Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security

Fun with Fingerprint Readers 300

Posted by michael
from the black-forest-or-haribo dept.
Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.
This discussion has been archived. No new comments can be posted.

Fun with Fingerprint Readers

Comments Filter:
  • by CitznFish (222446) on Wednesday May 15, 2002 @05:36PM (#3526359) Homepage Journal
    Can I buy the Gelatine at the Store and use it to falsely pay for my groceries? How convenient! :)
  • Biometrics (Score:2, Redundant)

    by Computer! (412422)
    Could someone please explain the problem with biometrics for ID? I mean, I get the creeps when I think about companies storing biometric data, but I'm not sure why. Why should I be scared? This is a legitimate question. Please outline a scenario for misuse, or the downsides to using biometrics for identification.

    Thanks.

    • Re:Biometrics (Score:5, Interesting)

      by gclef (96311) on Wednesday May 15, 2002 @05:56PM (#3526476)
      If a credit card database is compromised, you lose integrity of the card. This means someone else can use the card to impersonate you. But it's a number. You don't really care, since you can get another number and revoke the compromised one.

      On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.

      In general, biometrics are more accurate for authentication, but their failure modes are much more severe.
      • by sydb (176695) <michael.wd21@co@uk> on Wednesday May 15, 2002 @05:58PM (#3526492)
        On the other hand, if a biometric database is compromised, you lose the integrity of a part of your body. This means someone can now use tricks like the gelatin one outlined here to impersonate you. But you can't get another body. You can't revoke the compromised data.

        Well, I've got ten fingers and ten toes. That makes me good for twenty lost body parts, if I can get my foot up onto the checkout without straining my groin.
      • The way a biometric database *Should* work is to take some data points from the image and then create a hashfrom the data points. This should be done for the same reason you should NOT store passwords, but rather their hash. The other reason for hashing the data is that is going to be much smaller and quicker to search. OTOH drives are cheap and...
        • Unfortunately, this weakens the "uniqueness" of the biometric. Whether it weakens it enough to make it pointless obviously depends on how you take the hash.

          Also, if you're only taking the hash, that makes the system easier to spoof, since an attacker doesn't care about the whole print, just its values at certain points.
          • There's ways to make the hash unique to that fingerprint, and only that fingerprint, just like passwords work. It's just a one-way encryption.

            What's this idea that hashs weaken the uniqueness of its data? If that was the case, password crackers would be a LOT faster than they are.
      • But credit cards can be used remotely (telephone, web, etc..) And with a bit more equipment, expertise and time one could duplicate thousands and thousands of credit cards.

        But since biometics would happen locally, could the average criminal get the biometric database, duplicate a fingerprint from the encoded fingerprint data and use it? How about cloning up some DNA? Beyond a physical attack, these things don't come easily, and definately not in the volume of compromised users that would make something like this profitable.

        Biometrics are nice not because it will be impossible to duplicate, but rather because it will be difficult and expensive to duplicate.

        • I think we misunderstand each other. I acknowledge that they're difficult to duplicate. That's not what I'm worried about. What I'm worried about is how you can deal with duplication.

          Duplication/compromise of the system *will* happen, if the reward is high enough. The question becomes, what do you do then? For traditional card systems, you revoke the card. You can't do that with biometrics, which is a concern for any system of this sort.
      • A lot of people make the mistake of thinking that the security of biometric systems relies on keeping the biometric data secret. I can steal your finger prints much easier ways than breaking into a biometric database, ala latent prints. For there to be real security the system to which you are authenticating needs to verify two things: one that the biometric data provided is that of the person trying to authenticate, and second that the data is coming from a valid tamperproof biometric scanner. The second part is certainly very tricky, basically you need very good scanners (which apparantly aren't common), and an infrastructure where you have a certificate for the known good scanners, and you only accept biometric data signed by one of those certificates. To scale better a PKI system could be employed with a certificate authority to manage the certificates of scanners.
    • Re:Biometrics (Score:5, Insightful)

      by kabir (35200) on Wednesday May 15, 2002 @05:56PM (#3526480)
      How about this?

      You shop at a supermarket where your checkout is governed by your fingerprint. This works pretty well, for you... they store some personal info (CC#, name, address, etc.) and you just touch a pad to check out.

      Now imagine that someone manages to replicate your fingerprint (which sounds like it will take about $10 and an afternoon). What do you do? If it were a credit card which had been stolen you could have it destroyed and reissued... but that doesn't work with your finger! Once someone spoofs your finger, it's over. You can never use your finger for ID again, because it's not certain that you're the only one.

      That's bad.

      Or how about this: Biometrics are easy. Really easy. I mean, you don't have to carry anything, you don't have to remember anything, it's great!
      Which is why all kinds of places like video stores, restaurants, etc. would love it... they could make things more convenient for their customers and get faster customer service times, etc. The big drawback is that every transaction is indellibly associated with _you_. Right now, you can pay cash, give fake names, etc. and leave no trail as to what porn you rent, or how much cabbage you buy (you cabbage loving sicko!), but with super-convenient biometrics they know _exactly_ who you are every time.

      That's probably bad too.

      What's worse? Well, consider that you're pretty attached to your body in general. Though it's possible for you to get fake ID, a fake birth certificate, etc. there's very little in the way of a fake body you can get (plastic surgery aside, modifying the bits used for biomentrics isn't generally feasble - think retinal scans). So now, if for some reason you need a new identity, you pretty much can't have one. There's just no slipping through the cracks.

      Why is that bad? Well, it's really only bad if you are doing something illegal, right? Sadly, "something illegal" often can be translated as "something politically unpopular". The idea that we should have the ability to change our government, by revolution if need be, is so deeply ingrained into the Western conciousness (and maybe the Eastern as well, though I don't know...)that it's not at all surprising you get creeped out by biometrics.
      • Re:Biometrics (Score:5, Insightful)

        by 7-Vodka (195504) on Wednesday May 15, 2002 @06:32PM (#3526625) Journal
        What's worse? Well, consider that you're pretty attached to your body in general. Though it's possible for you to get fake ID, a fake birth certificate, etc. there's very little in the way of a fake body you can get (plastic surgery aside, modifying the bits used for biomentrics isn't generally feasble - think retinal scans). So now, if for some reason you need a new identity, you pretty much can't have one. There's just no slipping through the cracks.

        Why is that bad? Well, it's really only bad if you are doing something illegal, right?

        Wrong! What if you're in a witness protection program?
        OR if you simply have a stalker and need to change your identity? Or if you have a shite name and you wanna change it. Or if things about you change, like you had leprosy but are now cured. Somone with outdated info will read you still have leprosy.
        Your data is probably readily available from many sources, some of which will be insecure. You're screwed.

      • Now imagine that someone manages to replicate your fingerprint (which sounds like it will take about $10 and an afternoon)

        Umm, they need your finger to do that. It is possible that I might not notice a thief picking my pocket, but I'm pretty sure I'd notice if he were trying to make a gelatin mold out of my finger.
        • Umm, they need your finger to do that. It is possible that I might not notice a thief picking my pocket, but I'm pretty sure I'd notice if he were trying to make a gelatin mold out of my finger.

          Did you read the article? It plainly stated that the most interesting part of the experiment was lifting fingerprints from a surface and producing an artificial finger.

      • by JackAsh (80274) on Wednesday May 15, 2002 @07:01PM (#3526761)
        I'm a Security Consultant and I'm currently working on purchasing and installing some Biometrics authentication system at my company. This probably makes me biased towards Bio, but at the same time, it also means I've been studying and contemplating the issue for some time now.

        Biometrics, like any other system, has it's flaws. Schneier himself points out in a previous article "Biometrics is a unique identifier, not a secret". And now it doesn't even appear to be a unique identifier. So what gives?

        What gives is that it's quite possibly the best system around, at least when compared to all the others. What are your alternatives? Passwords? Digital Certificates? Smart (dumb) cards? SecureID tokens? None of these are as unique to a user as a Biometric is. As a matter of fact, NONE of these are unique to a user - Certs are unique to the computer or card they reside on, the cards and tokens are physical objects that anyone can have, and finally your password everyone knows because you wrote it on a Post-It(TM) note on your monitor (or under the keyboard or tape dispenser).

        Now, that doesn't mean you can blindly put a Biometrics system in place and call it a day. Installing a setting up Biometrics requires thought, consideration and risk analysis.

        To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorigthm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.

        Regarding anonymity, it will still exist. Nobody will stop you from going to the ATM and picking up cash before you head to the store to get the Goatse man's greatest gaps volume 16.

        Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.

        As for the "identification" issue with Biometrics, allow me to illustrate one simple point - most commercial Biometric fingerprint systems have a false acceptance rate of 1 in 100000 at most. Any decently sized organization compiling Biometric data will probably register a heck of a lot more. Identifying a user in a big population from a random biometric sampling is a data processing nightmare - that's why that whole Visionics video-camera-at-stadium thing sucked so bad. Biometrics however are really good for saying "My name is John Doe, and here's a fingerprint (or two) to prove it". Or, at a company case "my userid is jdoe and here's my fingerprint to prove it".

        This problem is the identification (finding user in a population) versus authentication (verifying a claimed ID) problem, and it's much discussed in Biometric literature. God knows I've had to preach this one out about 600 times in the past few months when meeting with different departments.

        So it really comes down to implementation, and alternatives. You can have your money tied to a credit card number, and when someone finds the receipt you threw away they can impersonate you at Amazon.com until the next bill arrives. Or, you can have it tied to you card, but need a fingerprint to access the card. The idea is enhancing, not necessarily replacing.

        As a lot of you have heard, authentication/verification systems usually work with something you know (password, pin), something you have (token, smart card, mag card) or something you are (biometric). The best systems use all of the above.

        Even then you still need to figure out your risk scenario. For your average office building with access controls at doors and other entry points a system asking for "userid" and "biometric" will probably be good enough. If you're running a DoD installation with nuclear weapons, I expect a system with ID check, Smartcard, 10 fingerprints, retina scan and password will be necessary (I hope).

        Finally to address this cool gelatin crack - this is neat stuff. I'm glad to see that people are coming up with potential attacks - it makes the developers of this stuff work even harder to create systems that can't be fooled. The latest capacitive sensors I've seen might not even be fooled by this - they claim they read the second or third layer of skin, not the external one. But even if it does fool them, it won't in a few months.

        Remember, biometrics are not your enemy - if anything they help keep your privacy stronger by providing better control of who gets to pretend to be you (imagine your PGP keys being protected by a passphrase AND a fingerprint or two). There will always be issues with this or any other system - I just can't think of one that will be better than a properly implemented Biometric system.

        -Jack Ash
        • Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.

          Yes, they are two different concepts, but you're sort of implying that being able to escape liability isn't important or desirable (from a social, not an individual, standpoint). I think I rather dissagree with this.

          Heck, let's take the easy witness protection program that someone else mentioned in this sub thread. Assuming that my biometrics are on file with a bunch of different businesses, agencies, etc. How is it then possible to change my name and dissapear? As long as cash remains a viable option then there's the cash only solution, but cash becomes less and less viable every day, though hardly anyone notices. Public prejudice ("who would need/have such a large amount of cash but a criminal?" and other such drivel) are as much at fault as anything else.

          Bottom line is: there is, I believe, value to being able to shed one's identity, and biometrics is completely at odds with that.
          • You raise interesting points. While there is a need for things like a witness protection program, what is making the system work is that systems have too many fingerprints in store, and there is a finite, highly probable chance that other people share your biometric - it's just that they don't know it. Comparing the minutiae points of two fingerprint samples might give a certain percentage match, but not 100% - A lot of other people (most systems default to 1 in 10000 false acceptance rate) will have a similar fingerprint given a large enough population in a business database. It is also computationally infeasible (most likely) to run a match against all fingerprints in the system once you have a large enough database (of course, this argument falls down with enough computing power and time).

            In any event, as you yourself agree cash is always available as a last resort. And if you truly need a witness protection program I expect the Government will have enough resources to change or wipe your records from at least the databases that matter. Hopefully together with the new ID you'll move far away enough that you won't need to frequent the same businesses you were before (and a nice hello to globalization issues here).

            Yes, I realize there will be problems, but nothing irresoluble with good will and a little bit of effort.

            Think of the advantages on the other hand - Joe Shmoe is behind his child support payments and has skipped state - well, guess what - now you have a good chance of finding that deadbeat and getting him back on plan... And so on for any other number of crimes.

            Look at it this other way. Shedding your ID right now is most likely illegal in some way (note, I said likely - there might be cases and forms in which it xan be done legally). And difficult. But it can be done. And people can still track you, with difficulty, but it can be done. This is merely one of those technologies that will make the former harder and the latter easier, but both will still be possible.

            -JackAsh
        • To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorigthm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.

          Sounds like little more than security through obscurity, and we know were that's gotten us in the past. Using an encoding system that is difficult to understand and assuming that no one will figure it out is not a good idea - I think the telephone companies have plenty of stories to back that up.

          I also don't buy the argument that it would be impossible to create a fingerprint that generated the same hash points. As I see it, this is little different than crypt()ing passwords. Of course the function is one-way so that you can't derive the original data from the hash, but given enough processing time and knowledge of the algorithm(s) an input can be generated that creates the same hash.

          The biggest problem I see with bioinformatics (or at least fingerprints) is that they are forever tied to you. Passwords can be changed infintely, but you can't very will replace your fingers if someone dupes the prints.

          • Penguin,

            Actually there is no obscurity here - it's just a sound mathematical principle. Think about it this way - when you digitally sign a message with PGP or with a certificate a mathematical signature is created with a digest from your message that verifies in no uncertain terms that that message has not been tampered with (within a certain degree of probability). Obviously, the cryptographic message digest is of a certain fixed, limited size, which means there are a lot of character combinations that could have generated a digest like that, it's just that you are not likely to a) encouter them; or b) find one that makes sense in any language.

            Fingerprints are similar to that. I'd suggest going to google images and search for the term "fingerprint minutiae" there's several graphics there that can explain it better than I ever will. But to simplify, let me suggest a simplified model:

            My fingerprint, when scanned, results in a model that contains an XY grid centered in the image, with a diagonal ridge at coordinates 5,17; and a whorl at -6, 12; and a fork at 3, -4.

            Now there's about 80 other minutiae on my finger, that my current scanner picks up, but this will suffice. As you can imagine you cannot reconstruct my fingerprint from this data. It's just impossible. You might get an idea of what it looks like, but it's never exact because the minutiae are not enough to describe the print itself.

            You argument is sound - this is very similar to the crypt() function. One way, etc.

            Except with this data you can very easily generate one print that will fool this one algorithm. Real easy, even - much more so than brute forcing a crypt() hash. Just create a basic fingerprint and modify it to contain those features within it. Heck, even make it a bit imperfect - a fingerprint is never read the same way twice, and most modern algorithms are smart enough to check for identity matches.

            The problem is that the next algorithm at a different ATM or shop doesn't look for the same features, but rather different ones. It might focus on ridges exclusively and their relation to each other, or some other random bit. And unfortunately you do not have that data - you just have the data that was important to the other algorithm. In essence the minutiae algorithms are EXTREMELY lossy, so much so that you would need to crack more databases than you want in order to compromise a single print.

            And hey, if all your fingerprints are compromised you can always switch back to passwords :).

            I guess my point is technology will make it infeasible to duplicate fingerprints exactly - Biometrics (at least as related to computer authentication) are still in their infancy. Being able to dupe a system with a jello mold is not exactly an attack that should succeed on a mature system. But it'll grow, and get so insanely good it'll take a heck of a hack to get through it. :)

            -JackAsh
      • Re:Biometrics (Score:4, Insightful)

        by jimmcq (88033) on Wednesday May 15, 2002 @07:09PM (#3526786) Journal
        any decent security needs to include at least two out of "somthing you are", "something you know", and "something you have".

        In this case "somthing you are" is a fingerprint.

        "something you know" is a pin number or password.

        "something you have" is typically something like a credit card, smart card, security fob, etc. This category doesn't apply to the case at hand.

        So, once somebody replicates your fingerprint, all you need to do is change your pin number. Problem solved.
        • Sure, you can change you pin, but once someone has your fingerprint (or whatever) then, unless you start adding furthur id/auth methods then you effectively only have one thing, not two, which makes it much easier to get by your security.

          That's the advantage that stuff which is not a part of your body has... you can change it.

          For example: if somone manages to replicate my SecurID token (I know it's tricky, but just pretend here) then yeah, I can just change my password, but the amount of effort they have to go through to get my new pin is certainly less than they had to go through to get both my old pin _and_ replicate my token. Naturally, for maximum security I'd want to change both.

          Can't do that with biometrics.
      • It has been shown by some studies that fingerprints aren't really as unique as we imagine. What do you do when you are the 1 in the millionth person who has the same print as someone else? I'd imagine you'd start noticing it when someone else's groceries start getting delivered to your door, or somehow your address keeps getting changed at your health club or whatever.

  • by KFury (19522) on Wednesday May 15, 2002 @05:43PM (#3526397) Homepage
    I'd rather that someone be able to go through a fair amount of trouble and fool the device, because if they didn't, then they might have to resort to cutting off my finger. Give them an easier way, and one that leaves me digitally intact!

    Any way you look at it, it's still more secure than credit card numbers. Then again, you can always cancel your credit card number. What would you do here, cancel that finger, and start using another? You can only do that for so long...
    • As I understand it, some of the system measure other stuff like tissue density and electrical charge, so a chopped off finger won't work.

      That having been said if someone's willing to hack off a person's finger to get access to their ATM (or whatever) why not just hold a gun on them and make them access it.
    • a recent email response from a rep for the Authentec [authentec.com] line of fingerprint scanners regarding use of their scanner via a "stolen" finger:
      ... "I checked into your question regarding the fingerprint scanner. The fingerprint scanner requires a live layer of skin to work. A finger that has been cut off will still be "live" for a certain period of time and will therefore work in the scanner. The actual time frame has not been determined as no one has volunteered to be a test subject." ...
  • by oasisbob (460665) on Wednesday May 15, 2002 @05:44PM (#3526401)
    Bill Cosby... As a security consultant? Yikes.
  • by kaustik (574490) on Wednesday May 15, 2002 @05:44PM (#3526406) Homepage
    Mod me if I'm wrong, but this still sounds like a fairly secure system. Right now, any old bum can steal a credit card and run down to Safeway. With this, people have to put in a little effort to card that bottle of JD. There will always be holes.
    • by driehuis (138692) on Wednesday May 15, 2002 @07:56PM (#3527014)
      Several people have pointed out the issue of key revocation (you'll find it very hard to type).

      But what's worse in *this* particular case is the demonstration that latent finger prints can near-trivially be developed into a fingerprint glove that fools the device. Just picture it... A would-be thieve would watch you in the supermarket, picking up a bottle of Coke, put it back because you do prefer Mountain Dew after all. He picks up that bottle by the neck, pays for it with cash. From there on he could plunder your credit card.

      Sounds scary to me...
    • Just wait until they start selling them (whether on the internet or in the dark alley next to the store) like CC numbers.
    • Right now, any old bum can steal a credit card and run down to Safeway

      Right. And then you say "Ah crap." You call the credit card company. They say "no biggie." And you're limited to $50 in liability. They give you a new 12-digit number, and everyone goes home happy. Not a big deal.

      I fail to see why this is a "big step up" or an "improvement." At some point, your biometric information is reduced to a series of zeroes and ones. Kinda like a credit card holds on its magnetic stripe. Except that you can only get a "new number" 10 times.

      So fine, maybe they can't steal your physical credit card any more. But you do a lot of purchases over the phone or internet, right? So now you get a thumbscanner for your serial port, and you scan yourself when you want to make a purchase instead of typing in your twelve digit PIN. Since a bunch of zeroes and ones fly over the Internet in either case, this is no more secure at all!

      If it ain't broke... don't fix it!
    • Except that read the article, it says he can use latent fingerprints. Fingerprints are on everything. Somone who works at a restaurant could make a goldmine with latent fingerprints. All you need is some powder and some tape and you can get all the prints you want from anywhere peoples hands come in contact with a smooth surface.
  • by austad (22163) on Wednesday May 15, 2002 @05:45PM (#3526407) Homepage
    Wow, this is a much better solution than I've been using, and much less bloody.
  • OLD news (Score:2, Interesting)

    by Anonymous Coward
    People were lifting latent fingerprints and using litography to create fake fingerprint readers a decade ago (although Im pretty sure they used some sort of plastic latex or silicone or something, makes a lot more sense than gelatin). On national TV no less, the nation being the Netherlands. Our major Airport was using a fingerprint system for VIPs to bypass the passport checks in those days, so it made a nice splash.

    That airport also funded development of an iris scanner they are using at the moment BTW, which is now being licensed to IBM and some others ... fingerprints were tried and rejected a long time ago, why are we still seeing shit like this now?
  • by T3kno (51315)
    Macgyver did this with a glass and some candle wax :)
  • by rw2 (17419) on Wednesday May 15, 2002 @05:46PM (#3526420) Homepage
    Bruce quotes research showing that you *can* fake fingerprints. Something that the vendors claim is impossible.

    However, the kroeger system falls back to the old "bring something, know something" mode which makes it much more secure.

    Sure someone can duplicate my fingerprint (how easy that would be to both do and hide when checking out is another point, but let's assume that it's reasonable to lift a latent print, make a mold and check through without the clerk noticing), but they still must know my pin.

    This is no worse than the current system of debit cards with mag stripes on the back that are trivial to duplicate with not much more equipment.

    It is, however, much more convenient.

    Assuming I can change my pin to be something other than my telephone number, I'd use this system.
    • "how easy that would be to both do and hide when checking out is another point"
      considering your finger print will be in a db, and anyone in the IT dept. can get, it would be pretty easy.
      as far as fooling clerks, thats probably easier then you think, considering most "counterfitting" is done guy clipping the corners of hight decomination bills and pasting them to a lower denomination bill. That kind of shows you how muchs clerks think about what there doing vs. doing it by rout.

      mag strip duplicaton is more expensive and requires more know how then faking a finger print scanner.

      your point about a pin number is good, but howlong will that last? CC companies have already determined its cheaper to pay off bad purchaser then to force there customers to enter a pin.
    • The average passcode is 4-5 digits long. Most people press the buttons with the index finger, making it trivial to shoulder-surf to figure out the passcode. I can do it while pretending to count my money.
      Unfortunately, the fingerprint system has sometimes been marketed as having close to zero false positives, but perhaps many false negatives. Maybe some company won't implement layered security and trust everything to the fingerprint. They'll be screwed. Or, they'll trust the fingerprint and passcode and be equally screwed.
      Unlike a credit card, it seems to be comparitively easy to create a false fingerprint. Plus, if your credit card is stolen you will generally find out. If someone goes the Photoshop route and creates a set of fingerprints from your grubby prints last night's Heineken then you may not find out for days.
    • I would use it with one caveat. I must be able to challenge a charge if I didn't make it. The danger with a system like this is that there is a perception that fingerprint security is very secure. That perception could lead to fraud claims that aren't treated fairly.
    • Sure someone can duplicate my fingerprint (how easy that would be to both do and hide when checking out is another point, but let's assume that it's reasonable to lift a latent print, make a mold and check through without the clerk noticing), but they still must know my pin.

      But that's not when they'd do it. They'd come over to your house late at night, pick a few things out of your trash, and just lift the prints then. Or just lift them from your door knob, or the door handle of your car, or sit around in a mall with little security and lots of people when you use the atm there. Tons-o-places to lift prints, since no one really thinks about leaving prints anywhere. Now true that all those places might not give you the BEST print, but there's bound to be lots of places that do.

      This is no worse than the current system of debit cards

      Right, but is it any better, thats the million (give or take) dollar question. If companies are going to spring mucho dinero to upgrade systems (and then likely to pass that expense onto the customer, citing "improved security for the betterment of the customer") only to end up with a system that in reality is no more secure than the one it replaces, that would be a "bad thing".

      I agree that it is more convenient though. However the "you can only be hacked ten times before you can no longer purchase anything" issue is an interesting one. You could DOS people quite effectively that way (esp co-workers since lifting their prints off of their keyboards would be trivial).
    • by Fjord (99230) on Wednesday May 15, 2002 @06:57PM (#3526733) Homepage Journal
      But even with a credit/debit card if it's involved in fraud, you can cancel it. It's hard to cancel your fingerprint and have them issue you a new one. Once a thief has stolen it, they have it for good.
    • When you lose your card, you cancel it and get a new #. Sure, say your pin is secure both ways, but you've effectively lost one line of defence forever if you get your fingerprint copied.

      Also, different banks (say) would have different # for my account. Not so with fingerprints. Anyone at any company can lift your prints from their DB and search on any other company for any details they want.
    • We used to have a fingerprint scanner to access work, and it was pretty good for the most part. The most annoying things were that some people's finger's took several attempts to ID, and if you did anything that abraded your fingers, this also stopped it ID-ing. Since it was just a finger scanner/touchpad box mounted externally and an embedded 68k inside to drive it, it would probably be interesting to build using a cheap scanner.

      It was a standard joke that you had to return your fingers when you finished working.

      Xix.
  • by _ph1ux_ (216706) on Wednesday May 15, 2002 @05:51PM (#3526438)
    "His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional"

    Bah! Too much work - I just wanna shape shift ala Mystique!
  • by stoolpigeon (454276) <bittercode@gmail> on Wednesday May 15, 2002 @05:51PM (#3526439) Homepage Journal
    Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses

    Yes - leave those purses out in the car so the guy stealing your stereo can get your credit cards too.

    Kroger customer Mary Smith said she has a daughter in Katy who wants nothing to do with the finger image method of payment. She told her mother that it is "a way to get into your identity."
    It's funny, Smith said, "you'd think it would be the old fart who'd be afraid."


    This is funny because she doesn't appear to realize that her daughters fear is based on having more knowledge about technology and is justified fear. She is thinking "I'm not old- I'm cool and cutting edge." and that vanity is letting her opt in to a system where one day her checking account will be cleaned out by a bunch of tweakers who got her fingerprints off her car door and bought all the sudafed they could carry. Smart enough to build a meth lab - smart enough to make gelatin fingers.

  • by asavage (548758) on Wednesday May 15, 2002 @05:52PM (#3526446)
    Matsumoto's paper is not on the Web. You can get a copy by asking: Tsutomu Matsumoto
    tsutomu@mlab.jks.ynu.ac.jp

    someone is going to find a whole shitload of emails tomorrow morning

  • by Beryllium Sphere(tm) (193358) on Wednesday May 15, 2002 @05:53PM (#3526454) Homepage Journal
    The last user will have left a latent print on the reader.

    Used to be, you could just shine a flashlight into the reader and get enough contrast out of the previous user's print to satisfy some readers.

    There have been improvements since, and it would never have fooled a live finger detector anyway. But it's a good example of low-tech bypassing of high-tech security.

  • Fingerprint scanners can be fooled with gelatin, but I heard on the radio this morning (BBC Radio 1) that George Bush wants to use them to control access to the United States. If it was my country, I'd rather a more secure method of access control was being looked into. Before this article, I wasn't aware of any problems with fingerprint scanners. As for using them to pay, I know they can be used for saying either: (1) Yes this person is who they say they are, or (2) No this person is not who they say they are, but thought that it wasn't feasible to use the fingerprint to look up an individual in a database.
  • Signatures (Score:5, Insightful)

    by Kizzle (555439) on Wednesday May 15, 2002 @05:54PM (#3526466)
    How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?
    • How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?

      The problem is that if people believe that fingerprints and other biometrics are "more secure" than signatures, they'll rely on them more and more - making it easier for criminals to do more damage, and making it harder for honest people to prove they didn't commit the fraudulent transactions.
    • >How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?

      That is an insightful question.

      It points to how to implement a reasonably good fingerprint system.

      "Most financial transactions" require both a signature and a revocable token. If your checkbook or credit card is stolen you call up the bank and report it, and then you're off the hook (theoretically) when someone forges your signature.

      A good system would need to combine the fingerprint either with a revocable token (e.g. thumbprint your Mastercard) or with a PIN.

      Your grocery store may already have stuck you with a frequent shopper card, required to get their best prices. Combining one of those with a fingerprint scanner and a good revocation policy might work.

    • How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?

      It's a lot easier to fake my fingerprint than it is to fake my signature. I've been practicing my signature for many years now. I doubt you're going to be able to learn how to reproduce it in the amount of time it takes to create a wax fingerprint.

      • When you hand a check to a cashier at the supermarket do they ever check to see if your signature looks like all of your other ones? Nope.
        • When you hand a check to a cashier at the supermarket do they ever check to see if your signature looks like all of your other ones? Nope.



          Nope, but you can challenge the charge later by asking them to show the cheque with your signature on it.

  • by jonbrewer (11894) on Wednesday May 15, 2002 @05:55PM (#3526474) Homepage
    This certainly doesn't mean that biometrics based on fingerprints should be ruled out.

    Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and pin should be used for any reasonable authentication.

    Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.

    I'd certainly rather use my finger than my RSA number keychain!
  • I'm heading for Krogers [chron.com] and buying me a life time supply of caffine and HoHo's!
  • OK, I've worked for years with automotive telematics/AutoPC systems, and here's what I want:

    • Household system handles menus and inventory, identifies the need to get groceries.
    • Using Bluetooth or WiFi, tells car what it needs, and the locations that the goods can be picked up
      NOTE: Locations will be based on best deals, and include E-Coupons and such, as well as projected route
    • Later, on the way home, I'm given choices of places to stop. I choose one, and the groceries are ordered and ready for pickup
    • I stop, the groceries are loaded into my trunk.
    • Using e-tags, the car determines that I got all the stuff I selected
    • within a minute of pulling in, I pull out with my groceries... never left the car!
    • I arrive home. The E-Tags also indicate to the home what I've purchased and updates the inventory


    Painless, quick, and efficient. That's how grocery stores should operate. Forget fingerprint scanners. Eliminate the long checkout lines, crowded aisles, and rude people.

  • Starfleet??? (Score:3, Interesting)

    by mikosullivan (320993) <miko.idocs@com> on Wednesday May 15, 2002 @06:02PM (#3526510)
    Were these experiments performed for Starfleet? His presentation logo [itu.int] looks like the Starfleet logo [indranet.com].
  • A ton of people are posting that this - combined w/a pin is super secure.

    I've got one question.

    How long do you think you will last when that guy cutting off your finger is yelling at you to tell him the pin?

    I'm guessing for the average joe it will be measured in seconds. (Especially as the media and powers that be preach this constant message of 'just hand over whatever they want - don't fight back')

    .
  • Hmmm.. I have seen this somewhere.. Ah yes, here! [slashdot.org]

    They give a brief mention to Kroger in the linked article [nwsource.com] as well..

  • "Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses."

    So they leave it in plan sight in the car, so they can come back to a broken window and and a missing purse. (not to mention all of those unmentionalbes inside the purse)
    • Women in particular appreciate SecureTouch, because they don't have to....

      Maybe they don't need Men anymore? To turn them on with those Secure Touches?

  • by legLess (127550) on Wednesday May 15, 2002 @06:20PM (#3526584) Journal
    There's much debate about whether fingerprints are the primary keys to human identity. Law enforcement has based over 100 years of work on the premise that no two humans, anywhere, ever, have the same fingerprints. Some people say this is hogwash.

    Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.

    More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited [go.com] the prosecution from testifying that two fingerprints "match." From this article: [nandotimes.com]
    But in 1993, a Supreme Court decision required judges to take a more active role in deciding what scientific evidence to admit. In the case of fingerprints, the so-called "Daubert" guidelines would lead to questions such as: Has the practice of fingerprint identification been adequately tested? What's the error rate? Are there standards and controls?
    The answers, respectively, are "no," "no one knows," and "no."

    I'm home sick and I don't feel like doing more research on this right now. The above links and Google [google.com] will help if you want to look at it more.
    • The main thing to note about all this, with regards to the research, is that there is a pretty good certainty, at least at this moment, that fingerprints are "unique" as long as a sufficient amount of points are actually collected and examined. So if you have a professional fingerprint collector collecting 10 fingers, and comparing it to a previous collection card, you have a very high probability of match.

      The issue is, the certainty of picking up just one or two latent prints on a door knob, and then comparing to the fingerprint card, has not been fully determined--and for good reason, the latent print is simply not the quality of the professional print.

      This is one of the reasons why, in the states that fingerprint for driver's licenses, the prints are never used for criminal investigations--the quality of one thumbprint smudge on the little glass platen is simply not good enough to compare a latent print to.

      This is kinda a fun time to talk about dl fingerprinting--since dl privacy is a big thing for me and all. California law, for instance, says that they must take a thumbprint of an individual getting a license. If you are a hairdresser, working with bleach, or a bricklayer, working with lime, it is highly possible that they will not have fingerprints. There is some type of print that would normally appear, but it has not. So is the fingerprint the potential print...or the one the blank one that is showing up. Apparently, they just write off the print as being uncollectable...which is very telling. It begs the question...what is your identity anyway?

  • by qurob (543434)
    Once this guy makes eyeballs out of jell-o, and fools a retina scanner, I'll shake his hand!
  • by aaandre (526056)
    In the US he might be sued for reverse engineering practices by the security companies.
  • At least this way I only have 10 fingers that I can max out on.

    I wonder if I get a higher credit limit on my thumb than any of the other digits.

  • by SVDave (231875) on Wednesday May 15, 2002 @06:32PM (#3526626)
    Ban gelatin.

    • I think the more sensible solution is to break gelatin so that it is incompatible with finger print scanners. It is up to the companies that make gelatin to change it so that it will cause fingerprint scanners to crash. The industry has to police itself, it can't rely on government to do it.

      --Dan
  • I understand that security needs to be tight when it comes to money, but I think that although this guy brings up some interesting points, I think that this method of purchase is more secure than most of our purchases done today. Cash can be stolen, so can credit cards, and people can forge your checks. So what's the big deal with the capability to duplicated fingerprints. I think it would be much harder to get a clear fingerprint from someone without their knowing than to pickpocket them and steal their wallet. The only problem I can see with this is that you can't just go and have your fingerprints changed (unless you have a lot of money), so this would be more permanent. I think that adding a 6 digit pin would fix this problem.
  • Next up... (Score:3, Interesting)

    by Wise Dragon (71071) on Wednesday May 15, 2002 @06:44PM (#3526688) Homepage
    How to fake retinal scans using mirrored contacts [halloweennight.com] and laser etching [fimark.com]. Story on next year's Slashdot.
  • Another tasty solution [8m.com] to beating facial recognition?
  • See also this +5 thread [slashdot.org] regarding the limitations of biometrics, featuring another Bruce Schneirism. (Does Slashdot love Bruce or what?)
  • by Richard_Davies (250599) on Wednesday May 15, 2002 @07:04PM (#3526773)
    For any transaction where something ther than hard cash is accepted (and I am using transaction is a broad sense here, such as being able to enter a secured area for exampleas well as making a purchase), it is necessary to authenitcate the client, be it with a credit card number, signature, photo id, fingerprint, retinal scan, facial scan, DNA test, some other mechanism or a combination.

    In all such transactions:
    - Authentication is necessary. (ie the transaction requires at least one of these mechanisms).
    - All the authentication methods are vulnerable - no security mechansim is perfect.
    - All of these could be subverted by to invade your privacy.

    However, if you can't use cash for your transaction or you prefer not to for the convenience, you've got to live with the authentication tradeoffs.

    As pointed out, authentication is necessary for many transactions - there is no escaping this fact. So the best questions when evaluating the technology is RELATIVE to its alternatives.

    So fingerprint readers can be spoofed easily (assuming you can get a copy of the finger you want to copy, which is not necessarily easy). Well credit cards numbers can be obtained and used fradulently; signatures can be forged.

    None of these mechanisms are fundamentally good or bad. However, I believe having alternatives IS good for two reasons:

    1. It provides competition between different authentication mechanisms so that people get a choice in what security/convenience tradoff they want to make.

    2. Having multiple authentication mechanisms automatically increases the diversity of the authentication infrastructure which means that it is harder for an organisation to subvert because they need to coordinate your identity across multiple systems rather than having a single one.

