Saturday, August 16, 2003

Hackers Claim New Fingerprint Biometric Attack

Damn, wish I was at the CCC. Ah well... the amount of work going into cracking biometrics is quite amazing, and kind of proves it has a long way to go. Unfortunately, IMHO, biometric systems still suffer from 2 major drawbacks -

1. they're useless against physical attacks - kidnap a person and force them to access something. Most people would cave in to being exploited this way.

2. access is tied to the person, unlike any existing system (i.e. passwords) which can be changed if necessary - this is important. If someone is able to "forge" another person's biometrics, then the only way around it is to replace the system. This seems kind of really, really dumb to me.

Also, as soon as you start to associate access logs with biometric data, "identity forgery" becomes inherent - if the system says Alice logged in and deleted everything, when it was actually Mallory impersonating her, then how do you prove it wasn't her? Video cameras, or alternative verification for logging, are an absolute must.

There's definitely still a lot of undiscovered ground in terms of biometrics, which is why traditional security, when properly applied, is so strong, relatively - it's mature.

