[extropy-chat] RFID smartcard passports and driver's licenses
Samantha Atkins
sjatkins at mac.com
Sun Apr 10 19:42:52 UTC 2005
On Apr 9, 2005, at 10:13 PM, Mike Lorrey wrote:
> Personal biometrics that stand a chance of being left lying around are
> insecure keys. You leave your DNA all over the place, and your
> fingerprints remain on everything you touch. Retina scans seem the only
> really secure biometric, save the risk that someone is likely to gouge
> out your eyeball to get your key (or forcibly scan you while under
> restraints, physical or drug-induced).
>
I would not use them for keys others may use. I would require that
sensitive personal data be controlled by the person it is about and
only released to others in a controlled way and in chosen amounts when
the device is actually on the person whose biometrics it is coded to.
The data device could only be accessed and told to release information
by the person whose biometrics matched its internal coding. A private
pass phrase on top of this should make the device fairly immune to
successful cracking even if someone with a good enough lab had your
biometrics and the skill to fake them to the device. At the very least
such a device is immune to casual information stealing and identity
theft which is where my initial comments on the subject started from.
> Beyond this, the risk is that you have to trust any piece of equipment
> that demands to scan you. This is vulnerable to man-in-the-middle
> attacks similar to the fake-ATM scam, where you would see some kiosk
> providing some product or service you wanted (stamps, ATM, subway
> passes, concert/theater/airline/sports tickets, candy or other food
> vending, etc.) that would demand your retina scan and a scan of one of
> your payment cards for something real.
The only equipment scanning you is on your person and owned by you and
is not broadcasting that information. So such an attack is not
germane.
- samantha