[ISN] Unlocking Fingerprints

From: InfoSec News (alerts@private)
Date: Sun Aug 27 2006 - 22:04:03 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/08/27/AR2006082700511.html

By Griff Witte
Washington Post Staff Writer
August 28, 2006

The technology has been the stuff of movies for years: A secret agent 
runs his fingertip and an encrypted ID card over a pair of sensors. 
There's a match, and the door swings open.

In the coming months, a wave of government initiatives could start 
making such high-tech methods of identification commonplace -- beginning 
with the replacement this fall of federal employee IDs. Similar cards 
are planned for transportation workers, first responders and visitors to 
the United States.

Packed with biometric data such as fingerprints and containing a 
computer chip with room to expand the amount of information stored, the 
new IDs represent a potential boon to technology companies eyeing an 
estimated $8 billion in identity-related contracts. Firms such as 
BearingPoint Inc. and Lockheed Martin Corp. have set up showcase 
identity labs, pulling technology from different companies into turnkey 
operations. Hundreds of smaller companies, down to manufacturers of 
plastic cards, are vying for part of the market.

The biggest business opportunity still looms: Driver's licenses, which 
are due for a retooling under new federal laws.

"When you're talking about credentialing the federal workforce and 
contractors, you're talking about maybe 10 million people. When you're 
talking first responders, you're at 20, 30 or 40 million people," said 
Thomas Greco, a vice president at Herndon-based Cybertrust Inc. "But 
when you're talking credentialing all registered drivers in the United 
States, you're up to hundreds of millions of people. Nobody is losing 
sight of that."

In an era of chronic concern over terrorism and anxiety over 
immigration, the business of determining who is who has become 
increasingly urgent. But it is not without controversy. Americans have 
long resisted the idea of a national ID card, for example. The growing 
sophistication of computer databases and networks has heightened privacy 
concerns -- as have data breaches, from the theft or loss of government 
computers to AOL's online posting of 36 million keyword searches 
conducted by hundreds of thousands of subscribers. If the pool of 
government programs using the new identity technology gets large enough 
and the amount of information collected gets detailed enough, "there 
will be a lot of pressure for these programs to converge," creating a de 
facto national identity system, said Barry Steinhardt, director of the 
technology and liberty project at the American Civil Liberties Union.

Use of a new government standard may prompt the private sector to 
follow. The banking, retailing and health-care industries are monitoring 
the federal initiatives, ready to apply stricter identity standards when 
dealing with their employees and customers. In an online world, the 
technology could also be used to establish that two people who never 
meet in person really are who they say they are.

Federal agencies are supposed to begin issuing their new ID cards in 
October, complying with a 2004 Bush administration directive requiring 
more stringent methods for tracking who gets access to federal 
facilities.

The new cards must meet a rigorous federal standard that details -- down 
to the size of the typeface -- what the new cards look like and how they 
are used. At a minimum, the IDs will require fingerprints and possibly 
retinal scans or other forms of biometric identification, depending on 
the agency. The cards are also likely to incorporate magnetic strips, 
personal identification numbers and digital photos, as well as holograms 
and watermarks to deter forgery. Before employees and contractors can 
get their new credentials, they will have to submit to a thorough 
background check, if they have not already.

By employing multiple methods of checking identity, officials hope to 
make it as difficult as possible for someone other than a card's owner 
to use it. Ultimately, the cards will determine not just who gets into 
buildings but also who receives access to computer applications and 
files.

Because the information needed to verify an individual's identity won't 
take up much space on the computer chip in each card, plenty more can be 
added. An employee's skills, work hours, medical history and job 
evaluations, for example, could all be included -- much to the dismay of 
civil liberties advocates.

Already, other federal programs are borrowing from the new standard for 
government workers. A program to issue credentials to all transportation 
workers to monitor who has access to air and seaports, for instance, 
will subject those workers to much the same process as federal 
employees.

In addition, the Real ID Act, approved by Congress last year, aims to 
standardize security features on driver's licenses by mid-2008. The 
Department of Homeland Security has not yet set the standards that 
states will have to follow. It probably won't include the advanced 
biometrics the federal government is using for its employees, and states 
are pushing hard to avoid a complex reengineering of the ubiquitous, 
low-tech driver's license.

Nonetheless, the companies that make the cards, the scanning devices and 
the software needed to run identity systems are closely watching the 
driver's license requirements. They say they understand the privacy 
concerns but also expect that security will remain a top priority -- 
with ID standards likely to get stricter, the technology more 
sophisticated, and the business more profitable.

"No one's going to want technology that just exposes them to more risk," 
said Greco, whose company, Cybertrust, focuses on information security.

At BearingPoint's McLean offices, the company has set up a room to show 
off a range of identity systems, including machines for taking 
fingerprints, scanning irises, recognizing faces or even differentiating 
between individuals based on the shape of a hand.

"We think it's a terrific area of opportunity," said Gordon Hannah, who 
leads BearingPoint's efforts to win identity contracts.

Earlier this month, the General Services Administration awarded 
BearingPoint a five-year deal worth up to $105 million to supply new IDs 
to any agency that wants them. Agencies that do not buy their cards 
through the GSA contract are holding their own competitions.

That may be just the beginning. A recent study by the Stanford 
Washington Research Group and an expert in identity management put the 
value of the 10 biggest U.S. identity initiatives at $8 billion over the 
next five years, with an additional $14 billion coming from overseas.

From those programs, identity businesses expect other opportunities to 
emerge.

"One of the inhibitors has been the cost of the technology. But with the 
widespread adoption by the government, the cost of everything is going 
to come down," said Jon Rambeau, director of credentialing at 
Bethesda-based Lockheed Martin.

State and local governments are considered major potential buyers. Among 
their needs are credentials for first responders so that officials can 
verify the identity of people who show up to help in the event of an 
emergency.

On the commercial side, too, boosters of identity technology say the 
opportunities abound. Banks, for instance, may want secure cards that 
can guarantee that someone trying to cash a check really is the intended 
recipient. Hospitals are looking into using the identity systems for a 
more reliable way of accessing medical records. And retailers have been 
working on allowing consumers to make purchases with the swipe of a 
finger, instead of a card.

Nor do the opportunities stop at the U.S. border. California-based 
contractor Computer Sciences Corp. has enrolled 40 million people in 
identity programs worldwide. But on a planet of 6.5 billion, the company 
thinks it has only scratched the surface.

"Each country has exactly the same issues: How do you facilitate 
security, facilitate movement across borders and protect privacy all at 
the same time?" said Tim Ruggles, CSC's director of border and 
immigration solutions. "That's a tough one."
 
Copyright 2006 The Washington Post Company

