Slashdot Mirror
Biometrics: Prepare to be Scanned
npistentis writes "From an
article in the Economist: It has been a long time coming. But after years of false starts, security systems based on biometrics--human characteristics such as faces, hand shapes and fingerprints--are finally taking off. Proponents have long argued that because biometrics cannot be forgotten, like a password, or lost or stolen, like a key or an identity card, they are an ideal way to control access to computer networks, airport service-areas and bank vaults. But biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost: biometric systems are expensive compared with other security measures, such as passwords and personal identification numbers. So while biometrics may provide extra security, the costs currently outweigh the benefits in most cases."
The time it takes to make a perfect duplicate is about 15 minutes (with special material it can be reduced to less than 10 minutes). To make a duplicate of a lifted fingerprint took me several days in 1992 and I had to do a lot of experiments to find the right process/technique. Now it takes me half an hour and the material costs are $20 (also sufficient for about 20 duplicates), the only equipment you need is a digital camera and an UV lamp. Not only do I now make the duplicates in a fraction of the time, but also the quality is better.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
I think you need to look into security principles. As you say, a lone password is easy to compromise, so is a lone biomtric. However, any truely secure system needs to use multiple forms of identification - preferably two or more of the following:
- something intrinsic (a biometric, dna scan, etc)
- somethign known (a password)
- somethign kept (a security card)
By having more than one step involved, the system is much more secure than any individual part. Somesteals your backcard - but do they have your pin? Or, someone sees your pin - but do they have your card or account number? PINs are actually very simple and easy to break (thoeretically), but are pains to break in reality because of the Other required piece of the puzzle, the bankcard, and how false authentications lead to the removal of the card (most ATMs shred your card after a few false PINs are entered).
similarly: Just because someone steals your face, how will they get ahold of your new bankcard?
After that fact comes the fact that most biometrics are hard to fake - fingerprint scanners these days can be made smart enough to check the temperature of the item placed on them - and some are even smart enough to look for normal temperature differences and gradients within the skin surface, and refuse authentication to 'fingers' that are too regularly or irregularly warm. Some very high end systems look for capilary blood flow... Most facial systems are smart enough to refuse a photo held up of your face, and carrying around a stiff 3d mask of someone's face is kind of obvious.
Also, the fact that every type of scanning device on the market practially has a different data format for the biometric data (which is all one-way, you can get the data from a fingerprint, but not the other way around), and spoofing the data becomes more restrictive - a spoof of, say, visa's system wouldn't work against mastercard's (unless they were using the same equipment).
Having said all that, I'd still like it to be pin+card+face/fingerprint rather than card+biomtric. Biometrics should be used to Enhance security, not replace known or kept-item security methods.
man is machine
It seems that these sorts of sensors can be fooled using a geletin finger.