Biometrics And Computer Forensics


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Identity theft is not a new crime in today’s world; in fact, it is one of the fastest growing forms of crime in the United Kingdom and the rest of the world. In 2012, identity theft and identity fraud cost the UK economy around £2.7 billion. The main risk arising from identity theft is that criminals are able to use your information to make gains for themselves. This ranges from taking out loans in your name, opening bank accounts and setting up contracts with companies to using your details to get utilities and benefits or government documentation such as a passport or driving licence. This risk is clearly not acceptable: people’s identities deserve to be protected, and more should be done to counter it by the government, police and other government agencies, along with corporations, banks and other businesses.

This dissertation was undertaken due to the fact that I’m currently studying a computer forensics course and I wish to further my knowledge on identity theft particularly related to two subjects, one being biometrics and the other being computer forensics. From studying and carrying out my own research, I will be able to write up my own research, giving my opinion on how both of these topics can move forward.

1.1 Hypothesis

My hypothesis for this topic would be that I expect to discover the ins and outs of how biometrics can be used to counter identity theft, along with the weaknesses biometrics presents. Secondly, I expect to discover the ways in which computer forensics can be used to discover whether or not identity theft has actually been carried out, with the objective being to clear the victim’s name and allow them to get back to a normal life if it is indeed the case. I also plan to survey several groups to gain their knowledge of identity theft and how big an issue it is throughout the United Kingdom, along with coming up with my own ideas on how identity theft awareness could be improved, as well as suggesting improvements upon the current issues surrounding biometrics and computer forensics related to identity theft.

I believe that the person/s reading this dissertation will benefit from my investigations along with some members of the general public (those who I intend to survey) as I will be able to inform them of certain aspects of identity theft that they may not know about, thus, their awareness will be increased and this will hopefully lead to them being a lot safer with their personal details.

This dissertation will contribute to what is already known by those who investigate identity theft by expanding on many key elements of it, providing suggestions regarding how current methodologies could be improved on, as well as expanding on how biometrics could be used in this field and how computer forensics analysts go about investigating identity theft.

1.2 Aims and objectives

The aims of the dissertation are:

The objectives of my dissertation are to research and study identity theft in the United Kingdom, the statistics, the warning signs that people should look out for and the currently available counter measures (along with general awareness); to create a survey in which I can gather accurate data regarding people’s knowledge of identity theft and the information surrounding it; and to investigate how biometrics and computer forensics can be used to combat and even counter identity theft in today’s world. I will also discuss identity theft that occurs in the real world; however, this will be a brief section compared to the online and computer related sections of my dissertation. I will also highlight the scale of identity theft and provide a thorough review of the literature and recent advances in identity theft prevention.

1.3 Scope

The scope for this dissertation, as stated before, will focus specifically on biometrics and how they can be used to try to counter and nullify the threat of identity theft, along with computer forensics and how the techniques involved can be used to catch identity criminals and clear innocent victims’ names, thus enabling them to return to a normal, trouble-free life. I feel that in carrying this research out, I will be much more prepared for the industry which I plan to enter after university; the more knowledge I have now, the easier it will be for me to work with colleagues to catch these types of criminals in the future. The limits imposed in relation to this dissertation were virtually non-existent. I specifically chose to go down the route of identity theft related to computer forensics due to the reasons stated above, along with the topic being a highly interesting one to research and study.

I am looking to resolve this identity theft problem by improving awareness amongst those who I survey (this data will be collected, analysed thoroughly and presented in a table or graph of some sort) by providing them with statistical knowledge, introducing facts to them about identity theft and how common it really is in the United Kingdom and the rest of the world. I will also introduce to them the method of biometrically capturing our identities and how in the future this will be a likely means of protecting our identities along with travelling. I will also explain to them that if they ever become a victim of identity theft online, that there are computer forensics specialists who are able to investigate how it came about. In doing so, I will also be able to provide the people I survey with knowledge on how to protect themselves both in the physical world and in the online world against identity thieves. I plan to go about gathering this information about people’s awareness of identity theft by creating an online survey using a service such as Surveymonkey or similar.

Of course, as with any study, there will be limitations from my survey, the primary one being that people may not decide to even carry it out or begin filling it in, only to become bored of it and not finish it. I must ensure that the survey I create is concise, accurate, to the point and easy to follow. In doing so, I will be able to gather a lot of information from multiple users.

1.4 Roadmap

The remainder of this dissertation is structured as follows:

Chapter 2 provides the necessary background to aid the reader with the interpretation of the rest of the dissertation. In particular, the chapter considers types of identity theft and provides an overview of biometrics and computer forensics. Chapter 3 then provides a literature review which describes current practices and state of the art developments. Chapter 4 will provide an analysis of the problem at hand and the requirements needed to resolve it. Chapter 5 will discuss the proposed methodology or artefact and discuss how the current identity theft problems and issues could be resolved. Chapter 6 will discuss the conclusions and further work (survey) and show how much interest people have in identity theft and whether or not they realise it is a massive risk in our lives.

2.0 Background:

From the readers’ perspective, I am assuming that the person(s) who are reading this paper are entirely unaware of the risks that identity theft poses to the worldwide society, especially in this modern, digital age. The risk from identity theft is always around us: whenever we are shopping online or out in public using ATMs and point-of-sale machines, and even whenever we throw out our rubbish for the council to collect. Criminals and computer hackers have been coming up with more and more ingenious ways of acquiring identities along with the more classic forms of identity theft.

Therefore, government, government agencies, police forces, corporations and civilians have had to come up with ideas and methods with which to protect themselves against the risk of identity theft. Two of these methods, which I am going to discuss in this dissertation, are biometrics and computer forensics; both have their own positives and negatives, and these will be discussed also.

2.1 Types of Identity Theft

To begin with, we must discuss the multiple forms of identity theft, their weak points and how one can go about countering the risk that they pose. There is a multitude of ways that identity theft criminals can gather personal information about one to carry out identity fraud in the offline world; I will compose a list of these different types along with a brief description below:

Thievery of wallet or purse – A wallet or purse contains a lot of important and valuable information about our personal lives: debit or credit cards, driving licence, any other form of identity, national insurance card, membership cards and, of course, money. It is imperative that if your wallet or purse is stolen you contact the correct authorities and entities such as your bank, HMRC and your local police force. Thievery usually occurs when the carrier of the wallet or purse is too careless in carrying it: they display their wallet in view of the public or keep it in a backpack or pouch, which makes it easy for thieves to steal. The solution to this problem is a relatively simple one: the carrier must keep the wallet or purse in a secure place such as their front pocket, or somewhere it will be monitored at all times such as a handbag.

Bin sweeping – One of the most common forms of identity theft, bin sweeping involves thieves rummaging through your bins and rubbish to seek out personal information such as letters from banks, bills, receipts (which have debit/credit card information on them), old passports or other forms of identity, and personal letters. In more recent times, old computers, mobile phones and other electrical equipment can also be found by these thieves and used to gather personal information about the previous owner/s. Bin sweeping can only be an effective method of identity theft if home owners do not destroy their personal information. A lot of people still do not shred their personal information before throwing it out in the rubbish, which can lead to identity theft if bin sweepers are able to seize a utility bill or bank statement. The solution to this issue is to either not throw out documents that contain sensitive information, shred all personal letters or burn letters which contain personal information.

Card skimming – Card skimming is a means of copying your debit/credit card information via the use of a special device which is usually unrecognisable to the untrained eye. This form of identity theft usually occurs in public areas, for example when paying for a meal in a restaurant or paying for fuel at a petrol station. Criminals will interfere with one or multiple card readers by taking the reader apart and inserting the special device inside it before putting it back together. Now all the criminals have to do is stay close to the targeted card reader and wait for unsuspecting victims to use the machine; once they insert their card, the information stored on it will be transmitted wirelessly back to the criminal’s laptop, smart phone or electronic storage device. These details can then be used to access your bank account and the criminal can then proceed to order new credit cards, change account details, increase overdrafts or take out loans. Card skimming usually occurs in a public area such as a restaurant or petrol station, where the card is taken from the holder and placed under a counter or taken to the back to ‘process’ the payment; this happens more than people think and it is one of the biggest causes of identity theft. Countering card skimming is quite simple: card holders should ensure that their cards are not taken out of their sight, so that the person carrying out the transaction cannot interfere with the portable credit/debit card reader before they enter their PIN.

Mail interception – This is quite a simple one and will usually occur if one lives in a shared accommodation building such as student halls or a flat complex. Since all the mail is delivered to one central area, neighbours can intercept and read your mail and thus obtain your personal information or even your identity. The same thing can occur if you do not inform Royal Mail, your bank and utility companies that you have moved from one address to another. Many victims of this form of identity theft are people who, as mentioned above, have moved house, or people that have passed away. The main weakness that mail interception exploits is that all the mail is delivered to one centralised area. To correct this, home owners should ensure that if they move home they have all of their mail redirected to their new address; however, some companies, due to sheer stupidity, refuse to update their administration and thus mail is still sent to the previous address.

Unsought phone calls – These phone calls usually come in the form of an identity thief pretending to be someone from a company you buy goods or services from, such as your telephone company, your bank or your digital television provider. Again, it is most likely that people who are unaware of the risks of identity theft, such as elderly people, will be targeted for these sorts of scams. The weakness in relation to unsought phone calls is that the person receiving the call does not understand that identity thieves are making these calls in order to gather information by pretending to be genuine callers (such as Sky, BT, Virgin and the like). Of course, it can be hard for the person receiving the call to tell the difference between a genuine caller and a scam. Therefore, in order to correct this, we should educate people that these types of scams occur almost daily. To combat these scams we can ask the callers questions which only a genuine representative of the said company would know; alternatively, we can ask to speak to their branch or administration manager before proceeding with the remainder of the call.

Data breaches – This form of identity theft is completely beyond our control. Data breaches may occur in companies that hold valuable information about us, such as our name, address details, passport number, credit/debit card details, date of birth and much more. Hackers can attack specific companies with the idea of stealing some if not all of the details of the companies’ customers or users to use for their own benefit. An example of this would be the attack on the PlayStation Network in April 2011 or the recent attack on U.S. banks. Unfortunately, this method of identity theft is hard for the average person to combat because it is down to the businesses who hold this information to ensure that they retain it in a secure and safe format. Of course businesses can be hacked and have information stolen; however, businesses should have adequate protection in place to prevent being hacked, such as firewalls and encryption software, which will make it harder for the information of their customers to be stolen and maliciously used in the future.

Shoulder surfing – This simply involves one person glancing over your shoulder whilst you are filling out important information about yourself. It has been made much easier over the past ten years thanks to the creation of mobile phones with cameras along with small, portable video cameras. Shoulder surfers can now take photos of important documents whilst you are filling them out (documents such as a passport update or a medical update) or photos of your credit/debit card. The weakness in relation to shoulder surfing is that it can be hard to combat, because we will not be looking over our shoulders whilst filling out documentation which must be 100% accurate (due to having to fill in bank details or similar). We will be completely focused on ensuring the information is accurate, and this presents shoulder surfers with the perfect opportunity to make a mental note or take a photo or video of our details. To combat this, we should always fill out documentation such as that mentioned above in a secluded area where there is no one else, such as a workstation or even in our homes.

Card overlays – This method is very similar to the card skimming idea, however, this time it involves tampering with ATMs instead of card readers found in restaurants or shops. Overlays are devices which look almost identical to the standard ATM faceplate. These overlays are placed over the ATM faceplate and just like the card skimmers, the criminals will stay in a nearby area with a wireless device or laptop connected to the transmitter in the overlay which will begin transmitting unsuspecting users’ credit/debit card details as soon as they insert their card into the overlay. Criminals could gather hundreds, if not thousands of credit/debit card details over the space of a couple of days and use these details for their own gain. These details can then be used to access your bank account and the criminal can then proceed to order new credit cards, change account details, increase overdrafts or take out loans. As stated so often before, the weakness with most identity theft including card overlays is that most people do not understand the risks that are being presented to them or they choose to ignore them. The key to preventing card overlay identity theft is to educate ATM users on how to properly examine the ATM before inserting their card; this involves checking above the ATM for cameras, checking the keypad to see if it’s loose or not and finally to check whether the card reader is loose or not. If any of these three occur it is strongly advised not to use the specific ATM.

Impersonation of the dead – Another form of identity theft is impersonation. In many cases this involves illegal immigrants seeking the legal right to live in the country they have emigrated to by impersonating people who have died (usually babies or children who died when they were very young). They can then pretend to be this person and use their name to gain access to all sorts of credit, credit/debit cards, loans, legal application forms (medical, passport) and the like. For example, one could go to a cemetery and find a grave in which the deceased passed in 1991, as this would match my current age; then I could use that name and create myself an entirely new identity. This can be a hard one to combat because there is no way to monitor a graveyard to check for people trying to impersonate the dead. If impersonation of the dead does occur, there is also no way in which the family would be notified, because the impersonator will have no ties or communication with the family of the deceased. The only way in which identity theft could be prevented in this matter is for the family of the deceased to inform all the authorities, utility companies, banks and the like that the specific member of the family has passed away and thus will never be in contact to open an account or set up payments under the said name.

2.2 Digital Identity Theft

Identity theft is becoming a bigger and bigger problem for the general public, businesses, corporations and the governments of the world. Fraud statistics in the United Kingdom for 2011 rose 28% with a reported 236,516 frauds occurring compared to 2010. There may be many reasons for this sharp increase; however, perhaps the biggest reason is the ever-growing popularity of smartphones in today’s society. (Software, 2012) state: ‘This increase can be attributed to the emergence of the smartphone as the ‘must-have’ gadget; as it is both valuable and aspirational, and more difficult to obtain than a standard mobile phone contract due to more stringent verification and vetting procedures. Some identity fraudsters feel that there is a greater chance of getting the phone they want if they use someone else’s identity. Other more organised fraudsters attempt to obtain these devices en masse in order to sell them on.’

Due to this ever-rising level of fraud in the United Kingdom and around the world, businesses risk losing billions of pounds in theft and fines and, perhaps most crucially, the trust of their customers. Due to these losses, businesses and corporations are turning to biometrics because, in relation to the service they provide, they are quite cheap and they prove to be an attractive investment, as they ensure the business can authenticate its employees and potential customers. Biometrics uses physical human characteristics like our fingerprints, palm prints, iris patterns and voice patterns and tone. Using human characteristics allows companies and other entities (border control, airports) to positively verify a given individual. All of these characteristics will be stored electronically after they have been converted to binary code.

Of course, as with any information that is stored electronically, the threat of it being stolen remains at the same level, because all of this information will be stored in a database which a hacker could still access and steal information from; the binary coding that makes up our human characteristic information can be stolen, converted and used. Criminals will be able to attach their fingerprints and the like on to your file, which in effect allows them to become you and takes away their criminal record. This works both ways: they can also attach your fingerprint to their profile and thus frame you for any future crimes, because it is your human characteristics on file, not the criminal’s. Our biometric information cannot be lost or lent to a friend; however, can our biometric information be replaced if it is stolen, how would the specific agencies go about carrying this out, and how difficult would it prove to be?

We, along with businesses, corporations and governments, must realise that biometrics will not entirely resolve the identity theft problem found worldwide. Many protocols have been cracked by criminals in the past (wireless encryption protocols and the three digit security code found on all credit/debit cards), and criminals will eventually find a way to break the security that would protect our biometric information. Therefore, the proper care, protection and attentiveness must be implemented or else biometrics related to our identities will fail.
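One protective measure against the record tampering described in this section (a criminal attaching their fingerprint to your file, or yours to theirs), shown as an added example that is not part of the original essay: each enrolment record carries a keyed tag binding the template to one subject, so a later audit can show that a file was altered. The record layout, the function names and the placeholder template bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: the MAC key is held outside the biometric database (for example
# in a separate key store), so editing database rows alone cannot forge a tag.
MAC_KEY = os.urandom(32)  # generated per run for this demonstration


def _tag(subject_id, template, key):
    """HMAC-SHA256 over the subject identifier and the template bytes."""
    sid = subject_id.encode("utf-8")
    # Length-prefix the identifier so the id/template boundary is unambiguous.
    msg = len(sid).to_bytes(4, "big") + sid + template
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_record(subject_id, template, key=MAC_KEY):
    """Create an enrolment record whose tag binds the template to one subject."""
    return {"subject_id": subject_id, "template": template,
            "tag": _tag(subject_id, template, key)}


def audit(database, key=MAC_KEY):
    """Return the subject ids whose stored template no longer matches its tag."""
    tampered = []
    for rec in database:
        expected = _tag(rec["subject_id"], rec["template"], key)
        if not hmac.compare_digest(expected, rec["tag"]):
            tampered.append(rec["subject_id"])
    return tampered


def demo():
    """Audit a clean database and two tampered copies of it."""
    # Constructed placeholder bytes standing in for real fingerprint templates.
    alice_t, mallory_t = b"\xa1" * 64, b"\xb2" * 64
    clean = [seal_record("alice", alice_t), seal_record("mallory", mallory_t)]

    # Case 1: only the template on alice's file is overwritten.
    overwritten = [dict(r) for r in clean]
    overwritten[0]["template"] = mallory_t

    # Case 2: template AND tag are copied from mallory's row into alice's row.
    # The tag was computed for "mallory", so it still fails under "alice".
    transplanted = [dict(r) for r in clean]
    transplanted[0]["template"] = clean[1]["template"]
    transplanted[0]["tag"] = clean[1]["tag"]

    return audit(clean), audit(overwritten), audit(transplanted)


if __name__ == "__main__":
    print(demo())
```

A failed check gives an investigator evidence that the file was changed after enrolment, which is the kind of proof the wrongly identified person in the scenario above would need; it does not stop the templates themselves from being copied out of the database.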

2.3 Biometric Technology

Biometric technology has given businesses and governments some of the most concrete defence against the ever-rising threat of identity theft; governments around the world are even beginning to implement biometric cards as a method to combat and prevent illegal immigration. The real question arises when we ask ourselves: who is going to give us a new set of fingerprints, palm prints, iris patterns or voice if this information is obtained by identity thieves? In the long term, the same problems that exist now with standard forms of identity theft will reappear whenever biometrics start to become the norm. This is due to the way biometrics will work and how similar they are to the credit/debit cards of today in the way they operate.

Credit, in the financial form, is nothing more than a set of binary numbers that are stored in a bank’s computer. Whenever we are out shopping and we use our credit/debit cards, the information gets sent from the card machine to a server at our bank. If the verification is completed successfully, the shopper gets to leave with the items they have purchased; if not, the purchase cannot be completed.

Many believe that biometric security is the future and that it will provide humanity with the ultimate form of identity protection, because no two fingerprints are the same, no two voices are the same and no two sets of eyes are the same. However, biometric security will only be achievable if the details accompanying our identities are true. If identity thieves discover means to trick fingerprint scanners (which can be achieved by duplicating a fingerprint and printing it off with a laser printer), iris scanners and voice scanners into believing they are someone else, and a crime is committed, how is the ‘innocent’ person going to prove they are innocent?

Proving to the relevant authorities that you are who you say you are isn’t going to get you released, because your fingerprints or iris patterns have been used in relation to the crime. Besides, biometric databases will store information about us but will not reveal to anyone who we are. They will, however, halt us from using somebody else’s identity in the same database or system, which can only be a good thing. Criminals, on the other hand (most likely to be from third world/poorer countries), will be able to get around this by simply not being in the system, and thus they will be able to hack in, steal any amount of information and reuse it for whatever purposes they see fit.

Biometry, as stated before, is the analysis and compilation of human physical and biological characteristics. After the compilation, the information will be converted to computer format (bits) and stored in an electronic database. Biometric technology will be used in situations where there is a necessity for a person to be 100% identified and confirmed. This allows for complete verification and trust in the given situation (whether this is a transaction, passport or border control or simply to deter identity theft). The best means of ensuring people are who they say they are would possibly be to combine already existing methods (such as PINs and passports) with this new biometric technology, thus ensuring and guaranteeing people’s identities.

Biometry has been used by the United States since the 1970s and is quite commonplace in most westernised governments; it was designed with the idea of ensuring that those who gain access to homeland defence computers (which relate to nuclear silos, critical infrastructure and the like) are the correct people. Since the 1970s, governments have started to lean towards introducing biometric technology in areas outside of homeland defence, such as airports and border control.

The benefits of using biometric technologies in the future allow corporations, governments and businesses to:

Safeguard personal information stored in databases, such as customers’ details, by making users verify themselves via fingerprint, iris and facial recognition scans

Access ATMs and their bank accounts by using iris and facial recognition

Protect and use credit/debit cards to purchase shopping and other items by verifying the sale with fingerprints

Carry out and complete e-commerce and other online transactions using one of voice, iris, fingerprint or facial recognition

Complete transactions via the telephone thanks to voice recognition software

The limitations of using biometric technology are as follows:

Some groups of people or countries may believe that biometric technology and all the collection of biometric information is an incursion into privacy

The costs, though greatly reduced since the 1970s, are still high

There is also the risk that an investment into biometric technology is not a guaranteed fail safe as there is an extraordinary chance that the same identity problems that exist today can simply be replicated for biometrics

Data protection is a big issue, how is the biometric information protected?

Would biometrics be used to track people wherever they may go? If a person uses some form of biometric verification will a notification appear in the database that the verification was done in the specific place or city?

Biometric technology is not a 100% fail-proof way of correctly identifying people; there is at most a 3% failure rate when it comes to the current technology. What if we were to use voice recognition and we get a cold and our voice slightly changes: will we still be able to be verified correctly?

Businesses, corporations and governments want more advanced and secure methods of protecting the identities of their customers and their people. Biometric technology seems to be a step in the right direction as it allows for a 97% chance to positively identify and verify people. As stated before, biometric technology uses attributes that are unique to every single person, characteristics such as fingerprints, iris patterns and voice patterns.

Progress and investment are constantly pouring into the biometric technology industry, and with the multiple benefits that are apparent for all to see, biometric technology seems like it could be a major step in the right direction to slowing down or even stopping identity theft. However, as with anything, computer hackers and identity thieves will work out ways to break encryption protocols and steal people’s identities. The big issue arises if this were to happen: how would people go about clearing their name when their digital biometric information has been attached to a crime?

2.4 Computer Forensic Investigation of Identity Theft

We now move on to how computer forensics can be used in relation to identity theft, particularly identity theft that occurs on computers or other personal devices such as tablets, smart phones and the like. Below you will find a list detailing online methods of identity theft along with a brief description:

Online interception – Personal information such as credit/debit card information which is transmitted whilst carrying out online transactions can be intercepted via the use of computer viruses, spyware or key loggers and then transmitted back to the identity thief, thus allowing them to use your information and money to purchase goods or services. Some novice or beginner users of the internet do not understand the importance and necessity of having up-to-date security software, whilst other users are ignorant enough to post their personal information on websites which others can freely use, such as Facebook, Twitter or any social networking website. Online interception occurs due to the failure of the user to have an adequate computer protection system installed on their machine, or the failure of the user to update their computer protection system at least once every twenty-four hours. Of course, there are cases in which the user can do their utmost to protect their machine (and their personal information) but this will be to no avail due to the skill of the hacker. The only way one can go about correcting this issue is to ensure that we as users update our computer security systems every single day, install a strong firewall along with anti-virus, anti-malware and similar software, and hope that our security does not get bypassed.

Phishing – Phishing is one of the oldest and most common forms of gathering personal information via the use of the internet. Identity thieves often use phishing as a means to appear genuine; they will email thousands and thousands of email addresses with the idea that one, ten or a hundred recipients will fall into the trap. The identity thieves will pose as a bank, credit card company or African royalty, and in their messages they will state that the user must click a link inside the email that will direct them to a website in which the user will fill out all their personal details, which will later be used by the identity thieves to gain access to the user’s real bank account or e-commerce account and the like. Again, it comes down to the lack of knowledge of users receiving these types of emails, a sense of stupidity almost: they genuinely believe that their bank would email asking them to update their details or that they are entitled to a sum of money from African royalty. It is down to a sheer lack of common sense or knowledge. In order to correct this, it is imperative that users are educated in the risks of scamming and the steps that they can take to spot spam email and prevent themselves from giving malicious computer users personal information such as banking details and the like.

Risk from insecure networks – Many wireless networks now have wireless encryption protocols such as WPA2; however, some users fail to utilise these protocols and are leaving their wireless networks insecure. This means that anyone within range of your wireless network can access it freely, which allows any potential hacker to intercept and retrieve all of the personal information you could be transmitting over your unsecured network and potentially use it against you or for their own benefit, whilst at the same time they could gain access to your machine, access confidential files and even destroy data. The same idea applies to public networks in restaurants, cafes, coffee shops and the like: if the network is insecure, do not use it. The risk from insecure networks is obvious; to combat it, we as users should ensure that we refuse to connect to them, so that our devices do not become compromised and we do not lose any of our personal details or information.

Pharming – Pharming is in many ways similar to phishing in how it tries to gather personal information about a specific target. The only difference between the two is that phishing tries to con the user, via an e-mail or otherwise, into filling out their personal information, whereas pharming gathers the information secretly by inserting malicious code on to a user’s machine; this code then misleads users (who will be unaware that this is happening) to web sites on which their personal information can be stolen. As has been said before, it is imperative that users are educated in the risks of scamming, and they must ensure that they have adequate forms of computer protection in order to counter the risk of the malicious code that can be inserted.

Social engineering – Social engineering can apply to both offline and online identity theft; however, I’ve decided to include it in my online section as I feel it has more relevance there. A social engineer is a computer hacker who, instead of having an amazing hacking repertoire, is able to fool certain individuals into believing that they are someone they are not; in doing so, the social engineer is able to gather personal information about the person they are impersonating. The way to counter this is to always question the caller, their motives, why they are contacting you and the like (if a phone call is made); to ensure that emails discussing your bank or finances are immediately deleted; to ensure that randomly found USB devices are not connected to our machines, as they could contain viruses, trojans and malware that can come into effect and steal personal information; and to verify URLs before clicking on them.

Key loggers – Key logging is a simple yet effective means of capturing data maliciously; key loggers work by merely recording every single key stroke of the user whilst they are interacting with their machine. During this recording, every key stroke is transmitted to the attacker, and from this information they can go about accessing the victim’s email account, online banking, Facebook, Twitter, instant messaging software and much more. To counter key logging, many software companies have created software which can be used to scan our machines and discover whether or not they are infected with key loggers; if they are, the software will quarantine and remove them. There is of course a physical means of key logging; however, it requires tampering with the PS/2 or USB port to which the keyboard is connected by inserting a ‘key catcher’, a piece of hardware, which is of course easier to detect and remove.

3.0 Literature Review:

This literature review will provide a clear line of argument between various authors in relation to identity theft as it relates to biometrics and computer forensics. The review will look at the critical notes made by these authors along with my own personal comments; in doing so, I will be able to express my own academic opinion and critical discussion. To begin with, I shall look at the various authors who have published articles/journals on biometrics related to identity theft and then move on to computer forensics.

As discussed before, there are many crimes that criminals can commit via the use of identity theft and there is a vast array of means by which they can go about doing so; these range from common thievery to online scams such as phishing. The objective of these criminals will always be the same – they wish to impersonate another person in order to make their own lives better. Unfortunately, in many cases, the outcome will be a malicious one: claiming state benefits, gaining legal citizenship, gaining legal documents, opening new bank accounts under another name or simply going on a spending spree to purchase goods in someone else’s name. Therefore, it is imperative that we analyse the available solutions and tactics which can be implemented in order to fight and halt identity theft from ever occurring in the first place; this involves the use of biometric technology, which is becoming more and more popular with every passing year, and the implementation of computer forensics (web forensics, email forensics and network forensics) into individuals’ and businesses’ daily lives and structure. In doing so, it is hoped that identity theft can be reduced significantly or stopped altogether; however, criminals usually have ways and means of beating ‘the system’ and thus a constant battle will forever be taking place in order to see who comes out victorious.

Moving swiftly on to the review of the literature analysed, I begin with papers, journals and websites discussing biometrics and how they can be used to combat identity theft. From here, we will move on to papers, journals and websites discussing computer forensics and how it can be used to combat identity theft.

Biometric recognition by Anil K. Jain discusses automated means of identifying human beings via their own biometric identification (anatomy) and how biometric technology and equipment are becoming more and more popular and prominent in this modern era. The purpose of the article is to discuss biometric techniques and technologies and how they offer a much more secure and sacred way of allowing human beings to gain access to other nations and to their personal computing equipment, along with detailing how exactly biometric technology works, the reliability and accuracy provided by these technologies and the means by which biometric errors can be reduced. Finally, Jain discusses the security issues surrounding biometrics.

Biometric technology is a much safer haven and method of identifying human beings in any given scenario (border control, gaining access to a smartphone, paying for goods and services) due to the fact that this technology is a lot more advanced and much more difficult to break and attack than out-dated identification methods (passports, shoulder surfing for PINs and codes). Biometrics and the human anatomy are also much, much harder to lose track of, much harder for criminals to attempt to find out (almost impossible) and almost impossible for criminals to forge. ‘conventional recognition techniques such as passwords or ID cards, which are based on ‘what you know’ or ‘what you have’, biometric recognition is based on ‘who you are’: anatomical features such as face, fingerprint or iris, or behavioural traits such as signature or gait.’ (Jain, 2007)

With the constant increase of identity theft throughout the world every single year, many individuals are under severe scrutiny and pressure to keep their identities protected, and although the current methods allow us to do so in a reasonable manner, criminals still have ways and means of stealing identities. Should the people of the world therefore demand that their governments stand up and take charge in the fight against identity theft by introducing biometrics into all of the critical infrastructures, services and livelihoods? It is believed that governments would jump at the opportunity to introduce biometric technology as a part of normal society and life, as it would allow them to keep track of the bodies entering and leaving their borders; it would also ensure that individuals who are receiving state benefits are indeed who they say they are. ‘Crucially, public acceptance of the technology is also growing: citizens worried about identity theft are willing to use biometric systems for accessing laptops and mobile phones, and for making payments using credit cards at point-of-sale terminals.’ (Jain, 2007)

Of course, with any new technology being introduced into the world, many people are going to be sceptical (and will probably always remain sceptical) about it. Regarding biometrics, the biggest issue is whether or not the biometric data and information can remain secure and out of the reach of hackers and other computer attackers who could potentially hack into the databases in which the biometric information is housed, intercept and steal this data and potentially have hundreds of thousands if not millions of ‘identities’ at their disposal. Hackers could potentially find ways of marketing these ‘identities’, selling them to the highest bidders and make a lot of money from it, therefore, it is imperative that governments who wish to introduce a nationwide biometric system introduce safety protocols to protect these databases; this could be intrusion detection systems, intrusion prevention systems, other standardised forms of computer security along with implementing biometric technology which can decide whether the anatomy placed on the scanner is ‘alive’ or ‘dead’, this is just one way of preventing identity theft of people who have passed. ‘The most sensitive parts of a biometric system are the enrolment database. Both can be protected through clever combinations of biometrics with cryptographic techniques to prevent hackers intercepting, relaying or modifying information’ (Jain, 2007).

An Introduction to Evaluating Biometric Systems by P. Jonathon Phillips et al. discusses the various types of biometric recognition available to governments, businesses and consumers along with the performance levels of biometric recognition (however, the reader must bear in mind that this article was written in 2000 and may appear out of date; biometric recognition is very accurate and reliable with a 99.9% success rate). The paper goes on to define and distinguish the errors related to biometric recognition, along with discussing what an ‘evaluation protocol’ is in relation to biometric technology. The purpose of the paper is to debate, discuss and analyse the real-life performance of the biometric systems and technologies in use throughout the world today, which allows the reader to understand the positives and negatives related to biometric technologies and methods.

Biometric data is a secure, dependable, assured means of gaining access wherever the technology has been implemented; thanks to popular Hollywood movies, the use of biometrics has appeared as something which is ‘cool’ and ‘futuristic’ when in reality it is a common entity and rather simple to understand. As discussed before, biometric counterparts are almost impossible to clone, copy, steal or misuse, and users of biometric systems cannot lose these biometric counterparts because they are part of the human anatomy. It therefore makes sense that the human anatomy should be used to gain access to a wide range of goods, services and jobs, as it ensures that users do not have to remember long, complex passwords or PINs. ‘All members of the population possess the characteristic that the biometric identifies, like irises or fingerprints;’ (P. Jonathon Phillips, 2000).

Of course, it is understandable to state the benefits of biometric measures and technologies; however, do the benefits weigh up in a real-world scenario, and do the advantages outweigh the negatives and risks posed by introducing biometrics? If so, what is the best type of biometric system to introduce in certain scenarios? There are two versions of biometric systems available for governments, businesses and consumers: an identification system and a verification system. The identification system works by comparing a new biometric signature entry with the currently existing biometric database. If the new biometric signature entry is not found within the database, it is added and given a unique identifier (this could be a unique key, passport number, birth certificate number, driving licence number or the like); if the ‘new’ biometric signature entry is found to already exist on the biometric database, the ‘new’ entry is scrapped, which helps governments and businesses to deter identity theft in a massive way.

The verification system works slightly differently: a new biometric signature entry is added to a biometric database along with a unique piece of data stating that the signature belongs to Joe Bloggs, and the algorithm within the verification system will analyse this unique piece of data along with the signature entry and decide whether or not the biometric signature is genuine. The verification biometric system is usually accessed during the purchase of goods or services at a point of sale terminal within a shopping centre, petrol station and the like. This again helps to deter identity theft due to the fact that criminals would not be able to use stolen cards as they do not have the matching credentials (whether this is a fingerprint, iris recognition etc.). ‘Each biometric signature differs from all others in the controlled population;’ (P. Jonathon Phillips, 2000)

There is an association created by the United States entitled the ‘International Biometric Industry Association’ (IBIA); this association was created to ensure that the correct evidence and facts are presented when the population of each nation discusses biometric technology and debates whether or not it is a suitable, safe form of technology. The IBIA goes about enlightening governments, businesses and individuals about how biometric technology can deal a heavy blow to the identity theft trade; the IBIA has also taken up the mantle of biometrics by creating its own set of rules and integrities with the idea of promoting the moral, safe and correct use of biometric technology.

As with any computing system or new piece of technology, there will eventually be errors, problems, breakdowns and failure; biometrics is no different. The manufacturers of biometric technology accepted that the system will run into failures and therefore introduced error handling, specifically two forms of error handling – false reject rate and false alarm rate. The false reject rate relates to the failure of the system to verify and recognise an approved and legitimate user; genuine users are generally rejected due to a minute problem with the biometric equipment being used – this usually being dirt or dust within the scanner (thus requiring cleaning) or the failure of the user to correctly use the scanner (aligning their finger in a wrong manner). The false alarm rate relates to the biometric scanner (and database) accepting the identity of a user who is not and has never been placed within the biometric system, thus allowing unauthorised users to gain access to areas they shouldn’t be in. In a perfect world scenario, both of these false rates would not need to exist, but technology can break or not function correctly; therefore, companies along with the customers must create a suitable trade-off between the false reject rate and the false alarm rate in order to ensure that 99% of genuine users can use the biometric technology. ‘Adjust a system parameter to achieve a desired false-alarm rate, which results in a corresponding false-reject rate.’ (P. Jonathon Phillips, 2000).

As with any system as crucial to the infrastructure of governments and businesses as biometrics is, it is entirely necessary that the biometric systems implemented are constantly monitored, checked and evaluated to ensure that they are working correctly; doing so will help to reduce the risk of identity theft significantly, as non-legitimate users will not be able to use biometric scanners and the like. A biometric system evaluation consists of inspecting and testing the particular scanner (or scanners) within a system and analysing the performance levels of said scanner. The evaluators go about doing so by inserting a new biometric signature entry into a government/business biometric system and analysing whether or not the system becomes updated and accepts the new biometric signature entry. If this is the case, the evaluators will come to the conclusion that the biometric system is in full working order; if not, the evaluators can provide suggestions and ideas on how the biometric system can be fixed or improved.

Social Acceptance of RFID as a Biometric Security Method by Christine Perakslis and Robert Wolk discusses the ways in which the September 11th attacks on the World Trade Centres by Al Qaeda have affected the global opinion on the need for greater homeland security in the current information age. The means by which governments and nations can go about increasing homeland security is to introduce new biometric measures and technologies, in this case radio frequency identification or RFID. The paper goes on to discuss how RFID can be implemented into currently existing biometric technologies and how this implementation can greatly improve the effectiveness and reliability of biometric systems, along with the usual, recurring concerns regarding biometrics such as privacy and security of data.

The September 11th attacks on the World Trade Centres in New York City went down in human history as the largest attack on American soil by a terrorist group, in which more than three thousand civilians died. Due to these attacks, America (and most of the rest of the Western world) decided to go about rethinking their homeland security due to how the attacks came about and realising how vulnerable they could be to future attacks (evident in the March 11th 2004 bombings in Madrid and the July 7th 2005 bombings in London). One means of doing so was to introduce biometric security systems at all public border entry points into their nations (especially relevant in the United States and their borders). Thanks to the implementation of biometric systems along with greater homeland security, there hasn’t been a major terrorist attack in the Western world since 2007. ‘With these emerging technologies, government, healthcare, academic, and industry components of our culture are likely to combine their efforts to collect and share pertinent information on a real-time basis.’ (Christine Perakslis, 2005)

A recurring pattern throughout the papers being analysed is that the authors always seem to be of the same opinion: that biometric technology allows for a much more secure, quicker and more convenient means of identification compared to the more traditional methods such as passports, birth certificates, credit/debit cards, driving licences and identification cards (European). Of course, these currently existing methods are socially acceptable and the mainstream; however, there will be a time when these methods will become out-dated, and the citizens of the world must realise that the only means by which their identity will be protected is to accept the use of biometric technology sooner rather than later. One means by which biometric systems and security could be bettered would be the use of RFID chips implanted into the human body at birth. Most citizens in the world will accept the collection of their biometric data (iris, fingerprinting, facial recognition, voice recognition); however, some may feel slightly paranoid or even afraid that the implantation of chips into the body at birth may be a step too far in the invasion of privacy.

Therefore, it should be stated that the use of RFID chips can improve the personal security of citizens around the globe exponentially: whilst citizens are using biometric technology to gain access to a new country or even to access their work facilities, another biometric machine or security guard would at the same time scan their bodies for the RFID chip inside them. This would make the use of biometric systems almost uncrackable and foolproof due to the fact that there are so many different stages of verification; it would also deal a massive blow to the chances of criminals stealing identities and then leaving for another country, as there are various levels of authentication they would have to bypass. ‘Though the present world realities warrant greater security measures, global standards must encompass information protocols and protections to guarantee that the use of a global information system would truly serve those that rely upon it for protection at not only a national level, but also an individual level.’ (Christine Perakslis, 2005).

The benefits of implementing biometric systems along with RFID chips far outweigh the negatives brought up by privacy invasion and otherwise. Many individuals are starting to come around to the fact that biometric technology is the future and it is the most secure and noble way of protecting their identities simply due to the fact that it is a lot more convenient as individuals will not have to carry any form of identification around with them and if they did, it would only be one form of identification. Again in relation to identity theft, RFID chips could reach beyond the standardised border control, work entry and the like; it could be used along with biometric technologies to ensure that individuals are who they say they are whilst purchasing goods and services, receiving medical attention or prescription medication at a hospital or pharmacy, visiting historical landmarks, and the procurement of credit/debit cards, bank loans or credit. ‘Despite privacy concerns and the still emerging standardization of globally-acceptable methods and means, there is an every pressing push from industry and international governing bodies to move toward identity management methods with the use of contactless, easily accessible and ubiquitous tracking systems that integrate biometric data.’ (Christine Perakslis, 2005)

Biometric Authentication by Alfred C. Weaver of the University of Virginia discusses the controversy surrounding biometric technology and the potential invasion of privacy it could cause. Weaver also goes on to discuss the use of current RFID technologies and how these are also failing to protect people’s identities, as well as biometric systems, the false acceptance rate and the false rejection rate, as discussed previously by Christine Perakslis and Robert Wolk. We already know and understand the basic methods by which humans can identify themselves to a computer or computing system such as an ATM, these being user credentials such as a user account name, passwords and personal identification numbers (PINs), and again, as discussed before, these methods of human identification do not allow for the full protection of human identity due to the fact that they are easy to analyse, intercept, steal and use in malicious ways.

With the introduction of RFID technology at the beginning of the millennium, governments set out to reduce the risk of identity theft occurring in their nations by implementing a national identity card system complete with built-in RFID chips, which would save the citizens of certain nations from carrying their more expensive forms of identification with them at all times (passports and driving licences). Many people were fearful when certain European nations decided to implement national identification cards as they thought it could possibly be an invasion of privacy; however, the benefits far outweigh the negatives: they can lead to kidnapped children being found faster, along with allowing doctors to pull up the medical records of admitted patients almost instantly, as the data is stored on the RFID chips. However, the introduction of national identity cards hasn’t halted the rise of identity theft due to the fact that computer hackers and criminals have developed means of attacking the chips over the air; this method is known as ‘wireless identity theft’ or ‘wireless skimming’. Wireless identity theft allows computer hackers, identity thieves and criminals to steal all of the data from an RFID chip found on a national identity card using a wireless, over-the-air system. One method of protecting this data is to ask a further verification question when users attempt to use any of the data found on their RFID chips; unfortunately, computer hackers also have the means and capabilities to bypass such verification. Therefore, it boils down to introducing a new and enhanced method of identity protection, this being biometric security. ‘Technologies such as RFID cards and e-tokens— identity information encrypted on a flash memory card—also can be stolen.’ (Weaver, 2006)

There are many ways in which biometric technology can be used to potentially identify a human being (voice recognition, fingerprint scanning, iris scanning, retina scanning, facial recognition and DNA recognition), but rarely is the question asked: how is this biometric information stored? During the capturing of biometric information, the person capturing the data will use special computer software to compress the data into individual templates for each variation; these ‘templates’, usually being up to 256 bytes in size, are then securely uploaded into a government’s national biometric database.

Conversely, we must ask ourselves how the governments of the world plan to allow for the alteration of biometric data: will they enforce a policy in which biometric data must be updated every ten years, or will they devise a method of identification verification that works even if the data has changed from the original (this would usually occur as people get older, since our anatomy changes during this time)? This is where the ideas of a false acceptance rate and a false rejection rate come in; as discussed before, the false rejection rate relates to individuals who are not on a biometric database being judged as matches, even though they do not exist, and the false acceptance rate relates to individuals who are on a biometric database but are judged as rejects. Along with the false acceptance rate and false rejection rate is a measure known as the Hamming distance, this being ‘the degree of difference—between the bid sample and the enrolled template. The technology’s manufacturer sets the degree of equality required to define a match based on extensive experimentation with the technology in general and the scanning device in particular. The definition of match is always a probabilistic concept.’ (Weaver, 2006)
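
The Hamming-distance match threshold quoted from Weaver, and the trade-off it creates between the two error rates in the Phillips quote, can be shown in a short Python sketch; this is an added example, not code from the essay or from either paper. It uses the error definitions from the Phillips discussion (false reject: an enrolled user is turned away; false alarm: a non-enrolled person is accepted), and the random 256-byte templates, noise levels, thresholds and function names are all constructed assumptions.

```python
"""Added example: Hamming-distance template matching and the trade-off
between false-alarm and false-reject rates. All data here is constructed."""
import random

TEMPLATE_BITS = 2048  # 256 bytes, the template size quoted in the text


def hamming_fraction(a, b, nbits=TEMPLATE_BITS):
    """Fraction of bit positions in which two templates differ (0.0 to 1.0)."""
    return bin(a ^ b).count("1") / nbits


def noisy_scan(template, flip_prob, rng, nbits=TEMPLATE_BITS):
    """Simulate a fresh capture of the same trait: each bit flips with
    probability flip_prob (dirty sensor, misaligned finger, ageing)."""
    mask = 0
    for bit in range(nbits):
        if rng.random() < flip_prob:
            mask |= 1 << bit
    return template ^ mask


def verify(sample, enrolled, threshold):
    """1:1 verification: does the sample match the claimed identity?"""
    return hamming_fraction(sample, enrolled) <= threshold


def identify(sample, database, threshold):
    """1:N identification: closest enrolled identity within the threshold,
    or None when nobody in the database is close enough."""
    best_id, best_dist = None, threshold
    for user_id, template in database.items():
        dist = hamming_fraction(sample, template)
        if dist <= best_dist:
            best_id, best_dist = user_id, dist
    return best_id


def enrol(sample, new_id, database, threshold):
    """Add a template only if it matches no existing entry, so one person
    cannot hold two identities. Returns True when the entry was added."""
    if identify(sample, database, threshold) is not None:
        return False
    database[new_id] = sample
    return True


def error_rates(genuine, impostor, threshold):
    """(false_reject_rate, false_alarm_rate) at one threshold.
    genuine:  distances between an enrolled user's scan and own template
    impostor: distances between a scan and somebody else's template"""
    false_reject = sum(d > threshold for d in genuine) / len(genuine)
    false_alarm = sum(d <= threshold for d in impostor) / len(impostor)
    return false_reject, false_alarm


def build_trial(seed=7, users=20, scans_per_user=10):
    """Constructed population: random templates, scans of varying quality."""
    rng = random.Random(seed)
    database = {f"user{i}": rng.getrandbits(TEMPLATE_BITS) for i in range(users)}
    ids = list(database)
    genuine, impostor = [], []
    for user_id in ids:
        for _ in range(scans_per_user):
            scan = noisy_scan(database[user_id], rng.uniform(0.05, 0.40), rng)
            genuine.append(hamming_fraction(scan, database[user_id]))
            other = rng.choice([u for u in ids if u != user_id])
            impostor.append(hamming_fraction(scan, database[other]))
    return database, genuine, impostor


def sweep(genuine, impostor, thresholds):
    """Error rates for each candidate threshold, strictest first."""
    return [(t, *error_rates(genuine, impostor, t)) for t in sorted(thresholds)]


if __name__ == "__main__":
    db, genuine, impostor = build_trial()
    print("threshold  false-reject  false-alarm")
    for t, frr, far in sweep(genuine, impostor, [0.10, 0.20, 0.30, 0.45, 0.50, 0.60]):
        print(f"{t:9.2f}  {frr:12.3f}  {far:11.3f}")
```

Run as a script, it prints one row per threshold: tightening the threshold drives the false-alarm rate to zero while rejecting more genuine users whose scans were noisy, and loosening it does the reverse.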


