It's Pearson
Used to be Edexcel
I think that says it all really. With very few exceptions, all exam software is horrendous!
Identity theft has hit record levels in the UK – the vast majority of incidents are online. The UK's largest cross-sector fraud sharing databases, Cifas recently logged 174,523 incidents finding eight out of 10 took place online. Far from targeting the usual haunts of bank and credit card services, fraudsters have shifted to …
"Requires that you provide a full palm print"
It's actually a palm vein scan, not a palm print. Still it is uniquely identifiable information.
Trouble is in my line of work I'm obliged to do regular (all too bloody regular) certification exams to remain "relevant". I don't have any other choice other than to be unemployed. It's not like I can refuse the scan or do an exam elsewhere, just like those who got their data stolen from Equifax can choose to not ever have the credit history verified.
Are a fact of life.
There's already software that can be trained on a small amount of speech audio recording and will do a great job of mimicking someone's speech, so the super advanced speech recog bank system mentioned is on borrowed time
Passport and driving licence details are easily grabbable - e.g. many a young looking person has to flash one or other of those as ID for access to a pub / club
Biometrics are stupid - as article said, if images / videos of people exist then possible to subvert biometrics. I managed to open OH's device (at their request as they were not present and needed some content on it emailing to them & it was not configured for remote access) and had no pin fallback - this involved defeating fingerprint ID system (lots of OH prints around the house to give me raw material to work with).
All you can do is put up decent barriers to your system being broken - and as ever there's the sweet spot of not too much security else people give up using your system as it's too difficult
"Biometrics are stupid"
Well, it's not that they're "stupid" as such, it's that they're further toward the "convenient" end of the security vs convenience tradeoff. Marketing hype right now is promoting them as more secure, but marketing hype has never been known for its honesty or factual accuracy.
The way they use Social Security numbers and birthdates is madness. Esp, the Police in USA and JUST using birthdate/area/name and not the unique driver's licence number or something else unique. Not just identity theft (The stupid way Social Security numbers are used) but OFFICIAL identity confusion on fines.
Three facts: Date of birth + gender + post/zip code get a surprisingly unique profile. I don't have the figures on hand, but it is enough to uniquely fingerprint a single person in well north of 80% of occasions.
So you heard it here first. Want privacy, be an identical twin....
@Adam 1 - "Date of birth + gender + post/zip ... uniquely fingerprint a single person in well north of 80% of occasions"
So it's an Identification system that fails 20% of the time. Meh, I suppose it's good enough for targeting ads and vilification.
It isn't an Authentication system.
It isn't even sufficient Identification for "beyond reasonable doubt" that should be required for a criminal conviction.
@allan, the salient point is that seemingly non-identifying attributes in combination can build up a profile that is anything but anonymous. I'm not really sure why you bring up authentication or reasonable doubt testing. But I guess if somehow police knew your date of birth, gender and suburb but absolutely nothing else about you, they would only catch you 80% of the time.
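The "three facts" point in the exchange above, as an added example that is not from any of the commenters: a short script that measures how many records a set of quasi-identifiers singles out in a dataset, and how much coarsening those fields (birth year instead of full date, outward postcode instead of full postcode) reduces that. The records, field names and the two quasi-identifier choices are constructed for illustration; the figures it prints are for this toy data, not the 80% quoted in the thread.

```python
from collections import Counter
from typing import Callable, Hashable, List, Tuple

Record = Tuple[str, str, str]  # (date_of_birth, gender, postcode)

# Constructed sample records, not real people. Two pairs deliberately share
# all three attributes; everyone else differs on at least one.
RECORDS: List[Record] = [
    ("1984-03-12", "F", "SW1A 1AA"),
    ("1984-03-12", "M", "SW1A 1AA"),
    ("1990-07-01", "F", "M1 1AE"),
    ("1990-07-01", "F", "M1 1AE"),
    ("1975-11-30", "M", "EH1 1YZ"),
    ("1975-11-30", "M", "EH1 2AB"),
    ("2001-01-15", "F", "B33 8TH"),
    ("1984-03-13", "F", "SW1A 1AA"),
    ("1969-05-05", "M", "CF10 1AA"),
    ("1969-05-05", "M", "CF10 1AA"),
]

QuasiId = Callable[[Record], Hashable]


def exact_qi(r: Record) -> Hashable:
    """Full date of birth, gender and full postcode, as in the comment above."""
    return r


def generalised_qi(r: Record) -> Hashable:
    """Coarsened version: birth year, gender and outward postcode only."""
    dob, gender, postcode = r
    return (dob[:4], gender, postcode.split()[0])


def class_sizes(records: List[Record], qi: QuasiId) -> Counter:
    """How many records share each quasi-identifier value (the equivalence classes)."""
    return Counter(qi(r) for r in records)


def k_anonymity(records: List[Record], qi: QuasiId) -> int:
    """Smallest class size: k=1 means at least one person is singled out."""
    return min(class_sizes(records, qi).values())


def fraction_unique(records: List[Record], qi: QuasiId) -> float:
    """Share of records that are the only member of their class, i.e. re-identifiable."""
    sizes = class_sizes(records, qi)
    return sum(1 for r in records if sizes[qi(r)] == 1) / len(records)


if __name__ == "__main__":
    for name, qi in (("exact", exact_qi), ("generalised", generalised_qi)):
        print(f"{name:12s} k={k_anonymity(RECORDS, qi)} "
              f"unique={fraction_unique(RECORDS, qi):.0%}")
```

On this data the exact triple singles out 6 of the 10 records; generalising to birth year and outward code drops that to 2 of 10, but k is still 1, which is the usual finding: coarsening helps, yet any release needs the class-size check run before it goes out, not assumed.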
Social Security Cards in the US have said different things on the front across the bottom edge. The progression is very informative.
First, nothing.
Later, "For social security purposes - Not for identification"
Later, "For social security and tax purposes - Not for identification"
Now? Blank. Your SSN is your National ID number!
It's also tailor-made to be your "primary key" in the myriad of databases storing info about you. Joy.
"Good luck changing your body..."
I came here to post: Biometrics are your USERNAME, *NOT* your PASSWORD!!
It was my intention to ask those assembled if this common sense conclusion had yet been chiselled into the fixed body of knowledge that is 'Duh-obvious IT Security 101'? Apparently not.
As a very wise person recently noted, "IDIOTS."
As a side note, if we chose a different bodily appendage to apply to the scanner, a part of the anatomy that is normally kept out of public view, then it might work as a Password. But then we'd have to clean the scanners after each use.
"Biometrics are your USERNAME, *NOT* your PASSWORD!!"
Hmm. I have more than a dozen different e-mail addresses which are used as Usernames to log into different sites. I have many more made-up Usernames for other sites which then link back to some of those e-mail addresses.
I only have the usual eight fingers and two thumbs and one face (no digital accidents so far).
I don't want to assert the same Identity at multiple sites. ZoOm seems a backward step to me.
I don't understand much about crypto, so have no real opinions on how to secure ID, but I'm wondering if what Estonia is doing with giving people chipped ID cards and readers as part of the ID process (I assume it also requires a password, too) would work? I've read that people there can vote, pay taxes, etc., using these cards which, apparently, are considered a secure form of ID. That might be one thing to help with the ID problem.
Paris because this is a baffling problem to solve well.
Biometrics are basically permanent and cannot be changed, so they are only good as a username or equivalent. Questions like mother's maiden name can be guessed if you assume (mostly correctly) the person actually answered correctly. But if a person uses a set of fictitious answers to these questions that would not be obvious where they come from, they are much harder to guess. For example using 'von Francois' for mother's maiden name when it is 'Smith' and 'von Francois' is not a close relative's name like an in-law.
problems with biometrics:
a) scarring [obvious] or other debilitation
b) beards vs no beards
c) fingerprints can be faked with some ingenuity, some superglue, and some tape
d) not sure about retinas, but in how many movies has a stolen eyeball or special contact lens been used to fake that? [I have to wonder how realistic either of those is]
other than a DNA scan [which doesn't work between identical twins, as they have identical DNA] what else could there be? that is, without going the "whole body MRI" approach.
I suspect we'll all be 'chipped' before biometrics becomes practical for everyday use at a point of sale machine or ATM.
Most Biometric systems store a Biometric template and not the actual biometric. This is done for a number of reasons (the biometric changes as you grow, for example). This also means that the Biometric itself (fingerprint, eye scan, etc.) is not actually stored, which means any compromise of the system doesn't provide the data needed to do a future match.
Additionally each Biometric sample is different every time. You read your fingerprint twice and these are two unique different samples, even though both samples are from the same finger. Most Biometric systems will store a hash of each sample so they can easily determine if a sample was 'replayed' or seen before.
So in general the theft of your biometric is not as simple as capturing your fingerprint, voice, eyescan and replaying this. Biometrics are not infallible, but are far better than other options available, particularly if initial enrollment is done in a face to face situation (like a drivers license or US Customs entry point).
MFA can be phished and/or man-in-the-middled, KBA can be learned easily with a very small amount of detective work. Estonia's smartcard solution is very strong, but expensive for hardware and doesn't work well on mobile devices. Apple's implementation of both TouchID and FaceID is done properly on the most recent devices (6S or later) because of its use of a secure element (which in concept is similar to the protection that the Estonia solution provides).
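The template-plus-sample-hash design the comment above describes, as an added example that is not from any commenter or vendor: a toy verifier that keeps only the features extracted from a scan (the raw image is discarded at enrolment), tolerates the normal scan-to-scan variation when matching, and records a digest of every sample it has seen so that a bit-identical re-presentation is refused even though it would match. The feature format (a few x, y, orientation points), the three captures, the tolerances and the accept threshold are all constructed for illustration; real systems extract far richer features.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Feature = Tuple[int, int, int]  # (x, y, orientation in degrees): a simplified minutia


@dataclass
class Capture:
    """One scan: the raw sensor image plus the features extracted from it."""
    image: bytes
    features: List[Feature]


# Constructed captures, not real fingerprint data. ENROL and GENUINE stand for two
# scans of the same finger: same structure, small shifts, one point missed.
ENROL = Capture(b"raw-image-1", [(12, 40, 30), (55, 18, 120), (70, 77, 210),
                                 (33, 91, 300), (88, 50, 45), (20, 65, 180)])
GENUINE = Capture(b"raw-image-2", [(13, 41, 33), (54, 19, 118), (71, 76, 212),
                                   (34, 90, 297), (87, 51, 47)])
IMPOSTOR = Capture(b"raw-image-3", [(40, 40, 90), (60, 60, 180), (10, 80, 270),
                                    (80, 20, 0), (50, 10, 135), (25, 25, 60)])


def sample_digest(features: List[Feature]) -> str:
    """Hash of the extracted sample; two scans of one finger never give the same digest."""
    canonical = ",".join(f"{x}:{y}:{a}" for x, y, a in sorted(features))
    return hashlib.sha256(canonical.encode()).hexdigest()


def match_score(template: Tuple[Feature, ...], features: List[Feature],
                dist: int = 4, angle: int = 10) -> float:
    """Tolerant one-to-one matching: a feature matches if an unused template
    feature lies within `dist` in x and y and within `angle` degrees."""
    used: Set[int] = set()
    matched = 0
    for x, y, a in features:
        for i, (tx, ty, ta) in enumerate(template):
            if i in used:
                continue
            da = abs((a - ta + 180) % 360 - 180)  # smallest angular difference
            if abs(x - tx) <= dist and abs(y - ty) <= dist and da <= angle:
                used.add(i)
                matched += 1
                break
    return matched / max(len(template), len(features))


@dataclass
class Verifier:
    threshold: float = 0.6
    templates: Dict[str, Tuple[Feature, ...]] = field(default_factory=dict)
    seen_digests: Set[str] = field(default_factory=set)

    def enrol(self, user: str, capture: Capture) -> None:
        # Only the extracted template is kept; capture.image is never stored.
        self.templates[user] = tuple(capture.features)
        self.seen_digests.add(sample_digest(capture.features))

    def verify(self, user: str, capture: Capture) -> str:
        digest = sample_digest(capture.features)
        if digest in self.seen_digests:
            return "replay"  # bit-identical to a sample already presented
        self.seen_digests.add(digest)
        score = match_score(self.templates[user], capture.features)
        return "accept" if score >= self.threshold else "reject"


def demo() -> List[str]:
    """Genuine scan, the same scan again, an impostor, then the enrolment sample itself."""
    v = Verifier()
    v.enrol("alice", ENROL)
    return [v.verify("alice", GENUINE), v.verify("alice", GENUINE),
            v.verify("alice", IMPOSTOR), v.verify("alice", ENROL)]


if __name__ == "__main__":
    print(demo())  # ['accept', 'replay', 'reject', 'replay']
```

The digest check only catches samples that are byte-for-byte identical to one already seen; it is a cheap complement to, not a substitute for, checks that the presented finger is live, which is the defence against the superglue-and-tape spoofs mentioned elsewhere in the thread.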
2FA is supposed to help with the problem that your privates will be swiped if anyone steals or guesses your password. However, it brings on bigger problems, IMHO, such as lock-outs, without any breach at all, in case something happens to your second factor/token. That problem is independent of using something insecure such as SMS.
For something work-related 2FA is probably fine in most cases. If my phone/token gets lost or borked or whatever while I am traveling, but I can call a sysadmin/security admin who knows me and recognizes my voice and resets/reconfigures the 2nd factor so that I can access what I need with a different phone (or without 2FA until I get back from the trip), the problem can be mitigated. I am not sure many organizations have protocols/procedures for that, but it is possible.
I would not use 2FA with something like GMail, however. If something happens to my phone I do not, for the life of me, understand what the process to convince Google, in a reasonable amount of time at least, that it is really me and not some impostor who wants to reset the 2nd factor might be.
2FA by SMS is stupid not only because SMS is insecure, but because it simply does not work. I travel with a different SMS/phone number and messages sent to my normal number simply won't reach me (calls will). Not a problem, unless/until I need those messages to access essential services...
I still haven't figured out how I would deal with online credit card payments - those "Verified by Visa" and similar mechanisms - while on the road. Somehow I managed to avoid that until now. I suppose I can bring the "domestic" SIM with me and swap it in temporarily and pay for the incoming SMS, so it may be doable, albeit quite inconvenient/costly.
Ironically, I assume that in a pinch I can convince the credit card company to reset the second factor on the basis of KBA over the phone. This means that the 2FA is only as secure as KBA, anyway.
People get damaged. So if you rely on fingerprints, don't hit your finger with a hammer. (Oh, and whorls indicate higher likelihood of cancer than waves.) Facial recognition? Try not to have an operation on your face (I know from personal experience it is quite painful, but better than having skin cancer on your nose). Iris recognition? Avoid sties or black eyes or any infection causing the eyelid to be permanently shut. Voice recognition? Your state of mental health can be determined from the range of frequencies you use. Hand geometry? There is a correlation between the d2:d4 ratio and sexuality (fancy going to a country where homosexuality is punishable by death or traumatic amputation?)
Biometrics are measurements of the body, and lots of diseases can be diagnosed from the eyes (not just glaucoma, jaundice or cataracts). People get damaged, so there must always be a non-biometric work-around for essential systems. Who are you prepared to trust not only with the measurements of your body, but with all the medical diagnostic and statistical correlations that go with them? (DHS officers, please form an orderly queue ...)
The actual/measured false rejection rates in the Aadhaar scheme have been publicized - reportedly 6% for fingerprints and 8.5% for iris scan. Those who were falsely rejected need to be rescued somehow.
If passwords are to be used as an alternative to the biometrics (as a fallback means), the overall security would be lower than the password-only authentication. It would mean that the huge amount of money spent for biometrics had contributed only to ruining the security. What an irony!
Whatever system, we all know that it is only the $$$ impact that will change things, and nothing else! For example, the entire fraudulent activity of card-not-present (CNP) scenarios is supported by the insurance industry. That "we're all insured, so don't worry" is supported and paid for by us all! It's called APR rates.
As many experienced security professionals on this board know, there is no perfect security, and good enough will do when everybody pays toward the 5% (nominal %) fraudulent activity.
So when will change come? When online fraud and loss exceeds that which underwriters are prepared to cover...? No! They just put premiums up, it's business! And that's all it is folks, business - nothing to do with security. That is where many security professionals get in a knot, including myself.
Biometrics, I sense there will be a sting in the tail! And consumers will be the ones to pay for it.
This was a well-researched, well-thought-out article. Indeed, the hope is with biometrics. But, as well-stated, this current crop (legacy biometrics) is not good enough. Regardless of the method, with legacy biometrics there is either a security risk or a significant convenience factor that will not allow them to be effective.
However, AI-developed/driven applications are solving many problems and are just entering the market. This is not a blatant plug, but an invitation to see for yourself: we've been delivering a 100% software face authentication biometric that is far more secure, and very easy to use and manage for IT.
ZoOm 3D Face Login is currently being used in banking, transportation and government and is either supplementing legacy login methods or replacing them outright - including passwords. It is virtually unspoofable and the encrypted biometric data cannot be borrowed or stolen for use anywhere outside of the process.
Please judge for yourself, but it appears we have a universally-usable, highly-secure biometric that won't put anyone's identities at risk.