The Future of Crime - Biometric Spoofing?

Posted by Zonk
from the bioawesome dept.
AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"
This discussion has been archived. No new comments can be posted.

  • Immutable, too. (Score:5, Insightful)

    by Poromenos1 (830658) on Friday July 21, 2006 @09:00AM (#15755925) Homepage
    When your fingerprints have been compromised (not very hard to do) you can't change them. For this reason, I don't think biometrics is a viable solution. A long passphrase is much better, in my opinion.
  • Yep ... which is exactly what people who know anything about information security have been saying for a while.

    People think that biometrics is some sort of magic bullet, because for years they've seen retina scans and fingerprint scanners on TV in all sorts of "high security" situations. But in reality, a fingerprint scan is probably not that much better than a good password -- it's certainly better than a shitty password, and in combination with a password it's probably better, but alone it's terrible.

    The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.

    The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.
  • by hagbard5235 (152810) on Friday July 21, 2006 @09:45AM (#15756253)
    Identification is not authentication.

    Biometrics are fine identifiers. They are unique and immutable.

    Identification is not authentication. Not even close. Just because someone presents an identifier does not mean they are the authorized thing represented by that identifier. By their very nature, identifiers are promiscuous.

  • by lordsid (629982) on Friday July 21, 2006 @10:22AM (#15756542)
    The perfect crime is not a crime that is "solved" with someone else blamed. It's a crime that no one ever realizes was committed.
  • by Anonymous Coward on Friday July 21, 2006 @12:36PM (#15757785)
    People keep saying this, but it is just plain wrong. In order for something to be useful for authentication, it must not have been compromised. This fact is obvious. What is not so obvious are the implications of this. Any practical form of authentication must be able to be changed to establish that it is not compromised. "Something you know" and "something you have" are suitable because those somethings can be readily changed as needed. "Something you are" does not have this property and so is useless for authentication.

    But biometrics are useful for security. They can be used in the same manner as usernames, namely to establish the purported identity of an individual which will then be authenticated by items such as passwords, or smart ids. Biometrics are suitable for this because, just like usernames, it is good security practice to try to keep them secret but bad security practice to assume that they are secret.
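
The design argued for in the comments above, as an added example that is not part of the original thread: the biometric sample only selects an account (identification), and only a replaceable secret grants access (authentication). The 16-bit templates, the Hamming-distance threshold and all names are constructed assumptions for illustration, not a real biometric matcher.

```python
import hashlib
import hmac
import os

MATCH_THRESHOLD = 3  # assumed: max differing bits tolerated as sensor noise

class Account:
    def __init__(self, name, template, password):
        self.name = name
        self.template = template  # enrolled template: fixed for life
        self.set_password(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def set_password(self, password):
        # The secret is revocable: a fresh salt and hash replace the old ones.
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._derive(password))

def identify(accounts, sample):
    """Identification: a close-enough sample names an account, nothing more."""
    for acct in accounts:
        if bin(acct.template ^ sample).count("1") <= MATCH_THRESHOLD:
            return acct
    return None

def login(accounts, sample, password):
    """Authentication: access depends only on the changeable secret."""
    acct = identify(accounts, sample)
    if acct is None or not acct.check_password(password):
        return None
    return acct.name

def demo():
    alice = Account("alice", 0b1011001110001111, "correct horse")
    accounts = [alice]
    copied = 0b1011001110001101  # constructed: copied print, one noisy bit
    out = {
        "copy_identifies": identify(accounts, copied) is alice,
        "copy_alone": login(accounts, copied, "guess"),
        "owner": login(accounts, alice.template, "correct horse"),
    }
    alice.set_password("new passphrase")  # secret compromised: rotate it
    out["old_secret"] = login(accounts, copied, "correct horse")
    out["new_secret"] = login(accounts, alice.template, "new passphrase")
    out["copy_still_identifies"] = identify(accounts, copied) is alice
    return out
```

After rotation the old secret is dead while the copied template still matches, which is the asymmetry the thread describes: the identifier cannot be reissued, the authenticator can.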
  • I'd comfortably bet that most security professionals have rejected this concept. "Something you are" is really just a slight variation of "something you have" and there isn't anything in particular that makes them any better to make it worth differentiating.


    The distinction is important because "something you are" things cannot be changed, whereas "something you have" is an external object that could be replaced if compromised or lost.

    The distinction is especially important now, as the world is erroneously trying to substitute an 'are' thing (fingerprints) in place of a 'have' thing (RSA token) for the sake of convenience.
