Business Environment of Biometrics involved in electronic commerce

Deliverables

The aim was to identify constraints and requirements concerning the use of biometrics for e-commerce, and to formulate recommendations for the European Commission to stimulate the use of biometrics for e-commerce. In this chapter the resulting constraints, requirements and recommendations are given.

Europe is experiencing societal constraints compared to the benchmark (the USA) on:
- The willingness of End-Users to give a personal identifier;
- The acceptance of biometrics in present applications;
- The level of development of e/m-commerce.

The European Commission could stimulate the application of biometrics by requiring the Member States to perform pilots on biometric authentication for e-Government purposes. This will make Users more accustomed to the technology, and at the same time knowledge about actual acceptance can be gathered. The level of development of e-commerce can be enhanced by stimulating the development of better e-business models and by encouraging research on the possibilities for m-commerce. Europe is the best performing benchmarking partner on the legal aspect.

Europe is experiencing business constraints compared to the USA (the benchmark) on:
- The expectations of the User regarding cyber-crime;
- The expectations of the User on the reliability of biometrics;
- The expectations of the User on the compatibility of biometrics with current systems;
- The present User acceptance of biometrics.

Europe is experiencing constraints concerning standards compared to the benchmark (the USA) on:
- The application of generic biometrics standards;
- The development of biometrics standards.

The fact that Europe performs less well on three of the four aspects gives the impression that Europe lags far behind the USA. However, keep in mind that these aspects are interdependent: when the score on one aspect is lower, the scores on the other aspects are likely to be lower as well. Still, the USA is the overall best performer.
A detailed enrolment procedure is presented, followed by a UML diagram. The procedure describes how the user can safely enrol with a TTP and store his private keys and biometric templates on a smart card. It specifies that key-pair and biometric-template generation take place during enrolment and that neither is stored in a central database.
The consortium was supported by an advisory committee, called BIOWORK, whose goal was two-fold:
- Firstly, BIOWORK monitored, reviewed, contributed to and enhanced BEE's findings from a broader point of view;
- Secondly, BIOWORK remains a network of biometric experts.

The BIOWORK event took place on 14 January 2002 in Brussels and was combined with an event organised by the European Commission regarding biometrics. Thirty-one (31) experts were present that day, evaluating deliverable D6.2, which was presented in detail by the consortium. Five case studies were presented, regarding the application of a security model combining biometrics, PKI and smart cards in three promising areas (e-banking, e-health, e-government). The first two case studies concerned the e-banking area, the third the healthcare sector, the fourth e-government, and the last one was a report on a specific e-commerce case. The deliverable was e-mailed to the participants ten days before the meeting, giving them the opportunity to comment on it and express a concrete opinion on the day of the event. A questionnaire was also developed and submitted to the experts, giving the consortium the opportunity to steer the conversation towards specific matters of discussion. The experts were asked to provide feedback within the next 15 days. We collected this feedback, processed and discussed it, made all necessary modifications to each of the case studies and improved the marketing and business strategies deliverable. These improvements are described in the appendix of deliverable D6.2. The experts were contacted and informed about the final version of the deliverable, as promised.
We provided an overview of the various biometric technologies, categorised into physiological and behavioural techniques. The basic principles of identification, the description of each architecture, and the benefits and drawbacks were provided, giving a first idea of the level that biometrics has reached today. The presentation of each technique concluded with a reference to the areas where it is most applicable. We presented the access control and authentication requirements of e/m-commerce applications and assessed biometrics in terms of the defined requirements, dealing with specific e-commerce applications in which biometrics can be applied. The advantages of e/m-commerce were identified, while highlighting the risks and threats that have to be assessed in order to make transactions more trusted. Techniques for enhancing trust in e/m-commerce were spelled out, followed by an analysis of e-commerce security requirements and the role of biometrics in this field. We described how biometrics could enhance Public Key Infrastructures (PKI) and smart cards, by presenting their architecture and identifying the need for an extra level of security. We provided detailed information on PKI in order to make clear the need for biometrics in this area. Smart card types were presented and associated with PKI and biometrics, proposing a security model for handling keys for access to private information. We presented cost as a parameter in the broad adoption of biometrics by e-commerce and m-commerce, and as a parameter for comparing biometric implementations that use different methods and operate in various business environments. A cost model that is ideal for the biometrics field was presented, together with financial information about the biometric industry.
We provided information about legal, societal, business and standardisation issues, presenting their current status and giving a full picture of the needs that have to be satisfied in order for biometrics to be successfully adopted by e-commerce and m-commerce. Our main concerns were legislative shortfalls that have to be addressed in order to welcome biometrics and protect citizens from abuse of their rights, societal issues that have to be considered in order to protect privacy, and business matters that reflect the financial status of the biometric industry. Information about the basics of standards and the standardisation efforts of the last decade was supplied. We covered the technological and manufacturing aspects of biometrics by going deeper into biometric systems architecture, by classifying these systems and by presenting criteria and testing methods for evaluating them. A generic biometric system was presented, with examples to make the technological issues easier to understand. Having examined all these issues concerning the biometric industry, we were driven to some clear conclusions. Biometric technologies have reached a good level of performance and are ready to provide an extra level of security in e-commerce when combined with existing technologies such as PKI and smart cards. The biometric market is growing every year, making the prospect of worldwide market connectivity clearly visible. The fingerprint market leads today and is expected to push even further ahead in the years to come. Fingerprint verification combines high performance, medium acceptability and low cost, characteristics that make this technique the leader of biometrics today. Hand and face recognition come second and third, respectively, in the biometric market's revenue. These three techniques are the most applied and the most supported by biometric companies.
The most significant points achieved through BEE were:

Identifying the most significant issues that impede the widespread use of biometric technology. These are:
- Performance;
- Standardisation;
- Scalability;
- Responsibility;
- Interoperability;
- Usability;
- Liability.

Suggesting solutions that, if followed, will lift the above roadblocks and provide the foundation for widespread acceptance of biometric technology:
- Promote open systems;
- Use benchmark data sets;
- Promote public awareness of biometrics;
- Improve performance and conduct research in pattern matching;
- Enforce standards adherence on interfaces;
- Promote device standardisation as a whole.

In summary, there are several players who must cooperate in order to promote biometrics:
- The Governments must implement relevant decisions of appropriate regulatory bodies through the enactment of legislation and inform the people about biometrics;
- The Standardisation Bodies and the manufacturers must cooperate in order to define and disseminate international technological standards on different aspects of biometrics;
- The Trusted Third Parties (TTP), the Certification Authorities (CA) and the Computer Emergency Response Teams (CERT) must use technical and interoperable solutions and promote biometrics awareness.

Only when all three players coordinate with one another, demonstrate the will and provide the resources to reach consensus on the significant issues that need to be resolved, will biometrics reach its full potential and deliver secure, biometrics-based, large-scale systems for all European citizens. As far as privacy is concerned, our recommendation is the formation of a working group that will consolidate the best practices followed by the industry into an accepted standard. Even though privacy policies exist, their application is entirely voluntary: it is left to the good will of the industry to apply them as and when they please.
In contrast, a standard sets a formal framework that ensures practices are followed, certified by a third body. Products will be categorised into different levels regarding the handling of the user's privacy, and the user will be able to judge which product offers comprehensive coverage and protection of the data and is suitable for the particular application. The importance of properly addressing performance issues cannot be overemphasised. Industry should adopt benchmark data sets and report performance on those (so that comparisons between different algorithmic approaches are meaningful), while at the same time working to improve their systems' resilience to simple attacks. In fact, following the example of the standardisation of data sets for speaker verification, standardisation efforts should be expanded to other modalities as well. Of course, independent testing groups should conduct the standardised testing in order to reach impartial conclusions. Ethnicity is another major issue that needs proper and swift action. Since a European-level legal framework for the acquisition, storage and processing of ethnicity-related data has been put in place, it is now up to the working groups and standards-setting bodies to act upon this legislation and work together with the industry to create standards that respect and enforce it. More specifically, it would be necessary to process racial or ethnic data in order to collect statistics and other aggregate information from databases holding biometric information. Our recommendation for this capability is that care must be exercised so that the system is able to perform searches of a statistical nature (e.g. using aggregate functions), but forbids searches that can directly or indirectly be used to deduce the racial or ethnic characteristics of particular people.
This is an assessment of risks of biometric technologies. Its scope is the identification of vulnerabilities of biometric technologies, firstly for extracting a conclusion regarding their security level and secondly for improving them by disseminating their weak points and triggering further research. It also justifies the need for combining biometrics with other technologies, such as smart cards and cryptography for building a concrete security infrastructure, which will exploit the capabilities of biometrics and at the same time minimize their vulnerabilities.
The most promising vertical markets for the implementation of biometrics are Banking, Government and Health Care. In order to be commercially successful, appropriate business development strategies have to be developed. We analysed the different players in the markets (technology providers, terminal/smart card vendors, systems integrators, customers and end users) and their interrelated interests, and presented ways to combine these interests and cooperate for mutual benefit. Biometrics is not a stand-alone security solution. The combination of biometrics, PKI and smart cards is the recommended product mix for all promising markets for biometrics, which are banking, government and health. Biometric technologies can offer a very significant reinforcement of security in PKI-enabled smart cards. PKI, smart cards and biometrics are complementary technologies, and focussed research effort is recommended for combining them. Biometric products cannot be applied and exploited by users unless they are supported by appropriate services. This is because these products consist of several hardware/software components, which are most often inherently complex and which offer a wide spectrum of possible functions/uses depending on their specific configuration. Therefore, related services (for customisation, implementation, deployment, training and operation) must be combined with the products to form what is usually called an "integrated IT solution". The most important role in the provision of these services belongs to the systems integrators. The development and deployment of e-commerce applications, PKI, smart cards and biometric solutions is the object of complex systems integration projects, the success of which relies heavily on the use of proper methodologies and project management standards, as well as on relevant experience.
Additionally, Trusted Third Parties (TTP) / Certificate Authorities (CA) are needed to help users set up and operate PKI, by providing, managing and operating various components of the infrastructure and by undertaking various steps of the relevant user processes. The biometrics market has not yet stabilised, and an objective evaluation of the most promising biometric technology is not feasible. However, based on selected criteria, it was concluded that the primary technology for mass commercialisation in the banking sector is a product mix of a PKI-enabled smart card with fingerprint recognition, whereas promising alternative technologies for this sector are dynamic signature verification and voice recognition. For the governmental sector the primary technology is a product mix of a PKI-enabled smart card with fingerprint recognition, and for health the same product mix with fingerprint or voice recognition. Focusing on markets and understanding the customers' needs is crucial. Awareness efforts are recommended in a very focussed way. Measures are recommended to avoid the project and market risks that may arise from the early adoption of biometrics in the promising areas.
This model aims to describe a concrete security solution able to address the security needs of sensitive e-commerce applications, such as e-banking, e-government and e-health. The model is based on the combination of biometrics, PKI and smart cards. The security needs of electronic transaction environments translate into the provision of the basic security principles: identification, authentication, authorisation, integrity, confidentiality and non-repudiation. A Public Key Infrastructure is one approach to satisfying these needs. Smart cards are tamper-resistant media that are portable and could easily replace existing magnetic stripe, barcode or any other type of card already accepted by the public and widely used. Smart cards include secure memory modules that can guarantee a high level of security if well implemented, and at the same time solve the open privacy issues, since sensitive data (e.g. biometric templates) remain with the owner all the time. Details about smart cards are provided in another part of this deliverable. Smart cards are the safest type of card, but they are not impossible to crack. Encryption is the second layer of security that increases the level of trust in the architecture: an embedded crypto-processor in the card ensures that sensitive data is stored, encrypted and decrypted only inside the card for the comparison procedures. The third ingredient addresses the weakness of a PKI system, which is the authentication procedure for gaining access to the private key. Biometrics add a third factor to authentication, increasing security. A smart card capable of cryptographic functions, with the sensor embedded and a set of procedures, would be the best security solution. The need for a sensor integrated on the card follows from the security requirement that the template never leave the card.

All comparisons (templates from the live measurement against pre-stored templates) should take place inside the card, so that the biometric template is never exposed to the risks of insecure media and communication channels. If the identity of the person is positively verified, the PKI infrastructure is used to convey this authorisation and grant access to a remote system.
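As an added illustration (not code from the BEE deliverable or any of its case studies), the following Go program models the enrolment procedure and the three-ingredient architecture described above: the key pair and the template are generated on the card at enrolment and never exported, the comparison runs inside the card, and only a positive match unlocks the private key to sign a challenge from the remote system, which the relying party verifies using the public key alone. The Template type, the Hamming-distance matcher and its threshold are simplifying assumptions that stand in for a real feature extractor and matching algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/bits"
)

// Template stands in for a biometric template: a bit vector from a hypothetical
// feature extractor. SmartCard keeps the private key and template unexported, so
// only the public key and signatures ever leave the card.
type Template []byte

type SmartCard struct {
	priv      *ecdsa.PrivateKey
	template  Template
	threshold int // max Hamming distance (bits) accepted as a match (assumed)
}

// Enrol generates the key pair and template on the card; neither is stored in a
// central database. Only the public key is handed out (e.g. to the CA/TTP).
func Enrol(sample Template, threshold int) (*SmartCard, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := append(Template(nil), sample...)
	return &SmartCard{priv: priv, template: t, threshold: threshold}, &priv.PublicKey, nil
}

// hamming counts the bits that differ between two equal-length templates.
func hamming(a, b Template) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// VerifyAndSign compares inside the card; only a positive match unlocks signing.
func (c *SmartCard) VerifyAndSign(live Template, challenge []byte) ([]byte, error) {
	if len(live) != len(c.template) || hamming(live, c.template) > c.threshold {
		return nil, errors.New("biometric verification failed: private key stays locked")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// RemoteVerify is the relying party's PKI check: public key and signature only.
func RemoteVerify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

The remote system gains nothing from the biometric data itself: a fresh challenge per session means a captured signature cannot be replayed, and a rejected match leaves the key unusable.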