Slashdot Mirror


The Future of Crime - Biometric Spoofing?

AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"

22 of 134 comments

  1. Immutable, too. by Poromenos1 · · Score: 5, Insightful

    When your fingerprints have been compromised (not very hard to do) you can't change them. For this reason, I don't think biometrics is a viable solution. A long passphrase is much better, in my opinion.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  2. hmm.. by bigattichouse · · Score: 5, Interesting

    Let's see.. I remember a very detailed Expose on these so called "borrowed ladders". Gee. You write a movie about it, and it takes almost 10 years for it to become a top news story on slashdot. I also remember an eye-scan in a movie using a plucked eye. Spaceballs used an unconscious guard's hand. As well as the "removed hand". Even Scooby Doo, Daphne used powder makeup to bring out the pattern of a thumbprint on a scanner to unlock something or other.

    --
    meh
  3. I am prepared by krell · · Score: 5, Funny

    Always carry a pocketful of eyeballs and thumbs...and realize, at one point, those lil' orbs are going to accidentally fall out and you are going to be chasing those slippery rolling suckers all over the floor.

    --
    Where were you when the voynix came?
  4. All right! by Nijika · · Score: 2, Funny

    This adds further realism to Charlie's Angels.

    --
    Luck favors the prepared, darling.
  5. Re:The only thing safe and secure... by Billosaur · · Score: 2, Funny

    ...are the thoughts in your own mind.

    That's what you think!!! (Pulls tin hat tighter around head)

    --
    GetOuttaMySpace - The Anti-Social Network
  6. Slashdot 2015 by kkiller · · Score: 3, Funny

    Rise in Eyeball Mugging and Drive-by Thumb Stealing Blamed on Biometric-scanning vidiPods

  7. Biometrics should be an *added* level of security by PFI_Optix · · Score: 2, Interesting

    Anyone who relies on biometrics alone is asking for trouble.

    Fingerprint: not secure
    Fingerprint + password: more secure
    Fingerprint + password + voice sample: even better.

    There are harder biometrics to reproduce, like the thermal patterns of your face. For highly secure areas, multiple biometric keys, a memorized password, a voiceprint, plus a physical key/card would be ideal. And of course there's the good old-fashioned trustworthy security guard to make it even harder for the wrong person to get where they shouldn't be (assume you're restricting physical access).

    --
    120 characters for a sig? That's bloody useless.
  8. Re: Our faces and irises are visible. by tomhudson · · Score: 3, Funny

    Our faces and irises are visible and our voices are being recorded.

    http://www.theatlantic.com/doc/200209/mann

    Iris scanner - a million bucks

    Glasses with a picture of someone else's eyeballs - $5.00

    Stickin' it to da man! - priceless.

  9. The Gattaca Solution by Billosaur · · Score: 3, Interesting

    Blood. A mix of your DNA plus biomarkers. Of course if you've seen the movie, perhaps that too can be spoofed.

    In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:The Gattaca Solution by digitaldc · · Score: 2, Funny

      In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.

      Sorry, your identical human clone has already cleared out your bank account and stolen your wife as you read this.
      Better luck next time!

      --
      He who knows best knows how little he knows. - Thomas Jefferson
  10. Three ways to authenticate yourself by inviolet · · Score: 3, Informative
    There are three ways to authenticate yourself:

    • something you are (fingerprints, irises, etc.)
    • something you know (passphrase, mother's maiden name, etc.)
    • something you have (key, RSA token, access card, etc.)

    As many have already pointed out, the best security uses a combination of two of the above. This is so because each one of the above has an inherent weakness.
    --
    FATMOUSE + YOU = FATMOUSE
    1. Re:Three ways to authenticate yourself by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      something you are (fingerprints, irises, etc.)

      All the credible books I've read mention this as a fallacy. Something you are is not a measurable property since it is impossible to make a copy of what a person is, fundamentally. Biometrics are simply something you have that is really hard to change. This is good in that others may have trouble changing theirs to be yours, but bad in that once compromised, you're screwed for life.

      Biometrics are not a good part of a secure authentication solution. They are convenient for very low security operations. The difficulty of changing them makes them useful as an additional authentication mechanism, under proper human supervision (which will probably never happen). In the way they are being applied and are ever likely to be applied, biometrics are a liability and lead to false positives, sloppy authentication, and a false sense of security. Trying to characterize biometrics as a separate category from "something you have" is mostly an attempt to obfuscate what terrible "something you haves" they tend to be and to remove them from the formalized evaluations of "something you have" components. Largely this is because they are whiz-bang and nifty and sales guys can make a fortune selling them.

    2. Re:Three ways to authenticate yourself by inviolet · · Score: 2, Insightful
      I'd comfortably bet that most security professionals have rejected this concept. "Something you are" is really just a slight variation of "something you have" and there isn't anything in particular that makes them any better to make it worth differentiating.


      The distinction is important because "something you are" things cannot be changed, whereas "something you have" is an external object that could be replaced if compromised or lost.

      The distinction is especially important now, as the world is erroneously trying to substitute an 'are' thing (fingerprints) in place of a 'have' thing (RSA token) for the sake of convenience.
      --
      FATMOUSE + YOU = FATMOUSE
  11. File under "Told you so" by Kadin2048 · · Score: 5, Insightful

    Yep ... which is exactly what people who know anything about information security have been saying for a while.

    People think that biometrics is some sort of magic bullet, because for years they've seen retina scans and fingerprint scanners on TV in all sorts of "high security" situations. But in reality, a fingerprint scan is probably not that much better than a good password -- it's certainly better than a shitty password, and in combination with a password it's probably better, but alone it's terrible.

    The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.

    The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  12. The failure of thumb and iris biometrics. by krell · · Score: 2, Funny

    You'll see it, day after day. At Star Labs, everyone with proper clearance peers into the little iris-recognizing window and presses their thumb on the panel. They are then permitted into the building. Sitting on a bench near the entrance you'll find Edward Scissorhands and Scott "Cyclops" Summers, forlornly begging everyone who walks by and enters the building to for once, break security protocol and just let them in!

    --
    Where were you when the voynix came?
  13. Change my passwor... er fingerprints? by fish_in_the_c · · Score: 3, Interesting

    The biggest problem with biometrics is after it is compromised it cannot be changed.

    Sure, you have 10 fingers and 2 eyes, but when it comes to it you will never get ADDED security with a biometric only system.
    Biometric + password + keycard is the securest solution.

    something you are, something you know, something you have

    As the phrase goes in the banking security industry.
    Those have always been the only 3 options for establishing 'trust' with an unknown entity.

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
  14. OK kids... repeat after me... by hagbard5235 · · Score: 3, Insightful

    Identification is not authentication.

    Biometrics are fine identifiers. They are unique and immutable.

    Identification is not authentication. Not even close. Just because someone presents an identifier does not mean they are the authorized thing represented by that identifier. By their very nature, identifiers are promiscuous.

  15. Carjackers have already removed a victim's finger by dpbsmith · · Score: 2, Interesting

    This article says "A March 31, 2005 report in Malaysia's New Straits Times describes how a luxury car owner, Mr. Kumaran, was attacked by a gang of car thieves. His ordeal was apparently made worse because his S-Class Mercedes Benz was equipped with a biometric lock that prevented the car from being started without authentication by his finger or thumb print. At first the thieves had Mr. Kumaran start the car using his fingerprint. Then they took him, along with the car, to a chop-shop where they had hoped that the security system could be bypassed. When they decided that they couldn't override the security and that the fingerprint was required, they took Mr. Kumaran's left fingertip and dropped him off along the roadside where he was eventually able to find medical help."

    I guess I'd prefer to have the bad guys use a reasonable facsimile of my finger, retina, etc. than to have them use the real thing.

  16. Earliest reference to biometric spoofing? by Rob+the+Bold · · Score: 2, Interesting
    The earliest reference to biometric spoofing that I'm aware of was the book: "The Red Thumb Mark" by Austin R. Freeman. It was published in the early 20th century. The detective (Dr. Thorndyke) suspected that a bloody thumbprint left in a burgled safe was actually a plant to "finger" an innocent man. The mystery wasn't so much the identity of the crook -- which you guess correctly in the first few chapters -- but the means of making the spoof and the method of proving his crime.

    The first edition I've seen is dated 1928, but I think it was initially published nearer to 1900. The idea has been around for a while.

    --
    I am not a crackpot.
  17. Re:The perfect crime by lordsid · · Score: 4, Insightful

    The perfect crime is not a crime that is "solved" with someone else blamed. It's a crime that no one ever realizes was committed.

    --
    IMAGE VERIFICATION IS EVIL!
  18. Biometric spoofing will have a long history by stormy_petral · · Score: 2, Funny

    Data will use biometric spoofing to take over the Enterprise in 2367: http://en.wikipedia.org/wiki/Brothers_(TNG_episode) So, this problem is apparently here to stay.

  19. Re:Spoofing biometrics? by milamber3 · · Score: 2, Informative

    I'm not sure if your comment was meant to be serious. If it was then you must not be someone who works with EEG recordings.

    Take it from me, I record a lot of EEG, they are not easy to record or work with. The artifact that you get from even an eye blink is enough to skew the data. Let alone someone moving other parts of the body. Granted, I don't work on using EEG as a method of identifying individuals but I have my doubts that you could get a unique signature from every individual or ask people to hold still long enough when they need to be "verified". No matter what kind of method you are using, I imagine something like a fast Fourier transform, a change in someone's state of mind will inevitably change the pattern of power frequency and possibly deny them access to their computer/work/whatever.

    Last but not least the conductive gel that is generally used for the scalp electrodes should be a concern, no one wants to have that on their head all the time.