from the Anyone-run-this-by-Cellphone-Security? dept.
Looks like VISA credit card has developed a way of storing biometric data on our cellphones, then using that as an authenticator.
https://reclaimthenet.org/visa-applies-for-biometric-authentication-patent
What could possibly go wrong here?
I guess I am really leery of cellphone security and app resilience. Is it so complex that it's too finicky to use? Does it require a good internet connection to work? (Can you hear me now?) Or maybe it's based on QR codes?
I have been wrestling with a fast-food burger app over login issues. I am quite jaded over trusting anything I have to log on to to get a fresh timeout permission. For this, all I am risking is the cost of a trip to the restaurant vs. the likelihood the coupon offer will still work when I present at the register. (The Wendy's Story already discussed here.)
How much impact would a denial-of-service cause for you? How robust is this technology? I've already seen the most expensive cars shut down for the most trivial crap. That's why I drive an old one made before their design became enshittified.
Cut n paste snippets below.
Visa – one of the world's two biggest payments processors – appears to be moving into biometric data-based authentication, at least according to a patent it has applied for. And Visa claims that this would be fully privacy-friendly.
If Visa's patent – designed, according to the giant's filing, to provide "biometric templates for privacy preserving authentication" – is approved and implemented, the end result would be replacement of PINs with biometric identification.
The method would be used at ATMs, payment checkouts, and Visa made sure to note that the technology's use can be extended to unlocking apartments or letting people into venues like theaters, amusement parks, etc.
These latter, non-payment scenarios would allow Visa to monetize the patent via licensing to other companies.
The rationale for using such a system is said to be to improve security of user information in physical spaces.
The patent states that the system would work by customers enrolling into the program which means creating "a biometric template" on their device.
This data is encrypted and signed, and that signature, rather than the biometric information, is what the "access device" checks.
This, Visa said in the filing, is what preserves privacy, since the templates are stored on the user device rather than "in some giant database."
This appears to be the key point the company is trying to make with the proposed patent, and it was careful to stress that security breaches of such databases have "disastrous" consequences.
That's because the use of biometrics is at once safer than that of PINs and passwords, but also much riskier, given that unauthorized access provides those behind a hack with a large amount of personal information.
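The enrollment and verification flow the article sketches, written out as an added illustration (not Visa's code or the patent's actual scheme): the template and signing key stay on the user's device, the access device stores only a public key and checks a signature over a fresh nonce, so a breach of the access device's store yields no biometric data. The Ed25519 signature, the exact-match "matcher", and the constructed template bytes are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models the user's phone: it keeps the enrolled template and the
// signing key, and neither ever leaves it. (Assumed design, not Visa's.)
type Device struct {
	template []byte // constructed stand-in for a biometric template
	priv     ed25519.PrivateKey
}

// AccessDevice models the terminal: per user it stores only a public key,
// so a dump of its store contains no biometric data to steal.
type AccessDevice struct {
	pubs map[string]ed25519.PublicKey
}

// Enroll creates the template on the device and registers only the public key.
func Enroll(ad *AccessDevice, user string, sample []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ad.pubs[user] = pub
	return &Device{template: append([]byte(nil), sample...), priv: priv}, nil
}

// Authenticate runs one challenge-response: the terminal issues a fresh nonce,
// the device signs it only after a local match (toy exact match; real matchers
// are fuzzy), and the terminal verifies the signature. It never sees the sample.
func Authenticate(ad *AccessDevice, user string, d *Device, live []byte) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !bytes.Equal(live, d.template) {
		return errors.New("local biometric match failed; nothing signed")
	}
	sig := ed25519.Sign(d.priv, nonce) // only nonce and sig cross the channel
	pub, ok := ad.pubs[user]
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}
```

Note what this does not address: anyone who can present the enrolled body part to the device (the unconscious-owner case raised in the comments) still gets a signature, because the match is local and has no liveness check.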
Related Stories
A lot of security myths have acquired lives of their own and been taken as facts. Dr. Andy Farnell over at the Cyber Show's blog has posted an item about where passwords can still fit in as a part of general authentication despite what fleets of salesmen selling authentication gimmicks tell us.
Security models: password or tracker?
Indeed people do not discriminate two vastly different security models that should really be obvious with a moment's thought. The question is, "who is the security for?"
Security schemes that ask that you carry around a device which is connected permanently to a network and uses a mechanism that is entirely opaque to you are a different kind of security. It is more than a mere access control. It is not security for you.
It may pass for "something you have" but also has a function to act as a location or close proximity biometric remote sensor for an observer elsewhere. It's a tracking device.
[...] Partly it's because we've been using passwords wrong for about the past 40 years. The new NIST document partially puts that right. It's also because there's a massive "security industry" that sells things - and you can't sell people the ability to think up a new password in their own head. Where's the profit in that?
Instead they'll tell you that you need a fangled security system of gadgets and retina scans, and that you're too stupid to be trusted with your own security. They are wrong. In most cases passwords are just fine if not better than alternatives, and in this post we're going to explain why.
Thus another theme of this essay is personal responsibility and the crux of the argument is that all security solutions which are not passwords solve problems that are not yours.
Like self-service checkouts at the supermarket that make customers into employees, they are a way of passing blame, liability, and work onto you in order to solve someone else's security problem. As Prof. Ross Anderson bluntly puts it:
"If Alice guards a system but Bob pays the cost of failure, you can expect trouble."
Cybersecurity has become more harmful than helpful in many cases and biometrics are more of a user name than a password despite the constant misuse as the latter.
Previously:
(2024) NIST Proposes Barring Some of the Most Nonsensical Password Rules
(2024) VISA and Biometric Authentication
(2023) A Fifth of Passwords Used by Federal Agency Cracked in Security Audit
(2020) Here's Yet Another Reason Why You Really Should Start Using Better Passwords
(Score: 5, Insightful) by drussell on Monday March 04 2024, @06:28PM (5 children)
People should be more leery about using biometric data for random authentication than the chance of a service outage!
You can change a password, you cannot change your fingerprint, or the look of the photo of your iris when it is scanned.
Once your biometric data is compromised, you're permanently fucked!
It is one of the dumbest ideas ever, but since it seems all science-fiction-y and futuristic, all the ignorant people out there in the masses that don't know any better and can't think for themselves about consequences of actions are like "Hyuk, yuk! Duhhh... Derp! YEAH! Sign me UP!" 🙄
(Score: 5, Insightful) by DannyB on Monday March 04 2024, @06:58PM (1 child)
Don't use biometric data.
Imagine technology that would allow a PDA type device, including an authenticator, to be "tattooed" on your right (dominant) hand. That way you just wave your dominant hand in front of the payment terminal, and confirm by pressing a button on your hand. People without exception will love that they can use their dominant (right) hand for payments.
Now these would wear off and have to be re-applied. Naturally, it is going to be a cloud based subscription service.
It will be convenient. Then popular. Then it will be required.
Now imagine that if it were even possible in such a utopia that some people, especially teens, could not afford the subscription.
No problem!
You can get it subsidized if you are also willing to have a color animated advertising banner tattooed on your forehead whenever you get your authenticator tattoo/PDA refreshed. Good ol' advertising to the rescue!
Next, teens will compete to get the ads for the coolest things. Nobody wants a car insurance or laxative ad. Everyone wants an ad for the latest cool thing, coolest brands, or upcoming concert or event. Or an ad for some hip social media channel.
Next, some social media channels pay you to run a live feed on your forehead.
This won't be distracting at all. School teachers won't mind.
Poverty exists not because we cannot feed the poor, but because we cannot satisfy the rich.
(Score: 2) by Ox0000 on Tuesday March 05 2024, @02:05AM
Oh... I'll show them my hand [wikipedia.org] all right. In fact, I'll show them two [wikimedia.org]!
(Score: 4, Insightful) by pTamok on Monday March 04 2024, @08:35PM
You've already hit +5 Insightful, so I can't mod you higher. I can simply only agree.
(Score: 5, Insightful) by mcgrew on Tuesday March 05 2024, @12:02AM
They should also be leery of using their phone as a wallet! WTF? I'll not let anyone use my wallet, even in an emergency, but I'll let you use my phone. I'd be a fool to use my phone as a wallet.
It's a PHONE. Phone calls, texts, I'll read the paper or read a Kindle book on it in a waiting room, but using a phone as a wallet is brain dead stupid. The only identifiable data on my phone is my address book and Kindle books.
We not only don't have all the answers, we don't even have all of the questions.
(Score: 4, Interesting) by Beryllium Sphere (r) on Tuesday March 05 2024, @02:16AM
The photo on your driver's license is a biometric. It doesn't have to be kept secret.
Passwords have to be kept secret because it's the only way to guarantee who has them.
Biometric security comes from having a trustworthy authentication channel. My phone will not unlock from a picture of me, only from my actual face. But I don't have to keep my face secret.
(Score: 2, Insightful) by DannyB on Monday March 04 2024, @07:00PM
Poverty exists not because we cannot feed the poor, but because we cannot satisfy the rich.
(Score: 5, Insightful) by captain normal on Monday March 04 2024, @08:12PM (14 children)
Well....
"This, Visa said in the filing, is what preserves privacy, since the templates are stored on the user device rather than "in some giant database."
Seems to make it easy for the bad folk. Just take a pipe wrench and bash someone on the head, then use their device to drain their bank accounts, ring up all kinds of charges on their Visa accounts and fly off to anywhere.
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 5, Insightful) by pTamok on Monday March 04 2024, @08:30PM (8 children)
But...Americans really don't like socialism. Apparently, being free to exploit people with fewer resources than yourself is part of the American dream.
Oddly, some people are against UBI. The argument is, if people have their needs covered, they won't want to work. Billionaires don't seem to avoid getting extra income, even though the incentive for them not to work is far higher. Strange disconnect there.
(Score: 5, Insightful) by drussell on Monday March 04 2024, @09:39PM (4 children)
That is completely incorrect. Americans have been carefully conditioned to recoil at the term "socialist" and to always conflate it with extremist communism.
Americans love socialist policies! They just don't like them being CALLED socialism! 🙄
Socialist policies (even some, like "Social Security" for example, that sound socialist, right in the name) routinely poll at 65-90% support across the entire population.
Most people there are simply too obtuse to realize that they actually support those things which they have been told and conditioned to hate.
It is absolutely absurd!!
(Score: 4, Interesting) by mcgrew on Tuesday March 05 2024, @12:11AM (3 children)
Indeed. I can't remember the fellow's name, but I read that there was a Republican Senator in the 1950s who said "Americans will accept socialism, just not by that name."
The world's two happiest countries, Finland and Sweden, IINM, are both socialist. We're pretty miserable here in the fascist USA. Most of us, anyway.
We not only don't have all the answers, we don't even have all of the questions.
(Score: 0, Troll) by crafoo on Tuesday March 05 2024, @03:42AM (2 children)
Finland and Sweden are not real countries. They exist solely at the pleasure and convenience of the real world powers. They are allowed to exist because the USA and to some extent, the EU, says they can. I would say that these countries (and you should really look into those studies and how the metrics are defined) are "happy" because they're mostly ethno-states that have outsourced all of their nasty functions to third world slavers.
(Score: 3, Funny) by Anonymous Coward on Tuesday March 05 2024, @03:56AM
It's been a while since you've been outside, hasn't it?
(Score: 1, Informative) by Anonymous Coward on Tuesday March 05 2024, @10:26AM
Thank you for allowing us to exist. Sweden an ethno-state? You have not been here anytime during the last 30 years or so have you? It's starting to look fairly olive and dark in the skin colour.
(Score: 2) by mcgrew on Tuesday March 05 2024, @12:07AM
UBI will come, but not yet. I won't see it. When unemployment reaches a certain point as a result of mechanization, it will be necessary and stopping it will be impossible.
We not only don't have all the answers, we don't even have all of the questions.
(Score: 1, Redundant) by crafoo on Tuesday March 05 2024, @03:47AM (1 child)
on the topic of UBI, why are you desperately yearning for your enslavement? don't you think the powers handing out your UBI will have some things to say about how you live your life? who you report to and how often, maybe a blood and urine sample or two to be sure you're spending it right?
(Score: 1, Insightful) by Anonymous Coward on Tuesday March 05 2024, @03:54AM
I beg your pardon‽‽‽
Have you considered today's state of things?
(Score: 5, Informative) by RS3 on Monday March 04 2024, @09:04PM (3 children)
A couple of years ago a friend of mine tumbled down an embankment and wound up unconscious. Turned out he had underlying medical problems.
Anyway, he got taken to ER and they unlocked his phone using his thumb. He was livid when he found out, and of course changed to a number sequence instead.
So many things seem like good ideas at first glance. I tell everyone I know and come across: do not trust phones or phone numbers as some kind of security thing. Craziness.
(Score: 3, Interesting) by Beryllium Sphere (r) on Tuesday March 05 2024, @02:23AM (2 children)
Isn't that a story about the need for the principle of least privilege?
If I'm unconscious I want the EMTs or ER personnel to know what medications I'm on, which I'm allergic to, and any chronic conditions I have. Fortunately my phone's OS offers a way for someone with physical access to get that and other information. It doesn't let them into the phone overall.
(Score: 2) by RS3 on Tuesday March 05 2024, @03:34AM
Which phone OS?
It's a great idea, but there are many scenarios where your phone is damaged/destroyed, lost, etc. For people with conditions, medications, allergies, etc., there exist medical alert / ID bracelets that allow medical personnel to get the pertinent information, medical history, etc. I had a younger brother who had medical problems and wore one.
(Score: 3, Interesting) by gnuman on Tuesday March 05 2024, @01:49PM
There is this Emergency Info page on Android that is accessible from a locked phone. You can fill out things, like your blood type, emergency contact, etc. without needing to unlock the phone. Unlocking the phone actually makes accessing this information more difficult.
(Score: 2) by gnuman on Tuesday March 05 2024, @02:11PM
s/phone/wallet/
and you can do the same thing with a pipe wrench. Heck, even without a wallet, you can do similar things with a pipe wrench. So I don't understand this outrage here.
(Score: 5, Interesting) by Anonymous Coward on Monday March 04 2024, @09:20PM (1 child)
Close friend went to board a flight, using the smart-phone boarding pass so common now. But the scanner/reader at that gate was broken. Luckily, they had a paper printout of their boarding pass and got right on. Everyone in line without paper had to go find a kiosk (outside security at this airport), wait in line, get a paper boarding pass, re-enter security. If they were lucky they made the flight.
(Score: 5, Insightful) by turgid on Monday March 04 2024, @09:59PM
For this very reason I always take a paper print-out of my boarding pass. They're harder to drop on the ground and smash too.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Insightful) by SomeRandomGeek on Tuesday March 05 2024, @04:59PM
On the one hand, I have no idea what VISA is attempting to patent, since everything described in the article has been pretty standard stuff for at least a decade. On the other hand, I don't understand all the hate from the community for VISA trying to have better authentication of payment methods. There seem to be a lot of comments of the form "I can imagine a scenario where they really fuck it up and it is a disaster." But those comments all assume that VISA will do something really stupid which is not actually described in the article.
The article does not say that VISA intends to require their customers to use biometrics.
The article does not say that VISA intends to continue to require customers to use biometrics even after those customers' biometrics have been compromised.
The article does not say that VISA intends to store unhashed biometrics that hackers can then steal.
In case you haven't been paying attention, currently credit cards are basically unauthenticated. The information seen by every low wage employee of every vendor who processes the card is enough to steal that card. Even a poor biometrics implementation would reduce credit card fraud.