Cyber Vulnerabilities of Biometrics
Bojan Simic, CTO @ Hypr Corp.
@bojansimic, hypr.com
What’s this talk about?
Current methods of proving “I am who I say I am” have failed miserably.
Our Authentication Failures
Top 15 Passwords of 2014
1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
“2FA Systems Used by Banks Bypassed with Malware, Rogue Mobile Apps”
Biometrics to the Rescue
Not so fast...
• Man in the Middle (MITM) attacks
• Malware
• Biometric storage (digital lockers)
• BYOD / Internet of Things
Biometrics the Wrong Way – Example 1
Malware bypasses client-side verification: the device does the match and simply tells the server “verified”, so malware only has to forge that answer.
Biometrics the Wrong Way – Example 2
Man in the Middle attacks on biometric storage: templates sent to, or held in, a central repository can be intercepted and replayed.
Do’s and Don’ts of Biometric Security
Do
§ Do encrypt everything
§ Do device tracking
§ Do behavioral analysis
§ Do require 3-factor security
Don’t
§ Don’t do client-side verification
§ Don’t store biometric data in a centralized repository
§ Don’t rely on passwords
§ Don’t do verification of template data remotely
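The two “wrong way” slides and the Don’ts above come down to one design rule: the server must never accept a client-asserted “biometric OK” flag, and it must never receive or store the template. The following is an added example, not code from the talk or from Hypr. It simulates both flows: a naive server that trusts a flag (defeated by malware that just sends `True`), and a FIDO-style flow in which the template and a device-bound key stay inside a modelled secure element, the match only gates use of the key, and the server verifies a signed single-use challenge. The matcher is a toy byte-comparison, and HMAC over a per-device secret stands in for the asymmetric signature a real FIDO authenticator would produce; all class and function names are hypothetical.

```python
"""Added example: client-asserted match result vs. device-bound challenge/response.
HMAC with a per-device secret is a stand-in for a FIDO-style asymmetric signature
(assumption); the server stores only a device key, never the biometric template."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


# ---- The wrong way: the client reports the match result and the server trusts it ----
class NaiveServer:
    """Believes whatever the client says about the biometric check."""
    users = {"alice"}

    def login(self, request: dict) -> bool:
        return request.get("user") in self.users and request.get("biometric_ok") is True


def malware_forged_request(user: str) -> dict:
    # Malware never touches the sensor; it only has to assert success.
    return {"user": user, "biometric_ok": True}


# ---- Better: match on the device, prove a device-bound key to the server ----
def template_match(sample: bytes, template: bytes, threshold: float = 0.9) -> bool:
    """Toy matcher: fraction of identical bytes (real matchers are fuzzy and
    far more complex). Only here to gate the key inside the secure element."""
    if not template or len(sample) != len(template):
        return False
    same = sum(a == b for a, b in zip(sample, template))
    return same / len(template) >= threshold


class SecureElement:
    """Models hardware holding the template and the device key. Neither leaves
    the boundary; the key is used only after a local match succeeds."""

    def __init__(self, template: bytes):
        self._template = template
        self._key = secrets.token_bytes(32)

    def registration_material(self) -> bytes:
        # With HMAC this is the shared key; with real FIDO it would be the public key.
        return self._key

    def match_and_sign(self, sample: bytes, challenge: bytes) -> Optional[bytes]:
        if not template_match(sample, self._template):
            return None  # no match, the key is never exercised
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Stores device keys and outstanding challenges; holds no biometric data."""

    def __init__(self) -> None:
        self.devices: Dict[str, bytes] = {}
        self.pending: Dict[str, bytes] = {}

    def enroll(self, user: str, device_key: bytes) -> None:
        self.devices[user] = device_key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a replayed response fails
        key = self.devices.get(user)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Runs the scenarios on constructed sample data and returns the outcomes."""
    alice_template = bytes(range(64))                                   # constructed enrolment scan
    alice_sample = bytes(b ^ 1 if i < 3 else b for i, b in enumerate(range(64)))  # slightly noisy rescan
    impostor_sample = bytes(64)                                         # someone else's finger

    se = SecureElement(alice_template)
    server = Server()
    server.enroll("alice", se.registration_material())

    naive = NaiveServer().login(malware_forged_request("alice"))

    nonce = server.challenge("alice")
    response = se.match_and_sign(alice_sample, nonce)
    genuine = server.verify("alice", response)
    replay = server.verify("alice", response)  # captured response replayed: challenge already consumed

    nonce = server.challenge("alice")
    impostor = server.verify("alice", se.match_and_sign(impostor_sample, nonce))

    nonce = server.challenge("alice")
    forged = hmac.new(b"malware has no device key", nonce, hashlib.sha256).digest()
    malware = server.verify("alice", forged)

    return {"naive_accepts_malware": naive, "genuine": genuine, "replay": replay,
            "impostor": impostor, "malware_forged": malware}


if __name__ == "__main__":
    print(demo())
```

Two caveats the simulation cannot show: the hardened flow only holds if the match gate and the key really live in the same hardware boundary (secure element or TEE), otherwise OS-level malware can skip the match and call the key directly; and because HMAC gives the server a copy of the secret, a production system uses an asymmetric key pair so that a server breach yields nothing an attacker can authenticate with.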
Free tools for your consideration
§ FIDO (Fast IDentity Online) Alliance
§ Read it, learn it, love it
§ Open Web Application Security Project (OWASP)
§ Read the Top 10, especially the authentication items
§ Join and participate
§ Dozens of free tools and documentation
§ Join pilot programs for new biometric tech
Thank You!
Email - [email protected]
Twitter - @bojansimic
https://hypr.com