Black Hat Iris Biometrics Attacks Don’t Tell The Whole Story

An iris biometrics expert clarifies the truth behind the technology in response to the Black Hat conference paper claiming to have hacked an iris template, recreated the image and fooled a recognition system

Is it really that easy to re-engineer an iris image? Not so fast…

Planet Biometrics released an article today, “Iris attacks no surprise to iris recognition inventor,” which details an interview with John Daugman, Professor of Computer Vision and Pattern Recognition at Cambridge, in response to the recent Black Hat conference paper that hacked into an iris system and re-engineered images to fool a recognition device. Professor Daugman is credited with developing and patenting the first algorithm for iris recognition, which is still widely used across the world.

Professor Daugman acknowledges in the article:

“This is a classic ‘hill-climbing’ attack that is a known vulnerability for all biometrics….the vulnerability in question, which involves using an iterative process to relatively quickly reconstruct a workable iris image from an iris template, is a classic “hill-climbing” attack that is a known vulnerability for all biometrics.”

The primary vulnerability in the Black Hat conference paper was the full disclosure of and access to the IrisCode template, as well as having the ability “to generate an IrisCode template from an image, and to do so repeatedly and iteratively.” In other words, without access to the encoding algorithm or to a hardware device that implements it, the “attack” would not have been possible. Be that as it may, the Black Hat scientists did have access to the encoding algorithm, but not all iris biometrics algorithm researchers and developers give access to the Software Development Kit (SDK) that is needed in order to perform the “attack.”

According to Daugman, this should be a sign “to maintain cryptographic security on IrisCode templates” in order to keep the highest level of security and thwart would-be system attacks. Daugman went on to say that in addition to cryptographic security, there is also the issue of iris hardware detecting an artificial iris vs. a real one. Most of the higher quality iris biometrics recognition systems on the market are equipped with sophisticated technology to detect the presence of an artificial eye and tell when they are being spoofed. The bottom line is that a quality, modern iris biometrics recognition system would not have been fooled by the re-engineered iris image used in the Black Hat conference paper.

What is rather unfortunate about the content of this article is that virtually no one who was exposed to the Black Hat Conference paper will have the opportunity to hear the points brought out by Daugman and will automatically deduce that iris biometrics systems should be avoided at all costs since they can be easily hacked and your iris template stolen. Daugman’s view will be known by few, fueled in large part by organizations like the Electronic Frontier Foundation who immediately pounced on the Black Hat conference paper and began their mission to spread the word that iris biometrics are just as susceptible to attacks as any other biometric modality, without reporting both sides of the issue.

We hope that you will take the time to educate yourself on the entire issue so you can formulate your own intelligent opinion when presented with all of the facts. Please share your thoughts with us on where you stand on the issue and why in the comments section below.

Iris Recognition vs. Retina Scanning – What are the Differences?

In biometrics, iris and retinal scanning are known as “ocular-based” identification technologies, meaning they rely on unique physiological characteristics of the eye to identify an individual. Even though they both share part of the eye for identification purposes, these biometric modalities are quite different in how they work. Let’s take a closer look at both and then explain the similarities and differences in detail:

In biometrics, are iris recognition and retinal scanning the same thing and does the technology work the same way?

The Retina

Retinal Scanning: The human retina is a thin tissue composed of neural cells that is located in the posterior portion of the eye. Because of the complex structure of the capillaries that supply the retina with blood, each person’s retina is unique. The network of blood vessels in the retina is so complex that even identical twins do not share a similar pattern.

Although retinal patterns may be altered in cases of diabetes, glaucoma or retinal degenerative disorders, the retina typically remains unchanged from birth until death.

A biometric identifier known as a retinal scan is used to map the unique patterns of a person’s retina. The blood vessels within the retina absorb light more readily than the surrounding tissue and are easily identified with appropriate lighting. A retinal scan is performed by casting an unperceived beam of low-energy infrared light into a person’s eye as they look through the scanner’s eyepiece. This beam of light traces a standardized path on the retina. Because retinal blood vessels are more absorbent of this light than the rest of the eye, the amount of reflection varies during the scan. The pattern of variations is converted to computer code and stored in a database. Retinal scanning also has medical applications. Communicable illnesses such as AIDS, syphilis, malaria, chicken pox as well as hereditary diseases like leukemia, lymphoma, and sickle cell anemia impact the eyes. Pregnancy also affects the eyes. Likewise, indications of chronic health conditions such as congestive heart failure, atherosclerosis, and cholesterol issues first appear in the eyes.

