Re: [CBS MarketWatch] A nose by any other name

Date view Thread view Subject view Author view

From: Gordon Mohr (
Date: Mon Jun 26 2000 - 12:07:40 PDT

Brian Atkins writes:
> Mark Day wrote:
> > "Dear system user: we had a hacker break in over the weekend and compromise
> > everyone's logins. Accordingly, we have scheduled plastic surgery for
> > everyone."

> That doesn't make any sense. Your password was being used by a hacker
> from "outside" to get access to the "inside" (server). Once they were
> able to use it you had to change it. But that obviously can't happen
> with biometric- they can't "use your iris" in a non-James-Bond world.

But what if they manage to get *all* the same digital measurements
of your iris (hand/voice/etc) that the server has?

There are several ways this could occur:
  * A server which stores your scans gets compromised (and
    if, say, your place of work and your bank both use the
    same technology, a compromise of one could compromise
    the other)
  * Direct or covert measurement of you against your will
    (eavesdropping on your voice; paying off your
    optometrist or doctor to take measurements when you
    least suspect, etc.)
  * Man-in-the-middle observations of a suitable number
    of biometric logins

Then, even if an attacker can't make a real-world simulacrum
of you, they can probably manage a "replay" of sorts of your
data into the network, from the login endpoint. (The original
article mentioned pocket PCs, PDAs, and cell phones as
terminals -- how hard could it possibly be to feed those
fake sensor data?)

- Gordon

Date view Thread view Subject view Author view

This archive was generated by hypermail 2b29 : Mon Jun 26 2000 - 12:08:15 PDT