Give biometrics the FINGER: Horror tales from the ENCRYPT This week’s sorry tale of security-lapse-by-design might reveal plenty about political interference but it tells us even more about human nature in general. Due to some poorly thought-out US government policy some 20 years ago, yet another security lapse has raised its ugly head, drawn back its lips and threatened to sink its …
He has a point. More importantly, having implemented these "secutity measures", banks will be able to deny any fradulent access to your account happened.
Some smart-arse nicks your phone, lifts your finger prints from it and then uses that to wipe your bank account clean and the bank will just claim "not possible, guv! we've got biometric security!"
Biometerics are well know for false results - especially false negatives. So the detection threshold would have to be set so low as to be a joke.
"Biometerics are well know for false results - especially false negatives."
That's a very real problem. And when people can't access their stuff thanks to false positives, they stop using biometrics.
So companies deploying biometric sensors go and drive down the false negative rate by boosting the false positive rate. This mostly works, because owners are very nearly always the only ones who try to access their stuff, but in real life it opens the door to near-useless psuedo-security, and scanners that will allow many, many other people into your system.
And you will never, ever see statistics on either of these measures offered by those selling this jiggery-pokery.
The specifications are open and quite easy to follow:
https://fidoalliance.org/specifications
To summarise:
1. YOUR FINGERPRINT DOES NOT AUTHENTICATE YOU TO THE BANK!!
2. Your phone contains a secure module, which contains a private key. It's this key which authenticates you to the bank.
3. Your bank learns the corresponding public key during registration.
4. The fingerprint sensor is hard-wired to the secure module and is used to activate it, i.e. enable it to engage in a cryptographic authentication exchange.
The key never leaves the module. However in the case that the key is compromised (e.g. your phone is stolen), you can just revoke the key at the bank, and register a new key/device.
Hence there is no need to cut off your finger and replace it with a new one :-)
Is this 100% perfect security? Of course not, no system is 100% secure. But it raises the bar considerably, especially when it comes to your phone being taken over by malware (which seems to be the more prominent threat these days)
Couldn't this be greatly improved by minaturising the secure module, putting a short-range RFID interface on it and implanting it into the user's hand?
It'd have to be an open standard and have a functionality for allowing the module to disclose its public key on request, because it wouldn't be practical to shove six different modules into one hand - you'd want to use the one device to authenticate at the ATM, unlock your phone, unlock your car, clock in at work, open the front door and so on. One little implant and you've solved authentication for everything.
What makes us unique? I'd have thought - pardon the self-reference - it was our thoughts, or more specifically "brainwave patterns". Why not combine our basic EEG pattern with one generated by thinking a specific phrase as the security test? We just need an appropriate set of sensors. Perhaps a small data port on the back of the neck connected to a web of embedded electrodes would do it. Hmmmm.
Of course, as with all things digital, if you can physically get between the sensor and the software you can still hack the system...
Seems to me if one wants to keep some vestige of security/privacy then there's probably no other option than to work on an offline PC with its LAN and wireless ripped out and the screen equipped with a secure screen utility—and if one needs to access the net then one would have to copy info from the secure PC to a networked one by pencil and paper!
Essentially, security's kaput. Every day, there's a new exploit, hole in Windows, network or protocol vulnerability, governments ransacking one's data, etc., etc., it's seemingly endless.
Seems, something has to give sooner or later. The obvious solution is to start from scratch—that's after we've figured out exactly what we want from (or mean by) security/privacy.
Unfortunately, me too.
Many years ago, a schoolteacher said of my handwriting 'it's Chinese hieroglyphics done by the wanderings of a demented spider'.
Not far from the truth, and such colourful analogies are never forgotten! ;-)
Jason Bourne records a phone conversation with Noah Bosun, and plays back the first two words (Noah Bosun) to Noah's safe. The safe opens and is full of incriminating evidence.
Years ago, early attempts at speech recognition (understanding what was said) succeeded at voice recognition (identifying who is speaking). I could say 'Help! Help! He has a gun!' and voice recognition would happily allow access to my account. Someone can do an excellent impression of me saying 'Flock of crows', and get access to his own account.
Finger prints are just as good as voice: they give you a list of account names of people with similar fingers/voices. If you have few enough customers, that list might have only one entry, and you have a useful identification device. Identification (the account name) is not the same as authentication (confirming the user is the owner of the account).
