Old 10-03-2010, 06:48 PM   #79
EricDP
Quote:
Originally Posted by Steven Lyle Jordan
A proper biometric system...
Ah, yes, and there is the problem... assuming the system is proper. In most scenarios where people talk about biometrics, the 'authority' doesn't actually have control of the scanner.

I agree for things like an entrance to a secure facility, where the scanner is built into the wall with a security guard watching you scan your print/retina, etc., it's very difficult to trick. Modern scanners don't actually look at your fingerprints; they look at the blood vessels under the skin. They even know if the finger is dead, so you can't cut somebody's finger off and use it. Pretty close to impossible to defeat.

But people are talking about biometrics for consumers to use. They talk about scenarios like scanners built into laptops to be used to verify people for online transactions. How do you know it's actually the print reader sending you the data? Could it be software impersonating a print reader with a database of scans to send?

People are talking about biometrics at retail stores to verify credit cards. But today one of the most common card frauds is when the PIN pad is replaced with a fake. The same could happen with a retail reader.

Think of any scenario where the reader is not physically locked into place, monitored, and controlled by the authority, and you have a scenario where the reader might not actually be a biometric reader. It's a fake reader sending whatever data the fraudster has in a database.

And after the credit card company loses the millions of records it has on file (and this seems to happen all too regularly), then what? You can't just get a new card and put a new PIN on it. And what if you need to use your biometric for a company you don't fully trust? I use a different password in those cases, so I don't compromise my important ones.

Most people only have eight fingers and two thumbs for their lifetime. You run out pretty fast.
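The question raised in the post above (how a server can tell a real reader from software replaying stored scans) is illustrated by this added example, which is not part of the original post. It contrasts a server that accepts any matching template with one that requires a fresh, reader-keyed response. The per-reader secret `READER_KEY`, the HMAC scheme, the exact-match comparison standing in for real biometric matching, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: stand-in for an enrolled fingerprint template.
ENROLLED_TEMPLATE = b"constructed-template-bytes-for-alice"
# Hypothetical secret provisioned into a genuine reader by the authority.
READER_KEY = secrets.token_bytes(32)


def naive_verify(template: bytes) -> bool:
    """Trusts whatever bytes arrive; anyone holding a copied template passes."""
    return hmac.compare_digest(template, ENROLLED_TEMPLATE)


def reader_respond(key: bytes, nonce: bytes, template: bytes) -> bytes:
    """What a reader holding the key returns for a server challenge."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()


class ChallengeVerifier:
    """Requires proof that a known reader produced this scan for this request."""

    def __init__(self, reader_key: bytes):
        self._key = reader_key
        self._pending = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce+template unambiguous
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, template: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used challenge: treat as replay
        self._pending.discard(nonce)  # each challenge is single-use
        expected = reader_respond(self._key, nonce, template)
        return (hmac.compare_digest(tag, expected)
                and hmac.compare_digest(template, ENROLLED_TEMPLATE))
```

The keyed check holds only while the secret stays inside reader hardware that the authority trusts, which is the condition the post says consumer and retail deployments often fail to meet.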