Slashdot Mirror


Fun with Fingerprint Readers

Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.

9 of 298 comments

  1. weak is the system based on only a finger by jonbrewer · Score: 4, Interesting

    This certainly doesn't mean that biometrics based on fingerprints should be ruled out.

    Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and PIN should be used for any reasonable authentication.

    Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.

    I'd certainly rather use my finger than my RSA number keychain!

  2. Re:Biometrics by gclef · Score: 5, Interesting

    If a credit card database is compromised, you lose integrity of the card. This means someone else can use the card to impersonate you. But it's a number. You don't really care, since you can get another number and revoke the compromised one.

    On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.

    In general, biometrics are more accurate for authentication, but their failure modes are much more severe.

  3. Starfleet??? by mikosullivan · Score: 3, Interesting

    Were these experiments performed for Starfleet? His presentation logo looks like the Starfleet logo.

    --
    Miko O'Sullivan

  4. Problems with fingerprinting by legLess · Score: 5, Interesting

    There's much debate about whether fingerprints are the primary keys to human identity. Law enforcement has based over 100 years of work on the premise that no two humans, anywhere, ever, have the same fingerprints. Some people say this is hogwash.

    Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.

    More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited the prosecution from testifying that two fingerprints "match." From this article:
    But in 1993, a Supreme Court decision required judges to take a more active role in deciding what scientific evidence to admit. In the case of fingerprints, the so-called "Daubert" guidelines would lead to questions such as: Has the practice of fingerprint identification been adequately tested? What's the error rate? Are there standards and controls?
    The answers, respectively, are "no," "no one knows," and "no."

    I'm home sick and I don't feel like doing more research on this right now. The above links and Google will help if you want to look at it more.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."

  5. Next up... by Wise+Dragon · Score: 3, Interesting

    How to fake retinal scans using mirrored contacts and laser etching. Story on next year's Slashdot.

  6. However... by bani · Score: 3, Interesting

    that won't beat retinal scans which also check for blood flow...

  7. Re:One response pro-biometrics by kabir · Score: 3, Interesting

    Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.

    Yes, they are two different concepts, but you're sort of implying that being able to escape liability isn't important or desirable (from a social, not an individual, standpoint). I think I rather disagree with this.

    Heck, let's take the easy witness protection program that someone else mentioned in this sub thread. Assuming that my biometrics are on file with a bunch of different businesses, agencies, etc. How is it then possible to change my name and disappear? As long as cash remains a viable option then there's the cash only solution, but cash becomes less and less viable every day, though hardly anyone notices. Public prejudice ("who would need/have such a large amount of cash but a criminal?" and other such drivel) are as much at fault as anything else.

    Bottom line is: there is, I believe, value to being able to shed one's identity, and biometrics is completely at odds with that.
    --
    Behold the Power of Cheese!

  8. Re:One response pro-biometrics by JackAsh · Score: 3, Interesting

    You raise interesting points. While there is a need for things like a witness protection program, what is making the system work is that systems have too many fingerprints in store, and there is a finite, highly probable chance that other people share your biometric - it's just that they don't know it. Comparing the minutiae points of two fingerprint samples might give a certain percentage match, but not 100% - A lot of other people (most systems default to 1 in 10000 false acceptance rate) will have a similar fingerprint given a large enough population in a business database. It is also computationally infeasible (most likely) to run a match against all fingerprints in the system once you have a large enough database (of course, this argument falls down with enough computing power and time).

    In any event, as you yourself agree cash is always available as a last resort. And if you truly need a witness protection program I expect the Government will have enough resources to change or wipe your records from at least the databases that matter. Hopefully together with the new ID you'll move far away enough that you won't need to frequent the same businesses you were before (and a nice hello to globalization issues here).

    Yes, I realize there will be problems, but nothing irresoluble with good will and a little bit of effort.

    Think of the advantages on the other hand - Joe Shmoe is behind his child support payments and has skipped state - well, guess what - now you have a good chance of finding that deadbeat and getting him back on plan... And so on for any other number of crimes.

    Look at it this other way. Shedding your ID right now is most likely illegal in some way (note, I said likely - there might be cases and forms in which it can be done legally). And difficult. But it can be done. And people can still track you, with difficulty, but it can be done. This is merely one of those technologies that will make the former harder and the latter easier, but both will still be possible.

    -JackAsh
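
An added worked example, not part of the original thread: the arithmetic behind the false-acceptance figure quoted in comment 8, showing how a 1-in-10000 per-comparison rate behaves when one probe is searched against a whole database. It assumes every template comparison is an independent trial at that rate (a simplification), and all function names are illustrative.

```python
import math

# Constructed sample value: the default false acceptance rate quoted in comment 8.
FAR_DEFAULT = 1 / 10_000


def p_any_false_match(far: float, n_enrolled: int) -> float:
    """Chance that one probe falsely matches at least one of n_enrolled templates.

    Computes 1 - (1 - far)**n via log1p/expm1 so tiny rates do not round to zero.
    Assumption: comparisons are independent and share the same rate.
    """
    return -math.expm1(n_enrolled * math.log1p(-far))


def expected_false_matches(far: float, n_enrolled: int) -> float:
    """Average number of enrolled templates a single probe falsely matches."""
    return far * n_enrolled


def db_size_for(far: float, p: float) -> int:
    """Smallest database size at which a false match has probability >= p."""
    return math.ceil(math.log1p(-p) / math.log1p(-far))


def required_far(target_p: float, n_enrolled: int) -> float:
    """Per-comparison rate needed to keep a 1:N search at or below target_p."""
    return -math.expm1(math.log1p(-target_p) / n_enrolled)


if __name__ == "__main__":
    print("enrolled  P(any false match)  expected false matches")
    for n in (1, 1_000, 10_000, 100_000, 1_000_000):
        print(f"{n:>8}  {p_any_false_match(FAR_DEFAULT, n):>18.4f}"
              f"  {expected_false_matches(FAR_DEFAULT, n):>22.1f}")
    print("database size where a false match is more likely than not:",
          db_size_for(FAR_DEFAULT, 0.5))
    print("per-comparison rate for 1% system-wide error at 1e6 users:",
          f"{required_far(0.01, 1_000_000):.3e}")
```

A 1:1 check against a claimed identity (fingerprint plus username or PIN, as comment 1 suggests) stays at the per-comparison rate, while an open 1:N search degrades with database size.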

  9. Far easier to fake than you think.... by tandoor · Score: 5, Interesting

    I've experimented with a popular fingerprint reader.

    If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate you can fake their print easily.

    Either hold your palm closely over the plate, or breathe gently over the reader. Enough to create enough warmth to simulate a finger.

    With a little practice I could do it over and over. Quite fun giving a demo to security people!