Million Dollar Border Security Machines Fooled with Ten Cent Tape

Jan-08-09
So much for biometrics and immigration security: A South Korean woman managed to fool a million-dollar fingerprint reading machine in Japanese border controls using a simple piece of tape stuck to her fingers.

It happened at Tokyo airport. The woman has repeatedly entered Japan using the same trick without anybody noticing. Japanese officials say that they suspect many others have been doing the same thing, demonstrating that the biometric systems they installed in 30 airports in 2007, to the tune of $45 million, are completely useless. The woman was deported in July 2007 for illegally staying in Japan as a bar hostess in Nagano, but she entered again through the system, using the tape and a fake passport allegedly provided by a South Korean broker.

Interestingly enough, the technology did not fail and performed as required. It was the Japanese Government and the biometric integrator that failed to understand what was required and to provide a solution that would make fooling the system impossible or almost impossible. It appears that they failed to define the project requirements clearly and to take into account known methods used to fool certain types of biometrics, with the result that the system did not perform as needed.

The Japanese began screening all foreigners entering Japan in November 2007. Under the program, foreign nationals are fingerprinted and have digital facial images captured at airports and seaports nationwide to see whether the captured data matches that on a ‘Watch List’ of deported or wanted foreign nationals.

What the press failed to print were the following facts: in the year following the introduction of the biometric immigration screening program, 846 foreign nationals were refused entry to Japan. Most of the refusals were due to arriving passengers’ fingerprints matching those of people deported in the past, and in several cases they matched those of known criminals. Those refused entry included 297 South Koreans, 155 Filipinos and 90 Chinese.

The Japanese Government created a Watch List of all foreign nationals who had been deported from Japan. The software was required to verify that the biometric images being presented at the fingerprint scanner did not reside in the Watch List. The image presented to the scanner by the woman using a ‘ten cent tape’ fingerprint did not exist on the Watch List, and the result returned was “Negative”. Therefore, the system as designed met the requirements of the program. The problem was that a requirement to defeat such a simple method of fooling the system was not included in the program requirements.

The issue is whether a biometric system, or any system, can be designed that can totally eliminate fraud. The answer is NO. There is no known system that can claim to be 100% fool-proof 100% of the time. However, there are biometric fingerprint scanners that could have been installed that would have eliminated the ‘ten cent tape’ and reduced the possibility of even the most sophisticated schemes for fooling the system to almost zero.

The failure to provide a working solution may have begun with the initial RFI (Request for Information) and RFP (Request for Proposals), if there were any at all. These proposals should be written by experts, but too often are written by those who have little experience in biometrics and the requirements necessary for providing solutions. Over the years, I have seen many RFPs and tenders in which the biometric requirements could not be met by any known biometric hardware or software product. Those who write these RFPs and tenders often have limited experience and knowledge in the area of biometric security and most likely obtained their knowledge by attending shows and talking with vendors and integrators, all of whom have a single interest: making a sale. Many so-called security consultants are no better qualified to evaluate solutions than the clients themselves.

Security systems and biometric technology require human supervision at the authentication stage to make sure that what is being fed into the system is true and accurate. The old saying "garbage in, garbage out" holds even more so for biometrics.

There are simple steps that could have been used to prevent these and other issues found with the “ten cent tape”.

Biometric hardware is designed for capturing biometric data. The biometric software is required to translate this data into a digital format, compare the received data with the digital data residing in a database, and decide, based on a defined threshold, whether the received data matches or does not match the stored data. The Japanese biometric hardware and software at immigration successfully proved in 846 cases that the biometric data received matched data in the database. The number of cases in which the system was fooled, or received data that should have resulted in a match but failed to do so, is unknown.

First, it must be made clear that there is no known hardware or software solution that is 100% fool-proof. The question remains: could a solution have been provided that eliminated or greatly reduced the possibility of fooling the Japanese immigration security solution? The answer is definitely ‘yes’.

So, how do we provide a biometric Watch List solution that can work in the real world with an unknown number of persons attempting to fool the system? I am sure that there are several excellent solutions available for solving this issue, and I will put forward one that I believe would meet the challenge very well at little or no additional cost.

I would have looked at a biometric solution that eliminates or reduces the possibility of altering the biometric data that is supposed to be fed into the system.

The Japanese immigration security solution is based on negative authentication: the person presently providing his or her biometric data does not appear on the Watch List.

Based on the information known publicly, all foreign nationals entering Japan, with the exception of certain categories that include US military personnel, are required to provide fingerprint scans and be photographed at the port of entry, as well as to present a passport valid for a minimum of six months. Based on this information, I would put forward the following suggestions of how a biometric system could have been designed that would have eliminated most if not all of the attempts made to fool the system.

A committee consisting of security, biometric, IT, and border experts is created to oversee the project. The committee sends out an international RFI in order to obtain the latest technical information on biometric hardware and software. After reviewing all the information received, along with their own extensive knowledge, an RFP is put out with clearly defined requirements. After reviewing all the proposals, the committee selects those that are best suited to meet the project requirements and budget, and then requests a POC (Proof Of Concept) for the proposals accepted for testing. The POC needs to be conducted under real-world conditions, where hundreds of persons from various age groups, ethnic backgrounds, and occupations are enrolled into the system and authenticated multiple times over a period of months. Biometric, security, and IT experts should be invited to attempt to fool the system. If one of the solutions is successfully fooled, the solution provider is allowed a specified number of days to resolve the problem or be eliminated from the POC. Each expert who successfully “fools” the system is to be rewarded with a cash prize each time the solution is successfully fooled. The amount of data collected from the POC by the committee of experts will then allow them to make the correct decision concerning the solution to be installed at Japanese immigration.

There are many excellent fingerprint scanners that come to mind that are difficult to fool, but personally I would recommend using a fingerprint scanner that uses MSI (multispectral imaging), which obtains image data from both the surface and the subsurface. Capturing surface and subsurface image data eliminates the problem of damaged, dry, or oily skin, and receiving fingerprint data not only from the surface but also from the subsurface fingerprint makes fooling the system very difficult, if not impossible. I would also recommend the use of palm vein verification along with fingerprinting when a person is deported. Palm vein verification captures the vascular patterns appearing below the surface of the palm.

Since all persons entering Japan are required to provide a fingerprint, it should be standard procedure that, before a person places their finger on the fingerprint sensor, the passport inspector examines the finger for obvious fingerprint damage, “tape”, or a “gummy finger”. A fingerprint sensor using MSI, such as Lumidigm, eliminates the possibility of fooling the system by using ‘tape’ or a gummy finger, or by altering the fingerprint’s surface with super glue or scarring the print, since MSI takes both surface and subsurface images of the fingerprint and, in addition, is unaffected by poor contact or ambient lighting.

Palm vein verification would be used when an inspector becomes suspicious about unusual fingerprint damage, the failure of the fingerprint scanner to obtain an image, or unusual behavior, any of which would then require additional authentication using palm vein verification. To my knowledge, it would be almost impossible to successfully alter one’s vascular pattern in the palm of the hand without causing serious external and internal damage to the hand, which should ring certain bells with the immigration officer.
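The watch-list check and the capture-integrity gate discussed above, as an added illustration that is not part of the original article or of any deployed system: a toy 1:N negative-identification decision in which a non-match means entry, shown beside a variant that sends an untrusted capture to secondary inspection instead of returning a clean negative. The templates, the cosine matcher, both thresholds and the `liveness` score (a stand-in for a subsurface or presentation-attack check) are assumptions constructed for the example.

```python
# Added illustration: toy model of negative (watch-list) identification.
# Templates, scores and thresholds are constructed; real matchers differ.
from dataclasses import dataclass
from math import sqrt

MATCH_THRESHOLD = 0.90     # assumed similarity needed to declare a watch-list hit
LIVENESS_THRESHOLD = 0.50  # assumed minimum capture-integrity score

@dataclass
class Sample:
    features: tuple   # stand-in for an extracted fingerprint template
    liveness: float   # 0..1 score from a hypothetical subsurface/PAD check

def similarity(a, b):
    """Cosine similarity between two toy templates."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b)))

def best_hit(sample, watch_list):
    """1:N search: return (id, score) of the closest watch-list entry."""
    scored = ((pid, similarity(sample.features, tpl))
              for pid, tpl in watch_list.items())
    return max(scored, key=lambda hit: hit[1])

def decide_as_specified(sample, watch_list):
    """Requirement as the article describes it: refuse only on a match."""
    _, score = best_hit(sample, watch_list)
    return "REFUSE" if score >= MATCH_THRESHOLD else "ADMIT"

def decide_with_integrity_gate(sample, watch_list):
    """Same search, but an untrusted capture never yields a clean negative."""
    if sample.liveness < LIVENESS_THRESHOLD:
        return "SECONDARY_INSPECTION"   # e.g. inspector check, second modality
    return decide_as_specified(sample, watch_list)

# Constructed data: one previously deported person on the list.
WATCH_LIST = {"deportee-001": (0.9, 0.1, 0.4, 0.7)}
bare_finger = Sample((0.88, 0.12, 0.41, 0.69), liveness=0.95)  # same person
altered_surface = Sample((0.2, 0.8, 0.6, 0.1), liveness=0.10)  # same person
new_visitor = Sample((0.3, 0.5, 0.9, 0.2), liveness=0.97)      # not listed

if __name__ == "__main__":
    for name, s in [("bare_finger", bare_finger),
                    ("altered_surface", altered_surface),
                    ("new_visitor", new_visitor)]:
        print(name, decide_as_specified(s, WATCH_LIST),
              decide_with_integrity_gate(s, WATCH_LIST))
```

In the first decision function the absence of a match is treated as evidence of a legitimate traveller, so any capture the matcher cannot link to the list is admitted; the gate changes only what happens when the capture itself cannot be trusted.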

Conclusion: the right biometric solutions are available, but the Japanese government may have called in the wrong people to provide the solution.

by: Yona Flink
Managing Director
OptiSec Ltd.
Tel Aviv, Israel
P.O.B 6622 T.A. 61066

Tel: 972 3 5445920
Fax: 972 3 6054103

http://www.optisec.com