- Email: [email protected]
Smart card matches fingerprint data for PKI
News Testing
BioIS cracks 50% of biometric systems Alarming statistics reveal that one in two biometric systems have been cracked by a German research group looking at the effectiveness of biometric technologies. Moreover, less than 20% of the biometric systems tested operated “excellently” in field trials. Btt has gained exclusive access to the statistics, which come from the BioIS study in Germany (Btt April ’99, p4). Since March, the study has looked at the performance of biometric technology under field conditions and under penetrative attack. It is being run by the Fraunhofer Institute of Computer Graphics. Although the research into penetrative attacks is not yet complete, it will no doubt prove unpleasant reading for many of the project’s suppliers, especially considering the relative simplicity with which their systems were foiled. So far, almost half (45%) of the systems have been duped using methods, such as video playbacks, fake fingerprints and pictures of enrolled persons. The field investigation statistics were only slightly better with just two of the 10-12 systems tested giving excellent results. Five to six systems operated within acceptable parameters, while three to four performed poorly. That said, a researcher at the institute told Btt: “A system performing perfectly in the field investigation may have been easily foiled.” The field investigation, which is now complete, was made up of approximately 40 people representing different age, employment, educational and ethnic groups. Its main objectives were threefold. First, to gather experience with biometric systems and to identify any weak points. Second, to obtain statistical information on false rejection rates and third to observe the behaviour of users over a prolonged period of time. The study has found a number of potential problems with the technology under investigation. For example, with speech analysis problems such as background noise and poor quality microphones hindered identification. And with fingerprint techniques certain groups of people experienced problems. Other areas of the study are looking at biometric systems from a legal, financial and social stand-
2 • Btt December 1999/January 2000
point. There is also a forensic aspect to the study, to investigate the admissibility of biometric evidence in a court of law. The study is being financed by the Bundesamt fur Sicherheit in der Informationstechnik (BSI), the German Information Security Agency, and the Bundeskriminalamt (BKA), Germany’s Federal Police Agency. When the study is complete in March 2000, full results will be made available to the vendors of the systems tested, while more extensive results will be made public at an open conference in February 2000 (see events column). BSI is currently considering extending the study with the aim of formulating technical test methods. BSI hopes these could eventually form the basis of a recognised standard for security of biometric systems. Contact: Axel Munde at BSI, Tel: +49 2 28 95 82 342, Fax: +49 2 28 95 82 427, email: [email protected]
Fingerprint/Smart Cards
Smart card matches fingerprint data for PKI French smart card manufacturer Oberthur Card Systems (Btt September ’99, p5) has announced a smart card-based fingerprint authentication solution that applies biometrics to PKI architectures. Developed with id3 Semiconductors, the cards are designed to create digital signatures once an individual has been successfully authenticated through fingerprint matching. Comparisons between reference and sample biometric templates traditionally occur outside of the smart card chip – exposing the template to possible alteration. But with this product, matching takes place inside the smart card’s chip using a proprietary matching algorithm. Btt has learned that the stored template is normally between 100-300 bytes, while the total software package is around 3 Kbytes. The chip capacity is 16 Kbytes and verification typically takes under two seconds. Ademonstration at Cartes 99 in Paris, France, last month showed how email could only be electronically signed once the individual had been successfully authenticated. An upgraded AuthentIC card is introduced into a modified smart card reader with fingerprint sensor. The specific id3-designed ASIC
Participating vendors for BioIS • AlphaNet Online • Cherry • DCS • Dermalog • Hesy • Infineon Technologies • NCR • ZN
Biometric systems available for BioIS • Face recognition • Scan of the fingerprint • Scan of the hand geometry • Parallel measurement of several biometrics • Scan of the iris • Signature verification
News (Application Specific Integrated Circuit) extracts the appropriate information from the fingerprint image, which is then sent to the smart card. This is compared to the reference template and if it matches the card is temporarily unlocked, allowing the smart card to generate an electronic signature for the email message. According to Oberthur Card Systems’ technology development manager, Benoit Leterrier: “Customising the AuthenIC applet to add a ‘bio verification’ instruction and the related access condition to signature generation has been a relatively simple process for our developers.” Development of the reader, software, matching algorithm and card took around six months and the launch date for the product is expected to be mid-2000. Oberthur Card System’s e-business director Marc Bertin told Btt: “We wanted to prove the feasibility of using the Java-based Authentic card for this sort of biometric application. The biggest challenge was the design of an efficient algorithm and to ensure compatibility with the reader.” Contact: Marc Bertin at Oberthur Card Systems, Tel: +33 1 49 69 25 70, Fax: +33 1 49 69 25 02, email: [email protected]
users wanted to see more iris recognition systems installed in their town. Bank United is a technologically progressive company and is now considering taking the pilot further. As executive vice president of Bank United Ron Coben pointed out: “The survey results make a very compelling case for expanding the pilot.” The survey results follow an announcement by Sensar that four of the world’s largest bank teller software providers will showcase iris ID products to financial institutions around the world. The four software providers are : The Broadway Seymour Group of Science Applications International Corporation (SAIC), Fiserv, GetronicsWang and Unisys. In order to authenticate the identity of a customer, a bank would install an iris identification camera at the bank counter. According to Sensar, 36% of consumers’ retail transactions were made inside bank branches in 1998 and this is only expected to fall slightly to 28% by 2003. Contact: David Shane at Sensar Tel: +1 856 222 9090, Fax: +1 856 222 9020 Ron Coben at Bank United, Tel: +1 713 543 7952, Fax: +1 713 543 6100, email: [email protected]
Hand Geometry Banking
Bank customers say yes to iris ATM technology
Sensar sizes up market According to Sensar, 15 banks in nine countries, including the USA, are authenticating customers at selected ATMs and teller stations. Sensar’s iris recognition products use standard video cameras and real-time image processing to acquire a picture of a person’s iris. The iris image is digitally encoded and compared with one on file.
