Face To Face With the 'Human Barcode' 111
silentbrad writes with this excerpt from the Financial Post: "Fast-evolving biometric technologies are promising to deliver the most convenient, secure connection possible between you and your bank account — using your body itself in place of all of those wallets and purses stuffed with cash, change and plastic cards. Biometrics is the science of humans' physiological or behaviourial characteristics and it's being used to develop technology that recognizes and matches unique patterns in human fingerprints, faces and eyes and even sweat glands and buttock pressure. Its applications in the financial realm are a potentially huge time and effort saver, but that's just a beginning for the technology's usefulness. ... [BIOPTid Inc.]'s One Touch cube, set to be on the market within a year, is an external device that users can hook up to their computers and mobile electronics to replace passwords for Internet logins and banking. The cube reads a personal sweat gland barcode to verify identity from the moisture on a user's fingertip. ... 'Biometrics is something that's used by governments, it's used by "Big Brother" to keep an eye on us and we want to change that,' says [BIOPTid chief Scott McNulty]
'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"
Re: (Score:2)
but you can change a password (Score:5, Insightful)
Once a biometric has been compromised (e.g., someone obtains a copy of your fingerprints), you're stuffed.
Re: (Score:2)
PLEASE! Buy our device! It's even on Slashdot, you cook geeks!
Re: (Score:2)
you cook geeks!
As long as the instructions are on the side of the box...
Re: (Score:3)
Geeks do not follow the instructions on the side of the box.
They research it on Google then watch a youtube video on how to hack the hamburger helper and customize it for hardcore vegans or how make it code monkey friendly. Then they put their own twist on it and upload the video of their "Hamburger Helper Hack" to youtube and post about it on their blog.
Re: (Score:3)
Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it), it remains useful after compromise. That does only apply to the big-brother scenario though. But even then, this has very high verification cost and negates the claimed advantages.
Otherwise: Biometrics is snake-oil. Without the usual human greed (paired stupidity on customer side), nobody would even be talking about it anymore, as it is completely unsuitable to lower costs as unsupervi
Re: (Score:2)
Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it).
Snork. I just blew coffee out of my nose (luckily I use a Model M and it survived...)
PS: What about people who don't have fingerprints? Pretty much anybody who does manual work will have very little fingerprint on their fingers.
Bank of America already has an answer for that (Score:1)
Not totally. If the biometric fingerprint is verified under controlled conditions (i.e. a competent person supervising it).
What about people who don't have fingerprints?
According to Bank of America, the correct procedure is to refuse to cash a check from an armless man because he doesn't have any fingerprints. http://consumerist.com/2009/09/bank-of-america-asks-armless-man-for-thumbprint.html [consumerist.com]
Re: (Score:2)
Our research shows that people who do manual work are not relevant to the demographic we are targeting. Let them eat cake.
Re: (Score:2)
And getting that fingerprint-lock locker open after an hour in the hot tub at the gym is damn near impossible.
Re: (Score:2)
Re: (Score:1)
There is no such thing as "controlled" conditions. Since the whole point of a security system is, that you don't need a human to check.
If you need a human, you can just leave away the system in the first place.
The whole point of a password, is that only you know it!
But with biometrics, everyone can find them out, if he wants.
And every time some retard presents such a device, somebody makes a laughing stock out of him, by making a copy of his biometrics, and doing funny stuff with it.
Then, the inventor can't
Re: (Score:3)
It depends on the security system - in a highly secure environment where guards or even just an alert receptionist is justified, biometrics do in fact offer a significant additional layer of security. It's only when used on their own that they fail spectacularly.
Re: (Score:2)
Exactly.
Re: (Score:2)
Re: (Score:2)
Once a biometric has been compromised (e.g., someone obtains a copy of your fingerprints), you're stuffed.
Especially if the metric used is "buttock pressure"...
Re: (Score:3)
"Protect themselves?" (Score:5, Insightful)
The best way for me to protect myself with biometrics...is to keep the details of my biometrics out of any government or private company's database, thank you very much.
Re: (Score:2)
The best way for me to protect myself with biometrics...is to keep the details of my biometrics out of any government or private company's database, thank you very much.
Too late. Either they already have it, or they can get it without your knowing they got it.
Brain-damaged (Score:3, Interesting)
Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password. How is this going to protect anybody or anything? At some point, convenience trumping everything else is going to lead to a lot of INconvenient situations.
Re: (Score:2)
Not to worry!
"We think we'll be the only technology that's 'spoof-proof,'" says Scott McNulty, president and chief executive of BIOPTid Inc.
Re: (Score:3)
No way in hell. And I just had some other company representative claim the same thing here a few weeks ago. After careful examination, this claim turned out to be bogus, but it looked good on the surface. I almost felt sorry for the guy, making such claims in front of an audience of skeptic security experts is not a path to happiness.
Re:Brain-damaged (Score:4, Insightful)
Almost though, right? Because honestly, it's an insane claim. Your sensors are measuring an image, we can make very convincing images. Make your sensor fancy, have it measure heat. We can generate heat to incredibly precise degrees faster than you can blink. Heartbeat, capacitance, translucency, these are all child's play once we know what you're looking at. Since your sensors are almost surely of lower resolution than we're capable of reproducing, the key is the algorithm.
Now this? Sweat glands? We can make Blu-Rays, but you don't think we can spoof a sweat gland to the precision that you're measuring it? Please.
My ears will perk up in interest if or when a biometrics company claims that they're measuring an effect we're unable to reproduce. Create a biometric system that authenticates based on the subjective experience of consciousness. Now that's biometrics.
Re: (Score:3)
Its called the Turing Test.
You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?
Re: (Score:2)
Now we're getting somewhere! Now, this test only works if administered by a human, which runs counter to the purpose of having a device, and the specific question will only authenticate that the subject is human, not a specific human, but hey, it's a start.
It's a tricky question though. What is a part of a human, unique for every individual, that we can reliably read often enough that it can be error-corrected, fast enough to be practical, by a device that is cheap enough to be worth the cost of the securit
Re: (Score:2)
You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?
1. Tortoises and turtles can bite.
2. Tortoises are generally quite capable of recovering from being flipped on their back. Natural selection and all that.
Re: (Score:2)
Me, I'd flip the tortoise.
1) It's usually quite simple to flip a tortoise while keeping your fingers safe, that shell severely restricts it's range of motion.
2) Sure, but just like when you're trying to wrestle a sofa up a flight of stairs, a little help from a random passerby is likely to be appreciated. Then again I've met plenty of folks that wouldn't consider engaging in a random act of kindness even for other humans.
Re: (Score:1)
Its called the Turing Test.
You are in the desert, you see a tortoise lying on his back in the hot sun. You recognize his plight but do nothing to help. Why?
Tell me about your mother...
Re: (Score:2)
Re: (Score:2)
If you can read the sensor's output, and inject your own input, you can defeat any system. A keyboard is a sensor too, and just as vulnerable to what you've described.
There are ways to protect against that when it's warranted, but I don't think it has anything to do with biometric systems in particular. If we're going to debate the relative worth of authentication systems, we need to first assume that the system's communication with its host is secure, or they're all exactly the same--worthless.
Re: (Score:3)
Biometrics are more vulnerable to this than passwords are, in two ways:
1) You can enter a password into a remote terminal and have it be verified against a central database without ever transmitting the password in either direction (see challenge-based authentication protocols). You can't do this with biometrics: verification consists of comp
Re: (Score:2)
Biometrics are more vulnerable to this than passwords are, in two ways:
1) You can enter a password into a remote terminal and have it be verified against a central database without ever transmitting the password in either direction (see challenge-based authentication protocols). You can't do this with biometrics: verification consists of comparing the measure against the database entry and determining that the two match to within the desired degree of precision, and this requires transmitting the measured values to the database.
You have a fundamental misunderstanding here. Sending a hash for near-matching in the way you describe is absolutely possible. See MusicBrainz [slashdot.org] for an off-the-top-of-my-head example, but a fuzzy hash is a very basic thing, and already done all over the place.
2) The average user does not leave their password on every surface they touch. In order to inject a password into a compromised reader, the attacker needs to record it from a compromised reader. Biometrics can be obtained through any number of methods that don't involve a compromised reader.
Strawman. While correct, you're disputing something that I was not trying to argue, and I certainly wasn't trying to argue that fingerprint scanners are secure in anyway. A review of the post you replied to will show that it wasn't even implied, so if yo
Re: (Score:2)
PROFIT!
Re:Brain-damaged (Score:4, Insightful)
Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password. How is this going to protect anybody or anything? At some point, convenience trumping everything else is going to lead to a lot of INconvenient situations.
