Forgot your password?
typodupeerror

Biometric Payment Arrives in a Store Near You 206

Posted by ScuttleMonkey
from the new-string-of-finger-thefts dept.
"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"
This discussion has been archived. No new comments can be posted.

Biometric Payment Arrives in a Store Near You

Comments Filter:
  • Uhh... (Score:5, Insightful)

    by Poromenos1 (830658) on Saturday June 24, 2006 @01:13PM (#15596993) Homepage
    how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?

    Because you leave them on everything you touch?
    • Uh.. aren't you elite enough to wear those fancy white gloves?
      • hospital grade latex gloves do not prevent fingerprint leakage, no matter what TV says

      • Re:Uhh... (Score:3, Funny)

        by Joebert (946227)
        Forget gloves, I'm waiting for the fluke where residue from the last print mixing with my print comes up in the computer as Micheal Jackson.
        Clerk: Uhhh, Micheal, Jackson ?...
        Me: Yeeeeah, I had them take it all off & start from scratch.
    • Re:Uhh... (Score:5, Insightful)

      by MarkByers (770551) on Saturday June 24, 2006 @01:20PM (#15597024) Homepage Journal
      And you can't cancel (change) your fingerprint if someone finds out what it is.
      • And you can't cancel (change) your fingerprint if someone finds out what it is.

        Quoth Helena Bonham Carter in Fight Club:

        "They're inside burning their fingerprints off with lye. The smell is terrible."

        A little more painful than cutting up a credit cArd, granted. At least to some people.
      • Re:Uhh... (Score:5, Insightful)

        by eclectro (227083) on Saturday June 24, 2006 @02:20PM (#15597279)
        And you can't cancel (change) your fingerprint if someone finds out what it is.

        And you can't stop the production of gummy bears [extremetech.com]

        I could probably travel the world on a single package of gummy bears and a set of prints lifted from the sides of soda cans, tossed in the trash outside the convenience store.

        Just remember though, outlaw gummy bears, and only outlaws will have gummy bears.
      • Re:Uhh... (Score:3, Insightful)

        by AnyoneEB (574727)
        It does not matter. A person's fingerprint is not a secret. You leave them everywhere. (Unless you wear gloves all the time.) I assume the cashier watches the customer scan their fingerprint, so they know the fingerprint belongs to the customer. If someone comes in and tries to scan a finger not connected to anything, the cashier will probably suspect something.
        • "If someone comes in and tries to scan a finger not connected to anything, the cashier will probably suspect something."

          Which is why you imprint the alternate fingerprint on a adhesive film and put it on your own finger.
    • Re:Uhh... (Score:3, Informative)

      by frisket (149522)
      No, because the crooks can just chop off your finger and use it.
    • Re:Uhh... (Score:3, Interesting)

      by cyriustek (851451)
      Another issue is that your fingerprint must be stored somewhere else in a database. This leaves room for an attacker to use a digital copy of your fingerprint for other transactions.

      Somebody please correct me if I am wrong, but this is nowhere as safe as a private/public key. If the external party saved your public key, there is no worry. However, your fingerprint does not have two version, one being public, and one being private for signing. On the bright side, they can combine a pin number with the finger
    • If this was Digg, I'd mark this "old news." We've had this at Jewel stores in the Chicago area for almost a year.
      Haven't tried it myself, though. I use Peapod.
  • thoughts (Score:3, Informative)

    by yagu (721525) * <yayagu.gmail@com> on Saturday June 24, 2006 @01:14PM (#15596994) Journal

    From the article:

    The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token or account number that's tapped into a computer or spoken over the phone?

    WTF? How can they say that? Don't they know how many times each day people lose their fingers? Not to mention the countless times people give each other the finger! (Done so a few times myself.)

    Also:

    It's similar to the finger-scan technology used at theme park gates. Those systems take measurements of patrons' hands and fingers and link them to a multi-day pass to prevent several people from using one person's pass.

    I experienced this at Epcot... in Orlando. I don't know if it was in its experimental phase, but it introduced lots of confusion as people entered the park. And, it was not clear how or where it was used the rest of the time we were in the park -- if it was exclusively to prevent abuse, so be it, but it was an eerie experience at the gates.

