Give biometrics the FINGER: Horror tales from the ENCRYPT

This week’s sorry tale of security-lapse-by-design might reveal plenty about political interference but it tells us even more about human nature in general. Due to some poorly thought-out US government policy some 20 years ago, yet another security lapse has raised its ugly head, drawn back its lips and threatened to sink its …

  1. Anonymous Coward
    Anonymous Coward

    A bit over the top, but...

    He has a point. More importantly, having implemented these "security measures", banks will be able to deny any fraudulent access to your account happened.

    Some smart-arse nicks your phone, lifts your finger prints from it and then uses that to wipe your bank account clean and the bank will just claim "not possible, guv! we've got biometric security!"

    Biometrics are well known for false results - especially false negatives. So the detection threshold would have to be set so low as to be a joke.

    1. JonP
      Coat

      Re: A bit over the top, but...

      ...smart-arse...

      It just keeps escalating -- security types come up with the arseword, hackers come up with the smart-arse...

    2. Six_Degrees

      Re: A bit over the top, but...

      "Biometrics are well known for false results - especially false negatives."

      That's a very real problem. And when people can't access their stuff thanks to false positives, they stop using biometrics.

      So companies deploying biometric sensors go and drive down the false negative rate by boosting the false positive rate. This mostly works, because owners are very nearly always the only ones who try to access their stuff, but in real life it opens the door to near-useless pseudo-security, and scanners that will allow many, many other people into your system.

      And you will never, ever see statistics on either of these measures offered by those selling this jiggery-pokery.
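      A threshold sweep that makes the trade-off in the comment above concrete. This is an added example, not anything from the thread or from any vendor: the genuine and impostor score distributions are constructed (seeded Gaussians), not measurements from a real sensor, and the function names (`constructed_scores`, `sweep`, `equal_error_point`, `point_for_max_frr`) are mine.

```python
"""
Threshold sweep over matcher scores: pushing the false-rejection (false
negative) rate down drags the false-acceptance rate up.

Added example, not from the thread. Scores are constructed, seeded Gaussians,
not data from any real sensor.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float   # false acceptance rate: impostor scores >= threshold
    frr: float   # false rejection rate: genuine scores < threshold


def constructed_scores(n: int = 4000, seed: int = 7):
    """Genuine and impostor similarity scores in [0, 1] with overlapping tails."""
    rng = random.Random(seed)
    clip = lambda v: min(1.0, max(0.0, v))
    genuine = [clip(rng.gauss(0.70, 0.10)) for _ in range(n)]
    impostor = [clip(rng.gauss(0.40, 0.10)) for _ in range(n)]
    return genuine, impostor


def sweep(genuine, impostor, steps: int = 200):
    """FAR and FRR at each candidate threshold, lowest threshold first."""
    points = []
    for i in range(steps + 1):
        t = i / steps
        far = sum(s >= t for s in impostor) / len(impostor)
        frr = sum(s < t for s in genuine) / len(genuine)
        points.append(OperatingPoint(t, far, frr))
    return points


def equal_error_point(points):
    """Threshold where FAR and FRR are closest: the usual headline figure."""
    return min(points, key=lambda p: abs(p.far - p.frr))


def point_for_max_frr(points, max_frr: float):
    """Highest threshold that still rejects at most max_frr of genuine users.

    This is the 'keep the owner happy' tuning the comment describes; the FAR
    at this point is the number that does not make it into the brochure.
    """
    candidates = [p for p in points if p.frr <= max_frr]
    return max(candidates, key=lambda p: p.threshold)


def report():
    genuine, impostor = constructed_scores()
    points = sweep(genuine, impostor)
    return equal_error_point(points), point_for_max_frr(points, 0.01)


if __name__ == "__main__":
    eer, friendly = report()
    print(f"EER point: t={eer.threshold:.3f} FAR={eer.far:.3f} FRR={eer.frr:.3f}")
    print(f"FRR<=1%:   t={friendly.threshold:.3f} FAR={friendly.far:.3f} FRR={friendly.frr:.3f}")
```

      Run it and compare the two printed operating points: the threshold that keeps FRR at or under 1% sits well below the equal-error threshold and admits far more impostors, which is exactly the figure a sensor vendor would rather not publish.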

    3. Anonymous Coward
      Anonymous Coward

      Re: A bit over the top, but...

      The specifications are open and quite easy to follow:

      https://fidoalliance.org/specifications

      To summarise:

      1. YOUR FINGERPRINT DOES NOT AUTHENTICATE YOU TO THE BANK!!

      2. Your phone contains a secure module, which contains a private key. It's this key which authenticates you to the bank.

      3. Your bank learns the corresponding public key during registration.

      4. The fingerprint sensor is hard-wired to the secure module and is used to activate it, i.e. enable it to engage in a cryptographic authentication exchange.

      The key never leaves the module. However in the case that the key is compromised (e.g. your phone is stolen), you can just revoke the key at the bank, and register a new key/device.

      Hence there is no need to cut off your finger and replace it with a new one :-)

      Is this 100% perfect security? Of course not, no system is 100% secure. But it raises the bar considerably, especially when it comes to your phone being taken over by malware (which seems to be the more prominent threat these days)

      1. Alistair Dabbs

        Re: A bit over the top, but...

        1. YOUR FINGERPRINT DOES NOT AUTHENTICATE YOU TO THE BANK!!

        This is true. However, your scenario only considers the possibility of a user's phone being stolen. My opinion is that the greater threat is that the bank allows all of ITS records to be pilfered.

        1. Anonymous Coward
          Anonymous Coward

          Re: A bit over the top, but...

          > My opinion is that the greater threat is that the bank allows all of ITS records to be pilfered.

          And how exactly does stealing the user's *public* key affect security of this system?
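      The registration, challenge and signature flow summarised in the comment above, plus the point made in the reply that a stolen public key is no use to an attacker, as an added example. This is not code from the thread or from the FIDO specifications: it is a stdlib-only Python sketch in which a toy Schnorr-style signature over the field mod 2**127 - 1 stands in for the ECDSA/P-256 a real authenticator uses, and the class and function names (`SecureModule`, `Bank`, `attempt`, `run_demo`) are mine. It walks through a normal login, a replayed signature, a bank database leak, a stolen phone with the wrong finger, and revocation followed by re-enrolment.

```python
"""Register / challenge / sign / verify / revoke, as in the FIDO summary above.

Added example (stdlib only), not code from the thread or the FIDO specs. The
signature scheme is a toy Schnorr-style scheme over the field mod 2**127 - 1,
standing in for a real authenticator's ECDSA/P-256; illustration only.
"""
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime M127
G = 3               # base element (assumed; any element works for the demo)
ORDER = P - 1       # exponents reduce mod the multiplicative group order

def _e(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge: hash of the commitment and the signed message."""
    digest = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(digest, "big") % ORDER

def sign(priv: int, msg: bytes) -> tuple[int, int]:
    k = secrets.randbelow(ORDER - 1) + 1            # fresh nonce per signature
    e = _e(pow(G, k, P), msg)
    return e, (k + e * priv) % ORDER

def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    if not (0 <= e < ORDER and 0 <= s < ORDER):
        return False
    r = pow(G, s, P) * pow(pub, ORDER - e, P) % P   # g^s * y^-e == g^k
    return _e(r, msg) == e

class SecureModule:
    """Authenticator side: the private key is made here and never read out."""

    def __init__(self) -> None:
        self.__priv = secrets.randbelow(ORDER - 2) + 2
        self.public_key = pow(G, self.__priv, P)
        self._unlocked = False

    def present_finger(self, sensor_match: bool) -> None:
        self._unlocked = sensor_match               # local gate; the bank never sees it

    def sign_challenge(self, challenge: bytes) -> tuple[int, int]:
        if not self._unlocked:
            raise PermissionError("module locked: no biometric match")
        self._unlocked = False                      # one signature per unlock
        return sign(self.__priv, challenge)

class Bank:
    """Relying party side: holds public keys and single-use challenges only."""

    def __init__(self) -> None:
        self.registered: dict[str, int] = {}
        self._pending: dict[str, bytes] = {}

    def register(self, user: str, public_key: int) -> None:
        self.registered[user] = public_key

    def revoke(self, user: str) -> None:
        self.registered.pop(user, None)
        self._pending.pop(user, None)

    def issue_challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]

    def authenticate(self, user: str, challenge: bytes, sig: tuple[int, int]) -> bool:
        pub = self.registered.get(user)
        expected = self._pending.pop(user, None)    # consumed on first use: no replay
        if pub is None or expected is None or expected != challenge:
            return False
        return verify(pub, challenge, sig)

def attempt(bank: Bank, module: SecureModule, user: str, finger_ok: bool = True) -> bool:
    """One login: fresh challenge, sensor verdict, signature, bank check."""
    c = bank.issue_challenge(user)
    module.present_finger(finger_ok)
    try:
        return bank.authenticate(user, c, module.sign_challenge(c))
    except PermissionError:
        return False

def run_demo() -> dict[str, bool]:
    bank, phone = Bank(), SecureModule()
    bank.register("alice", phone.public_key)
    c = bank.issue_challenge("alice")               # normal login
    phone.present_finger(True)
    sig = phone.sign_challenge(c)
    out = {"login": bank.authenticate("alice", c, sig)}
    out["replay_rejected"] = not bank.authenticate("alice", c, sig)
    c = bank.issue_challenge("alice")               # bank's key table leaked:
    guess = (secrets.randbelow(ORDER), secrets.randbelow(ORDER))  # public key does not help forge
    out["breach_rejected"] = not bank.authenticate("alice", c, guess)
    out["locked_rejected"] = not attempt(bank, phone, "alice", finger_ok=False)
    bank.revoke("alice")                            # theft reported
    out["revoked_rejected"] = not attempt(bank, phone, "alice")
    new_phone = SecureModule()                      # enrol a replacement device
    bank.register("alice", new_phone.public_key)
    out["reenrolled"] = attempt(bank, new_phone, "alice")
    return out
```

      Two design points carry the argument of the comment: the bank stores nothing that can produce a signature, so a full dump of its table gives an attacker only what it could have got from watching a login; and the challenge is single-use, so a captured signature cannot be replayed. The fingerprint appears only as a boolean that unlocks the module, which is why revocation replaces the key rather than the finger.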

      2. Suricou Raven

        Re: A bit over the top, but...

        Couldn't this be greatly improved by miniaturising the secure module, putting a short-range RFID interface on it and implanting it into the user's hand?

        It'd have to be an open standard and have a functionality for allowing the module to disclose its public key on request, because it wouldn't be practical to shove six different modules into one hand - you'd want to use the one device to authenticate at the ATM, unlock your phone, unlock your car, clock in at work, open the front door and so on. One little implant and you've solved authentication for everything.

        1. Alistair Dabbs

          Re: A bit over the top, but...

          implanting it into the user's hand

          The gadget would be out of date before the stitches healed.

  2. sorry, what?
    Boffin

    Seriously, though...

    What makes us unique? I'd have thought - pardon the self-reference - it was our thoughts, or more specifically "brainwave patterns". Why not combine our basic EEG pattern with one generated by thinking a specific phrase as the security test? We just need an appropriate set of sensors. Perhaps a small data port on the back of the neck connected to a web of embedded electrodes would do it. Hmmmm.

    Of course, as with all things digital, if you can physically get between the sensor and the software you can still hack the system...

  3. RobHib
    Facepalm

    Come to the conclusion, security's a joke.

    Seems to me if one wants to keep some vestige of security/privacy then there's probably no other option than to work on an offline PC with its LAN and wireless ripped out and the screen equipped with a secure screen utility—and if one needs to access the net then one would have to copy info from the secure PC to a networked one by pencil and paper!

    Essentially, security's kaput. Every day, there's a new exploit, hole in Windows, network or protocol vulnerability, governments ransacking one's data, etc., etc., it's seemingly endless.

    Seems, something has to give sooner or later. The obvious solution is to start from scratch—that's after we've figured out exactly what we want from (or mean by) security/privacy.

    1. John Miles

      Re: no other option than to work on an offline PC

      Just stick with the paper and pencil - with my handwriting it is liable to be secure even from me

      1. RobHib

        @John Miles -- Re: no other option than to work on an offline PC

        Unfortunately, me too.

        Many years ago, a schoolteacher said of my handwriting 'it's Chinese hieroglyphics done by the wanderings of a demented spider'.

        Not far from the truth, and such colourful analogies are never forgotten! ;-)

        1. Captain DaFt

          Re: @John Miles -- no other option than to work on an offline PC

          Or said of my handwriting:

          "Is that handwriting, or did your pen sneeze on the paper?"

          1. Shrek

            Re: @John Miles -- no other option than to work on an offline PC

            The motivational critique of my handwriting was the teacher describing it as looking like "a drunken spider had fallen into an ink pot and crawled across the page"...

  4. Corinne
    Happy

    The wonderful 1992 film "Sneakers" has the heroes breaking in to a secure building controlled by voice passwords, with the phrase "my voice is my passport" - I think that was a few years before the release of Mac OS 9 so probably where Steve Jobs got the idea from.

    1. Rob 5
      Thumb Up

      That was a great movie - thanks for reminding me about it.

    2. Flocke Kroes Silver badge

      More recently

      Jason Bourne records a phone conversation with Noah Bosun, and plays back the first two words (Noah Bosun) to Noah's safe. The safe opens and is full of incriminating evidence.

      Years ago, early attempts at speech recognition (understanding what was said) succeeded at voice recognition (identifying who is speaking). I could say 'Help! Help! He has a gun!' and voice recognition would happily allow access to my account. Someone can do an excellent impression of me saying 'Flock of crows', and get access to his own account.

      Finger prints are just as good as voice: they give you a list of account names of people with similar fingers/voices. If you have few enough customers, that list might have only one entry, and you have a useful identification device. Identification (the account name) is not the same as authentication (confirming the user is the owner of the account).

      Understanding the difference between voice and speech recognition is beyond the ability of most PHBs. Clearly no-one has yet been able to explain the difference between identification and authentication to a bank manager.

    3. DropBear

      Psh...

      I see your "Sneakers" and raise a "Green Ice (1981)" - over a decade earlier, they already knew the way to trash a biometric vault is to record the owner with a film camera (!) and a dictaphone saying his own name, then use a portable projector to impersonate him. I shudder to think what sort of evil alien technology must have been hiding behind the lock that could do face and voice recognition in that era...

  5. frank ly

    Vertical Thinking

    "... and (3) gradually alters by itself naturally over a period of time?"

    I immediately thought of a relatively short period of time and started having ideas about a suitable receptacle and testing/measuring device. However, I'm not sure if my ideas are suitable for this publication.

    1. Richard 12 Silver badge

      Re: Vertical Thinking

      You also need two versions to cover about 99% of the population.

      No idea what you do for the last 1% or so.

  6. Hope Spirals
    Joke

    Just not found the right 'biometric' to use yet

    Lower colon, that's the answer.

    Of course the 'scanning probe' is a touch invasive. However, I'm envisioning a suite of work cubicles all with the patented iSecureChair - logs in when you sit down, logs out when you go for a break.

    Cash point? Please back into the hole in the wall Sir/Madam, what could possibly go wrong, your money is safe with us.

    1. Fred Flintstone Gold badge

      Re: Just not found the right 'biometric' to use yet

      It's turning "sitting on your money" into a literal expression :)

    2. a pressbutton

      Re: Just not found the right 'biometric' to use yet

      i think you are referring to something called an iprod.

    3. Mark 85

      Re: Just not found the right 'biometric' to use yet

      This will work until the office prankster moves the office chairs around a bit....

    4. Martin Summers Silver badge

      Re: Just not found the right 'biometric' to use yet

      I'd probably rather that than sticking something *in* to a biometric glory hole.

  7. Anonymous Coward
    Anonymous Coward

    The biometrics - animated version

    You say arseprint, I say "where have I seen this before?".

    Ah, found it: Monsters vs Aliens.

    The red button joke is funny too, especially if you've been in bank computer rooms of the 90s where the exit button and the emergency shutdown button were of the same design.

    However, the major risk of fingerprint biometrics is budget and bad education. Budget, because there are FP readers out there which require the finger offering the print to be still attached to a living body (some even scan for a pulse), but they cost a lot more (I would not argue that can NOT be defeated, only that it's much harder). The next thing is education of the masses, so that it is generally known that fingers are not usable post removal, otherwise you first get a wave of people no longer being able to count to 10 on their fingers before the message gets through to that segment of criminal fraternity that left school early, as opposed to the criminal segment that stuck it out and became politician, banker or stock trader (safer work, and better company in jail when it goes wrong).

    I find the FP reader in the iPhone very amusing, because all you need to break it is left on the shiny surface right above it. Although I always use a matte, oleophobic screen foil which makes this less possible, I have disabled the facility and use ye good olde password (a long, numbers-only version which looks like a 4 digit lock but isn't). I have worked extensively with biometrics, and there are good readers out there (typically based on a "swipe" model so you can't leave a print behind), the problem is more that nobody seems to consider it important enough to spend the extra $5 or so it takes to buy them.

  8. Mage Silver badge
    Black Helicopters

    Ne'er a truer word in jest.

    Now we know that that Dabs is the day job public identity of super hero^h^h^h^h security expert Schneier

    1. Anonymous Coward
      Anonymous Coward

      Re: Ne'er a truer word in jest.

      Shirley 'tis the other way around.

  9. swampdog
    Childcatcher

    "Surely what we need is a biometric check on something that (1) generally remains out of sight, (2) can’t be conveniently faked, and (3) gradually alters by itself naturally over a period of time?"

    Now we all know what you were setting us up for there don't we? Then you chicken out and plump for the back bottom instead!

    1. Sarah Balfour

      Trouble is, that's only going to work for ~50% of the population…

      What about females - and androgynes…?

      1. Anonymous Coward
        Anonymous Coward

        Re: Trouble is, that's only going to work for ~50% of the population…

        What about females - and androgynes…?

        You got a point there. Speaking of point, nipple geometry could work with all of those groups, with added advantage that it could truly go tits-up on failure :)

        1. Alistair Dabbs

          Re: Trouble is, that's only going to work for ~50% of the population…

          nipple geometry could work

          Might need some tweaking.

          1. swampdog

            Re: Trouble is, that's only going to work for ~50% of the population…

            "nipple geometry could work"

            Fucking (Tory|Labour|etc) Govt. As if prossies don't have enough to do without HMRC measuring & taking angles thereof!

        2. Mark 85
          Coat

          Re: Trouble is, that's only going to work for ~50% of the population…

          But then you'll need nip readers at several levels as the boobs sag...

        3. Myself-NZ

          Re: Trouble is, that's only going to work for ~50% of the population…

          How do the readers cope with someone who has their breasts removed due to cancer ? (or as a preventative measure)

      2. swampdog
        Childcatcher

        Re: Trouble is, that's only going to work for ~50% of the population…

        Well obviously the reverse mechanics must be involved. Let us phrase it thus.. say, a "positive involvement" by 50% of the population is required. It stands to reason the other 50% of the population require "negative involvement" (or feedback) in order to balance matters.

        It might be that the 1st 50% insist upon tunnel biometrics, wherein there may be some clamping action whilst the device activates.

        Conversely, it might be said that the 2nd 50% are disadvantaged. One might even argue they need to dig themselves out of a hole. Doubters would say there's something fishy.

  10. (AMPC) Anonymous and mostly paranoid coward

    Funny, funny

    Until some clueless management droids actually try this. Anal Probes (alien abduction style) are clearly the way forward.

    Myself, I am big fan of two-factor authentication and expiring pass codes. They worked during WW I and they still work now. Trust the math.

  11. Anonymous Coward
    Anonymous Coward

    The FREAK thing is putting webhosts in a bit of a bind, as did POODLE... the fix is to upgrade the OpenSSL version to at least 1.0.2 and turn SSL3 off, respectively. This kills IE6 on XP users (until TLS 1.0 is enabled in advanced settings). So if you have your own server (or image) you can update if you want to explain the TLS thing to your users; but on a shared server they probably won't risk it and so you'll remain unpatched - even otherwise pretty good webhosts.

    You can see their point...people still using XP and IE6 is the very last group of people you want to have to explain something technical to. But it also means that these holes are going to hang around for some time to come.

    1. Anonymous Coward
      Anonymous Coward

      But it also means that these holes are going to hang around for some time to come.

      Ooerr - I saw what you did there :). I disagree - only when you let them. I don't see why I should be catering for the idiots out there, and then later get it in the neck from those same idiots when something goes wrong. This is also the approach to getting this crap cleaned up in companies (and government): you make a simple, clear statement of risk if they persist in being stupid, and you get that acknowledged.

      The moment you move to a position where it's their neck on the line, not yours, most barriers quietly slink out of the way. If you cannot make that observation, rest assured that you have been already earmarked as the sacrificial bunny when it goes wrong. You may want to hop jobs before it gets that far.

    2. heyrick Silver badge

      "people still using XP and IE6 is the very last group of people you want to have to explain something technical to"

      Turn the damn thing off. If people complain, point out that the web has moved on and a billion year old browser don't cut it no more.

      1. Anonymous Coward
        Anonymous Coward

        Hey don't blame me; these are the facts of life as explained to me by an otherwise excellent webhost and I was just relaying that to you guys as it's relevant and good to know. Coming from years of doing one site for everybody else and then doing it all over again for IE6 my opening position would be "fuck IE6 and all it stands for" and working from there.

        I said that I could understand the webhost's position - let users take the (hard to prove even if it happens) risk versus a guaranteed swamping of complaints from users of a now-broken IE6 - I didn't say I approve, endorse or in any way agree with it.

        You can test for freak here:

        Client:

        https://freakattack.com/clienttest.html

        Server:

        https://tools.keycdn.com/freak

        ...and POODLE here:

        https://www.ssllabs.com/ssltest/

        If you're on a shared server and you're vulnerable, though, it may well not get patched. And now you know why.

        1. Dan 55 Silver badge
          Devil

          Or if MS were at all serious about security they could push out a tiny update for XP to alter IE6's settings and if it isn't good for corporations then they have the option to block it with WSUS.

          But no, the web is still held back by IE...

    3. Alister

      Well, I've just finished re-configuring all the web servers for one of our client's sites.

      It's a high traffic public ecommerce site for a travel company, and after discussion they took the decision that the 2 or 3 percent of users still on XP (taken from web analytics of the site) were not as important as the security of the other 97 percent.

      According to the Qualys SSL Labs site test, the site is now safe against FREAK, Poodle and Heartbleed, but is unable to be connected to over SSL by any version of IE running on XP, plus any client running OpenSSL 0.9.8 or below, or any client running Java 6.4.5.

      We'll see what that does to overall hits over the next week...

  12. Anonymous Coward
    Anonymous Coward

    Dental Records...

    ...er....any use?

    1. Mark 85

      Re: Dental Records...

      Only if a) you have teeth and b) can your dentist be trusted?

      1. Anonymous Coward
        Anonymous Coward

        Re: Dental Records...

        And you never had braces.

        1. Anonymous Coward
          Anonymous Coward

          Re: Dental Records...

          Is it safe?

  13. Bartholomew
    FAIL

    When someone compromises your password, you can change it.

    The real problem with biometrics is once it is compromised, it is not like you can change it. Unless they perfect altering DNA and not killing the subject.

    1. Anonymous Coward
      Thumb Down

      Re: When someone compromises your password, you can change it.

      Given that the markers used to fingerprint DNA just happen to be known junk sequences, altering them shouldn't be that much of a problem. [Functioning sequences by their nature will be common throughout the population, at the very least any particular distinctive group within said population.] So, performing genetic surgery wouldn't be absolutely hazardous although missing the target sequence may be common. It hasn't been done often enough to tell what those risks are. Yet.

    2. Anonymous Coward
      Anonymous Coward

      Re: When someone compromises your password, you can change it.

      Unless they perfect altering DNA and not killing the subject.

      My DNA has been altered. It didn't kill me, but I do get annoying cold sores occasionally.

  14. John Smith 19 Gold badge
    Gimp

    "someone somewhere" "still advising" "message encryption" "invented by Osama bin Laden"

    A perfect definition of a data fetishist.

  15. Solmyr ibn Wali Barad

    Weird.

    30-something comments, and nobody has threatened to cancel the subscription yet? Or wanted 10 minutes of time back?

    Gosh, I so hope that Mr Dabbs hasn't lost the knack.

    1. Anonymous Coward
      Anonymous Coward

      Re: Weird.

      Are you implying that this column was a joke that we all got?

      1. Alistair Dabbs

        Re: Weird.

        Are you implying that this column was a joke that we all got?

        How dare you imply that my column is a joke? I'll have you know, it's written as a tutorial.

        1. Martin Maloney
          Trollface

          Re: Weird.

          Is your arseword Dr00p3?

  16. John Smith 19 Gold badge
    Coat

    Adds a whole new meaning to the phrase "back orifice" compliant

    Time to be gone.

  17. D Moss Esq

    Wishful thinking as a platform

    The House of Commons Science and Technology Committee published its report yesterday, Current and future uses of biometric data and technologies.

    Drugs companies have to undertake extensive trials before letting their products loose on people and ditto aircraft manufacturers.

    But not biometrics systems suppliers (para.54):

    When biometric systems are employed by the state in ways that impact upon citizens’ civil liberties, it is imperative that they are accurate and dependable. Rigorous testing and evaluation must therefore be undertaken prior to, and after, deployment, and details of performance levels published. It is highly regrettable that testing of the ‘facial matching technology’ employed by the police does not appear to have occurred prior to the searchable national database of custody photographs going live. While we recognise that testing biometric systems is both technically challenging and expensive, this does not mean it can be neglected.

    The deployment of mass consumer biometrics without first establishing that the technology is reliable is not scientific, businesslike or responsible. It is wishful thinking.

    It is wishful thinking when it comes to biometrics based on face recognition and on all the other candidate modalities, including flat fingerprints.

    The Science and Technology Committee made that point in July 2006. Here they are making it again, nearly nine years later. There has been no progress in between.

    1. Alistair Dabbs

      Re: Wishful thinking as a platform

      Thankfully, the UK Government has an excellent track record in rolling out IT systems.

      1. Someonehasusedthathandle

        Re: Wishful thinking as a platform

        In this case we should be grateful.

        The combination of deadlines and budget will mean it would never see the light of day, incompetence as a defense of civil liberties. I like it!

  18. jake Silver badge

    System security.

    "It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it."

    Not originally. We used to try to make it work, securely, right from the git-go. Then Management decided to try to make the over-head of the IT plumbing a profit center. As a direct result, most IT staff don't give a rat's ass anymore, secure in the fact that the computer-illiterate management making the IT rules will do/pay almost anything to cover up their mistakes.

    Fun work? No. But my Daughter's making more than I ever did in a 9-5 ;-)

    1. DiViDeD

      Re: System security.

      "It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it."

      And yet you say that like it's a BAD thing.

  19. king of foo

    ARSEWORD

    My arse is most definitely "having words" today...

    I blame the baked beans I had with my bacon roll...

  20. Anonymous Coward
    Anonymous Coward

    Is it just me?

    Why does the author and virtually everyone commenting assume the biometric data is the password? It's not and never should be!

    Are you deliberately missing the point?

    The biometrics are your username.

    Your password is as secure as you choose to make it.

    1. Alistair Dabbs

      Re: Is it just me?

      Your password is as secure as you choose to make it.

      Whereas it's perfectly OK for my biometric identity to be in the public domain? BTW, Apple treats your fingerprint as your password on iOS devices.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is it just me?

        That's the whole point.

        When your biometric data is your username, it doesn't matter whether it's in the public domain. It's no more or less secure than using "Alistair Dabbs".

        The fact that Apple uses biometrics for passwords shows how seriously they take security. It's just a sales gimmick.

  21. Anonymous Coward
    Anonymous Coward

    Your gut flora, although generic, is unique. Porcelain seat outside every secure door. Just shit in the scanner and let them do a DNA analysis

    1. Alistair Dabbs

      Re: gut flora

      But this is my point: if it's unique, it's a security nightmare. As soon as the biometric data is stolen, what do you do? Change your gut flora?

      1. Anonymous Coward
        Anonymous Coward

        Re: gut flora

        But this is my point: if it's unique, it's a security nightmare. As soon as the biometric data is stolen, what do you do? Change your gut flora?

        A couple of things. First of all, biometrics are PART of an authentication process (what you are), there's also what you know (password) and what you have (token, smartcard, bluetooth ident) - taking one doesn't invalidate all factors. What biometrics do is simply change the risk equation, as it requires a physical presence to pick them up as well as to present them. This is, incidentally, what I dislike most about the iPhone implementation: you leave the required print on the very sensor (the better readers are actually swipe based so you never leave a print behind).

        Secondly, I don't think that will be the main worry. If someone is willing to present your biometrics physically, they will find it much more efficient to aim a gun at your kids/loved ones/beer collection instead of engaging in complicated subterfuge.

  22. David Roberts
    Coat

    Usual shit security, then?

    Sorry, couldn't resist.

  23. GBE

    TROW

    ....that dark and dangerous place outside the US known as "the rest of the world" (AKA "terrorists").

    I think you're oversimplifying things a bit implying that the US government thinks everybody outside the US is a terrorist. We here in the US are quite aware that not all foreigners are terrorists: there are also Communists, drug dealers and white slavers.
