biometrics

Ryan McBride mcbride at countersiege.com
Wed Jan 23 18:33:03 EST 2002


On Wed, Jan 23, 2002 at 11:34:13AM -0500, Phillip H. Zakas wrote:
> by biometric identification there are two approaches to pursue:
> 
> 1.  Replace the intended biometric data, stored in the authentication
> database, of a known person with your own biometric data so that when
<snip>

> 2.  Sniff packets/signals over the wire during an authentication session
<snip>

There is a third: some poorly engineered biometric applications
provide the necessary biometric data directly to the attacker: for
example I have encountered a biometric screen saver product which
works with a webcam. It only unlocks the screen when it recognises the
correct person (and automatically locks the screen when the person
leaves, a very nice feature). HOWEVER it displays a picture of the
"owner" on the screen when in the locked state. Simply point the
camera at the screen, wiggle a thin strip of paper in front of the
eyes (it uses blinking as a liveness verification) and "open sesame". 

Anyone thinking about implementing a biometric system should read
Bruce Schneier's piece on the subject:
http://www.counterpane.com/crypto-gram-9808.html#biometrics

Sigh... If only technology worked in real life like it does in the
movies. 

-Ryan

-- 
Ryan T. McBride, CISSP - mcbride at countersiege.com
Countersiege Systems Corporation - http://www.countersiege.com



---------------------------------------------------------------------
The Cryptography Mailing List