
Debate Session (III) – Why risk management and vulnerability assessment is important?
Dr Ted Dunstone, Chair Technical Panel, Biometrics Institute; CEO, Biometix
Some Debate Questions
• What are the main vulnerability points of ABC systems and their known (and unknown) strengths and weaknesses?
• What are the current known real-world biometric attacks?
• What are the implications of these attacks, and how can they be mitigated?
• How to ensure vulnerability is included in overall ABC risk management?
• How to assess the risks, and what are the methods for penetration testing?
• What is a research direction for vulnerability detection in ABC systems?
• How to encourage border management agencies to address potential vulnerabilities?
• How to exchange and share experiences on this topic?
Biometrics & Vulnerability Now
• Things are changing rapidly (at last!)
– BVEAG meeting in London
– ISO standards still primarily address performance testing, but ISO/IEC 30107 addresses presentation attacks (spoofing)
– Two NIST conferences on biometric performance – both had significant content relating to vulnerabilities
– LivDet – 2009, 2011, 2013 fingerprint liveness detection competitions
– Tabula Rasa – Trusted Biometrics under Spoofing Attacks
– BEAT – Biometrics Evaluation and Testing
– Governments are including “spoof resistance” in procurement specs
Some Real Vulnerability Cases
Japan: Fingerprint Spoofing (published 29 January 2010)
• Two South Korean women using special tapes on their fingers
US: Fingerprints Removed
• Cancer drug Capecitabine removed fingerprints
Canada: Facial Spoofing (November 2010) – Air Canada
• Brazilian Hospital (March 2013)
Vulnerability Web Results (web search hit counts)
Biometric Spoofing: 8,140,000
Fingerprint Biometric Spoofing: 547,000
Face Biometric Spoofing: 276,000
Iris Biometric Spoofing: 97,900
Voice Biometric Spoofing: 3,200,000 (!)
• Speaker Verification Biometric Spoofing
• Recognise that biometric vulnerability has become mainstream and share some of the activities that are
• Find ways to improve transparency so that all parties speak a common language and understand how systems can be/have been tested.
• Procurement specs, test results and statements about performance should be objective and unambiguous.
• Improve the spoof resistance of biometric systems, leading to wider deployment.
Vulnerability Checklist
• What are the common vulnerabilities for your technology (including
• Do you have a risk management plan, and does it include the potential for biometric vulnerability?
• Are you aware of the difference between a standard false accept rate and a biometric vulnerability?
• For your system, what vulnerability-related documentation exists?
• Are there any configuration options for vulnerability detection?
• Will there be performance trade-offs when using vulnerability detection?
• How is a potential vulnerability notified?
• What types of conditions might create a false vulnerability alert?
• Do you have a plan in your enrolment or verification workflow that addresses vulnerability?
• What mitigations can be established to protect against vulnerabilities?
• Would you use external resources to conduct an assessment?
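The checklist asks two things a practitioner usually has to demonstrate with numbers rather than words: why a standard false accept rate says nothing about spoof resistance, and what the performance trade-off of switching on vulnerability (presentation attack) detection looks like. The following is an added illustration, not material from the slides or from Biometix. All comparison scores and liveness scores are constructed for the example, and the PAD module they are supposed to come from is hypothetical. The APCER and BPCER metric names are the ones defined in ISO/IEC 30107-3; the data behind them here is invented.

```python
"""Zero-effort FAR vs. presentation-attack success, and the PAD trade-off.

Added illustration, not from the slides. All scores below are constructed
to make the point; they are not measurements of any real system.
"""

# Constructed comparison scores (higher = more similar to the enrolled template).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.90, 0.87, 0.93, 0.81, 0.86]
# Zero-effort impostors: other people's fingers, no attempt to resemble the target.
IMPOSTOR_SCORES = [0.12, 0.25, 0.31, 0.08, 0.19, 0.44, 0.22, 0.15, 0.28, 0.35]
# Presentation attacks: artefacts copied from the target's print (tape, gelatine).
# A good artefact scores like the genuine user, not like a zero-effort impostor.
SPOOF_SCORES = [0.83, 0.77, 0.89, 0.71, 0.85, 0.92, 0.66, 0.80, 0.78, 0.87]

# Constructed liveness scores from a hypothetical PAD module (higher = more "live").
BONA_FIDE_LIVENESS = [0.90, 0.85, 0.70, 0.95, 0.60, 0.88, 0.92, 0.78, 0.55, 0.83]
ATTACK_LIVENESS = [0.20, 0.35, 0.50, 0.10, 0.65, 0.30, 0.15, 0.45, 0.25, 0.58]


def fraction_at_or_above(scores, threshold):
    """Fraction of scores that reach the threshold."""
    return sum(1 for s in scores if s >= threshold) / len(scores)


def false_accept_rate(impostor_scores, match_threshold):
    """FAR: zero-effort impostors wrongly accepted by the matcher."""
    return fraction_at_or_above(impostor_scores, match_threshold)


def false_reject_rate(genuine_scores, match_threshold):
    """FRR: genuine users wrongly rejected by the matcher."""
    return 1.0 - fraction_at_or_above(genuine_scores, match_threshold)


def spoof_success_rate(spoof_scores, match_threshold):
    """Share of presentation attacks the matcher alone accepts (no PAD in the loop)."""
    return fraction_at_or_above(spoof_scores, match_threshold)


def apcer(attack_liveness, pad_threshold):
    """APCER (ISO/IEC 30107-3): attack presentations that PAD classifies as bona fide."""
    return fraction_at_or_above(attack_liveness, pad_threshold)


def bpcer(bona_fide_liveness, pad_threshold):
    """BPCER (ISO/IEC 30107-3): bona fide presentations that PAD classifies as attacks."""
    return 1.0 - fraction_at_or_above(bona_fide_liveness, pad_threshold)


def end_to_end_spoof_success(spoof_scores, attack_liveness, match_threshold, pad_threshold):
    """Attack i succeeds only if it passes PAD *and* the matcher (scores paired per presentation)."""
    passed = [m >= match_threshold and l >= pad_threshold
              for m, l in zip(spoof_scores, attack_liveness)]
    return sum(passed) / len(passed)


def summarise(match_threshold, pad_threshold):
    """The rates a procurement spec should state separately, for one operating point."""
    return {
        "FAR": false_accept_rate(IMPOSTOR_SCORES, match_threshold),
        "FRR": false_reject_rate(GENUINE_SCORES, match_threshold),
        "spoof_success_no_PAD": spoof_success_rate(SPOOF_SCORES, match_threshold),
        "APCER": apcer(ATTACK_LIVENESS, pad_threshold),
        "BPCER": bpcer(BONA_FIDE_LIVENESS, pad_threshold),
        "spoof_success_with_PAD": end_to_end_spoof_success(
            SPOOF_SCORES, ATTACK_LIVENESS, match_threshold, pad_threshold),
    }


if __name__ == "__main__":
    # A matcher tuned to FAR = 0 on this data still accepts every artefact;
    # raising the PAD threshold cuts APCER but raises BPCER (more genuine users bounced).
    for pad_t in (0.50, 0.60, 0.70):
        print(f"match>=0.50 pad>={pad_t:.2f}:", summarise(0.50, pad_t))
```

At a match threshold of 0.50 the constructed data gives FAR and FRR of zero, yet every artefact is accepted, which is exactly why a quoted FAR is not a spoof-resistance figure. Sweeping the PAD threshold from 0.50 to 0.70 drives APCER from 30% to 0% while BPCER climbs from 0% to 20%: that is the performance trade-off the checklist asks about, and the reason PAD thresholds belong in the configuration review and the risk plan rather than in a vendor default.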