Sign Your Name Online With A Mouse

← Back to Stories (view on slashdot.org)

Sign Your Name Online With A Mouse

Posted by simoniker on Monday September 1, 2003 @12:44PM from the signing-mickey-mouse-frowned-upon dept.

icke writes "Soon, the way you use your mouse could help prove who you are. According to a BBC News article, scientists have found a way for people to sign their name online using a mouse instead of a pen. The technology, based on the research from Queen Mary College, University of London by Peter McOwan, 'uses a neural network to pick out the unique features of the way that someone uses a mouse.'"

20 of 236 comments (clear)

Min score:

Reason:

Sort:

This would be easy to fake by Megor1 · 2003-09-01 12:45 · Score: 5, Insightful

You could just record the mouse movements with some macro software and then play it back whenever it asks for their signature.

--
Everyone that disagrees with me is a paid shill
1. Re:This would be easy to fake by krymsin01 · 2003-09-01 12:54 · Score: 4, Insightful
  
  Well, I suppose it'd be trivial to check an see if one of the last couple hundred times you signed your name is am exact match (something I think only a macro, and not a human, could do), and if so, reject it.
  
  --
  stuff
2. Re:This would be easy to fake by G4from128k · 2003-09-01 13:17 · Score: 4, Insightful
  
  Obviously if someonce can log the mouse motions with an accurate timestamp, then they can replicate the signature. But then EVERY computer-connected biometric ID system is potentially susceptable to interception/replay of the biometric key signal.
  
  In the case of this system, an arms race between the forger/loggers and the ID systems company would then ensue. The first countermeasure to mouse-loggers would be rejection of identical traces (as others have suggested). To this forgers would add statistical noise to the trace. The ID company would then need to create a more sophisticated statistical test that rejects traces that did not vary enough while staying within the statistical bounds of the 20 training samples that the systems asks for. An SVD on some transform of the sample signatures would help uncover both the strongest and weakest modes of variation. Signatures that did not match on the main pattern and did not vary sufficiently in expected way would be rejected. This would prevent either direct play-back or a simplistic addition of noise to the mouse trace.
  
  The presence of both a predicable static pattern (the "average" signature) and modes of variation (because people don't actually sign their name identically to the nanometer/nanosecond) makes this biometric key better than other more invariant biometric features that can be copied.
  
  --
  Two wrongs don't make a right, but three lefts do.
3. Re:This would be easy to fake by s88 · 2003-09-01 14:09 · Score: 4, Insightful
  
  " If the software is smart, it will look for perfect reproductions which no human would be capable of and give an error if it detects one."
  
  Why do you not assume that the macro software could be "smart" and simply add some white noise to the playback?
4. Re:This would be easy to fake by c0dedude · 2003-09-01 14:44 · Score: 3, Insightful
  
  And if the human is smart, it will design software that embeds flaws.
  
  --
  Since when has this country used intellectual elite as a pejorative term?
5. Re:This would be easy to fake by jackb_guppy · 2003-09-01 15:14 · Score: 4, Insightful
  
  Which then leads:
  
  Why do people sign electronic pads at stores when they use credit cards?
  
  You have just placed your last protection of who you are in a computer system that you have no control over.
  
  Real dumb.
Question by AnimeFreak · 2003-09-01 12:46 · Score: 4, Insightful

Would a signature created with a mouse be legally-binding?
Your John Handcock is not secure by Dancin_Santa · 2003-09-01 12:46 · Score: 5, Insightful

While it may be a huge flourish that impresses the ladies, your signature is not as secure as it would seem. Forgeries are easy to make by skilled criminals.

Use a cryptographic key to sign. You'll be glad you did.
1. Re:Your John Handcock is not secure by OmnipotentEntity · 2003-09-01 13:17 · Score: 5, Insightful
  
  The added fact that most skilled forgeries are identified by the depth of the pit in the paper (ie how hard you press down at certain points, you can imitate a shape but if you imitate it you're not doing it naturally and that shows in the patterns of heavy vs. light inking), and not by the shape of the writing, that makes the mouse signature doubly insecure. Any idiot can trace a pattern of pixels if they see it a few times.
  
  ___________
  
  --
  "Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
Move to a new mouse? by jpsowin · 2003-09-01 12:47 · Score: 3, Insightful

And what happens when you change to a different type of mouse? My change to wireless optical was quite a change which took some getting used to, and I'm sure it didn't "sign" the way I used to. Or whatever. :)
... even easier with a pen mouse. by OzPixel · 2003-09-01 12:48 · Score: 4, Insightful

My girlfriend had a pen-shaped mouse for a while, (wrist problems), and I'd imagine signing would be much more "natural" with one of those. Neat idea, though ...

David.
right.... by hawkbug · 2003-09-01 12:55 · Score: 4, Insightful

Because I always use a mouse the same way, this will work great.... Not. I have many different computers, all with different types of mice and software. Trackballs, eraser-head laptops, trackpad laptops, and don't even get me started about different operating systems and the software they use. This is not going to work for many reasons, and I hope business realize this sooner than later.
Another odd idea that'll never work by Rosco+P.+Coltrane · 2003-09-01 12:57 · Score: 4, Insightful

"It's another way of indicating that you as an individual are sitting there on the end of the line."

Easy to fake with a mouse movement recorder.

Oh and what about people who use a trackball? does the smart biometric layer apply to those hand movements?

And the other obvious question : wouldn't it be easier to simply teach people why they should use properly formed passwords that are not "mom", "dad", "john1" or "s00persekrit"?

In short, yet another far-fetched solution to solve a non-problem.

