idea: brinworld meets the credit card
Authentication is "Something you have / know / are."
A simple plastic credit card + PIN provides the first two, including a photo provides the third "something you are". A face is more often checked than the readily forgeable signature, in live authentication.
But as cameras become ubiquitous (e.g., in cell phones) some extra security could be obtained for *remote* authentication by sending a trusted photo of the account holder plus a live picture of the card user.
A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably.
The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud.
Thoughts?
On Tue, Jul 08, 2003 at 12:16:36PM -0700, Major Variola (ret) wrote:
> Authentication is "Something you have / know / are."
> [..]
> A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably.
> The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud.
> Thoughts?
How does it allow the merchant to view the picture while preventing the thief from doing so? Saying "it's encrypted" is, at best, sweeping a very large problem under a small rug. Who holds the key? How does the card or the user authenticate a real merchant vs. a thief posing as a merchant?
Those are the hard problems. No one in biometrics has yet been able to solve them in a general way.
Eric
> Those are the hard problems. No one in biometrics has yet been able to solve them in a general way.
And the merchant example is the wrong application. The merchant doesn't care WHO you are - that's a false premise. Merchant cares if you can pay. Now, that's a completely solvable issue. Of course, we know who and why is trying to misrepresent this. All other applications of biometrics boil down to threatening with punishment (we know who you are, behave or else ...) - and then the biometrics ceases to be in the interest of the eyeball holder. Even granting door access to "employees" fits this category. You don't let "any qualified mathematician willing to work" to enter the lab - you let in only those that you know where they live, have signed contracts with them, etc.
You might find "facecerts" interesting. http://www.computer.org/proceedings/dcc/1896/18960435.pdf
This is more for face-to-face checking, however. For your remote scenario some sort of one-way hash to verify the image might be interesting. It would have to allow for fuzzy matching after hashing (for obvious reasons).
I think this just raises the bar a tiny bit though, as an attacker could stalk their victim before stealing their card to get an idea about what appearance to forge. (or capture webcam traffic before lifting the card / identity info)
Cheers,
Adam Lydick
On Tue, 2003-07-08 at 12:16, Major Variola (ret) wrote:
> Authentication is "Something you have / know / are."
> A simple plastic credit card + PIN provides the first two, including a photo provides the third "something you are". A face is more often checked than the readily forgeable signature, in live authentication.
> But as cameras become ubiquitous (e.g., in cell phones) some extra security could be obtained for *remote* authentication by sending a trusted photo of the account holder plus a live picture of the card user.
> A picture glued into the card could be forged, but a smartcard (with more data area than a magstripe) could include a picture of the account holder, so a thief has no idea what to look like. But the vendor can check the encrypted smartcard face to the face on the phone or webcam. For high-value remote transactions, where you pay someone to check faces, this might be viable in a few years. In a few years after that, machines might be able to check faces more cheaply, as reliably.
> The live face-check with embedded digital photos is already standard practice on high-security building-entry cards (and passports?), with the guard comparing the card-embedded face to the one before him. Ubiquitous cameras will bring that face-check to remote transactions, reducing cost due to lower fraud.
> Thoughts?
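Added example, not part of the thread: one published construction for the "one-way hash with fuzzy matching" raised in the reply above is the fuzzy commitment scheme of Juels and Wattenberg, shown here next to a plain hash that breaks on a single flipped bit. The 80-bit vector is a constructed stand-in for a face template, the repetition code is a toy choice, and all function names are illustrative.

```python
import hashlib
import hmac
import secrets

REP = 5  # each key bit is repeated REP times; up to 2 flipped bits per block are corrected

def _encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def _decode(code_bits):
    # majority vote inside every REP-bit block
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def _digest(bits):
    return hashlib.sha256(bytes(bits)).digest()

def enroll(template_bits):
    """Return (helper, key_hash) for storage; the template itself is never stored."""
    if len(template_bits) % REP:
        raise ValueError("template length must be a multiple of REP")
    key = [secrets.randbits(1) for _ in range(len(template_bits) // REP)]
    helper = [c ^ w for c, w in zip(_encode(key), template_bits)]
    return helper, _digest(key)

def verify(helper, key_hash, sample_bits):
    """Accept if the live sample is close enough to decode back to the enrolled key."""
    if len(sample_bits) != len(helper):
        return False
    noisy_codeword = [h ^ w for h, w in zip(helper, sample_bits)]
    return hmac.compare_digest(_digest(_decode(noisy_codeword)), key_hash)

def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

def demo():
    template = [(i * 7 + i // 3) % 2 for i in range(80)]  # constructed sample data
    helper, key_hash = enroll(template)
    same_person = flip(template, {3, 17, 42, 66})          # capture noise: 4 scattered bits
    other_person = flip(template, set(range(0, 80, 2)))    # a different face: 40 bits differ
    return {
        "exact_sample": verify(helper, key_hash, template),
        "noisy_sample": verify(helper, key_hash, same_person),
        "other_person": verify(helper, key_hash, other_person),
        "plain_hash_survives_noise": _digest(same_person) == _digest(template),
    }

if __name__ == "__main__":
    print(demo())
```

The helper data is stored in the clear and leaks information about the template when the code is this weak and the template has little entropy, so it does not by itself answer the key-holding and merchant-authentication questions raised earlier in the thread.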
participants (4)
- Adam Lydick
- Eric Murray
- Major Variola (ret)
- Morlock Elloi