Questions you should ask before you allow certain forms of identification

Eye scan identification

CHARLOTTE, NC (WBTV) - You scan your palm at the doctor's office,  a picture of your eye proves you have the authority to pick your kids up at daycare, and soon a fingerprint will get you into your smart phone.

There are many great reasons why biometric identification can be useful.  It also raises many questions.  Is this data hackable too?  Can someone run off with your iris scan?  As more colleges adopt iris scans along with doctor's offices and the workplace, are there some questions you should be asking?  WBTV's cyber expert, Theresa Payton, says yes and shares her advice below:


Biometrics, such as iris scan, can quickly identify or verify the identity of a person.  Tonight we're talking about iris scans but biometrics can also include fingerprints; face and palm prints; gait; voice prints; and more.


As with any new technology, privacy and security risks are largely unknown>

A group of security researchers reverse engineered iris scans and tricked a commercial system 50% of the time

We saw a group of Chilean doctors fake a fingerprinting system to have their buddies clock them in at the hospital when they were elsewhere using silicone fingers

Databases are hackable and if your iris scan is stored along with other data points such as name, date of birth, social security number, the person holding that data has the keys to your life.

As iris scans get more popular, it just takes lifting your digital iris and submitting it to systems and they are unlocking the door to your life.

You only have 1 iris - be careful who you let scan and store it

Winthrop University in Rock Hill is piloting a program which uses iris scans.  When asked for comment about the scanning and how the information is stored, James Hammond, Associate Vice President for Information Technology shared this statement with us:

"Biometric identification and authentication techniques are definitely on the increase.  Biometrics boast a number of benefits that actually REDUCE the chance of identity theft.  Forging a biometric credential is far more difficult than hacking a password.  In some cases, biometric credentials cannot be forged at all using today's technology.

Biometric techniques vary significantly with regard to accuracy.  For example, iris scanning is more accurate than fingerprint or palm scanning.  Also, iris scanning is different from retina scanning, so the terms should not be used interchangeably.  The iris is seen on the surface of the eye.  The retina is on the inside of the eye and can change more drastically due to medical conditions.

If someone has concerns about an organization that uses biometric techniques, there are a few questions that can be asked to help determine if the organization is handling biometric data responsibly:

1)      Is an image being stored?  For example, is a picture of your iris being stored that could later be accessed?  An accessible or reproducible image of a fingerprint or iris should NOT be stored.  A high definition picture of your eyes or fingers should not be accessible to maximize your identity safety.

2)      What exactly is being stored?  The only thing that should be stored related to your biometrics is a version of your biometric that has been broken down into "data points" and then encrypted with a one-way encryption technique.  This means that the data points cannot be decrypted once they have been stored.

3)      What other personally identifiable information is being stored and how is it secured?  Just because a biometric credential is stored using best practice, it doesn't mean that other data is stored securely.  Although you would expect a name to be stored in a database with your biometric data, you may also wonder if your birthdate, driver's license, social security number, etc., is also being stored.  If sensitive information is also being stored, you should understand why.  It probably makes sense for your education records or your medical records to include some sensitive information so you can be properly identified for insurance, government reporting, and authorized exchange of data.  However, it may not make sense for sensitive information to be stored by an organization that doesn't need to know that information.  For example, your grocery store loyalty card or your gym membership doesn't need to be associated with sensitive information other than you name, address, and phone number.

The methods used above are similar to how best-practice websites (such as banking websites) store your passwords.  A highly secure website will NOT actually store your password.  Instead the database will encrypt your password with a one-way encryption algorithm that cannot be decrypted.  This means that your bank should not be able to look up your password.  That is why you have to reset your password when you forget it.  The bank cannot look up your password even if they wanted to.  If you have dealt with a website that is able to tell you what your password is, then that is an indication of poor security that is more vulnerable to identity theft.

So, you may wonder if your bank doesn't know what your password is, then how can they authenticate you when you type in your password.  They accomplish this by encrypting the password you type in and then comparing it to the encrypted version that they have stored.  If the two match, then they know the actual passwords match, even though they do not actually know your real password.  Good biometric techniques work in a similar way.

One area of concern that we have noted with iris scanning is the effect of color enhancing and color changing contact lenses.  We have had success scanning people who wear color enhancing lenses.  But, people who wear color changing lenses may not be successfully scanned.  This is due to the opaque nature of a color changing contact lens.  As a result, biometric identification techniques may need to include alternative methods of identification for exceptional situations.

Another area of concern is how the biometric technique determines "live-tissue".  The concern is whether a picture of a live body part can fool a biometric sensor.  There are also concerns about whether a body part removed from a body will fool a biometric sensor (as seen in some science fiction movies).  This is an area where some manufacturers have made progress and others have not.  However, in many cases these extreme cases are not a concern due to what the biometric is being used for.  For example, one of the best cases for an iris scanner is a gym that requires membership.  It is not likely that someone will go to extreme measures to forge a biometric with a picture or a removed body part to access a gym.  However, the advantage of using an iris scanner to enter the gym is a high degree of convenience.  A gym patron may be dressed in workout clothes and may not have a place to carry an ID card.  The patron can simply look into an iris scanner, be identified, and then access the gym.  The patron doesn't need to worry about remembering an ID card, remembering a password, or having their identity stolen."

Copyright 2013 WBTV. All rights reserved.