You forgot one: We leave copies of them behind us wherever we go (DNA, fingerprints...).
Re: (Score:3)
Let's see. Easy to fake. Impossible to revoke. Ripe for abuse. No duress password.
And not static either - there are examples of people's fingerprints or retina pattern changing, and medical conditions can occur that makes taking samples impossible. Even DNA isn't necessarily good enough, as identical twins and other clones may share the DNA, while someone having received genetic treatment might not.
So there has to be a backup way to authenticate, in which case the backup way can be more useful to use in the first place.
Place bunghole on reader (Score:2, Interesting)
human fingerprints, faces and eyes and even sweat glands and buttock pressure.
A fellow programmer and I used to joke about developing a bunghole scanner for identification. Not so funny now, is it?
Re: (Score:2)
Watch out for that proprietary connector, it's a little .. wider .. than a standard connector.
No worries, it has rounded corners.
Re: (Score:2)
Re: (Score:2)
Nope - all corners, no rounding, and now approved as the primary authentication method for all official government interactions.
And people still welcomed the change until they realized that it didn't actually reduce the existing B.S. they had to go through.
Re: (Score:2)
Probes should only be used for diagnosing medical issues (see Idiocracy for the reference)
Re: (Score:3)
Then, if you get a Hemorrhoid, figurative PITA will be added to the literal one because you cannot log-on anywhere anymore.
Re: (Score:2)
Re: (Score:1)
human fingerprints, faces and eyes and even sweat glands and buttock pressure.
A fellow programmer and I used to joke about developing a bunghole scanner for identification. Not so funny now, is it?
That's nothing! When I first looked at the above quote I read it as "human fingerprints, feces and eyes". Now that would be an interesting bio metric scanner.
Failure? (Score:5, Interesting)
We have fingerprint readers here. Sometimes, they don't recognize my finger. It's still my finger, but there's nothing i can do to convince it it's me, so I'm stuck and can't do my job until it decides to let me in. Face recognition is the same way. There's no way I can change my face, or alter my fingerprint to make it work, so I basically am just screwed. If there's any chance of that with this, there's no way I want it.
Re: (Score:2)
Re: (Score:2)
Gummy bears.
Biometrics has some potential advantages, but also some really surprising weaknesses. Fingerprint scanners can be tricked by proper application of a gummy bear, and aging or (more suddenly) injury can sufficiently deform any detail structure to the point where the old record is worthless.
There was an article on slashdot a while back on creating finger dummies from gummy bears. It worked very well it seems.
Re: (Score:2)
Actually, you CAN change your face... you just probably don't want too. ....
But say that you happen to have an accident and it caused irreversible damage to your face, would that than also mean you no longer can open any locked files on your computer ?
Sounds like we'll always need a back-door somehow to catch those situations... but OTOH we started using biometrics to close that back-door in the first place
(disclaimer, I did not read the article)
On a side note, every time I see something about biometrics co
biometrics will be broken ... (Score:4, Insightful)
Scan the eyeball it has a deep 3d structure that is unique: opps,
Researchers create synthetic iris that can defeat eye-scanning security systems:
http://www.theverge.com/2012/7/26/3188518/synthetic-iris-scanning-security [theverge.com].
See all the ways to cheat on drug piss tests ....
If it is a system, it can be hacked. No system should ever take validation as 100% proof.
'We think biometrics is something that can be actually used by the people and it becomes their technology that they use to protect themselves.'"
This from the banking system that brought us 4 digit PIN codes that were considered perfect validation. *sigh*
Back in the olden days (Score:2)
You just got mugged for your wallet.
Change password (Score:1)
I can get a new password if it is compromised, it's a lot harder to get new Biometrics.
Re: (Score:1)
Simple: You don't use your body to authenticate, but someone else's. If compromised, you just replace that one. ...
Finally, a new job for unlearned people: Serve as living password! However, password stealing won't be pretty
Biometric System I'd Like to See (Score:4, Funny)
Re: (Score:1)
I'd like to see a biometric system that forces you to perform a little dance in order to authenticate. That would be pretty funny.
Let's just hope nobody ever tries to implement a system that requires you to also "make a little love". I'm imagining the implementation winding up something like Boong-Ga Boong-Ga.
