Saturday, March 19, 2005

Biometric passwords risk gravest form of identity theft

So, once fingerprints become a biometric key to your car or password to your computer, how long will it be before thieves steal the data, or worse, chop off somebody's finger to steal their stuff? Microsoft has taken the next step in that direction, Alistair Dabbs writes in the 3-17 IT Week, implementing new biometric password technologies on personal computer keyboards. The company, he reports:
has launched a keyboard that uses biometric data for authentication, the nattily named Optical Desktop Elite with Fingerprint Reader for Bluetooth. And it could spell doom for mankind. Well, sort of.

The manual states it is not intended for security purposes but for convenience. But what if you call in sick and a colleague needs a file from your machine? What if your hands get dirty? Will office workers have to become dirt-free obsessives like Howard Hughes?

Apple Computer introduced voice-pattern access into its operating system years ago but almost no one uses it. The reason? Unlike your voice, passwords still work when you have a bad cold.

Yet many people persist in believing that biometric access can be relied upon for security. Biometric data, I am told, is secure because it is "locked" to your body, while passwords can be acquired from you in underhand ways. The word "locked" is misleading, though. A determined hacker will always find a way, giving rise to some scary scenarios.

One scenario is taken from classic sci-fi. For biometric access to work, your fingerprint profile data has to be stored on a computer, where it can potentially be stolen or altered. In sci-fi stories, you then enter a Kafkaesque nightmare in which you are locked out of your own car, home and bank account. When you go to the police, your biometric records confirm that you are in fact Osama Bin Laden.

The other scenario is equally dramatic. If someone is desperate enough to steal your fingerprint, they may take violent steps to acquire an actual finger. Remember, we already live in an era in which muggers will stab you in the heart for a mobile phone.

Most worrying is the fact that biometric parameters are largely permanent. This is a limitation, not an advantage - if someone learns your password, you can change it, but you can't change your fingers if a criminal manages to replicate your fingerprint.

Thank you! I'm no IT expert, nor any Luddite, but I've been arguing till I'm blue in the face that these biometric technologies pose precisely that risk. After all, to the computers, your fingerprint is just a bunch of ones and zeroes, information just like your social security number or other private data that can be stored or stolen. The widespread shift to biometrics as unique identifiers risks catastrophe. Nobody in the Texas Department of Pubic Safety seems to care, though.

Really, because "biometric parameters" are permanent and unique, there's little useful security purpose for them that doesn't risk the gravest types of identity theft. Maintain a large database of biometric data, and thieves might break in and steal it, or hack your system. Even if biometric data is only put on an ID card, though, one risks the grim possibility of a severed finger being used as a password.

Can't this society foresee and avoid ANY bad idea or policy? Must we ALWAYS suffer the gravest catastrophes from boosterism and hype before anyone embraces rationality? How will Batman and the Boy Wonder get out of this one? Stay tuned.

Via Security Focus

No comments: