Explain how biometric systems are vulnerable to the five generic attacks on authentication systems.
a. Clone or borrow credential
b. Sniff credential
c. Trial and error guessing
d. Denial of service
e. Retrieve from backup
Solution
a. Clone or borrow credential: It is not impossible for someone to capture our biometric signature and use it independently of us. Facial recognition systems and cameras are everywhere, and whoever collects that information can use it to appear as the original user. There are also fingerprint readers that work at a distance. Whoever operates such a reader can accumulate the data and clone the user's biometric information for their own use.
b. Sniff credential: Biometric data is the same as any other data in digital format. It can be stolen, modified and used for a third party's benefit. The credentials can be sniffed far more easily because of everyday exposure to cameras, etc.
c. Trial and error guessing: Suppose access requires a fingerprint and the attacker has access to the names of all the people in the building. The attacker may obtain the fingerprints of all those people and try them, hoping to be lucky. Unlike passwords, fingerprints are exposed everywhere and they can't be modified.
d. Denial of service: This attack can also affect biometric systems, and in fact it can affect them very rapidly. Matching a fingerprint, a face or other biometric data requires a lot more computational power than matching other data. So flooding the system with lots of malicious biometric data can easily cripple it.
e. Retrieve from backup: After all, biometric data is stored simply as electronic data in the form of bits. So it is possible that the attacker may be able to retrieve some biometric information of the users from the backups and then use it to launch the attack. Unlike passwords or digital signatures, biometric information such as a person's fingerprint can't be changed. So access to the data in the backup can mean prolonged access rights in the future for the attacker.
