Fingerprints fail to tackle football hooligans

Biometrics 2007: trial at Dutch clubs found biometrics were easy to spoof

A fingerprint recognition system failed to prevent black-listed fans from entering football grounds and was easily fooled by simple spoofing techniques, according to a trial by Dutch research organisation TNO.

Jurgen den Hartog, who undertook the research, said that with a false accusation rate of 0.1% - a low rate being a requirement for such a system, given the volume of supporters and the fact that false accusations could spark trouble - the fingerprint system failed to spot 15% to 20% of those on a volunteer black-list, recruited to test the technology, a level he described as "unexpected".

"This has serious implications for a lot of other negative identification scenarios," den Hartog told a session of the Biometrics 2007 conference in Westminster on 18 October. "It's very easy not to look like yourself, so I wonder what the impact of these results will be on other programmes."

Negative identification fails if a black-listed person can fool the system into thinking they are not on that list, involving technically challenging one-to-many checks. Identity verification checks, such as with passports, require only a one-to-one check that the biometric recorded matches the individual, and fails only if someone else's identity is hijacked.

Den Hartog said that fooling the fingerprint systems, LScan 100 scanners provided by NEC and HSB, proved easy for the volunteers, who were asked to attempt such spoofing. They used techniques including latent fingerprints on sticky tape and a layer of glue on fingers: "The trick is, do not press too hard," he said of the latter. Both techniques also fooled a spoof-resistant scanner from Lumidigm in TNO's labs.

Furthermore, the tests brought up other problems: the devices could check 12 fans a minute at best, but as few as four or five a minute on one occasion when it was in direct sunlight by Feyenoord's ground. "The french fries stand outside the stadium couldn't do business any more, because of the queue for our gate," den Hartog said.

"The live system did not meet important requirements of speed, accuracy and robustness against manipulation," den Hartog concluded. "I think speed and accuracy can be solved, but robustness against manipulation really remains a challenge."

The research involved 6400 checks at 26 matches at three Dutch football clubs. TNO chose fingerprints in preference to iris or facial recognition, on a range of criteria including speed, reliability and proof against being fooled.

This article first appeared on the web-site of Infosecurity magazine,

Read more on IT risk management