Fun with Fingerprint Readers 300
Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.
Thank god there's a flaw... (Score:4, Insightful)
Any way you look at it, it's still more secure than credit card numbers. Then again, you can always cancel your credit card number. What would you do here, cancel that finger, and start using another? You can only do that for so long...
Still a cool system (Score:4, Insightful)
Bring something, know something (Score:5, Insightful)
However, the kroeger system falls back to the old "bring something, know something" mode which makes it much more secure.
Sure someone can duplicate my fingerprint (how easy that would be to both do and hide when checking out is another point, but let's assume that it's reasonable to lift a latent print, make a mold and check through without the clerk noticing), but they still must know my pin.
This is no worse than the current system of debit cards with mag stripes on the back that are trivial to duplicate with not much more equipment.
It is, however, much more convenient.
Assuming I can change my pin to be something other than my telephone number, I'd use this system.
A Couple Choice Tidbits (Score:5, Insightful)
Yes - leave those purses out in the car so the guy stealing your stereo can get your credit cards too.
Kroger customer Mary Smith said she has a daughter in Katy who wants nothing to do with the finger image method of payment. She told her mother that it is "a way to get into your identity."
It's funny, Smith said, "you'd think it would be the old fart who'd be afraid."
This is funny because she doesn't appear to realize that her daughters fear is based on having more knowledge about technology and is justified fear. She is thinking "I'm not old- I'm cool and cutting edge." and that vanity is letting her opt in to a system where one day her checking account will be cleaned out by a bunch of tweakers who got her fingerprints off her car door and bought all the sudafed they could carry. Smart enough to build a meth lab - smart enough to make gelatin fingers.
Signatures (Score:5, Insightful)
Re:Biometrics (Score:5, Insightful)
You shop at a supermarket where your checkout is governed by your fingerprint. This works pretty well, for you... they store some personal info (CC#, name, address, etc.) and you just touch a pad to check out.
Now imagine that someone manages to replicate your fingerprint (which sounds like it will take about $10 and an afternoon). What do you do? If it were a credit card which had been stolen you could have it destroyed and reissued... but that doesn't work with your finger! Once someone spoofs your finger, it's over. You can never use your finger for ID again, because it's not certain that you're the only one.
That's bad.
Or how about this: Biometrics are easy. Really easy. I mean, you don't have to carry anything, you don't have to remember anything, it's great!
Which is why all kinds of places like video stores, restaurants, etc. would love it... they could make things more convenient for their customers and get faster customer service times, etc. The big drawback is that every transaction is indellibly associated with _you_. Right now, you can pay cash, give fake names, etc. and leave no trail as to what porn you rent, or how much cabbage you buy (you cabbage loving sicko!), but with super-convenient biometrics they know _exactly_ who you are every time.
That's probably bad too.
What's worse? Well, consider that you're pretty attached to your body in general. Though it's possible for you to get fake ID, a fake birth certificate, etc. there's very little in the way of a fake body you can get (plastic surgery aside, modifying the bits used for biomentrics isn't generally feasble - think retinal scans). So now, if for some reason you need a new identity, you pretty much can't have one. There's just no slipping through the cracks.
Why is that bad? Well, it's really only bad if you are doing something illegal, right? Sadly, "something illegal" often can be translated as "something politically unpopular". The idea that we should have the ability to change our government, by revolution if need be, is so deeply ingrained into the Western conciousness (and maybe the Eastern as well, though I don't know...)that it's not at all surprising you get creeped out by biometrics.
Re:Biometrics (Score:1, Insightful)
Having fingerprints of all citizens gives the government a significant amount of power, and if the government were to became corrupt/oppressive everyone that opposes it would end up in shit-creek with no paddle.
If you look at Nazi Germany, everyone was required to show papers to receive services and simply move arround. This was never done to protect the people, but to protect the government from those who were against it.
Re:Biometrics (Score:5, Insightful)
Why is that bad? Well, it's really only bad if you are doing something illegal, right?
Wrong! What if you're in a witness protection program?
OR if you simply have a stalker and need to change your identity? Or if you have a shite name and you wanna change it. Or if things about you change, like you had leprosy but are now cured. Somone with outdated info will read you still have leprosy.
Your data is probably readily available from many sources, some of which will be insecure. You're screwed.
Re:Biometrics (Score:1, Insightful)
What happens to people in witness protection when they continue to use the same bank accounts and credit cards? I can assure you, they aren't good things. And we can expect equally bad things when they have to use biometrics.
Everything has problems (Score:2, Insightful)
Re:Biometrics (Score:2, Insightful)
Re:Bring something, know something (Score:5, Insightful)
This is NOT a bad thing... (Score:3, Insightful)
In all such transactions:
- Authentication is necessary. (ie the transaction requires at least one of these mechanisms).
- All the authentication methods are vulnerable - no security mechansim is perfect.
- All of these could be subverted by to invade your privacy.
However, if you can't use cash for your transaction or you prefer not to for the convenience, you've got to live with the authentication tradeoffs.
As pointed out, authentication is necessary for many transactions - there is no escaping this fact. So the best questions when evaluating the technology is RELATIVE to its alternatives.
So fingerprint readers can be spoofed easily (assuming you can get a copy of the finger you want to copy, which is not necessarily easy). Well credit cards numbers can be obtained and used fradulently; signatures can be forged.
None of these mechanisms are fundamentally good or bad. However, I believe having alternatives IS good for two reasons:
1. It provides competition between different authentication mechanisms so that people get a choice in what security/convenience tradoff they want to make.
2. Having multiple authentication mechanisms automatically increases the diversity of the authentication infrastructure which means that it is harder for an organisation to subvert because they need to coordinate your identity across multiple systems rather than having a single one.
In the scenario described (and many previous articles on the same subject at Slashdot), these new systems augment rather than replace existing ones. As long as this continues to be the case, I am more than happy for these mechanisms to exists and compete.
Re:Biometrics (Score:4, Insightful)
In this case "somthing you are" is a fingerprint.
"something you know" is a pin number or password.
"something you have" is typically something like a credit card, smart card, security fob, etc. This category doesn't apply to the case at hand.
So, once somebody replicates your fingerprint, all you need to do is change your pin number. Problem solved.
More than $10... (Score:4, Insightful)
"Hey, let me use your finger so I can copy it and steal stuff with your prints!"
The second method that allows latent prints to be used requires more work. Still, if you have a laser printer, I'd estimate it runs only $50-100. And the costs of the trick can probably be reduced quite a bit.
As to the security issues: Prints alone = bad. Prints + PIN = Somewhat bad. But most crooks prolly aren't going to be that desperate.
It is probably best to use fingerprints as a method of correcting for the deficiencies of credit cards. i.e. verifying that the person with the card is indeed the owner.
It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #. Theft of a fingerprint no longer means you've permanently lost its usefulness, as it's only used in conjunction with other methods. Your only problem is that the next time around the thief only needs to yoink your CC # - But I have a feeling repeat strikes of CC theft almost never happen.
Prints already on file (Score:2, Insightful)
How many people already have their prints on file? No...not just criminals. People who have been arrested, but not convicted. Members of the military, police, child care workers. Children of paranoid parents, etc, etc, ad infinitum. All 'respectable' persons. Clear prints, already in electronic format, ready to be stolen/hacked/duplicated and used.
Think about THAT when the vote comes up for biometric entry into the country.
All the 'kid registration' over the last few years has been a desensitization to this point.
Latent fingerprints (Score:4, Insightful)
But what's worse in *this* particular case is the demonstration that latent finger prints can near-trivially be developed into a fingerprint glove that fools the device. Just picture it... A would-be thieve would watch you in the supermarket, picking up a bottle of Coke, put it back because you do prefer Mountain Dew after all. He picks up that bottle by the neck, pays for it with cash. From there on he could plunder your credit card.
Sounds scary to me...
Re:Stick my finger in it (Score:3, Insightful)
Uhhh, you must've missed the part about taking latent prints and etching them into PCBs, right? Unless you religiously wear gloves, you could be pretty much screwed on this fingerprint deal.....
mandatory (Score:2, Insightful)
Next, they'll demand a fingerprint in order to qualify to buy food at non-extortionary prices.
Shaws, Stop and Shop, Kroger... You should rot in hell.
Re:One response pro-biometrics (Score:2, Insightful)
Actually there is no obscurity here - it's just a sound mathematical principle. Think about it this way - when you digitally sign a message with PGP or with a certificate a mathematical signature is created with a digest from your message that verifies in no uncertain terms that that message has not been tampered with (within a certain degree of probability). Obviously, the cryptographic message digest is of a certain fixed, limited size, which means there are a lot of character combinations that could have generated a digest like that, it's just that you are not likely to a) encouter them; or b) find one that makes sense in any language.
Fingerprints are similar to that. I'd suggest going to google images and search for the term "fingerprint minutiae" there's several graphics there that can explain it better than I ever will. But to simplify, let me suggest a simplified model:
My fingerprint, when scanned, results in a model that contains an XY grid centered in the image, with a diagonal ridge at coordinates 5,17; and a whorl at -6, 12; and a fork at 3, -4.
Now there's about 80 other minutiae on my finger, that my current scanner picks up, but this will suffice. As you can imagine you cannot reconstruct my fingerprint from this data. It's just impossible. You might get an idea of what it looks like, but it's never exact because the minutiae are not enough to describe the print itself.
You argument is sound - this is very similar to the crypt() function. One way, etc.
Except with this data you can very easily generate one print that will fool this one algorithm. Real easy, even - much more so than brute forcing a crypt() hash. Just create a basic fingerprint and modify it to contain those features within it. Heck, even make it a bit imperfect - a fingerprint is never read the same way twice, and most modern algorithms are smart enough to check for identity matches.
The problem is that the next algorithm at a different ATM or shop doesn't look for the same features, but rather different ones. It might focus on ridges exclusively and their relation to each other, or some other random bit. And unfortunately you do not have that data - you just have the data that was important to the other algorithm. In essence the minutiae algorithms are EXTREMELY lossy, so much so that you would need to crack more databases than you want in order to compromise a single print.
And hey, if all your fingerprints are compromised you can always switch back to passwords
I guess my point is technology will make it infeasible to duplicate fingerprints exactly - Biometrics (at least as related to computer authentication) are still in their infancy. Being able to dupe a system with a jello mold is not exactly an attack that should succeed on a mature system. But it'll grow, and get so insanely good it'll take a heck of a hack to get through it.
-JackAsh
Re:More than $10... (Score:2, Insightful)
It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #.
Wheee, now both the CC and the finger print hash are stored in the same insecure, slapped together, e-server in bumfuck idaho. This offers no more protection than just a CC# and when someone steals your hash you have to take some lye to your fingertips.
Until you can make all e-comerce servers rock solid secure I don't want my ID based on something that would physically hurt to change.