Slashdot Mirror


Biometrics: Prepare to be Scanned

npistentis writes "From an article in the Economist: It has been a long time coming. But after years of false starts, security systems based on biometrics--human characteristics such as faces, hand shapes and fingerprints--are finally taking off. Proponents have long argued that because biometrics cannot be forgotten, like a password, or lost or stolen, like a key or an identity card, they are an ideal way to control access to computer networks, airport service-areas and bank vaults. But biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost: biometric systems are expensive compared with other security measures, such as passwords and personal identification numbers. So while biometrics may provide extra security, the costs currently outweigh the benefits in most cases."

6 of 284 comments

  1. Disabled people? by Anonymous Coward · · Score: 5, Interesting

    So what happens when someone who has lost one or both eyes tries to withdraw money from their bank account? Or when a burn victim passes through a face recognition checkpoint?

  2. body part security by 0111+1110 · · Score: 5, Interesting

    The problem with using body parts like fingers, retinas, or faces for access control security is that one's physical body can be coerced. No one can force me to reveal my secure password. I can choose to die rather than reveal it, and if I die, the protected data will die with me.

    A few scenarios come to mind. I'm walking in a city late at night near an ATM. A thief puts a gun to my head and tells me to go to my ATM and withdraw funds for him. I can refuse, but if he kills me he will get no money. With a fingerprint, retina, or facial scan, he can shoot me first and just drag my body to the ATM.

    Another scenario is private data on my computer that I want to be kept safe from everyone including governments. A government can physically coerce a citizen into using his fingerprint scanner to retrieve the data that they want. They can do nothing about a strong password, and, again, if they kill you they lose any chance of getting the data.

    Of course, this is where torture comes in, but I'd rather have the choice of being tortured or even dying to protect sensitive data. Biometrics take away that choice.

    Having said all this, voice print ID avoids many of these pitfalls. It seems the most promising since no one can physically force you to speak your password, and if you die the data remains protected.

    --
    Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  3. The other reason by Coventry · · Score: 5, Interesting

    The Economist article fails to mention the other major reason these systems have not taken off - comparability.

    Or, I should say, the Lack of it.

    Each fingerprint device on the market uses its own format for storing its data - making each device incompatible. At first, this would seem to be an easily surmountable problem - but then you must realize that until recently, Every device on the market had its own API for development.

    Let me give you an example to illustrate this issue: company X has 2000 employees, and it goes to look at biometric systems - they are either faced with the choice of paying for very expensive equipment from 'long time players' in the industry - who would be around in 2-5 years when the devices start failing due to wear and tear - or choose from some of the 'upstarts', and risk being out in the cold if the company they choose isn't around in several years. A hardware switch down the line not only would incur the cost of rescanning everyone, but the application itself would need to be modified to work with the API for the new device.

    Enter the BioAPI (www.bioapi.org) - which proposed a standard API - now widely adopted. You may notice that the BioAPI page mentions it was founded in 1998. It has taken several years for this standard to come to the foreground and there are still roadblocks - not all manufacturers participate freely.
    As an example: one rather large manufacturer, Identix (www.identix.com) seems to have been stonewalling for years. Why would a manufacturer do such a thing against what is good for the industry? Because they were leading the industry. When you have all of the high end government contracts coming your way, a standard that opens the doors for the little guy is a Bad Thing for your business - or so they thought.
    Take a look at the members list on the BioAPI site - Identix is listed - then take a look at the supported devices list... not a single Identix product.

    In 1999 I witnessed this stonewalling firsthand at a meeting in Washington DC. This meeting had manufacturers and interested parties from all over the globe in attendance, including representatives from the US military. The whole agenda for the meeting was how to promote/define standards so that the industry could grow.
    I had the unfortunate luck to be seated next to the Identix representative. He had apparently flown in just so he could stonewall - every opportunity he got, he grabbed the microphone and ranted about how we should let the free market dictate standards - that they would come about naturally in the free market (he loved the term free market).
    Meanwhile the rest of the group was discussing issues about how to resolve device interoperability - even so far as to discuss how data could be shared between devices. No concrete decisions were made at the meeting, but it did get people talking.

    Anyway, my whole point is, one of the major reasons the biometric security industry hasn't grown (as fast as has been predicted for the past 8 years) is because without standards no one wanted to invest in writing applications. It was just too risky.

    Note: I am flipping a coin as to whether to post this anonymously or not, since Identix could decide to try and silence this sort of talk...

    --
    man is machine
  4. Sanitation by Gothmolly · · Score: 5, Interesting

    is a big problem, partially real and partially imagined. The real issue is transmission of viruses and bacteria through body fluids - what if I have an eye infection when I peer into the retina scanner? What if I pick my nose, then scan my fingerprint? The imagined issue is the 'cootie factor', where you won't want to touch something that 1,000,000 other people touched (think toilet seat).
    Lastly, our new biometric overlords (The US Govt) will undoubtedly put 1,000,001 policies and procedures in place creating a huge barrier to market entry, unless of course you're the gov't approved contractor. None of which will be followed by the unscrupulous, thus continuing the tradition of fucking the honest and awarding (by default) the sketchy.

    --
    I want to delete my account but Slashdot doesn't allow it.
  5. All Together Now by Ringel · · Score: 5, Interesting

    Repeat after me....

    Biometrics are unique but not secret.

  6. Re:Fingers by Yorrike · · Score: 5, Interesting
    What about making a replica finger or eye that looks and feels like the real thing? Rest assured, if there's money to be made from creating such material, any technological shortcomings will be dealt with by the criminal world.

    And what about classical hacking using the binary data your biometric details will eventually become once scanned?

    Biometrics may sound futuristic and secure, but unlike a password or card, you can't replace your fingerprints or retina with a few keystrokes, or have the bank send you a new one.

    --

    Looks can be deceiving. Or CAN they?