Fun with Fingerprint Readers
Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.
Six of the seven slashdot editors are sitting around the flat one day when Katz rushes in and says, "Guess what guys, I've won a trip to see the Pope!" Everyone gets all excited and chants, "We finally get to ask him, we finally get to ask him."
The next day, they are standing in front of the Pope, Katz out in front of the other six. All the other six start pushing Katz and saying, "Go ahead, Katz, ask him, ask him!"
The Pope looks at Katz and asks, "Do you have a question to ask me, young man?"
Katz looks up shyly and says, "Well, yes."
The Pope tells him to go ahead and ask. Katz asks, "Well, do....do they have nuns in Alaska?"
The Pope replies, "Well, yes, I'm sure we have nuns in Alaska."
The others all keep nudging Katz and chanting, "Ask him the rest, Jon, ask him the rest!"
The Pope asks Katz if there's more to his question, and Jon continues, "Well, uh, do they have, uh, black nuns in Alaska?"
To which the Pope replies, "Well, my son, I think there must be a few black nuns in Alaska, yes."
Still not satisfied, the others keep saying, "Ask him the last part, Katz, ask him the last part!"
The Pope asks Katz, "Is there still more to your question?"
To which Katz replies, "Well, uh, yeah.....are there, uh, are there any midget black nuns in Alaska?"
The startled Pope replies, "Well, no, my son, I really don't think there are any midget black nuns in Alaska."
At this, John Katz turns all kinds of colors, and the others start laughing, and yelling, "Katz screwed a penguin, Katz screwed a penguin!"
Why bother.
Can I buy the Gelatine at the Store and use it to falsely pay for my groceries? How convenient! :)
'mmmmmmmmm.... forbidden donut'
Could someone please explain the problem with biometrics for ID? I mean, I get the creeps when I think about companies storing biometric data, but I'm not sure why. Why should I be scared? This is a legitimate question. Please outline a scenario for misuse, or the downsides to using biometrics for identification.
Thanks.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
Fingerprints are too private. Any method used by the police is too private for a grocery store to have. As it is, only criminals have fingerprints on file; after a few years, they'll be trying to get EVERYONE on file.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.
Would you eat gelatin that has been on a surface touched by who knows how many hands? If the guards didn't catch you some disease would.
I'd rather that someone be able to go through a fair amount of trouble and fool the device, because if they didn't, then they might have to resort to cutting off my finger. Give them an easier way, and one that leaves me digitally intact!
Any way you look at it, it's still more secure than credit card numbers. Then again, you can always cancel your credit card number. What would you do here, cancel that finger, and start using another? You can only do that for so long...
Kevin Fox
Bill Cosby... As a security consultant? Yikes.
Mod me if I'm wrong, but this still sounds like a fairly secure system. Right now, any old bum can steal a credit card and run down to Safeway. With this, people have to put in a little effort to card that bottle of JD. There will always be holes.
Wow, this is a much better solution than I've been using, and much less bloody.
Need Free Juniper/NetScreen Support? JuniperForum
Shoppers who enroll free of charge to use the finger image machine -- officially known as a biometric electronic financial transaction processing system...
The guy who thought this lovely system up and is trying to pass it off as secure must have had his finger in his colorectal biometric electronic scatological transaction processing system...
Score: -1, Filthy
you don't have to outrun the bear, just the slowest person in your group.
People were lifting latent fingerprints and using lithography to create fake fingerprint readers a decade ago (although I'm pretty sure they used some sort of plastic latex or silicone or something, makes a lot more sense than gelatin). On national TV no less, the nation being the Netherlands. Our major Airport was using a fingerprint system for VIPs to bypass the passport checks in those days, so it made a nice splash.
... fingerprints were tried and rejected a long time ago, why are we still seeing shit like this now?
That airport also funded development of an iris scanner they are using at the moment BTW, which is now being licensed to IBM and some others
Macgyver did this with a glass and some candle wax :)
(B) + (D) + (B) + (D) = (K) + (&)
Bruce quotes research showing that you *can* fake fingerprints. Something that the vendors claim is impossible.
However, the Kroger system falls back to the old "bring something, know something" mode which makes it much more secure.
Sure someone can duplicate my fingerprint (how easy that would be to both do and hide when checking out is another point, but let's assume that it's reasonable to lift a latent print, make a mold and check through without the clerk noticing), but they still must know my pin.
This is no worse than the current system of debit cards with mag stripes on the back that are trivial to duplicate with not much more equipment.
It is, however, much more convenient.
Assuming I can change my pin to be something other than my telephone number, I'd use this system.
Never believe someone who tells you it's impossible to crack.
"His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional"
Bah! Too much work - I just wanna shape shift ala Mystique!
Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses
Yes - leave those purses out in the car so the guy stealing your stereo can get your credit cards too.
Kroger customer Mary Smith said she has a daughter in Katy who wants nothing to do with the finger image method of payment. She told her mother that it is "a way to get into your identity."
It's funny, Smith said, "you'd think it would be the old fart who'd be afraid."
This is funny because she doesn't appear to realize that her daughter's fear is based on having more knowledge about technology and is justified fear. She is thinking "I'm not old- I'm cool and cutting edge." and that vanity is letting her opt in to a system where one day her checking account will be cleaned out by a bunch of tweakers who got her fingerprints off her car door and bought all the Sudafed they could carry. Smart enough to build a meth lab - smart enough to make gelatin fingers.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
tsutomu@mlab.jks.ynu.ac.jp
someone is going to find a whole shitload of emails tomorrow morning
The process involved etching the finger print onto copper?
Finger prints seem to be at least more secure than credit cards. A semi professional with a CC writer can turn out a hundred fake cards with real numbers burned on them in less than 30 minutes.
Seems like it takes quite a while to create a fake finger tip and there's a lot more chance for error. While I probably wouldn't solely rely on fingerprint scanners for something high security, for buying groceries, if this were offered in my area, I'd sign up in a second.
The last user will have left a latent print on the reader.
Used to be, you could just shine a flashlight into the reader and get enough contrast out of the previous user's print to satisfy some readers.
There have been improvements since, and it would never have fooled a live finger detector anyway. But it's a good example of low-tech bypassing of high-tech security.
Fingerprint scanners can be fooled with gelatin, but I heard on the radio this morning (BBC Radio 1) that George Bush wants to use them to control access to the United States. If it was my country, I'd rather a more secure method of access control was being looked into. Before this article, I wasn't aware of any problems with fingerprint scanners. As for using them to pay, I know they can be used for saying either: (1) Yes this person is who they say they are, or (2) No this person is not who they say they are, but thought that it wasn't feasible to use the fingerprint to look up an individual in a database.
Follow me
How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?
Hacker Media
This certainly doesn't mean that biometrics based on fingerprints should be ruled out.
Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and pin should be used for any reasonable authentication.
Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.
I'd certainly rather use my finger than my RSA number keychain!
I'm heading for Krogers and buying me a lifetime supply of caffeine and HoHo's!
Never answer an anonymous letter. - Yogi Berra
One system is easy to fool but when you use more than one it becomes less likely. Finger + Voice or even adding a retina scan. Then all you have to worry about are mature clones.. ;)
Or how about your finger and a pin number? then you don't need to carry a card and even if someone has a fake finger they need your current pin??
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
NOTE: Locations will be based on best deals, and include E-Coupons and such, as well as projected route
Painless, quick, and efficient. That's how grocery stores should operate. Forget fingerprint scanners. Eliminate the long checkout lines, crowded aisles, and rude people.
Were these experiments performed for Starfleet? His presentation logo looks like the Starfleet logo.
Miko O'Sullivan
quick, chop off his fingers, they violate the DMCA!
;)
The Truth: There is no string:)
I was really hoping that people would trade in stolen thumbs and such, but now that they can just make gummy replicas we won't see any cool underground trade in amputated digits. :(
The way a biometric database *Should* work is to take some data points from the image and then create a hash from the data points. This should be done for the same reason you should NOT store passwords, but rather their hash. The other reason for hashing the data is that it is going to be much smaller and quicker to search. OTOH drives are cheap and...
Kroger became interested in the finger image machine three years ago, when the state of Texas began its own pilot program with the intention of eliminating food stamp fraud. It came out with a finger image version of the "Lone Star Card" used by food stamp recipients. The state approached Kroger and asked if it would participate in the pilot program.
After a budget cut, the state abandoned the program, but Kroger -- the largest supermarket chain in the U.S. -- continued to explore the system.
Is it me or did they abandon a cost-saving program because they had budget cuts? What horrible short-term thinking.
A ton of people are posting that this - combined w/a pin is super secure.
I've got one question.
How long do you think you will last when that guy cutting off your finger is yelling at you to tell him the pin?
I'm guessing for the average joe it will be measured in seconds. (Especially as the media and powers that be preach this constant message of 'just hand over whatever they want - don't fight back')
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
The Houston Chronicle link is also a big brother site, they have been known for years to track users (especially working with the Texas police etc, and tracking various ppl who read sensitive articles). Every single page you get from them is hashed and properly indexed to the user by various methods and a unique ID is associated with the user. This information is then dispatched to the Houston federal building, where the information is collected by various state and federal law agencies. In particular, they are known to make 'bait' like news stories, and then sit and wait for ppl to read them, and observe the reading habits. (Eg: They ran a story about Vladimir's Lolita, then collected info on the ppl who read the story, after that, anyone who'd been to that page more than 3 times was investigated and their computers searched). Very fishy bunch, almost as bad as AOLTIMECNNWANKER.
They give a brief mention to Kroger in the linked article as well..
Oh bother.
The article states the cashier -- after learning automatically from the computer that the check owner was enrolled in SecureTouch -- would become suspicious that the thief had not opted to use the quicker fingerprinting method of check cashing.
sounds like disaster to me, once you're in the system the cashier gets suspicious once you don't use the finger print method. What if you don't want it out of your checking account but want to buy your milk with the 5 bucks your buddy owed you....
ahh, the egg in the basket..
"Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses."
So they leave it in plain sight in the car, so they can come back to a broken window and a missing purse. (not to mention all of those unmentionables inside the purse)
Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.
More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited the prosecution from testifying that two fingerprints "match." From this article: The answers, respectively, are "no," "no one knows," and "no."
I'm home sick and I don't feel like doing more research on this right now. The above links and Google will help if you want to look at it more.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Is it more insecure than credit cards or cash? Both can be fooled. I wonder how many clerks can be fooled with a stolen credit card?
"All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org
Once this guy makes eyeballs out of jell-o, and fools a retina scanner, I'll shake his hand!
In the US he might be sued for reverse engineering practices by the security companies.
I wonder if I get a higher credit limit on my thumb than any of the other digits.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Ban gelatin.
What?
No going in and squeezing the vegetables?
No trying to put boxes of condoms in old ladies' trolleys?
No sneaking a peek at the cashiers boobs?
What's the fun of that???
In most cases cashiers request an ID whenever you are using your CC. Very few exceptions (gas stations, very small purchases at small stores etc.)
Will it matter whether I place my Butterfinger or my Buttfinger onto that thingie? What did the lady behind me in that queue say? (seem to get wax in my ears - lemme see, I'll pry it out...)
Use The Source, Luke!
The best line from the article is as follows:
I can see security being interviewed afterwards... "Well, ya, they are all a little eccentric, and I did see him sucking his thumb after scanning it, but I never thought anything about it. They're all a little... strange, if you know what I mean."
I haven't lost my mind!
It is backed up on disk...somewhere...
2)What if someone has no hands... You can sign with your teeth, or feet... but you can't give a thumbprint with your toes!
OK.. enough rambling..
Steve
I understand that security needs to be tight when it comes to money, but I think that although this guy brings up some interesting points, I think that this method of purchase is more secure than most of our purchases done today. Cash can be stolen, so can credit cards, and people can forge your checks. So what's the big deal with the capability to duplicate fingerprints. I think it would be much harder to get a clear fingerprint from someone without their knowing than to pickpocket them and steal their wallet. The only problem I can see with this is that you can't just go and have your fingerprints changed (unless you have a lot of money), so this would be more permanent. I think that adding a 6 digit pin would fix this problem.
How to fake retinal scans using mirrored contacts and laser etching. Story on next year's Slashdot.
>> within a minute of pulling in, I pull out with my groceries... never left the car!
In that case, why not just stay at home while your car drives itself?
Maybe they don't need Men anymore? To turn them on with those Secure Touches?
Another tasty solution to beating facial recognition?
Screw the drive up, have the store deliver. Cheaper and more environmentally friendly overall.
This is assuming I want my fridge talking to the grocery store. (Not bloody likely!)
And then, of course your health insurance company will want this data. "Oh no, Mr. Johnson...you can't order those HoHo's. Your last physical showed you 15 lbs overweight. Here's some tofu and rice cakes instead"
See also this +5 thread regarding the limitations of biometrics, featuring another Bruce Schneirism. (Does Slashdot love Bruce or what?)
I'm a Security Consultant and I'm currently working on purchasing and installing some Biometrics authentication system at my company. This probably makes me biased towards Bio, but at the same time, it also means I've been studying and contemplating the issue for some time now.
Biometrics, like any other system, has its flaws. Schneier himself points out in a previous article "Biometrics is a unique identifier, not a secret". And now it doesn't even appear to be a unique identifier. So what gives?
What gives is that it's quite possibly the best system around, at least when compared to all the others. What are your alternatives? Passwords? Digital Certificates? Smart (dumb) cards? SecureID tokens? None of these are as unique to a user as a Biometric is. As a matter of fact, NONE of these are unique to a user - Certs are unique to the computer or card they reside on, the cards and tokens are physical objects that anyone can have, and finally your password everyone knows because you wrote it on a Post-It(TM) note on your monitor (or under the keyboard or tape dispenser).
Now, that doesn't mean you can blindly put a Biometrics system in place and call it a day. Installing and setting up Biometrics requires thought, consideration and risk analysis.
To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorithm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.
Regarding anonymity, it will still exist. Nobody will stop you from going to the ATM and picking up cash before you head to the store to get the Goatse man's greatest gaps volume 16.
Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.
As for the "identification" issue with Biometrics, allow me to illustrate one simple point - most commercial Biometric fingerprint systems have a false acceptance rate of 1 in 100000 at most. Any decently sized organization compiling Biometric data will probably register a heck of a lot more. Identifying a user in a big population from a random biometric sampling is a data processing nightmare - that's why that whole Visionics video-camera-at-stadium thing sucked so bad. Biometrics however are really good for saying "My name is John Doe, and here's a fingerprint (or two) to prove it". Or, at a company case "my userid is jdoe and here's my fingerprint to prove it".
This problem is the identification (finding user in a population) versus authentication (verifying a claimed ID) problem, and it's much discussed in Biometric literature. God knows I've had to preach this one out about 600 times in the past few months when meeting with different departments.
So it really comes down to implementation, and alternatives. You can have your money tied to a credit card number, and when someone finds the receipt you threw away they can impersonate you at Amazon.com until the next bill arrives. Or, you can have it tied to your card, but need a fingerprint to access the card. The idea is enhancing, not necessarily replacing.
As a lot of you have heard, authentication/verification systems usually work with something you know (password, pin), something you have (token, smart card, mag card) or something you are (biometric). The best systems use all of the above.
Even then you still need to figure out your risk scenario. For your average office building with access controls at doors and other entry points a system asking for "userid" and "biometric" will probably be good enough. If you're running a DoD installation with nuclear weapons, I expect a system with ID check, Smartcard, 10 fingerprints, retina scan and password will be necessary (I hope).
Finally to address this cool gelatin crack - this is neat stuff. I'm glad to see that people are coming up with potential attacks - it makes the developers of this stuff work even harder to create systems that can't be fooled. The latest capacitive sensors I've seen might not even be fooled by this - they claim they read the second or third layer of skin, not the external one. But even if it does fool them, it won't in a few months.
Remember, biometrics are not your enemy - if anything they help keep your privacy stronger by providing better control of who gets to pretend to be you (imagine your PGP keys being protected by a passphrase AND a fingerprint or two). There will always be issues with this or any other system - I just can't think of one that will be better than a properly implemented Biometric system.
-Jack Ash
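The identification-versus-authentication arithmetic from the comment above, worked through as an added example (not part of the original comment or of any vendor's code). It takes the comment's 1-in-100000 false acceptance rate as the per-comparison figure and assumes comparisons are independent; the function names are hypothetical.

```python
"""Added illustration: 1:1 verification vs 1:N identification error rates."""
import math

# Per-comparison false acceptance rate quoted in the comment (1 in 100000).
FAR = 1e-5


def p_false_accept_verification(far: float = FAR) -> float:
    """1:1 check ("my userid is jdoe and here's my fingerprint").

    The sample is compared against the single claimed template, so an
    impostor's chance of a false accept is the per-comparison rate itself.
    """
    return far


def p_false_match_identification(n_enrolled: int, far: float = FAR) -> float:
    """1:N search with no claimed identity.

    Probability that a sample from someone NOT enrolled matches at least one
    of n_enrolled templates: 1 - (1 - far)^n. Independence between
    comparisons is an assumption of this sketch.
    """
    if n_enrolled < 0:
        raise ValueError("n_enrolled must be non-negative")
    # expm1/log1p keep precision when far is tiny.
    return -math.expm1(n_enrolled * math.log1p(-far))


def expected_false_candidates(n_enrolled: int, far: float = FAR) -> float:
    """Average number of wrong templates returned per 1:N search."""
    return n_enrolled * far


def max_enrolled_for_risk(max_risk: float, far: float = FAR) -> int:
    """Largest database size that keeps the 1:N false-match probability
    at or below max_risk."""
    if not 0.0 < max_risk < 1.0:
        raise ValueError("max_risk must be between 0 and 1")
    return math.floor(math.log1p(-max_risk) / math.log1p(-far))


def comparison_table(sizes, far: float = FAR):
    """Rows of (n, P(1:1 false accept), P(1:N false match), expected hits)."""
    return [
        (
            n,
            p_false_accept_verification(far),
            p_false_match_identification(n, far),
            expected_false_candidates(n, far),
        )
        for n in sizes
    ]


if __name__ == "__main__":
    print(f"{'enrolled':>10} {'1:1':>10} {'1:N':>10} {'exp. hits':>10}")
    for n, p1, pn, hits in comparison_table([1_000, 100_000, 1_000_000]):
        print(f"{n:>10} {p1:>10.5f} {pn:>10.5f} {hits:>10.2f}")
    print("largest database with <=1% false-match risk:",
          max_enrolled_for_risk(0.01))
```

The 1:1 figure stays flat however many people enroll, while the 1:N figure climbs towards certainty once the enrolled population approaches the inverse of the false acceptance rate.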
Legislation proposed banning Gummy Bears as DMCA circumvention devices.
For any transaction where something other than hard cash is accepted (and I am using transaction in a broad sense here, such as being able to enter a secured area for example as well as making a purchase), it is necessary to authenticate the client, be it with a credit card number, signature, photo id, fingerprint, retinal scan, facial scan, DNA test, some other mechanism or a combination.
In all such transactions:
- Authentication is necessary. (ie the transaction requires at least one of these mechanisms).
- All the authentication methods are vulnerable - no security mechanism is perfect.
- All of these could be subverted to invade your privacy.
However, if you can't use cash for your transaction or you prefer not to for the convenience, you've got to live with the authentication tradeoffs.
As pointed out, authentication is necessary for many transactions - there is no escaping this fact. So the best questions when evaluating the technology is RELATIVE to its alternatives.
So fingerprint readers can be spoofed easily (assuming you can get a copy of the finger you want to copy, which is not necessarily easy). Well credit cards numbers can be obtained and used fraudulently; signatures can be forged.
None of these mechanisms are fundamentally good or bad. However, I believe having alternatives IS good for two reasons:
1. It provides competition between different authentication mechanisms so that people get a choice in what security/convenience tradeoff they want to make.
2. Having multiple authentication mechanisms automatically increases the diversity of the authentication infrastructure which means that it is harder for an organisation to subvert because they need to coordinate your identity across multiple systems rather than having a single one.
In the scenario described (and many previous articles on the same subject at Slashdot), these new systems augment rather than replace existing ones. As long as this continues to be the case, I am more than happy for these mechanisms to exist and compete.
Except what he did is not reverse engineering.
So I just signed up for a project next year using PDAs and biometrics from ST Microelectronics. Anyone used their fingerprint reco kit? Is it any good?
"The new wave is not value-added; it's garbage-subtracted" - Esther Dyson, Dec 1994
We used to have a fingerprint scanner to access work, and it was pretty good for the most part. The most annoying things were that some people's fingers took several attempts to ID, and if you did anything that abraded your fingers, this also stopped it ID-ing. Since it was just a finger scanner/touchpad box mounted externally and an embedded 68k inside to drive it, it would probably be interesting to build using a cheap scanner.
It was a standard joke that you had to return your fingers when you finished working.
Xix.
"Everything is adjustable, provided you have the right tools"
So I was wrong to laugh my ass off when hollywood spy types glued false "finger prints" to their digits... I have the good grace to admit that!
But what about retinal scanners?
If Arnie is locked out of a secret military compound trying to save the "presidents"/"a friend's"/"his own" "daughter"/"wife"/"pet cocker spaniel" and he comes up against a retinal scanner...
Well then he's still gonna have to handle that the good ol' fashion way...
By ripping out the "Drug Lord's"/"Mafia Boss's"/"Buddy gone bad's" eye ball!
It's comforting to know that some things will never change.
:)
I don't understand why the credit card companies, banks and so on go to so much effort to make things secure and do such a bad job. It seems obvious to me that the method that would work the best is to equip each register with a reasonable digital camera, and take a picture of each person using a credit card and file it on a computer with some sort of id number (maybe the auth number from the CC company). I would think this would cut down fraud quite a bit, and probably increase convictions, and be much harder to get around than all these high-tech, but fairly non-secure and not impossible to fool systems. How many forgers, CC thieves, and such would really want their picture on file with the stolen credit card number?
We would still have mail-order and internet type fraud, but this would cut down on most of the other frauds.
The first $10 gelatin trick requires you to have the original finger.
"Hey, let me use your finger so I can copy it and steal stuff with your prints!"
The second method that allows latent prints to be used requires more work. Still, if you have a laser printer, I'd estimate it runs only $50-100. And the costs of the trick can probably be reduced quite a bit.
As to the security issues: Prints alone = bad. Prints + PIN = Somewhat bad. But most crooks prolly aren't going to be that desperate.
It is probably best to use fingerprints as a method of correcting for the deficiencies of credit cards. i.e. verifying that the person with the card is indeed the owner.
It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #. Theft of a fingerprint no longer means you've permanently lost its usefulness, as it's only used in conjunction with other methods. Your only problem is that the next time around the thief only needs to yoink your CC # - But I have a feeling repeat strikes of CC theft almost never happen.
retrorocket.o not found, launch anyway?
So now someone is sitting in the parking lot, obtaining your fingerprint.
Granted, this is just another form of identity theft. So how much longer before there is an uproar about the convenience of biometrics resulting in identity thefts.
Has anyone seen Kroger's disclaimer and privacy policy?
Now I'll have to replace all the fingerprint scanners in my secret island fortress! Damn those meddling kids^H^H^H^Hscientists!
using namespace slashdot;
troll::post();
That explains why my posts are modded up all the time. ;) "Sara" is a very masculine name. Please.. If anything, geek-guys want to mod females UP in the hope that more will come to slashdot.
-Sara
that won't beat retinal scans which also check for blood flow...
how about devising a reliable voice recognition system? My guess is that even if forced to speak "Open Sesame" at a sensor, the stress in one's voice might still be detected...
I'm a little bit confused
squeezing the vegetables ?
which old ladies ?
which books ?
What I hate the most is that you can go to a supermarket and you have your shopping list in your head
(sorry am not hearing well
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Given that it is evidently trivial to dupe a fingerprint in gelatin...
How many people already have their prints on file? No...not just criminals. People who have been arrested, but not convicted. Members of the military, police, child care workers. Children of paranoid parents, etc, etc, ad infinitum. All 'respectable' persons. Clear prints, already in electronic format, ready to be stolen/hacked/duplicated and used.
Think about THAT when the vote comes up for biometric entry into the country.
All the 'kid registration' over the last few years has been a desensitization to this point.
What alternatives are there to support people without hands or fingers? I would hope that people without limbs wouldn't be looked down upon.
Mullet Man was way ahead of Tsutomu. He duplicated finger prints using pool cue chalk and candle wax.
After working with biometric readers for quite some time, I won't mention names, but the most "awarded" biometric reader in the world can be tricked by simply blowing on it. Yes, blow warm moist air on it. The heat/moisture of the breath and the "residue" of the previously scanned finger tricks the reader into thinking it's a "live" finger. So faking the last user of the reader is a piece of cake. I've tested this thoroughly, lots of fingers, lots of people, works a treat.
Several people have pointed out the issue of key revocation (you'll find it very hard to type).
But what's worse in *this* particular case is the demonstration that latent finger prints can near-trivially be developed into a fingerprint glove that fools the device. Just picture it... A would-be thief would watch you in the supermarket, picking up a bottle of Coke, put it back because you do prefer Mountain Dew after all. He picks up that bottle by the neck, pays for it with cash. From there on he could plunder your credit card.
Sounds scary to me...
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
Gelatin is not effective against all fingerprint scanners. It's only effective with optical fingerprint scanners. There are some fingerprint scanners that rely on your hand's self-produced electricity (from acid from your sweat and even static electricity) to form an image of your fingerprint.
"Smith has exceptionally dry skin and has to rub her finger behind her ear or against the side of her nose before pressing it on the small SecureTouch window."
1. Present finger for scanning
2. Scan matches fingerprint to ID record
3. Checker's terminal displays photo of recognized person
4. Checker notices that the fingerwielder looks nothing like the registered fingerowner.
5. Fingerwielder flees.
Alternatively, you can require a PIN code to use in conjunction with the scan. This is what they did at High Tech Burrito when they tested a thumb-scan system in Berkeley.
Kevin Fox
a recent email response from a rep for the Authentec line of fingerprint scanners regarding use of their scanner via a "stolen" finger:
...
"I checked into your question regarding the fingerprint scanner. The
fingerprint scanner requires a live layer of skin to work. A finger that
has been cut off will still be "live" for a certain period of time and will
therefore work in the scanner. The actual time frame has not been
determined as no one has volunteered to be a test subject." ...
I saw a blurb, can't remember where or when, on TV about a system that measured the density of the finger. They commented that this would prevent someone from using a removed finger, since it would have much less blood. I would guess that it would also work against gelatin fingers too.
Soon, everybody who's now cloning cell phones will be able to do this. So much for fingerprint-based biometrics.
...to get those extra repeat customer discounts? And here I thought all those soccer moms were just being lewd. ;-)
My local supermarket charges 5.99 for chicken unless you carry their wallet cookie, in which case you qualify for the super special 1.99 price. 1.99 just happens to be the pre-shopper-card price.
Next, they'll demand a fingerprint in order to qualify to buy food at non-extortionary prices.
Shaws, Stop and Shop, Kroger... You should rot in hell.
What would someone with a prosthetic arm do in this system? This person can have a password, credit card number, etc... But they wouldn't have a fingerprint, would they? I imagine any biometric system would be alienating people with some type of disability, medical condition, or some other condition brought on by other circumstances.
Can anyone think of a biometric system that ANYONE could use?
"... the advance of civilization is nothing but an exercise in the limiting of privacy" - Janov Pelorat
I've experimented with a popular fingerprint reader.
If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate you can fake their print easily.
Either hold your palm closely over the plate, or breathe gently over the reader. Enough to create enough warmth to simulate a finger.
With a little practice I could do it over and over. Quite fun giving a demo to security people!
... that they don't use a semen test instead!
What an awful concept, you collect your groceries, walk up to the register... I'll let you figure the rest out.
The chances of my putting my eye against a retinal scanner, my fingerprints on some 2-bit company's files, or my DNA into some poorly secured database are ZERO.
That might prove harder than reading a password off a PostIt note stuck to a 3278 terminal.
Getting a usable print that isn't smudged in some respect is not that easy. Ask any AFIS operator. Getting the right finger from a glass is also hard if the glass was rotated in the least.
It's not likely to be done on casual contact.
It requires collusion or coercion.
That's no reason to give up on biometrics yet.
No temperature sensor on the unit? (I'm sure that the gummy bear wasn't the same temperature as the guy's finger. Yuck.)
And I can't forget my finger at home.
I still like a LONG biometric password (my fingerprint) for logging on.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
There was a post about this already on /. earlier where it was done in Seattle. Check it out here: http://slashdot.org/article.pl?sid=02/04/29/0133222&mode=thread&tid=126
"PC Load Letter? What the $@#% does that mean?!"
German IT-magazine c't found the same weaknesses in fingerprint sensors a few months ago. They were able to fool some sensors simply with wax. Costs even less and is even faster.
Gelatin Cartels and the underground Gelatin Mob. Yeah. It'll be so cool living in the future wearing gloves and sucking up your hair and skin-particles everywhere you go with your Personal V-Cleaner.
Good thing the researcher lives in Japan. He'd probably be arrested here (in the U.S.) for some sort of DMCA violation...
So, it's not enough to have multiple factor authentication (pin + fingerprint, for instance), it's also important to make sure EACH of the factors is hard to steal, or at least one of them is.
That means authentication is not just about "what you know, what you are, and what you have", it's also about what others don't (or can't) have. A higher bar.
We discussed the same thing only a couple of weeks ago, see this article. Looks like a different grocery chain this time though...
Al.
The Daily ACK - Eclectic posts by yet another hacker
One more reason to forget to write down what I spent at the store. Does anyone else think that all this convenience is leading to a point where people lose control over their money?
At least with my (duplicate) checks, I have a physical record of what I spent. With this, all you have is the receipt...and the hope that you remember to write it down.
Ed Wedig
Graphic design services
docbrown.net
What happens when someone creates a viable spoof of my biometric ID? (Thumbprint, retinal scan, whatever.) They can fake being me. So we include a PIN that I can change and I'm good again, right?
Think about the last time you went to the DMV. Is it staffed by high-paid security consultants? Or is it more likely to have employees who will see that your thumbprint matches and go ahead and give you the new license to replace the one you "lost"?
The "average Joe" will believe that thumbprints are authoritative and probably use that confirmation as sufficient evidence to reset your PIN for you, completely circumventing the system.
Don't believe me? I went to the post office recently. They have a policy that they won't accept credit cards that aren't signed. Mine has "See ID" written on the back, because I don't want anyone accepting it without checking an ID. Their policy, which the helpful employee showed me a copy of, said that in order to accept my ID he had to watch me sign it in his presence, then check my ID. Had I stolen the card and simply signed it in the parking lot before entering, he would have accepted it.
And the more "authoritative" the ID method is, the more likely someone will trust it. If a biometric only seems more secure than a plastic card with a mag strip, then we will have decreased actual security. So the real problem isn't "How do I keep someone from spoofing my biometrics?" It's "How do I keep a minimum-wage clerk from accepting the spoofed biometrics?"
Nope, no sig
Obviously, the next step is for Congress to outlaw gloves.
Unix is user friendly, it's just selective about who its friends are.
... could I use this same trick to put someone else's fingerprints on a gun?
I guess the fingerprints wouldn't be made out of the right stuff, but would it be likely to fool the police?
I propose we make the "bio-hackers" job a bit more difficult. A whole-body print is what is needed to deter these thieves. The only drawback that I can envision is lengthy cloaking and uncloaking process. Not to mention a cold scanner will probably keep out of the stores during the winter months.
In certain venues (such as the Gap and Victoria's Secret) it will make waiting in line a bit more rewarding, while people will probably tend to avert their eyes in the local k-mart. Perhaps the blue-light crew can make a bit of money selling ad space on the ceiling.
Either that or we use retinal scans..... hard to clone eyeballs.
Don't anthropomorphize computers, they don't like it.
It has everything to do with one of the shortcomings of biometrics - a truly effective biometric system would make it impossible to separate the identification from the person identified.
When I got mugged in the Port Authority, I gave the guy my wallet, which allowed him to walk away with my identification. I also got to walk away. If the only way that mugger could get my ID was to blackmail or kidnap me, that's what he would have done; let's face it, a guy who sticks a gun into the face of a stranger and makes demands is obviously not benevolent.
Broaden your mind. The "real world" implications of technology do need to be considered, not just the wiring and production costs. If you refuse to see a problem, you are unlikely to fix it.
Oddly enough, I myself have had an eye gouged out. It feels pretty much like you'd expect.
The eyeball is retained in its orbit partly by the lids and related muscular tissues surrounding it, and partly by the optic nerve. The eyeball is squishy and compressible, though, and the tethering nervous connection is somewhat elastic, so you can pop the eyeball out and (assuming you don't overstretch the tether) it will pop back in without much trouble.
When my eye got gouged out, it popped right back in as soon as the thumb was removed from the socket. I was unable to see or to control the eye for five minutes or so, then it got better. There was very little pain (but that may have been masked by the overwhelming rage the incident provoked in me).
The white of my eye was pure red for a couple of weeks, and green slime continuously dripped from the socket for several days.
The nastiest part of the whole incident was that I lost a contact lens in the tussle (got an earring ripped through my earlobe, too) and the doctor had to pull my eyeball out again to see if the contact was trapped behind it.
"You changed your name _to_ latrine?"
"Yeah, it used to be Shithouse."
"Good change. That's a *good* change!"
Nathan's blog
Except that you are not, you faker. Do you really have confused gender issues or are you just another Spork alias?