Cash, Credit -- or Prints?

Mon Oct 11 20:34:19 EDT 2004

Can anyone explain how sophisticated those fingerprint readers are?

Are there readers out there that by themselves are secure devices and 
essentially are able to talk with their servers thru the 
PCs/workstations over a protocol such that any man-in-the-middle, like a 
driver, can not learn anything from the traffic?
(...and all that for less than $40, of course...)

If not, would a trojan then be able to capture your fingerprint's 
digital-fingerprint, and impersonate you from any other node on the network?

-Frank.

R.A. Hettinga wrote:

> <http://online.wsj.com/article_print/0,,SB109744462285841431,00.html>
>
> The Wall Street Journal
>
>
> October 11, 2004
>
>
> Cash, Credit -- or Prints?
> Fingerprints May Replace
> Money, Passwords and Keys;
> One Downside: Gummi Fakes
>
> By WILLIAM M. BULKELEY
> Staff Reporter of THE WALL STREET JOURNAL
> October 11, 2004; Page B1
>
>
> Fingerprints aren't just for criminals anymore. Increasingly, they are for
> customers.
>
> Fingerprint identification is being used to speed up checkouts at Piggly
> Wiggly supermarkets in South Carolina, and to open storage lockers at the
> Statue of Liberty. Fingerprints are also being used as password 
> substitutes
> in cellphones and laptop computers, and in place of combinations to 
> open up
> safes.
>
> But these aren't the fingerprints of yore, in which the person placed his
> hand on an ink pad, then on paper. Instead, the user sets his hand on a
> computerized device topped with a plate of glass, and an optical 
> reader and
> special software and chips identify the ridges and valleys of the
> fingertips.
>
> Fingerprint technology seems to be reaching critical mass and is spreading
> faster than other widely promoted "biometric" identification methods, such
> as eyeball scanning, handprint-geometry reading and facial recognition.
> Interest in these and other new security systems was heightened by the
> September 2001 terror attacks.
>
> "Fingerprints will be dominant for the foreseeable future," says Don
> McKeon, the product manager for biometric security at International
> Business Machines Corp.
>
> One reason fingerprint-security is spreading is that technological 
> advances
> are bringing the cost down. Microsoft Corp. recently introduced a
> stand-alone fingerprint reader for $54, and a keyboard and a mouse with
> fingerprint readers. Last week, IBM said it would start selling laptop
> computers with fingerprint readers built in. These products reduce the 
> need
> for personal-computer users to remember passwords.
>
> A customer uses a fingerprint reader to pay at a Piggly Wiggly store,
> cutting his checkout time.
>
>
>
> Earlier this year, American Power Conversion Corp., a Rhode Island company
> that makes backup computer batteries, started selling a fingerprint reader
> for PCs with a street price of $45 -- less than half the price of
> competitors at the time. American Power says it has sold tens of thousands
> of the devices since.
>
> Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip
> at its base that requires the owner's finger to be swiped across its
> surface before the phone can be used. This summer, NTT DoCoMo Inc. started
> selling a similar phone reader that is being used on Japanese trains as an
> electronic wallet to pay fares or to activate withdrawals from on-board
> cash machines.
>
> Proponents have never had trouble explaining the benefits of fingerprints
> as payment-and-password alternatives: Each person has a unique set, and
> their use is established in the legal system as an authoritative means of
> identification. But some people are uneasy about registering their
> fingerprints because of the association with criminality and the potential
> that such a universal identifier linked to all personal information would
> reduce privacy.
>
> Moreover, numerous businesses and governments have tested fingerprint
> systems in the past only to rip them out when the hype failed to match
> reality. That's partly because the optical readers have had problems with
> certain people's fingers. Elderly people with dry skin, children who
> pressed down too hard, even women with smaller fingers -- including many
> Asians -- were often rejected as unreadable.
>
> Security experts also have successfully fooled some systems by making
> plaster molds of fingers and then creating fake fingers by filling the
> molds with Silly-Putty-type plasticizers or gelatin similar to that 
> used in
> candy Gummi Bears.
>
> But advocates say the rate of false rejections of legitimate users has 
> been
> greatly reduced by improved software. "I'd say 99% of people can register"
> their fingers, says Brad Hill, who installed fingerprint-controlled 
> lockers
> at his souvenir store at the Statue of Liberty this summer when the
> National Park Service forbade tourists from entering the statue while
> carrying packages. Mr. Hill was worried that tourists would lose locker
> keys when security screeners forced them to empty their pockets.
>
> Some makers of readers also say their technology can solve the fake-finger
> problem by taking readings from below the surface skin layer. Or they
> suggest combining four-digit ID codes with fingerprint scanning to
> virtually eliminate false readings.
>
> Makers of fingerprint readers acknowledge the privacy concerns. But they
> maintain that the threat of personal invasion is minimized because most
> systems don't store the actual print, but instead use it to generate a
> unique series of numbers that can't be reverse-engineered to re-create the
> print. And public willingness to submit to fingerprint readers has soared
> since the 2001 terrorist attacks, as the need for security overcomes
> worries about unwarranted intrusion.
>
> While the market for fingerprint readers is small, it is growing fast.
> International Biometric Group, a New York market-research firm, predicts
> that sales will rise 86% to $368 million this year from $198 million last
> year. AuthenTec Inc., of Melbourne, Fla., which makes the
> fingerprint-reading chips used in the LG cellphone, expects to ship more
> than three million of them this year, triple the level of 2003. Their 
> price
> has fallen below $6 apiece, and Scott Moody, AuthenTec's chief executive,
> sees that dropping below $4 next year.
>
> Ubiquitous use of fingerprints could eliminate a huge consumer headache:
> remembering passwords for various Web sites. With American Power's
> fingerprint reader, users register all of their passwords online, along
> with the associated Web sites. Then they never have to type in a password
> again.
>
> "Our parents didn't deal with the problem of remembering 20 passwords, and
> our grandkids won't even know what they are," says IBM's Mr. McKeon.
>
> Potentially, fingerprint readers also could replace credit and debit 
> cards.
> Pay by Touch Co., a closely held San Francisco company that is working 
> with
> IBM, installs fingerprint readers in retail stores where customers can
> register their fingers by touching the pad five times. Then they can
> register supermarket loyalty cards and several credit card-numbers. They
> even can use the fingerprint reader to withdraw money from a checking
> account at the cash register.
>
> Another use: A consumer could register a driver's license and his or her
> age with the system, so clerks won't have to examine identification cards
> for purchases of beer or cigarettes. The next time the customer checks 
> out,
> he or she just touches the pad, enters his or her phone number and selects
> from the list of payment options. Pay by Touch, which charges retailers 5
> to 10 cents per transaction, claims the system reduces checkout time 
> by 30%.
>
> One early user of Pay by Touch are a handful of Piggly Wiggly 
> supermarkets.
> After installing the system in four stores in July, "a good, strong
> percentage of our transactions are done by touch" already, says David
> Schools, senior vice president of Piggly Wiggly Carolina Inc., based in
> Charleston. He declined to be more specific. The chain hopes that 
> customers
> will register checking accounts and make electronic withdrawals via
> fingerprint ID to pay for purchases, which would save the grocer steep
> credit-card or debit-card fees.
>
> IBM says that convenience stores are experimenting with fingerprints as an
> alternative to radio-frequency identification cards like Exxon Mobil
> Corp.'s Speedpass, to deal with the "sweaty jogger problem" -- cashless
> runners coming in for coffee or Gatorade. The problem with RFID cards is
> that anyone can use one that is lost or stolen. Not so with fingerprints.
>
> Jeff Baughan, vice president of information technology at Catholic Health
> Systems in Buffalo, N.Y., says he anticipates some day installing wireless
> readers on the carts used by nursers that would read patients' fingers, to
> double-check that the right patient gets the right medicine. 
> Currently, the
> health-care system is installing Ultra-Scan Corp. devices that read 
> fingers
> to register incoming patients and make sure that different people aren't
> using the same insurance card.
>
> Fingerprint-scanner authorization also is being used by business owners as
> a replacement for lock combinations on safes. "Traditionally, two people
> are given the same combination, and if there's a loss, how can you figure
> out who took it?" says Edward McGunn, president of Corporate Safe
> Specialists Inc., of Posen, Ill. He predicts that within two years, 80% of
> his sales will be fingerprint safes, partly because it's much simpler to
> train an unskilled manager to open one. "This is the most exciting time to
> be in the safe business in my lifetime," says Mr. McGunn, a
> third-generation safe maker.
>
>

-- 
Frank Siebenlist franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com