According to Winston Churchill, there is no worse mistake in leadership than to hold out false hopes. One area where false hopes have long abounded is information security, and it's happening again.
This time the false hope we're extending is that we can deploy one simple piece of technology that will significantly reduce the problem of identity theft. Of course, identity theft is a huge and growing problem. Each year, the identifying information of millions of Americans is stolen from corporate databases. Companies face billions of dollars in theft, millions of dollars in fines and, perhaps most important, the loss of customer trust.
Worse, identity theft can harm victims through lost savings, rejected loans and denied jobs. CIOs are faced with a security challenge that threatens the viability not only of the IT organization but of the entire corporation as well. To date, the countermeasures that we've deployed -- passwords, PINs and authentication tokens -- have been ineffective. All can be stolen and used by the nefarious.
This has made inexpensive biometrics look attractive for authenticating employees, customers, citizens, students and any other people we want to recognize. But do the benefits of biometrics outweigh the risks?
Biometrics rely not on something you have (a credit card) or something you know (a PIN), but something you are(your fingerprints, palm prints or retinas). Those unique biological identifiers are electronically read and converted to a string of ones and zeros and sent to an authenticator. There the information is compared with the string of numbers on file in the authenticator database.
And there is the weakness, for the risk of transmission interception or database theft remains unchanged. If a credit card number can be stolen, then the sequence of numbers that make up a fingerprint can be stolen just as easily. It might take thieves a little time to gear up to this new challenge, but gear up they will. Undoubtedly, in the years to come, news reports about fingerprint, palm print and retinal eye scan thefts will be just as common as credit card number thefts are today.
Other Columns by George Tillmann
So, does that mean biometrics will leave us right where we are? No, they will leave us in a worse place. Think about it: If you lose your credit or ATM card, the issuing company can replace it. If your PIN becomes compromised, the bank can give you a new one. Even a Social Security number can be replaced. But what do you do if someone steals your retina scans? Who is going to give you new eyeballs?
What will stop thieves from electronically sending your stolen fingerprints to your bank to confirm that you really do want to clean out your bank account through an ATM in Islamabad? What will you do when your digitized fingerprints wind up on a government No Fly list? If you think it takes forever to board a plane now, wait until every law enforcement agency in the free world has your fingerprints on file as a suspected thief or, worse, a terrorist.
The reality is that biometrics are a feel-good measure designed to give people the false impression that they are more secure than they were before, when in fact they are more at risk. Identity theft victims report that it can take three, five or more years to clean up the financial mess left after a stolen Social Security number. How long will it take to clean up a stolen fingerprint?
Where does this leave the CIO? Not in a very comfortable position. While the threat of information theft is unchanged, the risk of inflicting unnecessary hardship on employees, customers and citizens is very real. In the coming years, we will see how many CIOs stand up to the unenviable task of confronting the uncomfortable facts and how many surrender to spreading false hope to a fearful constituency.
George Tillmann is a former CIO, management consultant and the author of The Business-Oriented CIO (John Wiley & Sons, 2008). He can be reached at firstname.lastname@example.org.
This story, "The case against biometric identity theft protection" was originally published by Computerworld.