Biometrics: Better than your mother's maiden name. Good luck changing your body if your info is stolen

Identity theft has hit record levels in the UK – the vast majority of incidents are online. The UK's largest cross-sector fraud sharing database, Cifas, recently logged 174,523 incidents and found that eight out of 10 took place online. Far from targeting the usual haunts of bank and credit card services, fraudsters have shifted to …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

    1. Anonymous Coward

      It's Pearson

      Used to be Edexcel

      I think that says it all really. With very few exceptions, all exam software is horrendous!

    2. Mayday
      Unhappy

      "Full palm print"

      "Requires that you provide a full palm print"

      It's actually a palm vein scan, not a palm print. Still it is uniquely identifiable information.

      Trouble is in my line of work I'm obliged to do regular (all too bloody regular) certification exams to remain "relevant". I don't have any choice other than to be unemployed. It's not like I can refuse the scan or do an exam elsewhere, just like those who got their data stolen from Equifax can choose to not ever have their credit history verified.

      1. Anonymous Coward

        Re: "Full palm print"

        > It's not like I can refuse the scan

        Under the GDPR you do have that right, all you need is the resources and determination to get it enforced.

    3. Cederic Silver badge

      re:CISSP

      So basically in order to take the exam you have to do something that should automatically fail it?

  2. tiggity Silver badge

    Breakable systems

    Are a fact of life.

    There's already software that can be trained on a small amount of speech audio recording and will do a great job of mimicking someone's speech, so the super advanced speech recog bank system mentioned is on borrowed time.

    Passport and driving licence details are easily grabbable - e.g. many a young looking person has to flash one or other of those as ID for access to a pub / club

    Biometrics are stupid - as the article said, if images / videos of people exist then it is possible to subvert biometrics. I managed to open OH's device (at their request as they were not present and needed some content on it emailing to them & it was not configured for remote access) and it had no PIN fallback - this involved defeating the fingerprint ID system (lots of OH prints around the house to give me raw material to work with).

    All you can do is put up decent barriers to your system being broken - and as ever there's the sweet spot of not too much security else people give up using your system as it's too difficult

    1. JohnFen

      Re: Breakable systems

      "Biometrics are stupid"

      Well, it's not that they're "stupid" as such, it's that they're further toward the "convenient" end of the security vs convenience tradeoff. Marketing hype right now is promoting them as more secure, but marketing hype has never been known for its honesty or factual accuracy.

  3. Vinyl-Junkie
    Coat

    To summarise the summary of the summary...

    ...people are a problem!

    (C) Douglas Adams

  4. Jay Lenovo
    Coat

    Thirty pieces of silver

    Some systems I believe tried using one's soul for verification.

    Turns out, too many people have willingly sold this information to the dark web to take much trust in it...

  5. Mage Silver badge

    US Verification

    The way they use Social Security numbers and birthdates is madness. Esp, the Police in USA and JUST using birthdate/area/name and not the unique driver's licence number or something else unique. Not just identity theft (The stupid way Social Security numbers are used) but OFFICIAL identity confusion on fines.

    1. Adam 1

      Re: US Verification

      Three facts: Date of birth + gender + post/zip code get a surprisingly unique profile. I don't have the figures on hand, but it is enough to uniquely fingerprint a single person in well north of 80% of occasions.

      So you heard it here first. Want privacy, be an identical twin....

      1. Allan George Dyer

        Re: US Verification

        @Adam 1 - "Date of birth + gender + post/zip ... uniquely fingerprint a single person in well north of 80% of occasions"

        So it's an Identification system that fails 20% of the time. Meh, I suppose it's good enough for targeting ads and vilification.

        It isn't an Authentication system.

        It isn't even sufficient Identification for "beyond reasonable doubt" that should be required for a criminal conviction.

        1. Adam 1

          Re: US Verification

          @allan, the salient point is that seemingly non-identifying attributes in combination can build up a profile that is anything but anonymous. I'm not really sure why you bring up authentication or reasonable doubt testing. But I guess if somehow police knew your date of birth, gender and suburb but absolutely nothing else about you, they would only catch you 80% of the time.
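The point made in this exchange, that a handful of individually harmless attributes combine into a near-unique profile, is easy to measure on a table of records. The following is an added example and not part of any comment above: the records are constructed (made-up dates of birth and postcodes, not real people), and it computes how many rows are the only one with their date-of-birth + gender + postcode combination, then repeats the count after coarsening those fields the way a data publisher would to raise k-anonymity.

```python
from collections import Counter

# Constructed records: (date of birth, gender, full postcode). Made-up values,
# not real people; eight rows are enough to show the effect.
RECORDS = [
    ("1985-03-12", "F", "SW1A 1AA"),
    ("1985-03-12", "F", "SW1A 1AA"),   # identical twins living at the same address
    ("1985-09-23", "F", "SW1A 2BB"),
    ("1990-07-04", "M", "EC2N 1HQ"),
    ("1990-11-18", "M", "EC2N 4AY"),
    ("1972-11-30", "F", "M1 1AE"),
    ("2001-01-01", "M", "EC2N 1HQ"),
    ("1965-05-05", "F", "EC2N 2AB"),
]


def full_key(record):
    """Quasi-identifier as the comment describes it: exact DOB + gender + full postcode."""
    return record


def generalized_key(record):
    """Coarsened quasi-identifier: birth year + gender + outward postcode only."""
    dob, gender, postcode = record
    return (dob[:4], gender, postcode.split()[0])


def group_sizes(records, key_fn):
    """How many records share each quasi-identifier value."""
    return Counter(key_fn(r) for r in records)


def unique_fraction(records, key_fn):
    """Fraction of records that are the only one with their quasi-identifier (k = 1)."""
    sizes = group_sizes(records, key_fn)
    singletons = sum(1 for r in records if sizes[key_fn(r)] == 1)
    return singletons / len(records)


def anonymity_k(records, key_fn):
    """The k of k-anonymity: the smallest group any record belongs to."""
    return min(group_sizes(records, key_fn).values())


if __name__ == "__main__":
    for name, fn in (("exact", full_key), ("generalized", generalized_key)):
        print(f"{name}: {unique_fraction(RECORDS, fn):.0%} of records unique, "
              f"k={anonymity_k(RECORDS, fn)}")
```

On the constructed rows the exact combination singles out 75% of people (only the twins share a value), and coarsening to birth year and outward postcode drops that to 37.5%; a release that wanted k = 2 or more would have to generalise further or suppress the remaining singleton rows. The function is generic, so the same check can be run over any list of tuples with a different key function.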

    2. Tikimon
      Facepalm

      Re: US Verification

      Social Security Cards in the US have said different things on the front across the bottom edge. The progression is very informative.

      First, nothing.

      Later, "For social security purposes - Not for identification"

      Later, "For social security and tax purposes - Not for identification"

      Now? Blank. Your SSN is your National ID number!

      It's also tailor-made to be your "primary key" in the myriad of databases storing info about you. Joy.

  6. Mage Silver badge
    Facepalm

    Biometrics

    They can only be used as the NAME part of a log in. NEVER EVER the password part of a log in. Because you can't change them.

    IDIOTS.

    1. JeffyPoooh
      Pint

      Re: Biometrics

      "Good luck changing your body..."

      I came here to post: Biometrics are your USERNAME, *NOT* your PASSWORD!!

      It was my intention to ask those assembled if this common sense conclusion had yet been chiselled into the fixed body of knowledge that is 'Duh-obvious IT Security 101' ? Apparently not.

      As a very wise person recently noted, "IDIOTS."

      As a side note, if we chose a different bodily appendage to apply to the scanner, a part of the anatomy that is normally kept out of public view, then it might work as a Password. But then we'd have to clean the scanners after each use.

      1. Twanky

        Re: Biometrics

        "Biometrics are your USERNAME, *NOT* your PASSWORD!!"

        Hmm. I have more than a dozen different e-mail addresses which are used as Usernames to log into different sites. I have many more made-up Usernames for other sites which then link back to some of those e-mail addresses.

        I only have the usual eight fingers and two thumbs and one face (no digital accidents so far).

        I don't want to assert the same Identity at multiple sites. ZoOm seems a backward step to me.

  7. ma1010
    Paris Hilton

    Wonder if Estonia's solution would work?

    I don't understand much about crypto, so have no real opinions on how to secure ID, but I'm wondering if what Estonia is doing with giving people chipped ID cards and readers as part of the ID process (I assume it also requires a password, too) would work? I've read that people there can vote, pay taxes, etc., using these cards which, apparently, are considered a secure form of ID. That might be one thing to help with the ID problem.

    Paris because this is a baffling problem to solve well.

    1. earl grey
      Facepalm

      Re: Wonder if Estonia's solution would work?

      It's all good until it's broken and then it's crap like everything else. They have to originally base it on something and that's probably more of a problem.

  8. a_yank_lurker

    Biometrics vs Maiden Name

    Biometrics are basically permanent and cannot be changed, so they are only good as a username or equivalent. Questions like mother's maiden name can be guessed if you assume (mostly correctly) the person actually answered correctly. But if a person uses a set of fictitious answers to these questions that would not be obvious where they come from, they are much harder to guess. For example, using 'von Francois' for mother's maiden name when it is 'Smith' and 'von Francois' is not a close relative's name like an in-law.

    1. bombastic bob Silver badge
      Devil

      Re: Biometrics vs Maiden Name

      problems with biometrics:

      a) scarring [obvious] or other debilitation

      b) beards vs no beards

      c) fingerprints can be faked with some ingenuity, some superglue, and some tape

      d) not sure about retinas, but in how many movies has a stolen eyeball or special contact lens been used to fake that? [I have to wonder how realistic either of those is]

      other than a DNA scan [which doesn't work between identical twins, as they have identical DNA] what else could there be? that is, without going the "whole body MRI" approach.

      I suspect we'll all be 'chipped' before biometrics becomes practical for everyday use at a point of sale machine or ATM.

  9. PhilipN Silver badge

    History's first hacker

    Ali Baba sneakily finding out that "Open Sesame" was the password.

    And spawning a thousand atrocious pantomimes.

    Bastard!

  10. Anon Ymous 42

    Biometrics are better than alternatives

    Most Biometric systems use the concept and store a Biometric template and not the actual biometric. This is done for a number of reasons (the biometric changes as you grow for example). This also means that the Biometric itself (fingerprint, eye scan, etc) is not actually stored. Which means any compromise of the system doesn't provide the data needed to do a future match.

    Additionally each Biometric sample is different every time. You read your fingerprint twice and these are two unique different samples, even though both samples are from the same finger. Most Biometric systems will store a hash of each sample so they can easily determine if a sample was 'replayed' or seen before.

    So in general the theft of your biometric is not as simple as capturing your fingerprint, voice, eye scan and replaying this. Biometrics are not infallible, but are far better than other options available, particularly if initial enrollment is done in a face to face situation (like a driver's license or US Customs entry point).

    MFA can be phished and/or man in the middled, KBA can be learned easily with a very small amount of detective work. Estonia's smartcard solution is very strong, but expensive for hardware and doesn't work well on mobile devices. Apple's implementation of both TouchID and FaceID is done properly on the most recent devices (6S or later) because of its use of a secure element (which in concept is similar to the protection that the Estonia solution provides).
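The two mechanisms this comment describes, storing a derived template rather than the raw biometric and hashing each sample so an exact repeat can be spotted, can be sketched in a few lines. This is an added toy example, not the commenter's code and not how any named product works: the "readings" are constructed four-value feature vectors standing in for whatever a real sensor and feature extractor produce, matching is a plain Euclidean distance against the averaged template (real systems use far richer features and fuzzy matchers), and the only thing retained after enrollment is the template plus SHA-256 hashes of the samples already seen.

```python
import hashlib
import math

# Constructed enrollment readings: each tuple stands in for the feature vector a
# sensor pipeline would extract from one capture. Made-up numbers, not real prints.
ENROLLMENT_READINGS = [
    (0.71, 0.42, 0.88, 0.13),
    (0.69, 0.45, 0.86, 0.15),
    (0.72, 0.41, 0.89, 0.12),
]


def make_template(readings):
    """Averaged feature vector: this is what gets stored. The raw readings are not."""
    n = len(readings)
    return tuple(sum(r[i] for r in readings) / n for i in range(len(readings[0])))


def sample_hash(reading):
    """Fixed-precision serialisation of one capture, hashed so it can be remembered
    without keeping the capture itself."""
    return hashlib.sha256(",".join(f"{v:.4f}" for v in reading).encode()).hexdigest()


class BiometricVerifier:
    def __init__(self, readings, threshold=0.05):
        # Only the template and the hashes of past samples survive enrollment.
        self.template = make_template(readings)
        self.threshold = threshold
        self.seen_hashes = {sample_hash(r) for r in readings}

    def verify(self, reading):
        """Return 'replay', 'match' or 'no_match' for a new capture."""
        h = sample_hash(reading)
        if h in self.seen_hashes:
            # Two live captures never agree to the last digit; an exact repeat of a
            # sample already seen is treated as a replay, not a genuine presentation.
            return "replay"
        self.seen_hashes.add(h)
        distance = math.dist(self.template, reading)
        return "match" if distance <= self.threshold else "no_match"


if __name__ == "__main__":
    verifier = BiometricVerifier(ENROLLMENT_READINGS)
    fresh = (0.70, 0.43, 0.87, 0.14)          # close to the template, never seen before
    print(verifier.verify(fresh))             # match
    print(verifier.verify(fresh))             # replay: identical bytes presented again
    print(verifier.verify((0.30, 0.90, 0.20, 0.60)))   # no_match
```

The split matters for the comment's argument: a dump of `verifier` yields an averaged template and a set of hashes, neither of which is a capture that could be fed back to the sensor, and the hash set is what lets the matcher refuse a sample it has literally seen before. The threshold is the usual false-accept versus false-reject knob; in a toy with hand-picked numbers 0.05 is arbitrary, and a real deployment tunes it on measured error rates.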

  11. Lucky2BHere

    There is a solution - and in use today

    Please see zoomlogin.com.

  12. T. F. M. Reader

    2FA solves some problems, brings others

    2FA is supposed to help with the problem that your privates will be swiped if anyone steals or guesses your password. However, it brings on bigger problems, IMHO, such as lock-outs, without any breach at all, in case something happens to your second factor/token. That problem is independent of using something insecure such as SMS.

    For something work-related 2FA is probably fine in most cases. If my phone/token gets lost or borked or whatever while I am traveling, but I can call a sysadmin/security admin who knows me and recognizes my voice and resets/reconfigures the 2nd factor so that I can access what I need with a different phone (or without 2FA until I get back from the trip), the problem can be mitigated. I am not sure many organizations have protocols/procedures for that, but it is possible.

    I would not use 2FA with something like GMail, however. If something happens to my phone I do not, for the life of me, understand what the process to convince Google, in a reasonable amount of time at least, that it is really me and not some impostor who wants to reset the 2nd factor might be.

    2FA by SMS is stupid not only because SMS is insecure, but because it simply does not work. I travel with a different SMS/phone number and messages sent to my normal number simply won't reach me (calls will). Not a problem, unless/until I need those messages to access essential services...

    I still haven't figured out how I would deal with online credit card payments - those "Verified by Visa" and similar mechanisms - while on the road. Somehow I managed to avoid that until now. I suppose I can bring the "domestic" SIM with me and swap it in temporarily and pay for the incoming SMS, so it may be doable, albeit quite inconvenient/costly.

    Ironically, I assume that in a pinch I can convince the credit card company to reset the second factor on the basis of KBA over the phone. This means that the 2FA is only as secure as KBA, anyway.

  13. Anonymous Coward

    Communism is the answer

    If there is no private property, there is nothing to steal.

    Why haven't we tried that? I mean, what could *possibly* go wrong? >:)

  14. Eclectic Man Silver badge

    Problems with biometrics

    People get damaged. So if you rely on fingerprints, don't hit your finger with a hammer. (Oh, and whorls indicate higher likelihood of cancer than waves.) Facial recognition? Try not to have an operation on your face (I know from personal experience it is quite painful, but better than having skin cancer on your nose). Iris recognition? Avoid sties or black eyes or any infection causing the eyelid to be permanently shut. Voice recognition? Your state of mental health can be determined from the range of frequencies you use. Hand geometry? There is a correlation between the d2:d4 ratio and sexuality (fancy going to a country where homosexuality is punishable by death or traumatic amputation?)

    Biometrics are measurements of the body, and lots of diseases can be diagnosed from the eyes (not just glaucoma, jaundice or cataracts). People get damaged, so there must always be a non-biometric work-around for essential systems. Who are you prepared to trust not only with the measurements of your body, but with all the medical diagnostic and statistical correlations that go with them? (DHS officers, please form an orderly queue ...)

  15. Jin

    The Issue of False Rejection

    The actual/measured false rejection rates in the Aadhaar scheme have been publicized - reportedly 6% for fingerprints and 8.5% for iris scan. Those who were falsely rejected need to be rescued somehow.

    If passwords are to be used as an alternative to the biometrics (as a fallback means), the overall security would be lower than the password-only authentication. It would mean that the huge amount of money spent for biometrics had contributed only to ruining the security. What an irony!

  16. ade328

    It's Business folks, not Security...

    Whatever the system, we all know that it is only the $$$ impact that will change things, and nothing else! For example, the entire fraudulent activity of card-not-present (CNP) scenarios is supported by the insurance industry. That "we're all insured, so don't worry" is supported and paid for by us all! It's called APR rates.

    As many experienced security professionals on this board know, there is no perfect security, and good enough will do when everybody pays toward the 5% (nominal %) fraudulent activity.

    So when will change come? When online fraud and loss exceeds that which underwriters are prepared to cover...? No! They just put premiums up, it's business! And that's all it is folks, business - nothing to do with security. That is where many security professionals get in a knot, including myself.

    Biometrics, I sense there will be a sting in the tail! And consumers will be the ones to pay for it.

  17. Lucky2BHere

    Biometrics are entering a new era

    This was a well-researched, well-thought-out article. Indeed, the hope is with biometrics. But, as well-stated, this current crop (legacy biometrics) is not good enough. Regardless of the method, with legacy biometrics there is either a security risk or a significant convenience factor that will not allow them to be effective.

    However, AI-developed/driven applications are solving many problems and are just entering the market. This is not a blatant plug, but an invitation to see for yourself: we've been delivering a 100% software face authentication biometric that is far more secure, and very easy to use and manage for IT.

    ZoOm 3D Face Login is currently being used in banking, transportation and government and is either supplementing legacy login methods or replacing them outright - including passwords. It is virtually unspoofable and the encrypted biometric data cannot be borrowed or stolen for use anywhere outside of the process.

    Please judge for yourself, but it appears we have a universally-usable, highly-secure biometric that won't put anyone's identities at risk.
