Wednesday 19 August 2015

HUMAN BIOMETRIC EVIDENCE IN FORENSIC INVESTIGATION: THE NIGERIA CHALLENGE


HUMAN BIOMETRIC EVIDENCE IN FORENSIC INVESTIGATION, THE CHALLENGES OF NIGERIA
(Richard Mayungbe, PhD, CPFA, Member ACFE Advisory Council)
Introduction:
Biometrics refers to metrics related to human characteristics. Essentially, biometrics is the science and technology of measuring and statistically analyzing human biological data. In information technology, biometrics usually refers to technologies for measuring and analyzing human body characteristics such as:
  • fingerprints,
  • eye retinas and irises,
  • voice patterns,
  • facial patterns, and
  • hand measurements,
especially for authentication purposes.
Authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics and point of sale (POS) applications. In addition to security, the driving force behind biometric verification has been convenience.
Biometric devices, such as finger scanners, consist of:
  • A reader or scanning device
  • Software that converts the scanned information into digital form and compares match points
  • A database that stores the biometric data for comparison
To prevent identity theft, biometric data is usually encrypted when it's gathered. Here's how biometric verification works on the back end: To convert the biometric input, a software application is used to identify specific points of data as match points. The match points in the database are processed using an algorithm that translates that information into a numeric value. The database value is compared with the biometric input the end user has entered into the scanner and authentication is either approved or denied.

Types of Biometrics

DNA Matching

Chemical Biometric: The identification of an individual using the analysis of segments from DNA.

Ear

Visual Biometric: The identification of an individual using the shape of the ear.

Eyes - Iris Recognition

Visual Biometric: The use of the features found in the iris to identify an individual.

Eyes - Retina Recognition

Visual Biometric: The use of patterns of veins in the back of the eye to accomplish recognition.

Face Recognition

Visual Biometric: The analysis of facial features or patterns for the authentication or recognition of an individual’s identity. Most face recognition systems use either eigenfaces or local feature analysis.

Fingerprint Recognition

Visual Biometric: The use of the ridges and valleys (minutiae) found on the surface tips of a human finger to identify an individual.

Finger Geometry Recognition

Visual/Spatial Biometric: The use of 3D geometry of the finger to determine identity.

Gait

Behavioural Biometric: The use of an individual’s walking style or gait to determine identity.

Hand Geometry Recognition

Visual/Spatial Biometric: The use of the geometric features of the hand such as the lengths of fingers and the width of the hand to identify an individual.

Odor

Olfactory Biometric: The use of an individual’s odor to determine identity.

Signature Recognition

Visual/Behavioral Biometric: The authentication of an individual by the analysis of handwriting style, in particular the signature. There are two key types of digital handwritten signature authentication, static and dynamic. Static is most often a visual comparison between one scanned signature and another scanned signature, or a scanned signature against an ink signature. Technology is available to check two scanned signatures using advanced algorithms. Dynamic is becoming more popular as ceremony data is captured along with the X, Y, T and P coordinates of the signer from the signing device. This data can be utilised in a court of law using digital forensic examination tools, and to create a biometric template from which dynamic signatures can be authenticated either at time of signing or post signing, and as triggers in workflow processes.

Typing Recognition

Behavioral Biometric: The use of the unique characteristics of a person’s typing for establishing identity.

Vein Recognition

Vein recognition is a type of biometrics that can be used to identify individuals based on the vein patterns in the human finger or palm.

Voice / Speaker Recognition

There are two major applications of speaker recognition:

Voice - Speaker Verification / Authentication

Auditory Biometric: The use of the voice as a method of determining the identity of a speaker for access control.
Here the speaker claims to be of a certain identity and the voice is used to verify this claim. Speaker verification is a 1:1 match where one speaker's voice is matched to one template (also called a "voice print" or "voice model"). Speaker verification is usually employed as a "gatekeeper" in order to provide access to a secure system (e.g. telephone banking). These systems operate with the user's knowledge and typically require their cooperation.
For example, presenting a person’s passport at border control is a verification process - the agent compares the person’s face to the picture in the document.

Voice - Speaker Identification

Auditory Biometric:  Identification is the task of determining an unknown speaker's identity. 
Speaker identification is a 1:N (many) match where the voice is compared against N templates. Speaker identification systems can also be implemented covertly without the user's knowledge to identify talkers in a discussion, alert automated systems of speaker changes, check if a user is already enrolled in a system, etc.
For example, a police officer compares a sketch of an assailant against a database of previously documented criminals to find the closest match(es). 
In forensic applications, it is common to first perform a speaker identification process to create a list of "best matches" and then perform a series of verification processes to determine a conclusive match.
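The two-stage forensic workflow described above (1:N identification to build a shortlist, then 1:1 verification of each candidate), as an added example that is not part of the original paper. The feature vectors, subject names, cosine-similarity scoring and the 0.99 threshold are constructed assumptions standing in for real voice prints and a real matcher.

```python
import math

# Constructed enrolment database: subject id -> feature vector.
# Real voice prints are far larger; four numbers keep the example readable.
TEMPLATES = {
    "subject-A": [0.90, 0.10, 0.30, 0.70],
    "subject-B": [0.20, 0.80, 0.60, 0.10],
    "subject-C": [0.80, 0.35, 0.45, 0.50],
    "subject-D": [0.10, 0.30, 0.90, 0.40],
}

# Constructed probes: one recording close to subject-A, one from nobody enrolled.
PROBE_ENROLLED = [0.88, 0.12, 0.32, 0.68]
PROBE_UNKNOWN = [0.50, 0.50, 0.50, 0.50]


def similarity(a, b):
    """Cosine similarity between two feature vectors (assumed scoring method)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


def verify(probe, claimed_id, templates, threshold=0.99):
    """1:1 match: compare the probe against the single template of the claimed identity."""
    return similarity(probe, templates[claimed_id]) >= threshold


def identify(probe, templates, top_n=2):
    """1:N match: rank every enrolled template and return the best candidates."""
    ranked = sorted(
        ((similarity(probe, vec), sid) for sid, vec in templates.items()),
        reverse=True,
    )
    return [sid for _, sid in ranked[:top_n]]


def forensic_match(probe, templates, top_n=2, threshold=0.99):
    """Shortlist by identification, then keep only candidates that pass verification."""
    shortlist = identify(probe, templates, top_n)
    confirmed = [sid for sid in shortlist if verify(probe, sid, templates, threshold)]
    return shortlist, confirmed


if __name__ == "__main__":
    for name, probe in (("enrolled", PROBE_ENROLLED), ("unknown", PROBE_UNKNOWN)):
        shortlist, confirmed = forensic_match(probe, TEMPLATES)
        print(name, "shortlist:", shortlist, "confirmed:", confirmed)
```

The unknown probe still produces a shortlist, because a 1:N ranking always has a closest template; only the 1:1 threshold step can report that nobody enrolled matches.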

Note: There is a difference between speaker recognition (recognising who is speaking) and speech recognition (recognising what is being said). These two terms are frequently confused, as is voice recognition. Voice recognition is a synonym for speaker, and thus not speech, recognition. In addition, there is a difference between the act of authentication (commonly referred to as speaker verification or speaker authentication) and identification.

CHARACTERISTICS OF BIOMETRIC SYSTEMS
These are the important factors necessary for any effective biometric system:
  • accuracy,
  • speed and throughput rate,
  • acceptability to users,
  • uniqueness of the biometric organ and action,
  • resistance to counterfeiting,
  • reliability,
  • data storage requirements,
  • enrollment time,
  • intrusiveness of data collection, and
  • subject and system contact requirements.
Accuracy
Accuracy is the most critical characteristic of a biometric identification or verification system. If the system cannot accurately separate authentic persons from impostors, it should not even be termed a biometric identification system.
False Reject Rate
The rate, generally stated as a percentage, at which authentic, enrolled persons are rejected as unidentified or unverified persons by a biometric system is termed the false reject rate. False rejection is sometimes called a Type I error. In access control, if the requirement is to keep the “bad guys” out, false rejection is considered the least important error. However, in other biometric applications, it may be the most important error. When used by a bank or retail store to authenticate customer identity and account balance, false rejection means that the transaction or sale (and associated profit) is lost, and the customer becomes upset. Most bankers and retailers are willing to allow a few false accepts as long as there are no false rejects.
False rejections also reduce throughput, cause frustration, and impede operations, because they cause unnecessary delays in personnel movements. An associated problem that is sometimes incorrectly attributed to false rejection is failure to acquire. Failure to acquire occurs when the biometric sensor is not presented with sufficient usable data to make an authentic or impostor decision. Examples include smudged prints on a fingerprint system, improper hand positioning on a hand geometry system, improper alignment on a retina or iris system, or mumbling on a voice system. Subjects cause failure-to-acquire problems, either accidentally or on purpose.
False Accept Rate
The rate, generally stated as a percentage, at which unenrolled or impostor persons are accepted as authentic, enrolled persons by a biometric system is termed the false accept rate. False acceptance is sometimes called a Type II error. This is usually considered to be the most important error for a biometric access control system.
Crossover Error Rate (CER)
This is also called the equal error rate and is the point, generally stated as a percentage, at which the false rejection rate and the false acceptance rate are equal. This has become the most important measure of biometric system accuracy.
All biometric systems have sensitivity adjustment capability. If false acceptance is not desired, the system can be set to require (nearly) perfect matches of enrollment data and input data. If tested in this configuration, the system can truthfully be stated to achieve a (near) zero false accept rate. If false rejection is not desired, this system can be readjusted to accept input data that only approximate a match with enrollment data. If tested in this configuration, the system can be truthfully stated to achieve a (near) zero false rejection rate. However, the reality is that biometric systems can operate on only one sensitivity setting at a time.
The reality is also that when system sensitivity is set to minimize false acceptance, closely matching data will be spurned, and the false rejection rate will go up significantly. Conversely, when system sensitivity is set to minimize false rejects, the false acceptance rate will go up notably. Thus, the published (i.e., truthful) data tell only part of the story. Actual system accuracy in field operations may even be less than acceptable. This is the situation that created the need for a single measure of biometric system accuracy.
The crossover error rate (CER) provides a single measurement that is fair and impartial in comparing the performance of the various systems. In general, the sensitivity setting that produces the equal error will be close to the setting that will be optimal for field operation of the system. A biometric system that delivers a CER of 2% will be more accurate than a system with a CER of 5%.
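The sensitivity trade-off and the crossover point described above, computed over a small set of match scores; this is an added example, not from the original paper. The score lists and the 0 to 100 score scale are constructed assumptions.

```python
# Constructed match scores (0-100, higher = closer match to the enrolled template).
GENUINE = [58, 64, 70, 76, 81, 85, 88, 90, 93, 95]    # attempts by enrolled users
IMPOSTOR = [12, 19, 28, 30, 35, 41, 52, 61, 68, 78]   # attempts by impostors


def false_reject_rate(genuine, threshold):
    """Fraction of authentic attempts scoring below the threshold (Type I error)."""
    return sum(score < threshold for score in genuine) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Fraction of impostor attempts scoring at or above the threshold (Type II error)."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def sweep(genuine, impostor):
    """Return (threshold, FAR, FRR) for every sensitivity setting from 0 to 100."""
    return [
        (t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
        for t in range(101)
    ]


def zero_far_setting(genuine, impostor):
    """Lowest threshold that accepts no impostor: the 'zero false accept' configuration."""
    return next(row for row in sweep(genuine, impostor) if row[1] == 0)


def zero_frr_setting(genuine, impostor):
    """Highest threshold that rejects no enrolled user: the 'zero false reject' configuration."""
    return [row for row in sweep(genuine, impostor) if row[2] == 0][-1]


def crossover(genuine, impostor):
    """Setting where FAR and FRR are closest; their shared value is the CER."""
    return min(sweep(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    for label, fn in (
        ("zero-FAR setting", zero_far_setting),
        ("zero-FRR setting", zero_frr_setting),
        ("crossover (CER) ", crossover),
    ):
        threshold, far, frr = fn(GENUINE, IMPOSTOR)
        print(f"{label}: threshold={threshold} FAR={far:.0%} FRR={frr:.0%}")
```

On this data a vendor could truthfully quote 0% FAR (at threshold 79) and 0% FRR (at threshold 58), but never both at once; the 20% crossover is the single figure that allows comparison between systems.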
Speed and Throughput Rate
The speed and throughput rate are the most important biometric system characteristics. Speed is often related to the data processing capability of the system and is stated as how fast the accept or reject decision is annunciated. In actuality, it relates to the entire authentication procedure: stepping up to the system; inputting the card or PIN (if a verification system); input of the physical data by inserting a hand or finger, aligning an eye, speaking access words, or signing a name; processing and matching of data files; annunciation of the accept or reject decision; and, if a portal system, movement through and closing the door.
Generally accepted standards include a system speed of 5 seconds from startup through decision annunciation. Another standard is a portal throughput rate of 6 to 10/minute, which equates to 6 to 10 seconds/person through the door. Only in recent years have biometric systems become capable of meeting these speed standards, and, even today, some marketed systems do not maintain this rapidity. Slow speed and the resultant waiting lines and movement delays have frequently caused the removal of biometric systems and even the failure of biometric companies.
Acceptability to Users
System acceptability to the people who must use it has been a little noticed but increasingly important factor in biometric identification operations. Initially, when there were few systems, most were of high security and the few users had a high incentive to use the systems; user acceptance was of little interest. In addition, little user threat was seen in fingerprint and hand systems.
Biometric system acceptance occurs when those who must use the system, organizational managers, and any union present all agree that there are assets that need protection, the biometric system effectively controls access to these assets, system usage is not hazardous to the health of the users, system usage does not inordinately impede personnel movement and cause production delays, and the system does not enable management to collect personal or health information about the users. Any of the parties can effect system success or removal. Uncooperative users will overtly or covertly compromise, damage, or sabotage system equipment. Union inclusion of the biometric system in their contracts may become too costly. Moreover, management has the final decision on whether the biometric system benefits outweigh its liabilities.
COMPARISON of the advantages and disadvantages of biometric technologies

What are the strengths and weaknesses of the current technology?


Each of the technologies in use today gives us a way to restrict access to a system, allowing entry only to those persons who know a specific code, own a card or have certain physical marks. The more complex the system, the more difficult it is to attack, although it will be more expensive and will require more software and hardware resources. When a new authentication system is deployed, a trade-off between simplicity, price and efficiency, as well as social acceptability, is essential.

The password method is the cheapest and simplest technology, because it only requires elementary software resources.
On the other hand, this system is easily attacked, since it is quite simple to obtain the data from a person, either by extracting the information from the person through deception, or by attacking the software of the system. For example, a program that simulates the “user name and password” window can easily be installed on the computer, so that when the user enters his data in that window, it is collected by the “spy” program. Immediately afterwards the true, identical window appears, and the user simply believes that he made a mistake. So this method, in spite of being commonly used, for example to access bank accounts, is not at all the most suitable if we want a safe system, and in the near future attempts will be made to replace it with more resistant methods.

Smart cards are very useful since they can be easily combined with other authentication systems, serving as a storage system. The self-containment of a smart card makes it resistant to attack, as it does not need to depend upon potentially vulnerable external resources. But its small size and bend requirements (which are designed to protect the card physically) limit the memory and processing resources. Used as the only identification system, it is not especially trustworthy, since it can be easily stolen, lost or simply forgotten at home. Besides, smart cards are sometimes combined with cryptographic methods, which makes them more difficult (more expensive) to implement.

The digital signature is very difficult to falsify, since it is encrypted by complicated mathematical operations. It is considered even less falsifiable than manual signature recognition (although the latter is already trustworthy enough).

The advantage that biometrics presents is that the information is unique for each individual and that it can identify the individual in spite of variations over time (it does not matter if the first biometric sample was taken a year ago). The pillars of e-learning security are: authentication, privacy (data confidentiality), authorization (access control), data integrity and non-repudiation. Biometrics is a technique that can meet all these requirements with considerable reliability.

Although biometrics is considered the most effective and safe method (it is very difficult to falsify), we have to bear in mind its disadvantages; for example, since it is a relatively new technology, it is not yet integrated into PCs, so IT departments need to make a conscious decision before making the purchase and changing their structure.
We also have to consider the advantages and disadvantages of each individual system. The following paragraphs enumerate the problems that these techniques can present:

Facial recognition:


Advantages:

a. Non-intrusive.
b. Cheap technology.

Disadvantages:

a. 2D recognition is affected by changes in lighting, the person’s hair, age, and whether the person wears glasses.
b. Requires camera equipment for user identification; thus, it is not likely to become popular until most PCs include cameras as standard equipment.

Voice recognition:


Advantages:

a. Non-intrusive. High social acceptability.
b. Verification time is about five seconds.
c. Cheap technology.

Disadvantages:

a. A person’s voice can be easily recorded and used for unauthorised PC or network access.
b. Low accuracy.
c. An illness such as a cold can change a person’s voice, making absolute identification difficult or impossible.


Signature recognition:


Advantages:

a. Non-intrusive.
b. Short verification time (about five seconds).
c. Cheap technology.

Disadvantages:

a. Signature verification is designed to verify subjects based on the traits of their unique signature. As a result, individuals who do not sign their names in a consistent manner may have difficulty enrolling and verifying in signature verification.
b. Error rate: 1 in 50.

DNA:


Advantages:

a. Very high accuracy.
b. It is impossible for the system to make mistakes.
c. It is standardized.

Disadvantages:

a. Extremely intrusive.
b. Very expensive.

Retinal scanning:


Advantages:

a. Very high accuracy.
b. There is no known way to replicate a retina.
c. The eye from a dead person would deteriorate too fast to be useful, so no extra precautions have to be taken with retinal scans to be sure the user is a living human being.

Disadvantages:

a. Very intrusive.
b. It has the stigma of consumers thinking it is potentially harmful to the eye.
c. Comparisons of template records can take upwards of 10 seconds, depending on the size of the database.
d. Very expensive.

Iris recognition:


Advantages:

a. Very high accuracy.
b. Verification time is generally less than 5 seconds.
c. The eye from a dead person would deteriorate too fast to be useful, so no extra precautions have to be taken with retinal scans to be sure the user is a living human being.

Disadvantages:

a. Intrusive.
b. A lot of memory for the data to be stored.
c. Very expensive.

Fingerprint:


Advantages:
a. Very high accuracy.
b. It is the most economical biometric PC user authentication technique.
c. It is one of the most developed biometrics.
d. Easy to use.
e. Small storage space required for the biometric template, reducing the size of the database memory required.
f. It is standardized.

Disadvantages:

a. For some people it is very intrusive, because it is still related to criminal identification.
b. It can make mistakes with dry or dirty finger skin, as well as with age (it is not appropriate for children, because the size of their fingerprint changes quickly).
c. Image captured at 500 dots per inch (dpi). Resolution: 8 bits per pixel. A 500 dpi fingerprint image at 8 bits per pixel demands a large memory space, 240 Kbytes approximately → Compression required (a factor of 10 approximately).

Hand Geometry:


Advantages:
a. Though it requires special hardware to use, it can be easily integrated into other devices or systems.
b. It has no public attitude problems as it is associated most commonly with authorized access.
c. The amount of data required to uniquely identify a user in a system is the smallest by far, allowing it to be used with SmartCards easily.

Disadvantages:
a. Very expensive.
b. Considerable size.
c. It is not valid for arthritic persons, since they cannot put the hand on the scanner properly.

Creation of a Human Biometric Database in Nigeria

As at the time of writing this paper, Nigeria had engaged in biometric capture exercises almost 4 times, under different names and for different purposes, viz:
  1. GSM Telecommunication biometric SIM registration
  2. National Identity biometric registration
  3. INEC Voters Card biometric registration
  4. Bank Verification Number biometric registration
In all the above cases, security is the primary purpose of the exercise while the secondary purpose is convenience and efficiency.

Biometric Data are useful in:

  • Airport security
  • Building Access
  • Cars
  • Blood Banks
  • Schools and Colleges, even Universities
  • ATM
  • Payroll
  • Government
  • Aviation
  • Military
  • Healthcare
  • Welfare
  • Workers Attendance
  • POS
  • Border Control and Immigration
  • Voting
  • Students Attendance
  • Student Examination
  • KYC as in Banking
  • Internet Banking
  • Crime Control
  • Forensic Investigation
The usage is endless.
Forensic Investigation

An investigation is:
  • scrutiny
  • exploration
  • examination
  • inquiry
  • research
  • an active effort to find out something
  • a systematic and thorough attempt to learn the facts about something complex or hidden
  • often formal and official
  • an orderly attempt to obtain information about or to make a test of something
When "forensic" is attached to the word investigation, it simply means that the end product of such an investigation is intended for litigation or judicial purposes, a tribunal, a panel or public discussion.

Most investigative tasks follow this sequence:

  • definition and establishment of objectives,
      - identifying customers for outputs
      - determining what outputs customers want
      - defining specifications for desired outputs
  • planning work flows to achieve those objectives,
      - selecting a process to produce the outputs
      - defining tasks, cost, schedules required by the process
      - assuring resources to the process
      - defining the process controls needed
  • staffing the work with capable personnel,
      - establishing personnel specifications
      - selecting competent personnel
      - preparing personnel for tasks
      - providing needed support
      - ensuring proper staff compensation
  • directing implementation of the planned process,
      - assuring supervision of work
      - implementing monitoring plan
      - adapting process to inputs, changes
      - tracking progress
  • ensuring that deliverables achieve desired objectives.
      - verifying specified quality of work products
      - ensuring timely delivery
      - soliciting customer feedback
      - satisfying problems, complaints
Synergy of Biometric Databases in Nigeria

As we have seen here, Nigeria could deploy a synergy of all the captured biometric data in the four instances mentioned above to build a robust biometric database for the purpose of forensic investigation.
It is a common fact that the greatest task before the investigator is ‘to connect to the clue’. Biometric data creates the roadmap to arriving at the elusive clue in most of the criminal investigations all over the world.
This is an area in our investigative expertise that has not been adequately harnessed and should as a matter of importance be looked into.
Another important point is how to collect the fingerprint specimen from the scene of crime, given that in white-collar crime it is a bit easier, while in violent crime a different procedure is required.

The challenge before most African countries is how to build and deploy the all-important biometric database for crime control and forensic investigation. It should not be impossible to identify the bad eggs in our midst if most European countries and indeed America are able to do it.
In conclusion, a biometric database is crucial and indispensable in forensic investigation and evidence collection.