Understanding the difference between voice and speech recognition is beyond the ability of most PHBs. Clearly no-one has yet been able to explain the difference between identification and authentication to a bank manager.
I see your "Sneakers" and raise a "Green Ice (1981)" - over a decade earlier, they already knew the way to trash a biometric vault is to record the owner with a film camera (!) and a dictaphone saying his own name, then use a portable projector to impersonate him. I shudder to think what sort of evil alien technology must have been hiding behind the lock that could do face and voice recognition in that era...
"... and (3) gradually alters by itself naturally over a period of time?"
I immediately thought of a relatively short period of time and started having ideas about a suitable receptacle and testing/measuring device. However, I'm not sure if my ideas are suitable for this publication.
Lower colon, that's the answer.
Of course the 'scanning probe' is a touch invasive. However, I'm envisioning a suite of work cubicles all with the patented iSecureChair - logs in when you sit down, logs out when you go for a break.
Cash point? Please back into the hole in the wall Sir/Madam, what could possibly go wrong, your money is safe with us.
You say arseprint, I say "where have I seen this before?".
Ah, found it: Monsters vs Aliens.
The red button joke is funny too, especially if you've been in bank computer rooms of the 90s where the exit button and the emergency shutdown button were of the same design..
However, the major risk of fingerprint biometrics is budget and bad education. Budget, because there are FP readers out there which require the finger offering the print to be still attached to a living body (some even scan for a pulse), but they cost a lot more (I would not argue that can NOT be defeated, only that it's much harder). The next thing is education of the masses, so that it is generally known that fingers are not usable post removal, otherwise you first get a wave of people no longer being able to count to 10 on their fingers before the message gets through to that segment of criminal fraternity that left school early, as opposed to the criminal segment that stuck it out and became politician, banker or stock trader (safer work, and better company in jail when it goes wrong).
I find the FP reader in the iPhone very amusing, because all you need to break it is left on the shiny surface right above it. Although I always use a matte, oleophobic screen foil which makes this less possible, I have disabled the facility and use ye good olde password (a long, numbers-only version which looks like a 4 digit lock but isn't). I have worked extensively with biometrics, and there are good readers out there (typically based on a "swipe" model so you can't leave a print behind), the problem is more that nobody seems to consider it important enough to spend the extra $5 or so it takes to buy them.
"Surely what we need is a biometric check on something that (1) generally remains out of sight, (2) can’t be conveniently faked, and (3) gradually alters by itself naturally over a period of time?"
Now we all know what you were setting us up for there don't we? Then you chicken out and plump for the back bottom instead!
Well obviously the reverse mechanics must be involved. Let us phrase it thus.. say, a "positive involvement" by 50% of the population is required. It stands to reason the other 50% of the population require "negative involvement" (or feedback) in order to balance matters.
It might be that the 1st 50% insist upon tunnel biometrics, wherein there may be some clamping action whilst the device activates.
Conversely, it might be said that the 2nd 50% are disadvantaged. One might even argue they need to dig themselves out of a hole. Doubters would say there's something fishy.
The FREAK thing is putting webhosts in a bit of a bind, as did POODLE...the fix is to upgrade to OpenSSL version to at least 1.02 and turn SSL3 off, respectively. This kills IE6 on XP users (until TLS 1.0 is enabled in advanced settings). So if you have your own server (or image) you can update if you want to explain the TLS thing to your users; but on a shared server they probably won't risk it and so you'll remain unpatched - even otherwise pretty good webhosts.
You can see their point...people still using XP and IE6 is the very last group of people you want to have to explain something technical to. But it also means that these holes are going to hang around for some time to come.
But it also means that these holes are going to hang around for some time to come.
Ooerr - I saw what you did there :). I disagree - only when you let them. I don't see why I should be catering for the idiots out there, and then later get it in the neck from those same idiots when something gets wrong. This is also the approach to getting this crap cleaned up in company (and government): you make a simple, clear statement of risk if they persist in being stupid, and you get that acknowledged.
The moment you move to a position where it's their neck on the line, not yours, most barriers quietly slink out of the way. If you cannot make that observation, rest assured that you have been already earmarked as the sacrificial bunny when it goes wrong. You may want to hop jobs before it gets that far.
