Re: [FD] Banknotes Misproduction security & biometric weakness
- From: Vulnerability Lab <research AT vulnerability-lab.com>
- Subject: Re: [FD] Banknotes Misproduction security & biometric weakness
- Date: Wed, 7 Feb 2018 12:22:14 +0100
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: fulldisclosure AT seclists.org
On 31.01.2018 at 17:21, Vulnerability Lab wrote:
> Hello Ben Tasker,
> sorry if the title of the issue did lead you to misunderstand the
> article. The currency is still secure.
> The title refers to the information used for the issue. In case it was
> misleading we will update it but you were the first who misunderstood
> the article by comments.
> "The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them
> access whilst also meaning you didn't at least have a hash of their
> real fingerprint for forensics to find."
> This is correct. Also the problem that others can access with the same
> hologram into for example the high protected area (mil & gov).
> "Another theory is that users might opt to use a banknote instead of
> their own fingerprint. I'm not quite sure what the likelihood of that
> is, in that it's not exactly convenient, and if you're concerned about
> privacy implications from a fingerprint scanner the best option is not
> to use it."
> What about, if the fingerprint of Lenovo (bug disclosed parallel to
> us) is our European currency. Means the hardcoded fingerprints that
> published parallel is exactly what we refer to when we talk about a
> universal fingerprint. In the real life it is pretty easy to use it in
> large companies due to the registration and as well on entrance. Maybe
> you feel like the practical interaction can not happen, we can confirm
> you from Germany we were successful. The government disallowed us to
> register the fingerprint to the real system otherwise a compromise
> could not be excluded.
VULNERABILITY LABORATORY - RESEARCH TEAM
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/