>From: Tyler Durden <[EMAIL PROTECTED]>
>Sent: Oct 12, 2004 1:43 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: Cash, Credit -- or Prints?

...
>Very interesting question. I'd bet almost any amount of money that it's
>fairly trivial to simply alligator-clip-out the fingerprint's file from
>almost any of the cheaper devices. Hell, I'd bet that's true even of more
>expensive "secure" devices as well.

I don't think the readers store an image of the fingerprint, just some information to make it easy to verify a match. I don't think you could reconstruct a fingerprint from that information, though you could presumably reconstruct a fingerprint image that would fool the detector.

>From what I've seen, the whole field of biometrics needs a lot of work on
>characterizing the attacks and defenses against them, and coming up with reasonable
>ways to verify that a reader resists some attack. I think individual vendors often
>have some ideas about this (though I gather their defenses are often disabled to keep
>the false reject rate acceptably low), but there doesn't seem to be a clean process
>for determining how skilled an attacker needs to be to, say, scan my finger once, and
>produce either a fake finger or a machine for projecting a fake fingerprint into the
>reader. Anyone know whether some kind of standard for this exists?

>-TD

--John