Slashdot Mirror


Using Face Recognition Instead of a PIN Number

coondoggie writes "Face recognition as a unique biometric is growing slowly in certain corporate and consumer applications, but researchers at the University of Houston (UH) are trying to make the technology far more ubiquitous and secure: they want it to replace the dozens of personal identification numbers (PIN), passwords and credit card numbers everyone uses every day. University researchers developed the URxD face recognition software that uses a three-dimensional snapshot of a person's face to create a unique biometric identifier."


  1. Bad idea by Ckwop · · Score: 4, Insightful

    This is stupid for a couple of reasons. The first is that biometrics suck and are usually almost trivial to subvert. See the $10 fake finger, for an example. What do you do if somebody hacks your credentials as well? Have facial re-constructive surgery? But even if you had very good biometrics that were hard to fake, it's still less secure than having separate credentials to access everything.

    Why is this? Well for the sake of argument, let's suppose it costs £50 to create a duplicate of my chip and pin card that will work in any cash point. I have four such cards in my wallet so the cost of duplicating them all is £200. In order for the biometric to replace my cards completely and be equally secure, it has to cost more than £200 to fake.

    The problem is that the unified security mechanism rarely costs more to subvert than all the IDs it replaced. This doesn't just apply to bank-cards; it also applies to national ID cards and any centralisation of security.

    The fundamental principle here is that centralising security often reduces security. This is something to keep in mind when you're consolidating servers.

    Simon

    1. Re:Bad idea by andy666 · · Score: 5, Funny

      I was walking over to an ATM machine the other day, when I realized that many other people have the same PIN number as me. I thought "they should have a personalized PIN number." Also, my bank still uses those old CRT tubes and they are hard to read, so they really need to upgrade the whole thing. Anyway I went into the bank to sit and talk to a representative about this, and I was reading a DC comic, and the light next to me was flickering. Damn that AC current! I took out my laptop, since I wanted to learn more about CSS style sheets. (Are they under the GPL license btw ?) After about 5 minutes of reading I had a headache - I felt like an ICBM missile had hit my head! Or maybe it was from my LCD display. What I need is a vacation I thought - so I went home and started to pack my SCUBA gear.

    2. Re:Bad idea by ajs318 · · Score: 2, Interesting

      Scanning the veins in your hand; basically a 3-dimensional thermal map of the blood networks within.
      Benefits of
      1. Unique to every individual.
      2. VERY difficult to duplicate.
      The problem is that sometimes you don't actually want it to be truly unique per individual. The way things are today, if I'm not feeling well I can send my girlfriend to do some shopping, give her my bank card and tell her my PIN. The most she can rip me off for is £200 minus anything I may have already withdrawn that day, and as soon as I'm fit again I can change the number. And vice versa; if she's not well, she can temporarily authorise me to withdraw some money from her account (or at least she could, if she ever had any money in it). You can't do that with a hand scan. The nearest thing would be somehow to authorise my girlfriend's hand for a limited time, amount or number of transactions; which requires the co-operation of the bank and rather more talking than just hoarsely croaking "Get me some Benylin, darling. 2579".

      Even if someone does cut off your hand, they would have to pump 37C fluid through it, this is a dead give away in public...picture guy with severed hand, a water heater, and a portable pump.
      This is entirely feasible in the UK. You can drive down the road in a car with the alarm blaring and the most anybody will do is tut and express the wish that you could be a bit quieter. Criminals commit crimes right under the gaze of the ubiquitous CCTV cameras, then leg it before the police show up. Passers-by do not notice at all. There are several reasons for this: Firstly, an Englishman keeps his nose out of other people's business, and if someone else is doing something unusual they probably have a very good reason which is obviously none of your business, otherwise they would have told you about it. Secondly, the police are on a points-make-prizes system. They want to arrest someone and don't care whether that person is a suspect or an innocent witness.
      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re:Bad idea by AJWM · · Score: 2, Informative

      Ah, you blew it right at the end. It's SCUBA apparatus. The other gear is stuff like mask, fins, etc.

      Be thankful I couldn't locate you with my RADAR ranging device, you might have been zapped with LASER radiation.

      Otherwise, well done.

      --
      -- Alastair
  2. Interesting, but Ill decline by Aranykai · · Score: 3, Insightful

    It's an interesting concept. I will agree with that.

    Essentially, it uses your face to access your information in a database, which could include bank, credit card, medical, or pretty much anything else desired.

    However, all a person then needs to commit fraud is to capture these scans and feed it back to the software...

    I'll keep my zero liability credit cards and my 4 and 6 digit pin numbers, thank you.

    --
    If sharing a song makes you a pirate, what do I have to share to be a ninja?
    1. Re:Interesting, but Ill decline by 1u3hr · · Score: 2, Interesting
      And how would this be any different from capturing your pin-code

      If you suspect that you can change your pin code. Or change them daily if you want to.

      I'm sure a mask could be reverse engineered to any given "face code" that would fool a machine, if not a human.

    2. Re:Interesting, but Ill decline by Eivind · · Score: 2, Interesting

      My daughters are identical twins. About 1% of all births are twin-births. About 1/3rd of all twins are identical.

      It's trivial for my daughters to choose different PINs.

      Please explain how they would go about getting machines using the 3D face-contours to acknowledge that they are not, in fact, the same person.

      There's 300 million people in the US, of these about 2 million people are identical twins. I'd say a technology which is, from the get go, even absent any weaknesses, unusable for close to 1% of the population is pretty useless.

      Yeah, there's differences to them, and these will increase as they grow older, as a result of environmental and lifestyle influences, nevertheless they are currently close enough that I sincerely doubt any software could tell them apart without being *too* picky and introducing many false negatives.

  3. Check for life! by reality-bytes · · Score: 4, Interesting

    I hope this system includes some method to check whether the rest of the person apart from the face is present.

    Some poor Malaysian fellow has already lost a finger. I'd hate to have my head stolen just to access my bank account.

    --
    Ripping an new rectum in the fabric of spacetime.
    1. Re:Check for life! by Anonymous Coward · · Score: 2, Funny

      Jeez! Seeing that, maybe it's time to rethink my biometric penile scanner I've been planning.

    2. Re:Check for life! by ozmanjusri · · Score: 2, Funny
      maybe it's time to rethink my biometric penile scanner I've been planning

      Now that HAS to be a Micro-soft project...

      --
      "I've got more toys than Teruhisa Kitahara."
    3. Re:Check for life! by hotdiggity · · Score: 3, Funny
      I'd hate to have my head stolen just to access my bank account.

      Yep. Might just want to limit this system to in-store purchases. Then when a would-be thief walks into a Best Buy to get a plasma TV using my card and severed head, the clerk may get suspicious and ask for a second piece of ID.

    4. Re:Check for life! by megaditto · · Score: 2, Funny

      Gives a whole new meaning to your password isn't long enough, eh?

      --
      Obama likes poor people so much, he wants to make more of them.
  4. Its not the number of passwords that is the issue by cliffski · · Score: 4, Interesting

    But the fact that every single one of them has different stupid restrictions. I try to limit myself to two common passwords where possible. One is fairly short, one is quite long.
    Recently I needed a new password for a site. I tried the short one. "Your password must be at least X characters". Fine, whatever, that's why I use my long one. "Your password is too long", so a new, made-up one. "Your password must contain at least one number". WTF?
    Can we not at least agree some standard on this? Like many people I end up having to write this new mangled password down, totally defeating its security.
    I do not see, from a code POV, why it matters that the password is less than X characters. Between 5 and 10 characters? WHY? what is wrong with between 5 and 50 characters? or 5 and 100 characters?
    Most people can remember a sentence pretty easily, especially a favourite catchphrase or movie quote, remembering "tuesdaypass442" is not so easy, and thus they get written down. I understand the need for minimum pass lengths, but capping the max so low, and so close to the min, is just madness. Give us flexibility in passwords, not some dubious new expensive tech to do the same job.

    --
    DRM-free indie games for the PC and Mac: Positech Games
  5. Sounds pretty fucked up for twins... by forgoil · · Score: 3, Interesting

    Or people looking really alike, I mean, how precise is this thing? What about make up? Trip to the beach? Getting your hair done? Shaving accident?

    They are trying to solve a problem (I hate pin codes) by making it to a worse problem. Way to go...

    1. Re:Sounds pretty fucked up for twins... by 3vi1 · · Score: 3, Funny

      Twins won't be a problem: the software can tell them apart because the evil one has a goatee and the good one doesn't.

      Yes, even the female ones.

  6. Re:Its not the number of passwords that is the iss by cliffski · · Score: 2, Insightful

    I disagree, I think "welcome to the real world" is easier to remember than "mypasswrd1". sentences evoke memories, visual and auditory, which random lumps of characters or artificially squashed single words do not.

    --
    DRM-free indie games for the PC and Mac: Positech Games
  7. Re:PIN *NUMBER* ??? by IainMH · · Score: 3, Funny

    That is a little redundant, douchebag. Why do they have to post stories with a title that says "Personal Identification Number Number?" Die, tool.

    We're used to it - 'Built on NT Technology' :-)
  8. Obviously CmdrTaco and Alan Cox wouldn't like it by jsse · · Score: 3, Funny

    Because it requires them to shave.

    "Please stick your head in the scanner for face recognition."

    *grumble*

    "Your face was not recognized, please rub your face with the towel provided and try again."

    *damn*

    "We failed to recognize your face after several trials. We'll now shave your face for a better recognition result. To avoid you moving your head while shaving is in progress, we'll lock your head firmly now."

    *shaver pop out*

    "NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"

  9. MI by bazorg · · Score: 2, Insightful

    these guys didn't watch "Mission: impossible"?

    1. Re:MI by Remusti · · Score: 2, Funny

      Or Face/Off, evidently.

  10. Re:PIN *NUMBER* ??? by Mr2cents · · Score: 2, Funny

    Stop it! I swear, if I see one more of these redundant pleonasms on my LCD display, I'm going to explode!

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  11. So... by QMalcolm · · Score: 5, Insightful

    Instead of using something that's secret and can be changed, they want to start using something that everyone can see, and is not changeable.

  12. It's Bogus by ajs318 · · Score: 3, Interesting

    It's bogus. I can say this with certainty.

    How do I know? Because the exact same maths apply to a different domain, and we'd already have seen developments there if this was true.

    Decompilation uses exactly the same abstract mathematical concepts as shape recognition (of which facial recognition clearly is a subset). Just replace "vertices" with assembly-language instructions and the "shapes" to which they may belong with program structures (for / while loops, subroutines &c).

    If there was anything in this facial recognition malarkey, somebody would have created a working decompiler by now. That's just a simple application of the law of averages; there are many more hackers out there than there are biometrics researchers. And there's a huge application for a decompiler: the ability to decompile a program which originally was written in, say, Visual BASIC into C++ will mean that programmers can collaborate on a project without having to have a language in common (and, incidentally, it will also mean that Freedoms One and Three can be taken by force like Freedoms Zero and Two). So far, nobody has created such a thing.

    It's snake oil, pure and simple.

    Plus, I kind of like the extra security layer that I get by having different PINs for all my cards and different passwords for all my online accounts. If someone discovers, say, my Halifax PIN, they'll have to steal my Halifax card. But if they catch me on a day when I'm not carrying that one and steal my Lloyds TSB card or my Abbey National card instead, the Halifax PIN is useless to them (and while I'm sorting out blocking the stolen card, I can change the compromised PIN). Likewise, if someone discovers my Yahoo! Messenger password, they can't impersonate me on Slashdot.

    --
    Je fume. Tu fumes. Nous fûmes!
  13. Re:Its not the number of passwords that is the iss by Havenwar · · Score: 3, Interesting

    wttrw
    w2trw
    w2trwrld
    yes, you are right, welcome to the real world is easy to remember. and now it will evoke the memory of w2trwrld, which is between 5-10 letters and contain one digit, and thus will be accepted as strong on 90% of the passworded applications out there.

  14. Easy to reproduce and.. by QuantumG · · Score: 4, Funny

    The reason why it is a bad idea to use your face as a password is that everyone can see your freakin' face. Why not just write your password in black marker on your forehead?

    That's secure right?

    --
    How we know is more important than what we know.
  15. ummmm... by Mr+Abstracto · · Score: 2, Interesting

    ...what about twins?

    1. Re:ummmm... by Bardsley · · Score: 2, Informative

      What about twins?? The latest advances in face recognition are capable of distinguishing between twins [pdf].

  16. Stupid for several reasons by PontifexPrimus · · Score: 3, Insightful
    Here are, just off the top of my head, a couple of reasons why I think that's a really stupid idea:
    • You have to consciously enter a PIN to give it away - unless you're fooled by a complete rebuild of an ATM, you're not likely to enter this particular number anywhere else; but you show your face to everyone in the street, making it trivial to get several photographs of it and even do a 3D reconstruction if desired.
    • You can enter a number at a keypad even if severely impaired and under pretty unfriendly conditions (outside ATM in heavy rain, when you're wearing gloves and are a little under the effect of both a cold and cold medicine, say). It's a pretty fool-proof, accessible way of entering a small amount of data. Facial recognition, on the other hand, requires - unless there have been vast advances - very good lighting, a clear image of the face not obscured by sunglasses, intensive make-up or bruises, and no vast changes in hair style or beard growth.
    • Image recognition is cost intensive, energy intensive and computationally expensive; a keypad of the highest level, secure and proof against vandalism will cost what? A couple of hundred bucks at most? To get facial recognition you need light sources that don't interfere with the cameras, the cameras themselves, complex software behind them and - also very important - you need large amounts of data on the facial features. Granted, it might be easy to compress them to a couple of hundred kb's if you're willing to sacrifice some accuracy, but compare that with the four or five bytes you need to store a PIN!
    • Problem of false negatives and false positives: when I enter a PIN I can usually get it right on the first try; I usually only run into problems when I confuse it with the PIN from another card. Entering it wrongly has happened maybe once or twice in my life, as far as I remember. Now, what are the chances that the facial recognition software will correctly identify me 99.99999% of the time? And how big is the risk that it might mistake another person for me?
    • Another thing: right now I can hand my credit card to my brother, tell him to pick me up a little cash from an ATM and give him my PIN and card. Will there be provisions made for you to authorize other people, like your spouse? How many? For how long?
    I think it's strange that so many people seem to think just because something is newer it is automatically better than the old technology / method / tool. Don't get me wrong, I love progress - but increasing the failure points of a known and working (if not perfect) system seems like a strange idea to me...
    --
    -- Language is a virus from outer space.
    1. Re:Stupid for several reasons by MichaelSmith · · Score: 3, Interesting

      I agree with all of that. One thing I would like to see with ATMs is an attempt to behave a bit like a human teller, in the sense that if I steal a woman's credit card and front up at the counter then they know that I (being male) must not be the owner of the card.

      Some simple image matching process would be a good idea IMHO. It doesn't have to be fantastic and definitely not a replacement for a PIN.

  17. 3D map of the face ? What about acne ? by subStance · · Score: 2, Funny

    Surely the degree of accuracy to which you would have to measure the face to make it unique would imply that a good case of acne would be enough to deny access to your accounts.

    Or better still, a broken nose ? Imagine having to go explain to the bank that you needed to change your pin because you were drunk and got into a fight at a pub ? There goes your chance at getting a homeloan ...

    --
    Servlet v2.4 container in a single 161KB jar file ? Try Winstone
  18. Re:PIN *NUMBER* ??? by Guy+Harris · · Score: 2, Funny

    Why do they have to post stories with a title that says "Personal Identification Number Number?"

    What would you use at an ATM machine other than a PIN number?

  19. Re:Its not the number of passwords that is the iss by cerberusss · · Score: 2, Insightful

    Like many people I end up having to write this new mangled password down, totally defeating its security.
    I don't see why writing down defeats a password its security. As long as you guard that piece of paper, it's totally safe.
    --
    8 of 13 people found this answer helpful. Did you?
  20. Update biometrics. by iknownuttin · · Score: 2, Insightful
    Instead of using something that's secret and can be changed, they want to start using something that everyone can see, and is not changeable.

    I guess you'd have to have your biometrics updated every few years as you age. More often if you smoke, drink heavily, sunbathe, etc... those things age you faster.

    --
    I prefer Flambe as apposed flamebait.
  21. Re:PIN *NUMBER* ??? by yotto · · Score: 4, Funny

    The next person who makes an acronym joke, I'm going to fire a SAM-Missile like TCP/IP protocol attack on. I'm serious, you're going to need a DC Comics superhero or the skills of an FPS shooter main character to survive this one. First, your FAT table will go, then your NIC card, then all your OSS software, and for the final coupe de gras, I'll translate all your code to the COBOL language.

    Yeah, you'll be FUBAR beyond all recognition.

  22. useful for fraud scoring, but not an auth factor by rapiddescent · · Score: 2, Informative
    I doubt this will be a single authentication factor in any banking/payment environment because the university researchers from the article just don't understand how complex payment systems are and how much interoperability between card schemes does not exist.

    Where it will be used is in fraud scoring. The Alliance and Leicester trialled small webcam-like devices on ATMs but for some reason took them out of service. Recognition is useful, but it will not be used to block transactions; it will most likely be used to raise a score on a fraud profile for a transaction.

    This type of fraud profiling is becoming more important because the UK will be moving to Faster Payments at the end of 2007 - where once banks had 3 days to run scanning products (for terrorist account activity and fraud), they will only have a few minutes. The problem at the moment in the UK is that customers do a lot of electronic payments compared to the USA, so many transactions will not have time for all the fraud checks.

    So if someone who looks nothing like my description makes a transaction, then the score will increase on the account, which can then implement further fraud checks in resulting transactions.

    When I designed and built a fraud detection system for a UK mobile operator, we found that when a handset/number had fraud committed on it, it was usually picked up by lots of the fraud scanners and would stick out like a sore thumb. Each customer would have an associated fraud score and when it reached a certain point, the fraud team would get involved.
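
Added example, not part of the original comment: the scoring approach described above, in Python, where a poor face match raises an account's running fraud score instead of blocking the payment, and the account is referred to the fraud team once the score crosses a threshold. Every weight, threshold, field name and the decay rule is an assumption made for illustration, and the transactions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every weight, threshold and field name here is an assumption made for
# illustration; none comes from the comment or from a real payment scheme.
WEIGHTS = {"face_mismatch": 30, "new_payee": 20, "large_amount": 25}
FACE_MATCH_MIN = 0.80     # similarity below this counts as a mismatch
LARGE_AMOUNT = 500.0
REVIEW_THRESHOLD = 60     # score at which the fraud team gets involved
CLEAN_DECAY = 0.5         # score multiplier after a transaction with no signals


@dataclass
class Transaction:
    account: str
    amount: float
    new_payee: bool
    face_similarity: Optional[float]  # None when no camera reading exists


@dataclass
class Profile:
    score: float = 0.0
    history: List[List[str]] = field(default_factory=list)


def signals_for(tx: Transaction) -> List[str]:
    """Return the names of the risk signals this transaction raises."""
    raised = []
    # A missing reading is not treated as a mismatch: cameras fail.
    if tx.face_similarity is not None and tx.face_similarity < FACE_MATCH_MIN:
        raised.append("face_mismatch")
    if tx.new_payee:
        raised.append("new_payee")
    if tx.amount >= LARGE_AMOUNT:
        raised.append("large_amount")
    return raised


def process(profiles: Dict[str, Profile], tx: Transaction) -> str:
    """Update the account's running score and return the handling decision.

    The payment is never blocked here; recognition only moves the score.
    """
    profile = profiles.setdefault(tx.account, Profile())
    raised = signals_for(tx)
    if raised:
        profile.score += sum(WEIGHTS[s] for s in raised)
    else:
        profile.score *= CLEAN_DECAY   # quiet activity lets the score fall
    profile.history.append(raised)
    if profile.score >= REVIEW_THRESHOLD:
        return "refer_to_fraud_team"
    return "allow"


def run_sample() -> List[str]:
    """Constructed sample: one account, four transactions."""
    profiles: Dict[str, Profile] = {}
    txs = [
        Transaction("acct-1", 40.0, False, 0.95),   # routine, good match
        Transaction("acct-1", 60.0, False, 0.41),   # poor face match only
        Transaction("acct-1", 80.0, False, None),   # camera offline, clean
        Transaction("acct-1", 900.0, True, 0.38),   # mismatch + payee + amount
    ]
    return [process(profiles, tx) for tx in txs]


if __name__ == "__main__":
    print(run_sample())
```

A single poor face match leaves the account below the threshold; it takes the mismatch combined with other signals to trigger a referral, which is the difference between using recognition as a score input and using it as an authentication factor.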

  23. informative or pedantic? YOU decide, summer 2007! by Scrameustache · · Score: 2, Funny

    and for the final coupe de gras

    I was just about to mod you +1Funny (I'm sure others will take up the slack) when I noticed the way you spelled that...
    It's "coup de grâce" (with the little hat over the 'a' that I think the /. encoding is going to chew up), as in "mercy". What you wrote is "slice of fat" which just sounds like you'd add insult to injury by stabbing them in the blubber.
    --

    You can't take the sky from me...

  24. Re:PIN *NUMBER* ??? by Cro+Magnon · · Score: 2, Funny

    Yeah, and I'm used to using my PIN Number at my ATM Machine.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  25. Nope by Slayer · · Score: 2, Informative
    Sorry dude, but most of your information is either highly outdated or just plain wrong:

    You have to consciously enter a PIN to give it away - unless you're fooled by a complete rebuild of an ATM, you're not likely to enter this particular number anywhere else

    It has happened over and over again. People use their ATM cards to enter indoor bank terminals (that's pretty common in Europe at least). Crooks have set up key pads and card copying devices instead of the card swipers, successfully copying thousands of cards together with pin code information. Also ATM machines have been successfully and repeatedly modified to copy the ATM cards inserted. A little camera mounted close to the ATM key pad recorded the PIN entered by unsuspecting victims.

    but you show your face to everyone in the street, making it trivial to get several photographs of it and even do a 3D reconstruction if desired

    If you know how to make such a 3D copy from a few random camera images, a lot of people would pay you wads of cash for that. There was until recently a 3D scanner lab operating at Stanford University (http://graphics.stanford.edu/projects/mich/), which used complicated equipment to achieve this task. Even there I'm not sure whether you can reproduce the detail required to pass biometric face verification.

    Facial recognition, on the other hand, requires - unless there have been vast advances - very good lighting, a clear image of the face not obscured by sunglasses, intensive make-up or bruises, and no vast changes in hair style or beard growth

    Every 1 hour photo shop clerk can tell you how to create consistent lighting for a mug shot. Believe me that biometric equipment makers either have figured this out by now or are going out of business shortly. Believe me, the face being unobscured by sunglasses will be happily provided by its rightful owner if he wants access to a room protected by a biometric verification system or to his money through a biometric ATM machine. Make up is virtually invisible if you work with infrared light - pretty much standard nowadays. If you have ever had any experience with biometric face verification you know that the mouth part of your face is not considered by face verification software because it changes too much - beards, body fat, movable jaws

    Image recognition is cost intensive, energy intensive and computationally expensive; a keypad of the highest level, secure and proof against vandalism will cost what? A couple of hundred bucks at most?

    I have no idea where you got that from. An infrared flash is vastly less energy intensive than the CRT display of most ATM machines in use today, same holds for LCD. The cost is as close to zero as you want it. As far as computational power is concerned: An Intel Celeron M running at 1.5 GHz does a high quality face comparison in well under a second. So your keypad may be cheaper in the short run. But you forgot about additional costs because people forget their PINs or leave notes with that info lying around where it can be seen by not so honest folks.

    To get facial recognition you need light sources that don't interfere with the cameras

    Every disposable camera maker has figured this out by now.

    the cameras themselves

    US$10 buys you decent OEM camera modules doing 640x480 at 30 fps

    complex software behind them

    Which you need to write once but this has been done already

    you need large amounts of data on the facial features. Granted, it might be easy to compress them to a couple of hundred kb's if you're willing to sacrifice some accuracy

    Have you ever worked with any kind of biometric system before ???? Images of faces are condensed down to a few kB at the moment and yield fantastically low false acceptance and false rejection rates. Even if you compress your mug shot with JPEG, 20 kB can do the job quite well

    Problem of false negatives and

  26. No. No. and No. by mpapet · · Score: 2, Insightful

    The first is that biometrics suck and are usually almost trivial to subvert.
    Okay sure, spend $50 on some sensor or $150 on sensor+lock and it will accept a fake finger. But that's not your average biometric installation.

    What do you do if somebody hacks your credentials as well?
    If the bad guy wants in, he won't try to reproduce your *face* to get in. This is just absurd.

    The problem is that the unified security mechanism rarely costs more to subvert than all the IDs it replaced.
    Except biometric installations aren't replacing many access control mechanisms with one. This just isn't happening right now. Later on when stupid people implement biometric authentication, it probably will. They'll probably buy the $50 biometric device too. **Good** biometric systems are expensive and the people paying for them want the best and they normally get it.

    The fundamental principle here is that centralising security often reduces security.
    As stated before, this is not what's happening in biometric installations. Yes, it's quite true with servers. But biometric installations and servers are not comparable.

    Finally, biometrics is an excellent solution to some problems. As the technology continues to improve, it will only get better.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  27. N-Ten by Afecks · · Score: 2, Informative