In such systems, known as biometrics, a computer generally reduces an image to a template of "minutia points", notable features such as a loop in a fingerprint or the position of an eye.

Those points are converted to a numeric string by a mathematical algorithm, then stored for later analysis.

But those mathematical templates, if stolen, can be dangerous.

So researchers have developed ways to alter images in a defined, repeatable way, so that hackers who managed to crack a biometric database would be able to steal only the distortion, not the true, original face or fingerprint.

Charles Palmer, head security researcher for International Business Machines Corp., believes biometric fraud will become more sophisticated and problematic as border crossings, passports, financial networks, personal computers and even checkout counters increasingly use the technology.

Worldwide biometric industry revenue is expected to soar from $1.5 billion this year to $5.3 billion in 2010, with government and law enforcement accounting for almost half of the total, according to the International Biometric Group, a consulting firm.

Biometric fraud

"My Social Security number is not secret. My mother's maiden name isn't secret. What's worse, passwords aren't secret"

James Wayman,
Biometrics expert

While a standard biometric can't be torn up and reissued like a credit card or password, since it's based on unchanging aspects of a person's physical appearance, distortion makes that possible.

A bank or an office building that had its biometrics compromised could register new ones simply by changing the way it transforms images.

That's why IBM calls this "cancellable biometrics."

The method has been discussed in research circles for several years, and at least one biometrics vendor, iris-scanner Iridian Technologies Inc., says it offers a cancellable system.

Iridian alters the computer-generated template rather than the original image, but the effect is the same.

"You can't take a biometric out of one application and replay it in another," said Frank Fitzsimmons, Iridian's chief executive.

Perhaps the biggest benefit, experts contend, could be to improve public perceptions about what happens to biometric data behind the scenes as the technology becomes more widespread.

If an organisation can check only its version of distorted biometrics, that could reduce fears, some realistic, some paranoid, that government or big companies might maintain a vast database of biometric data for intrusive tracking or
marketing purposes.

Privacy

The system could be seen as
being more privacy-protected

The system "could be understood as being more privacy-protected by the normal, everyday consumer," said Philip Youn, a consultant with the International Biometric Group.

Even so, Youn said the distortion approach might not necessarily offer significantly better privacy than systems in which biometric data are not stored in vulnerable, centralized databases but rather on chip-embedded "smart" cards that people carry with them. In that scenario, the biometric reader determines simply that the person with the card is the person originally granted the card.

Other security experts said the cancellable method is a smart way to add a layer of protection to a technology that has some security holes despite being hailed as a huge improvement over more commonly used security measures.

"This is probably a nice thing to have, but it doesn't resolve all the issues," said James Wayman, a biometrics expert at San Jose State University.

After all, Wayman said, biometrics are not secret, they're based on physical characteristics that we carry around in plain sight.

There's no guarantee someone couldn't lift your real-life fingerprint or take a picture of your face, then figure out a way to present those images to a biometric system.

"But I don't want to pick on biometrics," Wayman said.

"My Social Security number is not secret. My mother's maiden name isn't secret. What's worse, passwords aren't secret."