Slashdot Mirror


Fun with Fingerprint Readers

Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.

  1. OLD news by Anonymous Coward · · Score: 2, Interesting

    People were lifting latent fingerprints and using lithography to create fake fingerprint readers a decade ago (although I'm pretty sure they used some sort of plastic latex or silicone or something, makes a lot more sense than gelatin). On national TV no less, the nation being the Netherlands. Our major Airport was using a fingerprint system for VIPs to bypass the passport checks in those days, so it made a nice splash.

    That airport also funded development of an iris scanner they are using at the moment BTW, which is now being licensed to IBM and some others ... fingerprints were tried and rejected a long time ago, why are we still seeing shit like this now?

  2. weak is the system based on only a finger by jonbrewer · · Score: 4, Interesting

    This certainly doesn't mean that biometrics based on fingerprints should be ruled out.

    Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and pin should be used for any reasonable authentication.

    Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.

    I'd certainly rather use my finger than my RSA number keychain!

  3. Re:Biometrics by gclef · · Score: 5, Interesting

    If a credit card database is compromised, you lose integrity of the card. This means someone else can use the card to impersonate you. But it's a number. You don't really care, since you can get another number and revoke the compromised one.

    On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.

    In general, biometrics are more accurate for authentication, but their failure modes are much more severe.

  4. Forget payment systems. I want drive up service! by BenJeremy · · Score: 2, Interesting

    OK, I've worked for years with automotive telematics/AutoPC systems, and here's what I want:

    • Household system handles menus and inventory, identifies the need to get groceries.
    • Using Bluetooth or WiFi, tells car what it needs, and the locations that the goods can be picked up
      NOTE: Locations will be based on best deals, and include E-Coupons and such, as well as projected route
    • Later, on the way home, I'm given choices of places to stop. I choose one, and the groceries are ordered and ready for pickup
    • I stop, the groceries are loaded into my trunk.
    • Using e-tags, the car determines that I got all the stuff I selected
    • within a minute of pulling in, I pull out with my groceries... never left the car!
    • I arrive home. The E-Tags also indicate to the home what I've purchased and updates the inventory


    Painless, quick, and efficient. That's how grocery stores should operate. Forget fingerprint scanners. Eliminate the long checkout lines, crowded aisles, and rude people.

  5. Starfleet??? by mikosullivan · · Score: 3, Interesting

    Were these experiments performed for Starfleet? His presentation logo looks like the Starfleet logo.

    --
    Miko O'Sullivan

  6. Problems with fingerprinting by legLess · · Score: 5, Interesting

    There's much debate about whether fingerprints are the primary keys to human identity. Law enforcement has based over 100 years of work on the premise that no two humans, anywhere, ever, have the same fingerprints. Some people say this is hogwash.

    Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.

    More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited the prosecution from testifying that two fingerprints "match." From this article:
    But in 1993, a Supreme Court decision required judges to take a more active role in deciding what scientific evidence to admit. In the case of fingerprints, the so-called "Daubert" guidelines would lead to questions such as: Has the practice of fingerprint identification been adequately tested? What's the error rate? Are there standards and controls?
    The answers, respectively, are "no," "no one knows," and "no."

    I'm home sick and I don't feel like doing more research on this right now. The above links and Google will help if you want to look at it more.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."

  7. It's good he's Japanese by aaandre · · Score: 2, Interesting

    In the US he might be sued for reverse engineering practices by the security companies.

  8. Re:Signatures by Beryllium+Sphere(tm) · · Score: 2, Interesting

    >How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?

    That is an insightful question.

    It points to how to implement a reasonably good fingerprint system.

    "Most financial transactions" require both a signature and a revocable token. If your checkbook or credit card is stolen you call up the bank and report it, and then you're off the hook (theoretically) when someone forges your signature.

    A good system would need to combine the fingerprint either with a revocable token (e.g. thumbprint your Mastercard) or with a PIN.

    Your grocery store may already have stuck you with a frequent shopper card, required to get their best prices. Combining one of those with a fingerprint scanner and a good revocation policy might work.

  9. Next up... by Wise+Dragon · · Score: 3, Interesting

    How to fake retinal scans using mirrored contacts and laser etching. Story on next year's Slashdot.

  10. However... by bani · · Score: 3, Interesting

    that won't beat retinal scans which also check for blood flow...

  11. Tests I've done with biometric readers by Anonymous Coward · · Score: 2, Interesting

    After working with biometric readers for quite some time, I won't mention names, but the most "awarded" biometric reader in the world can be tricked by simply blowing on it. Yes, blow warm moist air on it. The heat/moisture of the breath and the "residue" of the previously scanned finger tricks the reader into thinking it's a "live" finger. So faking the last user of the reader is a piece of cake. I've tested this thoroughly, lots of fingers, lots of people, works a treat.

  12. Re:One response pro-biometrics by kabir · · Score: 3, Interesting

    >Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.

    Yes, they are two different concepts, but you're sort of implying that being able to escape liability isn't important or desirable (from a social, not an individual, standpoint). I think I rather disagree with this.

    Heck, let's take the easy witness protection program that someone else mentioned in this sub thread. Assuming that my biometrics are on file with a bunch of different businesses, agencies, etc. How is it then possible to change my name and disappear? As long as cash remains a viable option then there's the cash only solution, but cash becomes less and less viable every day, though hardly anyone notices. Public prejudice ("who would need/have such a large amount of cash but a criminal?" and other such drivel) are as much at fault as anything else.

    Bottom line is: there is, I believe, value to being able to shed one's identity, and biometrics is completely at odds with that.
    --
    Behold the Power of Cheese!

  13. Volunteers for finger donation test? "No"... by wherley · · Score: 2, Interesting

    a recent email response from a rep for the Authentec line of fingerprint scanners regarding use of their scanner via a "stolen" finger:
    ... "I checked into your question regarding the fingerprint scanner. The fingerprint scanner requires a live layer of skin to work. A finger that has been cut off will still be "live" for a certain period of time and will therefore work in the scanner. The actual time frame has not been determined as no one has volunteered to be a test subject." ...

  14. Re:More than $10... by Anonymous Coward · · Score: 1, Interesting

    >But most crooks prolly aren't going to be that desperate

    It depends on how much money is involved. In airports, people would actually work in teams to steal your ATM card & your pin number. They also did this for phone cards. Chances are, if you attempt to throw another mild hurdle at them, like needing a fingerprint, they will get that too.

    If these people are serious they could make fake driver license and pass them off. Evidently from this article, it is easier to fake a fingerprint than it is a driver license (at least in the State of Virginia).

  15. Re:One response pro-biometrics by JackAsh · · Score: 3, Interesting

    You raise interesting points. While there is a need for things like a witness protection program, what is making the system work is that systems have too many fingerprints in store, and there is a finite, highly probable chance that other people share your biometric - it's just that they don't know it. Comparing the minutiae points of two fingerprint samples might give a certain percentage match, but not 100% - A lot of other people (most systems default to 1 in 10000 false acceptance rate) will have a similar fingerprint given a large enough population in a business database. It is also computationally infeasible (most likely) to run a match against all fingerprints in the system once you have a large enough database (of course, this argument falls down with enough computing power and time).

    In any event, as you yourself agree cash is always available as a last resort. And if you truly need a witness protection program I expect the Government will have enough resources to change or wipe your records from at least the databases that matter. Hopefully together with the new ID you'll move far away enough that you won't need to frequent the same businesses you were before (and a nice hello to globalization issues here).

    Yes, I realize there will be problems, but nothing irresoluble with good will and a little bit of effort.

    Think of the advantages on the other hand - Joe Shmoe is behind his child support payments and has skipped state - well, guess what - now you have a good chance of finding that deadbeat and getting him back on plan... And so on for any other number of crimes.

    Look at it this other way. Shedding your ID right now is most likely illegal in some way (note, I said likely - there might be cases and forms in which it can be done legally). And difficult. But it can be done. And people can still track you, with difficulty, but it can be done. This is merely one of those technologies that will make the former harder and the latter easier, but both will still be possible.

    -JackAsh
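
Added example, not part of any comment in this thread: the arithmetic behind the false acceptance rate mentioned in comment 15, assuming every comparison against another person's template falsely accepts independently at the quoted 1 in 10000 rate. It contrasts a 1:1 check against one claimed identity (the record picked out by a card or PIN, as comments 2 and 8 propose) with a 1:N search of a whole database; all function names are illustrative.

```python
import math

# Assumption: the "1 in 10000" false acceptance rate quoted in comment 15,
# applied independently to each comparison with someone else's template.
FAR = 1e-4


def p_false_accept(n_templates, far=FAR):
    """Chance a probe print falsely matches at least one of n_templates
    enrolled prints that belong to other people."""
    return 1.0 - (1.0 - far) ** n_templates


def expected_false_matches(n_templates, far=FAR):
    """Average number of other people's templates a probe print matches."""
    return n_templates * far


def smallest_db_for(target_p, far=FAR):
    """Smallest database size at which a 1:N search produces a false
    match with probability of at least target_p."""
    return math.ceil(math.log(1.0 - target_p) / math.log(1.0 - far))


def per_comparison_far_for(n_templates, system_far=FAR):
    """Per-comparison FAR a 1:N search would need so that the search as a
    whole still falsely accepts only system_far of the time."""
    return 1.0 - (1.0 - system_far) ** (1.0 / n_templates)


if __name__ == "__main__":
    # n = 1 is the token-or-PIN case: one comparison against one record.
    for n in (1, 1_000, 10_000, 1_000_000):
        print(f"N={n:>9,}  P(false accept)={p_false_accept(n):.4f}  "
              f"expected false matches={expected_false_matches(n):.1f}")
    print("database size for a 50% false-match chance:", smallest_db_for(0.5))
    print("per-comparison FAR needed at N=10,000:",
          f"{per_comparison_far_for(10_000):.2e}")
```

With a claimed identity the error rate stays at the per-comparison figure; without one it grows with the number of enrolled people, which is why the second factor matters for more than revocation.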

  16. Far easier to fake than you think.... by tandoor · · Score: 5, Interesting

    I've experimented with a popular fingerprint reader.

    If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate you can fake their print easily.

    Either hold your palm closely over the plate, or breathe gently over the reader. Enough to create enough warmth to simulate a finger.

    With a little practice I could do it over and over. Quite fun giving a demo to security people!