Why biometrics suck, the Office of Personnel Management edition


The nation-state hackers who stole 5.6 million+ records of US government employees (cough China cough) also took 5.6 million+ fingerprints. But it's no problem: those people can just get new fingerprints and revoke their old ones, right?

Help EFF and Muckrock find out how your biometrics are being tracked

Mike from Muckrock sez, "Police departments are increasingly tracking your face, your fingerprints, your tattoos -- and even your DNA. The Electronic Frontier Foundation and MuckRock are working to uncover how local agencies are tracking you and bring some much-needed transparency to the murky world of biometric surveillance through a free public records audit."


St Louis police offer to fingerprint all the children in #Ferguson

The free fingerprinting kits are part of the long-running national push to fingerprint children in the name of public safety, and are a new tone-deaf low from the region's cops.

Vein-scanning payment system

Lund University engineering student Fredrik Leifland is testing a prototype biometric payment system based on vein matching, scanning and analyzing the blood vessels in the surface of the hand. (Lund University)

NSA facial recognition: combining national ID cards, Internet intercepts, and commercial facial databases for millions of people

A newly released set of slides from the Snowden leaks reveals that the NSA is harvesting millions of facial images from the Web for use in facial recognition algorithms through a program called "Identity Intelligence." James Risen and Laura Poitras's NYT piece shows that the NSA is linking these facial images with other biometrics, identity data, and "behavioral" data including "travel, financial, behaviors, social network."

The NSA's goal -- in which it has been moderately successful -- is to match images from disparate databases, including databases of intercepted videoconferences (in February 2014, another Snowden publication revealed that NSA partner GCHQ had intercepted millions of Yahoo video chat stills), images captured by airports of fliers, and hacked national identity card databases from other countries. According to the article, the NSA is trying to hack the national ID card databases of "Pakistan, Saudi Arabia and Iran."

This news is likely to be rhetorically useful to campaigners against national ID cards in countries like the UK, where the issue has been hotly debated for years (my own Member of Parliament, Meg Hillier, was the architect of one such programme, and she, along with other advocates for national ID cards, dismissed fears of this sort of use as paranoid ravings).

The development of the NSA's facial recognition technology has been accompanied by a mounting imperative to hack into, or otherwise gain access to, other databases of facial images. For example, the NSA buys facial images from Google's Pittpatt division, while another program scours mass email interceptions for images that appear to be passport photos.

UK kids have the right to opt out of school fingerprinting (even if their parents are OK with it)

New provisions of the UK Protection of Freedoms Act 2012 went into effect this September, which strictly limit the gathering of biometric information from children. Under the law, kids have the right to opt out of biometric collection (including fingerprinting, which is in widespread use in UK schools). Kids have this right even if their parents or school insist upon their submission to biometric collection. Needless to say, schools have done pretty much nothing to accommodate this legal right, and as Jon Baines points out, this is a great teachable moment for privacy-conscious kids (in that they could teach their educators that privacy is worth something, even if you're just a kid).

iPhone fingerprint hacker on the limits of biometrics for security

Jan "Starbug" Krissler, the Chaos Computer Club researcher who broke the fingerprint reader security on the new iPhone, has given a long interview to Zeit Online explaining his process and his thoughts on biometrics in general. The CCC's Alex Antener was good enough to translate the interview for us; I've included some of the most interesting bits after the jump.


Chaos Computer Club claims it can unlock iPhones with fake fingers/cloned fingerprints

The Chaos Computer Club's biometric hacking team has announced a successful attack on Apple's iPhone biometric fingerprint lock, using a variation on the traditional fingerprint-cloning technique. CCC's Starbug summarizes: "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

Why fingerprints make lousy authentication tokens

An "expert" quoted in the Independent predicts that thieves will amputate their victims' fingertips in order to bypass the biometric locks on the new iPhones. I'm not particularly worried about this vulnerability (if you're willing to cut off someone's fingertip to unlock his phone, you're probably also willing to torture him into giving up his PIN), though I remember reading stories of carjackers who amputated their victims' fingertips in order to make off with their biometrically protected cars.

More interesting is the prediction that phone thieves will lift their victims' fingerprints and use them to bypass the readers. As German Interior Minister Wolfgang Schäuble discovered, you leak your fingerprints all the time, and once your fingerprint has been compromised, you can't change it. (Schäuble was pushing for biometric identity cards; playful Chaos Computer Club hackers lifted his fingerprints off a water glass after a debate and published 10,000 copies of them on acetate as a magazine insert.)

This is the paradox of biometric authentication. The biometric characteristics of your retinas, fingerprints, hand geometry, gait, and DNA are actually pretty easy to come by without your knowledge or consent. Unless you never venture into public without a clean-room bunny suit, mirrorshades, and sharp gravel in your shoes, you're not going to be able to stop dedicated strangers from capturing these measurements. And as with Schäuble's fingerprints, you can't revoke your DNA and replace it with new DNA once a ripoff artist has used it to clean out your bank account or break into your workplace.

MD used "silicone fingers" to trick biometric time clock on colleagues' behalf

Brazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at a hospital near São Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." (BBC News)