Become a fan of Slashdot on Facebook


Forgot your password?

Biometric Thumb Drives? 66

osopolar asks: "I work as a security analyst for a 10 billion dollar bank and we are currently looking for biometric thumb drives as emergency backup/recovery solutions for our local branches. We do not have IT people at every branch so the backup must be done by a branch manager, so the device needs to be easy to use. How would you backup information securely? What thumb drives do you recommend?"
This discussion has been archived. No new comments can be posted.

Biometric Thumb Drives?

Comments Filter:
  • by Anonymous Coward
    Think about it.
  • Now some's thumb drive will be missing...or they got lost in their pants in the washing machine?

    This just seems to spell trouble. I can only imagine some bank manager "now where did I put that thumb drive...."
    • Re:missing laptop (Score:3, Interesting)

      by 4D6963 ( 933028 )
      I can only imagine some bank manager "now where did I put that thumb drive...."

      It applies for alot of other small devices in other jobs. If you're an FBI agent and that you lost your security access card, if your some guard and you lost your keys, etc etc, it's just the same as if you're a bank manager who lost his thumb drive.

      You're just not supposed to lose that kind of stuff, period.

      • Re:missing laptop (Score:4, Insightful)

        by the eric conspiracy ( 20178 ) on Saturday May 13, 2006 @09:25PM (#15327445)
        That's why you uxe multifactor security.

        • Yeah, in a post below this one, I mentioned Realm System's USB personal servers, which offer two-factor authentication (or three if you want to add a password, which you apparently can, but that's probably not too necessary).
      • If an FBI agent (or anyone else with a proximity card for work, like most people have now) loses a card - even one without multifactor authentication - it can be rendered useless with a phone call. The card doesn't actually store any information, it just grants access to information.

        A thumb drive on the other hand, grants access to the information it stores, and this is a whole different ballgame. Suppose your particular thumb drive has a 1/1000 False Acceptance Rate, well someone just has to try and auth
    • by Ohreally_factor ( 593551 ) on Sunday May 14, 2006 @01:15AM (#15328168) Journal
      Well, see, this is what happens when you don't take an idea to the extreme. What your bank manager really needs is a drive actually implanted in his thumb, so he can't lose it, and keyed to him biometrically, so it wouldn't be quite so easy to nip off his thumb and steal the data.

      Although, if you had a USB port in your thumb, it would make it hard to type, so better make it a toe drive. Make sure your toe drive is bootable! I'm sure the creative minds here at slashdot can think of other more pedestrian uses for a toe drive.
      • I imagine such technology (we're now talking "bionics" here, not just biometric any more...) wouldn't come cheap; who's going to foot the bill for all these toe-drives? Bankers are notoriously tight (they'll fight tooth-and-toenail over the smallest of charges) and surely the bank's customers will feel their patronage is being trampled on just to pay for something that's "the banks' responsibility anyway..."

        Not to mention, we don't know where the branch managers stand on all this. Whoops, I guess I did m
  • upon further consideration of this topic, asking for advice, we need more specs. A quick search for biometric thumdrives didn't reveal anything bigger than 1 gig.
  • er... (Score:5, Insightful)

    by fiddlesticks ( 457600 ) on Saturday May 13, 2006 @09:11PM (#15327381) Homepage
    You work for a '10 billions dollar' business that can't afford enough IT staff in its branches and gets hardware recommendations from 'ask slashdot'?

    • Re:er... (Score:3, Funny)

      by Anonymous Coward
      I think it's obvious from his level of intelligence, and the fact that it's slashdot, means he works for Paypal.
    • It could be true... many large IT Departments, particularly at banks and government agencies are driven by security paranoia and are incapable of doing anything that hasn't been proven somewhere else.

      Places like this are why the phrase "Nobody ever got fired for buying IBM" exists.

      While asking /. is pretty retarded, its no more retarded than any other question here.
    • You work for a '10 billions dollar' business that can't afford enough IT staff in its branches and gets hardware recommendations from 'ask slashdot'?

