
The Future of Crime - Biometric Spoofing?

Zonk posted more than 8 years ago | from the bioawesome dept.


AxisPower9 writes "What we often watch in films and television - circumventing biometric security access - is turning from science-fiction to reality. Bori Toth, biometric research and advisory lead at Deloitte & Touche, warned that biometric spoofing is a growing concern. From the article: 'We are leaving our prints everywhere so the chance of someone lifting them and copying them is real. Currently it's only researchers that are doing spoofing and copying. It's not a mainstream activity--but it will be. Many people are trying to regard biometrics as secret but they aren't. Our faces and irises are visible and our voices are being recorded. Fingerprints and DNA are left everywhere we go and it's been proved that these are real threats.'"

134 comments

Spoofing biometrics? (1)

Chas (5144) | more than 8 years ago | (#15755919)

Nah! You can't reconstruct that data from minutiae!

Oh wait. You can...

CRAP!

Re:Spoofing biometrics? (1)

VernonNemitz (581327) | more than 8 years ago | (#15756247)

I recommend brainwave scans as the biometric of choice. Too subtle to be picked up everywhere, and therefore secure.

Brainwave scans (1)

Chas (5144) | more than 8 years ago | (#15756416)

I recommend brainwave scans as the biometric of choice. Too subtle to be picked up everywhere, and therefore secure.

And in some, too subtle to be picked up anywhere [wikipedia.org]. (See: Nonexistent [thefreedictionary.com])

Re:Spoofing biometrics? (2, Informative)

milamber3 (173273) | more than 8 years ago | (#15756833)

I'm not sure if your comment was meant to be serious. If it was then you must not be someone who works with EEG recordings.

Take it from me, I record a lot of EEG, they are not easy to record or work with. The artifact that you get from even an eye blink is enough to skew the data. Let alone someone moving other parts of the body. Granted, I don't work on using EEG as a method of identifying individuals but I have my doubts that you could get a unique signature from every individual or ask people to hold still long enough when they need to be "verified". No matter what kind of method you are using, I imagine something like a fast Fourier transform, a change in someone's state of mind will inevitably change the pattern of power frequency and possibly deny them access to their computer/work/whatever.

Last but not least the conductive gel that is generally used for the scalp electrodes should be a concern, no one wants to have that on their head all the time.

Re:Spoofing biometrics? (1)

asdf 101 (703879) | more than 8 years ago | (#15756399)

True.. most importantly.. quis custodiet ipsos custodes!?

Who watches the watchers? (1)

Chas (5144) | more than 8 years ago | (#15756430)

Well, it's a dirty job, but I'll volunteer! ;-)

What the?! (0)

Anonymous Coward | more than 8 years ago | (#15755923)

Did OJ Simpson sponsor this study?

Immutable, too. (5, Insightful)

Poromenos1 (830658) | more than 8 years ago | (#15755925)

When your fingerprints have been compromised (not very hard to do) you can't change them. For this reason, I don't think biometrics is a viable solution. A long passphrase is much better, in my opinion.

Re:Immutable, too. (1)

MrShaggy (683273) | more than 8 years ago | (#15755998)

Maybe a combination of both. You would need the fingerprints to access the password part of the security.

Re:Immutable, too. (1)

Znork (31774) | more than 8 years ago | (#15756332)

As the fingerprints will be trivially copied they add little or no security. You'd be more secure with a common magstripe card plus password system. The magstripe, at least, can only be skimmed when you use the card, while your biometrics are often 'skimmable' at any given moment.

The only actual advantage a biometric tag adds to the setup is that you won't forget it at home, but then again, that's rather irrelevant from a security aspect.

Of course, magstripe readers don't offer as much 'job security' to the scammers of the biometrics business, which appears to be the kind of security they're most concerned with.

Re:Immutable, too. (0)

Billosaur (927319) | more than 8 years ago | (#15756021)

A long passphrase is much better, in my opinion.

Until the Alzheimer's sets in... or you have one too many at a party the night before... get a concussion...

Better write it on a Post-It Note... then again, better not [slashdot.org] .

Re:Immutable, too. (1)

kjart (941720) | more than 8 years ago | (#15756050)

When your fingerprints have been compromised (not very hard to do) you can't change them. For this reason, I don't think biometrics is a viable solution. A long passphrase is much better, in my opinion.

Sure it is - but only so far as it enhances existing security. Using it to replace existing technologies might be a mistake, but using it to supplement them surely isn't.

Re:Immutable, too. (1)

JeanBaptiste (537955) | more than 8 years ago | (#15756090)

... I've had the ends of several of my fingers severed (many many years ago).

While I wouldn't consider myself handicapped (I still type much faster than most people), there are some definite accessibility concerns for some of these things that I have not seen addressed...

File under "Told you so" (5, Insightful)

Kadin2048 (468275) | more than 8 years ago | (#15756142)

Yep ... which is exactly what people who know anything about information security have been saying for a while.

People think that biometrics is some sort of magic bullet, because for years they've seen retina scans and fingerprint scanners on TV in all sorts of "high security" situations. But in reality, a fingerprint scan is probably not that much better than a good password -- it's certainly better than a shitty password, and in combination with a password it's probably better, but alone it's terrible.

The fact that you can't change your fingerprints is a real problem if they start to use biometric systems for authentication. Particularly since there are biometric-ID systems used by children: in my area, they're currently testing and preparing to roll out a school-lunch system that uses fingerprints (it's a debit system -- no more stolen lunch money, and no way to tell who's on the subsidized lunch program or not). When you start using biometrics that young, you have a long time for them to possibly get compromised and spoofed.

The fingerprints you have, you own for life: so any system has to be built on the assumption that they will be compromised. In particular, future systems should be built knowing that people are going to come in who've already had all 10 fingerprints compromised already. The solution isn't to just come up with more biometric identifiers to use as secrets, the solution is to not use them as secrets at all.

Same old adage... (1, Redundant)

brunes69 (86786) | more than 8 years ago | (#15756799)

People in security have known this for a long time. There are three types of identifiers -

- Something you know (a password, an answer to a question that requires private knowledge, a PIN number),

- Something you have (an RFID card, a secureID token, a bank card)

- Something you are (fingerprint, DNA, retina, brain wave)

Any *one* of these metrics is too easy to bypass. Any system that requires security should use *at least* two of these factors for authentication (eg, banks use a card + a PIN). Being able to just swipe your thumbprint to enter a secure area is bad. Having to swipe it *and* know the password is not as bad - if the thumbprint is compromised, they still need to know the password. If the password is compromised, they still need your thumbprint. Hopefully you will discover that A is compromised and rectify it before B is compromised as well. If you had used all three types, you would have also had to lose your security token - something that should be noticed and replaceable quite quickly.

Re:Same old adage... (1)

KarmaMB84 (743001) | more than 8 years ago | (#15756952)

For one thing research is ongoing on ensuring the scanned print is coming off the *flesh* surface of a warm, live finger attached to a live human being.

Re:Same old adage... (1)

Wellspring (111524) | more than 8 years ago | (#15757068)

If you as a verifier can ensure the security of the reader hardware, then that's great. If not (for example, for devices sold/leased/loaned to retailers), then what you have is a vendor login and what is essentially a long passphrase. Because all you KNOW is that something claiming to be a biometric reader is logging into your verifier service and presenting a stream of digitized information.
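As an added example (not part of any comment in this thread, and not code from any product discussed here), the following sketch shows the verifier-side check that the comment above implies: the template itself is treated as non-secret, and a capture is accepted only if it is bound to a fresh, single-use challenge and carries a MAC from a known reader. The class name, message layout, `NONCE_TTL` value and the per-reader key are all assumptions; if that key can be extracted from untrusted hardware, the scheme reduces to the "long passphrase" the comment describes.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)


def reader_tag(key, reader_id, user_id, nonce, sample):
    """MAC a reader computes over one capture; fields are length-prefixed."""
    parts = (reader_id.encode(), user_id.encode(), nonce, sample)
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Hypothetical verifier service; the message layout is an assumption."""

    def __init__(self, reader_keys, enrolled):
        self.reader_keys = reader_keys  # reader_id -> per-device secret
        self.enrolled = enrolled        # user_id -> enrolled template bytes
        self.pending = {}               # nonce -> (reader_id, expiry time)

    def challenge(self, reader_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (reader_id, now + NONCE_TTL)
        return nonce

    def verify(self, reader_id, user_id, nonce, sample, tag, now=None):
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)  # each nonce is single use
        if issued is None:
            return "unknown-or-reused-nonce"
        if issued[0] != reader_id or now > issued[1]:
            return "stale-challenge"
        key = self.reader_keys.get(reader_id)
        if key is None:
            return "unknown-reader"
        expected = reader_tag(key, reader_id, user_id, nonce, sample)
        if not hmac.compare_digest(expected, tag):
            return "bad-reader-mac"
        # Stand-in for a real fuzzy matcher: exact comparison of template bytes.
        template = self.enrolled.get(user_id)
        if template is None or not hmac.compare_digest(template, sample):
            return "no-match"
        return "ok"


def demo():
    """Run constructed scenarios and return the verifier's decision for each."""
    key = secrets.token_bytes(32)
    template = b"constructed-template-bytes"  # constructed sample, not real data
    v = Verifier({"door-1": key}, {"alice": template})
    out = {}

    # Genuine reader answers a fresh challenge.
    n1 = v.challenge("door-1", now=0)
    t1 = reader_tag(key, "door-1", "alice", n1, template)
    out["genuine"] = v.verify("door-1", "alice", n1, template, t1, now=1)

    # The same recorded message presented a second time.
    out["replay"] = v.verify("door-1", "alice", n1, template, t1, now=2)

    # The recorded MAC presented against a new challenge.
    n2 = v.challenge("door-1", now=3)
    out["old_tag_new_nonce"] = v.verify("door-1", "alice", n2, template, t1, now=4)

    # Correct template bytes, but the sender does not hold the reader key.
    n3 = v.challenge("door-1", now=5)
    wrong = reader_tag(b"\x00" * 32, "door-1", "alice", n3, template)
    out["copied_template"] = v.verify("door-1", "alice", n3, template, wrong, now=6)

    # Genuine reader, but the answer arrives after the challenge expired.
    n4 = v.challenge("door-1", now=10)
    t4 = reader_tag(key, "door-1", "alice", n4, template)
    out["late"] = v.verify("door-1", "alice", n4, template, t4,
                           now=10 + NONCE_TTL + 1)
    return out


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:20s} {decision}")
```

Knowing the template alone gets a `bad-reader-mac`, which is the sense in which the biometric is an identifier here and the reader key is the secret.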

Re:File under "Told you so" (1)

electroniceric (468976) | more than 8 years ago | (#15757027)

I've been giving some thought to this lately, and there's literally no identifier that you can use on a long-term basis that does not lend itself to being captured or mimicked in some way. Fingerprints, retina, DNA, secure key, password, etc. What it really comes down to is verifying not only identity but location (which uniquely identifies you in a way that incorporates the dimension time, as you're only in one place at a time) and volition. I am this person, I am in this place, and I wish to initiate the thing that's being done. I think it would make sense to pay more attention to the latter two than to try to come up with ever more clever key-based identity checks.

Re:Immutable, too. (1)

vertinox (846076) | more than 8 years ago | (#15756330)

When your fingerprints have been compromised (not very hard to do) you can't change them

Ummm.... Yes you can. Although it requires an exacto knife, a hot iron, and a bottle of tequila.

But seriously, one of my friend's bio-metric logon dongles they had for their computer wouldn't recognize one of my fingers after I had an accident with a hot light bulb. It burned my thumb print til it blistered and I removed the dead skin leaving only smooth raw skin exposed for a bit. Actually, it wasn't as much an accident as me being stupid.

But still... I noticed that the device couldn't read a smooth print. It grew back though.

Re:Immutable, too. (1)

hotdiggitydawg (881316) | more than 8 years ago | (#15756976)

Actually they are only immutable if you use your own in the first place. The obvious solution? Keep a healthy supply of other people's body parts in your freezer, and discard once compromised...

The Only Thing ..... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15755934)

The only thing that makes my life complete is when I turn your face into a toilet seat...

I'm gonna piss on you
drip
drip
drip
Pee on you piss on you piss on you

LOL @ #buttes, failures.

The only thing safe and secure... (1)

digitaldc (879047) | more than 8 years ago | (#15755947)

...are the thoughts in your own mind.

Well, that's what I used to think.

No, you can't moderate me as paranoid.

Of course.

Really now, is that what you think?

Re:The only thing safe and secure... (2, Funny)

Billosaur (927319) | more than 8 years ago | (#15755988)

...are the thoughts in your own mind.

That's what you think!!! (Pulls tin hat tighter around head)

Re:The only thing safe and secure... (1)

digitaldc (879047) | more than 8 years ago | (#15756029)

My tinfoil hat has three layers to ensure that I am extra-protected.

I still don't see why everyone is snickering at me when I go to the gym to workout?

Re:The only thing safe and secure... (1)

operagost (62405) | more than 8 years ago | (#15756181)

Didn't you notice that all the hipsters are wearing TITANIUM hats now? Tinfoil is so last week!

hmm.. (5, Interesting)

bigattichouse (527527) | more than 8 years ago | (#15755965)

Let's see.. I remember a very detailed Expose [imdb.com] on these so called "borrowed ladders". Gee. You write a movie about it, and it takes almost 10 years for it to become a top news story on slashdot. I also remember an eye-scan in a movie using a plucked eye. Spaceballs used an unconscious guard's hand. As well as the "removed hand". Even scooby doo, Daphne used powder makeup to bring out the pattern of a thumbprint on a scanner to unlock something or other.

I am prepared (5, Funny)

krell (896769) | more than 8 years ago | (#15755966)

Always carry a pocketful of eyeballs and thumbs...and realize, at one point, those lil' orbs are going to accidentally fall out and you are going to be chasing those slippery rolling suckers all over the floor.

Re:I am prepared (1)

$RANDOMLUSER (804576) | more than 8 years ago | (#15756004)

> Always carry a pocketful of eyeballs and thumbs...
At least that way you'll always be able to find your keys - just follow your nose.

Allright! (2, Funny)

Nijika (525558) | more than 8 years ago | (#15755983)

This adds further realism to Charlie's Angels.

$5 counter measure (1)

Larus (983617) | more than 8 years ago | (#15755994)

For every one billion dollar solution, there is a five dollar way to counter it. The weak link is not even in database - although collecting biometric data from 300 million people will be a real pain. Forging data is like stealing passwords, and once stolen, users are even less likely to set a 'secure password' or change the biometric signatures. So much for the brave new world.

Re:$5 counter measure (1)

pedalman (958492) | more than 8 years ago | (#15756360)

For every one billion dollar solution, there is a five dollar way to counter it. The weak link is not even in database - although collecting biometric data from 300 million people will be a real pain.
No, collecting biometric data from 300 million people would be the NSA's ultimate wet dream.

Re:$5 counter measure (1)

kdemetter (965669) | more than 8 years ago | (#15756419)

The scanned fingerprint could be used to gain access to other places, since your fingerprint would be the same.

So anyone with a biometric scanner could use your fingerprint against you. Or they could sell it.

Slashdot 2015 (3, Funny)

kkiller (945601) | more than 8 years ago | (#15755997)

Rise in Eyeball Mugging and Drive-by Thumb Stealing Blamed on Biometric-scanning vidiPods

Biometrics should be an *added* level of security (2, Interesting)

PFI_Optix (936301) | more than 8 years ago | (#15756005)

Anyone who relies on biometrics alone is asking for trouble.

Fingerprint: not secure
Fingerprint + password: more secure
Fingerprint + password + voice sample: even better.

There are harder biometrics to reproduce, like the thermal patterns of your face. For highly secure areas, multiple biometric keys, a memorized password, a voiceprint, plus a physical key/card would be ideal. And of course there's the good old-fashioned trustworthy security guard to make it even harder for the wrong person to get where they shouldn't be (assume you're restricting physical access).

Re:Biometrics should be an *added* level of securi (0)

Anonymous Coward | more than 8 years ago | (#15756676)

"There are harder biometrics to reproduce, like the thermal patterns of your face."

Hope you never have a fever.

Re:Biometrics should be an *added* level of securi (1)

PFI_Optix (936301) | more than 8 years ago | (#15756766)

Hope you're not going to work with a fever :p

So far as I know, the *patterns* don't change, just the temperature. Sufficiently intelligent software could compensate.

Re:Biometrics should be an *added* level of securi (0)

Anonymous Coward | more than 8 years ago | (#15756894)

I'm sure there are ways to change the pattern temporarily. Sunburn on your forehead only, like I have now, should change the pattern. I imagine a bruise on your cheek could change it too.

Re:Biometrics should be an *added* level of securi (1)

sckienle (588934) | more than 8 years ago | (#15756945)

Fingerprint + password + voice sample: even better

If you accept the concept of being able to spoof biometrics, finger and voice prints were mentioned as possible ones in the blurb, then this "even better" security really falls back to the "simple" password security.

I would still prefer security I can modify and change easily rather than security that is part of me.

Beating the System (1)

organgtool (966989) | more than 8 years ago | (#15756009)

I've just completed my brilliant plan to avoid having my fingerprints stolen. It took a lot of alcohol and a lot of paper towels to stop the bleeding, but now all of my fingertips have been severed. It sure beats wearing gloves all of the time and I can make up some elaborate story of how I lost my fingertips in combat to impress the ladies. It's foolproof!

Now if you'll excuse me, I'm feeling a little light-headed.

Re:Beating the System (1)

PFI_Optix (936301) | more than 8 years ago | (#15756028)

I've heard that people in some lines of work lose their prints due to constant friction on their fingertips. If that's true, you could actually sand off your fingerprints.

It'd hurt, but it would be a lot less dangerous than the alternative...

Re:Beating the System (1)

Lunar_Lamp (976812) | more than 8 years ago | (#15756393)

Fingerprints grow back though, so you'd have to do it regularly.

done one hand, need help. (0)

Anonymous Coward | more than 8 years ago | (#15756080)

I took your advice and now I have cut off all my fingers on my left hand. Now I am stuck. How did you do the other hand? Thanks for any help you can give.

Re: Our faces and irises are visible. (3, Funny)

tomhudson (43916) | more than 8 years ago | (#15756047)

Our faces and irises are visible and our voices are being recorded.

http://www.theatlantic.com/doc/200209/mann [theatlantic.com]

Iris scanner - a million bucks

Glasses with a picture of someone else's eyeballs - $5.00

Stickin' it to da man! - priceless.

The Gattaca Solution (3, Interesting)

Billosaur (927319) | more than 8 years ago | (#15756049)

Blood. A mix of your DNA plus biomarkers. Of course if you've seen the movie, perhaps that too can be spoofed.

In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.

Re:The Gattaca Solution (2, Funny)

digitaldc (879047) | more than 8 years ago | (#15756084)

In the end, there's no truly safe solution, except for multiple layers of passwords, biometrics, DNA samples, and the like, and even then, a determined foe will find a way to breach it. What Mankind can create, Mankind can subvert.

Sorry, your identical human clone has already cleared out your bank account and stolen your wife as you read this.
Better luck next time!

Re:The Gattaca Solution (1, Funny)

Anonymous Coward | more than 8 years ago | (#15756214)

What Mankind can create, Mankind can subvert.

Clearly it's time to start having dolphins create secure systems for us.

Obvious to a kid (1)

Valacosa (863657) | more than 8 years ago | (#15756056)

Even when I was a little kid I had a low-tech method for copying fingerprints - I noticed that partially cooled hot glue was not that painful to stick my thumb into, and it retained most of the detail from my thumbprint. I never got around to developing a method for copying my thumbprint again so as to have a properly oriented image, but I wasn't that bent on committing a crime, either.

I predict security overall will actually get worse as time goes on, as guards rely blindly more and more on flawed technology and get less discerning because of it.

American Pie 2 (0, Offtopic)

krell (896769) | more than 8 years ago | (#15756126)

"Even when I was a little kid I had a low-tech method for copying fingerprints - I noticed that partially cooled hot glue was not that painful to stick my thumb into"

I know that there is a certain related painful and sticky situation you also got into that you'd rather not tell anyone about as well.

Depends on the biometric scanner (1)

gr8dude (832945) | more than 8 years ago | (#15756068)

If you don't choose the cheapest ones on the market, then things are not THAT bad. Some scanners will take into account factors such as skin humidity, temperature, etc. Thus you can't just 'copy/paste' the fingerprint; nor can you chop off the person's finger.

Take a look at the unique identifier generated by the biometric scanner, some generate a 600b 'digest' of the finger, others need several KB (hence more valuable data are stored).

I don't know about other types of biometric scanners.. I wonder, how voice scanners handle such cases; i.e. what makes it impossible to record one's voice and play it back? Perhaps they acquire some special unique features of the voice and then require the person to read a randomly generated string of characters? (so there's no way to conduct a replay attack)

Somehow, I can't see voice recognition working... (1)

Panaqqa (927615) | more than 8 years ago | (#15757083)

I mean really. My voice changes all the time, sometimes quite often. I smoke and in the morning, my voice is quite deep. If I get a sinus cold or the flu, my enunciation is different. If I am under a lot of stress, it changes again - a fact some commercial lie detectors claim to be able to detect. So I'm not sure voice recognition would fly.

Iris patterns? You've heard of the infamous double swipe, sometimes accomplished by a card scanner device placed over the top of the legitimate one. How long before criminals are collecting your iris patterns using a fake eyepiece over the top of the real one? Fingerprints? Did you know that, either through accident or genetics, about 2% of people leave no usable fingerprints? Life can get very difficult already for these people, without the added problem of "access denied".

For biometrics to truly work, it will need to be a combination of things, as previously suggested, plus a PIN or password. Which combination it will turn out to be, who can say?

Three ways to authenticate yourself (3, Informative)

inviolet (797804) | more than 8 years ago | (#15756073)

There are three ways to authenticate yourself:

  • something you are (fingerprints, irises, etc.)
  • something you know (passphrase, mother's maiden name, etc.)
  • something you have (key, RSA token, access card, etc.)

As many have already pointed out, the best security uses a combination of two of the above. This is so because each one of the above has an inherent weakness.

Re:Three ways to authenticate yourself (1)

Ruvim (889012) | more than 8 years ago | (#15756711)

It is becoming apparent that "something you are" part is quickly merging with "something you have" part as it is becoming easier to "steal" biometric properties. That, or just plain cut a hand/poke an eye scenario comes to mind.

Re:Three ways to authenticate yourself (1)

Ruvim (889012) | more than 8 years ago | (#15756823)

Could use brain-wave authentication, which is kinda hard to read out unless you allow it, and use encryption on the receiver side, so even if someone steals the sample against which activity is measured, he can't re-produce activity signature itself.

Biometric hand scanners (1)

Iphtashu Fitz (263795) | more than 8 years ago | (#15756082)

The datacenter that I spend a lot of time in for work uses these [flickr.com] biometric hand scanners. I've been told that they measure the bone density of various bones within the hand. If that is how they work then I'd think it'd be a pretty tough thing to fake. Anybody know if that is how they actually work? How reliable they really are?

Re:Biometric hand scanners (1)

jo42 (227475) | more than 8 years ago | (#15756162)

Do they check to see if the hand is still alive? As in attached to a human body?

Re:Biometric hand scanners (1)

drewzhrodague (606182) | more than 8 years ago | (#15756254)

The datacenter that I spend a lot of time in for work uses these biometric hand scanners.

Eeeew, hand scanner! One of my colos had those installed. I asked them nicely, and they gave me a proximity card instead. With people spending so much time fixing machines, there's no telling what these people do -- pick their nose, scratch their ass, do whatever icky things you can imagine in the can, and then put their nasty greasy hands on those things. Look more closely at the flickr image (or please post a higher res version!) -- you'll notice slime from other people's hands on the scanner. Are you sure you want to touch that?

Re:Biometric hand scanners (0)

Anonymous Coward | more than 8 years ago | (#15756662)

How do you open doors/use public terminals/operate in the real world? Unless you're putting your fingers straight in your mouth what's the problem, just wash your hands before you eat. Everything you touch has probably been touched by somebody else at some point.

Re:Biometric hand scanners (0)

Anonymous Coward | more than 8 years ago | (#15757031)

Are you sure you want to touch that?

I often go "ick!" when at the supermarket and need the use of a trolley. Putting my greasy mitts on the greasy mitts of a million other people. Then there are buses and trains, etc...

But here is the killer.... what is the point in washing your hands at a public toilet, when you have to open the door to get out and lots of dirty fuckers have not washed their hands and then also had to touch the same door handle to get out? There are also the taps themselves. Your dirty hands, along with a million others, touch the tap head, dirty the tap head, are cleaned and then touch the dirty tap head again!

Thankfully, I am noticing in Sydney Australia, that it is becoming more common now in new public buildings to have NO door to the entrance of restrooms and NO tap handles (in favour of proximity sensors for the taps).

Anyone else try to open the doors in the most un-natural way possible? Grabbing an odd place, using your foot, opening with a paper towel, etc? Flush the toilets with toilet paper and then throwing it in the flushing toilet at the last moment, then wishing you'd kept it to open the cubicle door and having to get another piece?

It does not help your paranoia when you see some sick fuckers write on the toilet walls in shit, and the glory-holes which are sometimes complete with pubic hairs stuck to shit around them. GOD - DAMN.

Re:Biometric hand scanners (0)

Anonymous Coward | more than 8 years ago | (#15756713)

I have used the same device. If your right-hand is your recorded "password", try taking your left hand, flip it over, and see if it fools the device. I could usually fool it with my left hand upside-down.

The device I used was a part of a dead-man's closet. It has two glass doors, you one entry and one exit. You are now locked in. You must authenticate or a guard will have to let you out. Authentication requires:

1. Hand Geometry biometric device
2. You must weigh within 40 pounds of your last entry weight
3. Swipe your security card
4. Type in your PIN

5. If you fail 3 times, the closet-room-thing fills up with water and live sharks are introduced.

Just kidding on #5.

Re:Biometric hand scanners (1)

Ski_Bird (161318) | more than 8 years ago | (#15756941)

Well, they're very reliable. That's why they're the most common biometric access and time and attendance terminal on the planet. As far as bone density, no. It measures a 3d image of your hand and turns that image into a 9 byte number. Yes, NINE bytes. Those nine bytes represent your hand's uniqueness, not its image. It illuminates your hand with infrared against a predictive pattern platen from the top as well as a mirror across the hand for its height. IR is hardly able to measure bone density...

Re:Biometric hand scanners (0)

Anonymous Coward | more than 8 years ago | (#15756974)

I'm quite certain they merely detect "hand geometry". The lab I work in deals some with biometrics, and one of those scanners just came in the other day. There's a mirror on the left side that points at an angle. I imagine it just bounces a laser in a spectrum we can't see. It seems like too much of a hunk of crap to measure bone density, among other things.

On another note, I personally am...... quite strictly left handed, and we discovered that there is a "handicapped mode" where you still scan a hand, but when you log in, it ignores the biometrics altogether, and authenticates solely on your ID number.

Similar scanners are used at my college to attend sporting events. Students run through a hand scanner to get in. As I mentioned though, I'm strictly left handed, so these scanners do not work for me, but I just tell the guard that I am handicapped, and he doesn't check anything at all, he just opens a separate entrance for me.

Hmmmm...

Old News (1)

Anon-Admin (443764) | more than 8 years ago | (#15756085)

I could beat some of the early biometric thumb print scanners with a penile, pocket knife, and a couple of seconds. Wipe it clean, watch for someone to use it to log in, dust it with fine graphite, cover scanner with hand or shirt, press scan button.

The real question is what happens when the person does not have a finger print? I don't!

The state started scanning everyone's finger prints in to get a driver's license. I used a belt sander and an 80 grit sanding belt. 3 minutes and No more finger prints! They are dead skin, they come off easy.

Oh well, I never liked the whole biometric thing. A 10 character randomly generated password using a combination of upper case, lower case, letters, numbers, and special character works just fine for now.

--

Are you truly paranoid if they are out to get you?

Re:Old News (1)

inviolet (797804) | more than 8 years ago | (#15756133)

I could beat some of the early biometric thumb print scanners with a penile, pocket knife, and a couple of seconds.

So you're saying that your penis is about the same size as a typical thumb?

Next time you post information like this, you should probably do it anonymously. And, be careful with that pocket knife, or you may end up limited to pinky-print scanners. :)

Re:Old News (1)

Anon-Admin (443764) | more than 8 years ago | (#15756277)

Oops,

That is what I get for being in a hurry and just clicking ok through the spell checker.

lol, sorry it should read pencil

Grow some balls, people! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15756109)

This world has become so politically correct that it's practically a crime to even label someone as a criminal. What we need is for government leaders, politicians, and law enforcement to grow some real balls and do their jobs. This total pussification of the world is leading us all down a horrible path.

Demolition man (1)

nuggz (69912) | more than 8 years ago | (#15756154)

In demolition man they make it clear that biometric ID might have flaws.

I actually thought it was quite funny how they suggested he could simply rip off someone's arm to "mug" them.

DNA left everywhere? (1)

gEvil (beta) (945888) | more than 8 years ago | (#15756159)

Fingerprints and DNA are left everywhere we go...

I'm not so sure I wanna know what it is you're doing that's leaving DNA everywhere... : p

Re:DNA left everywhere? (1)

ChristW (18232) | more than 8 years ago | (#15756337)

I'm not so sure I wanna know what it is you're doing that's leaving DNA everywhere... : p


Dead skin cells? Hairs dropping off your body?

Re:DNA left everywhere? (0)

Anonymous Coward | more than 8 years ago | (#15756353)

Man, don't you watch any true crime shows on the Discovery/History/Learning/CourtTV channels?

They can get your DNA off of a drinking glass or a cigarette butt.

TLAs Won't Use Them (1)

ec_hack (247907) | more than 8 years ago | (#15756160)

If fingerprint sensors were any good, the TLAs would be using them to protect classified data. Instead, companies that have such data have been told that they are not to use fingerprint scanners for that purpose.

Don't use it for anything valuable (1)

badfish99 (826052) | more than 8 years ago | (#15756180)

Given what happened to this BMW owner [engadget.com], I would suggest that no one with any sense should use biometric security to protect anything that is valuable to thieves.

Re:Don't use it for anything valuable (0)

Anonymous Coward | more than 8 years ago | (#15756322)

it was a Mercedes S-Class and it was brought up before
http://it.slashdot.org/comments.pl?sid=155452&cid=13031660 [slashdot.org]

recycling's great but in comments please, not that stories don't get duped too

The perfect crime (1)

Opportunist (166417) | more than 8 years ago | (#15756182)

Now that we revel in our genius that allowed us to solve every criminal puzzle, it is easier than ever to create the perfect crime. In our hubris of being on the edge of technology, we forget that people learn to lie with what used to be "objective evidence".

What is the perfect crime? One that cannot be solved? No. The perfect crime is one that is actually solved but with a different culprit than you. It is perfect in that sense that it closes the case. As soon as someone is locked up, the case is dropped. You're safe. They got a culprit, you go free.

Perfect crime.

Now, as we all know, if from nothing else but CSI and all those other criminal detective shows that spring up left and right, we all leave a billion of traces wherever we go. Fingerprints, drops of sweat, rubbings of our clothing, shoeprints, spit, you name it. No matter what you do, you can't help but leave a trace. Now, it seems that prosecutors take for granted that we don't know that we do it.

For example, take a cigarette stub found at the scene of crime. They take it apart and find a DNA sample and use it as THE clue to find the delinquent. How hard is it, though, to pick up a stub (or a few of them from an ashtray) and place it carefully at the crime scene to be found? There is hardly anything easier than that. Yet this is (way too) often one of the cornerstones of prosecution, because "witnesses can lie, objective evidence cannot". Yet here you have the perfect example of lying evidence. Because the real offender crafted the scene to fit the intended outcome.

I don't even want to imagine how many people are in prison, innocently, because they've been framed, and the prosecutors fell for the ploy.

Re:The perfect crime (1)

Lunar_Lamp (976812) | more than 8 years ago | (#15756515)

You're forgetting something. It is actually quite hard to do what you say, and not because you need to not leave a trace of yourself at the scene of the crime as well as leave a trace of someone else. You need to pick someone who was able to commit the crime (i.e. no alibi), and preferably if the crime is one such as assault or murder, someone with a motive. You also need to have no witnesses etc. Even if objective evidence is regarded as not being able to lie (and I would question this statement), it is still not as simple as you suggest to manufacture it to your own purposes as there needs to be, at the very least, lack of contradictory evidence.

Re:The perfect crime (1)

Opportunist (166417) | more than 8 years ago | (#15756792)

Murder is something you should do with careful preparation. That includes not only finding a victim but also a culprit, and then framing the latter.

Actually the way the police works plays into the murderer's hands, because they need a quick success. The longer the trail chills, the lower the chance for success becomes. Also, they usually have a lot of pressure down their neck, so they have to present SOMEONE soon. And they usually grab the first suspect available. Just make sure the trails to him are strong enough to convince them so they stop digging.

Re:The perfect crime (4, Insightful)

lordsid (629982) | more than 8 years ago | (#15756542)

The perfect crime is not a crime that is "solved" with someone else blamed. It's a crime that no one ever realizes was committed.

Re:The perfect crime (1)

Valacosa (863657) | more than 8 years ago | (#15757013)

Rigged American^H^H^H^H^H^H^H^H Elections?

Be careful of where you leave your DNA... (1)

db32 (862117) | more than 8 years ago | (#15756186)

Well if it wasn't enough to worry about already. Social security numbers...addresses...birthdays...Now that hooker you were with anonymously can use your DNA to steal your identity! At least if you were dumb enough to leave the wallet on the counter while you were rinsing off hooker spit you could change your credit cards and such...can't really change your DNA...at least not without some radiation and rather dire consequences.

The failure of thumb and iris biometrics. (2, Funny)

krell (896769) | more than 8 years ago | (#15756204)

You'll see it, day after day. At Star Labs, everyone with proper clearance peers into the little iris-recognizing window and presses their thumb on the panel. They are then permitted into the building. Sitting on a bench near the entrance you'll find Edward Scissorhands and Scott "Cyclops" Summers, forlornly begging everyone who walks by and enters the building to for once, break security protocol and just let them in!

Raku (1)

bigattichouse (527527) | more than 8 years ago | (#15756205)

In college I had a ceramics/wheel-thrown pottery prof who told a great story about fingerprints. He was a Raku(sp?) artist, which is a clay base that has a lot of sand in it... your pieces are more glass than stone. Additionally, you reduction fire it so your glazes come out with streaks of metal.. there's also some neat stuff with crackle and wood chip carbon filling the cracks. ANYWAY... think about it, this guy was doing his graduate work in an art medium that required him to have his fingers brushing against what amounts to sandpaper every day for several months. He was pulled over for speeding, and for one reason or another ended up going "downtown" to get printed (probably for being vocal about certain "pork related" professions - this was the 1960's). One minor problem, the Raku had filed off all his prints (temporarily). After much interrogation, and a night in jail, he was able to get a hold of his major professor to clear up the matter the next day. They assumed he was some sort of fugitive.

Weak article, takeaways stay the same (0)

Anonymous Coward | more than 8 years ago | (#15756209)

To save everyone (everyone being a minority of /.'ers who RTFA) some time, the article itself is short and only vaguely points out that we leave biometric footprints everywhere we go. We're constantly audio/video recorded by both government and private industry cameras, leaving our fingerprints all over, and depositing our DNA on everything.

The long story short, as many will point out, is that biometrics are not a replacement for multi-factor authentication. However, it should be noted that the technology is improving, and eventually would not be a poor choice for a reliable "N-th" factor addition to physical security. Small gains are being made frequently in the reduction of false positives and negatives, "live finger" recognition (or real face, or actual voice, etc), and costs.

Additionally, anyone who is expecting this to be completely optional 10 years from now deludes himself. To say such a thing would be to become the person who believed computers would never become an integral part of everyday life, nor would credit cards ever really take off. You may be able to live without these things in your personal life, but the constantly shrinking and interconnected world cannot.

These technologies will be adapted by companies involved with such simple tasks as grocery shopping and other retailers. An interesting example? I was with my girlfriend at a Crate n' Barrel, and they require fingerprint login at their Point of Sale terminals. After asking why, the clerk told me that it prevents employees from logging in as other employees (through employee PIN) and giving massive discounts to friends. I'd say that's a pretty smart application of biometrics in this case.

Enjoy the Biometric revolution folks! It's happening right now!

Change my passwor... er fingerprints? (3, Interesting)

fish_in_the_c (577259) | more than 8 years ago | (#15756227)

The biggest problem with biometrics is after it is compromised it cannot be changed.

Sure, you have 10 fingers and 2 eyes, but when it comes to it you will never get ADDED security with a biometric-only system.
Biometric + password + keycard is the securest solution.

something you are, something you know, something you have

As the phrase goes in the banking security industry.
Those have always been the only 3 options for establishing 'trust' with an unknown entity.

OK kids... repeat after me... (3, Insightful)

hagbard5235 (152810) | more than 8 years ago | (#15756253)

Identification is not authentication.

Biometrics are fine identifiers. They are unique and immutable.

Identification is not authentication. Not even close. Just because someone presents an identifier does not mean they are the authorized thing represented by that identifier. By their very nature, identifiers are promiscuous.

Obligatory Demolition Man quote (1)

novus ordo (843883) | more than 8 years ago | (#15756295)

Lenina Huxley: That is correct, money is out-moded. All transactions are through code.
John Spartan: All right, so he can't buy food or a place to stay for the night. And, it would be a waste of time to mug somebody. Unless he rips off somebody's hand, and let's hope he doesn't figure that one out.

DNA sample (1)

us7892 (655683) | more than 8 years ago | (#15756395)

All of these at once:
* A little piece of hair, saliva, blood sample (for DNA)
* A fingerprint scan, but it must have a warm pulse
* An eyeball scan
* A voice print

That might do it. Throw in a universal ID chip too. Analyze it all in under 5 seconds, and you're into the ATM booth...

Carjackers have already removed a victim's finger (2, Interesting)

dpbsmith (263124) | more than 8 years ago | (#15756452)

This article [assaabloyfuturelab.com] says "A March 31, 2005 report in Malaysia's New Straits Times describes how a luxury car owner, Mr. Kumaran, was attacked by a gang of car thieves. His ordeal was apparently made worse because his S-Class Mercedes Benz was equipped with a biometric lock that prevented the car from being started without authentication by his finger or thumb print. At first the thieves had Mr. Kumaran start the car using his fingerprint. Then they took him, along with the car, to a chop-shop where they had hoped that the security system could be bypassed. When they decided that they couldn't override the security and that the fingerprint was required, they took Mr. Kumaran's left fingertip and dropped him off along the roadside where he was eventually able to find medical help."

I guess I'd prefer to have the bad guys to use a reasonable facsimile of my finger, retina, etc. than to have them use the real thing.

nothing special (1)

spykemail (983593) | more than 8 years ago | (#15756478)

It's just like any other security technology, nothing special. I never understood why people hold biometric data in such high regard as a security measure. Though it's true the average person probably can't spoof your data it's rarely the average person that wants to. I'm sure if the technology becomes more popular there will be the usual war between hackers and spoofers and the security industry. To its credit I find it more likely that my roommate could guess a password than spoof my fingerprint, though that could easily change in the future.

People or computers? (1)

4solarisinfo (941037) | more than 8 years ago | (#15756495)

Don't get me wrong, I'm not pro-people by any stretch of the imagination, except when it comes to security. Sure people are lying, crooked, cheating, thieves, but they're still a lot smarter than computers. The question needs to be are we turning our information and lives over to the security of an algorithm, or to a person? The bank teller used to know your name, and that worked, then we needed photo ID's, then we need biometric ID's, smartcards, magnetic cards, backed and controlled complicated computer systems (outsourced to India), and now our money is less secure.

I'm designing a development lab for some programmers. They work on a closed system, not in any way connected to the outside world or internet. It exists on a highly secured base. It is guarded by guys with big guns. Only about 10 people need access to the room. They wanted PKI and smartcard verification for login. Uh, dudes, you'd be better off just telling the guys with the guns to shoot anyone he doesn't know and keeping the door locked.

Sometimes, simple is better, and every once in a while, people are more capable than the machines they work on.

Earliest reference to biometric spoofing? (2, Interesting)

Rob the Bold (788862) | more than 8 years ago | (#15756499)

The earliest reference to biometric spoofing that I'm aware of was the book: "The Red Thumb Mark" by Austin R. Freeman. It was published in the early 20th century. The detective (Dr. Thorndyke) suspected that a bloody thumbprint left in a burgled safe was actually a plant to "finger" an innocent man. The mystery wasn't so much the identity of the crook -- which you guess correctly in the first few chapters -- but the means of making the spoof and the method of proving his crime.

The first edition I've seen is dated 1928, but I think it was initially published nearer to 1900. The idea has been around for a while.

Viable Solution (1)

accurrent (985697) | more than 8 years ago | (#15756510)

Honestly, there will never be a truly perfect authentication solution. Fingertips can be taken just as easily as passwords.

All biometrics are permutable (1)

mclaincausey (777353) | more than 8 years ago | (#15756522)

Even retinal scans are permutable. So I think you have to consider biometrics as a single factor in multi-factor authentication. If looked at as another layer in your defenses and not a defense in and of itself, then it becomes useful.

Gattaca (1)

Guitarzan (57028) | more than 8 years ago | (#15756526)

Yep, and I just picked up a copy of Gattaca for $5 yesterday...

Coincidence?

Untrue what is being said (1)

houghi (78078) | more than 8 years ago | (#15756577)

What we often watch in films and television [...] is turning from science-fiction to reality.


It almost implies that if something is science-fiction it will become reality. It is more the other way around. If something is done, somebody will have written about it in SF.

As of yet there is no positronic brain. There is no HAL 9000. I am sure a multitude of SF things can be found that have not and never will be invented.

This will be no different than 'predicting' the future in any other way. Do enough predictions and some will fit. Do them more generic and it will come out even more.

Now that I think about it, that is how the patenting system now works.

An other problem is.... (1)

pierreact (983133) | more than 8 years ago | (#15756758)

If you put the security by biometrics, it means that anyone that *REALLY* wants to break in will need.... you!
Are you right sure you want to expose yourself to such a threat?

Need eye identification? How tempting is that to take the eye of the person?
I won't risk myself on this, I prefer a usb key containing an RSA key or so and a good password....

It's not the type of security, it's the admins (1)

guruevi (827432) | more than 8 years ago | (#15756775)

It doesn't matter which type of security you have, usually it gets compromised because of these 2 things:

Administration and the human being. It's too difficult to manage a 2000 or even 200 member authentication database. The simplest administration is just not done because it is tedious or takes too much time. For example: single time sign on, a user can only be logged in once anywhere, or time constrained logons: there is no reason for an office employee to log in in the middle of the night; on the other hand, the graveyard shift workers in the factory don't need to come in at 12am, and it's not necessary for any employee to be logged in longer than 10 hours (except if you work in the IT department).

But those limits are not being set or used while they were in every single security system before I was even born. Why: it's too tedious work on the side of the department manager or supervisor, it's too much work and administration to let it be done by IT-persons and it's too boring, expensive and sensitive to let it be done by a low-wage computer operator. Automation still needs input from workers or integration between one or more closed source systems.

On the other hand, you have the human being that lets everyone into the building, security guards that think you work there because they've seen you before, meeting rooms filled with all-open network connections and a bunch of people that write down their password on a sticky note, even if it's as simple as their husband's name, brand of monitor or keyboard or something else.

I am a security administrator and I am very picky. I ask everyone that comes in to swipe their badge, I rip off all sticky notes with anything that looks like a password and I reset the password every time I get to know someone's password because they yelled it throughout the office. People get angry at me, I know, but it's their own fault. Nobody is an administrator on the computers I gave them, the site coordinators have only administrator access to limited options and if possible, I enable the encryption modes on devices.

I myself have unlimited administrator access and walk around the hallways without a badge showing. I test physical security and although it's not my responsibility, it's inherently broken because nobody gives a damn. We have to follow Sarbanes-Oxley according to the law and we have implemented it all too well, audits happen every 1, 3 and 6 months by respectively internal, external, governmental audit bureaus but although implemented in our financial systems and it comes out good every single time, I can still manipulate the systems without anyone noticing. When I get out, there is no audit trail, there is no replay, log or anything that can track it back to me, but the values have been changed in the database.
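The three logon limits named in the comment above (one session per user, role-based logon hours, a 10-hour cap with IT exempt) can be checked mechanically against session records. This is an added example, not part of the original comment; the roles, hour windows, hosts and session data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, constructed for this example.
LOGON_HOURS = {"office": (7, 19), "night_shift": (22, 6)}  # [start, end) hours
MAX_SESSION = timedelta(hours=10)
NO_MAX_ROLES = {"it"}  # the comment exempts the IT department

@dataclass
class Session:
    user: str
    role: str
    host: str
    start: datetime
    end: datetime

def in_window(role, when):
    """True if `when` falls inside the role's permitted logon hours."""
    if role not in LOGON_HOURS:
        return True
    first, last = LOGON_HOURS[role]
    if first <= last:
        return first <= when.hour < last
    return when.hour >= first or when.hour < last  # window wraps midnight

def audit(sessions):
    """Return (user, finding) pairs in order of session start time."""
    findings = []
    ordered = sorted(sessions, key=lambda s: s.start)
    for i, s in enumerate(ordered):
        if not in_window(s.role, s.start):
            findings.append((s.user, "outside_hours"))
        if s.role not in NO_MAX_ROLES and s.end - s.start > MAX_SESSION:
            findings.append((s.user, "over_10h"))
        # One session per user: an earlier session of theirs is still open.
        if any(o.user == s.user and o.end > s.start for o in ordered[:i]):
            findings.append((s.user, "concurrent"))
    return findings

def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed session records, not taken from any real system.
SESSIONS = [
    Session("alice", "office", "ws1", _t("2006-07-20 08:55"), _t("2006-07-20 17:30")),
    Session("alice", "office", "ws2", _t("2006-07-20 12:00"), _t("2006-07-20 12:20")),
    Session("bob", "office", "ws3", _t("2006-07-21 02:10"), _t("2006-07-21 02:40")),
    Session("carol", "night_shift", "term1", _t("2006-07-20 22:05"), _t("2006-07-21 06:00")),
    Session("dave", "office", "ws4", _t("2006-07-20 07:30"), _t("2006-07-20 19:00")),
    Session("erin", "it", "srv1", _t("2006-07-20 08:00"), _t("2006-07-20 20:00")),
]

if __name__ == "__main__":
    for user, finding in audit(SESSIONS):
        print(user, finding)
```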

Question (1)

BBlinkk (985908) | more than 8 years ago | (#15756777)

I realize everyone says that biometrics isn't a secure authenticator by itself, but wouldn't you say a retinal scan would be a bit harder to copy than a key? I would think biometrics are just as reliable as an rfid card or a key right now, but much more convenient. I think that's the ultimate issue here, is convenience, because it's easy to lose a key, but how often do you misplace your eyeballs??

Biometric spoofing will have a long history (2, Funny)

stormy_petral (978505) | more than 8 years ago | (#15756810)

Data will use biometric spoofing to take over the Enterprise in 2367: http://en.wikipedia.org/wiki/Brothers_(TNG_episode) [wikipedia.org] So, this problem is apparently here to stay.

This puts the Stem Cell Research ban in perspectiv (1)

fjf33 (890896) | more than 8 years ago | (#15756837)


If we link this story together with the president's veto of the Stem Cell Research and Clinton's Clipper program we begin to see the trend.

They (NSA/CIA/etc) have already developed stem cell research to the point that they can make biometric fakes of anyone. Obviously they want to push for extensive use of biometrics while keeping this ACE in their pockets. In the future we will no longer be using complex things like 1024 or longer keys to encrypt messages. We will be using biometric keys which now they can very easily break.

Biometrics (0)

Anonymous Coward | more than 8 years ago | (#15756880)

Biometrics can be uber-secure and virtually impossible to crack or spoof, but no one with an incentive to generate consulting income will figure out how ... or even imply that it is possible. D&T just wants to create FUD, then charge obscene rates to advise you that the more money you pay them, the better off you will be.

If we're smart... (1)

mengel (13619) | more than 8 years ago | (#15757001)

... we'll use the following equivalence:
fingerprint == username
something else == password
Your username is easily seen, easily copied, and not kept secret, it's just convenient to use something that's hard to lose (i.e. your fingerprint) for it. I might even want to have a copy of my fingerprint on a keyring or something that I can give to someone who I'm authorising to act on my behalf.

The password part should be something you can change if someone gets ahold of it. Possibly even an actual password, or PIN number, or whatever.

Unfortunately, at places like my local grocery store, they're using fingerprints as combination username and password -- one swipe and you've paid. This is a Really Bad Idea in my book. I mean, all someone has to do is follow you to a restaurant, pretend to be a bus boy, grab the glass you were using, and transfer a fingerprint to a piece of Saran wrap, wrap it around their finger, and buy out the grocery store on your credit card.
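The "fingerprint == username, something else == password" split described in the comment above, set beside the one-swipe design it criticises. This is an added example, not part of the original comment; it assumes a sensor/matcher that returns an opaque template ID for a recognised finger, and the account names, template ID and PINs are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example

def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

class Accounts:
    def __init__(self):
        self._by_template = {}  # template ID -> account (the "username")
        self._secret = {}       # account -> (salt, PIN hash), replaceable

    def enroll(self, template_id, account, pin):
        self._by_template[template_id] = account
        self.rotate_pin(account, pin)

    def rotate_pin(self, account, new_pin):
        """Replace the secret; the fingerprint mapping is left untouched."""
        salt = os.urandom(16)
        self._secret[account] = (salt, _hash_pin(new_pin, salt))

    def identify(self, template_id):
        """Identification only: says who is claimed, proves nothing."""
        return self._by_template.get(template_id)

    def pay_fingerprint_only(self, template_id):
        """One-swipe design: whoever presents the print is authorised."""
        return self.identify(template_id) is not None

    def pay_with_pin(self, template_id, pin):
        """Print selects the account, the changeable PIN authenticates."""
        account = self.identify(template_id)
        if account is None:
            _hash_pin(pin, b"\x00" * 16)  # same work for unknown prints
            return False
        salt, expected = self._secret[account]
        return hmac.compare_digest(_hash_pin(pin, salt), expected)

def demo():
    accts = Accounts()
    accts.enroll("tmpl-0001", "acct-shopper", "4812")  # constructed values
    copied = "tmpl-0001"  # a lifted print matches the same template
    results = {
        "one_swipe_accepts_copy": accts.pay_fingerprint_only(copied),
        "copy_without_pin": accts.pay_with_pin(copied, "0000"),
        "owner_with_pin": accts.pay_with_pin("tmpl-0001", "4812"),
    }
    accts.rotate_pin("acct-shopper", "9305")  # PIN leaked: change it
    results["old_pin_after_rotation"] = accts.pay_with_pin(copied, "4812")
    results["new_pin_after_rotation"] = accts.pay_with_pin("tmpl-0001", "9305")
    return results

if __name__ == "__main__":
    print(demo())
```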
