
Ecrime Practical Biometric


eCrime security conference Kuwait organized by EEMC. Jorge Sebastiao presented practical biometrics.

Published in: Business, Technology


  1. 1. Kuwait E-Crime: Pragmatic Biometrics. Jorge Sebastiao, CISSP, CEO, E-Security Gulf Group WLL [email_address]
  2. 2. “… aiming … to scan 12 pupils a minute, but … only managing 5, so has been temporarily suspended as we do not want pupils' meals getting cold while they wait in the queue.”
  3. 3. Travelers have been ordered not to look too happy in their passport photographs to avoid confusing facial recognition scanners. Toothy, open-mouthed grins are being outlawed from the tiny 35mm by 45mm photographs because they will throw off scanners used at airports. … The new type of passports are being introduced in a bid to fight terrorism. A Home Office spokesman said: “When the mouth is open it can make it difficult for facial recognition technology to work effectively.”
  4. 5. New ID System in 1880s: Alphonse Bertillon
     - Anthropometric identification system, 3 steps:
       - Measurements with special instruments
       - Precise physical description
       - “Peculiar marks” recorded
     - Led to Bertillon’s first successful matches in 1883; it all failed in 1903
  5. 6. Beyond PINs and Passwords…
     - Verifying Identity: something you Know (PIN), Have, or Are
  6. 7. Definition
     - “Biometrics are automated methods of recognizing a person based on a physiological or behavioral …”
  7. 8. Biometrics
     - 1D Biometrics
     - 2D Biometrics (CCD, IR, Laser, Scanner)
  8. 9. How: Physiological
  9. 10. How: Behavioral
  10. 11. Why Biometrics?
     - Security?
     - The key to security
     - Verification / Identification
  11. 12. Biometric Characteristics
     - Universal
     - Consistent
     - Unique
     - Permanent
     - Inimitable (inseparable)
     - Collectible
     - Tamper Resistant
     - Affordable (templates)
  12. 13. Why NOT?
     - Appear stronger and easier in theory than in practice
     - Enrollment can be difficult
     - Replay attacks
     - Countermeasures may require double enrollment
     - Physical spoofing possible
     - Sensor may lose efficiency
       - Large-scale usage
       - Environmental issues
     - User fears (laser in iris scanning)
     - Some biometrics vary with time
     - Bad quality of presentation (may deny access)
     - Performance, queuing theory
  13. 14. Identification vs. Authentication
     - Identification:
       - Determines the identity of the person
       - No identity claim
       - One-to-many (M-1) mapping; cost of computation grows with the number of user records
       - Captured biometric signatures come from the set of known biometric features stored in the system
     - Authentication:
       - Determines if the person is indeed who he claims to be
       - Identity claim from the user
       - 1-1 mapping; cost of computation independent of the number of records
       - Captured biometric signatures may be unknown to the system
  14. 15. High Grade Authentication
     - High security areas
     - Multiple factor authentication
     - Multi-modal biometrics
       - At least 2 biometrics
       - Biometrics + other factor
     - Challenge and response authentication
     - High assurance of identification
     - Data retrieval based on the USER
  15. 16. Part of Identity Mgmt
     - Drivers: Business Process (Track Personnel & Assets); National Security Threats (Deter, Prevent); Resource Optimization ($$$, Manpower)
     - Applications: Logical Access; Physical Access; Accountability
     - Foundation: Identity Authentication (Vetting and Fixing Identity)
  16. 17. Biometrics Components
     - Hardware
       - Sensor
       - Capture device
       - Physical transmitting
     - Software
       - Determine template
       - Interpretation
       - Acceptability
       - Key exchange, encryption
       - Validation of devices
     - Process
       - Enroll
       - Identify
       - Transmit
       - Store
  17. 18. Biometric Process
     - Enrollment stage: Biometric Present → Sensor → Signal Process → Storage
     - Identification stage: Biometric Present → Sensor → Signal Process → Decision → Accept / Reject
  18. 19. Authentication
  19. 20. Matching – Probabilistic
  20. 21. Biometrics Technologies
  21. 22. Biometrics Need Tuning
     - False non-matches
     - False matches
  22. 23. Biometrics Performance Tests
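Slides 14, 20, 22 and 23 state the matching trade-off without numbers. The following added example (not part of the presentation) computes false match and false non-match rates over constructed genuine and impostor similarity scores, picks the most user-friendly threshold that still meets a target FMR, and shows how a one-to-many identification search multiplies false-match exposure compared with 1-1 verification. The score lists are constructed sample data, not real sensor output.

```python
"""Threshold tuning for a probabilistic biometric matcher (added example)."""

# Constructed similarity scores in [0, 1], not real sensor output.
# GENUINE: a user compared with their own template.
# IMPOSTOR: a user compared with someone else's template.
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.66, 0.61, 0.58, 0.52]
IMPOSTOR = [0.12, 0.18, 0.23, 0.29, 0.33, 0.38, 0.44, 0.49, 0.55, 0.63]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FMR, FNMR) for the decision rule 'accept iff score >= threshold'.

    FMR  = false match rate: impostor attempts wrongly accepted.
    FNMR = false non-match rate: genuine attempts wrongly rejected.
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def tune_threshold(max_fmr, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest observed score usable as a threshold whose FMR stays within max_fmr.

    A lower threshold rejects fewer genuine users, so this is the most
    convenient setting that still meets the security target.
    """
    for t in sorted(set(genuine) | set(impostor)):
        if error_rates(t, genuine, impostor)[0] <= max_fmr:
            return t
    return None  # no observed score meets the target


def identification_false_match(fmr, n_templates):
    """Probability that a one-to-many search hits at least one false match.

    Assumes independent comparisons: 1-1 verification exposes a single
    comparison, identification against n_templates exposes all of them.
    """
    return 1.0 - (1.0 - fmr) ** n_templates


if __name__ == "__main__":
    print("threshold  FMR   FNMR")
    for t in (0.40, 0.50, 0.58, 0.66, 0.75):
        fmr, fnmr = error_rates(t)
        print(f"{t:9.2f}  {fmr:.2f}  {fnmr:.2f}")
    t = tune_threshold(0.10)
    print(f"\nthreshold for FMR <= 10%: {t}, (FMR, FNMR) = {error_rates(t)}")
    for n in (1, 100, 10_000):
        p = identification_false_match(0.001, n)
        print(f"FMR 0.1% per comparison, {n:>6} templates: P(false match) = {p:.3f}")
```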
  23. 24. Preventing Spoofing
     - Encryption of data
     - Authentication of biometric readers
  24. 25. Sample Biometric Attacks
  25. 26. Matsumoto Attack-1
  26. 27. Matsumoto Attack-2
  27. 28. Implementation Considerations
     - Policies
     - Security
       - Templates secure storage
       - Secure transmitting
       - Authentication of devices
       - Protect from latency
     - Technical
     - Operational
     - Testing
     - Administration
     - Political
     - Social
  28. 30. Biometrics-enabled Authentication Applications
  29. 31. Physical Access Control
     - Banks require a high degree of physical access security
     - Biometrics control access by verifying identity
     - Biometrics safeguard vaults, teller areas and safety deposit boxes
     - Technologies include:
       - hand geometry
       - fingerprint, iris
       - facial recognition
  30. 32. ATM Access
     - ATM cards and PINs can easily be lost or stolen and misused
     - Biometrics save the costs and hassles of lost, stolen and misused cards…
     - Used alone or with smart cards
     - Accurately verify the identity of persons attempting transactions
     - Technologies include:
       - iris
       - facial recognition
  31. 33. Transactions Over the Telephone
     - Universal telephone service provides very wide access to accounts
     - Increases the risk of fraud
     - Biometrics provide added security without diminishing customer convenience
     - Used technology:
       - voice recognition
  32. 34. Transactions from Home Computers
     - PCs permit convenient online financial transactions, but increase the risk of fraud
     - Biometrics safeguard online transactions by means of low-cost peripherals
     - Used alone or in conjunction with digital certificates
     - Biometrics accurately verify the identity of the person attempting a transaction
     - Technologies include:
       - voice
       - iris
       - fingerprint
       - facial recognition
  33. 35. Japanese Banks Use Biometric Tellers … to Curb Rising Fraud (11 Nov 2004)
     - Fraudulent financial claims increased 20-fold in one fiscal year in Japan. According to the Japanese Bankers Association, a total of 260 million yen was fraudulently withdrawn in 86 cases in 2003, compared with 12 million yen in four cases the previous year.
     - Bank of Tokyo-Mitsubishi installed biometrics-based automated teller machines at 267 outlets in mid-October 2004. Depositors' palm vein patterns are held on a bank card with an integrated-circuit chip, then scanned by a reading device and verified.
     - Suruga Bank has installed its own identification system, again based on palm vein patterns.
  34. 36. Part of Security Controls: ASSESS → ARCHITECT → APPLY → ADMINISTER (Business Risk, Controls Maturity)
  35. 37. Implementation Requires TPP: Technology, Process, People
  36. 38. Always POC+Pilot Implementation
  37. 39. ?