5

Lately, biometrics are being used for identity verification everywhere: e-visas, passports and even bank transactions (the UIDAI Aadhaar system in India is now being used for identity verification, micro-payments, etc.). I still can't understand how it can ever be secure. Here are some ways one could potentially hack the system:

  1. A hacked 'biometric scanning' device can be used by, say, a merchant who accepts micro-payments. Usually, the scanner itself encrypts the fingerprint data, but the hacked one need not. So, since the merchant has his biometric data, he can authorise the payments as many times as he wants without the user's consent.

  2. The usual argument of how the biometric data is immutable unlike resetting text passwords.

  3. Actually, there is no need for a hacked scanner. One could obtain biometric data through fingerprints left literally everywhere a person is. Then fake passports can be forged by creating a smart chip with that data. I'm not sure how smartchips encrypt data. Is a common encryption technique used with different keys for each chip used? So the server stores the public key of this key and checks against it? I've also read that smartchips perform some kind of computing? What is being computed?

How are the authentication systems secured from such attacks?

Zend Mastiff
  • You've actually asked a number of questions not related to fingerprints, but about the systems around them. So, the questions about merchant terminals are unrelated to smart chips. That makes this question difficult to answer. Can you remove the smart chip portion of the question and clarify how #2 is an attack? – schroeder Dec 31 '16 at 08:59
  • I don't put much trust in fingerprint scanners. They are convenient to use, and surely better than inputting your code or pattern on your phone in a public place where others may be watching you. But once someone gets access to how your actual thumb looks, they don't need anything fancy; they just need to create a reasonable replica that can fool a scanner and they are in. And you can't just change your fingerprints after they are revealed, unlike a security token. So I would say use it, but don't expect good security in the long run. Just use it for gaining access to data that has a low expiration date. – Marek Andreansky Dec 31 '16 at 12:06
  • Fingerprints are not secure and have already been faked very easily. Fingerprints are the "easy" authentication method. You can lock your siblings out of your phone, but you cannot protect any sort of currency (or anything else valuable) with this. – BlueWizard Dec 31 '16 at 17:01

1 Answer

2

Biometric is not very secure for authentication, but it can be secure enough for identity verification for many applications when there is a trusted witness when the biometric is taken. Biometric is also useful to detect duplicates. For biometric payment, the trusted witness is essentially the merchant. For identity verification, the trusted witness is usually a government employee. Note that for identity verification, the main problem is detecting duplicates, and recording biometrics effectively prevents the same person being issued multiple identity cards.

Using fingerprint for payment is a calculated business risk vs convenience trade-off. I don't know about the details of the fingerprint banking you're referring to, but I'd guess that merchants that accept biometric authentication bear the responsibility of ensuring that their customers don't do weird things (like using false fingers) on the payment machine. If the customer or bank claims that a transaction is unauthorized, the merchant would be considered responsible for an unauthorized transaction that is issued using their machine and/or merchant account. Many legitimate merchants consider the risk of abusive reversal to be fairly low when considering the transaction limit and the additional business they receive due to offering the option. Merchants that facilitate fraud, either intentionally or by negligence, will have to refund any payment, will be investigated by the bank's fraud team if it detects an abnormal pattern of reversals, and may become blacklisted.

Risk and security wise, this is not very different from a hand-drawn signature, where the merchant is supposed to compare the signature visually with the signature on the back of the card. A fraudulent merchant can use a modified machine to record the card number and signature during a transaction.

Smartchips used in bank cards and identity cards are essentially very small, low-power computers with a secure computation area and a storage area that cannot be read out of the card without destroying the chip. The secure storage contains a private key, and a card program running in the chip uses public key cryptography to generate a cryptographic signature of the transactions. The cryptographic signature is a very large number regarding the data that cannot be calculated without the knowledge of the private key and would become invalid if any part of the data is changed. In a chip-only transaction (e.g. PayWave, PayPass), the card signs low value transactions without the user needing to authenticate with the card; in a chip-and-pin transaction, the user must input a PIN matching the PIN stored in the card before the card signs the transaction.

Because of the much improved security due to the use of cryptographic signatures, transactions involving a cryptographic chip usually don't put the liability of unauthorized transactions on the merchant. Instead, it becomes the issuer's and customer's responsibility to keep their card safe.

Chip-and-fingerprint can be implemented as a more convenient alternative to chip-and-pin, while being much more secure than chip-less swipe-and-drawn-signature transaction.

In conclusion, yes, fingerprint is not very secure. But when a more secure alternative like chip-and-pin is considered too inconvenient by the target market, which readily switches to cash, it is still a security improvement compared to staying with swipe-and-drawn-signature. Note that banks and merchants don't care about the security of your card if they can offset having to take the burden of the fraud liability with increased transaction volume and faster payment processing.

Lie Ryan
  • Thank you, perfect answer! I would like to add that while I agree swipe-only cards are less secure, they can be disabled or replaced if stolen. But biometrics are permanent. The only course of action would be to disable myself from that payments system (that fraudulent merchant can be banned, of course). Since the payments system is primarily intended for micro-transactions, the trade-off is maybe acceptable. But I personally believe biometrics shouldn't be handled by untrusted third parties. – Zend Mastiff Jan 02 '17 at 18:14
  • @ZendMastiff: Note that for the purpose of identity verification and detecting duplicate records, the security of the system doesn't actually derive from the secrecy of your fingerprint, but rather from the fact that a trusted party (e.g. merchant, government employee) had observed that you produced your fingerprint on the machine. Under that scenario, practically it isn't really the biggest of an issue if your fingerprint is actually non replaceable and non secret. – Lie Ryan Jan 16 '18 at 11:33
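
The chip behaviour described in the answer above (a private key that stays inside the card, chip-only versus chip-and-PIN signing, and a signature that stops verifying once the data changes), as an added Go example that is not part of the original thread. The use of Ed25519, the `tapLimitCents` value, the PIN and the transaction encoding are assumptions chosen for illustration, not what any particular card scheme uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"errors"
	"fmt"
)

const tapLimitCents = 5000 // assumed ceiling for chip-only (no PIN) payments
// encode is the constructed byte layout of a transaction that gets signed.
func encode(merchant string, cents int64) []byte { return []byte(fmt.Sprintf("%s|%d", merchant, cents)) }

// Card models the chip: priv and pin have no accessor, only Sign uses them.
type Card struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewCard personalises a card and returns the public key the issuer keeps.
func NewCard(pin string) (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Card{priv, pin}, pub
}

// Sign signs a transaction; an empty pin means chip-only, refused above the limit.
func (c *Card) Sign(merchant string, cents int64, pin string) ([]byte, error) {
	if pin == "" && cents > tapLimitCents {
		return nil, errors.New("PIN required above chip-only limit")
	}
	if pin != "" && subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(c.priv, encode(merchant, cents)), nil
}

// IssuerVerify checks sig against the transaction as the merchant submitted it.
func IssuerVerify(pub ed25519.PublicKey, merchant string, cents int64, sig []byte) bool {
	return ed25519.Verify(pub, encode(merchant, cents), sig)
}

func main() {
	card, pub := NewCard("4921") // constructed PIN
	sig, _ := card.Sign("cafe-17", 1200, "")
	fmt.Println("as signed:", IssuerVerify(pub, "cafe-17", 1200, sig))
	fmt.Println("altered:  ", IssuerVerify(pub, "cafe-17", 120000, sig))
}
```

The terminal only ever sees the signature and the public data, so a modified terminal can record them but cannot produce a valid signature for a different amount.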