Slashdot Mirror
Fingerprints Replace Credit Cards in Seattle
prostoalex writes "According to CNET News.com, Thriftway introduced biometric systems in its Seattle stores as far back as 2002. The customer would have to be identified first and submit his own fingerprints, as well as register credit cards with the grocery store. But then a Pay By Touch system became quite popular among the store regulars. According to CNET, "one man even drove 400 miles to use the technology". The store also reports 0% of such transactions being fraudulent."
I guess this is the future... I just hope such info won't be crosschecked for national security's sake.
Trolling using another account since 2005.
Geek
The store also reports 0% of such transactions being fraudulent."
I don't think anybody's going to let you buy stuff with a severed finger.
What it could also mean is that most people don't reconcile their statements at the end of the month, and that the people who use this system are even more likely not to bother, because they trust it more.
Or not.
But give it time, someone will figure out how to scam it.
Here in we've been using a similar system for unique biometric identification of customers for years. It works a bit like this:
1) Walk into stor
2) Say 'Hello Ifan' to Ifan, the shopkeeper
3) Ifan says 'Hello ' back if he knows you
4) Say '2 grenade launchers, one baboon, and a pint of guinness please, my good man'
5) Ifan produces the above, charges your account, takes payment later. Nice and easy. And if you don't pay....
6) Chop!
How is this a really good thing?
How well does it work on someone that does a lot of physical activity (woodworking/metalworking) who might not have very good ridge detail?
Is this susceptible to Gummy Bears?
Picture of a fingerprint, how could you "print" it out, complete with ridges? Laytex, or maybe silicone would be nice, something I could glue to my fingertips, temporarily. Also, what are the oldest fingerprints available, that would show up in a search? I'd like to be a 170 yr old, 90 yrs dead suspect, or, supposing celebrity fingerprints are available, George W. Bush himself!
And then for when I get caught, fingerprints with an embedded "Fuck You Pigs" logo that would show up on the fingerprint card....
Credit cards are trivial to track anyway, so no immediate extra privacy implications as long as the data isn't retained for too long.
This way, if someone steals your card info and puts their own fingerprint info on it (or onto the back-end database, or whatever), there is an immediate method to start tracking them.
Of course, there are ways to defeat fingerprint scanners, see Schneier for a starting point.
I therefore think that the danger here isn't in the fingerprinting itself, which is just another way of tracking usage. It is that cost/risk of fraud will be passed on from the banks to the consumer (or possibly stores).
to say thumbs up to privacy invasion!
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
You already give them your fingerprints at the customs, so I guess they exactly know where you are at every moment you buy something...
Now, if they want to arrest you, they will remove all your priveleges remotely so that next time you want to buy something you'll be retained by the caissier until the police comes.
</tinfoil>
Trolling using another account since 2005.
Someone may have more experience with this than I do, but this is a bit scary. Has anyone else read the book "Stealing the Network". It goes into some detail on the subject of synthetic fingerprints and just how easy they are to make at home. The book is at home and I am at work or I would post the links that they have as refereneces. I can see the usefulness of the fingerprint perhaps replacing the signature or pin number, but the whole credit card!!! I don't know about you guys but when I realize that I left my credit card sitting around in a public place I freak out. I guess I am going to have to wear gloves from now on, or carry around a bottle of cleaning solution everywhere I go.
Someone with more experience please comment, especially if you have the links from that book, I am curious to read up.
Thanks
Crawl This - http://darkry.net/test/test.php
Do they actually REPLACE credit cards?
"Pay over the internet with your fingerprint now!"
Damn hackers, intercepted my finger print. Could I block my account and get a new fingerprint, please?
News story about the poor bankrupt grocery...
"The store also used to report 0% of such transactions being fraudulent before the story was posted to Slashdot. Then the number of frauds by using "stolen fingerprints" skyrocketed."
Anagram("United States of America") == "Dine out, taste a Mac, fries"
1) Have sales of gummy bears experienced a dramatic surge in the area?
and...
2) Can I choose which finger to give them for my biometrics?
But this is not surprising concidering the cost of a home finger print scanner of only 39$.
This technology would be a field day for law enforcement. Any and all crimes that happen in that area where they find a fingerprint but it's not in their database... the first thing they'll do is call up Safeway.
Fingerprint systems like this seem to work as well or better than most forms of ID. Most security on credit card purchases I've made has been limited to comparing my signature on the receipt to the one on my card, which can be forged pretty easily. They don't ask for picture ID any more on credit cards. A lot of them don't even keep my card long enough to check the signature, and automatic chargers like gas pumps will take your credit card without any cross-check. In that sense, using an account activated by your fingerprint is probably an improvement.
:)
Yes, there are concerns about the government tracking you through your fingerprints, but they could do that through your credit cards now anyway, so I'm curious what the difference would be. Besides, we're more at risk from all the commercial entities who have access to our electronic transactions. Unlike the government, they routinely do all sorts of things with the information they collect on our purchasing habits.
Here's my main concern: What if someone manages to impersonate you and establishes an electronic account that ties your financial information to their fingerprint. Someone could wreak havoc in a fairly short time if biometric systems are trusted blindly.
Then again, if the scammer impersonates a person with huge debts, maybe they'd get stuck with them.
Biometrics may be a miracle cure or snake oil. As with any potentially useful technology, which it becomes will depend on the implementation.
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
Bear with my bad SF for a moment. Western civilization seems to be converging to the point where citizens will have no choice, but will depend upon a handful of mega-corporations for their sustenance, while at the same time having to give not only their time and energy, but also their identity in return. By this time, privacy will have been successfully abolished and its last traces outlawed. Every adoption of RFIDs, DRM technology - as well as every merger between huge corporate actors is pushing the world nearer to a dystopic future.
Not a flamebait, just feeling the need to vent. Mod me a fool and placate me, please.
just check:n ?language=en
http://www.ccc.de/biometrie/fingerabdruck_kopiere
I guess the barcode-on-the-forehead project didn't go so well.
A person with good slight of hand talent could easily use the gummi bear trick.
I also wonder if they allow this to very age for purchase of alcohol and tobacco.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
If someone gets an electronic imprint of your credit card number, you call VISA and get a new number.
If someone gets an electronic imprint of your finger print, you'll be chasing down fraudulent purchases FOR THE REST OF YOUR LIFE because you CAN'T change your finger print.
Ticketmaster, 5 years later, "I'm sorry sir, but you *DID* buy 10 first-row superbowl tickets. Our computer says you did it over the internet and we have your finger-print scan on file to prove it."
RUN, don't walk, when someone in a store asks for a scan of your finger-print.
Sam
Amazon: "I'm sorry sir, you *DID* buy 20 copies of the first season of STAR TREK: ENTERPRISE. We have your finger-print scan in our computer to prove it."
If you are using a finger-print scanner to make ANY purchase, get ready to spend the rest of your life tracking down fraudulent purchases.
Sam
A fingerprint check might be secure and convenient. But what guarantees that the fingerprint, and the ID of its owner, will be used only in that authorized transaction? We have copyright control over our personal info. But our rights to restrict distribution are not explicit in law. The Congress must pass a law making such personal info copyrights clear and current. We need at least the same protections we give to copyrighted corporate info, like songs and music. Or corporations will own all our info, too.
--
make install -not war
... when try pry them from my cold dead fingers.
I think that there is confusion over the distinction between "Identification" and "Authorization".
A good secure transaction would require both.
For example: To withdraw money from an ATM, you have the bank card (identification) and the PIN (authorization).
So.... I think a distinct likeness like DNA or fingerprint would make a reasonable form of identification, I do not think it is reasonable as a form of authorization.
IMO, a monetary transaction which involves a fingerprint will still require the user to enter a pin number for authorization.
Just my 2p worth.
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
From an article (reg req'd) on identity theft:
True story? Who knows, but the moral of it is not to put all your faith in technology, and never underestimate criminals. Some may not be very bright, but that's more than made up for by their cunning.
But he would drive 400 miles,
And he would drive 400 more,
Just to be the man who drove 800 miles
To be a big lo-ser.
(apologies to the Proclaimers)
Those exist, but they're more expensive. The problem is that a dead finger should be used immediately, because after a short time, the fingerprint kind of fades and becomes very difficult for a reader to recognize it.
/. readers know that there's absolutely NO 100% secure system. Such thing doesn't exist, the goal isn't to render fraud completely impossible, but to reduce it as much as we can. Fooling a fingerprint reader + magnetic card + signature, etc is simply harder than doing the same on non-biometric systems. Other advantage is agility and simplicity, on some systems, you might authenticate just by placing a finger on a reader, instead of using maybe more annoying solutions, and in such a case you might gain some security (a lot in fact, just not 100%) but you also gain in simplicity for the users.
Anyway the real point here is that biometrics, specially fingerprint recognition is a very good and mature solution, which can be used for lots of things. Of course it could be fooled eventually by someone with enough determination and resources, but I would think that
There are no magic cures, the real problem with biometry is not that it doesn't work 100% perfectly but to make people aware of the fact that while it's more secure, it *could* eventually be fooled, and contingencies have to be considered too, just like with any system.
"Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
Right, everyone knows Thriftway is just a front for secret government projects. Watch out for seven-11, too. Your Slim-Jim preferences are being logged into the anti-terrorist database. And don't even THINK about buying gas there. Then they'll KNOW about your ties to Al-Qaeda.
Disclaimer: all tongue-in-cheek; no attack on parent
Exactly.
As I said before, never put all your faith in ANY system, you can tighten security with technology, and fingerprint recognition does that fairly well, but of course nothing is 100% secure. You have to consider contingencies.
"Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.
The five second rule doesn't apply here.
You must be pretty brave to eat something that just touched something that everybody else has touched and probably has some amount of everything else they had touched on it.
I would be wary even putting my finger on there nevermind eating off of it.
Yes, because will all know how much more secure a little plastic card is.
Seriously, did you just make that up hoping no one would notice that you don't know what you are talking about?
I think the point of the parent was not that a little plastic card is more secure, but rather that a card is not permanent.
If a credit card gets stolen... you get a new card (with new numbers). If your fingerprint gets stolen... do you get new fingerprints???
It's when cash is no longer accepted that I leave the country.
Yes, but a fake skin replica that fits tightly over your real finger can fool any machine any time. It has warmth, it has blood flowing under it, and it has the right pattern. Remember, what you have, what you know, and something you are. But nowadays that last one is becoming just a weaker version of something you have, because you can never trade it out if it gets copied.
In a couple episodes of CSI, the perpetrator made rubber hands that had fingerprints from a live person. (Admittedly, his own, but that's a plot complication I don't feel like explaining.)
Extend that concept to rubber-mold gloves.
tasks(723) drafts(105) languages(484) examples(29106)
The store also reports 0% of such transactions being fraudulent.
OK, so a voluntary system that requires you to submit your fingerprint and no criminals have tried it out, even for malicious purposes? That's incredible! I hardly think that this counts as an endorsement of this technology. If it were to become more widespread it might be worthwhile for the "bad guys" to come up with ways to defeat it, but as it is they will just go down the road to the place that uses the good old credit cards they can get out of a stolen wallet.
THIS SPACE FOR RENT
I ask because at the science museum in London, there is an area where you can experiment with several computer based activities and save the results using your finger print. I had to try several fingers before I found one which wasn't incorrectly identified as someone else's.
I would guess that the technology used in this situation is not as accurate as that which would be used for credit cards but still it is still a rather worrying thought that someone else's fingerprint could be mistakenly thought to be mine by a creid card system.
I wish to remain anomalous
The only finnicky part is getting your fingerprint pattern key (the raw info is not sent, it gets crunched down by the scanner,) into the database on somebody ELSE's account. HE will be the one stuck with the bill.
You can then run the scam the same way.
Actually it takes less balls to do it because either it works and your laughing or it doesn't and your mutter something about a new scar on your fingerprint to a clerk.
You don't have to worry about getting caught because you're going to have created a false positive (doubling the key) rather than replacing a real record.
Your fingerprint is essentially worthless for security when you've got access to a scanner and to the system.
The trust-worthyness of the original scanner and scannee is the key. The more paranoid you need to be, the more data points you pick, and the more tightly you control the access to the system.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I recall a review of some new biometric-enabled mice that came out, and the trivial way to trick them - cup your hand over the sensor, and breathe softly on it.
The existing oils will pick up the water vapor to form the pattern of the last finger on it, and the heat of the breath triggered the sensor to read it.
What amused me the most was I went to tell my boss at the time how these researchers had found such a simple way to break it, and he said "Oh... I just bought one of those yesterday." Heh.
Especially as in TX, where they require (I believe the right) THUMB print only. One is not allowed to use other fingers for authentication.
Yeah, right.
does everything have to be an evil conspiracy? Is it not possible that bio-metric devices could be used for pure good? Do you really think the gov't needs your fingerprint to track your credit card purchases?
I mod down so you can mod up. Your welcome.
...because you CAN'T change your finger print.
Hrmf! Telling me I can't change my finger prints?
*revs up the workbench sander*
I'll show you! ARRRGGHHASDFWDasdfsdaf12~!!!
sea i cntoo chadnfge my ow ow ow fignr prnits ow ow
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
When will people learn that identity factors are not the same as authentication factors?!?!
A Fingerprint is something you are
It would be a whole different story (and different pros/cons) if this was about a store requiring a fingerprint bio in place of a signature (something you do) on a Credit Card transaction.
The biggest deal here (not mentioned very much in these
That makes their DB such a huge target
Who would ever capture the CC info and then try to make fraudulent purchases at a grocery store anyway? They'll go for the high-end merchandise instead, using a totally different transaction service.
And let me guess, each customer signs an agreement (without reading it- legal jargon, bah!) stating that you release the company from any liability of storing your CC info!
Remember: Anytime biometrics are used singulary (without another form of authentication) it is for convenience and NEVER Security.
Yesterday I fixed my ripped shower curtain with seam sealer glue and I got some on my thumb when I pinched the edges together. Right now, I can't feel anything with the tip of my thumb because it's covered with extremely strong glue. If all purchasing eventually goes by fingerprint, then I assume folks like me will occasionally not be able to purchase anything! Maybe that's a good thing. Seriously... I can't get this stuff off!!!
I remember hearing how gelitan gummy can be used to fool a fingerprint reader. I thought it was kind of cool. If someone questions you, just eat the evidence. read the story here
There's no place like ~/
It is hardly an unreasonable assumption to say that you leave fingerprints everywhere, when you can see the obvious ones (glass, smooth metals, etc.).
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
No, I hate the "pigs" because they let thier power go to their head. You do realize that cops are just the bullies from HS...and now realizing they suddenly have to actually do work but have no real skills, they sign up to be cops. They get accepted because they have just high enough a score to pass thier little test, but not too high that would have them thinking for themselves. Yes, I know of someone turned down b/c they scored too high. They want someone with an average of a 6th grade education.
I hate them because twice now I've been pulled over for a cop wanting to make a DUI or just ticket someone. The first case I went to court to fight it; the state pled me down to a bad muffler. In the second case the cop had NO proof whatsoever (claimed i was doing 55 in a 25...except there are huge speed humps every 250 feet that would have ripped my car's underside off). He said he could technically ticket me anyway, based SOLEY on 'his knowledge and experience' that lead him to believe i was going that fast (never mind that he was much younger then me...). A third time I was harrassed by cops for supposedly breaking into a store and robbing it...in the end, it turned out they spelled the last name of the real person wrong. But 'applogies are against dept. rules.' Bite me.
I know several people who have season passes to Disney World... when you enter the parks, there is a fingerprint reader for season pass holders.
I've borrowed 3 different season passes before and never had a problem getting past the scanner, it just isn't reliable.
I bet a warm hotdog would work too.
I'd be more concerned about my fingerprint data being stolen. I can get a new credit card if one is compromised.
I thought it was bad when almost everybody volunteered to get a grocery store club card and surrender their privacy for a reduction in the newly jacked up prices. Finger print biometrics at the grocery store? What's next? Am I going to be forced to give a DNA sample to buy Mt Dew and Fritos?
>> My ultraviolent Linux switch video.
No, the eye was used for "secure" installations like a prison. The "code" was a chip in everyone's hands (think RFID implant), and was used for routine transactions.
Thats why i pay with cash.
---- Booth was a patriot ----
Then they developed the new ignitions that require a key with a transponder chip. (I think this was a demand by auto insurance companies.) So, as a result, instead of stealing cars, thieves are now carjacking people in order to get the car with the key in it, with the resulting increase in danger to the owner. Doesn't matter to the insurer as they are only liable for injuries in the case of an auto accident, not for robbery, unless you have supplemental medical coverage as part of your auto policy, which I suspect most people don't.
If this sort of thing becomes popular, it could trigger thieves cutting people's fingers and stripping the fingerprints. I am reminded of a horrid example in the movie "Fighting Back" where a thief wanted to steal a ring from some woman, but she couldn't get it off her finger. So he used a pair of tin snips and cut her finger off. Can't very well damage the ring, can we?
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
Has anyone ever heard of the drug called bextra [valdecoxib (val deh COCK sib)]? It's an arthritis drug. It also has the side effect of making your skin so smooth that you stop making finger prints. I may take awhile for the drug to have this effect, but it sounds interesting.
Old people have nothing to worry about.
Grandma could you get the phone. Oh, it's a telemarketer. Do whatever you have to so they go away.
That is, of course, the flip side of the coin. Digitally encoded biometric data that cannot be changed (fingerprint, retinal scan, etc) but can be fed to a computer in some manner or another can be used to falsify your identity. At a cashier's lane, this is kind of difficult to do, as you are under scrutiny. Online, or any place you can use it where you are not under scrutiny, or any delivery method that can be made transparent even when observed will break this kind of authentication scheme, with no way to undo the damage once its done (think DeCSS except with your entire life at stake).
I had actually thought about the theft of biometric data previously (past few weeks), but apparently forgot it when writing. Credit card numbers are changable. Fingerprints, not so much so. Such stores would need both files on hand to do proper authentication, and frankly, I just do not trust any computer system to be 100% unbreakable at all times
I had my eBay password compromised when an online service I was using to snipe bids was hit with the Slammer Worm. I was lucky. A lot of people who trusted Windows IIS servers became victims of identity theft and had big credit card bills and a lot of hassle to straighten out the mess and get on with their lives in the wake of Slammer and similar Windows security exploits.
>> My ultraviolent Linux switch video.