By: Héctor José García Santiago, Director of the Government and ICT Observatory of the Pontifical Xavierian University. Chairman of Camerfirma Colombia.
Facial biometrics become one of the key elements for digital security
According to the latest study carried out by the Colombian Chamber of Information Technology and Telecommunications (CCIT), “Tendencias Cibercrimen Colombia 2019-2020” (Colombia Cybercrime Trends 2019-2020), the main vectors of deception on the Web in 2019 were the following:
- Fraudulent personalised e-mails: 80%
- Identity theft: 60%
- Spoofing: 58%
- Infection of sites frequently visited by employees (Watering Hole attacks): 37%
Therefore, it is important that in Colombia we pay more attention to digital authentication, namely, to the process of validating the identity of a customer, entity or user by digital means. All entities that provide a service, market or distribute any good, must provide customers with an identity validation process to, for instance, open a savings or checking account, extend a line of credit, deliver a credit card, sell a mobile phone, make a national or international money order, process a driver’s licence or obtain a military passbook.
All these formalities are generally carried out in person, although in recent years there have been major advances in security such as fingerprint biometrics through consulting the National Database Register. The Automated Fingerprint Identification System (AFIS) of Colombia is a database that is used to verify a person’s identity through their fingerprints.
The challenge Colombia is facing, and which was accentuated by the pandemic, is to carry out all these procedures virtually, without the need to go in person to the offices of the service provider, bank, telecommunications company, state entity, etc. It is in this scenario that digital authentication and digital identity have gained key importance.
Digital authentication mechanisms
To achieve secure digital identification, we require strong authentication mechanisms, and more than one of the following factors must be used in combination:
- Something you know: password or PIN
- Something you have: physical token or mobile device
- Something you are: biometric features, fingerprints, face, iris, etc.
Circular 029/2019 of the Financial Superintendence stipulated that the strong authentication mechanisms are the following:
- Digital signature certificates
- OTP (One-time password)
- Cards that meet the EMV standard
Biometrics: Fingerprints, retina, iris, facial features, hand veins, or hand geometry represent examples of physical characteristics (static), while examples of behavioural characteristics include signature, gait, and typing (dynamic). Certain biometric traits, such as the voice, share physical and behavioural aspects.
Digital signature certificates: Law 527/1999 created Certification Entities as trusted third parties in the digital environment, so that these entities, accredited by the Colombian National Accreditation System (ONAC) and including Camerfirma Colombia, are the ones in charge of issuing people’s digital signatures. A digital signature is a mechanism for signing documents (contracts, resolutions, notifications, etc.) that replaces the traditional handwritten signature, with the added value that it benefits from the legal presumption of authenticity and integrity, and therefore of non-repudiation, granted by the law.
Cards that meet the EMV standard: This refers to chip cards. They arrived in Colombia several years ago to replace magnetic stripe cards, which eliminated fraud relating to “card swapping” and “magnetic stripe information cloning”. Criminals now employ other techniques: they trick the user into thinking that the plastic card must be replaced, collect the supposedly obsolete card, and extract the information from its chip.
Decree 620/2020 and Law 2052/2020 were recently issued, regulating the digital services model that will apply in the country. Digital authentication is one of the fundamental services of the model that focuses, precisely, on low and medium levels of trust where electronic signatures such as keys and passwords are found, and on high and very high levels, where we find digital signature certificates, facial biometrics and the digital citizenship card. Said standards are consistent with the guidelines issued in this regard by the Financial Superintendence of Colombia.
The importance of the database used to verify identity
While it is true that strong identification mechanisms such as biometrics are recommended, and even mandatory for certain sectors, they are also subject to fraud. Thus, despite the use of iris, palm or behavioural biometrics, there is always the chance of fraud if the source (database) against which it is checked is not highly secure or reliable.
In order to implement highly secure biometrics, the recommendation is to use databases that are public, reliable and highly secure. This refers to the National Database Register: the ANI (National Identification File) and the AFIS (Automated Fingerprint Identification System) and ABIS (Automated Biometric Identification System) databases, as well as financial and business databases such as the RUES (Single Business Register).
It is important to specify that the Register only manages a facial and fingerprint database, but does not have iris or voice databases. Therefore, when the procedures are in person, fingerprint or facial biometrics can be used. But for virtual procedures, facial biometrics must be used in combination with other authentication factors, always referring to public, reliable and secure databases that are up-to-date.
Finally, a significant number of financial institutions have implemented facial biometrics, but the databases against which the information is cross-checked are not highly reliable. Some are registering clients and cross-checking their face against their ID photo or the fingerprint image against the one that appears on the ID. However, this presents the following drawbacks:
- If the identity card is false, the entity will not be able to corroborate the true identity of the person.
- The storage of highly sensitive biometric personal data is extremely risky.
- Digital signature certificates or certified electronic signatures are not being used, but rather simple electronic signatures (single authentication factor), which presents security risks and the possible leak of sensitive data.