    I do wonder about the statement: (FTA)

    The company pledges not to sell or rent personal information, or access to it. The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.
    How can that be? I know my prints are on file (Top Secret clearance, cool!), but I wonder how these prints would differ. Are they storing some kind of hash with no backup of the original scan or image? Weird, but doubtful.

    I think this is great technology as people get more comfortable with it. I would (and do) worry about how soon people get good at counterfeiting fingerprints. Thought I'd read a couple of articles on that very hack and that hacking fingerprints turned out not to be too very hard. Any resources on that?

    Regardless, great point about it not being that much different (and quite a bit less likely to wander off) from keychain fobs, credit cards, etc.

    • Company pledges (Score:5, Insightful)

      by plover (150551) * on Saturday June 24, 2006 @01:18PM (#15597016) Homepage Journal
      From TFA: The company pledges not to sell or rent personal information, or access to it.

      I read this line too and it made me want to scream. "Company pledges" are worth exactly shit these days. "We pledge to protect your privacy and retain the right to alter this pledge at any time." "We pledge to never sell or distribute all of this personal information that we insist on gathering, really, unless we're bought out by another company that doesn't pledge this."

      I don't want pledges. I don't want them to have this info, period. I don't want to receive marketing from them any more than I want it from third parties.

      Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for marketing purposes of any sort."

      Those are some pledges that I'd be slightly more inclined to believe.

      • Re:Company pledges (Score:5, Insightful)

        by sbaker (47485) * on Saturday June 24, 2006 @01:26PM (#15597043) Homepage
        It's hard to imagine anything that's more personally sensitive than SWIFT banking transactions - and they gave those records up to the US government in no time flat!

        These days you have to assume that any item of data you give to anyone is insecure from that point on.

      • Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for
      • "I don't want them to have this info, period."

        Of course, with fingerprints the problem is that everyone from the police to the bum in the park picking up your discarded soda can has that info. Period.

        And the real bitch is that as idiots like this company and politicians and law-enforcement yearning for easy solutions start making biometrics like DNA and fingerprints prevalent in society, the incidence and ease of forgeries will make the current card skimming frauds look like a fart in a shitstorm.
    • Re:thoughts (Score:5, Informative)

      by DrSkwid (118965) on Saturday June 24, 2006 @01:50PM (#15597146) Homepage Journal
      > "The company pledges not to sell or rent personal information, or access to it."

      That should read "The current management of the company pledges not to sell or rent ...."

      http://www.paybytouch.com/privacy_policy.html [paybytouch.com]

      Notification of Changes
      If we make material changes to this policy, we will notify you here, by email, or by means of a notice on the Pay By Touch homepage so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we may disclose it. We will update our privacy policy from time to time.

      Notice the OR, they can change their TOS any time and promise to change their TOS page accordingly.

      Pay By Touch may share your personal information with companies that Pay By Touch contracts to privately and securely verify your identity, process your payments, cash your checks, and prevent fraudulent use of the Pay By Touch services.

      We all know how secure third parties are.

      "In some cases Pay By Touch may provide algorithm or sensor vendor partners who have entered into confidentiality agreements with Pay By Touch with anonymous biometric scans. These companies use the anonymous test scans only to develop, test, modify and improve the performance of their hardware and software products related to the Pay By Touch services. These test scans are not linked to any personally-identifiable identity or account information."

      Er, they are fingerprints, how anonymous are fingerprints!

      http://www.paybytouch.com/member_terms.html [paybytouch.com]

      THE PAY BY TOUCH SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES OR REPRESENTATIONS WHATEVER OF ANY KIND, WHETHER EXPRESS OR IMPLIED. Pay By Touch will not be liable or responsible for any damage or injury caused by your use of the Service.

      Great, that's the feel good factor !

      • Re:thoughts (Score:3, Insightful)

        by JWSmythe (446288) *
        Well, on the anonymous scan part, that is pretty obvious. They're providing a box to developers like you and I. We touch it, it returns a fake record. If it works, it'll return the same fake record every time. If it has a false, it'll probably return a different fake record.

        I'm not particularly comfortable with it still.

        As someone else said, your fingerprints are everywhere.

