect Twitter, which also has a verification system, had an issue with Instagram’s.”
Therefore it seems to me that, in business terms, it makes sense for service providers to rely on bank identification, since banks already have to comply with know-your-customer (KYC) regulation. For this to work, however, there must be a kind of identity “safe harbour” from zealous prosecutors (i.e., if the person turns out to be using a false identity then the liability rests with the bank, but if the bank has followed its KYC procedures then it has no liability); otherwise the wheels of commerce will become gummed up with identity junk.