[LINK] ArsTechnica: 'Crawl the Web with your fingers'

Kim Holburn kim at holburn.net
Wed Oct 11 17:31:46 AEST 2006

The problems with biometric authentication:
1) You can't easily change your password (Minority report anyone?)
2) Mercedes and Malaysia?  I read this story a while ago about an  
owner of a new Mercedes with a fingerprint scanner who got car- 
jacked.  The robbers, when they discovered the car wouldn't work  
without its owner's fingerprint, removed said fingerprint (and  
finger as I recall).

I have seen a report recently of a finger scanner (can't remember  
references) which takes an image of the patterns of blood flowing  
through the blood vessels in the finger pad which overcomes the dead  
finger and gummi bear workaround.  The paybytouch system sounds like  
it wouldn't cope with a dead finger attack.

On 2006 Oct 10, at 6:27 PM, Roger Clarke wrote:

> [Notes in the middle;  concerns and questions at the end]
> http://arstechnica.com/news.ars/post/20061009-7941.html
> Crawl the Web with your fingers
> 10/9/2006 4:15:37 PM, by Nate Anderson
> If you have a fingerprint scanner hooked up (or built in) to your  
> PC, you've probably thought to yourself, "Self, if this scanner can  
> give me access to my own computer, why can't it log me into  
> websites?" Now it can, thanks to the new TrueMe service from Pay By  
> Touch, one of those firms that has already helped to bring  
> biometric identification into the supermarket.

> [Can anyone explain to me how a person who gifts their fingerprint  
> template to a company isn't at risk of masquerade by that company  
> or any person who gains access to the template?  Passwords are  
> risky unless they are hashed, but using your thumbprint appears to  
> me to be *extremely* risky.
> [For more on the topic, see:
> http://www.anu.edu.au/people/Roger.Clarke/DV/BiomThreats.html#Masq
> [If my serious concern about this mechanism is justified, then why  
> is ArsTechnica damaging its considerable reputation by publishing  
> such an unsceptical, promotional report?]
> [Media Release of 9 October 2006 at:
> http://paybytouch.com/news/pr_10-09-06.html
> [The only information it provides about the most vital aspect of  
> the system is "The TrueMe authentication servers then decrypt and  
> process the information, authenticate the user ...".  That tells us  
> nothing about the nature of the data that the server acquires.]
> [The company's Privacy statement is a masterpiece of brevity at least:
> http://paybytouch.com/whatis/privacy.html
> [The sole information of relevance here is:
> "It's not a fingerprint
> The Pay By Touch system does not use fingerprints. Rather, the  
> reader collects a series of data points, unique to each individual,  
> which cannot be re-engineered into a fingerprint."
> [That completely avoids the key question: can an artefact be  
> produced from the template that is capable of being used for  
> masquerade?]

Kim Holburn
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/ 

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
