May 18, 2007 at 5:51 pm
Dave, I appreciate your concern regarding a fingerprint template being hacked. Regarding recreating a model of my fingerprint, it is not really practical. It would be a time-consuming, difficult process. Not impossible, just not practical. In public-facing applications, what will the crook say – “excuse me while I slip on this fake finger to complete this transaction”? Once again I will refer to the biometric system that we work with, but a “Registration” template that would be stored in a database or Active Directory is different than a “Verification” template. So if someone broke into a database and stole my “Registration” template, it can’t be used as a basis for verification. And personally, I trust the safeguards in place with the systems we utilize that prevent “play-back” of a template that might be “sniffed” or picked up over a network (as I mentioned above). So for me the template isn’t much use to anyone. The template can’t be reverse engineered to create a graphical representation of your fingerprint. As you mentioned, I am more concerned with the goof balls that leave credit card numbers, SSN, etc. unencrypted in their database (and LAPTOPS of all things). Maybe a more practical misuse would be if someone replaced my fingerprint template with their own template. Now they have access to my account as if they were me. But that would take some serious database security issues or insider fraud to have that happen. Also keep in mind that if someone walks into your bank and impersonates you and the bank lets them have money out of your account, it is the bank’s liability, not yours. In the end you are not out any money – maybe inconvenienced, but the bank still has to correct their mistake.
As Ed (above) alluded to, if a company thinks that just by installing a biometric verification system they can close their eyes and say “we’re secure”, that is fool’s gold. You still have to be proactive in your security – check your logs, etc. In some of the applications we develop, provisions are in place to allow for fingerprint audits. Meaning someone can request an “audit” to verify that the fingerprint templates on file for you are really yours. Also, logs are kept regarding adding/updating and deleting fingerprint templates and even verification failures. The key is to review and question why a fingerprint template was replaced or deleted, etc. Why and for whom are we seeing a greater percentage of failed verifications?
As you can tell, I am convinced that biometrics is a viable and powerful solution regarding authentication and verification, but you have to be smart in its application and keep in perspective that no one solution is the perfect answer.
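The log review described in the post above, sketched as an added example (not part of either post and not code from the biometric system discussed). The log layout, event names, account and operator names, and thresholds are all assumptions, and the sample log is constructed.

```python
from collections import Counter

# Constructed sample log. The time|event|account|operator layout is an assumption.
SAMPLE_LOG = """\
2007-05-14T09:02|VERIFY_OK|alice|-
2007-05-14T09:05|VERIFY_OK|bob|-
2007-05-14T09:07|VERIFY_FAIL|carol|-
2007-05-14T09:08|VERIFY_OK|carol|-
2007-05-14T09:30|VERIFY_OK|alice|-
2007-05-15T10:11|VERIFY_FAIL|bob|-
2007-05-15T10:12|VERIFY_FAIL|bob|-
2007-05-15T10:13|VERIFY_FAIL|bob|-
2007-05-15T17:40|TEMPLATE_REPLACE|bob|op_jsmith
2007-05-15T17:52|VERIFY_OK|bob|-
2007-05-16T08:30|VERIFY_OK|alice|-
2007-05-16T08:31|TEMPLATE_ADD|dave|op_jsmith
2007-05-16T08:45|VERIFY_OK|dave|-
2007-05-16T09:10|VERIFY_OK|dave|-
2007-05-16T11:00|TEMPLATE_DELETE|carol|op_mlee
"""

def review(log_text, factor=1.5, min_attempts=3):
    """Return (template changes to justify, overall failure rate, outlier accounts)."""
    ok, fail, changes = Counter(), Counter(), []
    for line in filter(str.strip, log_text.splitlines()):
        when, event, account, operator = line.strip().split("|")
        if event == "VERIFY_OK":
            ok[account] += 1
        elif event == "VERIFY_FAIL":
            fail[account] += 1
        elif event in ("TEMPLATE_REPLACE", "TEMPLATE_DELETE"):
            # Record how many failures preceded the change: a replacement that
            # follows a run of failed verifications deserves a closer look.
            changes.append({"when": when, "event": event, "account": account,
                            "operator": operator, "prior_failures": fail[account]})
    attempts = ok + fail  # verification attempts per account
    total = sum(attempts.values())
    baseline = sum(fail.values()) / total if total else 0.0
    # Accounts failing noticeably more often than the population as a whole.
    outliers = {a: round(fail[a] / n, 2) for a, n in attempts.items()
                if n >= min_attempts and fail[a] / n > factor * baseline}
    return changes, baseline, outliers

if __name__ == "__main__":
    changes, baseline, outliers = review(SAMPLE_LOG)
    for c in changes:
        print("JUSTIFY:", c)
    print(f"overall failure rate {baseline:.0%}; outliers: {outliers}")
```

Each reported change still needs a human answer to who requested it and why; the script only narrows down which records to question first.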
May 18, 2007 at 7:22 pm
Roger,
Thanks for the input and I appreciate someone with some experience in this area giving feedback. I'm not really convinced, but you raise some great points.