Fingerprint Purchasing Technology Ensures Buyer Has a Pulse

An anonymous reader writes "A small U.S. university has come up with a novel solution to reduce the possibility of using a dead person's hand to get past a fingerprint scanner through the use of hemoglobin detection. The device quickly checks the fingerprint and hemoglobin 'non-intrusively' to verify the identity and whether the individual is alive. This field of research is called Biocryptology and seeks to ensure that biometric security devices can't be easily bypassed."

How about O2?

[Comrade+Ogilvy]

Checking for oxygenation level might be possible. Does not have to be a very accurate reading.

Re:How about O2?

[ColdWetDog]

Probably the same thing. Use a garden variety pulse oximeter which measures the IR spectrum of hemoglobin molecules. Oxygenated ones have a slightly different spectrum than deoxygenated molecules.

Sounds like a PITA to remove the remote possibility of being Beuhler'd. But it probably got a patent.

Re:How about O2?

[ColdWetDog]

Achkkk. Phphhht. Read TFA. The school in question didn't even develop the technology, they're just beta testing it.

Such news!

Next up....

Well, I got nothing.

Re:How about O2?

[kelemvor4]

Next up....

Well, I got nothing.

Just like TFA. I say you submit it!

Re:How about O2?

[gandhi_2]

Passwords, someone complains you can just beat people with wrenches.

Biometrics, someone complains you can just cut off a body part.

Biometrics with life detection, someone complains the system can't detect if the persons family is being held hostage....

Re:How about O2?

No, unless you actually clamp the finger so you can control all the light hitting it, telling hemoglobin oxygen levels by color is overwhelmed by skin color or by anything that calluses the fingers, such as playing guitar, or that keeps them abraded, such as dishwashing. In fact, doing fingerprints on stay-at-home parents with many children presents its own issues.

A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/. There is still no fingerprint technology that reliably detects this attack.

Re:How about O2?

[X0563511]

Erm, no? HIPAA talks about medical records. If all you're doing is keeping a particular biometric, that would not fall under HIPAA.

Re:How about O2?

[Githaron]

It is a lot harder to drag a hostage to a door without being obvious than it is pull a dead hand/finger out of your coat when no one is looking.

Re:How about O2?

[Nihilanth]

For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.

Re:How about O2?

[Anubis350]

Gives the attacker motive to kill someone with CO poisoning then, it will be read as oxygenation (CN can have a similar effect - also it means anyone going through such a coded lock may not be allowed to have painted fingernails, not that that's such a big deal)

Re:How about O2?

[FrankSchwab]

A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/. There is still no fingerprint technology that reliably detects this attack.

Well, I beg to differ on that particular point. The technology to reliably detect that published attack has been (and is being) shipped in a major OEM's Enterprise level laptops for several years. Call your salesman if you'd like to know if yours has it.

Unfortunately, not all OEMs that include fingerprint sensors choose to include antispoof features. Most consumer grade laptops, for example, don't. So when you go buy that $300 special down at Best Buy, don't go crowing that you can build a spoof for it - Matsumoto's paper will give you a direct recipe and procedure for doing that, and you may be successful. BTW, should you wish to attempt it yourself, there are easier materials to use than Gummi bears. A pulse sensor is a plausible way to prevent this attack (unless, of course, you're using live Gummi's, which would be inhumane).

Spoofing of biometrics is a well-known problem, but that doesn't mean there isn't advancement in the state of the art (on both sides). Heck, it's even the subject of a major motion picture (Tom Cruise in a bit of a stinker, "Minority Report"). There will always be attacks possible - the question is whether the attack on the biometric is really the easiest way into whatever's being protected. If you have my laptop and are trying to break into my system, wouldn't it be easier to simply image the hard drive rather than etching PCBs to make molds for the Gummi bear spoof? At some point in time, the $5 wrench is easier to employ than the necessary spoof building technology, and that's what we're aiming for.

Re:How about O2?

Who said anything about dragging? Just ask politely, and don't forget to mention that you have a direct communication line to people holding a 12 gauge shotgun to their kid's forehead. People are surprisingly cooperative when you press the right button. Or in other words, threaten to pull the right trigger...

Seems the only solution is not to have secrets or possessions worth guarding with security systems. But it's probably still too soon for our society to accept that...

Re:How about O2?

[Bearhouse]

Duress code...

http://en.wikipedia.org/wiki/Duress_code

Re:How about O2?

[SalaSSin]

Maybe you should tell us your passwords, then we can help you remember them!

Re:How about O2?

[durrr]

And skinning a finger to translucency and using your own as a backing, or artificially pumping a blood equivalent fluid through a dead finger is impossible!

Re:How about O2?

[Macgrrl]

Isn't it hunter2? I thought that was the default password for the internets.

Re:How about O2?

[pclminion]

That'll get shot down because it'll violate HIPAA regulations. Collecting medical data without sufficient privacy safeguards.

The ignorance is astounding. HIPAA only applies to medical professionals (and even then, only those who conduct business electronically, which in practice means everyone, but in theory, some backwoods doctor with a paper-only record keeping system, accepting only cash for payment, and no land line could POSSIBLY skirt the law)

There is no law in the United States which generally prohibits storage and processing of medical information. It does not apply to you or to a company making security devices.

Re:How about O2?

[girlintraining]

For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.

You assume that the device would be rigged to do something to help you in that event. "Warning: Elevated blood pressure detected. Access to secure area denied." (a few seconds later) *BANG!* "Okay, bring me the next one, Terrorist Bob."

Never assume security is there to help you.

Re:How about O2?

[dkf]

Duress code...

How does that save the family held hostage? Or the poor sap with a gun pointed to his head?

Re:How about O2?

[mrmeval]

I have a quote about this I'd stated ... a score ago?

"The problem with biometrics is keeping the body parts alive." --mrmeval

And you can quote me. :-P

Re:How about O2?

[gandhi_2]

...and them someone complains that the duress detection could be fooled by using a mix of mild narcotics.

My point is people will soon be here to bitch about how all the work you are doing is SOOO stupid.

And now you can read some examples without even leaving this browser tab!

Re:How about O2?

[flyneye]

But, if I paste the fingerprint on a shaved section of a little dogs ass, then, not only have I hacked my way in, I have MADE everyone using the lock after me, touch a little dogs ass.
Filthy technology, go wash your hands.

Re:How about O2?

[penix1]

There is no law in the United States which generally prohibits storage and processing of medical information. It does not apply to you or to a company making security devices.

You know, that is the funny thing about laws.... They can and often do change. I believe all biometrics stored electronically should have the protections of HIPPA. So much can be learned from them that if they fall into the wrong hands can be just as devastating as if a hospital released all your files. Things like this scanner that can detect hemoglobin states is one example of the technology going in a scary direction. What's next, one that detects blood sugar level or cholesterol levels?

Re:How about O2?

[a_hanso]

Is there such a thing as an emergency PIN/password? I.e. a secondary password that lets you in just the same, but quietly alerts authorities that you are being coerced? There is an urban legend that says ATM PINs entered backwards do this, but they're just that -- legends.

Re:How about O2?

[Bryansix]

That's not really the point of biometrics. You should technically still use a password. Its something you know, something you have, something you are. The biometric passes the third test but a secure facility would still require the other two. In addition biometric can't be given out. Passwords tend to make the rounds. Of course the most common use of biometrics are in timeclocks to make sure the person is actually present at work.

Re:How about O2?

[firecode]

Some brain EEG measuring techniques might be able to detect this.

Re:How about O2?

[RockDoctor]

Some brain EEG measuring techniques might be able to detect this.

Fuck that shit. Too complex, too delicate.

Skin resistance using contacts built into the fingerprint-reader ; microphone for breathing rate (arrange the wall-mounted reader so that you've got to have your mouth in a certain place, where the microphone is, for signal-to-noise ratio improvement. Say, use two fingerprint readers metre apart, to be operated simultaneously ; put microphone in wall 0.75m above the midpoint of the two fingerprint sensors). Fuck it ; put a breathalyser in there too, why not? They're cheap enough to put in the hands of cops by the thousand. Or an iris scanner, for "Wow" factor?

I don't believe all the hype of polygraph salesmen (hell, there's only one country where the courts actually believe them), but for a binary discrimination of [unstressed | refer to security officer], those two measures should be sufficient.

Will you be allowing people to be carrying stuff into or out of your secure area? Really?

Gun to the Head

[rodrigoandrade]

Does the device only check for pulse or does it also compare to the person's normal blood pressure (which was obtained upon registration into the system) to make sure the person being authenticated isn't being coerced into granting access to unauthorized personnel/burglars, etc???

Re:Gun to the Head

[ColdWetDog]

One would hope the cashier would notice. After all, the assailant can only point the gun in one direction.

Ee's not dead! Ee's just pining for the fjords!

Re:Gun to the Head

[X0563511]

Blood pressure is a wildly varying metric.

Try it. Measure your blood pressure at various points of the day over a week.

I'd also be interested how one might reliably check blood pressure with access to only a finger.

Re:Gun to the Head

[Hotawa+Hawk-eye]

If this device is being used at a location where a human cashier is working, just get the cashier to look at the thumb pad while the person is pressing their thumb against it. If the employee sees a thumb being held in another set of fingers, or sees a thumb whose tip shows signs of being surgically stitched onto a stub, he or she presses the "Hold transaction" button on the register and asks for ID or calls the police as appropriate. The additional check would be needed for locations where there is no human cashier involved, say at a gas station's self-service pump (where the cashier is in the central kiosk monitoring all the pumps for problems and processing cash transactions.)

Re:Gun to the Head

If someone's using a severed hand to pay for gas, I think your gas station might have bigger problems.

Re:Gun to the Head

[Macgrrl]

I know that when in hospital recently my pulse was monitored by a finger sensor that simply clipped on. So they can measure some degree of blood pressure variation from a finger.

Re:Gun to the Head

[Time_Ngler]

... sees a thumb whose tip shows signs of being surgically stitched onto a stub

What if the customer is wearing fingerless gloves? He could hide the surgical stitch underneath the glove, but the end of the thumb would still be exposed and readable by the machine.

IANAL

[masao]

How will lawyers use it?

Biometric Authentication is a bad idea.

Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.

Re:Biometric Authentication is a bad idea.

[fredrated]

Sounds like the basis for a start-up!

Re:Biometric Authentication is a bad idea.

[Nemyst]

If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say A) you have bigger problems than authentication and B) we've gone way past current technological levels.

Re:Biometric Authentication is a bad idea.

[PolygamousRanchKid+]

If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say

C) the art of masturbation will probe new dimensions . . .

Re:Biometric Authentication is a bad idea.

[mark-t]

An adult hand with even the same DNA as another would still not necessarily have the same fingerprints. Although the precise process by which they are formed is subject to some debate, it is generally agreed that fingerprints are formed by some combination of environmental factors in the womb between roughly the 10th and 17th week of development. Even identical twins, with identical DNA, have distinct fingerprints.

Re:Biometric Authentication is a bad idea.

[Joe_Dragon]

just sit on top of the microwave to change your DNA or go for a swim in the Spent fuel pool

Re:Biometric Authentication is a bad idea.

[Hatta]

It's easier than that. Dust for fingerprints and have a 3d printer make a mold for fingers with those fingerprints. Grab a stray hair follicle, and amplify a bunch of DNA using standard protocols. Mix the DNA into some gelatin and pour it into the mold. Run some tubing through the mold hooked up to a perstaltic pump to simulate the pulse.

This is all achievable with current technology.

Re:Biometric Authentication is a bad idea.

[JigJag]

that's why biometrics should be used for the *username* part of authentication and not for the *password* part.

When presented in front of a login screen, swiping your finger should say: "I know now that you are JigJag. Please enter your password: "

Re:Biometric Authentication is a bad idea.

[DriedClexler]

One word: retroviral engineering.

Re:Biometric Authentication is a bad idea.

[eth1]

Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.

A fingerprint is also something convenient that most people have with them at all times that can be used as a second factor for authentication.

If a PIN/password is good enough, than PIN/password+print would be better in virtually all cases.
Same for a credit card with no additional checks vs. a card+print

Re:Biometric Authentication is a bad idea.

Apparently you'd have to swim pretty deep.

Re:Biometric Authentication is a bad idea.

[Bryansix]

Brings a whole new meaning to the "Stranger".

Re:Biometric Authentication is a bad idea.

[davester666]

Google is already working ways to track you through your genetic mutations!

Protects against zombies

[bab72]

And it also protects you data during the zombie apocalypse!

Not checking pulse

[crow]

The title is wrong. This is not checking for a pulse. If it were, then people with artificial heart pumps like Dick Cheney wouldn't be able to use it. They are alive, but do not have a pulse.

That said, I could see something like this checking for a pulse. This brings up the interesting problem of how to handle biometric checks for people who don't have those biometrics. Not everyone has fingers. Not everyone has eyes. Not everyone has a pulse. Maybe you don't care about that, as you don't have any of them among your target users, but what happens when that changes? You need a plan to handle that.

Re:Not checking pulse

[CanHasDIY]

...people... like Dick Cheney... are alive...

That seems debatable.

Re:Not checking pulse

[Ol+Biscuitbarrel]

What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.

Re:Not checking pulse

[dgatwood]

What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.

You obviously haven't been to an American toy store on Black Friday.

Re:Not checking pulse

[GodfatherofSoul]

Wait, are you sure he received an implant and didn't just demand it from some 3rd world orphan to pay off a family debt?

Re:Not checking pulse

[Macgrrl]

I would speculate that Cheney does have a pulse, even if it is triggered mechanically, as a pulse is the rhythmic pumping of blood around the circulatory system to oxygenate the organs and extremities.

It might be very rapid and fairly flat (or slow and big), but it would still be there and measurable.

Re:Not checking pulse

[crow]

My understanding is that he didn't (another poster pointed out that he has since received a heart transplant). I'm under the impression that the artificial heart in question produced a steady flow, more like a fan than a traditional pump. Technically, there would undoubtedly be some variation or vibration that could be considered a pulse, but it's the sort of thing that would be within the noise level of a normal pulse, not something likely to be detected. It would also likely be the case that other movements in the body would obscure it to the point of irrelevance, as well.

Re:Not checking pulse

[crow]

My point isn't that this isn't an interesting technology. It's that we need to be careful in designing systems to watch out for the edge cases. As long as there's a plan in place for handling them, everything is fine.

And of course you see this sort of comment on Slashdot. I work as a software engineer. If I ignored a case that was only a ten in a million case (0.001%), I would be flooded with field issues. In the real world, you can test for the common cases, but you have to design for the tricky ones.

Re:Not checking pulse

[Bryansix]

The LVAD doesn't give you a pulse. It uses archimedes screws. However, usually it just assists your heart. In some cases though the patients heart dies off and this is the only thing keeping them alive at which point they lose their pulse.

Re:Not checking pulse

[davester666]

Kill the vampires and/or zombies?

Re:Not checking pulse

[girlinatrainingbra]

re This is not checking for a pulse.
.
Look at the application for the patent assigned to the company involved. The patent details say that it measures the change in oxygenation levels which varies slightly as each heartbeat pumps more blood through the vascular system. Here are some details. (it doesn't measure blood pressure, like some people were guessing above, it measures hemoglobin oxygenation/deoxygenation levels).
.
It measures "Pulse Oximetry" which measures the ratio of oxygenated vs. deoxygenated hemoglobin in the blood by measuring infrared absorption at two wavelengths, wavelengths $\lambda_1$=630 nm and \$lambda_2$=940 nm. [LaTeX mods inserted by moi] Here's the relevant information from their patent application at line 82, the preferred embodiment of the invention in http://www.faqs.org/patents/app/20120119089 : DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION [0082] Basically, the invention is based on the transmission properties of quasi-coherent pulsed near-infrared radiation on human epithelial tissue and its absorption by oxidised and deoxidised haemoglobin (25). It is also based on the reflection of near-ultraviolet (24) and pulsed UV-A (23) radiation on human epithelial tissue.

The presence of a "pulsatile" or time-varying signal will indicate the presence of a pulse and will also indicate the heart-rate and the oxygen saturation level of the blood. Using different wavelengths would allow for the measurement of CO_2 levels or of CO (carbon monoxide) levels also. This type of measurement is routinely done on neonates (newborns), intraoperatively, and in the post-surgical unit on patients coming out of anesthesia. I just studied some of it when I went on my hospital shadowing visits with my mom the doctor (!).

Almost worthless

[codepigeon]

I actually read the article; what a useless waste of a web page.

There is only one paragraph that mentions anything about the technology, and that is the paragraph in the summary here.
The rest reads like filler material and pimping the advantages of investing/working in the upper midwest.

Lame. I was hoping for more details.

Re:Almost worthless

[plover]

I talked to Alan about this a month ago. It's RF based detection of dermal layer blood vessels, not fingerprints. Living tissue is required for the hemoglobins to move.

That said, his interest is in the financial application of the technology. He's trying to replace the credit card, not simply to produce a hard to forge biometric device.

Re:Almost worthless

[dgatwood]

A replacement for credit cards that is even less secure than the current ones doesn't sound like a good idea to me.

If this is just checking for the presence of capillaries, I can't think of any reason that it couldn't trivially be fooled by a slight tweak to the gummy bear trick in which you stick the glue pattern print onto a shaved elbow instead of a gummy bear.

If, on the other hand, this is trying to determine who you are based on the pattern of blood vessels, I suspect that the methodology is just plain doomed to fail. What makes fingerprints a good method of identification is that they are relatively static. By contrast, the blood vessels in your skin change significantly over the course of your life, particularly in your fingertips. Every time you get a paper cut, new capillaries form. Imagine having to update your biometric profile every time you get a paper cut or a solder burn. :-)

Re:Almost worthless

[FrankSchwab]

I don't know Alan, but looking at pictures of the device at http://www.hanscan.com/en/hsc-ac-it2 I'd guess that it's a Fingerprint cards RF-based placement scanner (http://www.fingerprints.com/Products/Sensors/FPC1011F.aspx) with an IR pulse detector (for example, http://pulsesensor.myshopify.com/pages/open-hardware), wrapped by a bunch of simple software apps for time-and-attendance, low-value shopping, etc.

Frankly, everyone in the business is trying to replace credit cards; how else can you envision getting 3% of every transaction made, anywhere, without having to do more than lift a finger now and then?

And there are a lot of people trying to do it:
http://www.paywithisis.com/
http://www.marketwire.com/press-release/lenovo-nok-nok-labs-paypal-validity-lead-open-industry-alliance-revolutionize-online-1755467.htm
http://www.inquisitr.com/490728/authentec-iphone-6-fingerprint-detection-and-apple-release-date-rumors/

I wish him luck.

Arms Race?

When will the public realize that all of these biometric systems are defeatable? You're just adding another layer of data that can also be faked. You know what can't easily be faked or spoofed? Sufficiently strong public-key cryptography. So let's get it over with and start assigning giant private keys to everyone on the planet and dealing with the infrastructure issues and loss/replacement stuff (similar to passports today, I imagine). Then it's easy to authenticate anyone: they just sign data with their private key and that can't be faked. The standards could be open, we could have multiple implementations of hardware/software signing devices to use during transactions. Some of them would suck and get compromised, resulting in waves of people having to revoke their keys and apply for replacements. We have time to work the system out and come up with something that's sane in practice.

Does it check to see if he has a gun to head?

[boddhisatva]

This kind of stuff is good marketing. Useless, but that hasn't stopped anyone from blowing money so far.

Re:Does it check to see if he has a gun to head?

[Lost+Race]

Useless? I'd rather have a gun to my head than my hand cut off.

Re:Does it check to see if he has a gun to head?

[boddhisatva]

Once they're in, you're dead weight. And speaking of dead...remember that gun to your head?

Too late to matter

[RicardoKAlmeida]

Now convince criminals that your disembodied fingers won't work. There will always be skeptics. Don't worry, your missing fingers won't do the job for them.

Meanwhile....

[M0j0_j0j0]

Company Korporov Kopinc. announces new device to keep pulse on a dead body hand, the company says this device can bring the real deal on "another world" handshakes.

yeah, right

[cellocgw]

Show me a biometric test that can't be spoofed for 10% the cost of the test hardware. Go ahead, I dare ya.
Fake retinas and fake fingerprints took, what, a couple weeks to show up after their respective scanners went into production? Why should any other sort of bio-scanner/detector be any different?

Re:yeah, right

[nedlohs]

Because no one has ever gotten past a guard by wearing a uniform and carrying a large box. Or by bribing them. Or by threatening them or their family (we are talking about chopping people's fingers off to use in a fingerprint scanner). Or by faking an ID. And so on.

I already know how to crack that lock

[paiute]

Hey, pal! Does this smell like chloroform to you?

Gummy bear attack

[femtobyte]

Does this device offer the least bit of protection against the "gummy bear attack" (i.e. a thin molded replica fingerprint, formed from, e.g., etched gelatin, over a living finger)? If not, then it's pretty useless (because lugging around a whole dead body or even severed finger is already riskier/harder than a simple replacement mold).

Re:Gummy bear attack

[FrankSchwab]

Possibly. My experience is with fingerprint swipe sensors, not fingerprint placement sensors, and with those the gummi bear mold has to be fairly thick to survive a swipe over the sensor. The thickness tends to block the light from such optical sensor, and so the attempt is detected and blocked. With a placement sensor, the gummi bear mold could probably be made thinner; I don't know if it can be made thin enough.

Re:Gummy bear attack

[Rich0]

As long as you don't have a Gummy bear that has the right IR absorbtion profile, yes it will defeat it.

However, I can't imagine that if you're going to the trouble to reproduce fingerprints or activate latent ones that you couldn't do it using a material that has the right IR spectrum. Most likely they're just transmitting light and measuring relative absorbance at a few wavelengths, and it should be easy to make a plastic film that passes for blood in this test.

Re:Gummy bear attack

[femtobyte]

I haven't put a gummy bear on a spectrometer to check, but my naive guess is that plain gelatin (which is basically boiled-down skin and connective tissue bits anyway) would already have a very similar transmission profile to skin (e.g. fairly transparent with no strong/distinctive spectral features), so you wouldn't even need to search for fancier materials. Not that a little materials research would likely be a major deterrent to an attacker who is already willing to *murder and hack off body parts* to defeat your system.

Re:Gummy bear attack

[KiloByte]

And if a thin layer of unblooded skin would block the scan, it would also make it fail when cold or for people with circulation problems. Or, if the skin is sweaty, dirty, etc.

So a gummy bear mold comes well within required tolerances.

Re:Gummy bear attack

[Rich0]

Likely the case, but you'd still need to emulate the absorption spectra of oxygenated hemoglobin (to whatever resolution it is actually measured at - which isn't likely to be terribly accurate in a cheap and compact device). Again, probably just a piece of plastic with the right characteristics somewhere in the light path.

Re:Gummy bear attack

[femtobyte]

No, you don't need to "emulate the absorption spectra of oxygenated hemoglobin" --- the whole idea of the "gummy bear attack" is to put a thin fingerprint-replica cover, with material properties extremely similar to a layer of skin, over your real live finger (which provides the color, pulse, temperature, conductivity, elasticity, etc. of a living human, and can be used in plain sight of a security guard monitoring the scanner). A thin gelatin layer is likely to be very difficult to distinguish from a slightly thick-skinned (e.g. callused) real human finger, since gelatin is basically made from the same materials as human connective tissue.

Re:Gummy bear attack

[Rich0]

Oh, gotcha. That would obviously work.

I think the header to this article has a typo

[luke.a.steiger]

I believe the implied, and correct, is: "Fingerprint Purchasing Technology Ensures Buyer Has an IMPULSE"

10 years old

[EmperorOfCanada]

I read about this at least 10 years ago when some Japanese ATMs were going with fingerprints. They looked at the blood flowing through the skin to make sure they were looking at a live finger and also not just a faked fingerprint on a live finger.

Are they adding a pulse oximeter?

[rwyoder]

The article was delightfully free of actual info, but I assume they are just adding this: http://en.wikipedia.org/wiki/Pulse_oximetry

Slashvertisement without research

[stonecypher]

Yeah, the more expensive fingerprint readers have done this since the late 1980s. They can also tell if a retina was in a removed eye, et cetera.

Old idea

[drdread66]

Whoop-de-doo. There are several outfits that have done something similar over the years, including companies that have tens of thousands of fingerprint devices out on the street already. I would be somewhat surprised if the tech covered in this article is not already patented by Lumidigm or somebody like them.

"Liveness checks" have been a part of fingerprint tech for many years now, ever since the famous "ghosting" attack on the early L-1 and Cross Match sensors. Whoever wrote the article didn't do their homework if they think this is actually "news."

Sure

[ThatsNotPudding]

One would *never* be able to simulate a pulse in a dead finger.

/s

So they're finally going to deliver?

[jandrese]

I remember when fingerprint scanners first started getting widespread use people asked about "what if someone lifts my fingerprint, or worse, cuts off my finger?" and the manufacturers all said "Don't worry, it only works on live fingers." Then people tried it and discovered that yes, you can lift someone's fingerprint duplicate it, and the scanner is more than happy to take it. Luckily the latter has not proven popular (I don't know of any case of someone having a body part severed to defeat a biometric lock), but the former put a huge black eye on the concept of fingerprint scanners as security. Your average person leaves fingerprints everywhere and you'll never know if someone has gone and lifted them.

Re:So they're finally going to deliver?

[FrankSchwab]

Be enlightened:
http://www.bimmerfest.com/forums/archive/index.php/t-93096.html

Biometric security

[Arancaytar]

Because instead of taping your password to the screen or in your wallet, let's stamp it on everything you touch.

Easy to fool.

[angiasaa]

It can's detect silicone fingerprints. The cool thing about these, is that you don't have to cut off someones thumb and distracting a salesgirl while you press it to a scanner, you just act like nothing's wrong and thumb away.

I'm surprised anyone with even half a brain could have decided that a pulse was enough.
Guns can make people do amazing things, like placing their prints wherever the guy controlling the gun wants them placed.
You could engineer a pump to drive pulsed blood through the capillaries.
Heck, you could even heat the blood while you're pumping it. (This device does not detect temperature btw)

It is a solution, certainly, but wrought with a myriad of flaws. This ought to be a very long time to market I expect. Unless of course, they decide to give the job of redesigning the scanner to someone who's passed the fourth grade.

Re:Easy to fool.

[FrankSchwab]

You could engineer a pump to drive pulsed blood through the capillaries.
Heck, you could even heat the blood while you're pumping it. (This device does not detect temperature btw)

It is a solution, certainly, but wrought with a myriad of flaws. This ought to be a very long time to market I expect. Unless of course, they decide to give the job of redesigning the scanner to someone who's passed the fourth grade.

I didn't see it above, but this comment is the perfect place for the obligatory xkcd reference:
http://xkcd.com/538/

Re:Easy to fool.

[angiasaa]

Bwa haha! I should have seen the obvious connection before I submitted my comment or I'd have made the reference myself. But with good souls like yours, this world shall never lack in welcome sharp minded assistance. ;)

Re:The straw solution

[FrankSchwab]

Well, yes, they have. We build fingerprint swipe sensors where that attack is meaningless - the sensing surface is a single line that you "swipe" your finger across. Your suggested attack would, in the absolute worst case, cause the capture of a 50 micron tall line across the finger. Good luck getting that to match.

There are roughly a gajillion different designs of fingerprint sensors that have been built over the last 30 years. Many of them can be spoofed trivially (such as your attack), others are far more difficult. This particular one is probably spoofable, but the amount of work necessary to do so is probably significant enough that a $5 wrench would make for a more usable attack.

what about skimming?

[Joe_Dragon]

what about skimming?

Great

[dotar]

Linking biology to cryptography will just encourage criminals to either cut off my hand, or keep me alive just long enough to steal all my money.

Super + Jello or Latex

[tokencode]

Why can't you simply use misted cyanoacrylate to get a good impression of the desired print and mold customer latex gloves for yourself or use a gelatin impression on top of your finger with that person's finger/handprint?

Re:Super + Jello or Latex

[Time_Ngler]

Next to each machine will be an armed guard and a vat of acetone that the customer will be required to dip their hand into before performing the transaction.

:Super-Glue + Jello or Latex

[tokencode]

That should read Super-Glue

Won't always work with me.

[Barlo_Mung_42]

I have Raynaud's syndrome. There are times when it's cold and I've gone to the doctor's visit. They put the little gadget on my finger to take a reading and it doesn't work because the ends of my fingers are white. Will suck the first time I can't buy something because of this.

