Cash, Credit -- or Prints?

[Tyler Durden]

Very interesting question. I'd bet almost any amount of money that it's 
fairly trivial to simply alligator-clip-out the fingerprint's file from 
almost any of the cheaper devices. Hell, I'd bet that's true even of more 
expensive "secure" devices as well.
-TD




>From: Frank Siebenlist <franks at mcs.anl.gov>
>To: "R.A. Hettinga" <rah at shipwright.com>
>CC: cryptography at metzdowd.com, cypherpunks at al-qaeda.net
>Subject: Re: Cash, Credit -- or Prints?
>Date: Mon, 11 Oct 2004 17:34:19 -0700
>
>Can anyone explain how sophisticated those fingerprint readers are?
>
>Are there readers out there that by themselves are secure devices and 
>essentially are able to talk with their servers thru the PCs/workstations 
>over a protocol such that any man-in-the-middle, like a driver, can not 
>learn anything from the traffic?
>(...and all that for less than $40, of course...)
>
>If not, would a trojan then be able to capture your fingerprint's 
>digital-fingerprint, and impersonate you from any other node on the 
>network?
>
>-Frank.
>
>
>
>R.A. Hettinga wrote:
>
>><http://online.wsj.com/article_print/0,,SB109744462285841431,00.html>
>>
>>The Wall Street Journal
>>
>>
>>October 11, 2004
>>
>>
>>Cash, Credit -- or Prints?
>>Fingerprints May Replace
>>Money, Passwords and Keys;
>>One Downside: Gummi Fakes
>>
>>By WILLIAM M. BULKELEY
>>Staff Reporter of THE WALL STREET JOURNAL
>>October 11, 2004; Page B1
>>
>>
>>Fingerprints aren't just for criminals anymore. Increasingly, they are for
>>customers.
>>
>>Fingerprint identification is being used to speed up checkouts at Piggly
>>Wiggly supermarkets in South Carolina, and to open storage lockers at the
>>Statue of Liberty. Fingerprints are also being used as password 
>>substitutes
>>in cellphones and laptop computers, and in place of combinations to open 
>>up
>>safes.
>>
>>But these aren't the fingerprints of yore, in which the person placed his
>>hand on an ink pad, then on paper. Instead, the user sets his hand on a
>>computerized device topped with a plate of glass, and an optical reader 
>>and
>>special software and chips identify the ridges and valleys of the
>>fingertips.
>>
>>Fingerprint technology seems to be reaching critical mass and is spreading
>>faster than other widely promoted "biometric" identification methods, such
>>as eyeball scanning, handprint-geometry reading and facial recognition.
>>Interest in these and other new security systems was heightened by the
>>September 2001 terror attacks.
>>
>>"Fingerprints will be dominant for the foreseeable future," says Don
>>McKeon, the product manager for biometric security at International
>>Business Machines Corp.
>>
>>One reason fingerprint-security is spreading is that technological 
>>advances
>>are bringing the cost down. Microsoft Corp. recently introduced a
>>stand-alone fingerprint reader for $54, and a keyboard and a mouse with
>>fingerprint readers. Last week, IBM said it would start selling laptop
>>computers with fingerprint readers built in. These products reduce the 
>>need
>>for personal-computer users to remember passwords.
>>
>>A customer uses a fingerprint reader to pay at a Piggly Wiggly store,
>>cutting his checkout time.
>>
>>
>>
>>Earlier this year, American Power Conversion Corp., a Rhode Island company
>>that makes backup computer batteries, started selling a fingerprint reader
>>for PCs with a street price of $45 -- less than half the price of
>>competitors at the time. American Power says it has sold tens of thousands
>>of the devices since.
>>
>>Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip
>>at its base that requires the owner's finger to be swiped across its
>>surface before the phone can be used. This summer, NTT DoCoMo Inc. started
>>selling a similar phone reader that is being used on Japanese trains as an
>>electronic wallet to pay fares or to activate withdrawals from on-board
>>cash machines.
>>
>>Proponents have never had trouble explaining the benefits of fingerprints
>>as payment-and-password alternatives: Each person has a unique set, and
>>their use is established in the legal system as an authoritative means of
>>identification. But some people are uneasy about registering their
>>fingerprints because of the association with criminality and the potential
>>that such a universal identifier linked to all personal information would
>>reduce privacy.
>>
>>Moreover, numerous businesses and governments have tested fingerprint
>>systems in the past only to rip them out when the hype failed to match
>>reality. That's partly because the optical readers have had problems with
>>certain people's fingers. Elderly people with dry skin, children who
>>pressed down too hard, even women with smaller fingers -- including many
>>Asians -- were often rejected as unreadable.
>>
>>Security experts also have successfully fooled some systems by making
>>plaster molds of fingers and then creating fake fingers by filling the
>>molds with Silly-Putty-type plasticizers or gelatin similar to that used 
>>in
>>candy Gummi Bears.
>>
>>But advocates say the rate of false rejections of legitimate users has 
>>been
>>greatly reduced by improved software. "I'd say 99% of people can register"
>>their fingers, says Brad Hill, who installed fingerprint-controlled 
>>lockers
>>at his souvenir store at the Statue of Liberty this summer when the
>>National Park Service forbade tourists from entering the statue while
>>carrying packages. Mr. Hill was worried that tourists would lose locker
>>keys when security screeners forced them to empty their pockets.
>>
>>Some makers of readers also say their technology can solve the fake-finger
>>problem by taking readings from below the surface skin layer. Or they
>>suggest combining four-digit ID codes with fingerprint scanning to
>>virtually eliminate false readings.
>>
>>Makers of fingerprint readers acknowledge the privacy concerns. But they
>>maintain that the threat of personal invasion is minimized because most
>>systems don't store the actual print, but instead use it to generate a
>>unique series of numbers that can't be reverse-engineered to re-create the
>>print. And public willingness to submit to fingerprint readers has soared
>>since the 2001 terrorist attacks, as the need for security overcomes
>>worries about unwarranted intrusion.
>>
>>While the market for fingerprint readers is small, it is growing fast.
>>International Biometric Group, a New York market-research firm, predicts
>>that sales will rise 86% to $368 million this year from $198 million last
>>year. AuthenTec Inc., of Melbourne, Fla., which makes the
>>fingerprint-reading chips used in the LG cellphone, expects to ship more
>>than three million of them this year, triple the level of 2003. Their 
>>price
>>has fallen below $6 apiece, and Scott Moody, AuthenTec's chief executive,
>>sees that dropping below $4 next year.
>>
>>Ubiquitous use of fingerprints could eliminate a huge consumer headache:
>>remembering passwords for various Web sites. With American Power's
>>fingerprint reader, users register all of their passwords online, along
>>with the associated Web sites. Then they never have to type in a password
>>again.
>>
>>"Our parents didn't deal with the problem of remembering 20 passwords, and
>>our grandkids won't even know what they are," says IBM's Mr. McKeon.
>>
>>Potentially, fingerprint readers also could replace credit and debit 
>>cards.
>>Pay by Touch Co., a closely held San Francisco company that is working 
>>with
>>IBM, installs fingerprint readers in retail stores where customers can
>>register their fingers by touching the pad five times. Then they can
>>register supermarket loyalty cards and several credit card-numbers. They
>>even can use the fingerprint reader to withdraw money from a checking
>>account at the cash register.
>>
>>Another use: A consumer could register a driver's license and his or her
>>age with the system, so clerks won't have to examine identification cards
>>for purchases of beer or cigarettes. The next time the customer checks 
>>out,
>>he or she just touches the pad, enters his or her phone number and selects
>>from the list of payment options. Pay by Touch, which charges retailers 5
>>to 10 cents per transaction, claims the system reduces checkout time by 
>>30%.
>>
>>One early user of Pay by Touch are a handful of Piggly Wiggly 
>>supermarkets.
>>After installing the system in four stores in July, "a good, strong
>>percentage of our transactions are done by touch" already, says David
>>Schools, senior vice president of Piggly Wiggly Carolina Inc., based in
>>Charleston. He declined to be more specific. The chain hopes that 
>>customers
>>will register checking accounts and make electronic withdrawals via
>>fingerprint ID to pay for purchases, which would save the grocer steep
>>credit-card or debit-card fees.
>>
>>IBM says that convenience stores are experimenting with fingerprints as an
>>alternative to radio-frequency identification cards like Exxon Mobil
>>Corp.'s Speedpass, to deal with the "sweaty jogger problem" -- cashless
>>runners coming in for coffee or Gatorade. The problem with RFID cards is
>>that anyone can use one that is lost or stolen. Not so with fingerprints.
>>
>>Jeff Baughan, vice president of information technology at Catholic Health
>>Systems in Buffalo, N.Y., says he anticipates some day installing wireless
>>readers on the carts used by nursers that would read patients' fingers, to
>>double-check that the right patient gets the right medicine. Currently, 
>>the
>>health-care system is installing Ultra-Scan Corp. devices that read 
>>fingers
>>to register incoming patients and make sure that different people aren't
>>using the same insurance card.
>>
>>Fingerprint-scanner authorization also is being used by business owners as
>>a replacement for lock combinations on safes. "Traditionally, two people
>>are given the same combination, and if there's a loss, how can you figure
>>out who took it?" says Edward McGunn, president of Corporate Safe
>>Specialists Inc., of Posen, Ill. He predicts that within two years, 80% of
>>his sales will be fingerprint safes, partly because it's much simpler to
>>train an unskilled manager to open one. "This is the most exciting time to
>>be in the safe business in my lifetime," says Mr. McGunn, a
>>third-generation safe maker.
>>
>>
>
>--
>Frank Siebenlist franks at mcs.anl.gov
>The Globus Alliance - Argonne National Laboratory
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement