Biometrics are the username. Too many Hollywood films seem to have led people to think otherwise.
Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke
Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase – but experts warn biometrics should not be treated like a silver bullet for ID woes. Earlier this year, HSBC announced the launch of Voice ID for its customers in the UK, alongside fingerprint authentication, …
COMMENTS
-
Friday 18th March 2016 16:45 GMT Anonymous Coward
Biometrics are very popular among the technically less-educated
I can't blame them, because who wants to live with remembering 15-20 different passwords for all the online services you use. However, the idea that somebody must be me just because they can transmit my iris scan is just terrifying.
-
Friday 18th March 2016 18:30 GMT SuccessCase
Re: Biometrics are very popular among the technically less-educated
It's a good point, but still I'm willing to bet the proportion of those who consider themselves "technically well educated" and who also like to demonstrate "superior" knowledge by decrying biometrics (even for e.g. smaller financial transactions) but then blithely enter a pin code without checking if there is a security camera trained on the POS terminal, is greater than 90%.
Which I think illustrates the point it's all about risk management, not absolute security (which is a Chimera) and biometrics is probably currently, practically speaking, more secure than PIN entry whilst being one hell of a lot more convenient. One day, the techniques for and practice of lifting fingerprints to commit card fraud might be common enough that we security pragmatists pragmatically evolve a new pragmatic solution. But even where fingerprint scanning tech is concerned, the need for that change is certainly not today.
-
Sunday 20th March 2016 10:40 GMT Jeffrey Nonken
Re: Biometrics are very popular among the technically less-educated
15-20 online accounts? Is that all? Let's see...
Bank
CC
Phone
Internet
Cable
Email
Utilities
DMV
IRS
Insurance
WiFi
Home computer
That's 10 right there. Some could be combined, some may have multiples. The banks probably include cards whose PINs you must choose and remember. Now, what else...
Amazon
EBay
Paypal
Netflix
Hulu
Redbox
Twitter
Facebook
Google
Apple
Starbucks
Work email
Work computer
Work WiFi
Skype
Any typical person might have some or all of those. Now let's add a few that I also have...
Steam
Yahoo
Newegg
Tigerdirect
Hosting service (Eapps)
Dating site
Tumblr
Cypress Semiconductor
Texas instruments
Digikey
Work phone system
Work server admin logon
Work development server logon
Root for above
Killing Floor dedicated server
USPS
UPS
Fandango
Logitech Harmony
Dropbox
XDA
The Register
Slashdot
Techdirt
Reddit
Wikipedia
Wikia
Tvtropes
IMDB
IMFDB
WordPress
Teamviewer
Firefox
Glyde
Freedompop
Franchise tax board
Daily Steals
...That's just a few off the top of my head, and doesn't count old accounts nor the fact that in some cases I have multiple accounts. Nor that my wife and I sometimes have separate accounts but know each other's information.
I use Keepass. Of course, I also have an elaborate password I have to remember.
-
-
Friday 18th March 2016 17:52 GMT Anonymous Coward
Tiresome..
I'm getting a bit tired of the "do not use biometrics because you cannot change them" meme because it's far from universally applicable, but gets trotted out every time someone talks about it. Well, big fat yawn.
The only time that is an issue with biometrics is if they are used in a big database, which is what you should never do with biometrics in the first place, hence my intense dislike of the HSBC voice print idea (but as HSBC is a bank I wouldn't trust with a wet flannel let alone my money that's not a real problem - anyway, that's off topic). You use biometrics exactly BECAUSE they don't change otherwise there would be no point.
Biometrics are best used as a means to salt a password hash before it is submitted (usually as a hash), so PIN "1234" plus biometrics of Bob don't give you the same hash as PIN 1234 plus biometrics of Alice. This means that biometrics are best stored as a local hash, not as full data in some distant database.
This is also why I don't like voice control systems such as Siri and its Google equivalent - it's like giving the ECHELON people the best voice print they could possibly obtain: locally recorded, possibly repeated for clarity (if Siri doesn't work) and in high quality rather than within the normal phone frequency band.
I don't think I'm spectacularly paranoid, but I do believe that prevention is better than mopping up the mess afterwards. Biometrics are a good factor, especially when used in combination with others provided they are used intelligently.
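The scheme the commenter sketches (PIN salted with a locally held biometric, only the derived hash submitted), as an added example that is not the commenter's code. It assumes a toy template format (a 256-bit string), a constructed Hamming-distance match threshold, and hypothetical names; live scans are noisy, so the device matches first and then salts with the stable enrolled template, which never leaves the device.

```python
import hashlib
import hmac
import random

MATCH_THRESHOLD = 24  # max differing bits accepted as "same finger" (constructed value)

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def noisy_reading(template: bytes, flipped_bits: int, rng: random.Random) -> bytes:
    """Simulate a live scan: the enrolled template with some distinct bits flipped."""
    bits = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flipped_bits):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)

def derive_verifier(pin: str, enrolled_template: bytes) -> bytes:
    """PIN hashed with the device-local enrolled template as salt.
    Only this value is ever submitted; the template itself stays on the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), enrolled_template, 100_000)

class LocalAuthenticator:
    """Match-on-device: holds the enrolled template, releases only derived verifiers."""
    def __init__(self, enrolled_template: bytes):
        self._template = enrolled_template

    def verifier_for(self, pin: str, live_reading: bytes):
        # A noisy live reading cannot be used as salt directly (it differs every scan),
        # so match it against the enrolled template and salt with the stable copy.
        if hamming_distance(live_reading, self._template) > MATCH_THRESHOLD:
            return None
        return derive_verifier(pin, self._template)

def check(server_verifier: bytes, submitted) -> bool:
    """Server-side compare; the server stores only the hash, never the biometric."""
    return submitted is not None and hmac.compare_digest(server_verifier, submitted)

def demo():
    rng = random.Random(2016)  # deterministic constructed templates
    bob = bytes(rng.getrandbits(8) for _ in range(32))
    alice = bytes(rng.getrandbits(8) for _ in range(32))
    device_bob = LocalAuthenticator(bob)
    server_bob = derive_verifier("1234", bob)      # stored at enrolment
    server_alice = derive_verifier("1234", alice)  # same PIN, different person
    same_pin_differs = server_bob != server_alice
    ok_noisy = check(server_bob, device_bob.verifier_for("1234", noisy_reading(bob, 10, rng)))
    far_reading_rejected = device_bob.verifier_for("1234", noisy_reading(bob, 80, rng)) is None
    wrong_pin_rejected = not check(server_bob, device_bob.verifier_for("1111", noisy_reading(bob, 5, rng)))
    return same_pin_differs, ok_noisy, far_reading_rejected, wrong_pin_rejected
```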
-
Friday 18th March 2016 20:25 GMT Anonymous Coward
Re: Tiresome..
If they want our voice prints they have all the phone calls we've placed over the past decade (at least) as they've been capturing them all since 9/11. Believing that your voice is something you can and should keep secure from the authorities is the height of folly. Nothing biometric can be kept away from them, because it has to be easy to collect to be useful in a device.
I know the US government has my fingerprints on file, since I previously had a security clearance and had to submit them (and was arrested a long time ago, but that predated TIA style collection of 'everything' and probably isn't even in my state's computer files) I assume they have my voice. They probably don't have my iris, but consider that when I renew my license I have to look into that little thing that tests my vision. I suppose theoretically it could make an iris image. Also I have a yearly checkup with my eye doctor, and they take very detailed pictures of the iris that show all the blood vessels inside. I doubt they have very good security, and probably use some standard system sold to eye doctors - bet the NSA could break into all of them pretty easily if they wanted.
No matter what someone comes up with, from elbow prints to DNA extracted from blood to microscopic X rays of my wrist bones, once it is done and used in some sort of device, that information is no longer under my sole control.
-
Friday 18th March 2016 22:00 GMT a_yank_lurker
Re: Tiresome..
The problem that biometrics has is they cannot be changed easily if at all. Mythbusters did an episode where they spoofed a fingerprint reader rather easily a few years ago. Passwords can be changed very easily and as often as you like (or forced to change them).
Biometrics are more akin to a username than a password. Someone who knows me probably can guess my username for many sites but my passwords not so easily. Biometrics are just harder to spoof/guess usernames.
-
Saturday 19th March 2016 05:20 GMT Charles 9
Re: Tiresome..
But some people have terrible memories for passwords. They couldn't even remember "correcthorsebatterystaple" to save their lives (meaning they can't recall something they KNOW). Plus they may be partial Luddites and against having an electronic device on their person (so there's nothing they HAVE). So how do you do security when the ONLY thing you can work with is something you ARE?
-
Saturday 19th March 2016 10:06 GMT Anonymous Coward
Re: Tiresome..
Mythbusters did an episode where they spoofed a fingerprint reader rather easily a few years ago.
Yes, but they did ONE episode with ONE set of evaluations and are unlikely to know about the whole market. Don't get me wrong, I love their shows but they are not covering the whole picture because some of this stuff is restricted access. Without a degree of insight, all cars are basically boxes with propulsion and 4 wheels, but that doesn't mean they're all alike. Actually, let me update that: to a politician, all cloud services look alike, but that doesn't mean they are (I'm trying to give up car analogies :) ).
I've been knee deep in this for several years, from police forensics to very high grade access control. As I indicated a while ago in a fairly lengthy post, the reliability of fingerprint readers depends on the techniques used inside the reader to scan your ridges and the post-scan analysis, and that is more than just a matter of resolution.
The ultimate decider here is not the reader, but how much you are prepared to spend. As demonstrated in another post I saw about ProtonMail, there is this weird expectation that despite paying next to nothing you get top quality. Logic dictates that if something is "free" and the company offering it is making a healthy profit regardless, you are paying in a different way and corners have been cut with vigour, and the world of biometrics is no different. It is up to you if you want to take that risk when it is about financial transactions or personal information.
For that last item I have a closing remark: I have lost count of the number of people who would "never use biometrics" for fear it would leak, yet these same people happily continue using Gmail and Facebook...
-
-
-
Friday 18th March 2016 22:03 GMT Justicesays
More recently
Banks have been looking at finger vein patterns instead of (or as well as) fingerprints.
This would be used to approve card transactions for instance.
The idea behind this is that you don't leave copies of your vein patterns behind on everything you touch, so it can't be easily copied...
They don't seem to have figured out that if this catches on people will be constantly sticking their fingers into devices specifically designed to capture this information, the security of which is unknown to the user.... At least if you stick your PIN into a compromised POS system you can get a new PIN. Good luck getting new fingers.
This of course applies to *any* biometric that would come into common use!
-
Saturday 19th March 2016 05:39 GMT Charles 9
Re: More recently
Well, you have EIGHT of them (plus your thumbs). Plus how do you go about reproducing a vein pattern that relies on having particular qualities of mass and so on in place as well. I would think the technology to create an artificial finger right down to the veins and bones is something beyond current medical science.
The thing about biometrics is that they're basically the ONLY authentication system that's ALWAYS on you, regardless of whether or not you have electronic accessories and/or a good memory (basic requirements for the two other branches of authentication).
-
Saturday 19th March 2016 09:08 GMT TeeCee
Re: More recently
The problem here is that to be usable and secure it doesn't have to be beyond current medical science. It has to be beyond medical science forever[1].
'Cos you can't bloody change it and thus, if it is ever compromised, you are completely fucked in perpetuity[2], that's why. Basing security on something that cannot be changed at the drop of a hat is insanity with gilt knobs on.
[1] And if you take that bet you are a tit.
[2] Maybe once broken, some things will be changed to a completely different system immediately. Most won't and quite a few never will be.
-
Saturday 19th March 2016 15:00 GMT Charles 9
Re: More recently
"The problem here is that to be usable and secure it doesn't have to be beyond current medical science. It has to be beyond medical science forever"
No, it only has to be beyond medical science until technology marches on and we develop a new authentication method and start switching to it, making the old stuff stale.
"Basing security on something that cannot be changed at the drop of a hat is insanity with gilt knobs on."
EXCEPT it's the ONLY thing that's practically guaranteed to be present all the time regardless of circumstances. People may have bad memories and may not carry a second factor with them. That's important because these kinds of people still need to be screened.
PS. And believe me, I have lost count of the number of people who go about their business without their ID cards or keys (and then start begging because of that lack).
-
-
-
Saturday 19th March 2016 10:32 GMT Anonymous Coward
Re: More recently
Banks have been looking at finger vein patterns instead of (or as well as) fingerprints.
This would be used to approve card transactions for instance.
The idea behind this is that you don't leave copies of your vein patterns behind on everything you touch, so it can't be easily copied...
That too is not exactly a new idea (and even that article called it "not new" :) ), but the problem with those readers is that they are complex and the signal processing after a read is so demanding that separate companies have sprung up in that sphere just for the backend software. This creates issues for, for instance, access control, because the users expect an instantaneous response and it already takes seconds for the reader itself to process its own reading, let alone do a lookup in a database. All of that takes power and computing resources.
Compare this to fingerprints which are relatively easy to scan (with varying degrees of reliability), not too complex to process and relatively quick to match, and keep in mind that evidence from the security world suggests that banks will only ever seek to do the bare minimum required to escape liability in case something goes wrong.
Call me a cynic, but I can't see this really happening in the banking world.
-
-
-
Sunday 20th March 2016 16:13 GMT Anonymous Coward
Re: For Security, the biometrics should be using different body parts...
Use an area of the body that's got a better record of privacy for most people.
"Sit Here To Be Authorized."
You made me think of the Monsters vs Aliens clip..
-
Saturday 19th March 2016 22:55 GMT heyrick
Two thoughts...
Firstly, why are the banks making a big deal out of this fancy new way of authenticating ourselves when A, chip and PIN is protected by a lousy four digit PIN (come on, we're expected to know eleven digit phone numbers, can't they offer us the option to have a longer PIN if we want?) and B, we are expected to take it on trust that the little keypad connects to a proper secure device for the purposes of completing the transaction. I, personally, do not believe the so-called security one bit. There is no way to tell if the device isn't harvesting card numbers and PINs. In today's world of instant communications, it strikes me as odd that inserting your card can't open a secure connection to your bank, with the bank passing a special security phrase that can be shown on the LCD (an improbable passphrase of YOUR choosing known only to the bank such as "Duck! Duck! The turd is shiny giraffe!") so you know it is supposedly safe - this being an encrypted channel between the device itself and the bank. All the till will ever see is a yes/no response and some gibberish passing to and fro.
Secondly, I know Sneakers is an old film, but it is perhaps the best example in cinema of how to pwn voice based authentication systems. Do not forget that if this is done on a computer or smartphone it will likely require specific software (which is a whole other trust level - such as NatWest's constant demands for me to install Trusteer Rapport on my computers) and if it is done over the phone you'll be subject to the limitations of POTS, which may well mean that the authentication could be able to be fooled by a cassette tape recording of your voice.
So, sorry, call me cynical, but I'm wondering what this development is really intended to address. I'm wondering how it could be (ab)used to push more liability onto the end-user (who, helium balloons and singing aside, don't usually get the ability to change their voice...or other biometrics).
-