Author Topic: Used biometrics for security, now I need to replace my body parts...  (Read 6813 times)

LowWaterMark

  • Administrator
  • Newbie
  • *****
  • Posts: 15
  • Security Guy
    • View Profile
Everyone says "passwords are bad."  They are insecure by design because in order to be secure, they must be complex.  If they are complex, almost no one can remember them.  So, people either dumb-down their passwords, or, record them insecurely somewhere. ("Post-it note under the keyboard" sound familiar?)

So, I decided to use biometrics in my security app.  With the latest devices having built-in fingerprint scanners, I figured that would be the idle tool.  After a long development process, I perfected my fingerprint ID system, with biometric information stored in a database on the backend authentication server.

All tests and initial implementation went great.  It worked!  People authenticate with just a touch of a finger.  So, we went live across the board.

What could possibly go wrong?

Hackers cracked their way into the server and stole the database.  That's what could and did go wrong.

The bad guys made off with 80000 customer records, which included all the digitized fingerprint scans.  And, since I made ten separate accounts while testing, the hackers have all my fingerprints.  Since I'll never have any other fingers, and therefore no new or different fingerprints, I am basically screwed - forever.

At least with passwords, if the database was stolen, I could pick new passwords in the future.  With fingerprints, I only got 10 chances to keep them secure.  And now those are gone.

Biometrics - an idea that sounds so good on the surface, but, should never be used in the real world.
Forum and website security consultant

LowWaterMark

  • Administrator
  • Newbie
  • *****
  • Posts: 15
  • Security Guy
    • View Profile
Re: Used biometrics for security, now I need to replace my body parts...
« Reply #1 on: June 12, 2014, 10:57:57 PM »
Thank you to all who said they would "send me new fingers"   :P

This problem is one made solely by technical people.  People who think they know what the heck they are doing, but, are the same type who think like this.  "Let's provide people with the ability to control all their "ABC devices" via their smart phone.  Security?  Who needs security?  Who would ever try to unlock your car, fire up your home AC, delete your door lock security, shutdown your refrigerator" or anything else without actually being you?

What could possibly go wrong in hooking your entire life up to the Internet?

No one would ever abuse that... would they?
Forum and website security consultant