Mouse Scans Palms to Verify ID

p00kiethebear writes "'Fujitsu is eyeing a variation on the centuries-old art of palmistry as the latest biometric weapon against unauthorized access to computer systems and facilities. The company has developed a computer mouse that will scan the palm of the user and deliver not a look into the future but verify the identity of that person.', With a .5% error rate I wouldn't be surprised if we saw this in offices within the next few years."

Slashvertisement?

[Speare]

There've been thumb-reading mice for a while now. google: thumb biometric mouse This isn't news, it's another slashvertisement.

Yawn.

Re:Slashvertisement?

[Jeremiah+Cornelius]

Here's the good part.

The thing attaches to an ordinary PS/2-style mouse port. That's a secure channel!

So anybody who can land a trojan on the box, can easily capture the valid auth dialogue with the device...

It wouldn't be too tough to have a bogus "print" stored electrically, and rep[lay it either from the actual port, or read from a location in memory.

Re:Slashvertisement?

[Jeremiah+Cornelius]

Actually, now I think of it, there is a HUGE contact area on this thing! Must leave a great print on the reading surface! What an opportunity for capturing palm-prints for forging access.

Re:Slashvertisement?

[Idarubicin]

Must leave a great print on the reading surface! What an opportunity for capturing palm-prints for forging access.

Actually, that's one improvement that this system has over the easily-fooled fingerprint based systems. Since this system uses reflectance measurements from the palm that are affected by deep structures (veins), the palm print left on the mouse won't do a potential cracker any good.

That said, I suspect that the system really isn't worth the trouble. Other posters have noted that the mouse connects to an ordinary PS2 port, so there's an opportunity for a spoof right there. And the 0.5% error rate sounds good--but only if those are all false negatives. If the system is misidentifying users 0.5% of the time for a database of 700 users, then there will be a truly embarrassing failure rate in a corporation of, say, ten thousand users.

Re:Slashvertisement?

[boskone]

Best practices in security would dictate that this is just part of a strong authentication scheme. I would require users to still use login/password. The chances of the reader misreading and having someone's user/pass is very remote.

Theoritically, someone could record someone's palm print inline on the ps/2 port, and watch them type their user/pass, then come back later with the spoofing device containing the correct responses to hook inline to the ps/2 port again and log in as that person. But you're talking about a BIG operation to pull this off, plus a lot of chances of getting caught. (you have to physically access their computer twice, PLUS somehow get their user/pass).

I think it could have a use, but it will need to be integrated into NDS/AD elegantly for it to catch on in the enterprise. And it must be low hassle to implement.

Re:Slashvertisement?

[Idarubicin]

Of course, since we have physical access to the machine anyway, we might as well install a keystroke logger as well as record the authentication from the mouse...

I guess it comes back to what we already knew--as soon as someone has unfettered physical access to a machine, it's security is effectively compromised.

You want to limit access to a computer? Put it in an office. And lock the door. Know who has keys. Audit those keys.

Re:Slashvertisement?

"The chances of the reader misreading and having someone's user/pass is very remote." Read up on your Schneier. There are 3 types of security--something you have (smartcard), something you know (PIN), and something you are (biometric). The best security should use all 3, like NYSCEDII. And then you should plan on your Ultra Secure System(tm) being compromised. Because sooner or later, it will be. Posting anonymously because this is probably Redundant.

heh....

[bdowne01]

A lot of good that does from keeping someone from typing 'rm -rf *'. :)

Re:heh....

[IchBinEinPenguin]

Keyboard?
Who needs a keyboard with voice type and a 17-button mouse (with 3 scroll-wheels)

Wash your hands

[theefer]

Now you'll eventually have a reason to wash your hands : if you don't, you won't have access to the computer !

Mom's gonna be happy ...

Re:Wash your hands

[willum448]

Sorry mom, only one hand must be washed.

The Switch

[espionage_7]

Well I would just switch out the mouse with one of my own =)

Re:The Switch

[EvanED]

Then you wouldn't be autheticated and wouldn't be able to log on.

.5%?

.5% Error Rate means if 1 million people use it, 5000 are going to have errors. That makes it pretty significant. If that half a percent get locked out completlely or half a percent get can get onto other computers without being the right person, then there are still issues to be worked out before it's used widespread.

Re:.5%?

[The+Whinger]

Or it means that it gets it wrong 5000 times in 1 million. If it locked me out, and I retried and got in ... then there is no problem with a 0.5% error.

Why a mouse?

[Pyromage]

Why use a mouse? I mean, mouses are subject to so much wear and tear that the sensors and lenses have to be real beaten on. I don't see a reason not to have a palm-checking USB device instead.

Something just used for recognition would seem to be a bit more practical. Cheaper because size wouldn't be a significant factor, and also it'd be easier to lock down against theft.

But a mouse is just asking for trouble. Its got a .5% error rate when clean, but what about when six months old, sweaty, covered in coke, chips, and bodily fluids and has been used for 8 hours a day for the last half year?

A mouse is a bad idea.

Re:Why a mouse?

[Scrameustache]

what about when six months old, sweaty, covered in coke, chips, and bodily fluids

Jeez, I'd hate to shate a machine with you! :- )

Re:Why a mouse?

sweaty, covered in coke, chips, and bodily fluids and has been used for 8 hours a day for the last half year

Are we still talking about a mouse here?

Re:Why a mouse?

[Calvinhood]

Because using a mouse you can make the scanning process completely transparent to the user. Heck, hide it well enough, and they don't even have to know about it.

This could be useful because you now have a way to actually catch unauthorized people trying to get into your system instead of simply keeping them away. Consider this scenario: For whatever reason, Joe Evil manages to get to a computer that's logged on to a network that contains sensitive information. Gleefully, he sits down and uses the mouse to open up windows explorer and starts looking for a client list or something. Meanwhile, the mouse has detected that this person isn't authorized to be on the system, so it's notified security and also loaded a system image that contains totally bogus data for Joe to explore. Joe has no idea that he's accessing false data or that two hulking brutes from security are on their way to have a...discussion with him.

According to Fujitsu PR...

[jbbernar]

According to Fujitsu's PR, they're guessing that they can achieve a 5% equal error rate -- they actually identified all 700 correctly.

Of course, this tells us nothing about how easily fooled the system is. Considering the recent success of a Japanese researcher in breaking fingerprint systems, I wouldn't trust this for a second.

Re:According to Fujitsu PR...

[dattaway]

Just don't get a papercut. Your hands are now the key to get your work done. And don't use doorknobs. Don't want people duplicating your key.

I wouldn't be surprised

[uberstool]

If we saw people eating Jello in offices

Have they not heard of the birthday attack?

[JanMark]

In the article it states that Fujitsu conducted an experiment identifying a number of palms out of 700 palms and the system had an error rate of 0.5 percent.
It does not state what kind of errors were made. Failing to identify a palm or, confusing two palms. In the latter case, the error rate goes up dramatically with the number of palms in the database.

Why?

[gleffler]

When other 2-factor systems are much cheaper and more portable (think "This system doesn't have your palm, you can't use it"), why would someone WANT a biometric, palm-scanning whizbang mouse? RSA SecurID (keychain with a changing number, synchronized to a login controller) is a much better solution because it's got client software for many OSes, you can login to any machine that's set up properly just with the fob, and it doesn't freak people out like a palm-scanning mouse will, IMO.

Not used

[SlamMan]

Anybody think this'll actually get used very often? IN a wolrd that values simplicty of security, I doubt I'll ever work in a place that uses these. Not because I don't value security, but because I doubt the comapany would enough to employ these.

Re:I can see it now...

[Cyno01]

most biometric scanners can compensate for small temorary differences, if 95% of your hand still matches the file your ok, so small cuts are no big deal, if however you spilled acid on your hand or something, that'd be a different story

Issues with Practicality

[neurostar]

I personally am not in favor of biometric protection devices. Even if they are 100% effective and never make mistakes reading, I do not feel that they are a wise choice.

