Pay By Touch Goes Online
Max Fomitchev writes to tell us that Pay By Touch, the biometric identification service, has announced an online version of their service. While currently the only implementation of this service is in the brick-and-mortar storefront of Star Markets grocery stores, the company hopes that online vendors will start signing up soon.
Finally! (Score:5, Funny)
Re:Finally! (Score:5, Funny)
Now if I can just get into one of his holosuites and take a spin at "Vulcan Love Slave 2: The Revenge"!
Re: (Score:1)
Re: (Score:1)
Re:Finally! (Score:5, Interesting)
Fingerprints are not hard at all; it's been done, and done well already. You can google for detailed instructions.
Basically, you scan the fingerprint by any means you have (it depends on how and where you could lift it). Print it on transparent OH film, then use it to etch a negative print on circuit board - this just requires standard stuff you can get in any electronics store of course. Use that negative as the mold for a latex positive; in the simplest case, just dab a solid layer of latex on your fingertip and press on the mold until the latex hardens.
The beauty, if that's what you want to call it, is that once you have one scanned print, you can trivially duplicate and send it as a black and white image to anybody, anywhere who wants to use your print.
Fingerprints very seriously suck for identification nowadays.
Re: (Score:3, Insightful)
Why bother? Just steal the hash data that is generated by the scanner and use a hacked driver to inject it into a browser or whatever. Passwords can be changed. Fingerprints can't be (painlessly). Let's hope that this system is using both fingerprints and passwords/keys. And let's hope it won't become ubiquitou
Re: (Score:2)
I like my anonymity too, but I really like having my fingers staying attached to my hand.
Thieves are all over this... (Score:1)
Thieves chop man's finger off to defeat biometric car [theregister.co.uk]
Re: (Score:1)
Grocery Stores? (Score:4, Funny)
Re: (Score:3, Funny)
"What about strip clubs?"
Sorry, but it's only in Soviet Strip Clubs that you're allowed to pay for touching yourself!
I can see someone might want to substitute "pay-by-touch" in such situations, though:
An anglo from Toronto, a Quebecer, and a newfie from Newfoundland go to a strip club in Montreal (yes, this is a Kanuckistani joke)
The Quebecer gets a lap dance, and slips $10.00 in the stripper's panties.
The Torontonian gets a lap dance, and, not to be outdone, slips $20.00 in the stripper's pantie
dinger? (Score:5, Insightful)
really.. a dinger..? you don't say...
The whole fingerprint-for-payment-at-the-store thing has been debated here plenty before, so I'll steer clear of it.. but TFA (well, TFblogpost) is centered around Pay By Touch launching a service that lets you scan your fingerprint at home and autopay at various online websites with a simple swipe of your finger. I don't know who steered them down this path, but they should be fired.. promptly.
I can recall several dotbombs that had this same business model (an e-wallet that had all your info in it already so all you needed to do was purchase from participating vendors and a username/password/whatever was all you'd need to make each purchase), and they all failed miserably. Anyone remember flooz [com.com]? Maybe I'm just a cynic and these guys will have a fresh new approach that will catch on like wildfire.. but it seems a nonstarter to me, since none of the failed dotcoms so much as required you to have a biometric scanner in your home.
What a dinger? (Score:1)
Re: (Score:2)
Except, of course, for PayPal, which is wildly successful to the point of being the only payment option for many (possibly most) small-time storefronts I see on the Web.
Re: PayPal's monopoly (Score:1)
Privacy Concerns ? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
So, don't ever ask to have your password reset. You have been warned!!!!
Re: (Score:2)
1. We are in a nation of, by and for the corporations.
2. With the new bankruptcy laws, corporations do not have a problem with your lifelong responsibility and if a method can be agreed upon whereby the incurred obligations "more clearly point to you" all the better for the corporations.
3. So the nation does not have a problem. Any squawking is just the sound of poultry caught in the machinery of the system.
The general public could prove to be too intelligent to make wide adoption
Re: (Score:2)
Did something like this actually happen and did someone win a court case against a bank? Whatever happened to personal responsibility and taking the blame for one's own (erroneous) actions?
Re: (Score:1)
The answer here is called "anti-spoof," or more appropriately "live finger detection."
Quite a lot of research has gone into how the fingerprint scanners themselves can distinguish live human skin from other materials, or even dead human skin. There has been much success in this area to date, and you should expect to see this new technology in products before too long.
What this equates to is you having to be physically present at the time of authentication, as it will be impossible for someone to spoof
Re: (Score:1)
UP Next: How Muggers cut away their victims' fingers and make sure it lives long enough to make a withdrawal.
Re: (Score:2)
Only good if the scanner is being watched all the time. With a scanner on a computer and on-line purchases, you could just spoof the datastream coming from the sensor and feed it into a hacked driver. Mark my words: the protocols *will* be cracked. And this will be go
Re: (Score:1)
Hacking this protocol would mean hacking the PKI security it is wrapped in, at which point you would be breaking the equivalent to SSL and stealing someone's banking information. Good luck.
The data coming off of the sensor is not going to be usable by anyone without the private key of the hosting system; and if you can get this key, the problem is no longer specific to the biometric system being used.
Re: (Score:2)
If your fingerprint is compromised, they'll just ask for your password.
Re: (Score:2)
Re: (Score:1)
Dumbasses. (Score:5, Interesting)
Really?
What about the fingerprint information you're evidently (there's nothing to carry) sending over the wire? No way to intercept that huh? How about the fingerprints you leave on just about everything you touch? No way to lift those off of that surface and to use them on a scanner, in the case of on-line purchases, a scanner that's right there beside you without anyone looking over your shoulder to see you're actually using your own finger and not some copy made out of gummy bears.
Re: (Score:2)
Re:Dumbasses. (Score:4, Interesting)
The reason is simple - whoever controls the hardware can tell the scanner to report whatever it wants, mount data replay attacks, etc.
Even if the scanner this company is using is ultra-strong and can tell fingers apart from gummy-bears, who is to say I'll even use their scanner. All I need to do is take one apart, figure out how it works, remove any embedded encryption keys, and then create my own "virtual" scanner that reports whatever finger-prints I want it to. As the parent mentioned, there is a ready supply of fingerprints - I might start with my mailman who leaves his on my front porch every day.
And even strong biometric systems have problems (inability to change compromised credentials for one). This system isn't even remotely strong from the start.
Here is an idea for a payment system that would work. Credit card with no mag stripe - just a smart-card interface, a small LCD display, a small PIN entry pad, and a small acoustic modem (possibly an external device that the card can be attached to easily), and a tiny USB interface. Card contains SSL key known to nobody, but the cert is signed by the bank issuing the card (with CRL available). I walk up to a check-out counter, and insert my card, and then remove it. The card displays the transaction amount on the display, and I enter my PIN on the card. I re-insert the card, and the transaction is complete. Transactions are time-stamped and cannot be replayed (unless the transaction is a subscription which would be noted on the display). PINs are entered on the card itself - so no capturing these unless you have a camera overhead. SSL key never leaves the card, so without physical card presence you can't make transactions. Acoustic modem / USB can be used for online or phone transactions - again with full security.
This would resist just about every form of fraud that is common today. Without the card and the PIN you can't make a transaction. Sure, you could steal the card and force somebody to enter a PIN at gunpoint, but this is not a significant source of fraud (and while we're at it we could have a 2nd call-police PIN that still makes transactions appear to work). The only downside is the implementation cost - but I wonder if it wouldn't pay for itself pretty quickly...
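Added example, not part of the original comment: a sketch of why a captured fingerprint template replays while the card-signed, time-stamped transaction proposed above does not. It is not any vendor's protocol; `Card`, `Bank`, the key and the PIN are hypothetical, HMAC with a shared key stands in for the card's bank-certified key pair, and the per-card counter is an added assumption alongside the timestamp.

```python
import hashlib, hmac, json

CARD_KEY = b"constructed-demo-key"  # constructed; stands in for the card-held key
MAX_SKEW = 120                      # assumed freshness window, in seconds

def _tag(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class Card:
    """Hypothetical card: the key never leaves it and the PIN is checked on-card."""
    def __init__(self, key, pin):
        self._key, self._pin, self._ctr = key, pin, 0

    def authorize(self, merchant, amount_cents, now, pin):
        if not hmac.compare_digest(pin, self._pin):
            return None                      # wrong PIN: nothing is signed
        self._ctr += 1
        body = json.dumps({"merchant": merchant, "amount": amount_cents,
                           "ts": now, "ctr": self._ctr}, sort_keys=True)
        return {"body": body, "tag": _tag(self._key, body)}

class Bank:
    def __init__(self, key, template):
        self._key, self._template, self._last_ctr = key, template, 0

    def verify_static(self, submitted):
        # A biometric template is the same bytes every time: a recorded copy passes.
        return hmac.compare_digest(submitted, self._template)

    def verify_signed(self, msg, merchant, amount_cents, now):
        if not hmac.compare_digest(_tag(self._key, msg["body"]), msg["tag"]):
            return "bad-signature"
        tx = json.loads(msg["body"])
        if (tx["merchant"], tx["amount"]) != (merchant, amount_cents):
            return "amount-or-merchant-mismatch"
        if abs(now - tx["ts"]) > MAX_SKEW:
            return "stale"
        if tx["ctr"] <= self._last_ctr:
            return "replayed"
        self._last_ctr = tx["ctr"]
        return "ok"

def demo():
    template = hashlib.sha256(b"constructed fingerprint template").digest()
    bank, card = Bank(CARD_KEY, template), Card(CARD_KEY, "4921")
    msg = card.authorize("grocer", 1999, now=1000, pin="4921")
    return {"static_replay": bank.verify_static(bytes(template)),
            "signed_first": bank.verify_signed(msg, "grocer", 1999, now=1005),
            "signed_replay": bank.verify_signed(msg, "grocer", 1999, now=1010),
            "signed_inflated": bank.verify_signed(msg, "grocer", 9999, now=1010)}
```

`demo()` shows the recorded template verifying again, while the second submission of the same signed message and the attempt to charge a different amount are both rejected.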
Chip & Pin (Score:1)
You're almost describing the EMV (Europay MasterCard VISA) standard for smart cards, implemented in the UK as Chip & PIN [chipandpin.co.uk]. The chip on the smart card is used during the encryption process and cardholder presence verified by a PIN, which is encrypted on the numberpad, before it gets any further (thus providing two factor authentication).
It has drawbacks, direct and indirect observation of the PIN plus it doesn't stop card cloning, as the mag strip still exists. Indeed specially rigged readers [bbc.co.uk] were used th
Re:Chip & Pin (Score:2)
1. The merchant can charge you for more than the authorized amount. They need only modify the PIN-pad device to display one amount and charge a different one. The charge should be displayed on hardware controlled by the cardholder/bank.
2. Not sure if the device is using SSL certs and signed transactions. If it is just a static account number with a PIN it could easily be cloned.
3. If criminals are using rigged readers they wouldn't even need to clone the cards. They cou
Re: (Score:2)
And ANYTHING done remotely is insecure unless you control the hardware, and you can't.
Rather amusing that people still try this crap.
.
Re: (Score:1)
Fingerprints works really? (Score:1)
Re: (Score:2)
A typical fingerprint scanner has to allow for rotational and translational differences and differences in pressure and pad and finger cleanliness between applications of the finger to the pad.
Then it has to cope with image recognition matters - it has to pull out features from the print an
Re: (Score:2)
Passwords and crypto keys aren't 100% unique either, most likely, especially with the weak passwords many people tend to use.
-b.
Re: (Score:1)
Never leave home without it (Score:2)
Re: (Score:1, Interesting)
Incidentally.. (Score:4, Funny)
I needed a hobby and a little more cash, this should solve both of those problems.
Re: (Score:1)
Offhandedly (Score:1)
Re: (Score:1)
have i missed something? (Score:1)
go on, try it
When we're transmitting over the web, it becomes just a number we're sending, a number which can be intercepted, saved, sto
Re: (Score:1)
I don't have to imagine that since I've done it... works great! No more or less secure than paying by CC over the phone. Also my wife using my CC even though she's not technically authorized. A clerk that wants to make a sale is going to do whatever it takes to get the charge through. Once I called my bank and had them give me my
Not the only stores (Score:4, Informative)
Re: (Score:1)
Re: (Score:1)
Piggly Wiggly too (Score:2)
Repudiation? (Score:5, Insightful)
Re: (Score:2)
Come on! We are all nerds here! Why hasn't anyone here gotten it? It's really simple. Biometric payment schemes are all just fancy passwords, the only problem here is that the password that is the weakest to break is one that never changes and which may be read by those in public. Your fingerprints never change and they can be read in public. Worse yet they also can be counterfeited easily by very simple technology. They also can be observed quietly and without intrusion as was noted by a few other poste
Re: (Score:1)
Re: (Score:3, Insightful)
And not only that, if you try to dispute a charge, not only will they deny that - You will be under investigation for fraud!
So long as I am only liabl
First! (Score:2, Insightful)
Re: (Score:2)
Credit cards already provide a viable tracking mechanism, and they haven't become mandatory in lieu of cash. I think the first politico to force through a law to make this mandatory would end up strung up from the nearest lamppost courtesy of the more extreme xtians that we have in the US. And rightly so - I'd even help tie the noose.
-b.
Re: (Score:1)
Re: (Score:2)
I hope that it won't work. As I said, though I'm not one, Christian zealots do have their uses. And politicians who pass harebrained and unconstitutional schemes to track and further erode people's rights deserve no less deportation to some place where their ideals are agreeable. North Korea or Libya would be a good start. Maybe the
Re: (Score:1)
I'd rather someone steal my cash (Score:2, Insightful)
That seems wrong on plenty of levels, the simplest of which is that when someone mugs you, conventional wisdom says that unless you're far more prepared than they are, you give them everything you have. When 'everything you have' begins to include your right index finger, then mugging is way easier in a cr
Re: (Score:2)
It's not as stupid as it sounds (Score:1)
Re: (Score:1)
PCs have been going down the wrong road ever since the first one came out. The only really 100% reliably secure payment scheme would require absolutely closed PCs, ones that didn't allow third-party software to run, as well as a rigidly-policed network. Any person/company that wanted to write software would have to be federally licensed and would be under extreme 24/7 monitoring. Anyone else would be locked out of the system usin
Re: (Score:2)
And you think this is a *good* thing? Maybe in Trollville, but not in a free and democratic society. Besides, it would probably strangle innovation completely - some of the best ideas in computing, including the PC itself have come from hobbyists.
We alr
Re: (Score:1)
Re: (Score:2)
Guess what? I wouldn't *want* a secure identity system on the Internet. Anonymity = good. Financial? Just take the same approach as credit cards and make good any "shrinkage" that occurs. It's not that information wants to be free - it's t
Re: (Score:1)
Re: (Score:1)
Open-source software development and creativity aren't the issue here, security is. Any workable identity/financial system must be kept completely separate from other types of systems, all the way down to the hardware on individual computers. What good is financial software if it can be easily hacked? And "easily" is a relative term here - if the rewards are great enough then it won't be long before someone somewhere applies whatever amount of money is necessary to break it. Remem
disappointed (Score:2)
Great name !
the biometric identification service,
Yeah... it sounded too kinky to be true....
Non-Net Fingerprint Readers (Score:2)
Many of those have "password managers" that will get you into your money/email/Windows/whatever by swiping your finger, and the fingerprint information never goes across the internet. Plus it has the added bonus of working with a lot more than just these guys' proprietary system.
Criminals (Score:1)
Biometrics are a bad idea if they are the only form of confirmation, the same way the PIN numbers or signatures are laughably weak on their
Not the only one to use it (Score:2)
Not sure how long they've had it. It's part of their "SmartShop" program that also creates custom discounts and shopping lists personalized based on your previous purchases. They seem very advanced in that type of stuff, and it has helped them create a very loyal customer base.
-Pete
Not quite... (Score:2)
Re: (Score:1)
So fie on you, summary.
"Oooh baby, I love the way that feels..." (Score:1)
Contrarily, and with much humor, the opposite should also be stated: "What? You are just going to leave me like that?", "You're in love with the other machine in 12-items or less! You bastard!", "Sure you'll commit to buying that 12-pack of beer. It's just too bad you'll never commit to our