Schneier on Security
A blog covering security and security technology.
« Ireland Does Away with Electronic Voting |
| Preparing for Cyberwar »
April 30, 2009
A Sad Tale of Biometrics Gone Wrong
From The Daily WTF:
Johnny was what you might call a "gym rat." In incredible shape from almost-daily gym visits, a tight Lycra tank top, iPod strapped to his sizable bicep, underneath which was a large black tribal tattoo. He scanned his finger on his way out, but the turnstile wouldn't budge.
"Uh, just a second," the receptionist furiously typed and clicked, while Johnny removed one of his earbuds out and stared. "I'll just have to manually override it..." but it was useless. There was no manual override option. Somehow, it was never considered that the scanner would malfunction. After several seconds of searching and having Johnny try to scan his finger again, the receptionist instructed him just to jump over the turnstile.
It was later discovered that the system required a "sign in" and a "sign out," and if a member was recognized as someone else when attempting to sign out, the system rejected the input, and the turnstile remained locked in position. This was not good.
The scene repeated itself several times that day. Worse, the fingerprint scanner at the exit was getting kind of disgusting. Dozens of sweaty fingerprints required the scanner to be cleaned hourly, and even after it was freshly cleaned, it sometimes still couldn't read fingerprints right. The latticed patterns on the barbell grips would leave indented patterns temporarily on the members' fingers, there could be small cuts or folds on fingertips just from carrying weights or scrapes on the concrete coming out of the pool, fingers were wrinkly after a long swim, or sometimes the system just misidentified the person for no apparent reason.
Me on biometrics.
Posted on April 30, 2009 at 6:19 AM
• 66 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Using the Daily WTF as a news source? Really?
If it tells about a real-world security mis-feature - why not?
Seems only fair, anyway, since the article links to another post on this blog.
The Daily WTF is awesome, I highly recommend it.
Having worked extensively with fingerprint readers, I can say that this is probably one of the worst applications I've seen of using them. They'd have done better using iris recognition. Or even better a card reader. Not having an override is inexcusable though. If he was being seen by the system as one of the other gym users then they have their FAR turned up way too high. Probably was adjusted up to help the system read prints in the first place.
"... the turnstile wouldn't budge. ... There was no manual override option."
In the event of a fire, please line up in an orderly fashion and swipe out the turnstile one at a time.
Surely this is an OHS issue?
I am reminded of the $70,000 retina scanner in use at a SCIF at HQ USAFE which was eventually ordered to be disabled by a general who was sick of hung over intelligence brass with bloodshot eyes not being able to get through.
Our tax dollars at work once again...
Surely this is all worth it to prevent unauthorized people from gaining access to something as valuable as a weight room.
Let's keep some perspective, people!
"bloodshot eyes not being able to get through"
a) Was it a retinal scanner or an iris scanner?
b) I'm surprised that eyes being bloodshot would have an effect on either of those types of scanner (but particularly the more common iris scanner... I suppose retinal veins might be more susceptible to detectable inflammation, but it shouldn't change their pattern, all the same.)
Really simply put, I have Macular degeneration and my retinal pattern changes almost monthly. Especially with a series of eight injections of Avastin over the last year. Retinal scans would do me no good.
From a different aspect, they implemented biometrics in around 2001 for access to the new gym at my college. It amazed me how many kids were ok with giving up their fingerprints(privacy) to use the gym. It seemed a bit much to just control access to a gym?
I think the real question is why the hell there need to that much security at a gym exit?
In order to keep terrorists out of our sacred gyms, all gyms must maintain a fingerprint watch list.
Happens all the time in our parking garage. The gate system takes so long to register a signal that the next driver believes that their transponder has triggered the gate again, when in fact they are actually driving through on the previous driver's trigger.
When the second driver attempts to exit the gate won't open because the system doesn't "think" they ever entered.
Maybe one of those smell detectors would have worked better.
I've never been to a gym where members have to sign out.
Then again, I haven't been to a gym in a while. :-(
Daily WTF stories are user-submitted.
User experiences don't necessarily have to be traditional news sources.
The system probably touts its ability to track the elapsed time of gym visitors. There might be some additional benefit in preventing someone from hiding in gym after it closed.
@Scott: It was a retina scanner. This was the late 1980s.
German beer is a lot stronger than post-Prohibition American beer, most of which is still made at "near beer" alcohol volumes of no more than 3.3%. German beer also comes in full pint bottles as opposed to the American 12oz.
The exchange rate in the late 80s was such that good German beer could be bought for $7 a case. Bloodshot eyes were quite common in those days. ;-7
Nothing new, really. When my father was drafted to fight in the Korean War, they couldn't take his fingerprints. You see, he worked as a postman at the time, before automated mail sorting, and simply handling so much paper wore his prints smooth.
If the story is true, here is my guess at an explanation:
1. The sign-in is to make sure only paying members get in.
2. The sign-out is to make sure no person is left behind when they lock up at night or because members pay by the hour (Thus the sign out stops the clock ticking on their bill).
3. Biometrics were chosen because any cards or keys would conflict with the need for people to be naked in the shower and almost naked in the pool.
There is always an override, but the user didn't have access or knowledge. A fire alarm would have dropped power to the turnstile or otherwise disabled it.
A horrible application of this technology, and old school hand geometry reader would work better, but would not have the cool factor that the gym was after.
@ Scott K
I suppose retinal veins might be more susceptible to detectable inflammation, but it shouldn't change their pattern, all the same.
Maybe the inflammation makes retinal veins that were just below the scanner's visibility threshold visible.
How long before someone realizes that fingerprint scanners are a potential Swine Flu transmission vector?
When entering the United States every visitor has to have their fingerprints scanned. Touching a surface that has been touched by countless other visitors is a surefire way of transmitting any virus that might be lurking.
My local school just installed a fingerprint payment system for meals. Schoolkids are not known for their personal hygene and regular hand washing. Another brilliant way of spreading the flu virus.
I still think "finger vein" or "palm vein" authenticators are cool; I wish the technology would expand so it could be cheap enough to afford in more applications.
Fewer problems with the biometric being stolen, (you don't leave samples behind on everything you touch, and if a thief chops off the finger/hand, it quits working.) and it is more resistant to the ID damage that caused so much trouble in this instance. (scratches on fingers, etc. There is even a "touchless" system, which I think would be fantastic for hospitals, with HIPAA and germ contamination making things complicated)
For best security, it should be combined with "know" or "have", but as far as biometric elements are concerned, it looks like an excellent technology.
This is an old article on it, and it's been around even longer than that.
I just wish it would get cheaper, so I could use it myself.
You must have posted while I was typing; School cafeterias! Good answer. Small schoolkids lose keys/lunch passes all the time, but a touchless authenticator would be a great idea there, and again, two-factor wouldn't be necessary because you're not protecting the crown jewels.
On the other hand, the argument could be made that "what better training could there be for children keeping track of important keys/objects/PINs/secrets than something that gives them access to their food" Darn that Devil's Advocate.
The story is long on hyperbole, short on any real criticism of biometrics.
It starts with a comment
"No more forgetting your ID number and having the receptionist look it up"
So the manual override was part of the old system. Stupid not to include it with the new system. Can't really call that a fault of biometrics. All controls need some kind of fail safe analysis and options.
I also cringed at this comment:
"the fingerprint scanner at the exit was getting kind of disgusting"
The whole gym concept is kind of disgusting. Everyone sweating on the same benches and handles. What's different about a fingerprint scan? Moreover, they also have a touchscreen option. Same problem, no?
Again, not a fault of biometrics.
The inability to read a print is a problem. The fact that stuff in a gym is covered in sweat...normal.
I think the real problem is that those implementing the system failed (or neglected) to account for the fact that all biometrics have an error rate. False positives and false negatives are part of any biometric based authentication, and to decrease one means to increase the other. Particularly as this implementation appears to use biometrics to both identify as well as authenticate (i.e., the fingerprint is compared to all users to identify one, not just one user to authenticate it), which increases the potential for error.
This probably part of the reason passwords remain popular, despite security concerns. It is an exact science, and incidents are simple to correct.
> The story is long on hyperbole, short on any real criticism of biometrics.
Probably you don't count that the fingerprint reader gets unreliable as it is covered by cumulative oily fingerprints, but I think the following are pretty clear problems with using fingerprint biometrics:
1) Fingerprints change after soaking in water
2) Fingerprints change when scraped on cement
3) Fingerprints change after being waffle-pressed by weight bars
4) You can compensate for the above problems some by dialing down the sensitivity, but that produces false matches.
