The Future of Crime - Biometric Spoofing?

AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"

hmm..

[bigattichouse]

Lets see.. I remember a very detailed Expose [imdb.com] on these so called "borrowed ladders". Gee. You write a movie about it, and it takes almost 10 years for it to become a top news story on slashdot. I also remember an eye-scan in a movie using a plucked eye. Spaceballs used an unconscious guard's hand. As well as the "removed hand". Even scooby doo, Daphne used powder makeup to bring out the pattern of a thumbprint on a scanner to unlock something or other.

Biometrics should be an *added* level of security

[PFI_Optix]

Anyone who relies on biometrics alone is asking for trouble.

Fingerprint: not secure
Fingerprint + password: more secure
Fingerprint + password + voice sample: even better.

There are harder biometrics to reproduce, like the thermal patterns of your face. For highly secure areas, multiple biometric keys, a memorized password, a voiceprint, plus a physical key/card would be ideal. And of course there's the good old-fashioned trustworthy security guard to make it even harder for the wrong person to get where they shouldn't be (assume you're restricting physical access).

The Gattaca Solution

[Billosaur]

Blood. A mix of your DNA plus biomarkers. Of course if you've seen the movie, perhaps that too can be spoofed.

In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.

Change my passwor... er fingerprints?

[fish_in_the_c]

The biggest problem with biometrics is after it is compromised it cannot be changed.

sure you have 10 figures and 2 eyes, but when it comes too it you will never get ADDED security with a biometric only system.
biometric + password + keycard is the securest solution.

something you are, something you know, something you have

As the phrase goes in the banking security industry.
Those have always been the only 3 options for establishing 'trust' with an unknown entity.

Carjackers have already removed a victim's finger

[dpbsmith]

This article [assaabloyfuturelab.com] says "A March 31, 2005 report in Malaysia's New Straits Times describes how a luxury car owner, Mr. Kumaran, was attacked by a gang of car thieves. His ordeal was apparently made worse because his S-Class Mercedes Benz was equipped with a biometric lock that prevented the car from being started without authentication by his finger or thumb print. At first the thieves had Mr. Kumaran start the car using his fingerprint. Then they took him, along with the car, to a chop-shop where they had hoped that the security system could be bypassed. When they decided that they couldn't override the security and that the fingerprint was required, they took Mr. Kumaran's left fingertip and dropped him off along the roadside where he was eventually able to find medical help."

I guess I'd prefer to have the bad guys to use a reasonable facsimile of my finger, retina, etc. than to have them use the real thing.

Earliest reference to biometric spoofing?

[Rob the Bold]

The earliest reference to biometric spoofing that I'm aware of was the book: "The Red Thumb Mark" by Austin R. Freeman. It was published in the early 20th century. The detective (Dr. Thorndyke) suspected that a bloody thumbprint left in a burgled safe was actually a plant to "finger" an innocent man. The mystery wasn't so much the identity of the crook -- which you guess correctly in the first few chapters -- but the means of making the spoof and the method of proving his crime.

The first edition I've seen is dated 1928, but I think it was initially published nearer to 1900. The idea has been around for a while.

Re:Three ways to authenticate yourself

[99BottlesOfBeerInMyF]

something you are (fingerprints, irises, etc.)

All the credible books I've read mention this as a fallacy. Something you are is not a measurable property since it is impossible to make a copy of what a person is, fundamentally. Biometrics are simply something you have that is really hard to change. This is good in that others may have trouble changing their s to be yours, but bad in that once compromised, you're screwed for life.

Biometrics are not a good part of a secure authentication solution. They are convenient for very low security operations. The difficulty of changing them makes them useful as an additional authentication mechanism, under proper human supervision (which will probably never happen). In the way they are being applied and are ever likely to be applied, biometrics are liability and lead to false positives, sloppy authentication, and a false sense of security. Trying to characterize biometrics as a separate category from "something you have" is mostly an attempt to obfuscate what terrible "something you haves" they tend to be and to remove them from the formalized evaluations of "something you have" components. Largely this is because they are whiz-bang and nifty and sales guys can make a fortune selling them.