C. J. Kelly

A Day in the Life of an Information Security Officer

What's wrong with biometrics

Banks need to implement two-factor or multi-factor authentication for online banking by the end of the year. What concerns me is the idea that biometrics is somehow going to solve the problem of identity theft and bank fraud. Let me lay it out for you.

Identity theft is the problem of the customer. Seriously. The customer is responsible for guarding his or her personal information while it resides in their possession: on a laptop or home computer, in a wallet, in a briefcase, in a PDA, etc. The customer is also responsible for ensuring the security of that data over the Internet (that is why we have personal firewalls, anti-virus, anti-spyware, and only send our information over encrypted sessions - https://).

Identity theft is also a problem for the bank because it leads to bank fraud. Someone charges thousands of dollars to your credit card or uses your ATM Visa/MC card to deduct same from your bank accounts. Someone approved those charges. Recent reports tell us that most of these fraudulent charges occur over the web, after the information has been stolen using a variety of methods. The bank has to give you your money back if they offer this type of security guarantee.

Transaction authentication is a huge problem for vendors and that is another topic altogether. Stay with me.

Bank fraud occurs when someone defrauds the bank of money. This might take the form of having to reimburse a customer for stolen funds without being able to recoup the loss. There are many examples of bank fraud, but they are not pertinent to the point I'm getting to. Suffice it to say that biometric authentication has been touted as solving both problems: identity theft and bank fraud.

The problem with authentication in general is that any customer-supplied credential can be spoofed by a criminal, especially a sophisticated one. It doesn't matter if it's your user name (login), password, PIN, thumbprint, retina scan, or your mother's maiden name. It's all the same - information stored in a database. The "authentication" occurs when what you enter is successfully matched against a database record. Sounds like database security becomes the paramount security focus, doesn't it?

So let's pick on that little fob you have to carry around too. A randomly generated number is displayed when you push a button on the fob or hardware token. You enter that number within a certain time period. If it matches the number the server generated for the same period, you're in. I slightly understated how it works, but the point is the same. If I get your fob, I get to push the button.
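As an added illustration (not part of the original post), here is the server side of the time-based one-time-password check a fob like that implements, in the RFC 4226/6238 form; the secret below is the RFC test-vector key, used here as a constructed example. Note that the server must hold the very same secret as the fob, which is exactly the database-security point made above.

```python
import hashlib
import hmac
import struct

# Shared secret held by both the fob and the bank's server.
# Constructed example: the RFC 4226/6238 test-vector key, not a real key.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # how long one displayed code stays valid
DIGITS = 6          # length of the code shown on the fob


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since epoch.

    The fob and the server compute this independently from the same secret
    and roughly synchronised clocks; nothing is transmitted but the result.
    """
    return hotp(secret, at_time // step)


def verify(secret: bytes, submitted: str, at_time: int,
           drift_steps: int = 1) -> bool:
    """Server-side check of a code the customer typed in.

    Accepts the code for the current step or the neighbouring steps
    (clock drift, typing delay), and compares in constant time so the
    check itself does not leak how many digits were right.
    """
    current = at_time // STEP_SECONDS
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = 59                                 # RFC 6238 test time
    code = totp(SECRET, now)                 # what the fob would display
    print(code, verify(SECRET, code, now))   # 287082 True
    print(verify(SECRET, code, now + 120))   # False: window has passed
```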

Authentication is not the only problem. There are several factors that come into play in this discussion:
The security of the banking infrastructure
The security of online banking
The security "behavior" of the consumer

Let's take the first one - banks understand how to protect their networks, servers, databases, ATM machines, and facilities. Check. Insider threats are their biggest concern.

Now, the second one - banks have absolutely no control over what goes on in the World Wide Web. Banks have to do something, so they might send their customers a hardware token, a thumbprint scanner, or institute some type of challenge-response question type of scenario. In any case, this is not going to cut the mustard.

The security behavior of the consumer is improving - vastly, thanks to news stories and security awareness campaigns on every front.

The only thing biometrics brings to the table is another layer of authentication. One security colleague of mine refuses to participate in any type of biometric authentication. He says that you only have one thumbprint, one retina profile, etc. Once that information is compromised - it's compromised for life.

I am not sure what the answer is. But I am afraid that confidence is being lost, if there was any. I am also investigating some alternative ways of solving the problem with the security of online banking. I think we may be looking at the problem backwards.

What People Are Saying

We need to be responsible

We need to be responsible for protecting our identity like we protect our children, around the clock and with great diligence.

I think the "thieves" have had adequate time to prepare for circumventing two-factor authentication.

It's a Joke, Right?

This is either nonsense or inspired trolling. About half the stuff I read here makes me quote John McEnroe -- "you cannot be serious!" This is actually more in the other half, which I categorize as the "Master (or Mistress) of the Obvious" postings.

Why would we reasonably assume that *any* technology will eliminate a particular variety of crime? It seems to me that technologies typically serve not to eliminate crime, but to make it more difficult, or less rewarding, or to make detection that much easier. For example, cars have alarms, but they still get stolen. It's probably more difficult now than it used to be, but I imagine that the thieves are more skilled. Car alarms didn't eliminate car theft, they just raised the bar for car thieves. The same probably holds true for embedded-chip car keys and several other technologies.

Why should we have a different expectation regarding strong authentication and identity theft? You make my point with your comment about hardware tokens -- "If I get your fob, I get to push the button." Hopefully you agree that it's probably more difficult for you to get my fob than it is for you to steal my password. The fob doesn't eliminate the crime, it makes the crime more difficult to perpetrate.

Will the actual incidence of identity theft decrease with the widespread implementation of multi-factor authentication? Who knows? But it'll require a different, and smarter, breed of crooks.

IDtheft is everyone’s

IDtheft is everyone's issue. We give our information everywhere (you only have to give SSN info to 3 entities by law: IRS, banks for credit, and SS for your payout) and think nothing of it. People write their PIN numbers on the back of the ATM cards (happens all the time) or they give the kid the number one time to run out in the rain. Like your kid will ever forget that number; if you believe that, I will sell you a bridge. How many of you throw away your bills when paid without shredding them or send checks to billers in the mail (ooooh postal fraud).

The financial institutions do have a part and tools like biometrics and 2-factor authentication will help. So will encrypting all data both live on servers and at rest in storage, and shredding trash at FI's. But CJ is ultimately correct, the consumer is the largest factor in their own IDtheft and needs to embrace as much as they can technology or security measures to protect their data.
From:
One who knows, that works at a FI, with all the security listed above in place.

While I agree that the

While I agree that the customer should be responsible for their own data, the banks that are holding that information are even more responsible while that data is in their possession.

Real people have all kinds of issues to deal with, their kids and spouses, fixing the car, dealing with sickness etc. and worrying about all the ways someone may steal their identity (while a big deal) isn't their only one.

I find it amazing that technologies are put in place by companies (such as banks) with the main objective being making money and customer security coming in a distant second, third or fourth. Let's put some more of the blame where it really belongs.

Your publication runs story

Your publication runs story after story about personal data swiped from doctors' laptops, copied from business databases by wayward employees, and even published online by county governments, but ID theft is strictly the CONSUMER'S fault?! You are one nutty broad. Or is this satire and just not written well enough for us to tell?