 
|
|
In partnership with:
Published in the November/December 2007 issue How to dodge the red cardFingerprint recognition was vulnerable to manipulation in a trial attempting to block black-listed fans at three Dutch football clubs, found Jurgen den Hartog, formerly of TNO and now at Intrepix, and Ruud van Munster of TNO
Hooliganism is a worldwide phenomenon which has become a major concern over recent decades. In the Netherlands approximately 1500 people are currently banned from soccer stadia. For several years, the Dutch soccer association KNVB has been exploring the technological possibilities to enforce these bans. Early in 2006 KNVB started with preparations for a biometrical trial and it asked TNO, the independent Dutch research organisation, to investigate whether this technology is mature enough for large scale implementation. In January 2007 the trial went live in the stadia of Ajax, Feyenoord and Vitesse football clubs. Biometrical entry to a soccer stadium is far from trivial. A gate should be able to let 1000 visitors pass in only 90 minutes. The time to capture the biometrics is therefore limited to three seconds. Because gates are usually located outdoors, the capture device should operate in all kinds of weather conditions (temperature, light, humidity). The biometric technique has to be very accurate since false recognition of visitors as hooligans will have a negative impact on the visitor flow. Ideally, false accusation should be less than 0.01%, but not more than 0.1%. The chance of missing a hooligans on the other hand, should be 1% or less. Other important requirements are user acceptance, mobile use and affordable hardware, and it should still be possible to recognise people after a period of 10 years. Blacklist scenario A strict prerequisite was that the intended system should work using a blacklist scenario. Upon entry, the biometrics of each visitor are compared against the list of banned hooligans. Most entry scenarios are based on a positive verification, comparing the biometrics of a visitor against one or a few corresponding templates and giving entry based on a known identity. Verification requires the presence of reference data, either on a token or in a database. The verification approach is not an option as it would require a personal, non-transferable soccer card as well as massive enrolment of hundreds of thousands of visitors. Earlier attempts to introduce a personalised soccer card in the Netherlands met objections from both fans and clubs. Other measures such as CCTV surveillance reduced the need for strict personalisation. Only a blacklist scenario was an option. From the start we realised that a blacklist scenario would be a challenge. From a process point of view the blacklist scenario has important advantages but there are two disadvantages too. First, a blacklist scenario requires a one-to-many comparison (“identification”), which is known to be less accurate than the one-to-one comparison with verification. Secondly, there is a greater vulnerability to spoofing (gaining illegal entrance) attacks. Spoofing is more difficult with verification, as you have to take possession of a person’s token, and look like him or her. In a blacklist scenario, it is sufficient that the biometrics captured at the gate differ from the biometrics stored in the database. In general, it is much easier not to look like yourself than look like someone else. For face recognition for example, a contorted face is usually sufficient to stop you looking like yourself. Therefore, the biometric technique has to be resistant against (trivial) manipulation. We considered three proven technologies – face, fingerprint and iris – based on the above criteria. The ‘Biometrics compared’ table (below) shows our performance estimates prior to the trial. A key requirement here is the sensitivity to the outdoor environment. It is well known that face recognition is highly sensitive to facial shadows or highlights. At the time we could not find a system designed for outdoor iris recognition. Fingerprint scanners may also suffer from light variations, but it is easier to shield the sensor. Based on the information in the table, fingerprint recognition was chosen as the biometric for the trial.
++: best, +: good, o: neutral, -: poor, --: very poor Beyond the state of the art After choosing fingerprint recognition, a request for proposal was sent to 12 suppliers. We knew that the combination of all requirements was challenging the current state of the art. For example, error rates of 0.01% false accusation (“false match rate”) and 1% missed hooligans (“false non-match rate”) are not to be expected in the case of 1500 people, each with 10 fingerprints. Several suppliers, however, claimed without restrictions that all requirements were feasible. NEC and HSB were more realistic and explained that high accuracy and high throughput might be conflicting. Based on this response and the good results of NEC software in independent tests, they were selected. A permanent and a mobile system were developed. Both were PC-based and ran the same software using minutiae matching. Due to computational limitations, the database of the mobile system was reduced to index and middle fingers only. The experimental set-up is essential to measure all relevant performance indicators. The main evaluation criteria were accuracy, throughput, robustness against manipulation and user acceptance. We focus here on two indicators of recognition accuracy: the false accusation rate and the missed hooligan rate. To be able to measure both, two groups of test persons are needed: normal supporters and hooligans. For obvious practical reasons, the ‘hooligans’ were recruited from voluntary supporters and staff. The number of normal visitors passing the system varied between 200 and 400 per match. At each club about 40 ‘hooligans’ were enrolled and added to the trial blacklist. To simulate a nationwide system, the blacklist was extended to 1500 people (15 000 fingerprints) using a database from the US National Institute of Standards and Technology (NIST). Given the large number of normal supporters, we were able to measure throughput. User acceptance was determined in short interviews with participating supporters and from manual observation. Robustness against manipulation was tested by some voluntary ‘hooligans’ and in the laboratory. The 6400 fingerprint question The live trial covered 26 soccer matches at three clubs over five months. During the trial about 6400 fingerprints were taken, with 700 of those being on the blacklist. The outdoor conditions were not really representative as we had an unusually dry spring. The temperature was mostly around 10-15ºC. At one stadium, the scanner was often in direct sunlight. Under optimal conditions, a check required 4.5 seconds on average, excluding time to switch between supporters. For this it was necessary to let people pass in case of a proper capture and not wait for the database search outcome. The time to compare the fingerprint with the database was then used to let the next supporter move into place. If two seconds later a hooligan warning was raised, it was still possible to stop the person. This strategy allowed nine people per minute under optimal conditions. In less than optimal conditions however, throughput could drop to five per minute. Finger quality was most important for throughput. In case of low quality (such as dry, wet or hard skin) the scanner may have problems with image capture resulting in a time-out or reject requiring a second attempt. Direct sunlight also proved to be hard for the optical scanner we used. People moving in place for the scanner usually blocked the sun. The sudden difference in lighting caused the scanner to recalibrate resulting in a few seconds delay. Normally, a gate had a throughput of 12 people per minute. Using fingerprint recognition, it should be possible to get this throughput for many gates as well. Since old or female hooligans are quite rare, this could be achieved by testing only the target group of males between 16 and 40 years old. Balancing the rates The false accusation rate and the missed hooligan rate are closely connected. Decrease of one rate will lead to an increase of the other. Depending on the application, a proper balance between both has to be found. For a stadium throughput is very important, while for a nuclear power plant security is dominant. In our trial, false accusation was minimised to 0.1%. This led to a missed hooligans rate of 15% to 20%, a rate we did not anticipate. One of the main causes was the required high throughput rate. It is often not possible to capture a high quality image when little time is available. One example of low image quality is breaking up of the fingerprint ridges resulting in false line endings (false minutiae) which are used for recognition. The importance of enrolment quality was demonstrated when in one stadium quality was set from high to medium to speed up the registration of the ‘hooligans’. The result was an increase in the missed hooligans rate from 20% to 25%. For computational efficiency, the number of minutiae was limited to 30. Analysing the effect of this number led to the observation that using all minutiae could lower the missed hooligan rate to 12% to 15%, however at the cost of a significant increase in computation time. Getting the best of both worlds is possible by using all minutiae on the few doubtful results coming from the normal analysis using 30 minutiae. It is often assumed that people object to fingerprints because of the connotation with criminal investigations. We found however that people in general did not object to fingerprint recognition. At one stadium, most visitors were not aware of the trial. When kindly asked to scan their fingerprint virtually no one objected or asked for the exact purpose. From the interviews it appeared that even people doubting the effectiveness of the trial did not object to have their fingers scanned. It must be remarked that the trial covered family entrances. At entrances with fanatic supporters, more resistance against biometrics is to be expected. Not yourself today We already remarked that it is easier to bypass a blacklist scenario as it is possible to do this by changing the appearance of your own biometrics. In the end, all scanners can probably be tricked but as a general rule, standard optical scanners are easier to fool. Capacitive scanners may be harder to trick but their major disadvantage is a relatively small scan surface. Our early tests with this latter scanner type revealed that people often place the fingerprint core outside the scan area resulting in failure to capture and low throughput. Optical scanners have a bigger surface and a higher throughput, but we found that given the limited time for capture at the gate, the high quality scanner (Lscan 100) we used was not resistant against various attacks. One successful technique was to put liquid transparent glue on the fingertip. By pressing another fingerprint in the drying glue, an optical scanner will capture both glue and the real fingerprint making it impossible to correctly recognise the real fingerprint. After the trial it was clear that a standard optical scanner is not robust against trivial attacks in a blacklist scenario with high throughput demands. We carried out a few additional laboratory experiments with a new spoof-resistant multi-spectral optical scanner (Lumidigm J-series). It appeared from the experiments that it could provide good image quality in very challenging conditions in about a second. Nevertheless, this scanner is designed for verification scenarios. In a blacklist scenario we were able to manipulate it successfully and consistently using glue and slight pressure. The multi-spectral approach however is promising, and we are planning to test the latest version of the scanner. Open to manipulation In the trial, the live system did not meet important requirements on speed, accuracy and robustness against manipulation. This was caused by a combination of the high demands on both accuracy and throughput, the blacklist scenario and limitations of current scanner technology. The latest scanner technology is expected to solve the speed and accuracy issues. Robustness against manipulation however remains a challenge for the moment. We believe that the manipulation issue applies to many blacklist scenarios, such as database comparison in the US-VISIT immigration system, and our results may therefore impact those programmes. This article is based on a presentation given by Jurgen den Hartog (www.intrepix.nl) at the Biometrics 2007 conference in London on 18 October 2007 More from November/December 2007 Take it on board
Comment: Biometrics industry
must challenge government Biometrics articles from Infosecurity
|
|
