The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    What are fingerprint readers for?

    Discussion in 'Security and Anti-Virus Software' started by mzatanoskas, Apr 18, 2011.

  1. mzatanoskas

    mzatanoskas Notebook Geek

    Ok a slightly inflammatory question, but what I really mean is, just how secure are they, how much of your data can they really secure?

    1. Is the reader itself accurate, not hackable, no false positives?

    2. Is the software driver bug free and not hackable?

    3. Can't you just boot up using a linux cd to get access to all your normal data?

    4. Are internet passwords and other 'private' data kept securely in Firefox, IE or Chrome when protected by a fingerprint reader, or can you hack that by booting another OS as well?

    Basically I have internet banking and am going to be traveling a lot with a laptop. I'm not sure I trust a fingerprint reader to keep any really important passwords safe if the laptop was stolen, and don't see the point in having one if it's just going to stop casual prying eyes...
     
  2. Hungry Man

    Hungry Man Notebook Virtuoso

    You can't just boot into a linux CD to see it, it's encrypted. FF, IE, Chrome all encrypt their passwords on the disk as well so you don't have to worry about that at all.

    The reader is pretty safe but it's not for keeping passwords, really. I don't know about the driver/ software itself being secure but I would assume so...

    I don't believe you'll be getting false positives. You still need to match up the fingerprint to get in.
     
  3. Christoph.krn

    Christoph.krn Notebook Evangelist

    It's impossible to guarantee that any given fingerprint reader cannot be fooled. In fact, it's very easy to fool most fingerprint readers.
    Similarly, there can be false positives, but the chance is very low.

    It's impossible to guarantee that the drivers are bug free. Following the general assumption that every software that surpasses a certain amount of complexity has bugs, one has to assume that there may very well be bugs in the driver. However, the fact that it's usually extremely easy to fool a fingerprint reader, as well as the fact that social engineering usually works very well should an attempt to fool a fingerprint reader fail unexpectedly, make it very unlikely that someone will exploit a bug in the fingerprint reader's driver since there are typically easier ways to crack a system (which is not a guarantee that no one will attempt to do so, of course).

    This depends on what encryption mechanisms you are using for the harddisk, as well as on how good your security concept is. Please have a look at "Security is not a solution, it's a concept".

    Given the fact that the passwords may be captured in various ways, of which some do not even require an attacker to get into your system at all, you cannot really say that anything can protect your passwords unless you have a good security concept (see answer to question 3). Furthermore, the same considerations apply as do for question 3.


    -----

    You might want to ask your financial institute what solutions they are offering that are based on a smartcard in combination with a class 3 card reader (has a built-in PIN pad and display to verify what you're about to approve by entering your PIN securely on the reader itself). Please also have a look at post#4823624 as well as the rest of that thread.
     
  4. Hungry Man

    Hungry Man Notebook Virtuoso

    I know with the fingerprint reader on my old laptop you did not push your finger but in fact swipe it. I felt this was a much more secure method since it made it impossible to pull a print from the reader.

    edit: I personally only used that for certain things. I have never bothered securing my computer from attacks that assumed someone HAD my laptop. Considering that I usually have desktop replacements that would be silly.
     
  5. mzatanoskas

    mzatanoskas Notebook Geek

    Thanks for the replies.

    I'm looking at buying a VAIO and was wondering whether to include the finger print reader or not. It's only £30, but I have a feeling that it would just encourage me to become more lax with security in other ways. I know also that I'd waste loads of time trying to get it to work with linux.

    I use truecrypt to encrypt external drives with important data, but I still don't keep any bank passwords written down there. I guess it would be fun to have the fingerprint reader operate the truecrypt volume, but then I'd just be transferring my trust from truecrypt to the fingerprint reader (and if it broke I'd be stuffed because I would have probably forgotten the password by then!)

    As for banking, my main bank uses a card reader, but the savings accounts I have are far less secure. The annoying thing about traveling is that you need to have everything important on you at the same time! Card reader, card, account details etc...

    hmmm...

    I think I'll pass on it. I'm not sure it's going to add security where I need it.

    Thanks again for the input! I'll go and check out those links.
     
  6. Hungry Man

    Hungry Man Notebook Virtuoso

    If you're planning on installing linux... don't bother. It's a pain in the .
     
  7. commander

    commander Notebook Consultant

    I am using it at startup and windows. I have power-on password, HDD1, HDD2, HDD3 passwords and windows password. The passwords are hashed in the TPM chip, so I can swipe my finger 1x and all these passwords are filled automatically. Huge time saver.
     
  8. mzatanoskas

    mzatanoskas Notebook Geek

    @commander

    Does that mean you have encrypted your entire hard drive? So even if the harddrive is removed and placed in a different machine the data can't be accessed?

    How easy is this to set up? Can it be set up on any laptop with a fingerprint reader or does it depend on the type of bios?

    I guess a password at boot up would mean that even if the fingerprint reader didn't work in linux, at least you'd get that initial protection.
     
  9. commander

    commander Notebook Consultant

    No, I have not. For this workflow, you need the fingerprint reader and the TPM chip on your motherboard. The TPM chip can store your passwords, so it can fill them for you. This is a hardware thing, so the OS is not involved, it doesn't matter if you run Linux, because all of this is happening before the OS is loaded. If you remove the harddrive, it is still ata password secured, you only have to fill the password manually. All of this you set in a BIOS, the windows thing is set by a utility (I use lenovo thinkvantage clientsecurity). I don't know if they support linux.

    I think that seagate is doing an encrypted drive, which can also communicate with the TPM module, but I have never understood that technology well enough to trust it.

    But, you can bypass all of these passwords and write them manually (I think it is for cases the fingerprint reader is broken). All stuff I wrote here is based on my experience with Lenovo, I don't know if there are some differences on other manufacturers.
     
  10. Christoph.krn

    Christoph.krn Notebook Evangelist

    "initial protection?" That's an oxymoron which totally makes sense at all. It's exactly what you said you don't want: "I [...] don't see the point in having one [fingerprint reader, remark] if it's just going to stop casual prying eyes...". Please clarify.
     
  11. nemt

    nemt Notebook Deity

    people severely detached from reality
     
  12. olyteddy

    olyteddy Notebook Deity

  13. nemt

    nemt Notebook Deity

    I've used some of the most precise biometric scanning equipment available to the US Department of Defense.

    When I was getting my biometrics login credentials done the first time they had to go through four of my fingers before finding one that didn't already identify me as another DoD employee.
     
  14. TwiztidKidd

    TwiztidKidd Notebook Evangelist

    The fingerprint sensor has a convenience or secure swipe level when using trusted software. There's no workaround for the secure level. The fingerprint software will register the left or right side of your fingertip, it doesn't have to be your fingerprint. If you're right-handed you want to register one of the fingers from your left hand, or if you're left-handed you register any fingers from your right hand, everybody knows this. Please don't link to any websites that explain how to bypass the fingerprint sensor.
     
  15. shakennstirred

    shakennstirred Notebook Evangelist

    I use my fingerprint reader to login to my forums like this one
    but don't use it for online banking etc
     
  16. Zeptinune

    Zeptinune Notebook Evangelist

    Did everyone forget to say it's 'A marketing' icon..

    $€{$€{@@@$ZOMDFG BUY THIS LAPTOP IT HAS A FINGERPRINT READER!?!?!3241£€$£$£2

    I'm being serious too...
     
    Last edited by a moderator: May 8, 2015
  17. chimpanzee

    chimpanzee Notebook Virtuoso

    I have a Dell which has a finger reader and TPM. Though I haven't figured out how the boot up ties with the finger reader. It is now only used under Windows as a replacement of entering password. How do you make the finger reader work with TPM?
     
  18. TwiztidKidd

    TwiztidKidd Notebook Evangelist

    See if UPEK Protector Suite is something you can install and run on your laptop. It's usually mentioned and should be free if it's listed on your manufacturer's driver support website.
     
  19. commander

    commander Notebook Consultant

    It is a BIOS thing I believe... Sorry I cannot help, since I have no DELL. Try the DELL forum here ;)
     
  20. olyteddy

    olyteddy Notebook Deity

    This thread is about fingerprint readers and if someone is seriously thinking of using one they should be aware of any security issues regarding them. Here's another link: Aussie Kids Foil Finger Scanner With Gummi Bears - Slashdot :eek:
     
  21. chimpanzee

    chimpanzee Notebook Virtuoso

    Yes, it is working fine under Windows. I was wondering how it interacts with TPM pre-window stage. Not too keen on chasing after it, just curious.
     
  22. Pitabred

    Pitabred Linux geek con rat flail!

    TPM isn't just boot-up. It stores keys that can be accessed from within Windows if the drivers are installed and working: Trusted Platform Module - Wikipedia, the free encyclopedia
     
  23. chimpanzee

    chimpanzee Notebook Virtuoso

    I know.

    Maybe I try to say it in another way.

    Is it possible to use the finger print reader such that my notebook would be locked until I swipe my finger, even before it goes to the partition loader stage?
     
  24. erig007

    erig007 Notebook Evangelist

    finger print reader can be bypassed (at the windows logon level)
    the truecrypt bios password too (bios level)
    and passwords via keyboard and virtual keyboard too
    the password bank software like keepass and lastpass have weaknesses too so I would rather choose the least among them which is...kfkfkjfkjr


    There is a better solution than the fingerprint reader like the hand vein scanner
    but I propose for your traveling problem another very secure solution which is to combine securities and not replace securities one another (for instance the weakest of both fingerprint reader and windows logon and then your system is bypassed)

    2 freewares : keepass and cryptainer
    2 or more usb keys

    on one usb key a secure volume created with cryptainer LE
    inside the portable version of the freeware keepass with all the passwords and the winkee and floatingpanel plugins

    a very strong master password for keepass
    a simple password you can remember in order to open the cryptainer volume (in case you lose your usb key) or a fingerprint scan

    on the second key : a backup of the cryptographic cryptainer volume containing keepass safely at home that someone could send you in case you would lose your usb key

    a third usb key if you want to add more security, containing the key files and the keepass database

    the result :
    +you will have to plug one or 2 usb keys in your laptop to access your passwords
    +no password would be reachable from your laptop alone in case it was stolen (except in cold boot with access to the system memory)
    +to access your passwords someone would have to bypass the fingerprint reader and have an access to your laptop in order to open keepass, know or bypass your small password, have your usb key(s)
    +with your laptop alone someone would face some very strong passwords
    +a very easy solution to use (1 or 2 usb plug depending on your choice, a fingerprint scan and a small password to type in or another fingerprint scan )
    + no stand alone security easy to bypass
    + each usb key alone is pretty much useless in case it is found
    + easy enough to allow you to reach your passwords in less than 30 seconds
    + no big master password to remember or not at all with a fingerprint scan



    if you trust lastpass all this can be replaced with it (I don't)

    some other solutions : PGP disk, lastpass, a removable hard drive inside the optical bay, etc...
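
The layout in the post above combines factors instead of letting one stand in for another. As an added sketch (not from the thread, and not KeePass's or Cryptainer's actual file format), this shows how a short password and a key file kept on a separate USB stick can be mixed into one vault key, so that holding only one of them gives nothing to test guesses against. All names and sample values are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000           # constructed work factor for this example
CHECK_LABEL = b"vault-key-check"  # constant that is MACed to recognise the right key


def composite_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Derive one key from BOTH factors; neither half is usable on its own."""
    # Hash each factor separately so the boundary between them is unambiguous.
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", pw_hash + kf_hash, salt, PBKDF2_ROUNDS)


def create_vault(password: str, keyfile: bytes) -> dict:
    """Build the header that would be stored next to the password database."""
    salt = os.urandom(16)
    key = composite_key(password, keyfile, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def try_unlock(header: dict, password: str, keyfile: bytes) -> bool:
    """True only when password AND key file reproduce the stored check value."""
    key = composite_key(password, keyfile, header["salt"])
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["check"])


def guesses_that_unlock(header: dict, candidates: list, keyfile: bytes) -> list:
    """Passwords from `candidates` that open the vault with the given key file."""
    return [pw for pw in candidates if try_unlock(header, pw, keyfile)]


if __name__ == "__main__":
    # Constructed sample data: the key file lives on its own USB stick.
    real_keyfile = bytes(range(32))
    header = create_vault("tulip7", real_keyfile)
    wordlist = ["123456", "tulip7", "letmein"]

    # Owner with both factors present.
    print("owner unlocks:", try_unlock(header, "tulip7", real_keyfile))
    # Someone holding the database but not the key-file stick: even the
    # correct short password cannot be confirmed, so guessing has no target.
    print("guesses without key file:",
          guesses_that_unlock(header, wordlist, b"\x00" * 32))
    # With the key file in hand, a short password falls to a wordlist,
    # which is why the key file must travel separately from the database.
    print("guesses with key file:",
          guesses_that_unlock(header, wordlist, real_keyfile))
```

The check value here only confirms the derived key; a real vault would also use that key to encrypt the database itself.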
     
  25. TwiztidKidd

    TwiztidKidd Notebook Evangelist

  26. erig007

    erig007 Notebook Evangelist

    I have a fingerprint scanner on mine too but you should have read the other post carefully
    look at what mister Matsumoto has to say
    Gummi bears defeat fingerprint sensors • The Register
    But even without reading this you could have guessed that even with a pretty strong design the weakness appears pretty clearly : you don't control what fingers are put through the system.
    same problem regarding internet security softwares, you don't control the user of the system or on a highway you don't control how the drivers act etc.
    Here the system reacts to a range of voltage (the relative voltage of two inputs) rather than a specific voltage which gives enough room to be able to fool the system with a fake finger
    interesting link by the way
     
  27. olyteddy

    olyteddy Notebook Deity

    The real point is: even though a mere 'gummi bear' can render your protection invalid, it is enough to keep your average honest person honest. No lock is truly built to prevent theft... ;)
     
  28. Hungry Man

    Hungry Man Notebook Virtuoso

    I agree. You should not be assuming your laptop will get stolen. Do not think "How can I stop someone who has stolen my laptop from accessing the data?" but rather "How can I stop someone from stealing my laptop?"

    Yes, you can take those extra measures but start from the top... protect your laptop. The finger thingy will be plenty to keep family members/ prying girlfriends out.
     
  29. erig007

    erig007 Notebook Evangelist

    I don't give up and I'm still looking for one :D
     
  30. Hungry Man

    Hungry Man Notebook Virtuoso

    You're better off with a padlock then. No software is going to stop people from swiping your laptop.
     
  31. erig007

    erig007 Notebook Evangelist

  32. Hungry Man

    Hungry Man Notebook Virtuoso

    Stick to the lock =p
     
  33. mzatanoskas

    mzatanoskas Notebook Geek

    Well the problem with the lock is what do you lock the laptop to?! Also you could still just remove the hard drive... :eek:

    Don't worry guys, I'm not Ethan Hawke and don't need to be handcuffing my laptop to my arm (just asking for it to be chopped off!). Originally I just wanted to know how secure fingerprint readers were considered, as if they just replaced the windows logon then they are clearly just to stop curious eyes and nothing else. I know nothing about security but I remember a while back it took me a few seconds of googling to find out how to bypass my brother's password and play BF2 on his latest and greatest computer.

    For my needs, a combination of good hefty passwords, maybe a usb key (I'm not sure I completely understood erig007's post but I'll have a reread and google the software mentioned) and a dose of sensibleness will do. My main bank account uses a card reader, other accounts are locked into that account, credit cards have extra passwords and in the past they've been pretty vigilant and stopped payments when I've tried to buy big purchases abroad...

    You're right about the other side of the equation though; how to stop the theft of the laptop in the first place regardless of whether the thieves could access any important data. I've actually traveled around quite a bit and so far have never had anything of worth stolen from me. The main reason for this is that up until now, my main security philosophy has been: never carry anything of worth around with you. I've had people try to pickpocket me countless times, you can see them coming when you know how they operate, but I've never had anything on me worth nicking. The most impressive was a guy who managed to take my wristwatch off my belt while his friends were taking a photo of us... the watch was a cheap Chinese fake I bought for 50p. When I realised he'd taken it I actually found myself applauding him for his well honed pickpocketing technique!

    This time however I'm going to be wandering about with a very expensive new laptop, so I feel a little more uneasy about it. I'll probably buy a kensington lock, but otherwise rely on common sense and decent travel insurance. I had a look at some alarms, but am not sure how I'd put them to effective use. I get the feeling they'd be ineffective in places they are actually needed, and superfluous and unnecessary in places they might actually work....

    If anyone has good tips on this side of the security, I'm all ears!
     
  34. TwiztidKidd

    TwiztidKidd Notebook Evangelist

    I don't know why you insist that I should have a look at that almost 10 yr. old article but I did. He's strictly talking about the optical design, which is outdated (obsolete). Look at the fingerprint sensor I attached, if you see two metal bars on top and bottom and the optical sensor in between this means it uses both optical and active capacitance method. You need to read more about capacitance fingerprint sensors. The secure level is very strict, it'll ask you to swipe your finger like five times before it registers your fingerprint. Yes there's always a way in. If you open up the laptop you have access to everything inside up to and including the fingerprint sensor.
     
  35. erig007

    erig007 Notebook Evangelist

    not so obsolete as the principle is still valid (a pig skin is pretty similar to a human skin, one of the closest in fact and you can guess what comes next)

    easy you make a big hole in the middle of the keyboard and put your lock in or fix an award winning torc ground anchor on your laptop and then lock your laptop to a tree :)

    by the way the strongest locks I have found are the 19mm chain lock from pragmasis and almax (15 pounds per 3 feet). Only some angle grinder and some pneumatic croppers could defeat them

    some nice concepts (sms kill switch)
    http://www.trustedreviews.com/news/Lenovo-ThinkPads-Getting-MSM-Kill-Switch
    https://www.youtube.com/watch?v=7FYVo0myRTo&feature=related

    and the gps tracking system for laptop
    http://www.zimbio.com/laptop+securi...A/Personal+Security+Identity+Theft+Expert+GPS
    http://www.mylaptopgps.com/solution.php
     
  36. Hungry Man

    Hungry Man Notebook Virtuoso

    Many laptops come with a little hole that you can place a lock through. I believe all macs do, for example. It's a very VERY simple security precaution. There are those thin metal ropes that you can put through those holes and they'd either need pliers to cut it or they'd have to tear out a large part of your laptop effectively breaking it.
     
  37. erig007

    erig007 Notebook Evangelist

  38. Hungry Man

    Hungry Man Notebook Virtuoso

    Bike thieves go in expecting to deal with chains. Someone looting a dorm or house might not be. If you're trying to get in and out as fast as possible you probably don't want to deal with the chain. It's a really simple precaution that can save your computer and information.

    Also I use a kryptonite lock on my bike =p
     
  39. erig007

    erig007 Notebook Evangelist

    unfortunately, I found a post of someone who got his bike stolen with the new forgetaboutit u lock from kryptonite in NYC
     
  40. Hungry Man

    Hungry Man Notebook Virtuoso

    I have the chain lock. I also don't leave my locks for that long. The problem is that NO ONE tries to stop people here. I've seen a video where this guy sits on the street and "steals" his own bike with a huge saw for like... 6 hours. No one says anything. The cops pull up at one point and say "you can't be sitting on the street, move to the sidewalk."

    But like I said, my bike is never alone for that long. My laptop never leaves my apartment, except for my CR48, which I never leave alone.
     
  41. erig007

    erig007 Notebook Evangelist

    You're right, that's why an alarm system is way better than any strong chain lock, because with a chain lock people do nothing, thinking you lost your keys or something else; with an alarm going on it's hard for people to fake ignorance. Combining both systems and a gps tracking device will be a good solution. I don't see people not caring when seeing someone using an angle grinder on a chain lock with an alarm going on at the same time; unfortunately, by the time someone reacts your laptop is gone. Even though you're using your laptop, some black pepper in your face and your laptop is gone.
    Here comes the tracking device
    mylaptopgps are right on it regarding their solutions.
     
  42. Hungry Man

    Hungry Man Notebook Virtuoso

    Unless I get mugged I won't be losing my CR48. Considering that it's either in my bag, which I keep on me, or in my room... I'm not worried.

    My stay-at-home desktop replacement is in no danger.

    But this is a bit off topic lol my only point is that encrypting your drive is a poor way to protect your laptop from being stolen, which is what you should really be worrying about if you think that it might happen.
     
  43. olyteddy

    olyteddy Notebook Deity

    This one's from last October: Aussie Kids Foil Finger Scanner With Gummi Bears - Slashdot