Cash, Credit -- or Prints?
<http://online.wsj.com/article_print/0,,SB109744462285841431,00.html>

The Wall Street Journal

October 11, 2004

Cash, Credit -- or Prints?

Fingerprints May Replace Money, Passwords and Keys; One Downside: Gummi Fakes

By WILLIAM M. BULKELEY
Staff Reporter of THE WALL STREET JOURNAL
October 11, 2004; Page B1

Fingerprints aren't just for criminals anymore. Increasingly, they are for customers.

Fingerprint identification is being used to speed up checkouts at Piggly Wiggly supermarkets in South Carolina, and to open storage lockers at the Statue of Liberty. Fingerprints are also being used as password substitutes in cellphones and laptop computers, and in place of combinations to open up safes.

But these aren't the fingerprints of yore, in which the person placed his hand on an ink pad, then on paper. Instead, the user sets his hand on a computerized device topped with a plate of glass, and an optical reader and special software and chips identify the ridges and valleys of the fingertips.

Fingerprint technology seems to be reaching critical mass and is spreading faster than other widely promoted "biometric" identification methods, such as eyeball scanning, handprint-geometry reading and facial recognition. Interest in these and other new security systems was heightened by the September 2001 terror attacks.

"Fingerprints will be dominant for the foreseeable future," says Don McKeon, the product manager for biometric security at International Business Machines Corp.

One reason fingerprint-security is spreading is that technological advances are bringing the cost down. Microsoft Corp. recently introduced a stand-alone fingerprint reader for $54, and a keyboard and a mouse with fingerprint readers. Last week, IBM said it would start selling laptop computers with fingerprint readers built in. These products reduce the need for personal-computer users to remember passwords.

A customer uses a fingerprint reader to pay at a Piggly Wiggly store, cutting his checkout time.

Earlier this year, American Power Conversion Corp., a Rhode Island company that makes backup computer batteries, started selling a fingerprint reader for PCs with a street price of $45 -- less than half the price of competitors at the time. American Power says it has sold tens of thousands of the devices since.

Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip at its base that requires the owner's finger to be swiped across its surface before the phone can be used. This summer, NTT DoCoMo Inc. started selling a similar phone reader that is being used on Japanese trains as an electronic wallet to pay fares or to activate withdrawals from on-board cash machines.

Proponents have never had trouble explaining the benefits of fingerprints as payment-and-password alternatives: Each person has a unique set, and their use is established in the legal system as an authoritative means of identification.

But some people are uneasy about registering their fingerprints because of the association with criminality and the potential that such a universal identifier linked to all personal information would reduce privacy.

Moreover, numerous businesses and governments have tested fingerprint systems in the past only to rip them out when the hype failed to match reality. That's partly because the optical readers have had problems with certain people's fingers. Elderly people with dry skin, children who pressed down too hard, even women with smaller fingers -- including many Asians -- were often rejected as unreadable.

Security experts also have successfully fooled some systems by making plaster molds of fingers and then creating fake fingers by filling the molds with Silly-Putty-type plasticizers or gelatin similar to that used in candy Gummi Bears.

But advocates say the rate of false rejections of legitimate users has been greatly reduced by improved software.

"I'd say 99% of people can register" their fingers, says Brad Hill, who installed fingerprint-controlled lockers at his souvenir store at the Statue of Liberty this summer when the National Park Service forbade tourists from entering the statue while carrying packages. Mr. Hill was worried that tourists would lose locker keys when security screeners forced them to empty their pockets.

Some makers of readers also say their technology can solve the fake-finger problem by taking readings from below the surface skin layer. Or they suggest combining four-digit ID codes with fingerprint scanning to virtually eliminate false readings.

Makers of fingerprint readers acknowledge the privacy concerns. But they maintain that the threat of personal invasion is minimized because most systems don't store the actual print, but instead use it to generate a unique series of numbers that can't be reverse-engineered to re-create the print. And public willingness to submit to fingerprint readers has so
Re: Cash, Credit -- or Prints?
Very interesting question. I'd bet almost any amount of money that it's fairly trivial to simply alligator-clip-out the fingerprint's file from almost any of the cheaper devices. Hell, I'd bet that's true even of more expensive "secure" devices as well.

-TD

From: Frank Siebenlist <[EMAIL PROTECTED]>
To: "R.A. Hettinga" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Cash, Credit -- or Prints?
Date: Mon, 11 Oct 2004 17:34:19 -0700

Can anyone explain how sophisticated those fingerprint readers are?

Are there readers out there that by themselves are secure devices and essentially are able to talk with their servers thru the PCs/workstations over a protocol such that any man-in-the-middle, like a driver, can not learn anything from the traffic? (...and all that for less than $40, of course...)

If not, would a trojan then be able to capture your fingerprint's digital-fingerprint, and impersonate you from any other node on the network?

-Frank.

R.A. Hettinga wrote:
<http://online.wsj.com/article_print/0,,SB109744462285841431,00.html>
Re: Cash, Credit -- or Prints?
>From: Tyler Durden <[EMAIL PROTECTED]>
>Sent: Oct 12, 2004 1:43 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: Cash, Credit -- or Prints?

...

>Very interesting question. I'd bet almost any amount of money that it's
>fairly trivial to simply alligator-clip-out the fingerprint's file from
>almost any of the cheaper devices. Hell, I'd bet that's true even of more
>expensive "secure" devices as well.

I don't think the readers store an image of the fingerprint, just some information to make it easy to verify a match. I don't think you could reconstruct a fingerprint from that information, though you could presumably reconstruct a fingerprint image that would fool the detector.

From what I've seen, the whole field of biometrics needs a lot of work on characterizing the attacks and defenses against them, and coming up with reasonable ways to verify that a reader resists some attack. I think individual vendors often have some ideas about this (though I gather their defenses are often disabled to keep the false reject rate acceptably low), but there doesn't seem to be a clean process for determining how skilled an attacker needs to be to, say, scan my finger once, and produce either a fake finger or a machine for projecting a fake fingerprint into the reader. Anyone know whether some kind of standard for this exists?

>-TD

--John
Re: Cash, Credit -- or Prints?
On Tue, 12 Oct 2004, John Kelsey wrote:
> but there doesn't seem to be a clean process for determining how
> skilled an attacker needs to be to, say, scan my finger once, and
> produce either a fake finger or a machine for projecting a fake
> fingerprint into the reader.

... or a replacement reader that fakes the signals to the rest of the security system.

--apb (Alan Barrett)
Re: Cash, Credit -- or Prints?
Alan Barrett <[EMAIL PROTECTED]> writes:

>On Tue, 12 Oct 2004, John Kelsey wrote:
>>but there doesn't seem to be a clean process for determining how
>>skilled an attacker needs to be to, say, scan my finger once, and
>>produce either a fake finger or a machine for projecting a fake
>>fingerprint into the reader.
>
>... or a replacement reader that fakes the signals to the rest of the
>security system.

I've seen a number of smart card/PCMCIA combo devices that do this, they have a discrete fingerprint sensor device connected to a discrete crypto device. You can fake out the fingerprint check portion by tying one of the connecting lines to Vcc or GND.

Peter.
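Added example, not part of any message in this thread: a Python sketch of one design that addresses both Frank Siebenlist's protocol question and the bare pass/fail line Peter describes, in which the verifier accepts only a MAC over (user, result, fresh nonce), so the host driver never sees the template and a captured or altered reply is rejected. It assumes a hypothetical reader that matches on-device and shares a symmetric key with the verifier; the names Reader, Verifier and DEVICE_KEY and the message layout are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption): a real design would provision this into
# the reader's tamper-resistant element and the verifier at enrollment.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def _tag(key: bytes, user: str, result: str, nonce: bytes) -> str:
    # Fixed field count; the nonce is last and fixed-length (16 bytes).
    msg = b"|".join([user.encode(), result.encode(), nonce])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Reader:
    """Hypothetical reader: matches on-device, attests only the outcome."""
    def __init__(self, key: bytes, user: str):
        self._key, self._user = key, user

    def attest(self, nonce: bytes, finger_matches: bool) -> dict:
        result = "match" if finger_matches else "no-match"
        return {"user": self._user, "result": result,
                "tag": _tag(self._key, self._user, result, nonce)}

class Verifier:
    """Server or crypto-device side: one-time challenges, MAC check."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce: bytes, reply: dict) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used challenge
        self._pending.discard(nonce)
        expected = _tag(self._key, reply["user"], reply["result"], nonce)
        return hmac.compare_digest(expected, reply["tag"]) and reply["result"] == "match"

def demo() -> dict:
    reader, server = Reader(DEVICE_KEY, "alice"), Verifier(DEVICE_KEY)
    n1, n2, n3 = server.challenge(), server.challenge(), server.challenge()
    good = reader.attest(n1, finger_matches=True)
    # A reply whose result field was flipped in transit, without the key.
    forged = dict(reader.attest(n3, finger_matches=False), result="match")
    return {"fresh": server.accept(n1, good),      # bound to n1: accepted
            "replayed": server.accept(n2, good),   # captured reply, new nonce
            "forged": server.accept(n3, forged)}   # tag no longer verifies
```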
Re: Cash, Credit -- or Prints?
Can anyone explain how sophisticated those fingerprint readers are?

Are there readers out there that by themselves are secure devices and essentially are able to talk with their servers thru the PCs/workstations over a protocol such that any man-in-the-middle, like a driver, can not learn anything from the traffic? (...and all that for less than $40, of course...)

If not, would a trojan then be able to capture your fingerprint's digital-fingerprint, and impersonate you from any other node on the network?

-Frank.

R.A. Hettinga wrote:
<http://online.wsj.com/article_print/0,,SB109744462285841431,00.html>