Two weeks ago, I wrote about the need for a security redesign that doesn’t sacrifice usability for security, otherwise users will continue to find shortcuts around the security protocols that allow quick and easy access to their systems. Unfortunately, these workarounds make the system less secure and more prone to exploitations from malicious attackers. These attacks can be as simple as brute-forcing a weak password or infiltrating a system that hasn’t updated with the latest security patches; very easy things for computer users to overlook or not be bothered by during the set-up or maintenance of their system.
So what is the solution? One of my friends raised biometric security systems with me the other day. I was pretty ecstatic, because I wrote my Masters dissertation on biometric security scanners, specifically fingerprint scanners, and the ease to which they can be spoofed. (Before you all rush to the comments, I am aware of how rockstar the conversations I have with my friends are, no need to let me know on that point).
The answer, I found, was that biometric security scanners can be spoofed very easily indeed. If you have a compliant authorised user providing you with their fingerprint of their own accord, you can create a high-quality synthetic fingerprint in an hour from nothing more than plaster cast and silicone gel. A quick trip to an art shop or a hardware supplier, and security systems become very vulnerable to attack. When authorised users refuse to provide you with their fingerprint, it is slightly more challenging to produce a fingerprint that will fool a biometric scanner; but not by much. In this scenario, an object the authorised user has touched is dusted for fingerprints, photographed and printed onto plastic. Products that can be easily found in hardware stores and art shops can then be used to create the synthetic prints using the same methodology as for compliant users.
So if switching to biometric security systems would stop remote-access cyber attacks from occurring, why are we still using alpha-numeric passwords that follow predictable patterns? The first reason is that it probably won’t stop malware and malicious computer exploitation. The second is that users will soon tire of the novelty of the new security protocols and find ways to circumvent it.
Lets deal with the second problem first. The way that the biometric scanners work is by taking a number of images of your fingerprint and merging them together to form an eigen-finger. This finger has certain reference points which all log-in attempts are compared against. If enough reference points match up, access it granted. However, if not enough reference points match, access will be denied. This means that legitimate users can become locked out of their accounts simply because they are not presenting their finger at the necessary angle, or because there is a smudge on the scanner reader. Imagine how frustrating that would become for an individual who needs to access their email account, submit a coursework for their class or gain access to the company database. Now imagine if you were to cut your finger while chopping onions or sorting through papers – your finger is now no longer identical to the data held on the system and you will be presenting an altered image to the fingerprint scanner. This image is unlikely to match up to the reference points and, so, access to your system will be denied. The same outcome will result if your finger is dirty or gets burned.
Secondly, I mentioned remote access earlier. The opportunities are decreased for a malicious unauthorised user, true, but they are also decreased for the legitimate user. If you are trying to access files from a remote location, you are usually asked for a password in order to verify that you have the authorisation to access those files. When verification changes to fingerprints, it isn’t quite so easy; your remote location had better have a fingerprint scanner handy, else you’ll swiftly be locked out. Hopefully you won’t make that realisation the night before an essay is due…
That’s all very well and good, you might think, but so long as it stops malicious attackers from gaining access to your system, it’s all good. You might be willing to sacrifice the usability for security, and might like the heightened security that biometrics offer your computer.
Unfortunately, unauthorised users will still gain administrator access. The reason for this is that the vast majority of computer exploitations are user-enabled. By this, I mean that the user plays some form of role in the deployment of malware on their system. It might be by clicking a compromised link, by visiting compromised websites or by downloading malicious email attachments. There are an infinite number of ways to trick users into letting unauthorised users in to their systems.
What I’m really trying to say is that there is no magic bullet that will defend your system from attack. The best defence that you can employ is an understanding of the threats that exist.
And a firewall. Get a firewall.