What is iris scan? Iris recognition and retinal scanning are two different biometric identification technologies

The Iris

Iris Scanning: The iris (plural: irides or irises) is a thin, circular structure in the eye, responsible for controlling the diameter and size of the pupils and thus the amount of light reaching the retina. “Eye color” is the color of the iris, which can be green, blue, or brown. In some cases it can be hazel (a combination of light brown, green and gold), grey, violet, or even pink. In response to the amount of light entering the eye, muscles attached to the iris expand or contract the aperture at the center of the iris, known as the pupil. The larger the pupil, the more light can enter. Iris recognition is an automated method of biometric identification that uses mathematical pattern-recognition techniques on video images of the irides of an individual’s eyes, whose complex random patterns are unique and can be seen from some distance.

Unlike retina scanning, iris recognition uses camera technology with subtle infrared illumination to acquire images of the detail-rich, intricate structures of the iris. Digital templates encoded from these patterns by mathematical and statistical algorithms allow unambiguous positive identification of an individual. Databases of enrolled templates are searched by matcher engines at speeds measured in the millions of templates per second per (single-core) CPU, and with infinitesimally small False Match rates. Hundreds of millions of persons in countries around the world have been enrolled in iris recognition systems, for convenience purposes such as passport-free automated border-crossings, and some national ID systems based on this technology are being deployed. A key advantage of iris recognition, besides its speed of matching and its extreme resistance to False Matches, is the stability of the iris as an internal, protected, yet externally visible organ of the eye.

Similarities and Differences: While both iris and retina scanning are ocular based biometric technologies, there are distinct similarities and differences that differentiate the two modalities. Iris Recognition uses a camera, which is similar to any digital camera, to capture an image of the Iris. The Iris is the colored ring around the pupil of the eye and is the only internal organ visible from outside the body. This allows for a non-intrusive method of capturing an image since you can simply take a picture of the iris from a distance of 3 to 10 inches away.

Retinal Scanning requires a very close encounter with a scanning device that sends a beam of light deep inside the eye to capture an image of the Retina. Since the Retina is located on the back of the eye, retinal scanning was not widely accepted due to the intrusive process required to capture an image.

Here is an overview of some similarities and differences between the two modalities:

Similarities:

  • Low occurrence of false positives
  • Extremely low (almost 0%) false negative rates
  • Highly reliable because no two people have the same iris or retinal pattern
  • Speedy results: Identity of the subject is verified very quickly
  • The capillaries in the iris and retina decompose too rapidly to use an amputated eye to gain access


Differences:

  • Retinal scan measurement accuracy can be affected by disease; iris fine texture remains remarkably stable
  • An iris scan is no different than taking a normal photograph of a person and can be performed at a distance; for retinal scanning the eye must be brought very close to an eyepiece (like looking into a microscope)
  • Iris scanning is more widely accepted as a commercial modality than retinal scanning
  • Retinal scanning is considered to be invasive, iris is not

 

Chart: Iris vs. Retinal Scanning: What are the similarities and differences?

Category | Biometric Modality: Iris | Biometric Modality: Retina
Extremely fast and reliable search results | x | x
Uses safe, low energy-infrared light for scanning (same as what is used in TV remote controls) | |
Uses a digital camera to capture the image | | x
Has absolutely no negative impact on human health | x |
Ability to save biometric images for auditing purposes | x | x
Ideal for large databases | x | x
Completely contactless | x | x
Measurement accuracy affected by disease | | x
Requires close proximity to camera for successful scan | | x
Works with all ages – no patient re-enrollment required | x | x

Avoiding Patient Identification Problems with Biometrics

Using biometrics to identify unconscious patients or those with Alzheimers or dementia

Photo courtesy of elefanterosado

Two stories in the news caught our eye over the past week where hospitals appealed for the public’s help to identify patients who were admitted under different circumstances. Occasionally, a person will enter a hospital or medical center without any patient identification and due to their medical condition (unconsciousness, dementia, Alzheimer’s, etc.) the facility is unable to determine their identity.

The first case happened when officials and police in Shreveport, LA asked for the public’s help to identify the victim of an automobile accident when the unidentified patient was brought to the hospital without an ID. The only information that police and hospital officials had to go on was a possible first name and a theory on where the victim was from.

The second case comes from Los Angeles, CA where a man was brought to Memorial Medical Center by ambulance without any documentation or evidence of his identity. The article did not elaborate on why there was a problem identifying the patient since he appeared to be conscious but perhaps he was unable to speak or may have been suffering from Alzheimer’s or another type of dementia.

Both of these cases demonstrate the periodic problems that hospitals and medical centers can experience when attempting to positively identify a patient in the absence of a relative or friend or any type of insurance card or picture ID. To circumvent these types of problems in the future, healthcare facilities can deploy biometric patient identification to ID any patients who may have an existing medical record linked with a biometric template. If the patient arrives without the ability to confirm their identity, the healthcare facility can take a picture of their iris or scan their palm and quickly scan the master patient index (MPI) to determine if they have visited in the past.

