security as a process or philosophy, not a product

The Atlantic | September 2002 | Homeland Insecurity | Mann

Unhappily, biometric measures are often implemented poorly. This past spring three reporters at c’t, a German digital-culture magazine, tested a face-recognition system, an iris scanner, and nine fingerprint readers. All proved easy to outsmart. Even at the highest security setting, Cognitec’s FaceVACS-Logon could be fooled by showing the sensor a short digital movie of someone known to the system—the president of a company, say—on a laptop screen. To beat Panasonic’s Authenticam iris scanner, the German journalists photographed an authorized user, took the photo and created a detailed, life-size image of his eyes, cut out the pupils, and held the image up before their faces like a mask. The scanner read the iris, detected the presence of a human pupil—and accepted the imposture. Many of the fingerprint readers could be tricked simply by breathing on them, reactivating the last user’s fingerprint. Beating the more sophisticated Identix Bio-Touch fingerprint reader required a trip to a hobby shop. The journalists used graphite powder to dust the latent fingerprint—the kind left on glass—of a previous, authorized user; picked up the image on adhesive tape; and pressed the tape on the reader. The Identix reader, too, was fooled. Not all biometric devices are so poorly put together, of course. But all of them fail badly.

This is a great article that shows how easy it is to do security badly. It’s not that hard to do it properly, but you have to understand that the job is never done, and that’s hard to sell. In these fallen times, we want results, not responsibilities.

In the end, people, paying even a modicum of attention, are what make a difference: people who will call the police if they see someone break into your car, who will notice a suspicious person at the ATM, who can override the inherently flawed system with their own judgment as needed.

See the link here for more.