    In the scenario described (and many previous articles on the same subject at Slashdot), these new systems augment rather than replace existing ones. As long as this continues to be the case, I am more than happy for these mechanisms to exists and compete.
  • So I just signed up for a project next year using PDAs and biomentrics from ST Microelectronics [st.com]. Anyone used their fingerpring reco kit? Is it any good?

  • So I was wrong to laugh my ass off when hollywood spy types glued false "finger prints" to their digits... I have the good grace to admit that!

    But what about retinal scanners?

    If Arnie is locked out of a secret military compound trying saving the "presidents"/"a friend's"/"his own" "daughter"/"wife"/"pet cockerspaniel" and he comes up against a retinal scanner...

    Well then he's still gonna have to handle that the good ol' fashion way...

    By ripping out the "Drug Lord's"/"Mafia Boss's"/"Buddy gone bad's" eye ball!

    It's comforting to know that some things will never change.

    :)
  • More than $10... (Score:4, Insightful)

    by Andy Dodd (701) <atd7&cornell,edu> on Wednesday May 15, 2002 @07:17PM (#3526823) Homepage
    The first $10 gelatin trick requires you to have the original finger.

    "Hey, let me use your finger so I can copy it and steal stuff with your prints!"

    The second method that allows latent prints to be used requires more work. Still, if you have a laser printer, I'd estimate it runs only $50-100. And the costs of the trick can probably be reduced quite a bit.

    As to the security issues: Prints alone = bad. Prints + PIN = Somewhat bad. But most crooks prolly aren't going to be that desperate.

    It is probably best to use fingerprints as a method of correcting for the deficiencies of credit cards. i.e. verifying that the person with the card is indeed the owner.

    It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #. Theft of a fingerprint no longer means you've permanently lost its usefulness, as it's only used in conjunction with other methods. Your only problem is that the next time around the thief only needs to yoink your CC # - But I have a feeling repeat strikes of CC theft almost never happen.
    • by InfinityEdge (9122)

      It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #.

      Wheee, now both the CC and the finger print hash are stored in the same insecure, slapped together, e-server in bumfuck idaho. This offers no more protection than just a CC# and when someone steals your hash you have to take some lye to your fingertips.

      Until you can make all e-comerce servers rock solid secure I don't want my ID based on something that would physically hurt to change.

  • Given that it is evidently trivial to dupe a fingerprint in gelatin...

    How many people already have their prints on file? No...not just criminals. People who have been arrested, but not convicted. Members of the military, police, child care workers. Children of paranoid parents, etc, etc, ad infinitum. All 'respectable' persons. Clear prints, already in electronic format, ready to be stolen/hacked/duplicated and used.

    Think about THAT when the vote comes up for biometric entry into the country.

    All the 'kid registration' over the last few years has been a desensitization to this point.
  • by Anonymous Coward
    After working with biometric readers for quite some time, I wont mention names, but the most "awarded" biometric reader in the world can be tricked by simply blowing on it. Yes, blow warm moist air on it. The heat/moisture of the breath and the "residue" of the previously scanned finger tricks the reader in to thinking its a "live" finger. So faking the last user of the reader is a piece of cake. I've tested this thoroughly, lots of fingers, lots of people, works a treat.
  • 1. Present finger for scanning
    2. Scan matches fingerprint to ID record
    3. Checker's terminal displays photo of recognized person
    4. Checker notices that the fingerwielder looks nothing like the registered fingerowner.
    5. Fingerwielder flees.

    Alternatively, you can require a PIN code to use in conjunction with the scan. This is what they did at High Tech Burrito [hightechburrito.com] when they tested a thumb-scan system in Berkeley.
  • Now that this guy has shown it can be done, everybody will be doing it. And the process can be simplified. Just take an image of a latent print with a digital camera, clean it up in a computer, and print it using a raised-printing process like a business card.

    Soon, everybody who's now cloning cell phones will be able to do this. So much for fingerprint-based biometrics.

  • mandatory (Score:2, Insightful)

    by Alien Being (18488)
    My local supermarket charges 5.99 for chicken unless you carry their wallet cookie, in which case you qualify for the super special 1.99 price. 1.99 just happens to be the pre-shopper-card price.

    Next, they'll demand a fingerprint in order to qualify to buy food at non-extortionary prices.

    Shaws, Stop and Shop, Kroger... You should rot in hell.
  • by tandoor (571899) on Wednesday May 15, 2002 @11:10PM (#3527786) Homepage
    I've experimented with a popular fingerprint reader.

    If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate you can fake their print easily.

    Either hold your palm closely over the plate, or breath gently over the reader. Enough to create enough warmth to simulate a finger.

    With a little practice I could do it over and over. Quite fun giving a demo to security people!

  • That might prove harder than reading a password off a PostIt note stuck to a 3278 terminal.

    Geting a usable print that isn't smudged in some respect is not that easy. Ask any AFIS operator. Getting the right finger from a glass is also hard if the glass was rotated in the least.

    Its not likely to be done on casual contact.

    It requires collusion or coercion.

    That's no reason to give up on biometrics yet.

    No temperature sensor on the unit? (I'm sure that the gummy bear wasn't the same temperature as the guy's finger. Yuck.)
    And I can't forget my finger at home.
    I still like a LONG biometric password (my fingerprint) for logging on.

Excessive login or logout messages are a sure sign of senility.

Working...