Biometric Payment Arrives in a Store Near You

"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"

Uhh...

[Poromenos1]

how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?

Because you leave them on everything you touch?

Re:Uhh...

[MarkByers]

And you can't cancel (change) your fingerprint if someone finds out what it is.

Re:Uhh...

[eclectro]

And you can't cancel (change) your fingerprint if someone finds out what it is.

And you can't stop the production of gummy bears

I could probably travel the world on a single package of gummy bears and a set of prints lifted from the sides of soda cans, tossed in the trash outside the convenience store.

Just remember though, outlaw gummy bears, and only outlaws will have gummy bears.

Gummibears anyone?

[sbaker]

Didn't Slashdot run a story a while back about a supermarket fingerprint pay
system that was tried a year or so ago? It could be faked out REALLY easily
using a Gummibear.

I can't find the slashdot story - but check this out for example:

http://www.theregister.com/2002/05/16/gummi_bears_ defeat_fingerprint_sensors/

Does this new gizmo do something magical to avoid this rather easy attack?

Just google gummibear and fingerprint and you'll find a gazillion How To
articles.

If the biometrics guys are 'a bit puzzled by customer privacy fears" then
they are horribly ill-informed!

I can avoid leaving my credit card lying around for someone to steal - but
it's very hard indeed to avoid leaving my fingerprints in all sorts of
public places. If I could find out how to defeat their scanner so easily
with about 10 seconds of Googling - you can be very sure that the bad guys
will be lining up.

Re:Gummibears anyone?

[SubliminalVortex]

Touching a "gummy bear" in a way in which it wasn't intended is just plain wrong. Gummy bears are meant to be eaten not fondled.

Also, do you know how old that gummy bear is? You might be touching an under-aged gummy bear.

One might have a gummy bear fetish. (hrmpphph they are tasty.....)

The cost of shopping....

[SubliminalVortex]

Fingers today only, next month, we charge an arm and a leg!

In Other News

[Who235]

Officials from the Tampa police department respond to a rash of armed index finger amputations. Meat cleaver sales rise, while guitar sales plummet.

Film at 11:00.

Company pledges

[plover]

From TFA: The company pledges not to sell or rent personal information, or access to it.

I read this line too and it made me want to scream. "Company pledges" are worth exactly shit these days. "We pledge to protect your privacy and retain the right to alter this pledge at any time." "We pledge to never sell or distribute all of this personal information that we insist on gathering, really, unless we're bought out by another company that doesn't pledge this."

I don't want pledges. I don't want them to have this info, period. I don't want to receive marketing from them any more than I want it from third parties.

Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for marketing purposes of any sort."

Those are some pledges that I'd be slightly more inclined to believe.

Re:Company pledges

[sbaker]

It's hard to imagine anything that's more personally sensitive than SWIFT banking transactions - and they gave those records up to the US government in no time flat!

These days you have to assume that any item of data you give to anyone is insecure from that point on.

Don't they watch murder shows?

[NeuroManson]

"After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?"

Just look at murder victims whose hands have been lopped off to hide their identities. It doesn't take much of a (morbid) leap of logic that someone could hold onto a thumb, and surrepticiously use it to withdraw someone's entire finances.

I'm not *that* anonymous

[anaesthetica]

Scuttlemonkey wrote "An anonymous reader writes..." despite the fact that this is my journal entry, and says qo quite clearly at the top of the story: "Journal written by anaesthetica (596507) and posted by ScuttleMonkey on 14:12 Saturday 24 June 2006"

I mean, I may not stand out in a crowd, but this is just an unnecessary blow to my ego.

Re:thoughts

[DrSkwid]

> "The company pledges not to sell or rent personal information, or access to it."

That should read "The current management of the company pledges not to sell or rent ...."

http://www.paybytouch.com/privacy_policy.html

Notification of Changes
If we make material changes to this policy, we will notify you here, by email, or by means of a notice on the Pay By Touch homepage so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we may disclose it. We will update our privacy policy from time to time.

Notice the OR, they can change their TOS any time and promise to change their TOS page accordingly.

Pay By Touch may share your personal information with companies that Pay By Touch contracts to privately and securely verify your identity, process your payments, cash your checks, and prevent fraudulent use of the Pay By Touch services.

We all know how secure third parties are.

"In some cases Pay By Touch may provide algorithm or sensor vendor partners who have entered into confidentiality agreements with Pay By Touch with anonymous biometric scans. These companies use the anonymous test scans only to develop, test, modify and improve the performance of their hardware and software products related to the Pay By Touch services. These test scans are not linked to any personally-identifiable identity or account information."

Er, they are fingerprints, how anonymous are fingerprints!

http://www.paybytouch.com/member_terms.html

THE PAY BY TOUCH SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES OR REPRESENTATIONS WHATEVER OF ANY KIND, WHETHER EXPRESS OR IMPLIED. Pay By Touch will not be liable or responsible for any damage or injury caused by your use of the Service.

Great, that's the feel good factor !

Modern Biometrics

[cdrguru]

It is important to know that these sensors are not optical in any way. They are using sensors similar to those from Authentec which use an RF scan to penetrate the first layer of skin. This eliminates problems with "too wet" and "too dry" fingers and also prevents spoofing by just about everything except cutting the finger off.

There are some systems that can be fooled much easier, but they are not being used by PayByTouch. Nor is anyone serious about using a fingerprint scanner anymore.

Microsoft sells an optically-based fingerprint scanner that can be fooled by latex molds, gummi bears and lots of other stuff.