In short, the "after" measurements don't match the "before." No match, no workable system.
@ Ricky Bobby,
Yes "worn fingerprints" are quite an issue with the "manual trades".
Data entry operators, brickies, plumbers, electricians, mechanics, fitters, warehouse staff, cooks, fishermen, truck drivers and another hundred or so "trades" have all shown to be quite effective at removing the ridges and creating new furrows or making interesting non linear changes to fingerprints.
Suffice it to say it's just those "white collar" workers that mainly don't suffer from the problem, however teiddle your fingers enough an who knows 8)
"I think the following are pretty clear problems with using fingerprint biometrics"
yes, i agree there are flaws to every control but i don't see that as the focus of the criticism.
bruce is raining on the biometrics parade by giving examples of failure when really should be focusing the critique on people who do things like implement fingerprint systems for gym access.
blaming the driver of a car, for example, when they drive it into a lake makes more sense to me than saying it is a sad tale of automobiles gone wrong.
ooops, forgot to finish the thought...
the should have been "when they drive it into a lake and expect it to float"
Sounds like the Gym's management ran into a very good salesman.
Don't count on it. Those white color jobs require accessing a blackberry, iphone, or something else more so then they would with data entry!
The Amphicar would be upset with you.
"The Amphicar would be upset with you"
there is probably someone out there right now designing a "gym print" reader that uses sweaty, bloated skin to authenticate members who is saying "this story is awesome material for my marketing plan"
I have Xeroderma on my hands, last time I tried to enroll at a fingerprint reader, it couldn't read my pattern. I was assigned a proximity card with a PIN.
My employer has installed a fingerprint scanner for the punchclock at work. I work in the foodservice industry and wash my hands dozens of times per day, and also frequently get cuts and scrapes on my fingertips. There have been days when I spent 20 minutes trying to clock out at the end of my shift because the scanner did not recognize my fingerprint.
The feed looks normal to me. What's wrong with it?
@Elisabeth C: "My employer has installed a fingerprint scanner for the punchclock at work. I work in the foodservice industry and wash my hands dozens of times per day, and also frequently get cuts and scrapes on my fingertips. There have been days when I spent 20 minutes trying to clock out at the end of my shift because the scanner did not recognize my fingerprint."
I'm curious, when you put your finger on the scanner, does it know who it is trying to authenticate, or does it use the fingerprint alone to identify and authenticate you?
In other words, do you tell it who you are (perhaps through a card or ID) before you put your finger on the scanner?
Oh yeah, something like this would fail almost immediately at the rock climbing gym I go to. Amazing how badly a good climb can fuck up your hands.
> HJohn - does it use the fingerprint alone to identify and authenticate you?
IIRC, facial scanning has the same problem, only moreso. It's decently good at authentication, but it's worse than useless at identification from anything but a very small pool.
Minor spelling pedantry: that muscle that holds up your ipod is a biceps (and that glass disk on the front of your camera is a lens). There's no such thing as a "bicep" (or a "len").
I used 3 different progs to get them,but rss was unreachable.Same thing with two apps in my iphone.Something to do with feedburner i guess or i hope something i m wrong.
I work for a company that sells biometric timekeeping devices such as ElisabethC describes. I don't know what system her employer bought, but the terminals my employer sells, uses cards or PINs to identify the employees, and biometrics to authenticate that they are who they say they are. These systems are popular in industries with many poorly supervised low level employees and high turnover rates.
Fingerprints can change, especially in certain work environments such as food service or cleaning. If you attempt to use the fingerprints themselves to identify the employees, you have to dial the sensitivity up so high that people don't match their own prior prints. But if you dial the sensitivity down too far, then all the fingers start to look alike. The sensitivity is adjustable, so the employer can find a sweet spot where ElisabethC and her compatriots don't have that trouble, but where they cannot punch each other in and out.
If ElisabethC is having that sort of trouble, someone needs to adjust that terminal. What she describes is a failure, but any system will fail if you don't set it up correctly! This is not rocket science.
@Chris .... that much security is needed to keep people *in* the gym.
Perhaps instead of a finger print scan they could have a bicep scan. "Sorry mate, you didn't pass the scan to get out, back to the weights room for you !"
And yeah, the rfid card system works fine at our gym. It reads the card while still in your bag and lets people out without the need to swipe. Anything more makes me think they were caught by a smart salesman.
Kudos to you for pointing this out.
