Slashdot Mirror
Fingerprints Replace Credit Cards in Seattle
prostoalex writes "According to CNET News.com, Thriftway introduced biometric systems in its Seattle stores as far back as 2002. The customer would have to be identified first and submit his own fingerprints, as well as register credit cards with the grocery store. But then a Pay By Touch system became quite popular among the store regulars. According to CNET, "one man even drove 400 miles to use the technology". The store also reports 0% of such transactions being fraudulent."
Credit cards are trivial to track anyway, so no immediate extra privacy implications as long as the data isn't retained for too long.
This way, if someone steals your card info and puts their own fingerprint info on it (or onto the back-end database, or whatever), there is an immediate method to start tracking them.
Of course, there are ways to defeat fingerprint scanners, see Schneier for a starting point.
I therefore think that the danger here isn't in the fingerprinting itself, which is just another way of tracking usage. It is that cost/risk of fraud will be passed on from the banks to the consumer (or possibly stores).
You already give them your fingerprints at the customs, so I guess they exactly know where you are at every moment you buy something...
Now, if they want to arrest you, they will remove all your priveleges remotely so that next time you want to buy something you'll be retained by the caissier until the police comes.
</tinfoil>
Trolling using another account since 2005.
Do they actually REPLACE credit cards?
"Pay over the internet with your fingerprint now!"
Damn hackers, intercepted my finger print. Could I block my account and get a new fingerprint, please?
This technology would be a field day for law enforcement. Any and all crimes that happen in that area where they find a fingerprint but it's not in their database... the first thing they'll do is call up Safeway.
Fingerprint systems like this seem to work as well or better than most forms of ID. Most security on credit card purchases I've made has been limited to comparing my signature on the receipt to the one on my card, which can be forged pretty easily. They don't ask for picture ID any more on credit cards. A lot of them don't even keep my card long enough to check the signature, and automatic chargers like gas pumps will take your credit card without any cross-check. In that sense, using an account activated by your fingerprint is probably an improvement.
:)
Yes, there are concerns about the government tracking you through your fingerprints, but they could do that through your credit cards now anyway, so I'm curious what the difference would be. Besides, we're more at risk from all the commercial entities who have access to our electronic transactions. Unlike the government, they routinely do all sorts of things with the information they collect on our purchasing habits.
Here's my main concern: What if someone manages to impersonate you and establishes an electronic account that ties your financial information to their fingerprint. Someone could wreak havoc in a fairly short time if biometric systems are trusted blindly.
Then again, if the scammer impersonates a person with huge debts, maybe they'd get stuck with them.
Biometrics may be a miracle cure or snake oil. As with any potentially useful technology, which it becomes will depend on the implementation.
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
If someone gets an electronic imprint of your credit card number, you call VISA and get a new number.
If someone gets an electronic imprint of your finger print, you'll be chasing down fraudulent purchases FOR THE REST OF YOUR LIFE because you CAN'T change your finger print.
Ticketmaster, 5 years later, "I'm sorry sir, but you *DID* buy 10 first-row superbowl tickets. Our computer says you did it over the internet and we have your finger-print scan on file to prove it."
RUN, don't walk, when someone in a store asks for a scan of your finger-print.
Sam
People don't realize just how *dangerous* the fraud would be if this became widespread.
Take into account that we touch a LOT of things. Daily. You know those seedy, scammy ATM's? Wouldn't be very difficult to make one with a thumb reader to conceal an instant CCD-based scanner or something of the sort. All the machines check for is the pattern, and it would NOT be hard to fake this.
Rubber thumb overlay, anyone? The HEIGHT WOULD NOT MATTER, the machine would detect the right print no matter how long the grooves were. Sure, it won't work at a store, but it WILL work at an ATM.
But here's the worst part.
Once your print has been *breached*, you simply *can't get another one*. You're screwed.
Yes, safeguards can be put to minimize the use of overlays, but once again, only in official locations. Independently owned ATM's either won't ever be able to use this technology or will ruin it the very moment those prints are made public.
It would NOT be hard to rapidly prototype a piece of rubber (or some other, better, squishing polymer) based on a figureprint picture, let alone streamline the process to make dozens or even thousands more.
Of course, if it was purely for stores (and stay wary of those self-checkouts), maybe.... maybe.
I dunno, maybe I'm off my rocker here, I just came up with this counterargument instantly. The thought of someone with lots of stealing in mind coming up with a way to fake prints to use in unmanned scanner locations (let alone someone forcing someone else's thumb onto the scanner in a much scarrier mugging incident) is kind of scary.
Wait a second now...
Perhaps a bioelectric scanner that doesn't work (has to be tested with a variety of conductive materials, constantly, along with calluses...) unless a real live thumb is touching it still leaves you in danger of mugging (and setting it up so that the customer can't purchase unless they're calm would only lead to MUCH scarrier mugging incidents) but would stop fraud for the most part.
Yeah, still a long way to go before widespread use.
I think that there is confusion over the distinction between "Identification" and "Authorization".
A good secure transaction would require both.
For example: To withdraw money from an ATM, you have the bank card (identification) and the PIN (authorization).
So.... I think a distinct likeness like DNA or fingerprint would make a reasonable form of identification, I do not think it is reasonable as a form of authorization.
IMO, a monetary transaction which involves a fingerprint will still require the user to enter a pin number for authorization.
Just my 2p worth.
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
Exactly.
As I said before, never put all your faith in ANY system, you can tighten security with technology, and fingerprint recognition does that fairly well, but of course nothing is 100% secure. You have to consider contingencies.
"Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
Yes, because will all know how much more secure a little plastic card is.
Seriously, did you just make that up hoping no one would notice that you don't know what you are talking about?
I think the point of the parent was not that a little plastic card is more secure, but rather that a card is not permanent.
If a credit card gets stolen... you get a new card (with new numbers). If your fingerprint gets stolen... do you get new fingerprints???
It's when cash is no longer accepted that I leave the country.
So to commit fraud, all you have to do is go to the subway and take fingerprints from some surface, isolate the thumbs, create cheap replica thumbs using high-technology (digicam, gummibears and photo-sensitive printed-circuit board) and try them out.
The only way to have this thing "secure" is to wear gloves all the time.
Actually the fraud is so obvious, I am really shocked that anybody is so stupid and believe that the system is secure. The police is taking fingerprints for over 100 years already and that's not a secret either.
Yes, but a fake skin replica that fits tightly over your real finger can fool any machine any time. It has warmth, it has blood flowing under it, and it has the right pattern. Remember, what you have, what you know, and something you are. But nowadays that last one is becoming just a weaker version of something you have, because you can never trade it out if it gets copied.
The store also reports 0% of such transactions being fraudulent.
OK, so a voluntary system that requires you to submit your fingerprint and no criminals have tried it out, even for malicious purposes? That's incredible! I hardly think that this counts as an endorsement of this technology. If it were to become more widespread it might be worthwhile for the "bad guys" to come up with ways to defeat it, but as it is they will just go down the road to the place that uses the good old credit cards they can get out of a stolen wallet.
THIS SPACE FOR RENT
I think a lot of these problems could be negated if you add a PIN number...
NGWave - Fast Sound Editor for Windows
does everything have to be an evil conspiracy? Is it not possible that bio-metric devices could be used for pure good? Do you really think the gov't needs your fingerprint to track your credit card purchases?
I mod down so you can mod up. Your welcome.
I'd be more concerned about my fingerprint data being stolen. I can get a new credit card if one is compromised.
I thought it was bad when almost everybody volunteered to get a grocery store club card and surrender their privacy for a reduction in the newly jacked up prices. Finger print biometrics at the grocery store? What's next? Am I going to be forced to give a DNA sample to buy Mt Dew and Fritos?
>> My ultraviolent Linux switch video.
Thats why i pay with cash.
---- Booth was a patriot ----
That is, of course, the flip side of the coin. Digitally encoded biometric data that cannot be changed (fingerprint, retinal scan, etc) but can be fed to a computer in some manner or another can be used to falsify your identity. At a cashier's lane, this is kind of difficult to do, as you are under scrutiny. Online, or any place you can use it where you are not under scrutiny, or any delivery method that can be made transparent even when observed will break this kind of authentication scheme, with no way to undo the damage once its done (think DeCSS except with your entire life at stake).
I had actually thought about the theft of biometric data previously (past few weeks), but apparently forgot it when writing. Credit card numbers are changable. Fingerprints, not so much so. Such stores would need both files on hand to do proper authentication, and frankly, I just do not trust any computer system to be 100% unbreakable at all times