Re: Spoofing fingerprint scanners - NEWBIE()

---

• From: Anne & Lynn Wheeler <lynn@xxxxxxxxxx>
• Date: Mon, 01 May 2006 13:25:48 -0600

---

Sebastian Gottschalk <seppi@xxxxxxxxx> writes:

Not actually. It's neither a reliable or efficient improvement over one
factor authentication and clearly doesn't reach two factor ~. Especially
due to error rates.

But "eye" is a good keyword. Iris scanning actually fulfills the
"something you are" factor mantra.

some number of atm operators have been looking at both fingerprint
scanning and iris scanning, in place of PIN for two-factor
authentication.

from three-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

PIN is a shared-secret "something you know" in conjunction with the
card "something you have".
http://www.garlic.com/~lynn/subpubkey.html#secret

the issue is that shared-secret "something you know" paradigm has been
grossly overworked ... as a result there are some statistics that at
least 1/3rd of debit cards have PINs written on them. there is
assumption with multi-factor authentication regarding whether they
are subject to independent vulnerabilities and exploits. obviously
writting PIN on the card defeats any assumptions about multi-factor
independent vulnerability related to lost/stolen card.

the argument allowing a user to choose fingerprint ("something you
are") in lieu of PIN ("something you know") authentication ... is
whether it easier for a crook with a lost/stolen card to "lift" a PIN
written on the card and replay the PIN at a terminal ... vis-a-vis
"lifting" some possible fingerprint on the card and replay the
fingerprint at a terminal (even allowing a customer to choose a finger
that is least likely to have been used in handling their card).

misc. past posts mentioning fingerprint vulnerability vis-a-vis
debit cards that have PIN written on them:
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#167 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/aadsm10.htm#biometrics biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio2 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio3 biometrics (addenda)
http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#47 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/2002g.html#72 Biometrics not yet good enough?
http://www.garlic.com/~lynn/2002h.html#6 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#8 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#41 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002o.html#62 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#63 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#64 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#65 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#67 smartcard+fingerprint
http://www.garlic.com/~lynn/2003o.html#44 Biometrics
http://www.garlic.com/~lynn/2005g.html#54 Security via hardware?
http://www.garlic.com/~lynn/2005i.html#22 technical question about fingerprint usbkey
http://www.garlic.com/~lynn/2005i.html#25 technical question about fingerprint usbkey
http://www.garlic.com/~lynn/2005m.html#37 public key authentication
http://www.garlic.com/~lynn/2005o.html#1 The Chinese MD5 attack
http://www.garlic.com/~lynn/2005p.html#2 Innovative password security
http://www.garlic.com/~lynn/2005p.html#25 Hi-tech no panacea for ID theft woes
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense

other past posts about skimming exploits of magstripe plus PIN (or any
other relatively static authentication data that can be subject to
replay attack) ... also invalidating any assumptions about
multi-factor authentication independent vulnerabilitys/exploits/threats
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#25 Single Identity. Was: PKI International Consortium
http://www.garlic.com/~lynn/aadsm17.htm#42 Article on passwords in Wired News
http://www.garlic.com/~lynn/aadsm18.htm#20 RPOW - Reusable Proofs of Work
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#33 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#45 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm22.htm#47 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm23.htm#2 News and Views - Mozo, Elliptics, eBay + fraud, naïve use of TLS and/or tokens
http://www.garlic.com/~lynn/2003o.html#37 Security of Oyster Cards
http://www.garlic.com/~lynn/2004g.html#45 command line switches [Re: [REALLY OT!] Overuse of symbolic constants]
http://www.garlic.com/~lynn/2004j.html#12 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#13 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#14 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#35 A quote from Crypto-Gram
http://www.garlic.com/~lynn/2004j.html#39 Methods of payment
http://www.garlic.com/~lynn/2004j.html#44 Methods of payment
http://www.garlic.com/~lynn/2005o.html#17 Smart Cards?
http://www.garlic.com/~lynn/2005p.html#2 Innovative password security
http://www.garlic.com/~lynn/2005p.html#25 Hi-tech no panacea for ID theft woes
http://www.garlic.com/~lynn/2005q.html#11 Securing Private Key
http://www.garlic.com/~lynn/2005t.html#28 RSA SecurID product
http://www.garlic.com/~lynn/2005u.html#13 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006d.html#41 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense
http://www.garlic.com/~lynn/2006g.html#38 Why are smart cards so dumb?
http://www.garlic.com/~lynn/2006h.html#13 Security
http://www.garlic.com/~lynn/2006h.html#15 Security
http://www.garlic.com/~lynn/2006h.html#33 The Pankian Metaphor

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
.

---

• References:
  • Spoofing fingerprint scanners - NEWBIE()
    • From: shamilton72
  • Re: Spoofing fingerprint scanners - NEWBIE()
    • From: Sebastian Gottschalk
  • Re: Spoofing fingerprint scanners - NEWBIE()
    • From: Todd H.
  • Re: Spoofing fingerprint scanners - NEWBIE()
    • From: Sebastian Gottschalk

• Prev by Date: Question regarding using AES in CTR mode to encrypt UDP
• Next by Date: Re: Spoofing fingerprint scanners - NEWBIE()
• Previous by thread: Re: Spoofing fingerprint scanners - NEWBIE()
• Next by thread: Re: Spoofing fingerprint scanners - NEWBIE()
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Security procedure question ... Yes this is one of the better authentication solution, ... > security of the mobile device. ... So indirectly biometrics ... specifically not keeping the USB device conveniently at hand ... (Security-Basics) RE: Biometrics ... > Good point in bringing up potential security issues with biometrics. ... > compromised authentication does not allow access. ... Even then I would rule out fingerprint systems. ... (Security-Basics) RE: Biometrics ... Good point in bringing up potential security issues with biometrics. ... compromised authentication does not allow access. ... persons' fingerprint and successfully recreate it to log into a system ... (Security-Basics) Re: Trying to underdtand 2 factor authentication ... password can represent "something you know" technology. ... multi-factor authentication is considered more secure because the ... misc posts discussing "yes cards" exploit ... regardless of what pin is entered. ... (comp.security.misc) Re: Securing eRIC express ... stronger form of authentication? ... Thomas D. wrote: ... These cards are reachable through the internet, ... (Security-Basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)