Posted by ryuzaki0 on from the what-about-contacts? dept.
prevost writes "Three bank machines using retina-scans were turned on in Texas yesterday. Cool because it's harder for me to lose my eyes than my ATM card. Scary because eyes're harder to replace after you're mugged. Read more about it "
Dead people's eyeballs? I don't think so
by Anonymous Coward · Score: 2
I don't think people will be stealing eyeballs. More likely people will be setting up fake temporary ATMs, with iris scanners, and when someone tries to withdraw money it will scan their iris but refuse to give them money claiming an error. This has been done before with regular ATM cash machines to capture PIN numbers (whilst 'swallowing' the cards).
The thieves can then go to a regular cash machine, pull out the camera, crocodile-clip the camera nodes to a lap-top, and play the scanned sequence back direct to the internal reader. They can then withdraw as much cash as they want.
Now here is the real problem with biometrics. With the fake regular ATMs, the banks and police can put out a warning and those that realise they have been duped can quickly cancel their cards and get new ones sent to them. So how exactly can someone do this with an eye pattern that will remain with them for life?
Re:We need this on the desktop
by slim · Score: 3
Hrm, the problem there is that an ATM can know (to some level of trustworthiness) that the data it's getting really is from an eye scanner. If the data's coming off the net, who knows - it might be coming off a hard disk, grabbed from a sniffer, or anywhere.... If your password gets compromised, you can change it.... how do you change your eyes?
As a side note, how do these things work with people who wear contacts sometimes and glasses other times. Would they not be able to wear contacts while using the ATM because it would mess up the iris scan? Anyone who knows something about this would be helpful, I don't want to look forward to a life where I have to take out my contacts every time I want to get money.
The iris pattern is processed and encoded into an IrisCode, which is stored in a database and used for recognition in any transaction when a live iris is presented for comparison. Eyeglasses and contact lenses are accommodated easily.
of course, this is specific to that company's implementation of iris recognition, but i suspect that it's all in the method. if you can algorithmically process an image of an iris into a representation that matches even after optical distortion, then you're set.
Everyone who's worried about getting mugged for their eyeballs -- do you have any idea how unlikely this is? Here's a breakdown:
- The mugger must knock you out and steal your wallet. This risk is already present.
- The mugger must not immediately leave the scene of the crime, even though he's already got whatever cash and credit cards you were carrying.
- The mugger must now use his scalpel, forceps, grapefruit spoon, melon baller, or whatever else he's got handy to remove your eyeball from the socket and sever the optic nerve and muscles that hold it in place, all without puncturing the eyeball in the process (which would probably result in an unusable iris due to the influx of blood).
- You must not wake up during any of this.
- Because of the $300-per-day limit your bank undoubtedly has on ATM withdrawals, the mugger must now appear on security video at multiple ATM locations over several days holding a severed eyeball, or the whole endeavor is only mildly profitable given the risk. Additionally, the eyeball must maintain its appearance for quite some time with no hydration or blood supply. Formaldehyde may help here; I don't know.
Conclusion: scalpel gangs are not going to rule the streets anytime soon. I'd be more worried about the reliability of the hardware, and the fact that while you can change a PIN, you can't easily change your iris pattern.
Dan Wineman
Who's to say some criminal won't just sit by the ATM, and when you go to withdraw, he pulls a gun off-camera, and tells you to give him the $300 you just withdrew?
I mean, all we've done here is make the crime all the more violent and personal, with the added bonus of throwing your privacy out the window. I *like* anonymity. I don't care that there's a 0.01% chance that somebody might guess my PIN and rip me off - that's what insurance is for. All I'm seeing is a bunch of greedy companies trying to keep the criminal element out... by compromising our privacy and anonymity.
Iris scanning for ATMs aims at solving a symptom (reliable access to cash) to a problem (cash itself).
What we need is a reliable anonymous electronic payment system. I think Mondex is close to this (although I don't know too much about it myself). Something where you can charge an electronic card up with cash units from your credit card in the comfort of your own home would give you:
1/ Greater security, since you're not getting a large quantity of cash at an obvious crime target (static ATM).
2/ You don't need to carry so much anonymous money, since you can recharge at your leisure.
Differentiating between anonymous money and verified money is important. Verified money (with a good verification system) is difficult to steal (a signature on a credit card slip is verified but it's not a good system). Anonymous money is necessary for your privacy, but is more attractive to criminals. The conversion point where you exchange verified -> anonymous money carries the greatest security risk and the sooner it is removed from public places the better.
I'd think that biometrics would be a security risk
by cpt kangarooski · Score: 3
Think about it - you've just eliminated the current ideal of compartmentalizing your proofs of identity (e.g. passwords, accounts, etc.) by having them all use a single key. Namely your eyeball, which will, sooner or later, not be all that useful once someone figures out how to spoof the scanner.
I'll stick with different passwords for everything important, thanks.
--
This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
Actually, we need an open source directory service
by cthonious · Score: 2
Something like NDS, but it won't do it any good until all the server apps are directory enabled.
sendmail, imap, inn, nfs, lpd, apache... all this stuff needs to be directory enabled. This way one can log on once and have access to all the network resources that are directory-aware.
We do have Open LDAP but I find it a bitch to set up and use. Don't know much about the Open Group's DCE, it looks expensive.
I guess one could roll one's own (using PAM and such), but that is more work than most people care to do.
--
support gun control: take guns from cops
Iris scans not retina scans...
by Ares · Score: 2
Everyone seems to be pointing this out. Can't imagine why. Anyway, I doubt most people would want to subject themselves to a retina scan given the current state of the art. It requires the scanner to come into direct contact with the eye. Not exactly my idea of a good time.
Re:Iris scans not retina scans...
by Duke of URL · Score: 2
Is that true? You need to put your eye against the scanner? I would NEVER put my cornea up against anything else that other people may have touched in any fashion. The cornea (clear part over your iris) does not receive direct blood flow, thus it is more difficult to fight off infections which could be picked up from direct contact with the scanner.
Here's a link to a picture of the anatomy of the eye
The person who sent in this link makes an excellent point... I wouldn't want to be mugged for my eyes. That's why I find it stupid to only have a single form of authentication. A PIN number or some other code should be used as well, to make eyes less attractive to would-be thieves.
1. something you HAVE
2. something you ARE
3. something you KNOW
/me shrugs. :)
Fashion Models better ATM disable their accounts
by Jon Luckey · Score: 2
An Iris is pretty huge. From what I can tell from the article, the eyes are not very close to the scanner and must have a fair amount of variation in closeness to the camera.
I am sure that there are plenty of pretty high resolution photographs that show details of people's irises. For example, people on magazine covers. How difficult would it be to laser print one on an elastomer sheet, and distort the iris sections mechanically to simulate pupil contraction. A photocell here, a solenoid there, a bit of circuitry, and boom, a photosensitive facial facsimile.
Sure, magazines could use Photoshop or such to replace irises in pictures before publication, but what about the thousands of pictures already out there?
Irises are just too 'out-there' in plain sight. It's like walking around with your PIN number tattooed on your face. Anyone with a telephoto camera could steal it.
--
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
Do these machines have instructions in Braille?
by fishbowl · Score: 2
How do they get around the A.D.A.? (There are Americans without eyes...)
-- -fb
Everything not expressly forbidden is now mandatory.
Desktop biometrics - dangerous unless done right
by XNormal · Score: 5
Using biometrics on your desktop for securing network logins is tempting but it is also very dangerous - there must be a secure path from the reader to the verifier. In the case of an ATM it is physically secured inside the ATM strongbox. On a network it would have to be a combination of cryptographic authentication and a tamper-resistant reader (no such thing as tamperproof).
Without this it would be ridiculously easy to sniff your iris/finger/hand/face/voice print over the network and impersonate you.
The embedded cryptographic engine inside the tamper resistant reader would use a challenge-response algorithm to enable the server to ensure that:
1. The scan comes from a real scanner
2. The scan has been performed in the last few seconds.
Without this, it is useless.
--
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
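The challenge-response check described in the comment above, sketched as an added example (not part of the original comment and not any vendor's protocol). HMAC-SHA256 with a per-reader shared key, the 5-second window, and the names `Reader`, `Server` and `demo` are assumptions; the scan bytes are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 5.0  # assumed value for "the last few seconds"


def _tag(key: bytes, device_id: str, nonce: bytes, scan: bytes) -> bytes:
    # Nonce (16 bytes) and scan digest (32 bytes) are fixed-length, so the
    # concatenation is unambiguous without separators.
    msg = nonce + hashlib.sha256(scan).digest() + device_id.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Reader:
    """Stand-in for the tamper-resistant scanner; the key never leaves it."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key

    def respond(self, nonce: bytes, scan: bytes) -> dict:
        # The MAC binds this scan to this challenge and this reader.
        return {"device_id": self.device_id, "nonce": nonce, "scan": scan,
                "tag": _tag(self._key, self.device_id, nonce, scan)}


class Server:
    """Verifier side: issues single-use challenges and checks responses."""

    def __init__(self, device_keys: dict, clock=time.monotonic):
        self._keys = device_keys
        self._clock = clock
        self._pending = {}  # nonce -> time issued

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = self._clock()
        return nonce

    def verify(self, msg: dict) -> str:
        # pop() makes every challenge single-use, which defeats replay.
        issued = self._pending.pop(msg["nonce"], None)
        if issued is None:
            return "rejected: unknown or reused challenge"
        # Property 2: the scan was made after the challenge, within the window.
        if self._clock() - issued > MAX_AGE_SECONDS:
            return "rejected: stale response"
        key = self._keys.get(msg["device_id"])
        if key is None:
            return "rejected: unknown reader"
        # Property 1: only a reader holding the device key can produce the MAC.
        expected = _tag(key, msg["device_id"], msg["nonce"], msg["scan"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad MAC"
        return "accepted"  # template matching would follow here


def demo() -> dict:
    now = [0.0]  # controllable clock so the stale case runs instantly
    key = secrets.token_bytes(32)
    reader = Reader("reader-01", key)
    server = Server({"reader-01": key}, clock=lambda: now[0])
    scan = b"constructed-sample-scan-bytes"

    results = {}
    msg = reader.respond(server.challenge(), scan)
    now[0] += 1.0
    results["fresh"] = server.verify(msg)
    results["replay"] = server.verify(msg)  # same message captured off the wire

    # Scan data known, but the sender does not hold the reader's key.
    nonce = server.challenge()
    results["no_key"] = server.verify({
        "device_id": "reader-01", "nonce": nonce, "scan": scan,
        "tag": _tag(secrets.token_bytes(32), "reader-01", nonce, scan)})

    late = reader.respond(server.challenge(), scan)
    now[0] += MAX_AGE_SECONDS + 1.0
    results["stale"] = server.verify(late)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:7s} {outcome}")
```

The MAC only authenticates the reader and the freshness of the scan; the scan bytes still travel in the clear here, so a real deployment would also encrypt the channel.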
Another privacy concern...
by MAXOMENOS · Score: 4
The inventor of this technology assures us that photographs of irises will not be distributed outside of the bank. But as we know, accidents (and outright negligence, and occasional criminal behavior) do happen.
It's easy to replace a stolen ATM card, and maybe even to get your ATM number changed. But what if your iris image gets stolen?? Once that cat is out of the bag, how can the bank ever trust your eyes again, and how can you ever prove that it wasn't you who withdrew $700 in Jamaica?
At the very least, they should incorporate a PIN number with this, to ensure that fraud doesn't occur. Even if they have your eyes, they can't get your money without a PIN. In my mind this would be the best solution all around: no card to lose, your eyes become immensely less valuable for a mugger, and if your iris photo is stolen, it only increases their chances of stealing your money to one in ten thousand. I'm not saying iris checking with PIN is crimeproof, but iris checking with no PIN is a rotten idea.
Actually...it's *iris* scanning...
by dschuetz · Score: 3
I hate to be picky, but these machines scan the details of your iris (the color in your eyes around the pupil), not the retina (which requires, IIRC, bright light and a close-in lens).
Other-n-that, pretty darned cool. Though I'd still like to have a code of some sort (might be nice to have an "emergency" code that'd provide money, but call the cops, too...or something like that...)
one of the cool things about iris scan technology is that it (can be configured so that it) rejects 'fake' id material like a photograph of an iris, some kind of model of an eye, or even a dead guy's eyeball.
the human pupil naturally oscillates and responds to changes in light level; a particularly secure iris recognition system could make use of this by, for example, providing a variable light source over the course of a few seconds to ensure that the iris is 'live' and not somehow simulated.
this is similar to the capabilities of that desktop face-recognition software that was going around a couple years ago - you could put it in a mode where it asked you to blink or smile or something during the recognition process. a bit less convenient but a bit more secure.
Even worse than scalpel muggings.
by the_tsi · Score: 2
What's MORE frightening is that five years from now everyone will be getting email chain letters that talk about some guy who goes to a party, gets a drink, and wakes up in a bathtub full of ice without his eyeballs.
-Chris
Backup system would be needed as well
by Kaa · Score: 3
The standard problem with the biometric systems: what happens if your body changes? What if I got conjunctivitis (eye inflammation)? or something happened to my brow and I have to have my eye bandaged? or I developed a temporary light sensitivity and have to wear a patch today? What about colored contact lenses?
The idea is good, but I'd like to have an alternative system available as well.
Kaa
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
a whole new reason for kidnapping
by avdp · Score: 3
Everybody has been talking about the possibilities of getting one's eyeballs ripped out of their face... Well, regardless of whether or not that would work (and it seems it wouldn't), I see an even greater danger than that! Kidnapping! Plain and simple!
here is the scenario i am imagining...
- you're walking somewhere, not suspecting anything bad.
- a stranger comes next to you, tells you he has a gun, to be real quiet. maybe he's holding you with a smile on his face, you know - like two friends or something.
- walks to an ATM, tells you to look at the machine
- withdraws cash
- either kills you, or just runs
Think about it! at least with a card or a pin, if you don't carry the card with you, there is nothing the criminal can do. And if you do carry it with you (I suspect most of us do), at least you have the option not to give the pin. or give a wrong pin, or something! With the eye thing, you can't leave your eyes home, and you can't lie. Seems like a criminals' perfect situation.
The number of passwords that a busy Net user (like me) has to remember is getting silly. I have a system for passwords which works most of the time, but I'd much rather get rid of the silly things.
What we need, and which may well happen within a few years, is a system like this for the desktop. It might work something like this: you'd run an iris scan server on each machine on the network. When authentication is required, the remote host connects to your iris scan server which gets the little camera mounted on your monitor to ID you using your iris pattern and send the data back just like a password.
quit worrying about being mugged for your eyes
by Merk · Score: 3
Just the other week I happened to be looking through the Sept. 1997 "Proceedings of the IEEE", which was a special issue on Automated Biometric Systems.
They mention that it is possible to tell whether the eye is alive or not:
Another interesting aspect of the iris from a biometric point of view has to do with its moment-to-moment dynamics. Due to the complex interplay of the iris' muscles, the diameter of the pupil is in a constant state of small oscillation. Potentially, this movement could be monitored to make sure that a live specimen is being evaluated. Further, since the iris reacts very quickly to changes in impinging illumination (e.g., on the order of hundreds of milliseconds for contraction), monitoring the reaction to a controlled illuminant could provide similar evidence. In contrast, upon morbidity, the iris contracts and hardens, facts that may have ramifications for its use in forensics.
This article even mentions Never Say Never Again as a way iris recognition came to popular attention. My guess is that people who have worked on iris recognition are familiar with its use in movies and books and have tried to overcome potential deficiencies that have been suggested there.
So if these guys did their homework you won't have to worry about being mugged for your eyes.
You thought the Pentium III Id was invasive...
by RiverRat · Score: 2
At least it tracked just a computer around the Internet. This tracks you! Not an employee who checked out the company laptop after you or your brother who borrowed it. Also, this is like having one user id and password for all your accounts. When someone figures out how to spoof it, look out. Melissa is a warning about monoculture systems. Bio-diversity and techno-diversity make for more robust systems.
Nationwide Building Society have been running trials of Iris scanning for around 18 months. Biggest problem is the cost of the machines, as the cameras are about 15k GBP...
People have been very willing to accept the technology as it's non-intrusive, and secure.
Bright light.... make it stop
by tykeal · Score: 2
An iris scan, not a retina scan, so for this to work, we've got to stick our eye up against some camera, while we have a really bright light shone directly into it so that it can check our iris?
Sounds to me like that would hurt, a lot. Don't mind me, I'm just light sensitive.
Then again, what about people that have cataracts? Are they not going to be able to use those ATM's or are they still going to have to carry around a card and remember a PIN? Dear me, what's the next step to get around this, DNA scanners? Sounds like Gattaca now *shiver*
Course to use a DNA scanner we'd be needing some source of DNA... they would probably want blood. There is no way that I'm walking up to a machine to get my finger pricked just so I can take money out. I'd rather carry a card and remember a PIN.
-tykeal- Just cause I wanna
Open standard for iris scanning?
by Tech Knight · Score: 2
Is this technology based on any open standards like Interac? If several banks start implementing iris scanners, will people be able to use a different brand of bank machine? And if so - doesn't that make the whole thing even more insecure? ;)
http://www.iriscan.com/ has some good information about iris scanning, particularly this page.
-- in china, chinese food is just called food.
The machine checks for a pulse in the eye...
For more information on this initiative, see the Nationwide's IRIS recognition info page.
Chiark.