Slashdot Mirror


Biometrics: Prepare to be Scanned

npistentis writes "From an article in the Economist: It has been a long time coming. But after years of false starts, security systems based on biometrics--human characteristics such as faces, hand shapes and fingerprints--are finally taking off. Proponents have long argued that because biometrics cannot be forgotten, like a password, or lost or stolen, like a key or an identity card, they are an ideal way to control access to computer networks, airport service-areas and bank vaults. But biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost: biometric systems are expensive compared with other security measures, such as passwords and personal identification numbers. So while biometrics may provide extra security, the costs currently outweigh the benefits in most cases."

8 of 284 comments

  1. The main problem in my eyes... by matticus · · Score: 5, Insightful

    The main problem in my eyes is the fact that a biometric system turns a fingerprint or retina scan into a string of ones and zeros. If the software is cracked to reveal this string, then the person who belongs to the fingerprint is *permanently* compromised. You can't change fingerprints like you can passwords.

  2. Is it worth the cost? by Isopropyl · · Score: 5, Insightful

    The trouble is, it is not clear that these identity-verification systems are worth the cost and trouble of introducing them. All 19 of the September 11th hijackers entered the United States using valid visas, on their own passports, for example. Verifying their identities using biometric visas would have made no difference.

    I find it hard to justify the cost of using biometrics, at least in this airport example. The airlines are in decline, the government has just bailed them out with a couple billion, and revenues are still falling. Does the TSA really need to scan my finger before I step onto a plane? Like the quote says, biometrics wouldn't have made a difference on 9/11.

  3. False claim by G3ckoG33k · · Score: 5, Insightful

    The two main reasons being unease and cost?! That is wrong. The simple truth is poor performance. So far, no system has been able to match faces better than 60-80% in real-life tests. That is still far too poor to be really useful for police work and other, similar purposes.

  4. this cannot be rushed by saiha · · Score: 5, Insightful

    Whether you consider this a good thing or not, if and when it is implemented we need to remember that just like any other form of security, the weak link will still be the human factor.

    Even if you have the best biometric system, but it (and its database) is not monitored for tampering regularly, who is to say a malicious person didn't add or change a user's information? And because biometrics are supposed to be so good, who will the people in charge believe, someone saying they are John Smith the computer tech, or the computer that reported them as being some criminal?

  5. Re:minority report by rknop · · Score: 5, Insightful

    but realistically, the government would never spend the insane amount of money to install cameras all over the public area of America, especially not high-tech eye-scanning ones.

    Agreed. But don't estimate the money-spending abilities of corporate marketing departments as they attempt to identify and target consumers. (Which, by and large, was what was scanning whatshisname in Minority Report.)

    If you're not happy being paranoid about marketing departments, consider that once the cameras are there, it's real easy for whatever random government organization to use PATRIOT IX to get that data without a warrant, but with a gag order that prevents your being told they got the data.

    -Rob

  6. Biometric passphrases by Anonymous Coward · · Score: 5, Insightful

    That article was more or less product placement. Biometric passwords, while looking very cool in sci-fi flicks, have the following misfeatures:

    1. The "password" can't be changed. If compromised, it's compromised for life.
    2. You only have two thumbs and two eyes, and then you have to re-use your "passwords". Do you want your employer to have access to your bank account? Would your current employer want your last employer to have your access code to their building?
    3. They are not secret. Especially so with thumbprints: every time you grab a glass or a doorknob you leave your "password" written all over it.

    I would say these are the real reasons no one other than gadgeteer-type bosses would ever consider using biometric passphrases.

  7. Can't be stolen? Are they on crack? by raxxerax · · Score: 5, Insightful

    How long until someone sets up a phony ATM to capture retinal patterns? And unlike passwords, your retinal pattern is not something you can change as needed.

    Don't get me wrong, biometrics has its place but that place is part of a multi-factor security system. I predict that we will eventually see ATMs that require a card, password and biometrics. Three factors: something you have, something you know and something you are.

    Biometrics by itself is useless for security.

  8. Common misconception by Coventry · · Score: 5, Insightful

    Your idea has problems for several reasons:

    - biometric data is not stored as a simple image. It's not stored as a compressed image, or an MD5 of the image. It is most often stored as a series of one-way-hash values, each of which is derived from some characteristic inherent in the scan. Someone could steal this data, but creating the original image is near impossible, like breaking a 100 kilobyte RSA key.

    - biometric data is stored in a different format by every manufacturer. There is no standard - heck, they can barely get a standard API for how to interface with the hardware and drivers (www.bioapi.org), let alone agree on a standard format. Thus, if Visa were to start using scanners, and your fingerprint scan were stolen, only Visa systems would be affected.

    - most authentication systems (other than the implied example of logging onto a computer) use multiple pieces of information, usually two or more of the following types:
        - something remembered (a password or PIN)
        - something kept (a security card, a credit card)
        - something intrinsic (a biometric)

    Now, how useful is that fingerprint scan if the Visa card it's associated with is not in the thief's hands? How useful is it if you cancel your card and get a new one?

    - if someone did manage to steal an image of your fingerprint or retina, it won't do much good: systems these days are able to tell the difference between a dead/living finger, a photo, and even a plastic mold (many systems look for temperature of what is scanned, and can even look for capillary blood flow).

    - if someone gets access to a computer system where they can use the information stolen and bypass the scanning device, well, you have much bigger problems: such a break-in would probably compromise things to the point where they can simulate a positive authentication from the driver/hardware, for any user.

    - (this one only applies to fingerprints): you have ten fingers, use a different one. For eyes, switch eyes.

    Having said all of that, please realize that biometrics are intended to enhance security by adding another layer to the authentication systems in place, not to replace them. A bankcard+pin+fingerprint is more secure than a bankcard+pin.

    Anytime you hear/read the mass media promoting the death of passwords via biometrics, realize that either A) the reporter doesn't get it or B) they have talked to a marketing person at one of the manufacturers who is (most likely in my experience) pandering to the media in an attempt to grow the market and get sales, despite the falsehoods involved.

    By the same token, anyone who tells you a password by itself is secure, is also wrong.

    --
    man is machine
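
Added example, not part of any comment above or of the original page: a minimal sketch of the card + PIN + biometric check that comments 7 and 8 argue for, showing that cancelling the card makes a stolen template useless even though the finger itself cannot be changed (the concern in comments 1 and 6). The `Issuer` class, the 32-bit templates, the match threshold and storing the template as a directly comparable bit string are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MATCH_THRESHOLD = 3  # assumed: max differing bits for a scan to count as a match


def pin_hash(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored verifier is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def hamming(a: int, b: int) -> int:
    # Two scans of one finger never agree bit-for-bit, so compare by distance.
    return bin(a ^ b).count("1")


class Issuer:
    """Hypothetical card issuer binding a PIN and a template to a card number."""

    def __init__(self):
        self.cards = {}       # card_id -> (salt, pin_hash, template)
        self.revoked = set()  # cancelled card numbers

    def enroll(self, card_id: str, pin: str, template: int) -> None:
        salt = os.urandom(16)
        self.cards[card_id] = (salt, pin_hash(pin, salt), template)

    def revoke(self, card_id: str) -> None:
        self.revoked.add(card_id)

    def verify(self, card_id: str, pin: str, scan: int) -> bool:
        record = self.cards.get(card_id)
        if record is None or card_id in self.revoked:
            return False  # "something kept" is missing or cancelled
        salt, stored_pin, template = record
        if not hmac.compare_digest(pin_hash(pin, salt), stored_pin):
            return False  # "something remembered" is wrong
        # "something intrinsic": accept only a close enough scan
        return hamming(scan, template) <= MATCH_THRESHOLD


# Constructed sample data: 32-bit stand-ins for fingerprint templates.
FINGER = 0b1011_0010_1110_0001_0101_1100_0011_1010
FRESH_SCAN = FINGER ^ 0b101          # same finger, two noisy bits
OTHER_FINGER = FINGER ^ 0xFFFF0000   # different finger, 16 bits differ
```

After `revoke("card-A")`, presenting an exact copy of `FINGER` with the old card and PIN is rejected, while the same finger enrolled on a newly issued card with a new PIN verifies normally.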