date 2018-10-25
from the I'm-sure-they'll-delete-the-records-when-they're-no-longer-needed dept.
JPMorgan requires staff to hand over biometric data to access new headquarters
New York bank is imposing eye and fingerprint scans amid heightened security concerns at corporate offices
JPMorgan Chase has told staff moving into the US bank's new multibillion-dollar Manhattan headquarters they must share their biometric data to access the building, overriding a prior plan for voluntary enrolment.
Employees who have started work at its 270 Park Avenue skyscraper since August have received emails saying biometric access is "required", according to a communication seen by the Financial Times. This allows people to scan their fingerprints or eye instead of ID badges to get through the lobby security gates.
[...] Dave Komendat, chief security officer at Corporate Security Advisors, said biometrics had been used for decades at higher-security areas, such as government installations and data centres, but putting them in commercial buildings for large numbers of people would be used at a new and larger scale.
https://www.ft.com/content/d5351d3d-d64f-4a90-a3da-d1ef8e8bea66
https://archive.ph/YCV85
[Ed. question: Would this be a deal breaker for any of you for joining or continuing to work at the company?]
(Score: 3, Interesting) by fen on Monday October 20, @09:51AM
I worked for a major bank at a satellite site. A lot of people had most of their team on the other coast. They faced an hour commute to sit alone in an office and scramble for quiet rooms. There was some talk about sharing ID cards to fulfill the return-to-work requirements.
(Score: 5, Insightful) by pkrasimirov on Monday October 20, @10:09AM (13 children)
Next title probably in line: "Millions of personal data, including biometrics, are stolen". Yeah, I can change my password, I cannot change my eyes. Funny clowns, when that happens they will react like surprised koalas, who could have thought that is even possible? Anyway, zero responsibility taken of course, "not-my-fault" is their strongest game.
(Score: 2, Interesting) by fen on Monday October 20, @10:13AM (3 children)
How do smartphones handle this? Apple talks about hardware separation--this is why you need to redo biometrics on a full phone restore. What are specific problems with fingerprints? Why do we only fingerprint suspected criminals?
(Score: 5, Insightful) by sneftel on Monday October 20, @12:08PM (1 child)
I can't speak for the police, but I suspect they rarely see crime scenes with eyeball prints all over everything.
(Score: 0) by Anonymous Coward on Monday October 20, @06:53PM
> I suspect they rarely see crime scenes with eyeball prints all over everything.
This may change in the future when HD security cameras improve(??) Then the crooks will all wear dark glasses and the cameras will be fitted with strobes....
Not something I'm looking forward to, but sort of seems inevitable.
(Score: 2) by DadaDoofy on Monday October 20, @06:49PM
> What are specific problems with fingerprints?
The "problem" with fingerprints lies in cheap, poorly designed inaccurate fingerprint detection, not fingerprints themselves.
> Why do we only fingerprint suspected criminals?
Not true. We also fingerprint people who apply for "positions of trust".
(Score: 3, Funny) by Anonymous Coward on Monday October 20, @10:27AM (3 children)
Koalas are never surprised. They are so stoned on eucalyptus oil that everything is like "yeah man, that's cool, I'm gonna go chew some leaves".
(Score: 4, Funny) by turgid on Monday October 20, @10:45AM (2 children)
Interesting. I have a tree in the garden. Maybe I'll try a leaf or two.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Informative) by HiThere on Monday October 20, @01:07PM (1 child)
I believe Eucalyptus leaves are rather high in cyanide. There are reasons why just about only koalas eat them.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by turgid on Monday October 20, @01:16PM
What about Fisherman's Friends [fishermansfriend.com]?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 5, Insightful) by sneftel on Monday October 20, @12:06PM (4 children)
Christ, this same mistake gets posted like clockwork under literally every story about biometrics. "What if the data gets stolen?? I can't change my [piece of anatomy]!"
This mistake stems from the analogy of passwords, which seek to provide secure authentication by means of secrets. There's a datum you know, and the service also knows the datum (or, at least, knows a hash of the thing) and you provide the datum in question to prove that you are the one and only person who knows that datum.
But biometrics aren't about secrecy. Nobody tries to keep their eyes secret. They post pictures of them publicly, in fact. Biometrics only work because of trusted hardware. The thing which says "this is so-and-so's eyeball", or equivalently "this user has an eyeball which looks like such-and-such", is a hardened and attested device which is trusted to only provide true information about the eyeball presented to it, including verifying that the thing being presented to it is an actual human eyeball. Trusted computer hardware is difficult to get right, but people have been working on that problem for the better part of a century and at this point they're really quite good at it.
Think of it as the difference between an old-style (pre-chip) credit card reader and a coin acceptor. It's trivial to copy the magstrip of a credit card, and the credit card reader would have no idea; the secrets are the only thing special about the credit card. But all nickels look the same. The security of a coin acceptor comes from the physical difficulty of copying coins. As long as the vending machine is sure the coin acceptor hasn't been tampered with, it can trust that the signal that a nickel was inserted represents an actual nickel having been inserted.
So when you say "I can't change my eyes", consider first whether you can copy your eyes.
(Score: 4, Informative) by pkrasimirov on Monday October 20, @12:41PM
A machine can copy my eyes, more specifically all information it deems sufficient to identify them among others. Whether it will store that information, or a hash of it, or a secure hash of it for future comparison, is not in my control or knowledge. You can argue it's okay because it's not really my eyes but the laws in EU disagree.
(Score: 4, Insightful) by VLM on Monday October 20, @01:26PM
Technically it's very easy to fool those machines.
It's a risk-reward thing where you're supposed to have an armed guard standing there making sure people are not holding up a picture of someone's eye or wearing a rubber glove with a picture of fingerprints on it. It doesn't cost much to distract the guard.
The real purpose as usual with these people, is a mix of security theater and ritual humiliation.
With a side dish of "oh it makes people mad so 3% of our employees leave? That's cool we were expecting 5% layoffs this year so now we only have to "work" for an additional 2%"
My experience is with secured data center doors quite a few years ago; they were mostly for show. They also went well out of alignment FAST with heavy use so just turn down the sensitivity dial until anyone's hand works all the time. Also they were ungodly filthy. You'd want to wash your hands after touching the hand scanner but couldn't; this is very "post-covid" making everyone touch everyone else eww gross.
(Score: 3, Interesting) by VLM on Monday October 20, @01:39PM
"That 24x7 human touch to guard the machines is expensive, let's just buy a scanner and hook it up directly to the door lock on every entrance to save money. If we had to hire a guard to guard the scanner we'd have just hired a guard to guard the door LOL"
(Score: 2) by krishnoid on Monday October 20, @02:27PM
Apple is proof that the technology is quite advanced and has accounted for multiple considerations. Of course, it's probably not what they're using [youtu.be].
(Score: 3, Interesting) by looorg on Monday October 20, @11:19AM (2 children)
It sounds scary and over the top. But then I have already done it. I had my fingerprints on my work ID for at least the last two or three jobs I have had. They have photo, fingerprints and some biometrical data such as height on them. It's also the same on my national ID card and driver's license. I got a new ID card just a month ago. I got that one so I guess it wasn't a deal breaker. What is on American ID cards and driver's licenses if you have such an issue with this? Is it just a photo and a name?
I guess it's faster to scan your finger at the entry gate than to bring up a card and swipe. But not by much. After all they want you to have your corporate card visible and you need easy access to it to scan it at doors, the printer, elevators etc. So the time save is probably minimal. I guess they solve the issue of card-sharing. But unless they can prove that is a big problem I am wondering what kind of problem they are really solving. Did they have a large problem with that? Did they have a lot of people enter the building that didn't belong there? After all will this stop people with guns from entering the building for a massive work shooting spree in the lobby?
So I guess it was then. Did they not have an ID system? Which is why the gunman managed to enter the building and ride elevators and such before going on a rampage? Perhaps they should have just had more armed guards in the lobby? Which sounds like a horrible idea. But then they are a bank don't they have like an armed guard in the bank to make people feel all secure and such? I don't know, I've never been to a bank in America, so this is all just taken from movies -- where there is always some retired cop in the bank and he gets shot first.
So they are focusing on what they consider to be the perceived benefits or positive aspects of it. Not the negative. Like can we keep this entire database of biometric data secure? Answer probably no.
It sounds a bit over the top for getting to the office. But I guess it's just the next step in "security". Just hope it doesn't escalate to wanting blood samples and such. There is a limit somewhere, but fingerprint and photo wasn't it.
(Score: 2) by VLM on Monday October 20, @01:31PM
It's not an individual case thing.
Imagine I was legally required to use the same password on every site on the internet for the ease and comfort of our local version of the KGB.
It's the same card to open or close an account at a bank, cash a check, request a deposit, enter a school district building, buy a beer if you look young, check out a library book with it, use my public gym, get a minor citation ticket from the police, etc.
Some of those places like the library and gym and bank prefer you bring their card or similar documents but are pretty chill if you walk up with a driver's license and a sob story about forgetting it at home.
Your DL in the USA is the simple, easily cloned, unchangeable root password to every account you have IRL.
(Score: 2) by quietus on Monday October 20, @01:44PM
I don't know about this particular case, but I can tell you that these buildings have some kind of cargo load bay(s) at the back or in a side street. If there is a security gate there, it's likely to be the kind that you can easily jump.
(Score: 2) by Dr Spin on Monday October 20, @12:02PM
Yes.
Warning: Opening your mouth may invalidate your brain!
(Score: 3, Informative) by turgid on Monday October 20, @12:03PM (2 children)
They already introduced WADU [businessinsider.com] to monitor their staff continuously. I think I'd rather starve to death than work there. They wouldn't have me anyway, I expect.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by VLM on Monday October 20, @01:35PM (1 child)
It USED TO be a prestigious place to work. USED TO. They're running a selection program to select very "interesting" employees now.
Imagine spending your whole life competing to get into an ivy league school to become a well connected investment banker, maybe at JPM, and then getting there and being all "fuck this place".
(Score: 2) by turgid on Monday October 20, @01:55PM
I knew someone who used to work for JP Morgan in the UK. His head had trouble getting through the office door. He was always finished his work in super quick time because he never finished it plus he already knew how to do everything and couldn't be taught.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Insightful) by SomeGuy on Monday October 20, @12:07PM
Just a reminder that biometrics are not real security. They are theater, put in place by idiots who believe everything they see in movies and wish to treat their employees like cattle/slaves.
Besides, everyone knows that glorious smart phones uniquely and reliably identify everyone. After all, everyone owns a smart phone, right? Just send a 2FU authentication request to their smart phone app whenever they want to access anything, throw some AI at it too while you are at it, and everything will be perfect, right?
(Score: 5, Informative) by Rosco P. Coltrane on Monday October 20, @12:19PM (3 children)
because my company uses Microsoft cloud services and I refused to let them upload my photo. They argued a bit, then they relented when the union rep came to chat with HR.
I'm pretty sure most of the company would walk out if they tried biometrics.
Also, biometrics are bad. You know why? Because when someone steals your biometric data, you can't change it. And yes, they will be stolen, just like passwords.
(Score: 2) by gnuman on Monday October 20, @02:34PM (2 children)
Except this is for building access ... they could have just used facial recognition instead here. Yes, if someone steals your head, I'm sure no one would notice and let you in the door, just like if someone stole your RFID key or similar. This is not about secrets. It's about ID, like you have photo in passport so that people/computers can compare the passport with your face.
It's incorrect to compare this to passwords. Passwords are meant to be secret. Your face is not. But I guess they could use DNA in the future, like Gattaca (sans the blood sample)
(Score: 4, Insightful) by Rosco P. Coltrane on Monday October 20, @02:48PM (1 child)
Biometrics for identification purposes are fine. The problem is, they're used for authentication.
(Score: 3, Insightful) by canopic jug on Monday October 20, @05:11PM
Indeed. Biometrics are the username, not the password. Attempting to use them in place of the latter weakens the system that is done to.
Money is not free speech. Elections should not be auctions.