Thursday, November 14, 2013

Biometrics: Reality Check

I saw this article on Biometrics today. The article starts with a fairly practical discussion regarding using biometrics (fingerprint scans, retina scans...) to identify people. It then moves into the (to me) uncomfortable territory of using biometrics to replace passwords. The idea is that you can scan your fingerprint, or retina or..., and that will be sufficient to identify you as you to your computer, your car, the store, ... No more passwords to remember. How wonderful would that be?

I cringed a bit at that. I cringed even more after reading one comment in particular. It started out as a sales pitch for the iPhone, talking about how great and secure the biometric features are in the new one. A few eye-rolls later and I get to this part...

"Hackers and thieves want you to think biometrics are not secure. Don't be fooled. Hackers love cracking passwords, and they do it all the time. But a password married to a biometric authentication makes it far more difficult for them, and they will do or say anything to try to keep people from adopting these new layers of security. Every PC and tablet should function in the same way to put an end to most remote hacking."

I'm thinking people are learning too much about security from the movies. You frequently see the "Hacker" pull out some little gizmo, or run some program that interfaces with the password challenge, and proceed in a matter of a few seconds to discover the password one character at a time.

It doesn't work like that.

In most modern systems, your password is stored as an encrypted entry in a password database, which is only readable by a very few system accounts (the super admin, the backup system, ...). When you enter your password, assuming the application developers are not idiots, the password is passed from your computer through a secure channel to the authentication system. It runs the encryption algorithm on the password and passes the result to the password query system, which compares it against the entry in the database. If they match, it returns a "yes" and you are granted access; if they don't match, it returns a "no" and you are not granted access.
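The flow described above, as an added example that is not code from the original post: the database never holds the password itself, only a per-user random salt and a one-way derived hash (what the post loosely calls "encrypted"), and a login attempt is verified by re-deriving the hash and comparing it. The PBKDF2 parameters, the account name and the password are constructed here for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the example; real systems tune this to their hardware.
ITERATIONS = 200_000
SALT_BYTES = 16

def make_record(password: str) -> dict:
    """Build the stored entry: random salt + derived hash. The plaintext is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iterations"])
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), record["hash"])

# Constructed sample "password database": one user, one record.
PASSWORD_DB = {"alice": make_record("correct horse battery staple")}

def authenticate(db: dict, username: str, attempt: str) -> bool:
    """The 'yes'/'no' answer the post describes: True only when the derived hash matches."""
    record = db.get(username)
    if record is None:
        # Do a dummy derivation so an unknown account takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    return verify(record, attempt)

if __name__ == "__main__":
    print("correct password:", authenticate(PASSWORD_DB, "alice", "correct horse battery staple"))
    print("wrong password:  ", authenticate(PASSWORD_DB, "alice", "password123"))
    print("unknown user:    ", authenticate(PASSWORD_DB, "nobody", "anything"))
```

Because the salt is random per record, two users with the same password get different stored hashes, so a stolen database does not reveal shared passwords at a glance, and the deliberately slow derivation is what makes offline guessing against a stolen copy expensive.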

To remotely guess your password, the "Hacker" has to try a password, then another, then another... until he manages to stumble on the right one. That could take hours, days, years (unless you use a really bad password). Most good systems now will detect bad password attempts and will alert when multiple bad attempts occur in a short time frame.
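The detection the paragraph above refers to, as an added example rather than anything from the original post: a per-account sliding window over authentication log lines that raises an alert when the number of failures within the window reaches a threshold. The log format, the threshold, the window length, the user names and the addresses are all constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): alice gets five failures in six seconds,
# bob gets three failures spread over forty minutes.
SAMPLE_LOG = """\
2013-11-14T09:00:01 auth FAIL user=alice src=203.0.113.5
2013-11-14T09:00:03 auth FAIL user=alice src=203.0.113.5
2013-11-14T09:00:04 auth FAIL user=alice src=203.0.113.5
2013-11-14T09:00:06 auth FAIL user=alice src=203.0.113.5
2013-11-14T09:00:07 auth FAIL user=alice src=203.0.113.5
2013-11-14T09:00:09 auth OK user=alice src=203.0.113.5
2013-11-14T09:05:00 auth FAIL user=bob src=198.51.100.7
2013-11-14T09:20:00 auth FAIL user=bob src=198.51.100.7
2013-11-14T09:40:00 auth FAIL user=bob src=198.51.100.7
"""

# Assumed policy for the example: five failures within sixty seconds triggers an alert.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

def parse_line(line: str):
    """Split one constructed log line into (timestamp, result, user, source address)."""
    ts, _, result, user_field, src_field = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user_field.split("=", 1)[1],
        src_field.split("=", 1)[1],
    )

def find_bursts(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    """Return one alert per burst of failures: (user, source, time of the triggering failure)."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result != "FAIL":
            continue  # successes do not count toward the burst
        q = recent[user]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, src, ts.isoformat()))
            q.clear()  # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for user, src, when in find_bursts(SAMPLE_LOG):
        print(f"ALERT {when}: {len(str(THRESHOLD))} failures for {user} from {src}")
```

The same logic is what account-lockout features implement on the server side. Note the caveat visible in the sample data: bob's three failures, spaced twenty minutes apart, never reach the threshold inside one window, so a detector tuned only for short bursts does not see slow, patient guessing, which is why such alerts are usually paired with longer-horizon counts or per-source-address views.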

To get around this, the "Hacker" could steal the password database, then he can run a program on his local computer to rapidly try guesses. If your password is shorter than twelve characters, or is a dictionary word, or two words put together, or one or two words with a number somewhere, and he has some reasonably powerful computing resources, he stands a fair chance of getting it within a week. If your password exceeds 12 characters and is reasonably random, it could take years. (As computers become more powerful, this time will grow shorter, and your password will have to be longer.) But, to steal the password database, he has to obtain admin access to the system. If he has full access to the system, does he even need to waste his time figuring out your password?

Most modern "Hackers" aren't interested in your password. That is just a means to an end. What they really want is your bank account, credit card information, something that allows them to obtain money. It is a business, and like any other business, the goal is profit. Spending weeks trying to guess your password so they can steal a hundred bucks is not efficient. Being smart businessmen, they prefer to work smarter, not harder.

So they employ social engineering. They get you to go to a web page that looks like your bank's web page, and enter your username and password. Or they get you to download and run a program that scours your hard drive for banking information, or that records your keyboard activity. It's less work.

So what is biometrics really going to do for this? Not very much in most cases. Most biometric systems can be gamed (collect a fingerprint and copy it onto latex, gelatin...). Biometrics fail in some circumstances (I remember a bank that put fingerprint readers into their ATMs in a coal mining town; the coal dust gummed them up, and the fingerprints of half the clientele were 'sanded' off by work and thus virtually unreadable).

Then there are the unanswered questions that really make me nervous.

Like, do I really want to risk having some nut cut off my hand or gouge out my eyeball, so he can get into my bank account? Many of the scanners actually have mechanisms to prevent this strategy from working, but will the stupid criminal know that?

Of greater concern, what happens if a "hacker" gets hold of the biometric database? If they get the password database, you can change your password (so long as you are notified), and that is the end of it. If they have your fingerprint, or your retina, how exactly are you going to change that?
