Do villains care about biometrics?

Inadequate biometrics systems could be creating a false sense of security in banks, security estates and office blocks, and in effect rolling out a red carpet to criminals.

By Marius Coetzee, Managing Director of leading identity fraud solutions provider Ideco

Biometrics-based security devices, in particular fingerprint readers, are now widely in use across South Africa. But in many cases, they could be creating a false sense of security among enterprises, and worse – serving to enable criminal activities.

This is because not all fingerprint readers are created equal. Although all fingerprint readers use minutiae points to match fingerprints, not all have the ability to detect the difference between real minutiae of a fingerprint and spoofed minutiae. Typically, enterprises investing in fingerprint readers believe the biggest risk facing them is a scenario in which a fraudster or criminal replicates someone else’s finger or fingerprint, and uses it to gain access to a premises or to authenticate their identity. But because most fingerprint readers are manned by cashiers, tellers or security guards, the chances are slim that the fraudster will have an opportunity to introduce an entire fake finger into the process unnoticed.

A lesser known risk, and one far easier for villains to employ, is to fake or ‘spoof’ minutiae. The simplest methods are simply to wind thin thread around the fingertip, or to introduce a series of cuts to the fingerprint. This creates scores of new minutiae points, increasing the risk that the spoofed fingerprint will be a close enough match to that of an authorised person on the estate or bank database. No one should underestimate the ingenuity of criminals – they know the reader uses minutiae points to match them against a profile, and they also know that by introducing a lot of false minutiae points, they will increase the chances of their matching an existing profile on the system. Only the most advanced technology has the ability to differentiate between typical cuts and true minutiae to determine whether a fingerprint has been spoofed or not.

Performance requirements and consequential recourse

Another major risk lies in the fingerprint system’s performance and standards: in many cases, the images they produce are of a low quality and characterised by noise, or they simply do not meet the standards required by law enforcement agencies and courts. This means that in the case of fraud or a criminal opening a bank account using such a fingerprint reader, the biometric records and images generated cannot be processed against the SAPS criminal record system, or indeed most international law enforcement systems.

Equally concerning is the fact that these systems produce images that are of a quality too poor to be admissible as evidence in a court of law. The mere fact that many fingerprint readers used today are not compliant to international standards for evidence and criminal investigation defeats the entire objective of using fingerprints for proof of identity in the FICA or RICA process.

Inadequate biometrics-based identification and security systems therefore, could not only give villains access to accounts and assets; they could also help them to avoid prosecution.

Organisations need be very careful in their choice of biometric devices deployed for customer identification, security and protection of assets, to ensure they are compliant with all key standards and legislation, and that the systems deliver the security they promise.

When selecting systems, organisations need to ask:

–          Is it fit for purpose at the site, and for effective governance, risk and compliance?

–          Does it fully adhere to regulatory requirements from the process of taking the customer aboard through to post-event audits?

–          Can it be spoofed by added minutiae caused by thread, cuts, wrinkles and blisters?

–          Does the technology discard false minutiae and only process true minutia?

–          Is the data collected by the device, including all records and images, fully compliant to all international standards?

–          Can this data be processed against the SAPS criminal record system?

–          Is this data accepted as evidence in a court of law?

Always remember that mass adoption does not constitute great technology, but rather great sales effort. A simple “show me how accurate it is”, is always recommended.

Posted in Ideco News

Identity ecosystem must learn from banks’ example

There are clear parallels between the development of financial services and identity verification ecosystems, but the identity ecosystem has to take urgent steps to catch up with the banking ecosystem.

By Marius Coetzee, Managing Director of leading identity fraud solutions provider Ideco

The recent high-profile identity data breaches in South Africa are symptomatic of the overall chaos the identity ecosystem currently finds itself in. Lacking a cohesive strategy, an interlinked architecture and a comprehensive regulatory framework, most organisations have been building their own identity verification databases in isolated pockets, using a variety of data sources, standards and protocols.

But in a rapidly digitising world, the identity environment has to take urgent steps to consolidate, regulate and order the ecosystem, before trust is seriously compromised and irreparable damage is caused.

The identity verification environment is developing along much the same lines as banking developed over the years: moving from a handshake to a paper-based token, to a smart card and now to an Identity 4.0-type model, pioneered in South Africa by identity solutions leader Ideco, where a digital token will serve as trusted identity assurance. But the banking sector is far advanced in managing its trusted financial transactions. With the input of self-regulatory bodies, a stringent regulatory framework in place, and a cohesive integrated ecosystem, digital banking systems are a trusted and effective means of connecting the issuer, acquirer and account owner to authorise a secure transaction in real time, anywhere in the world, and with a clear audit trail.

In the broader identity management ecosystem, however, disparate systems still operate in siloes, with legislation and regulations drafted in a reactive manner, and no collective, smart method of facilitating responsible identity information within a trusted ecosystem that allows customer identities to be verified on a global basis without risk to the owner of the identity.

Amid rising customer expectations for secure, seamless, omni-channel engagement, businesses have been compelled to develop their own identity management systems to remain compliant, deliver on customer expectations and mitigate fraud, cyber threats and reputational risk. Identity solutions today are typically driven by vendors and manipulated by available technology. What seems to be an asset has possibly become organisations’ the largest governance, risk and compliance challenge today.

Several factors stand in the way of a cohesive identity verification ecosystem, including legacy frameworks, regulatory requirements and the current thinking that the State owns identities. Changing times and spiralling cyber crime mean action must be taken fast and traditionally, government organisations adapt slowly to change.

While the Department of Home Affairs is the custodian of identity for citizens, for transactional purposes we will likely see the emergence of a small number of trusted, bank-like organisations serving as identity clearing bureaus, although these organisations will have to generate sufficient revenue to be sustainable.

There is also a move in the world for self-sovereign identities, in which consumers will take responsibility for their own identities. However, a trusted authority will still be needed to underwrite that identity.

By following the example set by banks, the identity verification industry should enable the consumer to entrust a custodial organisation with their identity, while retaining ownership over that identity. A cohesive ecosystem must then be enabled to facilitate transactions with an approved acquirer, validated by the issuer but under the control of the identity owner.

To set the foundations of this system in place, urgent steps must be taken to assess how the financial industry is regulated, using the banking environment as a benchmark. Ideco is taking the lead in developing world-first solutions to support the development of this next-generation identity ecosystem, including advanced new identity switching mechanisms and real-time digital identity authentication solutions.  In addition, stakeholder will need to move towards consolidated standards and a sound regulatory framework must be established in collaboration with lobbying and self-regulating industry bodies, to establish a trusted identity framework for the future.

Posted in Ideco News

The greatest asset every person has is his or her identity

Who you are, where you come from, what work you do and where you live are some of the most common questions being asked when meeting a stranger for the first time. And based on these few questions one will form an opinion of your identity and most likely relate to you accordingly.

You can learn even more about the identity by looking at their digital footprint. A quick search on Google, Facebook, Twitter or the like and you have access to a terrifying amount of additional data that defines that person. These technological giants touch almost every part of our existence and continuously harvest vast amounts of data about each one of us. Stitching all these touch points together, they form an accurate profile of your identity without you even being aware of it.

This fuels the never-ending debate between what is personal information and what is private, what is intimate and what is public knowledge? Most of us believe that all our personal data should be regarded as private but with the same conviction we hand out hundreds of business cards with personal information.

Identity is basically defined as whatever makes an entity definable, unique and recognizable. Every person has multiple traits that define them and it is the collective sum of all these traits that makes each one of us a uniquely definable giving each person a unique identity of our own. To manage all of this, governmental identity schemes will assign a unique identity number to each of their citizens.

It is also important to ask the question: What influences the identity? There are obviously some absolutes (such as place of birth, family, gender, etc), but in many cases people find their identity in their association, religion, education and even their property or assets. There are many benefits in having an official and verifiable identity. According to the World Bank, the main advantages for citizens can be summarised as electoral participation, educational opportunities, health and social welfare, banking and economic inclusion.

Trust is however the most valuable attribute of any identity and it is estimated that 94% of all identity verifications are based on visual verification. In other words, if the person looks like the picture presented in the identity document, it is assumed to be the same person. This is why in most cases, proof of identity requires a copy of the identity document and this is exactly where the risk of identity fraud starts.

