15

I recently visited Epcot Center and was surprised that they asked to scan one of my fingerprints before I entered the park, even though I already had my ticket in hand. I don't believe they require a specific finger. This seems to be a two-factor authentication method called Ticket Tag, which sounds very similar to what the TSA says about your body scans: "We don't store the scan, but you can use a 'less convenient' method if you want (most of the time)."

Am I right to worry? What are the most likely, and the worst-case, risks here?

Pedro
  • 1
    Related thread in regards to the "worst case" scenario: [What are the implications of 5 million peoples fingerprints being stolen from the US Government?](https://security.stackexchange.com/q/100976/32746) – WhiteWinterWolf Jul 02 '16 at 10:33
  • 4
    Just give them a fingerprint you do not use to access your phone... Maybe the middle one? – Stone True Jul 02 '16 at 13:11
  • 2
    I wouldn't worry about it. If someone is targeting you there are far easier methods to get your fingerprints (which you leave on everything you touch) than compromising the theme park's database. – André Borie Jul 02 '16 at 13:42
  • 1
    @StoneTrue +1 Giving them the middle finger is the best thing one can do. Just make sure that you don't leave a fingerprint. ;) – Noir Jul 02 '16 at 15:28
  • I think you can elect to not use Ticket Tag, by simply refusing to show finger and ID. Ticket Tag / ID card is to facilitate re-entry, so you can pass out and still be able to pass in with the same ticket during the validity period and they want to know the ticket is not shared. You can politely ask them if you are required to provide finger if you want to just enter once and no re-entry. Of course, this is not available for multi-day tickets as the amusement park has opening and close times. – sebastian nielsen Jul 03 '16 at 11:55

4 Answers

4

I'm afraid I do not have a good answer, but I do have some thoughts to consider that might help others to find a good answer.

You leave your fingerprint behind everywhere already. However if someone wants to get your fingerprint, they currently have to spend the time and energy to get physically close to you and find a spot where they can lift a good fingerprint off of something. This means it's more expensive to do it for a random person, and it means it cannot really be done on a massive scale.

Phones and other devices these days also have the helpful feature of reading your fingerprint. This increases the odds that someone can get access to a database of them somewhere, and decreases the relative risk of leaving a fingerprint at the theme park.

We seem to be moving towards a society where it's normal to use your fingerprint as identifier. "It's a username and not a password," people say, and in some way they are right. However it's slightly more than a username since it's not trivial (doable without any tools) to lift and reuse a fingerprint, like a username would be. This is why it's so popular as a fairly trusted identification method, like on your phone and as second factor of authentication.

This trend also means that, as fingerprint storage gets more common, they can be trusted less and less. The public perception should trend towards "everyone has a copy of my fingerprint already, who says it's still safe to use as authentication method?" This causes the fact that anyone has a copy to be less of an issue, since it will not be solely relied on.

Some existing answers mention that the fingerprint is probably stored as a code, not as a very accurate picture or representation of your fingerprint, and that different devices would encode it in different ways ("abc" vs. "123"). I think this is partially true: a derived code is usually used in authentication, making it more difficult to recover the original fingerprint. However I would expect it to be a deterministic and at least partially reversible process, where if you know the kind of fingerprint reader, you can reverse the derived code back into something resembling the fingerprint. Further, I'd expect the fingerprint reader industry to converge on the most effective way to read and encode one's fingerprint, removing the need to reverse engineer every fingerprint reader's method individually.


Summarizing:

  1. A database, like a theme park would have, is valuable if you mean to hack an individual at a lower cost and/or if you mean to do so at a greater scale.

  2. Your fingerprint is digitally read in more and more places. As these systems and databases become more frequent, they should become less trusted.

  3. Even though they probably don't store your original fingerprint (easily duplicated), the encoded version can probably be reverse engineered back into something resembling the original. Once done, this can be used for every fingerprint made with that device, or at the very least for everyone ever in the theme park.

Luc
3

Well, if you may believe what their policy says, you shouldn't be that worried. In fact, even if they stored your fingerprints and their database were leaked, that doesn't mean that everyone can copy your fingerprint in the wild.

Because a biometric device scans a part of your body (e.g. finger) but the software used in that device must convert that image to a kind of string, or at least something interpretable for software. Maybe, device A stores your fingerprint as "abc", and device B as "123".

Yet, that doesn't mean it couldn't be a risk. Fingerprints are still used to identify YOU uniquely and in the future it's only going to be used more. When you travel through airports you give your fingerprint, when you unlock your phone,...

Also, they say that they don't store the actual fingerprint-image. So probably they make-up that string once the first time you enter the theme-park; and when you enter it again the device will again make the same string from the image, and check if it's already in the database. If it is, they have your unique theme-park-ID. Like the process done with hashed-passwords.

Worst case scenario would be that they store your fingerprint and secretly also make a picture of your face with a hidden camera, and they send it to the NSA so Big Brother already knows a bit more about you. But they probably already have the information that the theme park could offer about you, and more. So don't bother too much about that theme park. :)

What they could do, is with your fingerprint register e.g. how much you visit the park or something related, and use that as marketing-strategy somehow.

And if someone really wants to have your fingerprint, they'd just follow you until you throw your StarBucks cup away, or touch a doorknob; to get your fingerprint from there.

O'Niel
  • "And if someone really wants to have your fingerprint, they'd just follow you until you throw your StarBucks cup away, or touch a doorknob; to get your fingerprint from there."... I think you are talking about targeted attacks, otherwise this would be extremely impractical on a large scale. – A. Darwin Jul 02 '16 at 12:06
  • @A.Darwin Yes, I'm talking about targeted attacks. – O'Niel Jul 02 '16 at 12:15
  • 2
    -1. Your answer does not address any realistic concerns and sounds like you're secretly laughing at these paranoid weirdos. Sure, the theme park certainly doesn't conspire with the NSA and send pictures of everyone together with fingerprints to big brother. And sure, if someone really wants *my* specific fingerprint, they'd wipe a doorknob somewhere. But similarly, if someone really wanted to spy on me they'd ask people I interact with about me and my life, and they wouldn't need Facebook -- however Facebook makes it a whole lot easier to do this on a massive scale. – Luc Jul 03 '16 at 10:13
  • @Luc Who says they ain't 'conspiring' with the NSA? Why'd the NSA even bother to 'conspire'? Do you think they can't just get a quick warrant for a theme-park? This is a realistic concern, the NSA/GCHQ/FE are doing bulk-surveillance under the motto: "Collect-it-all", if you don't see that every information you give out is a wanted thing for the NSA. You should inform yourself about surveillance nowadays. – O'Niel Jul 03 '16 at 12:10
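
An added illustration, not part of any answer or comment on this page, of the "same string, like hashed passwords" idea discussed in this answer: two readings of one finger are never bit-identical, so a cryptographic hash of a reading cannot be compared, and a plain matcher instead keeps a template and accepts readings within a distance threshold. The bit-vector encoding, noise rate and threshold are constructed assumptions and do not describe Ticket Tag's actual scheme.

```python
import hashlib
import random

TEMPLATE_BITS = 256      # constructed template size (assumption)
MATCH_THRESHOLD = 0.15   # constructed: max fraction of differing bits to accept

def enroll(rng):
    """Stand-in for a sensor's feature extraction: a random bit template."""
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]

def rescan(template, rng, noise=0.05):
    """A later reading of the same finger: each bit flips with probability `noise`."""
    return [b ^ (rng.random() < noise) for b in template]

def sha256_of(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def hamming_fraction(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)

def hash_match(stored_digest, reading):
    # Password-style check: only an exact, bit-identical reading matches.
    return stored_digest == sha256_of(reading)

def template_match(stored_template, reading):
    # Biometric-style check: close enough counts as the same finger.
    # This needs the stored template in comparable form, so a database of
    # such templates exposes more than a database of password hashes does.
    return hamming_fraction(stored_template, reading) <= MATCH_THRESHOLD

def demo(seed=2016):
    rng = random.Random(seed)
    visitor = enroll(rng)               # first entry to the park
    visitor_again = rescan(visitor, rng)  # re-entry, slightly different reading
    other = enroll(rng)                 # a different person's finger
    return {
        "hash_same_finger": hash_match(sha256_of(visitor), visitor_again),
        "template_same_finger": template_match(visitor, visitor_again),
        "template_other_finger": template_match(visitor, other),
        "distance_same": hamming_fraction(visitor, visitor_again),
        "distance_other": hamming_fraction(visitor, other),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
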
0

Well, if you use your fingerprint alone to unlock some highly secure device, this example should seriously worry you. It is harmless only if:

  • they do not voluntarily store a full image of client fingerprints
  • they have not been targeted by an attacker that steals them
  • what they store cannot be used to build an image back

But you should also know that each time you drink a beer in a pub without wearing gloves, you are leaving a copy of your fingerprints on the glass. Ok, it is hard to use, but not much harder than stealing fingerprints from governmental databases.

IMHO, that means that you should never rely on a fingerprint alone to unlock a highly secure system. The fingerprint securely identifies a single human being, no problem here. But it is hard to revoke your own fingerprint if it is compromised, and it should already be known to your government (maybe you can trust it) and many of its agents (are they all trustworthy?) that for their normal work can access those databases.

Biometrics can be a way to actively secure multi way identification: something you know (a password) and something you are (fingerprint). It is fully secured when combined with something that can control that you are actually giving a fingerprint (a security officer for example). But relying on it to unlock an electronic device is very convenient, but not that secure.

Serge Ballesta
-1

I cannot believe so many people tell you "no worries mate, there are other ways for someone to target you"

The problem here is UNTARGETED ATTACKS. Someone getting your fingerprint digital hash and using it BECAUSE IT WAS IN A LEAKED DATABASE NOT BECAUSE THEY TARGETED YOU. I am sure what the theme park is doing is illegal in my country. I am not sure where you live though. It is definitively immoral and useless.

schroeder
yoyo_fun
  • What country are you from? – Pedro Jul 03 '16 at 00:22
  • Romania. You ?? – yoyo_fun Jul 03 '16 at 00:24
  • I have the impression that the theme park considers that the fingerprint is a relatively public information, like an IP address would be for instance, allowing to identify an individual, and is not a secret information (you already leave multiple fingerprints on nearly anything you touch). Following this logic, the issue would rather be on "security" systems which consider the fingerprint as a reliable secret for authentication purposes, which proved many times to be flawed despite all technical improvements. – WhiteWinterWolf Jul 03 '16 at 09:28
  • Maybe you should also read my reply, about why even your fingerprints leaked out of a database ain't that catastrophic, not more catastrophic than a password hashes leaked. 1) It's hashed, that's secured; remember? 2) 'Bruteforcing' that hash would be extremely difficult, because you don't know how the finger-print image is interpreted by the biometric device. - Which point of the image, which nerves do they look at,... - – O'Niel Jul 03 '16 at 11:37
  • @O'Niel how do you know they do not also store the actual fingerprint 'just in case someone offers good money for a fingerprint database'. You do not know that. And password hashes have been leaked from HUGE companies and passwords were reconstructed from hashes. Do you believe a theme park will invest in such good security? Even if they would it is possible to reconstruct fingerprints with newer algorithms in a few years. I think everything is wrong with giving your fingerprint anywhere. – yoyo_fun Jul 03 '16 at 12:40
  • It's a theme-park, not a mafia. In their policy they say they don't store fingerprints; so they won't be storing it themselves in case a kind of criminal organisation offers them money. Maybe the NSA or whoever stores it, but themselves not. And yeah, passwords have been recovered from hashes, that's my whole point. Recovering passwords is a lot easier than recovering fingerprints, so a password-database breach is worse than a fingerprint-database breach. And you give your fingerprint away all the time. – O'Niel Jul 03 '16 at 12:46
  • The fact that they say in their policy means absolutely nothing. Some employee may store it in his external HDD. The fact that NSA may store it is not relieving. Passwords are easier to recover now but in 5 years it would probably be no difference in recovering a password and a fingerprint. – yoyo_fun Jul 03 '16 at 12:52
  • You fail to talk about the risks of the 'fingerprint hash' being 'leaked'. What's the risk? – schroeder Jul 03 '16 at 17:49
  • I talked a lot about the risk of fingerprint hash being leaked. I said that in the future the reconstruction of the fingerprint will be possible. – yoyo_fun Jul 03 '16 at 18:42
  • You cannot change your fingerprint as you can change your passwords and this is a big problem. – yoyo_fun Jul 03 '16 at 18:43