Establishing the identity of an individual, whether they are someone applying to become one of your customers or someone wanting to gain access to your building or computer system, is becoming a major

Stealing someone's identity, or creating a false identity, is one of the fastest growing forms of white-collar crime. It is the enabler for a whole host of further crimes, such as fraud, money laundering, drug trafficking, illegal immigration and terrorism.

According to the National Criminal Intelligence Squad, the British economy suffers a loss of £1.3bn per year as a result of identity fraud. The Department for Work and Pensions has estimated that up to £50m was lost by way of benefit theft carried out by identity fraudsters in 2001/02. The Association for Payment Clearing Services (APACS) reported that credit card scams caused losses of nearly £430m in 2002.

Clearly, something needs to be done to counter this threat. However, identity fraud is a topic frequently hijacked by emotive issues such as biometric technologies, ID cards, or centralised identity registers, often seen as elements of a 'Big Brother' state. Ignoring the hype, what practical strategies can companies use to ensure the people they deal with are who they say they are?


There are three main elements to identity. First, there is an individual's biometric identity: in other words, a unique and measurable physical characteristic.

Examples of biometrics include the patterns found in DNA, fingerprints, voices, retinas, hands, faces and even inner ears.

Then there is attributed identity. This includes a person's name, date and place of birth, the names of parents, plus numbers such as National Insurance and bank account details.

Lastly comes biographical identity, which builds up over time as an individual goes through life. Registration of birth, place of education and qualifications, electoral registry details, employment history, marriage certificate, place of abode, interactions with banks, utilities, public authorities and so on create this identity.


Commonly, when one talks about using biometrics to prove someone's identity, what is really meant is verification. In day-to-day life, individuals typically use a name, personnel number or account number to establish identity. A biometric is used to back up and verify this identity, for example, by comparing a digitised version of a fingerprint against a master version stored on either a smart card or central database.

It is important to remember that biometrics are not 100% reliable. A biometric is, in fact, a weak form of identification since the human body is infinitely variable. We can compensate for this, but how much variance is acceptable? Too much tolerance and someone else's biometric might be accepted. Too little and a genuine biometric could be rejected. Finding the right balance is crucial. Although never having to remember another password is an appealing thought, unreliable and unusable systems will lead to frustration.

Verifying an identity through a biometric, is just one approach. An individual can also be verified through something that they know, for example, a secret such as a PIN or a user ID/password. Finally, identity can also be verified by something that they have. This might be a key, a token, an internet cookie on a computer hard disk drive or a smart card.

Given that none of these authentication methods are foolproof, the best strategy is to combine a biometric with other factors of authentication.

Known as 'two factor ID', this puts less reliance on the biometric, but still offers stronger security than traditional approaches. Biometrics will not supplant old fashioned techniques just yet; the two will be used together for the foreseeable future.


Much of the debate on biometrics tends to focus on the technical and social advantages of, say, iris patterns over fingerprints. Less attention is paid to how this technology is actually embedded with day-to-day operational procedures. For example, the registration process - the point at which a biometric is tied to an individual's name or reference number - is absolutely key. Ensuring the integrity of this process and protecting it from error or deliberate manipulation are vital.

Another frequently overlooked area is when things go wrong. What happens when an employee forgets his or her biometric ID pass and needs to get into the building? Will the temporary pass include a biometric? If not, the overall security of the system will be weakened. Will the re-issued pass require the biometric to be captured again, or can it be rebuilt from a central database? What happens with visitors' passes? What happens if a scanner fails to verify an individual for some reason? Issues such as these might lack glamour, but will be absolutely fundamental to the success of a biometric strategy.


When considering introducing a new security measure such as biometric technology, a risk analysis is essential. Identify threats and vulnerabilities, assess the likelihood of their happening and quantify the impact, should they occur. With that understanding, you can put in place appropriate security measures to mitigate the risk.

It is important to ask whether you really need biometrics. A revision of internal procedures and more checks and balances in the right places may suffice. There has to be a strong security case for justifying biometrics in a commercial environment. In the worst case some very expensive state-of-the art equipment may be left gathering dust on the shelf.

David Porter is head of security and risk at Detica, Tel: 01483 734 505, E-mail:,