The future of biometric security is in twins’ hands, or faces

null

Owners of the expensive upcoming iPhone X from Apple will soon be able to impress their friends by unlocking the device just by looking at it. But is this new technology the future of digital security, or just a cheap party trick?    

In two decades, biometric recognition transformed from futuristic tech to an everyday utility. Biometric passports allow us to jump queues at airports. Personal devices, such as mobile phones, now come with state-of-the-art fingerprint scanners to unlock your personal information. Law enforcement agencies all over the world use facial recognition to look for suspects and identify threats. This tech is so easily available today that some drive-in restaurants, such as Wow Bao in the US, have started using facial recognition to match payments and authorise take-out delivery.   

Both facial and voice recognition are billed as a unique identifier into many modern services. But they are not foolproof, and the danger of overusing this flawed technology makes me fear potential disasters.    

Earlier this year, HSBC launched Voice ID, using biometric features to authorise access to people’s accounts. Creating a unique voice print consisting of “100 behavioural and physical vocal traits”, the bank claims that their system can recognise you even when you have a cold. As a professional software developer I am very skeptical of bold claims like this. It might be fine as a novelty feature, but I want to know that my money is protected by something stronger and more secure. 

There are several key problems with this. The first is that biometric data is not unique - rather, it identifies people with a very low probability of mix-ups. People sound and look alike, and it did not take too long for someone to discover how to cheat the ‘unique’ system. Dan Simmons, a journalist working for BBC Click, managed to fool HSBC’s Voice ID in May with his twin brother Joe. All the advertised means of identifying customers’ unique attributes were no match for a simple test case — a twin imitating his brother.  

The second big problem with biometrics is that the data is actually an identifier, not an authorisation mechanism. This means that while your fingerprint or voice can be used as a username, it is not a password. Even without finding a way to copy biometry, it is much easier to force someone to give up their biometric data than a piece of secret information. Yes - you may be able to unlock the phone just by looking at it, but so can someone else if they hold the device to your face. Privacy advocates have already begun to raise concerns about border agents and police officers taking people’s phones to unlock them without the owner’s permission, but my concerns are much greater than even that.   

Although biometric readers are becoming more ubiquitous in personal devices to prevent hacking, thieves do not actually need to enlist high-tech methods for theft. For example, in 2005, a Malaysian man named Mr. K Kumaran decided to protect his 75,000 USD Mercedes car with only a fingerprint scan. Thieves found a simple way around this when they decided to steal the vehicle, chopping off his finger and using it to get away in his poorly protected car. 

The third problem comes when we realise that it’s difficult to prevent unwanted collection of face or vocal data. Minority-report style shopping systems are popping up, identifying and tracking people as they enter and leave shops. While this tech is not very advanced yet, in a few years it will be safe to assume that your facial biometric data will be stored as frequently as you now appear on CCTV.    

Wow Bao - an innovative restaurant chain which uses facial prints to match customers when they pay and pick up food - experienced a real data crisis when their tech provider filed for bankruptcy. This led to concerns that someone could get hold of all the sensitive biometric data about millions of Wow Bao’s customers when they purchased any failing company assets. These concerns ultimately led to consumers filing a class-action lawsuit.    

The final problem to bear in mind is that biometric keys is that they are very difficult to replace, should you encounter any problems. For example, if someone makes a copy of your house keys, you can always change the locks. But when someone gets access to your biometric data, how do you begin to go about righting that? The more valuable that the things under biometric protection are, the more likely it is that they’ll become targets for hackers. The recent Equifax scandal is a prime example of this. Information on 150 million people was stolen in an instant and should give pause to anyone who thinks that the collection of biometric data is safe.   

Even when biometrics are used as identifiers - not passwords - the technology used is far from perfect. John Gass from Natick, Massachusetts, got a curious letter from the local Registry of Motor Vehicles in April 2011. His driver’s licence had been revoked as of five days prior without any explanation. He immediately phoned the registry, but staff refused to provide any explanation, and suggested that Gass could reinstate it if he could prove his identity. After ten days of phone calls and a legal hearing, the mystery was finally solved: an automated photo recognition system had wrongly matched him as someone in an anti-terrorism database.   

Finally, biometric matching mistakes can lead to some quite curious problems. Alicia and Alicen Kennedy from Evans, Georgia, were repeatedly denied drivers’ licenses by their local Department of Motor Vehicles in 2015. The DMV clerk wouldn’t let them take the test after handing in the paperwork, and the computer refused to accept Alicia’s photo. After several attempts at her application, the clerk finally gave up and called DMV headquarters. It turned out that a computer was flagging the applications as fraudulent because the system was recognising the twins as one person and could not, therefore, tell them apart. 

The truth of any AI reliant system is that it is only as good as its data, and it would seem that nobody is actively training their robots to recognise the anomaly that is twins. For those of you with an identical sibling, unfortunately this means that you won’t be able to drive cars or cross borders in the future. On the other hand however, you will easily be able to spend your sister’s cash. 

Gojko Adzic, Author of Humans Vs. Computers  

Image Credit: Anton Watman / Shutterstock