Cash, Credit -- or Prints?
John Kelsey
kelsey.j at ix.netcom.com
Tue Oct 12 13:10:10 PDT 2004
>From: Tyler Durden <camera_lumina at hotmail.com>
>Sent: Oct 12, 2004 1:43 PM
>To: franks at mcs.anl.gov
>Cc: cypherpunks at al-qaeda.net
>Subject: Re: Cash, Credit -- or Prints?
...
>Very interesting question. I'd bet almost any amount of money that it's
>fairly trivial to simply alligator-clip-out the fingerprint's file from
>almost any of the cheaper devices. Hell, I'd bet that's true even of more
>expensive "secure" devices as well.
I don't think the readers store an image of the fingerprint, just some information to make it easy to verify a match. I don't think you could reconstruct a fingerprint from that information, though you could presumably reconstruct a fingerprint image that would fool the detector.
>From what I've seen, the whole field of biometrics needs a lot of work on characterizing the attacks and defenses against them, and coming up with reasonable ways to verify that a reader resists some attack. I think individual vendors often have some ideas about this (though I gather their defenses are often disabled to keep the false reject rate acceptably low), but there doesn't seem to be a clean process for determining how skilled an attacker needs to be to, say, scan my finger once, and produce either a fake finger or a machine for projecting a fake fingerprint into the reader. Anyone know whether some kind of standard for this exists?
>-TD
--John
More information about the cypherpunks-legacy
mailing list