Slashdot Mirror
Your Fingerprint Buys Groceries in Seattle
lildogie writes: "The Seattle Post-Intelligencer reports that a Thriftway grocery store is installing fingerprint scanners that they will use to identify customers." Each customer's payment method (credit, debit) is then automatically applied at checkout. Haven't they seen Charlie's Angels?
but if you thought those MVP/VIC/etc... cards were bad about providing tacking info, this is a nightmare
XML is like violence. If it doesn't solve the problem, use more.
I design software for biometric systems and although I don't know where they are installed at, the US Gov. is our largest client. *NO* current systems verify a third dimensional component. The neural network that IDs the print is fed many parameters. Amongst them is color (as you stated), thumbprint temperature,ambient and outdoor temperature (because the human extremity body-temperature is so dependent upon the environment), plus many more features from the actual 2-Dimensional image. There is no 3-D component.
You might argue that the angling of the scanning lasers adds a third dimensional component (a shadow) to the 2D image, but this is still something that could be duplicated given an image.
A very basic components analysis of the Neural Network will show that the thumb temperature is an ineffective means of classifieing the print, yet where I work, marketing insists that we continue to use this. That is why we have tried to increase the temperature importance by also including ambient temperatures, but mostly, the temperature is useless as a classification feature.
As far as taping a photocopy of somebody's fingerprint to the scanner this won;t work. Our scanners are color images, and the light from the photocopier has to come in at the same angle as the lasers. Using a pane of glass, a red light angled in the right direction, and a camera, we have been able to create photos that pass for fingerprints ~97% of the time. The percentage would be slightly increased if you kept the image in your pocket (body-heat) until placing it on the thumbprint scanner. This number approaches the number of false-negatives that you get with any thumbscanner.
Using biometric information creates a *real* problem for identity theft. Bruce Schneier points this out in his second book. If the advanced criminals can't reproduce your thumbprint, then they might as well intercept your biometric going from the scanner to the computer and reproduce that on all subsequent machines.
This is something that I will definitely opt out of in the future. Using a pseudo-random key generator on a cel-phone and having it transmit the key would be more accurate than a biometric.
Bringing irony to the Slash-masses
Part of the problem with current credit cards, and with this system as well is, as the parent said, the 18 year-old clerks. I'm speaking from experience, as a 17 year-old clerk at a clothing store that does lots of sales with credit cards. I realize that credit fraud occurs commonly, yet I don't do anything about it. I rarely check signatures and only ask for photo id if the CC says to. There's no reason for me to do otherwise. No penalities from the cards are directly passed on to the cashiers. If some accountability was placed on me, like a 50 dollar fine for each stolen CC I allowed to be used you can bet I would be checking alot more signatures.
Another part of the problem is lack of consumer awareness. You would be amazed at the number of people that don't even bother to sign the back of their cards. We're supposed to ask for id in that case, but when you've got a line of 15 customers, waiting for someone to dig their license out isn't the greatest idea.
To solve the problem, I think credit cards should come with a mandatory PIN number, one which isn't stored on the card (so theives can't crack the card). In addition, some responsibility is due for the cashiers. If my cash drawer is 5 dollars under (or over) what it should be, I get written up. Why not do this for cards not used by their owners?
Maybe I am unclear on this, but I use the same debit card 95% of the time at the Kroger I visit for my groceries. Do they have to agree to something saying they won't just use my unique cc number to track my purchases? And even still, is it technically against the rules to grep the data from the card for my name that is encoded on the strip and use that to track my purchases?
Furthermore, most stores have the "happy consumer tracking" card that many of us keep on our keychain, and to complicate the "tracking" argument further, the fingerprint thing is completely optional, as all of the methods I mentioned are today--
JUST USE CASH PEOPLE!!!!!
El Karma: excelente(principalmente la suma de moderación hecha a los comentarios de los usuarios)
Amazed that a man would live so long, the London head-office naturally sent for the old man.
But they found nobody: turns out that the guy died some 30 years before. As he was illiterate, he endorsed his pension cheques with his thumbprint. When he died, the family "forgot" to notify the company, and they still cashed the cheques with his thumb, which was neatly mummified right after they cut it off...
Any biometric system worth its salt uses significant "liveness" checks to prove that not only is the fingerprint a match (or % likelihood thereof), but it is actually attached to a real person (and is not a fake appendage).
These include temperature measurements, electric field (around the body) measurements, etc. This is where the real innovation around this field will take place over the next few years - accuracy (of fingerprint recognition) is already pretty good.
Unfortunately this opens up the possibility of simply taping a photocopy of somebody else's thumbprint onto my own thumb.
No, it doesn't, because you're BUYING GROCERIES.
It doesn't have to be impenetrable. There are easier, and less detectable, ways to fraudulently buy groceries. You think nobody on line behind you is going to notice you walking around with a photocopy of a fingerprint TAPED to your THUMB?
The supermarket is not your lab, Dr. Biscuit.
The uniqueness of fingerprints is important when considering criminal convictions where there's little or no other direct evidence besides latent prints, but it's not a big concern here.
A far easier attack here is to swap out the record in the database. If it doesn't have good auditing, it would be trivial to swap in somebody else's prints, make a large purchase of easily fenced goods, then swap the original prints back in without detection.
You could probably even just add additional prints as an additional purchaser. But that's risky since those prints could then be used by investigators.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
You are right, dishonesty doesn't have a correlation to age. When you have a situation where the employee can steal an hour or two's wages easily, and unprovably, then its going to happen. I worked the register at a pharmacy back in the day. Everyone there was dishonest. Inventory, cash out of the register, accepting cash payments and never ringing the items up all occurred.
