We know that cybercriminals are attacking our networks and computers every day, but the next thing they come hunting for might be your eyes.
Some passwords for critical systems are gradually being replaced with biometric identifiers like fingerprints and iris scans, which supposedly offer a safer way to log in. Biometric information can't be stolen in a phishing attack, for instance, because the markers are unique (and physically attached) to each user. It's a foolproof system, right?
Ha.
It turns out that fingerprints and iris scans can be hacked just like a password, with a clever bit of reverse-engineering.
When biometric data is entered into a computer, the system doesn't store the actual fingerprint or iris scan. It records a digital template that serves as a trimmed-down representation of the biometric information. When a user goes to log in, his or her characteristics are matched against those templates, and the match is given a similarity score. If it's high enough, the user is let inside.
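The template-and-score flow described above, as an added example that is not from the original article or from any vendor's matcher. It assumes a simplified fingerprint template made of minutiae points (x, y, ridge angle); the sample data, tolerances and threshold are all constructed for illustration.

```python
import math

# Constructed sample data: each minutia is (x, y, ridge angle in degrees).
ENROLLED_TEMPLATE = [(10, 12, 30), (40, 35, 90), (22, 60, 145),
                     (55, 18, 200), (70, 70, 310)]
SAME_FINGER_PROBE = [(11, 13, 33), (41, 34, 88), (23, 61, 150),
                     (54, 19, 197), (90, 5, 45)]   # noisy re-scan, one spurious point
OTHER_FINGER_PROBE = [(5, 80, 10), (33, 33, 270), (60, 45, 120),
                      (75, 10, 60), (15, 40, 330)]

DIST_TOL = 4.0    # assumed position tolerance, in pixels
ANGLE_TOL = 15.0  # assumed ridge-angle tolerance, in degrees
THRESHOLD = 0.6   # assumed minimum similarity score to accept a login


def angle_diff(a, b):
    """Smallest difference between two angles, handling wrap-around at 360."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def similarity(template, probe):
    """Fraction of minutiae that pair up within tolerance (0.0 to 1.0)."""
    unused = list(template)  # each stored minutia may be paired only once
    matched = 0
    for px, py, pa in probe:
        for m in unused:
            close = math.hypot(px - m[0], py - m[1]) <= DIST_TOL
            if close and angle_diff(pa, m[2]) <= ANGLE_TOL:
                unused.remove(m)
                matched += 1
                break
    return matched / max(len(template), len(probe))


def authenticate(template, probe, threshold=THRESHOLD):
    """Return (accepted, score); the match is never exact, only 'close enough'."""
    score = similarity(template, probe)
    return score >= threshold, score


if __name__ == "__main__":
    print(authenticate(ENROLLED_TEMPLATE, SAME_FINGER_PROBE))
    print(authenticate(ENROLLED_TEMPLATE, OTHER_FINGER_PROBE))
```

Even this trimmed-down template keeps the coordinates of the distinguishing features, so a stored template is sensitive data and should be protected at rest like any other credential.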
Last year, researchers at the University of Bologna in Italy were able to reconstruct a fingerprint from the digital template stored in a computer. They were so successful that they were able to build gummy finger versions of the prints that could be pressed up against a reader and used to fool the computer into letting them into someone else's account.
Iris scans shouldn't be susceptible to reverse-engineering, because the human iris is far more complex than a fingerprint and produces extremely few false positives in a scan. It's possible that your fingerprint comes close enough to matching mine, but the chances that your iris could be confused for someone else's are incredibly slim.