India gave legal recognition to electronic documents as equivalent to paper on 17th October 2000 by notifying the Information Technology Act 2000 (ITA 2000). At the same time, a system of “signing” an electronic document was given recognition in the form of “Digital Signatures”, as defined in the Act itself, and authentication of an electronic document with a digital signature was given the same legal recognition as a “signature” on a paper document. The system the Act defined as the accepted form of authentication was one in which a hash of the electronic document to be signed is encrypted with the private key of an asymmetric crypto system. The legal recognition was conditional on the requirement that only the standard hashing and asymmetric encryption algorithms notified by the Controller of Certifying Authorities (CCA) be used and that the digital certificate be issued by a licensed Certifying Authority. The e-Sign system notified last year is itself a digital signature in this sense, differing only in that it is a “single use” system.
Over the last 16 years, though digital signatures have come to be used mainly by companies for filing annual returns with the Ministry of Corporate Affairs and for filing income tax returns, their use in other commercial transactions has been minimal.
What is also observed is that the banking industry has been conspiring against the system of digital signatures as a means of authenticating cheques and banking instructions, and has been trying to project “Passwords” and “Two Factor Authentication” as substitutes for the digital signature.
Recently, IndusInd Bank has gone on a publicity blitz to promote “My Finger Print is My Password” and suggests its use through mobile phones to access bank accounts. The ad campaign is attractive enough that many IndusInd Bank customers may start using fingerprint-enabled mobile phones to access their accounts with only a fingerprint.
In India, fingerprints on paper documents have been in use since time immemorial, partly because a thumb impression was treated as the “signature” of an illiterate person and considered more reliable for property transactions. Many semi-literate persons find it difficult to develop a unique written signature and keep it consistent; in such cases a thumb impression is easier to give, though verifying it may require extra effort from the person who wants to rely on it. Where a specimen thumb print is already registered, as in banks, verification was possible; for others a written signature is more user friendly.
In recent days, after the Government’s efforts to promote Aadhaar, there is renewed interest in the use of the “Finger Print” as a universal mechanism to authenticate the user of an electronic document. It will not be surprising if fingerprints soon become an acceptable form of authentication for other banks and Government agencies as well, to the extent that the public perceives it as a continuation of the paper-based practice of affixing a thumb impression and adopts it readily.
It is here that the technical and legal risks of using thumb impressions (or the print of any of the ten fingers, as mobiles often use) need to be understood by the public, by organizations and of course by the Government, before too much hype is created around the “Finger Print as Password” concept.
It must be considered an eye opener that a major fraud has already been identified in Madhya Pradesh, where a scam involving fake fingerprints used by proxy candidates in police entrance examinations has been unearthed.
As per the details of the scam reported in TOI, thumb impressions were captured on films and converted into finger caps of “synthetic bandages”, which were then worn by the fraudsters and presented to the fingerprint scanners. This is a low-tech, low-cost fraud that can be committed wherever a fingerprint is used to identify a person, and it should expose the myth that fingerprints are a secure form of authentication.
When a person voluntarily wants somebody else to use his identity (as in the MP scam), he can share his password or provide a copy of his fingerprint from which a synthetic replica is made. If the person relying on the authentication is negligent enough not to notice a different face or the cap on the finger, he too is in complicity with the fraudster, and all three are together cheating the system. No security can defeat this collusion of three human beings. This is more a human risk than a techno-legal one and should be handled as such.
On the other hand, a question we frequently receive is why ITA 2000 did not recognize a “thumb print scan” as a form of “signature”, though thumb impressions have long served as a substitute for signatures in the physical world. It must be remembered that a thumb impression only identifies the person, whereas a digital signature identifies both the person and the document he is authenticating. A thumb print (or fingerprint) can be used together with the private key of a key pair and hashing to replace the “password that invokes the private key”, but not to replace the private key altogether. Hence the IndusInd Bank system does not qualify as an ITA 2000 compliant system and does not meet the RBI’s Internet Banking guidelines of June 2001 or the E-Banking security guidelines of April 2011.
If, however, fingerprints are to replace passwords in, say, ATMs, the fingerprint identification system must be improved with a check of whether the fingerprint is “live or not”. One technology recommended for this purpose is “poroscopy”, in which the sweat pores present between the ridges are also used for identification.
Some fingerprint scanners use updated technology whereby a “liveness score” is computed to check whether the fingerprint comes from a living person. Latex prints will obviously fail this test.
Despite these innovations, any form of identity verification in the electronic domain involves capturing electronic data at the point of use, transmitting it and comparing it with a pre-registered version. If the back-end system can be manipulated by suitable malware, it is not difficult to make the server believe that “what it sees is what it is expecting”.
Hence it is unsafe to use any form of fingerprint scanning as a substitute for “signature” in banking transactions. If a man-in-the-middle attack captures the fingerprint in an earlier transaction, banking or otherwise, the fraudster can use the same electronic file to spoof a “live fingerprint” in a subsequent attack on other transactions, including banking transactions.
A man-in-the-middle attack that steals the digital signature of one transaction, however, cannot reuse it in another transaction, and to this extent the digital signature still has an edge. A digital signature may fail only if the digital certificate can be spoofed, which may happen when real-time validation is not used.
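As an added illustration (not from the original post) of the two points made above: a captured fingerprint template can be replayed on any later transaction because the server's check never involves the transaction, while a captured digital signature verifies only against the document whose hash it was computed from; it also shows the fingerprint in its ITA-compatible role, unlocking the private key rather than replacing it. The toy RSA parameters, the template bytes and the transaction strings are all constructed.

```python
import hashlib

# Constructed toy RSA key (p=61, q=53): far too small for real use, it only
# illustrates how a signature binds BOTH the signer and the document.
N, E, D = 3233, 17, 2753          # modulus, public exponent, private exponent

# Constructed fingerprint template: the bytes a scanner transmits to the server.
REGISTERED_TEMPLATE = bytes.fromhex("a1b2c3d4e5f60718")

def sign(private_d: int, document: bytes) -> list:
    """ITA 2000 model: hash the document, then 'encrypt' the digest with the
    private key (byte-wise only because the toy modulus is tiny)."""
    digest = hashlib.sha256(document).digest()
    return [pow(b, private_d, N) for b in digest]

def verify(public_e: int, document: bytes, signature) -> bool:
    """Recompute the hash and check it against the signature with the public key."""
    if signature is None or len(signature) != 32:
        return False
    digest = hashlib.sha256(document).digest()
    return all(pow(s, public_e, N) == b for s, b in zip(signature, digest))

def fingerprint_authorizes(presented: bytes, transaction: bytes) -> bool:
    """'Finger print as password': the server compares the presented template
    with the enrolled copy; the transaction plays no part in the check."""
    return presented == REGISTERED_TEMPLATE

def unlock_and_sign(presented: bytes, document: bytes):
    """ITA-compatible role for a fingerprint: it only unlocks the private key
    held on the user's device; the document is still signed with that key."""
    return sign(D, document) if presented == REGISTERED_TEMPLATE else None

def replay_comparison() -> dict:
    """Replay what a man in the middle captured from transaction A against B."""
    txn_a = b"PAY 1000 INR to account 1111"
    txn_b = b"PAY 90000 INR to account 2222"      # attacker's own transaction
    captured_sig = sign(D, txn_a)                 # intercepted from A
    captured_template = REGISTERED_TEMPLATE       # intercepted from A
    return {
        "sig_verifies_on_A": verify(E, txn_a, captured_sig),
        "sig_replayed_on_B": verify(E, txn_b, captured_sig),
        "fp_replayed_on_B": fingerprint_authorizes(captured_template, txn_b),
        "fp_unlocks_key_signs_A": verify(E, txn_a, unlock_and_sign(captured_template, txn_a)),
    }
```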
The increased publicity from IndusInd Bank can give users a false sense of security about fingerprints as a means of authentication to critical resources over the insecure mobile network. In view of this and the MP scam, the CCA (Controller of Certifying Authorities) needs to release an advisory alerting the public not to assume that “Finger Print Banking” is “as safe as Digital Signature Banking”.
Judicial authorities should also note that the use of fingerprints for authentication does not indicate compliance with RBI guidelines by the banks; it should therefore continue to be treated as “lack of due diligence” under Section 85 or Section 79 of ITA 2000/8, and the liability for fraudulent transactions where a digital signature has not been used will still lie with the bank and not with the customer.