Slashdot Mirror
Ready or Not, Biometrics Finally in Stores
cancer4xmas writes: "It's very exciting to see USA Today's Technology front page saying, "Will that be cash, fingerprint or cellphone?" They're running a story on emerging biometric devices being the most fundamental change in personal finance since 1950, when the credit card was introduced. The concept is now being tested in some stores. Check out the full story." Now couple that tidbit with this morsel from wherley: "In a letter [scroll down a bit] to Bruce Schneier's Cryptogram newsletter, Ton van der Putte tells of a recent invitation from the BBC to comment on the addition of fingerprint biometrics to the British ID card. Using a digital camera and UV lamp he was able to make dummy fingerprints that fooled the readers - and in less time and less cost than similar experiments 10 years ago. He says: '...now the average do-it-yourselfer is able to achieve perfect results and requires only limited means and skills.'"
I remember I read awhile ago in some magazine how BMW had the technology to use biometrics in place of keys. The reason they didn't was that someone brought up this idea.
Carjacker + knife + need for your finger = not a pretty scene.
That's kind of kept me off of Biometrics for awhile. Now where'd my tin foil hat go...
Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
The system in this article is voluntary, and that's great. So long as it's only volutary, I'm all for this.
One potential problem becomes what's "voluntary" soon becomes mandatory. We might as well learn from history. Two specific examples from US history:
(1) The Social Security Number was ~never~ supposed to be used as any kind of central identification number. Now, no one knows who I am without it. I would gladly dump my social security "promises of benefits" to not have a social security number.
(2) To get a driver's license in the state I moved to, I had to give a thumbprint. I've never had fingerprints taken before in my life.
Are we safer as a result? All I know is that now my identity can be more easily tracked by central governmental organizations and those with sufficent access privileges, despite my wishes.
Technology is a tool, not a solution. Just like a hammer, it can be used for much good, but it's easy for those in power to convert it into something pretty sinister. If it's all the same, I'll keep my ATM card. It's a lot easier to change my bank account number than my fingerprint or eyeball.
Since that bloke showed how to use gelatine to fool a fingerprint machine, how long before jello becomes a controlled substance?
Engineering is the art of compromise.
I've thought about this for awhile, and I am thinking:
Why don't people just cut off their fingers and trade them as a commodity? Each finger is access to a different system...
For instance, if I work for a bank, but I want to get a vacation cheap, I just trade a finger with my buddy who works for some airline. He does what he wants with my bank, and I get the plane tickets I need to get away from this country.
The only problem is, if I want 10 things at once, how do I access the system without any fingers?
Maybe they should sell voice-recognition software with it.
Talk about giving someone the finger, geesh.
Karma Whoring for Fun and Profit.
Using a credit card typically requires a signature to match against the one on the card's back. Using an ATM/debit card requires a numerical code to match with the bank's records. Are biometrics really a good replacement for the card, or would they be a better replacement for the signature or ATM code? As there will be a secondary piece of ID anyway, why tie up the fingerprint with all the bank info, when the print could be just tied to the ID?
Intellectuals! Liberals! Peacemongers! IDIOTS!!!
Well, quite a long while I would think. I would imagine that the teenage checkout person at the supermarket would scream bloody murder at the sight of you using a severed finger, getting blood all over the biometric scanner. I can see it now:
"Paper or plast-- AAAAHHHHHHHH!"
Not exactly the most effective scam to try.
I was with a group that evaluated biometric authentication as a primary systems. The primary flaw that was pointed out that no one seems to really talk about is, what if someone compromises the key server? In a traditional authentication system, you simply change your keys. Since in a biometric system the keys are based off of the human body, not only has this compromised system been comletely destroyed, but potentially ALL biometric systems used by the same individuals is now compromised until the day they die.
That was a pretty big problem.
We decided on using biometrics as a 3rd or 4th level of authentication (to verify that someone using all of the other levels of authentication are who they say they are to a reasonable level of accuracy).
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Credit cards are getting harder too, with smartchips and strategically placed strips of thin metal inside. To fake one requires much more sophisticated equipment than five years ago.
Save Sam and Max!
those were awesome counterarguments from an unbiased industry insider
I don't know why all of these so-called "security experts" keep on advocating biometrics with little or no understanding of their real properties, much less how they should be properly used. Biometrics can be used as unique identifiers, but biometrics are not secrets. They can provide a unique identifier in an already trusted environment, but alone they cannot be used for authentication, which is what so many of these "experts" are ready to do. If I steal your fingerprint using any of the simple yet effective techniques (none of which require me to cut off your finger) described by Ton van der Putte, it can't be un-stolen, and nobody will be able to give you a "replacement" fingerprint.
A quote that iluustrates this naivete from the USA Today article: "Biometrics is one way to really identify the customer you're dealing with," he [Steve Vallance] says. What a foolish, naive statement. Alone, biometrics cannot really identify anybody.
