Biometrics is the key to defeating Bitcoin hackers!

[Rawted]

In my opinion, biometric technologies like apples touch ID is the solution to Bitcoin hackers on major exchanges. Imagine Coinbase or Bitpay had a user enabled feature that requires your fingerprint in order to confirm any Bitcoin transactions.

Then, a hacker would need to get into your account, defeat two factor authentication... and have acess to your fingerprint to confirm any transaction requests.

Obviously, this could be a user enabled feature that conspiracy theorists or people looking to just be anonymous could opt out of.

If Apple were to open up its touch ID to third parties, this would be the best offering. But for the meanwhile, can't a website like coinbase allow you to buy a third-party fingerprint scanner?

as others have said biometrics is not easy.
1. not everyone has/wants a fingerprint scanner.
2. if i cut my thump and it left a scar, the thumbprint wont match the one on the exchanges database
3. a trojan horse could sniff the data input of a USB port to copy the persons thump print and then use it later.. much like keyloggers sniff usb keyboards.
4. the actual lesson to learn is to teach people not to use exchanges as long term bank accounts.

1. Units are cheap nowadays, can even take a hit on the manufacturing end and make up for it on final MSRp of the kits or the software side of things.
2. That's not how they would work. They work off of patterns, not whole scan matching.
3. Multiple points of security. No one piece of biometric data would be able to unlock the kingdom.
4. Agreed

[1714855981]

1714855981

[1714855981]

1714855981

[1714855981]

1714855981

[1714855981]

1714855981

[hellscabane]

I already spoke to some of the devs, they quickly proved me wrong that biometrics are viable. They said for instance, that fingerprints are not the same throughout the whole life, they change and are are not as accurate all the time. I also tried saying ok what about a DNA scan, proved me wrong again.

DNA scanning is even more far-fetched, but could be fun. Imagine licking or spitting into something before you could send your Bitcoins  . I'm sure there'll be fingerprint Bitcoin apps at some point.

Altho DNA is unique (all 13 pairs) but its not guaranteed to stay the same.

Are you sating peoples DNA changes?

I think I read somewhere that throughout a person's life, he has many mutations in his DNA.

Yes, a person experiences minute changes to his/her DNA throughout the course of life. Environmental mutagens, various forms of radiation, etc. Our bodies have mechanisms that do a very good job of preventing changes in our DNA, but just like the human experience, it too is imperfect.

[virtualmaster]

Devices with fingerprint scanner authentication are developed by good technicians but by a bad concept designer.
It is overseen that by authenticating with a fingerprint scanner you don't need the proper finger just the proper fingerprint.
And if a handy or laptop is stolen then mostly will have his owners fingerprint also which he uses maybe by the entrance of his house also.
If he would have password authentication and his password is stolen then he can change his password but he cannot change his finger or his fingerprint.

[OnkelPaul]

I'd much prefer a simple hardware security token plus easy-to-remember transformation rule, for example "swap first and third digit, add 3 to the fourth digit (mod 10)".
The token would spit out a new 6-or-8-digit number each minute, and the transformation rule must be used to find the actual password.
That way, to gain access someone must steal the token and also know the transformation rule. That's not impossible to do, but is much more difficult to achive stealthily than acquiring a fingerprint from some appropriate surface.

Of course, this is just the authentication part - you also need to have a reasonably tamper-proof computer and operating system, and the whole system must make sure that MITM attacks won't work.

Onkel Paul

(I can't help thinking of "Minority Report" whenever someone mentions iris scans...)

[Aswan]

In my opinion, biometric technologies like apples touch ID is the solution to Bitcoin hackers on major exchanges. Imagine Coinbase or Bitpay had a user enabled feature that requires your fingerprint in order to confirm any Bitcoin transactions.

Then, a hacker would need to get into your account, defeat two factor authentication... and have acess to your fingerprint to confirm any transaction requests.

Obviously, this could be a user enabled feature that conspiracy theorists or people looking to just be anonymous could opt out of.

If Apple were to open up its touch ID to third parties, this would be the best offering. But for the meanwhile, can't a website like coinbase allow you to buy a third-party fingerprint scanner?

The German "Chaos Compute Club" once replicated the finger prints of a well known German politician by simply taken them from a glass of water he used. They then published a usable version of the fingerprint with their magazine so everyone could use it to use that dudes finger prints.

There is even a tutorial about how to do that stuff and it's so easy. It's just not save and can be manipulated so easily.

[Rawted]

Devices with fingerprint scanner authentication are developed by good technicians but by a bad concept designer.
It is overseen that by authenticating with a fingerprint scanner you don't need the proper finger just the proper fingerprint.
And if a handy or laptop is stolen then mostly will have his owners fingerprint also which he uses maybe by the entrance of his house also.
If he would have password authentication and his password is stolen then he can change his password but he cannot change his finger or his fingerprint.

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

[virtualmaster]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

[Rawted]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

Sorry for that not being clear, I meant the version we would use would base the pass/fail upon the light bounced off the actual flesh ridges of a human's fingers.

[Elwar]

I have an old device that is a mini computer that requires a fingerprint scan to activate. It plugs in to your USB and uses your computer's network and monitor/keyboard without giving access to the contents of the device.

The company went out of business and the device is only compatible with old OSes. That would be ideal.

[virtualmaster]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

Sorry for that not being clear, I meant the version we would use would base the pass/fail upon the light bounced off the actual flesh ridges of a human's fingers.

And what is the difference between a simple fingerprint and a scanned image of a finger where the gaps between the ridges are filled with an opaque hand-cream and they are no valleys ?

[ChuckBuck]

I like the idea of Biometrics as a 2 FA or 3 FA method, but what happens if a person has no hands or fingers or had it amputated!   

Guess iris scanning is the next evolution.

Next thing we'll be pricking ourselves to give blood DNA to authenticate!   

[RodeoX]

I'm not sure the technology is there yet. As an experiment I set up a fignerprint reader on my Linux ThinkPad. It was way easier than entering my long password each time.
Once completed, I got bored and decided to try defeating it. Five minutes later I was in.

I used clear tape to lift a print that I had blown graphite dust onto. No super glue smoke needed, just old school. I then stuck the tape to some white paper and warped it around any finger to be read. It opened first try.  

[Rawted]

This wouldn't be an issue. There's basically two types of scanning used, optical and ccd. Using ccd, the scan actually measures the patterns of contrasting light and dark spots of the ridges and compares them to past scans. The light used wouldn't reflect off a fingerprint's oil pattern the same way it would an actual flesh digit with ridges and valleys.

That wouldn't be proper for womans as they use hand-creams. 

Sorry for that not being clear, I meant the version we would use would base the pass/fail upon the light bounced off the actual flesh ridges of a human's fingers.

And what is the difference between a simple fingerprint and a scanned image of a finger where the gaps between the ridges are filled with an opaque hand-cream and they are no valleys ?

Well lotion gets absorbed by the skin, it doesn't sit on top of it. I am positive it's not a problem like you're making it out to be. One could always wipe off their finger...

[Rawted]

I like the idea of Biometrics as a 2 FA or 3 FA method, but what happens if a person has no hands or fingers or had it amputated!   

Guess iris scanning is the next evolution.

Next thing we'll be pricking ourselves to give blood DNA to authenticate!   

Amputees would use a different level device. They would move right into retinal/voice/laser dna scans. Someone with glaucoma would use fingerprint/voice/laser dna. That's the beauty of it, it's customizable to the user.

[Rawted]

I'm not sure the technology is there yet. As an experiment I set up a fignerprint reader on my Linux ThinkPad. It was way easier than entering my long password each time.
Once completed, I got bored and decided to try defeating it. Five minutes later I was in.

I used clear tape to lift a print that I had blown graphite dust onto. No super glue smoke needed, just old school. I then stuck the tape to some white paper and warped it around any finger to be read. It opened first try.  

More than likely, this was an optical scanner. A few posts back i detailed CCD scanning, which would be far more accurate and less 'hackable'. Again, the goal is to combine multiple points of authentication and not leave it to a single point of entry.

[RodeoX]

I'm not sure the technology is there yet. As an experiment I set up a fignerprint reader on my Linux ThinkPad. It was way easier than entering my long password each time.
Once completed, I got bored and decided to try defeating it. Five minutes later I was in.

I used clear tape to lift a print that I had blown graphite dust onto. No super glue smoke needed, just old school. I then stuck the tape to some white paper and warped it around any finger to be read. It opened first try.  

More than likely, this was an optical scanner. A few posts back i detailed CCD scanning, which would be far more accurate and less 'hackable'. Again, the goal is to combine multiple points of authentication and not leave it to a single point of entry.

It was indeed an optical scanner. I know much better biometric devices exist, such as eye scans or scans of the vasculature of the palm. But I can't help thinking that there is a $10 countermeasure out there somewhere.
And I totally agree that layered security it the best practice.

[Aswan]

It won't ever work since the password will be written down in plain text on your finger instead of being on your mind, it's therefore less save.