Dead Rights

[MaerD]

What about vampires, zombies, and other undead? How can this fit into a modern multi-vital society?

How differs from digitalpersona uareu c. 1997 ?

[TwineLogic]

The check-for-life feature is 15-20 years old.

It does measure Oxygen saturation to deduce pulse

[girlinatrainingbra]

It measures "Pulse Oximetry" which measures the ratio of oxygenated vs. deoxygenated hemoglobin in the blood by measuring infrared absorption at two wavelengths, wavelengths Î1=630 nm and Î2=940 nm. Here's the relevant information from their patent application at line 82, the preferred embodiment of the invention in http://www.faqs.org/patents/app/20120119089 : DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION [0082] Basically, the invention is based on the transmission properties of quasi-coherent pulsed near-infrared radiation on human epithelial tissue and its absorption by oxidised and deoxidised haemoglobin (25). It is also based on the reflection of near-ultraviolet (24) and pulsed UV-A (23) radiation on human epithelial tissue.

The presence of a "pulsatile" or time-varying signal will indicate the presence of a pulse and will also indicate the heart-rate and the oxygen saturation level of the blood. Using different wavelengths would allow for the measurement of CO_2 levels or of CO (carbon monoxide) levels also. This type of measurement is routinely done on neonates (newborns), intraoperatively, and in the post-surgical unit on patients coming out of anesthesia. I just studied some of it when I went on my hospital shadowing visits with my mom the doctor (!).

Mythbusters

[caspy7]

...busted this one already
http://youtu.be/3Hji3kp_i9k?t=2m42s
(that's a finger print lock that's detecting signs of life)

Look at the patent application

[girlinatrainingbra]

re I was hoping for more details.
.
Look at the patent application for this assigned to the company involved. It measures the change in oxygenation levels which varies slightly as each heartbeat pumps more blood through the vascular system. Here are some details. (it doesn't measure blood pressure, like some people were guessing above, it measures hemoglobin oxygenation/deoxygenation levels).
.
It measures "Pulse Oximetry" which measures the ratio of oxygenated vs. deoxygenated hemoglobin in the blood by measuring infrared absorption at two wavelengths, wavelengths $\lambda_1$=630 nm and \$lambda_2$=940 nm. [LaTeX mods inserted by moi] Here's the relevant information from their patent application at line 82, the preferred embodiment of the invention in http://www.faqs.org/patents/app/20120119089 : DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION [0082] Basically, the invention is based on the transmission properties of quasi-coherent pulsed near-infrared radiation on human epithelial tissue and its absorption by oxidised and deoxidised haemoglobin (25). It is also based on the reflection of near-ultraviolet (24) and pulsed UV-A (23) radiation on human epithelial tissue.

The presence of a "pulsatile" or time-varying signal will indicate the presence of a pulse and will also indicate the heart-rate and the oxygen saturation level of the blood. Using different wavelengths would allow for the measurement of CO_2 levels or of CO (carbon monoxide) levels also. This type of measurement is routinely done on neonates (newborns), intraoperatively, and in the post-surgical unit on patients coming out of anesthesia. I just studied some of it when I went on my hospital shadowing visits with my mom the doctor (!).

Re:Archimedes screw?

[Bryansix]

Thanks for trolling. http://www.popsci.com/science/article/2012-02/no-pulse-how-doctors-reinvented-human-heart?page=3

Re:It does measure Oxygen saturation to deduce pul

[Twylite]

At a glance the patent seems to be for a very specific approach to measuring pulse oximetry. The approach seems near identical to US patent 5737439 Anti-fraud biometric scanner that accurately detects blood flow. In any event the basic technique for using pulse oximetry for liveness testing is described in Sandstrom, "Liveness Detection in Fingerprint Recognition Systems", 2004 and Hill & Stoneham, "Practical applications of pulse oximetry", 2000. The use of two IR absorption measurements is not novel (see patent 5737439).

Re:It does measure Oxygen saturation to deduce pul

[girlinatrainingbra]

Re: The use of two IR absorption measurements is not novel (see patent 5737439).
;>)
correcto, they do in fact cite that particular patent in their own patent. Note the quote I included in my GP post also mentions the use of UV wavelengths too for measuring skin.