Slashdot Mirror

← Back to Stories (view on slashdot.org)

Biometrics: Prepare to be Scanned

Posted by michael on from the scanned-in-the-place-where-you-live dept.

npistentis writes "From an article in the Economist: It has been a long time coming. But after years of false starts, security systems based on biometrics--human characteristics such as faces, hand shapes and fingerprints--are finally taking off. Proponents have long argued that because biometrics cannot be forgotten, like a password, or lost or stolen, like a key or an identity card, they are an ideal way to control access to computer networks, airport service-areas and bank vaults. But biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost: biometric systems are expensive compared with other security measures, such as passwords and personal identification numbers. So while biometrics may provide extra security, the costs currently outweigh the benefits in most cases."

12 of 284 comments (clear)

  1. right to be uneasy by mrfibbi · · Score: 3, Interesting

    i'm all in favor of it, but it still does bring my mind back to minority report. Some people have a right to be uneasy.

  2. Disabled people? by Anonymous Coward · · Score: 5, Interesting

    So what happens when someone who has lost one or both eyes tries to withdraw money from their bank account? Or when a burn victim passes through a face recognition checkpoint?

  3. Re:Fingers by altek · · Score: 3, Interesting

    There are safeguards to prevent this, such as methods to determine body heat and pulse being necessary for a positive ID.

    --
    THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
  4. Re:The main problem in my eyes... by Clever+Pun · · Score: 3, Interesting

    The movie "Gattaca" comes to mind - people may well start SELLING their biometrics to others - sure, losing your hand is a bitch, but wouldn't you do it for ten million dollars? I honestly don't know if I could say 'no' to that, if I needed the money badly enough.

  5. body part security by 0111+1110 · · Score: 5, Interesting

    The problem with using body parts like fingers, retinas, or faces for access control security is that one's physical body can be coerced. No one can force me to reveal my secure password. I can choose to die rather than reveal it, and if I die, the protected data will die with me.

    A few scenarios come to mind. I'm walking in a city late at night near an ATM. A thief puts a gun to my head and tells me to go to my ATM and withdraw funds for him. I can refuse, but if he kills me he will get no money. With a fingerprint, retina, or facial scan, he can shoot me first and just drag my body to the ATM.

    Another scenario is private data on my computer that I want to be kept safe from everyone including governments. A government can physically coerce a citizen into using his fingerprint scanner to retrieve the data that they want. They can do nothing about a strong password, and, again, if they kill you they lose any chance of getting the data.

    Of course, this is where torture comes in, but I'd rather have the choice of being tortured or even dying to protect sensitive data. Biometrics take away that choice.

    Having said all this, voice print ID avoids many of these pitfalls. It seems the most promising since no one can physically force you to speak your password, and if you die the data remains protected.

    --
    Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  6. The other reason by Coventry · · Score: 5, Interesting

    The economist article fails to mention the other major reason these systems have not taken off - comparability.

    Or, I should say, the Lack of it.

    Each fingerprint device on the market uses its own format for storing it's data - making each device incompatible. At first, this would seem to be an easily surmountable problem - but then you must realize that until recently, Every device on the market had its own API for development.

    Let me give you an example to illustrate this issue: company X has 2000 employees, and it goes to look at biometric systems - they are either faced with the choice of paying for very expensive equipment from 'long time players' in the industry - who would be around in 2-5 years when the devices start failing due to wear and tear - or choose from some of the 'upstarts', and risk being out in the cold if the company they choose isn't around in several years. a hardware switch down the line not only would incur the cost of re scanning everyone, but the application itself would need to be modified to work with the API for the new device.

    Enter the BioAPI (www.bioapi.org) - which proposed a standard api - now widely adopted. You may notice that the Bioapi page mentions it was founded in 1998. It has taken several years for this standard to come to the foreground and there are still roadblocks - not all manufacturers participate freely.
    As an example: one rather large manufacturer, Identix (www.identix.com) seems to have been stonewalling for years. Why would a manufacturer do such a thing against what is good for the industry? Because they were leading the industry. When you have all of the high end government contracts coming your way, a standard the opens the doors for the little guy is a Bad Thing for your business - or so they thought.
    Take a look at the members list on the bioapi site - identix is listed - then take a look at the supported devices list... not a single identix product.

    In 1999 I witnessed this stonewalling firsthand at a meeting in washinton DC. This meeting had manufacturers and interested parties from all over the globe in attendance, including representatives from the US military. The whole agenda for the meeting was how to promote/define standards so that the industry could grow.
    I had the unfortunate luck to be seated next to the Identix representative. He had apparently flown in just so he could stonewall - every opportunity he got, he grabbed the microphone and ranted about how we should let the free market dictate standards - that they would come about naturally in the free market (he loved the term free market).
    Meanwhile the rest of the group was discussing issues about how to resolve device inter operability - even so far as to discuss how data could be shared between devices. No concrete decisions were made at the meeting, but it did get people talking.

    Anyway, my whole point is, one of the major reasons the biometric security industry hasn't grown (as fast as has been predicted for the past 8 years) is because without standards no one wanted to invest in writing applications. It was just too risky.

    Note: I am flipping a coin as to wether to post this anonymously or not, since Identix could decide to try and silence this sort of talk...