Iris ATM technology has been given a boost following positive consumer feedback from a survey at three Bank United branches in Texas, USA. The independent survey comes six months after installation of the ATMs (Btt June ’99, p2) and shows that 98% of users thought their first experience was positive. Encouraging from a business case point of view, the survey also found that a number of “EyeTM” users moved their bank accounts to Bank United, purely because of the new technology. The iris ATMs, installed at Bank United branches inside Kroger supermarkets in Houston, Dallas and Fort Worth, were supplied by Diebold and use iris recognition products from Sensar, an Iriscan licensee. Half of the users thought the best feature of the technology was that they did not need to use an ATM card. The survey also discovered that most
Handful of deals won in the Israeli market The Israeli market is awash with a number of new hand geometry systems, following installation by system integrator Opticom Technologies. Five locations have installed HK II hand geometry readers from Recognition Systems (Btt November ’99, p2), including: the Tel Hashomar Hospital in Tel Aviv; Teva, a pharmaceutical company; Tel Aviv University; Internet Gold, an internet service provider; and the Israeli Military. At Tel Hashomar Hospital a reader is being used for access control to its operating theatre storerooms and additional units are to be supplied at the hospital’s nursing school and blood bank. The system uses Opticom’s OptiSec access control software. The first unit installed at Teva was designed to protect access to its central computer room in Petah Tikva. Additional units are now being installed at all its facilities in Israel, also to protect and control access to its computer rooms. Notably, all the units will be connected via Ethernet
Btt December 1999/January 2000 • 3
BioIS cracks 50% of biometric systems Alarming statistics reveal that one in two biometric systems have been cracked by a German research group looking at the effectiveness of biometric technologies. Moreover, less than 20% of the biometric systems tested operated “excellently” in field trials. Btt has gained exclusive access to the statistics, which come from the BioIS study in Germany (Btt April ’99, p4). Since March, the study has looked at the performance of biometric technology under field conditions and under penetrative attack. It is being run by the Fraunhofer Institute of Computer Graphics. Although the research into penetrative attacks is not yet complete, it will no doubt prove unpleasant reading for many of the project’s suppliers, especially considering the relative simplicity with which their systems were foiled. So far, almost half (45%) of the systems have been duped using methods, such as video playbacks, fake fingerprints and pictures of enrolled persons. The field investigation statistics were only slightly better with just two of the 10-12 systems tested giving excellent results. Five to six systems operated within acceptable parameters, while three to four performed poorly. That said, a researcher at the institute told Btt: “A system performing perfectly in the field investigation may have been easily foiled.” The field investigation, which is now complete, was made up of approximately 40 people representing different age, employment, educational and ethnic groups. Its main objectives were threefold. First, to gather experience with biometric systems and to identify any weak points. Second, to obtain statistical information on false rejection rates and third to observe the behaviour of users over a prolonged period of time. The study has found a number of potential problems with the technology under investigation. For example, with speech analysis problems such as background noise and poor quality microphones hindered identification. And with fingerprint techniques certain groups of people experienced problems. Other areas of the study are looking at biometric systems from a legal, financial and social stand-
2 • Btt December 1999/January 2000
point. There is also a forensic aspect to the study, to investigate the admissibility of biometric evidence in a court of law. The study is being financed by the Bundesamt fur Sicherheit in der Informationstechnik (BSI), the German Information Security Agency, and the Bundeskriminalamt (BKA), Germany’s Federal Police Agency. When the study is complete in March 2000, full results will be made available to the vendors of the systems tested, while more extensive results will be made public at an open conference in February 2000 (see events column). BSI is currently considering extending the study with the aim of formulating technical test methods. BSI hopes these could eventually form the basis of a recognised standard for security of biometric systems. Contact: Axel Munde at BSI, Tel: +49 2 28 95 82 342, Fax: +49 2 28 95 82 427, email: [email protected]
Fingerprint/Smart Cards
