[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Unlocking Fingerprints
From: InfoSec News <alerts () infosecnews ! org>
Date: 2006-08-28 5:04:03
Message-ID: Pine.LNX.4.61.0608280003460.25390 () conundrum ! infosecnews ! org
[Download RAW message or body]
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/27/AR2006082700511.html
By Griff Witte
Washington Post Staff Writer
August 28, 2006
The technology has been the stuff of movies for years: A secret agent
runs his fingertip and an encrypted ID card over a pair of sensors.
There's a match, and the door swings open.
In the coming months, a wave of government initiatives could start
making such high-tech methods of identification commonplace -- beginning
with the replacement this fall of federal employee IDs. Similar cards
are planned for transportation workers, first responders and visitors to
the United States.
Packed with biometric data such as fingerprints and containing a
computer chip with room to expand the amount of information stored, the
new IDs represent a potential boon to technology companies eyeing an
estimated $8 billion in identity-related contracts. Firms such as
BearingPoint Inc. and Lockheed Martin Corp. have set up showcase
identity labs, pulling technology from different companies into turnkey
operations. Hundreds of smaller companies, down to manufacturers of
plastic cards, are vying for part of the market.
The biggest business opportunity still looms: Driver's licenses, which
are due for a retooling under new federal laws.
"When you're talking about credentialing the federal workforce and
contractors, you're talking about maybe 10 million people. When you're
talking first responders, you're at 20, 30 or 40 million people," said
Thomas Greco, a vice president at Herndon-based Cybertrust Inc. "But
when you're talking credentialing all registered drivers in the United
States, you're up to hundreds of millions of people. Nobody is losing
sight of that."
In an era of chronic concern over terrorism and anxiety over
immigration, the business of determining who is who has become
increasingly urgent. But it is not without controversy. Americans have
long resisted the idea of a national ID card, for example. The growing
sophistication of computer databases and networks has heightened privacy
concerns -- as have data breaches, from the theft or loss of government
computers to AOL's online posting of 36 million keyword searches
conducted by hundreds of thousands of subscribers. If the pool of
government programs using the new identity technology gets large enough
and the amount of information collected gets detailed enough, "there
will be a lot of pressure for these programs to converge," creating a de
facto national identity system, said Barry Steinhardt, director of the
technology and liberty project at the American Civil Liberties Union.
Use of a new government standard may prompt the private sector to
follow. The banking, retailing and health-care industries are monitoring
the federal initiatives, ready to apply stricter identity standards when
dealing with their employees and customers. In an online world, the
technology could also be used to establish that two people who never
meet in person really are who they say they are.
Federal agencies are supposed to begin issuing their new ID cards in
October, complying with a 2004 Bush administration directive requiring
more stringent methods for tracking who gets access to federal
facilities.
The new cards must meet a rigorous federal standard that details -- down
to the size of the typeface -- what the new cards look like and how they
are used. At a minimum, the IDs will require fingerprints and possibly
retinal scans or other forms of biometric identification, depending on
the agency. The cards are also likely to incorporate magnetic strips,
personal identification numbers and digital photos, as well as holograms
and watermarks to deter forgery. Before employees and contractors can
get their new credentials, they will have to submit to a thorough
background check, if they have not already.
By employing multiple methods of checking identity, officials hope to
make it as difficult as possible for someone other than a card's owner
to use it. Ultimately, the cards will determine not just who gets into
buildings but also who receives access to computer applications and
files.
Because the information needed to verify an individual's identity won't
take up much space on the computer chip in each card, plenty more can be
added. An employee's skills, work hours, medical history and job
evaluations, for example, could all be included -- much to the dismay of
civil liberties advocates.
Already, other federal programs are borrowing from the new standard for
government workers. A program to issue credentials to all transportation
workers to monitor who has access to air and seaports, for instance,
will subject those workers to much the same process as federal
employees.
In addition, the Real ID Act, approved by Congress last year, aims to
standardize security features on driver's licenses by mid-2008. The
Department of Homeland Security has not yet set the standards that
states will have to follow. It probably won't include the advanced
biometrics the federal government is using for its employees, and states
are pushing hard to avoid a complex reengineering of the ubiquitous,
low-tech driver's license.
Nonetheless, the companies that make the cards, the scanning devices and
the software needed to run identity systems are closely watching the
driver's license requirements. They say they understand the privacy
concerns but also expect that security will remain a top priority --
with ID standards likely to get stricter, the technology more
sophisticated, and the business more profitable.
"No one's going to want technology that just exposes them to more risk,"
said Greco, whose company, Cybertrust, focuses on information security.
At BearingPoint's McLean offices, the company has set up a room to show
off a range of identity systems, including machines for taking
fingerprints, scanning irises, recognizing faces or even differentiating
between individuals based on the shape of a hand.
"We think it's a terrific area of opportunity," said Gordon Hannah, who
leads BearingPoint's efforts to win identity contracts.
Earlier this month, the General Services Administration awarded
BearingPoint a five-year deal worth up to $105 million to supply new IDs
to any agency that wants them. Agencies that do not buy their cards
through the GSA contract are holding their own competitions.
That may be just the beginning. A recent study by the Stanford
Washington Research Group and an expert in identity management put the
value of the 10 biggest U.S. identity initiatives at $8 billion over the
next five years, with an additional $14 billion coming from overseas.
From those programs, identity businesses expect other opportunities to
emerge.
"One of the inhibitors has been the cost of the technology. But with the
widespread adoption by the government, the cost of everything is going
to come down," said Jon Rambeau, director of credentialing at
Bethesda-based Lockheed Martin.
State and local governments are considered major potential buyers. Among
their needs are credentials for first responders so that officials can
verify the identity of people who show up to help in the event of an
emergency.
On the commercial side, too, boosters of identity technology say the
opportunities abound. Banks, for instance, may want secure cards that
can guarantee that someone trying to cash a check really is the intended
recipient. Hospitals are looking into using the identity systems for a
more reliable way of accessing medical records. And retailers have been
working on allowing consumers to make purchases with the swipe of a
finger, instead of a card.
Nor do the opportunities stop at the U.S. border. California-based
contractor Computer Sciences Corp. has enrolled 40 million people in
identity programs worldwide. But on a planet of 6.5 billion, the company
thinks it has only scratched the surface.
"Each country has exactly the same issues: How do you facilitate
security, facilitate movement across borders and protect privacy all at
the same time?" said Tim Ruggles, CSC's director of border and
immigration solutions. "That's a tough one."
Copyright 2006 The Washington Post Company
_________________________________
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic