Face To Face With the 'Human Barcode'

silentbrad writes with this excerpt from the Financial Post: "Fast-evolving biometric technologies are promising to deliver the most convenient, secure connection possible between you and your bank account — using your body itself in place of all of those wallets and purses stuffed with cash, change and plastic cards. Biometrics is the science of humans' physiological or behaviourial characteristics and it's being used to develop technology that recognizes and matches unique patterns in human fingerprints, faces and eyes and even sweat glands and buttock pressure. Its applications in the financial realm are a potentially huge time and effort saver, but that's just a beginning for the technology's usefulness. ... [BIOPTid Inc.]'s One Touch cube, set to be on the market within a year, is an external device that users can hook up to their computers and mobile electronics to replace passwords for Internet logins and banking. The cube reads a personal sweat gland barcode to verify identity from the moisture on a user's fingertip. ... 'Biometrics is something that's used by governments, it's used by "Big Brother" to keep an eye on us and we want to change that,' says [BIOPTid chief Scott McNulty] 'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"

Re:

[Eponymous Hero]

or maybe alanis morrisette just sucks. that's always a possibility.

but you can change a password

[Anonymous Coward]

Once a biometric has been compromised (e.g., someone obtains a copy of your fingerprints), you're stuffed.

Re:

[Jeremiah Cornelius]

PLEASE! Buy our device! It's even on Slashdot, you cook geeks!

Re:

[nschubach]

you cook geeks!

As long as the instructions are on the side of the box...

Re:

[Dishevel]

Geeks do not follow the instructions on the side of the box.
They research it on Google then watch a youtube video on how to hack the hamburger helper and customize it for hardcore vegans or how make it code monkey friendly. Then they put their own twist on it and upload the video of their "Hamburger Helper Hack" to youtube and post about it on their blog.

Re:

[gweihir]

Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it), it remains useful after compromise. That does only apply to the big-brother scenario though. But even then, this has very high verification cost and negates the claimed advantages.

Otherwise: Biometrics is snake-oil. Without the usual human greed (paired stupidity on customer side), nobody would even be talking about it anymore, as it is completely unsuitable to lower costs as unsupervi

Re:

[Joce640k]

Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it).

Snork. I just blew coffee out of my nose (luckily I use a Model M and it survived...)

PS: What about people who don't have fingerprints? Pretty much anybody who does manual work will have very little fingerprint on their fingers.

Bank of America already has an answer for that

[Anonymous Coward]

Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it).

What about people who don't have fingerprints?

According to Bank of America, the correct procedure is to refuse to cash a check from an armless man because he doesn't have any fingerprints. http://consumerist.com/2009/09/bank-of-america-asks-armless-man-for-thumbprint.html [consumerist.com]

Re:

[hoggoth]

Our research shows that people who do manual work are not relevant to the demographic we are targeting. Let them eat cake.

Re:

[boristdog]

And getting that fingerprint-lock locker open after an hour in the hot tub at the gym is damn near impossible.

Re:

[jbmartin6]

No fingerprints is also common among medical workers who are constantly scrubbing their hands.

Re:

[Anonymous Coward]

There is no such thing as "controlled" conditions. Since the whole point of a security system is, that you don't need a human to check.
If you need a human, you can just leave away the system in the first place.

The whole point of a password, is that only you know it!
But with biometrics, everyone can find them out, if he wants.
And every time some retard presents such a device, somebody makes a laughing stock out of him, by making a copy of his biometrics, and doing funny stuff with it.
Then, the inventor can't

Re:

[Immerman]

It depends on the security system - in a highly secure environment where guards or even just an alert receptionist is justified, biometrics do in fact offer a significant additional layer of security. It's only when used on their own that they fail spectacularly.

Re:

[gweihir]

Exactly.

Re:

[silentbrad]

According to the article, this particular one reads the sweat glands on the fingertip: "In addition to the metaphorical connotation, he trademarked his technology as “the human barcode” because the sweat-gland patterns create a numerical reading like a computerized barcode." There's also a Japanese one in the article that reads body pressure, "technology dubbed 'butt biometrics' by some tech press following its introduction last year." And one other that can recognize a face based on partial ima

Re:

[sociocapitalist]

Once a biometric has been compromised (e.g., someone obtains a copy of your fingerprints), you're stuffed.

Especially if the metric used is "buttock pressure"...

Re:

[Marillion]

There's that. There other issue is that every biometric system requires the computer to make a judgment call. A facial recognition system has to guess it's you within a [insert-threshold-here] degree of confidence. That confidence level will never be 100%. A password and physical tokens are the only mechanisms that inherently have absolute yes/no thresholds. Before you start challenging this, I'm not considering the "spoofability" of any of these methods. Of course, physical tokens can be stollen or l

"Protect themselves?"

[hotdiggity]

“Biometrics is something that’s used by governments, it’s used by ‘Big Brother’ to keep an eye on us and we want to change that,” says Mr. McNulty. “We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.”

...

The best way for me to protect myself with biometrics...is to keep the details of my biometrics out of any government or private company's database, thank you very much.

Re:

[XxtraLarGe]

The best way for me to protect myself with biometrics...is to keep the details of my biometrics out of any government or private company's database, thank you very much.

Too late. Either they already have it, or they can get it without your knowing they got it.

Brain-damaged

[Anonymous Coward]

Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password. How is this going to protect anybody or anything? At some point, convenience trumping everything else is going to lead to a lot of INconvenient situations.

Re:

[19thNervousBreakdown]

Not to worry!

"We think we'll be the only technology that's 'spoof-proof,'" says Scott McNulty, president and chief executive of BIOPTid Inc.

Re:

[gweihir]

No way in hell. And I just had some other company representative claim the same thing here a few weeks ago. After careful examination, this claim turned out to be bogus, but it looked good on the surface. I almost felt sorry for the guy, making such claims in front of an audience of skeptic security experts is not a path to happiness.

Re:Brain-damaged

[19thNervousBreakdown]

Almost though, right? Because honestly, it's an insane claim. Your sensors are measuring an image, we can make very convincing images. Make your sensor fancy, have it measure heat. We can generate heat to incredibly precise degrees faster than you can blink. Heartbeat, capacitance, translucency, these are all child's play once we know what you're looking at. Since your sensors are almost surely of lower resolution than we're capable of reproducing, the key is the algorithm.

Now this? Sweat glands? We can make Blu-Rays, but you don't think we can spoof a sweat gland to the precision that you're measuring it? Please.

My ears will perk up in interest if or when a biometrics company claims that they're measuring an effect we're unable to reproduce. Create a biometric system that authenticates based on the subjective experience of consciousness. Now that's biometrics.

Re:

[hoggoth]

Its called the Turing Test.

You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?

Re:

[19thNervousBreakdown]

Now we're getting somewhere! Now, this test only works if administered by a human, which runs counter to the purpose of having a device, and the specific question will only authenticate that the subject is human, not a specific human, but hey, it's a start.

It's a tricky question though. What is a part of a human, unique for every individual, that we can reliably read often enough that it can be error-corrected, fast enough to be practical, by a device that is cheap enough to be worth the cost of the securit

Re:

[dkleinsc]

You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?

1. Tortoises and turtles can bite.
2. Tortoises are generally quite capable of recovering from being flipped on their back. Natural selection and all that.

Re:

[Immerman]

Me, I'd flip the tortoise.
1) It's usually quite simple to flip a tortoise while keeping your fingers safe, that shell severely restricts it's range of motion.
2) Sure, but just like when you're trying to wrestle a sofa up a flight of stairs, a little help from a random passerby is likely to be appreciated. Then again I've met plenty of folks that wouldn't consider engaging in a random act of kindness even for other humans.

Re:

[Anonymous Coward]

Its called the Turing Test.

You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?

Tell me about your mother...

Re:

[azalin]

Even easier: Just record the reading and bypass the sensors directly. Biometrics is ok as PART of a security system under supervised conditions. But as a standalone unsupervised solution it sucks and is easy to cheat.

Re:

[19thNervousBreakdown]

If you can read the sensor's output, and inject your own input, you can defeat any system. A keyboard is a sensor too, and just as vulnerable to what you've described.

There are ways to protect against that when it's warranted, but I don't think it has anything to do with biometric systems in particular. If we're going to debate the relative worth of authentication systems, we need to first assume that the system's communication with its host is secure, or they're all exactly the same--worthless.

Re:

[Carnildo]

If you can read the sensor's output, and inject your own input, you can defeat any system. A keyboard is a sensor too, and just as vulnerable to what you've described.

Biometrics are more vulnerable to this than passwords are, in two ways:

1) You can enter a password into a remote terminal and have it be verified against a central database without ever transmitting the password in either direction (see challenge-based authentication protocols). You can't do this with biometrics: verification consists of comp

Re:

[19thNervousBreakdown]

Biometrics are more vulnerable to this than passwords are, in two ways:

1) You can enter a password into a remote terminal and have it be verified against a central database without ever transmitting the password in either direction (see challenge-based authentication protocols). You can't do this with biometrics: verification consists of comparing the measure against the database entry and determining that the two match to within the desired degree of precision, and this requires transmitting the measured values to the database.

You have a fundamental misunderstanding here. Sending a hash for near-matching in the way you describe is absolutely possible. See MusicBrainz [slashdot.org] for an off-the-top-of-my-head example, but a fuzzy hash is a very basic thing, and already done all over the place.

2) The average user does not leave their password on every surface they touch. In order to inject a password into a compromised reader, the attacker needs to record it from a compromised reader. Biometrics can be obtained through any number of methods that don't involve a compromised reader.

Strawman. While correct, you're disputing something that I was not trying to argue, and I certainly wasn't trying to argue that fingerprint scanners are secure in anyway. A review of the post you replied to will show that it wasn't even implied, so if yo

Re:

[Jeremiah Cornelius]

1. Easy to fake.
2. Impossible to revoke.
3. Ripe for abuse.
4. No duress password....

PROFIT!

Re:Brain-damaged

[Joce640k]

Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password. How is this going to protect anybody or anything? At some point, convenience trumping everything else is going to lead to a lot of INconvenient situations.

You forgot one: We leave copies of them behind us wherever we go (DNA, fingerprints...).

Re:

[arth1]

Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password.

And not static either - there are examples of people's fingerprints or retina pattern changing, and medical conditions can occur that makes taking samples impossible. Even DNA isn't necessarily good enough, as identical twins and other clones may share the DNA, while someone having received genetic treatment might not.

So there has to be a backup way to authenticate, in which case the backup way can be more useful to use in the first place.

Place bunghole on reader

[HangingChad]

human fingerprints, faces and eyes and even sweat glands and buttock pressure.

A fellow programmer and I used to joke about developing a bunghole scanner for identification. Not so funny now, is it?

Re:

[CanHasDIY]

Watch out for that proprietary connector, it's a little .. wider .. than a standard connector.

No worries, it has rounded corners.

Re:

[azalin]

I'm afraid round corners are patented by the fruit. But there is another proven design by a certain Vlad Tepes who's original copyright has already expired.

Re:

[Immerman]

Nope - all corners, no rounding, and now approved as the primary authentication method for all official government interactions.

And people still welcomed the change until they realized that it didn't actually reduce the existing B.S. they had to go through.

Re:

[s.petry]

Probes should only be used for diagnosing medical issues (see Idiocracy for the reference)

Re:

[gweihir]

Then, if you get a Hemorrhoid, figurative PITA will be added to the literal one because you cannot log-on anywhere anymore.

Re:

[azalin]

Wasn't there a south park episode about a certain high speed mono-wheel bike?

Re:

[Agent0013]

human fingerprints, faces and eyes and even sweat glands and buttock pressure.

A fellow programmer and I used to joke about developing a bunghole scanner for identification. Not so funny now, is it?

That's nothing! When I first looked at the above quote I read it as "human fingerprints, feces and eyes". Now that would be an interesting bio metric scanner.

Failure?

[theJML]

We have fingerprint readers here. Sometimes, they don't recognize my finger. It's still my finger, but there's nothing i can do to convince it it's me, so I'm stuck and can't do my job until it decides to let me in. Face recognition is the same way. There's no way I can change my face, or alter my fingerprint to make it work, so I basically am just screwed. If there's any chance of that with this, there's no way I want it.

Re:

[Greyfox]

Climbing putty has become popular in my workplace. The other day I noticed that the stuff takes a fingerprint better than anything else I've ever seen. I'm curious whether I could imprint my fingerprint on a piece of putty and if that would fool a fingerprint scanner. The stuff deforms very easily and quickly loses its shape so I don't think there would be security issues with it, but it would be kind of nifty if that were the case.

Re:

[azalin]

Gummy bears.

Biometrics has some potential advantages, but also some really surprising weaknesses. Fingerprint scanners can be tricked by proper application of a gummy bear, and aging or (more suddenly) injury can sufficiently deform any detail structure to the point where the old record is worthless.

There was an article on slashdot a while back on creating finger dummies from gummy bears. It worked very well it seems.

Re:

[deroby]

Actually, you CAN change your face... you just probably don't want too.
But say that you happen to have an accident and it caused irreversible damage to your face, would that than also mean you no longer can open any locked files on your computer ?
Sounds like we'll always need a back-door somehow to catch those situations... but OTOH we started using biometrics to close that back-door in the first place ....
(disclaimer, I did not read the article)

On a side note, every time I see something about biometrics co

biometrics will be broken ...

[RichMan]

Scan the eyeball it has a deep 3d structure that is unique: opps,
Researchers create synthetic iris that can defeat eye-scanning security systems:
http://www.theverge.com/2012/7/26/3188518/synthetic-iris-scanning-security [theverge.com].

See all the ways to cheat on drug piss tests ....

If it is a system, it can be hacked. No system should ever take validation as 100% proof.

'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"
This from the banking system that brought us 4 digit PIN codes that were considered perfect validation. *sigh*

Back in the olden days

[sl4shd0rk]

You just got mugged for your wallet.

Change password

[Anonymous Coward]

I can get a new password if it is compromised, it's a lot harder to get new Biometrics.

Re:

[Anonymous Coward]

Simple: You don't use your body to authenticate, but someone else's. If compromised, you just replace that one.
Finally, a new job for unlearned people: Serve as living password! However, password stealing won't be pretty ...

Biometric System I'd Like to See

[Greyfox]

I'd like to see a biometric system that forces you to perform a little dance in order to authenticate. That would be pretty funny.

Re:

[drinkypoo]

I'd like to see a biometric system that forces you to perform a little dance in order to authenticate. That would be pretty funny.

Let's just hope nobody ever tries to implement a system that requires you to also "make a little love". I'm imagining the implementation winding up something like Boong-Ga Boong-Ga.

Re:

[azalin]

I suddenly get the image of teledildonics as an authentication device. *shudder*

Biometrics are not a complete security solution

[dkleinsc]

A few ways to crack biometric scanners:
1. Create a physical duplicate of the biometric info good enough to fool the machine, e.g. a rubber thumbprint.
2. Attack not the scanner, but the wire that runs from the scanner to the computer that will analyze the results: Copy the data sent down the wire on a successful scan, and send that data down the same wire to get in.
3. Attack the software that analyses the biometrics to always report "pass".

They're useful, but they aren't unbeatable.

oops, someone wrote a clueless article again

[slashmydots]

I guess yet another author has fallen victim to not knowing what the hell they're talking about again. Our technology isn't good enough to do true biometrics. Any system like he outlined is a glorified fingerprint scanner. It's not a magical device that "senses" your finger. Any biometric device takes some set of 0's and 1's and compares it to other 0's and 1's and if they match to a certain degree, it's approved. That means any of them can be faked to be close enough or hacked to approve wrong data.

Fingerprints are an image file compared to another image file. Iris scans are an image file taken by a camera and compared to another image file. Face recognition is the same. All three of those are infinitely more fake-able than a password.

To get my money now, you have to get it out of my wallet. Good luck. To fake my face, they need to take a picture of my face. That's a bit easier. To fake my fingerprints, they need to get a hold of my fingerprints and I definitely leave those in more places than my wallet. You may recall that the Mythbusters made a laser printed fingerprint on a $100 laser printer, licked it, and got past a top of the line $1000+ fingerprint reader. To fake my iris, they need a closeup of my face, also not so difficult. There really isn't any biometric data that's good enough right now to be used in financial transactions short of a DNA sequence and I'm not giving them a DNA sample and waiting weeks to buy a bagel.

Re:oops, someone wrote a clueless article again

[SirGarlon]

If you follow the tech industry long enough, all the hype gets recycled and comes back in slightly regurgitated form later. For example, "thin clients" (the Next Big Thing in 1997) and "cloud" (the Next Big Thing in 2007).

Biometrics were all the rage in the late 1990s, when people were starting to recognize how problematic passwords could be. The enthusiasm died out quickly. Parent has outlined the main reasons why: they're easier to spoof than might first appear, and to use biometrics in authentication requires biometric data to be transmitted and stored (and therefore subject to compromise).

I think face recognition technology is starting to change the tech industry, but not in a good way. It's not used for authentication. It's used for automated surveillance and tracking. *That* is the future of biometrics.

Re:

[slashmydots]

Well, at least HP could realistically be an option for manufacturing technology like that and then at least if you're black, it won't detect you [cnn.com]

Change password?

[stanlyb]

I just wonder, how one is supposed to change his password? Or if you become sick, would you be still a valid password? Or if your left leg is cut, are you going to be cut from your banking account too?
".....Sorry sir, your password is invalid, your hash function needs to be certificated again..."

Oh geez.

[JustAnotherIdiot]

buttock pressure.

That machine better be self cleaning, and do a fantastic job at such.

ohh bugger

[BlindRobin]

I thought this was about Geordie football...

Hmm

[Lord Lode]

My eye's iris, which is always visible, is easier to copy than a key or card in my pocket.

I think biometrics offer higher convenience, but lower security.

Am I right

Re:

[azalin]

My eye's iris, which is always visible, is easier to copy than a key or card in my pocket.

I think biometrics offer higher convenience, but lower security.

Am I right

I'm not even sure about the higher convenience. Biometrics can change or become unreadable enough trigger a false negative. Manual labor, chemicals, minor cuts or activities like rock climbing can easily change your fingerprints enough to become unreadable. What happens next? The can't just hand you a spare hand or reset your password. Iris scanner? No more contact lenses, better not get an eye infection, please place your face exactly at the same places where that guy with the running nose was seconds ago.

Re:

[cusco]

Actually iris scanners have gotten a lot better in the last couple of years. The AOptix scanner, a couple of which I've installed, is quite convenient. Stand anywhere in a circle about a meter and a half radius, centered two meters from the scanner, and it will enroll both irises within 1-4 seconds. To request access read your key card and just glance at the scanner. It will match whichever iris it encounters first, generally within one second, and if that iris is correlated with the card you presented

Identification != Authentication

[Anonymous Coward]

Identification is the process by which the identity of a user is established, and authentication is the process by which a service confirms the claim of a user to use a specific identity by the use of credentials (usually a password or a certificate).

All biometric systems only do identification. It's about time everyone gets what biometric really is: A FANCY USERNAME.

Re:

[rastoboy29]

Nice.

Required reading

[pesc]

If you think biometrics is useful for unsupervised authentication, please read this:

http://www.schneier.com/crypto-gram-9808.html#biometrics [schneier.com]
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]

Your fingerprints are not secrets.

This Summary Reads Like A Press Release!

[TheSpoom]

You know, I'm OK with the occasional bad link or poorly researched story, but could we avoid regurgitating obvious press releases from private companies? Look, editors, I really, really rarely complain about you guys, but we do expect at least a little bit of work in filtering and, you know, editing stories.

Re:

[TheSpoom]

I hate to say it but it totally doesn't surprise me, now that I look, that the editor in question is timothy. *sigh*

Greenlight that baby!

[paiute]

The whole body is now the password? I think this will kick that Weekend at Bernie's 3 development into high gear.

No Biometrics please !

[Pieroxy]

Biometrics is the most stupid way of authenticating anyone. As soon as someone is able to fake your credentials (and so far it's always been simple - fingerprints, face recognition, etc) you're 0wned. Because you cannot change your credentials. Because your credentials are you.

So biometrics for authentication is a no-no. Only clueless executives can realistically push this forward.

Re:

[account_deleted]

Comment removed based on user account deletion

Oh wow

[Charliemopps]

I guess hackers are ruined... no ones ever been able to software replicate a security dongle. If they had, there'd be copies of professional audio/video/photo editing software all over the pirate bay! Oh wait...