
Microsoft Fingerprint Reader - The Fine Print


In case you haven't noticed, computer keyboards and laptops in the Windows PC world have lately been sporting a little pad for reading fingerprints.

Notice the fine print at the bottom of this page, which I'll quote here in case it goes away:

Microsoft Fingerprint Reader
"The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities."


Why do you suppose Microsoft and all those hardware makers would go to all the trouble to add a fingerprint reader to laptops and keyboards, and then advise you not to use it?

Probably because they know something that the average consumer doesn't: these devices can be spoofed.

It's only a matter of time before there are clear, step-by-step instructions available on the internet for lifting a fingerprint and applying it to a model finger for spoofing purposes. Heck, there might be some online now, and I just haven't seen them yet.

Biometric Devices and Fingerprint Spoofing

Faking fingerprint readers (or other biometric devices) - a collection of links and papers

Failure of fingerprint locking system in prison in 2005


If you think about these things for a minute, you would never touch one without wearing a glove. Where is the digital fingerprint stored? That's right, on the same rootkit-infested Windows PC prone to worm and virus attack.

Will rootkits soon be intercepting the fingerprint data and adding that to your stolen profile information in that giant hacker database in the sky? You can bet they will, because you can be assured that not everybody read the fine print. These devices are so common on laptops now that there are undoubtedly some juicy bank accounts "protected" by the Microsoft Fingerprint Reader.

The bad guys will have your biometric data in a database long before the FBI gets it done, because the bad guys do all this stuff with the lowest possible overhead. They just add another routine to their worm / virus / trojan / rootkit package and it flows out to all the zombie PC systems on the net that day. Since their data flows are mostly encrypted nowadays, it might already be happening and we just haven't proven it yet.

Friends don't let friends use fingerprint readers. At least not today, when they are so clearly peddling a false, and perhaps even criminally negligent, sense of security. The people selling these things ought to know better. Oh, that's right. They do know better. Hence the fine print.

--
NOTE: Thanks to my good friend Joe S. in Tucson, Arizona for asking me, "Would you touch one of these without a glove?"

Comments

Peter said…
The only people I've ever seen use these are tinkerers who are excited by the novelty. Usually they figure out how to get the PAM plugins in Linux to log them in. After a few short hours they get bored and turn it off.
Wow, that is scary. It's pretty shady (and yet not surprising) that Microsoft would even be selling this product knowing as they do that it is not an effective security device.
Anonymous said…
The device is very good and makes PC use faster and easier, NOT safer... anyway, if you let me access your PC - with or without the fingerprint reader :)) - I can get the stored passwords in no more than 2 hours; so I'd rather use the device because it is way easier than remembering/typing numerous passwords all day long (I work in IT and I am not scared about my friends hacking my Yahoo mail :)) ).
Wherever you really need security is very simple: you DO not use this device, which however is great (for its purpose).
