Paid Advertising
web application security lab

Biometrics Are A Pain

I ran into this article in a few different places, but in Malaysia a man had his car stolen and his finger chopped off with a machete so that the carjackers could start the biometrically secured car later.  Are biometrics really the answer?  Let’s figure out what the question is first.

The question is, what is the best way to secure something while keeping it still usable?  Well, the usability in biometrics are questionable (what if I don’t have fingers?) but let’s see what we are trying to secure first.  In this case, the car in question was worth $75k in resale.  I don’t know the man personally, but I would suggest that it’s not worth $75k to lose a finger if you were to ask him in retrospect.

Now computers are beginning to be outfitted with the same technology.  For instance the Apple has a blog post about adapting your laptop with fingerprint technology.  Although technically interesting, does it actually do what you want?  Are your files still secure, and is your finger secure?  Frankly, nothing I own is worth any of my body parts, but that’s just me.

The interesting part of biometrics, if you aren’t already familiar with them, is the crossover error rating (CER).  The CER on a fingerprint is 1:500, compared to a retinal scan which is closer to 1:10,000,000.  So in that stance it is not practical (although I’d rather loose a finger than my eye anyday).  That and the gummi bear attack make fingerprints a fairly substandard authentication technique compared to passwords.

Is it all worthwhile?  I think the concept of biometrics is interesting, but it lacks some pretty obvious safeguards, and if I can just chop someone’s finger off, why wouldn’t I, (assuming that the goal was worth it)?   But would it matter?  Let’s take the laptop idea for a second.  The fingerprint scanner does not encrypt the drive, and does not lock out the hardware.  Ripping out the drive, booting and rooting it will still give you access to the same information without actually requiring an actual finger.  Not a particularly good security device in that regard.  Sure, you could encrypt the drive, put volitile information on a car that will destruct if removed, etc… but who does that other than the guys at HavenCo?

Ultimately, I think I’ll just stick to passwords for now.  No need to remove body parts… just stick to rubber hose cryptanalysis on me - at least I can give up my password without any blood.

2 Responses to “Biometrics Are A Pain”

  1. phaithful Says:

    mmmm… gummy fingers….

  2. RSnake Says:

    I forgot to mention, even if you were to say that his finger was worth $75k, he didn’t end up with a $75k insurance policy, he ended up with no car AND no finger. It’s double the loss, equivalent to a $150k loss and zero gain. Sounds like a lose-lose situation to me.

    Jeremiah Grossman also pointed me to this article:

    Great, so now I lose my whole hand instead of my finger? I think what the world needs is a private parts Biometric. All the world would need is one story about one guy losing his equipment and no one would ever be fooled by this technology’s promise again.