Biometric Face Recognition Exploit
clscott writes "A researcher
at the U. of Ottawa has developed an exploit to which most
biometric systems are probably vulnerable.
He developed an algorithm which allows a fairly high
quality image of a person to be regenerated from a
face recognition template. Three commercial face rec.
algorithms were tested and in all cases the image could
masquerade to the algorithm as the target person.
Here are links to a
talk
and a
paper.
Unfortunately, biometric templates are currently considered
to be non-identifiable, much like a password hash.
This means that
legislation gets passed to require
hundreds of millions of people to have their biometrics
encoded onto their passports. This kind of vulnerability
could mean that anyone who reads these documents has access
to the holder's fingerprint, iris images, etc."
(P.S. Please no replies from humor-impaired folks.)
Personally I use BioPassword for authenticating my workstation using keystroke recognition, so I seem to be safe from the exploit as yet; holding an image up to a computer seems like it would require considerably less effort than attaching a PS2 device that typed at exactly the correct rate. Nonetheless, I wonder if this discovery will prompt the redesigning of the way user data is stored across the biometric spectrum, going as far as the oft considered-foolproof keystroke systems...
maybe i should extend my tin-foil hat to a tin-foil facemask and a pair of shiny gloves... that way they'll never recognise me!
...doesn't work worth a damn anyway. Other forms of biometric authentication are much more reliable.
I'm glad to know that someone legit found this out before it got into the hands of those evil terrorists. Seriously, it's great that these kinds of things are being discovered now. It just goes to show that no matter what, things can be hacked/bypassed/etc somehow.
Sometimes we give criminals too much credit. Again, if it's someone that can go through all three of those, they were going to get past the toughest of Indiana Jones hurdles.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
Am I understanding correctly that the systems return a score that reflects your % accuracy? Cool, so it's just a game of digital hot/cold. This sounds like a promising technology but honestly, how does the implementation get screwed up so badly.
-palewhitemale
The fallibility of biometric systems has been widely known since a scientific expose was released on the topic no less than five years ago.
You'll notice that the data is insecure so much as the database the biometric information is stored in is protected.
/. has sure been good at wasting my time with useless news lately.
All they're saying is that if they have access to that information, they can generate something that can authenticate against it. (DUH!)
The moral of the story is that if you don't want someone to pretend to be Bob's face, don't give anyone access to the database that has the information on what Bob's face looks like to the biometric scanners.
-- People who hate Windows use Linux. People who love UNIX use BSD.
So this means that spotty, streaky photo of me (or is it a dog .. a wombat maybe?) on the back of my CostCo membership card isn't safe! Just about anyone could march in the door, past their rigorously trained staff and buy Boca Burgers for half off!
Someone showed me a fake driver's license made by a "novelty" company. The only distinguishable difference was a missing apostrophe in the text on the reverse. It had holograms and everything. Thoughtfully, the company stated, "This is only for amusement value, illegal to use as ID", etc. Yeah, that should cover it.
A feeling of having made the same mistake before: Deja Foobar
http://www.cs.wisc.edu/~ghost/
(btw, I don't work for Sun)
A Java Card would allow you to store information (in this case biometric data) in a way that the data could be used in some sort of transformation but the original data is protected.
Were biometric data to be included on Passports, I see no better way to store it than in a Java Card. Portions of the biometric data analysis could be offloaded onto the Java Card itself, until an acceptable and mutual balance of trust and distrust can be achieved between the biometric processing algorithms and the data on the Java Card. In this way the biometric data is never exposed directly to the outside world, so one need not worry about it getting leaked to the "bad guys" even if your passport were stolen.
I've been curious about these databases and how they work. They have to take the images and process them, presumably into some sort of n-tuple. And then they database that.
But how will they handle changes? I mean, people will probably figure out how the recognition works, and learn how to trick it. If you know the scheme, it probably wouldn't be too hard.
If they have a giant database of these n-tuples, generated from photos, will they have to recrunch every photo in the db when they want to improve the system, or respond to holes that emerge? I guess they'll have a lot of computer power, so it's probably not too bad.
The thing that worries me about this stuff is the possibility that the crooks and terrorists will be able to defeat it trivially, but the average citizen will be tracked everywhere he or she goes.
**Guy snooping on a girl sunbathing**
Want to snoop on your neighbor?? Want to trespass?? Want to know if there are Aliens at Area 51???
GET YOUR OWN BIOMETRIC FACE MASTER TEMPLATE. Guaranteed to *FOOL* all Biometric Scanners. Get the *NEW* and *IMPROVED* BIOMETRIC FACE MASTER TEMPLATE from X10. It will even fool our OWN SECURITY CAMERA!!! Our NEW special offer, buy one BFMT and get PRE-APPROVED Bail for FREE (good for 5000 dollars) ORDER NOW!!!
Unfortunately, biometric templates are currently considered to be non-identifiable, much like a password hash. This means that legislation gets passed to require hundreds of millions of people to have their biometrics encoded onto their passports.
Those two statements seem to be contradictory. If biometric templates are considered to be "non-identifiable" (much like lie-detector tests are inadmissible in court due to unreliability), why would legislation be passed to require them to be used in passports? A United States passport is often considered the most reliable form of identification for a U.S. citizen. I don't see why the government would risk compromising the passport's reliability by incorporating into it a supposed "unreliable" technology.
Unlike all the *other* problems with biometrics, like false positives/false negatives/gelatin sheet spoofing, showing the camera a photograph, etc., this one seems like it should be easy to solve: don't store the biometric data, instead, treat it like a password and store a cryptographic hash of it instead.
How many of us actually HAVE passports anyways? Last time I checked, you didn't need a passport to fly within the US, to buy a car, to rent a movie...big deal I say.
As of 10/06/03, I hate COBOL developers.
I'm not sure if it's possible, since the face-recognition data probably has to be "fuzzy". But if there's any data that is exact, you could just hash that.
Software sucks. Open Source sucks less.
From TechTV
He will be in the position of being assumed guilty because everyone knows that biometrics don't lie and are completely infallible. Thanks to legislation like the DMCA, no one will testify that the systems are, indeed, very easy to compromise. It'll be illegal to talk about those aspects of security. Not that the law has ever stopped the black hats...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
With this kind of technology (biometrics), the need for passport should be eliminated, right?
A machine should look into you eye and make sure you are genuine, eliminating the need for a passport.
New year Resolution: Don't change sig this year
Means you can't identify a fake, starting from scratch, that gives a valid match to the "template". Only, now, turns out that you can after all.
"Time Cube proves a 1 face god impossible, due to 4 corner face metamorphic human - baby, child, parent and grandparent faces."
"There is no teacher but the enemy."-Mazer Rackham
Anyone who has done work on computer vision would have guessed this to be so. What would interest me is in how it would be possible to exploit the algorithms, i.e., how bad of a picture can you get away with? Certain images that might not look anything like a face to you or me will quite possibly be able to fool the system.
The passport angle is probably a red herring though. The unreliability of photo identification is already known. Identity theft is simple and easy. Hell, here in New Mexico, we've already been the first state to accept 'Matricula Consular' cards as valid ID for driver's licenses. Matricula Consular cards, of course, are given out by Mexican embassies to undocumented Mexicans living in the US. By 'undocumented,' I mean illegal, of course. Check out the immigration reform site www.vdare.com for some more information on the subject.
While this is an interesting exploit, the sky isn't falling. Any and all biometric systems can be exploited, and in similar ways.
However, for this particular exploit to affect passport security and the like, the entire system would have to be automated, so that there would be no one to notice the perpetrator was holding a photo of someone else in front of his face as he walked by.
To guard against exploits like these in totally automated systems, the data that is fed into the matching system should be digitally signed, so that it is clear where the data is coming from
(e.g. a real fingerprint sensor, etc.).
Even so, a fake face or a fake finger can indeed spoof many biometric systems. Luckily, border crossings and airport security have humans in the loop to prevent these kinds of exploits (or to accept bribes to allow them!).
There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant - a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.
Douglas Adams
Mostly Harmless
You don't understand what the article is talking about. When you enroll in a biometric system, the system itself -doesn't- match based on your picture, but on a 'template' which is created by taking your standard data and performing certain destructive operations to arrive to a much smaller 'template' which can still be used to identify you.
This is very similar to the one-way hashing that happens with unix passwords, only that in this case the hashing is 'lossier' so you have 'confidence scores' instead of a black/white answer.
The article shows that given this 'hashed' value you can recreate an image that has a good chance of not only being authenticated by the same system/algorithm (which already should be very hard, given the one-way nature of the templatization) =BUT= also by different systems!
It also is really interesting how if you have access to the 'confidence score' outputted by the recognizer, you can take arbitrary images and blending/averaging them again come up with an image that works.
This is definitely not useless news and will have quite some implications.
-- the cake is a lie
Make the cameras use x-ray backscattering (as in the earlier story today) of your face. Then in order to spoof the system, a printout of your picture (generated from the hash or not) would not work -- you'd have to build something that recreates your x-ray backscatter and show that to the camera. (I'm assuming that would be much more difficult, like making a sculpture out of meat or something -- anyone in the know wish to shoot down my theory?)
Of course, then there's the issue of getting x-rayed in the face every time you walk in the door...
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
A photo of the person held up to the facial recognition camera passes the test?
Personally I use BioPassword
Here's something i've wondered about situations like this..
So you're saying that out of fear that someone will get hold of your password, you've set up your computer to allow or reject your access based on the hard-to-mimic natural typing pattern that you use to enter the password.
What happens if you break your hand?
This isn't such a big deal for face recognition systems, because face recognition systems suck at identifying people anyway. Why? First a little terminology:
With any biometric matcher you have to define a match "tolerance", which defines how close a pair of templates (usually one from a database and one from a livescan) have to be before they're considered to be a match. Set this tolerance too "loose" and you get lots of false positives (matches that shouldn't match), set it too "tight" and you get the opposite, false negatives. The tolerance setting where you get roughly the same number of errors each way is called the equal error point, and the error rate is called the equal error rate (abbreviated ERR for some unfathomable reason).
Well, all current face recognition systems have an ERR that is too high to be useful in nearly any situation, even when used for identity verification, as opposed to the much-harder problem of identification (verification: I say I'm Bill Gates, and the system agrees; identification: The system says I'm Bill Gates, not RMS or anyone else). It's possible that in the future this will change, of course.
However, this doesn't really matter because we already have ready access to an excellent and very widely available face recognition system: the Mark I eyeball. Millions of years of evolution have made people extremely good at identifying and matching human faces. What people aren't so good at (with notable exceptions) is matching a face against a database of thousands of faces they've seen only once, and *that* is something that face recognition systems can do extremely well. They may not be able to decide which faces are a "match", but they can do an excellent job of finding the *closest* faces, which can then be reviewed by the super-duper face-matching algorithm contained in the average person's head.
When automated face recognition is used in that sort of context, spoofs like this one are unlikely to be very useful; if you want to impersonate someone you'd better get a face that's good enough to fool another human. It's doable, certainly, but much harder. And holding a laptop screen in front of your face is likely to raise some suspicions.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
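The tolerance trade-off described in the comment above, worked through on numbers. This is an added example, not part of the thread: the score lists are constructed, "score at or above the threshold means match" is an assumed convention, and the identification estimate assumes independent comparisons.

```python
# Constructed similarity scores (0 = nothing alike, 1 = identical).
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.77, 0.72, 0.68, 0.61, 0.55, 0.47]   # same person
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.36, 0.42, 0.49, 0.53, 0.58, 0.66]  # different people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) at a match threshold.

    A comparison is accepted as a match when its score is >= threshold.
    """
    false_pos = sum(s >= threshold for s in impostor) / len(impostor)
    false_neg = sum(s < threshold for s in genuine) / len(genuine)
    return false_pos, false_neg


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a candidate threshold.

    Returns (threshold, false_pos, false_neg) where the two rates are closest,
    which is the equal error point the comment describes.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fp, fn = error_rates(t, genuine, impostor)
        if best is None or abs(fp - fn) < abs(best[1] - best[2]):
            best = (t, fp, fn)
    return best


def identification_false_match(false_pos_rate, gallery_size):
    """Chance that at least one wrong gallery entry matches a probe.

    Verification is one comparison; identification repeats it against the
    whole gallery, so the per-comparison rate compounds (independence assumed).
    """
    return 1.0 - (1.0 - false_pos_rate) ** gallery_size


if __name__ == "__main__":
    print("loose  (0.40):", error_rates(0.40))   # many false positives
    print("tight  (0.70):", error_rates(0.70))   # many false negatives
    print("equal error point:", equal_error_point())
    for n in (1, 100, 1000):
        print(f"gallery of {n}: P(false match) =",
              round(identification_false_match(0.01, n), 4))
```

Even a 1% per-comparison false positive rate makes a false match against a gallery of 1000 nearly certain, which is why identification is the harder problem and why ranking candidates for human review is the more defensible use.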
At least I don't have to cut someone's fingers off/eyes out/head off/etc. to get past these types of security measures any more.
Whew! What a relief.
too long; didn't read.
Yo mama's so ugly, she made the face recog system halt
Yo mama's so ugly, they use her face to stamp out gorilla cookies (Thanks Red Fox)
Yo mama's so ugly, you could hear the face recog cameras scream.
Yo mama's so ugly, when you brought her on the plane, they made you check your bag.
Yo mama's so ugly, she made Medusa's snakes turn to stone.
*_ducks and covers_*
Devices like this can NEVER be used for personal identification unless a one to one relationship between a face recognition template and the person can be mathematically proven.
Much like a hashing algorithm (and the pigeonhole principle) if two items can hash to the same spot, then the algorithm is broken; or in this instance two people look alike and the computer can't tell them apart.
This will keep algorithms guys busy for a while.
-ted
For instance, if she had a little less facial hair, my aunt's bouffant hairdo under a scarf might give her the same biometric as Osama bin Laden.
For some reason, I don't think biometric face scans would hold up in Hollywood (well, Los Angeles for that matter) very well. Having lived there, people's faces just seem to keep changing. And so do hair and eye colors. It's almost like a hobby for some people.
IAAL
How to reset a biometric system? Show it a picture of CowboyNeal.
If the template were "non-identifiable," there would be no way for me to identify who the template belongs to from the template. If you have the template, and you have jim standing there, you can say "yep, that's jim"
The claim is that, with just the template (and confidence feedback), you can work backwards and figure out what the person looks like.
under DMCA (what else)?
It is interesting that the US military just purchased 800 million plus worth of software licences from Redmond. I hope they are not planning on using MS spaghetti code for mission critical security apps that use pattern recognition code.
Bin Laden might win the war. Especially if they install Windows media player anywhere in their networks!
OH THE SHAME I fell off the wagon and use sigs again!
This is a big problem. not. Just take the data and push it through a one-way hash (like the aforementioned password transformation) before encoding it on the card.
TMH
Breathe on the glass sensor to get the outline of the last person's print. Will fool many systems if the previous print was authorized. (Read this in the economist a couple of weeks ago...)
A bit OT, but thought others might find this interesting. Please don't let the DMCA dogs loose on me.
For the love of $DEITY, loose != not win!!!!!
I remember reading an article (possibly from here) about the challenges facial recognition systems faced, in particular comparing the facilities in the human brain. It had very interesting examples, for instance showing only a mouth and chin, but even with just that information, most people recognized it as Julia Roberts. They also altered a picture of Clinton and Gore but switched their mouths, something again that everyone notices but that a computer would have a very hard time picking up on. Finally, they also just had a grid of pictures, shrunk to 12x12 pixels, and even with that little data, your brain can easily discern who the pictures belong to. I'd like to look at that article again, would anybody know the link?
http://www.talknerdy.org
Every comment I have read has missed the point!
This is not an exploit designed to show that biometric systems can be fooled or that you could create some kind of fake image that would match an existing one.
The whole point is that this shows that biometric templates are privacy-sensitive. Previously it was thought that they could be stored and promulgated without interfering with anyone's privacy, because it was thought to be infeasible to start from the template and reconstruct personally identifiable information about the subject.
The new paper shows that this is not true; from the templates, you can reconstruct an identifiable picture of the individual. That means that, for example, if you had a bunch of templates of people who went in for an AIDS test, you could re-create pictures of the people who went in, adequate to recognize individuals.
This would therefore interfere with the privacy of those individuals. And that implies that templates need to be subject to the same kind of privacy restrictions as other forms of personally identifying information, a standard to which they have not traditionally been held.
And that's the point of the paper.
The algorithm they used is simple. They use the face recognition
system as "oracle" and present different images until the match
is achieved. The different images are not chosen at random, but
rather evolutionary. That is, a selection of images is presented,
and the best (highest score) is chosen. Recursively, new selections
are derived from the best image, and again presented to the oracle.
According to the article 24,000 images are necessary to achieve
convergence, when the initial images were specifically chosen to
NOT be visually similar to the "target" image.
Some oracles can't be questioned 24,000 times - eg at an airport
or an ATM machine. You might become arrested long before finished.
However, often press releases indicate which company designed the
software for a particular implementation of face recognition. You
can easily purchase other software of the same company (or find
an OEM product) and thus have the same (or very similar) oracle
on your desk at home. There you can do the 24,000 iterations to
get ahold of the "good" image and then proceed to remodel your
face or whatever way you intend to "present" the image to the
real face recognition system.
In my opinion, biometrics just doesn't work for security. Because
everyone is open to see the datasets.
Just look at those stupid press releases of Siemens/Infineon, who
make high-paid security engineers invent ATM cards with finger
print sensors. Owners finger print => money from ATM. Where does
owner leave his finger print, when handling the card? Couldn't be
on the very ATM card, possibly?
Acceptable security requires
a) something you have, and
b) something you know.
When the item you have is stolen, the thief lacks the information
you know. And vice-versa, when the secret is learned (eg shoulder
surfing at ATM), the item you have still misses to complete the
electronic robbery.
Biometrics is something you have, not something you know. That is
the key thing to learn here!
It can be copied, without your noticing, but that doesn't make it
category b). It still is something you have, because everybody has
access to it when he's physically near to you. You can't just shut
up to make it stay secret.
Therefore, biometrics won't (ever) work as long as it's coupled with
other category a) stuff. A biometric dataset can possibly replace a
physical token, but it can NOT replace a PIN code.
I'm happy that this is once again demonstrated, with press coverage.
Marc
Just check for thermal patterns, most CCD's used for image recognition can see near infra-red so just check to see if the image is a person with a pulse. A piece of paper isn't going to give off heat like a person does =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
A couple of decades ago Ottawa was the world's coldest capital city (I forget what it is now). The saying goes that come it's impossible to tell people apart, because everyone's wearing parkas. Now there's a challenge for facial recognition!
Ah, mention the DMCA and get modded up... You don't need to break the law to exploit this. You only need to make api calls to the public api of the recognition system. It's all spelled out in the article.
> In this way the biometric data is never exposed directly to the outside world, so one
> need not worry about it getting leaked to the "bad guys" even if your passport were stolen.
..except of course, when the JavaCard can be used as an oracle by the attacker.
Note that in the article they did not use any reference to the original image
or to the dataset that the face recognition software creates from it. They rather
chose 30 different (visually not related) images and then evolutionary selected
the best fit.
As soon as your JavaCard is going to be universal (and serve multiple purposes
with varying degree of security) it has to return a "score" (rather than a yes/no
decision). And nothing more than that very score is used by the attack, go figure.
To put this into a real world example: imagine you use an ATM JavaCard with face
recognition. Insert card, present your face into the cam lens, and enter how
much money you need. Now a computer nerd "finds" your card. He emulates an ATM
terminal to the card and presents a random face to the card. Recursively, he
optimizes it according to the article until he achieves a "good enough" score.
He prints that out on paper, and travels to Mexico - slowly, by car, doing a stop
at every damn biometrics-enabled ATM he can find. Heck, even the security cam
recordings provide no more evidence than a fake (still image) phantom photo of
YOU!
Marc
This is even easier to compromise than having a keycard or something, as the individual could at least hide it somewhere. They CAN'T hide their face without
Someone give the man some mod points.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
I think all these comments are very interesting, and would like to invite those of you with a continuing interest in the subject to join the yahoo biometrics group.
Go to http:\\groups.yahoo.com\groups\biometrics
and follow the links to join. The listserv is open, you can select various email delivery options, and you can hide your email address if you choose.
Cheers
The yahoo biometrics group moderator
A useful password hash (at least one that isn't considered to be plain-text equivalent) is a cryptographic hash. A cryptographic hash is one thought to be np-hard.
...
For instance, take this simple hash:
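// str is a std::string holding the password
uint32_t hash = 0;  // start from zero; an uninitialized accumulator gives garbage
for (size_t i = 0; i < str.length(); i++) {
    hash += str[i];  // plain sum of character codes, so each letter shifts the result by its own value
}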
Given an input of say, foobar, one would get a hash of 633. Now, if I start with an arbitrary password of say, google, I get a hash of 637.
Since I know that slight adjustments to the word, produce slight differences, I know that I can just start moving letters one space down the alphabet until I find a matching value.
Let's say I choose:
google -> 637
foogle -> 636
fnogle -> 635
fnngle -> 634
fnnfle -> 633 *bingo*
So now I've successfully "exploited" this password protection mechanism. This is why it's referred to as plain-text equivalent.
A cryptographic hash though has the interesting property that a small change results in an unpredictable difference. For instance, in the same example you might get:
google -> 3453
foogle -> 234543
fnogle -> 234
fnngle -> 23425434
fnnfle -> 53424
There's no reason biometrics can't be cryptographically strong. It's just that the algorithms currently being aren't. That's no big news for anyone with even half a clue stick.
int func(int a);
func((b += 3, b));
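The additive hash from the comment above next to a real cryptographic hash, together with the catch raised earlier in the thread about hashing "fuzzy" biometric data. This is an added example, not part of any comment: SHA-256 stands in for "a cryptographic hash", and the two feature vectors and the 0.02 tolerance are constructed for illustration.

```python
import hashlib


def additive_hash(text):
    """The comment's toy hash: sum of character codes, wrapped to 32 bits."""
    return sum(text.encode("ascii")) & 0xFFFFFFFF


def walk_to_target(start, target_hash):
    """Reproduce the comment's table: move one letter one place down the
    alphabet per step until the additive hash equals target_hash.

    Assumes start hashes higher than the target (true for google vs foobar).
    Returns every word visited, start included.
    """
    word = list(start)
    path = [start]
    pos = 0
    while additive_hash("".join(word)) > target_hash:
        i = pos % len(word)
        word[i] = chr(ord(word[i]) - 1)
        pos += 1
        path.append("".join(word))
    return path


def sha256_bits_changed(a, b):
    """How many of the 256 output bits differ between SHA-256(a) and SHA-256(b)."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")


# Constructed feature vectors: two captures of the same face never agree exactly.
ENROLLED = [0.412, 0.733, 0.158, 0.906, 0.527, 0.341]
FRESH_SCAN = [0.409, 0.741, 0.163, 0.897, 0.531, 0.338]


def template_digest(features):
    """Hash a template the way a password would be hashed."""
    return hashlib.sha256(repr(features).encode()).hexdigest()


def fuzzy_match(a, b, tolerance=0.02):
    """What a biometric matcher has to do instead: accept when the mean
    feature difference is within a tolerance."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a) <= tolerance


if __name__ == "__main__":
    # Each step moves the toy hash by exactly 1, so the output tells you
    # how close you are.
    for w in walk_to_target("google", additive_hash("foobar")):
        print(w, "->", additive_hash(w))
    # One changed letter flips roughly half of SHA-256's output bits, so the
    # output says nothing about closeness.
    print("SHA-256 bits changed:", sha256_bits_changed("google", "foogle"))
    # That same property breaks exact-hash storage of biometric templates.
    print("same person by tolerance:", fuzzy_match(ENROLLED, FRESH_SCAN))
    print("digests equal:", template_digest(ENROLLED) == template_digest(FRESH_SCAN))
```

The property that makes a cryptographic hash safe to store (no notion of "close") is the same one that stops it matching a fresh scan against an enrolled template, so a plain hash cannot simply replace the template.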
"He developed an algorithm which allows a fairly high quality image of a person to be regenerated from a face recognition template..."
This kinda reminds me of the part in Space Quest III, where you gain access to the restricted area inside ScumSoft by holding up a xeroxed picture of the CEO's face to the facial recognition scanner.
If the password can't be changed, then the corollary is that biometrics are no good for authentication; however, they excel at providing a convenient method of tracking/auditing provided that one cares little for security.
If I were the marketing guy, I'd pitch it that we're all willing to trade convenience for security - forget about the privacy issues.
just like the humble blood clot... turboporsche@telus.net
Yes, there aren't any perfect systems. However, if your password or passkey is cracked, you invalidate the old password/passkey and get a new one. Consequence: You're screwed only while you don't notice that your password/passkey is cracked.
If your BioPassword is cracked, there's nothing you can do about it. Consequence: You're screwed for life.
As soon as your JavaCard is going to be universal (and serve multiple purposes with varying degree of security) it has to return a "score" (rather than a yes/no decision).
Eh? I understand the part about being able to use a score to slowly converge on a working template, but that's not the way any smartcard I've seen works.
I've never worked with a card that returned a score. The biometric template is instead used like a PIN, it either unlocks the card or not and the card determines that. When the card is unlocked it then authenticates in a traditional manner (usually a standard public key, RSA or whatever). In other words, the biometric template unlocks the private key. Note that no private data is ever read off the card, everything is done on-card.
When you're talking smartcards, it's not the client application that determines the security level. Normally it's the card that determines if you've passed all the security criteria. Hence smart card.
The ratio of people to cake is too big
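Marc's comments and the smartcard reply above disagree about what the matcher hands back: a score, or only unlock/reject. The difference can be measured on a toy model. This is an added example, not part of the thread or the paper: the 32-number template, the similarity function, the 0.05 score grid and the 0.95 threshold are assumptions, and the greedy search is a simplified stand-in for the evolutionary selection described.

```python
import random

DIM = 32          # toy template length (assumption; real templates are larger)
STEP = 0.1        # largest change to one feature per query
THRESHOLD = 0.95  # similarity needed for an accept decision


def similarity(a, b):
    """Toy match score in [0, 1]: 1 minus the mean absolute feature difference."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def raw_oracle(enrolled):
    # Matcher interface that reports the full-precision score.
    return lambda probe: similarity(enrolled, probe)


def quantized_oracle(enrolled, grid=0.05):
    # Matcher interface that reports only which coarse score bucket was hit.
    return lambda probe: int(similarity(enrolled, probe) / grid)


def decision_oracle(enrolled):
    # On-card style matching: only accept (1) or reject (0) leaves the matcher.
    return lambda probe: 1 if similarity(enrolled, probe) >= THRESHOLD else 0


def climb(oracle, start, queries, rng):
    """Greedy search: change one feature slightly and keep the change only
    when the oracle's output goes up."""
    best = list(start)
    best_out = oracle(best)
    for _ in range(queries):
        trial = list(best)
        i = rng.randrange(len(trial))
        trial[i] = min(1.0, max(0.0, trial[i] + rng.uniform(-STEP, STEP)))
        out = oracle(trial)
        if out > best_out:
            best, best_out = trial, out
    return best


def run_experiment(seed=2003, queries=5000):
    """Return the similarity to the enrolled template before the search and
    after it, for each of the three matcher interfaces."""
    rng = random.Random(seed)
    enrolled = [rng.random() for _ in range(DIM)]
    # Start deliberately unlike the enrolled template: every feature is at
    # least 0.5 away, so the starting similarity is at most 0.5.
    start = [0.0 if x >= 0.5 else 1.0 for x in enrolled]
    results = {"start": similarity(enrolled, start)}
    interfaces = (("raw", raw_oracle),
                  ("quantized", quantized_oracle),
                  ("decision", decision_oracle))
    for name, make in interfaces:
        final = climb(make(enrolled), start, queries, random.Random(seed))
        results[name] = similarity(enrolled, final)
    return results


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:10s} similarity to enrolled template: {value:.3f}")
```

With the raw score the search climbs from at most 0.5 similarity to above the accept threshold; with the coarse grid or the accept/reject output, a single small change almost never moves the reported value, so this greedy search has nothing to follow.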
An associate of mine runs a small factory in Japan where they make 3d-printers, much of the technology is from Texas-based DTM. Can't find their homepage, I think they might be owned or were by BFGoodrich. Many companies use their Sinterstation, which uses a laser to fuse nylon or metal powder deposited in thin layers inside the production bay.
The machines are I believe in the hundreds of thousands of dollars each but they are used to make prototypes like mobile phone shells, or molds as for experimental automotive parts.
Anyway nylon is easy, but they also have a rapidsteel process and the holy grail I understand is titanium, which would allow you to create surgical implants like joint replacements. As you can see in the link above, you can already pretty easily produce a 3d model of your skull from Cat-scan tomography. I've only seen plastic versions, though they might be more appropriate to trying to mimic x-ray backscatter from bone, and much cheaper than going through the trouble of making a mold, pouring metal, and finishing it. Hospitals are probably a lot easier to penetrate than these biometric systems. Come to think of it, you could skip the biometric penetration and just use anthropological techniques to build a face over the skull based on known data about skin depth at different parts of the skull. Painting surface features based on pictures taken with a telephoto lens would also be cheap compared to the price tag mentioned in this thread for biometric analysis equipment.
I remember reading a paper about biometric identification using the iris. The bit I remember is that it is really easy to tell if the eye you're scanning is alive or not. For example, as part of the scanning process the machine just needs to go from dark to bright in a short time. If it does that and the pupil doesn't narrow then the eye isn't attached to a living body. I can't speak for other body parts, but it's unlikely anybody will pluck out your eyes and scan them.
Who's going to protect either MS or us?
As I understand it, X-Box was intended as a testbed for "Trustworthy Computing". A small bunch of dedicated fanatics cracked it.
How many million people are going to try to make a rep for themselves by trying to crack Palladium / TCPA, and will all of them be "good guys" who at least will let us who subscribe to BugTraq and Full Disclosure know where the security holes are?
Tech Public Policy stuff
I don't think this can be worked around in any way that winds up with a usable product.
Tech Public Policy stuff
For example, you probably have a large supply of fingers (about ten), so it doesn't matter if a few get compromised.
try 8 fingers, thumbs r not fingers
'Hi, I'm from the government and I am here to help you...'
To err is human,
to really screw things up requires a government computer...
It is not a pure fingerprint reader anymore, it is a "living specimen" and fingerprint reader. Sure the old ones are still sold, but they are considered low end. If any real security is needed, the latest generation will detect living versus dead. The previous post mentions the same with iris readers. The same is true of retinal, hand geometry, and voice print (theoretically by multiple passes). The only one I'm not sure of is facial geometry, but I would assume that digital video from which it's taken would clear up the issue of dead or alive ;-).
Let's see how long it takes to hack the new systems. It seems to me the real vulnerability is not in the recognition, but in the fact that the system is computerized and therefore hackable. And as we all bemoan with Biometrics, once compromised, forever lost.
Do what I did - upgrade your humo[u]r to Region-Free!
sulli
RTFJ.
"maybe i should extend my tin-foil hat to a tin-foil facemask and a pair of shiny gloves... that way they'll never recognise me!"
That's true, they mightn't recognize you, but if you're planning to venture into public you had best practice your dance moves and your falsetto singing voice, Mr. Jackson.