Biometrics is the key to defeating Bitcoin hackers!

[DrBitcoin]

In my opinion, biometric technologies like apples touch ID is the solution to Bitcoin hackers on major exchanges. Imagine Coinbase or Bitpay had a user enabled feature that requires your fingerprint in order to confirm any Bitcoin transactions.

Then, a hacker would need to get into your account, defeat two factor authentication... and have acess to your fingerprint to confirm any transaction requests.

Obviously, this could be a user enabled feature that conspiracy theorists or people looking to just be anonymous could opt out of.

If Apple were to open up its touch ID to third parties, this would be the best offering. But for the meanwhile, can't a website like coinbase allow you to buy a third-party fingerprint scanner?

[1714868785]

1714868785

[1714868785]

1714868785

[1714868785]

1714868785

[1714868785]

1714868785

[bobalo]

Not everyone has a finger scanner...

[substratum]

This is no better than OTP 2FA; both are worthless if your machine is infected by man-in-the-browser (MitB) malware. If you haven't been following banking malware trends you may not be aware - thieves have been bypassing 2FA easily for quite some time. Transaction Integrity Verification (TIV) using an offline device is the only way to defeat theft by MitB malware.

[ArticMine]

Apple touch ID is a perfect example of Security Theatre  https://en.wikipedia.org/wiki/Security_theater, as was demonstrated by the Chaos Computer Club http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid. It is completely useless to secure against Bitcoin hackers who are more often than not far more competent than Apple in security.

[hilariousandco]

I think Biometrics would be a worthy two/third-factor authentication as long as they were implemented properly and safe.

[hellscabane]

You know, you may actually be onto something here. The problem is how to make this process seamless and safe. There are several major companies trying to incorporate biometrics with their security practices and it could behoove BTC if several major exchanges/applications incorporate it.

Once again though, the problem is making the process seamless and safe.

[Remember remember the 5th of November]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

[Yogafan00000]

The problem with biometrics is that once your scan data has been compromised by data thieves, you can't change any of it.

[hazek]

They key to defeat hackers are secure hardware wallets, you'd imagine we'd have one by now. I'm still waiting on Trezor to ship and am hopeful it will be everything it needs to be - we'll see. Any updates slush?

[hellscabane]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

This is the difficulty in making biometrics seamless and safe.

One of the biggest issues is that unimodal biometric systems lack robustness. On the other hand, strictly multimodal biometric systems are very robust but they lack the seamlessness of unimodal systems. There has been work done on creating an adaptive multimodal system which uses probabilities to account for changes that the human body encounters but the difficulty is in trusting the robustness of the probabilities and securities of multi-level gaming of the systems.

[seriouscoin]

Not to mention fingerprints are every easy to steal.... yeah....

We still dont have robust technology for this application yet. For ex: eye scanning is so damn slow.

[seriouscoin]

They key to defeat hackers are secure hardware wallets, you'd imagine we'd have one by now. I'm still waiting on Trezor to ship and am hopeful it will be everything it needs to be - we'll see. Any updates slush?

About Trezor.... when will they have it ready? i really cant wait

[hazek]

They key to defeat hackers are secure hardware wallets, you'd imagine we'd have one by now. I'm still waiting on Trezor to ship and am hopeful it will be everything it needs to be - we'll see. Any updates slush?

About Trezor.... when will they have it ready? i really cant wait

Would be nice to know, I agree.

[hilariousandco]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

DNA scanning is even more far-fetched, but could be fun. Imagine licking or spitting into something before you could send your Bitcoins  . I'm sure there'll be fingerprint Bitcoin apps at some point.

[seriouscoin]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

DNA scanning is even more far-fetched, but could be fun. Imagine licking or spitting into something before you could send your Bitcoins  . I'm sure there'll be fingerprint Bitcoin apps at some point.

Altho DNA is unique (all 13 pairs) but its not guaranteed to stay the same.

[substratum]

The long and short of it is this: there's no method you can use to authenticate yourself to a remote website via an infected computer that man-in-the-browser malware can't hijack en-route and use in order to pretend to be you. Instead you need to validate the integrity of your transactions on a separate device. That's what Cronto does for banks and that's what Trezor does for Bitcoin wallets.

[hilariousandco]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

DNA scanning is even more far-fetched, but could be fun. Imagine licking or spitting into something before you could send your Bitcoins  . I'm sure there'll be fingerprint Bitcoin apps at some point.

Altho DNA is unique (all 13 pairs) but its not guaranteed to stay the same.

Are you saying peoples DNA changes?

[Remember remember the 5th of November]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

DNA scanning is even more far-fetched, but could be fun. Imagine licking or spitting into something before you could send your Bitcoins  . I'm sure there'll be fingerprint Bitcoin apps at some point.

Altho DNA is unique (all 13 pairs) but its not guaranteed to stay the same.

Are you sating peoples DNA changes?

I think I read somewhere that throughout a person's life, he has many mutations in his DNA.