It is virtually impossible for any individual to “own” his or her identity, if there are hundreds of organisations who deals with a person in his lifetime, each requiring copies of this identity.  The question also remains, how much trust can be associated with this copy if the identity document, even if a Commissioner of Oath certifies it.

The Ideco Identity-as- a-Service (IDaaS) ecosystem offers next generation identity assurance, designed to deliver fraud-proof trusted identity authentication, confirmed with a digital certificate of authenticity in seconds. When this service is used at point of contact with the customer, full trust in the identity is established without any privicy risk to the owner of the identity.

Tagged with: , ,
Posted in Ideco News

New head for Technology Innovation Expert Group

Ideco Biometric Security Solutions director Francois Vermeulen has been appointed as the new head of the Technology Innovation Expert Group (TIEG) for the Biometric Institute. The Group focuses on the provision of accurate and unbiased technical information, training and education to the board and members of the Biometrics Institute.

TIEG is developing a best practice guide to assist members in the implementation and selection of biometric systems. It aims to assist the market with the responsible use and implementation of biometrics.

“The Biometrics Institute is playing a key role with regards to responsible use and implementation of biometrics. I believe that we need to assist the market in harmonising biometric enrolment processes where possible, to stop the continual re-enrolment of the same biometric with numerous entities,” says Vermeulen.

“Continual awareness around biometric image quality standards is essential in today’s environment. Especially with the introduction of new modalities, educating the market in standards becomes essential,” he adds.

With many modalities still in their infancy, the misuse and wrong implementation can cause serious harm, not only to the specific biometric utilised but also to the biometric industry as a whole.

“Over the past year, there has been a significant number of advances in technology and innovation in regards to the use and application of biometrics. This can mostly be attributed to the rapid adoption of biometrics in consumer products, ranging from iris identification in mobile phones to advances in the enrolment of infant fingerprint capturing devices,” he explains.

Vermeulen says there is a drive in the market toward the enrolment and utilisation of multiple modalities for the purpose of verification, identification and creation of foundational registries. “This not only provides the added advantage of additional security but also starts to cater for cases where some biometrics may not be present for a person.”

Governments now require equipment that can cater for the generation of foundational registers containing multiple biometric modalities, leading to advances in enrolment equipment. There is currently multimodal mobile enrolment equipment which caters for as much as six biometric modalities in one device, enabling Governments to create these foundational registries and to provide services to the correct person at the correct time.

“With all the additional biometric modalities being captured by different entities, it is essential to ensure that these entities use capture devices that comply with international image quality standards and that they manage the captured biometrics in a secure and responsible manner,” he concludes.


Posted in Ideco News

Ideco strengthens security with two factor authentication

To keep abreast of latest technologies and the ever-evolving security environment, local biometrics solutions provider Ideco has announced enhanced features to its Electronic Visitor Identity Management (EVIM) solution.

The company has introduced OTP verification to protect the portal against unauthorised access and has also included an In-Out daily count on its dashboard.

EVIM is a mnew-evim-(no-background).pngobile data capture and fingerprint scanning device that reinforces security with a digital visitor register, making visitor access management quick and easy. Unlike the traditional paper-based visitor book, this ingenious device captures, registers and verifies all data in real time with the National Centre of Certified Identities (NCCI).

Ideco managing director Marius Coetzee says these new features will ensure a higher level of security. “As with any high security web site, it is essential that only authorised users have access to the password protected areas of the site.”

“We have therefore introduced OTP verification, after entering the username and password on the EVIM web portal, an OTP will automatically be sent via SMS to the user’s registered mobile number which then needs to be entered to gain access to the web portal,” he says.

For terminals that have the ‘Direction’ function enabled, two additional counters have been introduced to the EVIM portal dashboard. These counters will display the number of people who indicated IN as well as the number of people who indicated OUT on the current day.

A growing number of business parks and residential estates are deploying Ideco’s EVIM solution to improve access security and enhance the overall effectiveness of existing services. Not only does EVIM enhance the visitor handling process, it also minimises the risk for criminal behaviour associated with identity fraud and provides improved accountability.

