On Wed, Jan 23, 2002 at 11:34:13AM -0500, Phillip H. Zakas wrote:
> by biometric identification there are two approaches to pursue:
>
> 1. Replace the intended biometric data, stored in the authentication
> database, of a known person with your own biometric data so that when
<snip>
> 2. Sniff packets/signals over the wire during an authentication session
<snip>

There is a third: some poorly engineered biometric applications provide the necessary biometric data directly to the attacker: for example I have encountered a biometric screen saver product which works with a webcam. It only unlocks the screen when it recognises the correct person (and automatically locks the screen when the person leaves, a very nice feature). HOWEVER it displays a picture of the "owner" on the screen when in the locked state. Simply point the camera at the screen, wiggle a thin strip of paper in front of the eyes (it uses blinking as a liveness verification) and "open sesame".

Anyone thinking about implementing a biometric system should read Bruce Schneier's piece on the subject:

http://www.counterpane.com/crypto-gram-9808.html#biometrics

Sigh... If only technology worked in real life like it does in the movies.

-Ryan

--
Ryan T. McBride, CISSP - [EMAIL PROTECTED]
Countersiege Systems Corporation - http://www.countersiege.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
