Biometrics — How do you Stop Jean Reno?

We do not take the risk of biometrics seriously and I blame the film Mission Impossible.
There is a sentence you weren’t expecting to read today.
We’ve all seen the first Mission Impossible film. It’s awesome. Jean Reno. Exploding fish tanks. Jean Reno. Exploding helicopters. Jean Reno. Some guy… Tom something. Jean Reno. But it was noted for the scene where the team have to break into an impenetrable computer. They could get past the lasers, floor sensors and passwords. But the iris scanners. The fingerprint scanners. They were unbreakable. A line of defence no one can crack.
The trouble with Hollywood is they specialise in things which are good for dramatic story telling but not accurate. It was great to see that Tom bloke dangling from a rope while the excellent Jean Reno was pestered by a rat. But in real life they’ve have just said “tish” and “fibble” to the biometrics and walked in with not a care in the world. The iris and fingerprint scanners presenting no more of a hurdle than a poor quality password. A photocopy of a finger and a grape with some biro lines would have sufficed.
I’m a techie with over 17 years experience. I spend my days working with computer networks, users and security. Crucially when people I know get hacked, have their identity stolen or find viruses and other assorted nasties on their computer they come running to me. Once we pick apart what happens I always find out how it happened. Often you find security tends to be based on an illusion. If you’ve ever seen a locksmith pick your front door lock you’ll know what I mean. We think those locks on our doors which protect our homes and families are “secure”. Right up until you see a locksmith open the door in 15 seconds. Then you go through a series of wild facial expressions and nervous ticks before realising everything you thought about security it wrong. It’s like that when you get hacked. “But… password… fingerprint… Whhhaaatttttt?!?”
So let’s aim to get a “healthy paranoia”.
Start by saying this over and over again. No system is secure.
No system is secure.
Say it. Again and again. Make it your mantra with technology. Don’t believe me. Do a simple Google search for “Famous Hacks”. Or look at this. It details a flaw in the way computers communicate over the Internet which was there for years. Not days. Not weeks. Years. Every month big vendors release updates most of which are for security vulnerabilities. It might annoy you when your machine wants to do updates but do them. You have no idea what security holes they are plugging. Once you look into what these updates protect you against you find it’s like opening Schrodinger’s Box. You expect to see a cat but instead find a deformed, hybrid of feline and diarrhetic shit which fires tuberculotic sputum into your face before running off and attacking your kids.
So yeah… no system is safe.
Now we accept that we can look at biometrics themselves. A biometric, be it fingerprint, iris scan or scrotal scrap is essentially a password. But it is a password you cannot change. Think about this. If someone gets your PIN you change it. If someone gets your Facebook password, you change it. If someone got your fingerprint or iris scan (or found a way to fool the scanners into thinking it’s you) then how would you change it? Burn your fingerprints off? Jab a screwdriver in your eye?
Which raises the other point… if biometrics are so wonderfully secure then what would happen if you burnt your fingers, cut them so you had a deep scar or suffered an eye injury? How would you get into your device? “Oh, it’s alright Dave. You set up a passcode when you setup the biometrics.”
Then it has all the inherent flaws of a passcode, doesn’t it?
Therefore… say after me…
I do solemnly declare I will never use biometrics for security.
Good.
So what do you do? What can we do that isn’t an illusion? What would stop the magnificent Jean Reno in his tracks?
A crucial thing you have to do is use two-step authentication. This is a wonderful system which is not perfect (nothing is) but it’s managed to keep an awful lot of bank accounts secure in a world full of ATMs.
To get cash from an ATM you don’t turn up, put in a name and a password. Instead you need to insert a bank card and enter a PIN. It is two step. Something physical and some form of knowledge. If you get the card you still need the PIN. If you get the PIN you still need the card. Getting both is difficult (but not impossible). Two Step or Two Factor Authentication does this very thing. When you log into a service it asks for your password. It then sends a text message with a code to your mobile phone. You have to enter the password, and the code from the mobile. Therefore to hack the system you need the password AND the phone. It makes it more difficult. Not impossible but more difficult.
If you do this, and you should, then a word of warning. Make sure you know what to do if you lose your phone or am going abroad and can’t get text messages. There are measures you can take should this happen but be aware of what they are (and think about the risks associated with them) before you do it. Google use a system where you can print off and store somewhere safe some access codes. This works quite well. So long as you don’t put them with your laptop and a copy of your password.
Also, use strong passwords and use a password manager. Last Pass gets a high rating and they handled a hack on their system excellently and kept their users informed and provided wonderful advice.
Stay safe out there people… and repeat after me…
I will not use biometrics for security.
Now, let’s go and watch a film with Jean Reno in it.