Ready or Not, Biometrics Finally in Stores

cancer4xmas writes: "It's very exciting to see USA Today's Technology front page saying, "Will that be cash, fingerprint or cellphone?" They're running a story on emerging biometric devices being the most fundamental change in personal finance since 1950, when the credit card was introduced. The concept is now being tested in some stores. Check out the full story." Now couple that tidbit with this morsel from wherley: "In a letter [scroll down a bit] to Bruce Schneier's Cryptogram newsletter, Ton van der Putte tells of a recent invitation from the BBC to comment on the addition of fingerprint biometrics to the British ID card. Using a digital camera and UV lamp he was able to make dummy fingerprints that fooled the readers - and in less time and less cost than similar experiments 10 years ago. He says: '...now the average do-it-yourselfer is able to achieve perfect results and requires only limited means and skills.'"

Ouch

[MikeXpop]

I remember I read awhile ago in some magazine how BMW had the technology to use biometrics in place of keys. The reason they didn't was that someone brought up this idea.

Carjacker + knife + need for your finger = not a pretty scene.

That's kind of kept me off of Biometrics for awhile. Now where'd my tin foil hat go...

Re:Ouch

[Uma+Thurman]

Why go through all that trouble when it's just much easier to keep pressing your thumb on the panel, getting the rejection, until the 16 year old at the register gets sick of you holding up the line and hits the bypass key on the register?

These things are going to be so flakey. Even something as simple as a mag-stripe reader on a credit card sometimes takes 10 swipes to read on one reader, and just 1 on another.

Re:Ouch

[orthogonal]

In the systems (I am not sure if it is only in advanced systems), there is a requirement for actual sweat to run into the machine

I hope Joey Slowy, the illiterate and not-so-bright thief with the crack habit and the carving knife, is fully apprised of the safeguards in place to prevent him from using my severd thumb, before it occurs to him that my thumb is the answer to his temporary lack of his preferred illegal intoxicant.

Be so good as to travel to the local homeless encampment, interrupt his crack-induced reveries, and inform him so, will you?

Voluntary good. Mandatory bad.

[Fux+the+Penguin]

The system in this article is voluntary, and that's great. So long as it's only volutary, I'm all for this.

One potential problem becomes what's "voluntary" soon becomes mandatory. We might as well learn from history. Two specific examples from US history:

(1) The Social Security Number was ~never~ supposed to be used as any kind of central identification number. Now, no one knows who I am without it. I would gladly dump my social security "promises of benefits" to not have a social security number.

(2) To get a driver's license in the state I moved to, I had to give a thumbprint. I've never had fingerprints taken before in my life.

Are we safer as a result? All I know is that now my identity can be more easily tracked by central governmental organizations and those with sufficent access privileges, despite my wishes.

Technology is a tool, not a solution. Just like a hammer, it can be used for much good, but it's easy for those in power to convert it into something pretty sinister. If it's all the same, I'll keep my ATM card. It's a lot easier to change my bank account number than my fingerprint or eyeball.

Biometrics replace cards or signatures?

[nanowyatt]

Using a credit card typically requires a signature to match against the one on the card's back. Using an ATM/debit card requires a numerical code to match with the bank's records. Are biometrics really a good replacement for the card, or would they be a better replacement for the signature or ATM code? As there will be a secondary piece of ID anyway, why tie up the fingerprint with all the bank info, when the print could be just tied to the ID?

Re:God, please, stop...

[Zebbers]

those were awesome counterarguments from an unbiased industry insider

Stealing my finger doesn't bother me...

[YrWrstNtmr]

But rather stealing the representation of my finger.

When the credit card db gets hacked (and it's happened several times), you just have to cancel it and get issued a new card.
When the fingerprint db gets hacked, they can't issue me a new finger.

A fleshcolored, spit wetted, rubber sleeve over a finger, with a copy of someone elses finger would work quite well, and be undectable by the minimally interested checkout line clerk.

Theyre everywhere!

[cybercuzco]

If all you need is a fingerprint, then everyone will be wearing gloves soon. We leave fingerprints everywhere! New crime of the future: Person gets your fingerprint of a glass or a door or some other public place and racks up a mint. Say what you will about credit cards, at least you dont leave yoru credit card number, expiration date and billing address on every surface you touch. Theres something to be said about slightly insecure systems. The less secure something is the less easy it is to steal, since people are more suspicious of insecure systems then they are of supposedly "secure" systems. I can see a day where your credit card number is quantum encrypted on a microchip implanted in yoru skull. And the ability to dispute charges will no longer exist of course, because the system is unbreakable! Except for the short, easily memorizable password needed to unlock the quantum encryption. We can seethis already with identity theft. Now that youre identifiable by a number (instead of in person, as in the old days) anyone with access to that number is you, and everyone believes that its you, because the system is supposed to be secure.

