The Trou­ble with Bio­met­rics

SLOW Magazine - - Contents -

The world of bio­met­rics is fast be­com­ing a norm for mod­ern tech users. Finger­printscan­ners are used at ac­cess gates, clock-in de­vices, and on cell­phones. How­ever, not since the iphone 5S has there been as sig­nif­i­cant a game changer as the re­cently launched iphone X’s Face ID. Built into the soft­ware and de­vice, Face ID uses fa­cial recog­ni­tion to un­lock your phone, grant ac­cess to sen­si­tive apps such as bank­ing and pass­words, and au­tho­rise pur­chases on app stores and on­line re­tail­ers. There are nu­mer­ous con­cerns re­gard­ing this tech­nol­ogy, most per­tain­ing to the se­cu­rity of us­ing bio­met­rics and the safety of such unique data once it is stored.

Fa­cial recog­ni­tion is not a new tech­nol­ogy. Nei­ther is it in­fal­li­ble. As far back as 2009, se­cu­rity re­searchers proved that the soft­ware could eas­ily be fooled by a good qual­ity pho­to­graph, while more re­cently in 2015, Dan Moren, a writer for Pop­u­lar Sci­ence, tricked an Alibaba fa­cial recog­ni­tion sys­tem sim­ply by us­ing a video that in­cluded him­self blink­ing (the blink­ing is nec­es­sary be­cause reg­is­ter­ing for fa­cial recog­ni­tion tech­nol­ogy typ­i­cally re­quires users to hold their smart­phone cam­era up to their face and blink or smile to val­i­date life). Ap­ple ar­gues that its Face ID soft­ware will not be as eas­ily fooled – or hacked, for that mat­ter. This is be­cause the new iphone X uses an in­frared sys­tem, Truedepth, to project a grid of 30,000 in­vis­i­ble light dots onto the user’s face, after which an in­frared cam­era cap­tures the dis­tor­tion of that grid as the user ro­tates his or her head, creat­ing a 3D map of the user’s face. The tech­nol­ogy is like that used by spe­cial ef­fects artists to cap­ture ac­tors’ faces and morph them into an­i­mated char­ac­ters.

While this sounds se­cure, Marc Rogers, a se­cu­rity re­searcher at Cloud­flare, be­lieves that in time, hack­ers will find a way to crack this. His sug­ges­tion as to how: a 3D print of a tar­get’s head. “The mo­ment some­one can re­pro­duce your face in a way that can be played back to the com­puter, you’ve got a prob­lem. I’d love to start by 3D print­ing my own head and see­ing if I can use that to un­lock it.”

One of the fun­da­men­tal prob­lems with fa­cial recog­ni­tion is that, un­like a pass­code, faces do not change. So, if some­one suc­cess­fully cap­tures your like­ness in a way that can fool fa­cial recog­ni­tion soft­ware once, they can fool it 100 times. More­over, if you are mugged or ar­rested or oth­er­wise de­tained, it will not be pos­si­ble to hide your face to stop some­one from gain­ing ac­cess to your de­vice. While Touch ID suf­fers from this same dilemma, the dif­fer­ence is that a per­son’s face is pub­lic and to­day, very likely to be widely – not to men­tion eas­ily – found on so­cial me­dia plat­forms, or the In­ter­net in gen­eral.

Us­ing your face, one of the most ob­vi­ous things about you, to ac­cess some­thing that holds sen­si­tive data is, well, a lit­tle daft, re­ally. Re­turn­ing to the whole 3D fa­cial pho­to­stat idea, re­searchers at the Univer­sity of North Carolina re­cently proved that it is, in fact, pos­si­ble to suc­cess­fully re­con­struct a 3D vir­tual model of some­one’s face us­ing noth­ing other than pho­tos found on Face­book. Their model was good enough to fool not one, not two, but five dif­fer­ent fa­cial­recog­ni­tion ap­pli­ca­tions they tested it against, and they had up to an 80% suc­cess rate do­ing it.

Of course, what should not be over­looked is that crim­i­nals are un­likely to go to the ex­treme of 3D print­ing the av­er­age per­son’s face to gain ac­cess to their phone. Also note­wor­thy is that one could al­ways de­ac­ti­vate that par­tic­u­lar se­cu­rity fea­ture on their phone, or per­haps only en­able it for cer­tain ap­pli­ca­tions, and re­vert to us­ing a tra­di­tional nu­meric pass­code. So, there are ways around this.

What is giv­ing se­cu­rity ex­perts – along with con­spir­acy the­o­rists – more cause for con­cern is that, as the cap­tur­ing of peo­ple’s fin­ger­prints be­comes in­creas­ingly com­mon, so does the like­li­hood that sup­pos­edly se­cure sys­tems can be hacked and the fin­ger­prints leaked or stolen, as hap­pens with pass­words and credit card in­for­ma­tion. Some ex­perts ar­gue that a fin­ger­print is even eas­ier to steal than a pass­word. And, once some­one has an im­age of your fin­ger­print, creat­ing a mould and model of it is no more dif­fi­cult. Once your fin­ger­print has been cap­tured, there is no chang­ing it like your 0123 ac­cess code.

Unique, per­ma­nent biological iden­ti­fiers are very valu­able to hack­ers – they have it, they have you. Se­cu­rity ex­perts are thus pretty firm in their in­sis­tence that the use of bio­met­rics to ac­cess things should be care­fully con­sid­ered.

Newspapers in English

Newspapers from South Africa

© PressReader. All rights reserved.