Re: (Score:2)
Biometrics are not a complete security solution (Score:2)
A few ways to crack biometric scanners:
1. Create a physical duplicate of the biometric info good enough to fool the machine, e.g. a rubber thumbprint.
2. Attack not the scanner, but the wire that runs from the scanner to the computer that will analyze the results: Copy the data sent down the wire on a successful scan, and send that data down the same wire to get in.
3. Attack the software that analyses the biometrics to always report "pass".
They're useful, but they aren't unbeatable.
oops, someone wrote a clueless article again (Score:5, Insightful)
Fingerprints are an image file compared to another image file. Iris scans are an image file taken by a camera and compared to another image file. Face recognition is the same. All three of those are infinitely more fake-able than a password.
To get my money now, you have to get it out of my wallet. Good luck. To fake my face, they need to take a picture of my face. That's a bit easier. To fake my fingerprints, they need to get a hold of my fingerprints and I definitely leave those in more places than my wallet. You may recall that the Mythbusters made a laser printed fingerprint on a $100 laser printer, licked it, and got past a top of the line $1000+ fingerprint reader. To fake my iris, they need a closeup of my face, also not so difficult. There really isn't any biometric data that's good enough right now to be used in financial transactions short of a DNA sequence and I'm not giving them a DNA sample and waiting weeks to buy a bagel.
Re:oops, someone wrote a clueless article again (Score:4, Insightful)
If you follow the tech industry long enough, all the hype gets recycled and comes back in slightly regurgitated form later. For example, "thin clients" (the Next Big Thing in 1997) and "cloud" (the Next Big Thing in 2007).
Biometrics were all the rage in the late 1990s, when people were starting to recognize how problematic passwords could be. The enthusiasm died out quickly. Parent has outlined the main reasons why: they're easier to spoof than might first appear, and to use biometrics in authentication requires biometric data to be transmitted and stored (and therefore subject to compromise).
I think face recognition technology is starting to change the tech industry, but not in a good way. It's not used for authentication. It's used for automated surveillance and tracking. *That* is the future of biometrics.
Re: (Score:2)
Change password? (Score:2)
".....Sorry sir, your password is invalid, your hash function needs to be certificated again..."
Oh geez. (Score:2)
buttock pressure.
That machine better be self cleaning, and do a fantastic job at such.
ohh bugger (Score:1)
I thought this was about Geordie football...
Hmm (Score:2)
My eye's iris, which is always visible, is easier to copy than a key or card in my pocket.
I think biometrics offer higher convenience, but lower security.
Am I right
Re: (Score:2)
My eye's iris, which is always visible, is easier to copy than a key or card in my pocket.
I think biometrics offer higher convenience, but lower security.
Am I right
I'm not even sure about the higher convenience. Biometrics can change or become unreadable enough trigger a false negative. Manual labor, chemicals, minor cuts or activities like rock climbing can easily change your fingerprints enough to become unreadable. What happens next? The can't just hand you a spare hand or reset your password. Iris scanner? No more contact lenses, better not get an eye infection, please place your face exactly at the same places where that guy with the running nose was seconds ago.
Re: (Score:2)
Identification != Authentication (Score:5, Insightful)
Identification is the process by which the identity of a user is established, and authentication is the process by which a service confirms the claim of a user to use a specific identity by the use of credentials (usually a password or a certificate).
All biometric systems only do identification. It's about time everyone gets what biometric really is: A FANCY USERNAME.
Re: (Score:2)
Required reading (Score:3)
If you think biometrics is useful for unsupervised authentication, please read this:
http://www.schneier.com/crypto-gram-9808.html#biometrics [schneier.com]
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
Your fingerprints are not secrets.
This Summary Reads Like A Press Release! (Score:4, Insightful)
You know, I'm OK with the occasional bad link or poorly researched story, but could we avoid regurgitating obvious press releases from private companies? Look, editors, I really, really rarely complain about you guys, but we do expect at least a little bit of work in filtering and, you know, editing stories.
Re: (Score:2)
I hate to say it but it totally doesn't surprise me, now that I look, that the editor in question is timothy. *sigh*
Greenlight that baby! (Score:2)
No Biometrics please ! (Score:2)
Biometrics is the most stupid way of authenticating anyone. As soon as someone is able to fake your credentials (and so far it's always been simple - fingerprints, face recognition, etc) you're 0wned. Because you cannot change your credentials. Because your credentials are you.
So biometrics for authentication is a no-no. Only clueless executives can realistically push this forward.
Re: (Score:2)
Oh wow (Score:2)