Assessing the damage related to fingerprints in hacked government database

How Much Damage Can OPM Hackers Do With a Million Fingerprints? (Nextgov)

Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood’s panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn’t even know yet specifically which personnel have had their prints compromised.

The linked article is really good in that it spends a great deal of analysis of the unknowns, and there are many.

While a collection of images of the fingerprints of US government employees — if that is an accurate description of that was taken — certainly has its uses, not all potential uses are equal or equally likely.

In terms of identity fraud, the 1.1 million government employees who had their fingerprints stolen may not be a whole lot worse off than the 20 million or so other government employees who had their personal information stolen minus the fingerprints, though that is cold comfort indeed to the victims. If the individuals whose information was stolen are given the precise details of the personal information that is now “out there” they will be able to make informed decisions about how they wish to manage their affairs going forward. That includes how they might interact with biometric ID management technologies in the future both in and outside of government applications.

The intelligence value of the fingerprints of government employees is different story. With time, money, and pictures of a million fingerprints, it is possible to build a fingerprint watch-list. Probably, not all of the pictures of fingerprints will be of a high enough quality to be enrolled in an automated system today but more time and more money could help. From there, the new watch-list could be accessed by a new or existing biometric ID technology deployment such as a checkpoint serving whatever purposes its owner has for it.

There is probably a lot the government still doesn’t know about what was stolen, and even more that hasn’t been shared with the public and more importantly with the individuals whose information has been compromised. It will also take some time for the stolen information to be put to use. The Office of Personnel Management has a lot of work ahead of it.

Not a bug, but a feature

Massive errors mar Aadhaar enrolment (Times of India)

The enrolment process for Aadhaar in Odisha is dogged by massive rejection of data due to errors. According to the directorate of census operations here, enrolled biometric data of 40 lakh people stand rejected by the Unique Identification Authority of India (UIDAI), the Aadhaar body, as on June 15.

Some facts:
Odisha is a state in eastern India. The wiki has its population at 43.73 million as of 2014.
1 lakh = 100,000
1 crore = 10,000,000
All numbers not quoted from the article are in more familiar units.

The article goes on to say a lot about the numbers. 31,700,000 out of 38,400,000 people (82%) of the eligible population have been registered successfully.

The 4 million rejected applications are divided as follows.

2 million were rejected because they were submitted by operators who have been barred from submitting applications. UID works by outsourcing enrollment to private operators who are then paid by the government for accepted applications. Operators who have submitted too many error-riddled or fraudulent applications have been banned from the market.

1 million have been rejected for being duplicate applications, as is proper.

That leaves 1 million true “errors,” or failed enrollments that are potentially valid and are described as those submitted on behalf of “very old people and children (between five to 10 years), whose finger prints and iris scans were not registered properly.” Now, it may turn out that some of these failed enrollments are duplicate applications as well and it will probably turn out that many (if not most) of these people can be enrolled on a second pass where extra care is taken during the enrollment process. Nevertheless describing 1 million failed enrollments out of 32.7 million presumably legitimate applications as “massive errors” seems uncharitable.

Also, UID contains a “Biometric Exception Clause” which allows for creating UID numbers for people whose biometrics cannot be enrolled. As of May 2015, across India, around 618,000 (0.07%) of UID numbers have been issued with biometric exceptions.

Massachusetts contemplating biometrics to curb welfare fraud

Bill proposes Mass. study implementation of fingerprinting, biometrics to reduce welfare fraud (MassLive)

Under the provision, the Department of Transitional Assistance and the Office of Health and Human Services would be required to study the feasibility of using biometrics – which includes fingerprints – to reduce fraud in public benefit programs.

The language, part of a $15.4 million amendment assembled by the House Committee on Ways and Means, cleared the House on a 158-0 vote Tuesday afternoon.

New York City actually implemented a system like this a few years back. It worked, too. Mayor Bloomberg liked it. Governor Cuomo didn’t. Survey data at the time indicated that a majority (53%) of Americans favored such an approach.

See:
New York City: Fingerprints for Auditing Food Stamps (October, 2011)
Governor Proposes to Prevent New York City From Using Biometrics To Stem Welfare Fraud (May, 2012)

US GAO: To reduce fraud, MediCare smatrcards need biometrics

Smart cards would do little to curtail Medicare fraud: GAO (McKnight’s)

…[K]ey [smartcard] benefits, including the ability to electronically exchange beneficiary medical information and electronically convey beneficiary identity and insurance information to providers, would do little or nothing to deter fraud, experts said.

Adding certain layers of protection to smart cards like biometric biometric information or a picture ID could help to deter fraud, the GAO said.

Note: GAO = Government Accountability Office

News you can use

Florida man, initially thought dead, arrested after facial recognition match (Ars Technica)

A Florida businessman accused of falsifying his death overseas was located and then arrested by federal authorities after facial recognition software returned a match to his face in passport records. Jose Salvador Lantigua now faces one federal count of providing a false statement on a passport application.

Though never easy, it’s getting harder to fake your own death.

“Get me some biometrics, stat!”

How biometrics could improve health security (Fortune)

For the last two years, the health industry suffered the highest number of hackings of any sector. Last year, it accounted for 43% of all data breaches, according to the Identity Theft Resource Center. To help prevent these costly issues, medical companies have begun adopting an array of biometrics security systems that use data from a patient’s fingerprint, iris, veins, or face.

There really isn’t an identity management challenge that health care doesn’t have.

India: Biometrics for pensioner proof of life

PM Modi launches digital life certificate ‘Jeevan Pramaan’ for pensioners (Yahoo)

The proposed digital certification will do away with the requirement of a pensioner having to submit a physical ‘life certificate’ in November each year, in order to ensure continuity of pension being credited into his account. The Department of Electronics and IT has developed a software application which will enable the recording of the pensioner’s Aadhar number and biometric details from his mobile device or computer, by plugging in a biometric reading device.

The earlier requirement entailed that a pensioner either personally presents himself before the Pension Disbursing Agency, or submits a Life Certificate issued by authorities specified by the Central Pension Accounting Office (CPAO).

This application sounds like a real benefit to everyone. The pension can be more assured that it isn’t making payments to the deceased and pensioners and/or their care-givers save a trip to the “prove you’re alive” office.

More Brazilian rubber-fingered ghosts

This time it’s the port of Paranaguá (Portuguese – Folha de S. Paulo)

A Federal Police (PF) operation Monday at the port of Paranaguá found “silicone fingers” that were used by employees to forge their attendance and receive credit for days not worked.

The 25 “fingers” were tailor-made, reproducing the fingers of 14 employees. They were stored in desks at the port, labeled with the name of each worker. Even a tray (ed. mold?) was found.

Each of the workers have worked there for at least eight years, according to PF.

Federal Police are investigating whether there are other people involved in the fraud.*

According to their site, the port at Paranaguá is the largest bulk port in latin America.

Paranaguá port                                                                                                                 ©Digital Globe & Microsoft Corporation

See Brazilian ghost doctors have rubber fingers for a more in-depth analysis of why forcing time-and-attendance fraud into the realm of rubber fingers is actually a good thing.

Long story short, every person who participated in creating a facsimile of their fingerprint has also had to create a lot of evidence that they participated in a conspiracy to defraud their employer.

The fraud kit in this most recent case can be seen at the Folha link.

*Translation from Google & Bing translation services with an assist by me. For now, robots still have a hard time with Brazilian Portuguese. I sympathize.

INDIA: Six people impersonated for 87 students on admittance tests (PaGaLGuY)

In a press conference held today at the NMIMS Mumbai campus, vice-chancellor Dr Rajan Saxena said that the school had filed an FIR about the impersonation on April 24, 2013. When asked if checks and balances could have been stronger during the NMAT stage itself to flag such impersonation he said, “In hindsight, it could have been but it is only because of the quality of the admission process that this has been detected.” Asked if the test would be made more secure next year he replied, “It would be difficult to say now. We will look at it.” Unlike the Common Admissions Test (CAT) and the Graduate Management Admission Test (GMAT), the NMAT does not employ biometric scanning measures such as fingerprint or palm-vein profiling, used to prevent impersonation, during the test check-in process. Despite arguably weaker security measures, the NMAT costs Rs 1,650, higher than the CAT which costs Rs 1,600.

More expensive and less exact is a tough value proposition for a testing service to maintain unless, you know, the target customer is one who will pay more for less exactitude. That doesn’t mean the universities have to go along with it, though.