BTW, is "kudos" singular or plural? And what's the plural if singular, or singular if plural?
I particularly liked the comment from "d. k. Allen." Though I have no way of verifying whether or not it's true, it passes the "smell test" (which is a little frightening in and of itself):
The nuclear plant where I used to work, discovered this drawback with biometrics in very much the same way. The employees got tired of the system rejecting their fingerprints, so they relaxed the system a bit... and it started letting anyone in that still had a pulse, or a finger. Took them the better part of a day to figure it out, then had to lock down and sort things out. They were back to the badge entry system the next day.
I've never been able to successfully have my fingerprints read with any fingerprint scanner I have ever tested or been subjected to. This includes the one the customs goons used when I visited the US.
This is a very unreliable biometric and if it ever becomes mainstream it will cause me no end of problems.
I note that although we have all "skirted around it" on this blog page it realy needs to be said (to stop the "quack medicine" and "snake oil" sellers amassing their illicit gains, although a good old "tarring and feathering and being run out on a rail" has more entertainment value 8)
Essentialy we have avoided pointing out the important little points about bio-metric systems that realy render them little more than a gimic for most practical authentication systems...
1, They don't work for a sufficient part of the population (ie 10% and up).
2, What is being measured can change sufficiently over a short period of time to render it effectivly useless at any sensitivity that makes it sufficiently secure.
3, For an authentication system to be of real use it must be possible for either party to covertly invoke / revoke parts of the process at any time without changing the system in any way external observers can detect.
There are many others but these should be sufficient.
On the first point, what is the point of trying to build a system around some inbuilt "token" that may not be available in a sufficient sample of the population for which it is aimed at?
Further it could be argued that the use of "finger print readers" and other bio-metrics such as "gait" (and most other bio-metrics) is illegal under "disability discrimination" legislation.
In general "society" does not like the idea of predudice on sex, race, physical or mental ability and we have fairly strong legislation against it in most "civilised societies".
And yes I am waiting to see a test case of an employee fired/discriminated against due to their lack, poor or non measurable bio-metrics.
All technology has to prove it's self against the "accepted norms of society" at the time of it's inception and later or be relegated to the "quaint ideas box" to gather dust (it is one of the reasons why certain invassive bio measurments frequently appear in cartoons and faux SciFi to get a cheep laugh).
As for point two, this is a real "Oh dear..." moment for any technology that is used for authentication.
For somebody to seriously sugest on this blog that a security technology has a "sweet spot" and that is unknown to any prospective implementer and you find it by the trial and error proccess of "adjust the sensitivity" as you go along... Just "does not get it" when it comes to security.
All that will ensure is that over time the security threshold will get lower and lower to the point where it is pointless and it just becomes another "stage prop" for "security theater".
It is the equivalent of saying "users have trouble with long passwords" therefore "we shorten the allowable password length untill the problems go away".
As we all (should) know people will forget etc their passwords so on the "adjust the sensitivity" argument the password will get shorter and shorter untill either it's a single letter, or be so unforgetable short to all users that it will become something like the users initials or date of birth or "last three" of their social security or payroll number, which can easily be found some other way.
So on to the third point, this is a little non obvious on first sight untill you mention the words "rubber hose" or more correctly "duress detection".
An essential part of any real world authentication system of any meaningfull security value is that it should have "built in" what are normaly considered undesirable in other security systems. This is "side channels" for transmitting other information covertly.
These are used to trigger "silent alarms" or warnings in a way that does not alert those applying the duress to a happless employee etc untill it is to late for the perps.
So ask yourself the question,
"how do you alter your Bio-id metric to say 'Yes it realy is me but there is a gun at my significant other / childs head'"...
With the "something you know" or "something you have" asspect it is fairly easy not so with the "something you are".
For instance a password is "something you know" add a "check" digit and it's done. With an ordinary "door key" the addition on the key ring of another pysically similar key is quite simple, one key causes the lock to send a signal to a human operator the other does not. Now do I use my left eye or my right eye how about hand, do I effect a limp... 99% of such silliness is going to be obvious to anybody who has watched you authenticate a couple of times before...
Bio-ID on it's own does not possess this covert ability and if you have to augment a Bio system in some way to get it you might as well design a different system as in the long run it will almost certainly be more robust not just from the security asspect but from many other asspects as well.
