Hacking smart cards and biometric security systems

BROWSE BY TAG Identity Management and Access Control,   Enterprise Identity and Access Management,   User Authentication Services,   Biometric Technology,   Security Token and Smart Card Technology,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Biometric Technology Group to shed light on secure identity management threats Biometrics project studies ways to combat bank fraud Apple iPhone app could boost two-factor Vein-reader biometric authentication for health care, financials Exploring authentication methods: How to develop secure systems Biometric authentication know-how: Devices, systems and implementation Pre-boot biometric user authentication tools and strategies To what exactly would a request for biometric data from an insurance provider pertain? Keystroke recognition aids online authentication at credit union What are the possible benefits of microchip implants and RFID tags for employees? Biometric Technology Research Security Token and Smart Card Technology First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Embedded smart card chips are open to hack attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary biometric payment  (SearchSecurity.com) electro-optical fingerprint recognition  (SearchSecurity.com) false acceptance  (SearchSecurity.com) finger vein ID  (SearchSecurity.com) fingernail storage  (SearchSecurity.com) keystroke dynamics  (SearchSecurity.com) live capture  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) password hardening  (SearchSecurity.com) ridge  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Biometrics can be fooled just like any other access management system: by being spoofed. A fingerprint can be duplicated using gelatin molds and then pressed against the scanner of a fingerprint reader, granting entry to a malicious user. Voice recognition systems have been defeated with voice recordings and face recognition systems bypassed with photographs of the legitimate user.

A particularly nasty way of getting past a fingerprint scanner would be to chop off the finger of somebody whose fingerprint is registered with the system. Gruesome, yes, but it has happened. Less brutal, but equally effective, would be to force the legitimate user at gunpoint to put their finger on the reader and then just pass them when the door opens, or the system activates. Either way, like stealing a good key, the intruder is taking advantage of the legitimate user's "credential," in this case their fingerprint, to gain access.

These sound like far-fetched scenarios and may seem harder crimes to commit than the standard hacker trick of dropping a Trojan on the desktop and stealing a user ID and password, but they can and do happen.

The other way to fool biometrics is by replaying their digital data. All biometric data -- whether photos of faces from face recognition systems, fingerprints from scanners or voice recordings -- is converted, at some point, into a digital format that can be stored on a computer system, a database or a portable storage device. When the user needs to log in again by showing their face, rubbing their fingerprint or speaking into a microphone, this information is converted into a digital format that can be compared with their digitized biometric data already stored in the system.

These scenarios are definitely more far-fetched than the borrowed fingerprint, gelatin or otherwise, but are things to consider when deploying biometric systems. Just as the system itself needs safeguarding, the data stores or databases holding digitized biometric information also need protection from malicious intruders.

Other technologies used with biometrics, such as smart cards, have other vulnerabilities that need to be considered. Smart cards look like, and are the size of, a credit card, but, unlike credit cards, carry an embedded microchip holding any number of pieces of data: customer information, medical records or financial information, and even sums of money. The card is either swiped through a device that reads it or is inserted into a reader. The user may then be required to enter a PIN number to get access to the system. However, these tiny microchips can only receive so much protection in something as small as a credit card. They are also sensitive to light and can be easily scraped or damaged. Researchers have found ways to steal the data on the microchip by tampering with the cards using light from camera flashbulbs and signals from radio devices.

In short, despite the vulnerabilities, combining these systems -- biometrics and smart cards -- protects systems through a multi-layered approach.

More Information