Slashdot Mirror


Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos

An anonymous reader writes Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen. Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public." Even better than gummi bears.

19 of 80 comments

  1. Fingerprints are everywhere. by Iamthecheese · · Score: 3, Insightful

    It's trivial to get fingerprints of a politician. If, say, China doesn't lift the fingerprints off of every presidential candidate's glass at a fundraiser I'll eat my shoe. This really is nothing special.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:Fingerprints are everywhere. by fustakrakich · · Score: 3, Funny

      This really is nothing special.

      Depends on what the shoe is made of...

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Fingerprints are everywhere. by Bite+The+Pillow · · Score: 2

      If you are not China, and do not control the glass? Is it special then? If you are not even suspected of controlling the glass?

  2. This is why "biometric" authentication is useless by Anonymous Coward · · Score: 4, Insightful

    Despite some of the biggest names in security lauding the advantages of biometric authentication, it's pretty flawed by design. If your fingerprints, facial structure, etc. are ever compromised, they become useless. Unlike a password or a cert, you cannot simply revoke who you are. So once the cat is out of the bag, you simply cannot use it again. Not to mention the fact that it could be fairly trivial to obtain fingerprints or other biometric data of a target.

  3. No details by Anonymous Coward · · Score: 4, Insightful

    TFA has no details, so there is no way to evaluate the credibility of the claim.

    1. Re:No details by Solandri · · Score: 2

      Why do you need to evaluate the credibility of something that's obvious? A similar technique was already used to confirm the identity of the woman in the famous National Geographic photo of the Afghan Girl. The photo was taken before iris scanning was practical as biometric security. But the photo contained enough detail (on 35mm Kodachrome slide) that in 2002 they used her iris pattern in the photo to verify that they had found the correct woman.

      Any photograph with sufficient resolution and contrast to show fingerprints will work. The point being that although the prints may not show up to the eye in the photo, processing it to enhance the size and contrast may make the prints stand out. I myself have taken a photo of a lecturer using a telephoto, and noticed in post-processing that the photo had sufficient resolution that I could barely discern fingerprint ridges he'd left on the cup he'd been drinking from.

      Biometric security based on something you're leaving copies of everywhere is a pretty stupid idea. It just hasn't been exploited enough for the general public to realize that it's stupid.

    2. Re:No details by rubycodez · · Score: 2

      Deckard: Enhance 224 to 176.

      [a man's arm becomes visible]

      Deckard: Enhance. Stop.

      [the man's shoulder and wrist are visible]

      Deckard: Move in. Stop.

      [close-up of man's wrist]

      Deckard: Pull out, track right. Stop.

      [writing is visible]

      Deckard: Center and pull back. Stop.

      [arm and door are visible]

      Deckard: Track 45 right. Stop. Center and stop.

      [doorway and mirror are visible]

      Deckard: Enhance 34 to 36.

      [dresser top is visible]

      Deckard: Pan right or-and pull back. Stop.

      [mirror is visible]

      Deckard: Enhance 34 to 46.

      [blurred white object in mirror becomes visible]

      Deckard: Pull back. Wait a minute. Go right. Stop.

      [Zhora's arm becomes visible]

      Deckard: Enhance 57 to 19. Track 45 left. Stop.

      [Zhora is visible]

      Deckard: Enhance 15 to 23.

      [marks on Zhora's face become visible]

      Deckard: Gimme a hard copy right there.

  4. Biometrics by Anonymous Coward · · Score: 2, Informative

    If you are running a security system that only uses fingerprints you are a fool.

    In a security area it should also at least be protected by a code/pattern + prints + tag/card/key; when each piece is scanned/entered, an image/photo of the person wanting access is displayed to your security personnel, who can then either approve/deny access.

    Biometrics alone is insufficient as it is very easy to pick up prints; even retinal scanners can be fooled with enough tech. A 4 way security system is better but not foolproof; there is no such thing as 100% secure, but you can make it so difficult as to deter most people.

    And if you're protecting your tablet/laptop with only a fingerprint you need to change immediately; a pattern/code/PIN is far more secure. Fingerprints have been dupable for years with little/no skill/tech; in fact it's been shown that you can pull a print off a laptop/tablet keyboard/touchscreen to use to break into the device.

    1. Re:Biometrics by Opportunist · · Score: 2

      100% security is actually possible. It is just very, very expensive. And as soon as the security expense outmatches what you try to secure with it, it stops fulfilling its purpose because it becomes actually cheaper to have your security broken.

      I remember back when I was still programming people used to say "90% of the work takes 10% of the expenses, it's the other 10% that costs 90% of time and money". In security the rate is close to 98:2. You can get your system very secure at very little expense. Getting it absolutely secure costs a fortune.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:This is why "biometric" authentication is usele by ancientt · · Score: 5, Interesting

    Not useless, just not sufficient.

    Your house key will work in hundreds of locks, but it's easier to pick the lock than track down exactly which house key might work on the house you want to break into. The reason that biometrics are useful is that they provide a second condition that has to be met for authentication, not because they provide the only one. If you give employees RFID cards and pair it with iris scanning, you're going to have moderately secure door security. It can get a lot better by adding other controls, for example introducing human checks into the system or an employee PIN.

    Most businesses don't even have a second check for door security. I wish people would quit confusing a method of authentication with the idea that any single method is sufficient.

    --
    B) Eliminate all the stupid users. This is frowned upon by society.
  6. Re:This is why "biometric" authentication is usele by Anonymous Coward · · Score: 2, Insightful

    The problem isn't how to identify people. The problem is that we think that we need to identify people all the time. Tracking and identification is an obsession that's obviously rooted in paranoia. When was the last time you actually needed to prove to a stranger who you are and it wasn't just to satisfy an arbitrary requirement? When did you last perform full identification when a proof of ownership or proof of age had sufficed? Posting as AC because that's what I do, but also to make a point.

  7. IMO, The biggest problem with fingerprint.... by mark-t · · Score: 2

    ... authentication is that even if all of the security measures associated with storing and authenticating your fingerprint were utterly unbreachable, your fingerprints can still be taken without your consent, while if you do not want someone accessing data that is guarded by a secure password, however, then barring vulnerabilities in the security facilities associated with it (which would apply equally to fingerprint security as well anyways), then that information can only be obtained by you voluntarily surrendering it.

    1. Re:IMO, The biggest problem with fingerprint.... by markdavis · · Score: 4, Insightful

      Fingerprints aren't even good for ID. They shouldn't be used at all.

      Biometrics should be limited to deep vein scans which are fast, accurate, very hard to "steal", very difficult to obtain without the user's consent, and aren't being left all over the place all the time.

    2. Re:IMO, The biggest problem with fingerprint.... by Opportunist · · Score: 3, Insightful

      The biggest problem with fingerprints is very simply that, if compromised, it's damn hard to change them, unlike passwords.

      Second problem, unlike your password, you can't really help but compromise them. You leave them littered about everywhere. Every waiter can have your prints if he so chooses.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:This is why "biometric" authentication is usele by Opportunist · · Score: 5, Insightful

    It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.

    All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.

    You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:This is why "biometric" authentication is usele by pz · · Score: 3, Insightful

    I always think of security like the Miller-Rabin test for primality (which is really a test for a number being composite): it does not give an absolute assurance, but each time you test a given candidate again with a new challenge, you reduce the probability that the candidate is composite, and each test is orthogonal to the previous ones. You, the designer of the system requiring confidence that a big number is prime, get to select your confidence level by adjusting the number of tests applied.

    So too, then, you, the designer of a security system requiring confidence that a given person is who they claim to be, get to select your confidence level by adjusting the number of factors required. A brass key gives a certain level of confidence. An iris/thumbprint/palmprint/voiceprint scan another. An RFID card another. A PIN/password another. Being recognized by a guard another. Each is orthogonal to the rest.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  10. Re:This is why "biometric" authentication is usele by Anonymous Coward · · Score: 5, Interesting

    It should actually be a quartet of security: something you know, something you have, who you are & where you are.
    Where you are is interesting for banks, for example: they know that it is not possible to have two ATM transactions in the same hour on the other side of the world.

    "Something you are" is not easy to establish by machines.
    Any biometric system needs a guard to check that you are not trying to fake it. For example, a fingerprint scanner's guard should:
    - Clean the scanner, so the latent fingerprint left on the device won't confuse it.
    - Check the person's fingers for fake prints and medical scars.
    - Physically take the person's finger and put it on the scanner (to make sure the person has no possibility to add the fake print to the finger between the check and the scan).
    - Clean the scanner, to make sure the latent fingerprint will not be lifted from the scanner's smooth surface when the guard is looking away.

    The person with the finger should wear gloves everywhere, except when using the scanner.

    Soon we will be wearing burkas, sunglasses and gloves to make sure our identities will not be lifted.
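
The "where you are" check from the comment above, as an added example that is not part of the original thread and not any bank's actual logic: it flags two uses of the same card whose implied travel speed is physically implausible. The thresholds, card ids, timestamps and coordinates are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0     # assumed floor: ignore hops between nearby ATMs

# Constructed sample data: (card id, ISO timestamp, latitude, longitude).
SAMPLE_EVENTS = [
    ("card-A", "2014-12-28T10:00:00", 53.55, 9.99),     # Hamburg
    ("card-A", "2014-12-28T10:40:00", -33.87, 151.21),  # Sydney, 40 min later
    ("card-B", "2014-12-28T09:00:00", 53.55, 9.99),     # Hamburg
    ("card-B", "2014-12-28T09:01:00", 53.56, 10.00),    # ATM around the corner
    ("card-B", "2014-12-28T12:00:00", 52.52, 13.40),    # Berlin, 3 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Return (card, km, km/h) for consecutive uses of a card that are too far apart in too little time."""
    alerts, last_seen = [], {}
    parsed = sorted((datetime.fromisoformat(ts), card, lat, lon)
                    for card, ts, lat, lon in events)
    for ts, card, lat, lon in parsed:
        prev = last_seen.get(card)
        last_seen[card] = (ts, lat, lon)
        if prev is None:
            continue  # first sighting of this card: nothing to compare
        km = haversine_km(prev[1], prev[2], lat, lon)
        if km < MIN_DISTANCE_KM:
            continue  # same neighbourhood: speed estimate is meaningless
        hours = (ts - prev[0]).total_seconds() / 3600
        # Identical timestamps at distant locations imply infinite speed.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > MAX_PLAUSIBLE_KMH:
            alerts.append((card, km, kmh))
    return alerts

if __name__ == "__main__":
    for card, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{card}: {km:.0f} km at an implied {kmh:.0f} km/h")
```

A hit here is a signal to step up authentication rather than proof of fraud, since location data derived from terminals or IP addresses can itself be wrong.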

  11. almost. 6 digit PIN better than 3 digit. by raymorris · · Score: 2

    It is of course best to use factors from different groups. Your theory takes a much stronger stance than that. I'm not sure your theory is correct.

    I would say that a six-digit PIN is slightly more secure than a three-digit pin. Not twice as secure, but somewhat better. Agreed?

    Two pins of three digits each is the same as a six-digit pin. Agreed?

    Therefore, two three-digit pins is somewhat better than one three-digit pin.

    Two from the same group are therefore somewhat better than just one, but not as good as two from different groups.

  12. Re:This is why "biometric" authentication is usele by ancientt · · Score: 3, Insightful

    Minor quibble: using two of one group is not useless either, it is only less useful.

    • Most login prompts require a username and a password, which are both things you know, but that combination is better than requiring only one thing you know.
    • Requiring answers to security questions, yet another thing you know, is often considered better still.
    • Iris scans can be faked as can fingerprints, but both together are harder to fake than either alone.
    • Bribing one guard is easier than bribing two.
    • Checking that a browser supplies a cookie is a good thing, but checking that the IP and the cookie are paired correctly is better.
    --
    B) Eliminate all the stupid users. This is frowned upon by society.