On Thu, 14 Apr 2005, Mark Boltz wrote:

> Even the fingerprint readers that check pulse and temp can be foiled by
> the gummi bear attack. Or other variations on silicon tips. Only
> biometric fingerprint readers that can also check oxygenation, a la the
> sensor that hospitals use on patient fingertips, would be less prone to
> this approach.

That just begs for a new attack- it doesn't get around the base problem...

> Though arguably if you have biometrics, you can at least outrun the other
> guy, if not the bear himself.

No, that's not the point- biometrics are about protecting access to some
other mechanism, not about protecting access to the (now biometric)
authenticator. So, in this case, no biometrics mean you're winning the
race in protecting the authenticator from malice. You're less likely to
lose a finger in a car jacking if you *don't* have a biometric
authenticator in your vehicle.

The whole point (and why I think it's important to continue this thread a
bit past its due date) is that in the case of biometric authentication,
the authenticator is *probably* more important to the user than the thing
being protected- especially when the attack is a denial-of-service attack
(be it as a precursor to a new attack, or malice because the attacker
decides that if it won't work for them, it won't work for you either).

Succinctly, attackers of authenticated systems tend to try to gain the
authenticator (password, token, finger, eyeball...) or its substitute.
The *problem* with systems that don't allow random attacks (passwords) or
substitutes (poor hashing schemes) is that the logical attack is on the
legitimate authenticator or the point of authentication. In this case, it
may be cheaper/faster/better for the attacker to try to gain the
authenticator without all the extra baggage it comes attached to.

In this case, the thieves probably thought they could reprogram the car
once they got it somewhere that they had time to do so. Getting a finger
was quicker/easier than keeping the victim (note that the story doesn't
mention if the severed finger was *successfully* used to authenticate to
the car- and note that that's probably much more important to the
insurance company than to the nine-fingered victim.)

Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list