Friday, November 27, 2009

Capital Commerce: Can identity thieves steal fingerprints?

By Richard J. Newman
Posted 9/16/05

Even a retina scan may not protect against identity theft these days. Security experts at government agencies as well as banks and credit card companies are worried that biometric data such as retina patterns, fingerprints, and even earlobe mapping can be stolen from electronic files and used to commit fraud. The idea behind biometrics is that such personal characteristics, once the stuff of spy movies, can be used as identity "keys" that provide access to financial accounts or sensitive facilities.

Among other things, biometric markers are more secure than passwords or PINs, since they're unique to every individual and don't have to be memorized or written down.

But to log in to a computer account or gain access to a building by offering your eye or thumb to be scanned, that biometric information needs to be stored in electronic files that computers can match against. And the recent theft of thousands of Social Security numbers and other bits of personal information from company dossiers–and even the U.S. Air Force–has raised fears that biometric data might be just as vulnerable.

"Can somebody steal your fingerprint?" posits Nalini Ratha, a researcher at IBM who is studying the problem. With phishers and other scam artists growing remarkably sophisticated, the answer almost certainly is yes.

The prospect is doubly disconcerting, since biometrics is considered the gold standard of security–a fraudster who gets past a biometric firewall, theoretically, could pilfer with impunity. Organizations with supersecret information to protect, such as government intelligence agencies, guard their data with complex cryptography and other expensive technology. But private and public companies need more affordable, universal protection.

One emerging option is "cancelable biometrics," being developed by IBM for clients in the financial sector. Banks or other organizations with biometric data on their customers would deliberately distort each characteristic, using an electronic algorithm that only the bank has access to. In a demonstration IBM has prepared for potential buyers, an individual's fingerprint is stretched so that it still looks like a fingerprint but will not show up as a match against the original.

The computers at the organization doing the security check would be able to identify the distorted biometric, but nobody else would, rendering stolen data useless. In another IBM demo, the face of Ratha, the researcher, is electronically squished so that it is still recognizable but so far out of proportion that computers would never match the actual face with the squished one without the distortion code. (See http://researchweb.watson.ibm.com/ecvg/biom/cancel.html.) IBM says none of its clients has yet purchased the technology but that several big banks are interested. There are possible government applications too, at agencies that deal regularly with sensitive consumer information, such as the IRS, the Social Security Administration, and state motor vehicle departments.
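The enroll, verify, steal and reissue cycle described above, as an added example that is not IBM's algorithm or code from the article. It assumes a fingerprint template is a list of (x, y) minutiae points and uses a simple keyed stretch-and-shift as the distortion; all names, keys and sample points are constructed.

```python
import math

# Constructed sample data: minutiae (x, y) of an enrolled finger, and a later
# scan of the same finger with about one pixel of sensor jitter.
ENROLLED = [(30, 40), (80, 120), (150, 60), (200, 200), (120, 180), (60, 220)]
FRESH = [(31, 41), (79, 121), (151, 59), (201, 199), (120, 181), (59, 220)]

# Hypothetical distortion codes (x stretch, y stretch, x shift, y shift),
# known only to the organization doing the check.
KEY_A = (1.6, 0.6, 40.0, 25.0)
KEY_B = (0.7, 1.5, 10.0, 60.0)  # issued after KEY_A's templates are stolen


def distort(points, key):
    """Apply the keyed stretch-and-shift to every minutia."""
    sx, sy, dx, dy = key
    return [(sx * x + dx, sy * y + dy) for x, y in points]


def match_score(probe, template, tol=4.0):
    """Fraction of probe points that land within tol of a template point."""
    hits = sum(1 for p in probe if any(math.dist(p, t) <= tol for t in template))
    return hits / len(probe)


def verify(scan, stored, key, threshold=0.8):
    """Distort a live scan with the secret key, then compare to the stored copy."""
    return match_score(distort(scan, key), stored) >= threshold


def lifecycle():
    stored_a = distort(ENROLLED, KEY_A)  # only this goes in the database
    stolen = list(stored_a)              # attacker copies the database row
    stored_b = distort(ENROLLED, KEY_B)  # cancel KEY_A, re-enroll under KEY_B
    return {
        "genuine_before_theft": verify(FRESH, stored_a, KEY_A),
        "stolen_vs_real_finger": match_score(stolen, ENROLLED),
        "stolen_vs_reissued": match_score(stolen, stored_b),
        "genuine_after_reissue": verify(FRESH, stored_b, KEY_B),
    }


if __name__ == "__main__":
    for name, value in lifecycle().items():
        print(f"{name}: {value}")
```

The stored record never contains the undistorted print, so the stolen copy matches neither the real finger nor the template reissued under the second code.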

Capital Commerce tells usnews.com readers how decisions made in Washington affect business.