Popular Biometric Security = Bad For The Masses

I saw this the other day and said to myself, “Now THERE’S a good alternative to biometrics for high security applications!”.

And here we go. Security rant on.

Grocery shopping in a bad future.

If you go to a grocery store that is trying to convince you that paying for your milk and peanut butter by placing your thumb on a reader is a good thing, please keep reading. The problem with these biometric security mechanisms isn't that they're insecure. The problem is also not what Hollywood would have us believe, that retinal scans can be defeated by cutting someone's eye out and holding it in front of the sensor (ridiculous). The problem is a personal one, and it actually lies in how good these devices are at what they do.

If I'm getting off on a tangent, let me bring it back a little. Your fingerprint or retinal pattern is indeed capable of identifying you, and only you, out of the six billion other people on the planet. The problem is that the information *representing* your fingerprint or retina is stored somewhere as a template: 0's and 1's, just like any other data file. Encrypted or not, it doesn't matter, because the system has to decrypt that template again every time it compares a fresh scan against it, so the key lives right next to the data. Now here's the point of my rant: stored data can be compromised. Compromised and stolen. Stolen and decrypted. So now there's a thief out there holding something *way* better than a credit card number, which can at least be cancelled. They've got YOU. They have something that indelibly represents you and only you, something that cannot be cancelled or re-issued. Your most precious representation of your individuality has been compromised.
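As an added illustration (this is not code from the original post), here is a toy Python model of why the two kinds of credential differ. A password is a secret: it can be stored as a salted one-way hash and rotated after a breach. A biometric template is an identifier: a fresh scan never matches the enrolled reading exactly, so the verifier must hold the template in a form it can compare against (a hash won't do), and after a breach there is nothing for the user to rotate. The 256-bit template, the Hamming-distance matcher with a 40-bit tolerance, the seeds and the sample passphrases are all constructed assumptions standing in for a real fingerprint or iris pipeline.

```python
"""Constructed comparison of a revocable secret (password) and a
non-revocable identifier (biometric template).  The "trait" is a random
256-bit pattern and the matcher is a Hamming-distance threshold; both are
assumptions standing in for a real minutiae or iris-code matcher."""
import hashlib
import random
import secrets

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 40  # assumed tolerance: accept if at most 40 of 256 bits differ
PBKDF2_ROUNDS = 50_000


def enroll_biometric(seed: int) -> int:
    """The user's physical trait, modelled as a fixed 256-bit pattern."""
    return random.Random(seed).getrandbits(TEMPLATE_BITS)


def scan(trait: int, noise_bits: int, seed: int) -> int:
    """A sensor reading: the trait with `noise_bits` random bits flipped."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), noise_bits):
        trait ^= 1 << pos
    return trait


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two readings."""
    return bin(a ^ b).count("1")


def biometric_matches(stored_template: int, sample: int) -> bool:
    """Fuzzy match: the verifier needs the stored template in the clear."""
    return hamming(stored_template, sample) <= MATCH_THRESHOLD


def hash_secret(secret: bytes, salt: bytes) -> bytes:
    """Salted one-way hash, the normal way to store a password."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def password_matches(stored_hash: bytes, salt: bytes, attempt: bytes) -> bool:
    return secrets.compare_digest(stored_hash, hash_secret(attempt, salt))


def hashed_template_matches(template_hash: bytes, salt: bytes, sample: int) -> bool:
    """Try to protect the template like a password.  Any noisy scan fails,
    because a one-way hash destroys the closeness the matcher relies on."""
    return password_matches(template_hash, salt, sample.to_bytes(32, "big"))


def breach_scenario() -> dict:
    """Model a database dump and what each credential type looks like after it."""
    salt = b"constructed-salt"

    # Password: a secret the user can change after the breach.
    pw_hash = hash_secret(b"milk&peanutbutter", salt)
    stolen_pw = b"milk&peanutbutter"  # attacker cracked the dumped hash
    works_before_rotation = password_matches(pw_hash, salt, stolen_pw)
    pw_hash = hash_secret(b"new-passphrase-after-breach", salt)  # user rotates
    works_after_rotation = password_matches(pw_hash, salt, stolen_pw)

    # Biometric: an identifier the user cannot change.
    trait = enroll_biometric(seed=1)
    template = scan(trait, noise_bits=5, seed=2)  # enrolment reading, stored in DB
    stolen_template = template                    # dumped from the database
    genuine_scan = scan(trait, noise_bits=12, seed=3)
    impostor_scan = scan(enroll_biometric(seed=99), noise_bits=12, seed=4)
    # After the breach the user still has the same finger, so the verifier
    # must keep accepting the same template; there is nothing to rotate.
    return {
        "password_stolen_works_before_rotation": works_before_rotation,
        "password_stolen_works_after_rotation": works_after_rotation,
        "biometric_genuine_accepted": biometric_matches(template, genuine_scan),
        "biometric_impostor_rejected": not biometric_matches(template, impostor_scan),
        "biometric_stolen_template_replays": biometric_matches(template, stolen_template),
        "biometric_hashed_template_rejects_genuine": not hashed_template_matches(
            hash_secret(template.to_bytes(32, "big"), salt), salt, genuine_scan),
    }


if __name__ == "__main__":
    for name, outcome in breach_scenario().items():
        print(f"{name}: {outcome}")
```

The last dictionary entry is the one that matters for the "encrypted or not" point: the only way a verifier could avoid holding a usable copy of your template is to store it one-way like a password, and that breaks matching on the very next scan. The stolen-template line shows the other half of the argument: the dumped data is accepted as-is, today and in ten years.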

Typical product of a retinal scan.

Security rant off.

If this line of discussion interests you, I highly suggest you head over to Bruce Schneier's site and start reading. Bruce has written some of the most widely read and prolific work on modern security in print today. Highly recommended and encouraged reading.

So the reason I thought this was such a good idea is that it's:

A) not a fixed, unchangeable credential like your fingerprint or retina are, and

B) immune to the common methods of compromise, like shoulder surfing (looking over someone's shoulder while they type).

Only the most exotic methods of compromise, like van Eck phreaking or TEMPEST-style emanation monitoring, would remain viable... and that is a good thing, as most people don't know how to build an eckbox.

So anyway, just remember not to let anyone scan your retina or thumbprint into a database, please… it’s bad for all of us.
