Skip to content

Can Biometrics be Fooled?

August 1, 2012

Telesign Team
An illustrated image of different biometric fingerprints.

In the movies, iris scanning protects high-security vaults and super-secret labs while personalizing billboard ads. In the real world, it helps New York City police track prisoners, screens employees of Bank of America Corp. and travelers at London’s Heathrow Airport. Outside of transplanting dead eye balls, as Tom Cruise did in Minority Report, surely you can’t fool iris scans.

Well, apparently you can. At this year’s Black Hat conference in Las Vegas, Javier Galbally, a researcher and professor at the Universidad Autonoma de Madrid, revealed ways a cyber criminal could thwart iris scans by duplicating an image of the eye membrane.

What Are Iris and Retina Scanners, and How Do They Work?

Iris scanners and retina scanners are two different types of biometric scanning technology. Iris scanning tech uses a camera to scan the patterns of the iris, which are unique to each individual. Retina scanning technology uses a camera to scan the patterns of the blood vessels in the back of the eye, which are also unique to each individual.

Both iris and retina scanning technologies use algorithms to convert the scanned patterns into digital data. This data can then be used to verify the identity of the individual.

Are biometrics like iris scanners safe?

Though not meant to be the only form of digital defense to protect accounts, biometrics like iris scanners do provide a solid level of protection. However, fraudulent attacks and hacks do disrupt this form of security from time to time.

Here’s how one of the most common iris and retina scanner hack works:

  1. A person’s eye is scanned by an iris scan, part of the retina scan security system
  2. A software-based recognition tool produces an iris code, which is then filed in a database and used for future matching
  3. The hacker accesses the database
  4. The hacker uses a genetic algorithm to alter the synthetic code over several iterations to create a near identical template
  5. Print the image onto a contact lens
  6. Wear the contact lens to defraud a bank, gain building access or do other bad stuff

According to Galbally, “The commercial [iris] system only looks for the iris code and not an actual eye.”  That said, a retina scanner lock or an iris scan are among the most reliable (albeit one of the most expensive) forms of identification out there. And it should be noted, that there have not been any reported breaches as a result of cybercriminals bypassing these systems through synthetic iris images. So, what does this mean to the companies and law enforcement agencies that have deployed iris scans to permit access to sensitive information? It means they have to be diligent. You can’t deploy Fort Knox security measures at the front door, but leave the back door wide open.

Today’s security controls are often cobbled together with disparate systems that leave gaps open to attack. So given the expense of biometrics and need for specialized equipment, perhaps it’s better to distribute your budget using a multilayered fraud prevention approach. Today, attacks can come from many directions, and cyber criminals utilize an increasing variety of tools and tactics.

This is why having a multilayered system eliminates single points of failure and ensures that, in the rare event criminals succeed in breaching one layer, the doors beyond are locked. It’s probably impossible to design the perfect system for identity verification, even using biometrics, so it’s imperative for companies to implement countermeasures as part of a layered approach.