You definetly don't want your money handled by people who make minimum wage, but you can't afford to pay for trustworthy employees.
Privacy issues asside, cutting down on the amount of money that is handled cuts down on theft, which "theoretically" cuts down on store prices.
Note the theoretical, as the costs of pressing CDs has falled to almost nothing, but you don't see the costs of CDs falling with it.
Captain_Frisk out.
Nice try :)
I understand it allright, and I understand what I or anyone else could do messing with those databases. Now, I'm not the kind of person who would do such a thing - but I know what technology does to people who does not understand that it is not infallible.
The technology does not scare me one bit. What scares me, is knowing that *people* will be using the technology.
...and I'll have 20 pulse generators built. Just cram the outlet hoses into the main arteries, snap the return hose around the sloppy end of the digit, and turn the pump/warmer on.
Give me a month and I'll work out a way to keep the hand lifelike and realistic for a couple of days, and tug the right tendon to extend the finger, so you can have the whole hand poking out of the sleeve for a quick scan, even with people watching.
Any physical key can be stolen, including a body part. If you doubt criminals would go to these lengths, you haven't looked at how an auto-theft ring is run.
They have the same thing here in Texas in a few select Krogers. Everyone I hear says it's pretty neat. I think you have to enter a pin number though, so you can't just grab someone's thumb and get free food. They have self-checkout lanes as well.
Walk up, scan your groceries, place your thumb, enter a PIN, walk out.
Cashless society? Heh, it's not even plastic anymore...
You're both wrong. While this is not to say dishonesty doesn't exist at all age levels, as any decent sociologist will tell you youth (particularly in the 15-24 year old age bracket) are more prone to criminal behavior. Crime rates drop off dramatically after that.
cutting down on the amount of money that is handled cuts down on theft
Admittedly, this comes from someone who has never worked in a grocery store, but don't most stores keep a pretty close eye on cash register draw balances? Seems to me it would be much easier to make off with store merchandise than cash out of your drawer. Which, if true, means this won't have a major impact on employee theft.
Is sharing your fingerprint with their "partners" because you didn't know you had to opt out before you were born.
The less people who have access to biometric information from which they can infer genetic information that they could then use to discriminate against me, the better.
"I'm sorry sir, but our partner Thriftway provided us with information that indicates that you have a genetic predisposition to liver cancer; we are going to have to deny you medical insurance."
The two big problems with this are the likelihood of misidentification and the fact that you can't just get a new fingerprint if somebody gains the ability to buy stuff with yours. (I feel the tracking problem is less severe because people are already tracking us with credit/debit card numbers and the world hasn't ended)
The identification problem is a very hard. As our pal Schneier likes to point out, a system that answers the question "is this person who they say they are" with impressive accuracy isn't necessarily any good at answering the question "who is this person". The accuracy drops fast as the number of people in the system increases. But don't throw out this system just yet. Is the base accuracy high enough, or can we keep the population low enough for the error rate to be acceptable? When Phil in L.A. is scanned at the supermarket, do we really need to consider Joe in N.Y. as a possible match(*)? Can we weed out more people with other checks before the fingerprint match is performed? I don't know the error rate of the best fingerprint matchers, but I need to know that, and the population size, and do the math if I'm going to reject a fingerprint id system on grounds of the misidentification risk.
The other big problem is devastating to your ability to use a biometric id system, but not to anything else. A stored reading can be marked as compromised in the system so an attacker can't use it any more. You won't be able to use it either, but you haven't lost anything you had before the system was put in place (unless some pea-brain decides that this shall be the only way to pay). You haven't even lost everything you gained when the system was implemented. You now have a choice to dictate that only a debit card + a finger print is enough to make a puchase with your account, which is safer than the credit card alone, although no more convenient.
Please, truly consider the benefits and liabilities of any new system and the system it replaces. At the very least, it'll make for more stimulating discussion than an endless stream of "this is bound to fail catastrophically" posts.
* And when Joe travels to L.A., we know where he is because we tracked his ticket purchase ;->
Fuck the system? Nah, you might catch something.
I recently fell victim to check fraud, someone stole a checkbook and wrote $1300 in checks to grocery stores in Seattle. A few of the checks were to Thriftway. Assclowns obviously never checked the id of the person writing checks in any of the stores. Bah.
"America, I smoke marijuana every chance I get."
You think on-line transations get expensive after they become mainstream? That strikes me as odd. Credit card rates that should be have been criminialized were in place long before the net went mainstream. In fact, it's not unreasonable to suspect that exact issue might have been one of the big reasons e-commerce didn't fly. It was starting out the gate with a tax going to the card companies, and for what, money handling? Isn't the government supposed to provide the currency.
According to the Constitution that's how it was supposed to go.
Net banking fees emerged AFTER it went mainstream?
Sorry, that's factually incorrect.
Who said there would be no fraud in 'net banking?
ATM's were also known to not be the most secure item when they were invented, but they are only as secure as you are [duh].
Fraud is a considerable thing to deal with for a bank - many times the person who was defrauded demands not to pay and the bank does as their customers want. Getting your ATM card stolen by someone you know can cost you a lot of money - sometimes up to ten times more than you lost if you try to push on with the investigation. A bank isn't the police, and the police can do little in these situations even when there IS a picture. In the end more is lost that what was stolen in the first place.
Fingerprint technology could bring those fees down, but we will need to see it work.
But where is the Fee? It's basically the same as that sticker in your car that pays the toll or the barcode on your keychain that charges gas to your credit or debit card.
Adding fees would destroy such a flimsy top-level service and force it into the hands of Mastercard or Visa which only get paid when you use it anyway.
Fees? It's your money - learn where to shop it around.
Get your Unix fortune now!