[franky1]

In my opinion, biometric technologies like apples touch ID is the solution to Bitcoin hackers on major exchanges. Imagine Coinbase or Bitpay had a user enabled feature that requires your fingerprint in order to confirm any Bitcoin transactions.

Then, a hacker would need to get into your account, defeat two factor authentication... and have acess to your fingerprint to confirm any transaction requests.

Obviously, this could be a user enabled feature that conspiracy theorists or people looking to just be anonymous could opt out of.

If Apple were to open up its touch ID to third parties, this would be the best offering. But for the meanwhile, can't a website like coinbase allow you to buy a third-party fingerprint scanner?

as others have said biometrics is not easy.
1. not everyone has/wants a fingerprint scanner.
2. if i cut my thump and it left a scar, the thumbprint wont match the one on the exchanges database
3. a trojan horse could sniff the data input of a USB port to copy the persons thump print and then use it later.. much like keyloggers sniff usb keyboards.
4. the actual lesson to learn is to teach people not to use exchanges as long term bank accounts.

[Rawted]

I have been tinkering with this idea for quite some time. Multi tiered personal security appliances. Split into packages according to their security level (from basic to advanced). Can be used separately or combined together like Voltron to produce the ultimate personal security device.

The drafts for my idea have something like

level 1: fingerprint and/or voice
level 2: level 1 + retinal
level 3: level 2 + laser dna  (think http://www.ncbi.nlm.nih.gov/pubmed/8379664 but compact)

The amount of engineering to put this idea into production is way out of my league, however.

[Rawted]

In my opinion, biometric technologies like apples touch ID is the solution to Bitcoin hackers on major exchanges. Imagine Coinbase or Bitpay had a user enabled feature that requires your fingerprint in order to confirm any Bitcoin transactions.

Then, a hacker would need to get into your account, defeat two factor authentication... and have acess to your fingerprint to confirm any transaction requests.

Obviously, this could be a user enabled feature that conspiracy theorists or people looking to just be anonymous could opt out of.

If Apple were to open up its touch ID to third parties, this would be the best offering. But for the meanwhile, can't a website like coinbase allow you to buy a third-party fingerprint scanner?

as others have said biometrics is not easy.
1. not everyone has/wants a fingerprint scanner.
2. if i cut my thump and it left a scar, the thumbprint wont match the one on the exchanges database
3. a trojan horse could sniff the data input of a USB port to copy the persons thump print and then use it later.. much like keyloggers sniff usb keyboards.
4. the actual lesson to learn is to teach people not to use exchanges as long term bank accounts.

1. Units are cheap nowadays, can even take a hit on the manufacturing end and make up for it on final MSRp of the kits or the software side of things.
2. That's not how they would work. They work off of patterns, not whole scan matching.
3. Multiple points of security. No one piece of biometric data would be able to unlock the kingdom.
4. Agreed

[hellscabane]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

DNA scanning is even more far-fetched, but could be fun. Imagine licking or spitting into something before you could send your Bitcoins  . I'm sure there'll be fingerprint Bitcoin apps at some point.

Altho DNA is unique (all 13 pairs) but its not guaranteed to stay the same.

Are you sating peoples DNA changes?

I think I read somewhere that throughout a person's life, he has many mutations in his DNA.

Yes, a person experiences minute changes to his/her DNA throughout the course of life. Environmental mutagens, various forms of radiation, etc. Our bodies have mechanisms that do a very good job of preventing changes in our DNA, but just like the human experience, it too is imperfect.

[virtualmaster]

Devices with fingerprint scanner authentication are developed by good technicians but by a bad concept designer.
It is overseen that by authenticating with a fingerprint scanner you don't need the proper finger just the proper fingerprint.
And if a handy or laptop is stolen then mostly will have his owners fingerprint also which he uses maybe by the entrance of his house also.
If he would have password authentication and his password is stolen then he can change his password but he cannot change his finger or his fingerprint.

[OnkelPaul]

I'd much prefer a simple hardware security token plus easy-to-remember transformation rule, for example "swap first and third digit, add 3 to the fourth digit (mod 10)".
The token would spit out a new 6-or-8-digit number each minute, and the transformation rule must be used to find the actual password.
That way, to gain access someone must steal the token and also know the transformation rule. That's not impossible to do, but is much more difficult to achive stealthily than acquiring a fingerprint from some appropriate surface.

Of course, this is just the authentication part - you also need to have a reasonably tamper-proof computer and operating system, and the whole system must make sure that MITM attacks won't work.

Onkel Paul

(I can't help thinking of "Minority Report" whenever someone mentions iris scans...)

[Aswan]

In my opinion, biometric technologies like apples touch ID is the solution to Bitcoin hackers on major exchanges. Imagine Coinbase or Bitpay had a user enabled feature that requires your fingerprint in order to confirm any Bitcoin transactions.

Then, a hacker would need to get into your account, defeat two factor authentication... and have acess to your fingerprint to confirm any transaction requests.

