Tags: security, umd
On Friday, I got an email from my University's dining services. It outlined some major (and long rumored) changes to the campus dining system, including an elimination of all takeout and a shift to "unlimited" meal plans as part of initiatives to reduce food wastage and meal insecurity. There's more to the changes than that, but they're not particularly important to this post.
My attention was grabbed by this paragraph under "Dining Hall Access":
Students will wave a hand through a reader, the turnstile will open, and the student can come in and enjoy. By scanning your palm, we chart the distance between a few distinct points that are unique to each person and come up with an identifying number based on those distances. Palm prints are not stored, and the data we store cannot be re-created into a palm print image.
If you've ever watched a police procedural or Law and Order-type show, you've almost certainly seen databases of finger and palm prints being matched up against the prints of suspects. These shows often portray print matching as a form of image recognition or comparison, with images being overlaid to demonstrate similarities.
While this actually is a way to perform print recognition (the technical term is correlation matching), it's fairly rare on the commercial level due to difficulties in ensuring the uniformity of image quality. It's the computational equivalent of overlaying two x-rays of the same person's bones (taken at different times) and comparing them to some degree of tolerance.
In reality, the overwhelmingly popular matching method is minutiae matching, which works by measuring the characteristics of and distances between discrete palm features (minutiae). The result is a set of coordinates and/or vectors that can be hashed or otherwise combined to produce a (semi)random number, which is then used for identification or verification purposes.
Although governments and organizations may retain images of finger and palm prints, matching of those prints to a given input is done overwhelmingly via minutiae. Furthermore, organizations that adopt biometric scanners may opt to only store minutiae data, without any images whatsoever. As such, it is not usually the images of prints that are compared, but a discrete set of data points obtained from them.
Although only storing minutiae data is arguably better than storing whole palm prints, it is still not an acceptable identification policy (for a university).
Unless the scanners are equipped with infrared, spoofing an individual's palm print will be as trivial as printing out a picture of their hand and holding it to the scanner.
Even with infrared, a sufficiently motivated attacker can easily use any number of skin analogues. Deviant Ollam's DEFCON talk on safecracking is a good example of this.
Although my school claims that they will not store images of palm scans, they do not state whether the minutiae themselves are stored (rather than only the number generated from them). If they are, anybody who breaks into or has access to the minutiae database will be able to at least partially reproduce the layout of every individual's palm.
Since UMD does not have a good record with respect to computer security, this is cause for concern.
The use of palm scans is also troubling from a privacy perspective. Unlike a student ID number that can be changed as required, an identifier generated from print minutiae is inextricably linked to an individual's body. Unless the minutiae data is salted dynamically (which it can't be for the sake of identification), the number generated from it will be permanently associated with the individual.
There are over 38,000 students at the University of Maryland, plus nearly 10,000 academic and non-academic staffers. A sizable percentage of those nearly 50,000 people eat regularly at the two main diners on campus (not counting the convenience stores or 251 North).
Assuming (extremely conservatively) that only 50% of those people eat 5 times weekly at a campus diner, that's 125,000 prints a week. Each of those people needs to be registered initially, then has to have their print recognized reliably each time they enter a dining hall.
Print recognition technology has improved remarkably over the last decade (we even trust it on our smartphones now!), but that's a very tall order. Minutiae reads will probably vary quite a bit from scan to scan (especially across different scanners), so the matching tolerance will probably have to be generous to avoid asking individuals to scan their palm more than once per entry. The result will likely be easier exploitability (see above).
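To make the minutiae discussion concrete, here is a toy model (added here, not code from the post or from any real scanner vendor) of the two options the post contrasts: storing the minutiae and matching them with a distance tolerance, versus hashing quantized minutiae into a single identifying number. The palm templates and the grid/tolerance values are constructed for illustration; it shows that the hashed number breaks on a slightly shifted re-read (so a deployable system ends up keeping the minutiae), that the number is deterministic and therefore permanent, and that a tolerance generous enough for reliable reads also accepts a completely different palm.

```python
import hashlib
import math

# Constructed sample templates: each palm is a list of (x, y) minutiae
# coordinates in arbitrary scanner units. Made-up points, not real data.
PALM_A = [(12, 40), (55, 18), (73, 90), (30, 66), (88, 45), (20, 85)]
PALM_B = [(15, 22), (60, 70), (40, 50), (90, 10), (70, 30), (25, 95)]


def rescan(template, dx, dy):
    """Simulate a second read of the same palm placed slightly off-centre:
    every minutia shifts by the same (dx, dy)."""
    return [(x + dx, y + dy) for x, y in template]


def match_score(stored, probe, tolerance):
    """Minutiae matching in the sense the post describes: the fraction of
    stored minutiae that have some probe minutia within `tolerance` units.
    This needs the stored minutiae themselves, not a hash of them."""
    hits = sum(
        1 for sx, sy in stored
        if any(math.hypot(sx - px, sy - py) <= tolerance for px, py in probe)
    )
    return hits / len(stored)


def palm_id(template, cell, salt=b""):
    """An identifying number derived from minutiae: snap each point to a grid
    of `cell` units, sort, and hash. Deterministic, so the same palm always
    maps to the same id; a salt that changed per read would make lookups
    impossible, which is why the id cannot be 'dynamically salted'."""
    cells = sorted((int(x // cell), int(y // cell)) for x, y in template)
    digest = hashlib.sha256(salt + repr(cells).encode()).hexdigest()
    return digest[:16]


if __name__ == "__main__":
    reread = rescan(PALM_A, 2, -1)
    print("genuine re-read, tolerance 4 :", match_score(PALM_A, reread, 4))
    print("different palm, tolerance 4  :", match_score(PALM_A, PALM_B, 4))
    print("different palm, tolerance 25 :", match_score(PALM_A, PALM_B, 25))
    print("hashed id stable on re-read? :", palm_id(PALM_A, 10) == palm_id(reread, 10))
```

The re-read shifts the point (12, 40) into a different grid cell, so the hashed id changes even though every minutia is only about 2.2 units away from where it was enrolled.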
Maintaining an infrastructure of multiple scanners and their associated database of identifiers and minutiae will also be nontrivial. Will they be linked into the current identifier system (magnetic stripes + student IDs)? Will they remain distinct? How restricted will access to them be? The email I received answers none of these questions, which makes me think that UMD either doesn't have them or thinks that their answers would be unsatisfactory (either option is equally likely).
In the grand scheme, I don't think that these problems can be justified by the "simplicity" of palm scanners.
Instead, the school should look at moving away from magnetic stripes and towards chip cards (preferably with baked-in keys). This would also involve a significant change in infrastructure, although it could be staggered by issuing cards with both a magnetic stripe and a chip. If chips prove to be too tedious when accessing buildings, RFID may also be a reasonable addition (in tandem; the security of a chip is greatly preferable for payments).
Overall, my school's decision to pursue biometrics for the new dining hall system is a bit of a mystery to me. It's not cheaper or more secure (with commercial minutiae scanners, at least), and it will only make the school's identification significantly more complex and fractured.
Edit 5/10/16: This is the same school that stored students' unencrypted Social Security Numbers on magnetic stripes for years.