Monday, December 12, 2005

Harsh Realities of Security - Part 1 of 2

Stephanie Schuckers at Clarkson Uni in the USA is investigating the foolproofness of biometric scanners (although only mentions fingerprints, plus I'm sure technology to detect "live" vs "dead" fingers existed already...)

The article reads more like a press release at times, but serves as a good introductory point for some thoughts on niometric technology. Far too many times, "biometrics" is mentioned as a buzzword to conjure up all kinds of sci-fi images based on "not-so-far-fetched" movies and security company marketing campaigns. But there's a very serious reality that sits just out of sight, obscured by politicians' imaginations and lust for infallible technology.

In this "reality", things like costs and human fallibility exist - d'oh. The great thing about writing a sci-fi story is that, well, it's "fi". The details of implementation in an economically-acountable society can be glossed over (not so far removed from reality there, then), and humans act as... well, as you want.

The UK government have made it clear that want as many people using the NIR as possible. This means that "access points" need to be just as equally widespread. Now, the purpose of the card itself has always been somewhat fuzzy - the argument that because biometrics tie an "identity" with a person extends to explain the reason why carrying a card won't be necessary, but also also therefore questions whether the card even need be optional. People don't mind cards, but might start at having things scanned all the time instead.

So the card is optional, technology-wise, but is set as a "limit" in terms of acceptance. Now when the scheme comes in, you're obviously going to want card-readers wherever proof of ID is needed - just like we have credit-card readers everywhere currently. In terms of relative cost, I suspect this won't be too much. It'll still be a large sum, but relative to part 2, it's not so bad. Card technology is (I assume) pretty simple and cheap, compared to the more complex biometric technology. The majority of card costs will likely be in the development of anti-forgability measures (although I'd love to see figures for the breakdown of card development).

But I can foresee situations where simply checking the card that someone is carrying won't be enough, and that an optional biometric scanner will be brought in - extra checks for added security for instance (e.g. Police checks), or because the validity of the cards is questionable after some time perhaps (the race against technology), or maybe even just to make it easier for people who forget their card a lot.

So we end up with a dual-verification system, which is important as it provides a dual-vector mode of attack against the system. To return to costs, biometric systems are more likely to cost more. In a public-sector environment, this isn't generally a good thing - budgets are getting tighter and "efficiency" remains on the lips of most.

It's worth mentioning now that there is a "good" reason why so many computer systems are, and remain, vulnerable to crackers - because securing a system isn't good value-for-money. If security is good, then no-one will notice - nothing will have changed after an attempted attack, and nothing will look different to before the attack. You are, then, paying to "get" nothing, as it were. Hence, people spend the cash on things that people can see does make a difference, and security gets forgotten about.

This principle applies on a micro level as well though. In an environment where efficiency and cost-cutting often seizes the rudder, expensive bioemetric systems can be a burden. But the hype around the system - the push to ensure that the system gets used so that the government doesn't look foolish - will mean that people will want to/attempt to implement a biometric channel as well. The end result of all this is that we will have some systems that have a "standard" card-reader validation channel, alongside a "cheapest-option" biometric validation channel.

As the article above points out though, there are different levels of biometric validity. And just as with all products, a range of functionality will likely be offered by the biometric equipment vendors, the cheapest probably being of the "90% false verification rate" set, and the most expensive being, perhaps fool-able 0.01% of the time (a completely random assumption, but no system is foolproof). Given the afore-mentioned budgetary constraints, which end of the scale will most public bodies go for, do you think?

If the government are taking their concerns about identity theft seriously, on a national basis, then this clash between security and economics needs to be taken seriously. To date, I've not heard any minister address anything like the issue. Inspire confidence?

Part 2, to follow later (I have a talk on hacking to go to...), will look at the more human aspects of validation.

No comments: