• When will they ever learn...

    From Don Y@21:1/5 to All on Sun Nov 24 19:32:18 2024
    <https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data>

    "Dear Mr X.,
    Due to a recent cyber incident, here, the login credentials (authentication)
    on your account need to be updated. Could you please use a DIFFERENT finger, in the future? If you have already used all of them, may we suggest TOES?"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeff Layman@21:1/5 to Don Y on Mon Nov 25 08:05:57 2024
    On 25/11/2024 02:32, Don Y wrote:
    <https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data>

    "Dear Mr X.,
    Due to a recent cyber incident, here, the login credentials (authentication)
    on your account need to be updated. Could you please use a DIFFERENT finger, in the future? If you have already used all of them, may we suggest TOES?"

    That webpage article is more than 5 years old.

    Biometric security is still an issue. For example: <https://bluegoatcyber.com/blog/biometric-security-and-the-gummy-bear-attack/>

    --
    Jeff

  • From Don Y@21:1/5 to Jeff Layman on Mon Nov 25 01:22:47 2024
    On 11/25/2024 1:05 AM, Jeff Layman wrote:
    On 25/11/2024 02:32, Don Y wrote:
    <https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data>

    "Dear Mr X.,
         Due to a recent cyber incident, here, the login credentials
    (authentication)
    on your account need to be updated.  Could you please use a DIFFERENT finger,
    in the future?  If you have already used all of them, may we suggest TOES?"

    That webpage article is more than 5 years old.

    Yes. The fact that folks are still pursuing biometric authentication
    is the point.

    Biometric security is still an issue. For example: <https://bluegoatcyber.com/blog/biometric-security-and-the-gummy-bear-attack/>

    It's not the (spoofable) security that I was alluding to in my fictitious message, above.

    Rather, the fact that the user can't disavow a biometric sample.

    I can CHANGE a password. I can't change my fingerprints, retina scan,
    voice print, face, etc.

    So, once one of these is compromised, it is no longer usable.
    How many OTHER biometric signatures can you present? E.g., if
    "left thumbprint" is compromised (to access system X), then you move
    on to "right thumbprint" (for example).

    But, if right thumbprint has been compromised at some other system (Y),
    it, too, is suspect. So, you move on to left index finger...

    Eventually, you run out of signatures to use to uniquely identify yourself!

    Imagine the ultimate authenticator: your DNA. Once someone can compromise that, then what do you do -- become someone else? :>

    I.e., the folks in that database leak/theft have permanently lost the
    ability to use those biometric data as authenticators. Additionally,
    as they likely have identities tied to them (in the database), anyone
    who presents one of those authenticators knows WHO has access to the
    system in question.

    If my password is sdkfjwperu, then the fact that sdkfjwperu works as an authenticator on system X doesn't imply that *I* am a user of system X;
    only that <user_identifier> happens to be.

    Biometrics are a shortcut that is mostly downside with only short-term
    upside potential.

  • From Liz Tuddenham@21:1/5 to Don Y on Mon Nov 25 10:29:28 2024
    Don Y <blockedofcourse@foo.invalid> wrote:

    [...]
    How many OTHER biometric signatures can you present? E.g., if
    "left thumbprint" is compromised (to access system X), then you move
    on to "right thumbprint" (for example).

    I seem to remember another option which was popular among office staff
    when photocopiers were first introduced. It resulted in a number of
    broken glass injuries that were awkward to explain. :-)


    --
    ~ Liz Tuddenham ~
    (Remove the ".invalid"s and add ".co.uk" to reply)
    www.poppyrecords.co.uk

  • From Don Y@21:1/5 to Liz Tuddenham on Mon Nov 25 05:41:52 2024
    On 11/25/2024 3:29 AM, Liz Tuddenham wrote:
    Don Y <blockedofcourse@foo.invalid> wrote:

    [...]
    How many OTHER biometric signatures can you present? E.g., if
    "left thumbprint" is compromised (to access system X), then you move
    on to "right thumbprint" (for example).

    I seem to remember another option which was popular among office staff
    when photocopiers were first introduced. It resulted in a number of
    broken glass injuries that were awkward to explain. :-)

    Yeah, I think the "scanner" required for such is likely too large to
    be an effective sensor in any product (and, how "distinctive" is
    that feature, anyway??). Imagine it on your PHONE... or, as a door key!

    OTOH, we already see "fingerprint" scanning to be heading towards
    ubiquitous.

    Bank tellers use a palm scanner. (what happens when your SECOND palm
    is compromised??)

    Retinal scanners (grow a third eye??)

    At the very least, they need to start using MFA; it currently seems
    like the biometric is used to identify AND authenticate.

    [An organization I work with has a fingerprint-based time-clock...
    to prevent other employees from "punching in" for each other.
    Really? You've got ~30 employees; you can't NOTICE who was late to
    work (or absent) on a particular day???]

    So far (?), electronic signature tablets appear to just capture
    the signature (electronic ink). When will they start looking at
    motion dynamics?

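An added example, not from the thread, of the split the post above asks for: the biometric template only answers which enrolled user is claiming access, and a time-based one-time code (RFC 6238 TOTP over HMAC-SHA1) does the authenticating, so a template copied from a breach identifies the victim but does not open the door. The template bytes and enrolment table are constructed stand-ins; the TOTP secret is the RFC 6238 reference key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed enrolment table (stand-in for a real matcher): a hash of the
# biometric template selects WHO is claiming access; the per-user secret is
# the second factor.  The secret is the RFC 6238 reference key.
ENROLLED = {
    hashlib.sha256(b"palm-template-alice").digest(): ("alice", b"12345678901234567890"),
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for the given Unix time."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def identify(template: bytes) -> Optional[Tuple[str, bytes]]:
    """Step 1: the biometric only says which enrolled user looks like this."""
    return ENROLLED.get(hashlib.sha256(template).digest())


def authenticate(template: bytes, code: str, now: int) -> Optional[str]:
    """Step 2: a copied template is not enough; the claimant must also hold
    the current one-time code.  Returns the user name on success, else None."""
    hit = identify(template)
    if hit is None:
        return None
    user, secret = hit
    # Accept the adjacent 30 s steps to tolerate small clock skew.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(secret, now + drift), code):
            return user
    return None


if __name__ == "__main__":
    stolen = b"palm-template-alice"              # template copied in a breach
    print(identify(stolen))                      # names alice...
    print(authenticate(stolen, "000000", 59))    # ...but no code: None
    print(authenticate(stolen, totp(b"12345678901234567890", 59), 59))  # alice
```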
  • From Carlos E.R.@21:1/5 to Don Y on Mon Nov 25 14:06:46 2024
    On 2024-11-25 13:41, Don Y wrote:
    Bank tellers use a palm scanner.  (what happens when your SECOND palm
    is compromised??)

    What does "compromised" mean in this context?

    --
    Cheers, Carlos.

  • From Don Y@21:1/5 to Don Y on Mon Nov 25 06:48:16 2024
    On 11/25/2024 6:33 AM, Don Y wrote:
    On 11/25/2024 6:06 AM, Carlos E.R. wrote:
    On 2024-11-25 13:41, Don Y wrote:
    Bank tellers use a palm scanner.  (what happens when your SECOND palm
    is compromised??)

    What does "compromised" mean in this context?

    Someone is able to extract/copy the data that uniquely identifies YOUR
    palm so they can fabricate a passable emulation of it and masquerade
    as you (to whatever is authenticating "you").

    Remember, the first thing you need is the "secret" that is being used
    as an authenticator (e.g., the uniqueness of your palm). Once you
    have that, it is just a technical/logistical problem to figure out
    how to introduce that to the mechanism doing the authenticating.

    E.g., when I (tele)phone home, the phone number that I am calling
    from, my voice, plus my responses to any challenges (though not
    naively obvious as such: "What is today's password?") is how I prove
    to the house that I should be allowed access to certain abilities
    that *others* should not be granted access.

    [If you show up at the front door, then your face -- not a photo of
    an authorized guest's head -- has to also match voice and challenges.]

    Someone attempting to gain such access would have to spoof my
    CID, voice AND the knowledge encoded in those challenges (What
    did you eat for breakfast, TODAY? What movie did you watch last
    night? etc. Data that an observer would find difficult to
    deduce or anticipate from prior habits ("He ALWAYS has pancakes
    for breakfast" "His mother's maiden name is..." "The name of his
    first school is...")).

    E.g., when we set up 2FA at an institution (or a web site), we
    use silly answers to those stock questions as they are not
    easily guessable (or, researched, using on-line resources).

    Maiden name: 237 centauri
    First school: green eggs and ham
    Pet's name: (*&(*&

    After all, the authenticator is just looking for a string that you
    have previously supplied. It cares not if you are lying (unless
    you speak to, e.g., a credit agency where they want to verify
    data that they already have about you) so why confine your answers
    to a truth that an adversary might be able to guess/deduce?
    Answering truthfully is just a convenience for folks who
    don't want to remember those deceptions.

    If the token you use as an authenticator (password/phrase, fingerprint,
    voice print, etc.) is STATIC, then keeping control over it becomes
    paramount. How do you prevent someone from surreptitiously photographing
    your face? recording your voice (from which it is relatively easy to
    recreate arbitrary dialog, on demand)? "lifting" your fingerprints off
    of a surface you've been observed as having touched?

  • From Don Y@21:1/5 to Carlos E.R. on Mon Nov 25 06:33:16 2024
    On 11/25/2024 6:06 AM, Carlos E.R. wrote:
    On 2024-11-25 13:41, Don Y wrote:
    Bank tellers use a palm scanner.  (what happens when your SECOND palm
    is compromised??)

    What does "compromised" mean in this context?

    Someone is able to extract/copy the data that uniquely identifies YOUR
    palm so they can fabricate a passable emulation of it and masquerade
    as you (to whatever is authenticating "you").

    Machine only sees what it is shown. So, it doesn't know that THIS
    palm-print doesn't "match" THIS face, voice, body shape, etc. -- the
    sorts of things that SHOULD be consistent with each other.

    This is why it is usually more reliable to use "personal recognition"
    as an authentication mechanism vs. some other "token". Claiming that
    you are someone that you are not is usually readily detected by someone
    who knows YOU or the party you claim to be.

  • From Carlos E.R.@21:1/5 to Don Y on Tue Nov 26 13:57:51 2024
    On 2024-11-25 14:48, Don Y wrote:
    On 11/25/2024 6:33 AM, Don Y wrote:
    On 11/25/2024 6:06 AM, Carlos E.R. wrote:
    On 2024-11-25 13:41, Don Y wrote:
    Bank tellers use a palm scanner.  (what happens when your SECOND palm
    is compromised??)

    What does "compromised" mean in this context?

    Someone is able to extract/copy the data that uniquely identifies YOUR
    palm so they can fabricate a passable emulation of it and masquerade
    as you (to whatever is authenticating "you").

    Ok :-)
    --
    Cheers, Carlos.

  • From Martin Rid@21:1/5 to Don Y on Tue Nov 26 10:33:48 2024
    Don Y <blockedofcourse@foo.invalid> wrote in message:
    <https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data>
    "Dear Mr X., Due to a recent cyber incident, here, the login credentials (authentication) on your account need to be updated.
    Could you please use a DIFFERENT finger, in the future? If you have already used all of them, may we suggest TOES?"

    Sorry, you cannot use your last ten fingers.

    Sounds like a new authentication policy.

    Cheers
    --
    ----Android NewsGroup Reader---- https://piaohong.s3-us-west-2.amazonaws.com/usenet/index.html

  • From john larkin@21:1/5 to martin_riddle@verison.net on Tue Nov 26 10:53:04 2024
    On Tue, 26 Nov 2024 10:33:48 -0500 (EST), Martin Rid <martin_riddle@verison.net> wrote:

    Don Y <blockedofcourse@foo.invalid> wrote in message:
    <https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data>
    "Dear Mr X., Due to a recent cyber incident, here, the login credentials (authentication) on your account need to be updated.
    Could you please use a DIFFERENT finger, in the future? If you have already used all of them, may we suggest TOES?"

    Sorry, you cannot use your last ten fingers.

    Sounds like a new authentication policy.

    Cheers

    I only use two.

  • From Don Y@21:1/5 to Martin Rid on Tue Nov 26 13:39:18 2024
    On 11/26/2024 8:33 AM, Martin Rid wrote:
    Don Y <blockedofcourse@foo.invalid> wrote in message:
    <https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data>
    "Dear Mr X., Due to a recent cyber incident, here, the login credentials (authentication) on your account need to be updated.
    Could you please use a DIFFERENT finger, in the future? If you have already used all of them, may we suggest TOES?"

    Sorry, you cannot use your last ten fingers.

    That's the problem. There are infinitely many "passwords" and passphrases
    and physical tokens that one can apply as authenticators. If any ONE is
    compromised, you can freely adopt another, BETTER one. Once you run out
    of *supported* biometric features, you are no longer identifiable as YOU!
    (unless you can grow a NEW finger, etc.)

    Sounds like a new authentication policy.
