I’ve spent the last several days looking through information on India’s new Unique Identity (UID) system, which is based on biometrics: ten fingerprints, two iris scans. While there’s broad support for an identification card, there have been questions about the biometrics.

So just today I came across this article that suggested it was possible to computer-generate iris scans that could mimic a biometric reading: Your iris may soon be the target of identity thieves.

“Security researchers have successfully fooled commercial iris-recognition scans with a computer-generated replica of a human eye, raising questions as to the effectiveness of such biometric systems. Generating the fake iris only takes a few minutes, and does not require the original eye to be present.”

This is the result of research at West Virginia University (together with Universidad de Autonoma de Madrid) intended to find out how to defeat a biometric system.  Generating the fake iris needs the biometric data provided by the real iris.

“Right now the research assumes that whoever is trying to beat the iris scanner has access to the codes that scanner would generate from a real iris. (In this case, the team used codes made public for research purposes.) In reality, those would hopefully be carefully protected and encrypted, meaning it would be another security task entirely to get hold of them. But unlike a password, you can’t just scrap your eyeball and get a new one. If a single large user database was breached, this technique could render thousands, or even millions, of irises insecure in an instant.”

I don’t know how easy (or not) this is. But it does suggest vulnerabilities.

Hackers are born in the same environment as IT professionals, and India has the all the preconditions. I can see it now: World class research into hacking biometric systems, being performed in a back alley in Wadala. With practical proofs of concept.