Biometric authentication – ISO/IEC standards project to help combat biometric hacking

Since the launch of the iPhone 5, there has been considerable attention on the successful hacking of the new Touch ID fingerprint scanner. The group that has claimed success, the Chaos Computer Club from Germany, has been involved in similar biometric attacks on different fingerprint sensors going back to at least 2004.

This attack technique of presenting a fake biometric to a biometric sensor for identity theft or concealing one’s identity is commonly known as spoofing, and such attacks are well known and studied. There are several technologies, both software and hardware, that can be used to detect such spoofing attacks. The international community is addressing this emerging area of technology through an ISO/IEC standards project to develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing (called ‘spoof detection’ or ‘presentation attack detection’).

Biometric authentication has the potential to ease the burden of security given its simplicity and usability. However, as with all security measures, it has vulnerabilities. The Biometrics Institute encourages manufacturers of equipment that includes biometric sensors to be proactive in adopting spoof detection technology to maximise the chance of successfully rejecting a biometric spoof. It also recommends that government agencies and top-level decision makers be aware of the need for appropriate biometric vulnerability testing and certification as they consider both the risk and the convenience of the security mechanism(s).

The Biometrics Institute’s Vulnerability Assessment Expert Group (BVAEG) consists of many of the most experienced experts in this area from around the world. Its mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures, and testing, and to help facilitate the dissemination of new research or findings in this area.

Summarised from a Biometrics Institute media release, 2 October 2013.

Published in business and ICT.