From: Gordon Mohr (gojomo@usa.net)
Date: Mon Jun 26 2000 - 12:07:40 PDT
Brian Atkins writes:
> Mark Day wrote:
> > "Dear system user: we had a hacker break in over the weekend and compromise
> > everyone's logins. Accordingly, we have scheduled plastic surgery for
> > everyone."
> That doesn't make any sense. Your password was being used by a hacker
> from "outside" to get access to the "inside" (server). Once they were
> able to use it you had to change it. But that obviously can't happen
> with biometrics - they can't "use your iris" in a non-James-Bond world.
But what if they manage to get *all* the same digital measurements
of your iris (hand/voice/etc) that the server has?
There are several ways this could occur:
* A server which stores your scans gets compromised (and
if, say, your place of work and your bank both use the
same technology, a compromise of one could compromise
the other)
* Direct or covert measurement of you against your will
(eavesdropping on your voice; paying off your
optometrist or doctor to take measurements when you
least suspect, etc.)
* Man-in-the-middle observations of a suitable number
of biometric logins
Then, even if an attacker can't make a real-world simulacrum
of you, they can probably manage a "replay" of sorts of your
data into the network, from the login endpoint. (The original
article mentioned pocket PCs, PDAs, and cell phones as
terminals -- how hard could it possibly be to feed those
fake sensor data?)
- Gordon
This archive was generated by hypermail 2b29 : Mon Jun 26 2000 - 12:08:15 PDT