    --
    man is machine
  7. Sanitation by Gothmolly · · Score: 5, Interesting

    is a big problem, partially real and partially imagined. The real issue is transmission of viruses and bacteria through body fluids - what if I have an eye infection when I peer into the retina scanner? What if I pick my nose, then scan my fingerprint? The imagined issue is the 'cootie factor', where you wont want to touch something that 1,000,000 other people touched (think toilet seat).
    Lastly, our new biometric overlords (The US Govt) will undoubtedly put 1,000,001 policies and procedures in place creating a huge barrier to market entry, unless of course you're the gov't approved contractor. None of which will be followed by the unscrupulous, thus continuing the tradition of fucking the honest and awarding (by default) the sketchy.

    --
    I want to delete my account but Slashdot doesn't allow it.
  8. Forget Biometrics by Ignis+Flatus · · Score: 3, Interesting

    All who are familiar with the ATM scams know why it is inherently insecure. The more likely scenario is that eventually you will all be tagged like cattle. GPS tracking will ensure security by monitoring to make sure you are never in two places at the same time, or making quantum leaps through space-time.

  9. Re:False claim by Coventry · · Score: 4, Interesting

    Facial recognition is only 1 of the technologies involved in biometrics... To claim that the whole industry has failed to grow because one Type of biometric does not function well is untrue.

    Besides that, your numbers are wrong... facial recognition systems can actually have failure rates higher than that under less than ideal ircumstances, and when put into use as identification, not verification systems.

    First, definitions, for those who didn't read the article:

    Identification: determin from a scan who someone is, searching over a list of possibilities.

    Authentication: determin with reasonable confidence that the user is who they claim they are.

    Authentication is much much easier to get right, since you can always ask for a rescan if you are unsure. Authentication systems are designed so that the device (hardware and software) return a confidence level - sometimes a percentage. It is up to the application developer to determin just how high a confidence level you want. If you set it too low, people with similar faces might be abel to authenticate for each other - borthers for example. If set to high, then slight (natural) variations in a person's face can cause rejections. Generaly, you must strike a balance between false positives and rejections. Such a compromise is acceptable, if you have other security measures in place (see note at end of post).

    Identification is much, much harder. First of all, it is very cpu intensive - one can model identification as a low-confidence-level authentication against every listed person in the database. If you have 40,000 people in the database, this can take awhile. Hashing doesn't help much, and is illadvised, since we are looking for a close match, not an exact. Biometric data isn't the kind where you can take the first 5 bytes and dump into hash buckets either - but I digress. So, how do you speed it up? You reduce the dataset by reducing the detail in the data you store for each person.

    Then you run into the problems with how these systems have been rolled out - using low resolution security cameras is not a good way to get an accurate scan of a person's face - especially when the people being scanned a re small enough (in relation to the scene) to be only 10s of pixels wide.

    So, now we know the technical difficulties - but why the bum rap, and why would a police force choose to roll something like this out anyway? This is several fold, but the main thing it comes down to is misconceptions about what these systems are doing, and badly written systems. Due to the limitations mentioned above, these systems can only provide possible matches, like 'Person X is a 20% match against Osama Bin Laden'. the system isn't claiming that the person IS Osama, only that the face appears somewhat similar. As such, the system is supposed to be used as a guide - if it picks someone out, that person deserves more attention - that attention could be a remote-controled security cam singling them oout for a better scan, or for officers in the area to walk over for a better look. Unfortunatly, just because that is how the system is supposed to work does not mean it is used that way - all too often these are rolled out as a way to 'increase security while retaining a minimal police/secuity force'. You get officers who think of a potential match as a authentication, and they send officers running down at high speed only to find it's not Osama... The next potential match they are more hesitent about, and so on, until they mistrust the system completely. Is the system doing anything wrong? No, its that the users don't understand what it is doing. Better training would help, but so would the people making the purchasing descisions understanding the technology, and staffing accordingly.

    In the sort of rollouts described above, facial recognition has a success rate of less than 30%, much lowe r than what you describe. With rates that low, people complain, and stories get published. Used properly, the data these sy

    --
    man is machine
  10. This is another case of... by slappyjack · · Score: 3, Interesting

    ...just becasue you HAVE the technology, and COULD use it... ...doesn't mean you necessarialy SHOULD.

    another creepy-ass thought
    Retinal scanners: Remember that Tom Cruise sci-fi flick where everyone was constantly getting retinally scanned wherever they went? You guys think DoubleClick are a bunch of scumbags now, just wait 'till they link up with RetinAll Marketing.

    Coming out of a big speaker in the near future:
    "Welcome to Blockbuster, Mr Slappyjack. You may be interested in the Jenna Jameson collection we have in the back room. We did notice you were looking at internet porn about her all day while your wife was out. We do not, however, have any Ass-Reaming-Mature-Tranny-Bukkake videos, which we know you enjoy. If you like we'd be glad to order one for you. Have a nice day."

    yeah. nice.

    Remember when we all thought RadioShack asking for our addresses just becasue we needed a couple of AA batteries was high annoyance? NOTHING compared to what the future holds.

    --
    s'wut i sed.
  11. All Together Now by Ringel · · Score: 5, Interesting

    Repeat after me....

    Biometrics are unique but not secret.

  12. Re:Fingers by Yorrike · · Score: 5, Interesting
    What about making a replica finger or eye that looks and feels like the real thing? Rest assured, if there's money to be made from creating such material, any technological shortcomings will be dealt with by the criminal world.

    And what about classical hacking using the binary data your biometric details will eventually become once scanned?

    Biometrics may sound futuristic and secure, but unlike a password or card, you can't replace your fingerprints or retina with a few keystokes, or have the bank send you a new one.

    --

    Looks can be deceiving. Or CAN they?