Biometric Payment Arrives in a Store Near You

"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"

Fingerprints are less reliable ...

[Manip]

Some people's fingerprints can't be scanned by these machines... Last year I went to Florida and they have fingerprint machines at all the big theme parts and at the airport. None of these machines could pick up my prints... And every second time I used them I got rejected ... So this flawless technology is anything but... I do nothing special with my hands, so it must be one of those "from birth" things... But if you're unlucky like I am then don't expect to be paying with your fingers any time soon. I am not looking forward to going back though American customs as I know the fingerprint machine will reject my prints and I'll get sent home or something crazy.

Don't they watch murder shows?

[NeuroManson]

"After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?"

Just look at murder victims whose hands have been lopped off to hide their identities. It doesn't take much of a (morbid) leap of logic that someone could hold onto a thumb, and surrepticiously use it to withdraw someone's entire finances.

But it could be.used by them!

[Newer Guy]

'The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'

But just watch...it could be USED by law enforcement in about ten seconds!

California has required you to give a scanned fingerprint for years just to get or renew your driver's license. I've always wondered how many divisions of law enforcement now have MY fingerprint in their dtatbase. When I asked the guy at the DMV, he said he didn't know, but was SURE that law enforcement could access their fingerprint database without ant warrants.

1984 was 22 years ago. We're WAY past that privacy wise!

Print Scanners?

[Fusione]

Iris scanners are not that expensive anymore, and I don't understand why thumb scanners are used anywhere outside of having a little usb toy attached to your computer. This confusion doubles when you consider it in situations where security is very important, like cash transactions.

I'm not *that* anonymous

[anaesthetica]

Scuttlemonkey wrote "An anonymous reader writes..." despite the fact that this is my journal [slashdot.org] entry, and says qo quite clearly at the top of the story: "Journal written by anaesthetica (596507) and posted by ScuttleMonkey on 14:12 Saturday 24 June 2006"

I mean, I may not stand out in a crowd, but this is just an unnecessary blow to my ego.

Others use it, too

[johnmoe]

Cub Foods also uses it. You need to enter a 7 digit number along with your finger print. It really didn't seem easier than swiping a card and entering a four digit number, so I didn't go with it. They suggest using your phone number for the seven digit number. I imagine the number is needed to make the database lookup practical. I wonder what would happen if LOTS of people started using the same seven digit number "1234567"...

Re:Uhh...

[cyriustek]

Another issue is that your fingerprint must be stored somewhere else in a database. This leaves room for an attacker to use a digital copy of your fingerprint for other transactions.

Somebody please correct me if I am wrong, but this is nowhere as safe as a private/public key. If the external party saved your public key, there is no worry. However, your fingerprint does not have two version, one being public, and one being private for signing. On the bright side, they can combine a pin number with the fingerprint, but the stores I have visited (Farm Fresh) do not require a PIN. Only a fingerprint.

Not a print image

[Baavgai]

We use finger print readers where I work. This, of course, only applies to the system I'm familiar with, but I doubt the store one is that divergent. They don't store anything resembling an image, but rather a numerical encoding of a given number of key points. I get the impression the actual process involves some kind of hash number validation.

The reason that "the fingerprint image recorded is not the same as those collected by the federal government or law enforcement" may be chillingly pragmatic. We were told when implementing our system that if we stored fingerprint data up to government specs we would be required to provide that information to the government. As a result our company, and most others, store data below the threshold that will get them noticed by the feds.

The fingerprint validation itself is somewhat fluid. Most people don't press the reader the exact same way twice in a row, the finger distorts under different levels of pressure, reacts to environmental changes, and even the current health of the individual. This kind validation requires a level tolerance to be set.

Some individuals never seem to get a good read, the tolerance for such people needs to be loosened to get any kind of positive feedback. As a result, some of our employees could hoist a big toe on the reader and probably get a pass. I simply wouldn't trust these things not to mistake me for the granny with the bad fingerprints.