Tuesday, October 2, 2007

Biometrics


At Walt Disney World, biometric measurements are taken from the fingers of guests to ensure that the person's ticket is used by the same person from day to day

Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.

Some researchers have coined the term behaviometrics for behavioral biometrics such as typing rhythm or mouse gestures, where the analysis can be done continuously without interrupting or interfering with user activities.

Overview

Biometrics are used to establish the identity of an input sample by comparing it to a template, and are used in cases where specific objects are identified by certain characteristics.

  • possession-based: using one specific "token" such as a security tag or a card
  • knowledge-based: the use of a code or password.


Standard validation systems often use multiple inputs of samples for sufficient validation, such as particular characteristics of the sample. This is intended to enhance security, as multiple different samples are required, such as security tags, codes and sample dimensions.

Common Human biometric characteristics

Classification of some biometric traits

Biometric characteristics can be divided into two main classes, as represented in the figure on the right:

  • physiological are related to the shape of the body. The oldest traits, that have been used for more than 100 years, are fingerprints. Other examples are face recognition, hand geometry and iris recognition.
  • behavioral are related to the behavior of a person. The first characteristic to be used, still widely used today, is the signature. More modern approaches are the study of keystroke dynamics and of voice.

Strictly speaking, voice is also a physiological trait because every person has a different pitch, but voice recognition is mainly based on the study of the way a person speaks, commonly classified as behavioral.

Other biometric strategies are being developed such as those based on gait (way of walking), retina, hand veins, ear recognition, facial thermogram, DNA, odor and palm prints.

Comparison of various biometric technologies

It is possible to understand if a human characteristic can be used for biometrics in terms of the following parameters:


  • Universality describes how commonly a biometric is found individually.
  • Uniqueness is how well the biometric separates individually from another.
  • Permanence measures how well a biometric resists aging.
  • Collectability: ease of acquisition for measurement.
  • Performance: accuracy, speed, and robustness of technology used.
  • Acceptability: degree of approval of a technology.
  • Circumvention: ease of use of a substitute.


The following table shows a comparison of existing biometric systems in terms of those parameters:

Comparison of various biometric technologies, according to A. K. Jain (H=High, M=Medium, L=Low)

Biometrics          Universality  Uniqueness  Permanence  Collectability  Performance  Acceptability  Circumvention*
Face                H             L           M           H               L            H              L
Fingerprint         M             H           H           M               H            M              H
Hand geometry       M             M           M           H               M            M              M
Keystrokes          L             L           L           M               L            M              M
Hand veins          M             M           M           M               M            M              H
Iris                H             H           H           M               H            L              H
Retinal scan        H             H           M           L               H            L              H
Signature           L             L           L           H               L            H              L
Voice               M             L           L           M               L            H              L
Facial thermograph  H             H           L           H               M            H              H
Odor                H             H           H           L               L            M              L
DNA                 H             H           H           L               H            L              L
Gait                M             L           L           H               L            H              M
Ear recognition     M             M           H           M               M            H              M

* - circumventability listed with reversed colors because low is desirable here instead of high

A. K. Jain ranks each biometric based on the categories as being either low, medium, or high. A low ranking indicates poor performance in the evaluation criterion whereas a high ranking indicates a very good performance.

Biometric systems

The basic block diagram of a biometric system

The diagram on the right shows a simple block diagram of a biometric system. When such a system is networked together with telecommunications technology, biometric systems become telebiometric systems. The main operations a system can perform are enrollment and test. During the enrollment, biometric information from an individual is stored. During the test, biometric information is detected and compared with the stored information. Note that it is crucial that storage and retrieval of such systems themselves be secure if the biometric system is to be robust. The first block (sensor) is the interface between the real world and our system; it has to acquire all the necessary data. Most of the time it is an image acquisition system, but it can change according to the characteristics desired. The second block performs all the necessary pre-processing: it has to remove artifacts from the sensor, to enhance the input (e.g. removing background noise), to use some kind of normalisation, etc. In the third block the features needed are extracted. This is an important step, as the correct features need to be extracted in the optimal way. A vector of numbers or an image with particular properties is used to create a template. A template is a synthesis of all the characteristics extracted from the source, in the optimal size to allow for adequate identifiability.

If enrollment is being performed the template is simply stored somewhere (on a card or within a database or both). If a matching phase is being performed, the obtained template is passed to a matcher that compares it with other existing templates, estimating the distance between them using any algorithm (e.g. Hamming distance). The matching programme will analyse the template with the input. This will then be output for any specified use or purpose (e.g. entrance in a restricted area).

Functions

A biometric system can provide the following two functions:

  • Verification: does the template match the input sample? A pre-stored template is matched against a sample directly, e.g. a card or known database entry.
  • Identification: what is the input sample? Identifying from all the templates which one is the closest match to the input sample.

Performance measurement

  • false accept rate (FAR) or false match rate (FMR): the probability that the system incorrectly declares a successful match between the input pattern and a non-matching pattern in the database. It measures the percent of invalid matches. This rate is critical because biometric systems are commonly used to forbid certain actions by disallowed people.
  • false reject rate (FRR) or false non-match rate (FNMR): the probability that the system incorrectly declares failure of match between the input pattern and the matching template in the database. It measures the percent of valid inputs being rejected.
  • receiver (or relative) operating characteristic (ROC): In general, the matching algorithm performs a decision using some parameters (e.g. a threshold). In biometric systems the FAR and FRR can typically be traded off against each other by changing those parameters. The ROC plot is obtained by graphing the values of FAR and FRR, changing the variables implicitly. A common variation is the Detection error trade-off (DET), which is obtained using normal deviate scales on both axes. This more linear graph illuminates the differences for higher performances (rarer errors).
  • equal error rate (EER): the rate at which both accept and reject errors are equal. ROC or DET plotting is used because it shows clearly how FAR and FRR can be changed. When quick comparison of two systems is required, the EER is commonly used. It is obtained from the ROC plot by taking the point where FAR and FRR have the same value. The lower the EER, the more accurate the system is considered to be.
  • failure to enroll rate (FTE or FER): the percentage of data input that is considered invalid and fails to be entered into the system. Failure to enroll happens when the data obtained by the sensor are considered invalid or of poor quality.
  • failure to capture rate (FTC): Within automatic systems, the probability that the system fails to detect a biometric characteristic when presented correctly.
  • template capacity: the maximum number of sets of data which can be entered into the system.
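
The matcher and the error rates defined above, as an added example that is not part of the original page. Templates are modelled as 256-bit values compared by Hamming distance; the template size, the noise level, the generated data and all function names are assumptions of this example.

```python
import random

TEMPLATE_BITS = 256  # assumed size of a binary template


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def noisy_copy(template: int, flip_prob: float, rng: random.Random) -> int:
    """Simulate a fresh scan: every bit flips independently with flip_prob."""
    mask = 0
    for bit in range(TEMPLATE_BITS):
        if rng.random() < flip_prob:
            mask |= 1 << bit
    return template ^ mask


def verify(template: int, sample: int, threshold: int) -> bool:
    """Verification (1:1): does the sample match this one stored template?"""
    return hamming_distance(template, sample) <= threshold


def identify(enrolled: list, sample: int, threshold: int):
    """Identification (1:N): index of the closest template, or None."""
    best = min(range(len(enrolled)),
               key=lambda i: hamming_distance(enrolled[i], sample))
    return best if verify(enrolled[best], sample, threshold) else None


def collect_scores(users=40, scans=5, flip_prob=0.35, seed=7):
    """Constructed data: genuine and impostor distances for a noisy sensor."""
    rng = random.Random(seed)
    enrolled = [rng.getrandbits(TEMPLATE_BITS) for _ in range(users)]
    genuine, impostor = [], []
    for owner, template in enumerate(enrolled):
        for _ in range(scans):
            sample = noisy_copy(template, flip_prob, rng)
            genuine.append(hamming_distance(template, sample))
            # The same scan presented against every other user's template.
            impostor.extend(hamming_distance(other, sample)
                            for j, other in enumerate(enrolled) if j != owner)
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """FAR = impostors accepted, FRR = genuine users rejected, at a threshold."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr


def roc_curve(genuine, impostor):
    """(threshold, FAR, FRR) for every possible threshold."""
    return [(t, *far_frr(genuine, impostor, t))
            for t in range(TEMPLATE_BITS + 1)]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the error rate there."""
    t, far, frr = min(roc_curve(genuine, impostor),
                      key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    genuine, impostor = collect_scores()
    for t in (90, 100, 110, 120):
        far, frr = far_frr(genuine, impostor, t)
        print(f"threshold={t:3d}  FAR={far:.4f}  FRR={frr:.4f}")
    print("EER threshold and rate:", equal_error_rate(genuine, impostor))
```

Raising the threshold moves errors from FRR to FAR, which is the trade-off the ROC plot shows.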

Performance

The following table shows the state of the art of some biometric systems:


State of the art of biometric recognition systems

Biometrics     EER     FAR       FRR     Subjects  Comment                                   Reference
Face           n.a.    1 %       10 %    37437     Varied lighting, indoor/outdoor           FRVT (2002)[4]
Fingerprint    n.a.    1 %       0.1 %   25000     US Government operational data            FpVTE (2003)[5]
Fingerprint    2 %     2 %       2 %     100       Rotation and exaggerated skin distortion  FVC (2004)[6]
Hand geometry  1 %     2 %       0.1 %   129       With rings and improper placement         (2005)[7]
Iris           <>      0.94 %    0.99 %  1224      Indoor environment                        ITIRT (2005)[8]
Iris           0.01 %  0.0001 %  0.2 %   132       Best conditions                           NIST (2005)[9]
Keystrokes     1.8 %   7 %       0.1 %   15        During 6 months period                    (2005)[10]
Voice          6 %     2 %       10 %    310       Text independent, multilingual            NIST (2004)[11]


One simple but artificial way to judge a system is by EER, but not all the authors provided it. Moreover, there are two particular values of FAR and FRR to show how one parameter can change depending on the other. For fingerprint there are two different results: the one from 2003 is older but it was performed on a huge set of people, while in 2004 far fewer people were involved but stricter conditions were applied. For iris, both references belong to the same year, but one was performed on more people, while the other is the result of a competition between several universities so, even if the sample is much smaller, it could better reflect the state of the art of the field.

Issues and concerns

As with many interesting and powerful developments of technology, there are concerns about biometrics. The biggest concern is the fact that once a fingerprint or other biometric source has been compromised it is compromised for life, because users can never change their fingerprints. A theoretical example is a debit card with a Personal Identification Number (PIN) or a biometric. Some argue that if a person's biometric data is stolen it might allow someone else to access personal information or financial accounts, in which case the damage could be irreversible. However, this argument ignores a key operational factor intrinsic to all biometrics-based security solutions: biometric solutions are based on matching, at the point of transaction, the information obtained by the scan of a "live" biometric sample to a pre-stored, static "match template" created when the user originally enrolled in the security system. Most of the commercially available biometric systems address the issues of ensuring that the static enrollment sample has not been tampered with (for example, by using hash codes and encryption), so the problem is effectively limited to cases where the scanned "live" biometric data is hacked. Even then, most competently designed solutions contain anti-hacking routines. For example, the scanned "live" image is virtually never the same from scan to scan owing to the inherent plasticity of biometrics; so, ironically, a "replay" attack using the stored biometric is easily detected because it is too perfect a match.

The television program Mythbusters attempted to break into a commercial security door equipped with biometric authentication as well as a personal laptop so equipped. While the laptop's system proved more difficult to bypass, the advanced commercial security door with "live" sensing was fooled with a printed scan of a fingerprint after it had been licked. Assuming the tested security door is representative of the current typical state of biometric authentication, that it was so easily bypassed suggests biometrics may not yet be reliable as a strong form of authentication.


Marketing of biometric products

Despite confirmed cases of defeating commercially available biometric scanners, many companies marketing biometric products (especially consumer-level products such as readers built into keyboards) still claim the products as replacements, rather than supplements, for passwords. Furthermore, regulations regarding advertising and manufacturing of biometric products are (as of 2006) largely non-existent. Given the low security, consumer-level products are most likely to be bought and used by most people, leading to the risk of large-scale economic and social problems associated with biometric identity theft.[citation needed]

Sociological concerns

As technology advances, and time goes on, more and more private companies and public utilities will use biometrics for safe, accurate identification. However, these advances will raise many concerns throughout society, where many may not be educated on the methods. Here are some examples of concerns society has with biometrics:

  • Physical - Some believe this technology can cause physical harm to an individual using the methods, or that instruments used are unsanitary. For example, there are concerns that retina scanners might not always be clean.
  • Personal Information - There are concerns whether our personal information taken through biometric methods can be misused, tampered with, or sold, e.g. by criminals stealing, rearranging or copying the biometric data. Also, the data obtained using biometrics can be used in unauthorized ways without the individual's consent.

Danger to owners of secured items

When thieves cannot get access to secure properties, there is a chance that the thieves will stalk and assault the property owner to gain access. If the item is secured with a biometric device, the damage to the owner could be irreversible, and potentially cost more than the secured property. In 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal the car.

Uses and initiatives

Brazil

Since the beginning of the 20th century, Brazilian citizens have used ID cards. The decision by the Brazilian government to adopt fingerprint-based biometrics was spearheaded by Dr. Felix Pacheco at Rio de Janeiro, at that time capital of the Federative Republic. Dr. Pacheco was a friend of Dr. Juan Vucetich, who invented one of the most complete tenprint classification systems in existence. The Vucetich system was adopted not only in Brazil, but also by most of the other South American countries. The oldest and most traditional ID Institute in Brazil (Instituto de Identificação Félix Pacheco) was integrated at DETRAN (Brazilian equivalent to DMV) into the civil and criminal AFIS system in 1999.

Each state in Brazil is allowed to print its own ID card, but the layout and data are the same for all of them. The ID cards printed in Rio de Janeiro are fully digitized using a 2D bar code with information which can be matched against its owner off-line. The 2D bar code encodes a color photo, a signature, two fingerprints, and other citizen data. This technology was developed in 2000 in order to enhance the safety of the Brazilian ID cards.

By the end of 2005, the Brazilian government started the development of its new passport. The new documents started to be released by the beginning of 2007, at Brasilia-DC. The new passport included several security features, like laser perforation, UV hidden symbols, a security layer over variable data, etc. Brazilian citizens will have their signature, photo, and 10 rolled fingerprints collected during passport requests. All of the data is planned to be stored in the ICAO E-passport standard. This allows for contactless electronic reading of the passport content and citizens' ID verification, since fingerprint templates and token facial images will be available for automatic recognition.

United States

The United States government has become a strong advocate of biometrics with the increase in security concerns in recent years, since September 11, 2001. Starting in 2005, US passports with facial (image-based) biometric data were scheduled to be produced. Privacy activists in many countries have criticized the technology's use for the potential harm to civil liberties, privacy, and the risk of identity theft. Currently, there is some apprehension in the United States (and the European Union) that the information can be "skimmed" and identify people's citizenship remotely for criminal intent, such as kidnapping. There also are technical difficulties currently delaying biometric integration into passports in the United States, the United Kingdom, and the rest of the EU. These difficulties include compatibility of reading devices, information formatting, and nature of content (e.g. the US currently expect to use only image data, whereas the EU intends to use fingerprint and image data in their passport RFID biometric chip(s)).

The speech made by President Bush on May 15, 2006, live from the Oval Office, was very clear: from now on, anyone wishing to enter the United States legally in order to work there will be card-indexed and will have to provide fingerprints on entering the country. Many foreigners will have to subject themselves to these procedures, formerly imposed only on criminals and spies, not on immigrants and visitors, and even less on citizens.

"A key part of that system [for verifying documents and work eligibility of aliens] should be a new identification card for every legal foreign worker. This card should use biometric technology, such as digital fingerprints, to make it tamper-proof." President George W Bush (Addresses on Immigration Reform, May 15, 2006)

The US Department of Defense (DoD) Common Access Card is an ID card issued to all US Service personnel and contractors on US Military sites. This card contains biometric data and digitized photographs. It also has laser-etched photographs and holograms to add security and reduce the risk of falsification. There have been over 10 million of these cards issued.

According to Jim Wayman, director of the National Biometric Test Center at San Jose State University, Walt Disney World is the nation's largest single commercial application of biometrics. However, the US Visit program will very soon surpass Walt Disney World for biometrics deployment.

Germany

The biometrics market in Germany will experience enormous growth until 2009. “The market size will increase from approximately 12 million € (2004) to 377 million €” (2009). “The federal government will be a major contributor to this development”. In particular, the biometric procedures of fingerprint and facial recognition can profit from the government project. In May 2005 the German Upper House of Parliament approved the implementation of the ePass, a passport issued to all German citizens which contains biometric technology. The ePass has been in circulation since November 2005, and contains a chip that initially will hold a digital photo of the holder's face. “Starting in March 2007, fingerprints also will be stored on the chips – one from each hand”. “A third biometric identifier – iris scans – could be added at a later stage”. An increase in the prevalence of biometric technology in Germany is an effort to not only keep citizens safe within German borders but also to comply with the current US deadline for visa-waiver countries to introduce biometric passports. In addition to producing biometric passports for German citizens, the German government has put in place new requirements for visitors to apply for visas within the country. “Only applicants for long-term visas, which allow more than three months' residence, will be affected by the planned biometric registration program. The new work visas will also include fingerprinting, iris scanning, and digital photos”.

Germany is also one of the first countries to implement biometric technology at the Olympic Games to protect German athletes. “The Olympic Games is always a diplomatically tense affair and previous events have been rocked by terrorist attacks - most notably when Germany last held the Games in Munich in 1972 and 11 Israeli athletes were killed”.

Biometric technology was first used at the Olympic Summer Games in Athens, Greece in 2004. “On registering with the scheme, accredited visitors will receive an ID card containing their fingerprint biometrics data that will enable them to access the 'German House'. Accredited visitors will include athletes, coaching staff, team management and members of the media”.

Australia

Visitors intending to visit Australia may soon have to submit to biometric authentication as part of the Smartgate system, linking individuals to their visas and passports. Biometric data are already collected from some visa applicants by Immigration. Other applications include authentication of gym users etc.

Israel

Biometrics have been used extensively in Israel for several years. [citation needed]

The border crossing points from Israel to the Gaza Strip and West Bank are controlled by gates through which authorised Palestinians may pass. Thousands of Palestinians (upwards of 90,000) pass through the turnstiles every day to work in Israel, and each of them has an ID card which has been issued by the Israeli Military at the registration centres. At peak periods more than 15,000 people an hour pass through the gates. The ID card is a smartcard with stored biometrics of fingerprints, facial geometry and hand geometry. In addition there is a photograph printed on the card and a digital version stored on the smartcard chip. [citation needed]

Tel Aviv Ben Gurion Airport has a frequent flyer's fast check-in system which is based on the use of a smartcard which holds information relating to the holder's hand geometry and fingerprints. For a traveller to pass through the fast path using the smartcard system takes less than 10 seconds. [citation needed]

The Immigration Police at Tel Aviv Airport use a system of registration for foreign workers that utilises fingerprint, photograph and facial geometry which is stored against the Passport details of the individual. There is a mobile version of this which allows the police to check on an individual's credentials at any time. [citation needed]

Iraq

Biometrics are being used extensively in Iraq to catalogue as many Iraqis as possible, providing Iraqis with a verifiable identification card, immune to forgery. During account creation, the collected biometrics information is logged into a central database which then allows a user profile to be created. Even if an Iraqi has lost their ID card, their identification can be found and verified by using their unique biometric information. Additional information can also be added to each account record, such as individual personal history. This can help American forces determine whether someone has been causing trouble in the past. One major system in use in Iraq is called BISA. This system uses a smartcard and a user's biometrics (fingerprint, iris, and face photos) to ensure they are authorized access to a base or facility.

Japan

Several banks in Japan have adopted palm vein authentication technology on their ATMs. This technology, which was developed by Fujitsu, among other companies, proved to have a low false rejection rate (around 0.01%) and a very low false acceptance rate (less than 0.00008%).

Magnetic stripe card

A magnetic stripe card is a type of card capable of storing data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on the card. The magnetic stripe, sometimes called a magstripe, is read by physical contact and swiping past a reading head. Magnetic stripe cards are commonly used in credit cards, identity cards, and transportation tickets. They may also carry an RFID tag, a transponder device and/or a microchip, mostly used for business premises access control or electronic payment.

A number of International Organization for Standardization standards, ISO 7810, ISO 7811, ISO 7812, ISO 7813, and ISO 4909, define the physical properties of the card, including size, flexibility, location of the magstripe, and magnetic characteristics. They also provide the standards for financial cards, including the allocation of card number ranges to different card issuing institutions.

The magnetic stripe

The process of attaching a magnetic stripe to a plastic card was invented by IBM under a contract with the US government for a security system. Forrest Parry, an IBM Engineer, had the idea of securing a piece of magnetic tape, the predominant storage medium at the time, to a plastic card base. He became frustrated because every adhesive he tried produced unacceptable results. The tape strip either warped or its characteristics were affected by the adhesive making it technically unusable. After a frustrating day in the laboratory, trying to get the right adhesive, he came home with several pieces of magnetic tape and several plastic cards. As he walked in the door at home, his wife was ironing and watching TV. She immediately saw the frustration on his face and asked what was wrong. He explained the source of his frustration: inability to get the tape to "stick" to the plastic in a way that would work. She said, "Here, let me try the iron." She did and the problem was solved. The heat of the iron was just high enough to bond the tape to the card.

There were a number of steps required to convert the magnetic striped media into an industry acceptable device. These steps included: 1) Creating the international standards for stripe record content, including which information, in what format, and using which defining codes. 2) Field testing the proposed device and standards for market acceptance. 3) Developing the manufacturing steps needed to mass produce the large number of cards required. 4) Adding stripe issue and acceptance capabilities to available equipment. These steps were initially managed by Jerome Svigals of the Advanced Systems Division of IBM, Los Gatos, California from 1966 to 1975.

In most magnetic stripe cards, the magnetic stripe is contained in a plastic-like film. The magnetic stripe is located 0.223 inches (5.66 mm) from the edge of the card, and is 0.375 inches (9.52 mm) wide. The magnetic stripe contains three tracks, each 0.110 inches (2.79 mm) wide. Tracks one and three are typically recorded at 210 bits per inch (8.27 bits per mm), while track two typically has a recording density of 75 bits per inch (2.95 bits per mm). Each track can either contain 7-bit alphanumeric characters, or 5-bit numeric characters. Track 1 standards were created by the airlines industry (IATA). Track 2 standards were created by the banking industry (ABA). Track 3 standards were created by the Thrift-Savings industry.

Magstripes following these specifications can typically be read by most point-of-sale hardware, which are simply generic general-purpose computers that can be programmed to perform specific tasks. Examples of cards adhering to these standards include ATM cards, bank cards (credit and debit cards including VISA and MasterCard), gift cards, loyalty cards, driver's licenses, telephone calling cards, membership cards, electronic benefit transfer cards (e.g. food stamps), and nearly any application in which value or secure information is not stored on the card itself. Many video game and amusement centers now use debit card systems based on magnetic stripe cards. An example of one of these is ECS by Embed International.

Counterexamples of cards which intentionally ignore these standards include hotel keycards, most subway and bus cards, and some national prepaid calling cards (such as for the country of Cyprus) in which the balance is stored and maintained directly on the stripe and not retrieved from a remote database.

Magnetic stripe coercivity

Magstripes come in two main varieties: high-coercivity (HiC) at 4000 Oe and low-coercivity (LoC) at 300 Oe but it is not infrequent to have intermediate values at 2750 Oe. High-coercivity magstripes are harder to erase, and therefore are appropriate for cards that are frequently used or that need to have a long life. Low-coercivity magstripes require a lower amount of magnetic energy to record, and hence the card writers are much cheaper than machines which are capable of recording high-coercivity magstripes. A card reader can read either type of magstripe, and a high-coercivity card writer may write both high and low-coercivity cards (most have two settings, but writing a LoC card in HiC may sometimes work), while a low-coercivity card writer may write only low-coercivity cards.

In practical terms, usually low coercivity magnetic stripes are a light brown color, and high coercivity stripes are nearly black; exceptions include a proprietary silver-colored formulation on transparent American Express cards. High coercivity stripes are resistant to damage from most magnets likely to be owned by consumers. Low coercivity stripes are easily damaged by even a brief contact with a magnetic purse strap or fastener. Because of this, virtually all bank cards today are encoded on high coercivity stripes despite a slightly higher per-unit cost.

Magnetic stripe cards are used in very high volumes in the mass transit sector, replacing paper based tickets with either a directly applied magnetic slurry or hot foil stripe. Slurry applied stripes are generally less expensive to produce and are less resilient but are suitable for cards meant to be disposed after a few uses.

Financial cards

There are up to three tracks on magnetic cards used for financial transactions, known as tracks 1, 2, and 3. Track 3 is virtually unused by the major worldwide networks such as VISA, and usually isn't even physically present on the card by virtue of a narrower magnetic stripe. Point-of-sale card readers almost always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum cardholder account information needed to complete a transaction is present on both tracks. Track 1 has a higher bit density (210 bits per inch vs. 75), is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder's name.

The information on track 1 on financial cards is contained in several formats: A, which is reserved for proprietary use of the card issuer, B, which is described below, C-M, which are reserved for use by ANSI Subcommittee X3B10 and N-Z, which are available for use by individual card issuers:

Track one, Format B:

  • Start sentinel — one character (generally '%')
  • Format code="B" — one character (alpha only)
  • Primary account number — up to 19 characters
  • Field Separator — one character (generally '^')
  • Name — two to 26 characters
  • Field Separator — one character (generally '^')
  • Expiration date — four characters
  • Service code — three characters
  • Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), Pin Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVK, 3 characters)
  • End sentinel — one character (generally '?')
  • Longitudinal redundancy check (LRC) — one character

LRC is a form of computed check character.

The format for track 2 was developed by the banking industry (ABA). This track is written with a 5-bit scheme (4 data bits + 1 parity), which allows for sixteen possible characters, which are the numbers 0-9, plus the six characters : ; < = > ? . The selection of six punctuation symbols may seem odd, but in fact the sixteen codes simply map to the ASCII range 0x30 through 0x3f, which defines ten digit characters plus those six symbols. The data format is as follows:

  • Start sentinel — one character (generally ';')
  • Primary account number — up to 19 chars
  • Separator — one char (generally '=')
  • Expiration date — four characters
  • Service code — three characters
  • Discretionary data — as in track one
  • End sentinel — one character (generally '?')
  • LRC — one character
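The track 2 framing described above, seen from the reader side, as an added example that is not part of the original page: it checks the parity bit of each 5-bit character and the LRC, then splits the record into the listed fields. Odd parity, and an LRC formed by XOR of the data bits with its own odd parity bit, follow the usual ISO/IEC 7811 convention and are assumptions not stated on the page; the function names and the sample record are constructed for illustration.

```python
import re

# Track 2 field layout as listed above; ';', '=' and '?' are the sentinel and
# separator characters the text gives as the usual ones.
TRACK2 = re.compile(
    r";(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})"
    r"(?P<discretionary>\d*)\?"
)

def to_5bit(ch):
    """Map one track 2 character to its 5-bit code: 4 data bits + parity."""
    value = ord(ch) - 0x30                    # the sixteen codes map to 0x30..0x3f
    if not 0 <= value <= 0x0F:
        raise ValueError(f"{ch!r} is not a track 2 character")
    parity = 1 - bin(value).count("1") % 2    # assumed odd parity over 5 bits
    return value | (parity << 4)

def lrc_code(text):
    """LRC: XOR of the data bits of every character, sentinels included."""
    nibble = 0
    for ch in text:
        nibble ^= to_5bit(ch) & 0x0F
    return to_5bit(chr(nibble + 0x30))        # parity covers the LRC itself

def frame(text):
    """5-bit codes as a reader would see them: the characters, then the LRC."""
    return [to_5bit(ch) for ch in text] + [lrc_code(text)]

def decode_track2(codes):
    """Verify parity and LRC of a list of 5-bit codes and return the text."""
    if len(codes) < 2:
        raise ValueError("record too short")
    for pos, code in enumerate(codes):
        if bin(code).count("1") % 2 != 1:
            raise ValueError(f"parity error at character {pos}")
    text = "".join(chr((code & 0x0F) + 0x30) for code in codes[:-1])
    if codes[-1] != lrc_code(text):
        raise ValueError("LRC mismatch")
    return text

def parse_track2(text):
    """Split a verified track 2 record into the fields listed above."""
    match = TRACK2.fullmatch(text)
    if match is None:
        raise ValueError("not a track 2 record")
    return match.groupdict()

# Constructed sample: a widely published test account number, not card data.
SAMPLE_TEXT = ";" + "4111111111111111" + "=" + "3012" + "101" + "0000000000" + "?"
SAMPLE_CODES = frame(SAMPLE_TEXT)
```

A single flipped bit is caught by the per-character parity check; two flipped bits inside one character pass parity and are caught by the LRC instead.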

Note: It is possible for these stripes to be completely erased if brought close to high-strength neodymium magnets.

Driver's Licenses (USA)

The data stored on magnetic stripes on American driver's licenses is specified by the American Association of Motor Vehicle Administrators (AAMVA).

The following data is stored on track 1:

  • Start Sentinel - one character (generally '%')
  • State or Province - two characters
  • City - unknown length
  • Field Separator - one character (generally '^')
  • Last Name - unknown length
  • Field Separator - one character (generally '$')
  • First Name - unknown length
  • Field Separator - one character (generally '$')
  • Middle Name - unknown length
  • Field Separator - one character (generally '^')
  • Address - unknown length
  • Field Separator - one character (generally '^')
  • Unknown (spaces on mine) - unknown length
  • End Sentinel - one character (generally '?')

The following data is stored on track 2:

  • ISO Issuer Identifier Number (IIN)
  • Drivers License / Identification Number
  • Field Separator — generally '='
  • Expiration Date
  • Birth date (YYYYMMDD)
  • DL/ID# overflow

The following data is stored on track 3:

  • Template V#
  • Security V#
  • Postal Code
  • Class
  • Restrictions
  • Endorsements
  • Sex
  • Height
  • Weight
  • Hair Color
  • Eye Color
  • ID#
  • Reserved Space
  • Error Correction
  • Security

Other card types

Smart cards are a newer generation of card containing an integrated circuit chip. The card may have metal contacts connecting the card physically to the reader, while contactless cards use a magnetic field or radio frequency (RFID) for proximity reading.

'Hybrid' smart cards include a magnetic stripe in addition to the chip — this is most commonly found in a payment card, so that the cards are also compatible with payment terminals that do not include a smart card reader.

Physical security

Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.

Elements and design

Spikes atop a barrier wall

The field of security engineering has identified three elements to physical security:

  • obstacles, to frustrate trivial attackers and delay serious ones;
  • alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and
  • security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other. There are four layers of physical security:

  • Environmental design
  • Mechanical and electronic access control
  • Intrusion detection
  • Video monitoring

The initial layer of security for a campus, building, office, or physical space uses environmental design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.

Electronic access control

The next layer is mechanical and includes gates, doors, and locks. Key control of the locks becomes a problem with large user populations and any user turnover. Keys quickly become unmanageable, forcing the adoption of electronic access control. Electronic access control easily manages large user populations, controlling for user lifecycles, times, dates, and individual access points. For example, a user's access rights could allow access from 0700 to 1900 Monday through Friday and expire in 90 days.

The third layer is intrusion detection systems or alarms. Intrusion detection monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.

Closed-circuit television sign

The last layer is video monitoring systems. Like intrusion detection, these are not much of a deterrent. Video monitoring systems are more useful for incident verification and historical analysis. For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly becoming outdated as more video systems lose the closed circuit for signal transmission and are instead transmitting on computer networks. Advances in information technology are transforming video monitoring into video analysis. For instance, once an image is digitized it can become data that sophisticated algorithms can act upon. As the speed and accuracy of automated analysis increases, the video system could move from a monitoring system to an intrusion detection system or access control system. It is not a stretch to imagine a video camera inputting data to a processor that outputs to a door lock. Instead of using some kind of key, whether mechanical or electrical, a person's visage is the key.

Private factory guard

Intertwined in these four layers are people. Guards have a role in all layers: in the first as patrols and at checkpoints, in the second to administer electronic access control, in the third to respond to alarms, and in the fourth to monitor and analyze video. Users obviously have a role also, by questioning and reporting suspicious people. Identification systems aid in identifying people as known versus unknown. Often photo ID badges are used and are frequently coupled to the electronic access control system. Visitors are often required to wear a visitor badge.

For example, the response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers; and

  • persuading them that the likely costs of attack exceed the value of making the attack.

For example, ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Attackers quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.

Conversely, safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.

Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security (see security through obscurity and inside job).

Door security

Door security relates to prevention of door-related burglaries. Such break-ins take place in various forms and in a number of locations, ranging from front, back and side doors to garage doors.

Common Residential Door Types

The following are the types of doors typically used in residential applications: solid wood door, panel doors (hollow and solid core), metal skinned wood-edged doors and metal edge-wrapped doors. Typically, door frames are solid wood. Residential doors also frequently contain windows.

Security Weakness of Common Residential Door Types

Security tests by Consumer Reports Magazine in the 1990s found that many residential doors fail or delaminate when force is applied to them. Solid wood doors withstood more force than the very common metal skinned wood-edged doors used in newer construction. Premdor (now Masonite), a broad-range door manufacturer, stated on page 6 of one of its 1990s brochures, entitled "Premdor Entry Systems", that "The results of tests were overwhelming, Steel edged doors outperform wood-edged doors by a ratio of 7 to 1 When you consider the practically two-thirds of all illegal entries were made through doors... One hit of 100 lb strike force broke the wood-edged stile and opened the door. To actually open the steel-edged door required 7 strikes of 100 lb pressure." Most door manufacturers offer a number of different types of doors with varying levels of strength.

Consumer Reports Magazine also reported in its test results that door frames often split with little force applied and lower quality deadbolts simply failed when force was applied to the door.


The Chula Vista Residential Burglary Reduction Project, which studied over 1,000 incidents, reported: "We also learned what prevention techniques seemed to have little effect on whether a burglary would be successful. Methods found to have relatively low effectiveness included: sliding glass door braces, such as wooden dowels, as opposed to sliding door channel or pin locks; deadbolts installed in the front door only; and outdoor lights on dusk-to-dawn timers... burglars typically ransacked or vandalized at least 25% of the homes they burglarized..." (The Chula Vista Residential Burglary Reduction Project - Summary)

Burglary Tactics

The Chula Vista Residential Burglary Reduction Project reported the following findings: "From victim interviews, we learned that in 87% of the break-ins that occurred when intruders defeated locked doors with tools such as screwdrivers or crowbars, the burglars targeted "the one door that had no deadbolt lock."... not one burglar attempted to break a double-pane window during the course of successful or attempted burglary." (The Chula Vista Residential Burglary Reduction Project - Summary)

Door security devices

  • Alarms
  • Deadbolts - many manufacturers make deadbolts that are resistant to impact failure, picking and lock bumping. However, most deadbolts are not pick-resistant. Consumer Reports Magazine's testing showed that many manufacturers make deadbolts that break apart and otherwise fail when force is applied to the door.
  • Door strike reinforcers - generally there are two products: frame reinforcers (metal strips installed vertically on or behind the door frame) and strike pocket reinforcers (3" screws are often provided to tie the deadbolt pocket beyond the thin door frame material, directly to the stud or other wall).
  • Deadbolt / door / frame reinforcements - various products are made to prevent delamination and/or splitting of the door frame: metal wraps can be placed under the deadbolt and wrap the door edge to prevent delamination, and heavy-duty products place plates on either side of the door and/or frame, tied together with screws or bolts, to prevent delamination.
  • Door chains - allow the door to be opened slightly.
  • Secondary, internal locks - sliding bolts, hooks and specialty latches, or more accurately, metal blocks or bars mounted internally.
  • Door viewers - small fish-eye lenses that allow residents to view outside.
  • Door windows - there are three common methods to add security to windows in or beside doors: one, security films (coatings applied to the glass in windows to reinforce it); two, security bars and grates; and three, breakage-resistant Plexiglas, Lexan and other glass replacement products.
  • Hinge screws - longer 3" screws, and specialized screws that prevent the door from being simply pushed in after removing the hinge pins.
  • Sliding door /patio door locks - there are numerous specialized products to prevent sliding doors from being defeated easily.
  • Visibility - Most police departments recommend shrubs be cleared from near doorways to reduce the chance of a burglar being hidden from public view.

Home security

Burglar alarm

Burglar (or intrusion), fire and safety alarms are found in electronic form today. Sensors are connected to a control unit via either a low-voltage hardwire or narrowband RF signal, which is used to interact with a response device. The most common security sensors indicate the opening of a door or window or detect motion via passive infrared (PIR). In new construction, systems are predominantly hardwired for economy, while in retrofits wireless systems may be more economical and certainly quicker to install. Some systems are dedicated to one mission; others handle fire, intrusion, and safety alarms simultaneously. Sophistication ranges from small, self-contained noisemakers to complicated, multi-zoned systems with color-coded computer monitor outputs. Many of these concepts also apply to portable alarms for protecting cars, trucks or other vehicles and their contents (i.e., "car alarms"). See also fire alarm control panel for specific fire system issues. Burglar alarms are sometimes referred to as alarm systems; see burglar alarm control panel for a discussion of hard-wired burglar alarm system design.

System connections

The trigger signal from each sensor is transmitted to one or more control units either through wires or by wireless means (radio, line carrier, infrared). Wired systems are convenient when sensors (such as smoke detectors) require power to operate correctly; however, they may be more costly to install. Entry-level wired systems utilize a star network topology, where the panel is logically at the center and every device "home runs" its wire back to the panel. More complex panels use a bus network topology, where the wire is basically a data loop around the perimeter of the facility and has "drops" for the sensor devices, each of which must include a unique device identifier integrated into the sensor device itself. Wired systems also have the advantage, if wired properly, of detecting tampering with the wiring connections. Wireless systems, on the other hand, often use battery-powered transmitters, which are easier to install but may reduce the reliability of the system if the sensors are not supervised or the batteries not maintained. Depending on distance and construction materials, one or more wireless repeaters may be required to get the signal reliably back to the alarm panel. Hybrid systems utilize both wired and wireless sensors to achieve the benefits of both. Transmitters or sensors can also be connected through the premises' electrical circuits to transmit coded signals to the control unit (line carrier). The control unit usually has a separate channel or zone for burglar and fire sensors, and better systems have a separate zone for every different sensor, as well as internal "trouble" indicators (mains power loss, low battery, wire broken, etc.).

Alarm connection and monitoring

The desired result of an alarm system is to cause an appropriate alarm output and response when the sensors indicate the valid conditions for triggering of the alarm. The ability of the panel to communicate back to the monitoring center is crucial to the concept of monitoring, and it is often overlooked or downplayed.

Depending upon the application, the alarm output may be local or remote or a combination. Local alarms do not include monitoring, though may include indoor and/or outdoor sounders (e.g. motorized bell or electronic siren) and lights (e.g. strobe light) which may be useful for signaling an evacuation notice for people during fire alarms, or where one hopes to scare off an amateur burglar quickly. However, with the widespread use of alarm systems (especially in cars), false alarms are very frequent and many urbanites tend to ignore alarms rather than investigating, let alone contacting the necessary authorities. In short, there may be no response at all. In rural areas (e.g., where nobody will hear the fire bell or burglar siren) lights or sounds may not make much difference anyway, as the nearest responders could take so long to get there that nothing can be done to avoid losses.

Remote alarm systems are used to connect the control unit to a predetermined monitor of some sort, and they come in many different configurations. High-end systems connect to a central station or responder (e.g., police, fire, medical) via a direct phone wire (or tamper-resistant fiber optic cable), and the alarm monitoring includes not only the sensors, but also the communication wire itself. While direct phone circuits are still available in some areas from phone companies, because of their high cost they are becoming uncommon. Direct connections are now most usually seen only in Federal, State, and Local Government buildings, or on a school campus that has a dedicated security, police, fire, or emergency medical department. More typical systems incorporate a digital telephone dialer unit that will dial a central station (or some other location) via the Public Switched Telephone Network (PSTN) and raise the alarm, either with a synthesized voice or increasingly via an encoded message string that the central station decodes. These may connect to the regular phone system on the system side of the demarcation point, but typically connect on the customer side ahead of all phones within the monitored premises so that the alarm system can seize the line by cutting off any active calls and call the monitoring company if needed. Encoders can be programmed to indicate which specific sensor was triggered, and monitors can show the physical location (or "zone") of the sensor on a list or even a map of the protected premises, which can make the resulting response more effective. For example, a water-flow alarm coupled with a flame detector in the same area is a more reliable indication of an actual fire than just one or the other sensor indication by itself. Many alarm panels are equipped with a backup dialer capability for use when the primary PSTN circuit is not functioning. The redundant dialer may be connected to a second phone line, or a specialized encoded cellular phone, radio, or internet interface device to bypass the PSTN entirely, to thwart intentional tampering with the phone line(s). Just the fact that someone tampered with the line could trigger a supervisory alarm via the radio network, giving early warning of an imminent problem (e.g., arson). In some cases a remote building may not have PSTN phone service, and the cost of trenching and running a direct line may be prohibitive. It is possible to use a wireless cellular or radio device as the primary communication method. There is controversy within the alarm industry as to the usage of the Internet as a primary signaling method, due to the twin issues of the immediacy and urgency of an alarm signal, and the lack of quality of service within the current design of the public internet.

Monitored alarms and speaker phones allow for the central station to speak with the homeowner and/or intruder. This may be beneficial to the owner for medical emergencies. For actual break-ins, the speaker phones allow the central station to urge the intruder to cease and desist as response units have been dispatched.

The list of services to be monitored at a Central Station has expanded over the past few years to include: Intrusion Alarm Monitoring; Fire Alarm & Sprinkler Monitoring; Critical Condition Monitoring; Medical Response Monitoring; Elevator Telephone Monitoring; Hold-Up or Panic Alarm Monitoring; Duress Monitoring; Auto Dialer tests; Open & Close Signal Tracking, or Supervision; Open & Close Reporting; Exception Reports; and PIN or Passcode Management. Increasingly, the Central Stations are making this information available directly to end users via the internet and a secure log-on to view and create custom reports on these events themselves.

Alarm response

Depending upon the zone triggered, number and sequence of zones, time of day, and other factors, the monitoring center can automatically initiate various actions. They might be instructed to call the ambulance, fire department or police department immediately, or to first call the protected premises or property manager to try to determine if the alarm is genuine. They could also start calling a list of phone numbers provided by the customer to contact someone to go check on the protected premises. Some zones may trigger a call to the local heating oil company to go check on the system, or a call to the owner with details of which room may be getting flooded. Some alarm systems are tied to video surveillance systems so that current video of the intrusion area can be instantly displayed on a remote monitor, not to mention recorded.

The first video home security system was patented (patent #3,482,037) on December 2, 1969 to Marie Brown, an African American inventor. The system used television surveillance.

Access control and bypass codes

To be useful, an intrusion alarm system is deactivated or reconfigured when authorized personnel are present. Authorization may be indicated in any number of ways, often with keys or codes used at the control panel or a remote panel near an entry. High-security alarms may require multiple codes, or a fingerprint, badge, hand-geometry, retinal scan, encrypted response generator, and other means that are deemed sufficiently secure for the purpose.

Failed authorizations should result in an alarm or at least a timed lockout to prevent "experimenting" with possible codes. Some systems can be configured to permit deactivation of individual sensors or groups. Others can also be programmed to bypass or ignore individual sensors (once or multiple times) and leave the remainder of the system armed. This feature is useful for permitting a single door to be opened and closed before the alarm is armed, or to permit a person to leave, but not return. High-end systems allow multiple access codes, and may even permit them to be used only once, or on particular days, or only in combination with other users' codes (i.e., escorted). In any case, a remote monitoring center should arrange an oral code to be provided by an authorized person in case of false alarms, so the monitoring center can be assured that a further alarm response is unnecessary. As with access codes, there can also be a hierarchy of oral codes, say, for a furnace repairperson to enter the kitchen and basement sensor areas but not the silver vault in the butler's pantry. There are also systems that permit a duress code to be entered and silence the local alarm, but still trigger the remote alarm to summon the police to a robbery.
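A small model of the code handling described above, as an added example that is not part of the original page: it combines the time-limited access right from the electronic access control paragraph (0700 to 1900, Monday through Friday, expiring after 90 days) with the timed lockout and the duress code. The class names, the three-failure threshold, the five-minute lockout and the PINs are assumptions chosen for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass(frozen=True)
class AccessCode:
    pin: str                 # kept in clear only to keep the example short
    weekdays: frozenset      # Monday=0 ... Sunday=6
    start: time
    end: time
    expires: datetime
    duress: bool = False

    def permits(self, now):
        """True if the code is unexpired and inside its day and time window."""
        return (now < self.expires and now.weekday() in self.weekdays
                and self.start <= now.time() < self.end)

class Panel:
    MAX_FAILURES = 3                   # assumed threshold
    LOCKOUT = timedelta(minutes=5)     # assumed lockout length

    def __init__(self, codes):
        self.codes = list(codes)
        self.failures = 0
        self.locked_until = None

    def enter(self, pin, now):
        """Return (local_result, signal_to_monitoring_center)."""
        if self.locked_until is not None and now < self.locked_until:
            return ("locked_out", None)    # entries are ignored during lockout
        # compare_digest avoids leaking how many leading digits were right.
        matches = [c for c in self.codes if hmac.compare_digest(c.pin, pin)]
        code = matches[0] if matches else None
        if code is None or not code.permits(now):
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.failures = 0
                self.locked_until = now + self.LOCKOUT
                return ("locked_out", "tamper")
            return ("rejected", None)
        self.failures = 0
        # A duress code looks like a normal disarm locally but alerts remotely.
        return ("disarmed", "duress" if code.duress else None)

# Constructed sample data: one scheduled code and one duress code.
ISSUED = datetime(2007, 10, 1)
ALWAYS = dict(weekdays=frozenset(range(7)), start=time.min, end=time.max)
CODES = [
    AccessCode("4812", frozenset(range(5)), time(7), time(19),
               ISSUED + timedelta(days=90)),
    AccessCode("4813", expires=datetime.max, duress=True, **ALWAYS),
]
```

A wrong PIN and a valid PIN used outside its window are treated identically, so repeated attempts with an expired or off-hours code also lead to the lockout and the tamper signal.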

Fire sensors can be "isolated", meaning that when triggered, they will not trigger the main alarm network. This is important when smoke and heat are intentionally produced. The owners of buildings can be fined for generating false alarms that waste the time of emergency personnel.

False / no alarms

System reliability can be a problem when it causes nuisance alarms, false alarms, or fails to alarm when called for. Nuisance alarms occur when an unintended event evokes an alarm status by an otherwise properly working alarm system. A false alarm also occurs when there is an alarm system malfunction that results in an alarm state. In all three circumstances, the source of the problem should be immediately found and fixed, so that responders will not lose confidence in the alarm reports. It is easier to know when there are false alarms, because the system is designed to react to that condition. Failure alarms are more troublesome because they usually require periodic testing to make sure the sensors are working and that the correct signals are getting through to the monitor. Some systems are designed to detect problems internally, such as low or dead batteries, loose connections, phone circuit trouble, etc. While earlier nuisance alarms could be set off by small disturbances, like insects or pets, newer model alarms have technology to measure the size/weight of the object causing the disturbance, and thus are able to decide how serious the threat is, which is especially useful in burglar alarms.