Biometrics: Why Keys, Cards, PINs and Tokens are not secure. A Whitepaper by Fujitsu Frontech North America Inc. December 2013

April 18, 2018 | Author: Mildred Hines | Category: N/A

Biometrics: Why Keys, Cards, PINs and Tokens are not secure

A Whitepaper by Fujitsu Frontech North America Inc. December 2013


Contents
Biometrics  3
Old Technology and Practices  3
Common Experiences Related to Authentication Failure  3
Factors in Password Creation vs. Percentage of Respondents  4
Access Cards  5
The Case for Biometrics  5
But which form of Biometrics  7
The Biometric Wallet  7
How it Works  7
Why Palm Vein is better  8
Why Fujitsu  8
Key Takeaways  8
About Fujitsu Frontech North America Inc.  9
Endnotes  10


Biometrics

For those of you who are on the fence about using biometric authentication for your next security project, including physical access control, you are not alone. All industries are increasingly under pressure to protect and preserve sensitive and personal data. In healthcare, that might mean protecting patient records, preventing patient fraud or restricting access to narcotics cabinets. In education, it might mean preventing unauthorized visitors on campus or on school buses, or preventing fraud in the school cafeteria. The applications go on and on across a number of industries.

Old Technology and Practices

Traditionally, passwords, personal identification numbers (PINs), tokens, access cards or keys have been sufficient for most, if not all, applications. But as the number of cards we carry and the number of passwords and PINs we have to remember grows exponentially, so does the challenge of managing our security programs. We’re human; we lose and misplace cards, sometimes keys are stolen, and we forget passwords and PINs. Add to that the complexities of voluntary and involuntary employee terminations, new hires and the escalating use of contractors, and you have the perfect recipe for a major security breach. According to a presentation at ASIS 2013 by Michael Barrett, president of the FIDO Alliance [1] (Fast IDentity Online), more and more users are frustrated by password complexity; the requirements are working against users instead of supporting them.

Chart: Common Experiences Related to Authentication Failure (percentage of respondents in the US, UK and Germany; vertical axis 0% to 70%). Categories: forgot a too long or complex password; locked out of an Internet site; took too long to reset a password. Source: fidoalliance.com


To cope with lengthy passwords and PINs, and with our own fallibility, we create and use weak passwords. If allowed, we tend to use the same passwords or PINs over and over. We use our cat’s name, or our mother’s maiden name, or perhaps the name of a child or other relative; something we won’t forget. And we use these passwords across multiple sites and across multiple applications. Over time these passwords can be compromised through social networks or by inadvertently clicking on phishing links that download malware or viruses. To compound the problem, when passwords or PINs are compromised on one site, they can open up the data breach to a multitude of websites or applications. According to a recent survey of American consumers from CSID [2] (www.csid.com), “more than half of respondents (61%) admitted to reusing the same passwords for multiple sites, a practice that leaves consumers and businesses vulnerable.” The report goes on to say that 73% of consumers claim to be concerned with the strength and security of their passwords, but don’t seem to be “practicing what they preach.”

Chart: Factors in Password Creation vs. Percentage of Respondents
- Strong/secure: 73%
- Easy to remember: 57%
- Site requirements: 33%
- Easy to enter: 12%
- None of these: 1%
Source: Consumer Password Habits

For those of you who think access keys or cards are any safer, you had better think again. According to global consulting firm Bishop Fox [3], every single Fortune 500 company uses passive low-frequency RFID readers with their employees’ ID cards to regulate access into their office buildings. For years low-frequency cards were believed to be secure because the technology did not exist to read them from a distance, but that has all changed. Now the technology exists to read and copy everyone’s RFID card, say in your neighborhood Starbucks coffee shop. Even without your card ever leaving your purse or wallet, a fraudster could walk away with the office access codes for all of the offices in the area in a matter of minutes.


If you think this kind of attack is too high-tech for the common criminal, just check the Internet. There are how-to videos on YouTube and even step-by-step instructions for this kind of attack in a 2011 Consumer Reports article. Additionally, according to a recent report commissioned by the Federal Reserve, and appearing in the Journal of Digital Information Management [4], Americans have a knack for losing, temporarily misplacing or having access cards stolen. So you have the challenge, hassles and expenses of issuing a temporary or replacement card. The greatest percentage of lost or stolen cards appears to be among students and faculty in the education vertical, but it is also happening at an alarming rate in the Fortune 500.

Chart: Access Cards lost, misplaced and stolen (percentage of respondents by vertical; vertical axis 0% to 90%). Source: Federal Reserve Board, 2013.

Notes: Lost means the card was never found. Misplaced means misplaced for at least 10 working days or more. Stolen means the respondent is certain the card was stolen. The survey includes all types of access cards, e.g., picture ID, mag stripe, IC, RFID. Education data covers 12 months; other verticals cover 24 months.

The Case for Biometrics

Biometric authentication mitigates all of the problems with keys, PINs, tokens, passwords and access cards. Biometric authentication, according to Wikipedia, “refers to the identification of humans by their characteristics or traits. … Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Biometric identifiers are often categorized as physiological versus behavioral characteristics. … Examples include, but are not limited to, fingerprint, face recognition, DNA, palm vein, hand geometry, iris recognition, retina and odor/scent. … [As] biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods.” Unlike keys, PINs and passwords, biometric identifiers are:

- Universal
- Unique
- Permanent
- Measurable
- Non-transferable

In addition, unlike ID cards or tokens, you always have your unique biometric identifiers with you; they are impossible to leave behind or lose. The potential for biometrics in many applications has not escaped the attention of investors on Wall Street. Ever since Apple acquired AuthenTec for $356 million in July 2012, there has been speculation that it wouldn’t be long until they integrated the technology into one of their devices. And sure enough, they announced that this biometric technology (fingerprint, in this case) would be introduced in their newest operating system for the iPhone.

In a recent Wall Street Daily article, The Seven Most Investable Technology Trends of 2013, Louis Basenese, Chief Investment Strategist, selected biometric authentication as the number 2 investable technology for 2013. “With each passing year, more and more functionality keeps getting added to mobile devices. Want to deposit a check from your phone? There’s an app for that. Want to control your home’s thermostat on the go? There’s an app for that, too. Want to remotely log on to your work computer and network? No problem. But there is one major obstacle: Consumers and enterprises won’t embrace these conveniences – or any future ones that developers dream up – unless security can be absolutely guaranteed. And everyone knows that simple passwords and PIN codes won’t cut it. The solution? Biometric authentication. That is, leveraging the uniqueness of your fingerprints, palms, eyes (iris and retina), voice, face, hand geometry, signature and DNA to verify your identity… The mobile market isn’t the only vertical for biometric authentication. It can be used for secure identification in any type of setting. And it is. Case in point: More than 50 school districts and 160 hospital systems in 15 states are currently using palm scanners to verify identities. Next up? ATMs and various retail transactions. So get ready to replace what you know (passwords) with who you are (biometrics).”

Ever since Apple’s announcement, there has been a parade of articles from Wall Street trumpeting the valuations of other biometric solution companies in the market. We should not expect industry giants like Intel and Microsoft to sit on the sidelines for very long.

But which form of Biometrics

Determining which form of biometric technology to incorporate in your solution can be a challenge too. You must carefully weigh the costs against the benefits. Not all biometric technologies are equal, and not all perform and cost the same. Some forms of biometric technology may not be a good “fit” for your specific application. For instance, voice recognition for access control may not be the best solution for a noisy area or for customers with a cold or congestion. Facial recognition may not work well in poor lighting conditions. Fingerprint may not be the best choice for identification in hospital settings where hygiene is paramount and a print can be lifted with tape. Iris scanning may be impractical for physical access due to its difficulty of use (a person must keep their head in a certain position and keep their eyes open) and the unreliability of reading the iris through some contact lenses. That makes reading the vein your most logical choice.

The Biometric Wallet

Eliza Strickland, an associate editor for the international technology magazine IEEE Spectrum [5], penned an article, The Biometric Wallet, last year. She evaluated the various forms of biometric technologies and concluded that vein recognition was superior due to (1) its ease of use; (2) its lower cost; (3) its higher accuracy; and (4) its higher security. Using vein patterns as an identifier over fingerprints has its obvious advantages. First, the vein pattern is extremely hard, if not impossible, to steal, unlike fingerprints. Novice thieves can steal fingerprints with tape or can use silicone to lift fingerprints. And not to get too ghoulish, there have been documented cases where desperate criminals have severed fingers to steal the fingerprint. Secondly, veins must actively have blood flowing through them.

Figure source: IEEE Spectrum

How it Works

The concept of using veins and vein patterns as an identifier is relatively simple in its application, but quite ingenious in practice. The blood flowing through your circulatory system contains the protein hemoglobin, which carries oxygen from the lungs and deposits it in tissues throughout the body. The blood that returns to the heart through the veins contains deoxygenated hemoglobin, which absorbs light in the near-infrared part of the spectrum. The rest of the tissues of the hand, however, allow the near-infrared light to pass through. So shining near-infrared light, like that emitted by a TV remote, on a hand creates an image with shadowy lines where the veins absorb the light.

Why Palm Vein is better

Of course, we have veins running throughout our entire body, but the “palm vein” is a particularly good candidate for authentication because of the concentration of veins in the palm and the ease of using the hand for such a scan. Unlike other parts of the body, the palm is seldom covered. And the palm vein is a more reliable area to scan than, say, just a finger vein because of the higher probability of matches and lower false acceptance rate (FAR).

Figure: Near Infrared Image; Vein Pattern Image.

Why Fujitsu

Fujitsu has a very mature and sophisticated biometric engine. It generates encrypted numeric vein templates, which contain values of vein characteristics extracted from the near-infrared image. So even if hackers break into the server storing the palm vein database, they gain access only to meaningless data. And once the palm vein is compared against the stored template, the data does not remain at the local sensor; it is deleted, so there is nothing left behind to steal, unlike a fingerprint. The Fujitsu biometric engine includes a five-level “decision tree” for evaluating and accepting the similarities of templates. The five levels evaluated in the decision tree provide one of the highest levels of accuracy in the market: a False Acceptance Rate (FAR) of 0.00008%, and a False Rejection Rate (FRR) of 0.01%.
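The FAR and FRR quoted above are per-comparison figures. As an added example (not code from the whitepaper or from Fujitsu), the following Python shows how such rates are measured from labelled match scores, and how a per-comparison FAR compounds when the system runs 1:N identification or allows retries. The score threshold, the independence assumption and the sample scores are mine, not the paper's.

```python
"""Added example (not from the Fujitsu whitepaper): how per-comparison FAR/FRR
figures such as the paper's 0.00008% / 0.01% translate into system-level risk.
Assumptions of mine, not the paper's: the matcher yields a similarity score in
[0, 1] and accepts when score >= threshold; comparisons are independent; the
deployment may run 1:1 verification or 1:N identification, possibly with retries."""
import math
from typing import Sequence, Tuple

# Per-comparison error rates as quoted in the whitepaper, converted from percent.
FAR_PER_COMPARISON = 0.00008 / 100   # 8e-7
FRR_PER_COMPARISON = 0.01 / 100      # 1e-4


def empirical_rates(genuine: Sequence[float], impostor: Sequence[float],
                    threshold: float) -> Tuple[float, float]:
    """Measure (FAR, FRR) of an accept-if-score>=threshold rule on labelled scores.
    genuine: scores of people compared against their own stored template.
    impostor: scores of people compared against someone else's template."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def identification_far(far: float, enrolled: int) -> float:
    """Probability that a 1:N search over `enrolled` templates wrongly matches an
    unenrolled person at least once: the per-comparison FAR compounds with N."""
    return 1.0 - (1.0 - far) ** enrolled


def with_retries(far: float, frr: float, attempts: int) -> Tuple[float, float]:
    """Effect of allowing `attempts` tries on one decision: an impostor gets in if
    any attempt passes, a genuine user is locked out only if every attempt fails."""
    return 1.0 - (1.0 - far) ** attempts, frr ** attempts


def max_enrolled_for_budget(far: float, budget: float) -> int:
    """Largest enrolled population whose 1:N false-accept probability stays within
    `budget` (closed form of identification_far(far, n) <= budget)."""
    return int(math.log(1.0 - budget) / math.log(1.0 - far))


if __name__ == "__main__":
    # Constructed match scores (not measured data) to show the threshold trade-off.
    genuine = [0.92, 0.88, 0.95, 0.81, 0.70]
    impostor = [0.10, 0.35, 0.62, 0.20, 0.48]
    for t in (0.60, 0.75):
        print(f"threshold {t:.2f}: FAR/FRR =", empirical_rates(genuine, impostor, t))
    print("1:N FAR with 10,000 enrolled:",
          identification_far(FAR_PER_COMPARISON, 10_000))
    print("FAR/FRR with 3 attempts:",
          with_retries(FAR_PER_COMPARISON, FRR_PER_COMPARISON, 3))
    print("enrolled users within a 0.1% 1:N budget:",
          max_enrolled_for_budget(FAR_PER_COMPARISON, 0.001))
```

Raising the threshold trades FAR for FRR, and a per-comparison FAR of 8e-7 grows to roughly 0.8% per search once 10,000 templates are enrolled in identification mode.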

Key Takeaways

We hope that this whitepaper has convinced the fence sitters that staying with old technology like passwords, keys, tokens, access cards and PINs is no longer a viable option. The costs and risks associated with the old technologies are too high. Biometrics is the authentication technology of the future, and it is available today; and it is always with you: your physiological characteristics. When you evaluate biometric technology for your application, we encourage you to look at all the factors involved: ease of use, accuracy, cost, and security. When you take all of these factors into account, we’re confident that one technology will stand alone as the superior choice: palm vein technology, patented by Fujitsu Laboratories and marketed around the world as PalmSecure®.


About Fujitsu Frontech North America Inc.

Fujitsu Frontech North America Inc. offers a wide variety of products including retail point-of-sale terminals, self-checkout systems, kiosks, palm vein biometric authentication technology, RFID tags and currency handling equipment (dispensers, recyclers, and bulk note acceptors), with sales, service and engineering support throughout the United States. Fujitsu Frontech North America Inc. is headquartered, with operations and product development, at 27121 Towne Centre Drive, Suite 100, Foothill Ranch, CA 92610. For more information about Fujitsu products and services, call us at 877-766-7545 or visit us at us.fujitsu.com/ffna. For more on Fujitsu’s award-winning PalmSecure® biometric authentication technology, please visit http://www.fujitsu.com/us/services/biometrics/palm-vein/, email us at [email protected] or call our toll-free number, (877) 766-7545.

About Fujitsu Frontech Limited

As part of the Fujitsu Group, Fujitsu Frontech Limited ties people and IT together through the development, manufacture and sale of front-end technology such as ATMs, operation branch, POS and totalizator terminals, and public display devices. Fujitsu Frontech also delivers related software, system integration and outsourcing as part of its total solutions offerings. The company supports the security sector by offering products incorporating Fujitsu’s latest palm vein authentication technology, and is actively involved in the development of key technologies in various fields, with a current focus on color electronic paper and RFID systems. For more information, please visit: www.frontech.fujitsu.com/en.


Endnotes

1. The FIDO (Fast IDentity Online) Alliance is a 501(c)(6) non-profit organization nominally formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords.

2. CSID and consumer research firm Research Now teamed up to survey a demographically representative sample of 1,200 U.S. adults (age 18 and above) from the Research Now Consumer Panel. The sample framework is selected based on U.S. Census data for age, ethnicity, gender, region and income. The survey also collected demographic data for education level and marital status.

3. Bishop Fox has provided security consulting services to the Fortune 1000, high-tech startups, and financial institutions worldwide since 2005. In early November 2013, Bishop Fox demonstrated the ability to grab RFID data from a distance of three feet using a high-powered portable reader: http://hackaday.com/2013/11/03/rfid-readersnoops-cards-from-3-feet-away/

4. The Journal of Digital Information Management (JDIM), sponsored by the Digital Information Research Foundation, concentrates on all aspects of digital information management, and covers digital information processing, digital content management, digital world structuring, digital libraries, metadata, information management and other related fields. An international peer-reviewed journal, JDIM contains original research papers, ongoing research, technology reviews, reports on work-in-progress, short notes and announcements of forthcoming events.

5. IEEE Spectrum magazine is the flagship publication of the IEEE, the world’s largest professional technology association, with 385,000 subscribers. The magazine is read by technology innovators, business leaders, and the intellectually curious. Spectrum explores future technology trends and the impact of those trends on society and business. http://spectrum.ieee.org/biomedical/imaging/the-biometric-wallet (This article was originally published under the name Blood and Money.)
