Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ready or Not, Biometrics Finally in Stores

Posted by Cliff on from the pay-with-your-thumb...or-someone-else's dept.

cancer4xmas writes: "It's very exciting to see USA Today's Technology front page saying, "Will that be cash, fingerprint or cellphone?" They're running a story on emerging biometric devices being the most fundamental change in personal finance since 1950, when the credit card was introduced. The concept is now being tested in some stores. Check out the full story." Now couple that tidbit with this morsel from wherley: "In a letter [scroll down a bit] to Bruce Schneier's Cryptogram newsletter, Ton van der Putte tells of a recent invitation from the BBC to comment on the addition of fingerprint biometrics to the British ID card. Using a digital camera and UV lamp he was able to make dummy fingerprints that fooled the readers - and in less time and less cost than similar experiments 10 years ago. He says: '...now the average do-it-yourselfer is able to achieve perfect results and requires only limited means and skills.'"

1 of 317 comments (clear)

  1. Re:Hardly anyone ever uses biometrics correctly by LostCluster · · Score: 5, Informative

    The age old test of "Something you know, something you have, something you are" security reenforces an extra point... challenging three times is always more secure than challenging once!

    ATMs are secured this way. You've gotta have your card, know your pin, and look somewhat like you for the camera. (Looking wrong doesn't yet deny the transaction... but is a great tool when it comes to figuring out the "Whodunit?" that comes up when ATM fraud is discovered.)

    In-store credit cards are slightly less secure. The card has to be present, and the person using the card has to perform the task of creating the proper signature that's on the card. (Again, a wrong signature might not always deny the transaction, but it creates a paper trail for later.) Some stores are advanced enough to also associate the security camera timecode to the transaction to create the visual trail as well, but that's not used as much as it could be as of yet.

    Internet or phone card transactions are weaker because there's no demand that either a card or person been seen. That's why those transactions are also more expensive to get processed... they're more likely to result in a write-off from a scam transaction. They are less secure, and that's an admission of it. Still, smart e-merchants can protect themselves by performing some secondary security like only shipping to addresses related to the card.

    Biometrics if used alone just the "somethng you are" test, but as we've seen it's going to be confused some of the time. Merging the fingerprint with a PIN number would at least get us to a two-test level of security... but the marketers of biometrics are insisting that their test alone is good enough. That's where they're seriously wrong, no test alone will ever be that good... that's why it's always best to double-check.