Innovya Press Room: For immediate release

Electronic Human Body Parts For Sale

The Myth of Biometrics’ Enhanced Security

By: Michael (Micha) Shafir and David J. Weiss

Tel-Aviv, Israel. — February 17, 2009 — Innovya Traceless Biometric System

Current Biometric documents are useless. ePassports don't make much sense without
one-only or unequalled biometric passport reader. Let’s face it once and for all, ANY
electronic data storage method by which content can be read (e.g. RFID, smart/storage
cards, etc.), gives it the obvious potential to be hacked, copied and cloned. There’s a
reason why “Random Access”, “Write Only Memory” (“WOM”) devices have never
sound logical. What purpose would there be to store data that cannot be read? Let’s
take this one step further. If stored information is designed to be read, then a device
must exist with the ability to read the stored information for it to be of any value.

Now, let us apply that simple logic to stored information that’s meant to be read in a
widespread application. In this type of application, multiple standardized reading
devices must exist in order to always yield the same result from that stored information.
As an example, standardization gives us the ability to use our credit cards regularly
because each and every point of sale reader is reading the information contained within
the card’s magnetic strip in the exact same way.

We must therefore recognize that these same benefits of standardization create

reciprocal risks of fraud. Once the ability to read stored information exists, the ability to
either reverse engineer the reading process or clone the coded stored information exists
as well. What purpose does, a means of identification serve, if we cannot be near
certain that it has not been compromised? Further, once that ID has been
compromised, how can it be prevented from yielding positive identification where not
intended? To illustrate the point, let us use your everyday ATM cash withdrawal as an
example. After inserting the card into the ATM, one is prompted to enter the PIN
associated with that card. If the correct PIN is entered, even by someone other than the
authorized user, the ATM will approve the transaction because its predetermined means
of authentication is a combination of a card and it’s associated PIN. As we are well
aware, magnetic strip cards and the like can be easily read, thus creating the
opportunity for thieves to create a copy of that card. All that’s left is the PIN. For
professional thieves, that’s less of a challenge than we’d like to believe.

For years, as technology developers would have it, much effort has been focused on
providing more and more secure methods of storing sensitive information, without
addressing the root of the problem. Regardless of how securely information is stored,
because it is designed to be read, illicit methods by which to read the information will be
found. Once that has been accomplished, the ability to create both fake and cloned ID’s
exists. ePassport readers are addressing the standards and recommendations of
predefined requirements like the Machine Readable Travel Documents (MRTD). In
order to make them usable, they must be consistent. If you have a set of identical
targets (e.g. ePassports or National IDs or Driving Licenses or Employee cards etc.),
breaching one of them is a breach of all of them. Identical electronic device is a single
point of failure. It is unfathomable for governments to change their entire population’s
ID’s and documents every time someone, somewhere across the globe hacks and
clones a single chip.

It would seem as if the only real way to prove you are who you claim you are to an
automated system is through the use of biometrics as a means of authentication.
Identity theft is exceedingly common these days. The use of biometrics, however,
creates a whole new area of concern. When non-biometric security authentication
elements are breached, security can be reestablished by selecting new authentication
elements. The same cannot be done in an instance where stored biometric information
is breached. Biometric information cannot be changed. Our fingerprints, face, retina and
all, are what they are. The question we are faced with is how we can truly secure our
biometric information. We can change our name or address, but we cannot change our
body parts. Turning the human body into the ultimate identification card is extremely
dangerous. The possibility of fraud with electronic chips and biometric data should not
be underestimated. Exposing or losing biometric property is a permanent problem for
the life of the individual, since, as we’ve mentioned, there is no practical way of
changing one’s physiological or behavioral characteristics. How do you replace your
finger if a hacker figures out how to duplicate it? If your biometric information is
exposed, in theory, you may never be able to prove who you say you are, who you
actually are or, worse yet, prove you are not who you say you aren’t. The best secrets
are secrets that are never shared. Storing those secrets on a readable electronic card
from which any simple RF dump reader can extract that information, in the same way as
international border readers do, or storing your personal information together with your
biometric characteristics on a readable electronic device is like sticking a label with your
PIN on the back of your ATM card!

Biometric authentication is a powerful tool, able to bridge the gap between human and
machine interaction in everyday instances such as ATM withdrawals, on-line banking
and credit card transactions and all sorts of general user authentication. The use of
biometric authentication enables a high threshold of security by reducing identity fraud
incidences of unauthorized user access. It is also an easy method of authentication
from the user’s point of view because a user’s biometric information is always with
them. The most critical flaw in the use of biometrics as a means of authentication,
however, is that the authentication process cannot work if the subject is a stranger to
the system. We’ve already concluded that storing the biometric information on an
external device carried by the user, such as a smart card, is far too risky in that it risks
losing one’s biometric information forever. Alternatively, databases are breach-prone,
and inefficient, especially when used in large scale applications. Databases also require
real-time access to be of any value, communication with which may not always be
available. Where then can such sensitive information be stored? Furthermore, why risk
storing that unique biometric information in a database, smart card, or other external
devices to make it useful?

Another problem with common biometric systems is that the most effective way to
achieve maximum system matching is to compare biometric images to a template by
using raw data. Biometric Encryption is the process of using a characteristic of the body
as a method to code or scramble/descramble data. Since these characteristics are
unique to each individual, the biometric information readers, cameras and sensors must
all yield identical results. Most biometric authentication systems use a similarity score as
an internal variable, whereby if enough numbers of starting points are given, it is
possible to find the highest point without being trapped by local minima. However,
different readers, cameras and sensors, manufactured by different manufacturers,
generate ever so slightly different biometrics results. Varying starting results, when
encrypted alike, will not yield the exact same decrypted result. Biometric standards can
be obtained only if the common information is unconcealed. That, in and of itself,
creates system wide vulnerability, and thereby renders the system unsecure. At
present, each biometric scanner's vendor generates their own encryption method. Raw
biometric data is critical data. It should not be exposed or stored in public space. As
difficult as it might be to create a secure standard for identical encryption paths, it is
seemingly not possible to create standards for non-identical encryption paths.
Overcoming the encryption matching hurdle is the see-saw that creates the security
blind spots because the template can be tapped during the authentication process.

Traceable biometric authentication systems extract features from scanned biometric

elements and pattern match it with an enrolled template. Theoretically, a system cannot
authenticate strangers to its data store. The other side of that theory is exactly where
the hackers look. The inability to “recognize” strangers is an opportunity to breach the
authentication barrier. If a biometric authentication system has a blind spot, it can then
be take advantage of and used to clone or rob ID. It also means that when the real ID
owner will try to use their legitimate ID, they might find that they have been revoked
from the system without understanding why. An electronic chip that contains identity
elements is only one of the many threats facing traceable biometric authentication
systems. Template leakage is an even bigger problem because once that information is
gotten a hold of, the ability to prevent illegitimate copies and “fake originals” of
legitimate ID’s is gone unless the template is changed. Any change to the template
requires changing ALL associated ID’s, just as is the case when a “master key” is lost.
The only solution is to change the key and distribute new keys to all who use it. Can one
possibly imagine if such an instance were to occur with Driver’s Licenses? Now try to
imagine if it were to happen with Passports. Unfathomable! At least with keys, the ability
to change the template or lock is not ideal, but possible. That is not the case with
biometrics as biometric elements are with the individual for life. …Dear security decision
maker, how can you sleep at night?

People want to be able to draw a circle around their personal information, and do not
want parts of their body electronically stored in databases. Our system of government
tells us that we are entitled to control all that falls inside this circle; we ought to be able
to regulate how, to whom, and for what reasons the information within this circle is
disseminated. Some people object to biometrics for cultural or religious reasons. Others
imagine a world in which cameras identify and track them as they walk down the street,
following their activities and buying patterns without their consent. They wonder whether
companies will sell biometric data of their body parts the way they sell email addresses
and phone numbers. People may also wonder whether a huge database will exist
somewhere that contains vital information about everyone in the world, and whether that
information would be safe there. Cloneable, traceable or collectable biometric systems
could be designed to have the capability to store and catalog information about
everyone in the world. The violation of privacy created by the collection of biometric
data creates a prophylactic paradox; the bigger the privacy violation, the farther away it
moves away from its intended goal.

How then can the power of biometric authentication be made useful without bumping up
against these numerous serious challenges?

Innovya's Traceless Biometrics approach, using non-unique remedies and a Real Time
Reactive Authentication process solves all such cloneable, deflectable and privacy
challenges. The Traceless Biometric workflow uses the time tested photo ID concept,
wherein you match a picture to a person, no different than in any typical biometric
authentication process. In a very simplistic way, just as in a mirror reflection, anyone
can “authenticate” a stranger’s reflection without the need to compare the reflection
against any other source of stored information. It does so, however, in a manner that is,
as its name suggests, traceless, without storing any biometric data anywhere. Innovya’s
Traceless Biometric Authentication process consists of a comparison of only a portion of
predetermined biometric elements against the users’ associated access device, wherein
the “instructions” for which such portions and their mathematical modifiers are stored on
the access device, somewhat similar, in an oversimplified sense, to the PIN on an ATM
card. Unlike the ATM card, however, the system will not authenticate unless that
specific user is the one seeking authentication because positive identification is derived
from biometric elements on the user’s person, and therefore becomes useless without
the user. Should the access device be hacked exposing the numerical string derived in
the Traceless Biometric Authentication process, an alternative Traceless Biometric
Authentication element can easily be programmed and reissued to the user.

Therein lays the essence of Innovya’s novel approach. Innovya has overcome the major
challenge of creating a secure and efficient authentication solution that is stronger and
less disturbing than electronically cloning human intrinsic characteristics on databases
or electronic chips by eliminating them from the equation altogether. Additionally,
because only a portion of the total biometric data is used in the process, should that
data be compromised, the ability to recreate the biometric element from which it was
derived is simply impossible.
Today, most systems are designed to work specifically in place where they are located,
like office buildings or hospitals. The information in one system isn't necessarily
compatible with the other’s, although several organizations are trying to standardize
biometric data. Once identical information is stored outside of governmental boundaries,
the potential of using it commercially is huge, especially by hostile governments that
might be willing to pay a lot for these otherwise indiscoverable information elements.
Above all the advantages and disadvantages this technology, we will unintentionally be
creating ripples in the field of security and privacy.

Adopting traceless guidelines by using real-time reactive authentication process

methods for current biometric authentication systems will result in an efficient and
unobtrusive authentication solution, wile treating personal privacy as the critical issue
that it is. Biometric scanning, not storage, as is necessary for the limited purpose of
authenticating a user should suffice. Authentication systems should dismiss all biometric
information or traces thereof from the scanning devices immediately after the
authentication process, and mustn't use any external storage systems. Innovya has
developed the solution to all of these challenges.

Conclusion
Although there are severe restrictions on collecting, creating, lodging, maintaining,
using, or disseminating records of identifiable personal data, there are no legal
restrictions on the processing of biometric authentication systems. Biometric
authentication processes must be recognized for the risk that they pose, and must
therefore be done so only in ways that are Traceless and Anonymous.