I really can't do any better than point people out to an article in yet another issue of Crypto-Gram, which first came out five years ago: Biometrics: Truths and Fictions.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
A better system might require several biometric techniques together to reach an identification.(hand shape and finger prints would go together nicely)
This article mentions the Asian woman fingerprint problem about 3/4 of the way down, but doesn't mention a source for this claim.
But rather stealing the representation of my finger.
When the credit card db gets hacked (and it's happened several times), you just have to cancel it and get issued a new card.
When the fingerprint db gets hacked, they can't issue me a new finger.
A fleshcolored, spit wetted, rubber sleeve over a finger, with a copy of someone elses finger would work quite well, and be undectable by the minimally interested checkout line clerk.
If all you need is a fingerprint, then everyone will be wearing gloves soon. We leave fingerprints everywhere! New crime of the future: Person gets your fingerprint of a glass or a door or some other public place and racks up a mint. Say what you will about credit cards, at least you dont leave yoru credit card number, expiration date and billing address on every surface you touch. Theres something to be said about slightly insecure systems. The less secure something is the less easy it is to steal, since people are more suspicious of insecure systems then they are of supposedly "secure" systems. I can see a day where your credit card number is quantum encrypted on a microchip implanted in yoru skull. And the ability to dispute charges will no longer exist of course, because the system is unbreakable! Except for the short, easily memorizable password needed to unlock the quantum encryption. We can seethis already with identity theft. Now that youre identifiable by a number (instead of in person, as in the old days) anyone with access to that number is you, and everyone believes that its you, because the system is supposed to be secure.
http://www.schneier.com/crypto-gram-9808.html#biom etrics
Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn't that simple.
Biometrics are the oldest form of identification. Dogs have distinctive barks. Cats spray. Humans recognise each other's faces. On the telephone, your voice identifies you as the person on the line. On a paper contract, your signature identifies you as the person who signed it. Your photograph identifies you as the person who owns a particular passport.
What makes biometrics useful for many of these applications is that they can be stored in a database. Alice's voice only works as a biometric identification on the telephone if you already know who she is; if she is a stranger, it doesn't help. It's the same with Alice's handwriting; you can recognize it only if you already know it. To solve this problem, banks keep signature cards on file. Alice signs her name on a card, and it is stored in the bank (the bank needs to maintain its secure perimeter in order for this to work right). When Alice signs a check, the bank verifies Alice's signature against the stored signature to ensure that the check is valid.
There are a bunch of different biometrics. I've mentioned handwriting, voiceprints, and face recognition. There are also hand geometry, fingerprints, retinal scans, DNA, typing patterns, signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.), and others. The technologies behind some of them are more reliable than others, and they'll all improve.
"Improve" means two different things. First, it means that the system will not incorrectly identify an impostor as Alice. The whole point of the biometric is to prove that Alice is Alice, so if an impostor can successfully fool the system it isn't working very well. This is called a false positive. Second, "improve" means that the system will not incorrectly identify Alice as an impostor. Again, the point of the biometric is to prove that Alice is Alice, and if Alice can't convince the system that she is her then it's not working very well, either. This is called a false negative. In general, you can tune a biometric system to err on the side of a false positive or a false negative.
Biometrics are great because they are really hard to forge: it's hard to put a false fingerprint on your finger, or make your retina look like someone else's. Some people can mimic others' voices, and Hollywood can make people's faces look like someone else, but these are specialized or expensive skills. When you see someone sign his name, you generally know it is him and not someone else.
Biometrics are lousy because they are so easy to forge: it's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly. Imagine a remote system that uses face recognition as a biometric. "In order to gain authorization, take a Polaroid picture of yourself and mail it in. We'll compare the picture with the one we have in file." What are the attacks here?
Easy. To masquerade as Alice, take a Polaroid picture of her when she's not looking. Then, at some later date, use it to fool the system. This attack works because while it is hard to make your face look like Alice's, it's easy to get a picture of Alice's face. And since the system does not verify that the picture is of your face, only that it matches the picture of Alice's face on file, we can fool it.
Similarly, we can fool a signature biometric using a photocopier or a fax machine. It's hard to forge the vice-president's signature on a letter giving you a promotion, but it's easy to cut his signature out of another letter, paste it on the letter giving you a promotion, and then p
You don't need to fake a credit card, just nab one and it's all yours until the owner reports it missing! Merchants don't bother checking to see whether or not the card is yours, even if your PHOTO is on it, much less your signature!
Preface: I am posting AC and not naming any names here.
In the mid-to-late 1990s, when the phrase "identity theft" had first entered the lexicon but before the media discovered how well they could capture audiences with its mere mention, I worked with a card issuer on a so-called "secure card" test program. The idea was twofold: merchants were getting complacent in terms of trying to verify that the person presenting the card was actually the cardholder, and credit card fraud was an increasing problem.
The proposed solution to both dilemmas was to issue cards with the cardholder's PHOTOGRAPH on the FRONT of the card. We'd indemnify cardholders against any fraudulent purchases (as opposed to beyond the first $50.. it was a novel idea back then) for any bogus transaction made with one of these photocards. Cashiers weren't bothering to check the back for a signature, but surely they'd see if the photo on the front matched the person making the purchase, right? LOL.
Existing cardholders were allowed to volunteer for the test program by responding to an insert in their bill. Along with the application, they had to send in a photocopy of their drivers' license, and a small color photograph of themselves which was easily identifiable as the same person in the drivers license photo. About 10,000 such cards were eventually issued, with surveys included and sent as a follow-up to see what the cardholders encountered. During the test period, here are a few interesting things we found.
1... Merchants weren't checking the photo, even though it was right there as a 1.5" x 1.5" image on the front left side of the card.
Many cardholders reported no problem giving their spouse the card to use, where the photo wasn't even the same sex as the person making the purchase.
There were a lot of folks surprised that cashiers didn't even notice the photograph.
There were a lot MORE folks surprised that cashiers noticed the photograph but paid it no attention. For example, female customer would use card issued to JOHN DOE with a picture of a man on the card, no questions asked by merchant.
2... Merchants who did check the photo were overly attentive.
People who had changed hairstyles, dyed their hair, grown or shaved facial hair since the photo had been taken, or even gained or lost weight were having their cards refused because the photo wasn't a "perfect" match.
If a card was not outright refused due to appearance changes, a store manager was often called by the cashier, or some other delay was introduced into the purchase, inconveniencing both the cardholder and the merchant.
3... Some of the merchant services reps around the country were issued temporary expense cards with someone else's name and photograph on them (intentionally, as part of the test).
These cards were set to return a "Call" response on transaction attempts, which tells the merchant they need to call the card issuer to get special instructions before accepting the card.
Many merchants ignored the response and ran the transaction through as a "Force" process without bothering to see if there was a problem with the card. In live circumstances this would have resulted in a chargeback to the merchant with no recourse.
Merchants who did call were instructed to check the ID of the customer against the name and photo on the card. In nearly half of these cases, the merchants wound up doing a Force anyway (another chargeback). The reps were told to try and explain it away - "Oh that's my boyfriend's card" etc - and it worked pretty well.
4... Though this obviously is not the party line... Credit cards are as good as cash but provide next to zero security. Ask yourself when was the last time you tried making a purchase on plastic a
Why stop with the steady stream of articles that point out the real shortcomings of biometrics? So you can keep your job? Sorry, but that's a pretty selfish reason that only works for you, your boss, and a handful of investors.
As Bruce Schneier pointed out years ago, biometrics are a double edged sword. Biometrics are hard to forge (I am deliberately ignoring the $0.50 gelatin trick that fools fingerprint readers since I assume someone will repair that particular shortcoming,) and look to the implementations of the systems for the weaknesses instead. Yes, they are hard to forge. But once the data is turned into bits, it's pathetically easy to copy. And you can't put the genie back in the bottle it once it's gone!
It comes down to "who do you trust?" Do you really trust the department store or the bank to not keep a copy of your biometric identification? What's to keep an unscrupulous merchant from intercepting a copy of your raw biometric data, and saving a copy?
I see signature capture pads all over the place these days. I categorically refuse to use them because I have no confidence that my signature won't be captured and replayed by the wrong person. You can't tell me that a "secure" system will prevent this, because I can't tell a secure system by looking at one. The promise of Open Source is no guarantee, either. Even if it had a picture of a penguin on the outside, a spiffy GNU-y logo, and OSF and SourceForge brand stickers on it, how do I know it's really "IdentifyMe_2.0" and not some hacked-up demo being run by Vinnie the Chiseler? People believe that when they walk into a Home Despot that Home Despot doesn't keep a permanent record of their signature. Of course they keep it; it's actually required by law to retain the audit copy for 36 months (42 in Illinois.)
There are also plenty of known cases of fraudulent ATM machines that read your card, accept your PIN, spit out "TEMPORARILY UNABLE TO DISPENSE CASH", and report both your card and PIN to the machine's owner. How is a user supposed to be able to authenticate the biometric device is genuine; that it's not a sham, running a copy for a thief?
How will this change with fingerprinting, hand geometry, retinal scans, or whatever the biometric system of the week may be? It won't; it can't. And since the systems can never be trusted to not "steal" or retain copies of identification for future playback, the systems should never be used in the first place. Using them even one time will put your irreplaceable data in a system it may never escape from.
Biometrics are a technology that should not ever be mainstreamed. They might work fine for a secure military facility, but once they're out in the general populous for any length of time, the protections they represent are gone.
John
Last night in the checkout I was behind a very nervous man who got what he claimed was -HIS- ATM PIN wrong 14 times! It was quite obvious that he was using somebody else's card, he eventually got it but I watched him try several permutations of someone's birthday. After he left I asked the clerk what she thought and she was totally clueless, she said she deals with people who forget their PIN numbers all day long. I asked if the store had a policy to check their state ID against the card they were trying to use if it's obviously fraudulent, and she said she's only interested in keeping the line moving.
Now you know one reason identity theft is so easy, store clerks are letting people try PIN numbers willy-nilly until they get the right one. There should be a 'five times' law, after which they cut your card up.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails