Slashdot Mirror


Another Setback for Biometric Passports

trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."

11 of 70 comments

  1. Precision & Recall by eldavojohn · · Score: 5, Insightful

    The biggest setback to biometric security is that few companies post the actual numbers concerning their precision and recall.

    Before I ever buy into a biometric security device, I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

    Their sites should have a slider that goes between zero and one with the resulting number. That way, I would know how many times out of a hundred my guards are going to let Bin Laden Jr. through my security check points. But I also want to know how many times my guards are going to throw Grandma-down-the-street against the hood of a car and arrest her for being a dead hijacker from an infamous attack. Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative. Every white paper I've read on this issue makes certain that they include these figures at the end of their paper.

    Because if you hit the production line, these numbers are all that matter to your consumer.

    --
    My work here is dung.
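
The trade-off described in the comment above, as an added example that is not part of the original post or of any vendor's published figures: it sweeps the accept threshold of a matcher and picks the operating point that maximizes the F-measure for several values of beta. The scores are constructed, and it assumes a verification setting in which a "positive" means accepting the claimed identity.

```python
# Constructed matcher similarity scores (not measurements of any real product).
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.75, 0.72, 0.66, 0.58]   # same person
IMPOSTOR = [0.70, 0.62, 0.55, 0.49, 0.41, 0.35, 0.30, 0.22]  # different person


def rates(threshold):
    """Precision, recall and error rates when scores >= threshold are accepted."""
    tp = sum(s >= threshold for s in GENUINE)    # genuine holder accepted
    fn = len(GENUINE) - tp                       # genuine holder rejected
    fp = sum(s >= threshold for s in IMPOSTOR)   # impostor accepted
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / len(GENUINE)
    return {"threshold": threshold, "precision": precision, "recall": recall,
            "far": fp / len(IMPOSTOR),           # false accept rate
            "frr": fn / len(GENUINE)}            # false reject rate


def f_beta(precision, recall, beta):
    """F-measure; beta < 1 weights precision, beta = 1 weights both equally."""
    b2 = beta * beta
    denom = b2 * precision + recall
    return (1 + b2) * precision * recall / denom if denom else 0.0


def best_operating_point(beta):
    """Threshold (taken from the observed scores) that maximizes F_beta."""
    candidates = sorted(set(GENUINE + IMPOSTOR))
    scored = [(f_beta(r["precision"], r["recall"], beta), r)
              for r in map(rates, candidates)]
    score, point = max(scored, key=lambda pair: pair[0])
    return dict(point, f_beta=score)


if __name__ == "__main__":
    for beta in (0.1, 0.5, 1.0):
        p = best_operating_point(beta)
        print(f"beta={beta:<4} threshold={p['threshold']:.2f} "
              f"F={p['f_beta']:.4f} FAR={p['far']:.0%} FRR={p['frr']:.0%}")
```

On this data, moving beta from 1.0 down to 0.5 shifts the best threshold from 0.58 to 0.72: false accepts drop from 25% to 0% while false rejects rise from 0% to 25%.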
    1. Re:Precision & Recall by voice_of_all_reason · · Score: 1, Insightful

      Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative.

      Because it's not their problem...

      //nyuk nyuk nyuk

    2. Re:Precision & Recall by dazedNconfuzed · · Score: 3, Insightful

      Another angle:

      Statistics mean nothing when they happen to YOU.

      --
      Can we get a "-1 Wrong" moderation option?
  2. It will never be safe. by IAAP · · Score: 4, Insightful
    These things will NEVER be completely secure. Someone will always figure a way to hack them.

    Eventually, folks will realize that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherent risks. Without those risks, life would be waaayy too fucking boring - for me anyway!

    1. Re:It will never be safe. by Corbets · · Score: 2, Insightful

      While there is some element of truth to that, it's far from the whole story. By that argument, why have speed limits? Why restrict the sale of weapons to children? Why have any security at an airport whatsoever?

      Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.

    2. Re:It will never be safe. by IAAP · · Score: 2, Insightful
      Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.

      The thing is that we're, as a society, so concerned with risks that are quite rare and completely oblivious to risks that are not so rare - heart disease, lung disease, etc.... The odds are we'll die or, worse from my perspective, become disabled from one of those diseases; which can be mitigated with diet and exercise.

      I actually know some folks in health who actually think that McDonald's, Coke, etc. should be restricted because of their impact on public health. That's how overboard people are willing to go to keep us safe. I resent that I would get a $50 ticket for not having my seatbelt because "it's for my safety". That's true, but that's my problem and my family's. Having laws and using police to act like my mommy is a complete waste.

      As far as airport security, I'd rather have none. We don't need it. One, it's not that effective, and two, if anyone actually tried anything, they'd get their asses kicked - see Richard Reid. In the meantime, my civil liberties have had one more chip taken out of them.

      I guess that's where you and I will disagree - I'd rather err on recklessness.

    3. Re:It will never be safe. by wfberg · · Score: 1, Insightful



      I propose a 2D datagram that uses 256 values of greyshades that stores biometric information such as the distance between your eyes, the shape of your head, etc.

      I endeavor to make this datagram human readable.

      I shall call it.. the photograph.

      --
      SCO employee? Check out the bounty
  3. Er.... by brunes69 · · Score: 3, Insightful

    I think you missed the point.

    The point is not that people who crack it can make fake cards (which they *can*, but anyways...), it is that people can read the info off my "secure" biometric ID card from a relatively long distance and use it to steal my identity, for any reason whatsoever.

    I mean, 10m? Some guy could set up a listening post outside my office and read it all through the wall at 10m. The capacity for identity theft is very alarming.

  4. My card reeks data by spyrochaete · · Score: 4, Insightful

    No private information should be made available over RFID. If that information has to be transmitted or broadcasted in any way, it should be from a patchable computer system that can change to reflect up-to-date security fixes. Otherwise, as soon as the encryption scheme is cracked, you could just walk down the halls of an airport for 10 minutes and record thousands of IDs.

    Everything gets cracked. In this day and age even "security" is "security through obscurity". RFID is a fantastic technology but it shouldn't be a transmission vector for information of value. That's like visiting a bank in China and yelling your PIN in German, hoping nobody will understand. RFID should only be used for asset tracking, broadcasting otherwise useless data like serial numbers.

    Why do we need RFID for passports anyway? Is it so hard to swipe a card? I wager it's just to give citizens the illusion of privacy while they are scanned from afar. I hope the decision to incorporate RFID - for passports, clothing, or anything people carry - will be debated profusely by governments before being adopted. I think many countries' constitutions are in conflict with technologies of such invasive potential.

  5. Fingerprint authentication is a bad idea by Orange+Goblin · · Score: 2, Insightful

    So normally when your password is compromised, you change it and try and be more careful next time. What happens when it is possible to duplicate a rubber finger from a fingerprint - done in films, but is it possible now? I don't know. You can't change your fingerprint, so do you just leave it as it is and let whoever it is keep their access?

    1. Re:Fingerprint authentication is a bad idea by SeekerDarksteel · · Score: 5, Insightful

      And this is why I think that ALL machine readable biometric measures will eventually fail. The inherent problem with all biometrics is there is NO method to resecure your authentication method once a compromise has occurred. If someone steals your password you can change it easily. If someone steals a physical key, the lock can be replaced. (A bit costly, but doable). If someone steals your fingerprint, from that point on for the rest of your life you cannot be guaranteed security in a process that uses your fingerprint as authentication. Worse yet, you leave your fingerprints EVERYWHERE. I don't know about you, but I don't leave hundreds of copies of my passwords lying around every day. There's also the argument that it isn't feasible to create fake fingers to pass fingerprint authentication with someone else's prints, but the data has to get digitized somewhere. Once it's all ones and zeros someone doesn't need to create a fake finger. They just need to figure out the right place to put their ones and zeros.

      --
      The laws of probability forbid it!