Fingerprints Replace Credit Cards in Seattle
prostoalex writes "According to CNET News.com, Thriftway introduced biometric systems in its Seattle stores as far back as 2002. The customer would have to be identified first and submit his own fingerprints, as well as register credit cards with the grocery store. But then a Pay By Touch system became quite popular among the store regulars. According to CNET, "one man even drove 400 miles to use the technology". The store also reports 0% of such transactions being fraudulent."
The store also reports 0% of such transactions being fraudulent."
I don't think anybody's going to let you buy stuff with a severed finger.
What it could also mean is that most people don't reconcile their statements at the end of the month, and that the people who use this system are even more likely not to bother, because they trust it more.
Or not.
But give it time, someone will figure out how to scam it.
Here in we've been using a similar system for unique biometric identification of customers for years. It works a bit like this:
1) Walk into store
2) Say 'Hello Ifan' to Ifan, the shopkeeper
3) Ifan says 'Hello ' back if he knows you
4) Say '2 grenade launchers, one baboon, and a pint of guinness please, my good man'
5) Ifan produces the above, charges your account, takes payment later. Nice and easy. And if you don't pay....
6) Chop!
Picture of a fingerprint, how could you "print" it out, complete with ridges? Latex, or maybe silicone would be nice, something I could glue to my fingertips, temporarily. Also, what are the oldest fingerprints available, that would show up in a search? I'd like to be a 170 yr old, 90 yrs dead suspect, or, supposing celebrity fingerprints are available, George W. Bush himself!
And then for when I get caught, fingerprints with an embedded "Fuck You Pigs" logo that would show up on the fingerprint card....
Credit cards are trivial to track anyway, so no immediate extra privacy implications as long as the data isn't retained for too long.
This way, if someone steals your card info and puts their own fingerprint info on it (or onto the back-end database, or whatever), there is an immediate method to start tracking them.
Of course, there are ways to defeat fingerprint scanners, see Schneier for a starting point.
I therefore think that the danger here isn't in the fingerprinting itself, which is just another way of tracking usage. It is that cost/risk of fraud will be passed on from the banks to the consumer (or possibly stores).
Someone may have more experience with this than I do, but this is a bit scary. Has anyone else read the book "Stealing the Network"? It goes into some detail on the subject of synthetic fingerprints and just how easy they are to make at home. The book is at home and I am at work or I would post the links that they have as references. I can see the usefulness of the fingerprint perhaps replacing the signature or PIN number, but the whole credit card!!! I don't know about you guys but when I realize that I left my credit card sitting around in a public place I freak out. I guess I am going to have to wear gloves from now on, or carry around a bottle of cleaning solution everywhere I go.
Someone with more experience please comment, especially if you have the links from that book, I am curious to read up.
Thanks
Crawl This - http://darkry.net/test/test.php
Do they actually REPLACE credit cards?
"Pay over the internet with your fingerprint now!"
Damn hackers, intercepted my finger print. Could I block my account and get a new fingerprint, please?
News story about the poor bankrupt grocery...
"The store also used to report 0% of such transactions being fraudulent before the story was posted to Slashdot. Then the number of frauds by using "stolen fingerprints" skyrocketed."
Anagram("United States of America") == "Dine out, taste a Mac, fries"
1) Have sales of gummy bears experienced a dramatic surge in the area?
and...
2) Can I choose which finger to give them for my biometrics?
But this is not surprising considering the cost of a home fingerprint scanner of only $39.
This technology would be a field day for law enforcement. Any and all crimes that happen in that area where they find a fingerprint but it's not in their database... the first thing they'll do is call up Safeway.
Fingerprint systems like this seem to work as well or better than most forms of ID. Most security on credit card purchases I've made has been limited to comparing my signature on the receipt to the one on my card, which can be forged pretty easily. They don't ask for picture ID any more on credit cards. A lot of them don't even keep my card long enough to check the signature, and automatic chargers like gas pumps will take your credit card without any cross-check. In that sense, using an account activated by your fingerprint is probably an improvement.
:)
Yes, there are concerns about the government tracking you through your fingerprints, but they could do that through your credit cards now anyway, so I'm curious what the difference would be. Besides, we're more at risk from all the commercial entities who have access to our electronic transactions. Unlike the government, they routinely do all sorts of things with the information they collect on our purchasing habits.
Here's my main concern: What if someone manages to impersonate you and establishes an electronic account that ties your financial information to their fingerprint. Someone could wreak havoc in a fairly short time if biometric systems are trusted blindly.
Then again, if the scammer impersonates a person with huge debts, maybe they'd get stuck with them.
Biometrics may be a miracle cure or snake oil. As with any potentially useful technology, which it becomes will depend on the implementation.
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
just check: http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en
I guess the barcode-on-the-forehead project didn't go so well.
If someone gets an electronic imprint of your credit card number, you call VISA and get a new number.
If someone gets an electronic imprint of your finger print, you'll be chasing down fraudulent purchases FOR THE REST OF YOUR LIFE because you CAN'T change your finger print.
Ticketmaster, 5 years later, "I'm sorry sir, but you *DID* buy 10 first-row superbowl tickets. Our computer says you did it over the internet and we have your finger-print scan on file to prove it."
RUN, don't walk, when someone in a store asks for a scan of your finger-print.
Sam
From an article (reg req'd) on identity theft:
True story? Who knows, but the moral of it is not to put all your faith in technology, and never underestimate criminals. Some may not be very bright, but that's more than made up for by their cunning.
But he would drive 400 miles,
And he would drive 400 more,
Just to be the man who drove 800 miles
To be a big lo-ser.
(apologies to the Proclaimers)
Right, everyone knows Thriftway is just a front for secret government projects. Watch out for seven-11, too. Your Slim-Jim preferences are being logged into the anti-terrorist database. And don't even THINK about buying gas there. Then they'll KNOW about your ties to Al-Qaeda.
Disclaimer: all tongue-in-cheek; no attack on parent
Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.
The five second rule doesn't apply here.
You must be pretty brave to eat something that just touched something that everybody else has touched and probably has some amount of everything else they had touched on it.
I would be wary even putting my finger on there, never mind eating off of it.
Yes, but a fake skin replica that fits tightly over your real finger can fool any machine any time. It has warmth, it has blood flowing under it, and it has the right pattern. Remember, what you have, what you know, and something you are. But nowadays that last one is becoming just a weaker version of something you have, because you can never trade it out if it gets copied.
- Times I have already given the government my finger prints:
- First Grade: They came in and took everyone's prints.
- Grade 11: Once again, came and took our prints. It wasn't mandatory.
- 2002: Took my prints when I received a concealed handgun permit.
For me, I'm not worried about giving my prints. The man already has my prints. I'm just worrying about someone chopping off my finger and going to Thriftway to buy groceries!
Pretty Pictures!
The only finicky part is getting your fingerprint pattern key (the raw info is not sent, it gets crunched down by the scanner) into the database on somebody ELSE's account. HE will be the one stuck with the bill.
You can then run the scam the same way.
Actually it takes less balls to do it because either it works and you're laughing or it doesn't and you mutter something about a new scar on your fingerprint to a clerk.
You don't have to worry about getting caught because you're going to have created a false positive (doubling the key) rather than replacing a real record.
Your fingerprint is essentially worthless for security when you've got access to a scanner and to the system.
The trustworthiness of the original scanner and scannee is the key. The more paranoid you need to be, the more data points you pick, and the more tightly you control the access to the system.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I recall a review of some new biometric-enabled mice that came out, and the trivial way to trick them - cup your hand over the sensor, and breathe softly on it.
The existing oils will pick up the water vapor to form the pattern of the last finger on it, and the heat of the breath triggered the sensor to read it.
What amused me the most was I went to tell my boss at the time how these researchers had found such a simple way to break it, and he said "Oh... I just bought one of those yesterday." Heh.
Does everything have to be an evil conspiracy? Is it not possible that biometric devices could be used for pure good? Do you really think the gov't needs your fingerprint to track your credit card purchases?
I mod down so you can mod up. Your welcome.
...because you CAN'T change your finger print.
Hrmf! Telling me I can't change my finger prints?
*revs up the workbench sander*
I'll show you! ARRRGGHHASDFWDasdfsdaf12~!!!
sea i cntoo chadnfge my ow ow ow fignr prnits ow ow
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
When will people learn that identity factors are not the same as authentication factors?!?!
A Fingerprint is something you are
It would be a whole different story (and different pros/cons) if this was about a store requiring a fingerprint bio in place of a signature (something you do) on a Credit Card transaction.
The biggest deal here (not mentioned very much in these
That makes their DB such a huge target
Who would ever capture the CC info and then try to make fraudulent purchases at a grocery store anyway? They'll go for the high-end merchandise instead, using a totally different transaction service.
And let me guess, each customer signs an agreement (without reading it- legal jargon, bah!) stating that you release the company from any liability of storing your CC info!
Remember: Anytime biometrics are used singularly (without another form of authentication) it is for convenience and NEVER Security.
I remember hearing how gelatin gummy can be used to fool a fingerprint reader. I thought it was kind of cool. If someone questions you, just eat the evidence. Read the story here
There's no place like ~/
I know several people who have season passes to Disney World... when you enter the parks, there is a fingerprint reader for season pass holders.
I've borrowed 3 different season passes before and never had a problem getting past the scanner, it just isn't reliable.
I bet a warm hotdog would work too.