[LINK] ArsTechnica: 'Crawl the Web with your fingers'
Kim Holburn
kim at holburn.net
Wed Oct 11 17:31:46 AEST 2006
The problems with biometric authentication:
1) You can't easily change your password (Minority Report anyone?)
2) Mercedes and Malaysia? I read this story a while ago about an
owner of a new Mercedes with a fingerprint scanner who got
carjacked. The robbers, when they discovered the car wouldn't work
without its owner's fingerprint, removed said fingerprint (and
finger as I recall).
I have seen a report recently of a finger scanner (can't remember
references) which takes an image of the patterns of blood flowing
through the blood vessels in the finger pad, which overcomes the dead
finger and gummi bear workaround. The paybytouch system sounds like
it wouldn't cope with a dead finger attack.
On 2006 Oct 10, at 6:27 PM, Roger Clarke wrote:
> [Notes in the middle; concerns and questions at the end]
>
> http://arstechnica.com/news.ars/post/20061009-7941.html
>
> Crawl the Web with your fingers
> 10/9/2006 4:15:37 PM, by Nate Anderson
>
> If you have a fingerprint scanner hooked up (or built in) to your
> PC, you've probably thought to yourself, "Self, if this scanner can
> give me access to my own computer, why can't it log me into
> websites?" Now it can, thanks to the new TrueMe service from Pay By
> Touch, one of those firms that has already helped to bring
> biometric identification into the supermarket.
> [Can anyone explain to me how a person who gifts their fingerprint
> template to a company isn't at risk of masquerade by that company
> or any person who gains access to the template? Passwords are
> risky unless they are hashed, but using your thumbprint appears to
> me to be *extremely* risky.
>
> [For more on the topic, see:
> http://www.anu.edu.au/people/Roger.Clarke/DV/BiomThreats.html#Masq
>
> [If my serious concern about this mechanism is justified, then why
> is ArsTechnica damaging its considerable reputation by publishing
> such an unsceptical, promotional report?]
>
> [Media Release of 9 October 2006 at:
> http://paybytouch.com/news/pr_10-09-06.html
>
> [The only information it provides about the most vital aspect of
> the system is "The TrueMe authentication servers then decrypt and
> process the information, authenticate the user ...". That tells us
> nothing about the nature of the data that the server acquires.]
>
> [The company's Privacy statement is a masterpiece of brevity at least:
> http://paybytouch.com/whatis/privacy.html
>
> [The sole information of relevance here is:
> "It's not a fingerprint
> The Pay By Touch system does not use fingerprints. Rather, the
> reader collects a series of data points, unique to each individual,
> which cannot be re-engineered into a fingerprint."
>
> [That completely avoids the key question: can an artefact be
> produced from the template that is capable of being used for
> masquerade?]
--
Kim Holburn
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961