Human Ear Could Be Next Biometric System

narramissic writes "A team of researchers at the University of Southampton, UK, has received funding from the UK's Engineering and Physical Sciences Research Council to learn whether otoacoustic emissions (OAE), the ear-generated sounds that emanate from within the spiral-shaped cochlea in the inner ear, can be used as a viable biometric technology like fingerprints and IRIS recognition. According to a report in New Scientist, someday instead of asking for passwords or pin numbers, a call center or bank would simply use a device on their telephone to produce a brief series of clicks in the recipient's ear to confirm the person is who they say they are." Try faking that with gummy bears.

Re:Foots

[K.+S.+Kyosuke]

Why go to extremes (ears, feet) when you can follow the golden middle road? Oh, wait...

Gummy bear in my ear!

It won't come out! STICKY!!! Thanks timothy.

Re:Gummy bear in my ear!

[Red+Flayer]

It won't come out! STICKY!!! Thanks timothy.

Use a straightened fishhook, the barb will make the gummy bear easy to remove. Just be sure to wait until the gummy bear is warm and soft. And insert the hook very gently. And stick the hook through a cork first, to limit the depth it can penetrate -- measure by sticking the hook into the ear until it hits the gummy bear, then add 1/4 inch (about 1/2 cm). THIS IS VERY IMPORTANT. The length of hook sticking out of the cork should be distance to gummy bear in ear canal + 1/4 inch.

If the hook pulls out of the gummy bear, put a piece of ice in the ear, wait until it melts, then try again.

Or so I've heard (muffled, of course).

Re:Gummy bear in my ear!

[thomasdz]

Ow ow... great now I have a fish hook AND a gummy bear in my ear.
Let's see what I can do now... ummmm... I guess I need to find a river/lake/sea/ocean that has fish that like gummy bears...then while trying to eat the bear, they get caught on the hook and voila... I pull them all out.
(five days later)
I have a fish stuck in my ear now
Well... at least I can understand what everyone's saying in whatever language they're saying it in.
sigh...

Re:Gummy bear in my ear!

[Hatta]

And stick the hook through a cork first, to limit the depth it can penetrate -- measure by sticking the hook into the ear until it hits the gummy bear, then add 1/4 inch (about 1/2 cm).

So in order to make a safety device to prevent you from sticking the hook to far in the ear, you need to stick the hook into the ear. Personally, I'd use something else to measure.

Re:Gummy bear in my ear!

HONK HONK! I'm a truck! :)

BEEP BEEP! I'm a jeep ^_^

TOOT TOOT! I just farted lol

Re:Gummy bear in my ear!

[Red+Flayer]

So in order to make a safety device to prevent you from sticking the hook to far in the ear, you need to stick the hook into the ear. Personally, I'd use something else to measure.

You're wasting your time. The gummy bear protects the ear drum -- as long as you don't push the hook through the gummy bear when measuring, you're not going to damage the important parts of your ear.

Note to self: DO NOT PUSH FISHHOOK THROUGH REMAINING EARDUM.

Re:Gummy bear in my ear!

Personally, I'd use something else to measure.

Which is exactly how you could measure incorrectly. If you have qualms about sticking a hook in your ear up to the gummy bear, then you shouldn't use the method at all. Personally, I'd be much more worried about the universality of 1/4 inch being a safe addition.

Re:Gummy bear in my ear!

[Red+Flayer]

Personally, I'd be much more worried about the universality of 1/4 inch being a safe addition.

Then take a sibling of the gummy bear in question, and measure its smallest width. That is the amount you should add.

Re:Gummy bear in my ear!

[dudpixel]

and when you're finished doing that, ANSWER THE PHONE for goodness sake!!!

Re:Foots

LMFTFY Feet are better than ears No thanks needed!

Biometrics are great

[flaming+error]

... when used as identification rather than authentication.

Re:Biometrics are great

[sexconker]

Authentication requires identification.

Biometrics are useless as identification since, as we have seen, they are easily spoofed.

Biometrics are shit for everything.

Re:Biometrics are great

I don't understand. If you have something that uniquely IDENTIFIES you (eg: Biometric ear click thing), then why can't that be used for authentication? Nobody else has my unique ear click pattern, I might as well use it to get into my bank account.

Re:Biometrics are great

[Whalou]

Because if someone cuts off your head, they end up with your 'unique ear click pattern'. The technet article talks about a case where thieves cut someone's finger to steal his biometrically 'protected' car.

Re:Biometrics are great

[flaming+error]

> Biometrics are useless as identification since, as we have seen, they are easily spoofed.
You're exactly missing the point - any self-respecting system must expect fraudulent impersonation.

We can all present ourselves to Slashdot as Cmdr Taco, but come password time most of us would be thwarted. If the password went away in favor of a fingerprint (or earprint), as soon as somebody lifts it and posts it, we can all be Cmdr Taco. Until he changes his fingerprints.

But if his fingerprints were just a substitute nickname/login id, even after they are posted online we'd still have to crack the secret to convince the system we're the real enchilada.

Re:Biometrics are great

[CarpetShark]

Biometrics are great when used as [link to microsoft.com, labeled identification rather than authentication]

Microsoft.com is great, when used for ridicule, rather than authority.

Re:Biometrics are great

[Znork]

Because while most biometrics provide a specific identity with at least some kind of reliability, they do not prove that the person wanting to get authenticated as being that identity actually _is_ that identity.

See, you may be the only person in the world whose ear makes that specific click pattern. But anyone in the world can carry a device that makes that exact click pattern as well.

Same with fingerprints or DNA; it's your DNA, it most often can't be confused with anyone elses DNA, but you leave it everywhere and anyone can present it for inspection. Same with fingerprints. They describe you, but they're not a secret only you know.

PIN codes and passwords are better for authentication, as hopefully you don't leave them around on everything you touch. They can also be varied between different systems, so if one is compromised it doesn't mean they're all compromised. When someone copies your biometrics they know it'll be the same everywhere, you can't revoke it you can't change it, and to anyone who thinks identity and authentication is the same thing, the person carrying your means of identification will essentially be you.

Re:Biometrics are great

[perryizgr8]

that is the best article ever to differentiate between identity and authenticity. i thought i would post the link but you beat me to it.

Re:Biometrics are great

[relguj9]

I disagree, biometrics are great for both.

They are particularly good when used as an additional, hassle free, authentication factor. ex. Please enter your PIN, now touch the screen here (to verify fingerprint). Or, please tell me your social security number and hold the phone to your ear while we play this tone (to verify ear response). Or, please enter your password, now look into this camera (for retinal scan).

I agree biometrics are also great for identification, particularly with phones + this ear ID. For instance, when someone calls 911 they could immediately do an ear response to ID them. Biometric caller ID, you can identify who is calling you regardless of the number. Perfect for screening calls from that ousted sister in law or annoying aunt.

Re:Biometrics are great

[relguj9]

Meh, that's why biometrics are good for multifactor authentication.

It just makes it that much harder. You have to have a fake eyeball, fake fingerprint, fake testacles and his password.

In most cases, I think they are overly complicated for identification. I'm sure there are some places where they are good though.

Re:Biometrics are great

[flaming+error]

> good for multifactor authentication. It just makes it that much harder.

We call that "security through incovenience." Using non-secret information as a secret adds hassle, not security.

Re:Biometrics are great

[Jurily]

But if his fingerprints were just a substitute nickname/login id, even after they are posted online we'd still have to crack the secret to convince the system we're the real enchilada.

I'd argue against even that.

1. It creates too much correspondance with the real world.
2. If you use it everywhere, chances are you're lazy and have the same password as well... (Remember why the first worm was so successful? All it did was try PASSWORD=$USERNAME and PASSWORD="password".) So if they crack one of your accounts, they now have a reasonable attack vector everywhere else.
3. If an account with your fingerprint on it gets compromsed, what do you do? Cut that finger off and grow a new one? Even so, what do you do with all the other accounts you use with that same finger?

There are only two credible reasons to use biometrics I've encountered so far: the coolness factor, and nobody wants to tell the Big Boss he can't use his initials as password anymore.

Re:Biometrics are great

[relguj9]

Not necessarily. Any "security" can be broken, the more steps (or factors) there are, the more difficult and tedious it is to break.

The nice thing about some biometrics is that for the real user, it's not really inconvenient at all. As I said earlier, some examples would be "Enter your PIN, now touch the screen here", "Tell me your social security number then hold the phone to your ear" or "enter your password, now look into this camera".

All very simple and convenient for the user, I'd even go so far as to say that the biometric portion is more convenient for the user than the traditional verification part.

The additional factor just makes it that much harder for the potential perpetrator to break.

Is it breakable? Yes, of course, just about every form of authentication is breakable. Are there other stronger authentication methods? Yes, I believe there are.

The other questions to ask yourself are, "Is it more difficult to break without being inconvenient to the user?" I would say yes, it is by a good margin. It actually increases the level of difficulty for an automated system to bi-pass the security by an order of magnitude. You can brute force a password, good luck brute forcing the ear response, retinal signature or finger print.

Re:Biometrics are great

[FauxPasIII]

> I disagree, biometrics are great for both.

Any authenticating factor that cannot be changed in the event it is compromised is _not_ great.

Re:Biometrics are great

[relguj9]

Let me add with another example:

A common (and very lucrative) ATM scam with older ATM's (that don't include preventative security features and have dumb customers) is to install "skimmers" over top of the ATM card reader that will obtain track data every time a customer uses the ATM. The trick was they would also install a small camera next to the ATM to read the PIN entered.

They would later on just watch the video, make a copy of the card and withdraw a bunch of cash from your account (card writers are inexpensive and common). Simply adding a retinal scanner or finger print scanner would break this scam down entirely or make it an order of magnitude more difficult to pull off. Or some of them would just stand next to you and watch you enter your PIN.

http://banking.about.com/od/securityandsafety/a/skimmers.htm

The cost for the customer is very a minor inconvenience of looking into a camera or pressing a button, the reward is prevention of a large amount of cash being withdrawn from their account.

Most of these criminals aren't that complex. Adding things that are difficult to break simply and quickly (obtaining a PCB printer and creating a cast of a fingerprint or fake retinal scan aren't that simple) can really cut into the offenses.

Re:Biometrics are great

[relguj9]

It depends on the application.

Re:Biometrics are great

[I'm+not+really+here]

What about scars though? I've had 4 ear infections. Each time, my ear has changed shape, and everything sounds slightly different in that ear after the fact. Seems that I'd suddenly not be able to access my bank account?

Re:Biometrics are great

[geekoid]

Plus they are getting better. Instead of a place to set a finger, they ahve them now where it's a bar you run your finger over..it reads it like a mag strip. So no spoof based on previous prints. That was the biggest real world threat to fingerprint...I said biggest, not only.

Re:Biometrics are great

[unfasten]

I agree biometrics are also great for identification, particularly with phones + this ear ID. For instance, when someone calls 911 they could immediately do an ear response to ID them. Biometric caller ID, you can identify who is calling you regardless of the number. Perfect for screening calls from that ousted sister in law or annoying aunt.

Speakerphone, headset, holding away from ear.

Any of these would bypass the ID, and that's not even accounting for the possibility of creating fake responses (I don't mean identifying as someone else but just making it not identify you).

Re:Biometrics are great

[sexconker]

Card readers often don't need cameras most of the time, sadly, since your pin is actually on the fucking card (when it shouldn't be, when the banks say it isn't) in many cases.

Finger print readers will be installed over fingerprint readers, cameras will be installed over cameras, and probulators will be installed over probulators.

Authentication MUST be done with secret information.
Any biometric that can be unobtrusively obtained is essentially public information.

Re:Biometrics are great

[profplump]

Secrets aren't the only way to do security. In fact if you only use secrets you can only do "something you know" -- anything that might qualify as "something you have" is unlikely to be a secret. Traditional keys fall squarely into the non-secret category, but I think most people would accept that they provide some amount of security.

Likewise your username is necessary public information, but I doubt most people would prefer a system that takes a secret, checks it against every entry in the passwd DB, and allows access to whichever account(s) match -- requiring the correct information pair is more secure than requiring only the secret information.

--

You're also missing the benefit of varying interfaces. Let's say I come up with a hack to the PIN keypad that lets me hook up a computer and try every possible PIN in 90 seconds. If the PIN is the only information required for access I've now broken the system. But if I need a PIN and an access card -- even if all the access card has on it is my employee ID number -- an attacker would need to know my ID number, create a card AND execute the PIN attack. Certainly it's possible to create a suitable fake/cloned access card, but the vulnerabilities in the two systems are non-overlapping and therefore the combination of the two is more secure than either system independently.

Re:Biometrics are great

I agree that secrets are an important part of any security system. As you note they can be changed, which is a very important fact. But the rest of your rant is just bunk, and spreading lies about how bad biometrics are is unlikely to advance the cause against using them in place of secrets.

Neither PINs nor passwords prove you are who you say you are, just that you happen to know the same secret we expect that person to know. This is perfectly analogous to a series of ear clicks only proving that you can produce a series of ear clicks.

The relative secrecy of fingerprints/DNA versus secrets is also less clear cut than you make it out to be. Certainly you leave your secrets lying around in few places, but secrets are significantly easier to duplicate. Likewise secrets can possibly be guessed or obtained without physical proximity to the original subject, whereas fingerprints and DNA require an attacker to get close enough for collection.

Along the same lines, PINs and passwords are only a secret until you use them, at which point the system where you entered your password knows your password and could duplicate it, or anyone nearby may be able to observe it directly. Depending on the authentication type being used the remote system may also have a plain-text copy of your password, either permanently or transiently during authentication. Ear clicks would provide approximately the same level of secrecy -- only someone who initiated or spied on an authentication session would know your secret.

Just like fingerprints and ear clicks most people will use the same PIN/password for most of their accounts, so if any part of any system is compromised all the other systems are likewise compromised.

Re:Biometrics are great

[flaming+error]

> Traditional keys fall squarely into the non-secret category,
Why is that? Is the cut of my house key publicly available? Do my regular activities leave copies of it around town? Can someone call me on the phone and send a few clicks at my ear and deduce my key's pattern? Seems to me that a traditional key, like a password, is private; a secret that is just as secure as I keep it.

> Secrets aren't the only way to do security.
That's true. You could arm some of your best friends and sit them in front of each door of your house with instructions to only let you in. But if you're leaving guard duty to passive gadgets or non-sentient sensory-challenged electrical circuits, granting access based on publicly obtainable inputs is a bad idea.

Re:Biometrics are great

[John+Meacham]

A fingerprint cannot be compromised. A biometric identifier is not like a password. it is not meant to be secret. Think of your fingerprint as... well... like a public key cryptographic fingerprint really. Your public key fingerprint isn't secret. in fact, you generally want to distribute it as far and wide as possible. What makes it useful is that there is a corresponding private key that only you have that can be matched to said public key. A physical fingerprint is similar, everyone knows your fingerprint, but there is only one warm human body that is associated with it. Present the warm human body (your own) that matches the fingerprint on file and you gain access. So (and this applys to all biometrics).

'public key fingerprint' : 'private key' as 'physical fingerprint' : 'warm human body with said fingerprint'

This of course means that biometrics are only good for 'online' verification, meaning there is a trusted path between your body and whomever you are identifying with. this can be anything from a physically secure ATM, a security guard that applys the test, or whatever is appropriate for the application. The security of biometrics comes not from the secrecy of the fingerprint, but the security of the path from the human being biometrically tested to the verifyer. Hence, you cannot 'compromise a fingerprint'. You can break a particular system that uses biometrics for verification, perhaps with a gummy bear, but that just means you stop using that system, not that you shave off your fingerprints and get new ones.

PS. does anyone else enjoy the irony of using an abstract mathematical concept to explain a straightforward real world transaction? :)
 

Re:Biometrics are great

Ever do anything where you temporarily hand your key set to someone else? For instance, have you ever used valet parking? Or perhaps getting your car's oil changed at a while-you-wait vehicle service location like Minit-lube? Did you separate your car key from your house key? If not, then you handed your house key to somebody making a moderately low wage who could easily have gotten an imprint of your house key with a wad of plasticine. If you paid with a credit card that displayed a name, they might be able narrow down where you live as well. Your key is only as secret as you take care for it to be.

Re:Biometrics are great

[relguj9]

Card readers often don't need cameras most of the time, sadly, since your pin is actually on the fucking card (when it shouldn't be, when the banks say it isn't) in many cases.

Finger print readers will be installed over fingerprint readers, cameras will be installed over cameras, and probulators will be installed over probulators.

Authentication MUST be done with secret information. Any biometric that can be unobtrusively obtained is essentially public information.

I work in an industry where I would know, and you're 100% incorrect in PIN information EVER being stored on the card. It's not even possible since you can change your PIN even after the issue of your card and card readers do NOT write to the card. Compliance with Visa requires that the PIN be encrypted on the pin pad itself, whatever device it's connected to only deals with an encrypted PIN, the bank itself has to receive the encrypted PIN and verify it.

No, it is not public domain after being attained once. In the case of someone getting your information, it only matters if someone gets it right once. Once you change your PIN or whatever, then any other information surrounding you means nothing since the likelihood of them scamming the same person twice in the same way is slim to none and even if they did it is unlikely they'd store your information in a database somewhere, they'd get it all together and use it at once.

I mean, your explanation that stuff will be broken is the whole point. The harder it is and higher the barrier for entry, the less often it will happen. Any system can be broken. But I mean, in this example it's a hell of a lot easier to just make a copy of the card and go anywhere you damn well please and get money than it is to create an artificial eye to fake a camera, and it's a whole hell of a lot more obvious if someone is holding up a piece of paper or object to a camera.

To say biometrics are value less in authentication is ignorant and an overstatement. They are not strong as the ONLY form of authentication, but they are very strong in multifactor authentication due to added complexity on the part of the scammer and minimal added complexity on the part of the user.

Can the uses be improved on? Absolutely. As a crazy example off the top of my head, imagine a touch screen password entry device for a safe that requires you to enter your password with the correct fingers in the correct order with multiple re-use of characters. Good luck cracking that, you'd have to get a mold of each of their fingers and enter the password just right. Add onto this the simple task of cleaning off the touchpad after you're done, now where do you easily get the finger prints?

I think biometrics are crappy for internet and network related verification, but there's already what I believe to be more than good enough technology for that (token keychains that give you a random number that updates every X amount of time that only you and the bank know, essentially a key, plus the password).

I think they are good for multifactor on physical devices.

I'm done though, you can disagree all you want, I doubt the technology is going away. I severely doubt anyone will make it through this entire message anyways.

Re:Biometrics are great

[relguj9]

Well said sir.

I believe a lot of people here are jumping to the conclusion that biometrics sucks because it's not very useful at all for network verification. There are other things that work better there (key tokens).

When you're dealing with a physical device or, as a great example that you used, have a person monitoring the process they are just fine as part of a multifactor authentication.

Re:Biometrics are great

[relguj9]

Here is some more information about PIN's and standards:

http://en.wikipedia.org/wiki/PCI_DSS
http://en.wikipedia.org/wiki/PINpad

Re:Biometrics are great

[FauxPasIII]

> A fingerprint cannot be compromised.

The rest of your reasoning seems to flow from this initial assumption, and it's this assumption that I think is so dangerous about biometrics. (I grant that, if this were true, your reasoning holds)

There are different ways of analyzing your fingerprint and distilling that down to what is essentially a hash that can be compared against. A simple skin pattern shape analysis is the most familiar, but as every spy movie in the last three decades has shown that can be compromised as easily as posing as a cute waitress and getting your drinking glass away from you.

There are more advanced systems that use an analysis of the blood flow patterns through the fingertip to defeat that simple hack, but it's not at all outlandish to imagine a determined attacker creating a synthetic model that has close enough to the same properties to fool a print scanner.

A basic assumption I always try to start from when designing a security model is that there is _nothing_ that is impossible to compromise, there never will be, so just design your system to be as resistant and adaptable to that fact as you can. When viewed in that light, any and all biometric authentication systems have the fatal flaw that you cannot change your authentication token even if you know for certain that it's been compromised.

Re:Biometrics are great

But if his fingerprints were just a substitute nickname/login id, even after they are posted online we'd still have to crack the secret to convince the system we're the real enchilada.

I think you mean taco.

There is a really simple solution

[Colin+Smith]

Just embed a RFID chip under the skin.

 

Re:There is a really simple solution

[denis-The-menace]

You haven't seen the "Charlie Jade" series, have you.

Re:There is a really simple solution

[drinkypoo]

Is it still called trolling when you have a four-digit UID? (Just checking)

Re:There is a really simple solution

[thedonger]

Just embed a RFID chip under the skin.

My religious childhood in the early 1980s taught me that having a chip buried under my skin is really the mark of the beast.

Re:There is a really simple solution

[fuzzyfuzzyfungus]

It's funny, actually. Opposing general use of RFID is perhaps the only area where raving pinko-commie america-hating ACLU civil libertarians and raving christofascist ultranationalist satanic-black-helicopter conspiracists can come together in joyous harmony.

Re:There is a really simple solution

That's funny because whatever religious text that doctrine arises from certainly doesn't talk about a computer chip. You simply picked an interpretation that allows you to have an excuse for being technologically obtuse. Moron.

Re:There is a really simple solution

[thedonger]

For starters, you get the "Whoosh" award for being a humorless asshole. Second, had you ever been in an evangelical church - or at least paid attention when you were - they "warned" that the mark of the beast isn't necessarily "666" tattooed on you forehead.

Ass.

I have hearing aids...

... you insensitive clod!

ear wax

[greg_barton]

me + ear wax == suspected terrorist?

Re:ear wax

[dontmakemethink]

It gets better - the cochlea changes with time and exposure to loud sounds, ask any musician over 60. You + rock concert == not you anymore. There's temporary damage that heals, and long-term damage that doesn't. The cochlea can be damaged even without noticeable hearing loss. The brain constantly adapts to match the OAE's with the listener's preconceptions of the environment. You don't hear sound, your brain makes it up based on stimulus from the cochlea.

Still, there may be enough to go on from the lower-midrange frequencies which are more resilient.

Re:ear wax

[biobogonics]

me + ear wax == suspected terrorist?

No, it's another way of banning rock music. Loud music damages the cochlea and interferes with TEOAE's.
Musician == terrorist!

I'm waiting for my wife to spew coffee out of her nose when I tell her about this. She's a doctoral audiologist. :-).

Invest in Unilever

[Methlin]

Expect there to be a run on the Q-Tip market.

Re:

[DomNF15]

You're right, no faking with gummy bears - duplicating the ear-generated sounds will require slightly more sophisticated tape recorder technology...

why do we want this?

[dimachka]

what happened to good old fashioned fingerprints? Or are we going for enough security that I shouldn't be able to cut off their hand to access the system? But then, doesn't this just encourage me to cut off my adversary's head?

Re:why do we want this?

[Nursie]

It does seem an odd one.

There is a unit at Southampton ECS that investigates a lot of these things. When I was there they were interested in gait recognition, though from the people linked from the page there it seems like this is more in the realm of the electronics side than the computer vision side.

Even TFS gives a use for it - verify that the person on the other end of the phone is who they say they are. Though I'd be surprised if standard phones would give enough resolution to be able to accurately gauge the biometric. If it even is a useful or reliable biometric.

Re:why do we want this?

[PolygamousRanchKid+]

When I was there they were interested in gait recognition,

"Ah, Mr. John Cleese! Our system has recognized your Silly Walk. Your transaction may proceed.

Re:why do we want this?

[CastrTroy]

Everybody knows, to bypass the gait recognition, all you have to do is put rocks in your shoes.

Re:why do we want this?

[thedonger]

But then, doesn't this just encourage me to cut off my adversary's head?

I didn't RTFA, but I suspect this method requires the head to be alive. Now, if you can detach a head without killing the person you may get a pass on the murder charge and instead get a Nobel prize, but don't come crying to me when it doesn't pan out and you wind up in jail.

Re:why do we want this?

[geobeck]

But then, doesn't this just encourage me to cut off my adversary's head?

That's the reason some companies are looking at vascular scans as the biometric of choice. No blood flow = no valid reading. Then again, you could rig up a box that would pump warm blood through the severed hand, but a system like that would look kind of suspicious when you took it out of your backpack at the checkpoint.

Re:why do we want this?

[idontgno]

Well, the support apparatus would be slightly less suspicious than removing dismembered body parts from your backpack. Anyone in a position to become suspicious at said checkpoint probably won't wait to examine the plumbing before deciding the disembodied human hand is...suspicious...a bit.

Re:why do we want this?

[Znork]

verify that the person on the other end of the phone is who they say they are.

Of course, like all other biometrics it's worthless for that, as there's nothing preventing someone else from presenting a device that would emulate the same biometric. Biometrics are inherently not secret and thus cannot be used to authenticate an identity.

This one at least gets spread a bit less than DNA or fingerprints; you don't leave it on anything you touch, but if it's really so easily measured that you could use a phone for it it'd be trivial to replicate.

Still, I'm sure the biometrics crowd are just working their way up to suggesting colonic maps. To a certain mindset it seems like flashy sci-fi stuff must equal actual security, especially if they can't think of a way to subvert it offhand.

In the end, the old card number plus PIN code is much more secure than every expensive piece of flashy technology, simply because getting the PIN code out of a person is still harder than getting their DNA, fingerprint, facial features or inner ear shape. The very ease of presenting the information that makes biometrics so tempting is exactly what makes them unusable for authentication (which, of course, is why we'll eventually get to the colonic map, which at least requires shoving stuff up where you'll notice it. Until identity theft becomes popular among proctologists. Or until someone realizes they can tap into the sensors or copy the info from a database).

Re:why do we want this?

[John+Hasler]

> Still, I'm sure the biometrics crowd are just working their way up to suggesting colonic
> maps.

Well, at least that one isn't publically accessible (at least not for most people).

Re:why do we want this?

[geobeck]

Anyone in a position to become suspicious at said checkpoint probably won't wait to examine the plumbing before deciding the disembodied human hand is...suspicious...a bit.

...or notice that one of the guy's arms is substantially longer than the other.

I think that this is where a lot of the potential exploits fall down. Spy movies always show someone using a severed finger or plucked eyeball getting into a secure area that is never manned by an actual guard.

At the port where I work, the perimeter gates are manned 24/7, and any high-security areas that are not manned by security are in high-traffic areas and monitored by 24-hour video surveillance.

Could an unauthorized person get onto the terminal? Possibly. Could they do it undetected? Not very likely.

A common theme in this discussion is that biometrics shouldn't be used for authorization. If the intent is to use them alone, I agree. But there's nothing wrong with using them as part of a multi-level security plan.

Re:why do we want this?

Yes, but you'd be putting one certain individual in great peril.
What shall become of the goatse man's retirement savings!

FFS.

