Slashdot Mirror


Face To Face With the 'Human Barcode'

silentbrad writes with this excerpt from the Financial Post: "Fast-evolving biometric technologies are promising to deliver the most convenient, secure connection possible between you and your bank account — using your body itself in place of all of those wallets and purses stuffed with cash, change and plastic cards. Biometrics is the science of humans' physiological or behavioural characteristics and it's being used to develop technology that recognizes and matches unique patterns in human fingerprints, faces and eyes and even sweat glands and buttock pressure. Its applications in the financial realm are a potentially huge time and effort saver, but that's just a beginning for the technology's usefulness. ... [BIOPTid Inc.]'s One Touch cube, set to be on the market within a year, is an external device that users can hook up to their computers and mobile electronics to replace passwords for Internet logins and banking. The cube reads a personal sweat gland barcode to verify identity from the moisture on a user's fingertip. ... 'Biometrics is something that's used by governments, it's used by "Big Brother" to keep an eye on us and we want to change that,' says [BIOPTid chief Scott McNulty] 'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"

22 of 111 comments

  1. but you can change a password by Anonymous Coward · · Score: 5, Insightful

    Once a biometric has been compromised (e.g., someone obtains a copy of your fingerprints), you're stuffed.

    1. Re:but you can change a password by gweihir · · Score: 2

      Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it), it remains useful after compromise. That only applies to the big-brother scenario, though. But even then, this has very high verification cost and negates the claimed advantages.

      Otherwise: Biometrics is snake-oil. Without the usual human greed (paired with stupidity on the customer side), nobody would even be talking about it anymore, as it is completely unsuitable to lower costs as unsupervised verification is insecure because of the theft problem. It has sort-of a "SciFi" feeling to it, but that is the sum of its real advantages.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:but you can change a password by Dishevel · · Score: 2

      Geeks do not follow the instructions on the side of the box.
      They research it on Google then watch a YouTube video on how to hack the hamburger helper and customize it for hardcore vegans or how to make it code monkey friendly. Then they put their own twist on it and upload the video of their "Hamburger Helper Hack" to YouTube and post about it on their blog.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:but you can change a password by Marillion · · Score: 2

      There's that. The other issue is that every biometric system requires the computer to make a judgment call. A facial recognition system has to guess it's you within a [insert-threshold-here] degree of confidence. That confidence level will never be 100%. A password and physical tokens are the only mechanisms that inherently have absolute yes/no thresholds. Before you start challenging this, I'm not considering the "spoofability" of any of these methods. Of course, physical tokens can be stolen or lost, passwords can be shoulder surfed or guessed. Biometrics have been repeatedly demonstrated to be quite spoofable.

      --
      This is a boring sig
    4. Re:but you can change a password by Immerman · · Score: 2

      It depends on the security system - in a highly secure environment where guards or even just an alert receptionist is justified, biometrics do in fact offer a significant additional layer of security. It's only when used on their own that they fail spectacularly.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. "Protect themselves?" by hotdiggity · · Score: 5, Insightful
    “Biometrics is something that’s used by governments, it’s used by ‘Big Brother’ to keep an eye on us and we want to change that,” says Mr. McNulty. “We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.”

    ...

    The best way for me to protect myself with biometrics...is to keep the details of my biometrics out of any government or private company's database, thank you very much.

  3. Brain-damaged by Anonymous Coward · · Score: 3, Interesting

    Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password. How is this going to protect anybody or anything? At some point, convenience trumping everything else is going to lead to a lot of INconvenient situations.

    1. Re:Brain-damaged by gweihir · · Score: 2

      No way in hell. And I just had some other company representative claim the same thing here a few weeks ago. After careful examination, this claim turned out to be bogus, but it looked good on the surface. I almost felt sorry for the guy, making such claims in front of an audience of skeptic security experts is not a path to happiness.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Brain-damaged by Joce640k · · Score: 3, Insightful

      Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password. How is this going to protect anybody or anything? At some point, convenience trumping everything else is going to lead to a lot of INconvenient situations.

      You forgot one: We leave copies of them behind us wherever we go (DNA, fingerprints...).

      --
      No sig today...
    3. Re:Brain-damaged by arth1 · · Score: 2

      Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password.

      And not static either - there are examples of people's fingerprints or retina pattern changing, and medical conditions can occur that make taking samples impossible. Even DNA isn't necessarily good enough, as identical twins and other clones may share the DNA, while someone having received genetic treatment might not.

      So there has to be a backup way to authenticate, in which case the backup way can be more useful to use in the first place.

    4. Re:Brain-damaged by 19thNervousBreakdown · · Score: 3, Insightful

      Almost though, right? Because honestly, it's an insane claim. Your sensors are measuring an image, we can make very convincing images. Make your sensor fancy, have it measure heat. We can generate heat to incredibly precise degrees faster than you can blink. Heartbeat, capacitance, translucency, these are all child's play once we know what you're looking at. Since your sensors are almost surely of lower resolution than we're capable of reproducing, the key is the algorithm.

      Now this? Sweat glands? We can make Blu-Rays, but you don't think we can spoof a sweat gland to the precision that you're measuring it? Please.

      My ears will perk up in interest if or when a biometrics company claims that they're measuring an effect we're unable to reproduce. Create a biometric system that authenticates based on the subjective experience of consciousness. Now that's biometrics.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    5. Re:Brain-damaged by hoggoth · · Score: 2

      It's called the Turing Test.

      You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    6. Re:Brain-damaged by Carnildo · · Score: 2

      If you can read the sensor's output, and inject your own input, you can defeat any system. A keyboard is a sensor too, and just as vulnerable to what you've described.

      Biometrics are more vulnerable to this than passwords are, in two ways:

      1) You can enter a password into a remote terminal and have it be verified against a central database without ever transmitting the password in either direction (see challenge-based authentication protocols). You can't do this with biometrics: verification consists of comparing the measure against the database entry and determining that the two match to within the desired degree of precision, and this requires transmitting the measured values to the database.

      2) The average user does not leave their password on every surface they touch. In order to inject a password into a compromised reader, the attacker needs to record it from a compromised reader. Biometrics can be obtained through any number of methods that don't involve a compromised reader.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  4. Failure? by theJML · · Score: 4, Interesting

    We have fingerprint readers here. Sometimes, they don't recognize my finger. It's still my finger, but there's nothing I can do to convince it it's me, so I'm stuck and can't do my job until it decides to let me in. Face recognition is the same way. There's no way I can change my face, or alter my fingerprint to make it work, so I basically am just screwed. If there's any chance of that with this, there's no way I want it.

    --
    -=JML=-
  5. biometrics will be broken ... by RichMan · · Score: 3, Insightful

    Scan the eyeball it has a deep 3d structure that is unique: oops,
    Researchers create synthetic iris that can defeat eye-scanning security systems:
    http://www.theverge.com/2012/7/26/3188518/synthetic-iris-scanning-security.

    See all the ways to cheat on drug piss tests ....

    If it is a system, it can be hacked. No system should ever take validation as 100% proof.

    'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"
    This from the banking system that brought us 4 digit PIN codes that were considered perfect validation. *sigh*

  6. Biometric System I'd Like to See by Greyfox · · Score: 3, Funny

    I'd like to see a biometric system that forces you to perform a little dance in order to authenticate. That would be pretty funny.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. oops, someone wrote a clueless article again by slashmydots · · Score: 5, Insightful

    I guess yet another author has fallen victim to not knowing what the hell they're talking about again. Our technology isn't good enough to do true biometrics. Any system like he outlined is a glorified fingerprint scanner. It's not a magical device that "senses" your finger. Any biometric device takes some set of 0's and 1's and compares it to other 0's and 1's and if they match to a certain degree, it's approved. That means any of them can be faked to be close enough or hacked to approve wrong data.

    Fingerprints are an image file compared to another image file. Iris scans are an image file taken by a camera and compared to another image file. Face recognition is the same. All three of those are infinitely more fake-able than a password.

    To get my money now, you have to get it out of my wallet. Good luck. To fake my face, they need to take a picture of my face. That's a bit easier. To fake my fingerprints, they need to get a hold of my fingerprints and I definitely leave those in more places than my wallet. You may recall that the Mythbusters made a laser printed fingerprint on a $100 laser printer, licked it, and got past a top of the line $1000+ fingerprint reader. To fake my iris, they need a closeup of my face, also not so difficult. There really isn't any biometric data that's good enough right now to be used in financial transactions short of a DNA sequence and I'm not giving them a DNA sample and waiting weeks to buy a bagel.

    1. Re:oops, someone wrote a clueless article again by SirGarlon · · Score: 3, Insightful

      If you follow the tech industry long enough, all the hype gets recycled and comes back in slightly regurgitated form later. For example, "thin clients" (the Next Big Thing in 1997) and "cloud" (the Next Big Thing in 2007).

      Biometrics were all the rage in the late 1990s, when people were starting to recognize how problematic passwords could be. The enthusiasm died out quickly. Parent has outlined the main reasons why: they're easier to spoof than might first appear, and to use biometrics in authentication requires biometric data to be transmitted and stored (and therefore subject to compromise).

      I think face recognition technology is starting to change the tech industry, but not in a good way. It's not used for authentication. It's used for automated surveillance and tracking. *That* is the future of biometrics.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
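
Added example, not part of the original thread: several comments above contrast challenge-based password verification with biometric matching "to a certain degree" on a transmitted measurement. This Python sketch runs both checks side by side; the HMAC scheme, the templates, every name and the threshold are constructed assumptions, not any product's protocol.

```python
import hashlib
import hmac
import secrets

# --- Password: challenge-response, the secret never crosses the wire ---
def derive_key(password: str, salt: bytes) -> bytes:
    # Simplified: the server stores this key, so the key itself must stay secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_challenge() -> bytes:
    return secrets.token_bytes(16)  # fresh nonce per login attempt

def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    return hmac.new(derive_key(password, salt), challenge, hashlib.sha256).digest()

def server_verify(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)  # exact yes/no answer

# --- Biometric: threshold match on the raw measurement itself ---
def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def biometric_match(enrolled: bytes, sample: bytes, max_bits: int) -> bool:
    return len(enrolled) == len(sample) and hamming(enrolled, sample) <= max_bits

def template_hash(sample: bytes) -> bytes:
    return hashlib.sha256(sample).digest()

# Constructed sample data (not real biometric templates).
SALT = b"constructed-salt"
ENROLLED = hashlib.sha256(b"constructed enrolled template").digest()  # 256 bits
NOISY = bytes(b ^ 1 for b in ENROLLED[:5]) + ENROLLED[5:]       # same user, 5 bits off
OTHER = bytes(b ^ 0xFF for b in ENROLLED[:16]) + ENROLLED[16:]  # 128 bits off
THRESHOLD = 40  # hypothetical tolerance, chosen for this example

if __name__ == "__main__":
    key = derive_key("correct horse", SALT)
    c1, c2 = new_challenge(), new_challenge()
    r1 = client_response("correct horse", SALT, c1)
    print("password, fresh challenge:", server_verify(key, c1, r1))
    print("captured response, new challenge:", server_verify(key, c2, r1))
    print("same user, noisy reading:", biometric_match(ENROLLED, NOISY, THRESHOLD))
    print("different person:", biometric_match(ENROLLED, OTHER, THRESHOLD))
    # Hashing the reading does not help: any noise changes the digest entirely.
    print("hashes equal:", template_hash(NOISY) == template_hash(ENROLLED))
    print("captured reading resubmitted:", biometric_match(ENROLLED, NOISY, THRESHOLD))
```
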
  8. Identification != Authentication by Anonymous Coward · · Score: 5, Insightful

    Identification is the process by which the identity of a user is established, and authentication is the process by which a service confirms the claim of a user to use a specific identity by the use of credentials (usually a password or a certificate).

    All biometric systems only do identification. It's about time everyone gets what biometric really is: A FANCY USERNAME.

  9. Re:Place bunghole on reader by gweihir · · Score: 2

    Then, if you get a Hemorrhoid, figurative PITA will be added to the literal one because you cannot log-on anywhere anymore.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Required reading by pesc · · Score: 2

    If you think biometrics is useful for unsupervised authentication, please read this:

    http://www.schneier.com/crypto-gram-9808.html#biometrics
    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

    Your fingerprints are not secrets.

    --

    )9TSS
  11. This Summary Reads Like A Press Release! by TheSpoom · · Score: 3, Insightful

    You know, I'm OK with the occasional bad link or poorly researched story, but could we avoid regurgitating obvious press releases from private companies? Look, editors, I really, really rarely complain about you guys, but we do expect at least a little bit of work in filtering and, you know, editing stories.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs