Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos
An anonymous reader writes: Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen. Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public."
Even better than gummi bears.
It's trivial to get fingerprints of a politician. If, say, China doesn't lift the fingerprints off of every presidential candidate's glass at a fundraiser I'll eat my shoe. This really is nothing special.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
If their fingerprints are found at a crime scene, everybody assumes something fishy is going on. If someone accesses their accounts, they can expect to be indemnified without even having to raise a complaint. It's the nobodies who need to worry about biometrics. Your fingerprint opened the door to your employer's warehouse before it was cleared out? Good luck explaining that away. Your identity was stolen and your accounts are empty? Good luck getting any of it back.
Despite some of the biggest names in security lauding the advantages of biometric authentication, it's pretty flawed by design. If your fingerprints, facial structure, etc. are ever compromised, they become useless. Unlike a password or a cert, you cannot simply revoke who you are. So once the cat is out of the bag, you simply cannot use it again. Not to mention the fact that it could be fairly trivial to obtain fingerprints or other biometric data of a target.
Gummi bears are a medium to reproduce fingerprints (and a delicious snack). This is a method to capture fingerprint images. Two completely different things.
Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
TFA has no details, so there is no way to evaluate the credibility of the claim.
If you're running a security system that only uses fingerprints you are a fool.
In a security area it should also at least be protected by a code/pattern + prints + tag/card/key, where each piece is scanned/entered and an image/photo of the person wanting access is displayed to your security personnel, who can then either approve/deny access.
Biometrics alone are insufficient, as it is very easy to pick up prints; even retinal scanners can be fooled with enough tech. A 4-way security system is better but not foolproof; there is no such thing as 100% secure, but you can make it so difficult as to deter most people.
And if you're protecting your tablet/laptop with only a fingerprint you need to change immediately; a pattern/code/PIN is far more secure. Fingerprints have been dupable for years with little/no skill/tech; in fact it's been shown that you can pull a print off a laptop/tablet keyboard/touchscreen to use to break into the device.
Well, actually they can change.... I'm pretty sure my right retina is considerably different today than it was before 2010, when I had radiation and laser treatment for a tumor. Likewise, people can burn their fingers, altering the fingerprints with scar tissue.
Certs are certainly the way to go. What is needed is a way to be able to carry them on you at all times (implant perhaps?), while being able to update it and offer up public information on demand. The downside of this is a loss of anonymity. We already have paranoid people who rant about RFID tracking using our money.
Not useless, just not sufficient.
Your house key will work in hundreds of locks, but it's easier to pick the lock than track down exactly which house key might work on the house you want to break into. The reason that biometrics are useful is that they provide a second condition that has to be met for authentication, not because they provide the only one. If you give employees RFID cards and pair it with iris scanning, you're going to have moderately secure door security. It can get a lot better by adding other controls, for example introducing human checks into the system or an employee PIN.
Most businesses don't even have a second check for door security. I wish people would quit confusing a method of authentication with the idea that any single method is sufficient.
B) Eliminate all the stupid users. This is frowned upon by society.
The problem isn't how to identify people. The problem is that we think that we need to identify people all the time. Tracking and identification is an obsession that's obviously rooted in paranoia. When was the last time you actually needed to prove to a stranger who you are and it wasn't just to satisfy an arbitrary requirement? When did you last perform full identification when a proof of ownership or proof of age had sufficed? Posting as AC because that's what I do, but also to make a point.
... authentication is that even if all of the security measures associated with storing and authenticating your fingerprint were utterly unbreachable, your fingerprints can still be taken without your consent, while if you do not want someone accessing data that is guarded by a secure password, however, then barring vulnerabilities in the security facilities associated with it (which would apply equally to fingerprint security as well anyways), that information can only be obtained by you voluntarily surrendering it.
File under 'M' for 'Manic ranting'
of chopping their fingers off. Better sell my shares in cigar cutter manufacturers!
I got to the chocolate box before you, that's why the hard ones have teeth marks.
Let's see: you have the "service tech" that comes in for X (GHod knows what all he might have in his tool box). You have the High Dollar Client that comes with his 6 year old daughter (who has Kali Nethunter installed on that sparkly purple phone of hers). Any time you have a NOT ONE OF US in your site (down to somebody that works for your company but at a smaller/remote office) you need to be careful. And then you have the Victoria Secret exploit that can be used on most adult males. It's almost like some sites need to have Security/Secure IT LIVING ON SITE (think Monastery).
Didn't they already do this on CSI?
It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.
All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.
You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I always think of security like the Miller-Rabin test for primality (which is really a test for a number being composite): it does not give an absolute assurance, but each time you test a given candidate again with a new challenge, you reduce the probability that the candidate is composite, and each test is orthogonal to the previous ones. You, the designer of the system requiring confidence that a big number is prime, get to select your confidence level by adjusting the number of tests applied.
So too, then, you, the designer of a security system requiring confidence that a given person is who they claim to be, get to select your confidence level by adjusting the number of factors required. A brass key gives a certain level of confidence. An iris/thumbprint/palmprint/voiceprint scan another. An RFID card another. A PIN/password another. Being recognized by a guard another. Each is orthogonal to the rest.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
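The Miller-Rabin analogy above, as an added example that is not code from the poster: each round is an independent challenge with a freshly chosen random base; one failing witness settles the question for certain, while k passes leave a residual error of at most 4^-k, so the designer picks the confidence by picking the number of rounds. The function and variable names are my own.

```python
import random


def decompose(n):
    """Write n - 1 as 2**s * d with d odd; returns (s, d)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d


def witness_says_composite(n, a, s, d):
    """One Miller-Rabin challenge with base a.

    True  -> a is a witness: n is proven composite (no doubt at all).
    False -> n passed this challenge; it may still be composite.
    """
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True


def probable_prime(n, rounds=20, rng=random):
    """Run `rounds` independent challenges against n.

    Returns (verdict, max_error):
      (False, 0.0)          a witness proved n composite; certainty.
      (True, 4.0**-rounds)  n survived every challenge; a composite slips
                            through all of them with probability <= 4**-rounds,
                            because each round uses an independent random base.
    """
    if n < 2:
        return (False, 0.0)
    if n in (2, 3):
        return (True, 0.0)
    if n % 2 == 0:
        return (False, 0.0)
    s, d = decompose(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)  # fresh challenge each round
        if witness_says_composite(n, a, s, d):
            return (False, 0.0)
    return (True, 4.0 ** -rounds)


if __name__ == "__main__":
    # 561 is a Carmichael number: it fools the plain Fermat test for every
    # coprime base, but Miller-Rabin still catches it (base 2 is a witness).
    print(probable_prime(561))
    for k in (1, 5, 20):
        print(k, probable_prime(2 ** 61 - 1, rounds=k))
```

Raising `rounds` shrinks the residual error bound geometrically; that is the "more factors, more confidence" point of the analogy, with the difference that here the rounds really are independent.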
It should actually be a quartet of security: something you know, something you have, who you are & where you are.
Where you are is interesting for banks for example, they know that it is not possible to have two ATM transactions in the same hour on the other side of the world.
"Something you are" is not easy to establish by machines.
Any biometric system needs a guard to check that you are not trying to fake it. For example, with a fingerprint scanner the guard should:
- Clean the scanner, so the latent fingerprint left on the device won't confuse it.
- Check the person's fingers for fake prints and medical scars.
- Physically take the person's finger and put it on the scanner (to make sure the person has no possibility to add the fake print to the finger between the check and the scan).
- Clean the scanner, to make sure the latent fingerprint will not be lifted from the scanner's smooth surface when the guard is looking away.
The person with the finger should wear gloves everywhere, except when using the scanner.
Soon we will be wearing burkas, sunglasses and gloves to make sure our identities will not be lifted.
Actually no, this is why biometric authentication is still a huge success. It doesn't matter if it's possible to make a targeted attack against an individual, you could do that with a key too - get a nice high res photo of their house key, and you can get into their house.
The thing that matters is that by taking something like a phone, and giving it a fingerprint scanner, you move the number of people who "lock" their phone from 10% to 90%. No one ever sets a pass code, giving them a trivially easy way to lock their device with their finger changes that.
Basically, biometric authentication is only useless if your house key is useless too - which it clearly isn't. It's not perfect, but it's also not useless.
The where clause in your example does not work out as a valid authentication feature. It can be used as a flag to show that "there's something not right here", but it cannot answer one important question: Which transaction was genuine, the one in Paris or the one in Melbourne?
You can use various plausibility checks on top of it, depending on the actual application (e.g. in banking you can draw from the transaction patterns so far and flag suspicious transactions that differ greatly in target or amount) and these things are actually being done, but they have nothing to do with the basic authentication process.
TFA says fingerprint authentication is still better than a PIN. I disagree: the fundamental problem with biometric authentication is that authentication credentials cannot be revoked once they are leaked.
It is of course best to use factors from different groups. Your theory takes a much stronger stance than that. I'm not sure your theory is correct.
I would say that a six-digit PIN is slightly more secure than a three-digit pin. Not twice as secure, but somewhat better. Agreed?
Two pins of three digits each is the same as a six-digit pin. Agreed?
Therefore, two three-digit pins is somewhat better than one three-digit pin.
Two from the same group are therefore somewhat better than just one, but not as good as two from different groups.
Minor quibble: using two of one group is not useless either, it is only less useful.
That's interesting. I also had radiation and laser treatment in 2010 for a choroidal melanoma in my left eye. We are a pretty rare breed. Bigtroubleinlittleeyeball.blogspot.com
No. Biometric authentication won't replace all other methods of security anytime in the foreseeable future, nothing that requires serious security will rely on them alone. I have a hard time believing they ever could. If any serious company tries anytime in the next twenty years, you have my advice to place bets that it will be compromised in short order.
I keep seeing this idea that biometrics are flawed because you can't change them if someone's information is compromised, but that idea ignores the reality that biometrics are not and will likely never be used alone as significant security.
Shame I'm out of mod points.
Fact is, even the government hasn't got a clue who you are, other than the fact that you've got a card from them with a photo and a name printed on it. You probably got that card by showing them some other card with a photo and a name printed on it. That card, you probably got because you convinced your electric company and the library that your name really WAS Bobba Fett. They probably didn't care too much as long as they got paid and the books came back.
If I have been able to see further than others, it is because I bought a pair of binoculars.
There are Dutch ATMs that solely authenticate on fingerprints.
The problem with "security questions" is that most people will answer them with the truth, meaning it is "something everyone knows about you".
At best a security question could be treated as a random password.
The biggest problem is all the companies that treat "security questions" as secure and use them as the only way of authenticating a person on the phone line to reset his password and security token.
When I read the subject, I thought they could reproduce fingerprints based on people's photos instead of the photos of hands as mentioned later :P
> That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you.
This seems strange to me. Why is the use of 2 categories an improvement, but 2 from one category is not? It seems to me that the attacker who would coerce you to give up 2 "somethings you know" would just as easily force you to give up a "something you know" and a "something you have". But you're differentiating as if a mugger could only demand one type of thing.
Security is layered. Having multiple forms of "something you know" could be useful, just as having multiple "something you haves" could-- and in fact that's not unusual. Many people with smart cards are also going to have hardware tokens; they accomplish different things, and are useful in mitigating different threats.
> It doesn't matter if it's possible to make a targeted attack against an individual, you could do that with a key too
If the shape of every key you had was publicly visible every time you went outside and in every photo you were in, they would probably be a lot less useful as well.
Attention whores and con artists claim things all the time.
It's actual news when they actually can (independently) prove that they have any such ability.
Anyone want to invest in my BridgeCoins, they ARE THE COMING THING -- guaranteed 500% profits !!!!!
In the past month or so I've been taking a large number of closeup pictures for my employer's website, many of them featuring a hand holding something.
It's generally easier for me to use my own hands, but- call me paranoid- I noted that large parts of fingerprint were visible, and intentionally messed them about using the Photoshop clone tool et al for reasons of my own privacy.
Paranoia justified, apparently...
Security questions as typically implemented and used in practice are actually worse, since generally the answers to those questions are even weaker than typical passwords.
Mother's maiden name, pet's name, etc.
Of course someone could say their mother's maiden name was "zx81 Tamoxifen lion soap" but how many would give answers that aren't actually their mother's maiden name? And some places/services don't even allow such answers.
Two three-digit pins are not more secure than one six digit pin. Essentially, they ARE one six digit pin. If I can force you to hand over one pin, I can force you to hand over two, three or any number that you might have. If you write down one pin, you'll just as well write down two. Anything that compromises the first pin will nearly certainly compromise the other one.
No, sorry. Usernames are not one of the authentication factors. They play a key role in authorization, and it's very common to get the whole spiel conflated, but there is a very important distinction: Usernames are probably something you know, but also something everyone else can know. They are not a secret. Authentication factors are distinguished by the fact that only the "right" person has them. Something you know is something YOU know (and nobody else). Something you have is something YOU have (and nobody else). And ... you get the idea.
Actually, adding a (publicly know-able) username to the fold does not add security. You have to see it from the attacker's point of view. When I can force you to hand over one thing you know, I can force you to hand over two things you know. If I add a token, it's not a given that you have to have that token with you all the time and hence if I grab you in the park during your time off I can maybe wrest your PIN from you but if you don't have your access card with you (being your time off, there's no need to do so), that second factor would keep me out.
Also the other examples you provide can be reduced to the triad:
> Requiring answers to security questions, yet another thing you know, is often considered better still.
Same problem: If I can force you to answer correctly once, I can force you to answer correctly twice.
> Iris scans can be faked as can fingerprints, but both together is harder to fake than either alone.
If I have access to you, I can force you to provide any part of your body the device requires.
> Bribing one guard is easier than bribing two.
Granted, but the guard was just an example for better biometry than automated tools. Essentially the problem is still "something you are".
> Checking that a browser supplies a cookie is a good thing, but checking that the IP and the cookie are paired correctly is better.
That has by itself little to do with the authentication process itself.
What place doesn't allow such an answer and why is their CISO still in one piece?
Of course, as soon as you add brutal force to the attack spectrum, things get a bit harder to defend against. But still two of different categories will provide better (I don't say perfect, just better) protection against attacks in general. There are of course certain attacks you will not defend against.
Most of all, using two distinct authentication factors (of different groups) makes it much harder to swipe them unnoticed, or at least not noticed until too late. If I can slip a trojan into your computer, anything from the "something you know" group goes out the window. Whether you have to enter one, two or ten passwords to access a resource doesn't matter. You will not notice it before it is too late. Likewise, if you're on vacation and I break into your home, whether you store one, two or ten different tokens there does not matter, provided I can find them all. Let's assume you don't play easter egg hunt with your tokens and, like most people, store your work related stuff in one place. And it's way too late to react when you return from your vacation 2 weeks later.
But in either scenario an authentication factor from the respective OTHER group would have protected the security.
Of course, if I nab you when you return from the office, put a knife to your throat and make you hand over your token along with your PIN, there is not really much that either provided. Well, except for the canard... unless I am unscrupulous enough to simply kill you just to buy some time.
But if THAT is justified by whatever is protected with the system, I hope that more than this is in place!
> Two three-digit pins are not more secure than one six digit pin.
> Essentially, they ARE one six digit pin.
That was #2 of my three statements. You seem to have missed the other two.
a) Two three-digit PINS are the same as one six digit PIN.
b) One six-digit PIN is better than one 3-digit PIN.
c) Therefore, two 3-digit PINs is better than one 3-digit PIN.
If you have any confusion or disagreement let me know whether it's with a, b, or c.
Your constraint that security breaches can occur only by the principal being kidnapped and forced under torture to give up their password is also quite mistaken. That's what happens in movies. In real life, the attacker guesses the password. It's easier to guess ONE 8-character password than to guess TWO 8-character passwords. It's easier to fake out a fingerprint scanner than it is to fake out a fingerprint scanner AND a retina scan.
Note also that IF you are kidnapped by people willing to torture you, you can be forced to give up your password, your smart card, and your thumb.
> Where you are is interesting for banks for example, they know that it is not possible to have two ATM transactions in the same hour on the other side of the world.
So AMEX blocked my card because they found it suspicious that I tried to buy a train ticket at Tokyo Narita Airport, 13 hours after having bought something at London Heathrow Airport...
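The location check argued over above (two ATM transactions an hour apart on opposite sides of the world, versus a London purchase followed by a Tokyo one 13 hours later), as an added example that is not code from any of the posters: it flags a pair of events on one account when being present at both would require exceeding a plausible travel speed. The airport coordinates, the events and the 1000 km/h threshold are constructed assumptions; and, as the reply above notes, a flag says only that the pair is suspicious, not which event is genuine.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    event_id: str
    account: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(earlier, later):
    """Speed needed to be at both events; inf if they are simultaneous but apart."""
    dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    if hours <= 0:
        return 0.0 if dist == 0 else math.inf
    return dist / hours


def impossible_travel(events, max_speed_kmh=1000.0):
    """Return (earlier_id, later_id, speed_kmh) for each consecutive pair of
    events on the same account whose implied speed exceeds max_speed_kmh.
    Events may arrive out of order; they are sorted per account first.
    The threshold is an assumed value a little above airliner cruise speed."""
    flagged = []
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)
    for evs in by_account.values():
        evs.sort(key=lambda e: e.when)
        for earlier, later in zip(evs, evs[1:]):
            speed = required_speed_kmh(earlier, later)
            if speed > max_speed_kmh:
                flagged.append((earlier.event_id, later.event_id, speed))
    return flagged


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample events (coordinates are the airports named in the thread).
SAMPLE_EVENTS = [
    AuthEvent("a1", "acct-A", _utc(2014, 12, 28, 8, 0), 51.4700, -0.4543),   # Heathrow
    AuthEvent("a2", "acct-A", _utc(2014, 12, 28, 21, 0), 35.7720, 140.3929),  # Narita, 13 h later
    AuthEvent("b1", "acct-B", _utc(2014, 12, 28, 10, 0), 48.8566, 2.3522),    # Paris
    AuthEvent("b2", "acct-B", _utc(2014, 12, 28, 11, 0), -37.8136, 144.9631), # Melbourne, 1 h later
]

if __name__ == "__main__":
    for earlier_id, later_id, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"flag {earlier_id} -> {later_id}: would need {speed:,.0f} km/h")
```

Run as-is it flags only acct-B; the London-to-Tokyo pair implies roughly 740 km/h, which is an ordinary flight, so a speed-based rule would not have produced the block described above.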
If we're talking about protecting against unauthorized access in the real world, we do want a username and password combination because that's harder to guess than just a password. If I am running a website where I'm using a cookie as part of the authentication process, then yes, it is best to keep a database where I tie the cookie to an IP address because that makes it harder to hijack a session.
Over and over you are stuck on this idea that you're defending against a physical attack, which is quite nearly pointless. The attacker who takes family members hostage will bypass pretty much any security you can put in place.
If you're really wanting to discuss security against physical force, then you're not thinking big enough, why not discuss defending against the attacker with a gun pointed at your family member or a bomb in a school? Why not discuss defending against the attacking country with ICBM with nuclear warheads? Pick your action movie plot of choice, I'm willing to go down Diehard lane with you. I just need to make sure we're talking about the same thing.
Interesting comment, can you point to any articles on the topic?
It's the same deal with a nonphysical attack. How is 8 letters username + 8 letters password harder or easier to crack than a 16 letters password? Even provided that both username and password WERE secret, which they usually are not, you don't gain security by splitting up a X-bit key into two keys Y and Z that have together a length of len(X). It is the same attack complexity. How are the two tokens "username" and "password" harder or easier to brute force than the one token "usernamepassword"?
The point is that the user name, the part that makes up the identity of the authorization process, is NOT part of the authentication. Your username identifies you. It does nothing else. It's not even secret, mostly because it CANNOT be under nearly all circumstances. As soon as other users have to interact with you in some way, they need some token to address you by. And while it is possible to come up with elaborate schemes how to keep that username secret, they all have some flaw at some point.
The username is also not something the server can use to verify anything because it is your claim, your proposition, rather than something it can verify. You claim that you are user abcd. That's basically what you say when you log in. You make a claim. That by itself does not add anything to security. It is just something you claim to be. You might have noticed that when you log in, your username is also not hidden in the input mask, unlike your password. Because it simply is not a security secret. It is just a claim. You claim to be that user.
To verify that this claim is genuine the server will want something from you that allows him to authenticate this claim. Your password. If you want to make that password longer, go ahead. Yes, that would actually increase security against brute force attacks (not against keylogging, but against brute force attempts). But adding further passwords does not add any security. Either I can brute force them all, in which case there is no gain from having more instead of longer passwords, or I can keylog them all, in which case it matters little whether I have to record one or seven passwords.
It isn't easier to crack, but people remember usernames easier, so you get people who will enter 16 characters instead of eight. The validating server can treat them as separate lookups or not without impacting the efficiency of brute force attacks. The advantage of using multiple entries is that you end up getting more characters that have to be guessed correctly, which is a compound effect, so adding a PIN or multiple choice question compounds it further and isn't pointless at all.
Say you are trying to brute force my slashdot password and it's eight characters. That's 7213895789838336* possible combinations you have to work through to target one user, but I'm user 166417, which means you'd be 166417 times more likely (at least) to get illicit access if I weren't using a separate username.
Now, if my username were hidden and combined with the password entry and had to be eight characters, you'd have 52040292466647269602037015248896 potential combinations, which is obviously harder to crack, but you'd sacrifice functionality for that trade off and 7213895789838336 is a reasonable number of permutations for the level of security required. In reality, I'm not limited to eight characters so the real number is even higher.
Now, you have a valid point if you say that 16 characters would be a better length for passwords, but if you required that, there would be far fewer people who would sign in and make comments which would degrade the value of the whole system.
* - I know there is additional math that can be done here, not limited to but certainly including the tendency of people to use words and pseudo words in their passwords. I've read the manuals and brute force cracking articles too but I'm not getting paid to figure it out so my motivation to get a more accurate number is low.
Still, for an attacker adding a second "what you know" part doesn't change the game. Look at it from an attacker's point of view. When he can browbeat you into handing over your credentials, it matters not whether he has to listen to one word or two. When he can trick you into handing them over (e.g. via keylogger), it matters not whether it's one word or two.
And even if he has to employ brute force it matters little, for however complicated it may be to brute force two words m and n letters long, it is just as easy or hard to brute force a word m+n letters long.
As for remembering, is it harder to remember "username" and "password" or "usernamepassword"? It's the same. You just don't press return in between them.
For all practical reasons the amount of "passwords" you have does not matter. Their total length does, at least when it comes to a brute force attack, but whether you split that length up in 1, 2 or n-1 "passwords" matters not.
Logically? No. But in practice, I support both approaches and yes, for no obvious logical reason, it makes a huge difference.
> Of course someone could say their mother's maiden name was "zx81 Tamoxifen lion soap" but how many would give answers that aren't actually their mother's maiden name? And some places/services don't even allow such answers.
Of course, giving obscure answers can be problematic as well. Do you need to change security settings? Forgot your obscure answer? Didn't store it as securely as the password cause you didn't think you'd need it? Congratulations, you're locked out of changing your settings.
For a real world example, adding 2-way authentication to EA's Origin accounts requires answering the security question. Can't remember it? You can't add additional security to your account. There are complaints on their forums about this. The only way to reset the security question is through customer service, which is apparently difficult to reach.
My sig will be released in 2015 third quarter. Rating pending.