Hey don't blame me; these are the facts of life as explained to me by an otherwise excellent webhost and I was just relaying that to you guys as it's relevant and good to know. Coming from years of doing one site for everybody else and then doing it all over again for IE6 my opening position would be "fuck IE6 and all it stands for" and working from there.
I said that I could understand the webost's position -let users take the (hard to prove even if it happens) risk versus a guaranteed swamping of complaints from users of a now-broken IE6- I didn't say I approve, endorse or in any way agree with it.
You can test for freak here:
Client:
https://freakattack.com/clienttest.html
Server:
https://tools.keycdn.com/freak
...and POODLE here:
https://www.ssllabs.com/ssltest/
If you're on a shared server and you're vulnerable, though, it may well not get patched. And now you know why.
Well, I've just finished re-configuring all the web servers for one of our client's sites.
It's a high traffic public ecommerce site for a travel company, and after discussion they took the decision that the 2 or 3 percent of users still on XP (taken from web analytics of the site) were not as important as the security of the other 97 percent.
According to the Qualsys SSL Labs site test, the site is now safe against FREAK, Poodle and Heartbleed, but is unable to be connected to over SSL by any version of IE running on XP, plus any client running OpenSSL 0.98 or below, or any client running Java 6.4.5.
We'll see what that does to overall hits over the next week...
Given that the markers used to fingerprint DNA just happen to be known junk sequences, altering them shouldn't be that much of a problem. [Functioning sequences by their nature will be common throughout the population, at the very least any particular distinctive group within said population.] So, performing genetic surgery wouldn't be absolutely hazardous although missing the target sequence may be common. It hasn't been done often enough to tell what those risks are. Yet.
The House of Commons Science and Technology Committee published its report yesterday, Current and future uses of biometric data and technologies.
Drugs companies have to undertake extensive trials before letting their products loose on people and ditto aircraft manufacturers.
But not biometrics systems suppliers (para.54):
When biometric systems are employed by the state in ways that impact upon citizens’ civil liberties, it is imperative that they are accurate and dependable. Rigorous testing and evaluation must therefore be undertaken prior to, and after, deployment, and details of performance levels published. It is highly regrettable that testing of the ‘facial matching technology’ employed by the police does not appear to have occurred prior to the searchable national database of custody photographs going live. While we recognise that testing biometric systems is both technically challenging and expensive, this does not mean it can be neglected.
The deployment of mass consumer biometrics without first establishing that the technology is reliable is not scientific, businesslike or responsible. It is wishful thinking.
It is wishful thinking when it comes to biometrics based on face recognition and on all the other candidate modalities, including flat fingerprints.
The Science and Technology Committee made that point in July 2006. Here they are making it again, nearly nine years later. There has been no progress in between.
"It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it."
Not originally. We used to try to make it work, securely, right from the git-go. Then Management decided to try to make the over-head of the IT plumbing a profit center. As a direct result, most IT staff don't give a rat's ass anymore, secure in the fact that the computer-illiterate management making the IT rules will do/pay almost anything to cover up their mistakes.
Fun work? No. But my Daughter's making more than I ever did in a 9-5 ;-)
That's the whole point.
When your biometric data is your username, it doesn't matter whether it's in the public domain. It's no more or less secure than using "Alistair Dabbs".
The fact that Apple uses biometrics for passwords shows how seriously they take security. It's just a sales gimmick.
But this is my point: if it's unique, it's a security nightmare. As soon as the biometric data is stolen, what do you do? Change your gut flora?
A couple of things. First of all, biometrics are PART of an authentication process (what you are), there's also what you know (password) and what you have (token, smartcard, bluetooth ident) - taking one doesn't invalidate all factors. What biometrics do is simply changing the risk equation, as it requires a physical presence to pick them up as well as to present them. This is, incidentally, what I dislike most about the iPhone implementation, you leave the required print on the very sensor (the better readers are actually swipe based so you never leave a print behind.
Secondly, I don't think that will be the main worry. If someone is willing to present your biometrics physically, they will find it much more efficient to aim a gun at your kids/loved ones/beer collection instead of engaging in complicated subterfuge.
....that dark and dangerous place outside the US known as "the rest of the world" (AKA "terrorists").
I think you're oversimplifying things a bit implying that the US goverment thinks everybody outside the US is a terrorist. We here in the US are quite aware that not all foreigners are terrorists: there are also Communists, drug dealers and white slavers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