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Similar biometrics don't work by thepacketmaster · 2003-09-01 12:58 · Score: 5, Insightful

After recently studying for the CISSP, I learned a great deal about biometrics. The most accurate biometrics include things like iris scans, palm scans, retina scans, etc. These are so accurate because they measure characteristics that are totally unique to individuals. Signature dynamics and keystroke dynamics are some of the most ineffective biometrics around. A big problem is they can be faked. While the article states that early trials are 99% accurate, it doesn't detail how many people have actually tried this system. (A test group of 10 wouldn't be very good.) It also doesn't mention if they tried to fake it out. The real world is a harsh place on biometrics.

--
--
Luck is just skill you didn't know you had.
pretty darn useless... by Lumpy · 2003-09-01 13:12 · Score: 3, Insightful

So the "signature" is tied to a specific pointing device...

so your signature is invalid if you use a laptop with a trackpoint,touchpad, or use a track ball or a tablet and a pen, etc.....

Neat idea, 100% useless in the real world.

Now if you can get a reliable identifier (How about something as simple as a ibutton ring (www.ibutton.com) and quit trying to invent the unique personal identifier that so far is only out DNA (no, no dna testers on our computers than you.)

Identification has always been tied to a unique card, number, whatever given out by a group or agency. Why not stick with the same thing just update it with current off the shelf technology that already works?

www.ibutton.com I use it to log into my computers at home, unlock my doors and even start my harley....

--
Do not look at laser with remaining good eye.
roll ball mouses by wmaker · 2003-09-01 13:13 · Score: 2, Insightful

what about the mice that are controlled with your thumb, you know the ball that you move. i doubt it would work well with one of those mice

--

What is slashdot?
Doesn't sound promising by jtheory · 2003-09-01 15:42 · Score: 2, Insightful

A forger would have a hard time copying the variations in speed that the actual person uses even if the forger traces the same path or tries to "get good" at the signature.

The problem is that the actual person may also have a really tough time reproducing the same speeds, patterns, etc. in their signature.

This is why handwriting analysis/comparison is almost always inadmissable in court -- it's too variable.

The reasons for this are especially apparent when you look at the handwriting of people like myself whose fine motor control (like many guys) is not so "fine"... I can type quickly, but my signature varies *widely* each time I sign my name. The slant of the letters in my handwriting, type of loops, etc. also varies depending on my mood, the pen and writing surface, my posture, etc.

My real point here is that there's certainly a future in some kind of online "signature", but I'm guessing we'll end up with a system based more on asynchronous crypto as opposed to some kind of biometrics like this.

Normal hard-copy signatures aren't particularly secure -- no one pretends they are. That's why most of the time the cashier doesn't compare the signatures (in more automated systems like many gas stations, and online, they CAN'T). That's also why we have Notary Publics in the US who will certify that you were the one who marked the paper. The advantage of hard-copy signatures is that they're tough to scam safely, in bulk.

I suspect that most online signature methods *WILL* be comparitively easy to scam in bulk, simply because this is the internet, and it's all just data.

--
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
Re:That's the point though.. by whereiswaldo · 2003-09-01 18:09 · Score: 4, Insightful

Interesting, but there's a big problem with using a mouse to write a signature: moving from machine to machine. The ergonomics are totally different between machines, for one thing. Plus, different brands of mouse. What about mice with the thumb-rollerball? Or notebook touchpads? Or optical mice vs. crappy old mice with crud stuck in the rollers?
Teaching about passwords is "easier"? by ianscot · 2003-09-02 03:31 · Score: 2, Insightful

And the other obvious question : wouldn't it be easier to simply teach people why they should use properly formed passwords that are not "mom", "dad", "john1" or "s00persekrit"?
Hmm. Why don't we ask the couple of generations of IT people who've tried to teach people this very lesson? Maybe they have something to say about that one. I could start with our call center: their number one call every month for the last five years has been "Please reset my password" despite several "education" campaigns.
People don't use "bad" passwords because they're uneducated nitwits, they do it because there are so many dang systems asking for passwords that they'd be driven crazy by the exercise of keeping them all straight otherwise. Either that or they'd have to write 'em all down, which kind of defeats the purpose, yes?
This motion signatures thing probably isn't the solution -- but hey, at least it does try to build on a model users know. Existing ID and authentication methods do sort of suck, so it's not like this is a solution without a problem.

--
"Fundamentalism" isn't about divine morality. It's about human authority.
All digital security is just an arms race by LilJC · 2003-09-02 03:53 · Score: 2, Insightful

Defense: Check mouse movements
Offense: Record and playback
Defense: Check for exact replica
Offense: Add slight differences
Defense: Check slight differences for consistency with original behavior
Offense: Analyze movement to make differences consistent with recorded macro
This sort of thing goes on and on - reminds me of using a sharpie to circumvent the null data track on copyrighted CD's.
The bottomline is that there is no real security. Even the number of bits in encryption has to be bumped as processors speed up to try to keep them from being crackable in a timely manner. Suppose encrypted credit card transcactions are being logged by someone, with only the last 3 months being kept on file. If there's a huge breakthrough with a diamond superconductor processor, the attacker can assume that most of the credit cards logged in the last few months haven't expired, crack them fairly quickly (even at a day per card), and go on a shopping spree.
The only way to never be behind in an arms race is to never start one, unfortunately this means no steps can be taken for security.
Perhaps a better answer is to start with a system already a few steps ahead of the "offense" from the word go, discouraging attempts to circumvent it. Of course this tends to be costly to develop and (with computers) processor intensive to use.

--

The only thing more dangerous than a file named -rf is renaming it -rf\ /