Biometric Payment Arrives in a Store Near You

"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"

thoughts

[yagu]

From the article:

The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token or account number that's tapped into a computer or spoken over the phone?

WTF? How can they say that? Don't they know how many times each day people lose their fingers? Not to mention the countless times people give each other the finger! (Done so a few times myself.)

Also:

It's similar to the finger-scan technology used at theme park gates. Those systems take measurements of patrons' hands and fingers and link them to a multi-day pass to prevent several people from using one person's pass.

I experienced this at Epcot... in Orlando. I don't know if it was in its experimental phase, but it introduced lots of confusion as people entered the park. And, it was not clear how or where it was used the rest of the time we were in the park -- if it was exclusively to prevent abuse, so be it, but it was an eerie experience at the gates.

I do wonder about the statement: (FTA)

The company pledges not to sell or rent personal information, or access to it. The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.

How can that be? I know my prints are on file (Top Secret clearance, cool!), but I wonder how these prints would differ. Are they storing some kind of hash with no backup of the original scan or image? Weird, but doubtful.

I think this is great technology as people get more comfortable with it. I would (and do) worry about how soon people get good at counterfeiting fingerprints. Thought I'd read a couple of articles on that very hack and that hacking fingerprints turned out not to be too very hard. Any resources on that?

Regardless, great point about it not being that much different (and quite a bit less likely to wander off) from keychain fobs, credit cards, etc.

Gummibears anyone?

[sbaker]

Didn't Slashdot run a story a while back about a supermarket fingerprint pay
system that was tried a year or so ago? It could be faked out REALLY easily
using a Gummibear.

I can't find the slashdot story - but check this out for example:

http://www.theregister.com/2002/05/16/gummi_bears_ defeat_fingerprint_sensors/ [theregister.com]

Does this new gizmo do something magical to avoid this rather easy attack?

Just google gummibear and fingerprint and you'll find a gazillion How To
articles.

If the biometrics guys are 'a bit puzzled by customer privacy fears" then
they are horribly ill-informed!

I can avoid leaving my credit card lying around for someone to steal - but
it's very hard indeed to avoid leaving my fingerprints in all sorts of
public places. If I could find out how to defeat their scanner so easily
with about 10 seconds of Googling - you can be very sure that the bad guys
will be lining up.

Nothing new

[Anonymous Coward]

How is this news? The Pay-By-Touch service has been in like every Cub Foods (grocery store chain) in the Minneapolis area since I moved here.

Re:thoughts

[DrSkwid]

> "The company pledges not to sell or rent personal information, or access to it."

That should read "The current management of the company pledges not to sell or rent ...."

http://www.paybytouch.com/privacy_policy.html [paybytouch.com]

Notification of Changes
If we make material changes to this policy, we will notify you here, by email, or by means of a notice on the Pay By Touch homepage so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we may disclose it. We will update our privacy policy from time to time.

Notice the OR, they can change their TOS any time and promise to change their TOS page accordingly.

Pay By Touch may share your personal information with companies that Pay By Touch contracts to privately and securely verify your identity, process your payments, cash your checks, and prevent fraudulent use of the Pay By Touch services.

We all know how secure third parties are.

"In some cases Pay By Touch may provide algorithm or sensor vendor partners who have entered into confidentiality agreements with Pay By Touch with anonymous biometric scans. These companies use the anonymous test scans only to develop, test, modify and improve the performance of their hardware and software products related to the Pay By Touch services. These test scans are not linked to any personally-identifiable identity or account information."

Er, they are fingerprints, how anonymous are fingerprints!

http://www.paybytouch.com/member_terms.html [paybytouch.com]

THE PAY BY TOUCH SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES OR REPRESENTATIONS WHATEVER OF ANY KIND, WHETHER EXPRESS OR IMPLIED. Pay By Touch will not be liable or responsible for any damage or injury caused by your use of the Service.

Great, that's the feel good factor !

