Palm Vein Scan

f0rgiv3n Connection Overlord Member Posts: 598
At the testing center I went to for the CISSP exam they did a palm vein scan and it sort of intrigued me. I was curious why this isn't in the CBK; is it something that's just too new? Anyone know anything about palm vein scanning for biometrics? Pros and cons? Accuracy?

Reading on Wikipedia it says that vein scanning is something that's new and not widely adopted because it's not extremely accurate.

Hmm Pearson's site says the following:
false-acceptance rate of .00008 percent
source: http://www.pearsonvue.com/sponsors/palmvein/

Comments

• veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,735
    I remember reading about it back in 2009. I'm surprised it is not in the CBK.

    edit: They are collecting biometric data? That just doesn't seem right.
    Currently working on: Linux and Python
• f0rgiv3n Connection Overlord Member Posts: 598
    Ok well, I just googled the CBK and palm vein and it came up with the official isc2 guide to CISSP book. It's a single paragraph. Funny that I never came across it in all of my studies :D
• Humbe Member Posts: 202
    A bit of an overkill...

    LOL
• JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,669 Admin
    Pearson is now collecting biometric information? Because there are no palm scan databases to compare their collected information to, I assume that it will be used to compare multiple testing visits to determine if different people are using the same testing candidate identity. On the other hand, Pearson might be doing nothing with the information other than collecting it for the sake of appearing to be more secure. One National Security Letter later and all of that palm-print data goes right to the government.

    Ugh, I've got to take a break from listening to conspiracy-theory podcasts.
• bobloblaw Member Posts: 228
    I got palm scanned late last year when I took the CISSP, but only when I went to the head. Palm scanned out and in. Not initially.
• f0rgiv3n Connection Overlord Member Posts: 598
    JDMurray wrote: »
    Pearson is now collecting biometric information?
    Ugh, I've got to take a break from listening to conspiracy-theory podcasts.

    Hahaha! No, actually the way they do it is you enroll by providing them with two forms of identification as usual, and they then grab your biometric info and pic. So I assume that is to tie your biometric info to your ID. Once that is complete it's only used to authenticate when going in/out of the testing room. As far as I know, that data is not kept permanently, because everyone in the room had to enroll.
• blueberries Banned Posts: 138
    They can take my face-palm-scan before I give up any biometrics on my person, willingly.
• paul78 Member Posts: 3,016
    f0rgiv3n wrote: »
    So I assume that is to tie your biometric info to your ID. Once that is complete it's only used to authenticate when going in/out of the testing room. As far as I know, that data is not kept permanently, because everyone in the room had to enroll.
    Ok. That makes a bit more sense. Given the privacy issues related to collecting that information, I would have the same apprehension as @blueberries.

    I suppose the speed of in/out bathroom breaks for something as long as the CISSP makes sense. Back in the old days, I remember it was an escort to the bathroom who checked that no one else was in it. And they waited outside until you were done.
• BizBoom Registered Users Posts: 3
    Well, I took the test today and yep, they have the palm scan tool being used prior to taking the test. Also there were a few questions on the test about it. lol, never have found any book with vein scanning questions, so was surprised to see it in the test. Of course I got it wrong lol
• Anti Palm Vein Scanning Registered Users Posts: 2
    I didn't want to give up my biometric data (a religious reason for me, which is recognized in California -- gotta love California for some things!). So, I met all the other ID requirements, but because they wouldn't make a religious exemption (and the phone call with ISC2 was recorded and posted at https://www.youtube.com/watch?v=J8nsEBgwIiA -- for just the audio since it was just a phone call -- the fun starts at about 4 min 38 sec into the recording), I eventually had to file a lawsuit to achieve a religious exemption.

    It is currently in Federal Court (ISC2 and NCS Pearson moved it there from California court), in the Southern District of California. I'm not a lawyer, but I strongly believe in protecting my (and your) rights NOT to have to submit to a palm vein scan! Additionally, I did some checking on ISC2's website, and it appears that they are shipping the biometric data overseas, and without audits or controls. If this is true, then no self-respecting CISSP would sign off on a proper privacy audit for test-takers, don't you agree? I'll post more here when there's new info in this case. In the meantime, especially if you're in California, feel free to write me if they try to force you to submit to a palm vein scan, which I contend is contrary to the Unruh Civil Rights Act in California.
• ITSec14 Member Posts: 399
    Next they will want DNA samples...
• p@r0tuXus Member Posts: 532
    Additionally, I did some checking on ISC2's website, and it appears that they are shipping the biometric data overseas, and without audits or controls.

    Can you provide a link to this information, please?
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
• Anti Palm Vein Scanning Registered Users Posts: 2
    The following info is at https://www.isc2.org/privacy-policy.aspx starting about halfway down the page.

    When I asked ISC2 about any audit or proof that only partial palm vein scan info is being stored, and *if* it is being deleted after 5 years, they had no proof of anything.
    When I asked ISC2 which "partners" or other companies in other countries this data is going to, ISC2 refused to state this.

    So, we have unknown data, going to unknown and unaudited 3rd parties, who are *maybe* following a privacy policy? Methinks not.
    I'm all that much happier that my practice of religion just avoids the whole sordid issue. I feel kind of bad for everyone else, though ... and this is for the CISSP exam? Is there a hidden camera somewhere, or is this some kind of a joke to see how gullible candidates are?

