This scenario is only if a proprietary database is used to store the fingerprint templates AND you know the algorithm used for generation and/or matching. Vendors are very wary about giving away the "secret sauce". You might as well ask for the Coca Cola formula. If your Fingerprint template data is stored in your credential database (Such as AD, NT4 SAM, eDir, etc), things are a bit different. And if you've busted the OS's security, all bets are off anyway.
> -----Original Message----- > From: Keith T. Morgan [mailto:[EMAIL PROTECTED]] > Sent: Friday, March 29, 2002 11:51 AM > To: [EMAIL PROTECTED]; Daniel Ferguson; > [EMAIL PROTECTED] > Subject: RE: Physical Access Control > > > Some firms we've been working with for biometrics (Facial > Recognition) have taken into account protection of the back-end > systems that house the information (ie: fingerprint points, > facial images etc..). And yes, you are correct. If they're > using biometrics, the first target might be the database storing > the biometric information. Break that, and suddenly you're the > CEO. This points back to DoD's concept of "defense in depth." > Layers upon layers. :) > > > > -----Original Message----- > > From: Kevin Brown [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, March 28, 2002 10:18 PM > > To: Daniel Ferguson; [EMAIL PROTECTED] > > Subject: RE: Physical Access Control > > > > > > No offense, but I think you've been watching too many spy movies. ;-) > > Realizing the millions invested in biometrics, someone has already > > considered this. Better biometric systems actually take into > > consideration > > things such as pulse, blood pressure, or body temperature. > > > > The bigger concern with biometrics is not the capturing of > > the biological > > data, but rather with how that information is stored on the > > computer. See, > > even though a fingerprint is very unique, the uniqueness of > > the fingerprint > > is not necessarily captured by the computer. If the > > biometric software only > > stores a dozen key points of reference, than cracking that > > becomes trivial. > > > > Also, if the database that the "digital fingerprint" is > > stored in is not > > well secured, it may be easy to capture and replicate that > > information. > > > > Of course, this is all hypothetical. I don't know of anyone actually > > exploiting these types of vulnerabilities. > > > > Think of it this way. If you don't mind a little cliché, a > > chain is only as > > strong as its weakest link. Your fingerprint is the > > strongest link in the > > biometric chain, so attack a different link. > > > > I'd be curious to hear from any folks on this list who work > > with biometrics > > to explain in better detail how these issues are addressed. These are > > concerns that were brought up to me at one time by another security > > professional. I'd be curious to hear someone help sort fact > > from fiction. > > > > Brownfox > > > > > > -----Original Message----- > > From: Daniel Ferguson [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, March 28, 2002 2:32 PM > > To: [EMAIL PROTECTED] > > Subject: RE: Physical Access Control > > > > > > fingerprint access control, i cant help you much on where to find the > > products im afraid.... but i have to say the idea of > > fingerprint control > > frightens me. If people break into your building and demand > > entry to a room, > > instead of the employee handing over for instance... a swipe card, the > > attackers simply have to chop off the finger. I know what id > > rather hand > > over... :) > > > >
