MythBusted - The Pervasive Myth of a Perfect Security System
November 25, 2006
By James Childers
With the recent events in the press and the publicity
surrounding the "Mythbusters test" regarding the Defeat of
Biometric Security Systems (Again), I felt it was important to
discuss the events surrounding these successful
attempts to defeat specific biometric products.
For those of you that don't know,
Mythbusters is a television program on the Discovery Channel
that features a couple of intrepid Hollywood special effects
gurus that "take on" current myths of the day and try to prove
or disprove the basis of the myth. I must say that as an
avid fan of the MythBusters television show, I was intrigued by
the very thought of Biometric Technology being tested by these
two.
Over the years there have been several media reports,
studies and other documentaries about "The Defeat of Biometrics"
and I have some very well known opinions about this premise.
You can read an article that I wrote in June of 2002 that
discussed the topic of
"Biometrics in the Real World" where I clearly state my
opinions on the subject and offer some advice on implementing a
Biometric Security System.
These same theories that I espoused over 4 years ago still hold true
today and I am happy to say that YES I am glad that
Adam Savage and Jamie Hyneman have brought some sense of
reality to this industry that has for too long said "my product
can't be broken or my biometric system can't be defeated".
It's time for sanity to prevail in this argument about security
systems and how easy it is or is not to break a biometric system.
There is even an entry in the modern cultural lexicon, Wikipedia, discussing this topic.
Wikipedia.org is a collectively updated and verified web
encyclopedia.
"Recently the television program Mythbusters attempted to
break into a commercial security door equipped with
biometric authentication as well as a personal laptop so
equipped. The results were shocking as they were able to
easily defeat the technology with not one, but all of the
different techniques they used. The most eye-opening was
their quick success with a simple photocopy of a
fingerprint. That the technology was so easily undermined
strongly suggests that biometrics, in its present form,
cannot yet be considered a strong form of authentication.
(Wikipedia.org)"
OK, now with that out of the way, let's discuss WHY this
happened and WHY there is no such thing as a perfect security
system.
Rule Number One - There is no impervious security
system on the planet. There never will be.
Rule Number Two - When a vendor tells you that their
system is completely unbreakable - they lie. Nothing
is unbreakable.
See Rule Number ONE.
Security System Types (Factors) -
Biometric - Biometry Based (Who you are)
Password or Pin - Knowledge Based (What you know)
Keys or Tokens - Possession Based (What you have)
Biometric Systems -
Single Factor Authentication (SFA) - asks the
question and grants access based upon "who is this person?".
A SINGLE form of authentication is used to grant access
based upon IDENTIFICATION.
Multi-Factor Authentication (MFA) - asks the
question and grants access based upon "is this person who
they claim to be?" It does so by taking a statement of user
identity (Card, PIN, Password or other token) and then
authenticating access based upon VERIFICATION of this
identity.
Single Factor Authentication (SFA) is considered weak
security no matter what the factor. Several
unscrupulous biometrics vendors (mostly off-shore in origin) are
vigorously promoting their single factor systems as unbreakable,
live sensing, blah, blah, blah...
There is no system
on the planet that cannot be beaten. Passwords can be
guessed, tokens can be stolen, and yes Virginia, while there is
a Santa Claus, there is no free ride in the security world.
Biometrics can
be spoofed. Any time you trust something important to a
single factor authentication system, the risks should reflect
the security level, and you should never use this as your only line of
security.
- Are SFA biometric systems more secure than a password? -
Most often, yes.
- Are SFA biometric systems more secure than a key based
system that can be readily copied, shared or lost? - Again a resounding YES.
- Are MFA (VERIFICATION) systems more reliable than SFA
(IDENTIFICATION) systems? - ALWAYS.
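The difference between IDENTIFICATION and VERIFICATION described above, shown as an added example (it is not iQBio or iGuard code). The feature vectors, match threshold, user names and PINs are all constructed for illustration; a copied biometric sample is enough to pass the 1:N identification check, but not the verification check, which also needs the PIN for the claimed identity.

```python
import hashlib
import hmac
import math

THRESHOLD = 0.25  # assumed maximum distance that still counts as a match


def pin_digest(user_id, pin):
    # Toy salt (the user id) keeps the example short; use a random salt in practice.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), user_id.encode(), 10_000)


# Constructed enrollment database: user id -> (biometric template, PIN digest).
ENROLLED = {
    "alice": ((0.10, 0.80, 0.30), pin_digest("alice", "4821")),
    "bob": ((0.70, 0.20, 0.90), pin_digest("bob", "1357")),
}


def identify(sample):
    """SFA / IDENTIFICATION: 1:N search answering 'who is this person?'."""
    best = min(ENROLLED, key=lambda u: math.dist(sample, ENROLLED[u][0]))
    if math.dist(sample, ENROLLED[best][0]) <= THRESHOLD:
        return best  # access is granted on the biometric alone
    return None


def verify(claimed_id, pin, sample):
    """MFA / VERIFICATION: claimed identity, then PIN and 1:1 biometric match."""
    record = ENROLLED.get(claimed_id)
    if record is None:
        return False
    template, stored = record
    pin_ok = hmac.compare_digest(pin_digest(claimed_id, pin), stored)
    bio_ok = math.dist(sample, template) <= THRESHOLD
    return pin_ok and bio_ok  # both factors must pass


# Constructed sample: a close copy of alice's template presented by someone else.
COPIED_ALICE = (0.12, 0.78, 0.31)

if __name__ == "__main__":
    print("identify(copy):", identify(COPIED_ALICE))
    print("verify without PIN knowledge:", verify("alice", "0000", COPIED_ALICE))
    print("verify with PIN:", verify("alice", "4821", COPIED_ALICE))
```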
Biometrics have firmly taken a solid place in security
practices; however, they should NEVER
be your ONLY security method if you are protecting highly
valuable or sensitive information or facilities. Alarm
systems, monitoring and recording systems, biometric systems and
good security practices should all go hand-in-hand based upon
the level of security required. Remember that your mileage may
vary, and treat EVERY system as if it were capable of being
compromised.
Our premiere access control solution for small business, the
Lucky Technology iGuard is a VERIFICATION system.
Thank you for your time and consideration.
James Childers
CEO iQBio, Inc.
Intelligent Biometric Solutions
If you have any other questions you would like answered here
or in our Blogs, please email me at
james@iqbio.net with the
subject line - "I want to know"...