
Ontario Technoblog

Ontario Emperor technology blog.

This blog has been superseded by the mrontemp blog
Location: Ontario, California, United States

Sometime audio artist. Email comments on this blog to the gmail account mrontemp.

Friday, October 21, 2005

Robert Vamosi gives public biometrics the finger

From Security Watch:

Biometrics, although it's been around for a while, is suddenly hot within the security industry. Over the years, I've talked with various biometric vendors and security individuals, and I've always come away with a lukewarm feeling about the matter. I like biometrics on my laptop but not at the airport. Now biometrics, specifically fingerprint scanners, may soon be coming to a retail store near you as a convenient form of payment. The genie appears to be out of the bottle, with talk of library cards and even automobiles equipped with biometric security devices available or coming soon. Yet the question remains: Are biometric devices more secure than existing methods? I think not....

There are two basic methods for scanning fingerprints: optical scanning and capacitance scanning. Optical scanning uses a charge-coupled device (CCD) to take a picture of your fingerprint. In doing so, it flips the image so that the valleys appear dark and the ridges appear light.

In capacitance scanning, electrical current instead of light is used to make up a fingerprint sample. Your finger rests against an array of tiny cells. The benefit here is that capacitance scanning is much harder to forge than a mere optical scan of a fingerprint.

Whether it be an optical image or a capacitance scan, the fingerprint must be compared to an existing database. To compare the entire print would require a lot of processing power; instead, as seen on CSI and other crime shows, unique identifiers are tagged and compared against a standing database using algorithms. Unfortunately, there are no standards regarding fingerprint analysis--at least not among the many new commercial systems about to roll out....

Companies such as Pay By Touch are racing to install fingerprint readers at local points of sale; stores identified on its site are specific locations of Piggly Wiggly, Cub Foods, and Farm Fresh stores. The idea, according to companies such as Pay By Touch, is that swiping your debit card and keying your PIN takes too much time; it creates long lines at the checkout. With biometrics, they argue, you simply press your index finger to a pad, and your debit account is automatically accessed, and more people buy more things faster.

I question the security of a one-touch payment system. With a debit card, I'm using two-factor authentication: I need the card, and I need a PIN number. With one-touch payment systems, you have only the fingerprint between you and fraud....

Simson Garfinkel points out, in a recent issue of CSO magazine, several examples of built-in flaws regarding fingerprint scanning: What about children with faint and sometimes ill-defined ridges and valleys? Certain ethnic groups are at a disadvantage, having less-distinct fingerprints than others. And what about people without hands?

And certainly if you've watched enough television or read an issue of Ellery Queen Mystery Magazine, you know of a few ways to lift fingerprints using talcum and tape, or even gummi bears. In April 2005, security analyst Bruce Schneier wrote about a carjacking in Malaysia that involved the attacker sawing off the index finger of the victim in order to gain access to the victim's biometrically secured Mercedes S-class....

