Biometrics technology available, but hasn't caught on in U.S. (PINs vs. Bio-metrics)

MENAFN.COM Knight Ridder Newspapers ^ | Wednesday, April 26, 2006 | Dave Scott

[APRPEH]

AKRON, Ohio _ Futurists promised us wireless telephones. Now we have them.

They promised us itty-bitty boxes that store thousands of songs. We have those, too.

So whatever came of the idea of going up to an automated teller machine, having it check your fingerprint and drawing out some cash?

The answer is that you can, if you live in Chile or Saudi Arabia. But the folks who make ATMs, such as Green-based Diebold Inc., say the idea just isn't working out in the United States.

Fingerprints, retinal scanners, iris readers and palm geometry readers all fall into the category of biometrics. The science practically guarantees security because it measures unique parts of the body.

But the scanners still fall far behind the popularity of that tried-and-true method of identification: the personal identification number (PIN).

"In the case of ATMs, the PIN will be here for a long time," said Jim Block, Diebold's director of global advanced technology.

[APRPEH]

Just throwing it out there for comments....

[LegendHasIt]

What was it that I was watching last night or the night before.....???

Whatever it was "They" removed someone's eye to get past the biometric retina scanner security device to get into a high security area.

Same sort of thing can be done to get past fingerprint scanners, palm readers etc.

No thanks. I'll just endeavor to remember my pass codes and PIN numbers.

And if "They" try to torture my FR password or my ATM card PIN out of me, at least I can lie and slow them down a bit.

[edcoil]

I want my flying car promised to me when I was a child.

[BIGZ]

Maybe the Dems could use this process a proof of citizenship to vote.Just sitck your finger on the voter registration.

[NJ_gent]

Biometrics is a Pandora's Box of horrors. This, coming from a tech person, should be a warning. There are multiple places where biometrics can be attacked, and once your biometric template gets out there, it becomes utterly useless.

Imagine a world where you use biometrics for everything from grocery shopping to identification to board an airplane. Where does that information get checked against? There's a template stored on a central server somewhere. Chances are, your local supermarket has one in their local store. Walmart might have their own at their corporate headquarters. What happens if I, a person pretty good with computers, gets access to all the biometric templates stored on Walmart's systems. Let's think smaller: let's say I get the ones stored in your local supermarket. How many fingerprints/iris scans/facial recognition/etc templates do I now have? A few hundred? A thousand? Assuming the local supermarket even knows the data was accessed, what can they do? Warn a thousand customers that their iris template is now up for grabs on Kazaa? What are they going to do? Change their eyes?

Passwords can be changed. Accounts can be recreated. Biometric templates are permanent and foolable. There are at least thirteen different documented, tried and true ways of breaking biometric security. Once the security is breeched for you, there's no going back. Once your iris template, or fingerprint template, or whichever template is compromised, you're done with biometric security forever.

Simply put, biometric security will be the holy grail... for identity thieves, con artists, and terrorists. Take it from someone who knows: biometrics can't possibly be made "safe" (not even in theory) and will cost you more than you can possibly imagine. Widescale implementation will bring about waves of identity theft and fraud not yet imagined in this country.

[supercat]

I favor the approach of having a card the size of a credit-card calculator with a keypad and display. To buy something on the Internet, you would key in the merchant ID, amount to authorize, and a PIN, and the device would then give a time-stamped authorization code for the purchase. Even if someone else got the code it wouldn't work for them, thus preventing fraudulent purchases.

[supercat]

Simply put, biometric security will be the holy grail... for identity thieves, con artists, and terrorists. Take it from someone who knows: biometrics can't possibly be made "safe" (not even in theory) and will cost you more than you can possibly imagine. Widescale implementation will bring about waves of identity theft and fraud not yet imagined in this country.

The one spot I can see biometrics as being useful would be as security for equipment you own and control. Such a device need not have your entire biometric imprint in any recoverable form. If stolen, any codes in the device could be invalidated the same was as one invalidates stolen credit cards, passwords, etc.

[GovernmentShrinker]

The time for Biometric ID has come, but not for transactions with machines. It would be VERY good for voting, for determining if someone's in the country legally, for registering for any kind of welfare benefits, for purchasing large quantities of ammonium nitrate, for travel on common carriers, for applying for jobs in high security situations or caring for vulnerable people (children, retarded, elderly), etc.

[NJ_gent]

"Such a device need not have your entire biometric imprint in any recoverable form."

If you don't have the 'entire biometric imprint', what are you authenticating against when you put your finger on it/let it scan your eye/etc?

That's the inherent problem with all biometric devices: access control can only be done through matchable templates which store information that can never be changed. Maybe it's stored on the device itself. In that case, I just steal the device and decrypt the templates. Maybe it's stored on a server located 5,000 miles away. Are you sure the information isn't being snooped between the device and the server? Are you sure the device itself hasn't been compromised? Are you sure the server the templates are stored on hasn't been compromised? Are you sure the line(s) connecting the two haven't been compromised? Are each and every one of those things completely and totally secured against all unauthorized access 24/7?