“EVIM gives a whole new meaning to keeping a competent visitor register. This is a fantastic opportunity for gated communities and organisations to implement visitor management within their existing access control systems. At the same time, security at access points can now provide truly effective access control,” he concludes.

For more information contact Ideco on 086 104 3326 (IDECO) or visit

Posted in Ideco News

New solution to beat Identity Theft The Future of Who I AM

Some experts call biometrics the answer to identity theft. Biometric verification is a process of identity authentication that is used to confirm identity through uniquely detectable biological traits and may be an effective tool in the war on crime.

With the drastic rise of identity theft, it has become more difficult to prevent unauthorised access to information resources and installations. Methods of positively verifying and authenticating people may mitigate the current identity theft crisis.

However, to combat this ever growing threat, Ideco is launching its new all-in-one mobile biometrics unit in South Africa. The Biometric Identity Management System (BIMS) enables biometric identification across a range of modalities, from fingerprint through to iris scanning.

BIMS is highly mobile, readily configurable and can be rolled out rapidly in any environment requiring agile identification and processing of crowds. It is capable of six biometric modalities and delivers a full range of connectivity options including Bluetooth, WiFi, GSM, GPS, LAN and Cloud. It is encapsulated in a device the size of a ruggedised laptop.

Ideco CEO Marius Coetzee says most biometric systems on the market today only offer single factor authentication. “Until now, no one could deliver six modalities in a single portable device, which can be used in any configuration for multiple levels of identification, as well as integrating into existing enterprise systems quickly and easily.”

Although technology has been a scapegoat for many identity thefts, in many ways technology has provided some of the most solid defenses against the rising tide of identity theft. Fingerprints and facial recognition are becoming the new tools for banks and retailers to fight credit-card fraud.

Coetzee says there was a need for an eminently configurable, mobile advanced biometrics identification unit. “BIMS is unlike any other solution currently on the market for biometric user identification and access control. It enables agile, rapid roll-out of advanced biometrics-based solution; and has relevance for both the public and private sector across any number of verticals.”

Multi-functional and uniquely configurable, the unit has been designed to the world’s most stringent hardware and software security standards, and harnesses intelligent power management for prolonged battery life of up to 12 hours.

BIMS’ mobile and uniquely configurable abilities facilitate both identity enrolment and identity validation efficiently, securely and authentically at any place, any time. With the intelligent use of APIs, the solution can be integrated with any backend system. This is a world first multi-modal, multi-functional, uniquely configurable mobile identity management solution.



Posted in Ideco News

SA innovator takes on the world

BIMS and its supporting system were designed and built in South Africa at a cost of over R20 million in R&D and two and a half years of man-hours by a team of skilled software and firmware developers and engineers.

Ideco says there is a huge global interest in this configurable, mobile advanced biometric identification solution. BIMS enables biometric identification across a range of modalities – from fingerprint through to iris scanning – as well as being highly mobile and readily configurable. It can be rolled out rapidly in any environment requiring agile identification and processing of crowds.

It is capable of six biometric modalities and delivers a full range of connectivity options, including Bluetooth, Wi-Fi, GSM, GPS, LAN and cloud. Multi-functional and configurable, the unit has been designed to the world’s most stringent hardware and software security standards, and harnesses intelligent power management for prolonged battery life of up to 12 hours.

Ideco CEO, Marius Coetzee, says there is already a massive interest in BIMS. “We specifically chose this event for the launch because BIMS is a solution of international significance. It is unlike any other solution currently on the market for biometric user identification and access control.”

The need for secure and authentic identity management has reached crisis proportions globally, with demand for advanced, agile and multi-modal biometric identity management. Coetzee says most of the systems currently on the market offer single factor authentication. “Until now, no one could deliver six modalities in a single portable device, which can be used in any configuration for multiple levels of identification, as well as integrating into existing enterprise systems quickly and easily.”

BIMS enables agile, rapid roll-out of advanced biometrics-based solutions and has relevance for both the public and private sector across any number of verticals. With the intelligent use of APIs, the solution can be integrated with any backend system.

For more information contact Ideco, 086 104 3326 (IDECO),

Posted in Ideco News