Slashdot Mirror
Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos
An anonymous reader writes Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen. Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public."
Even better than gummi bears.
Not useless, just not sufficient.
Your house key will work in hundreds of locks, but it's easier to pick the lock than track down exactly which house key might work on the house you want to break into. The reason that biometrics are useful is that they provide a second condition that has to be met for authentication, not because they provide the only one. If you give employees RFID cards and pair it with iris scanning, you're going to have moderately secure door security. It can get a lot better by adding other controls, for example introducing human checks into the system or an employee PIN.
Most businesses don't even have a second check for door security. I wish people would quit confusing a method of authentication with the idea that any single method is sufficient.
B) Eliminate all the stupid users. This is frowned upon by society.
It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.
All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.
You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It should actually be a quartet of security: something you know, something you have, who you are & where you are.
Where you are is interesting for banks for example, they know that it is not possible to have two ATM transactions in the same hour on the other side of the world.
"Something you are" is not easy to establish by machines.
Any biometric system needs a guard to check if you are not trying to fake it. For example with a finger print scanner's guard should:
- Clean the scanner. In case the latent finger print left on the device won't confuse it.
- Check the person fingers for fake prints, and medical scars.
- Physically take the person's finger and put it on the scanner (to make sure the person has no possibility to add the fake print to the finger between the check and the scan)
- Clean the scanner. To make sure the latent finger print will not be lifted from the scanner's smooth surface, when the guard is looking away.
The person with the finger, should wear gloves everywhere, except when using the scanner.
Soon we will be wearing, burkas, sun glasses and gloves to make sure our identities will not be lifted.