The Future of Crime - Biometric Spoofing?
AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"
Spoofing biometrics? (Score:1)
Oh wait. You can...
CRAP!
Re:Spoofing biometrics? (Score:2)
Brainwave scans (Score:1)
And in some, too subtle to be picked up anywhere [wikipedia.org]. (See: Nonexistent [thefreedictionary.com])
Re:Spoofing biometrics? (Score:2, Informative)
Take it from me, I record a lot of EEG, they are not easy to record or work with. The artifact that you get from even an eye blink is enough to skew the data. Let alone someone moving other parts of the body. Granted, I don't work on using EEG as a method of identifying individuals but I have my doubts that you could get a unique signature from every individual or ask people to hold s
Re:Spoofing biometrics? (Score:2)
Who watches the watchers? (Score:1)
Immutable, too. (Score:5, Insightful)
Re:Immutable, too. (Score:2)
Re:Immutable, too. (Score:2)
The only actual advantage a biometric tag adds to the setup is that you won't forget it at home, but then again, that's rather irrelevant from a security aspect.
Of course, magstripe readers don't offer as much 'job security' to the s
Re:Immutable, too. (Score:2)
Can I use it in my proprietary signature, or is that one of those "bad freedoms"?
Re:Immutable, too. (Score:1)
A long passphrase is much better, in my opinion.
Until the Alzheimer's sets in... or you have one too many at a party the night before... get a concussion...
Better write it on a Post-It Note... then again, better not [slashdot.org].
Re:Immutable, too. (Score:2)
Sure it is - but only so far as it enhances existing security. Using it to replace existing technologies might be a mistake, but using it to supplement them surely isn't.
Re:Immutable, too. (Score:1)
While I wouldn't consider myself handicapped (I still type much faster than most people), there are some definite accessibility concerns for some of these things that I have not seen addressed...
File under "Told you so" (Score:5, Insightful)
People think that biometrics is some sort of magic bullet, because for years they've seen retina scans and fingerprint scanners on TV in all sorts of "high security" situations. But in reality, a fingerprint scan is probably not that much better than a good password -- it's certainly better than a shitty password, and in combination with a password it's probably better, but alone it's terrible.
The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.
The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.
Same old adage... (Score:2, Redundant)
- Something you know (a password, an answer to a question that requires private knowledge, a PIN number),
- Something you have (an RFID card, a secureID token, a bank card)
- Something you are (fingerprint, DNA, retina, brain wave)
Any *one* of these metrics is too easy to bypass. Any system that requires security should use *at least* two of these factors for authentication (eg, banks use a card + a PIN). Being
Re:Same old adage... (Score:2)
Re:Same old adage... (Score:2)
Re:Same old adage... (Score:2)
All it took was a scanned image of a fingerprint, a relatively decent photo printer, some thin poster board or a manila folder and some sort of powderless latex glove. Yes, even as far back as '98, I could copy fingerprints enough to make it appear someone else was in a room. This new fingerprinted glove would carry the heat of a warm living finger and has already been used
Re:File under "Told you so" (Score:2)
Re:File under "Told you so" (Score:2)
Biometric scanning should be used for nothing more than a quick & automated method of stating, not proving, identity. Biometric data is not secret - just like a name is not secret. Both can still be used as low-security identifiers though. Simply because I state that I am "George W. Bush" or "Tom Cruise" does not make it so.
Re:File under "Told you so" (Score:2)
Re:Immutable, too. (Score:2)
Ummm.... Yes you can. Although it requires an exacto knife, a hot iron, and a bottle of tequila.
But seriously, one of my friend's bio-metric logon dongle they had for their computer wouldn't recognize one of my fingers after I had an accident with a hot light bulb. It burned my thumb print til it blistered and I removed the dead skin leaving only smooth raw skin exposed for a bit. Actually, it wasn't as much as an acciden
Re:Immutable, too. (Score:2)
The only thing safe and secure... (Score:2)
Well, that's what I used to think.
No, you can't moderate me as paranoid.
Of course.
Really now, is that what you think?
Re:The only thing safe and secure... (Score:3, Funny)
That's what you think!!! (Pulls tin hat tighter around head)
Re:The only thing safe and secure... (Score:2)
I still don't see why everyone is snickering at me when I go to the gym to work out?
Re:The only thing safe and secure... (Score:1)
hmm.. (Score:5, Interesting)
I am prepared (Score:5, Funny)
Re:I am prepared (Score:2)
At least that way you'll always be able to find your keys - just follow your nose.
All right! (Score:3, Funny)
$5 counter measure (Score:1)
Re:$5 counter measure (Score:1)
Re:$5 counter measure (Score:1)
So anyone with a biometric scanner could use your fingerprint against you. Or they could sell it.
Slashdot 2015 (Score:3, Funny)
Biometrics should be an *added* level of security (Score:3, Interesting)
Fingerprint: not secure
Fingerprint + password: more secure
Fingerprint + password + voice sample: even better.
There are harder biometrics to reproduce, like the thermal patterns of your face. For highly secure areas, multiple biometric keys, a memorized password, a voiceprint, plus a physical key/card would be ideal. And of course there's the good old-fashioned trustworthy security guard to make it even harder for the wrong person to get where they shouldn't be (assume you're restricting physical access).
Re:Biometrics should be an *added* level of securi (Score:2)
Fingerprint + password + voice sample: even better
If you accept the concept of being able to spoof biometrics, finger and voice prints were mentioned as possible ones in the blurb, then this "even better" security really falls back to the "simple" password security.
I would still prefer security I can modify and change easily rather than security that is part of me.
Re:Biometrics should be an *added* level of securi (Score:2)
So far as I know, the *patterns* don't change, just the temperature. Sufficiently intelligent software could compensate.
Beating the System (Score:1)
Now if you'll excuse me, I'm feeling a little light-headed.
Re:Beating the System (Score:2)
It'd hurt, but it would be a lot less dangerous than the alternative...
Re:Beating the System (Score:1)
Re: Our faces and irises are visible. (Score:4, Funny)
Our faces and irises are visible and our voices are being recorded.
http://www.theatlantic.com/doc/200209/mann [theatlantic.com]
Iris scanner - a million bucks
Glasses with a picture of someone else's eyeballs - $5.00
Stickin' it to da man! - priceless.
The Gattaca Solution (Score:4, Interesting)
Blood. A mix of your DNA plus biomarkers. Of course if you've seen the movie, perhaps that too can be spoofed.
In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.
Re:The Gattaca Solution (Score:3, Funny)
Sorry, your identical human clone has already cleared out your bank account and stolen your wife as you read this.
Better luck next time!
Re:The Gattaca Solution (Score:1, Funny)
Clearly it's time to start having dolphins create secure systems for us.
Stolen (Score:2)
Obvious to a kid (Score:2)
I predict security overall will actually get worse as time goes on, as guards rely blindly more and more on flawed tech
Depends on the biometric scanner (Score:1)
Take a look at the unique identifier generated by the biometric scanner, some generate a 600b 'digest' of the finger, others need several KB (hence more valuable data are stored).
I don't know about other types of biometric scanners.. I wonder, how voic
Three ways to authenticate yourself (Score:3, Informative)
As many have already pointed out, the best security uses a combination of two of the above. This is so because each one of the above has an inherent weakness.
Re:Three ways to authenticate yourself (Score:1)
Re:Three ways to authenticate yourself (Score:1)
Re:Three ways to authenticate yourself (Score:3, Interesting)
something you are (fingerprints, irises, etc.)
All the credible books I've read mention this as a fallacy. Something you are is not a measurable property since it is impossible to make a copy of what a person is, fundamentally. Biometrics are simply something you have that is really hard to change. This is good in that others may have trouble changing theirs to be yours, but bad in that once compromised, you're screwed for life.
Biometrics are not a good part of a secure authentication solution. They are
Re:Three ways to authenticate yourself (Score:2)
I'd comfortably bet that most security professionals have rejected this concept. "Something you are" is really just a slight variation of "something you have" and there isn't anything in particular that makes them any better to make it worth differentiating.
Something you know does have a slight variation called something you do (the way you walk, the way your brain waves are, the way you sign your signature.) It remains to be seen whether some of the less known
Re:Three ways to authenticate yourself (Score:2, Insightful)
The distinction is important because "something you are" things cannot be changed, whereas "something you have" is an external object that could be replaced if compromised or lost.
The distinction is especially important now, as the world is erroneou
Biometric hand scanners (Score:2)
Re:Biometric hand scanners (Score:1)
Re:Biometric hand scanners (Score:2)
Eeeew, hand scanner! One of my colos had those installed. I asked them nicely, and they gave me a proximity card instead. With people spending so much time fixing machines, there's no telling what these people do -- pick their nose, scratch their ass, do whatever icky things you can imagine in the can, and then put their nasty greasy hands on those things. Look more closely at the flickr image (or please post a high
Re:Biometric hand scanners (Score:2)
This datacenter uses a combination of both hand scanners and proximity cards. At the security booth you swipe the card next to the hand scanner then scan your hand. There's also a mantrap at the entrance to the datacenter floor. You swipe the card to open the outer door, then once you're inside and the door closes you swipe again and scan your hand. Then the inner door lets you onto
Old News (Score:2)
The real question is what happens when the person does not have a finger print? I don't!
The state started scanning everyone's finger prints in to get a driver's license. I used a belt sander and an 80 grit sanding belt. 3 minutes and No more finger prints! They
Re:Old News (Score:1)
So you're saying that your penis is about the same size as a typical thumb?
Next time you post information like this, you should probably do it anonymously. And, be careful with that pocket knife, or you may end up limited to pinky-print scanners.
Re:Old News (Score:2)
That is what I get for being in a hurry and just clicking ok through the spell checker.
lol, sorry it should read pencil
Demolition man (Score:2)
I actually thought it was quite funny how they suggested he could simply rip off someone's arm to "mug" them.
DNA left everywhere? (Score:2)
I'm not so sure I wanna know what it is you're doing that's leaving DNA everywhere... : p
Re:DNA left everywhere? (Score:1)
Dead skin cells? Hairs dropping off your body?
TLAs Won't Use Them (Score:2)
Don't use it for anything valuable (Score:2)
The perfect crime (Score:2)
What is the perfect crime? One that cannot be solved? No. The perfect crime is one that is actually solved but with a different culprit than you. It is perfect in that sense that it closes the case. As soon as someone is locked up, the case is dropped.
Re:The perfect crime (Score:1)
Re:The perfect crime (Score:2)
Actually the way the police work plays into the murderer's hands, because they need a quick success. The longer the trail chills, the lower the chance for success becomes. Also, they usually have a lot of pressure down their neck, so they have to present SOMEONE soon. And they usually grab the first suspect available. Just make sure the trails to him are strong
Re:The perfect crime (Score:4, Insightful)
Re:The perfect crime (Score:2)
Be careful of where you leave your DNA... (Score:2)
The failure of thumb and iris biometrics. (Score:2, Funny)
Raku (Score:2)
Change my passwor... er fingerprints? (Score:4, Interesting)
Sure you have 10 fingers and 2 eyes, but when it comes to it you will never get ADDED security with a biometric only system.
biometric + password + keycard is the securest solution.
something you are, something you know, something you have
As the phrase goes in the banking security industry.
Those have always been the only 3 options for establishing 'trust' with an unknown entity.
Re:Change my passwor... er fingerprints? (Score:2)
Did you know the standard for bank to bank encryption of transaction
is DES 8 and or 16
DES symmetric key exchanged before the transaction.
Sad really but the cost of changing the infrastructure isn't worth it to the bank and most customers would balk at the fees they'd charge to do it right as well.
OK kids... repeat after me... (Score:4, Insightful)
Biometrics are fine identifiers. They are unique and immutable.
Identification is not authentication. Not even close. Just because someone presents an identifier does not mean they are the authorized thing represented by that identifier. By their very nature, identifiers are promiscuous.
Re:OK kids... repeat after me... (Score:2)
Not [bbc.co.uk] really [bbc.co.uk]
Obligatory Demolition Man quote (Score:2)
John Spartan: All right, so he can't buy food or a place to stay for the night. And, it would be a waste of time to mug somebody. Unless he rips off somebody's hand, and let's hope he doesn't figure that one out.
DNA sample (Score:2)
* A little piece of hair, saliva, blood sample (for DNA)
* A fingerprint scan, but it must have a warm pulse
* An eyeball scan
* A voice print
That might do it. Throw in a universal ID chip too. Analyze it all in under 5 seconds, and you're into the ATM booth...
Carjackers have already removed a victim's finger (Score:3, Interesting)
I guess I'd prefer to have the bad guys to use a reasonable facsimile of my finger, retina, etc. than to have them use the real thing.
nothing special (Score:2)
People or computers? (Score:1)
Earliest reference to biometric spoofing? (Score:3, Interesting)
The first edition I've seen is dated 1928, but I think it was initially published nearer to 1900. The idea has been around for a while.
Viable Solution (Score:1)
All biometrics are permutable (Score:2)
Gattaca (Score:2)
Coincidence?
Re: (Score:2)
An other problem is.... (Score:1)
Are you right sure you want to expose yourself to such a threat?
Need eye identification? How tempting is that to take the eye of the person?
I won't risk myself on this, I prefer a usb key containing an RSA key or so and a good password....
It's not the type of security, it's the admins (Score:2)
Administration and the human being. It's too difficult to manage a 2000 or even 200 member authentication database. The simplest administration is just not done because it is tedious or takes too much time. For example: single time sign on, a user can only be logged in once anywhere or time constrained logons, there is no reason for an office employee to login in the middle of the night on the other hand, th
Question (Score:1)
Biometric spoofing will have a long history (Score:2, Funny)
If we're smart... (Score:2)
fingerprint == username
something else == password
Your username is easily seen, easily copied, and not kept secret, it's just convenient to use something that's hard to lose (i.e. your fingerprint) for it. I might even want to have a copy of my fingerprint on a keyring or something that I can give to someone who I'm authorising to act on my behalf.
The password part should be something you can change if someone gets ahold of it. Possibly even an actual pass
Security through Obscurity (Score:2)
Someone get one of those fingerprint eraser things from Men In Black in here, STAT.
An appropriate quote (Score:2)
Sneakers (Score:2)
Ahead of its time...
This is why (Score:2)
Also taking the piss, will become a common hacker pastime
Are hairdressers secret DNA thieves of tomorrow!
They can clone dolly the sheep - so key duping is possible
Bottom line will end up using and going thru so much red tape, might as well just use your brain. though that said hypnosis is clearly doable upon that CPU and gi
An even bigger worry ... (Score:2)
These days, we also have to worry about someone lifting and copyrighting our prints. And then suing us for infringement when we lift a glass of something.
And if we leave some hair or skin cells behind, we'll find that our DNA is patented and we're hauled into court for yet another violation.
Passwords have warped everybody's minds (Score:2)
Your facial geometry, voice print, fingerprint and so on are never expected to be secret and don't have to be secret. It makes sense to talk of a password being "compromised" and having to be revoked, because the value of a password is its secrecy. Keeping the password secret compensates for the fact that it can be reproduced by the millions and presented by anybody.
The fundam
Re:My proposed system. (Score:2)
This eliminates the following concerns: 1) Somebody spoofs your fingerprints. He still needs your password to do anything, and that cop will totally kick his ass.
If they already have to use a password, why bother with the biometric at all? It adds complication and a false sense of security. A human who sees 1000 false positives from the machine for every real attempt at fraud will soon stop looking for latex on fingers or even severed fingers. Because you need to use your fingerprint, they might be less