Slashdot Mirror


Fun with Fingerprint Readers

Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.

4 of 298 comments

  1. weak is the system based on only a finger by jonbrewer · · Score: 4, Interesting

    This certainly doesn't mean that biometrics based on fingerprints should be ruled out.

    Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and PIN, should be used for any reasonable authentication.

    Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.

    I'd certainly rather use my finger than my RSA number keychain!

  2. Re:Biometrics by gclef · · Score: 5, Interesting

    If a credit card database is compromised, you lose integrity of the card. This means someone else can use the card to impersonate you. But it's a number. You don't really care, since you can get another number and revoke the compromised one.

    On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.

    In general, biometrics are more accurate for authentication, but their failure modes are much more severe.

  3. Problems with fingerprinting by legLess · · Score: 5, Interesting

    There's much debate about whether fingerprints are the primary keys to human identity. Law enforcement has based over 100 years of work on the premise that no two humans, anywhere, ever, have the same fingerprints. Some people say this is hogwash.

    Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.

    More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited the prosecution from testifying that two fingerprints "match." From this article:
    But in 1993, a Supreme Court decision required judges to take a more active role in deciding what scientific evidence to admit. In the case of fingerprints, the so-called "Daubert" guidelines would lead to questions such as: Has the practice of fingerprint identification been adequately tested? What's the error rate? Are there standards and controls?
    The answers, respectively, are "no," "no one knows," and "no."

    I'm home sick and I don't feel like doing more research on this right now. The above links and Google will help if you want to look at it more.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."

  4. Far easier to fake than you think.... by tandoor · · Score: 5, Interesting

    I've experimented with a popular fingerprint reader.

    If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate, you can fake their print easily.

    Either hold your palm closely over the plate, or breathe gently over the reader. Enough to create enough warmth to simulate a finger.

    With a little practice I could do it over and over. Quite fun giving a demo to security people!