[fuzzyfuzzyfungus]

So, let me get this straight:

We are poised to make the same idiotic "Hey guys! Let's use biometrics for authentication!" mistake that we've made all the other times.

So, you can test the structure of somebody's ear by clicking at it and recording the result. Does this mean that you can infer the structure of someone's ear just by clicking at them and recording the result, thus allowing you to, with a dash of DSP, fake their ear structure on future tests? I'd want to be Very sure that that wasn't possible. A system where you can get somebody's Super Secret Biometric Secure Security ID just by calling them up and making funny noises would be even worse than the issues with fingerprints as authentication methods.

Re:FFS.

Also, they're going to face potential lawsuits over causing or "revealing" tinnitis.

I have been aware of my tinnitis since at least 3rd grade. I always knew that a silent night sounded like a non-stop symphony of cicadas, but I thought everyone heard that. Anyway, now I know that I can't hear it if I keep a constant white noise floor of at least 40-50db, since the primary frequencies I hear are up in the 10-15kHz range, at an equivalent level of about 20dB.

I can also avoid it by staying hydrated, but there are still things that can trigger me to focus on it even in "loud" areas. For example, I can go weeks without noticing it and then suddenly it becomes unbearable if I hear the right tones/clicks that cause me to notice it again.

If someone forces me to listen to use a system that triggers my tinnitis, I'm going to be very irritable for the next 6hrs to several days, and I might decide to break the device that triggered it.

Re:FFS.

[swilver]

Even if you can't infer it... I could call the bank, while at the same time calling you. If I relay their beeps and resulting sounds fast enough it might just work.

Re:FFS.

[home-electro.com]

Wow. Another fine example of how the most retarded and impossible to implement idea is a great way to obtain government grants.

Did these people consider how horrible are microphones in phones, and how noisy are phone lines? Ambient noise? Any sensible info that could (for the sake of argument) be extracted from the ear will be drowned in the noise.

Besides, have they looked how phones are constructed? Where is the ear and where is the microphone?

Re:FFS.

[bibliotek]

Now that my ears have been in the radiation port for head cancer treatment, I am fairly certain that my personal biometric has changed - what plans do they have to account for structures that have changed? Do we know that structures don't change over the lifetime, anyway?

Re:FFS.

[jsiren]

I know a few hearing aid users. I have been told by at least one that hearing aids tend to become loose over time as the ear stretches. I don't know how it would affect the acoustical properties of the ear.

Re:FFS.

[dontmakemethink]

Actually, they must be using relatively simple impulse response sampling, the same thing used to record impulse responses of acoustic spaces for use in convolution reverb units/plug-ins. Those can be very easily recorded and reproduced. Having something that fits in your ear and can't be visualy detected that can fool an in-ear detector would be very difficult. If it was worth going deaf to have a surgically implanted fake OAE response, maybe.

But as I mentioned above, OAE's change. This process could only produce positive results. A negative result would not confirm that the person is an imposter.

Re:FFS.

[ozphx]

Ah its ok, some places will put this in to make people feel important. You can con your PHB into having his Colonic Map tested "for security" heh, heh. Anybody else with a clue will stick with tried and tested methods.

Reminds me of my bank's shithouse new "TWO FACTOR!!" authentication scheme. They take something you know (password) and something everyone has (a code, SMS'd to your mobile phone). I mean for fuck's sake - its pretty much the equivalent of them taking out a full page ad in the paper. "Dear Phx, Your secret TWO FACTOR LOL SECURITY CODE is 36583!".

This is BankSA in Australia. My partner is with HSBC, and at least they give out a "real" (probably real-cheap-and-nasty) two-factor keyfob thingo.

Re:FFS.

[dudpixel]

This is exactly what i was thinking.

How can they record anything through the earpiece on the telephone? The microphone is on the other end!

Re:FFS.

[fractoid]

I always knew that a silent night sounded like a non-stop symphony of cicadas, but I thought everyone heard that.

They don't?

Seriously, when I was about 2 I told my mum that that noise was "the stars twinkling". She thought I meant crickets, but this noise is different, similar to the high pitched noise you sometimes get out of CRTs, but less constant.

Interestingly, the only time I remember it ever stopping completely was once during a power failure. It's not too irritating but it's definitely there if I focus on it.

Re:FFS.

[fractoid]

They take something you know (password) and something everyone has (a code, SMS'd to your mobile phone).

Um, they don't SMS the same code to everyone, you know?

Commonwealth Bank does something similar. They have your mobile number, and when you want to do key actions on NetBank they generate a random number and send it to you via SMS, then you then have to enter it into the web site within a couple of minutes. It just means that even if someone gets hold of your online banking user/pass, they also have to physically steal your phone in order to clean you out. It's not infallible but it's definitely better than nothing (or just a plain user/pass).

Re:FFS.

[ozphx]

SMS goes over the GSM control channel as plaintext. Hence the "everyone" has part.

PIN numbers, eh?

[the_humeister]

"A team of researchers at the University of Southampton, UK, has received funding from the UK's Engineering and Physical Sciences Research Council to learn whether otoacoustic emissions (OAE), the ear-generated sounds that emanate from within the spiral-shaped cochlea in the inner ear, can be used as a viable biometric technology like fingerprints and IRIS recognition. According to a report in New Scientist, someday instead of asking for passwords or pin numbers, a call center or bank would simply use a device on their telephone to produce a brief series of clicks in the recipient's ear to confirm the person is who they say they are."

Hmmm... I wonder if we'll get rice paddy workers interested in this. Or perhaps they're too accustomed to using their PIN numbers on the ATM machines.

Re:PIN numbers, eh?

[DriedClexler]

The automated ATM machines that use K's KDE destop environment, you mean?

Reservoir Dogs...

[mc1138]

Do we really need a bunch of thieves stealing ears to break into laptops and atms?

Issues with other possible biometric approaches

[Tetsujin]

Security researchers also considered using chemical analysis of subjects' genitals - but this idea was shot down when they realized that an attacker could synthesize the basic components and then ask your mom to perform some comparative taste-tests...

A series of clicks you say...

[hack++slash]

*ring* *ring*
"Hello?"
*click* *clickclickclick* *click* *clickclick* *click*
"What was that Flipper? Timmy's trapped on a raft and floating out to sea?"
"But what's that got to do with my bank balance?"

Re:A series of clicks you say...

[Kozz]

"Hello?"

"There are three flowers in a vase. The third one is green."

Wow, body acronyms

[ratnerstar]

What's up with "IRIS" in all CAPS? I see this pretty regularly. But iris isn't an acronym, it's just a part of your body. I guess "IRIS recognition" sounds more James Bond-y than plain old "iris recognition."

Re:Wow, body acronyms

[CompMD]

Its just someone trying to relive the glory days of SGI.

Re:Wow, body acronyms

[Hatta]

IRIS is an acronym for IRIS Recognition Is Sweet!

