Biometrics: Prepare to be Scanned

npistentis writes "From an article in the Economist: It has been a long time coming. But after years of false starts, security systems based on biometrics--human characteristics such as faces, hand shapes and fingerprints--are finally taking off. Proponents have long argued that because biometrics cannot be forgotten, like a password, or lost or stolen, like a key or an identity card, they are an ideal way to control access to computer networks, airport service-areas and bank vaults. But biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost: biometric systems are expensive compared with other security measures, such as passwords and personal identification numbers. So while biometrics may provide extra security, the costs currently outweigh the benefits in most cases."

Fingers

I think they may be able to steal my finger with a big knife!

Re:Fingers

What about making a replica finger or eye that looks and feels like the real thing? Rest assured, if there's money to be made from creating such material, any technological shortcomings will be dealt with by the criminal world.

And what about classical hacking using the binary data your biometric details will eventually become once scanned?

Biometrics may sound futuristic and secure, but unlike a password or card, you can't replace your fingerprints or retina with a few keystokes, or have the bank send you a new one.

Re:Fingers

It seems that these sorts of sensors can be fooled using a geletin finger [schneier.com].

right to be uneasy

i'm all in favor of it, but it still does bring my mind back to minority report. Some people have a right to be uneasy.

At least...

Here you'll be treated with dignity. Now strip naked and get on the probulator!

The main problem in my eyes...

The main problem in my eyes is the fact that a biometric system turns a fingerprint or retina scan into a string of ones and zeros. If the software is cracked to reveal this string, then the person who belongs to the fingerprint is *permanently* compromised. You can't change fingerprints like you can passwords.

Re:The main problem in my eyes...

The digital form of the biometric is not really meant to be secret. After all, I can get your fingerprint just by setting up my own print scanner at a store.

The point of the scanner is to tie the binary string to a particular physical object, such as your finger or eye. For instance, suppose that you are visiting store X. If you scan in your finger and the fingerprint matches the one on file, the store is reasonably certain that you are the person who you claim to be.

Of course, this is vulnerable both to compromises of the scanning hardware, and, more importantly, of the central server that would store the biometric data. If, however, we assume a certain level of trust in someone and have them sign all the fingerprints, and also assume that the scanning device correctly produces a print matching that of the person putting their finger on it, then we can prevent most cases of things like identity theft.

Re:The main problem in my eyes...

But in the "Internet Age", where a store or bank is receiving electronic transactions from all over the globe, how can the store or bank have a "certain level of trust" that the data it is receiving is from a biometric scanner and not just a stolen recording of someone else's data?

And just take a look at the ATM thread a couple of articles below this to see how ATMs have been comprimised. Cracking counter-point devices will be childs play in comparison.

Re:The main problem in my eyes...

Other than very closed systems with very good guarantees, there is only one good use for biometrics and that is identification (NOT authentication). Think that instead of typing in your username, you scan something. Stealing that information is about as useful as stealing your username. You still need a seperate authentication step. The social security number nonsense is a good example of confusing identity with authentication. There are several companies out there who think that anyone who can recite the last 4 digits of my SSN must be me.

Would you be happy carrying no id cards, credit cards, library cards, employee cards etc but instead everywhere type in a pin or similar secret?

Re:The main problem in my eyes...

"Do you want to look younger, loose weight or change password? Call your local cosmetic surgeon now!"

Common misconception

Your idea has problems for several reasons:

- biometric data is not stored as a simple image. It's not stored as a compressed image, or a md5 of the image. It is most often stored as a series one-way-hash values, each of which is derived from some characteristic inherint in the scan. Someone could steal this data, but creating the original image is near impossible, like breaking a 100 kilobyte rsa key.
- biometric data is stored in a different format by every manufacturer. There is no standard - heck, they can barely get a standard API for how to interface with the hardware and drivers (www.bioapi.org), let alone agree on a standard format. Thus, if visa were to start using scanners, and your fingerprint scan were stolen, only visa systems would be affected.
- most authentication systems (other than the implied example of logging onto a computer) use multiple pieces of information, usualy two or more of the following type:
- something remembered ( a password or pin)
- something kept (a security card, a credit card)
- somethign intrinsic (a biometric)

Now, how useful is that fingerprint scan if the visa card it's associated with is not in the theif's hands? How useful is it if you cancel your card and get a new one?

