Saturday, July 29, 2006
Lifting Fingerprints - Easy as Pie
"A caveat included in Microsoft's PC Authentication device, Fingerprint Reader, prompted Finnish security researcher Mikko Kiviharju to search for security flaws in the software, and thereby stumble onto the fact that hackers can steal users' fingerprints, as the images scanned are not encrypted. Microsoft sells the software as a means for users to avoid the rigmarole of typing usernames and passwords for access to various sites, with the warning that it should not be used to protect sensitive data.
The attacker can use a mix of both hardware and software called "sniffer" technologies to steal the fingerprints, which are of very good quality, says Kiviharju, who works with the Finnish Defense Forces. Though the hacker can access your system through a "replay attack", which entails the replay of your fingerprint scan to the computer, this type of attack is complex, as it requires the use of a second system to be physically connected to the one under attack.
The question raised in the security world is why Microsoft chose not to encrypt the scanned
I've been slamming fingerprints (biometrics) as security mechanisms already. A good security mechanism has to be modifiable if it comprimised.
