Should common security technologies be blended with biometrics for accuracy and reliability?
For centuries, security was synonymous with secrecy. A secret shared between the two parties conducting business was the approach used worldwide. But secret passwords require a great deal of trust between the parties who share the secret. Can we always trust the administrators, or the other users, of the Internet service provider's network that we access?
Many computer break-ins today are carried out by system users, or by attackers using legitimate accounts, so that the security controls see what looks like an authorised user. Determining the identity of a person is therefore becoming critical in our vastly connected information society. As large numbers of biometrics-based identification systems are deployed for civilian and forensic applications, biometrics and its applications have evoked considerable interest.
Accenture predicts that the "Internet economy will top US $1 trillion by the end of 2002." No one can afford to ignore the presence of the Internet economy or its potential for future growth. Analysts suggest that there is no way of making the Internet "100 percent safe"; organisations and governments are therefore forced to implement security policies, software controls and regulations in order to control unauthorised intrusion into corporate networks. Corporate data are at risk when they are exposed to the Internet. Current technologies provide a number of ways to secure data transmission and storage, while other approaches to Internet security focus on protecting the contents of electronic transmissions and verifying individual users. Secure electronic transmissions are a precondition for conducting business on the Internet.
Biometrics -- technology that uses a human being's physical or behavioural traits for identification purposes -- will play an important role in the near future of desktop computing, mobile phones and, in particular, access to institutional computers and sensitive data via the Internet. This paper discusses common Internet security technologies and blended Internet security methods, with references to other areas where biometric technologies have been adopted.
Security is a major concern for Internet users and system administrators. Whether the aim is to protect confidential data in individual files, lock a computer system against unauthorised users, control access to an intranet or an extranet, or conduct business on the Internet, one needs to determine an appropriate level of security and effective means of achieving it. The threat to Internet security is one of the main barriers to electronic transactions over the Internet. Given the current popularity and potential profits of electronic business, many executives face a dilemma: connecting to the Internet and expanding their business brings risks and threats of intrusion, while remaining disconnected from the Internet sacrifices customer contact and services to their competitors.
The Internet uses the simple mail transfer protocol (SMTP) to transmit electronic mail, and a great deal of business correspondence travels this way. Unless the message itself is encrypted, these transmissions have as much privacy as a postcard and travel over insecure, untrusted lines. Anyone anywhere along the transmission path can obtain access to a message and read its contents with a simple text viewer or word processor. Because SMTP does not authenticate the sender, it is easy to forge e-mail or to use another person's name. Identity theft is becoming the leading category of fraud. A person can even claim that someone else sent a message, for example, to cancel an order or avoid paying an invoice.
Organisations in both the public and private sectors are aware of the need for Internet security, and it is instructive to see how each sector acts to protect its Internet data and corporate systems. The best way to keep an intruder out of the network is to place a security wall between the intruder and the corporate network. Since intruders enter a network either through malicious software, such as a virus or worm, or through a direct connection, firewalls, data encryption and user authentication can each restrain an attacker to some extent.
The first objective in improving security is to control physical access by limiting it to authorised individuals. The principle is that the fewer people who can get physical and administrative access to sensitive files or to server systems, the greater the security will be. Most applications rely on passwords, personal identification numbers (PINs) and keys to control access to restricted information or confidential files. Passwords, cards, PINs and keys can be forgotten, stolen, forged, lost or given away. Moreover, these credentials serve primarily to identify a claimed account: they prove that the presenter knows the secret or holds the token, not that the person really is who he or she claims to be.
The information age is quickly revolutionising the way transactions are completed. Everyday actions are increasingly being handled electronically, instead of with pencil and paper or face to face. This growth in electronic transactions has resulted in a greater demand for fast and accurate user identification and authentication. Biometric technology is a way to achieve fast, user-friendly authentication with a high level of accuracy.
Current developments in Internet security
Every industry has its own particular needs and requires certain safeguards to protect its data from damage, both in storage and in transit. The public and private sectors have their own strengths and weaknesses in Internet security, and developing a plan with proportionately more strength than weakness is always the goal. However, the Internet is an untamed frontier that is still young and growing, and it may take some time to develop stronger methods of data security.
Protecting an organisation from the perils of the Internet is similar to the job of a security guard working the night shift: as long as he stays awake and keeps his eyes open, the chances are that nothing will happen. While companies arm themselves with the latest IDS and anti-virus software, there is still a chance that someone from the outside can get in and wreak havoc on the company's systems. Software and hardware configurations keep most intruders at bay, but being able to recognise abnormal activity when it occurs seems to be the best method. This requires a well-trained IT staff who constantly monitor the network for deviations from normal behaviour, using the system software to set up audit logging in all the right places. As technology continues to evolve and software and hardware improvements are implemented, there may come a time when hackers not only will be forced to stay outside the company walls, but also will be exposed to law enforcement in the process.
The future of Internet security, therefore, resides in human intervention and innovation. Implementing hardware and software solutions, as well as using human intervention to continually monitor the network, are two of the best ways to keep abreast of attacks from the outside.
One of the latest technologies in the security market, introduced at the NetWorld + Interop trade show in Atlanta, is called adaptive security. It results from Internet Security Systems' (ISS) formation of the Adaptive Network Security Alliance (ANSA) around an application programming interface for its RealSecure intrusion detection system. The technology requires the enlistment of major infrastructure vendors, such as 3Com, Lucent, Compaq, Entrust and Check Point, to enable their products to talk to ISS's intrusion detection monitors. Through communication between ISS's monitor and the vendors' products, firewalls and switches can be reconfigured in response to perceived break-ins, diminishing the lag between detection and prevention and making the network considerably harder to penetrate.
In addition, SSL, the standard for secure Internet transmissions used by credit card companies, may get a face-lift in the near future. To improve security between themselves and their customers, the credit card companies have been developing another standard called secure electronic transaction (SET), which may affect the security of Internet transactions. SET focuses on confidentiality and authentication. SET-compliant software will not only make sure that thieves cannot steal a credit card number, but also keep the merchant from seeing the number while still providing assurance that the card is valid. The encrypted payment instructions pass through the merchant's hands to the card issuer's payment gateway, which decrypts them, authorises the payment and credits the merchant's account.
The possibility of the back-end authentication process (in a networked situation) being compromised by the injection of forged data represents a point of vulnerability: the authentication engine and its associated interface could be fooled. A measure of risk must therefore be attached to the biometric system in use, especially when the authentication engine cannot verify that it is receiving bona fide live transaction data rather than a data stream replayed or injected from another source. Even a highly accurate biometric system can reject authorised users (false rejections), fail to identify known users, identify users incorrectly, or accept unauthorised persons as known users (false acceptances). In addition, if a third-party network is used as part of the overall biometric system -- for example, using the Internet to connect remotely to corporate networks -- the end-to-end connection between the host controller and the back-end application server should be carefully protected.
However, in most cases a biometric system cannot determine whether an individual has established a fraudulent identity, or is posing as another individual, during the enrolment process. An individual with a fake passport may be able to use that passport as the basis for enrolment in a biometric system. The system can then only verify that the individual is who he or she claimed to be at enrolment, unless a large-scale identification system is built in which each new enrolment is matched against all existing enrolments (a one-to-many search) to find duplicates and individuals attempting to enrol more than once.
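To make the two failure modes above concrete, here is an added example (my code, not the article's) of a toy biometric matcher: templates are 256-bit strings compared by normalised Hamming distance, as iris-code matchers do; the population, the sensor-noise model and the threshold values are constructed for illustration only. It measures the false acceptance rate (FAR) and false rejection rate (FRR) at several decision thresholds, and shows the one-to-many duplicate check at enrolment that the paragraph above calls for.

```python
"""Toy biometric matcher: 1:1 verification, FAR/FRR measurement and 1:N
duplicate-enrolment detection.

Added example, not code from the original article. Templates are modelled
as 256-bit strings compared by normalised Hamming distance (the scheme used
by iris-code matchers); the population, the sensor noise model and the
threshold values below are all constructed for illustration.
"""
import random

TEMPLATE_BITS = 256


def new_template(rng):
    """Constructed 'person': a random bit string standing in for a stored template."""
    return rng.getrandbits(TEMPLATE_BITS)


def capture(template, rng, noise=0.08):
    """Constructed sensor capture: each bit flips with probability `noise`."""
    flips = 0
    for i in range(TEMPLATE_BITS):
        if rng.random() < noise:
            flips |= 1 << i
    return template ^ flips


def distance(a, b):
    """Normalised Hamming distance in [0, 1]; 0 means identical templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(stored, sample, threshold):
    """1:1 verification: accept the claimed identity if the sample is close enough."""
    return distance(stored, sample) <= threshold


def error_rates(genuine, impostor, threshold):
    """FRR: fraction of genuine comparisons rejected; FAR: fraction of impostor
    comparisons accepted. Raising the threshold lowers FRR but raises FAR."""
    frr = sum(1 for d in genuine if d > threshold) / len(genuine)
    far = sum(1 for d in impostor if d <= threshold) / len(impostor)
    return far, frr


def score_population(people=40, seed=1):
    """Build genuine and impostor score sets from a constructed population."""
    rng = random.Random(seed)
    templates = [new_template(rng) for _ in range(people)]
    samples = [capture(t, rng) for t in templates]
    genuine = [distance(templates[i], samples[i]) for i in range(people)]
    impostor = [distance(templates[i], samples[j])
                for i in range(people) for j in range(people) if i != j]
    return genuine, impostor


def sweep(thresholds, people=40, seed=1):
    """FAR/FRR at each candidate threshold; where they cross is the EER region."""
    genuine, impostor = score_population(people, seed)
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


class Enrolment:
    """Enrolment store that runs a 1:N search before accepting a new identity,
    the 'match everyone against everyone' check the text describes."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.templates = {}

    def enrol(self, identity, sample):
        for other, stored in self.templates.items():
            if distance(stored, sample) <= self.threshold:
                raise ValueError(
                    f"{identity!r} matches existing enrolment {other!r}; possible duplicate")
        self.templates[identity] = sample
        return identity


def duplicate_enrolment_demo(seed=7, threshold=0.25):
    """Enrol one person, then try to enrol the same person under a second identity."""
    rng = random.Random(seed)
    person = new_template(rng)
    store = Enrolment(threshold)
    store.enrol("alice", capture(person, rng))
    store.enrol("bob", capture(new_template(rng), rng))   # a different person is accepted
    try:
        store.enrol("alice-second-passport", capture(person, rng))
    except ValueError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    for t, (far, frr) in sweep([0.05, 0.10, 0.15, 0.25, 0.35, 0.45]).items():
        print(f"threshold={t:.2f}  FAR={far:.4f}  FRR={frr:.4f}")
    print("enrolment refused:", duplicate_enrolment_demo())
```

Running it shows FAR climbing and FRR falling as the threshold is raised; a deployed system picks its operating point by which error is more costly. The duplicate check is only as good as the same threshold: too loose and it blocks legitimate enrolments, too tight and the second passport slips through.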
Blended Internet security methods
The past decade has witnessed dramatic changes in business processes. The number of organisations that store and access confidential and business-critical data in digital form on computer networks or over the Internet has increased dramatically, and Internet security will therefore grow in importance as the threat level of electronic crime increases. Although the global community has gained numerous benefits from new computing technologies, these technologies have at the same time made the wired community more vulnerable to breaches in the security of electronic information transfer.
Biometrics has been used for years in high-security government and military applications, but the technology is now becoming affordable as a network authentication method and general security feature. It is tempting to think of biometrics as a futuristic, science-fiction technology that belongs with solar-powered cars, food pills and other fanciful devices. Yet there are many historical references to individuals being formally identified by physiological parameters such as scars, measured physical criteria, or a combination of features such as complexion, eye colour and height.
Automated biometrics has existed for more than 30 years. Matching fingerprints against criminal records is important for law enforcers trying to find a criminal, but manual matching is tedious and time-consuming. In the 1960s the Federal Bureau of Investigation (FBI) in the US began to check finger images automatically, and by the 1970s a good number of automatic finger-scanning systems had been installed. The first commercial biometric system of that era, Identimat, measured the shape of the hand, looking particularly at finger length, rather than the fingerprint itself. Its use pioneered the application of hand geometry and set the path for biometric technologies as a whole.
Internet security methods can work together within a network in various ways. Figure 1 below illustrates how common Internet security technologies, such as a firewall or a remote access service (RAS) server, can be combined with biometric user authentication to protect against intrusion from outside and from within. If a user who is not authorised attempts to access this server, the IDS alerts information technology (IT) staff to the attempt, whether or not the user passed the biometric authentication.
Figure 1: Combining common Internet security technologies with biometrics
Since the IDS uses both static and dynamic monitoring to watch for direct attacks and abnormal network access, the server is doubly protected from potential harm.
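The two cases the figure describes can be written as detection rules. The following is an added example (not from the article): it parses constructed authentication log lines in a made-up key=value format and raises an alert when a user who passed biometric verification is denied a resource (the static check), and when one user accumulates three biometric failures within a minute (the dynamic check, which is what repeated attempts to fool the sensor look like in the logs). The field names, the thresholds and the log lines themselves are assumptions of the example.

```python
"""Detection logic for the two IDS cases in the text: an authenticated but
unauthorised access (static rule) and a burst of failed biometric
verifications (dynamic rule).

Added example, not from the original article; the key=value log format,
the thresholds and the log lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELD = re.compile(r"(\w+)=(\S+)")
FAIL_LIMIT = 3                       # failures per user ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window trigger an alert

# Constructed sample log: alice is authorised, bob passes the biometric check
# but asks for a resource he may not use, carol fails the sensor repeatedly.
SAMPLE_LOG = """\
2002-03-19T09:00:01 src=10.1.1.5 user=alice bio=PASS authz=ALLOW res=hr-db
2002-03-19T09:00:07 src=10.1.1.5 user=alice bio=PASS authz=ALLOW res=hr-db
2002-03-19T09:01:10 src=10.1.1.9 user=bob bio=PASS authz=DENY res=finance-db
2002-03-19T09:02:00 src=192.0.2.7 user=carol bio=FAIL authz=DENY res=hr-db
2002-03-19T09:02:05 src=192.0.2.7 user=carol bio=FAIL authz=DENY res=hr-db
2002-03-19T09:02:11 src=192.0.2.7 user=carol bio=FAIL authz=DENY res=hr-db
2002-03-19T09:40:00 src=192.0.2.7 user=carol bio=FAIL authz=DENY res=hr-db
"""


def parse(line):
    """One log line -> dict of fields plus a parsed timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)   # Python 3.7+
    return event


def analyse(log_text):
    """Return (timestamp, rule, user, detail) alerts for the whole log."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent bio=FAIL
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = parse(line)

        # Static rule: the biometric check passed, so the identity is known,
        # but the user is not authorised for the resource. Alert on the attempt.
        if ev["bio"] == "PASS" and ev["authz"] == "DENY":
            alerts.append((ev["ts"], "unauthorised-access", ev["user"], ev["res"]))

        # Dynamic rule: sliding window of biometric failures per user.
        if ev["bio"] == "FAIL":
            window = recent_failures[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_LIMIT:
                alerts.append((ev["ts"], "biometric-failure-burst", ev["user"], ev["src"]))
                window.clear()   # one alert per burst, not one per further failure
    return alerts


if __name__ == "__main__":
    for ts, rule, user, detail in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:<24} user={user} {detail}")
```

Carol's fourth failure at 09:40 does not raise a second alert because it falls outside the 60-second window; the window and limit are the knobs a practitioner tunes against the sensor's own false rejection rate, so that an honest user with a dry finger is not reported as an attacker.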
Data encryption is also used throughout the network. Users dialling in from the switched telephone network to a RAS server on a Windows NT network can use encryption via the point-to-point tunnelling protocol (PPTP) to exchange data between their laptop or home computer and the corporate network across the Internet. When a user connects through the RAS server, the user is given the same access rights as any other user in the company, and can send encrypted data to another computer or server over the PPTP tunnel. The RAS server has its own safeguards, such as calling the user back on a specific phone number to establish the connection, user authentication, encrypted passwords and user permissions. Note that PPTP's usual MS-CHAP authentication and its RC4-based MPPE encryption have known weaknesses, so PPTP should not be relied on for confidentiality by itself; IPsec or TLS-based VPNs are preferred where available.
Data encryption can also be implemented between a corporate server and a vendor or supplier through an extranet. If data security is imperative on an extranet, both parties can use encryption to ensure privacy and data protection. By running a virtual private network (VPN) over the extranet, a company and its supplier can ensure strong protection of their data on the Internet.
In addition to extranets and VPNs, digital certificates and key management are two other mechanisms for data security. If a company has an enterprise network that spans a large geographical area, it can use these to protect sensitive data from unauthorised access. For example, if the human resources and finance departments need to share sensitive data, they can communicate through the corporate intranet, using key management to protect the data and digital certificates to verify the origin and integrity of each transmission.
Even though VPNs and extranets provide some security, key management and digital certificates are two more locks and keys that can be put in place for additional assurance. Setting up a secured network is a daunting task. It requires careful thought, adequate planning, and the perspectives and recommendations of a team of IT staff. The network should be configured so that it is scalable and flexible enough to accommodate additional hardware and software as it grows with combined Internet security technologies and biometrics.
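An earlier section notes that the back end may not be able to tell a live capture from a data stream injected from another source. One way to close the replay part of that gap over an untrusted network, shown here as an added example (not the article's code or any vendor's product), is for the back end to issue a single-use nonce and for the capture host to tag each sample with an HMAC over the nonce and the sample under a per-device key. The key `DEVICE_KEY`, the message layout and the 30-second validity window are assumptions of the example. The tag proves freshness and integrity, not liveness: a compromised host that holds the key can still submit a stored sample, so the sensor's own liveness check and physical protection of the host remain necessary, and the VPN tunnel still provides the confidentiality.

```python
"""Binding a biometric sample to a fresh server challenge so the back end can
distinguish a live capture from a replayed or injected data stream.

Added example, not from the original article. It assumes a capture host that
holds a per-device secret key provisioned at installation (DEVICE_KEY below
is constructed); the message format and the 30-second validity window are
illustrative choices.
"""
import hashlib
import hmac
import secrets
import time

DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed


def sign_sample(key, nonce, sample):
    """Host side: tag = HMAC-SHA256(key, nonce || sample) over the raw capture."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()


class BackEnd:
    """Back-end application server: hands out single-use challenges and only
    accepts samples whose tag binds them to an unexpired, unused challenge."""

    def __init__(self, key, ttl_seconds=30, clock=time.time):
        self.key = key
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable so expiry can be tested
        self.pending = {}                  # nonce -> time issued

    def challenge(self):
        nonce = secrets.token_bytes(16)    # 128 bits: unguessable and non-repeating
        self.pending[nonce] = self.clock()
        return nonce

    def submit(self, nonce, sample, tag):
        issued = self.pending.pop(nonce, None)   # consumed on first use, valid or not
        if issued is None:
            return "rejected: unknown or already-used challenge"
        if self.clock() - issued > self.ttl:
            return "rejected: challenge expired"
        expected = sign_sample(self.key, nonce, sample)
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            return "rejected: sample does not match its tag"
        return "accepted"


def demo():
    """Walk through a live submission, a replay, a tampered sample, a forged
    tag and an expired challenge; returns the back end's verdict for each."""
    now = [1_000_000.0]
    back_end = BackEnd(DEVICE_KEY, ttl_seconds=30, clock=lambda: now[0])
    sample = b"constructed-minutiae-blob-for-alice"
    verdicts = []

    nonce = back_end.challenge()
    tag = sign_sample(DEVICE_KEY, nonce, sample)
    verdicts.append(back_end.submit(nonce, sample, tag))          # live capture
    verdicts.append(back_end.submit(nonce, sample, tag))          # replay of the same stream

    nonce = back_end.challenge()
    tag = sign_sample(DEVICE_KEY, nonce, sample)
    verdicts.append(back_end.submit(nonce, sample + b"!", tag))   # sample altered in transit

    nonce = back_end.challenge()
    forged = sign_sample(b"attacker-guess", nonce, sample)
    verdicts.append(back_end.submit(nonce, sample, forged))       # injected without the key

    nonce = back_end.challenge()
    now[0] += 31                                                  # more than the 30 s window
    tag = sign_sample(DEVICE_KEY, nonce, sample)
    verdicts.append(back_end.submit(nonce, sample, tag))          # stale challenge
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because the nonce is removed from `pending` before the tag is checked, a single challenge can never be "retried" with a corrected tag; the host must ask for a new one, which keeps every accepted sample tied to exactly one round trip.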
Indeed, much attention has been paid to biometrics in recent months as a means of increasing security for public places and businesses. Biometric technology has an advantage over other identification solutions because it verifies a person's identity from a unique physical attribute rather than from a paper or plastic ID card, and the number of biometric implementations is on the rise. Public awareness and acceptance of biometrics is increasing steadily as well, as people come to see the improved safety the technology offers collectively to society.
The Newham Borough Council is a case in point where biometric technology has been adopted to combat the frequent street crimes within the Borough. The Newham Borough Council in east London uses a facial recognition system in a closed-circuit television (CCTV) control-room application as part of an anti-crime initiative. FaceIt, from the US firm Visionics, is part of a CCTV-based system called Mandrake. The Mandrake system uses the FaceIt software in conjunction with other control-room software and hardware to automatically scan the faces of people passing 144 CCTV cameras located around Newham. The system's objective is to reduce crime in Newham by searching for matches in a video library of known criminals stored in a local police database.
Biometrics offers greater protection of our personal data and financial assets, which is more essential than ever before. Biometrics can better safeguard the critical data that could cause us the most harm if accessed by the wrong person. Some of the biggest potential applications include biometric access to automated teller machines (ATMs), use with credit or debit cards, and combating credit card fraud generally. Many types of financial transaction are also potential applications, e.g., banking by phone, banking by Internet, and buying and selling securities by telephone or Internet.
In the US, several states have saved significant amounts of money by implementing biometric verification procedures for benefits claimants. Not surprisingly, the number of benefits claims has dropped dramatically in the process, validating the systems as an effective deterrent against multiple claims. In some US prisons, visitors to inmates are likewise subject to biometric verification so that identities are not swapped during the visit.
With as little as a home address, driver's licence number or bank account number, criminals can use the Internet to find out all kinds of personal information about an individual. They can obtain the data needed to get new credit cards issued in your name, print fake checks in your name, obtain bank loans in your name, and perpetrate other creative scams in your name to profit at your expense. By the time you find out what has happened, serious damage can have been done. Victims of identity theft often spend years and thousands of dollars clearing their names and credit reports.
Payment processing systems that use biometrics with private account management can substantially reduce credit card crime. Biometrics can be incorporated at the point of sale, enabling consumers to enrol their payment options (e.g., checking, credit, debit, loyalty) into a secure electronic account that is protected by, and accessed with, a unique physical attribute such as a fingerprint. Cash, cards or cheques are then not needed to make purchases, so there is no need to carry them in a purse or wallet, which removes the chance of the purse or wallet being stolen or lost while shopping.
Biometric transaction-processing systems allow consumers to manage point-of-sale payments easily and securely. This solution is particularly well suited to personal cheque use. Biometrics can also offer increased protection for cheque-cashing services, whether personal or payroll: by requiring biometric identity verification before a cheque is cashed, the possibility of its being presented by anyone other than the intended payee is greatly reduced.
Biometric technology has been gaining recognition as a security solution that can improve the collective safety of society, and it is undoubtedly useful in this way. Since the September 11 terrorist attacks on the US, many questions have been raised concerning airport security. Although biometric technology alone could not have prevented the September 11 attacks, biometrics can be implemented as one component of a security system. Biometric verification can confirm that a person is who he or she claims to be, and biometric identification can pick a person out of a database of trusted or suspect individuals. If the identity of a traveller or employee is in question, biometrics can be a highly effective solution. An individual using a forged or stolen badge or ID card, if required to verify biometrically before entering a secure area, would likely be detected because his or her biometric does not match the one on file. An individual claiming a fraudulent identity could be identified from a database of known criminals linked to the biometric identification system, which might prevent him or her from boarding an aeroplane.
The UK's Barclays Bank has used finger-scan technology for employee access to buildings since 1996 and is currently involved in a pilot programme for PC logins to its corporate networks. In 1998, Nationwide Building Society became the first organisation in the world to trial iris recognition technology supplied by the ATM manufacturer NCR; 91 percent of its customers said they would choose iris identification over PINs or signatures in the future [6,7].
Government agencies, businesses and consumers are increasingly recognising the limitations of passwords and PINs as computer hacking, identity theft and other forms of cyber crime become more prevalent. Biometric devices offer a higher level of security because they verify physiological or behavioural characteristics that are unique to each individual and are difficult to forge. Biometric devices also relieve security personnel, network managers and customer service representatives of the tedious and often intrusive tasks of identity verification and password/PIN administration.
Personal identification numbers were one of the first identifiers to offer automated recognition. However, it should be understood that this means recognition of the PIN, not necessarily recognition of the person who has provided it. The same applies with cards and other tokens. We may easily recognise the token, but it could be presented by anybody. Using the two together provides a slightly higher confidence level, but this is still easily compromised if one is determined to do so.
A biometric, however, cannot be easily transferred between individuals and represents a unique identifier, unlike a traditional PIN. In practice this means that verifying an individual's identity can become both more efficient and considerably more accurate, since biometric devices are not easily fooled, provided the sensor can detect a presented copy such as an artificial finger or a photograph. In the context of travel and tourism, for example, one immediately thinks of immigration control, boarding-gate identity verification and other security-related functions. Everyday questions such as "Should this person be given access to a secure system?", "Does this person have authorisation to perform a given transaction?" and "Is this person a citizen of our country?" are asked millions of times.
All these questions deal with how to identify human beings correctly. Currently there are two popular ways of solving such security problems. One relies on something the user has, such as a credit card or a physical key; the other on something the user knows, such as a password or PIN. Both methods attach the authority to the credential (the password or key) rather than to the end user: whoever holds the password or token has the authority, and whoever loses it loses the authority. Under such a scheme, people have to keep various cards and remember tens of passwords.
Losing a card or forgetting a password can cause users a great deal of trouble. Meanwhile, banks, telecommunication companies and government bodies lose millions of pounds per year through breaches of card- and password-based security systems. Researchers are trying various ways of solving these problems, and the biometric approach is the most promising.
Biometrics is a technology that uses a human being's unique physical or behavioural features to identify or verify a person. It relies on "something that you are" to make a personal identification and can therefore inherently differentiate between an authorised person and a fraudulent impostor. Because one's characteristics cannot be forgotten, lost or easily shared, a biometrics-based security system is much harder to defraud than a password-based one. It is not immune, however: a biometric can be observed and copied (a latent fingerprint, a photograph of a face) and, unlike a password, cannot be replaced once compromised. Biometrics is therefore not a universal remedy for all our personal identification issues, but it does represent an interesting new tool in our technology tool box, which we might usefully consider as we move into the new millennium.
Automated recognition based on the retina and the voice evolved during the 1970s, while iris, signature and facial verification are relatively new. In the nineteenth century there was a peak of interest as researchers in criminology attempted to relate physical features and characteristics to criminal tendencies. With this background, it is hardly surprising that for many years the possibility of using electronics and the power of microprocessors to automate identity verification has occupied individuals and organisations in both the military and commercial sectors. The role of biometrics in law enforcement has grown rapidly since the 1960s, and automated fingerprint identification systems (AFIS) are used by a significant number of police forces throughout the world. Widespread commercial adoption of biometrics is unlikely to take place until universal standards are in place. Such standards should, in theory, make biometric technology consistent, interoperable and interchangeable, which will in turn encourage more end users to experiment with it.
It is equally important to mention that there is no simple, recognised way to integrate biometric authentication mechanisms into existing applications. As a result, the early implementers of biometric technology have found themselves limited to single-application implementations based on single-vendor product offerings, which limits the use of the technology in any practical sense.
Consumers in the Internet marketplace want to control what personal information is disclosed about them, to whom, and how that information will be used and further distributed. The state of the art points toward a combination of business self-regulation and technology that lets consumers enhance their own privacy protection; emerging technologies are needed to protect privacy on the Internet. Depending on the type of business and the value of the data, a company can choose among virtual private networks, digital certificates, data encryption and network operating system controls to protect its data in transit, establish the identity of a user, and mask the data from unauthorised eyes.
However, the future is not all rosy. Much remains to be done to make the Internet a widely acceptable marketplace for the exchange of goods and services between merchants and consumers. Technology continues to become more complex, and the safeguards used today may be severely out of date tomorrow.
I believe biometrics will be most effective when used in tandem with other security measures. Strong encryption is not the answer to every security issue: buggy software, human error, greed and poor server administration all provide opportunities for unscrupulous hackers. The increasing volume of private communication over the Web, particularly business transactions, will require a higher level of security. If a problem occurs with a business transaction, or a Web company is accused of bad business practices, it may become very difficult to establish liability. Who should be held accountable: the business, the bank, or the trust intermediary? Authentication may therefore become an important condition of conducting business electronically.
Many questions concerning biometrics remain unanswered: "Will it produce an underworld of cyber criminals who pose a threat to the very structure of society?" and "To what extent can companies trust their employees with sensitive encoded biometric information?" Indeed, companies cannot ignore the problems of Internet security, as doing so would result in the loss of competitive advantage in the marketplace. What the future holds for Internet security technology such as biometrics cannot be predicted, given the rate at which technology is advancing.
The ethical issues surrounding biometric technologies are of grave concern. The right to privacy is one of our most cherished freedoms. As society grows more complex and people become more interconnected in every way, we must work even harder to respect the privacy, dignity and autonomy of each individual, and develop new protections for privacy in the face of the new technological reality.
This issue of privacy is central to biometrics. Critics complain that the use of biometrics poses a substantial risk to privacy rights, and evaluating this argument requires a proper understanding of what privacy rights entail. But if biometrics is the way forward in making sure that all transactions are fully secure, then the questions to ask are: "How much will it cost to implement such security solutions?", "Who should be trusted with the stored biometric data?" and "How long will it take an expert hacker to recover the stored biometric templates from their protected form?" These are some of the concerns of businesses and online shoppers.
Indeed, the human race has not only brought its business to cyberspace, it has brought its exploration of the psyche there, too. In the digital world, just as everywhere else, humanity has encountered its dark side. Information Age business, government, and culture have led to Information Age crime, Information Age war and even Information Age terror [2,9,10].
It is well established that traditional security measures such as passwords and identification cards cannot satisfy every security requirement. Various physiological and behavioural biometrics for authenticating individuals have broad applications, such as controlling access to personal computers, private files and information repositories, building access control, and many others. Although biometrics is still relatively expensive and immature, systems that integrate multiple biometric features, such as fingerprints, palm prints, facial features and voice patterns, to authenticate a person's identity and verify his or her eligibility to access the Internet are under development. Biometric devices will continue to improve, becoming even more accurate and reliable as Internet technology evolves.
As biometric technology becomes more acceptable, its applications should multiply into many phases of our daily activities. The growing interest in combining common Internet security technologies with biometrics will increase the growth and popularity of blended Internet security methods in the future. Nevertheless, the ethical issues surrounding biometric technologies must be weighed against any potential benefits.
Accenture (2001) 'Internet economy will top $1 trillion by end of 2001', Financial Times, 19 March.
Shoniregun, C.A. (2002) 'Are existing Internet security measures guaranteed to protect user identity in the financial services industry?', Int. J. Services Technology and Management, Vol. X, No. 2002, pp.000-000.
Eschelbeck, G. (2000) 'Active security: a proactive approach for computer security systems', Journal of Network and Computer Applications, Vol. 23, pp.109-130.
PC Magazine (1999) 'The future of Internet security', March.
Zhang, D.D. (2000) Automated Biometrics Technology and Systems, Kluwer Academic.
Clinton, W.J. (1997) Commencement Address at Morgan State University, 18 May.
Liu et al. (2001) E-Commerce Agents: Marketplace Solutions, Security Issues, and Supply and Demand, Springer.
Timmers, P. (2000) Electronic Commerce: Strategies and Models for Business-to-Business Trading, John Wiley.
Desmarais, N. (2000) 'Body language, security and E-commerce', Library Hi Tech, Vol. 18, No. 1, pp.61-74.
White, M. (2001) 'Networking in a networked economy', Finance on Windows, Summer, pp.82-83.
Oppliger, R. (2002) Internet and Intranet Security, Second edition, Artech House.
Proctor, P.E. (2002) The Practical Intrusion Handbook, Prentice Hall.
Charles Adetokunbo Shoniregun is a lecturer in Business Information Systems at the School of Computing and Technology (University of East London) and a visiting lecturer at the School of Computing Information Systems and Mathematics (South Bank University). His research and consultancy interests are in Internet security, risks assessment of technology enabled information, electronic and mobile commerce (emC), and risk assessment of telecommunication infrastructure and applied information systems.