From time to time Stickley publishes articles on a broad range of security-related issues. Included here are some of those articles.

Biometrics, not just for the movies

In 1991 I was held up at gunpoint in the parking lot of a fast food restaurant. At only 21 years of age you would think this would be a pretty unique event. For me, it was the second time in just a few years. In the first case I was selling tickets at a movie theater when a customer approached and instead of pulling out his wallet he pulled out the biggest handgun I had ever seen. Being robbed in this manner twice in such a short period of time has to have an effect. For someone who already saw life as suspect this was just a catalyst to a level of paranoia that is most often found in asylums. Don’t get me wrong, I didn’t stop going out in public and I never thought I was being followed by the devil but I have become very suspicious. I trust no one. I doubt everything. I question every answer. I am truly one step from being committed. I am not sure if getting into the security field has elevated this paranoia or if because I was so paranoid I excelled in the security field. In either case when I was told to write an article on Biometrics I originally thought I would write an article on the inevitable failures of biometrics. I mean look around, biometrics have been available for years yet the mainstream market has avoided this technology like a bum on a street corner. Sure the technology looks cool and it’s in all the really futuristic movies but when was the last time you scanned your retina to purchase a Twix at the local quickie mart?

With my suspicious nature, I was convinced that one main reason biometrics could not succeed is that you are moving into databases that are no longer just numbers assigned to names but instead actual physical characteristics from you that are stored with your name. To the person on the edge this smacks of Big Brother. Who is to stop the government from getting a copy of the database and then comparing the fingerprint they just found at the scene of a crime to the database of fingerprints on file used to purchase a sofa bed at Sears? Sure you have civil rights and a few years ago you would say the government couldn’t do that without a warrant but now that the Foreign Intelligence Surveillance Act (FISA) has new teeth due to 9/11 and can be used to obtain just about anything without a standard warrant it’s not so cut and dry.

So why is it that instead of continuing with that rant and trashing the whole concept of biometrics I am instead writing on the reasons why Biometrics must succeed? It’s simple, because I know how easy it is to become a victim of identity theft. Every day I spend my hours breaking into organizations around the world. The goal for the majority of these jobs: obtain confidential information that could be used for identity theft. The problem is that I succeed more than I fail. Up till recently I felt this was a way of life. People have numbers that are assigned to them, social security, ATM, credit card, loans, etc. are all based on a number. If you can get the numbers you can get the keys to the kingdom. Each company compromised is given the same song and dance. Need stronger network security, need stronger physical security, need stronger policies, need stronger employee training. One or more of those four basic concepts has failed and therefore I can ruin the lives of thousands of people.

In addition to all this I too have been a victim of identity theft. Twice. The first time from that robbery in which they took my wallet. I spent the next year cleaning up my record and clearing my name. Only to find several years later my social security number was used to open a phone account in another state where I had never lived. Of course this account was never paid and racked up very large long distance bills. By the time I became aware of the situation it was already in collections and it took almost two years of very angry phone calls and nasty letters to finally get it removed from my credit report.

And so here I sit with the realization that biometric technology might just be a solution that even the truly paranoid have to consider necessary. For the first time I truly believe there is a way to combat identity theft. No, it’s not a silver bullet and ultimately hackers may find ways to exploit the system I’m sure but biometrics are a real step in the reduction of fraud. Start with something small like the purchase of gas. Ever had your credit card stolen and on your next bill found several charges for gas at numerous gas stations? It’s a very quick and easy way to make a few bucks off a stolen card. Go to the gas station, tell people you don’t have any cash and forgot your ATM card and will pay for their gas if they pay you cash. In return for their kind service you will give them an extra couple bucks of gas free. In less than 20 minutes you have made several hundred dollars. Now, take that same scenario and add in biometrics. With or without the need for the credit card you are still prompted to place your thumb on the machine. Without it, the card is useless. This goes for ATM as well. Now immediately people say that’s what PIN codes are for. Unfortunately it’s been proven time and again that PIN codes can be guessed or stolen. However you are not going to be guessing a thumbprint.

Taking this to the next step. Fraudulent check cashing rings have become very sophisticated. Printing high quality checks and producing quality identification. Targeting several banks in a single community the members of the ring cash small denomination checks of a few hundred dollars at a time. Each check small enough to keep below the radar yet when added up amounting to thousands of dollars. Often times the same locations can be hit multiple times over several weeks or months. How would Biometrics combat something like this? It turns out one company is specifically targeting this type of crime. US Biometrics (www.usbiometrics.com) has a product called CheckQ. The key to this product is the database. Rather than just having a database at each bank, this particular product maintains a master database. With this simple yet effective design, a criminal who attempts to cash a check at one location would be entered into the system with their information including a thumb scan. The first time there are no red flags. Now the criminal goes down the street to another bank with the CheckQ service, he gives his same identification and thumb print. This employee however will be prompted with information showing that this person just cashed another check 10 minutes earlier at a different bank. With this new information the employee can decide how to proceed. On the other hand if the criminal supplies different identification and their thumb print, the employee will instead be prompted with a notice showing there is a conflict in information.
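The two teller prompts described above can be sketched as a lookup against one shared registry. This is an added example, not CheckQ's code or anything from US Biometrics. It assumes a fingerprint matcher has already resolved each thumb scan to a stable enrolment key (`template_id`); the class name, the 24-hour window and all sample values are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a biometric matcher has already resolved each thumb scan to a
# stable enrolment key (template_id). Real matching is fuzzy, not an exact lookup.
VELOCITY_WINDOW = timedelta(hours=24)  # assumed policy value, not from the article


class SharedCheckRegistry:
    """Hypothetical master database shared by all participating banks."""

    def __init__(self):
        self._events = defaultdict(list)  # template_id -> [(time, bank, id_number)]

    def present(self, template_id, id_number, bank, when):
        """Record a check-cashing attempt and return alerts for the teller."""
        alerts = []
        for seen_at, seen_bank, seen_id in self._events[template_id]:
            if seen_id != id_number:
                # Same thumb, different identification: conflict in information.
                alerts.append(f"ID_CONFLICT: thumb previously used with ID {seen_id} at {seen_bank}")
            elif seen_bank != bank and when - seen_at <= VELOCITY_WINDOW:
                # Same thumb and ID at another bank shortly before.
                minutes = int((when - seen_at).total_seconds() // 60)
                alerts.append(f"VELOCITY: cashed a check {minutes} min ago at {seen_bank}")
        self._events[template_id].append((when, bank, id_number))
        return alerts


def demo():
    # Constructed sample events; banks, IDs and template keys are made up.
    reg = SharedCheckRegistry()
    t0 = datetime(2005, 3, 1, 10, 0)
    return [
        reg.present("tmpl-A", "DL-1001", "First Bank", t0),
        reg.present("tmpl-A", "DL-1001", "Second Bank", t0 + timedelta(minutes=10)),
        reg.present("tmpl-A", "DL-2002", "Third Bank", t0 + timedelta(minutes=40)),
    ]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or ["no flags"])
```

A per-bank database would return no flags for all three visits, since each bank sees the person only once; the alerts exist only because the lookup is shared.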

Obviously in the short term this means bad news for some banks. Kelly Shoemaker of US Biometrics said it best: “If a criminal sees our service being used at a bank, they tend to go to another bank further away. It’s like adding a drop of oil to water, it spreads further out.” And therein lies the problem. As this technology becomes more prevalent it will become a matter of the haves and have-nots. If your bank doesn’t have it and the bank across the street does, then the criminal is more apt to visit your bank without the service. “Financial institutions spend hundreds of thousands of dollars on trend analysis software to detect fraud that has already taken place. Where I see Biometrics’ strength is in the proactive solution to attempt to stop fraud before it starts,” said Kelly Shoemaker. It is clear this technology will not be a have and have-not for long. Much like ATM cards, biometrics will become standard technology in financial institutions if for no other reason than peer pressure. That’s right, much like the school yard antics of cursing, drinking and smoking, financial institutions will have to follow the trends of the first few who take the plunge.

Biometrics are finally at a price point that average companies can afford and the software has caught up allowing for thousands of practical applications. Thumb print readers are now offered in the side of your mouse or keyboard and laptops can be ordered with readers as well. The time for social security numbers as identification is over. The time for weak 4-digit PINs at your ATM and impossible to remember alphanumeric passwords at your computer has passed.

And what about Big Brother looking through that master database of fingerprints just aching to violate your rights? Well it turns out that most biometric companies are not storing pictures of fingerprints at all but instead a digital signature that represents your fingerprint. This signature cannot be converted back into a picture, ultimately having no real use to the government. Of course my paranoid side still has some concerns about this database but when all is said and done it comes down to this. I don’t plan on robbing a bank. I don’t plan on committing a criminal act. I have nothing to hide. On the other hand I have had my identification stolen. I have had my credit cards stolen. I have had accounts opened in my name that were not mine. (God I have bad luck.) If this technology could have stopped even one of these crimes, my life would have been a lot easier. So yes, my paranoia is the reason I welcome the coming age of Biometrics and look forward to the day I can start my car by looking at the retina reader in the rear view mirror.

If you enjoyed this article, be sure to check out Stickley's book "The Truth About Identity Theft"