Smart card matches fingerprint data for PKI French smart card manufacturer Oberthur Card Systems (Btt September ’99, p5) has announced a smart card-based fingerprint authentication solution that applies biometrics to PKI architectures. Developed with id3 Semiconductors, the cards are designed to create digital signatures once an individual has been successfully authenticated through fingerprint matching. Comparisons between reference and sample biometric templates traditionally occur outside of the smart card chip – exposing the template to possible alteration. But with this product, matching takes place inside the smart card’s chip using a proprietary matching algorithm. Btt has learned that the stored template is normally between 100-300 bytes, while the total software package is around 3 Kbytes. The chip capacity is 16 Kbytes and verification typically takes under two seconds. Ademonstration at Cartes 99 in Paris, France, last month showed how email could only be electronically signed once the individual had been successfully authenticated. An upgraded AuthentIC card is introduced into a modified smart card reader with fingerprint sensor. The specific id3-designed ASIC
Participating vendors for BioIS • AlphaNet Online • Cherry • DCS • Dermalog • Hesy • Infineon Technologies • NCR • ZN
Biometric systems available for BioIS • Face recognition • Scan of the fingerprint • Scan of the hand geometry • Parallel measurement of several biometrics • Scan of the iris • Signature verification
News (Application Specific Integrated Circuit) extracts the appropriate information from the fingerprint image, which is then sent to the smart card. This is compared to the reference template and if it matches the card is temporarily unlocked, allowing the smart card to generate an electronic signature for the email message. According to Oberthur Card Systems’ technology development manager, Benoit Leterrier: “Customising the AuthenIC applet to add a ‘bio verification’ instruction and the related access condition to signature generation has been a relatively simple process for our developers.” Development of the reader, software, matching algorithm and card took around six months and the launch date for the product is expected to be mid-2000. Oberthur Card System’s e-business director Marc Bertin told Btt: “We wanted to prove the feasibility of using the Java-based Authentic card for this sort of biometric application. The biggest challenge was the design of an efficient algorithm and to ensure compatibility with the reader.” Contact: Marc Bertin at Oberthur Card Systems, Tel: +33 1 49 69 25 70, Fax: +33 1 49 69 25 02, email: [email protected]
users wanted to see more iris recognition systems installed in their town. Bank United is a technologically progressive company and is now considering taking the pilot further. As executive vice president of Bank United Ron Coben pointed out: “The survey results make a very compelling case for expanding the pilot.” The survey results follow an announcement by Sensar that four of the world’s largest bank teller software providers will showcase iris ID products to financial institutions around the world. The four software providers are : The Broadway Seymour Group of Science Applications International Corporation (SAIC), Fiserv, GetronicsWang and Unisys. In order to authenticate the identity of a customer, a bank would install an iris identification camera at the bank counter. According to Sensar, 36% of consumers’ retail transactions were made inside bank branches in 1998 and this is only expected to fall slightly to 28% by 2003. Contact: David Shane at Sensar Tel: +1 856 222 9090, Fax: +1 856 222 9020 Ron Coben at Bank United, Tel: +1 713 543 7952, Fax: +1 713 543 6100, email: [email protected]
Hand Geometry Banking
Bank customers say yes to iris ATM technology
Sensar sizes up market According to Sensar, 15 banks in nine countries, including the USA, are authenticating customers at selected ATMs and teller stations. Sensar’s iris recognition products use standard video cameras and real-time image processing to acquire a picture of a person’s iris. The iris image is digitally encoded and compared with one on file.
Iris ATM technology has been given a boost following positive consumer feedback from a survey at three Bank United branches in Texas, USA. The independent survey comes six months after installation of the ATMs (Btt June ’99, p2) and shows that 98% of users thought their first experience was positive. Encouraging from a business case point of view, the survey also found that a number of “EyeTM” users moved their bank accounts to Bank United, purely because of the new technology. The iris ATMs, installed at Bank United branches inside Kroger supermarkets in Houston, Dallas and Fort Worth, were supplied by Diebold and use iris recognition products from Sensar, an Iriscan licensee. Half of the users thought the best feature of the technology was that they did not need to use an ATM card. The survey also discovered that most
Handful of deals won in the Israeli market The Israeli market is awash with a number of new hand geometry systems, following installation by system integrator Opticom Technologies. Five locations have installed HK II hand geometry readers from Recognition Systems (Btt November ’99, p2), including: the Tel Hashomar Hospital in Tel Aviv; Teva, a pharmaceutical company; Tel Aviv University; Internet Gold, an internet service provider; and the Israeli Military. At Tel Hashomar Hospital a reader is being used for access control to its operating theatre storerooms and additional units are to be supplied at the hospital’s nursing school and blood bank. The system uses Opticom’s OptiSec access control software. The first unit installed at Teva was designed to protect access to its central computer room in Petah Tikva. Additional units are now being installed at all its facilities in Israel, also to protect and control access to its computer rooms. Notably, all the units will be connected via Ethernet
Btt December 1999/January 2000 • 3