Subscriber Discussion

Biometrics No Longer Secure?

Ari Erenthal
Sep 24, 2015
Chesapeake & Midlantic

Yes, it's a bold claim to make, but apparently the Chinese now have 5.6 million Federal fingerprints. Which means that you probably shouldn't install biometric security at any governmental facility for at least a generation.

Remember: it doesn't matter if you invent an unpickable lock, if someone can easily steal the key.

John Honovich
Sep 24, 2015
IPVM

How does this make biometrics not secure? Can someone use those fingerprints to try to gain access to facilities? If so, how does that work?

Ari Erenthal
Sep 24, 2015
Chesapeake & Midlantic

While biometric antispoofing measures exist, it's my understanding that they haven't been widely implemented (the link says as much).

The most common biometric technology is fingerprint (because 1) speed, 2) accuracy, and 3) price), and the most common fingerprint reading technology is optical (again, because 1) speed, 2) accuracy, and 3) price). If you can build a latex mold of a finger, you can spoof an optical fingerprint reader unless you implemented one of the recommendations in the link above, and many readers don't (because it's 1) slower, 2) less accurate, and 3) more expensive).

Greg Cortina
Sep 24, 2015

Ari calls it, but it won't slow anyone down because in most cases it's just "convenience over security" for most places.

Ari Erenthal
Sep 24, 2015
Chesapeake & Midlantic

Yup. It's more important to look secure than to be secure.

Undisclosed Manufacturer #1
Sep 24, 2015

I think a bigger issue is if a contractor whose fingerprint was hacked enters China, they could be seen as a spy since they are on the list of US Government contractors with a security clearance. That could pose a problem for that individual.

Brian Rhodes
Sep 24, 2015
IPVMU Certified

It's important that we don't lump 'biometrics' as a fancy synonym for fingerprints. Biometrics are a whole range of bio/physiological indicators including iris, vein scans, gait, heartbeats, eye twitches, germ clouds, palm prints, earlobe dimensions, and probably ten thousand more.

Even in the case of the 5.6 mil stolen prints, those template files only are valid on a specific type of fingerprint reader. Use a different reader that 'scans' a different dermal layer, and the chances those stolen records are valuable are really remote.

Not to say that protection of data like this isn't a priority - it absolutely is! But to call biometrics 'un secure' as a result is too strong.

Ari Erenthal
Sep 24, 2015
Chesapeake & Midlantic

Okay, true. But it does compromise the most commonly used form of biometric security.

Undisclosed #2
Sep 24, 2015
IPVMU Certified

But to call biometrics 'un secure' as a result is too strong.

Easy for you to say, since you can always give them the finger right back...

Brian Rhodes
Sep 24, 2015
IPVMU Certified

It's true. I tried to destroy security. Only partially successful with a latex rubber finger.

Undisclosed #3
Sep 24, 2015

Fake fingers beat iPhone fingerprint readers - so any government employee who travels with their iPhone can have their data compromised.

Undisclosed Manufacturer #1
Sep 24, 2015

Except Hillary, I noticed she uses a Blackberry.

Mark Hahn
Sep 28, 2015

I haven't been able to find anywhere if image files of fingerprints were stolen, or minutiae encoded with ISO 19794-x or similar scheme.

Anyone know?

Undisclosed Manufacturer #4
Sep 28, 2015

The OPM statement used the word "fingerprints" to describe the information that was stolen.

"Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million."

https://www.opm.gov/news/releases/2015/09/cyber-statement-923/

This would SUGGEST that the OPM was storing images. If it was just minutiae, you'd think that the OPM would go out of its way to make that clear.