    Two side notes:
    - ISC2 and NCS Pearson (the test centers themselves) are very large companies, and also do testing for many groups, including nursing organizations, and the TSA! (yes, *that* TSA from airports!). So from a hacking perspective, collection of a huge pile of biometric data on critical infrastructure folks is a risky and problematic venture. And shipping it all overseas, to South America or China or who-knows-where, with unknown audits or security there, compounds the problem exponentially. If a TSA or US Gov Security CISSP travels overseas, I can imagine data from one or more databases being used to identify them, and try to "compromise" them, overtly or covertly. Lots of spy vs. spy stuff, without getting all paranoid about that, but still ... (just trying to be aware and consider the possibilities)
    - ISC2's president has made statements about growing ISC2's business and revenue (not a bad goal for the company president, I'll admit). So, he's collecting this huge pile of biometric data, backed up by multiple IDs. And the privacy policy may be changed "at any time" by ISC2. What do you think would happen if ISC2 got a contract (think lots of new revenue and business) for ISC2 to manage the checkpoints for TSA personnel to be authenticated at their jobs? Or for hospitals and nurses to use this information as their ID cards? Major new business area? It can become a biometric single sign-on across industries, which I think is where they might be going. And by having the info overseas, there are no controls or audits on what information is really stored, or for how long, or used for what purposes. It also becomes increasingly problematic. If you wanted to get into that business, you'd first need a database of individuals, otherwise you're waiting 5+ years to try to amass all that data. Well, ISC2 and NCS Pearson are already collecting that data, so they may already be moving in this direction. I'm just saying: what are the risks, and what data is truly private?
    Here's the Privacy Policy, starting about halfway down the webpage from above:
    "As (ISC)² is an organization based in the United States your personal data will be collected and processed in the United States by (ISC)² and third parties acting on its behalf in accordance with and for the purposes set out in this Privacy Policy. If you do not wish your personal data to be handled in this way, please inform us using the contact details below.

    Biometric Data: Where permitted by law, (ISC)²'s examination vendor uses biometric data to authenticate those taking its exams. While neither (ISC)² nor its examination vendor retain raw biometric data, the examination vendor does retain, for a period of five years following the person's last contact with the vendor, data based upon an algorithm of the palm scan received when accessing an examination site. This assists (ISC)² in assuring the identity of those taking its exams and preventing fraud in the exam process. This data is destroyed after the five year period and is used for no other purpose."

    Yeah.... right. I don't really believe that last part, and what *if* they suddenly say the data was "lost" or compromised? Or if they change their policy and ... "my bad", it's now being used for other purposes? What recourse do you really have? It's YOUR biometric, and you can't change your palm vein signature! Just a bad idea to be using biometrics as logins, imho. And what about *why* ISC2 claims to want your biometric? To reduce fraud from professional test takers across more than one test? How about showing some statistics on the prevalence of that problem, and the conviction rate? Otherwise, it's a "boogey man" non-problem with a conveniently problematic solution, and the "solution" (if palm vein scanning) is worse than the problem, in my opinion.

    Your opinion?
• renolds Registered Users Posts: 3
    Totally agree. It's not a good idea to provide so much PII information to a testing company. Tests for GIAC for instance don't require it. They take a photo and look at your passport to identify you.

    Not all Pearson Vue testing centers I've been to in the UK are that secure either, with routers sitting on the reception desk and ethernet ports easily accessible. One in particular was run by a person who tried to reset my system by turning my monitor off and on again (after the browser based exam got a 404 error). I wouldn't trust these companies with my information.

    Just recently, after studying to sit for the CISSP exam, I came across the requirement for a palm vein scan (as well as collecting a lot of other information when you register). I felt uncomfortable with it as it didn't seem right (GIAC doesn't do this). So I emailed ISC2 and they said it was a requirement (unless you have a religious or medical reason not to). Decided to give up on CISSP, so now I'm studying for CISM.

    In the end, if a company is only hiring based on CISSP or CISM alone or some similar certification, it's not a place I would want to work for. The certification is just a nice to have; experience is worth more.
• stephens316 Senior Member Member Posts: 203
    I think everyone should band together and file a class action lawsuit against them.
    ______________
    Current Studying : GPEN |GCNF|CISSP??
    Current Reading : CISSP| CounterHack|Gray Hat Hacking
    Completed 2019 : GCIH
    Free Reading : History Books
• MontagueVandervort Senior Member Member Posts: 399
    Thanks for reviving this thread.

    I wouldn't have seen it otherwise.

    Will be striking CISSP off my 2020 list now.

    Thanks again
• EANx Member Posts: 1,078
    I think everyone should band together and file a class action lawsuit against them.
    US courts require someone to have been harmed by the policy. I suspect you'll struggle to find someone who has been harmed, never mind a class of someones.
• stephens316 Senior Member Member Posts: 203
    Illinois has one of the strongest biometric protection laws and recently made the news. Thus if ISC2/CCSP is now requiring finger/hand prints for test taking, this could be an issue if they aren't doing proper informed consent and protecting/using the data appropriately...

    https://www.eff.org/deeplinks/2019/01/victory-illinois-supreme-court-protects-biometric-privacy

    http://www.nprillinois.org/post/supreme-court-upholds-biometric-privacy-law#stream/0

    I live in Illinois, so I am taking it as not giving consent for that, and I will choose not to take any breaks anyway. And for the simple fact that this is PearsonVue collecting the data, not ISC2 (not that it would matter): no, you can't have my data.

    Has anyone in Illinois challenged this?

• QuisUtDeus CISSP, CISSP-ISSAP, CISM, CISA, ITILv3 Expert, RHCSA, Prince2 Foundation Member Posts: 24
    I have been to a testing centre (CISSP-ISSAP) on 29th Jan 2019 and no palm scan was done. They just took a face photo. I believe it is not legal to collect that kind of biometric data as the purpose of processing can be achieved in a less obtrusive manner (ID check + photo [and even the photo is questionable]).