Fingerprint tech makes ATMs super secure, say banks. Crims: Bring it on, suckers

Cybercriminals are hawking their claimed ability to exploit newly introduced biometric-based ATM authentication technologies. Many banks view biometric-based technologies such as fingerprint recognition to be one of the most promising additions to current authentication methods, if not a complete replacement to chip and PIN. …

  1. Lee D

    “Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way.”

    Or not use it as authentication ANYWHERE. Because you're assuming perfect security into perpetuity for your system to work. It won't.

    Fingerprints ARE NOT authentication. They are identity. It's entirely different, and if Kaspersky and ATM manufacturers haven't sussed this yet, they need to be removed from ever selling in the entire market pronto.

    1. Aodhhan
      FAIL

      2 factor (multifactor) Authentication... To clear things up.

      Authentication: is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity.

      Identity: is the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity.

      So, the article is correct. Because it didn't talk about a fingerprint or iris itself, it referred to the method of authentication; in this case which uses fingerprints or iris, etc.

      Don't read into something just to make a point.

  2. Dr. Mouse

    2-factor authentication

    Cards currently rely on 2 factor authentication. They require something you have (the card) and something you know (the PIN).

    If you replace the PIN with biometrics, you no longer have such a system. They would require that you have 2 things, and need not know anything*. This is a weakening of security, full stop.

    1. yoganmahew

      Re: 2-factor authentication

      Absolutely. It's bad enough that I had to replace my mother and shoot my dog. Now I'll have to get a finger graft.

      I did always want 11 fingers, though, so maybe it's worth it.

      1. Anonymous Coward

        Re: 2-factor authentication

        It's bad enough that I had to replace my mother and shoot my dog

        Hahaha, I need to file that comment somewhere for any security seminar. Fantastic :).

      2. Dr. Mouse

        Re: 2-factor authentication

        Absolutely. It's bad enough that I had to replace my mother and shoot my dog. Now I'll have to get a finger graft.

        This is the type of comment the acronym ROFLMAO was invented for!

  3. Mage

    Rats!

    My new biometric system uses a pet rat. If the information is stolen then you replace the rat and register the new one with the bank.

    Makes more sense than human biometrics. Rats can also be trained to be loyal and bite a thief or even fitted with an NFC collar that kills it if it's stolen from you.

    1. Mark 85

      Re: Rats!

      Add to that, since rats normally only live about 2+ years, that information has a built-in expiry date.

  4. Hollerithevo

    A new market: disposable finger stalls

    I see being able to buy little slip-on finger covers guaranteed to have a unique* fingerprint on each one. If your identity is compromised, discard it and use another! And you can keep it by the post-it note with your old passwords.

    *ha ha ha ha ha

  5. Filippo

    Oh, yes, let's replace my shared secret with another shared secret, except that I actually leave copies of this one everywhere I go, and cannot change it ever.

    How is it possible that people who are supposed to work in security are thinking this is a good idea?

    How the fuck is it possible for a person to say "if this is compromised even once, you're screwed forever... so we must try really hard not to have it compromised", and still get called a "security expert"?

  6. Anonymous Coward

    «the introduction of much harder (but not impossible) to clone chip-and-pin payment cards»

    I've yet to see a successful demonstration of actual chip-and-pin cloning, rather than those vague FUD statements.

    Gluing a second chip on the top of the original, as was shown here on ElReg in a panicky article once, does not count as cloning.

  7. The_Idiot

    Thus, if your data is compromised once, it won’t be safe to use that authentication method again.

    When. As in _when_ your data is compromised. Not 'if'. And the 'when' won't take long.

    A non-revocable credential, whether for identification or verification, is (in my view, at least), a really, really, like, _really_ bad idea. And I'd bet good money, without even looking, there's a whole bunch of folks here posting things which say much the same thing. Which doesn't stop the bloody daft idea coming back up in various shapes and forms time and time again. Can I cry now?

  8. Anonymous Coward

    Yawn..

    Here we go again. Which part of TWO factor says that replacing a factor that a user can change with one that they cannot change and that can be easily obtained is *BETTER*?

    You can ADD a biometric factor, so you end up with something you know and something you are. The latter could also be in the form of an IQ test, but the resolution at room temperature is a tad on the low side.

    Nitwits. Let me guess, they're trying to sell biometric solutions? How about implementing an open standard 2FA instead, such as FIDO U2F? It's something you HAVE, OK, but if you combine that with something you KNOW you're in a much better position than with a password or PIN code alone - that is, unless some idiot leaks your secret, but that gives you at least ONE compromise instead of everything that depends on you giving it the finger.

    1. Lars
      Joke

      Re: Yawn..

      My solution is to keep the max of what I can draw low enough not to make a larger problem. So far without any need for it, except once when I was unable to draw what I wanted, of course. But then, the optimist I am, sometimes, I came to the conclusion that she wasn't worth it anyway.

      This is a bit like understanding the first law of betting, which is: never bet more than you can afford to lose.

      Poor Cameron, why did nobody educate him? Looking at you, Eton College.

      Icon not totally accurate.

  9. G R Goslin

    I for one....

    will be pleased when they replace the old ATMs. At least the new screens will not be burnt out and faded to near illegibility.

  10. Anonymous Coward

    Liveness Detection Anyone?

    Fingerprints aren't private - we leave them at every coffee shop, door knob and restaurant. Fingerprints are statistically unique, however, which makes them very useful for verifying an individual's identity. They shouldn't be used alone, however, for some of the reasons listed above. Combined with proper liveness detection capabilities, fingerprints can be trusted as originating from the proper source, and not replayed or faked.

    Without liveness detection, someone with access to your fingerprint or its template could potentially cause issues. However, with liveness detection a fraudster not only needs to fake the fingerprint, but also the fact that it came from a living human being. If four-digit PINs have a 1 in 10,000 chance of being "guessed" and a 100% chance of being shared, I'll take the fingerprint sensor.

  11. a_yank_lurker

    True 2 FA

    True 2 FA has to rely on two different bits of information that are not likely to be closely related and ideally not generated by the same person. And they must be changeable when needed. Fingerprints and other biometric stuff are not changeable at all.

  12. Anonymous Coward

    I've got ten digits - if one is compromised, there are nine others waiting

  13. Ian Michael Gumby
    Boffin

    Three factor authentication?

    So you have chip and PIN...

    Now let's add one of the following:

    Some sort of authenticator, like Google's Authenticator, that is synced to your account so that you need the physical card, your 4-digit PIN and then the 6-digit code from the authentication app. So you can use your bank's ATM if you have your phone or PC with you...

    The other would be just having the bank SMS you a text with a 6-digit code that you then have to type in... you set up a phone number associated with the card, so the crooks would have a harder time breaking the system.

    Note: this wouldn't work well at the stores or restaurants because it adds to the time it takes to pay. (think longer queues at the checkout counters....)

  14. Jin

    Biometrics are treats for criminals

    Criminals can be given chances to use either the fingerprint data or the user's PIN, as shown in

    https://youtu.be/5e2oHZccMe4
