As someone once said, currently if an account gets cracked, you can change your password - but if your biometric details are cracked, you can't exactly change your fingers/eyes etc.
Claims that fingerprints can be cloned from pictures are being taken seriously by security experts, who argue that any possible hack underlines the fragility of the biometric technique. Hacker Jan "Starbug" Krissler cloned the thumbprint of the German Defence Minister Ursula von der Leyen after photographing her hand at a …
Yes. Well, it certainly shouldn't be taken as proof of identity - instead part of some greater whole. The general mantra is "something you have, something you know".
Biometrics are pretty simple for people and, as with many things in security, ease of use is inverse to strength of security.
...A fingerprint is a userid not a password....
No. If that were so, why not just type the ID in - it's cheaper and simpler.
The fingerprint is used as both an identification AND an authentication. It's much like a swipe-card pass, which has a name on it, but also gives the bearer the right to enter doors.
Sure, El Reg is a technology site, so the article focusses on "hacking" - getting into someone else's smartphone and so on. The ability to take a photo of someone's hands and then generate usable "fingerprints" has more problems than just giving someone access to those dodgy selfies you have.
What if I can make a pair of gloves with all ten fingerprints from someone else on them, and then go and commit a crime and leave "my" fingerprints for SoCO to find?
"What if I can make a pair of gloves with all ten fingerprints from someone else on them, and then go and commit a crime and leave "my" fingerprints for SoCO to find?"
But surely every police force has a sufficiently trained and funded CSI team who can analyse DNA from the slightest speck and match it within minutes through a national database which is so fast and efficient it even flashes up the mug shots of each sample it's matching against. Fingerprints are just so 200BC. It's about time something new was tried.
I know you were posting in jest, but even if that was true people leave their DNA all over the place. All you need to frame someone else is a bit of their that would be collected to combine with their fingerprints and you make them the leading suspect.
Especially if their DNA would not be expected at the crime scene but yours would be expected (if you committed a murder in your own home or car where your stooge would rightly claim he's never been)
"But surely every police force has a sufficiently trained and funded CSI team who can analyse DNA from the slightest speck and match it within minutes through a national database which is so fast and efficient it even flashes up the mug shots of each sample it's matching against."
Almost, which is why the smart crooks poison the scene by dropping items they have collected from random places. In the TV show the evil-doers had a "DNA-bomb" device to poison the evidence; how long before we see that in the real world?
...this should be the nail in the coffin of fingerprint authentication, at least of the cheap variety. What is the use if it is tuned to accept anything vaguely resembling the real print?
In the real world, we of course identify each other by "biometrics", but we take into account many factors: facial appearance, voice, height, gait... mostly unconsciously.
But the problem therein lies that between biometrics and authentication there needs to be a bit of 'blackbox' wizardry - and it is that which will get cracked to copy/clone biometric details - hence the above story is that the 'reader' can easily be fooled into believing printed/etched copies.
"there needs to be a bit of 'blackbox' wizardry - and it is that which will get cracked to copy/clone biometric details"
Surely the "blackbox" just holds a hash based on the biometrics presented. That won't stop the BB being hacked, but it ought to minimise copying/cloning of the "source data".
No - the 'blackbox' is the reader, if you like, and as long as the data presented to it fits, then it processes it - but as I stated in my first post is that once that happens you cannot change YOUR biometric data - so basically end up the creek without a paddle and no way to fix it.
With a hash/salt you need a password or two - if it gets cracked you can change them and create new hashes/salts - but what to do with fixed static data like fingerprints/retina scans when they get cloned?
"...this should be the nail in the coffin of fingerprint authentication, at least of the cheap variety."
You're far too optimistic. Simpler people are still stuck at the "but my mate here can't unlock my phone and I can! See? It's working!" stage, and there are no signs that would change anytime soon.
"Simpler people are still stuck at the "but my mate here can't unlock my phone and I can! See? It's working!" stage, and there are no signs that would change anytime soon."
But it depends what you're trying to protect, and how much resource the "attacker" is willing to deploy. Compared to the probable alternative of a four digit PIN, a fingerprint reader is potentially still more secure at protecting the average Joe's phone data against casual access (noting caveats about bypassing fingerprint readers). But if you're a "high net worth individual" (aka a rich b*****d), with sensitive financial data on the device then you'd be a fool to rely on your fingerprint.
"if you're a "high net worth individual" (aka a rich b*****d), with sensitive financial data on the device then you'd be a fool to rely on your fingerprint."
I would say that if you're a high net worth individual, you'd be a fool to have sensitive financial information on the device at all, regardless of how it's protected, as highlighted in this XKCD cartoon.
"but my mate here can't unlock my phone and I can! See? It's working!"
This is all most people are really worried about. If I'm worried about keeping it safe from the police or other more determined attacker I'll use a PIN, too.
The proper implementation is a print for all unlocks, with an additional PIN required after a certain user settable timeout. The paranoid can set the timeout to 0, those who only care about keeping it away from their technically clueless spouse can disable it, I'd choose 30-60 minutes so it wouldn't be too annoying but if the cops arrested me by the time I was booked and they wanted to peruse the evidence the window of opportunity to hack my fingerprint will have passed.
...In a sane world
...this should be the nail in the coffin of fingerprint authentication, at least of the cheap variety. What is the use if it is tuned to accept anything vaguely resembling the real print?...
A bit of explanation.
1 - Manual fingerprint authentication is done by an expert comparing all aspects of a fingerprint. This is a skilled job which takes a bit of time. Its effectiveness depends on the expert's skill and experience.
Automatic 'biometric' fingerprint recognition is done with a pattern matching algorithm (originally invented in the UK at RSRE for use in radar signal analysis) which identifies a few 'salient' points and matches these. With limited processing power and the need to avoid false negatives these matches may be quite poor and still 'pass'.
2 - There is indeed a question mark hanging over the whole of fingerprint identification. It has simply been asserted to be true that no two fingerprints are the same. But no one knows if this is true, or how good fingerprint experts are at distinguishing similar prints. It is just assumed that they are infallible and fingerprints are all unique, because that supports the justice system...
The fingerprint creation technique is well known, the only new addition is using a hi-res camera.
A cynic might say that this is Apple's level of innovation. Yes, it's very cool, but is it pushing the state of the art?
Either way, thumbs up for security-bods.
Oh wait, better not...
Anyone doubting this is not up on the state of the art. There is a commercial machine/robot developed for the US military that uses a camera to fingerprint people from ten+ feet away. (If you can find it on Google I'll be impressed though - I've just searched for half an hour for it to no avail)
It barks orders from a friendly looking robot face to put your hands up for scanning, and left right and front photos, by high res camera.
So this is real.
I've even done it myself, though not with any success - I got the print, I just didn't have a sensible way to extract the visible pattern into a black and white one suitable for the scanners.
How is this news? There are accounts of how to forge fingerprints that go back to the time fingerprinting was still to be widely adopted as an identification technique by Scotland Yard.
Better yet, there's one account I've read from the dawn of the previous century of how to make a rubber stamp of someone's fingerprints using ... photography. Admittedly, it was wet chemical photography, which as any fule kno is a dead and forgotten art akin to Alchemy.
I remember back in the late seventies reading an account of a US sheriff having forged a fingerprint to get a conviction using Scotch tape to transfer a print from one place to another. Another "well, duh!" moment for the press and criminal scientists. Any kid left alone with a reel of shiny-type Scotch tape will discover the print-lifting capabilities of the product in about a minute.
And I would have thought anyone who had used an old-style carbon fusion photocopier would have spent some time thinking about how it could be used to lift prints from the glass.
Austin Freeman's story 'The Red Thumb Mark' (available on Gutenberg - it's jolly good) was published in 1907 and revolves around a faked thumbprint left at a crime scene. Why are people still trying to use basic fingerprints as identification evidence in 2014?
Just about any biometric other than DNA can be faked with enough effort. For private individuals it's probably not worth the hassle, but when it's GCHQ/NSA/CIA/KGB/the Chinese involved faking the biometrics to access foreign government networks (or even their own government networks) then money's no object.
I'm waiting for the next big thing in biometrics - the discovery that the pattern of one's "rusty sheriff's badge" (as Stephen Fry referred to it on QI) is unique. There's a whole new meaning to the idea of dropping your trousers for immigration checks.
"Just about any biometric other than DNA can be faked..."
DNA doesn't need to be faked - we all leave it everywhere we touch, glasses we drink from etc. So it wouldn't be much to use someone else's DNA deliberately - in fact DNA technology is just about getting scary, as it's regarded as so foolproof that if YOUR DNA was found at a crime scene (albeit planted), there is no way out.
"Just about any biometric other than DNA can be faked"
Problem is, modern DNA testing isn't that reliable:
Tl;dr: 10 to 13 points is the normally accepted baseline for identity, but that has been called into question.
IRL: it's often impossible to use DNA found at the scene to get more than 9 matching points.
So most courts say 'Good enough.', even though it's only narrowed the match to dozens, even hundreds of individuals.
(Just get an 'expert' to testify, "Totally Accurate!", and the jury accepts that.)
Still Tl;dr: DNA evidence that is used as infallible, actually doesn't prove the accused did it.
Fingerprints aren't completely useless. They are not, however, and never have been, secure.
The fingerprint is your username. Probably shown at the top of every forum you visit, attached to every one of your posts and maybe even part of your public URL (e.g. Facebook vanity URLs). Also probably related to your name, or your well-known aliases. In schools and companies, your username is - well - your name. Your email username is almost always the first part of your email (before the @).
The fingerprint, however, is NOT your password and never should be. That's just stupid.
With just the username, you can't do anything interesting. With the password too, you can do it all. The fingerprint/username is a convenience - "this is who I intend to try to authenticate as". But without the secret password, or whatever, you can't actually do anything interesting.
Which is why I laugh at all the people I see who use fingerprint readers for library access systems, access control in schools, and even fingerprint readers on their laptops. IT IS NOT AUTHENTICATION. It's a username-shortcut.
I actually have an old USB fingerprint reader. It's a scanner. I kid you not. It's a miniature black and white scanner with a clear rubberised surface the size of a finger to scan. All the hard work is done on the software end with finding edges etc. I could scan your finger and - short of some impressively expensive fingerprinting system in place - reproduce your fingerprint pretty easily (as pointed out, laser printer on balloons, or just a gummi bear pressed onto a laser-printed-and-acid-etched PCB to give it some depth). The stuff to do this is available from your local Maplin's for a handful of pounds, and will get you into most of these systems (except possibly the very top-end that aren't actually doing fingerprints at all, as pointed out in the article).
Fingerprints are not the password.
They are the username.
Explain this to your users and you'll have a much easier time of things.
P.S. I work in schools. Sometimes they're happy to have "username shortcuts" for the little'uns, e.g. to log into the library rather than the librarian having to memorise 1000 kids. But they aren't secure. The security comes from elsewhere.
"The stuff to do this is available from your local Maplin's for a handful of pounds, and will get you into most of these systems"
But the day to day use of fingerprints is not really about security is it? My bank don't use it as part of their 2FA, my employers don't use it as part of their 2FA, and I can't think of any instance that a fingerprint is acceptable, other than low threshold smartphone access control and the school uses you mention (where the risks of error or fraud are outweighed by the benefits of recording access, not replacing lost cards, not having pupils carrying cash etc).
I'm sure other readers will have experience of (eg) corporate IT that might use built in fingerprint readers, but I've worked reasonably widely and think I'm correct to say that's an absolute minority of companies.
If you accept fingerprint ID as a simple but not very secure access control for low value applications it isn't that bad, and probably no less robust than the sort of enterprise password policies that cause half the staff to write this month's password on a Post-it fixed to the monitor.....
"But the day to day use of fingerprints is not really about security is it? My bank don't use it as part of their 2FA, my employers don't use it as part of their 2FA, and I can't think of any instance that a fingerprint is acceptable,"
Bloomberg - they have fingerprints as part of their 2FA process for Bloomberg Anywhere, and our security bods love the fact that they do, as it ticks their vendor security assessment boxes very nicely. Maybe a rethink will be in the offing
Ideal for all the fitness types also, combine the thing with a blood glucose reader and a DNA sampler and you have it taking a blood sample to access it. Incorrect blood sample and you don't get in. The blood glucose sample is just used as the marketing front :P
Other advantage with it having to take a blood sample to access is on a phone at least it'll stop people fiddling with the things all day long. Or am I just being a grumpy old git?!
"However, as previously reported it’s unclear whether the fake thumbprint matches von der Leyen's actual digit."
And it's unlikely that they'll be able to check that. The correct approach would be to apply the same technique to x willing test subjects - obtaining their prints by the same method, and then using the acquired prints to access something protected by their real prints.
But presumably a test on x no-names, whether it's successful or otherwise, is less newsworthy than a non-test on someone more significant.
We've all seen the movie where a bad guy simply chops off the good guy's finger to use as ID to open the vault. Although usually done with less drama, taking biometric data is relatively child's play physically and for governments legally.
In the USA a court may not compel a person to divulge a password, because it's an intellect value. However, they can and do order people to provide biometric data all the time, for example, DUI breathalyzer tests. It's a strong legal precedent.
I assume the big push for biometric authentication is coming from Big Brother States that already have vast fingerprint data bases, and are working on others such as face scans.
A bullet proof encrypted password is the gold standard and should be.
Big brother states is right!
This from Widdlypaedia "The United Kingdom National DNA Database (NDNAD; officially the UK National Criminal Intelligence DNA Database) is a national DNA Database that was set up in 1995. As of the end of 2005, it carried the profiles of around 3.1 million people. In March 2012 the database contained an estimated 5,950,612 individuals. The database, which grows by 30,000 samples each month, is populated by samples recovered from crime scenes and taken from police suspects and, in England and Wales, anyone arrested and detained at a police station."
You can read more here: http://en.wikipedia.org/wiki/United_Kingdom_National_DNA_Database
So we have 10% of the population recorded more or less whose DNA is considered by the fuzz to be proof positive of who they are.
I can see the day when that is encoded onto your ID card and will be the first point of access for all Brits when dealing with anything official, if there is a question about the card you get a smack in the mouth and it's verified physically. I am guessing they are waiting for someone to come up with the DNA equivalent of a breathalyser before implementing it.
In a court in spite of what the fuzz would like to think, at best DNA can only be considered circumstantial evidence except possibly in cases of rape/sexual assault where it is proof of an act even if it may not be the act in question.
Secret password however should remain just that; secret and in your head where even cutting it off is not going to reveal the password. Yet!
Maybe it's time to re-invent the Dick Tracy code ring!
"Secret password however should remain just that; secret and in your head where even cutting it off is not going to reveal the password. Yet!"
But like I said, what about people with bad memories? For them, a bulletproof password is one they can't remember. AFAIK, no one's invented a foolproof way to do "something you AND ONLY YOU know" that works even for people who have trouble remembering their own name.
If you have trouble remembering your own name, how are you going to remember that you even work for XYZ corp? and then when you've logged in, what is your job? what are you meant to be doing? and how do you do it? what do you click?
If you can't remember a password, you are very unlikely to be competent enough to actually need a password for anything.
So in other words, "Goodbye. Game Over. Better Luck Next Life"? Because some people really ARE that bad. There's also the matter of information overload, since just about every site under the Sun demands a unique account with them, and SOP is to use a different password with each one. A password manager can be subverted or you just forget the password to the password manager.
Authentication is normally based on 'something you know', and not just 'something you have' such as a fingerprint or any other biometric.
Technically incorrect, unless you add "insecure" to the beginning of that quote. Also, I've always been told fingerprints don't count as "something you have", they're only "something you are", which is lousy security because it can't be changed. Slightly more secure authentication is based on both something you know, AND something you have. Also not just "something you are", such as the horribly insecure fingerprint, which as noted can be duplicated. The duplication can be in any of several ways, either pre (the print itself) or post (the digital "signature" of that print) processing. Just one of the above is, today, not really considered "secure". Or at least, not "secure enough".
It's obvious what's gone wrong here.
Some idiots have seen movies where Tom Cruise is a crack government agent and his fingerprints are necessary to access the nuclear missiles at the top secret military base.
So these idiots think, hey, fingerprints are supposed to be the best possible form of security and are only used to secure things that are SUPER important and valuable. Then they get all butthurt when it turns out that might not be the case, and they think they have to inform the world and hold conferences about it.
Back in the real world, any normal adult can explain the point of the fingerprint sensor on the iPhone: it's so a pickpocket won't be able to access your vacation photos before you get a chance to remotely wipe your phone. And for that purpose it seems to be more convenient and secure and effective than a PIN code which people tend to not use anyway.
Maybe it's not a coincidence that Germans are trying so hard to alert the world about this. Do they understand the concept of fiction? Maybe they think Tom Cruise movies are documentaries.
>>Can the pickpocket use one of the fingerprints you left on your phone?
I think this would be practically impossible. Watch the original "hack" of the Apple sensor--even under ideal conditions with an ideal scan of the correct finger, it takes 3 tries to unlock the phone. You only get 5 tries.
If you were to lift a fingerprint from the phone itself, what are the odds that (1) it would be a finger that the phone was programmed to recognize, (2) there would be enough of the fingerprint to fill the entire sensor, (3) that the lift would give you enough quality and resolution to fool the sensor, and (4) you could do all of this in less than an hour, which is probably the worst-case amount of time I would need to notice that my phone is stolen and remotely wipe it?
I'm comfortable keeping sensitive information on my phone with those odds. And certainly more comfortable than when I used a PIN code to lock my phone. It's stupid easy to look over somebody's shoulder and see their code or unlock pattern. You might be able to figure it out just from the motion of their hand even if you weren't able to see the screen.
>If you were to lift a fingerprint from the phone itself, what are the odds that (1) it would be a finger that the phone was programmed to recognize, (2) there would be enough of the fingerprint to fill the entire sensor, (3) that the lift would give you enough quality and resolution to fool the sensor, and (4) you could do all of this in less than an hour, which is probably the worst-case amount of time I would need to notice that my phone is stolen and remotely wipe it?
Actually, you can tell from the finger print which finger it is. They could be at quite a distance - all they need to know is the finger you used. It is on there unless you use gloves ... do you not hold backspace a few times when you type passwords in public places - I do sometimes forget, but try to stick to it (type something, first x letters are good, then hold backspace to delete more than one character - as many as required to get to x letters - then type on) ?
I have fat fingers and do it accidentally as well ... I mistype my passphrase quite often ... a sentence full of silly typos.
"If you were to lift a fingerprint from the phone itself, what are the odds that (1) it would be a finger that the phone was programmed to recognize, (2) there would be enough of the fingerprint to fill the entire sensor, (3) that the lift would give you enough quality and resolution to fool the sensor, and (4) you could do all of this in less than an hour, which is probably the worst-case amount of time I would need to notice that my phone is stolen and remotely wipe it?"
(1) and (2). First place to look would be the sensor itself. Who actually wipes their print off the phone after using the sensor to unlock it?
(4) Two words: Faraday cage. No wipe signal gets through. Now you have all the time on the clock.
Every few years someone with nothing new to say drags this horse corpse out and flogs it one more time for some publicity.
Biometrics are useful in their place delivering speed, convenience and decent level of security - you can often guess a password or a PIN but try guessing a finger print; I've never seen a post-it with "this week's retina" stuck on the notice board. Got it on my iPhone and love its convenient security for signing stuff, elsewhere I use a pin or a sms code.
Using biometrics is just part of the authentication mix, now move along nothing to see here.
I talked some friends out of putting a fingerprint lock on their front door a while back by showing them the Mythbusters episode where they took on biometric locks. The Mythbusters aren't exactly the most rigorous of pen testers so if they can beat the things I'm not about to use my fingerprints for security. Not to mention the fact that in the process they told the whole world how to beat fingerprint readers.
People seem to be missing the fact that security should be layered.
I like the fact that when I'm unlocking my phone on the plane, the person next to me can't look at the passcode as I'm just pushing my finger on it. (look at screen remember passcode - much easier than taking a photo and producing a balloon.)
However I also like the fact that on a cold boot you need the whole pin, so having a fingerprint doesn't cut it all the time.
Given that for a lot of people they've gone from no passcode to finger, it's a step up.
If people are securing national secrets using fingerprints ONLY, then there's an issue.
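An added illustration, not part of any comment above and not any vendor's implementation: a sketch of the layered unlock policy several commenters describe, with the print used for everyday unlocks and the PIN demanded after a user-set timeout, after a cold boot, and after five failed print attempts. The class and method names are hypothetical, and the sensor's match decision is taken as a plain boolean.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_PRINT_FAILURES = 5  # the thread mentions five tries at the sensor


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class UnlockPolicy:
    """Hypothetical device lock: print for convenience, PIN as the changeable secret."""

    def __init__(self, pin: str, pin_timeout: Optional[float] = 3600.0):
        # pin_timeout is in seconds: 0 = PIN on every unlock, None = timeout disabled.
        self.pin_timeout = pin_timeout
        self.print_failures = 0
        self.last_pin_ok: Optional[float] = None  # None = cold boot, no PIN entered yet
        self.set_pin(pin)

    def set_pin(self, pin: str) -> None:
        # Unlike a fingerprint, the PIN can be replaced after a compromise.
        self._salt = os.urandom(16)
        self._hash = _pin_hash(pin, self._salt)
        self.last_pin_ok = None  # force a fresh PIN entry

    def sensor_locked(self) -> bool:
        return self.print_failures >= MAX_PRINT_FAILURES

    def pin_required(self, now: float) -> bool:
        if self.last_pin_ok is None or self.sensor_locked():
            return True
        if self.pin_timeout is None:
            return False
        return now - self.last_pin_ok >= self.pin_timeout

    def _pin_ok(self, pin: Optional[str]) -> bool:
        if pin is None:
            return False
        return hmac.compare_digest(_pin_hash(pin, self._salt), self._hash)

    def unlock(self, now: float, print_ok: bool, pin: Optional[str] = None) -> bool:
        # While the sensor is locked out the print is ignored and only the PIN counts.
        if not self.sensor_locked() and not print_ok:
            self.print_failures += 1
            return False
        if self.pin_required(now):
            if not self._pin_ok(pin):
                return False
            self.last_pin_ok = now
        self.print_failures = 0
        return True


if __name__ == "__main__":
    phone = UnlockPolicy("4821", pin_timeout=1800)  # constructed sample PIN, 30 minutes
    print("cold boot, print only:", phone.unlock(0, True))
    print("cold boot, print + PIN:", phone.unlock(0, True, "4821"))
    print("10 min later, print only:", phone.unlock(600, True))
    print("40 min later, print only:", phone.unlock(2400, True))
```
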