Fingerprint and face scanners aren’t as secure as we think they are



[Image: Biometric systems are increasingly used in our civil, commercial and national defence applications. Credit: Shutterstock]

Wencheng Yang, Edith Cowan University and Song Wang, La Trobe University

Despite what every spy movie in the past 30 years would have you think, fingerprint and face scanners used to unlock your smartphone or other devices aren’t nearly as secure as they’re made out to be.

While it’s not great if your password is made public in a data breach, at least you can easily change it. If the scan of your fingerprint or face – known as “biometric template data” – is revealed in the same way, you could be in real trouble. After all, you can’t get a new fingerprint or face.

Your biometric template data are permanently and uniquely linked to you. The exposure of that data to hackers could seriously compromise user privacy and the security of a biometric system.

Current techniques provide effective security from breaches, but advances in artificial intelligence (AI) are rendering these protections obsolete.






How biometric data could be breached

If a hacker wanted to access a system that was protected by a fingerprint or face scanner, there are a number of ways they could do it:

  1. your fingerprint or face scan (template data) stored in the database could be replaced by a hacker to gain unauthorised access to a system

  2. a physical copy or spoof of your fingerprint or face could be created from the stored template data (with Play-Doh, for example) to gain unauthorised access to a system

  3. stolen template data could be reused to gain unauthorised access to a system

  4. stolen template data could be used by a hacker to unlawfully track an individual from one system to another.

Biometric data need urgent protection

Nowadays, biometric systems are increasingly used in our civil, commercial and national defence applications.

Biometric systems are now built into everyday consumer devices like smartphones. MasterCard and Visa both offer credit cards with embedded fingerprint scanners. And wearable fitness devices are increasingly using biometrics to unlock smart cars and smart homes.

So how can we protect raw template data? A range of encryption techniques have been proposed. These fall into two categories: cancellable biometrics and biometric cryptosystems.






In cancellable biometrics, complex mathematical functions are used to transform the original template data when your fingerprint or face is being scanned. This transformation is non-reversible, meaning there’s no risk of the transformed template data being turned back into your original fingerprint or face scan.

In a case where the database holding the transformed template data is breached, the stored records can be deleted. Additionally, when you scan your fingerprint or face again, the scan will result in a new unique template even if you use the same finger or face.
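
A minimal sketch of the revocation property described above, added here as an illustration and not taken from the original article. The article names no specific function, so this assumes a sign-of-random-projection transform (a BioHashing-style construction); the feature vectors, token values and threshold are constructed for the example.

```python
import random

M_BITS = 256  # protected-template length in bits (assumed parameter)

def protect(features, token, m_bits=M_BITS):
    """Project the features onto token-seeded random directions; keep only signs."""
    rng = random.Random(token)  # token: revocable secret issued at enrolment
    bits = []
    for _ in range(m_bits):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        dot = sum(w * x for w, x in zip(direction, features))
        bits.append(1 if dot > 0 else 0)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def matches(stored, features, token, threshold=40):
    """Matching happens entirely in the transformed domain."""
    return hamming(stored, protect(features, token)) <= threshold

# Constructed sample data: 64-dimensional feature vectors, not real biometrics.
_rng = random.Random(2019)
ALICE = [_rng.gauss(0.0, 1.0) for _ in range(64)]
ALICE_RESCAN = [x + _rng.gauss(0.0, 0.05) for x in ALICE]  # same finger, sensor noise
MALLORY = [_rng.gauss(0.0, 1.0) for _ in range(64)]

def demo():
    stored = protect(ALICE, token=1001)
    return {
        "genuine": hamming(stored, protect(ALICE_RESCAN, 1001)),
        "impostor": hamming(stored, protect(MALLORY, 1001)),
        # After a breach: delete `stored`, issue a new token, re-enrol the same finger.
        "reissued": hamming(stored, protect(ALICE, token=2002)),
    }

if __name__ == "__main__":
    print(demo())
```

The reissued template sits about as far from the breached one as a stranger's would, so the stolen record neither matches nor links to the new enrolment. Keeping only signs discards magnitudes, but the token must still be protected: with it, an attacker can approximate the direction of the original feature vector.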

In biometric cryptosystems, the original template data are combined with a cryptographic key to generate a “black box”. The cryptographic key is the “secret” and query data are the “key” to unlock the “black box” so that the secret can be retrieved. The cryptographic key is released upon successful authentication.

AI is making security harder

In recent years, new biometric systems that incorporate AI have really come to the forefront of consumer electronics. Think: smart cameras with built-in AI capability to recognise and track specific faces.

But AI is a double-edged sword. While new developments, such as deep artificial neural networks, have enhanced the performance of biometric systems, potential threats could arise from the integration of AI.

For example, researchers at New York University created a tool called DeepMasterPrints. It uses deep learning techniques to generate fake fingerprints that can unlock a large number of mobile devices. It’s similar to the way that a master key can unlock every door.

Researchers have also demonstrated how deep artificial neural networks can be trained so that the original biometric inputs (such as the image of a person’s face) can be obtained from the stored template data.






New data protection techniques are needed

Thwarting these types of threats is one of the most pressing issues facing designers of secure AI-based biometric recognition systems.

Existing encryption techniques designed for non AI-based biometric systems are incompatible with AI-based biometric systems. So new protection techniques are needed.

Academic researchers and biometric scanner manufacturers should work together to secure users’ sensitive biometric template data, thus minimising the risk to users’ privacy and identity.

In academic research, special focus should be put on the two most important aspects: recognition accuracy and security. As this research falls within Australia’s science and research priority of cybersecurity, both government and private sectors should provide more resources to the development of this emerging technology.

Wencheng Yang, Post Doctoral Researcher, Security Research Institute, Edith Cowan University and Song Wang, Senior Lecturer, Engineering, La Trobe University

This article is republished from The Conversation under a Creative Commons license. Read the original article.


Two Christian Families in Bangladesh Suffer Extortion, Beatings


Muslims vehemently protest baptism of converts, fabricate false charge against church leaders.

PINGNA, Bangladesh, August 2 (CDN) — Two Christian women in Bangladesh’s northern district of Jamalpur said village officials extorted relatively large sums of money from them – and severely beat the husband of one – for proclaiming Christ to Muslims.

Johura Begum, 42, of Pingna village said a member of the local union council, an area government representative and the father of a police officer threatened to harm her grown daughters if her family did not pay them 20,000 taka (US$283). The police officer whose father was allegedly involved in the extortion was investigating a fabricated charge that Christians had paid Muslims to participate in a river baptism on May 26.

Begum had invited seven converts from Islam, including three women, to be baptized on the occasion, she said. Only six men among 55 converts were baptized by the leaders of the Pentecostal Holiness Church of Bangladesh (PHCB), Christian leaders said, as the rest were intimidated by protesting Muslims; the next day, area Islamists with bullhorns shouted death threats to Christians.

“The council member threatened me, saying I had to give him 20,000 taka or else we could not live here with honor, dignity and security,” Begum said. “If I did not hand over the money, he said my grown-up twin daughters would face trouble.”

Begum said her husband is a day-laborer at a rice-husking mill, and that 20,000 taka was a “colossal amount” for them. She was able to borrow the money from a Christian cooperative, she said.

“I gave the extortion money for the sake of our safety and security,” Begum said. “It is not possible to say aloud what abusive language they used against me for inviting people to God.”

Villagers backed by a political leader of the ruling Bangladesh Awami League party also allegedly extorted 250,000 taka (US$3,535) from another Christian woman, 35-year-old Komola Begum of Doulatpur village, whose husband is a successful fertilizer seller.

The villagers claimed that she and her husband had become rich by receiving funds from Christians. After the baptisms, local Muslims beat her husband to such an extent that he received three days of hospital treatment for his injuries, she said.

Komola Begum, who had invited 11 persons including three women to the baptisms, told Compass that her husband’s life was spared only because she paid what the Muslims demanded.

“My husband is a scapegoat – he simply does business,” she said. “But he was beaten for my faith and activities.”

 

False Charge

The 55 baptisms were to have taken place on the banks of the Brahmanputra River in Mymensingh district, 110 kilometers or 68 miles north of Dhaka (Jamalpur is 140 kilometers or 87 miles northwest of Dhaka).

Leaders of the PHCB congregation had begun baptizing the converts, and the rage of area Muslims flared as they staged a loud protest at the site, area Christians said. Police soon arrived and detained the Christian leaders and others present.

At the police station, officers forced one of those present at the baptism, 45-year-old Hafijur Rahman, to sign a statement accusing four of the Christian leaders of offering him and others money to attend, Rahman told Compass.

Police swiftly arrested two of the Christian leaders, while two were able to flee.

Rahman told Compass that he was not offered any money to go to the baptism service.

“I was not aware of the content of the case copy – later I came to know that a case was filed against the four Christian neighbors by me,” Rahman said. “I am an illiterate man. Police took my fingerprint on a blank paper under duress, and later they wrote everything.”

Rahman said he went to the baptisms because one of his neighbors invited him.

“I went there out of curiosity,” he said. “They did not offer us any money.”

The document Rahman signed charges that he and others were offered 5,000 taka (US$70) each as a loan to attend a meeting in Mymensingh.

“Instead of attending a meeting, they took us to the bank of the Brahmanputra River,” the document states. “Some Christian leaders had some of us bathed according to the Christian religion. Then some of us protested. The Christian leaders said, ‘If you need to take loan, you need to accept Christian religion.’”

Denying that Rahman was forced to sign the document, local Police Chief Golam Sarwar told Compass that a fraud case was filed against four Christians.

“They lured local Muslims by giving them 5,000 taka to become Christian, and their activities hurt the religious sentiment of the Muslims,” Sarwar said.

For three days after the baptism ceremony, Jamalpur district villagers announced through bullhorns the punishment Christians would receive for their activities, chanting among other slogans, “We will peel off the skins of the Christians.” They also shouted that they would not allow any Christians to live in that area.

Johura Begum said that when she became a Christian 20 years ago, area Muslims beat her and forced her to leave the village, though she was able to return three years later.

“Local Muslims bombarded us with propaganda – that when I became a Christian, I would have to be naked in the baptism before the Christian cleric,” said Johura Begum. “Recently they are bad-mouthing Christianity with these kinds of disgraceful and scurrilous rumors, and my daughters cannot attend their classes.”

Report from Compass Direct News