Slashdot Mirror


Vein Patterns to Verify Identity

JonN writes "Fujitsu Ltd. will start selling a biometric security device next month that relies on vein patterns in the hand to verify a user's identity, it said today. The palm-vein detector contains a camera that takes a picture of the palm of a user's hand. The image is then matched against a database as a means of verification. The camera works in the near-infrared range so veins present under the skin are visible, and a proprietary algorithm is used to help confirm identity. The system takes into account identifying features such as the number of veins, their position and the points at which they cross."

13 of 293 comments

  1. Re:Anybody else see "Demolition Man"? by plover · · Score: 4, Interesting
    Well, to an infrared vein scanner that works entirely by imaging the heat given off by your circulating blood, a severed hand will be every bit as valid as one made of wood.

    Not that I expect the bad guys to be smart enough to know this up front (so we might still be losing a few hands to some idiots) but the entire technology functions as a liveness detector.

    --
    John
  2. Interesting take on biometrics by mveloso · · Score: 2, Interesting

    Realistically speaking, how much is it worth to you to secure your company's assets? At retail locations, conventional wisdom says "give the dude the money, because it's not worth it."

    Would you lose a body part?

    I think the answer would be "Heck No!"

    What would the court say? Isn't using biometric security putting life and limb of the employees in jeopardy?

    That would be an interesting case for a judge and jury.

  3. What if the pattern changes? by Hannah E. Davis · · Score: 3, Interesting
    Since I switched from biology to computer science before learning anything about human anatomy or the circulatory system, there's a fairly good chance that I'm going to sound incredibly stupid here... but... what happens if you cut yourself really badly and the body basically has to rewire a few of those veins? Will you be locked out of the system?

    Also, since the camera is presumably looking at the heat coming from the veins, would this mean that if you lost circulation to your hand for whatever reason (extreme cold, medical condition, etc.), that would also cause the device to reject you?

  4. Talk to the picture of the hand. by mikeophile · · Score: 2, Interesting

    Really now, how difficult can it be to fool one of these? It seems all it would take is:

    1. Remove the IR filter from a 3 megapixel or higher digital camera.

    2. Photograph the hand with and without a low pass IR filter.

    3. Print a mirror image of the first photo on an acetate sheet.

    4. Take the same print and print the other side with IR visible inkjet ink from the second photo.

    5. Fool scanner.

    6. Profit?

  5. Re:Obvious question by plover · · Score: 3, Interesting
    It's much better than fingerprint readers. For example, it's known that people who work in certain jobs (such as pineapple farming) actually have their fingerprints removed by the acids and the abrasion.

    The device works by looking at the infrared radiation emitted by your warm blood in relationship to the relatively cool epidermis. Unless the layer of tough skin is also a thermal insulator, it'll probably be able to read them just fine. The thing they aren't advertising is it probably won't work when the ambient temperature is above 98.6 degrees Fahrenheit.

    But if you RTFA, you'd see that their false rejection rates are 0.01%, or one in 10,000 incorrect rejections. That's pretty damned impressive for a biometric system.

    --
    John
  6. Re:Anybody else see "Demolition Man"? by Felinoid · · Score: 4, Interesting

    3 answers.
    1. The tubes for the computer were designed to be used this way. The hand is intended to pump blood and once it loses pressure it collapses and becomes fairly dysfunctional.
    2. A pump designed to handle pumping water into a hand is pretty complicated technology. At this point you're better off using some sort of electronic bypass system like the devices used to trick slot machines into giving you a "win".
    Maybe a heat pattern "copy" using a heat emitter fake hand. Then you need only scan the original to have a key that works forever.

    3. The results won't be the same. The water will leak heat more than blood will and heat up the surrounding tissue. The sensor will get a blur and probably give a negative.

    --
    I don't actually exist.
  7. Re:Modern medicine is based on the idea of samenes by mcmonkey · · Score: 1, Interesting
    I haven't done the research, but I doubt this is any more "repeatable" than fingerprints, or for that matter DNA.

    You're not the only one. Who says fingerprints aren't "repeatable"?

    Fingerprints as legal evidence are basically 'grandfathered' in--they're accepted because they're accepted. If you tried to introduce fingerprinting as a new technology--and had to prove each was unique and that you could make a positive ID based on this--you'd never get it in front of a jury.

  8. Re:Anybody else see "Demolition Man"? by QuantumG · · Score: 3, Interesting

    With a password you can actually deny an aggressor access. They'd have to torture you until you gave it up. For opening a door or something pointless like that you'd give up your password in a heartbeat, but let me tell you about a little system called deniable cryptography. Suppose you work for the NSA. You're given a laptop on which you are required to encrypt any work which is deemed sensitive (and seeing this is the NSA, let's just say that everything is sensitive). You are instructed to encrypt documents of different security grades under different passwords. No system is prescribed for the grading of documents, you're just told you should use at least three.

    So now what happens when the bad guys grab your laptop and take out the rubber hose? I say you won't tell them a single password. How can I say so with such certainty? Well suppose after being beaten for an hour you decide to give up the least sensitive material on the laptop. In fact, this isn't even NSA material, it's just some emails you received from your girlfriend. So you give them your first password, say 'tulip'. The bad guys run to their cryptanalyst guys and give over the password. They discover that it does indeed provide them with something intelligible. But they don't find anything of value, as you intended. Looking at the remaining space on the hard drive they notice that there is a heck of a lot left, so they send their low brow associates back to get another password from you.

    After another hour of torture you might give up another password. And after another hour you might give up another password. But every time you give up a password you're just guaranteeing more extensive torture. Every time you give up a password the cryptanalyst guys say there is more data on the disk. When you get to the end of your list of passwords you're really screwed because as far as the cryptanalysts are concerned, all the free space on your disk is potentially more top quality intelligence. It is impossible for you to convince your captors that they have all the passwords for the laptop. So you will eventually die in their hands or, worse yet, the torture will go on indefinitely.

    In summary, deniable encryption ensures that it isn't in your interest to give up a single password. You're better off claiming that it was some dude's laptop you stole on the way to where you got jumped.

    --
    How we know is more important than what we know.
  9. Anecdote... by hummassa · · Score: 2, Interesting

    I once worked for a firm that serviced a (privately-owned) high school where the primary means of identification (for entering the premises, for instance) was that hand-measurement biometric tool. They had a serious problem because, well, between 13 and 18 the kids' hand measurements varied wildly. They solved it by overlapping after confirmation the reference measurement data with the last measured data. This way, if the (natural) variation was below the "this is a different person" parameter, there is no cumulative variation (and they expected their students to show up at least once a month :)

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
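
The template update described in the comment above, read here as "after each accepted match, the latest measurement replaces the stored reference", shown as an added example that is not code from the poster or the product. The feature vector, the millimetre threshold and all names are constructed assumptions.

```python
import math

THRESHOLD_MM = 3.0  # constructed "this is a different person" limit, in millimetres

def distance(a, b):
    """Euclidean distance between two hand-measurement vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class FixedVerifier:
    """Compares every sample against the measurements taken at enrolment."""
    def __init__(self, enrolled, threshold=THRESHOLD_MM):
        self.template = list(enrolled)
        self.threshold = threshold

    def verify(self, sample):
        return distance(self.template, sample) <= self.threshold

class AdaptiveVerifier(FixedVerifier):
    """After an accepted match, the latest sample becomes the new reference."""
    def verify(self, sample):
        accepted = super().verify(sample)
        if accepted:                      # never update on a rejected sample
            self.template = list(sample)
        return accepted

def simulate(verifier, start, growth_mm, visits):
    """Present a hand that grows by growth_mm per feature between visits."""
    sample, results = list(start), []
    for _ in range(visits):
        sample = [v + growth_mm for v in sample]
        results.append(verifier.verify(sample))
    return results

# Constructed sample: hand length, palm width, middle-finger length (mm).
ENROLLED = [180.0, 85.0, 70.0]

if __name__ == "__main__":
    print("fixed   :", simulate(FixedVerifier(ENROLLED), ENROLLED, 1.0, 5))
    print("adaptive:", simulate(AdaptiveVerifier(ENROLLED), ENROLLED, 1.0, 5))
```

With a fixed reference the growing hand is rejected from the second visit on, while the adaptive verifier keeps accepting it. A gap long enough for the change to exceed the threshold is still rejected and the reference is left untouched, which is why regular visits mattered.
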
  10. Re:Obvious question by smchris · · Score: 2, Interesting

    I suppose it wouldn't fly to have someone press a nipple to the computer, but the hand doesn't seem ideal. A little Japanese class bias? Nobody who works with his hands uses a computer? What about sports? Motorcycle road rash? Kitchen knife? Hand tool? Just about anything that could run a cut across that vein pattern.

  11. Re:Anybody else see "Demolition Man"? by Xiaran · · Score: 2, Interesting

    Sometimes that is what's done and sometimes the site preferred the PIN being almost the same. It actually depended on the site. Our software was very configurable to deal with a wide range of sites (we have grade 1 security military site down to local shops and in the middle large corporates).

    The most common policy I encountered was that the duress PIN was one number greater than the actual PIN (which led to some interesting bugs involving accidentally overwriting duress PINs :) ). The reason for this policy was generally twofold.

    a. When you are under duress you may not be able to recall your duress PIN as you are under stress and it's probably something you don't think about too much.
    b. Security guards are generally not the brightest cabs on the rank.

    The second one is very true. Not slagging all security guards... I've met some very nice ones (generally the retired military or police who are bored and want to go back to work... even if it's a cushy sitting around a guard room all day gig). Most tho are there cause they were too stupid to join the police.
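
The "duress PIN is the real PIN plus one" policy from the comment above, as an added example that is not code from the poster's product. It assumes a keypad where the PIN alone identifies the user (an assumption, not stated in the comment), so enrolment has to refuse any PIN that would collide with another user's derived duress PIN; every name here is hypothetical.

```python
import hashlib
import hmac
import os

PANEL_KEY = os.urandom(32)  # hypothetical per-panel secret; PINs are not stored in clear
PIN_DIGITS = 4

def _index(pin):
    """Keyed digest used as the lookup key instead of the PIN itself."""
    return hmac.new(PANEL_KEY, pin.encode(), hashlib.sha256).digest()

def duress_of(pin):
    """Duress PIN = real PIN + 1, wrapping 9999 -> 0000."""
    return str((int(pin) + 1) % 10 ** PIN_DIGITS).zfill(PIN_DIGITS)

class Panel:
    def __init__(self):
        self.codes = {}  # keyed digest -> (user, "NORMAL" or "DURESS")

    def enroll(self, user, pin):
        """Register a PIN and its derived duress PIN; False if either is taken."""
        if len(pin) != PIN_DIGITS or not (pin.isascii() and pin.isdigit()):
            return False
        duress = duress_of(pin)
        # Refuse rather than overwrite: either code may already be somebody's
        # real PIN or somebody's duress PIN.
        if _index(pin) in self.codes or _index(duress) in self.codes:
            return False
        self.codes[_index(pin)] = (user, "NORMAL")
        self.codes[_index(duress)] = (user, "DURESS")
        return True

    def check(self, pin):
        """Return (user, status). DURESS opens the door and raises a silent alarm."""
        return self.codes.get(_index(pin), (None, "DENIED"))

if __name__ == "__main__":
    panel = Panel()
    print(panel.enroll("alice", "1234"), panel.check("1235"))
    print(panel.enroll("bob", "1235"))  # rejected: equals alice's duress PIN
```
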

  12. Re:Anybody else see "Demolition Man"? by iabervon · · Score: 3, Interesting

    Knowing that, why wouldn't you just give up all the passwords at once? This would put you in exactly the position you'd be in if there was only one password; you don't have anything further to give them, and there's more randomness on the disk.

    Actually, the smart thing would be to have a hard drive full of boring documents, and have a hidden directory full of porn, with all the important stuff steganographically added, encrypted, to the porn. That way your captors will have a reasonable explanation of every bit on the disk from the start, and you can just say that you don't take secret documents out of the office.

  13. Re:Anybody see 1984 or Manchurian Candidate? by Mozk · · Score: 2, Interesting

    First of all, I'm sure the NSA has some sort of policy where its employees must be single and/or pass a test that ensures their commitment to the country and not their family. Second, I highly doubt that they keep their passwords on little sticky notes.

    --
    No existe.