October 2, 2013 -
The Biometrics Institute is campaigning for widespread adoption of spoof detection technology, and it’s not alone.
“This attack technique of presenting a fake biometric to a biometric sensor for identity theft or concealing one’s identity is commonly known as spoofing,” Ted Dunstone, Chair of the Biometrics Institute Vulnerability Assessment Expert Group (BVAEG) said. “And such attacks are well known and studied.”
Ever since the Chaos Computer Club successfully spoofed the iPhone 5S’s fancy Touch ID sensor (with little more than a gummy bear attack), the question of security has surrounded the conversation regarding Apple’s new device.
There is a significant camp of people that say security has never been the objective – arguing that convenience is the main reason for the sensor. But on the other hand, there are many that say that regardless of the intent, breaking into a smartphone shouldn’t be as easy as using silicon on a printed transparency. Nothing can ever be 100 percent secure, but we can certainly do better.
There are a number of technologies – both hardware and software – that can be used to detect spoofing attacks. The international community is addressing this emerging idea of technology though an ISO/IEC standards project to develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing.
“The BVAEG – a subcommittee of the independent Biometrics Institute – consists of many of the most experienced experts in this area from around the world,” Isabelle Moeller, Chief Executive of the Biometrics Institute said. “The BVAEG mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures and testing, and to help facilitate the dissemination of new research or findings in this area.”
According to an issued statement, the Biometrics Institute encourages manufacturers of equipment that include biometrics sensors to be proactive in adopting spoof detection technology to maximise the chance of successfully rejecting a biometric spoof, and also recommends government agencies and top-level decision makers be aware of the need for appropriate biometric vulnerability testing and certification as they consider both the risk and the convenience of the security mechanism.
The BVAEG is holding its next workshop in March 2014.