Biometric Thumb Drives?
osopolar asks: "I work as a security analyst for a 10 billion dollar bank and we are currently looking for biometric thumb drives as emergency backup/recovery solutions for our local branches. We do not have IT people at every branch so the backup must be done by a branch manager, so the device needs to be easy to use. How would you back up information securely? What thumb drives do you recommend?"
1) To answer your question: Trek makes one that doesn't require external drivers. But it's only up to 512k and USB 1.1, and I can't find any indication to see if it actually encrypts the info. (My bet: no)
2) What kind of "security analyst for a 10 billion dollar bank" are you, and can you be put in a room with the rest of us who are answering this question that we might have a chance to kill you, take your salary and put an untrained monkey in your job?
3) Or are you just being clever and trolling for answers to a stupid idea your VP had?
If it's the last one:
Why Biometric? Biometrics are awful security. Terrible terrible terrible. The only advantage they have is, when it actually works, it works and a person doesn't have to think about it. And that's one of its problems: People should be thinking about security. After that, it's less reliable than passwords (which have a 100% pass/fail reliability) and the whole issue of not being able to change your biometrics. If someone figures out how to fake my thumb, my whole life is fucking over. I can't get new thumbs. (or a new face or whatever). And the other stuff that's been talked about ad nauseam.
Biometric thumb drives are even worse because anyone who wants what's "protected" on it just has to steal the thing. Given physical access to the device, it's trivial to circumvent the biometrics.
What information at individual branches is important that needs to be backed up? And why the hell isn't it being done already, and off site? Seriously. You're a "10 billion dollar bank". You should have private data lines between your branches and central computers.
And lastly, under what circumstances would you want backups done by unskilled people? I mean C'mon. Are you telling me that you don't know that these guys are the weakest link in your security anyway?
A better security idea would be to automate your backups through your private lines and disable all access to removable media drives in your whole company. Why you'd allow someone to be able to connect a USB drive to a computer that has access to information that needs to be protected makes my nerve endings hurt.
Okay, banks deal with money and businesses. Businesses being their main source of profit. How is it that a bank can see it as okay to not have an IT infrastructure that, at the very least, has a steady backup regimen?!?!? The answer is not finding some new gadget that'll let the branch manager wing it. The answer is to either have IT personnel available for such matters or to train existing personnel to do the job correctly. Backup is no insignificant endeavor and shouldn't be treated as such. What bank is this? I a) want their business and b) don't want to give them mine.
I have sitting in front of me a fingerprint USB flash drive from Adata. Cheap. Comes in capacities up to 2GB. Sturdy in a plastic sort of way, it would take abuse. Perhaps most interesting, there are no drivers to install; when you plug it in it runs the autorun code which does the fingerprint check and then runs up a tray icon with access to a number of utilities (e.g. email client) which are stored on the disk. Only takes up 7Mb of the space, the rest of which is available to you. Windows only, however. No fingerprint, no access to any of the files.
I've no idea how secure it really is against access, my bet is not very. However it might be possible to change the tray program to contain programmes of interest to you, and a TrueCrypt partition and driver software could be included for more security.
One biometric thumb drive I tested had no actual security. The Windows driver would ask it if it was authenticated and if no, would deny access. In Linux, it looked like a standard drive and 100% of the 'secured' data was trivially accessible with no authentication.
Another I evaluated did only slightly better. When in the unauthenticated state, it would report 10 sectors capacity rather than 8000 (OK so far). When authenticated, it reported all 8000. However, I then tried accessing sectors 10-8000 using raw SCSI commands while unauthenticated, and it LET ME DO IT! The 'secured' data was 100% available with no authentication. In fairness, when I noted this, the manufacturer sent me a one-off that did it right but I don't know if they ever put those changes into their production model.
Yet another actually denied access to the blocks when unauthenticated, but when the admin recovery procedure was used, it only erased the partition table. So all I had to do was 'recover' admin access then write in a reasonable partition table. All of the old data was available.
I never got around to cracking them open to see if I could bypass the drive emulation and dump the raw flash memory.
There MIGHT be a few drives that actually ARE secure, but too many of them are toys.
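
Added example (not part of any comment in this thread, and not any vendor's tool): an acceptance check for the reset behaviour described above, where the recovery procedure cleared only the partition table. It audits a raw image dumped from a drive after the reset and reports whether old sectors survive; the function names, the 512-byte sector size, the 7.0 bits/byte entropy threshold and the sample image are assumptions made for illustration.

```python
import math
from collections import Counter

SECTOR = 512                     # bytes per logical sector (assumed)
PT_OFFSET, PT_LEN = 446, 64      # MBR partition table location in LBA 0

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def is_blank(block: bytes) -> bool:
    """True for all-0x00 or all-0xFF (erased flash) content."""
    return block in (bytes(len(block)), b"\xff" * len(block))

def audit_reset(image: bytes) -> dict:
    """Classify a raw image dumped after the vendor's reset procedure."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    table_cleared = is_blank(sectors[0][PT_OFFSET:PT_OFFSET + PT_LEN])
    readable, opaque = [], []
    for lba, block in enumerate(sectors[1:], start=1):
        if is_blank(block):
            continue
        # Low entropy suggests plaintext; high entropy may be ciphertext.
        (readable if entropy(block) < 7.0 else opaque).append(lba)
    if not readable and not opaque:
        verdict = "wiped"
    elif readable:
        verdict = "partition-table-only" if table_cleared else "not-erased"
    else:
        verdict = "residual-high-entropy"   # confirm the key was destroyed
    return {"table_cleared": table_cleared, "readable": readable,
            "opaque": opaque, "verdict": verdict}

def sample_image() -> bytes:
    """Constructed 8-sector image: blank LBA 0, old data left in LBA 3-4."""
    record = b"BRANCH-0000 LEDGER BACKUP (constructed sample)\n"
    data = (record * 12)[:SECTOR]
    blank = bytes(SECTOR)
    return blank * 3 + data * 2 + blank * 3

if __name__ == "__main__":
    print(audit_reset(sample_image()))
```

A "residual-high-entropy" verdict is not a pass by itself: it is only acceptable if the vendor can show the data was encrypted on the device and the key was destroyed by the reset.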