Palm Vein Scan
At the testing center I went to for the CISSP exam they did a palm vein scan and it sort of intrigued me. I was curious why this isn't in the CBK; is it something that's just too new? Anyone know anything about palm vein scanning for biometrics? Pros and cons? Accuracy?
Reading on Wikipedia it says that vein scanning is something that's new and not widely adopted because it's not extremely accurate.
Hmm Pearson's site says the following:
false-acceptance rate of .00008 percent
source: http://www.pearsonvue.com/sponsors/palmvein/
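To put the quoted false-acceptance rate in perspective, here is an added worked example (not code from the thread, Pearson VUE, or ISC2). It takes the 0.00008 percent figure as a per-comparison FAR and shows the difference between 1:1 verification (the check-in use at a test center, where the palm is compared against one enrolled template) and 1:N identification (a palm searched against every enrolled template, which is what a larger shared database would enable). The population sizes and attempt counts are constructed assumptions, and the 1:N formula assumes the comparisons are independent.

```python
# Added example: interpreting a per-comparison false-acceptance rate (FAR).
# FAR_PERCENT is the figure quoted from Pearson VUE's page; everything else
# (population sizes, attempt counts) is a constructed assumption.

FAR_PERCENT = 0.00008          # quoted: "false-acceptance rate of .00008 percent"
FAR = FAR_PERCENT / 100.0      # per-comparison probability, i.e. 8e-7


def verification_false_accept(far=FAR):
    """1:1 verification: an impostor presenting against ONE claimed identity
    is wrongly accepted with probability FAR. This is the test-center case."""
    return far


def identification_false_match(population, far=FAR):
    """1:N identification: a palm is compared against every enrolled template.
    Assuming independent comparisons, the chance of wrongly matching at least
    one of N templates is 1 - (1 - FAR)^N. The rate that looks negligible
    per comparison grows quickly with the size of the database."""
    return 1.0 - (1.0 - far) ** population


def expected_false_accepts(impostor_attempts, far=FAR):
    """Expected number of false accepts over a number of 1:1 impostor attempts."""
    return impostor_attempts * far


def summarize(population):
    """Return a small report for a constructed enrolled population size."""
    return {
        "per_verification_far": verification_false_accept(),
        "false_match_against_database": identification_false_match(population),
        "expected_false_accepts_per_million_attempts": expected_false_accepts(1_000_000),
    }


if __name__ == "__main__":
    # Constructed: a database of one million enrolled candidates.
    for key, value in summarize(1_000_000).items():
        print(f"{key}: {value:.6f}")
```

The point the arithmetic makes: the same sensor that is very unlikely to accept an impostor against a single claimed identity becomes a coin flip once a million templates are searched at once, which is why the storage and reuse of the template, not just the headline FAR, matters for the privacy questions raised later in this thread.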
edit: They are collecting biometric data? That just doesn't seem right.
LOL
Website: www.nxecurity.com
Ugh, I've got to take a break from listening to conspiracy-theory podcasts.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Hahaha! No, actually the way they do it is you enroll by providing them with two forms of identification as usual and they then grab your biometric info & pic. So I assume that is to tie your biometric info to your ID. Once that is complete it's only used to authenticate when going in/out of the testing room. As far as I know, that data is not kept permanently because everyone in the room had to enroll.
I suppose the speed of in/out bathroom breaks for something as long as the CISSP makes sense. Back in the old days, I remember it was an escort to the bathroom who checked that no one else was in it. And they waited outside until you were done.
It is currently in Federal Court (ISC2 and NCS Pearson moved it there from California court), in the Southern District of California. I'm not a lawyer, but I strongly believe in protecting my (and your) rights NOT to have to submit to a palm vein scan! Additionally, I did some checking on ISC2's website, and it appears that they are shipping the biometric data overseas, and without audits or controls. If this is true, then no respecting CISSP would sign off on a proper privacy audit for test-takers, don't you agree? I'll post more here when there's new info in this case. In the meantime, especially if you're in California, feel free to write me if they try to force you to submit to a palm vein scan, which I contend is contrary to the Unruh Civil Rights Act in California.
Can you provide a link to this information, please?
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
When I asked ISC2 about any audit or proof that only partial palm vein scan info is being stored, and *if* it is being deleted after 5 years, they had no proof of anything.
When I asked ISC2 to which "partners" or other companies in other countries this data is going, ISC2 refused to state this.
So, we have unknown data, going to unknown and unaudited 3rd parties, who are *maybe* following a privacy policy? Methinks not
I'm all that much happier that my practice of religion just avoids the whole sordid issue. I feel kind of bad for everyone else, though ... and this is for the CISSP exam? Is there a hidden camera somewhere, or is this some kind of a joke to see how gullible candidates are?
Two side notes:
- ISC2 and NCS Pearson (the test centers themselves) are very large companies, and also do testing for many groups, including nursing organizations, and the TSA! (yes, *that* TSA from airports!). So from a hacking perspective, collection of a huge pile of biometric data on critical infrastructure folks is a risky and problematic venture. And shipping it all overseas, to South America or China or who-knows-where, with unknown audits or security there, compounds the problem exponentially. If a TSA or US Gov Security CISSP travels overseas, I can imagine data from one or more databases being used to identify them, and try to "compromise" them, overtly or covertly. Lots of spy vs. spy stuff, without getting all paranoid about that, but still ... (just trying to be aware and consider the possibilities)
- ISC2's president has made statements about growing ISC2's business and revenue (not a bad goal for the company president, I'll admit). So, he's collecting this huge pile of biometric data, backed up by multiple IDs. And the privacy policy may be changed "at any time" by ISC2. What do you think would happen if ISC2 got a contract (think lots of new revenue and business) for ISC2 to manage the checkpoints for TSA personnel to be authenticated at their jobs? Or for hospitals and nurses to use this information as their ID cards? Major new business area? It can become a biometric single sign-on across industries, which I think is where they might be going. And by having the info overseas, there are no controls or audits on what information is really stored, or for how long, or used for what purposes. It also becomes increasingly problematic. If you wanted to get into that business, you'd first need a database of individuals, otherwise you're waiting 5+ years to try to amass all that data. Well, ISC2 and NCS Pearson are already collecting that data, so they may already be moving in this direction. I'm just saying -- what are the risks, and what data is truly private?
Here's the Privacy Policy, starting about halfway down the webpage from above:
"As (ISC)² is an organization based in the United States your personal data will be collected and processed in the United States by (ISC)² and third parties acting on its behalf in accordance with and for the purposes set out in this Privacy Policy. If you do not wish your personal data to be handled in this way, please inform us using the contact details below.
Biometric Data: Where permitted by law, (ISC)²'s examination vendor uses biometric data to authenticate those taking its exams. While neither (ISC)² nor its examination vendor retain raw biometric data, the examination vendor does retain, for a period of five years following the person's last contact with the vendor, data based upon an algorithm of the palm scan received when accessing an examination site. This assists (ISC)² in assuring the identity of those taking its exams and preventing fraud in the exam process. This data is destroyed after the five year period and is used for no other purpose."
Yeah.... right. I don't really believe that last part, and what *if* they suddenly say the data was "lost" or compromised? Or if they change their policy and ... "my bad" -- it's now being used for other purposes? What recourse do you really have? It's YOUR biometric, and you can't change your palm vein signature! Just a bad idea to be using biometrics as logins, imho. And what about *why* ISC2 claims to want your biometric? To reduce fraud from professional test takers across more than one test? How about showing some statistics on the prevalence of that problem, and the conviction rate? Otherwise, it's a "boogey man" non-problem with a conveniently problematic solution, and the "solution" (if palm vein scanning) is worse than the problem, in my opinion.
Your opinion?
Not all Pearson Vue testing centers I've been to in the UK are that secure either, with routers sitting on the reception desk and ethernet ports easily accessible. One in particular was run by a person who tried to reset my system by turning my monitor off and on again (after the browser based exam got a 404 error). I wouldn't trust these companies with my information.
Just recently, after studying to sit for the CISSP exam, I came across the requirement for a palm vein scan (as well as collecting a lot of other information when you register). I felt uncomfortable with it as it didn't seem right (GIAC doesn't do this). So I emailed ISC2 and they said it was a requirement (unless you have a religious or medical reason not to). Decided to give up on CISSP, so now I'm studying for CISM.
In the end, if a company is only hiring based on CISSP or CISM alone or some similar certification, it's not a place I would want to work for. The certification is just a nice to have; experience is worth more.
Current Studying : GPEN |GCNF|CISSP??
Current Reading : CISSP| CounterHack|Gray Hat Hacking
Completed 2019 : GCIH
Free Reading : History Books
I wouldn't have seen it otherwise.
Will be striking CISSP off my 2020 list now.
Thanks again
https://www.eff.org/deeplinks/2019/01/victory-illinois-supreme-court-protects-biometric-privacy
http://www.nprillinois.org/post/supreme-court-upholds-biometric-privacy-law#stream/0
ISC has an alternative method - 3 specific pieces of ID - why can't we use it???
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray