back to article Biometric data stolen from corporate lunch rooms system

A US payment kiosk vendor has been stung by malware scum. Avanti Markets helps employers monetise the lunch-room and get rid of counter-service, going beyond a simple vending machine to cover the whole sandwiches-fruit-drinks-junk-food with one payment system. Last week, as first spotted by Brian Krebs, the company posted …

  1. Nolveys
    Thumb Up

    The bad news: they can't change people's fingerprints.

    The good news: the rectal scanning wands have already been installed.

    1. allthecoolshortnamesweretaken

      "The bad news: they can't change people's fingerprints."

      Does "delete" qualify as "change"? (Fingers grow back, right? Right?)

      1. Sway

        Sure, just CTRL + Z

        Oh wait, you have no fingers.. sorry.

    2. Anonymous Coward
      Anonymous Coward

      "rectal scanning wands"

      There's always colonsequences with them you know.

  2. sanmigueelbeer

    Inhouse IT

    Is this an in-house IT or outsourced to IBM?

    1. Voland's right hand Silver badge

      Re: Inhouse IT

      Even if it was, it should not have anything to do with the canteen payment system. It should be self-contained.

  3. John Smith 19 Gold badge

    "Biometrics." It's a security "feature"

    Until it isn't

    Then it's just a f**king liability.

    And now someone has a nice of personalized (very personalized) finger prints you can run off leaving at crime scenes, in addition to other issues with this scheme.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Biometrics." It's a security "feature"

      I've worked on biometrics.

      Rule 1 is to NEVER, EVER even transport the raw data - you pre-process at the point of collection.

      You hash and encrypt before transport, if possible salted, and salt the storage yet again. That way, only your local interpretation of the biometrics can ever leak, and that cannot be used to reconstruct the raw source data for use somewhere else. Anyone doing it differently should get hit with the maximum possible fines, something that will make new incoming EU privacy laws extra interesting.

      That goes for fingers, eyes, face geometrics, rectal scans, gait analysis* - the works. Not mentioning voice prints because they're too easy to replicate to be of any use (natural variation alone already mandates significant forgiveness in what you accept, rendering it pointless).

      * No, gait. Not goat. That's still "something you have" :)

      1. VinceH

        Re: "Biometrics." It's a security "feature"

        "Rule 1 is to NEVER, EVER even transport the raw data - you pre-process at the point of collection."

        If I've read the article and breach notice correctly, the malware was on the kiosks - and was therefore operating at the point of collection.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Biometrics." It's a security "feature"

          If I've read the article and breach notice correctly, the malware was on the kiosks - and was therefore operating at the point of collection.

          In that case it depends on how much the sensor does in firmware, but that still exposes recorded users on any platform that uses the same sensors (read: accepts the same data format) and which can be accessed electronically. *Not* good indeed.

      2. Alistair Silver badge

        Re: "Biometrics." It's a security "feature"

        " No, gait. Not goat. That's still "something you have" "

        Considering that my SO and I tend to wrap arms about our shoulders whilst we walk, I can tell you now that if one is using gait as a biometric, your sense of security is subject to shoes. I have dress shoes, running shoes and sandals, as does SWMBO, and when we walk together, different shoes require that we do different things to match stride. Thus, our gaits are substantially altered by the shoes we wear. Furthermore, I'll be at some point getting foot surgery to correct structural damage done whilst I was a rather young figure skater. I will be required to *re* learn how to walk after that is done. I'll not mention the twenty something offspring of a friend of mine who has had not one but two knee reconstructions due to baseball accidents.

      3. joed

        Re: "Biometrics." It's a security "feature"

        I can see (and use) biometrics as a convenient way to "locally" gain access to a secret (like payment data, unlock an iPhone) but I'd never consider shared device for biometrics input. I have no business in exposing any of that to 3rd party (business or hackers). I have some level of trust to the way iPhone handles fingerprint data (someone would have to lift my fingerprints and use them only on my "paired" device) but any centralized scheme is a no go. Especially when considered how little is known with regard to how this biometric data is handled (and the more complex the biometrics the more likely it's not done in hardware outside OS access). For this reason I don't plan on using it with any other system (like MS' Windows Hello). Also, frequency and circumstances of access (like when driving) are major factors to weigh in the compromise between security and convenience. Why would someone consider using biometrics for a vending machine (instead of a CC) is beyond me.

  4. Jin

    Mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’?

    Biometrics follows “unique” features of individuals’ bodies and behaviors. It means that it could be well used when deployed for identification of individuals who may be conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this sphere.

    Being “unique” is different from being “secret”, however. It would be a misuse of biometrics if deployed for security of the identity authentication of individuals.

    Confusing “Identification” with “Authentication”, we would be building a sandcastle in which people are trapped in a nefarious false sense of security. However gigantic and grandiose it may look, the sandcastle could melt away altogether when we have a heavy storm.

    Video: Biometrics in Cyber Space - "below-one" factor authentication

  5. Anonymous Coward

    POS biometric devices infected by Russian malware

    How does this Russian malware get onto the devices in the first place. Of what use is a biometrics security device that can be remotely hacked. Who sold Avanti the kiosks in the first place.

  6. msknight

    Goes to prove....

    ...there's no such thing as a free lunch.

    But this one was more expensive than most!

  7. joshimitsu

    I was working on a similar system for schools ten years ago - USB based fingerprint reader which was sending our software the full image, which would then hash and register (if it's the registration console) or verify (if it's the kiosk).

    Thinking back I suppose there was a risk of children's fingerprints being stolen before they were old enough to even understand data security!

    1. Martin an gof Silver badge

      Thinking back I suppose there was a risk of children's fingerprints being stolen before they were old enough to even understand data security!

      It's a system being pushed by the school my own children attend. Their justification is that children can't be bullied to hand over their dinner money and can't lose their "charge cards". Apparently the children don't really like the system because it "goes wrong" so often - they are convinced it actually makes the dinner queue slower.

      Right from the start we weren't entirely happy with the company offering the machines, so our children (and a small handful of others) have never had their fingerprints registered. Looks like my default position of paranoia might have something going for it :-)


  8. fidodogbreath

    Corporate blackwhite has bad bellyfeel

    The linked Avanti Markets Data Incident Notification is brimming with the usual corporate newspeak that means the exact opposite of what it purports to say.

    "Avanti Markets deeply values the relationships we have with money of individuals who utilize kiosks supported by Avanti Markets."

    "We treat all personal information in a confidential the cheapest possible manner and are proactive clearly incompetent in the careful handling of such information."

    They're also setting up a hot line. Prediction: your call will be very important to them, and their menu options will have recently changed.

    But don't worry about Avanti, though; they'll be fine. They're lawyered up ("We retained [...] outside legal counsel to assist"), and their TOS requires customers to use arbitration, which will pretend to listen to both sides and then rule in favor of the company. However, victims can look forward to some lame credit monitoring from the lowest bidder.

  9. Stevie


    Biometrics are dumb, dangerous and dumb.

    I know I wrote "dumb" twice, but that just reflects the depth of my feelings towards this dumb technology.

    The idea is sound enough. It's every phase of the execution that has "fail" writ large upon it.

    Passports that can be stolen from feet away without leaving one's pocket, Photo IDs that requires the owner adopt facial poses never worn in nature and to doff pop-bottle spectacles needed to avoid walking into walls and idiot biometrics stations. And fingerprints, which have been demonstrably fakable since about one year after they were first adopted as a means of identification.


    1. kristensk

      Re: Bah!

      I registered to comment to this site just so I could up vote these comments

  10. Count Ludwig

    Repeat after me...

    A fingerprint is a username, not a password, and you can never change it.

    A fingerprint is a username, not a password, and you can never change it.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like