Crime of the future – biometric spoofing



Don’t assume that just because your fingerprints are unique, they can’t be copied, stored, or spoofed in your absence. We’re relying on more and more complex security, and the best approaches are still the simplest ones: the one-time pad is still the best point-to-point security system, effectively reducing the problem to one of physical security for the pads. Any system, like biometrics, that repeatedly uses the same set of data (like your fingerprints) is extremely vulnerable.

  1. #1 by Ira on July 21, 2006 - 10:01 pm

    Avi, the “one-time pad” requires previous physical contact between the parties who need to securely communicate (or a courier between them). If your pad is lost or stolen the finder or thief inherits your identity for the purposes of communication with the other holder(s) of the matching pad. It is an obsolescent technique whose best days have come and gone.

    IMHO, “public key” PKI techniques are probably as secure and also a heck of a lot more convenient since they allow secure communications between people who have had no previous contact. (I say “probably” because there is a theoretical possibility someone will come up with a fast technique for factoring very large numbers, though the experts say that is unlikely. A security system need not be totally bulletproof for it to be successfully used. For example, easily forged written signatures are still used on checks and relatively short passwords are used for secure transactions on the Internet. Billions of dollars are at stake using these methods which are not as secure as PKI.)

    As for biometrics as ID, there are certainly spoofing techniques that can compromise them. However, there are also techniques for defeating any known spoofing method. For example, advanced iris or retinal scan devices include a light flash that causes a live eye to react and that would detect use of a photo of your eye or retina. An advanced fingerprint reader would include motion and pressure to detect use of a rubber mold of a finger or a dead finger. Also note that a thief would have to have had previous physical contact with the victim to get the iris photo or the fingerprint. Biometric sensors can encrypt the sensor reading with time/date so a snoop intercepting the message would be detected if he tried to use it later.

  2. #2 by avi on July 21, 2006 - 10:17 pm

    Ira, I think your information isn’t quite correct. One Time Pads are used to encrypt other data, such as a passkey. They themselves are not treated as the password. So stealing the pad doesn’t give you access, but it makes invalid access attempts easy to spot.

    Public Key systems fail in a number of scenarios, including where the plaintext can be found or inferred (which may be the case with biometrics, especially if you use it in a lot of different contexts, not all of them secure).

    The extra anti-spoofing technologies only give degrees of protection. But the more complex it gets, the more likely it is to be compromised without you even knowing it.
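Ira's comment (#1) mentions binding a sensor reading to a time/date so that a later replay of an intercepted message can be detected. The following is an added example, not code from the post or either commenter, sketching that check with an HMAC over the reading, a timestamp and a nonce; the shared key, the freshness window and the template hash are constructed for the demonstration.

```python
import hmac
import hashlib
import json
import secrets

# Constructed shared key between sensor and verifier (assumption: provisioned
# out of band; a real deployment would use a per-device key).
SENSOR_KEY = b"constructed-demo-key-do-not-reuse"
FRESHNESS_WINDOW = 30  # seconds a reading stays acceptable


def sign_reading(template_hash: str, now: int, key: bytes = SENSOR_KEY) -> dict:
    """Sensor side: bind the reading to a timestamp and a fresh nonce, then MAC it."""
    body = {"template": template_hash, "ts": now, "nonce": secrets.token_hex(8)}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return body


class Verifier:
    """Verifier side: accept only if the MAC checks, the reading is recent, and the nonce is new."""

    def __init__(self, key: bytes = SENSOR_KEY, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen_nonces = set()  # nonces accepted inside the window; a replay reuses one

    def check(self, msg: dict, now: int) -> str:
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        if not (isinstance(mac, str) and hmac.compare_digest(mac, expected)):
            return "reject: bad mac"      # tampered reading or wrong key
        if abs(now - body["ts"]) > self.window:
            return "reject: stale"        # captured message used much later
        if body["nonce"] in self.seen_nonces:
            return "reject: replay"       # same capture presented twice
        self.seen_nonces.add(body["nonce"])
        return "accept"


def demo() -> list:
    """Constructed scenario: one genuine reading, then the same capture replayed and tampered."""
    v = Verifier()
    msg = sign_reading("sha256:constructed-fingerprint-template", now=1000)
    results = [v.check(msg, now=1005)]            # fresh, first use
    results.append(v.check(msg, now=1010))        # replayed inside the window
    results.append(v.check(msg, now=2000))        # replayed long after capture
    tampered = dict(msg, template="sha256:other-template")
    results.append(v.check(tampered, now=1005))   # reading altered, MAC no longer matches
    return results
```

The nonce set must be bounded in practice (entries older than the window can be dropped), and the clocks of sensor and verifier must agree to within the window.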
