Re: Cash, Credit -- or Prints?
Very interesting question. I'd bet almost any amount of money that it's fairly trivial to simply alligator-clip-out the fingerprint's file from almost any of the cheaper devices. Hell, I'd bet that's true even of more expensive "secure" devices as well. -TD
From: Frank Siebenlist <franks@mcs.anl.gov>
To: "R.A. Hettinga" <rah@shipwright.com>
CC: cryptography@metzdowd.com, cypherpunks@al-qaeda.net
Subject: Re: Cash, Credit -- or Prints?
Date: Mon, 11 Oct 2004 17:34:19 -0700
Can anyone explain how sophisticated those fingerprint readers are?
Are there readers out there that by themselves are secure devices and essentially are able to talk with their servers thru the PCs/workstations over a protocol such that any man-in-the-middle, like a driver, can not learn anything from the traffic? (...and all that for less than $40, of course...)
If not, would a trojan then be able to capture your fingerprint's digital-fingerprint, and impersonate you from any other node on the network?
-Frank.
R.A. Hettinga wrote:
<http://online.wsj.com/article_print/0,,SB109744462285841431,00.html>
The Wall Street Journal
October 11, 2004
Cash, Credit -- or Prints? Fingerprints May Replace Money, Passwords and Keys; One Downside: Gummi Fakes
By WILLIAM M. BULKELEY Staff Reporter of THE WALL STREET JOURNAL October 11, 2004; Page B1
Fingerprints aren't just for criminals anymore. Increasingly, they are for customers.
Fingerprint identification is being used to speed up checkouts at Piggly Wiggly supermarkets in South Carolina, and to open storage lockers at the Statue of Liberty. Fingerprints are also being used as password substitutes in cellphones and laptop computers, and in place of combinations to open up safes.
But these aren't the fingerprints of yore, in which the person placed his hand on an ink pad, then on paper. Instead, the user sets his hand on a computerized device topped with a plate of glass, and an optical reader and special software and chips identify the ridges and valleys of the fingertips.
Fingerprint technology seems to be reaching critical mass and is spreading faster than other widely promoted "biometric" identification methods, such as eyeball scanning, handprint-geometry reading and facial recognition. Interest in these and other new security systems was heightened by the September 2001 terror attacks.
"Fingerprints will be dominant for the foreseeable future," says Don McKeon, the product manager for biometric security at International Business Machines Corp.
One reason fingerprint-security is spreading is that technological advances are bringing the cost down. Microsoft Corp. recently introduced a stand-alone fingerprint reader for $54, and a keyboard and a mouse with fingerprint readers. Last week, IBM said it would start selling laptop computers with fingerprint readers built in. These products reduce the need for personal-computer users to remember passwords.
A customer uses a fingerprint reader to pay at a Piggly Wiggly store, cutting his checkout time.
Earlier this year, American Power Conversion Corp., a Rhode Island company that makes backup computer batteries, started selling a fingerprint reader for PCs with a street price of $45 -- less than half the price of competitors at the time. American Power says it has sold tens of thousands of the devices since.
Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip at its base that requires the owner's finger to be swiped across its surface before the phone can be used. This summer, NTT DoCoMo Inc. started selling a similar phone reader that is being used on Japanese trains as an electronic wallet to pay fares or to activate withdrawals from on-board cash machines.
Proponents have never had trouble explaining the benefits of fingerprints as payment-and-password alternatives: Each person has a unique set, and their use is established in the legal system as an authoritative means of identification. But some people are uneasy about registering their fingerprints because of the association with criminality and the potential that such a universal identifier linked to all personal information would reduce privacy.
Moreover, numerous businesses and governments have tested fingerprint systems in the past only to rip them out when the hype failed to match reality. That's partly because the optical readers have had problems with certain people's fingers. Elderly people with dry skin, children who pressed down too hard, even women with smaller fingers -- including many Asians -- were often rejected as unreadable.
Security experts also have successfully fooled some systems by making plaster molds of fingers and then creating fake fingers by filling the molds with Silly-Putty-type plasticizers or gelatin similar to that used in candy Gummi Bears.
But advocates say the rate of false rejections of legitimate users has been greatly reduced by improved software. "I'd say 99% of people can register" their fingers, says Brad Hill, who installed fingerprint-controlled lockers at his souvenir store at the Statue of Liberty this summer when the National Park Service forbade tourists from entering the statue while carrying packages. Mr. Hill was worried that tourists would lose locker keys when security screeners forced them to empty their pockets.
Some makers of readers also say their technology can solve the fake-finger problem by taking readings from below the surface skin layer. Or they suggest combining four-digit ID codes with fingerprint scanning to virtually eliminate false readings.
Makers of fingerprint readers acknowledge the privacy concerns. But they maintain that the threat of personal invasion is minimized because most systems don't store the actual print, but instead use it to generate a unique series of numbers that can't be reverse-engineered to re-create the print. And public willingness to submit to fingerprint readers has soared since the 2001 terrorist attacks, as the need for security overcomes worries about unwarranted intrusion.
While the market for fingerprint readers is small, it is growing fast. International Biometric Group, a New York market-research firm, predicts that sales will rise 86% to $368 million this year from $198 million last year. AuthenTec Inc., of Melbourne, Fla., which makes the fingerprint-reading chips used in the LG cellphone, expects to ship more than three million of them this year, triple the level of 2003. Their price has fallen below $6 apiece, and Scott Moody, AuthenTec's chief executive, sees that dropping below $4 next year.
Ubiquitous use of fingerprints could eliminate a huge consumer headache: remembering passwords for various Web sites. With American Power's fingerprint reader, users register all of their passwords online, along with the associated Web sites. Then they never have to type in a password again.
"Our parents didn't deal with the problem of remembering 20 passwords, and our grandkids won't even know what they are," says IBM's Mr. McKeon.
Potentially, fingerprint readers also could replace credit and debit cards. Pay by Touch Co., a closely held San Francisco company that is working with IBM, installs fingerprint readers in retail stores where customers can register their fingers by touching the pad five times. Then they can register supermarket loyalty cards and several credit card-numbers. They even can use the fingerprint reader to withdraw money from a checking account at the cash register.
Another use: A consumer could register a driver's license and his or her age with the system, so clerks won't have to examine identification cards for purchases of beer or cigarettes. The next time the customer checks out, he or she just touches the pad, enters his or her phone number and selects from the list of payment options. Pay by Touch, which charges retailers 5 to 10 cents per transaction, claims the system reduces checkout time by 30%.
One early user of Pay by Touch are a handful of Piggly Wiggly supermarkets. After installing the system in four stores in July, "a good, strong percentage of our transactions are done by touch" already, says David Schools, senior vice president of Piggly Wiggly Carolina Inc., based in Charleston. He declined to be more specific. The chain hopes that customers will register checking accounts and make electronic withdrawals via fingerprint ID to pay for purchases, which would save the grocer steep credit-card or debit-card fees.
IBM says that convenience stores are experimenting with fingerprints as an alternative to radio-frequency identification cards like Exxon Mobil Corp.'s Speedpass, to deal with the "sweaty jogger problem" -- cashless runners coming in for coffee or Gatorade. The problem with RFID cards is that anyone can use one that is lost or stolen. Not so with fingerprints.
Jeff Baughan, vice president of information technology at Catholic Health Systems in Buffalo, N.Y., says he anticipates some day installing wireless readers on the carts used by nurses that would read patients' fingers, to double-check that the right patient gets the right medicine. Currently, the health-care system is installing Ultra-Scan Corp. devices that read fingers to register incoming patients and make sure that different people aren't using the same insurance card.
Fingerprint-scanner authorization also is being used by business owners as a replacement for lock combinations on safes. "Traditionally, two people are given the same combination, and if there's a loss, how can you figure out who took it?" says Edward McGunn, president of Corporate Safe Specialists Inc., of Posen, Ill. He predicts that within two years, 80% of his sales will be fingerprint safes, partly because it's much simpler to train an unskilled manager to open one. "This is the most exciting time to be in the safe business in my lifetime," says Mr. McGunn, a third-generation safe maker.
--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
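The replay concern raised in the thread (a driver or trojan on the PC capturing what the reader sends and reusing it from another node), as an added sketch that is not from any poster or vendor: a reader that forwards a static template digest is compared with a hypothetical reader that matches on-device and answers a one-time server nonce with an HMAC. Assumptions: a per-reader key shared with the server, and an exact-match digest standing in for real (fuzzy) fingerprint matching; all class and function names are invented for illustration.

```python
import hashlib
import hmac
import secrets

class Server:
    def __init__(self):
        self.templates = {}    # naive scheme: user -> static template digest
        self.reader_keys = {}  # hardened scheme: reader_id -> shared key (assumed provisioned)
        self.pending = {}      # reader_id -> outstanding one-time nonce

    def naive_login(self, user, digest):
        # The static digest is the whole credential: whoever saw it can resend it.
        return hmac.compare_digest(self.templates.get(user, b""), digest)

    def challenge(self, reader_id):
        self.pending[reader_id] = secrets.token_bytes(16)
        return self.pending[reader_id]

    def verify(self, reader_id, user, tag):
        nonce = self.pending.pop(reader_id, None)  # each nonce is accepted once
        key = self.reader_keys.get(reader_id)
        if nonce is None or key is None or tag is None:
            return False
        expected = hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

class Reader:
    # Hypothetical reader: matches on-device, never exports the template or key.
    def __init__(self, key, enrolled):
        self._key, self._enrolled = key, enrolled

    def respond(self, nonce, user, scan):
        if not hmac.compare_digest(self._enrolled.get(user, b""), scan):
            return None  # no match, nothing is signed
        return hmac.new(self._key, nonce + user.encode(), hashlib.sha256).digest()

def demo():
    scan = hashlib.sha256(b"constructed-template-for-alice").digest()  # constructed sample
    key = secrets.token_bytes(32)
    server = Server()
    server.templates["alice"] = scan
    server.reader_keys["reader-1"] = key
    reader = Reader(key, {"alice": scan})
    naive_replay = server.naive_login("alice", scan)  # digest as seen by a driver in the path
    tag = reader.respond(server.challenge("reader-1"), "alice", scan)
    legit = server.verify("reader-1", "alice", tag)
    server.challenge("reader-1")  # a later session gets a fresh nonce
    replay = server.verify("reader-1", "alice", tag)  # captured tag resent
    return {"naive_replay": naive_replay, "legit": legit, "tag_replay": replay}
```

The sketch covers only replay of captured traffic; it does nothing about a fake finger presented to the sensor, which the article discusses separately.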