      JACK: If X is less than the cost of a recall, we don't do one.
      BUSISNESS WOMAN: Are there a lot of these kinds of accidents?
      JACK: Oh, you wouldn't believe.
      BUSINESS WOMAN: ... Which... car company do you work for?
      JACK:A major one.

    • I have to assume that he is checking out other avenues, but asking /. is as good enough a place as any other to get leads that he will investigate further.

      I imagine he's asking 'has anyone else evaluated these things, and which ones did you find were the best?'.

      Alternatively, he's going to go suck up to his boss later with his "personal research on his own time".
    • This could be:

      Mc Donalds
      Jack in the Box
      Auntie Annie's
      any other retail coffee / soda / taco / burger shop / multimall kiosk operation
      some cash-yer-paycheck express storefront

      An operation / franchise having 10,000 branches, each with 20-30 employees, 90% of whom are fry chefs and janitors may not be one that maintains an IT staff at every outlet.

  • With your title (Score:5, Interesting)

    by Incongruity ( 70416 ) on Saturday May 13, 2006 @09:16PM (#15327401)
    Were I your employer, I'd be a bit concerned that you're asking slashdot this question....

    No offense really intended, but the question is too vague and too open-ended to really be answered well here and it's that lack of specificity that makes me worry a bit about your qualifications for the position you're in. By all means, please, bring in outside help for any situation that you need advice on -- for the sake of your employer and customers, but slashdot is not the best place for high-quality, industrial grade advice that you should hang your hat, job, and other people's money on. That having been said, what exactly are you trying to back up? How frequently does it need to be done? How quickly? How will restores be handled -- who will do them, when and why? What are the demands of the media? Does it need to be simply stored on site or will it be transported? How (mailing? courier?) Would a networked option work for backing up? If not, why not?

    That's just a start to the questions that are really unanswered (and need to be) for anyone to answer your question "How would you backup information securely?" It sounds like you think a thumb-drive will be an acceptable answer to you, but it's unclear why you've settled on that...What makes such a system better than a well scripted encryption scheme and commodity media (anything from CD-Rs to removable tape or hard disks?)

    Without knowing the specifics, any answer would be incomplete at best, shooting blind at worst...

    • by halcyon1234 ( 834388 ) <> on Saturday May 13, 2006 @09:43PM (#15327518) Journal
      but slashdot is not the best place for high-quality, industrial grade advice that you should hang your hat, job, and other people's money on.

      Phsaw! Ignore him. I'll get you a good deal on the thumb drives. They're 1GB ones, but they're bulk discounted because the label on the front (and Windows) misreports the size as 16MB. (Since G and 6 are so similar, the isolinear pro-recgonization dll don't properly link). To get the biometric security working, you just need to download additional drivers. I can't remember the website off hand, but it ends with .fl It adds on an additional level of security by co-hashing the thumbprint recogniztion with a non-alpha numerator string of indetermened length. For the best security, you should use a long number, and one that isn't known outside of the upper echelons of your company. Your expense account credit card number should do.

      Oh, and if your IT guys start spouting off nonsense about "remote access of datadrive contents", you can tell them what's really going on. The thumb drives (courtesy of the additional drivers) use sporatic cross-referenced data layer technology. Whenever the drive is connected to an internet-capable machine, it automatically hides parts of its data throughout the Internet for safe keeping. After all, if the thumbdrive gets lost, you don't want all the data to be gone, too? It's an additional security feature. (And your IT guys SHOULD know that, shouldn't they? I mean, they are supposed to be knowledged professionals. Unless they lied on their resumes. Better check that out...)

    • The question is an example of the Slashdot version of How do I build a forum?" []
    • And if you replied with specifications, and I were your employer, I would think about firing you. As a "security professional" you should realize social engineering is the number one method of entry in to systems. Do not be sucked in to answer any requests for specifics. Take the advice, go to consultant or trusted manufacture for specs.
  • by maggard ( 5579 ) <> on Saturday May 13, 2006 @09:45PM (#15327524) Homepage Journal
    Backup? A 10 Million, er, I mean, BILLION, dollar company?

    Yeah, thumb drives, there's an idea.

    No, wait, gotta sex it up....

    Thumb Drives with Biometrics!


    Honey, yer wastin' yours & everyone ele's time with this DOA idea.

    Encryption? At the source. Not some lame-ass "biometric" solution grafted onto a thumb drive, if some crazy Pacific Rim factory has pumped out such an inane idea yet . Then who gives a rats ass, your 1 GB, or 2 GB, or whatever, is properly encrypted. But if that's your local branch's disaster recovery strategy well, I'm scared.

    For the sake of all of our investments please post your employer, so we can all move our funds to some other 10 billion dollar business that has legitmate disaster recovery strategies.

    Hey Cliff, was there REALLY nothing better in the "Ask Slashdot" queue?!

    • The best thing you can do is to bring in a "security analyst" that is a CISA(Certified Information Security Analyst). I know a guy who has this cert and he says that there are a lot of banks out there that don't take security seriously(scary, I know). Given the "cost of failure" in this situation, I wouldn't try some harebrained scheme I saw in the movies. I'd just want it done right so I could sleep at night.

      I know you're already a kind of "consultant"(i.e: the person with all the answers) but it may
  • Other Suggestion (Score:5, Insightful)

    by Vandilizer ( 201798 ) on Saturday May 13, 2006 @10:18PM (#15327642)
    Fist off asking slashdot is a fantasist idea you might get an off the wall idea as it to follow or just some good general advice. Being vague might just be a problem with and NDA. Paying some one or going only with in your own department you are only going to get what is familiar, which is not the best answer.

    Now as for the biometric key drives in personally research they do not provide enough protection to secure such data.

    What I would suggest is just a portable USB hard drive. With all the data encrypted using a key generated from the unique serial numbers on the computer and an additional random generated number stored on a key such as this one ( []) or just any public key, each branch could also have one key with the privet key to decrypt the data in case they need to recover it locked in a vault preferably requiring at lest 2 different people to access this key since (if you are in a bank as you say this should not be that hard to arrange) they would never need this key unless they were doing a recovery and you could also key one at a central site incase of an unforeseen events or not, but I suspect if they ever loses theirs you would just replace the entire set (though you would have a much bigger problem on your hands I would think).

    Seeing as there small key has 4kb of storage using a large key with AES (probably SHA-512 or again what ever tickles you) would keep your data pretty safe or at lest the government would think so.

    The only other thing I would recommend in keeping 2 backups in 2 completely different locations, people do walk off with stuff, or more politely they misplace things.

    Hope this helps or gives you some ideas, I am just babbling a little from things I have done. Post if you have a question or want to strike up a conversation.

  • Bad Idea (Score:5, Insightful)

    by miyako ( 632510 ) <> on Saturday May 13, 2006 @10:26PM (#15327672) Homepage Journal
    I have to agree with some of the other posters, this biometric thumb drive idea just smells horribly of a poorly thought out plan that is destined to fail catastrophically when your company either makes it into a money sink that never works out properly, or a poor implementation leads to sensitive data being stolen.
    There are a number of reasons that it just seems like a strange a bad idea to me, but here are some of the most obvious things that pop into my head:
    Firstly, thumb drives seem to be just now getting up into the 2GB range. I'm sure you could find larger ones if you looked, but the largest drive I was able to find with a google search for "thumb drive biometric authentication" was 2GB - and that devices wasn't exactly secure, since the biometric authentication could be overridden by a password. Now, the thing about it is, what sort of data do you have only 2GB of that is so vital as to require it's own backup system? Furthermore, what data do you have that is so vital that it requires it's own special backup system with biometric authentication, and is not vital enough that you aren't already hosting it on some machine with a RAID and nightly backups to tape. Most data that people need to back up now days tends to be stored in a database, which are going to log the hell out of everything, plus have multiple backups- onsite and off site. The idea of some 10 billion dollar banking institution having all of their local branches running their systems on a local access database, and a bank manager backing up the database file to a thumb drive every night would be frightening if it wasn't so absurd.
    The second big thing that jumps out at me is the fact that biometrics really aren't all that secure. Many finger/thumb print recognition systems can be defeated with a gummibear; and I've never seen any sort of thumb drive with a built in retinal scanner.
  • by binaryspiral ( 784263 ) on Saturday May 13, 2006 @10:39PM (#15327719)
    Why is your bank even keeping data at its branches?

    Get your $10,000,000,000 company to establish multiple redundant secure datacenters that the branches connect to using point to point connections along with strong encryption. No Internet connectivity... just centralized data storage in multiple places. I wouldn't even dream of allowing a branch manager access to infrastructure or data storage, six letters popped into my head... OMFG NO!

    When a tornado comes along and wipes a branch office off the map - wtf is a thumbdrive going to be useful when the manager's thumb is nowhere to be found?

    Your company rolls in a trailer with teller machines and Satellite feeds for data connections to the data center - and your customers' information is still safe in the central location and accessible the next day, even while they're still trying to ID the manager's corpse.
    • Well, there is the ledger data which is undoubtably on one ore more Big Iron systems. But there are also letters, emails, spredsheats, whatever, on desktops. They are likely being backed up now, and the peons can get their files back, eventually... Possibly not until they send someone out to reimage a system. Having stuff accessable in 5 minutes vs 24 hours can be a big deal.

      My thinking here would be to enforce a policy of "save files on the server", that way the desktops are disposable and irrelevent. But
      • Desktops should be citrix or some other virtual desktop - that's doable and more reliable that forcing people to save to the server... when there is nothing local to save to.

        Restores are easily done when the files and backups reside in the same central location - poof it's back. Obviously offsite and redundant locations is a must.

        Laptop users also shouldn't be carrying any customer information without some heavy duty protection and on-the-fly encryption. Mobile users are only safe if they're trained in how
  • Check this from sandisk: isk_Cruzer_Profile_USBFlash_Drive.aspx [] They look cool, though never used one, nor do I know if they are good.
  • Where to start... (Score:5, Informative)

    by Zadaz ( 950521 ) on Sunday May 14, 2006 @12:03AM (#15327950)
    I'm going to get modded down as "redundant" but this whole thing feels like such an overwhelmingly bad idea I can't think straight.

    1) To answer you question: Trek [] makes one that doesn't require external drivers. But it's only up to 512k and USB 1.1, and I can't find any indication to see if it actually encrypts the info. (My bet: no)

    2) What kind of "security analyst for a 10 billion dollar bank" are you, and can you be put in a room with the rest of us who are answering this question that we might have a chance to kill you, take your salary and put an untrained monkey in your job?

    3) Or are you just being clever and trolling for answers to a stupid idea your VP had?

    If it's the last one:

    Why Biometric? Biometrics are awful security. Terrible terrible terrible. The only advantage they have is, when it actually works, it works and a person doesn't have to think about it. And that's one of it's problems: People should be thinking about security. After that, it's less reliable than passwords (which have a 100% pass/fail reliability) and the whole issue of not being able to change your biometrics. If someone figures out how to fake my thumb, my whole life is fucking over. I can't get new thumbs. (or a new face or whatever). And the other stuff that's been talked about ad nauseam.

    Biometric thumb drives are even worse because it anyone who wants what's "protected" on it just has to steal the thing. Given physical access to the device, it's trivial to circumvent the biometrics.

    What information at individual branches is important that needs to be backed up? And why the hell isn't it being done already, and off site? Seriously. You're a "10 billion dollar bank" You should have private data lines between your branches and central computers.

    And lastly, under what circumstances would you want backups done by unskilled people? I mean C'mon. Are you telling me that you don't know that these guys are the weakest link in your security anyway?

    A better security idea would be to automate your backups through your private lines and disable all access to removable media drives in your whole company. Why you'd allow someone to be able to connect a USB drive to a computer that has access to information that needs to be protected makes my nerve endings hurt.

    • I think what you said about biometrics can't be said enough.

      I can't tell you how many times I've heard lately about biometrics and how they're going to be the "next big thing," and how they're "so secure." A few times, I've even heard the dreaded P-word come up. The one you never hear from anyone who knows what they're talking about in regards to system security: "perfect."

      People think because they use their thumb-print to access their computer, that somehow it's impossible for anyone without their thumb to
      • It just never seems to occur to people that to a computer, a thumb is just a bunch of numbers.

        It doesn't occur because a lot of people simply don't understand that computers boil everything down to a bunch of numbers.

        I had the most terrible trouble explaining this exact scenario to someone when I was on placement - that it was all a bunch of numbers. The person I was explaining it to was absolutely convinced that I was wrong, and that what was sent down the wire was "a picture", not a bunch of numbers. Th
  • Not too long ago. It was a used one from a small local bank in my rural area, they had upgraded and this guy had it in a shop for some mods to be done for the new owner (I tried to buy it but the new owner thought it was too cool, wanted to keep it for a home mega server or something). It had 12 scsi drives and 4 processors, IIRC PPs, but I might be wrong on that, forget now..anyway, a nifty looking mega tower. I wanted it for..well because it was dang cool, that's why! Figured I'd slap a good vid and sound
  • The guys at Realm Systems have a line of small usb servers (a bit wider than an ipod nano) that have a gig or so of flash memory, a PowerPC processor, and fire up a desktop on your machine when you plug them into a USB port. They are running an embedded Linux distribution and use a biometric thumbprint scanner to authenticate their users. Each device can be administered by a management router box in your bank's network.

    Check them out! Their web site is
  • Okay, banks deal with money and businesses. Businesses being their main source of profit. How is it that a bank can see it as okay to not have an IT infrastructure that, at the very least, has a steady backup regimine?!?!? The answer is not finding some new gadget that'll let the branch manager wing it. The answer is to either have IT personnel available for such matters or to train existing personnel to do the job correctly. Backup is no insignificant endeavor and shouldn't be treated as such. What bank is this? I a) want their business and b) don't want to give them mine.
  • PLEASE tell us what bank you work for so that I will know to never use them. Asking SLASHDOT how to create a security policy?

    That's like asking a rioting mob how to reach enlightenment.

    I use my local credit union.

    • I wouldn't worry about it so much. Assuming that it's the same guy as this: []

      He appears to be based in Peru, so presumably it's peruvian branches that he's talking about. Even then, from the way he writes, I think this is a case of a somewhat youthful slashdotter getting delusions of grandeur.
    • Interestingly, if the bank only has $10B in holdings, well, it's not very big at all. That's 1) less than 50,000 typical mortgages, and 2) less than Yale University's endowment.

      Another comparison, Westpac bank, one of Australia's "Big 4" (bear in mind, 20 million people versus 260 million in the US) regularly posts $2B in annual profits, and has assets of $260B.

  • Oh God..... (Score:4, Funny)

    by Anonymous Coward on Sunday May 14, 2006 @02:11AM (#15328335)

    "I work as a security analyst for a 10 billion dollar bank .... How would you backup information securely?"

    *heads to google*

    *pulls up information on finance sector*

    *attempts to cross-reference all companie market caps between $8B and $12B with list of bank accounts in file cabinet*

    *cancels all matches*

    *orders credit watch service for credit report*

    *shakes head, weeps gently*

    *suddenly realizes, not all banks are publically traded*

    *mutters obscenities*

    *cancels all accounts just to be safe, renounces materialism, heads to mountain cabin in woods*

    *later, is eaten by wolves*

  • by sane? ( 179855 ) on Sunday May 14, 2006 @03:06AM (#15328439)
    I won't bother to do the usual /. thing of calling you an idiot for looking at this solution, on the basis of your one paragraph summary. You know more of the details than me.

    I have sitting in front of me a fingerprint USB flash drive from Adata. Cheap. Comes in capacities up to 2GB. Study in a plastic sort of way, it would take abuse. Perhaps most interesting there are no drivers to install, when you plug it in it runs the autorun code which does the fingerprint check and then runs up a tray icon with access to a number of utilities (eg email client) which are stored on the disk. Only takes up 7Mb of the space, the rest of which is available to you. Windows only however. No fingerprint, no access to any of the files.

    I've no idea how secure it really is against access, my bet is not very. However it might be possible to change the tray program to contain programmes of interest to you and a Truecrypt partition and driver software could be included for more security.

  • Do think of all your options. Since I don't know of any thumb drives that'd be useful, here's what I'd recommend:

    I suggest you set up a dedicated backup server at each site. It doesn't have to be much of a box -- it may even cost less than the thumbdrive. We used BackupPC [] to manage the backups -- it's entirely automated, and it can be configured to send out an email if a backup didn't complete successfully. It'll be doing mostly incremental backups. Keep the backups on a separate partition, so you can
    • Quick question ... you mentioned using OpenVPN to do the remote-to-central backups. Why not just use rsync? Seems like it would be easier than opening a VPN connection, mounting or otherwise connecting to the server, and then syncronizing the files to be backed up (which you'd need to use other utilities for anyway). With rsync, it's all done for you and the security is still there, since it's done over SSH. Keeping a remote mirror is as easy as one line in crontab (plus setting up the required certificates
  • Rather than using a thumb drive, I recommend you use a redundant system at the branch, either a full redundant cluster or a segregated backup server if you want to do it on a budget. Then do incremental backups over the internet either between branches or to a central repository. The amount of data generated by even a large bank branch over the course of the day will be relatively small and can be shipped over the net in minutes. (You'll of course want good security for your internet link, with an airgap
  • A machete or other knife big enough to chop the manager's finger off defeats the security totally, just chop off the thumb.

    That is even easier than squeezing a password out of the guy.
  • I assume you are wanting to backup data such as desktop mydocs from the branches on a daily basis. If so, I strongly recommend using remote backup services. If you are large enough you can purchase a license for your own inhouse remote backup services or if you only have a couple branches, you may want to outsource the services of a 3rd party. The data gets encrypted at the client side before it is transferred over the internet with Blowfish encryption. The host receives and stores only contains encrypt
  • by sjames ( 1099 ) on Sunday May 14, 2006 @04:38PM (#15330753) Homepage Journal

    One biometric thumb drive I tested had no actual security. The windows driver would ask it if it was authenticated and if no, would deny access. In Linux, it looked like a standard drive and 100% of the 'secured' data was trivially accessable with no authentication.

    Another I evaluated did only slightly better. When in the unauthenticated state, it would report 10 sectors capacity rather than 8000 (OK so far). When authenticated, it reported all 8000. However, I then tried accessing sectors 10-8000 using raw SCSI commands while unauthenticated, and it LET ME DO IT! The 'secured' data was 100% available with no authentication. In fairness, when I noted this, the manufacturer sent me a one off that did it right but I don't know if they ever put those changes into their production model.

    Yet another actually denied access to the blocks when unauthenticated, but when the admin recovery procedure was used, it only erased the partition table. So all I had to do was 'recover' admin access then write in a reasonable partition table. All of the old data was available.

    I never got around to cracking them open to see if I could bypass the drive emulation and dump the raw flash memory.

    There MIGHT be a few drives that actually ARE secure, but too many of them are toys.

    • Lets cut to the chase - these drives are not designed for corporate security. Biometrics are not up to that yet, for all the reasons that people have posted above.

      These "thumbprint" flash drives are for keeping snoopers from seeing what's on your thumb drive while being quicker and easier than a password system (nothing to remember). But mostly they're just a gimmick. Good for hiding pr0n from your mum, not much more..
  • I use a SanDisk Cruzer Profile, which has 512MB, and requires a fingerprint authentication. In addition to providing security against losing the device, it allows me to authenticate to my domain and several websites, etc.. that I have configured. Despite the obvious danger of losing the device, I have found very few drawbacks. The data can be synchronized to avoid data loss should I lose the device (or the authenticated finger), and it is much safer than losing my security badge or an RSA device...
  • Maybe you should try the BioSlimDisk. Sounds like what you would be looking for.

    Its does not require any software or drivers thus it really simple to use.

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.