Biometric technologies and their security

Discussion in 'privacy general' started by Minimalist, Jul 5, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,563
    Location:
    Slovenia
    http://www.information-age.com/biometric-technologies-security-123467159/
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,563
    Location:
    Slovenia
    https://www.pri.org/stories/2017-09-02/how-make-biometric-technology-more-secure
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,094
    Biometrics: How to coerce the people into abandoning secure password based authentication for an insecure method that can easily be broken by the authorities while at the same time increasing the potential for surveillance.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,376
    Location:
    UK
    A rather salutary reminder why biometrics are a really bad authentication idea for the user (not, I trust because the particular circumstances would apply to you, but because it shows how coercion can weaken biometric protection easily), is being reported here:

    https://www.theguardian.com/world/2...fter-wife-discovers-husbands-affair-midflight

    A woman used her sleeping husband's fingerprint to open his smartphone, on which she discovered evidence of infidelity.

    More generally, this form of authentication is not treated as compelled speech as pins (possibly) are.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,867
    Biometrics being outside of 5th amendment would be enough for me. I do use fingerprint for my smartphone but that is like a bathroom door lock. Just keeping prying eyes away from my stuff, but no illusion it would be secure against any Gov actor.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,376
    Location:
    UK
    There's also the non-repudiation aspect of biometrics, and the likelihood of them trying to transfer risks of financial fraud directly on to you in cases of financial institutions. Just say No.

    On a parallel note, I am "amused" to see that Estonia has frozen their electronic ID cards because they are suffering a fundamental security flaw that could be exploited by bad actors. Actually, this is responsible on the part of the authorities.

    The reason for the amusement was that I vividly recall the reaction of the UK government at the time they were considering imposing ID cards (and worse, the National Identity Register) on an unsuspecting public - against my advice and pretty much every expert's feedback on the things. At the time (2005-2007), the officials and politicians were barefacedly assuring everyone that they were completely secure and safe, and that the NIR couldn't possibly be hacked, even though it was going to be accessible by pretty much all govt. departments.... laughable, but they still said it. It was only repealed by a change in politics, although that party went to the Dark Side with the Investigatory Powers Act.
     
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,094
    @deBoetie I strongly believe the purpose of implementing biometric authentication is two fold because inherent in it's use is,
    1) The non repudiation aspect you mentioned.
    2) The ability to retrieve the authentication from an individual without their consent.
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,867
    deBoetie and RockLobster,

    I understand your biometric observations/comments. I proceeded with use of them on my Smartphone but those biometrics will NOT allow access to my bank or real name email accounts. I never store my login passwords and my bank and email are ONLY accessed via U2F even after the login credentials. The fingerprint biometric only opens the phone to enter what I need. While I won't bet my life on it, my Pixel XL running Oreo, is not supposed to ever transmit the fingerprint data and its supposed to be encrypted ONLY locally on the device. Whether or not that is fully true is untested by me, but their stated policy is that they have NO access to my fingerprint data outside of the device itself. At the "State and Federal" level my fingerprints are completely on record anyway. I carry a weapon daily and my licensing requires annual background examinations including fingerprints by the Feds and all local LE. Just how it is in my world.

    Lastly, you likely have seen the news regarding access to the phone carried by the Murderer of those in the Texas church. They will shortly gain access to the phone anyway, so biometrics in the end will not have changed the outcome at all if they were used instead of only a password. So at the "state level" these password approaches on a smartphone at best simply slow them down a week or two. On a Linux LUKS volume its a completely different story.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,376
    Location:
    UK
    @Palancar - you're lucky having a bank that's supporting U2F, they seem so intent on smartphone apps and so on. One of my big bugbears at the moment is the terrifically bad Paypal situation - extremely disappointing since they were a founder member of Fido.

    It sounds in any case like what you're doing is prudent opsec, which is all that's possible with these devices, and keeping stuff you care about well away from them. As you say, it's not possible to verify that the fingerprint hash or whatever they do with it stays local; sorry to say, I don't trust that unless I could see a complete open-source hardware and software implementation which could be plugged in. So that just leaves you with opsec.

    LE moaning about locked phones strikes me as pretty absurd - it may mean they have to do some regular police work in what is an after-the-fact investigation which is very unlikely to change anything even when they have all the phone info. It's the golden age of surveillance, they'll know where he's been and who he's called in any event. And I can't see any bad guys who have planned an operation leaving anything of value on the things anyway.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,867
    Couple of things:

    I am always amazed that "bad guys" have absolutely everything on the very phone that they use while in the commission of their crimes. Planning, associates, everything just sitting there spoonfeeding LE with the followup steps. A grade school student would know better, but not the majority of them.

    I never checked Paypal with regard to U2F, but if they don't its a shame. I generate a virtual credit card and provide that as my link to Paypal for my account. Only Paypal has that virtual number and only the merchant "paypal" can use that account number. It is dead for any other merchant #, if Paypal gets hacked or has a bad employee the card number is useless on the open market.
     
Loading...