The Future of Crime - Biometric Spoofing?
AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"
Nah! You can't reconstruct that data from minutiae!
Oh wait. You can...
CRAP!
Chas - The one, the only.
THANK GOD!!!
Did OJ Simpson sponsor this study?
When your fingerprints have been compromised (not very hard to do) you can't change them. For this reason, I don't think biometrics is a viable solution. A long passphrase is much better, in my opinion.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
...are the thoughts in your own mind.
Well, that's what I used to think.
No, you can't moderate me as paranoid.
Of course.
Really now, is that what you think?
He who knows best knows how little he knows. - Thomas Jefferson
Let's see.. I remember a very detailed Expose on these so called "borrowed ladders". Gee. You write a movie about it, and it takes almost 10 years for it to become a top news story on Slashdot. I also remember an eye-scan in a movie using a plucked eye. Spaceballs used an unconscious guard's hand. As well as the "removed hand". Even Scooby Doo, Daphne used powder makeup to bring out the pattern of a thumbprint on a scanner to unlock something or other.
meh
Always carry a pocketful of eyeballs and thumbs...and realize, at one point, those lil' orbs are going to accidentally fall out and you are going to be chasing those slippery rolling suckers all over the floor.
Where were you when the voynix came?
This adds further realism to Charlie's Angels.
Luck favors the prepared, darling.
For every one billion dollar solution, there is a five dollar way to counter it. The weak link is not even in the database - although collecting biometric data from 300 million people will be a real pain. Forging data is like stealing passwords, and once stolen, users are even less likely to set a 'secure password' or change the biometric signatures. So much for the brave new world.
Rise in Eyeball Mugging and Drive-by Thumb Stealing Blamed on Biometric-scanning vidiPods
Anyone who relies on biometrics alone is asking for trouble.
Fingerprint: not secure
Fingerprint + password: more secure
Fingerprint + password + voice sample: even better.
There are harder biometrics to reproduce, like the thermal patterns of your face. For highly secure areas, multiple biometric keys, a memorized password, a voiceprint, plus a physical key/card would be ideal. And of course there's the good old-fashioned trustworthy security guard to make it even harder for the wrong person to get where they shouldn't be (assume you're restricting physical access).
120 characters for a sig? That's bloody useless.
I've just completed my brilliant plan to avoid having my fingerprints stolen. It took a lot of alcohol and a lot of paper towels to stop the bleeding, but now all of my fingertips have been severed. It sure beats wearing gloves all of the time and I can make up some elaborate story of how I lost my fingertips in combat to impress the ladies. It's foolproof!
Now if you'll excuse me, I'm feeling a little light-headed.
Our faces and irises are visible and our voices are being recorded.
http://www.theatlantic.com/doc/200209/mann
Iris scanner - a million bucks
Glasses with a picture of someone else's eyeballs - $5.00
Stickin' it to da man! - priceless.
Blood. A mix of your DNA plus biomarkers. Of course if you've seen the movie, perhaps that too can be spoofed.
In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.
GetOuttaMySpace - The Anti-Social Network
Even when I was a little kid I had a low-tech method for copying fingerprints - I noticed that partially cooled hot glue was not that painful to stick my thumb into, and it retained most of the detail from my thumbprint. I never got around to developing a method for copying my thumbprint again so as to have a properly oriented image, but I wasn't that bent on committing a crime, either.
I predict security overall will actually get worse as time goes on, as guards rely blindly more and more on flawed technology and get less discerning because of it.
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
If you don't choose the cheapest ones on the market, then things are not THAT bad. Some scanners will take into account factors such as skin humidity, temperature, etc. Thus you can't just 'copy/paste' the fingerprint; nor can you chop off the person's finger.
Take a look at the unique identifier generated by the biometric scanner, some generate a 600b 'digest' of the finger, others need several KB (hence more valuable data are stored).
I don't know about other types of biometric scanners.. I wonder, how voice scanners handle such cases; i.e. what makes it impossible to record one's voice and play it back? Perhaps they acquire some special unique features of the voice and then require the person to read a randomly generated string of characters? (so there's no way to conduct a replay attack)
The saddest poem
As many have already pointed out, the best security uses a combination of two of the above. This is so because each one of the above has an inherent weakness.
FATMOUSE + YOU = FATMOUSE
I took your advice and now I have cut off all my fingers on my left hand. Now I am stuck. How did you do the other hand? Thanks for any help you can give.
The datacenter that I spend a lot of time in for work uses these biometric hand scanners. I've been told that they measure the bone density of various bones within the hand. If that is how they work then I'd think it'd be a pretty tough thing to fake. Anybody know if that is how they actually work? How reliable they really are?
I could beat some of the early biometric thumb print scanners with a pencil, pocket knife, and a couple of seconds. Wipe it clean, watch for someone to use it to log in, dust it with fine graphite, cover scanner with hand or shirt, press scan button.
The real question is what happens when the person does not have a finger print? I don't!
The state started scanning everyone's finger prints in to get a driver's license. I used a belt sander and an 80 grit sanding belt. 3 minutes and no more finger prints! They are dead skin, they come off easy.
Oh well, I never liked the whole biometric thing. A 10 character randomly generated password using a combination of upper case, lower case, letters, numbers, and special character works just fine for now.
--
Are you truly paranoid if they are out to get you?
"Even when I was a little kid I had a low-tech method for copying fingerprints - I noticed that partially cooled hot glue was not that painful to stick my thumb into"
I know that there is a certain related painful and sticky situation you also got into that you'd rather not tell anyone about as well.
Where were you when the voynix came?
Yep ... which is exactly what people who know anything about information security have been saying for a while.
People think that biometrics is some sort of magic bullet, because for years they've seen retina scans and fingerprint scanners on TV in all sorts of "high security" situations. But in reality, a fingerprint scan is probably not that much better than a good password -- it's certainly better than a shitty password, and in combination with a password it's probably better, but alone it's terrible.
The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.
The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In demolition man they make it clear that biometric ID might have flaws.
I actually thought it was quite funny how they suggested he could simply rip off someones arm to "mug" them.
Fingerprints and DNA are left everywhere we go...
I'm not so sure I wanna know what it is you're doing that's leaving DNA everywhere... : p
This guy's the limit!
If fingerprint sensors were any good, the TLAs would be using them to protect classified data. Instead, companies that have such data have been told that they are not to use fingerprint scanners for that purpose.
Given what happened to this BMW owner, I would suggest that no one with any sense should use biometric security to protect anything that is valuable to thieves.
Now that we revel in our genius that allowed us to solve every criminal puzzle, it is easier than ever to create the perfect crime. In our hubris of being on the edge of technology, we forget that people learn to lie with what used to be "objective evidence".
What is the perfect crime? One that cannot be solved? No. The perfect crime is one that is actually solved but with a different culprit than you. It is perfect in that sense that it closes the case. As soon as someone is locked up, the case is dropped. You're safe. They got a culprit, you go free.
Perfect crime.
Now, as we all know, if from nothing else but CSI and all those other criminal detective shows that spring up left and right, we all leave a billion of traces wherever we go. Fingerprints, drops of sweat, rubbings of our clothing, shoeprints, spit, you name it. No matter what you do, you can't help but leave a trace. Now, it seems that prosecutors take for granted that we don't know that we do it.
For example, take a cigarette stub found at the scene of crime. They take it apart and find a DNA sample and use it as THE clue to find the delinquent. How hard is it, though, to pick up a stub (or a few of them from an ashtray) and place it carefully at the crime scene to be found? There is hardly anything easier than that. Yet this is (way too) often one of the cornerstones of prosecution, because "witnesses can lie, objective evidence cannot". Yet here you have the perfect example of lying evidence. Because the real offender crafted the scene to fit the intended outcome.
I don't even want to imagine how many people are in prison, innocently, because they've been framed, and the prosecutors fell for the ploy.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well if it wasn't enough to worry about already. Social security numbers...addresses...birthdays...Now that hooker you were with anonymously can use your DNA to steal your identity! At least if you were dumb enough to leave the wallet on the counter while you were rinsing off hooker spit you could change your credit cards and such...can't really change your DNA...at least not without some radiation and rather dire consequences.
The only change I can believe in is what I find in my couch cushions.
You'll see it, day after day. At Star Labs, everyone with proper clearance peers into the little iris-recognizing window and presses their thumb on the panel. They are then permitted into the building. Sitting on a bench near the entrance you'll find Edward Scissorhands and Scott "Cyclops" Summers, forlornly begging everyone who walks by and enters the building to for once, break security protocol and just let them in!
Where were you when the voynix came?
In college I had a ceramics/wheel-thrown pottery prof who told a great story about fingerprints. He was a Raku(sp?) artist, which is a clay base that has a lot of sand in it... your pieces are more glass than stone. Additionally, you reduction fire it so your glazes come out with streaks of metal.. there's also some neat stuff with crackle and wood chip carbon filling the cracks. ANYWAY... think about it, this guy was doing his graduate work in an art medium that required him to have his fingers brushing against what amounts to sandpaper every day for several months. He was pulled over for speeding, and for one reason or another ended up going "downtown" to get printed (probably for being vocal about certain "pork related" professions - this was the 1960's). One minor problem, the Raku had filed off all his prints (temporarily). After much interrogation, and a night in jail, he was able to get a hold of his major professor to clear up the matter the next day. They assumed he was some sort of fugitive.
meh
To save everyone (everyone being a minority of /.'ers who RTFA) some time, the article itself is short and only vaguely points out that we leave biometric footprints everywhere we go. We're constantly audio/video recorded by both government and private industry cameras, leaving our fingerprints all over, and depositing our DNA on everything.
The long story short, as many will point out, is that biometrics are not a replacement for multi-factor authentication. However, it should be noted that the technology is improving, and eventually would not be a poor choice for a reliable "N-th" factor addition to physical security. Small gains are being made frequently in the reduction of false positives and negatives, "live finger" recognition (or real face, or actual voice, etc), and costs.
Additionally, anyone who is expecting this to be completely optional 10 years from now deludes himself. To say such a thing would be to become the person who believed computers would never become an integral part of everyday life, nor would credit cards ever really take off. You may be able to live without these things in your personal life, but the constantly shrinking and interconnected world cannot.
These technologies will be adapted by companies involved with such simple tasks as grocery shopping and other retailers. An interesting example? I was with my girlfriend at a Crate n' Barrel, and they require fingerprint login at their Point of Sale terminals. After asking why, the clerk told me that it prevents employees from logging in as other employees (through employee PIN) and giving massive discounts to friends. I'd say that's a pretty smart application of biometrics in this case.
Enjoy the Biometric revolution folks! It's happening right now!
The biggest problem with biometrics is after it is compromised it cannot be changed.
Sure, you have 10 fingers and 2 eyes, but when it comes to it you will never get ADDED security with a biometric only system.
Biometric + password + keycard is the securest solution.
something you are, something you know, something you have
As the phrase goes in the banking security industry.
Those have always been the only 3 options for establishing 'trust' with an unknown entity.
“Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
Identification is not authentication.
Biometrics are fine identifiers. They are unique and immutable.
Identification is not authentication. Not even close. Just because someone presents an identifier does not mean they are the authorized thing represented by that identifier. By their very nature, identifiers are promiscuous.
Lenina Huxley: That is correct, money is out-moded. All transactions are through code.
John Spartan: All right, so he can't buy food or a place to stay for the night. And, it would be a waste of time to mug somebody. Unless he rips off somebody's hand, and let's hope he doesn't figure that one out.
"You're everywhere. You're omnivorous."
All of these at once:
* A little piece of hair, saliva, blood sample (for DNA)
* A fingerprint scan, but it must have a warm pulse
* An eyeball scan
* A voice print
That might do it. Throw in a universal ID chip too. Analyze it all in under 5 seconds, and you're into the ATM booth...
And in some, too subtle to be picked up anywhere. (See: Nonexistent)
Chas - The one, the only.
THANK GOD!!!
Well, it's a dirty job, but I'll volunteer! ;-)
Chas - The one, the only.
THANK GOD!!!
This article says "A March 31, 2005 report in Malaysia's New Straits Times describes how a luxury car owner, Mr. Kumaran, was attacked by a gang of car thieves. His ordeal was apparently made worse because his S-Class Mercedes Benz was equipped with a biometric lock that prevented the car from being started without authentication by his finger or thumb print. At first the thieves had Mr. Kumaran start the car using his fingerprint. Then they took him, along with the car, to a chop-shop where they had hoped that the security system could be bypassed. When they decided that they couldn't override the security and that the fingerprint was required, they took Mr. Kumaran's left fingertip and dropped him off along the roadside where he was eventually able to find medical help."
I guess I'd prefer to have the bad guys to use a reasonable facsimile of my finger, retina, etc. than to have them use the real thing.
"How to Do Nothing," kids activities, back in print!
It's just like any other security technology, nothing special. I never understood why people hold biometric data in such high regard as a security measure. Though it's true the average person probably can't spoof your data, it's rarely the average person that wants to. I'm sure if the technology becomes more popular there will be the usual war between hackers and spoofers and the security industry. To its credit I find it more likely that my roommate could guess a password than spoof my fingerprint, though that could easily change in the future.
Haiku for you!
Don't get me wrong, I'm not pro-people by any stretch of the imagination, except when it comes to security. Sure people are lying, crooked, cheating, thieves, but they're still a lot smarter than computers. The question needs to be are we turning our information and lives over to the security of an algorithm, or to a person? The bank teller used to know your name, and that worked, then we needed photo ID's, then we need biometric ID's, smartcards, magnetic cards, backed and controlled complicated computer systems (outsourced to India), and now our money is less secure.
I'm designing a development lab for some programmers. They work on a closed system, not in any way connected to the outside world or internet. It exists on a highly secured base. It is guarded by guys with big guns. Only about 10 people need access to the room. They wanted PKI and smartcard verification for login. Uh, dudes, you'd be better off just telling the guys with the guns to shoot anyone he doesn't know and keeping the door locked.
Sometimes, simple is better, and every once in a while, people are more capable than the machines they work on.
The first edition I've seen is dated 1928, but I think it was initially published nearer to 1900. The idea has been around for a while.
I am not a crackpot.
Honestly, there will never be a truly perfect authentication solution. Fingertips can be taken just as easily as passwords.
Even retinal scans are permutable. So I think you have to consider biometrics as a single factor in multi-factor authentication. If looked at as another layer in your defenses and not a defense in and of itself, then it becomes useful.
(%i1) factor(777353);
(%o1) 777353
Yep, and I just picked up a copy of Gattaca for $5 yesterday...
Coincidence?
It almost implies that if something is science-fiction it will become reality. It is more the other way around. If something is done, somebody will have written about it in SF.
As of yet there is no positronic brain. There is no HAL 9000. I am sure a multitude of SF things can be found that have not and never will be invented.
This will be no different than 'predicting' the future in any other way. Do enough predictions and some will fit. Do them more generic and it will come out even more.
Now that I think about it, that is how the patenting system now works.
Don't fight for your country, if your country does not fight for you.
"There are harder biometrics to reproduce, like the thermal patterns of your face."
Hope you never have a fever.
If you put the security by biometrics, it means that anyone that *REALLY* wants to break in will need.... you!
Are you right sure you want to expose yourself to such a threat?
Need eye identification? How tempting is that to take the eye of the person?
I won't risk myself on this, I prefer a usb key containing an RSA key or so and a good password....
Hope you're not going to work with a fever :p
So far as I know, the *patterns* don't change, just the temperature. Sufficiently intelligent software could compensate.
120 characters for a sig? That's bloody useless.
It doesn't matter which type of security you have, usually it gets compromised because of these 2 things:
Administration and the human being. It's too difficult to manage a 2000 or even 200 member authentication database. The simplest administration is just not done because it is tedious or takes too much time. For example: single time sign on, a user can only be logged in once anywhere or time constrained logons, there is no reason an office employee to login in the middle of the night on the other hand, the graveyard shiftworkers in the factory don't need to come in at 12am and it's not necessary for any employee to be logged in longer than 10 hours (except if you work in the IT department)
But those limits are not being set or used while they were in every single security system before I was even born. Why: it's too tedious work on the side of the department manager or supervisor, it's too much work and administration to let it be done by IT-persons and it's too boring, expensive and sensitive to let it be done by a low-wage computer operator. Automation still needs input from workers or integration between one or more closed source systems.
On the other hand, you have the human being that lets everyone into the building, security guards that think you work there because they've seen you before, meeting rooms filled with all-open network connections and a bunch of people that write down their password on a sticky note, even if it's as simple as their husband's name, brand of monitor or keyboard or something else.
I am a security administrator and I am very picky. I ask everyone that comes in to swipe their badge, I rip off all sticky notes with anything that looks like a password and I reset the password everytime I get to know someone's password because they yelled it throughout the office. People get angry at me, I know, but it's their own fault. Nobody is an administrator on the computers I gave them, the site coordinators have only administrator access to limited options and if possible, I enable the encryption modes on devices.
I myself have unlimited administrator access and walk around the hallways without a badge showing. I test physical security and although it's not my responsibility, it's inherently broken because nobody gives a damn. We have to follow Sarbanes-Oxley according to the law and we have implemented it all too well, audits happen every 1, 3 and 6 months by respectively internal, external, governmental audit bureaus but although implemented in our financial systems and it comes out good every single time, I can still manipulate the systems without anyone noticing. When I get out, there is no audit trail, there is no replay, log or anything that can track it back to me, but the values have been changed in the database.
Custom electronics and digital signage for your business: www.evcircuits.com
I realize everyone says that biometrics isn't a secure authenticator by itself, but wouldn't you say a retinal scan would be a bit harder to copy than a key? I would think biometrics are just as reliable as an rfid card or a key right now, but much more convenient. I think that's the ultimate issue here, is convenience, because it's easy to lose a key, but how often do you misplace your eyeballs??
- Something you know (a password, an answer to a question that requires private knowledge, a PIN number),
- Something you have (an RFID card, a secureID token, a bank card)
- Something you are (fingerprint, DNA, retina, brain wave)
Any *one* of these metrics is too easy to bypass. Any system that requires security should use *at least* two of these factors for authentication (eg, banks use a card + a PIN). Being able to just swipe your thumbprint to enter a secure area is bad. Having to swipe it *and* know the password is not as bad - if the thumbprint is compromised, they still need to know the password. If the password is compromised, they still need your thumbprint. Hopefully you will discover that A is compromised and rectify it before B is compromised as well. If you had used all three types, you would have also had to lose your security token - something that should be noticed and replaceable quite quickly.
Data will use biometric spoofing to take over the Enterprise in 2367: http://en.wikipedia.org/wiki/Brothers_(TNG_episode)
So, this problem is apparently here to stay.
If we link this story together with the president's veto of the Stem Cell Research and Clinton's Clipper program we begin to see the trend.
They (NSA/CIA/etc) have already developed stem cell research to the point that they can make biometric fakes of anyone. Obviously they want to push for extensive use of biometrics while keeping this ACE in their pockets. In the future we will no longer be using complex things like 1024 or longer keys to encrypt messages. We will be using biometric keys which now they can very easily break.
Biometrics can be uber-secure and virtually impossible to crack or spoof, but no one with an incentive to generate consulting income will figure out how ... or even imply that it is possible. D&T just wants to create FUD, then charge obscene rates to advise you that the more money you pay them, the better off you will be.
I'm sure there are ways to change the pattern temporarily. Sunburn on your forehead only, like I have now, should change the pattern. I imagine a bruise on your cheek could change it too.
Fingerprint + password + voice sample: even better
If you accept the concept of being able to spoof biometrics, finger and voice prints were mentioned as possible ones in the blurb, then this "even better" security really falls back to the "simple" password security.
I would still prefer security I can modify and change easily rather than security that is part of me.
I don't see things in black and white; I see the gray. Heck, I actually see in color, which makes things more difficult
fingerprint == username
something else == password
Your username is easily seen, easily copied, and not kept secret, it's just convenient to use something that's hard to lose (i.e. your fingerprint) for it. I might even want to have a copy of my fingerprint on a keyring or something that I can give to someone who I'm authorising to act on my behalf.
The password part should be something you can change if someone gets ahold of it. Possibly even an actual password, or PIN number, or whatever.
Unfortunately, at places like my local grocery store, they're using fingerprints as combination username and password -- one swipe and you've paid. This is a Really Bad Idea in my book. I mean, all someone has to do is follow you to a restaurant, pretend to be a bus boy, grab the glass you were using, and transfer a fingerprint to a piece of Saran wrap, wrap it around their finger, and buy out the grocery store on your credit card.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
I mean really. My voice changes all the time, sometimes quite often. I smoke and in the morning, my voice is quite deep. If I get a sinus cold or the flu, my enunciation is different. If I am under a lot of stress, it changes again - a fact some commercial lie detectors claim to be able to detect. So I'm not sure voice recognition would fly.
Iris patterns? You've heard of the infamous double swipe, sometimes accomplished by a card scanner device placed over the top of the legitimate one. How long before criminals are collecting your iris patterns using a fake eyepiece over the top of the real one? Fingerprints? Did you know that, either through accident or genetics, about 2% of people leave no usable fingerprints? Life can get very difficult already for these people, without the added problem of "access denied".
For biometrics to truly work, it will need to be a combination of things, as previously suggested, plus a PIN or password. Which combination it will turn out to be, who can say?
Someone get one of those fingerprint eraser things from Men In Black in here, STAT.
One other thing that never seems to get discussed in these biometrics debates is the issue concerning what comes out of the devices. The scanner (fingerprint, iris, whatever..) has to output something, a hash of the analog input. Now if that isn't also crypto'ed in a secure manner (and I suspect that in many cases it isn't) then someone grabbing the output from the device can turn around and mimic the device and assume identities at will. This would be the biometric equivalent of what we've seen with ATMs (false fronts capturing data and using it later). As devices become more ubiquitous this will become more serious unless manufacturers take security seriously ... but they won't if history is any indication.
I've always thought the following would be a good system:
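As an added example (not written by any commenter in this thread), here is a minimal defence against the replay problem raised above, both for a recorded voice sample and for captured scanner output: the verifier issues a fresh single-use nonce and the sensor returns an HMAC over the nonce and its digest. The `Sensor` and `Verifier` classes, the pre-shared per-device key, and the exact-digest comparison (real matchers compare templates with a tolerance) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Sensor:
    """Scanner side. Holds a per-device secret provisioned at install (assumed)."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def respond(self, nonce: bytes, scan: bytes):
        # "a hash of the analog input", as the comment above puts it
        digest = hashlib.sha256(scan).digest()
        # Bind the digest to this one challenge. Nonce (16 bytes) and digest
        # (32 bytes) are fixed length, so the concatenation is unambiguous.
        tag = hmac.new(self._key, nonce + digest, hashlib.sha256).digest()
        return digest, tag


class Verifier:
    """Host side. Issues challenges and accepts each one at most once."""

    def __init__(self, device_key: bytes, enrolled_digest: bytes, ttl: float = 30.0):
        self._key = device_key
        self._enrolled = enrolled_digest
        self._ttl = ttl
        self._pending = {}  # nonce -> time the challenge was issued

    def challenge(self, now: float) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = now
        return nonce

    def verify(self, nonce: bytes, digest: bytes, tag: bytes, now: float) -> str:
        issued = self._pending.pop(nonce, None)  # pop makes the nonce single-use
        if issued is None:
            return "rejected: unknown or reused nonce"
        if now - issued > self._ttl:
            return "rejected: challenge expired"
        expected = hmac.new(self._key, nonce + digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if not hmac.compare_digest(digest, self._enrolled):
            return "rejected: no match"
        return "accepted"


def naive_verify(enrolled_digest: bytes, digest: bytes) -> bool:
    """Weak design for contrast: the bare sensor output is the credential."""
    return hmac.compare_digest(enrolled_digest, digest)


def run_demo() -> dict:
    key = secrets.token_bytes(32)
    scan = b"constructed-sample-scan"  # constructed stand-in for sensor data
    enrolled = hashlib.sha256(scan).digest()
    sensor, verifier = Sensor(key), Verifier(key, enrolled)
    results = {}

    # Live login: fresh challenge, answered by the real sensor.
    n1 = verifier.challenge(now=0.0)
    digest, tag = sensor.respond(n1, scan)
    results["live"] = verifier.verify(n1, digest, tag, now=1.0)

    # The same bytes, recorded off the wire and presented again later.
    results["naive_replay"] = naive_verify(enrolled, digest)
    results["replay_same_nonce"] = verifier.verify(n1, digest, tag, now=2.0)
    n2 = verifier.challenge(now=3.0)
    results["replay_new_nonce"] = verifier.verify(n2, digest, tag, now=4.0)

    # A genuine response that arrives after the challenge has expired.
    n3 = verifier.challenge(now=5.0)
    d3, t3 = sensor.respond(n3, scan)
    results["late"] = verifier.verify(n3, d3, t3, now=100.0)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

This only stops replay of captured sensor output; it does nothing against a physical copy of the finger presented to a genuine sensor, which is the liveness problem other comments discuss.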
For high security stuff, verifying identity for loans etc:
- You talk to the bank, tell them you want the loan, etc.
- Bank calls government and says "hey, we need you to verify that this guy is
- Government gives bank a transaction number, which they give to you.
- Government buildings (post office, police station) have biometric scanner monitored by a cop.
- Cop makes sure you're not carrying a severed finger or something.
- You enter your confirmation number and your password. Cop does the same.
- Machine sends a hash of your fingerprint and password to government, who compares it with the hash they have on file.
This system wouldn't work well for regular transactions like buying groceries, but for that we could introduce a second password. if that gets compromised, you just go through the first process to change that password. An even more complicated process if your main pass gets stolen.
This eliminates the following concerns:
1) Somebody spoofs your fingerprints. He still needs your password to do anything, and that cop will totally kick his ass.
2) Somebody hacks the database. All they have is the hash. They could fake the output of the device, but they'd need to pay off the on-duty cop, or steal his data too.
Did I miss anything?
As a republican I feel it my responsibility to manufacture criminals. People need punished!
Anyone remember the movie "Sneakers"?
Ahead of its time...
Private parts fingerprinting! I am pretty sure the lines on a scrotal bag, or in a vulva lips are unique just as fingerprints. And unless you're too promiscuous, I don't see anyone leaving impressions of those parts everywhere. The only thing I need to solve before I apply for a patent is the ergonomics. Hey Guys, get ready to see me next year on the cover of Time Magazine as the man of the year!
Your ad could be here!
We get all the way to Philip Dick once we have "Fake Biometric Spoofing" designed to look like real biometric spoofing to biometric spoofing detectors.
This is why you should cover your mouth when sneezing or coughing. In a world of tomorrow you could end up logging into every computer in the office with one mis-placed sneeze.
:D
Also taking the piss will become a common hacker pastime
Are hairdressers secret DNA thieves of tomorrow!
They can clone Dolly the sheep - so key duping is possible
Bottom line will end up using and going thru so much red tape, might as well just use your brain. Though that said hypnosis is clearly doable upon that CPU and given the brain has some of the best biometric controls going. I'd say nothing is perfect. Easier to trust nobody and plan around security issues so that they're moot.
Prospect though of in this hot weather logging in, locking your terminal and coming back from lunch having caught a bit of sun for the computer to refuse you access as you look different
BTW EVERY computer already has the ultimate security control built into them, have done since the very first computers. It's called the off switch.
So rather than leave your computer idling on the net working out when the globe will overheat, whilst adding to the problem - just turn it off. There, secure computer. Cooler planet.
On a final note - when they can make a catflap that will only let your cat in thru biometric data. Then and only then would I consider it consumer usable. Until then I'll use a password and avoid some mugger having to pull my eye out, drain my blood and chop my finger off as he knows it's a biometric laptop
We are leaving our prints everywhere so the chance of someone lifting them and copying them is real.
These days, we also have to worry about someone lifting and copyrighting our prints. And then suing us for infringement when we lift a glass of something.
And if we leave some hair or skin cells behind, we'll find that our DNA is patented and we're hauled into court for yet another violation.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Not spoofed, but stolen easily enough. Just collect somebody's razor from a shower, or their female sanitary napkins, or whatever. There's plenty of ways to get blood from a target.
I've even seen (deservedly) famous security people miss the point of biometrics because they're stuck thinking in terms of passwords.
Your facial geometry, voice print, fingerprint and so on are never expected to be secret and don't have to be secret. It makes sense to talk of a password being "compromised" and having to be revoked, because the value of a password is its secrecy. Keeping the password secret compensates for the fact that it can be reproduced by the millions and presented by anybody.
The fundamental assumption of passwords is that they're unique because they're secret. The fundamental assumption of biometrics is that they're unique because they're attached to you.
Attacks on biometric readers depend on breaking that assumption. Threat: photograph of iris, Countermeasure: security guard who will get curious if someone holds a photo up to the iris reader. Threat: severed finger, Countermeasure: security guard who gets curious when someone holds a bloody severed finger up to the reader. Security in a biometric system comes from accurate detection of live, non-coerced humans and not from secrecy. For heaven's sake, you don't keep your face secret but you still get people identifying you accurately based on it.
I'm sure it's been mentioned many times, but there is no perfect encryption. Today, people get their cards cloned every day by careless businesses that leave data lying around. I don't know about you, but I can't change my thumb print or my retina. (Minority Report is still a ways off.) Thumbprints can be captured with a digital camera from nearby without contact, for example. You can't do that with a credit card in someone's wallet.
So, if you carry that programmable HP chip on you in lieu of an RFID and you use that in conjunction with biometrics. If your 'password' on the chip is ever compromised, it can be fixed. It could even be implanted.
Fingerprint + password + voice sample: even better.
"My voice is my passport. Verify me."
Most of the comments (and the article) are ignoring the current state of the art and future directions in finger biometrics (notice I didn't say fingerprint).
Until recent developments with biometric spoofing, biometric sensor companies were not focused on preventing spoof attacks, gummy fingers, and other forms of compromise. But now they are. The current generation of fingerprint sensors just being deployed now are much more difficult to spoof. The next generation will be close to impossible to fool because they are collecting and matching finger data below the surface of the skin.
This means that latex/gummy fingers can be detected, dead fingers can be detected, and people with difficult fingerprints (no fingerprints or individuals with low pitch fingerprints) can be uniquely identified.
Sub-dermal structures are not "left around" and 3 dimensional structures will be extremely challenging for even an advanced attacker to duplicate. At that point attackers will find other less challenging weaknesses in the security structure.
I continue to believe that the most useful application of biometrics is in unlocking a cryptographic credential in a USB device (or smart card) format. Two-factor, security, and convenience in one device.
Some references. Unfortunately many biometric sensor vendors are not willing to tout their anti-spoofing technologies for fear of being attacked.
Authentec's True Print technology
http://www.authentec.com/technology.cfm
Lumidigm's multispectral imaging (MSI)
http://www.lumidigm.com/antispoof.html