Hacker News: darefalcon's comments

Companies that penetrate networks uninvited looking for vulnerabilities to create blog content should be prosecuted IMHO. This piece in particular sounds like a hit piece thinly veiled as a vulnerability disclosure.

“We thanked them for their co-operation”. Sounds kinda like extortion.


> Companies that penetrate networks uninvited looking for vulnerabilities to create blog content should be prosecuted IMHO.

Your comment could be rephrased as, "Companies who carelessly collect and store sensitive user data insecurely should not be closely scrutinized, and should be left alone to continue exposing innocent user data to malicious cyber criminals."

Looks a lot different when you look at it from that angle, right?


It's a crime; anyone who tries to hack a large company without being invited would get seriously prosecuted,

but as the law practice says "If you have billions of USD, laws don't apply to you anymore".


way to shoot the messenger.


Are you serious?


It's actually worse than that: AI-powered phishing sites will also copy your device profile and mouse, gesture and keyboard signature and use this to get past common anti-fraud techniques like device fingerprinting and behavioural biometrics.


What does AI have to do with capturing inputs?


Not just capturing, but training on captured inputs to replicate the fingerprint.


laughable


How about an actual rebuttal instead of smug dismissal? Let us in on the joke, genius.


If you want to replicate a fingerprint, just get one image of one fingerprint.

If you want to create an average-looking fingerprint, use an AI.


I mean, the mere existence of said biometrics implies that they're inferrable and thus bad security, like basically all biometrics.


I think this is one of those "the only thing that's worse is everything else" situations. Surely there are solutions, but I doubt there are solutions banks and payment processors would be interested in paying for, and at least the US government isn't particularly interested in compelling banks to do anything expensive.


basically everything that retains the same structure between two occurrences can be inferred. Only randomness cannot be inferred.

But true randomness is not useful for determining if you are who you say you are.


Even a password can be changed if there's a compromise. Biometrics are bad because they can be imitated, but not changed. A breach is permanent.


good point, but that was left out of the earlier statement about inference. I suppose I should have inferred it however.


Yea, my bad I guess. I tend to think people mostly get that biometrics are, well, mostly immutable and that not being able to switch them up in response to a suspected breach is a huge inherent weakness. So the only defense I really get of them from anyone is that the effort for the user is minimized while the effort for the attacker is still fairly high. The problem with that is why I mention inferrability: the existence of a computer system that can authenticate via a biometric implies the existence of one that can capture and spoof it, and we don't have any reason to believe this involves, say, more of a cost disparity than cracking a password, let alone anything approaching a strong one-way function. If your face is your key, do you start hiding your face on the street so no one can steal it? Same thing for behaviorals.


And yet, used extensively.


When I call my bank they verify with my voice. There is further verification for meaningful actions, but it's still kind of crazy to be using "My Voice is my Password" in this day and age.


Better than my bank, which tries to ask questions about my life from some lookup service that has incorrect information.


Especially since "My Voice is my Passport" was defeated in that movie with a tape recorder and technology at the time. It was never a good idea and even the movie didn't seem to think so.

Yet my bank just turned this on for me as well in 2024. Now I have to figure out how to disable it...and will it really be disabled?


I mean SSNs are the worst possible authentication mechanism and yet we still have to freak out every time they're leaked. Security practices are so utterly backwards everywhere that it's quite apparent no one powerful is incentivised to care even a little bit.


what's the practical alternative?


Not pretending a GUID constitutes a security measure in the first place? It's just not the right tool for the job in any sense.


Digital ID card for every citizen? My ID card can prove identity or sign a document and could for ~10 years. Estonia has had it for over 20 years.

Just give it to everyone. Today, it can likely be embedded in a cell phone instead of separate physical card.


What do you mean? I don't know of any country except the US where SSN is used for authentication. In my country SSN is public information.


Scanning your digital ID card would be a start, but oHnO that's cOmmUniSM!


Wouldn't this just result in my digital ID getting lost in the next Equifax breach?


Did your credit card get lost in the last one?


How would I know one way or the other if it had? I don't have the same number anymore.


pickpocket's paradise!


But it's not so scalable as online connected DB.


Agree. Cross-site tracking of devices without consent is going the way of the dodo. With respect to fraud prevention, being able to analyse device signatures along with identity and behavior on a per-site basis is the only reason we are able to enjoy what's left of the 'open web'.


"World's most accurate": source, fingerprintjs. Sounds legit.