- if someone did manage to steal an image of your fingerprint or retina, it won't do much good: systems these days are able to tell the difference between a dead/living finger, a photo, and even a plastic mold (many systems look for temperature of what is scanned, and can even look for capilary blood flow).

- if someone gets access to a computer system where they can use the information stolen and bypass the scanning device, well, you have much bigger problems: such a breakin would probably compromise things to the point where they can simulate a positive authentication from the driver/hardware, for any user.

- (this one only applies to fingerprints): you have ten fingers, use a different one. For eyes, switch eyes.

Having said all of that, please realize that biometrics are intended to enhance security by adding another layer to the authentication systems in place, not to replace them. A bankcard+pin+fingerprint is more secure than a bankcard+pin.

Anytime you hear/read the mass media promoting the death fo passwords via biometrics, realize that either A) the reporter doesn't get it or B) they have talked to a marketing person at one of the manufacturers who is (most likely in my experience) pandering to the media in an attempt to grow the market and get sales, despite the falsehoods involved.

By the same token, anyone who tells you a password by itself is secure, is also wrong.

Is it worth the cost?

The trouble is, it is not clear that these identity-verification systems are worth the cost and trouble of introducing them. All 19 of the September 11th hijackers entered the United States using valid visas, on their own passports, for example. Verifying their identities using biometric visas would have made no difference.

I find it hard to justify the cost of using biometrics, at least in this airport example. The airlines in are in decline, the government has just bailed them out with a couple billion, and revenues are still falling. Does the TSA really need to scan my finger before I step onto a plane? Like the quote says, biometrics wouldn't have made a difference on 9/11.

False claim

The two main reasons being unease and cost?! That is wrong. The simple truth is poor performance. So far, no system has been able to match faces better than 60-80% in real life tests. That is still far too poor to be really useful for police work and other, similar purpose.

Re:False claim

Facial recognition is only 1 of the technologies involved in biometrics... To claim that the whole industry has failed to grow because one Type of biometric does not function well is untrue.

Besides that, your numbers are wrong... facial recognition systems can actually have failure rates higher than that under less than ideal ircumstances, and when put into use as identification, not verification systems.

First, definitions, for those who didn't read the article:

Identification: determin from a scan who someone is, searching over a list of possibilities.

Authentication: determin with reasonable confidence that the user is who they claim they are.

Authentication is much much easier to get right, since you can always ask for a rescan if you are unsure. Authentication systems are designed so that the device (hardware and software) return a confidence level - sometimes a percentage. It is up to the application developer to determin just how high a confidence level you want. If you set it too low, people with similar faces might be abel to authenticate for each other - borthers for example. If set to high, then slight (natural) variations in a person's face can cause rejections. Generaly, you must strike a balance between false positives and rejections. Such a compromise is acceptable, if you have other security measures in place (see note at end of post).

Identification is much, much harder. First of all, it is very cpu intensive - one can model identification as a low-confidence-level authentication against every listed person in the database. If you have 40,000 people in the database, this can take awhile. Hashing doesn't help much, and is illadvised, since we are looking for a close match, not an exact. Biometric data isn't the kind where you can take the first 5 bytes and dump into hash buckets either - but I digress. So, how do you speed it up? You reduce the dataset by reducing the detail in the data you store for each person.

Then you run into the problems with how these systems have been rolled out - using low resolution security cameras is not a good way to get an accurate scan of a person's face - especially when the people being scanned a re small enough (in relation to the scene) to be only 10s of pixels wide.

