Researchers: Distorting biometrics enhances security

IGBT


..I wonder how secure this is??..expect biometric IDs in your near future.

But those mathematical templates, if stolen, can be dangerous.

So researchers have developed ways to alter images in a defined, repeatable way, so that hackers who managed to crack a biometric database would be able to steal only the distortion -- not the true, original face or fingerprint.
 

Rainsford

Wow, researchers managed to reinvent one way hashing, a principle that's been a staple of cryptography for decades. I sure am impressed. Surely applying SHA-256 or something to the numerical representation would have been too easy. :roll:

As for biometrics as security...it's a terrible, terrible, terrible, terrible idea by itself. Why? The major reason is that you can change your password, you can't change your fingerprint. Not to mention that biometric information is hardly secret, why bother hacking into a database (hashed or otherwise) when I can just follow you and grab your fingerprint off any of the thousands of surfaces you touch every day? Maybe I won't be able to steal tens of thousands at once, but it's a lot more valuable than a credit card number or password, because as I pointed out, it can't be changed.

A far more secure system would be a physical device and a 4 digit pin you remember. Really the ATM system is a great model to follow, and many companies sell tokens that work with central systems that provide far more security. You have a token that's difficult to duplicate combined with an easy to remember password that somebody would ALSO have to get somehow. And even if they get it, it's easy to change one or both of the required items.

Seriously, lots of colleges offer good security courses, there are lots of books on the topic. I suggest anyone who wants to invent a secure ID system should take a class or read a book first, it would save us a lot of piss poor security.
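
Added example (not part of the thread, and not the researchers' code): a toy keyed distortion of a biometric feature vector, showing that the same key reproduces the same distortion, that matching still works on distorted data, and that re-enrolling under a new key replaces a stolen template. It also shows what an exact hash such as SHA-256 returns for two slightly different readings of the same trait. The feature values, keys, threshold and function names are constructed for illustration.

```python
import hashlib
import hmac
import random

def distort(features, key):
    """Keyed, repeatable distortion: shuffle positions and flip signs.
    Distances between vectors are preserved, so matching still works."""
    seed = hmac.new(key, b"template-distortion", hashlib.sha256).digest()
    rng = random.Random(seed)
    order = list(range(len(features)))
    rng.shuffle(order)
    signs = [rng.choice((-1.0, 1.0)) for _ in features]
    return [sign * features[src] for sign, src in zip(signs, order)]

def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def verify(stored_template, probe, key, threshold=0.1):
    """Distort the fresh reading with the same key, then compare."""
    return distance(stored_template, distort(probe, key)) <= threshold

def exact_hash(features):
    """SHA-256 over the numerical representation of one reading."""
    return hashlib.sha256(repr(features).encode()).hexdigest()

# Constructed sample data: an enrolled reading and a slightly noisy re-read.
ENROLLED = [0.12, 0.87, 0.45, 0.33, 0.91, 0.08, 0.64, 0.27]
PROBE = [x + 0.01 for x in ENROLLED]
OLD_KEY = b"constructed-key-1"   # hypothetical per-enrolment key
NEW_KEY = b"constructed-key-2"   # issued after the old template leaks

if __name__ == "__main__":
    old_template = distort(ENROLLED, OLD_KEY)
    new_template = distort(ENROLLED, NEW_KEY)
    print("noisy re-read matches stored template:",
          verify(old_template, PROBE, OLD_KEY))
    print("hashes of the two readings are equal:",
          exact_hash(ENROLLED) == exact_hash(PROBE))
    print("old-key probe matches re-issued template:",
          verify(new_template, PROBE, OLD_KEY))
```

The permutation-and-sign-flip transform is only a stand-in for "a defined, repeatable" distortion; anyone holding the key can invert it, so the key has to be stored separately from the template database.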
 

judasmachine

Originally posted by: Rainsford
Wow, researchers managed to reinvent one way hashing, a principle that's been a staple of cryptography for decades. I sure am impressed. Surely applying SHA-256 or something to the numerical representation would have been too easy. :roll:

As for biometrics as security...it's a terrible, terrible, terrible, terrible idea by itself. Why? The major reason is that you can change your password, you can't change your fingerprint. Not to mention that biometric information is hardly secret, why bother hacking into a database (hashed or otherwise) when I can just follow you and grab your fingerprint off any of the thousands of surfaces you touch every day? Maybe I won't be able to steal tens of thousands at once, but it's a lot more valuable than a credit card number or password, because as I pointed out, it can't be changed.

A far more secure system would be a physical device and a 4 digit pin you remember. Really the ATM system is a great model to follow, and many companies sell tokens that work with central systems that provide far more security. You have a token that's difficult to duplicate combined with an easy to remember password that somebody would ALSO have to get somehow. And even if they get it, it's easy to change one or both of the required items.

Seriously, lots of colleges offer good security courses, there are lots of books on the topic. I suggest anyone who wants to invent a secure ID system should take a class or read a book first, it would save us a lot of piss poor security.


a lot easier than lobbin off thumbs too.
 

Rainsford

Originally posted by: judasmachine

a lot easier than lobbin off thumbs too.

What's a lot easier? The second system in general?
 

judasmachine

Originally posted by: Rainsford
Originally posted by: judasmachine

a lot easier than lobbin off thumbs too.

What's a lot easier? The second system in general?


Oh sorry, I meant the following people around and picking up their cups, cigarette butts, etc. I'm just looking at it from the lowly criminal's POV.
 

Moonbeam

Eventually honest people may have to record every moment of their lives as evidence against framing. And the people who don't we will want to watch.
 

Rainsford

Originally posted by: judasmachine
Originally posted by: Rainsford
Originally posted by: judasmachine

a lot easier than lobbin off thumbs too.

What's a lot easier? The second system in general?


Oh sorry, I meant the following people around and picking up their cups, cigarette butts, etc. I'm just looking at it from the lowly criminal's POV.

Oh, yeah, certainly. And from a fingerprint from one of those things, making a fake finger that can fool most scanners is surprisingly easy. One researcher has done it with "gummy bears" (well, gelatin, but close enough :p)
 

Rainsford

Originally posted by: Moonbeam
Eventually honest people may have to record every moment of their lives as evidence against framing. And the people who don't we will want to watch.

We already kind of have that mentality, or at least the start of it. Ever ask if you can not put your social security number down on a form that asks for it, but has no need of it? You get some funny looks.