Slashdot Mirror
Fun with Fingerprint Readers
Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.
Can I buy the Gelatine at the Store and use it to falsely pay for my groceries? How convenient! :)
'mmmmmmmmm.... forbidden donut'
I'd rather that someone be able to go through a fair amount of trouble and fool the device, because if they didn't, then they might have to resort to cutting off my finger. Give them an easier way, and one that leaves me digitally intact!
Any way you look at it, it's still more secure than credit card numbers. Then again, you can always cancel your credit card number. What would you do here, cancel that finger, and start using another? You can only do that for so long...
Kevin Fox
Bill Cosby... As a security consultant? Yikes.
Mod me if I'm wrong, but this still sounds like a fairly secure system. Right now, any old bum can steal a credit card and run down to Safeway. With this, people have to put in a little effort to card that bottle of JD. There will always be holes.
Wow, this is a much better solution than I've been using, and much less bloody.
Need Free Juniper/NetScreen Support? JuniperForum
Bruce quotes research showing that you *can* fake fingerprints. Something that the vendors claim is impossible.
However, the kroeger system falls back to the old "bring something, know something" mode which makes it much more secure.
Sure someone can duplicate my fingerprint (how easy that would be to both do and hide when checking out is another point, but let's assume that it's reasonable to lift a latent print, make a mold and check through without the clerk noticing), but they still must know my pin.
This is no worse than the current system of debit cards with mag stripes on the back that are trivial to duplicate with not much more equipment.
It is, however, much more convenient.
Assuming I can change my pin to be something other than my telephone number, I'd use this system.
"His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional"
Bah! Too much work - I just wanna shape shift ala Mystique!
Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses
Yes - leave those purses out in the car so the guy stealing your stereo can get your credit cards too.
Kroger customer Mary Smith said she has a daughter in Katy who wants nothing to do with the finger image method of payment. She told her mother that it is "a way to get into your identity."
It's funny, Smith said, "you'd think it would be the old fart who'd be afraid."
This is funny because she doesn't appear to realize that her daughters fear is based on having more knowledge about technology and is justified fear. She is thinking "I'm not old- I'm cool and cutting edge." and that vanity is letting her opt in to a system where one day her checking account will be cleaned out by a bunch of tweakers who got her fingerprints off her car door and bought all the sudafed they could carry. Smart enough to build a meth lab - smart enough to make gelatin fingers.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
tsutomu@mlab.jks.ynu.ac.jp
someone is going to find a whole shitload of emails tomorrow morning
The last user will have left a latent print on the reader.
Used to be, you could just shine a flashlight into the reader and get enough contrast out of the previous user's print to satisfy some readers.
There have been improvements since, and it would never have fooled a live finger detector anyway. But it's a good example of low-tech bypassing of high-tech security.
How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?
Hacker Media
This certainly doesn't mean that biometrics based on fingerprints should be ruled out.
Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and pin should be used for any reasonable authentication.
Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.
I'd certainly rather use my finger than my RSA number keychain!
If a credit card database is compromised, you lose integrity of the card. This means someone else can use the card to impersonate you. But it's a number. You don't really care, since you can get another number and revoke the compromised one.
On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.
In general, biometrics are more accurate for authentication, but their failure modes are much more severe.
How about this?
You shop at a supermarket where your checkout is governed by your fingerprint. This works pretty well, for you... they store some personal info (CC#, name, address, etc.) and you just touch a pad to check out.
Now imagine that someone manages to replicate your fingerprint (which sounds like it will take about $10 and an afternoon). What do you do? If it were a credit card which had been stolen you could have it destroyed and reissued... but that doesn't work with your finger! Once someone spoofs your finger, it's over. You can never use your finger for ID again, because it's not certain that you're the only one.
That's bad.
Or how about this: Biometrics are easy. Really easy. I mean, you don't have to carry anything, you don't have to remember anything, it's great!
Which is why all kinds of places like video stores, restaurants, etc. would love it... they could make things more convenient for their customers and get faster customer service times, etc. The big drawback is that every transaction is indellibly associated with _you_. Right now, you can pay cash, give fake names, etc. and leave no trail as to what porn you rent, or how much cabbage you buy (you cabbage loving sicko!), but with super-convenient biometrics they know _exactly_ who you are every time.
That's probably bad too.
What's worse? Well, consider that you're pretty attached to your body in general. Though it's possible for you to get fake ID, a fake birth certificate, etc. there's very little in the way of a fake body you can get (plastic surgery aside, modifying the bits used for biomentrics isn't generally feasble - think retinal scans). So now, if for some reason you need a new identity, you pretty much can't have one. There's just no slipping through the cracks.
Why is that bad? Well, it's really only bad if you are doing something illegal, right? Sadly, "something illegal" often can be translated as "something politically unpopular". The idea that we should have the ability to change our government, by revolution if need be, is so deeply ingrained into the Western conciousness (and maybe the Eastern as well, though I don't know...)that it's not at all surprising you get creeped out by biometrics.
Behold the Power of Cheese!
On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.
Well, I've got ten fingers and ten toes. That makes me good for twenty lost body parts, if I can get my foot up onto the checkout without straining my groin.
Yours Sincerely, Michael.
Were these experiments performed for Starfleet? His presentation logo looks like the Starfleet logo.
Miko O'Sullivan
Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.
More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited the prosecution from testifying that two fingerprints "match." From this article: The answers, respectively, are "no," "no one knows," and "no."
I'm home sick and I don't feel like doing more research on this right now. The above links and Google will help if you want to look at it more.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Why is that bad? Well, it's really only bad if you are doing something illegal, right?
Wrong! What if you're in a witness protection program?
OR if you simply have a stalker and need to change your identity? Or if you have a shite name and you wanna change it. Or if things about you change, like you had leprosy but are now cured. Somone with outdated info will read you still have leprosy.
Your data is probably readily available from many sources, some of which will be insecure. You're screwed.
Liberty.
Ban gelatin.
How to fake retinal scans using mirrored contacts and laser etching. Story on next year's Slashdot.
I'm a Security Consultant and I'm currently working on purchasing and installing some Biometrics authentication system at my company. This probably makes me biased towards Bio, but at the same time, it also means I've been studying and contemplating the issue for some time now.
Biometrics, like any other system, has it's flaws. Schneier himself points out in a previous article "Biometrics is a unique identifier, not a secret". And now it doesn't even appear to be a unique identifier. So what gives?
What gives is that it's quite possibly the best system around, at least when compared to all the others. What are your alternatives? Passwords? Digital Certificates? Smart (dumb) cards? SecureID tokens? None of these are as unique to a user as a Biometric is. As a matter of fact, NONE of these are unique to a user - Certs are unique to the computer or card they reside on, the cards and tokens are physical objects that anyone can have, and finally your password everyone knows because you wrote it on a Post-It(TM) note on your monitor (or under the keyboard or tape dispenser).
Now, that doesn't mean you can blindly put a Biometrics system in place and call it a day. Installing a setting up Biometrics requires thought, consideration and risk analysis.
To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorigthm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.
Regarding anonymity, it will still exist. Nobody will stop you from going to the ATM and picking up cash before you head to the store to get the Goatse man's greatest gaps volume 16.
Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.
As for the "identification" issue with Biometrics, allow me to illustrate one simple point - most commercial Biometric fingerprint systems have a false acceptance rate of 1 in 100000 at most. Any decently sized organization compiling Biometric data will probably register a heck of a lot more. Identifying a user in a big population from a random biometric sampling is a data processing nightmare - that's why that whole Visionics video-camera-at-stadium thing sucked so bad. Biometrics however are really good for saying "My name is John Doe, and here's a fingerprint (or two) to prove it". Or, at a company case "my userid is jdoe and here's my fingerprint to prove it".
This problem is the identification (finding user in a population) versus authentication (verifying a claimed ID) problem, and it's much discussed in Biometric literature. God knows I've had to preach this one out about 600 times in the past few months when meeting with different departments.
So it really comes down to implementation, and alternatives. You can have your money tied to a credit card number, and when someone finds the receipt you threw away they can impersonate you at Amazon.com until the next bill arrives. Or, you can have it tied to you card, but need a fingerprint to access the card. The idea is enhancing, not necessarily replacing.
As a lot of you have heard, authentication/verification systems usually work with something you know (password, pin), something you have (token, smart card, mag card) or something you are (biometric). The best systems use all of the above.
Even then you still need to figure out your risk scenario. For your average office building with access controls at doors and other entry points a system asking for "userid" and "biometric" will probably be good enough. If you're running a DoD installation with nuclear weapons, I expect a system with ID check, Smartcard, 10 fingerprints, retina scan and password will be necessary (I hope).
Finally to address this cool gelatin crack - this is neat stuff. I'm glad to see that people are coming up with potential attacks - it makes the developers of this stuff work even harder to create systems that can't be fooled. The latest capacitive sensors I've seen might not even be fooled by this - they claim they read the second or third layer of skin, not the external one. But even if it does fool them, it won't in a few months.
Remember, biometrics are not your enemy - if anything they help keep your privacy stronger by providing better control of who gets to pretend to be you (imagine your PGP keys being protected by a passphrase AND a fingerprint or two). There will always be issues with this or any other system - I just can't think of one that will be better than a properly implemented Biometric system.
-Jack Ash
For any transaction where something ther than hard cash is accepted (and I am using transaction is a broad sense here, such as being able to enter a secured area for exampleas well as making a purchase), it is necessary to authenitcate the client, be it with a credit card number, signature, photo id, fingerprint, retinal scan, facial scan, DNA test, some other mechanism or a combination.
In all such transactions:
- Authentication is necessary. (ie the transaction requires at least one of these mechanisms).
- All the authentication methods are vulnerable - no security mechansim is perfect.
- All of these could be subverted by to invade your privacy.
However, if you can't use cash for your transaction or you prefer not to for the convenience, you've got to live with the authentication tradeoffs.
As pointed out, authentication is necessary for many transactions - there is no escaping this fact. So the best questions when evaluating the technology is RELATIVE to its alternatives.
So fingerprint readers can be spoofed easily (assuming you can get a copy of the finger you want to copy, which is not necessarily easy). Well credit cards numbers can be obtained and used fradulently; signatures can be forged.
None of these mechanisms are fundamentally good or bad. However, I believe having alternatives IS good for two reasons:
1. It provides competition between different authentication mechanisms so that people get a choice in what security/convenience tradoff they want to make.
2. Having multiple authentication mechanisms automatically increases the diversity of the authentication infrastructure which means that it is harder for an organisation to subvert because they need to coordinate your identity across multiple systems rather than having a single one.
In the scenario described (and many previous articles on the same subject at Slashdot), these new systems augment rather than replace existing ones. As long as this continues to be the case, I am more than happy for these mechanisms to exists and compete.
any decent security needs to include at least two out of "somthing you are", "something you know", and "something you have".
In this case "somthing you are" is a fingerprint.
"something you know" is a pin number or password.
"something you have" is typically something like a credit card, smart card, security fob, etc. This category doesn't apply to the case at hand.
So, once somebody replicates your fingerprint, all you need to do is change your pin number. Problem solved.
The first $10 gelatin trick requires you to have the original finger.
"Hey, let me use your finger so I can copy it and steal stuff with your prints!"
The second method that allows latent prints to be used requires more work. Still, if you have a laser printer, I'd estimate it runs only $50-100. And the costs of the trick can probably be reduced quite a bit.
As to the security issues: Prints alone = bad. Prints + PIN = Somewhat bad. But most crooks prolly aren't going to be that desperate.
It is probably best to use fingerprints as a method of correcting for the deficiencies of credit cards. i.e. verifying that the person with the card is indeed the owner.
It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #. Theft of a fingerprint no longer means you've permanently lost its usefulness, as it's only used in conjunction with other methods. Your only problem is that the next time around the thief only needs to yoink your CC # - But I have a feeling repeat strikes of CC theft almost never happen.
retrorocket.o not found, launch anyway?
that won't beat retinal scans which also check for blood flow...
Several people have pointed out the issue of key revocation (you'll find it very hard to type).
But what's worse in *this* particular case is the demonstration that latent finger prints can near-trivially be developed into a fingerprint glove that fools the device. Just picture it... A would-be thieve would watch you in the supermarket, picking up a bottle of Coke, put it back because you do prefer Mountain Dew after all. He picks up that bottle by the neck, pays for it with cash. From there on he could plunder your credit card.
Sounds scary to me...
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
I've experimented with a popular fingerprint reader.
If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate you can fake their print easily.
Either hold your palm closely over the plate, or breath gently over the reader. Enough to create enough warmth to simulate a finger.
With a little practice I could do it over and over. Quite fun giving a demo to security people!