I could list quite a few other reasons why Bio-metrics are not a good idea for authentication or other purposes but you are probably falling asleep by now ;)
@chris, "Surely this is all worth it to prevent unauthorized people from gaining access to something as valuable as a weight room."
Even better: something as valuable as trying to get out.
Kudos from the Greek. singular noun in Britain often plural in US
(I am constantly amazed at how they continue to let us use their language when they see what we do to it.)
Plural? I'd vote for Kudoi
Clive, you have to consider the context where the device is being used. What are the consequences of a false positive? And what are the consequences of a false negative? Let's imagine how this plays out.
Suppose the device is 90 percent accurate, 10 percent of the employees are cheating, and there are 100 employees working every day. Assuming the very existence of the device doesn't change anyone's behavior (big assumption), then the first day you deploy it, 81 honest employees will badge in without trouble, 9 honest employees will be false positives, 9 dishonest employees will be true positives, and 1 cheater will be missed. The supervisor is called down to the clock 18 times that day. On half of those occasions they discipline someone, and the other half they grumble about the nuisance and enter the override code.
Once you purge most of the cheaters, the alarms are mostly false positives. But that doesn't mean it's a compelte failure. Cheating isn't random - the cheaters are humans who analyze their risk of getting caught, and this device has increased that risk. They know this.
Ideally your supervisors pay at least SOME attention to who is clocking in, and they would eventually notice the cheaters anyway. But this technology helps them spot this stuff sooner. It should also help flush out dishonest supervisors, or light a fire under lazy ones.
If the device allows you to schedule and pay 100 workers and get 99 of them to actually come to work, when you used to only get 90, maybe you can reduce payroll costs by only scheduling 91 workers to come in for that shift. That's a win, even if one person is still cheating.
Bruce, you've been had. The Daily WTF is fiction.
OK, there can be quite a few reasons to keep track of people going in and out.
Even people not having pockets to put ID cards in.
But I don't buy that excuse. If the overall security doesn't include the changing rooms, so gym members have some assurance their property is safe, people will go somewhere else. And it's a lot easier, if you really need to track individuals inside that ring, because you have a much smaller pool of biometrics to identify.
It's a long time since I've been to anywhere like a gym. There are events held in sports halls all over the UK. Here's a little problem: how do you secure changing rooms, without blocking access for a bunch of folk going to a concert, or a computer fair, or whatever.
It's my experience that everybody goes through the same entrance, and down the same long corridor.
And a particular example of where biometrics might be really useful: tanning salons. They seem to have become so automated--coin-in-the-slot sunbeds--that foolish customers are commonly badly sunburned. That's something that could be safer with biometrics.
I'm willing to bet that this happened at 24 Hour Fitness. I consulted on the project and explained the birthday problem to them and how it applied to their situation and that collisions were inevitable. The literally laughed at me. I offered to show them the math and they told me they wouldn't believe me anyhow.
Rather than deal with the realities that I brought up they brought in a vendor that told them what they wanted to hear. I went to one meeting, asked some hard questions, and was never invited back.
> Here's a little problem: how do you secure changing rooms, without blocking access for a bunch of folk going to a concert, or a computer fair, or whatever.
The fundamental problem with change room lockers is putting them in a location where a thief gets unmonitored access for long periods of time. So instead you do what I persuaded my local gym to do, when they were on the verge of buying a ludicrously overcomplicated electronic locker system (of the same type as the golf lockers whose hacking had been reported on this blog!)
Namely, you move the lockers out of the change room, into the highest visibility area (in the case of a gym, generally either the circuit room or reception area.) Then they will be constantly monitored by dozens of hulking brutes armed with steel cudgels -- more than a few of whom are surprisingly sharp-eyed and security conscious. At that point, you get perfectly adequate security from cheap chipboard boxes secured with a $15 cam-lock.
There is a small issue, with what to do with your change of clothes whilst showering (your phone and wallet can of course stay in the locker until you are ready to go.) That is resolved by simply having hooks or benches that are visible from the shower stalls. The prospect of being pursued by a naked angry hulk on 'roid rage seems to deter even the most desperate thieves!
> you have to consider the context where the device is being used.
True enough, but far too many people simply do not understand the mathematical properties of these devices to put them into context. Most biometric devices have FAR and FRR (false acceptance rate and false rejection rate) sufficiently high that you need to do some real mathematical analysis to see if it's a good idea in your application -- even for low security applications like gym entry. The analysis that's usually performed is "ooh, high tech, it must be secure!"
