Centralised biometry as an extreme sport

A few weeks ago, American telecoms giant, Verison, had to admit that hackers got access to data on 6 million clients. A month earlier, there was a leakage of data about 14 million people in the same company. UniCredit Bank can be quite happy because „only“ 400 000 customers personal data was compromised. In the meantime, Swedish police were not able to protect information about people who are currently under investigation. However, all of these cases are pretty small in comparison with the fact that unprotected information about 200 million American citizens, including their preferences and interests, got to the Internet during last presidential campaign.

The list of incidents could go on. Analytics of Comparitech server counted that there have been more than 5000 big data leakages from organisations such as Apple, American government, the Turkish government, T-Mobile, Sony and Yahoo since 2014.

It confirms that there is no chance to implement a 100% reliable data protection. No chance! Biometric database vendors claim that their security is perfect, but seldom anybody believes them.

It should be kept in mind because ID schemes based on centralised biometry databases are proposed again and again. It is typical for them that there is no physical document. Your fingerprint, face features or iris is recorded, and you can go home. Next time you will be identified and authenticated by comparing your biometry characteristics to a central database record. Everything is easy, comfortable… up to the moment when you find that somebody gets your biometric data, sold it to several criminal gangs and your copy of your fingerprint is used for transaction authorization.

There is no chance to build an ID solution without a physical document for the foreseeable future. However, the vulnerability of databases has also consequences for e-ID cards. It prevents verification through a comparison against a central database. Placing of biometric data on the card chip creates an acceptable risk (however, it would be better to protect it with PIN) but its transfer through a public network is too riskful, although it may be encrypted. Therefore we need another piece of information to be used. If simplicity is the key priority, document serial number can be used. If security is the key priority, the best option is OVImage by OPTAGLIO. Microholograms are scattered into a defined area of a document. Their position is photographed and saved into the database to enable later identification of the individual document. Each document is unique; even the producer is not able to make the same document again. No sensitive personal data is transferred.

It is likely that technology vendors will appear and state that their biometric databases are secure. It is an easy statement as long as their managers do not guarantee of it with their private properties.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s