The assessment of vulnerability is vital for ensuring biometric security, and is a concept distinct from system accuracy. A perfectly accurate biometric system may still be highly vulnerable to attack, as unauthorized users may find alternative ways by which they can be falsely accepted by a system.
Compared with the effort expended on determining performance accuracy, significantly less effort has been given to the problem of determining if a presented biometric is real or fake. With the increasing use of biometric systems, the understanding of vulnerability-related risks and their appropriate treatment will be a vital part of future biometric deployments.
All the attack methods described in this chapter are vulnerabilities that are publicly known. As a general principle, the public dissemination of points of vulnerability is an important step towards ensuring system designers can put in place appropriate risk mitigations. Secrecy about avenues of attack can help potential fraudsters more than the disclosure of risks, since where the risks are not understood by the system owners, attack methods may be easily exploited. The principle of security through transparency is accepted practice in the cryptographic community.
Keywords: Replay Attack, Biometric System, Iris Recognition, Face Recognition System, Attack Method