Posted by
ryuzaki0
on from the what-about-contacts? dept.
prevost writes "Three bank machines using retina-scans were turned on in Texas yesterday. Cool because it's harder for me to lose my eyes than my ATM card. Scary because eyes're harder to replace after you're mugged. Read more about it "
Everyone who's worried about getting mugged for their eyeballs -- do you have any idea how unlikely this is? Here's a breakdown:
The mugger must knock you out and steal your wallet. This risk is already present.
The mugger must not immediately leave the scene of the crime, even though he's already got whatever cash and credit cards you were carrying.
The mugger must now use his scalpel, forceps, grapefruit spoon, melon baller, or whatever else he's got handy to remove your eyeball from the socket and sever the optic nerve and muscles that hold it in place, all without puncturing the eyeball in the process (which would probably result in an unusable iris due to the influx of blood).
You must not wake up during any of this.
Because of the $300-per-day limit your bank undoubtedly has on ATM withdrawals, the mugger must now appear on security video at multiple ATM locations over several days holding a severed eyeball, or the whole endeavor is only mildly profitable given the risk. Additionally, the eyeball must maintain its appearance for quite some time with no hydration or blood supply. Formaldehyde may help here; I don't know.
Conclusion: scalpel gangs are not going to rule the streets anytime soon. I'd be more worried about the reliability of the hardware, and the fact that while you can change a PIN, you can't easily change your iris pattern.
Dan Wineman
Desktop biometrics - dangerous unless done right
by
XNormal
·
· Score: 5
Using biometrics on your desktop for securing network logins is tempting but it is also very dangerous - there must be a secure path from the reader to the verifier. In the case of an ATM it is physically secured inside the ATM strongbox. On a network it would have to be a combination of cryptographic authentication and a tamper-resistant reader (no such thing as tamperproof).
Without this it would be ridiculously easy to sniff your iris/finger/hand/face/voice print over the network and impersonate you.
The embedded cryptographic engine inside the tamper resistant reader would use a challenge-response algorithm to enable the server to ensure that:
1. The scan comes from a real scanner 2. The scan has been performed in the last few seconds.
Without this, it is useless.
--
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Another privacy concern...
by
MAXOMENOS
·
· Score: 4
The inventor of this technology assures us that photographs of irises will not be distributed outside of the bank. But as we know, accidents (and outright negligence, and occasional criminal behavior) do happen.
It's easy to replace a stolen ATM card, and maybe even to get your ATM number changed. But what if your iris image gets stolen?? Once that cat is out of the bag, how can the bank ever trust your eyes again, and how can you ever prove that it wasn't you who withdrew $700 in Jamaica?
At the very least, they should incorporate a PIN number with this, to ensure that fraud doesn't occur. Even if they have your eyes, they can't get your money without a PIN. In my mind this would be the best solution all around: no card to lose, your eyes become immensely less valuable for a mugger, and if your iris photo is stolen, it only increases their chances of stealing your money to one in ten thousand. I'm not saying iris checking with PIN is crimeproof, but iris checking with no PIN is a rotten idea.
one of the cool things about iris scan technology is that it (can be configured so that it) rejects 'fake' id material like a photograph of an iris, some kind of model of an eye, or even a dead guy's eyeball.
the human pupil naturally oscillates and responds to changes in light level; a particularly secure iris recognition system could make use of this by, for example, providing a variable light source over the course of a few seconds to ensure that the iris is 'live' and not somehow simulated.
this is similar to the capabilities of that desktop face-recognition software that was going around a couple years ago - you could put it in a mode where it asked you to blink or smile or something during the recognition process. a bit less convenient but a bit more secure.
The number of passwords that a busy Net user (like me) has to remember is getting silly. I have a system for passwords which works most of the time, but I'd much rather get rid of the silly things.
What we need, and which may well happen within a few years, is a system like this for the desktop. It might work something like this: you'd run an iris scan server on each machine on the network. When authenication is required, the remote host connects to your iris scan server which gets the little camera mounted on your monitor to ID you using your iris pattern and send the data back just like a password.
Slashdot Mirror
- The mugger must knock you out and steal your wallet. This risk is already present.
- The mugger must not immediately leave the scene of the crime, even though he's already got whatever cash and credit cards you were carrying.
- The mugger must now use his scalpel, forceps, grapefruit spoon, melon baller, or whatever else he's got handy to remove your eyeball from the socket and sever the optic nerve and muscles that hold it in place, all without puncturing the eyeball in the process (which would probably result in an unusable iris due to the influx of blood).
- You must not wake up during any of this.
- Because of the $300-per-day limit your bank undoubtedly has on ATM withdrawals, the mugger must now appear on security video at multiple ATM locations over several days holding a severed eyeball, or the whole endeavor is only mildly profitable given the risk. Additionally, the eyeball must maintain its appearance for quite some time with no hydration or blood supply. Formaldehyde may help here; I don't know.
Conclusion: scalpel gangs are not going to rule the streets anytime soon. I'd be more worried about the reliability of the hardware, and the fact that while you can change a PIN, you can't easily change your iris pattern.Dan Wineman
Using biometrics on your desktop for securing network logins is tempting but it is also very dangerous - there must be a secure path from the reader to the verifier. In the case of an ATM it is physically secured inside the ATM strongbox.
On a network it would have to be a combination of cryptographic authentication and a tamper-resistant reader (no such thing as tamperproof).
Without this it would be ridiculously easy to sniff your iris/finger/hand/face/voice print over the network and impersonate you.
The embedded cryptographic engine inside the tamper resistant reader would use a challenge-response algorithm to enable the server to ensure that:
1. The scan comes from a real scanner
2. The scan has been performed in the last few seconds.
Without this, it is useless.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
The inventor of this technology assures us that photographs of irises will not be distributed outside of the bank. But as we know, accidents (and outright negligence, and occasional criminal behavior) do happen.
It's easy to replace a stolen ATM card, and maybe even to get your ATM number changed. But what if your iris image gets stolen?? Once that cat is out of the bag, how can the bank ever trust your eyes again, and how can you ever prove that it wasn't you who withdrew $700 in Jamaica?
At the very least, they should incorporate a PIN number with this, to ensure that fraud doesn't occur. Even if they have your eyes, they can't get your money without a PIN. In my mind this would be the best solution all around: no card to lose, your eyes become immensely less valuable for a mugger, and if your iris photo is stolen, it only increases their chances of stealing your money to one in ten thousand. I'm not saying iris checking with PIN is crimeproof, but iris checking with no PIN is a rotten idea.
Finding God in a Dog
the human pupil naturally oscillates and responds to changes in light level; a particularly secure iris recognition system could make use of this by, for example, providing a variable light source over the course of a few seconds to ensure that the iris is 'live' and not somehow simulated.
this is similar to the capabilities of that desktop face-recognition software that was going around a couple years ago - you could put it in a mode where it asked you to blink or smile or something during the recognition process. a bit less convenient but a bit more secure.
http://www.iriscan.com/ has some good information about iris scanning, particularly this page.
-- in china, chinese food is just called food.
The number of passwords that a busy Net user (like me) has to remember is getting silly. I have a system for passwords which works most of the time, but I'd much rather get rid of the silly things.
What we need, and which may well happen within a few years, is a system like this for the desktop. It might work something like this: you'd run an iris scan server on each machine on the network. When authenication is required, the remote host connects to your iris scan server which gets the little camera mounted on your monitor to ID you using your iris pattern and send the data back just like a password.