In the absence of an overnight solution to the innumeracy that pervades our society, it seems best to simply continue to advise clients that most of these devices have high failure rates and are easy to fake, so should only be selected after an expert analysis.
All of the "you just have to find the sweet spot" posts also miss the fact that you have to do your adjusting on live data, i.e. on actual people who are trying to do real work or consume actual goods and services. Unless you're running a manual system of some kind in parallel (with lots of checkers and easy overrride ability) that means days or weeks of partially shutting down your operation while the sweet spot gets sorted.
Oddly enough, that's almost never included in the cost estimates.
At 24 Hr the problem was that because this was a customer facing app the client wanted a FRR that was so low as to make the FAR intolerably high. If you drive your FRR to zero then everybody gets in, especially if they only have to match against one of several million templates.
I use a fingerprint scanner to enter the facilities at the ISP colocation firm our company uses. I've been to the facility perhaps ten times. The fingerprint scanner has never worked for me when I first arrive. I can try it five times in a row with no luck. However, I've noticed that if I take my backpack and jacket off, wait 1-2 minutes, it works the very next time. (I always enter my ID# first to help it, so its not like its trying to find my fingerprint amidst some vast database.)
I've speculated that my finger changes in some way that returns different "results", due to blood pressure to the arm (backpack strap) and/or and higher body temperature (with coat/jacket on, coming in from the cold outside). I've also noticed the reader is sensitive to finger position; where precisely is the tip of your finger? I don't conciously mess with that but there may be something subconcious going on there. Anyway, for whatever reason, the technology sucks. This is an ISP who seems reasonably savvy and has been around over a decade so I wouldn't guess they're newbies at this.
Anyway, it can't be a coincidence that they have an intercom right next to the fingerprint scanner so you can escalate to a human when the fancy tech fails.
"However, I've noticed that if I take my backpack and jacket off, wait 1-2 minutes, it works the very next time."
If it's phsyiological it is due to two likley problems.
But first off it's not your coat unless it's very tight across the chest so don't get uncomfortable.
The problem is that your finger is probably a bit numb to you, yes?
If so it is most probably an uneaven swelling problem.
The strap of your back pack is cutting off the return of blood and or lymph from your arm at your collar bone.
This causes significant back preasure in a healthy young adult and ends up distorting at the point of least resistance which is your fingers.
As you get older you will notice this effect more and you will start to get "sausage finger" as my son calls it. Where the swelling is such that it gets into the joints as well and makes the fingers feel like they have turned to sausages 8)
The official term comes under odema and is a form of fluid retension.
Another cause that also is made worse by things like your backpack strap is gravity and lack of use/movment.
When walking or sitting down you are supposed to move your hand and your arm against gravity otherwise you get the same problem that supposadly causes long haul DVT in aircraft passengers ("supposadly" because it also happens more commanly in other methods of transportation like coaches, cars etc).
The solution is usually the same put on gloves in cold weather (you don't want to die of a heart attack do you). And move your hands (and arms) against gravity or physically above both your heart and shoulders.
This stops the return fluids that leak out from blood vessels etc pooling in your hands. Which helds stop the build up of small clots in your hands that can kill you by getting stuck in your lungs (PE's) your heart or brain (stroke)
Each year in Britain a significant number of strokes and heart attacks are caused by not wearing gloves and carrying a brief case etc. It happens anything upto 72 hours after not wearing gloves and usually in men over 40.
Experianced high altitude climbers are aware of the issues (or should be) as HAPE / HACE which you can google.
Having had bilateral multiple progressive PE's and ended up being on 15mg of rat poison daily and self injecting "sugars" (heprin and co), it is a subject I wish I had known more about.
Hint if you have for some reason had to sit immobile for some considerable period of time or spend a few hours over 8000ft without aclimatisation and develop what feels like a chest cold but cannot cough up muck and it does not respond to anti-biotics and importantly gives rise to shortness of breath on mild physical activity (climbing stairs or walking) go sit on your doctors head and don't be fobbed of untill they agree to a D-dimer test it could well save your life (I came close to lossing mine).
@ Roger, John Harrison,
As I said in my original post in two different ways,
"There are many others but these should be sufficient."
"I could list quite a few other reasons why Bio-metrics are not a good idea for authentication or other purposes but you are probably falling asleep by now ;)"
And in my experiance the maths is so far down the list of very real problems that invariably it is not reached untill well after other less problematical and usually lower cost solutions have been found (rfids for instance will solve better nearly all the gym and other related problems above more easily especialy when they have other value to the punter such as drinks machine billing)
And like John I'm only to aware of high tech blinkers, and lost a real high value job because of fnding fault with finger print readers.
The story is interesting for other security related reasons,
Some considerable time ago when I was around eight years old I had a liking for Edam cheese, around which is a soft red wax which has a softening (plastic) point at just below body temprature.
It was fun to play with and one thing I noticed that like oil based modeling clay if you pressed your finger in it made a very very good mould of your finger print.
Incidently it turns out I was not the first to notice this it was not until I was in my tweenties that I read the collected "sherlock holmes" stories in one of which he talks about wax fingers, so predated me by a hundred years ;)
Anyway what I liked about the red wax was it was easily reusable so was more fun than oil based clay. And importantly if you put it in the fridge it went as hard as candle wax, so if you put a drop of cleaning oil (WD40) on it and then quickly and firmly pressed in warm wax on the cold and left it in the fridge, with a little care and a bit more work you had a wax finger with real finger prints you could put in a match box and scare girls with (yup I was that eight year old that traumatised you with my rotting finger sorry).
I also slightly later found out how to make fake skin with "copydex" rubber solution glue after simply pealing some dried glue of my fingers which was great for making very realistic wounds and festering scars etc and further increased my popularity (sorry girls)
by the time I was ten I had put the two together and come up with fake finger skin gloves and a little chicken or pork fat to make fake finger prints on a drinking glass to show my friends (put your finger on the side of a glass with watter or other liquid in it and tip it slightly and you can very easily see your finger skin ridges etc in good releaf).
I also worked out how to lift real fingerprints and transfer them to other objects using scotch tape and whisky (a process I'm not going to describe for obvious reasons as I have never seen it described else where in open docs). I also discovered how to get Super Glue vapour to stick to invisable prints after noticing the "frosting effect" on the plastic packet the little tube came in that I used to rest it on when making models. But stoped doing it because the fumes via a candel not only choke you they have other strange effects and a friend I'd shown got taken to hospital after trying it at home (do not try it at home children it will kill or blind you).
Any way to cut a long story a bit shorter I ended up becoming a design engineer and in my early twenties ended up working for a company designing early fingerprint readers.
I was so under impressed by their security I told the older engineers about it, and was laughed at and belittled by them infront of my peers and was told I was "to stupid" to be able to break their wonderful designs. I was realy pissed and to get revenge I actually nagged the chief engineer until he watched me demo all the flaws I knew of. I expected him to tell the other engineers they were not so clever, instead my reward was a quick move sidwards to another place and then being booted out a few days later.
It's the kind of thing that burns oh so deep in your mind. Suffice it to say I went on to discredit the organisations finger print readers repetadly and all their other bio-metric systems whenever I could (they eventualy went broke and got taken over).
I even went on to work out how to "forge human DNA" so it could be used to contaminate a crime scene easily and very effectivly (the problem is actually in part of the then standard testing phase). I tried to talk to the developers of DNA finger printing systems and like the "old engineers" was told it was not possible or I was mistaken etc etc, yet when you pressed and said "have you tried it" the reply was "I don't need to because I know you are wrong". When I said "well I have and it's easy and it's possible for this reason" I got the "your killing the golden goose" response.
I even told Bruce about it in the early days of Cryptogram and he did not pick up on it. A while later an Australian researcher told ABC News about exactly the same thing and suddenly it was world wide news for a few days.
The interesting thing about this is every bio-metric system I have had a go at has failed misserably, every time to things I noticed and played with when I was a child, or did for other reasons as a child or young teen. None has involved the use of mathmatics or high level analysis, and worse the more high tec features they add to stop the attacks the more avenues of attack they open up. So to be honest most bio-metric systems are dead ducks before they hit the water...
I'll be honest though and say that the super glue incident with my friends eyes has stayed with me as has an incident where my eyes where damaged in a school metal work class and I've been to cautious to activly test and develop practical ways to beat eye related bio-metrics (I won't risk somebody else on principle especialy as I'm to scared of losing my own sight).
seems like a reasonable problem to me.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.