Blog article
See all stories »

Object reference not set to an instance of an object.

Comments: (2)

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 11 September, 2012, 08:51Be the first to give this comment the thumbs up 0 likes

Sorry, the security of biometrics is entirely deniable.

No biometric today provides lasting signatures on electronic transactions. Biometric security is much more focused on access control – to secure data centres or to log on to computers – than transaction authentication. A biometric doesn't let you "leave your mark" on the transactions you later create. Biometrics just don't meet the business needs of paperless applications.

We must remember biometric devices are imerfect. Even if individuals' biological traits  were intrinsically unique (and few actually are), the ability of real world commercial devices to measure them flawlessly is limited. Lenses (and bodies) get dirty, lighting varies, body parts age and scar, and each time they get presented to the scanners in subtly different ways, with variable pressure, angle, volume etc.

Therefore, every biometric system commits errors. They can confuse one user with another (False Positive) or they can fail to recognise an enrolled user at all (False Negative). The very best technologies have trial-by-trial False Positive rates of around one in a million - which sounds good but for biometric ATMs is actually not good enough; see below. Typical error rates are actually more like one in a hundred or worse, which has an impact in even small scale usage.

When deployed without any other authentication factor, in what's called "1:N identification", biometric performance becomes critical. If the trial-by-trial False Positive Rate rate is 1 in a million, the chance of getting at least one False Match when identifying someone against a database of N enroled users is P = 1-(1-0.000001)^N. So for 100,000 people using a 1-in-a-million accurate vein scaner, the probability of at least one false match is surprisngly high 9% [the maths isn't hard; Google "Birthday Pardox"]. For very 100 attempted withdrawls at a biometric-only ATM, around nine of those accesses will hit the wrong bank account. For N = one million customers, P = 1-(1-0.000001)^N = 74%. That is, 3 out of 4 withdrawls will hit someone else's account!!

So if you look at the much vaunted Japanese biometric ATMs they don't use vein scanning alone. Rather, customers must enter their PIN and their Date of Birth!

Biometrics suffer significant performance concerns especially in large scale deployments where users must be matched against big databases. Tests were conducted by the UK Passport Office in May 2005 on over 10,000 people using fingerprint, face and iris technologies. Average verification times were 39 seconds for face, 58 secs for iris and 73 secs for fingerprints. Accuracy was disappointing too: success rates were 96% for iris, 81% for fingerprints, and 69% for face.

These performance stats are old, but sadly there isn't much more recent information available in the public domain. Biometrics vendors tend to be rather secretive. A critical spec is the "Detection Error Tradeoff" curve which shows how False Positives go up (security worsens) when False Negatives are pushed down (for better convenience). But I find it impossible to get vendors to talk about their DET curves.

Biometrics are not really mature technologies. Different vendors use different algorithms; biometric scanners & software applications for now rarely interoperate across manufacturers. Single vendor solutions are usually mandatory, and migration to alternate suppliers is difficult. Many algorithms have only just come out of the R&D lab.

Perhaps the worst problem is this: it is impossible to revoke a compromised biometric and reissue a new one. In contrast, one of the best security features of smartcards and most other authenticators is they can be cancelled and replaced if lost or stolen. No security system is perfect; all good security systems have fallback mechanisms. 

Mark Sitkowski
Mark Sitkowski - Design Simulation Systems Ltd - Melbourne 14 September, 2012, 05:03Be the first to give this comment the thumbs up 0 likes

I agree with Stephen and, in this context, find it a little strange that even the FBI which, surely, must have access to the same research, is actually begging the Senate for a mountain of money, to move to biometrics - specifically, face recognition - as an authentication technology. Seems to me that everyone is scraping the sides of the box in which they're thinking, trying to squeeze something new out of old and, largely, discredited technology. Fortunately for a few banks and other organisations, they've chosen to adopt an Australian authentication system, which is as near foolproof as is possible, given the compromise that has to be made between robustness, and user-friendliness. If you can tell the difference between a zero and a one, and can match them to a word, which only exists in your head, then there will never be a false positive or negative, and the spy cameras, keyloggers and network snoopers will all fail. This is, because you're entering different patterns of zeros and ones with each access, and don't need to refer to your bank for updates, passwords or encryption keys. There's a technical description of the algorithm at, and a working ATM which, unfortunately, is only giving out virtual cash :)