Any action hero worth his salt can foil biometric tests, but now clay, algorithms and dismembered body parts are being used to make the systems fool-proof. By Owen Bowcott
Thursday July 1, 2004
How do you ensure that a multimillion pound airport security system is not fooled by a corpse? How do you convince a computer you are alive? Western governments are eagerly erecting outer defences of automated, biometric identity checks to protect their borders and prevent another terrorist outrage like September 11. Concerns about immigration have reinforced political demands for foolproof screening of all those entering the country.
So the race is now on to provide the technology - which authenticates individuals by means of their fingerprints or distinctive patterns in the iris of their eyes - with the necessary standard of scientific rigour to justify the claims made on its behalf.
Biometrics is an area in which creative imaginations and science-fiction have raced ahead, often highlighting potential flaws. As early as Diamonds Are Forever (1971), James Bond deceived Blofeld's cronies by glueing on fake fingerprints provided by Q. In Judge Dredd (1995), the heroic law-enforcer is wrongly convicted because DNA samples, taken from his identical twin, are linked to a murder.
It has been suggested that simply chopping off someone's finger and presenting it at a fingerprint-scanning machine could bamboozle an automatic checkpoint. Security experts counter that such dodges might work in a laboratory but would easily be spotted if conducted in front of an immigration officer. Nevertheless, these anxieties have generated a wave of research aimed at improving the reliability of biometric tests and creating a second generation of refined systems.
"Because of 9/11, biometrics has jumped out in front," says Edwin Rood, director of the Biometric Knowledge Centre at West Virginia University. "There's a rush to implement biometrics in the field but it doesn't have a good mature knowledge base."
Speaking at a conference organised by the West Virginia High Technology Consortium Foundation, Rood, who studied physics and then worked at the US office of naval research, said: "In future it's going to be combined biometrics, systems which test maybe both irises and fingerprints. We are now moving to a situation where it won't matter what your name is, it's your biometrics that will count."
"Liveness testing" has become the buzz phrase for those seeking to build in cross checks and additional layers of security. In terms of fingerprint-scanning, researchers are looking at devices which use electrocardiograms or measure perspiration, temperature and the skin's resistance to electrical currents.
A team at the Centre for Identification Technology Research in West Virginia, America's centre of expertise in the subject, has been trying several approaches. Its combination of practical experiments and academic resourcefulness involves the use of dismembered fingers.
A report by Sujan Parthnasardhi, Stephanie Schuckers and others said: "We tested cadaver fingers in an attempt to address the possibility that dismembered fingers could be used to spoof fingerprint devices. Fourteen cadaver fingers were enrolled and, if able to enroll, verified six times each. Cadaver fingers were able to be verified from 40-94% of the time."
In an examination of the fingerprint scanning machines already on the market, the researchers found their "spoofing techniques" - using casts of fingerprints made from such material as dental impression material, Play-Doh and clay - were highly successful. The researchers made moulds of 11 susbjects' fingerprints and for three of the subjects, these moulds maged to fool at least one biometric scanner.
One counter-measure the team has developed involves a "specific temporal perspiration pattern present in fingerprints acquired from live claimants". The researchers used a capacitive fingerprint scanner, which generates a fingerprint pattern by means of capacitors measuring electrical current, rather than scanners which sense the print through light.
The researchers found that "in live fingers, perspiration starts around the pores, and spreads along the ridges, creating a distinct signature of the process."
Analysis of such a distinctive pattern could then be incorporated into the mathematical algorithm used to compare fingerprints so that a decision could also be made about the "vitality" of any received image. This method, they suggested, would provide increased security at "only the cost of a software upgrade".
Similar techniques have been incorporated into iris-scanning technologies. Measurements of the constant movement of the pupil of the eye can be added to pattern-recognition algorithms to prevent false positives being generated when high-resolution still photographs of a subject's iris are put in front of a scanning camera.
In terms of standard face-recognition techniques there is now a move towards 3D images created by more than one camera angle, such as FaceEnforce, a system devised by the York-based firm Cybula. The resulting patterns are more complex and difficult to fool.
Soon it will be in everyone's interest to ensure that biometric technologies are fool-proof. Biometric systems that confirm your identity are now likely to become ever more sophisticated and spread into other areas of identity verification, including banking and computer access.
"Passwords should be a thing of the past," declares Dr Michael Yura, of the US National Biometric Security Project, which is also based in West Virgina. "A good password is very hard to remember. Rather than what we know, we are turning into who we are."
¡¤ What did you think of this article? Mail your responses to