Posted by ryuzaki0 on from the what-about-contacts? dept.
prevost writes "Three bank machines using retina-scans were turned on in Texas yesterday. Cool because it's harder for me to lose my eyes than my ATM card. Scary because eyes're harder to replace after you're mugged. Read more about it "
Re:We need this on the desktop
by slim · Score: 3
Hrm, the problem there is that an ATM can know (to some level of trustworthiness) that the data it's getting really is from an eye scanner. If the data's coming off the net, who knows - it might be coming off a hard disk, grabbed from a sniffer, or anywhere.... If your password gets compromised, you can change it.... how do you change your eyes?
Everyone who's worried about getting mugged for their eyeballs -- do you have any idea how unlikely this is? Here's a breakdown:
- The mugger must knock you out and steal your wallet. This risk is already present.
- The mugger must not immediately leave the scene of the crime, even though he's already got whatever cash and credit cards you were carrying.
- The mugger must now use his scalpel, forceps, grapefruit spoon, melon baller, or whatever else he's got handy to remove your eyeball from the socket and sever the optic nerve and muscles that hold it in place, all without puncturing the eyeball in the process (which would probably result in an unusable iris due to the influx of blood).
- You must not wake up during any of this.
- Because of the $300-per-day limit your bank undoubtedly has on ATM withdrawals, the mugger must now appear on security video at multiple ATM locations over several days holding a severed eyeball, or the whole endeavor is only mildly profitable given the risk. Additionally, the eyeball must maintain its appearance for quite some time with no hydration or blood supply. Formaldehyde may help here; I don't know.
Conclusion: scalpel gangs are not going to rule the streets anytime soon. I'd be more worried about the reliability of the hardware, and the fact that while you can change a PIN, you can't easily change your iris pattern.
Dan Wineman
I'd think that biometrics would be a security risk
by cpt+kangarooski · Score: 3
Think about it - you've just eliminated the current ideal of compartmentalizing your proofs of identity (e.g. passwords, accounts, etc.) by having them all use a single key. Namely your eyeball, which will, sooner or later, not be all that useful once someone figures out how to spoof the scanner.
I'll stick with different passwords for everything important, thanks.
--
This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
The person who sent in this link makes an excellent point... I wouldn't want to be mugged for my eyes. That's why I find it stupid to only have a single form of authentication. A PIN number or some other code should be used as well, to make eyes less attractive to would-be thieves.
1. something you HAVE
2. something you ARE
3. something you KNOW
/me shrugs. :)
Desktop biometrics - dangerous unless done right
by XNormal · Score: 5
Using biometrics on your desktop for securing network logins is tempting but it is also very dangerous - there must be a secure path from the reader to the verifier. In the case of an ATM it is physically secured inside the ATM strongbox. On a network it would have to be a combination of cryptographic authentication and a tamper-resistant reader (no such thing as tamperproof).
Without this it would be ridiculously easy to sniff your iris/finger/hand/face/voice print over the network and impersonate you.
The embedded cryptographic engine inside the tamper resistant reader would use a challenge-response algorithm to enable the server to ensure that:
1. The scan comes from a real scanner
2. The scan has been performed in the last few seconds.
Without this, it is useless.
--
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
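The challenge-response exchange described in the comment above, as an added example that is not part of the original post: the server issues a one-time challenge and the reader authenticates the scan with a key held only inside the device. The shared HMAC device key, the 5-second window, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_AGE_SECONDS = 5  # assumed meaning of "the last few seconds"


class Reader:
    """Stand-in for the tamper-resistant reader; the key never leaves it."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def respond(self, challenge: bytes, template: bytes) -> dict:
        # The tag binds this scan to the server's one-time challenge.
        tag = hmac.new(self._key, challenge + template, hashlib.sha256).digest()
        return {"challenge": challenge, "template": template, "tag": tag}


class Verifier:
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}  # challenge -> time it was issued

    def new_challenge(self, now: float) -> bytes:
        challenge = secrets.token_bytes(16)  # fixed length, unpredictable
        self._pending[challenge] = now
        return challenge

    def accept(self, msg: dict, now: float) -> bool:
        # Single use: a challenge is removed the first time it is presented.
        issued = self._pending.pop(msg["challenge"], None)
        if issued is None or now - issued > MAX_AGE_SECONDS:
            return False  # unknown, already used, or too old
        expected = hmac.new(self._key, msg["challenge"] + msg["template"],
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["tag"])


def demo() -> dict:
    key = secrets.token_bytes(32)            # constructed device key
    template = b"constructed-iris-template"  # constructed sample scan data
    reader, server = Reader(key), Verifier(key)

    c1 = server.new_challenge(now=100.0)
    fresh = reader.respond(c1, template)
    results = {"fresh": server.accept(fresh, now=102.0)}
    results["replayed"] = server.accept(fresh, now=103.0)  # same message again

    c2 = server.new_challenge(now=200.0)  # sender knows the template, not the key
    forged = {"challenge": c2, "template": template, "tag": fresh["tag"]}
    results["no_device_key"] = server.accept(forged, now=201.0)

    c3 = server.new_challenge(now=300.0)
    results["stale"] = server.accept(reader.respond(c3, template), now=330.0)
    return results
```

The template travels in the clear here; the exchange only proves the scan came from a keyed reader after the challenge was issued, so a captured template alone is rejected.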
Another privacy concern...
by MAXOMENOS · Score: 4
The inventor of this technology assures us that photographs of irises will not be distributed outside of the bank. But as we know, accidents (and outright negligence, and occasional criminal behavior) do happen.
It's easy to replace a stolen ATM card, and maybe even to get your ATM number changed. But what if your iris image gets stolen?? Once that cat is out of the bag, how can the bank ever trust your eyes again, and how can you ever prove that it wasn't you who withdrew $700 in Jamaica?
At the very least, they should incorporate a PIN number with this, to ensure that fraud doesn't occur. Even if they have your eyes, they can't get your money without a PIN. In my mind this would be the best solution all around: no card to lose, your eyes become immensely less valuable for a mugger, and if your iris photo is stolen, it only increases their chances of stealing your money to one in ten thousand. I'm not saying iris checking with PIN is crimeproof, but iris checking with no PIN is a rotten idea.
Actually...it's *iris* scanning...
by dschuetz · Score: 3
I hate to be picky, but these machines scan the details of your iris (the color in your eyes around the pupil), not the retina (which requires, IIRC, bright light and a close-in lens).
Other-n-that, pretty darned cool. Though I'd still like to have a code of some sort (might be nice to have an "emergency" code that'd provide money, but call the cops, too...or something like that...)
one of the cool things about iris scan technology is that it (can be configured so that it) rejects 'fake' id material like a photograph of an iris, some kind of model of an eye, or even a dead guy's eyeball.
the human pupil naturally oscillates and responds to changes in light level; a particularly secure iris recognition system could make use of this by, for example, providing a variable light source over the course of a few seconds to ensure that the iris is 'live' and not somehow simulated.
this is similar to the capabilities of that desktop face-recognition software that was going around a couple years ago - you could put it in a mode where it asked you to blink or smile or something during the recognition process. a bit less convenient but a bit more secure.
Backup system would be needed as well
by Kaa · Score: 3
The standard problem with the biometric systems: what happens if your body changes? What if I got conjunctivitis (eye inflammation)? or something happened to my brow and I have to have my eye bandaged? or I developed a temporary light sensitivity and have to wear a patch today? What about colored contact lenses?
The idea is good, but I'd like to have an alternative system available as well.
Kaa
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
a whole new reason for kidnapping
by avdp · Score: 3
Everybody has been talking about the possibilities of getting one's eyeballs ripped out of their face... Well, regardless of whether or not that would work (and it seems it wouldn't), I see an even greater danger than that! Kidnapping! Plain and simple!
here is the scenario i am imagining...
- you're walking somewhere, not suspecting anything bad.
- a stranger comes next to you, tells you he has a gun, to be real quiet. maybe he's holding you with a smile on his face, you know - like two friends or something.
- walks to an ATM, tells you to look at the machine
- withdraws cash
- either kills you, or just runs
Think about it! at least with a card or a pin, if you don't carry the card with you, there is nothing the criminal can do. And if you do carry it with you (I suspect most of us do), at least you have the option not to give the pin. or give a wrong pin, or something! With the eye thing, you can't leave your eyes home, and you can't lie. Seems like a criminals' perfect situation.
The number of passwords that a busy Net user (like me) has to remember is getting silly. I have a system for passwords which works most of the time, but I'd much rather get rid of the silly things.
What we need, and which may well happen within a few years, is a system like this for the desktop. It might work something like this: you'd run an iris scan server on each machine on the network. When authentication is required, the remote host connects to your iris scan server which gets the little camera mounted on your monitor to ID you using your iris pattern and send the data back just like a password.
quit worrying about being mugged for your eyes
by Merk · Score: 3
Just the other week I happened to be looking through the Sept. 1997 "Proceedings of the IEEE", which was a special issue on Automated Biometric Systems.
They mention that it is possible to tell whether the eye is alive or not:
Another interesting aspect of the iris from a biometric point of view has to do with its moment-to-moment dynamics. Due to the complex interplay of the iris' muscles, the diameter of the pupil is in a constant state of small oscillation. Potentially, this movement could be monitored to make sure that a live specimen is being evaluated. Further, since the iris reacts very quickly to changes in impinging illumination (e.g., on the order of hundreds of milliseconds for contraction), monitoring the reaction to a controlled illuminant could provide similar evidence. In contrast, upon morbidity, the iris contracts and hardens, facts that may have ramifications for its use in forensics.
This article even mentions Never Say Never Again as a way iris recognition came to popular attention. My guess is that people who have worked on iris recognition are familiar with its use in movies and books and have tried to overcome potential deficiencies that have been suggested there.
So if these guys did their homework you won't have to worry about being mugged for your eyes.
http://www.iriscan.com/ has some good information about iris scanning, particularly this page.
-- in china, chinese food is just called food.