So, now we know the technical difficulties - but why the bum rap, and why would a police force choose to roll something like this out anyway? This is several fold, but the main thing it comes down to is misconceptions about what these systems are doing, and badly written systems. Due to the limitations mentioned above, these systems can only provide possible matches, like 'Person X is a 20% match against Osama Bin Laden'. the system isn't claiming that the person IS Osama, only that the face appears somewhat similar. As such, the system is supposed to be used as a guide - if it picks someone out, that person deserves more attention - that attention could be a remote-controled security cam singling them oout for a better scan, or for officers in the area to walk over for a better look. Unfortunatly, just because that is how the system is supposed to work does not mean it is used that way - all too often these are rolled out as a way to 'increase security while retaining a minimal police/secuity force'. You get officers who think of a potential match as a authentication, and they send officers running down at high speed only to find it's not Osama... The next potential match they are more hesitent about, and so on, until they mistrust the system completely. Is the system doing anything wrong? No, its that the users don't understand what it is doing. Better training would help, but so would the people making the purchasing descisions understanding the technology, and staffing accordingly.

In the sort of rollouts described above, facial recognition has a success rate of less than 30%, much lowe r than what you describe. With rates that low, people complain, and stories get published. Used properly, the data these sy

Re:False claim

"Facial recognition is only 1 of the technologies involved in biometrics... To claim that the whole industry has failed to grow because one Type of biometric does not function well is untrue."

Even if a system were your fabled 5-nines accuracy (1 wrong answer per 100,000 questions) it would still be unsuitable for the applications it's being suggested for. It's almost too easy to remind you that the very best biometrics is about 60% accurate.

It's not just about biometrics, although their dismal rate of failure, combined with the unattainable promises of their salesmen should be suspicious enough. It's about the statistics of large numbers. If you have a million people per day going through an airport, and a biometric machine with 99.999% accuracy, you've falsely accused 100 people of being terrorists. Every day.

And, to quote Schneier, it decreases security. Biometrics can be fooled. Easily. Trivially. If you depend on biometrics, then the terrorists will waltz past your scanners undetected, even as the innocent people queue to be strip-searched. Biometrics fail in a predictable way, and anybody who realises that can game the system. Vendors and terrorists alike.

Of course, it's a rosy future for people who sell such failed systems. Look at "lie detectors" for example. Still in use long after it was proven that you could toss a coin for better accuracy. Does it increase security? No. Does it make people think we're doing something? Yes. Sold!

this cannot be rushed

Whether you consider this a good thing or not, if and when it is implemented we need to remember that just like anyother form of security, the weak link will still be the human factor.

Even if you have the best biometric system, but it is not monitored for tampering (and its database) regularly, who is to say a malicious person didn't add or change a users information. And because biometrics are supposed to be so good, who will the people in charge believe, someone saying they are john smith the computer tech, or the computer that reported them being as being some criminal?

Disabled people?

So what happens when someone who has lost one or both eyes tries to withdraw money from their bank account? Or when a burn victim passes through a face recognition checkpoint?

Eek!

"So what happens when someone who has lost one or both eyes tries to withdraw money from their bank account?"

Well, that gives the mob/bookies/dealers/etc a real way to get you back. "Pay up or we'll take your eyes/fingers." Not only do you experience major pain/permanent disability, but you lose your identity and they can clean out your bank account.

The third reason...

Actually there is a third reason that many of us are uneasy about biometrics. You can't change, unlike, for example, passwords or some "secure token" type of device.

That means, once your identity is compromised, it stays compromised... and there is little to nothing that you can do about it.

That is why I don't like biometrics...

Re:minority report

but realistically, the government would never spend the insane amount of money to install cameras all over the public area of America, especially not high-tech eye-scanning ones.

Agreed. But don't estimate the money-spending abilities of corporate marketing departments as they attempt to identify and target consumers. (Which, by and large, was what was scanning whatshisname in Minority Report.)

If you're not happy being paranoid about marketing departments, consider that once the cameras are there, it's real easy for whatever random government organization to use PATRIOT IX to get that data without a warrant, but with a gag order that prevents your being told they got the data.

-Rob

Chopping of your Nose despite your Face

With passwords, all they had to do is torture me, but with biometrics they just cut off my hand...

Biometrics are bad because....

Becuase you can change your password a whole lot easier than you can change your DNA.

The flip side of not being able to lose or forget your biometrics is that you can't change it when it gets stolen. And, yes, people will find ways to spoof biometric authentication schemes into believing that they have your data. Whether it's fake fingerprints, or (more likely) some sort of data hack that sendst the computer the right bitstream for a given person's biometric data, once yours is gone, you're just hosed forever.

If your password or PIN gets stolen, you can make a new password, or get a new ATM card and a new PIN, and cancel the old ones. Once your biometric info is stolen or spoofed, you have the choice of cancelling it and not being able to authenticate anywhere, or just accpeting that your identity is stolen and will stay stolen.

Biometrics are great if *combined* with a password. But by themselves, they're foolish for strong authentication. Just because your fingerprints are on your hand doesn't mean that there isn't a pattern there that could be stolen and stored somewhere by bad actors.

-Rob

Re:Biometrics are bad because....

I think you need to look into security principles. As you say, a lone password is easy to compromise, so is a lone biomtric. However, any truely secure system needs to use multiple forms of identification - preferably two or more of the following:
- something intrinsic (a biometric, dna scan, etc)
- somethign known (a password)
- somethign kept (a security card)

By having more than one step involved, the system is much more secure than any individual part. Somesteals your backcard - but do they have your pin? Or, someone sees your pin - but do they have your card or account number? PINs are actually very simple and easy to break (thoeretically), but are pains to break in reality because of the Other required piece of the puzzle, the bankcard, and how false authentications lead to the removal of the card (most ATMs shred your card after a few false PINs are entered).

similarly: Just because someone steals your face, how will they get ahold of your new bankcard?

After that fact comes the fact that most biometrics are hard to fake - fingerprint scanners these days can be made smart enough to check the temperature of the item placed on them - and some are even smart enough to look for normal temperature differences and gradients within the skin surface, and refuse authentication to 'fingers' that are too regularly or irregularly warm. Some very high end systems look for capilary blood flow... Most facial systems are smart enough to refuse a photo held up of your face, and carrying around a stiff 3d mask of someone's face is kind of obvious.

Also, the fact that every type of scanning device on the market practially has a different data format for the biometric data (which is all one-way, you can get the data from a fingerprint, but not the other way around), and spoofing the data becomes more restrictive - a spoof of, say, visa's system wouldn't work against mastercard's (unless they were using the same equipment).

Having said all that, I'd still like it to be pin+card+face/fingerprint rather than card+biomtric. Biometrics should be used to Enhance security, not replace known or kept-item security methods.

Re:Biometrics are bad because....

While I agree with everything you have said, I must take issue with your contention that most biometrics are hard to fake.

Subscribe to Cryptogram from Bruce Schneier. Read some of the news, widely diseminated here on Slashdot and other tech sites. Systems like most finger print scanners and facial recognition systems are easy to fool.

For instance, while there are fingerprint systems that act as you indicate, the vast majority do not. They are the cheap readers in my iPaq or on some smart-card readers or those you can buy at Radio Shack. And since the famous gelatin exploit has the hacker wearing the stolen fingerprint gelatin mold over their own finger , even advanced machines will see 'normal temperature differences and gradients' or 'capilary blood flow' since it is seeing a real fingers. These systems are also prohibitively expensive, which means they can only be used for securing VERY sensitive assets. No use spending $10K on a fingerprint scanner to secure my $1k bank account, when this can be demonstably defeated for about $100 in materials and a few hours of work.

The same with facial recognition systems. In the new recently, one of the most widely used systems was fooled by a person holding up a picture or wearing a picture over a face like a mask nearly 100% of the time (I don't have the link handy, but I'm sure I read it on Cryptogram and here at \.). Again, while it may be possible to overcome these technical issues, the cost of such a system would restict it to acting as part of an authentication system for military bases and very large organizations with sensitive data, but no the general public. Most facial recognition systems CAN be fooled by holding up a picture.

However, if you are correct in your original assumption, that even using these easily foolable systems as one step in the authentication process is a much better way than relying on them alone.

And using them as part of an authentication system, not as an identification system, as some US airports have tried... There is a vast difference between comparing a person standing at the right distance from the camera or pressing the right digit into the read with re-tries allowed, that to pick a face out of a crowd of unknowns nad try to say "Unknown identified as Osama bin Looben, please arrest"...

You cannot change your biometrics.

As it was said time over and over here,
The Problem is that if somebody menace at pinpoint you can give a password or a pin and they will go on statisfied. You loose money but after you can change the in or apssword and that's it.

With biometric you CANNOT change those data. Meaning once you are compromised this is over. For ever.

Furthermore criminal aren't exactly known to be Sissy which would repugn or be afraid of , let us say, chopping a handor an arm. Or getting an eye out of that socket. Even worst it was proved that for many system with caoutchouc , rubber or high res photo scan , you can foolsome of those system. And I bet that you could hack you way thru if you have physical access like any password system.

The only way to go would be a DOUBLE system. password *and* biometric. Biometric cannot replace the password system with more security. On the contrary it has too many disadvantage.

So what is my point ? Seeing biometric as more than an extension of the password system will bring a lot of problem as well as a false sense of security. And a false sense of security is far worst than anything weak security.

Error rates?

Bioscrypt now claim an error rate of 0.1% [bioscrypt.com] on fingerprint IDs.

I suppose it depends how large your access list needs to be. It would be pretty good for a server room inside a secure building with 2 staff members on the access list, but with 10,000 on site (such as some places have) a false positive would be almost assured unless they had to carry a token of some kind. (Physical or otherwise, eg pin or swipe card.)

Biometric passphrases

That article was more or less product placement. Biometric passwords, while looking very cool in sci-fi flicks, have the following misfeatures:

1. The "password" can't be changed. If compromised, it's compromised for life.
2. You only have two thumbs and two eyes, and then you have to re-use your "passwords". Do you want your employer to have access to your bank account? Would your current employer want your last employer to have your access code to their building?
3. They are not secret. Especially so with thumbprints: every time you grab a glass or a doorknob you leave your "password" written all over it.

I would say these are the real reasons no one else than gadgeteer type bosses would ever consider using biometric passphrases.

great

instead of looking in your desk and finding out that your password is 'pencil', Rutger Hauer types are going to rip your eyes out. Yay for progress!

Can't be stolen? Are they on crack?

How long until someone sets up a phony ATM to capture retinal patterns? And unlike passwords, your retinal pattern is not something you can change as needed.

Don't get me wrong, biometrics has its place but that place is part of a multi-factor security system. I predict that we will eventually see ATMs that require a card, password and biometrics. Three factors: something you have, something you know and something you are.

Biometrics by itself is useless for security.

Ob. h2g2 (Douglas Adam predition)

In 50 years time we will have to give all kinds of bio information for everything, so we will carry a handy machine readable card with every bit of data on it to make it more convenient...

Thus defeating the entire purpose, and a stunning testament to human nature.

body part security

The problem with using body parts like fingers, retinas, or faces for access control security is that one's physical body can be coerced. No one can force me to reveal my secure password. I can choose to die rather than reveal it, and if I die, the protected data will die with me.

A few scenarios come to mind. I'm walking in a city late at night near an ATM. A thief puts a gun to my head and tells me to go to my ATM and withdraw funds for him. I can refuse, but if he kills me he will get no money. With a fingerprint, retina, or facial scan, he can shoot me first and just drag my body to the ATM.

Another scenario is private data on my computer that I want to be kept safe from everyone including governments. A government can physically coerce a citizen into using his fingerprint scanner to retrieve the data that they want. They can do nothing about a strong password, and, again, if they kill you they lose any chance of getting the data.

Of course, this is where torture comes in, but I'd rather have the choice of being tortured or even dying to protect sensitive data. Biometrics take away that choice.

Having said all this, voice print ID avoids many of these pitfalls. It seems the most promising since no one can physically force you to speak your password, and if you die the data remains protected.

The other reason

The economist article fails to mention the other major reason these systems have not taken off - comparability.

Or, I should say, the Lack of it.

Each fingerprint device on the market uses its own format for storing it's data - making each device incompatible. At first, this would seem to be an easily surmountable problem - but then you must realize that until recently, Every device on the market had its own API for development.

Let me give you an example to illustrate this issue: company X has 2000 employees, and it goes to look at biometric systems - they are either faced with the choice of paying for very expensive equipment from 'long time players' in the industry - who would be around in 2-5 years when the devices start failing due to wear and tear - or choose from some of the 'upstarts', and risk being out in the cold if the company they choose isn't around in several years. a hardware switch down the line not only would incur the cost of re scanning everyone, but the application itself would need to be modified to work with the API for the new device.

Enter the BioAPI (www.bioapi.org) - which proposed a standard api - now widely adopted. You may notice that the Bioapi page mentions it was founded in 1998. It has taken several years for this standard to come to the foreground and there are still roadblocks - not all manufacturers participate freely.
As an example: one rather large manufacturer, Identix (www.identix.com) seems to have been stonewalling for years. Why would a manufacturer do such a thing against what is good for the industry? Because they were leading the industry. When you have all of the high end government contracts coming your way, a standard the opens the doors for the little guy is a Bad Thing for your business - or so they thought.
Take a look at the members list on the bioapi site - identix is listed - then take a look at the supported devices list... not a single identix product.

In 1999 I witnessed this stonewalling firsthand at a meeting in washinton DC. This meeting had manufacturers and interested parties from all over the globe in attendance, including representatives from the US military. The whole agenda for the meeting was how to promote/define standards so that the industry could grow.
I had the unfortunate luck to be seated next to the Identix representative. He had apparently flown in just so he could stonewall - every opportunity he got, he grabbed the microphone and ranted about how we should let the free market dictate standards - that they would come about naturally in the free market (he loved the term free market).
Meanwhile the rest of the group was discussing issues about how to resolve device inter operability - even so far as to discuss how data could be shared between devices. No concrete decisions were made at the meeting, but it did get people talking.

Anyway, my whole point is, one of the major reasons the biometric security industry hasn't grown (as fast as has been predicted for the past 8 years) is because without standards no one wanted to invest in writing applications. It was just too risky.

Note: I am flipping a coin as to wether to post this anonymously or not, since Identix could decide to try and silence this sort of talk...

Las Vegas already uses something like this...

You may not know it, but if you ever went to a casino in Las Vegas, they probably have you on tape. They have photos and images of well-known gamblers who like to cheat, and they have software which takes photo's of people inside the casino's and they attempt to match the photo to the database. The only differance is the casino's hire lots of security specalists that make the final decision.

Having said that, if someone is taking my picture and storing it in a database, there should be a sign by the entrance warning people of that.

Something else from the link that I find disturbing:
In the wake of the terrorist attacks of September 11th 2001, however, these objections have been swept aside. After all, if you are already being forced to remove your shoes at the airport, and submit your laptop for explosives testing, surely you will not object to having your fingers scanned too?

I think this is really dangerous that every law that takes away civil liberties is linked to September 11th. And they give those laws such nice names, like "the patriot act".

American citizens will also be affected, as new passports with a chip that contains biometric data are issued from next year.

This is something that will be too easy to abuse. Remember, our government illegally bugged black panther offices, and did all sorts of illegal crap. I wonder if our government will use this kind of data to track private groups, such as those that protest the WTO. Could it be that if you show up to protest the WTO, then you will get audited by the IRS the next year?

another false start

Until there are social (legal and business) safeguards that require the verifier to discard my personal identity info once verified, this will be another false start to a real security model. A standard license that prohibits storage and transmission of my personal data beyond the limits of the verification transaction might be sufficient, if it had enforcement teeth. Where's a transactional security component whose documentation includes a license requiring interoperation with a law that protects the software user?

Sanitation

is a big problem, partially real and partially imagined. The real issue is transmission of viruses and bacteria through body fluids - what if I have an eye infection when I peer into the retina scanner? What if I pick my nose, then scan my fingerprint? The imagined issue is the 'cootie factor', where you wont want to touch something that 1,000,000 other people touched (think toilet seat).
Lastly, our new biometric overlords (The US Govt) will undoubtedly put 1,000,001 policies and procedures in place creating a huge barrier to market entry, unless of course you're the gov't approved contractor. None of which will be followed by the unscrupulous, thus continuing the tradition of fucking the honest and awarding (by default) the sketchy.

obvious downfull

Even if you can get the technology to the point where false positives occur less than 1% of the time
airports etc will be made unusable because there will be more candidates for a intensive search and id check than can be dealt with in a day.

But the real killer will be the problem of persistant false positives. How many times will someone who looks a bit like a known terrorist have to be taken out of queue and subjected to intensive questioning and searches before the lawyers and courts get involved?

A password I can't change?

That is effectively what biometric security is. Consider then that the entire network must be physically secure or my (eye/finger/etc.) "password" will quickly be known and re-used. The "password" I used decades ago is still valid!
Also, I'd rather give a mugger my wallet & pin, than my wallet & thumb...

Forget Biometrics

All who are familiar with the ATM scams know why it is inherently insecure. The more likely scenario is that eventually you will all be tagged [digitalangel.net] like cattle. GPS tracking will ensure security by monitoring to make sure you are never in two places at the same time, or making quantum leaps through space-time.

Finally...

I'll be able to pick up a free case of pinkeye from the eye scanner at the local Wal-Mart. My life is complete

This is another case of...

...just becasue you HAVE the technology, and COULD use it... ...doesn't mean you necessarialy SHOULD.

another creepy-ass thought
Retinal scanners: Remember that Tom Cruise sci-fi flick where everyone was constantly getting retinally scanned wherever they went? You guys think DoubleClick are a bunch of scumbags now, just wait 'till they link up with RetinAll Marketing.

Coming out of a big speaker in the near future:
"Welcome to Blockbuster, Mr Slappyjack. You may be interested in the Jenna Jameson collection we have in the back room. We did notice you were looking at internet porn about her all day while your wife was out. We do not, however, have any Ass-Reaming-Mature-Tranny-Bukkake videos, which we know you enjoy. If you like we'd be glad to order one for you. Have a nice day."

yeah. nice.

Remember when we all thought RadioShack asking for our addresses just becasue we needed a couple of AA batteries was high annoyance? NOTHING compared to what the future holds.

All Together Now

Repeat after me....

Biometrics are unique but not secret.

Faking fingerprints trivial

This email [does-not-exist.org] talks about how easy faking fingerprints is. Key paragraph:

The time it takes to make a perfect duplicate is about 15 minutes (with special material it can be reduced to less than 10 minutes). To make a duplicate of a lifted fingerprint took me several days in 1992 and I had to do a lot of experiments to find the right process/technique. Now it takes me half an hour and the material costs are $20 (also sufficient for about 20 duplicates), the only equipment you need is a digital camera and an UV lamp. Not only do I now make the duplicates in a fraction of the time, but also the quality is better.

biometrics is a joke

the key thing is.. to remember your password... because people cant steal your knowledge.. depending on how strong your will power is.. however.. they can steal your body parts.
and your fingerprints CAN be duplicated.
so biometrics is an expensive technology with too many vulnerabilities
now.. for the common home user, who wants it for the hell of it... or medium level security.. yeah...
but for bank vaults, and other things.. murder would be on the rise.. and theft would be more successful.

MY EYES!!!

"Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser."

Pfffft whatever.

The reason I don't want to press my baby blues up against a retinal scanner is because I'm relatively sure a needle will pop out and pierce my eyes.

I don't think I'm alone in feeling this way.

Knunov