Re:thoughts

[demigod186]

I agree with your comments, but they are technically correct about the fingerprints being different. The government stores them as images on what are called "ten print" glass plates. Most matching is still done by hand.

There are two reasons why the fingerprints are different. The first is that they don't store the fingerprint or any image of the finger print, they run a filter to make the initial image black and white(no grays). Then they run an edge detection filter to make the lines obvious. An algorithm is then run that locates minutiae points. There are about 5 different types of minutiae(when a line becomes two, when two lines converge, an arch, a loop, a whorl). The distances between the points(about 12) is computed, and the whole thing is turned into a weighted undirected graph. They use graphs so that even an upside down fingerprint will match with the original.

Only the graph is saved, and the graphs are compared to verify identity. The fingerprint data that my company uses is less than 1k of data consisting of only minutiae type, links to other minutiae, and distances. So in other words, there is no way to get an image of the finger back, so the police can't use it(for manual matching).

The second reason is the that there is a union for the police workers that do fingerprint matching, and they have put up a fit to make sure that the police departments only use picture prints or ten prints(Job protection).

Re:Uhh...

[frisket]

No, because the crooks can just chop off your finger and use it.

Does anyone remember...

[Red Samurai]

The story on fingerprint scanners being fooled by play-doh? I can't find the bloody link anymore though.

Modern Biometrics

[cdrguru]

It is important to know that these sensors are not optical in any way. They are using sensors similar to those from Authentec which use an RF scan to penetrate the first layer of skin. This eliminates problems with "too wet" and "too dry" fingers and also prevents spoofing by just about everything except cutting the finger off.

There are some systems that can be fooled much easier, but they are not being used by PayByTouch. Nor is anyone serious about using a fingerprint scanner anymore.

Microsoft sells an optically-based fingerprint scanner that can be fooled by latex molds, gummi bears and lots of other stuff.

Re:Gummibears anyone?

[plover]

Superglue, cameras, blank circuit boards, and etchant are required to make the mold. All crap I have had laying around my house for the past 20 years. And gelatin is require to make the fingerprints. That's in my pantry, and not so old. The last two ingredients are knowledge (see the link) and the lack of ethics that keep normal people from committing crimes (in sadly short supply.)

"Gummibear fingerprints" are not certainly not FUD (although they're not made from real gummibears.) They're a real attack that's easy to make, and fun to eat!

The reasons they'd work so well for fraud are numerous. First, while it's pretty easy to keep track of your fingers, it's virtually impossible to "guard" your fingerprints. You leave them everywhere -- your phone, doorknobs, keyboards, dishes, plastic bags, everywhere. It just takes a little bit of "Hardy Boys Detective Handbook" work to photograph them. Making a circuit board from a photograph is something I did a lot in 7th grade, but nowdays digital cameras and laser printers are more common than photographic enlargers. And even I can mix up gelatin without burning down the kitchen.

The neat thing is that gelatin itself is the ideal material for forging fingerprints. It is simply animal protein (it's pretty much ground up cow hooves and collagen, if you want the real details.) It's biotic matter, so it has roughly the same electrical capacitive properties as human skin. It's thin and transparent, so a "pulse detector" that senses the infrared pulses given off by circulating blood can see right through it. And if you wet it, it's kind of sticky and can easily be applied to the fingertips before heading to the cash register. Once applied, they're virtually impossible to see. Gelatin is almost indistinguishable in every way from human skin.

Everything that a fingerprint scanner can be built to look for (at a cheap enough price to sell to grocery stores) is right there on your fingertip. Even if the alarm bells sounded and the guards came running, you'd still have time to pop your finger into your mouth and eat the evidence.

Re:thoughts

[JWSmythe]

Cashiers don't even look to see the name on a credit card matches the drivers license. What would make you think that they'd pay attention to a bit of discoloration on the index finger?

    Over the years, I've sent girlfriend's out with my credit card to buy things. Only once has one been refused. It's pretty obvious that it's a guy's name on the card, and a girl trying to use it. Even if they checked ID's, they'd see the last names weren't even similar.