October 27, 2009, 9:04 PM — According to Winston Churchill, there is no worse mistake in leadership than to hold out false hopes. One area where false hopes have long abounded is information security, and it's happening again.
This time the false hope we're extending is that we can deploy one simple piece of technology that will significantly reduce the problem of identity theft. Of course, identity theft is a huge and growing problem. Each year, the identifying information of millions of Americans is stolen from corporate databases. Companies face billions of dollars in theft, millions of dollars in fines and, perhaps most important, the loss of customer trust.
Worse, identity theft can harm victims through lost savings, rejected loans and denied jobs. CIOs are faced with a security challenge that threatens the viability not only of the IT organization but of the entire corporation as well. To date, the countermeasures that we've deployed -- passwords, PINs and authentication tokens -- have been ineffective. All can be stolen and used by the nefarious.
This has made inexpensive biometrics look attractive for authenticating employees, customers, citizens, students and any other people we want to recognize. But do the benefits of biometrics outweigh the risks?
Biometrics rely not on something you have (a credit card) or something you know (a PIN), but something you are(your fingerprints, palm prints or retinas). Those unique biological identifiers are electronically read and converted to a string of ones and zeros and sent to an authenticator. There the information is compared with the string of numbers on file in the authenticator database.
And there is the weakness, for the risk of transmission interception or database theft remains unchanged. If a credit card number can be stolen, then the sequence of numbers that make up a fingerprint can be stolen just as easily. It might take thieves a little time to gear up to this new challenge, but gear up they will. Undoubtedly, in the years to come, news reports about fingerprint, palm print and retinal eye scan thefts will be just as common as credit card number thefts are today.
Related Links
Other Columns by George Tillmann
IT services account managers: Planning globally, acting locally
Customers and clients and consumers, oh my!
Aligning IT with the business is not enough
When it comes to IT's customers, one size does not fit all
Don't report to the CEO? Maybe that's OK
So, does that mean biometrics will leave us right where we are? No, they will leave us in a worse place. Think about it: If you lose your credit or ATM card, the issuing company can replace it. If your PIN becomes compromised, the bank can give you a new one. Even a Social Security number can be replaced. But what do you do if someone steals your retina scans? Who is going to give you new eyeballs?
What will stop thieves from electronically sending your stolen fingerprints to your bank to confirm that you really do want to clean out your bank account through an ATM in Islamabad? What will you do when your digitized fingerprints wind up on a government No Fly list? If you think it takes forever to board a plane now, wait until every law enforcement agency in the free world has your fingerprints on file as a suspected thief or, worse, a terrorist.
The reality is that biometrics are a feel-good measure designed to give people the false impression that they are more secure than they were before, when in fact they are more at risk. Identity theft victims report that it can take three, five or more years to clean up the financial mess left after a stolen Social Security number. How long will it take to clean up a stolen fingerprint?
