Big Brother Is Watching ATMs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just heard that a bank card company has just released a program for using photos of the iris in people's eyes as a biometric ID to replace people's PIN codes for ATM / credit cards. What I found really interesting is how they plan to implement it. As people use the ATM, they are photographed. (Every ATM has a security camera.) Over time, as people use the ATM, the security camera images are composited to produce a high-quality image of their irises, which is coded and placed in their account information. Once this is accomplished, when a card is inserted into the ATM and the security camera gets an iris image that matches the account sufficiently closely, the user can conduct transactions without entering the PIN code. People affected by this will merely receive a letter that under certain circumstances, entering the PIN is no longer necessary, but this is not a security problem.

This scenario may not be a security problem, but it certainly poses a privacy problem. Given the frequency that the average Joe Sixpack uses the ATM, it is only a matter of time before the government mandates a nationwide eyeprint ID database to catch ATM and credit card thieves, money launderers, tax cheats, and other undesirables. Perhaps the eyeprint could even replace or supplement the SSN as the unique taxpayer ID key for tax and other purposes. Of course, given the fact that ATMs have had cameras from the start, this theoretical eyeprint database could already be under construction. How's that for paranoia? >:-(

Of course, there are a few ways to beat this, such as mirror sunglasses, (which would only be useful while alternative credentials to eyeprint ID are still available) and contact lenses, (which would have to be carefully oriented so that the same side of the lens was always up, or the fact that you are wearing contacts and are therefore a Suspicious Person™ would become obvious to the system) and of course intraocular implants of various types. Of course if the implant's power-on LED gives your eyes a constant Satanic red glow, you may be flagged as a Suspicious Person™ anyway.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5

iQA/AwUBNIJMc8JF0kXqpw3MEQJEiACdH+0zupstOe2EK3nO+xkF6nY4SOsAnAuO
d/cf2DBRj3tiSUHgBaQHOgq9
=LxX3
-----END PGP SIGNATURE-----

Jonathan Wienke
PGP Key Fingerprints:
7484 2FB7 7588 ACD1 3A8F 778A 7407 2928 3312 6597
8258 9A9E D9FA 4878 C245 D245 EAA7 0DCC

"If ye love wealth greater than liberty, the tranquility of servitude greater than the animating contest for freedom, go home from us in peace. We seek not your counsel, nor your arms. Crouch down and lick the hand that feeds you. May your chains set lightly upon you; and may posterity forget that ye were our countrymen." -- Samuel Adams

"Stupidity is the one arena of human achievement where most people fulfill their potential." -- Jonathan Wienke

Never sign a contract that contains the phrase "first-born child."

RSA export-o-matic:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

G'day Jonathan, Could you please identify this "bank card company" by name, card, nation, etc. ? Without some explicit cite of a commercial entity -- or a reference to some "strip-'em-naked-with-electrons" Police R&D group like the guys at Rome AFB -- this report sounds like another of those ID-Implant fantasies circulated by the guys who are bolting steel plate to their screen doors and programming their backyard AA to auto-target (a) Black Helicopters (b) which are on low-level rapid approach (c) full Oriental, Arab, and Hispanic troopers (c) wearing Blue Helmets. Got a single verifiable fact you could share? Or, with further checking, could you confirm that is this just another spicy rumor crafted to keep the boyos in the hills rubbing garlic into their hollow-points with proper militia enthusiasm? (Not that I don't enjoy a good tale to wake up sleepy Computer Science undergrads, mind you...) Up the Revolution, _Vin
Vin McLellan + The Privacy Guild + <vin@shore.net> 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --

At 10:50 EST on Monday, December 1, 1997, Vin McLellan wrote:
|G'day Jonathan,
|
| Could you please identify this "bank card company" by name, card,
|nation, etc. ?

You *could* read the newspaper...

/pbp

====

Body Parts May Become a Way To Identify ATM Customers
By GORDON FAIRCLOUGH
Staff Reporter of THE WALL STREET JOURNAL

Thomas J. Drury walks up to the automated-teller machine in his suburban office and swipes his bank card. Instead of punching in a secret code, however, he stares straight ahead. The machine verifies his identity by looking at his eyes.

If Mr. Drury, chief executive officer of Sensar Corp., and his colleagues have their way, this eye-scanning technology will become standard equipment on ATMs around the world. It is being tested by NCR Corp. and Citicorp, among others.

[...]

On Mon, Dec 01, 1997 at 05:07:11PM -0500, Robert A. Costner wrote: [...]
As wonderful as eye scanning technology may sound, it promises to offer very weak identification and only be reliable in the short run. This is based on the premise that a reproduction of an eye will work as well. Just as a reproduction of a driver's license seems to work for check forgery.
PINs offer security based on the fact that they are a secret. Not a shared secret. For comparison, take a look at the authentication procedure of the SSA and Wells Fargo bank. Over the internet, both want
Social Security Number
Date of Birth
Mother's Maiden Name
Imagine a bank machine requesting the same info as the only prerequisite for dispensing cash! This info might have been a method of secure authentication about the time I was born, but today, such info is almost common knowledge. This no longer is a secret, too many people have the info. Widespread use of eye scanners will provide the same results. As databases are built, and sold, the raw info becomes available and automated tellers become excellent targets for fake authentications. If you get it wrong, you just walk away.
Eye scans may help aid authentication, but they should not take the place of PINs.
From "Government Computer News", 1997-11-24
Optical character recognition converts an image into usable text. But what if the character you want to recognize is a human being? Try Visionics Corp's FaceIt PC 3.0, which works with a digital video camera to secure a desktop computer against intruders. The GCN Lab staff members were skeptical at first. After all, OCR and voice recognition are still not mature technologies, and face recognition applications are greener still. FaceIt surprised us -- pleasantly. [description of test environment, and test] The software can be set to require a smile or blink from any person attempting access...[I suppose you could stick out your tongue...] ...During testing, the software never misidentified anyone, nor was it fooled if a user wore or removed glasses. Visionics claims that changes in facial hair will not cause misidentification, but we didn't test that claim. http://www.FaceIt.com -- Kent Crispin "No reason to get excited", kent@songbird.com the thief he kindly spoke... PGP fingerprint: B1 8B 72 ED 55 21 5E 44 61 F4 58 0F 72 10 65 55 http://songbird.com/kent/pgp_key.html

Robert A. Costner <pooh@efga.org> wrote:
As wonderful as eye scanning technology may sound, it promises to offer very weak identification and only be reliable in the short run. This is based on the premise that a reproduction of an eye will work as well. Just as a reproduction of a driver's license seems to work for check forgery.
With respect, I disagree. I think it is quite likely that an iris-scan technology can effectively differentiate between a living eye and a reproduction (or, as one of my many correspondents on this topic suggested, an eye forcibly removed from the socket of a potential fraud victim.) In any case, the issue of false positives/negatives will be settled with evidence. I think the technology will probably be useful, in those terms. My concern is rather with who owns and controls the scan data from an individual's own eye: whoever scans him or her? Scans at a distance? Surreptitiously? Whatever entity claims the right to validate or authenticate the individual's identity, for his or her own good? for the public good? If the value of eye-scanning (or any other type of biometric authentication) is to be short-lived, it will be because the scan-data itself will be poorly held, or transferred insecurely. While it may be difficult or impossible to fake out the camera with a phony eyeball, it will _certainly_ be possible to inject a copy of the proper scan-data somewhere into the linkage between the camera lens and probably remote authentication server which will support it. The inherent weakness of biometric identifiers is that, if (or when) there is a breach in the authentication system (or the access controls or crypto system which secures the database which supports it,) it will be impossible to correct the situation (as we might issue a new ATM card or smartcard, or a new SecurID, or change a user's password.) The real victim of a poorly-designed authentication system which uses biometrics will be the citizen/consumer who trusted his (irreplaceable, being often single and unique) biometric scan to an entity which handled it with improper care and precautions. 
My sarcastic reaction to Jonathan's initial post was in reaction to his report that some commercial banking organization was planning to surreptitiously collect these iris scans and use them to replace user-memorized PINs for validating cash disbursements. (Jon tells me that he originally heard this version on AM radio in San Francisco: the Barbara Simpson show, KSFO 560AM, which he has found an often-reliable source.) I still consider this unlikely -- if for no other reason than the fact that banking regulators (i.e., insurers) would never allow it. There is, of course, a whole set of political and sociological issues which revolve around the rough equivalence of an effective biometric system, and the database which will give it value, and the traditionally feared "national ID" paper-document system. Jonathan's initial post validly raised that fear. There is also an important public-policy discussion in the question of whether the commercial value of such a system (and its database) to consumers will again tempt the mass of (US) citizens into voluntarily giving up control over this authentication technology (for easy credit or faster and bigger ATM withdrawals) to business... for the government to later take advantage of as it will, when this aspect of our privacy is just another commodity. [Much of American privacy has already been traded off by our citizens in a similar fashion. Europe, where privacy was redefined when governments extended citizen property rights to include information about that citizen, presents a different model. With some problems, which Libertarians are prone to stress;-) and some valuable protections.] 
(Did anyone note the European Commission's denunciation of US crypto policy specifically noted that forcing European citizens to include a message-recovery mechanism for government eavesdropping in their legal e-mail or other electronic message systems would probably be a violation of privacy rights commonly held by all citizens of the European Union?) Biometrics (something you are) is one of the three classic mechanisms by which we convince a computer that we are indeed someone whose identity was previously registered with the computer: something one knows (password, PIN,) something one has (token, smartcard, ATM card,) or something one is (the biometric.) Biometric identifiers, because they are static -- and thus, inherently subject to replay attacks from _somewhere_ in their process or procedures -- will likely always require confirmation from other authenticators. Certainly they will require a secondary confirmation before they are used to validate an active transfer of value like an ATM's disbursement of cash. (The lawyers and auditors will demand it.) I actually expect that the current standard for "strong authentication" in business practice -- "two factors;" typically a password and a token/card (often enhanced with a one-time password generator, which provides proof that the token is in the user's hand at the moment the authentication code is generated) -- will soon be expanded to three. It is far more likely that auditors in the future will define "strong authentication" systems as requiring (1) a user-memorized PIN, (2) a token, and (3) a biometric, than that they will do away with the requirement for either the PIN or the token. Tokens (by classical definition, personal and mobile, usually pocketable) are becoming personal repositories for encryption and digital signature keys, eventually secure crypto-engines, so these hand-held authenticators will likely become even more valuable. 
And a PIN or password will, at the very least, still be required to secure the smartcard's internal data so that the crown jewels are not readily available to every pickpocket. The interesting question is what sort of controls will be placed (probably by legislation) on second or third party access or traffic in consumers'/citizens' biometric data. It may be that all parties (citizens, government, business) will have a common interest in holding systems which capture or store these data-files to a very high infosec or crypto standard in order to keep biometric files from falling into the realm of meaningless index data (like Bob's example of the US social security number.) The use of biometrics as an authenticator will have commercial value -- to the citizen/consumer and to commercial entities -- only if the biometric scan-data is handled securely and respectfully. The use of biometrics as an administrative tool is probably inevitable -- something we already see with photographs and fingerprints (which are, of course, also biometrics.) And as machines are better adapted to scan for fingerprints, or faces and irises (remotely, as in an airline terminal, bank lobby, or street corner?) -- and then to search, match, identify and log the presence of these consumers/citizens at this or that place -- our culture will inevitably get more constipated and the freedom of our anonymity will be cramped (albeit, a protected place may be "safer," as some will argue.) 
Hey, no one said the future was going to be easier to live than the past;-) This record-keeping has been an obsession of modern governments since the French Revolution, and only if we keep explaining and making the impact of the technology a political issue -- as in the way computer-monitoring can cut the cost of a $70,000 typical wiretap to a few dollars, vastly increasing the capability of government to listen to more, quite cheaply -- can citizens grasp what is at stake and strive to defend themselves and the next generation. Random thoughts, shared for comment. Suerte, _Vin "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A thinking man's Creed for Crypto/ vbm. * Vin McLellan + The Privacy Guild + <vin@shore.net> * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
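Vin's two points above, that a static biometric template can be replayed from anywhere on the path between the camera and the authentication server, and that a token which answers a fresh challenge proves possession at the moment of the transaction, can be demonstrated in a short simulation. The following Python is an added example, not code from this thread or from any vendor named in it; the iris "template", the token secret, the HMAC-over-nonce response and the server's nonce bookkeeping are all assumptions made for illustration, and no real iris coding is involved.

```python
"""Replay of a static biometric template versus nonce-bound token auth.

Added example (not from the thread).  Two toy authentication servers:
  NaiveServer     accepts any message carrying the enrolled template,
                  so a template captured once on the wire works forever.
  ChallengeServer issues a single-use nonce per transaction and requires
                  an HMAC response keyed by a secret held only in the
                  user's token, so a captured message cannot be reused.
All data below is constructed; the template and token secret are
assumptions standing in for whatever a real system would enrol.
"""
import hashlib
import hmac
import secrets

# Constructed enrolment data (assumed, not real iris codes or token seeds).
IRIS_TEMPLATE = hashlib.sha256(b"constructed-iris-code-of-account-4711").digest()
TOKEN_SECRET = hashlib.sha256(b"constructed-token-seed-4711").digest()


class NaiveServer:
    """Biometric-only check: matches the transmitted template, nothing else."""

    def __init__(self, template: bytes):
        self.template = template

    def authorize(self, msg: dict) -> bool:
        return hmac.compare_digest(msg["template"], self.template)


class ChallengeServer:
    """Biometric plus token: template must match AND the token must have
    signed this transaction's nonce.  Each nonce is accepted at most once."""

    def __init__(self, template: bytes, token_secret: bytes):
        self.template = template
        self.token_secret = token_secret
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def authorize(self, msg: dict) -> bool:
        nonce = msg["nonce"]
        if nonce not in self.outstanding:
            return False                  # unknown, expired or already-used nonce
        self.outstanding.discard(nonce)   # single use: a replay of this message fails
        expected = hmac.new(self.token_secret, nonce + msg["template"],
                            hashlib.sha256).digest()
        return (hmac.compare_digest(msg["template"], self.template)
                and hmac.compare_digest(msg["response"], expected))


def atm_naive(template: bytes) -> dict:
    """What a biometric-only ATM would send: the template alone."""
    return {"template": template}


def atm_challenge(template: bytes, token_secret: bytes, nonce: bytes) -> dict:
    """Template plus a token-computed response bound to the server's nonce."""
    response = hmac.new(token_secret, nonce + template, hashlib.sha256).digest()
    return {"template": template, "nonce": nonce, "response": response}


def run_replay_scenarios() -> dict:
    """Return the outcome of each attempt; True means cash is dispensed."""
    results = {}

    naive = NaiveServer(IRIS_TEMPLATE)
    legit = atm_naive(IRIS_TEMPLATE)
    results["naive_legit"] = naive.authorize(legit)
    captured = dict(legit)                     # attacker copied the message once
    results["naive_replay"] = naive.authorize(captured)

    srv = ChallengeServer(IRIS_TEMPLATE, TOKEN_SECRET)
    n1 = srv.challenge()
    legit = atm_challenge(IRIS_TEMPLATE, TOKEN_SECRET, n1)
    results["challenge_legit"] = srv.authorize(legit)
    captured = dict(legit)
    results["challenge_replay_same_nonce"] = srv.authorize(captured)
    n2 = srv.challenge()
    forged = dict(captured, nonce=n2)          # template known, token secret not
    results["challenge_replay_new_nonce"] = srv.authorize(forged)
    return results


if __name__ == "__main__":
    for name, ok in run_replay_scenarios().items():
        print(f"{name:30s} {'DISPENSE' if ok else 'REJECT'}")
```

The naive server cannot tell a fresh scan from a recording, which is the replay weakness: once the template leaks, the only fix is re-enrolling an eye the customer cannot replace. The challenge server still compares the template, but the decision also depends on a secret that never leaves the token and on a nonce that is consumed on first use, so the same captured message is rejected and a new nonce is useless without the token.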

On Mon, 1 Dec 1997, Vin McLellan wrote:
G'day Jonathan,
Could you please identify this "bank card company" by name, card, nation, etc. ?
Without some explicit cite of a commercial entity -- or a reference to some "strip-'em-naked-with-electrons" Police R&D group like the guys at Rome AFB -- this report sounds like another of those ID-Implant fantasies circulated by the guys who are bolting steel plate to their screen doors and programming their backyard AA to auto-target (a) Black Helicopters (b) which are on low-level rapid approach (c) full Oriental, Arab, and Hispanic troopers (c) wearing Blue Helmets.
"There are, however, two companies working on devices that examine the human iris, the most notably being IrisScan who owns the patent. The technique's major advantage over retina scans is that it does not require the user to focus on a target, because the iris pattern is on the eye's surface. In fact, the video image of an eye can be taken from several up to 3 feet away, and the user does not have to interact actively with the device. Sensar, a company that has licensed the iris scanning technology from IriScan hopes to position its IrisIdent product into ATMs in the coming years." http://www.ctst.com/ff_industry.html I suggest you contact the manufacturer for more information. -- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred. "Tonga? Where the hell is Tonga? They have Cypherpunks there?"

At 11:37 AM 12/1/97 -0800, Paul Pomes wrote:
Thomas J. Drury walks up to the automated-teller machine in his suburban office and swipes his bank card. Instead of punching in a secret code, however, he stares straight ahead. The machine verifies his identity by looking at his eyes.
If Mr. Drury, chief executive officer of Sensar Corp., and his colleagues have their way, this eye-scanning technology will become standard equipment on ATMs around the world. It is being tested by NCR Corp. and Citicorp, among others.
As wonderful as eye scanning technology may sound, it promises to offer very weak identification and only be reliable in the short run. This is based on the premise that a reproduction of an eye will work as well. Just as a reproduction of a driver's license seems to work for check forgery.

PINs offer security based on the fact that they are a secret. Not a shared secret. For comparison, take a look at the authentication procedure of the SSA and Wells Fargo bank. Over the internet, both want

Social Security Number
Date of Birth
Mother's Maiden Name

Imagine a bank machine requesting the same info as the only prerequisite for dispensing cash! This info might have been a method of secure authentication about the time I was born, but today, such info is almost common knowledge. This no longer is a secret, too many people have the info. Widespread use of eye scanners will provide the same results. As databases are built, and sold, the raw info becomes available and automated tellers become excellent targets for fake authentications. If you get it wrong, you just walk away.

Eye scans may help aid authentication, but they should not take the place of PINs.

-- 
Robert Costner                  Phone: (770) 512-8746
Electronic Frontiers Georgia    mailto:pooh@efga.org
http://www.efga.org/            run PGP 5.0 for my public key

At 10:50 01/12/97 -0500, you wrote:
G'day Jonathan,
Could you please identify this "bank card company" by name, card, nation, etc. ?
In the UK, it was announced that the Nationwide Building Society was implementing such a scheme. Exactly where in the UK this is happening, I do not know.
participants (7)
- David Lucas
- Jonathan Wienke
- Kent Crispin
- Lucky Green
- Paul Pomes
- Robert A. Costner
- Vin McLellan