Re:Wow, body acronyms

I guess someone has been filling out too many IRS forms recently..

Re:Wow, body acronyms

Same reason you regularly see "Apple MAC", "PERL", "JAVA", "LINUX"...

Namely: People are dumb.

Dr Who wouldn't depend on Gummy Bears...

[argent]

Try faking that with gummy bears.

Any "Dr Who" fan knows you need to use Jelly Babies.

Re:Dr Who wouldn't depend on Gummy Bears...

[Dr_Barnowl]

The current doctor would use his "psychic paper", which seems to fool most things, even RFID readers...

This should work unless . . .

[UnknowingFool]

We run into Mike Tyson . . . Thanks! I'll be here all week. Try the veal.

Ears huh?

[nixdroid]

Sounds better than having your eyeball gouged out.

Rush limbaugh...

[Icegryphon]

Called and said it already works.

cochlear implants

[bugi]

Cochlear implants are subversive tools for the anarchist identity.

Re:cochlear implants

[Bieeanda]

Don't forget more traditional hearing aids.

Re:cochlear implants

[Dr_Barnowl]

Cochlear implants are perceived by some elements of the deaf community as a sinister means of destroying their culture.

Re:cochlear implants

[Fred_A]

Cochlear implants are perceived by some elements of the deaf community as a sinister means of destroying their culture.

Aren't they also lobbying for the blind to kill their dogs ?
(although I too have heard of this from multiple sources)

Re:cochlear implants

[ChelRenee]

Don't forget more traditional hearing aids.

Absolutely. That was my first thought when I read this article: I wear hearing-aids, which not only would interfere with the sounds coming through the phone (whether or not they ARE digital hearing aids). Plus, the fact that I've worn analog hearing-aids with constant circuit noise for 26 years, then digital hearing-aids for the past year, means that my cochlea and ear drum are already screwed. If they DID perform such identification testing on me, they'd find me no more or less of a terrorist than the next severely hearing-impaired person with my situation.

Re:cochlear implants

[bugi]

That's not really the same thing. Being deaf doesn't hamper one nearly so much as being blind.
Deaf culture is a distinct subculture. Is there an equivalent Blind culture?

Cochlear implants don't return hearing to "normal" levels so even for those it helps, the implant isn't likely to pull one out of Deaf culture. It may help one to better interface with with the Hearing, however.

Re:cochlear implants

[bugi]

Indeed, and you may note that cochlear implants are far more common among children of hearing parents and among those who lose their hearing as adults.

Well...

[akunkel]

that's not what I heard.

Re:Gummy bear in my ear! Access Denied...

[davidsyes]

So, if an entity wants to deny a person this form of biometrics, simply blast the ear and reduce or remove its ability to function as a biometric mechanism.

I guess if the eargoo is only intermittently useful, one could say the security efficacy could wax and wane...

CAUTION!

[inertia187]

Do not use otoacoustic emissions system on remaining good ear.

Sound from the ear?

[Kayden]

Can you hear me hear you now?

urine analysis

[MooseTick]

I would prefer a urine analysis test to this. I have to pee all the time and the ability to pee right at my wortstation would be welcome. My screensaver kicks in every 15 minutes though so it would keep me healthy by forcing me to drink my 8 glasses of water per day so I could stay logged in.

Mod parent up!

Truly the most informative thing I've read this week.

Re:Mod parent up!

[RichardJenkins]

And the most useful thing I've read on /. in years!

Why Is This Still A Problem?

[sexconker]

How fucking hard is it?

"My name is Bob, and I would like to access your services."

"Hello Bob, please prove you are Bob."

"Ok, here is my password."

"Thank you Bob, please wait while I check your authorizations. Ok Bob, you now have access."

So fucking simple.

If people can't be bothered to remember passwords, that's their problem.
If people choose shitty passwords, that's their problem.
If people get their shit snooped sniffed or keylogged, that's their problem.

We have methods of helping retarded users - such as enforcing decent passwords, requiring passwords to be changed, and requiring additional out-of-band passwords to prevent keyloggers and other snooping bullshit.

Regardless of what added layers you add, the key relies in making sure that the system and the user know something that no one else does.

Last I heard, they were logging our keystrokes via the sound of our typing, the em radiation, and the noise in our power lines.
Certificate Authorities are just centralized problems waiting to happen.
Public-key / private-key schemes are open to many of the same attacks as a password (a private key is a long password), as well as brute force attacks that can be run out-of-band without anyone being the wiser.

Keep the secret in your head.

Secure the secret on the other end. If you're using a typical password scheme, make sure that you're not using bog standard encryption routines that some bum can crack running JohnTheRipper once he grabs the hases. When your IT guy gets fired for playing WoW all day, change your encryption routines.

Re:Why Is This Still A Problem?

Make something idiot proof, and someone will invent a better idiot.

Re:Why Is This Still A Problem?

[swilver]

We have methods of helping retarded users - such as enforcing decent passwords, requiring passwords to be changed

I'm glad someone finally realized that "requiring passwords to be changed" is for retarded users. Nothing pisses me off more than to have to change my highly secure password because of some asinine policy.

Re:Why Is This Still A Problem?

[RichardJenkins]

If people can't be bothered to remember passwords, that's their problem.
If people choose shitty passwords, that's their problem.
If people get their shit snooped sniffed or keylogged, that's their problem.

Nope, it's everyone's problem. Banks lost allot of cash because of fraud (I mean the kind perpetrated by individuals to banks, not banks to everyone else) - it gets passed on to every customer.

I can't see how most of the rest of the post relates to the type of telephony scenario you begin talking about, but perhaps that explains the flamebait mod.

Re:Why Is This Still A Problem?

We have methods of helping retarded users - such as enforcing decent passwords, requiring passwords to be changed, and requiring additional out-of-band passwords to prevent keyloggers and other snooping bullshit.

Yeah, because retarded users have excellent memory and love memorizing new and meaningless things every now and then. And they will never write them down.

Actually, that's a pretty retarded policy. ONE very strong password is all you should enforce. If there is the slightest reason to believe it's compromised, enforce the change immediately. Otherwise, let it be.

Re:Why Is This Still A Problem?

[sexconker]

Yeah it's a retarded policy, and it exists because we have to cater to the retards.

Re:Why Is This Still A Problem?

[sexconker]

No, it's the problem of the person and the bank.
If some schlub loses his ATM card he's required to report it in order to not be responsible for fraudulent charges. Banks are insured, and any sizable theft is pursued.

I have free checking, free savings, credit cards with no fees that I have never and will never pay interest on, and CDs. Everything is backed by the FDIC. If some retard (let's take Sarah Palin as an example) gets he shit stolen, I don't lose a dime. The only fucking way it could affect me is in lower interest rates on my CDs and savings, but that shit is affected far more (orders of magnitude) by other things.

The only thing that could realistically happen is some former bank employee selling information. Under my scenario though, that shit won't be happening because once you terminate your employee you revoke their access and (if it's a person with knowledge of the encryption scheme) you change your crypt routines.

Telephony? WTF are you talking about?

Some problems with the NewScientist proposal

[Lonewolf666]

First, as some people have already posted, there is the problem of identity theft through recording the signal from the ear.
Second, will there be a sufficently clear signal? In a typical telephone receiver, the microphone is near the mouth of the speaker, not next to the ear. And telephone S/N ration is not that great to begin with.
Third, compression algorithms optimized for speech might or might not suppress the signal from the cochlea (think VOIP).

Overall, a typical case of sensationalist journalism that promotes products before the underlying problems are solved.

Re:Some problems with the NewScientist proposal

[gigne]

"In a typical telephone receiver, the microphone is near the mouth of the speaker, not next to the ear."

The article mentions using a separate high def mic embedded into the speaker of the phone. This means that we will all needs new handsets for this to work.

Your point about VOIP is valid, and was my first thought on the matter. A lot of large call centres these days use VOIP trunks between the building and the actual carrier. The quality is normally always extremely poor, and the filtering will almost certainly cut the useful portion out.

There are too many problems with this, and that is before we ask all manufacturers to add another mic

Re:Some problems with the NewScientist proposal

[eh2o]

Typically these signals are recorded with very fancy and very small microphones that are inserted into the ear canal by a licensed audiologist. But that is for research purposes, and MAYBE its possible to get something usable for a biometric ID without semi-invasive microphones...

Interestingly OAE is a binaural effect. It comes from the auditory cortex, not the ear, so you can literally put a sound into the right ear and record the emission out the left ear.

OAE is thought to be a reflex response connected with the ear's automatic gain compensation system. One theory is that people with a faster OAE response are more resistant to hearing damage (there is a population of individuals who have exceptionally small age-related hearing loss).

There is also spontaneous OAE, i.e., tinnitus, that can come and go according to various unknown factors including stress, etc.

Diablo

[baKanale]

Sweet! Now I can put all those ears I collected in Diablo to good use!

Re:Diablo

[dontmakemethink]

And Mr. Blonde can pass as a cop!

Not boomer-proof

[JeffTL]

There's one problem. The baby boomers, with their rock concert habits, are middle-aged now and many are starting to have some serious problems with presbyacusis. I am not an audiologist and don't know if this would alter the feedback this method is using, but I do know that once you get past 25-30 dB loss in material parts of the spectrum you often need a hearing aid for day-to-day life, which generally occludes the ear canal. So with increasing numbers of hard of hearing people, you're going to have to continue alternative means anyhow. Might be easier just to force your clients to get a new PIN every year or something.

General "Bloodbath" McGrath.

[snspdaarf]

"Don't let the ear frighten you, my dove."

So what do folks with Cochlear Implants do?

[pinakidion]

My son doesn't have them, but his ear canal is so narrow, no one in almost four years has even seen his eardrums. Maybe he can get a specially issued gummy bear...

Re:So what do folks with Cochlear Implants do?

[NeoSkandranon]

Gummi worms :)

Problem...

[Bootarn]

The article states that these so called OAE:s can be recognized using hyper-sensitive microphones. This is a bit of a problem since phones tend to have microphones of rather poor quality compared to those required.

Furthermore, since the method requires sensitive microphones, it can't be expected to work at all, since there are a lot of noises around us which can affect the authentication process. Not to mention the signal quality required. I don't see this working over a telephone in a foreseeable future.

Horsehit

[DynaSoar]

"...instead of asking for passwords or pin numbers, a call center or bank would simply use a device on their telephone to produce a brief series of clicks in the recipient's ear to confirm the person is who they say they are."

Complete bollocks. Phones doesn't have anywhere near the reproduction characteristics for the received click to be near the same as the original. The OAE response depends on the stimulus characteristics.

And they certainly don't have the ability to return the OAE signal as anything remotely like the original in terms of frequency response, and probably aren't even sensitive enough in terms of signal pick up to even detect it. So glad to know they got funded for something that anyone with experience in the field would have told them won't work.

Not new?

[dedazo]

I remember the Chilean government used to require that passport photos show the right ear clearly (although the last time I renewed the photo had to be a normal front shot). I always assumed this was because the ear structure is unique, a sort of fingerprint.

Won't work for everybody

[Locke2005]

Vincent Van Gogh might have a problem with this system...

Telephone: speaker != mic

[blackfrancis75]

I haven't read TFA, but how can this work? If they produce the clicks into the user's ear (telephone speaker) then how will they pick up the reverberations in the telephone reciever?
Surely unless they're loud enough to cause discomfort, the echos wouldn't travel far enough to be picked up at the phone mic?

I'm deeply offended!

[noidentity]

As a Ferengi, I'm deeply offended that you would use my member in such a way. How would YOU like to put your peni..oh, this will only be used on... humAn ears. Well, it seems we are on the winning side this time!

I can hear it now

I can hear it now.

Take this and stick it in your ear!

It changes

[Pushnell]

From the article:
"...changes in the acoustic emission with time are a sure indicator of changes in the physiological status of the peripheral auditory system. This property has been used as a sensitive indicator of changes caused by noise or therapy on a patient's ear."

So this method is sensitive to normal physiological changes within the inner ear. If I just came from a concert, can I still check my bank balance by phone? What if I spent a week at the lake? What if some lint from my pocket has found its way into my cell phone? Too many defeat scenarios for this to ever be a primary identifier.

No!

[Alarindris]

Sure, test the ear canal today, and it's anal probes tomorrow.

We must fight this tyranny!

The ear grows your entire life

[Sark666]

Wouldn't that change the sound?

Re:The ear grows your entire life

[lxs]

and won't ear hair muffle it?

This is a plao

[geekoid]

by the Ear Seekers. I know this day would come..sure, press you ear to the device, then nom nom, no more brain.

Rectal ID is Next

[TheMiddleRoad]

Seriously, all our orifices are unique. Why not rectal probes?

Re:Foots

[dontmakemethink]

and when the river runs red, take the dirt road?

Ok, let's use eardrums...just one problem...

[inject_hotmail.com]

If you are on the phone, how is it supposed to 'hear' your bio response? I don't know about any of you, but my ear doesn't produce a sound so loud that it could be heard by the mic of a phone, and there is no sound reception functionality in the earpiece of any phone. This also doesn't take into account telephonic compression, cellular data stream tomfuckery, background noise, blah blah...via telephone, ain't gonna happen.

Furthermore, in person, they'd have to jam something in my ear to measure its response (to overcome any ambient noise). How gross is that? Have you ever seen the crusty chunks of goo and other congealed humanoid fluids left on the earpiece of a public/someone else's phone...but this won't be outside goopiness..it'll be yes...yes...inside goopiness. Much more pleasant. Do you think they'll give you a nice clean new point ear-end every time? HAH! Once I went to the dentist and they made me put my mouth on the plastic "stage" so that my mouth would be in the right position for their x-ray machine. I asked if it was sterilized...the chick said "oh...yeah...don't worry about that." WTF! I could see five thousand score marks from the last snaggle-toothed Neanderthals so fortunate to grace the ray shooter before me.

