Unified identity platform.
Originally posted on Instagram: https://www.instagram.com/share/_94gnxtmi
The song is “Unified” by Unified Highway.
This is painful, but it has to be done.
I’ve spent 30 years working with the identities of PEOPLE and ensuring that all PEOPLE accessing a system are properly identified.
In other words, leaving a huge GAPING security hole.
Look at what Okta is doing;
“[N]ew Okta Platform capabilities…help businesses secure AI agents and other non-human identities with the same level of visibility, control, governance, and automation as human ones. The Okta Platform will now bring a unified, end-to-end identity security fabric to organizations for managing and securing all types of identities across their ecosystem, from AI agents to API keys to employees.”
I think that “unified” will take the place of “trust” as the identity buzzword. Thankfully.
If you’re only selling biometrics, or maybe biometrics and ID cards, where will your customers go to get the rest of their systems? Or will you just be a commodity supplier to the companies that provide the REAL systems?
(Unified security AI picture from Imagen 3)
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
Let’s start off with the high level explanation.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
So why should we accept that an IMEI uniquely identifies a phone? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
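Here is what an “IMEI check” of the kind online lookup sites offer can and cannot tell you, as an added example that is not part of the original post and not taken from any of the sources quoted here. The 15 digits split into an 8-digit Type Allocation Code (make/model), a 6-digit serial, and a Luhn check digit, so the check digit can be recomputed. The IMEI values and device labels below are constructed sample data. The point: a cloned IMEI is a perfectly well-formed IMEI, so a format check passes for every copy; only something that sees many devices at once (a fleet inventory, or an operator-side equipment register) can notice the same IMEI turning up twice.

```python
# Added example (not from the original post). IMEIs below are constructed samples.


def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit for the first 14 digits of an IMEI.

    Walk the 14 digits from the right, doubling every other digit starting
    with the rightmost one (the digit just left of the check digit).
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial and check digit, verifying the check digit.

    Raises ValueError for anything that is not a well-formed IMEI. Note that
    "well-formed" is all this proves; it says nothing about uniqueness.
    """
    if not (len(imei) == 15 and imei.isdigit()):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    tac, serial, check = imei[:8], imei[8:14], int(imei[14])
    if luhn_check_digit(imei[:14]) != check:
        raise ValueError("IMEI check digit mismatch")
    return {"tac": tac, "serial": serial, "check": check}


def is_well_formed(imei: str) -> bool:
    """True if the IMEI has the right length, digits and check digit."""
    try:
        parse_imei(imei)
        return True
    except ValueError:
        return False


def find_duplicate_imeis(inventory) -> dict:
    """Return IMEIs reported by more than one device.

    `inventory` is an iterable of (device_label, imei) pairs, e.g. from an
    asset list or a network log. This is the check a single-device lookup
    cannot perform: it needs visibility across devices.
    """
    seen = {}
    for label, imei in inventory:
        seen.setdefault(imei, []).append(label)
    return {imei: labels for imei, labels in seen.items() if len(labels) > 1}


# Constructed inventory: handsets A and B report the same well-formed IMEI
# (a clone); handset C reports an IMEI whose check digit is wrong.
SAMPLE_INVENTORY = [
    ("handset-A", "352099001761481"),
    ("handset-B", "352099001761481"),  # cloned: identical to handset-A
    ("handset-C", "352099001761482"),  # mistyped or forged: fails the check digit
]

if __name__ == "__main__":
    for label, imei in SAMPLE_INVENTORY:
        status = "well-formed" if is_well_formed(imei) else "malformed"
        print(f"{label} {imei} {status}")
    print("duplicates:", find_duplicate_imeis(SAMPLE_INVENTORY))
```

Both clones pass `is_well_formed`; only `find_duplicate_imeis`, which sees the whole inventory, flags them. That is the same asymmetry a buyer faces: an IMEI that “checks out” has only been checked for format and, at best, against a blacklist, not for being the only device carrying it.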
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
But I wouldn’t discuss war plans on such a device.
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Oh, and since I mentioned pocket calculators…excuse me, calcolatrici tascabili (Italian for “pocket calculators”)…
(Part of the biometric product marketing expert series)
OK, here’s another “KYx” acronym courtesy Facephi…Know Your Passenger.
And this is a critical one, and has been critical since…well, about September 11, 2001.
I saw Steve Craig’s reshare of the Facephi press release, which includes the following:
Currently, passengers must verify their identity at multiple checkpoints throughout a single journey, leading to delays and increased congestion at airports. To address this challenge, Facephi has developed technology that enables identity validation before arriving at the airport, reducing wait times and ensuring a seamless and secure travel experience. This innovation has already been successfully tested in collaboration with IATA through a proof of concept conducted last November.
The idea of creating an ecosystem in which identity is known throughout the entire passenger journey is not new to Facephi, of course. I remember that Safran developed a similar concept in the 2010s before it sold off Morpho, MorphoTrust, MorphoTrak, and Morpho Detection. And I’ve previously discussed the SITA-IDEMIA-Indico “Digital Travel Ecosystem.”
But however it’s accomplished, seamless travel benefits everyone…except the terrorists.
So a Bredemarket prospect requested samples of my internal and external sales enablement content, so they could evaluate my writing style.
There were only two problems with the request.
But I provided external samples of what I do anyway: two client short data sheets, three client long data sheets, three Bredemarket data sheets, two client landing pages, one Bredemarket landing page, and two other samples.
So I will share one of the landing pages with you, but not a client one. This is one of mine, for Bredemarket’s identity/biometric prospects.
In my previous blog post about a fingerprint biometric security metal injection attack, I said:
“This metal injection attack isn’t from an Ozzy Osbourne video…”
Well, now there IS an Ozzy Osbourne video about the metal injection attack. The reel is on Instagram.
(Image from LockPickingLawyer YouTube video)
This metal injection attack isn’t from an Ozzy Osbourne video, but from a video made by an expert lock picker in 2019 against a biometric gun safe.
The biometric gun safe is supposed to deny access to a person whose fingerprint biometrics aren’t registered (and who doesn’t have the other two access methods). But as Hackaday explains:
“(T)he back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint.”
Biometric protection is of no use if you can bypass the biometrics.
But was the safe (subsequently withdrawn from Amazon) overpromising? The Firearm Blog asserts that we shouldn’t have expected much.
“To be fair, cheap safes like this really are to keep kids, visitors, etc from accessing your guns. Any determined person will be able to break into these budget priced sheet metal safes….”
But still, the ease of bypassing the biometric protection is deemed “inexcusable.”
So how can you guard against this injection attack? One suggestion that has been offered: only let the new-fingerprint registration control work while the safe is open (meaning an authorized user has presumably already opened it). When the safe is closed, pushing a thin piece of metal through the gap shouldn’t be able to register anything.
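The same design point in code, as an added example that is not from the LockPickingLawyer or Hackaday material and makes no claim about the real safe’s firmware: a toy model of the safe controller whose enrollment button is either honored unconditionally (the vulnerable design) or only while the bolt is already retracted, i.e. after someone the safe already trusted opened it (the hardened design). The hardened controller also records button presses that arrive while closed, which is exactly the signal a tamper log would want. Class names, method names and the fingerprint “templates” are stand-ins invented for illustration.

```python
# Added example (not the safe vendor's firmware). Names and templates are invented.


class BiometricSafe:
    """Toy model of a fingerprint safe with a hidden enrollment button."""

    def __init__(self, gate_enrollment_on_open_door: bool):
        self.gate = gate_enrollment_on_open_door
        self.enrolled = {"owner-print"}   # templates the safe trusts
        self.bolt_retracted = False        # True only after an authorized open
        self.tamper_events = []            # refused presses while closed

    def present_finger(self, template: str) -> bool:
        """Retract the bolt and return True if the template is enrolled."""
        if template in self.enrolled:
            self.bolt_retracted = True
            return True
        return False

    def close_door(self) -> None:
        """Closing the door throws the bolt again."""
        self.bolt_retracted = False

    def press_enroll_button(self, new_template: str) -> bool:
        """The button on the back of the front panel.

        Vulnerable firmware (gate=False): any press enrolls the next finger.
        Hardened firmware (gate=True): a press only counts while the bolt is
        retracted, because that state implies an authorized user is present.
        """
        if self.gate and not self.bolt_retracted:
            self.tamper_events.append(("enroll-press-while-closed", new_template))
            return False
        self.enrolled.add(new_template)
        return True


def metal_shim_attack(safe: BiometricSafe) -> bool:
    """Safe is closed; a shim through the door gap presses the button;
    the attacker then presents their own finger. Returns True if it opens."""
    safe.close_door()
    safe.press_enroll_button("attacker-print")
    return safe.present_finger("attacker-print")


def legitimate_enrollment(safe: BiometricSafe) -> bool:
    """Owner opens the safe, presses the button, enrolls a second user,
    closes the door; the second user then opens it. Returns True if that works."""
    safe.present_finger("owner-print")
    safe.press_enroll_button("spouse-print")
    safe.close_door()
    return safe.present_finger("spouse-print")


if __name__ == "__main__":
    print("vulnerable design, shim attack opens safe:",
          metal_shim_attack(BiometricSafe(gate_enrollment_on_open_door=False)))
    hardened = BiometricSafe(gate_enrollment_on_open_door=True)
    print("hardened design, shim attack opens safe:", metal_shim_attack(hardened))
    print("hardened design, tamper log:", hardened.tamper_events)
    print("hardened design, legitimate enrollment still works:",
          legitimate_enrollment(BiometricSafe(gate_enrollment_on_open_door=True)))
```

The general lesson is not specific to safes: an enrollment or reset path is a privileged operation, and its authorization has to be tied to a state the attacker cannot reach (here, an open door) rather than to a control that is merely hard to reach.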
For other discussions of injection attack detection, see these posts: one, two.
By the way, this is why I believe passwords will never die. If you want a cheap way to lock something, just use a combination. No need to take DNA samples or anything.
Oh, and a disclosure: I used Google Gemini to research this post. Not that it really helped.

(Injection attack syringe image from Imagen 3)
Not too long after I shared my February 7 post on injection attack detection, Biometric Update shared a post of its own, “Veridas introduces new injection attack detection feature for fraud prevention.”
I haven’t mentioned VeriDas much in the Bredemarket blog, but it is one of the 40+ identity firms that are blogging. In Veridas’ case, in English and Spanish.
And of course I referenced VeriDas in my February 7 post when it defined the difference between presentation attack detection and injection attack detection.
Biometric Update played up this difference:
To stay ahead of the curve, Spanish biometrics company Veridas has introduced an advanced injection attack detection capability into its system, to combat the growing threat of synthetic identities and deepfakes….
Veridas says that standard fraud detection only focuses on what it sees or hears – for example, face or voice biometrics. So-called Presentation Attack Detection (PAD) looks for fake images, videos and voices. Deepfake detection searches for the telltale artifacts that give away the work of generative AI.
Neither is monitoring where the feed comes from or whether the device is compromised.
I can revisit the arguments about whether you should get PAD and…IAD?…from the same vendor, or whether you should get best in-class solutions to address each issue separately.
But they need to be addressed.
(Churchill image public domain)
And I thought tongue identification was weird.
Biometric Update reported that the Australian government is evaluating a solution that estimates age by gestures.
At first thought I didn’t get it. Holding two fingers up in the air could be a 1960s peace hand gesture or a 1940s victory hand gesture.
Obviously I needed to give this a second thought. So I went to Needemand’s page for BorderAge. This is what I found.
« L’internaute doit simplement effectuer 3 mouvements de la main et l’avant-bras devant la caméra de son écran (ordinateur, tablette, smartphone). En quelques secondes, il/elle vérifie son âge sans dévoiler son identité. »
Help me, Google Translate; you’re my only hope.
“The Internet user simply has to make 3 movements of the hand and forearm in front of the camera on their screen (computer, tablet, smartphone). In a few seconds, he/she verifies his/her age without revealing his/her identity.”
The method is derived from a 1994 scientific paper entitled “Rapid aimed limb movements: Age differences and practice effects in component submovements.” The abstract of the paper reads as follows:
“Two experiments are reported in which younger and older adults practiced rapid aimed limb movements toward a visible target region. Ss were instructed to make the movements as rapidly and as accurately as possible. Kinematic details of the movements were examined to assess the differences in component submovements between the 2 groups and to identify changes in the movements due to practice. The results revealed that older Ss produced initial ballistic submovements that had the same duration but traveled less far than those of younger Ss. Additionally, older Ss produced corrective secondary submovements that were longer in both duration and distance than those of the younger subjects. With practice, younger Ss modified their submovements, but older Ss did not modify theirs even after extensive practice on the task. The results show that the mechanisms underlying movements of older adults are qualitatively different from those in younger adults.”
So what does this mean? Needemand has a separate BorderAge website—thankfully in English—that illustrates the first part of the user instructions.
I don’t know what happens after that, but the process definitely has an “active liveness” vibe, except instead of proving you’re real, you’re proving you’re old, or old enough.
Now I’m not sure if the original 1994 study results were ever confirmed across worldwide populations. But it wouldn’t be the first scheme that is unproven. Do we KNOW that fingerprints are unique?
Another question I have regards the granularity of the age estimation solution. Depending upon your use case and jurisdiction, you may have to show that your age is 13, 16, 18, 21, or 25. Not sure if BorderAge gets this granular.
But if you want a way to estimate age and preserve anonymity (the solution blocks faces and has too low a resolution to capture friction ridges), BorderAge may fit the bill.
(Injection attack syringe image from Imagen 3)
Having realized that I have never discussed injection attacks on the Bredemarket blog, I decided I should rectify this.
When considering falsifying identity verification or authentication, it’s helpful to see how VeriDas defines two different types of falsification:
- Presentation Attacks: These involve an attacker presenting falsified evidence directly to the capture device’s camera. Examples include using photocopies, screenshots, or other forms of impersonation to deceive the system.
- Injection Attacks: These are more sophisticated, where the attacker introduces false evidence directly into the system without using the camera. This often involves manipulating the data capture or communication channels.
To be honest, most of my personal experience involves presentation attacks, in which the identity verification/authentication system remains secure but the information, um, presented to it is altered in some way. See my posts on Vision Transformer (ViT) Models and NIST IR 8491.

In an injection attack, the identity verification/authentication system itself is compromised. For example, instead of taking its data from the camera, data from some other source is, um, injected so that it looks like it came from the camera.
Incidentally, I should tangentially note that injection attacks greatly differ from scraping attacks, in which content from legitimate blogs is stolen and injected into scummy blogs that merely rip off content from their original writers. Speaking for myself, it is clear that this repurpose is not an honorable practice.
Note that injection attacks don’t only affect identity systems, but can affect ANY computer system. SentinelOne digs into the different types of injection attacks, including manipulation of SQL queries, cross-site scripting (XSS), and other types. Here’s an example from the health world that is pertinent to Bredemarket readers:
In May 2024, Advocate Aurora Health, a healthcare system in Wisconsin and Illinois, reported a data breach exposing the personal information of 3 million patients. The breach was attributed to improper use of Meta Pixel on the websites of the provider. After the breach, Advocate Health was faced with hefty fines and legal battles resulting from the exposure of Protected Health Information(PHI).
Returning to the identity sphere, Mitek Systems highlights a common injection.
Deepfakes utilize AI and machine learning to create lifelike videos of real people saying or doing things they never actually did. By injecting such videos into a system’s feed, fraudsters can mimic the appearance of a legitimate user, thus bypassing facial recognition security measures.
Again, this differs from someone with a mask getting in front of the system’s camera. Injections bypass the system’s camera.
So how do you detect that you aren’t getting data from the camera or capture device that is supposed to be providing it? Many vendors offer tactics to attack the attackers; here’s what ID R&D (part of Mitek Systems) proposes.
These steps include creating a comprehensive attack tree, implementing detectors that cover all the attack vectors, evaluating potential security loopholes, and setting up a continuous improvement process for the attack tree and associated mitigation measures.
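One concrete way to answer the “did this really come from the camera?” question, as an added example that is not ID R&D’s, Mitek’s or Veridas’s code and makes no claim about how any of their products work: the trusted capture component holds a key and tags every frame with an HMAC over a per-session nonce, a monotonic frame counter and the pixel bytes; the verifier rejects any frame that is untagged, tampered with, or replayed. The key, nonce and frame contents below are constructed sample values. Caveat worth stating plainly: this detects injection between the capture component and the verifier (virtual cameras, hooked drivers, replayed captures). If the device itself is compromised and the key leaks, the attacker can tag whatever they like, which is why the separate question of whether the device is compromised still has to be answered by something like device attestation.

```python
# Added example (not vendor code). Key, nonce and frame bytes are constructed samples.
import hashlib
import hmac
import os
import struct

# Key provisioned into the trusted capture component at pairing time (sample value).
DEVICE_KEY = hashlib.sha256(b"sample-device-key").digest()


def frame_tag(key: bytes, nonce: bytes, counter: int, pixels: bytes) -> bytes:
    """HMAC binding a frame to this session (nonce) and its position (counter)."""
    msg = nonce + struct.pack(">Q", counter) + pixels
    return hmac.new(key, msg, hashlib.sha256).digest()


class CaptureDevice:
    """Trusted capture side: the only component that holds the key."""

    def __init__(self, key: bytes, nonce: bytes):
        self.key, self.nonce, self.counter = key, nonce, 0

    def capture(self, pixels: bytes) -> dict:
        self.counter += 1
        return {"counter": self.counter, "pixels": pixels,
                "tag": frame_tag(self.key, self.nonce, self.counter, pixels)}


class Verifier:
    """Verification side: accepts only fresh, untampered frames from the paired device."""

    def __init__(self, key: bytes, nonce: bytes):
        self.key, self.nonce, self.last_counter = key, nonce, 0

    def accept(self, frame: dict) -> tuple:
        expected = frame_tag(self.key, self.nonce,
                             frame.get("counter", 0), frame.get("pixels", b""))
        if not hmac.compare_digest(expected, frame.get("tag", b"")):
            return (False, "bad tag: not produced by the paired capture device")
        if frame["counter"] <= self.last_counter:
            return (False, "stale counter: replayed or reordered frame")
        self.last_counter = frame["counter"]
        return (True, "ok")


def run_demo() -> list:
    """Submit four frames: genuine, injected deepfake, tampered genuine, replayed genuine."""
    nonce = os.urandom(16)                 # per-session challenge issued by the verifier
    cam = CaptureDevice(DEVICE_KEY, nonce)
    verifier = Verifier(DEVICE_KEY, nonce)
    results = []

    genuine = cam.capture(b"live face frame bytes")          # constructed pixels
    results.append(("genuine", verifier.accept(genuine)[0]))

    # Injection: the camera is bypassed and a deepfake frame is pushed into the
    # pipeline. Without the key, the attacker can only guess the tag.
    injected = {"counter": 2, "pixels": b"deepfake frame bytes", "tag": os.urandom(32)}
    results.append(("injected", verifier.accept(injected)[0]))

    # Tampering: a genuine frame intercepted and edited downstream of the camera.
    tampered = dict(genuine, pixels=b"edited frame bytes")
    results.append(("tampered", verifier.accept(tampered)[0]))

    # Replay: the earlier genuine frame resubmitted as if it were new.
    results.append(("replayed", verifier.accept(genuine)[0]))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo():
        print(f"{name:9s} accepted={accepted}")
```

Binding the nonce into the tag is what stops a frame recorded in one session from being replayed in another; the counter handles replay within a session. Neither does anything about a presentation attack, where a mask or printout is in front of a perfectly honest camera, which is why the post treats PAD and injection attack detection as separate problems.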
And as long as I’m on a Mitek kick, here’s Chris Briggs telling Adam Bacia about how injection attacks relate to everything else.
As you can see, the tactics to fight injection attacks are far removed from the more forensic “liveness” procedures such as detecting whether a presented finger is from a living breathing human.
Presentation attack detection can only go so far.
Injection attack detection is also necessary.
So if you’re a company guarding against spoofing, you need someone who can create content, proposals, and analysis that can address both biometric and non-biometric factors.
Learn how Bredemarket can help.
Not that I’m David Horowitz, but I do what I can. As did David Horowitz’s producer when he was threatened with a gun. (A fake gun.)
(February 2026: Independent testing of the capability to withstand injection attacks)