Obviously, this could be a user enabled feature that conspiracy theorists or people looking to just be anonymous could opt out of.

If Apple were to open up its touch ID to third parties, this would be the best offering. But for the meanwhile, can't a website like coinbase allow you to buy a third-party fingerprint scanner?

The German "Chaos Compute Club" once replicated the finger prints of a well known German politician by simply taken them from a glass of water he used. They then published a usable version of the fingerprint with their magazine so everyone could use it to use that dudes finger prints.

There is even a tutorial about how to do that stuff and it's so easy. It's just not save and can be manipulated so easily.

[Rawted]

Devices with fingerprint scanner authentication are developed by good technicians but by a bad concept designer.
It is overseen that by authenticating with a fingerprint scanner you don't need the proper finger just the proper fingerprint.
And if a handy or laptop is stolen then mostly will have his owners fingerprint also which he uses maybe by the entrance of his house also.
If he would have password authentication and his password is stolen then he can change his password but he cannot change his finger or his fingerprint.

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

[virtualmaster]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

[Rawted]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

Sorry for that not being clear, I meant the version we would use would base the pass/fail upon the light bounced off the actual flesh ridges of a human's fingers.

[Elwar]

I have an old device that is a mini computer that requires a fingerprint scan to activate. It plugs in to your USB and uses your computer's network and monitor/keyboard without giving access to the contents of the device.

The company went out of business and the device is only compatible with old OSes. That would be ideal.

[virtualmaster]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

Sorry for that not being clear, I meant the version we would use would base the pass/fail upon the light bounced off the actual flesh ridges of a human's fingers.

And what is the difference between a simple fingerprint and a scanned image of a finger where the gaps between the ridges are filled with an opaque hand-cream and they are no valleys ?

[ChuckBuck]

I like the idea of Biometrics as a 2 FA or 3 FA method, but what happens if a person has no hands or fingers or had it amputated!   

Guess iris scanning is the next evolution.

Next thing we'll be pricking ourselves to give blood DNA to authenticate!   

[RodeoX]

I'm not sure the technology is there yet. As an experiment I set up a fignerprint reader on my Linux ThinkPad. It was way easier than entering my long password each time.
Once completed, I got bored and decided to try defeating it. Five minutes later I was in.

I used clear tape to lift a print that I had blown graphite dust onto. No super glue smoke needed, just old school. I then stuck the tape to some white paper and warped it around any finger to be read. It opened first try.  

[Rawted]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

Sorry for that not being clear, I meant the version we would use would base the pass/fail upon the light bounced off the actual flesh ridges of a human's fingers.

And what is the difference between a simple fingerprint and a scanned image of a finger where the gaps between the ridges are filled with an opaque hand-cream and they are no valleys ?

Well lotion gets absorbed by the skin, it doesn't sit on top of it. I am positive it's not a problem like you're making it out to be. One could always wipe off their finger...

[Rawted]

I like the idea of Biometrics as a 2 FA or 3 FA method, but what happens if a person has no hands or fingers or had it amputated!   

Guess iris scanning is the next evolution.

Next thing we'll be pricking ourselves to give blood DNA to authenticate!   

Amputees would use a different level device. They would move right into retinal/voice/laser dna scans. Someone with glaucoma would use fingerprint/voice/laser dna. That's the beauty of it, it's customizable to the user.

[Rawted]

I'm not sure the technology is there yet. As an experiment I set up a fignerprint reader on my Linux ThinkPad. It was way easier than entering my long password each time.
Once completed, I got bored and decided to try defeating it. Five minutes later I was in.

I used clear tape to lift a print that I had blown graphite dust onto. No super glue smoke needed, just old school. I then stuck the tape to some white paper and warped it around any finger to be read. It opened first try.  

More than likely, this was an optical scanner. A few posts back i detailed CCD scanning, which would be far more accurate and less 'hackable'. Again, the goal is to combine multiple points of authentication and not leave it to a single point of entry.

[RodeoX]

I'm not sure the technology is there yet. As an experiment I set up a fignerprint reader on my Linux ThinkPad. It was way easier than entering my long password each time.
Once completed, I got bored and decided to try defeating it. Five minutes later I was in.

I used clear tape to lift a print that I had blown graphite dust onto. No super glue smoke needed, just old school. I then stuck the tape to some white paper and warped it around any finger to be read. It opened first try.  

More than likely, this was an optical scanner. A few posts back i detailed CCD scanning, which would be far more accurate and less 'hackable'. Again, the goal is to combine multiple points of authentication and not leave it to a single point of entry.

It was indeed an optical scanner. I know much better biometric devices exist, such as eye scans or scans of the vasculature of the palm. But I can't help thinking that there is a $10 countermeasure out there somewhere.
And I totally agree that layered security it the best practice.

[Aswan]

It won't ever work since the password will be written down in plain text on your finger instead of being on your mind, it's therefore less save.