printer friendly version

An inconvenient truth

IT security in SA is behind the biometric advances deployed in physical security.

IT security professionals can learn a great deal from their peers in physical security about reinforcing security with biometrics. Perhaps the greatest lesson of all is that the technology pays for itself by cutting the losses caused by unauthorised access and activity.

Motivated by the need to minimise losses caused by unauthorised access and activities, local companies have been deploying biometric-based security solutions on a massive scale. In southern Africa, over 65 000 Morpho fingerprint scanners now control the physical access for some 2,5 million people, making the region one of the world’s biggest markets for biometrics.

For several years, organisations have been replacing cards, PINs and passwords with fingerprint-based identification to strengthen physical security and more accurately monitor people’s attendance and location. Biometric systems have demonstrated consistent effectiveness to manage identity within environments ranging from mines, factories and warehouses to offices, colleges and residential estates.

What is driving biometrics?

The large-scale adoption of biometric technology within physical security is based on its ability to accurately identify people and to manage their access and activities accordingly. Cards, PINs and passwords (CPPs) have never been an effective way to identify people simply because one person can use another person’s card, PIN or password to gain access or to clock-in for that person at work.

This form of abuse is so widespread within payroll solutions that for some organisations the biometric business case is based on straightforward ROI: the technology pays for itself by preventing the recurring losses caused by buddy-clocking. Make the investment, cut the losses. Simple as that.

In other organisations, the investment in biometrics might be based on the need to prevent and deter theft by strictly controlling and monitoring access to specific areas. Once again, biometric-based security is considered a cost-effective means of reducing losses.

Physical security in SA is highly advanced

Back in 2004, when fingerprint identification was starting to gain ground within physical access control in SA, there was the usual uncertainty that is often associated with new technology applications. In the following years, the local market discovered through a good deal of trial and error that not all biometric technology shares the same performance characteristics in terms of accuracy, consistency, speed and capacity. There were many examples of organisations that purchased ineffective biometric systems. A great deal of money and time was wasted as operational performance fell way short of expectations and inferior systems had to be replaced with ones that actually delivered.

Many hard lessons were learnt financially by all sorts of organisations before Morpho emerged as the top technology and secured its pre-eminent position with perhaps as much as an 80% share of the local market.

Although not as widespread today as it was five years ago, companies still make the error of selecting biometric systems based on price rather than performance. As the old Scottish saying highlights, ‘Nothing is for nothing and you get very little for sixpence.”

Today, fingerprint technology is not only commonplace within local physical access control and automated workforce management solutions, it is also being used within systems that range from monitoring drug trials and dispensing programmes to licensing systems such as the SA Police Services Small Arms and Light Weapons Project.

Massive IT security risks

The majority of organisations – including those who use biometrics for physical access control – are still reliant on passwords or cards and PINs to authenticate IT users and authorise their activities. Yet the exploitation of these credentials is by far the most common method for gaining unauthorised access to corporate systems. CPPs are so frequently exploited because they are so easy to exploit.

As a security measure within physical access solutions, it is accepted that the inherent insecurity of CPPs is caused by four fundamental flaws: they are all routinely lost, forgotten, shared and stolen. When CPPs are used to control IT access, their flaws create huge security risks. Every day, they are abused used by insiders and outsiders to make fraudulent payments, to modify and delete data and to steal sensitive information.

And the damage caused by this abuse can be astonishing. Between 2005 and 2008, a futures trader at the French bank, Société Générale, used colleagues’ passwords to make rogue trades that cost the bank some R52 billion. More recently, the Swiss banking giant, UBS, announced a $2 billion loss due to illicit trading by a London-based employee that began in 2008.

Closer to home, the SA media regularly reports on instances of password-based EFT fraud in organisations ranging from cellular providers to government departments.

Of perhaps even greater concern is the fact that the cyber theft of corporate secrets and sensitive information is causing far greater losses than the more widely publicised crimes of identity fraud relating to payment cards and internet banking.

A total lack of access control?

So why is corporate IT not leveraging the proven security benefits of biometrics to minimise the enormous losses caused by unauthorised IT activity? Should corporate IT be taking a closer look at modern biometrics and the far higher levels of security it offers? Perhaps people are so accustomed to using CPPs that the direct consequences of their abuse are overlooked. Can it be that users’ familiarity with CPPs is nurturing a false sense of IT security?

In an open acknowledgement that their systems are vulnerable to abuse and in an effort to combat IT-based crime, many companies have introduced strong, complex passwords that are routinely changed according to a prescribed schedule. Other organisations have chosen to go the route of two-factor authenticators such as chip- and-PIN cards or a combo of passwords and one-time-PINs.

Somehow, we seem to be ignoring the fact that these credentials are just as easy to share, forget, lose and steal as their simpler predecessors. Are companies really just spinning their wheels as their IT-related losses continue to rise?

A strong password is far more likely to be written down and consequently exposed than one based on the user’s name or date of birth. So-called smartcards still get shared when someone forgets theirs at home or leaves it in another office or in the car. More significantly, one of SA’s big banks has incurred losses running into the millions due to employees ‘selling’ chip-and-PIN cards that authorise their access to internal payment systems.

The blunt truth is that as long as one person can use another’s IT access credentials we really have no way of securing our systems and controlling who can do what, where and when within them. The doors are wide open and the cyber villains are simply walking in and taking what they want.

Replacing CPPs with biometrics is neither costly nor complex

It is important to recognise that passwords, cards and PINs are not a free solution. Back in 2004, RSA, the security division of IT giant EMC, demonstrated that managing passwords within a 1000-user organisation will typically cost $661 200 (R4,6m) over a three-year period in terms of calls to an IT helpdesk, wasted user time and lost productivity.

Based on these figures alone, it is more cost-effective to switch to fingerprint authentication rather than continuing with a system based on conventional credentials. Whether or not one agrees with the password costs suggested by RSA, there is of course some level of recurring cost associated with using CPPs. And whatever their management costs may be, CPPs are still a woefully inadequate barrier to unauthorised IT access and activity.

Whenever an IT user is required to use a card, PIN or password, this can be automatically replaced with a request to scan their fingerprint. It is quite possible to replace all CPP-related dialogue boxes with a biometric prompt and for users to authenticate themselves with a small, USB-linked fingerprint scanner.

The operating software that enables fingerprint-based security can mirror all the access protocols used by existing systems such as Active Directory. It can also be configured to request biometric authentications for specific transactions and to provide a definitive audit chain that links users to their activities within an IT system.

For even higher levels of security, two-factor biometric authentication combines fingerprint and finger vein recognition in a single scanner. Such technology addresses concerns about deceiving a scanner with a fake fingerprint print and has applications where illicit IT access might result in highly damaging consequences.

So, the next time there is an IT security breach that was based on the abuse of CPPs – and which ones are not? – perhaps biometrics should be considered as a means to really secure the system. Companies may well be surprised by how easy they are to introduce and by their ability to stem the astonishing losses caused by unauthorised IT access and activity.

The adoption of biometric-based security in IT is at a point similar to the physical security market six or so years ago. In terms of operational issues in the real world, IT security can certainly learn much from biometric-based access control within the physical environment and within a South African context.

The major difference is that the way forward for IT has already been highlighted and there is a wealth of practical experience to guide us.

Share this article:

Further reading: