The question is why people let their identity taken or archived.@90nOn Sat, Feb 3, 2018 at 3:36 AM, InterN0T via Fulldisclosure <fulldisclosure AT seclists.org> wrote:Exactly how many people are using these banknotes for "fake fingerprints" with their phone?The reason why you use your own fingerprint, and not a standardized hologram fingerprint from a Euro bank note, is so that only your fingerprint can unlock your phone for example.This whole advisory seems like one big troll.For example this:--5. [Truncated] An agent could for example save data variables in the biometric sign of the banknote to exfiltrate information.Note: Yeah they could also embed secret information anywhere else in the bank note, for example the micro-text, UV text, or probably even INSIDE the bank note.--A lot of fingerprint readers are pretty bad and imperfect by design too.Mythbusters Fingerprint Bypass:Note: Look at the end where they used a photocopy on a piece of paper to bypass that particular lock.German Fingerprint Hack:https://www.theguardian.com/
technology/2014/dec/30/hacker- fakes-german-ministers- fingerprints-using-photos-of- her-handsMaster Fingerprints Hack:https://www.express.co.uk/ life-style/science-technology/ 791055/smartphone-fingerprint- scanner-hacked-criminals-scan- dataHot Glue Fingerprint Mold:General flaws about fingerprints:-------- Original Message --------On February 2, 2018 7:56 PM, Ben Tasker <ben AT bentasker.co.uk> wrote:>There's some detail in the Vulnerability magazine link, reproducing here so> there's a record>> We discovered an anomaly in the hologram section of the new printed 20€ &> 50€ banknotes. The security sign on the banknotes are produced with a> transparent film. In the middle of the new hologram of the 20 & 50€> banknotes is a picture of a women and different fingerprint-like> structures. At the moment we noted the problem, we used a microscope to> look closer.>> After an internal discussion, that the security sign could maybe used for> biometrics authentication processes, we tested the hologram for usage on> different fingerprinter-scanners like asus pro laptop, eikon, samsung> galaxy S7/8 and the apple iphone v11. All mechanisms could be bypassed> using the hologram of the banknotes to fake a fingerprint which is accepted> by the fingerprint-scanner system. After that, the attacker is able to> relogin with the universal hologram.>> Finally, we were able to bypass the the biometric identification process of> the different devices. No system is able to identify, that the hologram is> not a real fingerprint. At the end, we figured out in the testing process> that the holograms can be used to add via write and auth via read. There> are now muliple problems in connection to the security issue.>1. Fingerprint - Reader & Writer (Mobile Devices)>> The end user devices like phones with fingerprinter sensors of> manufacturers like samsung, apple, huawei & co are permanently vulnerable> to this new type of attack. The sensor does not approve the reflection of> the hologram in the read and write mode. It interprets the security signs> as features of a real fingerprint. Thus results in an easy bypass using any> 20€ or 50€ banknotes after registration. To use an attacker only requires> to use his finger behind the hologram to bypass the fingerpulse check of> the idevice. All other mechanism are not accurate approving the content> during the sensor check.>>>2. Biometric Security in Europe> Each time the EZB produces more of the affected banknotes, the biometric> security in all over europe countries is generally weakened. In the near> future the EZB plans to inetrgate the holograms to any banknote (5€, 10€,> 100€ & Co.). This would be a crazy incident for all biometric systems using> a fingertip to authenticate because of any person is by now able to perform> those typ of attacks against an environment or service.>>>3. Fake fingerprints to go> Any person that has access to a system could use a hologram of a european> banknote to fake his fingerprint. Even the once which do not have the> expertise to fake it because in case of a publication, the government would> have to reckon with it.>>>4. Universal fingerprint as key> One time a hologram is written to a database, any attacker could use> another hologram of the same banknote series to bypass the security> mechanism to finally get access to the environment. Also administrators or> moderators are able to setup a universal fingerprint key to any dbms for> further entrance.>>>5. Save content in biometric signs or read data> The problematic could be used by security agencies to save data in the> biometric sign or to use them to get access to protected environments. An> agent could for example save data variables in the biometric sign of the> banknote to exfiltrate information.>>>6. Information in the hologram> In the special case of a fingerprint entry is generated by mathematical> variables with plain information, the content can be saved as plain-text> information to extract the binary information. The binary information of> the hologram fingerprint can then be decyphered by using different unknown> one-time pad keys. So the data of the fingerprint is translated to binary> code with a fingerprint device (open source) in plain-text. The plain-text> is then used to identify chiffre inside the security sign hologram.>>7. Save your Privacy>> At that point people can as well use the hologram to authenticate for a> system or to a mobile device. In case of a user do not want to save his> personal fingerprint to any untrusted device. Then they can by now use the> hologram to save a fingerprint to authenticate the full anonym way.>>8. Bypassing the biometric security with the help of banknotes>> Spread Exposition Exploitation Detection> LOW MODERATE MODERATE EASY>> Problem Description & Causes> Reference 1 has proved the biometric security of European bills for> counterfeiting a fingerprint in a PoC.>> Possible threat scenarios>>9. Avoiding person-related biometric backup in mobile devices, such as the> Apple iPhone, u.v.m.>>10. If necessary Falsification of the biometric identifiers of identity> documents. Fake ID documents can be sold on the black market with a one
> time registered fingerprint. The number of copies and persons is irrelevant.
>11. Generate Awareness among Manufacturers and Users of Smart Meter> Biometrics.>>12. Educate data feeders so that fingers are free of foreign matter (e.g.,> glue, or the like) and checked.
>13. Organizational measures>
> a) Review of existing biometric profiles on devices
> b) Modify process of identification of biometrics
> c) Check the biometric data for duplications in IT systems and databases
> My comments:
> The title is fairly misleading (or I've misunderstood the article). I
> assumed this was actually some sort of weakness in the production of the
> banknotes themselves (perhaps ineffective anti-counterfeiting measures...),
> but it seems to be more that there's an embossed "fingerprint" which
> various biometric readers will actually believe to be a real fingerprint
> (and having your finger behind it will sort the pulse detection issues)
> The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them access
> whilst also meaning you didn't at least have a hash of their real
> fingerprint for forensics to find.
> Another theory is that users might opt to use a banknote instead of their
> own fingerprint. I'm not quite sure what the likelihood of that is, in that
> it's not exactly convenient, and if you're concerned about privacy
> implications from a fingerprint scanner the best option is not to use it.
> What it does show (which is already known), is that commodity fingerprint
> scanners remain easily fooled. So much so, that an "acceptable"
> non-fingerprint is being accidentally mass produced and will soon be in the
> pockets of millions of people.
> On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton noloader AT gmail.com wrote:
>>On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
>>>Banknotes Misproduction security & biometric weakness
>>>Technical Details & Description:
>>>In the last months we reviewed the new 20€ & 50€ Banknotes of the
>>> European Central Bank. One of our core team researchers identified
>>> that for the security sign of the holograms are different components in
>>> usage. The security signs are build by the European Central
>>> Bank with several high profile elements in the signs to ensure, that the
>>> banknotes has a serious level of protection again fraud or
>>> fake money. After processing some time to identify an impact, we were
>>> finally able to identify the following security problematic ...
>>>The details seem to be missing from the announcement and the website.
>>Sent through the Full Disclosure mailing list
>> Web Archives & RSS: http://seclists.org/
>Ben Tasker>>>Sent through the Full Disclosure mailing list> Web Archives & RSS: http://seclists.org/
fulldisclosure/>______________________________ _________________Sent through the Full Disclosure mailing listWeb Archives & RSS: http://seclists.org/ fulldisclosure/