How-to fake Fingerprints 

                           Biometrics Authentication Abuses



          Michael (Micha) Shafir – CTO, Inventor - Innovya traceless Biometrics

 

The government and corporations are aggressively collecting information* about your personal life and your habits. They want to track your purchases, your medical records, and even your relationships. Government's policies, coupled with invasive new technologies, could eliminate your right to privacy completely.

There has been a significant surge in the use of cloned biometric information for subject authentication, especially in the recent years. As we all know, the weakest link in any online transaction system is always the interactions between an individual and a computerized system, but we cannot compensate for this inescapable computerized weakness by scarifying our privacy rights and the Total Surveillance Society. Biometrics-based authentication indeed offers many advantages over other authentication methods, especially in a computerized environment. However, turning the human body into the ultimate identification card is extremely dangerous, the possibility of fraud with biometric data should not be underestimated, exposing or losing biometric property is a permanent problem for the life of the individual, since there is no way to change the physiological or behavioral characteristics of the individual. The best secrets are secrets that are never shared. How do you replace your finger if a hacker figures out how to duplicate it?** If your biometric got exposed, theoretically you will never be able to prove you are who you say you are or more unfavorable situation, prove you are not who you say you are not. Purloining a person's electronic authenticity is the most insidious way for invading individual privacy. One of the main logical paradoxes, governments needed to address with the current biometrics is, stored biometric information is useful ONLY, if a subject is already known to the system… From the security point of view, Biometrics authentication will not work if the subject is a stranger to the cloned biometric system. The subject is always carrying his biometrics with him, why then unique biometrics information, should be collected and stored in databases or smart cards, or other external devices, in order to make it useful? People want to be able to draw a boundary circle around information about themselves and how they behave. People, in general, do not want parts of their body duplicated in databases. They feel entitled to the ability to control all that falls inside this circle, and they want to be able to regulate how, to whom, and for what reasons the information within the circle is disseminated. The current Biometrics form, will not work for cyber access to digital systems, because biometrics cannot be change and cannot remain secret. Adopting Innovya's traceless biometrics approach with their non-unique remedies and Real Time Reactive Authentication process might help solve privacy problems. The traceless biometric workflow is using the similar old Photo ID's concept when you can match a face to a person like a mirror reflection, an innocent stranger could identify one's self, even if he's not known to anyone. The Traceless Biometrics' Authentication major challenge is to create a secure and efficient authentication solution that is stronger and less disturbing than cloning human intrinsic characteristics solutions.

 

 

Traceless Biometrics guidelines:
 

  • Be able to authenticate innocent's strangers, even if they're not known to the system.
  • Does not require infrastructure (can work offline)
  • No need for proprietary scanners/readers (any mix fits)
  • No need for central databases, No storage, No templates
  • Privacy friendly – Non unique nor clonable and must be Traceless.
  • Cancelable biometrics - Letting the subject to cancel/change his own biometric or key by himself anytime anywhere.
  • Standard without secrets give-away - Easy integration with foreign applications without changing their core procedures (transparent)
  • Can be spread anywhere (no single key) without risk of breach
  • Fast, reliable, anonymously, mobile, non-unique, irreversible, accurate, unidirectional, high entropy.
  • Be able to authenticate anywhere across the globe! (Even in the desert or high seas) without communication.


 

Current biometric systems required huge databases.

In order to make a huge stored biometric “accessible” and up to dated, the authorities need to grant access to several insecure foreign parties/countries to some of their most sensitive information areas, to provide authentication assistance. In order to grant access to the biometrics records the authorities must, 1) centralize and organize huge biometric databases, 2) establish protocol that would aid them in collecting sensitive data, which in most cases is done in a haphazard manner catering to the immediate need of the new surveillance deployments being conducted, 3) build high capacity infrastructure, and 4) let the unique biometrics information of innocent citizens to flow on the network lines. The other options are much worst – like cloning the databases and spread them allover (In any case, the information updates will flow on the network lines).

 

The social acceptability obstruction

Traceable Biometrics are clonable... Biometrics is not universally used because there is no standard for storing the data. As long biometric information is stored in databases, there is no cancelable biometric… You cannot grant access to the public to control owned entries, especially stored biometrics information… Biometric is more private to you than a number that somebody assigned to you. Security requires secrets, if someone tries to create a standard to collect “widespread known secrets”, it cannot be called a “secret” any more since the best secrets are never shared. There is a class of biometric information that can be perfect secrets and still be useful – Traceless Biometrics are the only secrets that we know of that we can (a) avoid sharing, and, (b) usefully deploy. The owner of the biometric can prove that he or she has it without sharing it. No other types of authentication knowledge are useful if they are not kept as perfect secrets.


Adopting the above traceless guidelines, using real-time reactive authentication processes method for the current biometrics authentication systems will present an efficient and friendlier authentication solution. Obviously, privacy is an issue, which is potentially solved, Biometric scan as is necessary for a function or activity to authenticate the subject should be sufficient. The new traceless authentication systems should after the authentication process, dismiss all the biometric information or traces from the scanning devices and mustn't use any storage systems.

 
__________
Author:

Michael (Micha) Shafir – Innovya CTO, Inventor, seasoned entrepreneur (RadWare, MagniFire (F5), PonsEye, PonsHoldings - Technology Greenhouse, CrossID, Innovya)

 
Email: Micha (AT) Innovya.com