Slashdot Mirror
Biometric Payment Arrives in a Store Near You
"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"
how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?
Because you leave them on everything you touch?
Send email from the afterlife! Write your e-will at Dead Man's Switch.
From the article:
WTF? How can they say that? Don't they know how many times each day people lose their fingers? Not to mention the countless times people give each other the finger! (Done so a few times myself.)
Also:
I experienced this at Epcot... in Orlando. I don't know if it was in its experimental phase, but it introduced lots of confusion as people entered the park. And, it was not clear how or where it was used the rest of the time we were in the park -- if it was exclusively to prevent abuse, so be it, but it was an eerie experience at the gates.
I do wonder about the statement: (FTA)
How can that be? I know my prints are on file (Top Secret clearance, cool!), but I wonder how these prints would differ. Are they storing some kind of hash with no backup of the original scan or image? Weird, but doubtful.I think this is great technology as people get more comfortable with it. I would (and do) worry about how soon people get good at counterfeiting fingerprints. Thought I'd read a couple of articles on that very hack and that hacking fingerprints turned out not to be too very hard. Any resources on that?
Regardless, great point about it not being that much different (and quite a bit less likely to wander off) from keychain fobs, credit cards, etc.
Didn't Slashdot run a story a while back about a supermarket fingerprint pay
_ defeat_fingerprint_sensors/
system that was tried a year or so ago? It could be faked out REALLY easily
using a Gummibear.
I can't find the slashdot story - but check this out for example:
http://www.theregister.com/2002/05/16/gummi_bears
Does this new gizmo do something magical to avoid this rather easy attack?
Just google gummibear and fingerprint and you'll find a gazillion How To
articles.
If the biometrics guys are 'a bit puzzled by customer privacy fears" then
they are horribly ill-informed!
I can avoid leaving my credit card lying around for someone to steal - but
it's very hard indeed to avoid leaving my fingerprints in all sorts of
public places. If I could find out how to defeat their scanner so easily
with about 10 seconds of Googling - you can be very sure that the bad guys
will be lining up.
www.sjbaker.org
Fingers today only, next month, we charge an arm and a leg!
Officials from the Tampa police department respond to a rash of armed index finger amputations. Meat cleaver sales rise, while guitar sales plummet.
Film at 11:00.
I read this line too and it made me want to scream. "Company pledges" are worth exactly shit these days. "We pledge to protect your privacy and retain the right to alter this pledge at any time." "We pledge to never sell or distribute all of this personal information that we insist on gathering, really, unless we're bought out by another company that doesn't pledge this."
I don't want pledges. I don't want them to have this info, period. I don't want to receive marketing from them any more than I want it from third parties.
Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for marketing purposes of any sort."
Those are some pledges that I'd be slightly more inclined to believe.
John
Some people's fingerprints can't be scanned by these machines... Last year I went to Florida and they have fingerprint machines at all the big theme parts and at the airport. None of these machines could pick up my prints... And every second time I used them I got rejected ... So this flawless technology is anything but... I do nothing special with my hands, so it must be one of those "from birth" things... But if you're unlucky like I am then don't expect to be paying with your fingers any time soon.
I am not looking forward to going back though American customs as I know the fingerprint machine will reject my prints and I'll get sent home or something crazy.
"After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?"
Just look at murder victims whose hands have been lopped off to hide their identities. It doesn't take much of a (morbid) leap of logic that someone could hold onto a thumb, and surrepticiously use it to withdraw someone's entire finances.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
But just watch...it could be USED by law enforcement in about ten seconds!
California has required you to give a scanned fingerprint for years just to get or renew your driver's license. I've always wondered how many divisions of law enforcement now have MY fingerprint in their dtatbase. When I asked the guy at the DMV, he said he didn't know, but was SURE that law enforcement could access their fingerprint database without ant warrants.1984 was 22 years ago. We're WAY past that privacy wise!
Mugger steals your finger, worse.
God spoke to me.
Iris scanners are not that expensive anymore, and I don't understand why thumb scanners are used anywhere outside of having a little usb toy attached to your computer. This confusion doubles when you consider it in situations where security is very important, like cash transactions.
finger-print scanners as payment. Check.
fuel from anything in 9 years. Check.
Now all we need hoverboards and Pepsi Perfect.
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
Scuttlemonkey wrote "An anonymous reader writes..." despite the fact that this is my journal entry, and says qo quite clearly at the top of the story: "Journal written by anaesthetica (596507) and posted by ScuttleMonkey on 14:12 Saturday 24 June 2006"
I mean, I may not stand out in a crowd, but this is just an unnecessary blow to my ego.
The Rise and Fall of Online Community
Cub Foods also uses it. You need to enter a 7 digit number along with your finger print. It really didn't seem easier than swiping a card and entering a four digit number, so I didn't go with it. They suggest using your phone number for the seven digit number. I imagine the number is needed to make the database lookup practical. I wonder what would happen if LOTS of people started using the same seven digit number "1234567"...
Which finger did they want on file, again? :eg:
The story on fingerprint scanners being fooled by play-doh? I can't find the bloody link anymore though.
It is important to know that these sensors are not optical in any way. They are using sensors similar to those from Authentec which use an RF scan to penetrate the first layer of skin. This eliminates problems with "too wet" and "too dry" fingers and also prevents spoofing by just about everything except cutting the finger off.
There are some systems that can be fooled much easier, but they are not being used by PayByTouch. Nor is anyone serious about using a fingerprint scanner anymore.
Microsoft sells an optically-based fingerprint scanner that can be fooled by latex molds, gummi bears and lots of other stuff.
is a fear of two-factor authentication. Really, the solution here is to keep the fancy fingerprint-system and to *combine* it with a PIN that can be changed readily by presenting a second form of photo ID. This way, if your fingerprints get compromised, your PIN is still unique and you can change it whenever you want. The fact that they're so insistent on "touch it and go without any work!" is the security downfall, and it's kind of sad when it would literally take an extra 10 seconds at most to input a 6-digit PIN with your other hand while your hand was being read by the reader.
Two (or three) factor authentication is really the way to go for any system that you care about. Apparently people aren't remembering this from Security 101.
Actually this is how all law enforcement data bases work. They find places where print ridges have certain kinds of discontinuities, bifurcations etc... then store the potions of these points relative to each other. Very few database matches rely on a complete match, nor are they actually comparing actual pictures of prints, but rather how many points in common line up. Since lifting prints often distorts the print or misses some areas, exact matches are really ever found, but the quality of the match goes up with the more points in common. I believe the standard is 5 points in common to be considered a match. A figure many feel is too low and has probably falsely identified many people -- especially when you are just trolling for matches in a database of millions, and no other evidence.
Point is, there is nothing to keep some future law enforcement under newly enacted laws from subpoena the database and converting it to troll for matches, with as mentioned before the high likelihood of false positives.
Congratulations! You are our One Millionth Customer to be accused of Homicide!
Letter To Iran
We use finger print readers where I work. This, of course, only applies to the system I'm familiar with, but I doubt the store one is that divergent. They don't store anything resembling an image, but rather a numerical encoding of a given number of key points. I get the impression the actual process involves some kind of hash number validation.
The reason that "the fingerprint image recorded is not the same as those collected by the federal government or law enforcement" may be chillingly pragmatic. We were told when implementing our system that if we stored fingerprint data up to government specs we would be required to provide that information to the government. As a result our company, and most others, store data below the threshold that will get them noticed by the feds.
The fingerprint validation itself is somewhat fluid. Most people don't press the reader the exact same way twice in a row, the finger distorts under different levels of pressure, reacts to environmental changes, and even the current health of the individual. This kind validation requires a level tolerance to be set.
Some individuals never seem to get a good read, the tolerance for such people needs to be loosened to get any kind of positive feedback. As a result, some of our employees could hoist a big toe on the reader and probably get a pass. I simply wouldn't trust these things not to mistake me for the granny with the bad fingerprints.