[LINK] ArsTechnica: 'Crawl the Web with your fingers'
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Oct 10 18:27:07 AEST 2006
[Notes in the middle; concerns and questions at the end]
http://arstechnica.com/news.ars/post/20061009-7941.html
Crawl the Web with your fingers
10/9/2006 4:15:37 PM, by Nate Anderson
If you have a fingerprint scanner hooked up (or built in) to your PC,
you've probably thought to yourself, "Self, if this scanner can give
me access to my own computer, why can't it log me into websites?" Now
it can, thanks to the new TrueMe service from Pay By Touch, one of
those firms that has already helped to bring biometric identification
into the supermarket.
The new service, announced today, uses certified fingerprint scanners
to replace username/password combinations on the Web. "With TrueMe, a
simple touch of the finger gives Chief Security Officers the security
they demand while giving users the simplicity they desire," said Jon
Siegal, a Pay By Touch VP. "TrueMe satisfies both needs without the
hassle of multiple User IDs and passwords."
The scanners must be certified because encryption of the fingerprint
is done inside the sensor. When a user swipes a finger, the
recognition data is compressed and encrypted, then sent to a TrueMe
server, which handles authentication. If the user is allowed to visit
the website or resource in question, the server sends the verified
identity directly to the site.
["compressed" presumably means that a 'template' is extracted;
"encrypted" presumably means that the server is able to decrypt it;
"hashed" is not mentioned;
so the server presumably has access to the template;
commonly, templates can be used to effect masquerade]
Given the way that crooks have attacked traditional two-factor
authentication systems, will fingerprints prove to be more secure?
Hopefully. The TrueMe system also records the device ID of the
fingerprint scanner used in the authentication attempt, potentially
making it easier to spot fraud and to track down malicious users. We
imagine that the technology could also be used by businesses to
restrict employee access to sensitive internal websites to certain
company-supplied PCs, though Pay By Touch says nothing about the way
that the ID check will be used.
While Pay By Touch shows its own branded scanner on its site, the
ones built into Lenovo T60 and X60 machines will also work. TrueMe
isn't free; there's a yearly fee to use the service, which is
currently targeted at business users.
[Can anyone explain to me how a person who gifts their fingerprint
template to a company isn't at risk of masquerade by that company or
any person who gains access to the template? Passwords are risky
unless they are hashed, but using your thumbprint appears to me to be
*extremely* risky.]
[For more on the topic, see:
http://www.anu.edu.au/people/Roger.Clarke/DV/BiomThreats.html#Masq ]
[If my serious concern about this mechanism is justified, then why is
ArsTechnica damaging its considerable reputation by publishing such
an unsceptical, promotional report?]
[Media Release of 9 October 2006 at:
http://paybytouch.com/news/pr_10-09-06.html ]
[The only information it provides about the most vital aspect of the
system is "The TrueMe authentication servers then decrypt and process
the information, authenticate the user ...". That tells us nothing
about the nature of the data that the server acquires.]
[The company's Privacy statement is a masterpiece of brevity at least:
http://paybytouch.com/whatis/privacy.html ]
[The sole information of relevance here is:
"It's not a fingerprint
The Pay By Touch system does not use fingerprints. Rather, the reader
collects a series of data points, unique to each individual, which
cannot be re-engineered into a fingerprint."]
[That completely avoids the key question: can an artefact be produced
from the template that is capable of being used for masquerade?]
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW