By Brian Bergstein
BOSTON — A trick reminiscent of a fun-house mirror might improve the security and privacy of the access-control technology that examines fingerprints, facial features or other personal characteristics.
In such systems, known as biometrics, a computer generally reduces an image to a template of "minutia points" — notable features such as a loop in a fingerprint or the position of an eye. Those points are converted to a numeric string by a mathematical algorithm, then stored for later analysis.
But those mathematical templates, if stolen, can be dangerous.
So researchers have developed ways to alter images in a defined, repeatable way, so that hackers who managed to crack a biometric database would be able to steal only the distortion — not the true, original face or fingerprint.
Charles Palmer, head security researcher for International Business Machines Corp., believes biometric fraud will become more sophisticated — and problematic — as border crossings, passports, financial networks, personal computers and even checkout counters increasingly use the technology.
Worldwide biometric industry revenue is expected to soar from $1.5 billion this year to $5.3 billion in 2010, with government and law enforcement accounting for almost half of the total, according to the International Biometric Group, a consulting firm.
"Let's face it: When it becomes worth hacking, it will be (done)," Palmer said. "The threat right now might not be massive, but I do believe the threat will be large very soon."
Although it is considered impossible to take an image's minutia points and re-create the original, it is possible to concoct an image that shares those points and use it to trick a biometric system. This chicanery requires either hacking into a biometric-equipped network or using a low-tech scam such as making a fake finger out of something like latex or gummy bears.
IBM's solution is to make biometric readers distort the image before it is scanned. For example, a face might be made to appear lumpy, or squished up around the eyes. Then a template of the distorted image would be stored.
When someone returned to the scanner, the real-life image would be transformed according to the same patterns, creating a match with the tweaked image in the database.
The original image isn't stored anywhere. And even if hackers could obtain the altered biometric, it would be of limited use as long as individual organizations maintained their own formulas for transforming images before scanning.
Therein lies the real advantage of the method. While a standard biometric can't be torn up and reissued like a credit card or password — since it's based on unchanging aspects of a person's physical appearance — distortion makes that possible. A bank or an office building that had its biometrics compromised could register new ones simply by changing the way it transforms images.
That's why IBM calls this "cancelable biometrics."
At least one biometrics vendor, iris-scanner Iridian Technologies Inc., says it offers a cancelable system. Iridian alters the computer-generated template rather than the original image, but the effect is the same.
"You can't take a biometric out of one application and replay it in another," said Frank Fitzsimmons, Iridian's chief executive.
Perhaps the biggest benefit, experts contend, could be to improve public perceptions about what happens to biometric data behind the scenes as the technology becomes more widespread.
If an organization can check only its version of distorted biometrics, that could reduce fears — some realistic, some paranoid — that government or big companies might maintain a vast database of biometric data for intrusive tracking or marketing purposes.
The system "could be understood as being more privacy-protected by the normal, everyday consumer," said Philip Youn, a consultant with the International Biometric Group.
Even so, Youn said the distortion approach might not necessarily offer significantly better privacy than systems in which biometric data are not stored in vulnerable, centralized databases but rather on chip-embedded "smart" cards. In that scenario, the biometric reader determines simply that the person with the card is the person originally granted the card.
Other security experts said the cancelable method is a smart way to add a layer of protection to a technology that has some security holes despite being hailed as a huge improvement over more commonly used security measures.
"This is probably a nice thing to have, but it doesn't resolve all the issues," said James Wayman, a biometrics expert at San Jose State University.
After all, Wayman said, biometrics are not secret — they're based on physical characteristics that we carry around in plain sight. There's no guarantee someone couldn't lift your real-life fingerprint or take a picture of your face, then figure out a way to present those images to a biometric system.
"But I don't want to pick on biometrics," Wayman said. "My Social Security number is not secret. My mother's maiden name isn't secret. What's worse, passwords aren't secret."