You think that's bad...

You don't need to fake a credit card, just nab one and it's all yours until the owner reports it missing! Merchants don't bother checking to see whether or not the card is yours, even if your PHOTO is on it, much less your signature!

Preface: I am posting AC and not naming any names here.

In the mid-to-late 1990s, when the phrase "identity theft" had first entered the lexicon but before the media discovered how well they could capture audiences with its mere mention, I worked with a card issuer on a so-called "secure card" test program. The idea was twofold: merchants were getting complacent in terms of trying to verify that the person presenting the card was actually the cardholder, and credit card fraud was an increasing problem.

The proposed solution to both dilemmas was to issue cards with the cardholder's PHOTOGRAPH on the FRONT of the card. We'd indemnify cardholders against any fraudulent purchases (as opposed to beyond the first $50.. it was a novel idea back then) for any bogus transaction made with one of these photocards. Cashiers weren't bothering to check the back for a signature, but surely they'd see if the photo on the front matched the person making the purchase, right? LOL.

Existing cardholders were allowed to volunteer for the test program by responding to an insert in their bill. Along with the application, they had to send in a photocopy of their drivers' license, and a small color photograph of themselves which was easily identifiable as the same person in the drivers license photo. About 10,000 such cards were eventually issued, with surveys included and sent as a follow-up to see what the cardholders encountered. During the test period, here are a few interesting things we found.

1... Merchants weren't checking the photo, even though it was right there as a 1.5" x 1.5" image on the front left side of the card.

Many cardholders reported no problem giving their spouse the card to use, where the photo wasn't even the same sex as the person making the purchase.

There were a lot of folks surprised that cashiers didn't even notice the photograph.

There were a lot MORE folks surprised that cashiers noticed the photograph but paid it no attention. For example, female customer would use card issued to JOHN DOE with a picture of a man on the card, no questions asked by merchant.

2... Merchants who did check the photo were overly attentive.

People who had changed hairstyles, dyed their hair, grown or shaved facial hair since the photo had been taken, or even gained or lost weight were having their cards refused because the photo wasn't a "perfect" match.

If a card was not outright refused due to appearance changes, a store manager was often called by the cashier, or some other delay was introduced into the purchase, inconveniencing both the cardholder and the merchant.

3... Some of the merchant services reps around the country were issued temporary expense cards with someone else's name and photograph on them (intentionally, as part of the test).

These cards were set to return a "Call" response on transaction attempts, which tells the merchant they need to call the card issuer to get special instructions before accepting the card.

Many merchants ignored the response and ran the transaction through as a "Force" process without bothering to see if there was a problem with the card. In live circumstances this would have resulted in a chargeback to the merchant with no recourse.

Merchants who did call were instructed to check the ID of the customer against the name and photo on the card. In nearly half of these cases, the merchants wound up doing a Force anyway (another chargeback). The reps were told to try and explain it away - "Oh that's my boyfriend's card" etc - and it worked pretty well.

4... Though this obviously is not the party line... Credit cards are as good as cash but provide next to zero security. Ask yourself when was the last time you tried making a purchase on plastic a

Re:Hardly anyone ever uses biometrics correctly

[dido]

Well, you're absolutely correct, but you've veered a bit from the mark. It seems that the advocates of biometric identification are not interested in using biometrics to augment existing security procedures, but to replace these procedures, and they seem to be gushing that biometric "authentication" is a silver bullet, or something very close to it. Few banks, and no military or intelligence agency in their right mind would be so foolish as to believe that. If you've taken the time to even read the article I linked to, you'd see that Schneier isn't advocating that we not use biometrics at all, but that we not treat them as keys. They have their uses, especially when combined with real keys and other authentication schemes, but to use them alone for authentication isn't generally a good idea.

Granted, sole biometric identification is better than some present identification methods, and could replace them in those areas, where the risk is not high enough to justify the use of more expensive and complex procedures, but does it give sufficient security for many of the domains to which it is being applied? I think not. Biometrics raise the bar a bit, but not high enough to be used on their own for many of the applications to which people want to put them to use.

By the way, you're highly out of date about Schneier's present views on security. If you've taken the time to read his many writings over the years, you'll see how much his attitude towards security has changed since the days of Applied Cryptography, where he naively talks about "protecting ourselves with mathematics." His most famous maxim is now "Security is a process, not a product," and he keeps constantly talking about how security is all about risk management, not risk avoidance. Exactly what you're saying, isn't it? Have a look at Secrets and Lies and the Crypto-Gram archive sometime.