NO THANKS. Everyone else can use it. That shit ain't touchin' me.

Great

[shutdown+-p+now]

So, now, instead of just chopping off your finger, they'll cut off your head.

Or remove the inner ear, which is probably going to be much more messy, and just as fatal.

Just great.

Ear wax

[shentino]

'nuff said.

too bad

[ramul]

I dunno about how useful a biometric this would be considering how sensitive OAE's are to hearing loss.

If you have a conductive (external/middle ear) hearing loss emissions cannot be detected even if they are present. Also no emissions are seen with larger degrees(~>35dB) of sensorineural (inner ear) loss. A lot of older people have a small deterioration in hearing that they probably dont notice.

When will people realize biometrics are just wrong

Seriously. Using something that you can never change for security and authentication is idiotic. Sure you don't have to remember or cary anything with you but once a malicious person obtains your information it's game over. And obtaining that information will always be easy and as more and more places use it, it will become even more trivial to obtain.

And while I'm ranting... You can all suck my nutz because Slashdot sucks.

Wait A Minute.....

[IHC+Navistar]

""a call center or bank would simply use a device on their telephone to produce a brief series of clicks in the recipient's ear to confirm the person is who they say they are."" -----Not if Comcast's VOIP still sounds like shit.....

There is no biological trapdoor function

[dalhamir]

Unfortunately, just like any other biometric, any system capable of measuring the metric is also able to easily copy the signal. In this case, the otoacoustic emission can be modeled by a simple transfer function. you could probably reproduce the signal with $100 worth of hardware, a good mic and speaker would be the most expensive parts.

What about someone who is deaf?

[rhdv]

I know for certain that otoacoustic emissions are a method to detect that someone is deaf. It is used in the Netherlands and other countries to detect deaf or hard of hearing children when they are only a couple of weeks old. If there is hardly any emission there is a strong indication that the child has hearing problems. I assume that low levels of emissions will also make it hard to perform identification (SNR issues etc.).

I guess you will have the same problem with other biometric systems too. There will always be a small part of the population that misses the human body part that is used for a specific method of identification.

Anus-wrinkle ID

I think we're destined to go for the butt-print technology and anus-wrinkle IDs. They're more unique than fingerprints even!

why software if you can do this directly?

[freaker_TuC]

Sound is nothing more but waves, you could catch them in any "box" and capture the echo of it.

Some studios use their hallway as natural reverb for example, you could use a (modelable) box which would reflect the soundwaves to the sensor.

Since this system would be used by telephone, error correction needs to be built in too, every telephone has different frequencies and microphones, making the system prone to authentication spoofs. A telephone conversation/authentication over 4kHz would be for sure needing less data than 44.1kHz or anything around cd quality, making storage of spoofs lots easier ...

Interesting thing to play with as audio engineer ;)

Re:why software if you can do this directly?

[dalhamir]

well, I was assuming that different banks or whatever would use different clicks, or have 3 different clicks and play them in a different order each time for just a hint of sophistication.

Re:

[Fred_A]

You're right, no faking with gummy bears - duplicating the ear-generated sounds will require slightly more sophisticated tape recorder technology...

And I'd like to know where they get their super hi-fi phones. It's regularly hard enough to hear people on cell phones, never mind the echo from their inner ears...

I can't wait for the medical applications for remote echography ("Did you put the gel on ? Good, now press your phone firmly just above the navel" "Oooh It's a boy ! I'm mailing you the pictures").

Condenser microphones are not waterproof either ..

[freaker_TuC]

Condenser microphones (which are very sensitive for their purpose) aren't waterproof either; that's why blowing in such microphones could/would alter it useless, or as professional thief-catcher depending it's size...

If they are using it over the phone, they either have to use a custom phone set or be very good with their error correction to work together with all the existing ((low) budget) phone systems over the planet.

Otoacoustic Emissions

[sjames]

The clicks are NOT for measuring the shape of the ear canal. The human ear has an active feedback mechanism both to improve dynamic range and to aid in frequency discrimination.

When we hear something, the physical shape of the cochlea performs the analog equivalent of a Fourier transform along it's length. The position of a hair cell along the cochlea determines which frequency it is responsible for sensing. Then, to better discriminate between neighboring frequencies, the ear generates counter tones out of phase.

The biometric system in question supposedly measures the counter tones in relation to the input. Since there is a significant amount of neural circuitry involved in the process in the ear itself, the auditory nerve, and the brain, it might be unique enough for identification.

I can imagine a huge number of problems with this. For one, we know this will inevitably change with age. Nobody's ears are the same at 40 as they were when they were 20. Further, simply attending a loud concert will affect the ear's responses for days (or longer).

There was some work in the '70s (IIRC) in the Soviet Union where psychiatrists were able to actually listen in on patients auditory hallucinations. It seems that their ears responded to the hallucinations as if they were actual sounds and so actually generated a somewhat distorted version of what the patient thought he was hearing. If you're one of those people who can play back a song in your head, I wonder what that will do for the biometric measurement? Will at least some people have to be sure to think exactly the same thoughts as when they were first entered into the system?

Naturally, deaf people need not apply, even if they can hear through a cochlear implant. A hearing aid would block the measurement. Even the use of a hearing aid would change the feedback through habituation so simply removing the aid for the identification wouldn't necessarily help.

If the biometric system can model a person's auditory system adequately to identify them, then it can also be modeled well enough to fool a biometric system.

Like all biometric systems, anyone who measures it for 'authentication' will have what they need to duplicate it to steal your identity. The more widely it's used, the less useful it becomes.

Even worse, if this is used through a special telephone handset (as if everyone is going to buy an expensive new telephone 'just because'), that means the bank has no way of knowing that your phone is connected to a table full of sophisticated hardware that can replicate anyone's otoacoustic feedback. At least a fingerprint scanner presents SOME risk of being caught if you affix a gelatin mold of someone else's fingerprints to your fingertips.

Like all biometric systems, it has a limited usefulness for identification and zero usefulness for authentication. Almost none of the potential users of such a system will understand the limitations sufficiently.

Like all such systems, it's effectiveness at preventing unsophisticated abuses will cause users to rely too heavily on it and so practically roll out the red carpet for sophisticated abusers.

I still prefer...

[Mr.+Firewall]

... the good old, tried & true, Rectal Scan. Keeps the employees subdued and easier to control, you know.

Someone told me years ago that he'd seen a movie where they had to endure a rectal scan to get into a secured facility. Sadly, I don't remember the name of the movie. I'll bet that it's funnier than hell.