Identity theft is not a new concept. The term was first coined in 1964 and is typically used to describe the deliberate use of someone else’s identity for personal gain.
Identity theft typically involves the use of another person’s identifying information such as their name, identification documents/number or credit card without their knowledge or permission.
Whilst identity theft has been around since the early 1960s, the growth in data stored online over the past decade has led to a huge leap in the amount of identity theft worldwide. The Identity Theft Resource Center (ITRC) predicts that identity theft protection services will primarily focus on data breaches, data abuse and data privacy as we move into 2020.
According to a 2019 report on Newsroom, 133,000 New Zealanders are hit by identity theft each year. Globally, this number is around 3m per year with data breaches also on the rise.
Obtaining Personally Identifiable Information (PII) via hacking is now so commonplace that even Fortune 500 companies have begun using the defence that it happens to everyone and is impossible to stop. Prevention still matters, but the practical consequence is that organisations must assume breach: what is stored should be designed so that, if it is lost, it cannot be used, or has no value, outside the system it was taken from.
How biometrics is changing the playing field
One of the potential game-changers in the world of identity theft is biometrics. Biometrics is a technical term for body measurements and calculations and refers to metrics related to human characteristics. Biometrics is used in computer science as a form of identification and access control.
There are many strands of biometrics – facial recognition, iris recognition, fingerprint and palm recognition, finger vein recognition, voice recognition and inner ear acoustic recognition.
Many people think that when a biometric such as your face template is collected and stored, it is the photo or facial scan itself that is stored, and that it could then be compromised in a later hack. That is not how it works.
When a face biometric is created or “templated” as it is known in IT-speak, an algorithm creates a mathematical interpretation or representation of the face. This is the face “template”.
The algorithm that creates the template is usually proprietary to the vendor, and the template cannot simply be decoded back into the original photograph: it is a lossy summary of the face, not a compressed copy of the image. It would be a mistake, however, to treat that as a guarantee. Published research on template inversion has shown that, given a stolen unprotected template and access to the feature extractor or matcher (which, for a commercial system, an attacker may buy or steal), an approximate face that the system accepts as a match can be reconstructed. A template should therefore be treated as sensitive personal data in its own right, not as harmless numbers.
Templates produced by one vendor's algorithm cannot be read by another vendor's software, and a template on its own is not something you can type into a login form. But that lack of interoperability is a property of the format, not a security control. Relying on the algorithm staying secret is the "security through obscurity" that security engineering rejects (Kerckhoffs's principle: assume the attacker knows everything except the key). The controls that actually make a stolen template worthless are the ones the biometric standards call for: ISO/IEC 24745 requires stored templates to be irreversible, unlinkable across systems and renewable, which in practice means a cancelable transform keyed by a per-enrolment secret, encrypted storage with the keys held separately (for example in an HSM), and strict access control on the matcher.
When a biometric is collected and stored, the original source (the picture or photo) isn't, or shouldn't be, stored. Once templated, the image isn't needed again. Handled this way, a biometric is harder to exploit than a password or credit card number, both of which are often transmitted or stored in clear text, can be replayed anywhere they are accepted, and can be guessed by brute force attacks that try millions of candidates a second until one works.
That style of attack does not apply to a face template: there is no short secret to enumerate. The trade-off to remember is that a biometric, unlike a password, cannot be changed if it is compromised, which is why revocable, protected templates matter far more than the secrecy of the algorithm.
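As an added illustration (not NEC's algorithm and not code from this article), here is a toy version of the enrol / template / match pipeline in Python, with a keyed cancelable transform standing in for real template protection. The landmark coordinates, the keys, the threshold and all function names are constructed for the example; a real system derives features with a trained model, but the shape of the pipeline is the same.

```python
"""Toy biometric template pipeline: enrol, match, and key-protect a template.

Added illustration for this article, not NEC's algorithm. The "face" is a
constructed list of 2-D landmark coordinates; a real system derives features
with a trained model, but the steps are the same.
"""
import hashlib
import math
import random
from typing import List, Sequence, Tuple

Landmarks = Sequence[Tuple[float, float]]
Template = List[float]

# Constructed sample captures (hypothetical coordinates, not real faces).
PERSON_A_ENROL: Landmarks = [(30, 40), (70, 40), (50, 60), (38, 80), (62, 80), (50, 100)]
PERSON_A_LATER: Landmarks = [(31, 41), (71, 41), (50, 61), (39, 81), (63, 80), (51, 101)]
PERSON_B: Landmarks = [(20, 40), (80, 40), (50, 55), (40, 70), (60, 70), (50, 85)]

MATCH_THRESHOLD = 0.15  # tuned for this toy data; real systems set it from FAR/FRR targets


def extract_template(landmarks: Landmarks) -> Template:
    """Turn a capture into a template: translation- and scale-invariant numbers.

    After this step the capture itself is not needed for matching, which is
    the article's point. The template is still a lossy function of the face,
    so it has to be protected in its own right.
    """
    cx = sum(x for x, _ in landmarks) / len(landmarks)
    cy = sum(y for _, y in landmarks) / len(landmarks)
    flat = [c for x, y in landmarks for c in (x - cx, y - cy)]
    norm = math.sqrt(sum(c * c for c in flat))
    return [c / norm for c in flat]


def distance(t1: Template, t2: Template) -> float:
    """Euclidean distance between unit-length templates (0 = identical)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(t1, t2)))


def matches(t1: Template, t2: Template) -> bool:
    return distance(t1, t2) < MATCH_THRESHOLD


def protect(template: Template, key: bytes) -> Template:
    """Cancelable transform: a key-derived permutation plus sign flips.

    The transform is orthogonal, so distances between templates protected
    under the SAME key are unchanged and matching still works. A template
    protected under one key is not comparable with one protected under
    another, so a leaked template is revoked by re-enrolling the user under a
    fresh key. The key, not a secret algorithm, carries the security.
    (Toy scheme: a real deployment uses a standardised template-protection
    scheme and keeps the key in an HSM/KMS.)
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    order = list(range(len(template)))
    rng.shuffle(order)
    signs = [rng.choice((-1.0, 1.0)) for _ in template]
    return [s * template[i] for s, i in zip(signs, order)]


def demo() -> dict:
    enrolled = extract_template(PERSON_A_ENROL)
    later = extract_template(PERSON_A_LATER)
    other = extract_template(PERSON_B)
    key_v1 = b"per-user enrolment key v1"  # hypothetical; normally from an HSM/KMS
    key_v2 = b"per-user enrolment key v2"  # issued when the v1 template is treated as leaked
    return {
        "same_person_raw": distance(enrolled, later),
        "other_person_raw": distance(enrolled, other),
        "same_person_protected": distance(protect(enrolled, key_v1), protect(later, key_v1)),
        "stolen_v1_vs_new_v2": distance(protect(enrolled, key_v1), protect(later, key_v2)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24s} distance={d:.3f} match={d < MATCH_THRESHOLD}")
```

Run it and the same person's two captures match, the other person does not, and the protected templates under one key give exactly the same distance as the raw ones. The stolen v1 template compared against a v2 enrolment scores like a stranger for almost every key pair, which is what "revoking" a biometric template means in practice.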
In some deployments NEC goes further still by splitting stored information across multiple, geographically separated systems. An attacker then has to compromise every one of the distributed systems and piece the data back together before they even have the template. A herculean task.
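The distribution idea above can be made literal with n-of-n secret splitting, shown here as an added Python illustration (not NEC's code; NEC's actual deployment details are not published on this page). The site names and the serialised template are constructed for the example.

```python
"""Splitting a stored template across independent systems (n-of-n XOR shares).

Added illustration of the distribution idea described above; it is not NEC's
code. Each share is uniformly random on its own, so an attacker who
compromises n-1 of the stores learns nothing about the template: all n must
be breached and recombined.
"""
import secrets
from typing import Callable, Dict, List


def split(secret: bytes, n: int,
          rand: Callable[[int], bytes] = secrets.token_bytes) -> List[bytes]:
    """Return n shares whose XOR is `secret`.

    `rand` is injectable so tests can be deterministic; production code keeps
    the default CSPRNG. Every share except the last is pure random noise, and
    the last is the secret masked by all of them, so it is noise too.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [rand(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return shares


def recover(shares: List[bytes]) -> bytes:
    """XOR the shares back together.

    With all n shares this is the secret; with fewer, the result is a value
    statistically independent of the secret, however many bytes it has.
    """
    out = bytes(len(shares[0]))
    for s in shares:
        if len(s) != len(out):
            raise ValueError("shares must all be the same length")
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def distribute(template: bytes, stores: List[str]) -> Dict[str, bytes]:
    """Hypothetical deployment: one share per store (e.g. per region or site)."""
    return dict(zip(stores, split(template, len(stores))))


if __name__ == "__main__":
    template = bytes(range(1, 33))                 # constructed stand-in for a serialised template
    stores = ["akl-dc", "wlg-dc", "syd-dc"]        # hypothetical site names
    placed = distribute(template, stores)
    partial = recover([placed["akl-dc"], placed["wlg-dc"]])
    full = recover(list(placed.values()))
    print("two of three sites recover the template?", partial == template)
    print("all three sites recover the template?  ", full == template)
```

The cost of n-of-n is availability: lose any one store and the template is gone, so deployments that need resilience use a k-of-n scheme such as Shamir's secret sharing, where any k shares suffice and k-1 still reveal nothing.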
Collecting and storing biometric data
Here in New Zealand, we have very strict guidelines on the collection and storage of biometric data and laws that protect the public against the unlawful collection or use of such data.
In the first instance, you need to have a lawful reason to collect any biometric data and that collection is appropriate for that purpose. The collection of biometric data needs to be done transparently and with the individual’s knowledge and understanding of why you are collecting the data and what you will do with it. If the user doesn’t wish to provide a biometric, an alternative pathway should exist for them to obtain your service.
Once you have collected any biometric data, you also have a further range of obligations under the Privacy Act relating to the security, accuracy, retention and disclosure of that data. For example, you must only use the data for the stated purpose (you can’t “repurpose” the data for another function), you can only collect the data you need (so not a date of birth if it isn’t needed) and once the biometric has served its purpose, you should delete it.
The laws and ethics of such use are incredibly important for creating a trusted partnership and relationship with your customers and users. Transparency and integrity are key.
Protecting your identity
Whilst it is the responsibility of organisations collecting your private data to securely store that information, there are of course steps you can take to protect yourself, on and offline.
Just as you wouldn’t hand over your credit card so someone can take a photocopy, you also need to protect other important identification documents in the same way.
How many times have you been asked to hand over your driver's licence or passport to identify yourself? In many overseas countries, and even here in NZ, organisations insist on taking a copy of your passport to verify who you are. This leaves you open to many types of identity theft and is something to be extremely wary of: a copy of a passport carries your name, date of birth, document number and photograph, everything an impostor needs. Provide only the information required to assert that "you are you". And if you can do so in person, by physically showing a document rather than sending a scan of it over the internet, that is much safer.
Don't confuse scanning and emailing your driver's licence with providing or creating a biometric. They are two different things. A picture of your licence or passport on file is far less secure than a facial template on file: the scan is the credential itself, reusable by anyone who obtains it with no special software needed to read it, whereas a template is only useful to someone who can also get it in front of a matching system, and it carries none of the other identifying details printed on the document.
Even here in New Zealand, there are numerous situations where you might be asked for a copy of your passport, or to scan a copy and email it to someone. For example, a profession like real estate is subject to anti-money laundering regulations that compel the agency to prove you are who you say you are.
This often turns into the agency asking you for a scan of your passport and/or birth certificate and/or driver's licence. But those scans end up on their IT system, which may be hosted anywhere and may enjoy little security protection. Instead, showing up in person holding your passport so they can verify "you are you" satisfies the need for proof and doesn't involve them collecting or storing your valuable passport scan on an often unprotected IT system.
This sort of uninformed request for scans can leave you wide open to identity theft as you have no idea how your information is going to be stored at the other end, who has access and how it is protected. Don’t do it if you can avoid it. To contradict the Borg in Star Trek, “Resistance isn’t futile”!
How NEC is helping to tackle Identity Theft
NEC biometrics are designed to be safe, and a properly handled template is, in the ways described above, safer than a password or credit card number. NEC protects its proprietary algorithms and template formats, and a bare NEC template is useless to anyone without the matching technology; but the protection that matters most is how the template is stored and handled: as sensitive data, under access control and, where deployed, distributed across systems. This layered approach is why agencies such as Law Enforcement, Immigration, Border Patrol, Airlines and others rely on NEC biometric technologies.
And remember, don’t fall into the trap of thinking that pictures or scans of important documents are proper biometrics. They aren’t. They are simple scans or pictures!
Know your rights and don’t provide something just because it is requested. There is often a much better way that is a lot more secure and safe.