        Say this does become wide spread. Everyone's using it. I go into a high dollar sto
        • This might seem an obvious point, but wouldn't the cashier probably notice you holding up a fake finger to the device? I guess you could make a latex thimble with the faked print on instead.
          • Re:thoughts (Score:3, Informative)

            by JWSmythe (446288) *
            Cashiers don't even look to see the name on a credit card matches the drivers license. What would make you think that they'd pay attention to a bit of discoloration on the index finger?

                Over the years, I've sent girlfriend's out with my credit card to buy things. Only once has one been refused. It's pretty obvious that it's a guy's name on the card, and a girl trying to use it. Even if they checked ID's, they'd see the last names weren't even similar.
    • If it is in fact a completely different scan that cannot be linked to law enforcement scans that is an awesome technology. DNA even wouldnt be that big of a deal if law enforcement didnt have that type of DNA id. If the two are different, I think it is much less of a privacy issue. We know the govt will take databases en masse to "look for things" so if this is different than their system, they cant simply use it to get around those pesky warrants. (which is a whole different situation, it isnt like a war
      • Look, it's some form of identification of a person, allright?

        So let's assume the FBI wanted to figure out who a person with those characteristics were. What do you think the FBI would do? They would contact Pay By Touch, and Pay By Touch would give them the data they wanted.

        It doesn't matter at all if it's not "the same". If it's some kind of hash, it still uniquely identifies the customer from their fingerprint, and would be useful to law enforcement. If it's some other way of identifying people from f

    • Re:thoughts (Score:2, Informative)

      by demigod186 (934599)
      I agree with your comments, but they are technically correct about the fingerprints being different. The government stores them as images on what are called "ten print" glass plates. Most matching is still done by hand.

      There are two reasons why the fingerprints are different. The first is that they don't store the fingerprint or any image of the finger print, they run a filter to make the initial image black and white(no grays). Then they run an edge detection filter to make the lines obvious. An algor
      • Re:thoughts (Score:3, Insightful)

        by fyngyrz (762201)

        Only the graph is saved, and the graphs are compared to verify identity. The fingerprint data that my company uses is less than 1k of data consisting of only minutiae type, links to other minutiae, and distances. So in other words, there is no way to get an image of the finger back, so the police can't use it(for manual matching).

        All they have to do is use your equipment to generate a matching graph of the fingerprint in question, and the police can match against your records that way. In other words,

    • I experienced this at Epcot... in Orlando.

      Me too, there is a thriving business in Florida selling used tickets. The people on the gates of Disney simply wave you through if the fingerprint machine flags a problem. The machine let me through even though I bought a dog eared ticket from some dude in a hot-air-balloon shaped kiosk.

      Just one more point:

      backed by $130 million in VC cash

      Holy Shit! The (failed) Beagle Mars lander only cost 40 million GBP ($71 million) to launch and was a much better idea IMHO.

    • From the sounds of it they are either recording the information based on something different that cannot be used to reconstruct the data pattern currently in use at places like the FBI, or they are hashing the results prior to storage. In either case the data they have would be no use to the FBI etc.

      I haven't gotten a chance to do much digginng into fingerprint recognition, but it appears to be based on the anomolies in your prints. There's probably a name for them... spots where there are enclosing circ
  • Gummibears anyone? (Score:5, Informative)

    by sbaker (47485) * on Saturday June 24, 2006 @01:15PM (#15597001) Homepage
    Didn't Slashdot run a story a while back about a supermarket fingerprint pay
    system that was tried a year or so ago? It could be faked out REALLY easily
    using a Gummibear.

    I can't find the slashdot story - but check this out for example:

    http://www.theregister.com/2002/05/16/gummi_bears_ defeat_fingerprint_sensors/ [theregister.com]

    Does this new gizmo do something magical to avoid this rather easy attack?

    Just google gummibear and fingerprint and you'll find a gazillion How To
    articles.

    If the biometrics guys are 'a bit puzzled by customer privacy fears" then
    they are horribly ill-informed!

    I can avoid leaving my credit card lying around for someone to steal - but
    it's very hard indeed to avoid leaving my fingerprints in all sorts of
    public places. If I could find out how to defeat their scanner so easily
    with about 10 seconds of Googling - you can be very sure that the bad guys
    will be lining up.

    • by SubliminalVortex (942332) * on Saturday June 24, 2006 @01:32PM (#15597072)
      Touching a "gummy bear" in a way in which it wasn't intended is just plain wrong. Gummy bears are meant to be eaten not fondled.

      Also, do you know how old that gummy bear is? You might be touching an under-aged gummy bear.

      One might have a gummy bear fetish. (hrmpphph they are tasty.....)

      • Anything I do with a consenting gummibear in the privacy of my own home is none of your business, you rights-constricting lowlife!
    • Wow, did you actually read the article that you linked against? That basically had nothing to do with gummibears-- the example of them was only as FUD against biometrics. The real techniques required circuts, cameras and chemistery.
      • "Wow, did you actually read the article that you linked against? That basically had nothing to do with gummibears-- the example of them was only as FUD against biometrics. The real techniques required circuts, cameras and chemistery."

        Yes - I did read it. As I understand it, the process is:

        1) Use some cyanoacrylate (superglue) - just as the police forensics guys do - to 'develop' the latent print into something you can see.
        2) Photograph it with a regular digital camera.
        3) Print the photo (using your compute
      • by plover (150551) * on Saturday June 24, 2006 @05:02PM (#15597886) Homepage Journal
        Superglue, cameras, blank circuit boards, and etchant are required to make the mold. All crap I have had laying around my house for the past 20 years. And gelatin is require to make the fingerprints. That's in my pantry, and not so old. The last two ingredients are knowledge (see the link) and the lack of ethics that keep normal people from committing crimes (in sadly short supply.)

        "Gummibear fingerprints" are not certainly not FUD (although they're not made from real gummibears.) They're a real attack that's easy to make, and fun to eat!

        The reasons they'd work so well for fraud are numerous. First, while it's pretty easy to keep track of your fingers, it's virtually impossible to "guard" your fingerprints. You leave them everywhere -- your phone, doorknobs, keyboards, dishes, plastic bags, everywhere. It just takes a little bit of "Hardy Boys Detective Handbook" work to photograph them. Making a circuit board from a photograph is something I did a lot in 7th grade, but nowdays digital cameras and laser printers are more common than photographic enlargers. And even I can mix up gelatin without burning down the kitchen.

        The neat thing is that gelatin itself is the ideal material for forging fingerprints. It is simply animal protein (it's pretty much ground up cow hooves and collagen, if you want the real details.) It's biotic matter, so it has roughly the same electrical capacitive properties as human skin. It's thin and transparent, so a "pulse detector" that senses the infrared pulses given off by circulating blood can see right through it. And if you wet it, it's kind of sticky and can easily be applied to the fingertips before heading to the cash register. Once applied, they're virtually impossible to see. Gelatin is almost indistinguishable in every way from human skin.

        Everything that a fingerprint scanner can be built to look for (at a cheap enough price to sell to grocery stores) is right there on your fingertip. Even if the alarm bells sounded and the guards came running, you'd still have time to pop your finger into your mouth and eat the evidence.


    • My bank requires that their customers provide a password so that they can "verify" who their dealing with over the phone, or even at the teller line. Here's the funny part...the tellers will just ask, out in the open, "what's your password?" and the customers just stand there and blurt them out for anyone to hear. It's the dumbest form of "security" I've seen.
  • by SubliminalVortex (942332) * on Saturday June 24, 2006 @01:16PM (#15597004)
    Fingers today only, next month, we charge an arm and a leg!
  • by Who235 (959706) <{secretagentx9} {at} {cia.com}> on Saturday June 24, 2006 @01:17PM (#15597010)
    Officials from the Tampa police department respond to a rash of armed index finger amputations. Meat cleaver sales rise, while guitar sales plummet.

