Biometric data stolen from corporate lunch rooms system

A US payment kiosk vendor has been stung by malware scum. Avanti Markets helps employers monetise the lunch-room and get rid of counter-service, going beyond a simple vending machine to cover the whole sandwiches-fruit-drinks-junk-food with one payment system. Last week, as first spotted by Brian Krebs, the company posted …

  1. Nolveys
    Thumb Up

    The bad news: they can't change people's fingerprints.

    The good news: the rectal scanning wands have already been installed.

    1. allthecoolshortnamesweretaken

      "The bad news: they can't change people's fingerprints."

      Does "delete" qualify as "change"? (Fingers grow back, right? Right?)

      1. Sway

        Sure, just CTRL + Z

        Oh wait, you have no fingers... sorry.

    2. Anonymous Coward

      "rectal scanning wands"

      There's always colonsequences with them you know.

  2. sanmigueelbeer

    Inhouse IT

    Is this an in-house IT or outsourced to IBM?

    1. Voland's right hand Silver badge

      Re: Inhouse IT

      Even if it was, it should not have anything to do with the canteen payment system. It should be self-contained.

  3. John Smith 19 Gold badge
    FAIL

    "Biometrics." It's a security "feature"

    Until it isn't

    Then it's just a f**king liability.

    And now someone has a nice set of personalized (very personalized) fingerprints you can run off and leave at crime scenes, in addition to other issues with this scheme.

    1. Anonymous Coward

      Re: "Biometrics." It's a security "feature"

      I've worked on biometrics.

      Rule 1 is to NEVER, EVER even transport the raw data - you pre-process at the point of collection.

      You hash and encrypt before transport, if possible salted, and salt the storage yet again. That way, only your local interpretation of the biometrics can ever leak, and that cannot be used to reconstruct the raw source data for use somewhere else. Anyone doing it differently should get hit with the maximum possible fines, something that will make new incoming EU privacy laws extra interesting.

      That goes for fingers, eyes, face geometrics, rectal scans, gait analysis* - the works. Not mentioning voice prints because they're too easy to replicate to be of any use (natural variation alone already mandates significant forgiveness in what you accept, rendering it pointless).

      * No, gait. Not goat. That's still "something you have" :)

      1. VinceH

        Re: "Biometrics." It's a security "feature"

        "Rule 1 is to NEVER, EVER even transport the raw data - you pre-process at the point of collection."

        If I've read the article and breach notice correctly, the malware was on the kiosks - and was therefore operating at the point of collection.

        1. Anonymous Coward

          Re: "Biometrics." It's a security "feature"

          "If I've read the article and breach notice correctly, the malware was on the kiosks - and was therefore operating at the point of collection."

          In that case it depends on how much the sensor does in firmware, but that still exposes recorded users on any platform that uses the same sensors (read: accepts the same data format) and which can be accessed electronically. *Not* good indeed.

      2. Alistair
        Windows

        Re: "Biometrics." It's a security "feature"

        " No, gait. Not goat. That's still "something you have" "

        Considering that my SO and I tend to wrap arms about our shoulders whilst we walk, I can tell you now that if one is using gait as a biometric, your sense of security is subject to shoes. I have dress shoes, running shoes and sandals, as does SWMBO, and when we walk together, different shoes require that we do different things to match stride. Thus, our gaits are substantially altered by the shoes we wear. Furthermore, I'll be at some point getting foot surgery to correct structural damage done whilst I was a rather young figure skater. I will be required to *re* learn how to walk after that is done. I'll not mention the twenty something offspring of a friend of mine who has had not one but two knee reconstructions due to baseball accidents.

      3. joed

        Re: "Biometrics." It's a security "feature"

        I can see (and use) biometrics as a convenient way to "locally" gain access to a secret (like payment data, or unlocking an iPhone) but I'd never consider a shared device for biometrics input. I have no business exposing any of that to a 3rd party (business or hackers). I have some level of trust in the way the iPhone handles fingerprint data (someone would have to lift my fingerprints and use them only on my "paired" device) but any centralized scheme is a no go. Especially considering how little is known with regard to how this biometric data is handled (and the more complex the biometrics, the more likely it's not done in hardware outside OS access). For this reason I don't plan on using it with any other system (like MS' Windows Hello). Also, frequency and circumstances of access (like when driving) are major factors to weigh in the compromise between security and convenience. Why someone would consider using biometrics for a vending machine (instead of a CC) is beyond me.

  4. Jin

    Mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’?

    Biometrics follows “unique” features of individuals’ bodies and behaviors. It means that it could be well used when deployed for identification of individuals who may be conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this sphere.

    Being “unique” is different from being “secret”, however. It would be a misuse of biometrics if deployed for security of the identity authentication of individuals.

    Confusing “Identification” with “Authentication”, we would be building a sandcastle in which people are trapped in a nefarious false sense of security. However gigantic and grandiose it may look, the sandcastle could melt away altogether when we have a heavy storm.

    Video: Biometrics in Cyber Space - "below-one" factor authentication

    https://youtu.be/wuhB5vxKYlg

  5. Anonymous Coward
    Facepalm

    POS biometric devices infected by Russian malware

    How does this Russian malware get onto the devices in the first place? Of what use is a biometrics security device that can be remotely hacked? Who sold Avanti the kiosks in the first place?

  6. msknight

    Goes to prove....

    ...there's no such thing as a free lunch.

    But this one was more expensive than most!

  7. joshimitsu

    I was working on a similar system for schools ten years ago - a USB-based fingerprint reader which was sending our software the full image, which would then hash and register (if it's the registration console) or verify (if it's the kiosk).

    Thinking back I suppose there was a risk of children's fingerprints being stolen before they were old enough to even understand data security!

    1. Martin an gof Silver badge

      "Thinking back I suppose there was a risk of children's fingerprints being stolen before they were old enough to even understand data security!"

      It's a system being pushed by the school my own children attend. Their justification is that children can't be bullied to hand over their dinner money and can't lose their "charge cards". Apparently the children don't really like the system because it "goes wrong" so often - they are convinced it actually makes the dinner queue slower.

      Right from the start we weren't entirely happy with the company offering the machines, so our children (and a small handful of others) have never had their fingerprints registered. Looks like my default position of paranoia might have something going for it :-)

      M.
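A constructed sketch of the pipeline the Anonymous Coward's "pre-process at the point of collection, then hash and salt" rule and joshimitsu's register/verify split describe, added here as an editorial example; it is not code from the page, from Avanti or from any vendor named in it. The feature lists, grid quantisation and per-fleet keys are assumptions for illustration; real matchers tolerate sensor noise with template matching or fuzzy extractors rather than an exact digest.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a sensor capture: a list of (x, y, angle)
# minutiae-like features. A real reader produces an image; the point here
# is the pipeline (derive, then protect), not fingerprint science.
def extract_template(capture, grid=8, angle_step=30):
    """Reduce the raw capture to a coarse, canonical template at the point of
    collection. Quantising to a grid absorbs small capture-to-capture jitter
    and sorting makes the result order-independent. Only this derived form
    leaves the sensor; the raw capture is discarded."""
    cells = sorted({(x // grid, y // grid, a // angle_step) for x, y, a in capture})
    return b"".join(f"{cx},{cy},{ca};".encode() for cx, cy, ca in cells)


def protect(template, deployment_key, user_salt):
    """Keyed, salted digest of a template. deployment_key is private to one
    kiosk fleet; user_salt is random per enrolment and stored beside the
    digest. The template is not recoverable from the digest, and the same
    finger yields an unrelated digest under another fleet's key."""
    return hmac.new(deployment_key, user_salt + template, hashlib.sha256).digest()


class Enrolment:
    """Registration console (register) and kiosk (verify) sharing one store."""

    def __init__(self, deployment_key):
        self.key = deployment_key
        self.records = {}  # user -> (salt, digest); nothing raw is kept

    def register(self, user, capture):
        salt = secrets.token_bytes(16)
        self.records[user] = (salt, protect(extract_template(capture), self.key, salt))

    def verify(self, user, capture):
        if user not in self.records:
            return False
        salt, digest = self.records[user]
        candidate = protect(extract_template(capture), self.key, salt)
        return hmac.compare_digest(candidate, digest)


# Constructed sample captures: the second is the first with one-pixel jitter,
# which quantisation absorbs; the third is a different finger.
FINGER_A = [(10, 20, 45), (33, 50, 100), (60, 12, 170)]
FINGER_A_NOISY = [(11, 21, 46), (34, 49, 101), (59, 13, 169)]
FINGER_B = [(10, 20, 45), (70, 50, 100), (60, 12, 170)]
```

Enrolling the same finger on two fleets with different keys leaves two unrelated digests in the stores, so a record lifted from one fleet does not verify on the other.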

  8. fidodogbreath
    FAIL

    Corporate blackwhite has bad bellyfeel

    The linked Avanti Markets Data Incident Notification is brimming with the usual corporate newspeak that means the exact opposite of what it purports to say.

    "Avanti Markets deeply values the relationships we have with money of individuals who utilize kiosks supported by Avanti Markets."

    "We treat all personal information in a confidential the cheapest possible manner and are proactive clearly incompetent in the careful handling of such information."

    They're also setting up a hot line. Prediction: your call will be very important to them, and their menu options will have recently changed.

    But don't worry about Avanti, though; they'll be fine. They're lawyered up ("We retained [...] outside legal counsel to assist"), and their TOS requires customers to use arbitration, which will pretend to listen to both sides and then rule in favor of the company. However, victims can look forward to some lame credit monitoring from the lowest bidder.

  9. Stevie

    Bah!

    Biometrics are dumb, dangerous and dumb.

    I know I wrote "dumb" twice, but that just reflects the depth of my feelings towards this dumb technology.

    The idea is sound enough. It's every phase of the execution that has "fail" writ large upon it.

    Passports that can be stolen from feet away without leaving one's pocket, photo IDs that require the owner to adopt facial poses never worn in nature and to doff the pop-bottle spectacles needed to avoid walking into walls and idiot biometrics stations. And fingerprints, which have been demonstrably fakable since about one year after they were first adopted as a means of identification.

    Dumb.

    1. kristensk

      Re: Bah!

      I registered to comment on this site just so I could upvote these comments.

  10. Count Ludwig

    Repeat after me...

    A fingerprint is a username, not a password, and you can never change it.

    A fingerprint is a username, not a password, and you can never change it.

    ...
