[geeks] Interesting article on fingerprint biometric systems

Dan Duncan dand at pcisys.net
Tue May 11 17:46:48 CDT 2004


On Tue, 11 May 2004, Sandwich Maker wrote:
> that sort of approach is good mnemonics but bad strategy - that means
> the black hats could guess your real code starting from the duress
> one, as long as they don't actually try the duress code -itself-.

Good luck.  They only get a limited number of failed attempts
before it locks out.

> and you have to be able to remember a code you don't actually use
> while under stress.

The duress code is usually derived from the real code.  Increment
or decrement one of the digits, transpose 2 digits, etc.  Yes,
sometimes they are entered accidentally and hilarity ensues.

> unless they use social engineering and just trick
> you.

That's why you have multiple methods of identification.  Unless
they can trick me into giving them my eye as well, my PIN and
badge won't help them much.  I'm always willing to give
an appropriate finger to interested parties, however.

> " > what makes them fall for the
> " > duress code over the real one?
> "
> " Why wouldn't they fall for the duress code?
>
> ummm because they're sneaky, underhanded, devious, and suspicious?
> and know the first code they're likely to get is the duress code?

One advantage of duress codes is not letting people know
you use them.

> " It appears to be a
> " valid code, and would appear to work at first.  By the time
> " the unauthorized party realizes it wasn't the correct code,
> " presumably they are surrounded by MPs with guns.
>
> unlikely at your average atm.  nice image though,

That was the DoD install, obviously.  For the ATM, a duress code
that seems to work but has a small limit (and perhaps even
shows a reduced balance but greater than the withdrawal limit
so the person will keep visiting ATMs until the balance is
reached, thus increasing the chances of being caught on
tape) would be GREAT.  I'd pay extra for that service.

> they do get things right.  alas, it seems to be mostly where force is
> the unqualified solution.  as my friend remarked - listening to the
> hearings today - the dod is a -very-blunt- weapon.

You sign away certain guarantees when you work there.  For example,
the fire exits are not quite the same.

> yeah, but women get un-pregnant for any number of reasons, often
> before it shows.  and what difference does it make, until it impedes
> the job or requires leave?  the extra six-odd months pay is valuable,
> but tell me that many employers would not spend that time looking for
> excuses to terminate asap, if they knew.

Perhaps so.

> as for airliners squawking 7700 - none of the 9/11 did.  suppose the
> hijackers knew not to allow it?  or just killed the trained crew
> before they could squawk?  remember, all those guys went through
> -american- flight schools.  even if the squawk had had some sort of
> dead-man switch, they'd have known.

Perhaps a universal 7700 wasn't such a great idea.  Perhaps each
airline should have its own.

-DanD

-- 
#  Dan Duncan (kd4igw)  dand at pcisys.net  http://pcisys.net/~dand
# I believe I have no prejudices whatsoever. All I need to know is that a man
# is a member of the human race. That's bad enough for me.  -Mark Twain
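
Added example, not part of the original post: a sketch that puts numbers on the disagreement above, counting how many real codes remain possible when a known duress code was derived by the rules named (one digit incremented or decremented, two digits transposed) and comparing that with a lockout limit. The 4-digit code, the limit of 3 attempts, and wrap-around between 9 and 0 are assumptions.

```python
from itertools import combinations


def derived_neighbors(code):
    """Codes one derivation step away from `code`.

    Rules from the post: one digit incremented or decremented, or two
    digits transposed. Wrapping 9 <-> 0 is an assumption. Both rules are
    symmetric, so this is also the set of real codes that could have
    produced a given duress code.
    """
    out = set()
    for i, ch in enumerate(code):
        for delta in (1, -1):
            digit = (int(ch) + delta) % 10
            out.add(code[:i] + str(digit) + code[i + 1:])
    for i, j in combinations(range(len(code)), 2):
        chars = list(code)
        chars[i], chars[j] = chars[j], chars[i]
        out.add("".join(chars))
    out.discard(code)  # swapping two equal digits changes nothing
    return out


def guess_probability(candidates, attempts):
    """Chance of hitting one specific code in `attempts` distinct tries."""
    return min(1.0, attempts / candidates)


def compare(duress, lockout_attempts):
    """Exposure of the real code once the duress code is known."""
    derived = len(derived_neighbors(duress))
    independent = 10 ** len(duress) - 1  # any code except the duress code
    return {
        "derived_candidates": derived,
        "derived_p": guess_probability(derived, lockout_attempts),
        "independent_candidates": independent,
        "independent_p": guess_probability(independent, lockout_attempts),
    }


if __name__ == "__main__":
    # Constructed sample values: duress code 4821, lockout after 3 failures.
    for key, value in compare("4821", 3).items():
        print(f"{key}: {value}")
```

With these assumptions the lockout leaves roughly a one-in-five chance against a derived code, compared with about 3 in 10,000 when the duress code is chosen independently of the real one.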