If we could do that, we wouldn't need biometric authentication in the first place. (And don't even get me started on TEMPTEST technologies...)

My point is simply that no system is totally securable, so it must be flexible enough to change based on potential unauthorized dissemination of access control information. You can do that with a password or a PIN; they're changable. It's impossible with biometrics. Biometrics are totally incapable of adjusting to security compromise in the worst way possible and are assumed to be perfect by those who don't fully understand them, which makes them all the more dangerous.

[AFreeBird]

And in the movie National Treasure they lifted a fingerprint to gain access to to the sub levels of the National Archives.

Many biometric identifiers are left behind where ever we go; fingerprints & DNA being two of the biggies, and I'm not all that thrilled about having a laser scan my retina. I mean they put little warnings on laser pointers cautioning against pointing it at your eyes.... Sure, its low power and all that.. yada yada... but if for whatever reason it were to blind me... I would not be happy about it to say the least.

I don't know what the solution is, or will be, but I'm not thrilled with biometrics.

[NJ_gent]

"The time for Biometric ID has come, but not for transactions with machines. It would be VERY good for voting, for determining if someone's in the country legally, for registering for any kind of welfare benefits, for purchasing large quantities of ammonium nitrate, for travel on common carriers, for applying for jobs in high security situations or caring for vulnerable people (children, retarded, elderly), etc."

The exact opposite is true. Biometrics makes great sense for unlocking your car door or for identification only when writing a check (in lieu of or as a supplement to a driver license). The more valuable the target, the more likely it is that the biometric templates will be compromised, which will lead to horrendous situations where individuals can impersonate those in positions of high trust and security by exploiting a completely vulnerable system believed to be invulnerable.

There isn't a more dangerous situation you can have. Keep in mind that this is coming from a tech person when I say that biometrics are horrible for securing anything of any value and should be avoided at all costs.

You can change a PIN or a password when someone gets that information; you can't change your eyes or your hands.

[Revel]

You better go back and read #5. And also remember you are trying to shrink government...Not expand it.

[Revel]

Here is a rather long, but informational article on this subject that tells both sides. I think this is a very bad idea.

[Revel]

Here is a rather long, but informational article on this subject that tells both sides. I think this is a very bad idea.

http://www.eweek.com/article2/0,1895,1918162,00.asp

[NJ_gent]

"I'm not all that thrilled about having a laser scan my retina."

It's usually the iris that's scanned, but that's beside the point. The scanner is actually very safe. I've had an iris scanner for about three years now for my PC and I've never even heard of a problem with vision resulting from their use.

The real problem comes when you start using biometrics for payment information, government IDs, and other such valuable targets for thieves and terrorists. Biometrics are assumed to be perfect because your eyes don't change and don't match anyone else's (statistically it's highly unlikely, though not impossible for this to be wrong). The problem is that the information you're authenticating the scans against, a template, is very vulnerable to attack. Once the template is compromised, it's useless forever.

What that means is that if I somehow get ahold of the template for your iris, no one in the world can ever trust that an eye scan that comes up as you is really you. Once that template is out there, it's completely and totally useless as a security identifier, and it can never, ever be changed (because your eyes don't change).

[SauronOfMordor]

Whatever it was "They" removed someone's eye to get past the biometric retina scanner security device to get into a high security area.

BBC: Malaysia car thieves steal finger

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

[NJ_gent]

Anyone who thinks this might be a good idea really needs to read this.

Take it from the tech people, folks, this is an absolutely horrible idea.

[AFreeBird]

It's usually the iris that's scanned, but that's beside the point. The scanner is actually very safe. I've had an iris scanner for about three years now for my PC and I've never even heard of a problem with vision resulting from their use.

Momma always told me not to look into the eyes of the sun... but momma...

Kinda hard to scan the iris and not the retina isn't it? You may only be looking at the iris but the light has to go further. Perhaps it is safe, and perhaps 3 years of use can quantify that assessment, but then again, what would a lifetime of use do?

And if someone wants into your systems, records or whatever bad enough, what's to stop them from coming to get your eye, whether you're attached to it or not.

[zeugma]

Good article, but as you said, it didn't really explore the dangers of the information being compromised.

I'm a professional nerd too, and must say that I don't trust these biometric systems as far as I can throw them. The article also didn't spend much time on RFID tags, which I think will come to be inescapably prevalent all over the damned place. These RFID tag will be the ultimate boon to thieves who will be able to scan their marks from a distance. Similarly, terrorists will be better able to target Americans abroad more easily thanks to the US government being unconcerned about the safety of the serfs they believe they rule over.

[AFreeBird]

Yea, RFIDs are problematic as well. I think their inclusion into passports was a bad idea. Sure, normal readers will only work at close distances, but you could always have a hidden reader nearby a legit one, and really, if you were to turn up the gain/wattage & sensitivity on the reader; longer distances are possible.