    Film at 11:00.
  • by Manip (656104) on Saturday June 24, 2006 @01:19PM (#15597018)
    Some people's fingerprints can't be scanned by these machines... Last year I went to Florida and they have fingerprint machines at all the big theme parts and at the airport. None of these machines could pick up my prints... And every second time I used them I got rejected ... So this flawless technology is anything but... I do nothing special with my hands, so it must be one of those "from birth" things... But if you're unlucky like I am then don't expect to be paying with your fingers any time soon. I am not looking forward to going back though American customs as I know the fingerprint machine will reject my prints and I'll get sent home or something crazy.
    • The Pay-By-Touch sales representative that I met with a couple years ago told me that about 1-2% of the population has fingerprints that can't be read by their machine. Particularly affected were 'pineapple pickers.' He said the combination of the enzymes and acids in the pineapple juices plus the rough texture of the plants caused their fingerprints to be completely obliterated.
      • This is true about the 1-2% of the pop. Those people don't produce enough oil on their skin.
        • Those people don't produce enough oil on their skin.

          The Pay-By-Touch salesman wasn't referring to the "oily fingerprints left as evidence at the scene of a crime", he was referring to the actual ridges and whorls on the surface of the skin. The PBT reader doesn't look for skin oils, it just reads the surface profile looking at the ridges, intersections and islands. The pineapple pickers simply don't have any texture at all on their fingertips.

  • by NeuroManson (214835) on Saturday June 24, 2006 @01:20PM (#15597025) Homepage
    "After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?"

    Just look at murder victims whose hands have been lopped off to hide their identities. It doesn't take much of a (morbid) leap of logic that someone could hold onto a thumb, and surrepticiously use it to withdraw someone's entire finances.
  • After all the bullshit being done the Government lately, I don't goddamned well think I'll sign up for any voluntary fingerprinting.
  • Let's face it... biometric authentication/payment is really cool. As long as I can be sure the cryptographic basis of it is secure (i.e., that my fingerprint can't be recreated from it), I would be comfortable using it. But you know, most of the world is stupid and doesn't understand this kind of stuff, or has stupid opinions about it, and will be afraid of it. I understand that people are afraid about invasion of privacy and identity theft, but the issue should be "Are we sure that company $X's implemen

    • How about "Biometrics are horrible security methods"? YOu can cancel CC numbers, revoke certificates, and change passwords. How the fuck do you change your fingerprint? You can't. Its comprimised once (and these machines are easy to fool) and you have no security.
      • Yeah. That's a good excuse, I agree. But my point was that the majority of the population will reject it because it is "creepy" to them, without considering how it actually works or the real risks and rewards.

        What someone needs to do is create a smart card with a built-in fingerprint reader and PIN pad, so you can use your own, totally secure device. It will authenticate you using the PIN and fingerprint, and then allow you to cryptographically authenticate to another device (e.g. the payment system at

    • But you know, most of the world is stupid and doesn't understand this kind of stuff, or has stupid opinions about it, and will be afraid of it.

      Don't mind me, I'm just buying some powder, a makeup brush and tape. Don't mind my friend in line ahead of you, he's just testing out his new windex on the fingerprint reader to make sure the bottle isn't defective.

      I'm not "stupid" but I do have opinions of this. Based on their demo [paybytouch.com] (flash) they use a simple pad-based scanner where you press your finger, rather tha
      • Oh. That's stupid, the swipe-based ones are more secure, take less space, are cheaper to build (I would suspect a row of LED's and optical sensors is cheaper than an entire grid of them or a small camera), and look niftier.

  • 'The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'

    But just watch...it could be USED by law enforcement in about ten seconds!

    California has required you to give a scanned fingerprint for years just to get or renew your driver's license. I've always wondered how many divisions of law enforcement now have MY fingerprint in their dtatbase. When I asked the guy at the DMV, he said he didn't know, but was SURE that law enforcement could access the

  • by CrazyJim1 (809850) on Saturday June 24, 2006 @01:27PM (#15597048) Journal
    Mugger steals your finger, worse.
    • Many fingerprint readers can detect whether the finger is alive or dead, which should help partially solve this problem (but only if all fingerprint readers use this technology, otherwise they will just exploit the one that doesn't).

      The other two issues that I think are more important (and mentioned already above) are:

      * Your fingerprint is basically public information - you leave a copy of it on everything you touch
      * Unlike a bank card or a password, it cannot be changed once it is compromised.

      Together thes
    • There are some people willing to steal a wallet. There are not very many that will steal a finger.

      Credit card fraud cases don't get much attention since they are a dime a dozen. Violent assault cases get much more attention, and thus have a much greater chance of getting caught. I think most criminals willing to attack a human and take their finger would find the risk outweighs any potential gains.
      • There are some people willing to steal a wallet. There are not very many that will steal a finger.

        The argument is that stealing a wallet has, historically speaking, been a profit-making enterprise. Stealing a finger, however, has not. The use of a fingerprint for authentication changes the status quo; now stealing a finger offers the same motivation: Profit. The argument is that this will create the pool of folks who will steal fingers in a natural manner.

        Before you attempt to bring to the argument

        • There is still a limited window of opportunity for using the finger. You chop off my finger, relatively soon, I'm going to notify my bank soon, unless you kill me, in which case, you probably would have killed me for my wallet and credit cards anyways. Most criminals are cowards, looking for a safe, easy mark. Stealing a finger is neither safe nor easy. You can do all sorts of things to make finger stealing unprofitable. Let the user choose which finger it is (so the attacker doesn't know which one to t
          • You chop off my finger, relatively soon, I'm going to notify my bank soon

            Same as a credit card. "Use the asset quickly" is not a hurdle criminals don't understand.

            Stealing a finger is neither safe nor easy.

            The same can be said about stealing a wallet or burgling a home. Yet, these are common.

            Let the user choose which finger it is (so the attacker doesn't know which one to take),

            Well, (a) they can take them all, or (b) they can simply watch you buy something so they know which one it is

        • There's nothing inherently difficult about making a severed finger or removed eye show lifesigns, from pulse to micromovements to blinking.

          Ehhhh?? This is a very bizarre statement to make. So, you've chopped someone's finger off and there's blood everywhere. It's pretty much all leaked out of the finger. How exactly do you use this in the next 30 minutes to purchase something, without suspicion, whilst making blood pump through it?
          • So, you've chopped someone's finger off and there's blood everywhere. It's pretty much all leaked out of the finger.

            The finger won't leak much blood. It's not attached to a a heart to pump it, you see. So, no blood pressure. The stump will leak blood, but that's not a technical problem for the thief. It might even be an advantage, because...

            How exactly do you use this in the next 30 minutes to purchase something, without suspicion, whilst making blood pump through it?

            ...you come prepared to yo

  • Print Scanners? (Score:2, Interesting)

    by Fusione (980444)
    Iris scanners are not that expensive anymore, and I don't understand why thumb scanners are used anywhere outside of having a little usb toy attached to your computer. This confusion doubles when you consider it in situations where security is very important, like cash transactions.
    • Iris scanners are not that expensive anymore, and I don't understand why thumb scanners are used anywhere outside of having a little usb toy attached to your computer.

      Perhaps because most people are more comfortable with having a finger chopped off than having an eye (or both) ripped out of their head?

      On a smaller scale, they're probably also more comfortable with laying a finger on a pad than putting their eye up to an eyecup or having a "guaranteed safe" laser probe them in the eye.

  • by zephc (225327) on Saturday June 24, 2006 @01:34PM (#15597080)
    finger-print scanners as payment. Check.
    fuel from anything in 9 years. Check.

    Now all we need hoverboards and Pepsi Perfect.
  • by anaesthetica (596507) on Saturday June 24, 2006 @01:37PM (#15597092) Homepage Journal

    Scuttlemonkey wrote "An anonymous reader writes..." despite the fact that this is my journal [slashdot.org] entry, and says qo quite clearly at the top of the story: "Journal written by anaesthetica (596507) and posted by ScuttleMonkey on 14:12 Saturday 24 June 2006"

    I mean, I may not stand out in a crowd, but this is just an unnecessary blow to my ego.

