Govt biometric ID cards could be vulnerable to fraud, warn experts

A leading biometrics expert has warned the government that biometric ID cards, due to be rolled out from 2007, could be...

A leading biometrics expert has warned the government that biometric ID cards, due to be rolled out from 2007, could be vulnerable to fraud unless it invests in more sophisticated iris recognition technology.

Professor John Daugman, who pioneered the developed of iris recognition at Cambridge University said that the biometric systems under test by the government were not sophisticated enough to distinguish between real and fake eye images.

"I am quite worried about the way that national ID cards will work out if the wrong camera is chosen. This is a technology that depends on choosing the right camera," he said.

Daugman was speaking after a Japanese academic revealed new research at the Biometrics 2004 conference in London, demonstrating that commercial iris recognition readers can be fooled by using eye images printed on paper.

Professor Tsutomo Matsumoto, of Yokohama National University, found that two commercial iris readers could be fooled 100% of the time and a third was fooled 50% of the time.

In the wake of the research, Daugman said it was essential for the government to choose advanced iris recognition cameras cable of distinguishing between real and fake eyes.

Biometric suppliers are in the process of developing readers capable of distinguishing the movement and light reflections of living eyes from iris images, he said.

Fingerprint readers are also at risk from spoofing from "gummy fingers" - artificial fingers made from gelatine, Matsumoto revealed.

He presented research to show how researchers were able to crack the fingerprint protection in a mobile phone and secure PKI token using the fake fingers.

The success of the UK’s ID card scheme would depend on how securely the government is able to store biometric on the central population database, he told Computer Weekly.

"The storage of data on the central database is a crucial issue. Once such information is disclosed, if there is no mechanism to protect the information that might be a problem," he said.

Read more on Antivirus, firewall and IDS products