Biometric security question

Posted: 2012-07-07 12:22pm
by Sarevok
A lot of computerized systems these days are starting to use some form of biometric identification. Now biometrics is supposed to make us feel more secure. However, I was wondering something. When a computer takes my fingerprint or an iris scan, that data is stored as... data. Data is just data to a computer; suppose someone gets hold of that data. Would they be able to digitally replicate my biometric signature? For example, let's say in the future vital websites like banks let you sign on using biometric input, and I happen to have had my finger scanned at a "friend's" computer. In a phishing-like move, could he use the stored data to log in?

Re: Biometric security question

Posted: 2012-07-07 01:12pm
by Rahvin
Presumably the biometric scan data would be encrypted. I'm not certain, because I've never bothered to use those features - if you want drive security, just use full HDD encryption with a long, strong passphrase (free solutions like TrueCrypt work well). The biometric scanner is basically just a password that might be harder to break but also cannot change...and you always use a backup password anyway, just in case you get a cut on the finger you scan or something else prevents using the scanner.

Re: Biometric security question

Posted: 2012-07-07 01:47pm
by Mr Bean
Biometric data is encrypted and the good systems take a big chunk of data to create the key for the encryption.

Re: Biometric security question

Posted: 2012-07-07 02:53pm
by Skgoa
Fingerprints can be reproduced with glue and can be taken from many surfaces you touch every day. But more to the point, yes, of course that data can be used to steal your identity, if it is handled insecurely. Unfortunately, data that should be kept secure under any circumstance is very often left unprotected. (E.g. Credit Card data, login credentials, etc. are "lost" all the time.) So yeah, there is a non-zero chance that your biometrical data will be stolen.

Re: Biometric security question

Posted: 2012-07-07 04:44pm
by Stark
If someone steals your biometric data, can you change it? :lol:

Re: Biometric security question

Posted: 2012-07-07 11:28pm
by Broomstick
Back when I had a work computer that used a biometric log-in you basically chose which finger to use for the scanner. If you needed to change it, well, most of us have nine more fingers to choose from.

Since it operates by scanning skin ridge data, presumably one could use some other patch of skin, provided the same patch was used consistently. So, to that extent, yes, one can change some forms of biometric data used for ID purposes by switching to a different finger.

Said finger also had to have a certain warmth to prove it was a live human being - this became an annoying feature when doing field work in cold weather.

Re: Biometric security question

Posted: 2012-07-08 06:50am
by Skgoa
Yeah, but then I'm just going to steal your other fingerprints, too. And none of the commercially available scanners can differentiate between a real finger and a finger with a fake print on it. Measuring skin warmth or heartbeat are pretty stupid ideas, since they assume the only way to fake a fingerprint is to cut off the finger. Well, using a "secret" that you can't change ever and that you imprint on all kinds of objects outside your control is retarded, anyways. So I guess you can't expect too much. :lol:
And that's not even counting really moronic and dangerous ideas like putting your finger prints on electronic passports that communicate via RFID. Someone being able to take your unchangeable "password" by having an RFID scanner and walking past you at a 100 feet distance? What could possibly go wrong?

Re: Biometric security question

Posted: 2012-07-08 12:54pm
by someone_else
@Skgoa: Didn't Mythbusters fool a fingerprint scanner by doing pretty easy things?

Yes they did open a door with a licked piece of paper with the victim's fingerprint printed on. The PC was fooled by slightly harder methods, but nothing esoteric.

Now, faking an iris scan is theoretically harder, unless the scanner is cheap crap and you can use a printed 50 dpi photo of the eye instead.

Retinal scans should be the best, as there is no easy way to fool the things, not even using fucking amputated eyes (unless they are amputated on the spot, that is).
Sarevok wrote: Would they be able to digitally replicate my biometric signature? For example, let's say in the future vital websites like banks let you sign on using biometric input, and I happen to have had my finger scanned at a "friend's" computer. In a phishing-like move, could he use the stored data to log in?
In the real world, it's possible. The biometric signature is basically turned into a number by some software on your PC, that then uses this bigass number as a password to do stuff. All usual ways to steal passwords work more or less the same, since biometrics just adds a program between the PC and the user to get a password that is then used automatically as such to access things. The safety of such a system depends on how good the software working with digitalized biometric data is. If it's done well (military-grade or better), this system is pretty much impregnable until it connects to the internet (to remain impregnable on the net it needs at least a serious VPN), but 100% perfection is rarely if ever guaranteed, and comes at a high cost not every company is willing to pay.
If it's used for vital stuff, it's basically guaranteed that top hackers and government agencies will fuck with it extensively for similar reasons (get data illegally).

Why can you not use a normal user-typed password, which would be easier? Likely because computing leaps made even 100+ char long passwords decryptable by brute force in a few hours. Humans cannot remember such long passwords on average.

Btw, the easiest way to steal passwords is by "listening" to wifi traffic from unprotected wifi (most hotspots don't use any encryption), so invest into good VPN services if you have to use such connections to do sensitive work.

P.s. consumer-grade stuff is designed to give the impression of safety (i.e. keeps infants and retards off your things but not much more). Most is either bug-ridden or has backdoors to allow technicians to fix things fucked up by stupid users.

Re: Biometric security question

Posted: 2012-07-09 07:10pm
by Zixinus
Sarevok wrote: Now biometrics is supposed to make us feel more secure.
Not really. It just makes things more convenient. Swipe your finger instead of typing in a password. It's the same thing. If your biometric data is compromised, switch to a different method or better yet, change how you handle secure information.

No security system that is accessible is impregnable. The best you can hope for is to make breaking such a massive undertaking that it is not worth the energy invested in it. Most thieves do not care about your porn collection if that's all you have on your computer (your computer itself is a different matter, but that's a different kind of can that may have worms). However, if you have banking information on it, someone might try if they know that information.
Sarevok wrote: In a phishing-like move, could he use the stored data to log in?
Yes, which is why a good bank will annoy you with various security measures like making you change your password every few months.

Re: Biometric security question

Posted: 2012-07-10 12:45am
by aussiemuscle308
someone_else wrote: Why can you not use a normal user-typed password, which would be easier?
Because people forget passwords all the time. (As an IT admin, I have to undo lost passwords all the time.)
Broomstick wrote: Back when I had a work computer that used a biometric log-in you basically chose which finger to use for the scanner. If you needed to change it, well, most of us have nine more fingers to choose from.
At work we have a hand scan to clock on. It's a lumber yard, so yes, some missing fingers. It wouldn't work with one guy who'd lost three fingers, so he has to use his left hand upside-down!

Personally I use a face scanner using the built-in webcam; it doubles as a security check, just check the pictures to see who logged on when.

Re: Biometric security question

Posted: 2012-07-10 11:16am
by Zixinus
The key for biometric security is making things difficult for a thief while not hindering (or even aiding) the authorized user. It is possible, say, to circumvent whatever biometric reader you have on your computer simply by making the computer boot from a thief's pendrive OS. However, that requires physical access, which is another difficulty.

The revolving issue to good security is good implementation. With good implementation
aussiemuscle308 wrote: Personally I use a face scanner using the built-in webcam; it doubles as a security check, just check the pictures to see who logged on when.
If I may be excused a tangent, facial security is even worse than fingerprint readers in terms of being fooled, as Japanese cigarette vending machine makers are learning. Webcams are poor for security, unless they also read in the IR range and can tell the difference between a sheet of paper and a living face. As current laptop manufacturers should know.

Re: Biometric security question

Posted: 2012-07-10 04:33pm
by Pendleton
Personally, I always use a pass phrase, with lower and uppercase characters, special characters and numbers, along with two factor authentication. Only my mobile has the correct code sequence programmed in, so a lot of my relevant stuff online won't get cracked any time soon. My computer is also fully encrypted by FileVault 2 with a phrase I can remember that uses pretty much all the 128 bit encryption to its maximum.

I'm more concerned about companies like LinkedIn managing to fuck up their end of the security deal than I am of my end. No one is getting into my laptop data, but if people are hosting hundreds of thousands of passwords that aren't even salted, that makes me cast doubt on whether corporations take security as seriously at times.
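
What "not even salted" means for a stored-password table, shown as an added example that is not part of the original post: an unsalted fast hash gives identical records for identical passwords, while a per-user salt with a slow key-derivation function does not. The account names, the sample passwords, the use of SHA-1 as a stand-in for any fast unsalted hash, and the PBKDF2 work factor are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = {
    "alice": "summer2012",
    "bob": "correct horse battery staple",
    "carol": "summer2012",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_record(password: str) -> str:
    """Weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> dict:
    """Corrected scheme: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_groups(hash_by_user: dict) -> list:
    """Audit helper: groups of users whose stored hash is byte-identical.

    Any non-empty result means one recovered password exposes every
    account in that group, which is the core weakness of unsalted storage.
    """
    groups = defaultdict(list)
    for user, stored in hash_by_user.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def build_stores():
    """Build both tables from the constructed accounts."""
    unsalted = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted, shared hashes:", shared_hash_groups(unsalted))
    print("salted, shared hashes:  ",
          shared_hash_groups({u: r["hash"] for u, r in salted.items()}))
    print("alice logs in:", verify_salted("summer2012", salted["alice"]))
```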

Re: Biometric security question

Posted: 2012-07-10 07:24pm
by Zixinus
Pendleton wrote: Personally, I always use a pass phrase, with lower and uppercase characters, special characters and numbers, along with two factor authentication. Only my mobile has the correct code sequence programmed in, so a lot of my relevant stuff online won't get cracked any time soon. My computer is also fully encrypted by FileVault 2 with a phrase I can remember that uses pretty much all the 128 bit encryption to its maximum.
Sounds like you take security fairly seriously. If I may ask, what sort of information do you have that makes you want to secure your computer so?
Pendleton wrote: I'm more concerned about companies like LinkedIn managing to fuck up their end of the security deal than I am of my end. No one is getting into my laptop data, but if people are hosting hundreds of thousands of passwords that aren't even salted, that makes me cast doubt on whether corporations take security as seriously at times.
They only do if they get scared, and then they mostly take panic-actions rather than any serious ones. Panic-actions being measures that can be implemented quickly and look like a serious security measure, but are not. For a non-computer example, cameras. They do not increase security, they only increase surveillance (which CAN be used to improve security). Cameras do not stop people. Locked doors, guards, safeguards, etc. do, because they can prevent unauthorized access and make attempts to gain unauthorized access more difficult.
Another panic-measure for computers is, say, encrypting the passwords when they are static on a HDD, but not when they are used in code or when the users give them.

Another tangent, if I may. My Thinkpad has a fingerprint reader, which is neat. What's more neat is that I can use my fingerprint to start my computer, meaning that the BIOS has fingerprint software in it. What's less neat is that if you power on the computer with just the power button, it is possible to circumvent both fingerprint reading and password, thus making it a fairly worthless security measure. Lenovo's idea of preventing access isn't a BIOS-tied computer-and-HDD lock (which is pretty strong security, as it means that you have to use BIOS-reset measures to just use the computer, never mind the HDD), but replacing Win7's password screen with a fingerprint reader. It makes login faster, not secure.

This is a panic-measure (or more accurately in this case, a marketing measure or someone simply not caring) and a typical example of badly implemented security, unless I've missed some option I can't find. It is obvious that a Thinkpad could use fingerprint data instead of just a regular password to securely lock the computer. Without it, you can't boot a foreign, pendrive OS and even if you could, you will need data recovery-level tech/knowledge to unlock the HDD. Meaning that this simple measure would make the computer much more secure. But apparently, relying on a booted up OS's user prompt is better.

Re: Biometric security question

Posted: 2012-07-10 07:57pm
by Zixinus
Addendum to my previous post: please ignore the rant on my Thinkpad's fingerprint-security thing. It turns out that I just needed to give a power-on password to make a BIOS-level security check.

Re: Biometric security question

Posted: 2012-07-11 06:26am
by Skgoa
Zixinus wrote: It is obvious that a Thinkpad could use fingerprint data instead of just a regular password to securely lock the computer. Without it, you can't boot a foreign, pendrive OS and even if you could, you will need data recovery-level tech/knowledge to unlock the HDD. Meaning that this simple measure would make the computer much more secure.
Though I agree with the rest of your post, I feel the need to reiterate that your fingerprint is much easier to be stolen than a password. Seriously, if I were to break into your home to get to your computer, I am going to find your fingerprint literally a thousand times, readily available to be copied.

Re: Biometric security question

Posted: 2012-07-11 08:01am
by Pendleton
Zixinus wrote: Sounds like you take security fairly seriously. If I may ask, what sort of information do you have that makes you want to secure your computer so?
Porn. Lots of it.

Seriously, though. I sometimes have work files on it that, although not top secret, I'd rather not have fall into strange hands. The rest of my reasoning is I just don't like the idea of someone having access to my personal data. If my laptop is stolen, I can always remote erase it when it calls home sneakily via the Guest account, which is the only one accessible without password decryption. Short of icing the RAM shortly after I shut down or log off to preserve the cipher key used, the only other way would be jacking into the computer while it is on and I'm logged in, or if it's asleep. The pass phrase will be in memory still then and this exploit has been documented.

I believe the Thinkpads used at work here and some HP laptops have fingerprint readers too, but they are never used for the reasons stated above. They do have SecureBoot though.

Re: Biometric security question

Posted: 2012-07-12 07:12am
by Irbis
Skgoa wrote: Though I agree with the rest of your post, I feel the need to reiterate that your fingerprint is much easier to be stolen than a password. Seriously, if I were to break into your home to get to your computer, I am going to find your fingerprint literally a thousand times, readily available to be copied.
Okaaay. And just how many of these are recoverable to anyone without very specialized expertise? Such as a police forensics squad? There is a reason you need a team of trained agents to gather even a smidgen of proof on a crime scene, you know.

I have reasonable experience in 'unlocking' computers for relatives who didn't know what they were doing and forgot their password; I have exactly zero expectation of being able to spoof a fingerprint reader unless you were nice enough to put clear prints inked on white paper or something like that.

As for the question in the OP, I don't know how all biometrics programs store their data, but I'd imagine truly secure ones store just a hash of the biometric data, something that can't be used to recreate your signature unless in another program that uses the same way of hashing. If it stores an image, I guess it can be printed and help in spoofing.

Re: Biometric security question

Posted: 2012-07-12 07:34am
by Broomstick
Skgoa wrote: Though I agree with the rest of your post, I feel the need to reiterate that your fingerprint is much easier to be stolen than a password. Seriously, if I were to break into your home to get to your computer, I am going to find your fingerprint literally a thousand times, readily available to be copied.
Uh-huh... how are you going to distinguish my fingerprints from those of everyone else living in my home?

Also, I think you vastly overestimate how easy it is to recover a good print from most surfaces. Your best bet would probably be a fingerprint off a water glass or ceramic plate, not so much from my couch. Most of those "thousands" of copies will not be useful for your purpose.

Re: Biometric security question

Posted: 2012-07-12 02:26pm
by Pendleton
I remember there being a Merc that had fingerprint recognition entry for the car itself, which also started it, a bit like the wireless keyless entry they have nowadays. Anyway, apparently they had to drop the system or tinker with it to work with live digits because some gangs, I believe, had figured out that taking a guy's hand off was as handy (pun intended) as stealing his keys.

Re: Biometric security question

Posted: 2012-07-12 04:49pm
by Zixinus
Skgoa wrote: Seriously, if I were to break into your home to get to your computer, I am going to find your fingerprint literally a thousand times, readily available to be copied.
True (to the extent that others have pointed out), however you will have to KNOW that I use fingerprint security AND know which finger I use. Unless you plan to steal data from me while you broke in, you are unlikely to have stolen something that has a good fingerprint. Plus, if you have stolen something from me, you likely have accidentally wiped the fingerprint in the process of transport.
Pendleton wrote: I believe the Thinkpads used at work here and some HP laptops have fingerprint readers too
Many Thinkpad models have fingerprint readers, yes.

Re: Biometric security question

Posted: 2012-07-13 02:56pm
by Skgoa
Irbis wrote:
Skgoa wrote:Though I agree with the rest of your post, I feel the need to reiterate that your fingerprint is much easier to be stolen than a password. Seriously, if I were to break into your home to get to your computer, I am going to find your fingerprint literally a thousand times, readily available to be copied.
Okaaay. And just how much of these are recoverable to anyone without very specialized expertise? Such as police forensics squad? There is a reason you need a team of trained agents to gather even a smidgen of proof on crime scene, you know.
Cute. For the sake of the argument I'm going to ignore the obvious answer, i.e. the probable attacker being prepared and equipped to do the job, due to either a) being paid to do (industrial) espionage or b) being a member of a government agency. Forensics squads take much more from a crime scene than fingerprints. They also know how to take evidence in a way that makes it usable in court and that doesn't contaminate the crime scene. The attacker only needs to obtain the fingerprint and use it. It's incredibly easy to do. There are tutorial videos on YouTube, as you would have known, had you not just talked out of your ass without doing any research at all. :lol:

Irbis wrote: I have reasonable experience in 'unlocking' computers for relatives who didn't know what they were doing and forgot their password; I have exactly zero expectation of being able to spoof a fingerprint reader unless you were nice enough to put clear prints inked on white paper or something like that.
How nice for you. What kind of argument are you making here? "I can't do it, so nobody can"? Anyways, what this shows is your laziness and willful ignorance, since one simple Google search would have told you everything you needed to know.

Broomstick wrote: Uh-huh... how are you going to distinguish my fingerprints from those of everyone else living in my home?
Nope. Why would I even need to? How many people live in your home? How many people touch e.g. your diary?

Broomstick wrote: Also, I think you vastly overestimate how easy it is to recover a good print from most surfaces.
Nope. That you believe that shows that you haven't done your research.

Broomstick wrote: Your best bet would probably be a fingerprint off a water glass or ceramic plate, not so much from my couch.
That's a black and white fallacy. I never claimed I could take fingerprints off a couch, I wouldn't even need to, as you point out yourself.

Broomstick wrote: Most of those "thousands" of copies will not be useful for your purpose.
That's a black and white fallacy, too. Even if it were true, I still only need at most ten usable fingerprints per inhabitant, nobody cares about the thousands of unusable prints.

Zixinus wrote:
Seriously, if I were to break into your home to get to your computer, I am going to find your fingerprint literally a thousand times, readily available to be copied.
True (to the extent that others have pointed out), however you will have to KNOW that I use fingerprint security
Nope. I just have to credibly suspect that you do. Though I wonder if a "move finger over scanner" message at startup wouldn't give me a clue. ;)

Zixinus wrote: AND know which finger I use.
Nope. I just use every print I find. It's not like trying ten times at the most is going to kill me.

I have a couple of YouTube videos open in other tabs that were the very first results of the one search I made. I am not going to post them, though, because it literally took just ten seconds. Anyone who claims that fingerprints can't be taken by amateurs with household items was too lazy to make that ten second effort. Seriously, it's like you guys were claiming the sky is red. Take a fucking moment to look; no, it's clearly not. We shouldn't even BE on this tangent.

Re: Biometric security question

Posted: 2012-07-13 08:46pm
by Broomstick
Skgoa wrote:
Broomstick wrote: Uh-huh... how are you going to distinguish my fingerprints from those of everyone else living in my home?
Nope. Why would I even need to? How many people live in your home? How many people touch e.g. your diary?
Not that many at present, but there have been times in my life I've lived in a household with a half dozen other people which, yes, might make untangling the proliferation of prints at least a speed bump.

And, just for the record, I've never kept a diary. I've always shared books with everyone else in the house. I suppose you could find something I and I alone touch but I doubt it's quite as easy as you claim.
Skgoa wrote: I have a couple of YouTube videos open in other tabs that were the very first results of the one search I made. I am not going to post them, though, because it literally took just ten seconds. Anyone who claims that fingerprints can't be taken by amateurs with household items was too lazy to make that ten second effort.
Yeah, I've done amateur fingerprinting, big deal. I also know, from having done it, that lifting a really good print takes some practice. Is there a government spook out there who can walk into my house, spoof my prints, and ransack what little privacy I have left in this world? Yeah, probably. But there's a difference between the work of someone who makes it their daily profession and your alleged easy to waltz in, even amateurs can do this, scenario.

Re: Biometric security question

Posted: 2012-07-13 08:59pm
by Stark
It only has to be easier than a password attack to make it useless security. And frankly, the 'fingerprint readers' installed on laptops as 'security' are really low end. It's just a gimmick, not a serious 'protect secrets' thing. You want that, you'll encrypt your information.

Re: Biometric security question

Posted: 2012-07-13 09:10pm
by Broomstick
The weakest link in computer security I suspect is the people element, not the fingerprint scanners, password requirements, encryption, etc. All the security in the world does squat when someone leaves a sticky note with all the passwords listed on the edge of the monitor or otherwise circumvents security for their own convenience. Including failure to use security devices - the best lock in the world is useless if it's not engaged.

Biometric requirements enforce a certain level of "security". It's also useful for identifying who's using a terminal, which may have applications beyond just security. It's not perfect, just useful in some circumstances.

Re: Biometric security question

Posted: 2012-07-13 09:24pm
by Stark
The only real utility of consumer 'biometrics' is speed - it's faster to swipe your cheezit encrusted thumb over a cheapo sensor than typing 'summerglau69'. There are a lot of issues around successful use of even quality biometrics and I doubt most people would be interested if it didn't have the cachet of thirty years of scifi. Arguably good biometric user habits are even harder to cultivate than password habits.