Debate Session (III) – Why risk management and vulnerability assessment is important?
Dr Ted Dunstone, Chair Technical Panel Biometrics Institute, CEO Biometix

Some Debate Questions
• What are the main vulnerability points of ABC systems and their known (and unknown) strengths and weaknesses?
• What are current known real-world biometric attacks?
• What are the implications of these attacks? And how to mitigate them?
• How to ensure vulnerability is included in overall ABC risk management?
• How to assess the risks and what are the methods for penetration testing?
• What is a research direction for vulnerability detection for ABC systems?
• How to encourage border management agencies to address potential vulnerabilities?
• How to exchange and share the experiences on this topic?

Biometrics & Vulnerability Now
• Things are changing rapidly (at last!)
– BVEAG Meeting in London
– ISO standards still primarily address performance testing, but 30107 addresses presentation attack (spoofing)
– Two NIST conferences on biometric performance – both had significant content relating to vulnerabilities
– LivDet – 2009, 2011, 2013 fingerprint liveness detection competition
– Tabula Rasa – Trusted Biometrics under Spoofing Attacks
– BEAT – Biometrics Evaluation and Testing
– Governments are including “spoof resistance” in procurement specs

Some Real Vulnerability Cases
• Japan: Fingerprint Spoofing (published 29 January 2010) – two South Korean women using special tapes on their fingers
• US: Fingerprints Removed – cancer drug Capecitabine removed fingerprints
• Canada: Facial Spoofing (November 2010) – Air Canada
• Brazilian Hospital (March 2013)

Vulnerability Web Results
• Biometric Spoofing: 8,140,000
• Fingerprint Biometric Spoofing: 547,000
• Face Biometric Spoofing: 276,000
• Iris Biometric Spoofing: 97,900
• Voice Biometric Spoofing: 3,200,000 (!)
• Speaker Verification Biometric Spoofing: 1,750,000

Aims
• Recognise that biometric vulnerability has become mainstream and share some of the activities that are underway
• Find ways to improve transparency so that all parties speak a common language and understand how systems can be/have been tested
• Procurement specs, test results and statements about performance should be objective and unambiguous
• Improve the spoof resistance of biometric systems, leading to wider deployment

Vulnerability Checklist
• What are the common vulnerabilities for your technology (including biometrics)?
• Do you have a risk management plan, and does it include the potential for biometric vulnerability?
• Are you aware of the difference between a standard false accept rate and a biometric vulnerability?
• For your system, what vulnerability-related documentation exists?
• Are there any configuration options for the vulnerability detection?
• Will there be trade-offs in performance when using the vulnerability detection?
• How is a potential vulnerability notified?
• What types of conditions might create a false vulnerability alert?
• Do you have a plan in your enrolment or verification workflow that supports vulnerability?
• What mitigations can be established to protect against vulnerabilities?
• Would you use external resources to conduct an assessment?