Bruce Schneider wrote a good column about biometrics here. I don't like the fact that some biometrics are very easy to steal. This means that once someone discovers your biometric "password" they can use it anywhere because you can't change your password.

So I personally would be wary about having too much faith in such a device. /p neurostar

Re:Issues with Practicality

[JoeBuck]

To paraphrase Schneider: if someone steals your palmprint (for example, by getting a print off a surface that you touched and making a duplicate good enough to fool the scanner), where do you go to be issued a new palm?

Biometrics are ok if they are only part of what you need to get into the system (e.g. the right fingerprint plus the right password).

Re:What good will this do?

[EvanED]

From my reading of the article, this'll be pretty much a replacement for the login passwords. So you don't have a valid print, you can't use keyboard shortcuts.

Fault tolerance?

[Dirtside]

Let's hope they don't try and use this for verifying your age on porn sites. "SCANNING... *BZZT* ERROR. PALMS TOO HAIRY TO SCAN." :)

Easy to fool?

[idiot900]

Dan's Data did an interesting review of fingerprint scanners. Apparently they (well, that particular one anyway) are remarkably easy to fool - using jelly.

Personally, I'm happy with passwords - you can change those...

the future

[JDizzy]

Gosh, why don't they just embed a smart card under the skin in or around the palm area. I mean, what is to prevent me from beating up the guy with the palm this mouse system wants to use, and then forcing his hand ont he mouse to circumvent the security system? Besides, who uses a mouse in VI anyways. Real men just yank and paste lines with YY/P commands. Oh wait, thats right... the drivers for this only work in Windoze!

the question is...

[carpe_noctem]

Will someone write an application for this mouse to read your palm? That would be a nice touch each morning when checking the 'ol inbox.

Re:the question is...

[silverhalide]

It'll be a good update to the popular "fortune" program!

Fortunes

[Devil's+BSD]

'The company has developed a computer mouse that will scan the palm of the user and deliver not a look into the future but verify the identity of that person.'
Well, if someone were to rewrite fortune for this, you would have a customized one every time you logged on!

Solving the wrong problem

As it stands, the system of using passwords to prove identity is the best-working piece of the whole security puzzle. I'm not defending passwords; they are crappy and easy to "engineer". My point is that the rest of the security situation is worse off than that.

Most of the security threats people have to worry about in the real world have to do with attacks that bypass authentication entirely (most buffer overflows), or that trick valid users into doing stupid things (most viruses), or that hijack the software valid users run into doing their bidding (most viruses and worms).

Go over all the high-profile security issues of the past year. How many of them would have been mitigated by using biometric authentication instead of passwords? Few, if any. I'll bet 99% of the Klez E-mail I get has its true origin in a valid, properly authenticated user.

Sounds inconvenient

[God!+Awful]

Hey Bob, can you show me how to use this new app? Oh wait, I guess you'll have to tell me how to use it. Actually, this sucks... let's just go to your computer.

I wonder if what they'll do about my laptop mouse.

-a

Re:I can see it now...

[Dark+Lord+Seth]

Then again, if you're as stupid as to spill some extremely aggresive acid on your hand, (most acids commonly available aren't aggresive enough to radically change things) not actually clean it off, endure agonizing pain in the process of letting it disfigure your hand, manage to hold a mouse with your disfigured hand and then finally wonder why it doesn't work, one shouldn't be allowed to use a computer to start with.

$5 cameras in "look-back" monitors

[peter303]

Almost all computer users look at monitors. So put thoses inexpensie LCD cameras in monitors and do a face scan. Less engineering than a mouse.

Eczema sufferers will love this (not)

[charlie]

Like a rather large number of people, I have atopic eczema. This means that patches of my skin get red, sore, and swollen, then subsequently dry out and turn flaky and opaque before falling off. It's unsightly, sometimes painful, and itches like hell -- but it's not infectious. Nor is it curable. (Spot the "opaque" bit. That's important, in the context of this gadget.) The only treatments we've got for it are palliative, and it can be triggered by stress, allergies, or other environmental. factors. Finally, just for fun, one of the commonest parts of the body to be affected is ... the palm of the hand.

So now a visible percentage of the population are now going to be intermittently locked out of their computers by a stress-related illness. Isn't technology great?

Re:Eczema sufferers will love this (not)

[ShooterNeo]

Dude, the whole purpose of biometrics is NOT to increase security (while it might stop password guessing as an attack there are tons of ways to get past it). Its to reduce tech support costs because people forgot their password. As long as you use a reasonably strong password you have JUST AS GOOD of security as biometric scanning.

How long before...

[mbogosian]

So how long before someone writes a linux driver for it?

i don't trust the 5% error rate

[lingqi]

probability will indicate this scheme will fail at the rate of about 1.2 times a year on average -- assuming 250 working days and you only authenticate once per day. however -- if this was really implemented, people will probabbly time out after 15 minutes / out to lunch / in meeting / whatever; so it will fsck up probabbly every month or so. i dunno -- just seem like passwords are so much more reliable.

Reliability of biometric testing

[_Spirit]

An article in c't (www.heise.de) a while back really opened my eyes as to how immature biometric testing still is. They managed to fool every system they tested (fingerprints and irisscan).

The companies selling this stuff are really pushing this as 'secure' and the way the media are raving about this, I imagine a lot of ppl are fooled by this.

Even when the system itself wouldn't be easily fooled I would hate to see what happens if people start bypassing this in hard/software. You would have to have physical protection of the hardware to avoid bypassing the scanner and have very ingenious software to make this secure.

Not really that secure...

[JohnnyCannuk]

See this Counterpane article from May.
Seems to me the sOme common gelatin trick would work here as well...you just need more of it.

Another issue that this may create - the chopping off of hands. Think about this...in the early 90's insurance companies tried to reduce their car theft losses by encouraging the use of car alarms and passive security measures (eg, only your key will unlock the steering column). The result...lower incidence of car theft..sort of. While noone now breaks into and steals a car parked on the street, the incidence of "car jacking" or the violent theft of a running car from the owner at gun point. More often than not this results in serious physical harm or evenb death to the car owner. That almost never happened in the "old days" before car alarms.....

So this may, for access to the right kind of data, encourage the kidnapping of perwsons, the "removal" of a hand, and the making or a "hand cast" as in the article (a whole hand print is much harder to come across than a single fingerprint)to use to circumvent this "cool" mouse...

So, be careful what you wish for....

Re:What good will this do?

[packeteer]

NO IT CANT... god you dont know ANYTHING... jesus christ why dont you actually READ the article before you post about it. how would you feel if you submitted a story like that and people such as YOURSELF started posting threadcrapping BULLSHIT like you just did.

0.5%

[Cryptnotic]

Is that 0.5% rate the "false positive" or "false negative" error rate? If it is a false positive rate, then that means 1 in 200 times, the wrong person will be allowed access. That is much worse than the false negative, i.e., 1 in 200 times the correct person will have his authentication fail.

1 in 200 error rate? That's not good!

[skoda]

[i]With a .5% error rate I wouldn't be surprised if we saw this in offices within the next few years[/i] A 1/2% error rate is a 1 in 200 error rate. That's not very good. That means you could walk through a large office and have a fair chance of being falsely recognized by the id system.

Remember the hoax about ID chips in palms?

[dpbsmith]

Remember that hoax a couple of years ago about a company that was going to implant ID chips in the palm of everyone's right hand, readable by the mouse to authenticate online purchases... ...intentionally recalling the passage in the Book of Revelations, "And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name?"

Question

[sharkey]

Will excessive hair growth interfere with the readings?

USB _good_?

[mmol_6453]

Well yeah.

Finally, there's a convenience involved in various devices on the USB tree not being able to communicate with each other without relaying through the computer.