[HN Gopher] Hacker fakes German minister's fingerprints using ph...
___________________________________________________________________
Hacker fakes German minister's fingerprints using photos of her
hands (2014)
Author : deegles
Score : 30 points
Date : 2024-03-25 21:20 UTC (1 hours ago)
(HTM) web link (www.theguardian.com)
(TXT) w3m dump (www.theguardian.com)
| pcdoodle wrote:
| Makes me think of Steve Gibson's Security Now episode on the 4
| factors of security:
|
| 1: Something you know (Password)
|
| 2: Something you have (OTP)
|
| 3: Something you are (Bio)
|
| 4: Someone you know (3rd Party)
|
| In 2024, the last 2 seem a bit more challenging. With AI voice
| and biometric data being able to be lifted from internet media,
| there's some more to think about when designing these systems.
| These are fun challenges to think about. I'm glad Steve decided
| to break the 1000 podcast limit, I highly recommend checking it
| currently along with the archive.
| Detrytus wrote:
| Seems like it's 2024 and still nothing can beat a complex
| password saved in a password manager. With OTP as a good way of
| annoying users, and other ones being totally useless.
| stees wrote:
| Definitely not, adding in a second factor such as FIDO U2F
| provides unique passwords per domain, which levels up
| security against phishing attacks!
| Detrytus wrote:
| The problem I have with hardware-based authentication, such
| as Yubikey, is that it's a physical thing that can be taken
| away from you (or just break, or get lost), which makes me
| nervous.
|
| Maybe it's stupid, but the scenario I always have in mind
| is one from "Bourne Identity" movie, with Jason Bourne
| found in the sea, with nothing on him, no wallet, no phone.
| And it's not a far-fetched scenario either: I travel a lot,
| internationally, so I always imagine being mugged, having
| my phone and wallet taken away from me. Being able to log in
| to my accounts, and more importantly, access my money in
| the bank with nothing but a password stored in my brain is
| important to me.
| snakeyjake wrote:
| This has been taken to be fact for about a decade.
|
| Has anyone ever replicated this? CCC presenters have a tendency
| to, exaggerate, a little.
|
| The only presentation given on this topic, at CCC, demonstrated
| an attack against fingerprint readers where a fingerprint was
| reconstructed from imagery, cast into a physical fake finger, and
| then authenticated against itself. Not that a fingerprint was
| reconstructed from imagery and authenticated against a scan of
| the actual finger.
|
| I can totally botch a reconstruction of a fingerprint based on
| some blurry imagery such that it looks like the number six side
| of a die, load the reconstruction into a fingerprint reader, and
| then authenticate against a gelatin finger with an imprint of six
| pips on it but I cannot say that I have reconstructed THE
| fingerprint.
| Brian_K_White wrote:
| Even if it worked perfectly, this kind of thing is probably
| very time sensitive and short lived. Did it still work on the
| very next year's model of phone?
|
| I think there are weaknesses all over the place still today,
| and wide variation between manufacturers and price points, but
| I assume the details change and get harder all the time, or at
| least change, making an example from 10 years ago of limited
| interest today, UNLESS the same thing also still worked today.
|
| Another aspect of that would be how the tools on both sides
| progress not just one side. A casual photograph from a common
| camera or phone from a reasonable distance today having a lot
| more information in it for instance. Or maybe other tools like
| fabricating a physical model from data by 3D printing etc.,
| where the tools are both better and more readily available so
| the bar is lower even if the fundamental process is the same.
| That difference alone may make things go from possible to
| practical.
| autoexec wrote:
| I'm waiting for someone to start selling fake fingers and
| eyeballs that I can put on my keychain for any ignorant device,
| site, or service that requires biometrics. That way even though I
| can't reset my fingerprints or iris, I can easily throw away the
| compromised fake part and register the print/iris of a new one.
|
| Then I'll just need a set of masks for facial recognition...
| maybe a couple gloves with palm prints. Man, passwords are
| looking more manageable all the time.
| WinstonSmith84 wrote:
| Interesting but... this applies to well-known people. As an
| average Joe, I'm more concerned about petty theft than about
| being targeted by super smart criminals.
|
| As a matter of fact, my wallet was literally stolen 2 months ago,
| including bank cards. Interestingly, the thief didn't even try to
| use the bank cards at all (I blocked them right away, but always
| get a notification on my smartphone when a transaction is made or
| attempted to be made). The thief just cared about the cash...
___________________________________________________________________
(page generated 2024-03-25 23:00 UTC)