Can Biometrics be Fooled?

Industry insights
August 1, 2012

In the movies, iris scanning protects high-security vaults and super-secret labs while personalizing billboard ads. In the real world, it helps New York City police track prisoners, screens employees of Bank of America Corp. and travelers at London's Heathrow Airport. Outside of transplanting dead eyeballs, as Tom Cruise did in Minority Report, surely you can't fool iris scans.

Well, apparently you can. At this year's Black Hat conference in Las Vegas, Javier Galbally, a researcher and professor at the Universidad Autonoma de Madrid, revealed ways a cyber criminal could thwart iris scans by duplicating an image of the eye membrane.

Here's how the hack works:

  1. A person's eye is scanned by an iris scanner.
  2. A software-based recognition tool produces an iris code, which is then filed in a database and used for future matching.
  3. The hacker accesses the database.
  4. The hacker uses a genetic algorithm to alter the synthetic code over several iterations to create a near-identical template.
  5. The hacker prints the image onto a contact lens.
  6. The hacker wears the contact lens to defraud a bank, gain building access or do other bad stuff.

According to Galbally, "The commercial [iris] system only looks for the iris code and not an actual eye." That said, iris scans are still among the most reliable (albeit one of the most expensive) forms of identification out there. It should also be noted that there have not been any reported breaches as a result of cybercriminals bypassing these systems through synthetic iris images.

So, what does this mean to the companies and law enforcement agencies that have deployed iris scans to permit access to sensitive information? It means they have to be diligent. You can't deploy Fort Knox security measures at the front door but leave the back door wide open. Today's security controls are often cobbled together from disparate systems that leave gaps open to attack.

So, given the expense of biometrics and the need for specialized equipment, perhaps it's better to distribute your budget using a multilayered fraud prevention approach. Today, attacks can come from many directions, and cyber criminals utilize an increasing variety of tools and tactics. This is why a multilayered system eliminates single points of failure and ensures that, in the rare event criminals succeed in breaching one layer, the doors beyond are locked. It's probably impossible to design the perfect system for identity verification, even using biometrics, so it's imperative for companies to implement countermeasures as part of a layered approach.
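The matching behaviour Galbally describes, modelled as an added example (not code from the article or from any vendor's system): a toy iris-code matcher that accepts anything within a Hamming-distance threshold, so a code derived from the stolen template passes exactly like a genuine rescan, plus an assumed second layer that flags matches too perfect to have come from a live eye. The code length, thresholds and noise rates are constructed values.

```python
import random

CODE_BITS = 2048          # toy iris-code length (constructed value)
MATCH_THRESHOLD = 0.32    # fraction of differing bits below which the matcher accepts (assumed)
REPLAY_FLOOR = 0.02       # distances this low are unlike any genuine rescan (assumed heuristic)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length iris codes."""
    if len(a) != len(b):
        raise ValueError("iris codes must have equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def rescan(code: bytes, flip_rate: float, rng: random.Random) -> bytes:
    """Simulate a fresh capture of the same eye: each bit flips with probability flip_rate."""
    out = bytearray(code)
    for i in range(8 * len(out)):
        if rng.random() < flip_rate:
            out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def code_only_match(stored: bytes, presented: bytes) -> bool:
    """Layer 1, as the article describes it: the matcher sees only the code, never an eye."""
    return hamming_fraction(stored, presented) < MATCH_THRESHOLD


def layered_match(stored: bytes, presented: bytes) -> str:
    """Layer 2 (assumed defence): same match, plus a flag when the result is suspiciously perfect."""
    d = hamming_fraction(stored, presented)
    if d >= MATCH_THRESHOLD:
        return "reject"
    if d < REPLAY_FLOOR:
        return "review"   # a live eye never reproduces its stored code almost bit for bit
    return "accept"


def demo() -> dict:
    """Run three presentations against one enrolled template (all constructed data)."""
    rng = random.Random(1)
    enrolled = bytes(rng.getrandbits(8) for _ in range(CODE_BITS // 8))   # stored template
    genuine = rescan(enrolled, 0.15, rng)        # same eye, normal sensor noise
    impostor = bytes(rng.getrandbits(8) for _ in range(CODE_BITS // 8))   # unrelated eye
    synthetic = rescan(enrolled, 0.005, rng)     # code reconstructed from the stolen template
    return {name: (code_only_match(enrolled, c), layered_match(enrolled, c))
            for name, c in [("genuine", genuine), ("impostor", impostor), ("synthetic", synthetic)]}
```

The code-only matcher accepts the synthetic presentation as readily as the genuine one; only the extra layer tells them apart, which is the point of not relying on a single check.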