The Future of Crime - Biometric Spoofing?
AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"
Immutable, too. (Score:5, Insightful)
File under "Told you so" (Score:5, Insightful)
People think that biometrics is some sort of magic bullet, because for years they've seen retina scans and fingerprint scanners on TV in all sorts of "high security" situations. But in reality, a fingerprint scan is probably not that much better than a good password -- it's certainly better than a shitty password, and in combination with a password it's probably better, but alone it's terrible.
The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.
The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.
OK kids... repeat after me... (Score:4, Insightful)
Biometrics are fine identifiers. They are unique and immutable.
Identification is not authentication. Not even close. Just because someone presents an identifier does not mean they are the authorized thing represented by that identifier. By their very nature, identifiers are promiscuous.
Re:The perfect crime (Score:4, Insightful)
Re:Three ways to authenticate yourself (Score:1, Insightful)
But biometrics are useful for security. They can be used in the same manner as usernames, namely to establish the purported identity of an individual which will then be authenticated by items such as passwords, or smart ids. Biometrics are suitable for this because, just like usernames, it is good security practice to try to keep them secret but bad security practice to assume that they are secret.
Re:Three ways to authenticate yourself (Score:2, Insightful)
The distinction is important because "something you are" things cannot be changed, whereas "something you have" is an external object that could be replaced if compromised or lost.
The distinction is especially important now, as the world is erroneously trying to substitute an 'are' thing (fingerprints) in place of a 'have' thing (RSA token) for the sake of convenience.
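The design argued for in the "Three ways to authenticate yourself" comments above (a biometric used like a username, a replaceable secret used to authenticate), as an added example that is not part of the original thread. The `Directory` class, the template string and the secrets are constructed for illustration, and a real biometric match is a fuzzy comparison rather than the exact lookup assumed here.

```python
import hashlib
import hmac
import os

def _derive(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen account store does not reveal the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Directory:
    """Toy account store: template id -> (salt, hash of a replaceable secret)."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, template_id: str, secret: str) -> None:
        salt = os.urandom(16)
        self._accounts[template_id] = (salt, _derive(secret, salt))

    def identify(self, template_id: str) -> bool:
        # Identification only: which account is being claimed?
        return template_id in self._accounts

    def login_biometric_only(self, template_id: str) -> bool:
        # Weak design: the identifier is treated as if it were a secret.
        return self.identify(template_id)

    def login(self, template_id: str, secret: str) -> bool:
        # The identifier selects the account, the secret authenticates it.
        if not self.identify(template_id):
            return False
        salt, stored = self._accounts[template_id]
        return hmac.compare_digest(stored, _derive(secret, salt))

    def rotate_secret(self, template_id: str, new_secret: str) -> None:
        # Recovery step that exists for a secret but not for a fingerprint.
        self.enroll(template_id, new_secret)

def demo() -> dict:
    d = Directory()
    template = "constructed-template-alice"  # constructed sample value
    d.enroll(template, "first-secret")
    results = {
        "copied_print_weak": d.login_biometric_only(template),
        "copied_print_strong": d.login(template, "wrong-guess"),
        "owner": d.login(template, "first-secret"),
    }
    d.rotate_secret(template, "second-secret")  # after the secret leaks
    results["old_secret"] = d.login(template, "first-secret")
    results["new_secret"] = d.login(template, "second-secret")
    return results
```
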