In times of emergency (especially if someone arrives without the ability to identify themselves) a patient may have a special medical condition that would affect the care they receive and could die if a proper identification tool did not exist. Biometric patient ID can help to quickly identify that patient if their information has previously been established and is on file. Just another example of how biometric patient identification is a great fit for healthcare.

M2SYS CEO @themizan to Speak at 2012 Biometrics Summit in Miami

M2SYS CEO will be speaking about public safety and biometrics at the 2012 Biometrics Summit in Miami

M2SYS CEO to Speak at 2012 Biometrics Summit

Where: Miami Hilton Downtown, Miami, FL

When: February 27 – March 1, 2012

M2SYS Informational Session: Day two,  02/29/12, 3:25pm

M2SYS CEO Mizan Rahman will be speaking next week at the 2012 Biometrics Summit in Miami, FL. Mizan will be joined by James Rokosky from our partners at DSI-ITI, LLC to discuss using multi-modal biometrics to enhance the public safety sector by securing the identification and tracking of inmates and visitors.

Due to increasing crime rates, correctional facilities are finding it difficult to securely manage the ever-growing number of identification records for prisoners and visitors. Proper identification of inmates prior to release is critical to public safety, and often times, over-populated and under-staffed jails may release unauthorized inmates due to human error or to inmates swapping ID bracelets with other inmates. Multi-modal biometric identification solutions provide a fail-safe way to properly manage correctional facilities. By using biometric identification at key areas throughout a detention center, the management system can track inmate and visitor movements throughout the day. Inmate and visitor whereabouts can be determined at any time, which increases accountability and in turn, increases overall jail security and safety.

Sharing experiences of how biometrics has evolved in the public safety sector, this session will focus on the functionality and advantages of using multi-modal biometric identification in detention centers for inmate and visitor management, including:

  • How to deploy biometric identification for prisoner and visitor identification within a facility
  • Why liabilities inherent with identity management in the public safety sector are virtually eliminated with biometric identification
  • Using accurate and efficient multi-modal biometric technology to track and control visitor registration and inmate intake, release, medicine dispersal and location

If you are in Miami for the conference, please drop in to hear Mizan speak. Hope to see you there!

Is that the Right Patient?

Today, we welcome a guest post from Iatric Systems.

 

Meaningful Use brings increased utilization of electronic records, providing instant access to patients’ medical information – which is a great thing. It also brings the heightened chance for error in patient identification and the subsequent disaster that creates. The ability to select the correct patient and verify their identity based on their prior visit medical record demographics from the health information system becomes more important than ever before. Misidentification at the point of entry creates major problems throughout the life of the patient’s account.  First and foremost is the contamination of the patient’s medical chart and the impact incorrect medical information could present to the patient. We could contend that cleaning up incorrect patient information was in some ways easier when everything was paper-based compared to what it will be with electronic records.

The HIPAA impact of sharing the incorrectly selected patient’s information with the wrong patient or patient’s family also looms on the horizon. What if the patient who the record really belongs to shows up for care during this event? If the error goes unnoticed, the backend ramifications include billing the wrong insurance company and incorrect data going out to multiple places resulting in more work to correct the error and rebill the correct payer. If the patient finds out you selected the wrong patient for their care episode, how does that impact their perception of the hospital and level of competent care they can expect?

Many factors impact the incorrect selection of a patient, including the HIS system, staff carelessness or patients providing incorrect information during the admitting process. A common error is the patient changing their last name since the last visit, thus creating a new MPI number that does not include the patient’s vital past medical history.

Another area of concern is medical identity theft. Over 14 million people have become victims of identity theft this year alone. Medical identity theft is the fastest growing aspect of identity theft. What ramifications can you expect if your hospital provides care to a patient who used a stolen medical identity for treatment? Both a contaminated medical record that may impact the care of both patients and a financial loss when the payor denies payment may result.

Never before has selecting the correct patient at registration been more important. Our current method of asking for a driver’s license to verify identity is no longer a guarantee. Hospitals need to look at new methods to make sure that the patient is correct. Biometrics is one possibility that I have felt is an effective solution for years. Patients, for the most part, show up in the hospital with a finger, palm or iris that could be used to validate the patient’s identity. Patients that arrive unconscious pose another level of concern.

What better community service could a hospital provide than assuring their patients that their identity will be protected by installing biometric technology? Biometric technology could also assist with the Red Flag regulation. Providing patients an easy way to establish identity by hosting health fairs to register their biometric identity in advance of care is both a community service and improves each patient’s medical safety.

Iatric Systems

Kay Jackson

Kay Jackson is Manager of Software Certification, Compliance and Financial at Iatric Systems. Iatric Systems provides solutions for Meaningful Use including a Meaningful Use Manager Dashboard, Public Health Interfaces, Patient Portal, CPOE, Patient Discharge instructions and Clinical Document Exchange.

You can follow Iatric Systems on Twitter: @IatricSystems
You can also find them on LinkedIn