  • Others use it, too (Score:2, Interesting)

    by johnmoe (103704)
    Cub Foods also uses it. You need to enter a 7 digit number along with your finger print. It really didn't seem easier than swiping a card and entering a four digit number, so I didn't go with it. They suggest using your phone number for the seven digit number. I imagine the number is needed to make the database lookup practical. I wonder what would happen if LOTS of people started using the same seven digit number "1234567"...
    • by mark-t (151149) <markt@ l y n x.bc.ca> on Saturday June 24, 2006 @02:51PM (#15597420) Journal
      The 7 digit number is probably there to conform to the normal standard of requiring two pieces of ID for confirmation of who you are. The 7 digit number is one, and your fingerprint is the other. This not only confirms your identity but also confirms that their records are accurate with respect to any identification that you have previously provided them with. If something doesn't match up with their records, they can ask you for details and confirm your identity another way before processing your payment.
    • I'd bet there are many duplicate fingerprints as far as their scanners are concerned if they need you to use such a long pin. The system probably functions primarily on your pin, using a relatively low quality fingerprint scan for verification or duplicate resolution in case two people have the same pin.
  • here is a similar article about the same thing:
    http://www.businessweek.com/technology/content/mar 2006/tc20060328_901806.htm [businessweek.com]

    For all you phobic people out there who don't want them to "have a copy of your fingerprint" from what I found out from the employees it doesn't work that way. It doesn't store your fingerprint, just certain points on it. So really there is not a way to one way hash back to your actual fingerprint. Now, maybe the employee didn't know what they were talking about but for them to have
    • *most fingerprint systems don't store the actual fingerprint*.

      The easiest, most computationally inexpensive way to check fingerprints against a database is to hash the print that you found at the crime scene--or the point of sale--and compare it to a database of hashes stored in the same way.

      If you have the hash database, you have the fingerprint. Just because it's not the *same* hash as what law enforcement uses doesn't stop the NSA from using it against you. If you had more than one hash database, you m
    • Actually this is how all law enforcement data bases work. They find places where print ridges have certain kinds of discontinuities, bifurcations etc... then store the potions of these points relative to each other. Very few database matches rely on a complete match, nor are they actually comparing actual pictures of prints, but rather how many points in common line up. Since lifting prints often distorts the print or misses some areas, exact matches are really ever found, but the quality of the match go
      • then store the potions of these points relative to each other

          Eye of frog, tail of newt, wing of bat, potion of fingerprint points. Great. Now they've resorted to spell-casting in order to confirm identities.

          Ok, it's not that funny. Laugh anyway.

          (Good points, BTW. I doubt these people's databases are any more secure than anyone else's - which means, not.)

        SB
  • Fingerprint payment is already in trial in the UK by the Co-op.

    More info:
    http://www.computing.co.uk/computing/analysis/2158 818/op-users-back-pay-touch [computing.co.uk]
  • Which finger did they want on file, again? :eg:

  • The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.
    No, but the fingerprint is. And I'm SURE some (compan(y|ies)|government[s]?) out there have a process for generating a unique hash of a fingerprint from any high-quality scan of it.
  • Piggly Wiggly has been doing this for at least a year from what I know.

    http://www.findbiometrics.com/viewnews.php?id=2264 [findbiometrics.com]
  • by daeg (828071)
    We did an interview with these guys long before the SP Times did, when they first started rolling the system out in the Bay area. Supposedly their machines require a normal body temperature and a pulse to be detected and the process can take a few seconds.

    Also note that the system is closed. Merchants have no ability to troubleshoot or fix their machines, it requires a full visit by the company. It also requires a broadband connection. Yes, it goes over the Internet. Many, many small stores still use dialup
  • Fingerprinting has been commonly associated with criminals in the past and many people that would have problems with being fingerprinted are likely unable to move past that association.

    I do not think it will be an issue in another one or two generations because people are getting fingerprinted more and more for other purposes anyways so the stigma will probably not last forever.

  • bit puzzled by customer privacy fears

    Well, they seemingly are stupid like a dumb ducks behind, and still they will get rich. Why ? Because such moves will be backed heavily by US government, since they will be able to get a nationwide fingerprint database in a few months and they don't even have to pay for it.

    I'd prefer living without money in a jungle than using my fingerprint as a payment method, that's for sure.

    how can using a unique fingerprint for identification be riskier to theft than a plast
  • The story on fingerprint scanners being fooled by play-doh? I can't find the bloody link anymore though.
  • Modern Biometrics (Score:5, Informative)

    by cdrguru (88047) on Saturday June 24, 2006 @03:39PM (#15597589) Homepage
    It is important to know that these sensors are not optical in any way. They are using sensors similar to those from Authentec which use an RF scan to penetrate the first layer of skin. This eliminates problems with "too wet" and "too dry" fingers and also prevents spoofing by just about everything except cutting the finger off.

    There are some systems that can be fooled much easier, but they are not being used by PayByTouch. Nor is anyone serious about using a fingerprint scanner anymore.

    Microsoft sells an optically-based fingerprint scanner that can be fooled by latex molds, gummi bears and lots of other stuff.
  • Stores in my area have been doing that for a while now. It is good to see that /. is up to speed on technology.
  • by gleffler (540281) *
    is a fear of two-factor authentication. Really, the solution here is to keep the fancy fingerprint-system and to *combine* it with a PIN that can be changed readily by presenting a second form of photo ID. This way, if your fingerprints get compromised, your PIN is still unique and you can change it whenever you want. The fact that they're so insistent on "touch it and go without any work!" is the security downfall, and it's kind of sad when it would literally take an extra 10 seconds at most to input a 6-d
  • have had this for about 6 weeks now. I still pay with cash or credit card because the notion of giving my fingerprints to the government (via Jewel) doesn't appeal to me.

    I wonder if any of the people who signed up for this considered the fact that the government could obtain their fingerprints by doing nothing more than getting a subpeona. In fact, I suspect that most businesses would gladly divulge them for the asking, so long as it was for fighting terrorism.

  • So...someone gets your card with your biometric data on it, and the card gets hacked. Now they can make new cards with your info including your fingerprints on it. Fingerprint readers can be faked pretty easily these days, using all sorts of products available in the home. Once your fingerprints along with your ID are stolen, that's pretty much it. You can't change your fingerprints. With username/password or credit card info, if it gets stolen, you can simply change all that info or get a new card with a n
  • "A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions...

    Okay, we just need an Australian court to decide the distribution of remaining assets to Japanese investors on the sellers in Nigerian government officials to make this truly a world-wide

  • Not a print image (Score:3, Interesting)

    by Baavgai (598847) on Saturday June 24, 2006 @07:06PM (#15598299) Homepage
    We use finger print readers where I work. This, of course, only applies to the system I'm familiar with, but I doubt the store one is that divergent. They don't store anything resembling an image, but rather a numerical encoding of a given number of key points. I get the impression the actual process involves some kind of hash number validation.

    The reason that "the fingerprint image recorded is not the same as those collected by the federal government or law enforcement" may be chillingly pragmatic. We were told when implementing our system that if we stored fingerprint data up to government specs we would be required to provide that information to the government. As a result our company, and most others, store data below the threshold that will get them noticed by the feds.

    The fingerprint validation itself is somewhat fluid. Most people don't press the reader the exact same way twice in a row, the finger distorts under different levels of pressure, reacts to environmental changes, and even the current health of the individual. This kind validation requires a level tolerance to be set.

    Some individuals never seem to get a good read, the tolerance for such people needs to be loosened to get any kind of positive feedback. As a result, some of our employees could hoist a big toe on the reader and probably get a pass. I simply wouldn't trust these things not to mistake me for the granny with the bad fingerprints.
  • There is a supermarket chain where I am, Farm Fresh, that has been using fingerprints and "PayByTouch" for atleast a year now. Never tried it, they're food kinda went down the toilet (though they have a good beer selection) so I don't go there that much and the cash I usually use hasn't been rejected yet... It's just one of those POS attachments that sits there but never gets used. Anyone tried it? Anyone had real experience with this system? Is it anything like the fingerprint scanners coming with some lap
  • Sorry, but if I'm to get mugged or defrauded by a desperate criminal, I'd much rather lose my wallet than my thumb or index finger. Just a thought. I can get new credit cards. I can't get a new finger quite as easily.
  • ...large scale studies on the uniqueness of fingerprints (especially the reduced data that is actually stored and compared.)

    In addition, if your "fingerprint" is stolen there is no fix. You can't get a new set from fingerprints-R-us.

Lo! Men have become the tool of their tools. -- Henry David Thoreau

Working...