
Title: Cash or plastic? How about fingerprint?
Source: CNN/Money
URL Source: http://money.cnn.com/2005/07/19/pf/security_biometrics/index.htm
Published: Jul 20, 2005
Author: Grace Wong, CNN/Money staff writer
Post Date: 2005-08-02 11:41:11 by DeaconBenjamin
Keywords: fingerprint?, plastic?, about
Views: 66
Comments: 5

Biometric transactions are faster and more convenient -- and closer than you may think.

NEW YORK (CNN/Money) - Instead of keeping countless cards and pieces of information that verify your identification, soon there may be only one thing you need: yourself.

As identity theft has become the bane of consumers everywhere, technologies aimed at making transactions more secure are gaining ground. Such "biometric technologies" include iris scans, as well as those for fingerprints, palm, skin, voice and face patterns.

"In everyday life, the use of biometrics has been growing," said Philip Youn, a consultant at International Biometric Group.

The underlying strength of biometrics is that it uses patterns that are unique to each individual. Your fingerprints belong to you alone, and unlike that password to your online bank account, you can never lose it.

Where can you see it now?

Retail. Albertson's, the No. 2 supermarket chain, is one of hundreds of retailers testing biometric payment systems that let customers pay for purchases with a mere swipe of a finger.

It works like this: You register your fingerprint and your bank account with a service provider. The main ones are Pay By Touch and BioPay.

When you shop at a participating merchant, you just swipe your finger and the payment is automatically transferred from your bank to the merchant -- you don't have to hand over a card, sign a receipt or punch in a PIN.

Earlier this year, Albertson's joined the Pay By Touch network and is testing the service at four of its stores in the Portland, Oregon area.

"One thing we've heard repeatedly from our customers is that they would like to speed up the checkout process," Albertson's spokeswoman Shannon Bennett said. The feedback has been "very positive" she said, although the company hasn't announced any expansion plans for the program.

So far Pay By Touch is available at 100 to 200 stores while rival BioPay's system can be accessed at 150 locations.

"Biometric payments are the safest because no information is passed to the merchant," said Donita Prakash, vice president of marketing at BioPay.

And because you don't have to present your card at the point of sale, the transaction is faster, Pay By Touch marketing director Shannon Riordan said.

Another selling point: biometrics could offer instant age verification for alcohol and tobacco sales.

Computers. Getting started with biometrics for your computer is as easy as picking up a product like the Biopod Password Manager produced by APC. The small fingerprint scanning device, which plugs into a USB port, stores all your passwords in your fingerprint.

When you go visit your favorite Web sites -- whether it be http://Amazon.com or your investment portfolio -- all you have to do is scan your fingerprint.

If you don't want to deal with external hardware, IBM, Toshiba and Compaq all sell notebook models already outfitted with a fingerprint reader.

The price of the Biopod is about $50 while laptops with the device built-in can sell for as little as $1,300.

Travel. If you travel internationally, then soon you'll be carrying some high-tech identification. The Department of State has launched a plan to introduce electronic passports that come with a chip that stores the usual personal information as well as a digital photo which enables biometric comparison through the use of facial recognition technology at international borders.

According to State Department spokeswoman Joanne Moore, the electronic passports are still in test mode, but partial implementation is planned for the fall and full implementation in 2006.

Fundamentally flawed technology?

No biometric technology is 100 percent reliable, and privacy advocates are concerned with another problem -- centralized databases holding huge amounts of personal information.

"Whenever you're collecting uniquely identifiable information that you can't change, that's a very bad idea. It's a honeypot for hackers and attackers," Pam Dixon, executive director of the World Privacy Forum, said.

"Biometric technology would seem like it's a fantastic fix for identity theft, but once the ultimate identifier is stolen, there is no recourse for an individual to prove who they are," she said.

While victims of identity theft can get a new credit card number, change their address and even apply for a new Social Security number, they can't change their DNA.

Furthermore, there are those who just cannot use certain biometric systems, IBG's Youn said, explaining that some people's fingerprints are damaged, and others are born without readable prints -- although this is a small portion of the population.

Representatives from Pay By Touch and BioPay said when it comes to security, users of biometric payment services can relax because both companies don't store pictures of fingerprints. Instead, tiny measurements unique to each finger are recorded as an algorithm. If a hacker breaks into the system, all he or she would find is a number rather than a usable image of a fingerprint, they said.


#1. To: DeaconBenjamin (#0)

Does the phrase "In a pig's ass" mean anything to you Grace?

Boonie Rat

MACV SOCOM, PhuBai/Hue '65-'66

It is clear, therefore, that it is time to rethink traditional strategy and tactics when it comes to opposing a modern police state. America is quickly moving into a long dark night of police state tyranny, where the rights now accepted by most as being inalienable will disappear. Let the coming night be filled with a thousand points of resistance. Like the fog which forms when conditions are right and disappears when they are not, so must the resistance to tyranny be.

Louis Beam

boonie rat posted on 2005-08-02 12:01:41 ET


#2. To: DeaconBenjamin (#0)

Biometric data has possibilities; however, you want more customer control over those possibilities.

Imagine a little biometric dongle that you'd carry on your keyring the way you now carry loyalty cards. There'd be encryption software inside it, and a small database containing a record for each account you had at each store you patronized. When you checked out at a store, you'd hold the dongle under an RFID scanner and press your thumb on it. The scanner would issue an encrypted challenge containing the store's ID; the dongle would look up your customer ID for that store, combine it with data from your thumbprint mangled in a way unique to your account with that store, encrypt everything with the session key contained in the challenge, and respond.

This way, your thumbprint data never exists anywhere more than a few milliseconds, as the dongle is mangling and encrypting it.

If you want to open another account with the store under another name, the dongle would simply generate a different fingerprint-mangling factor. They have no idea what your thumbprint actually looks like; they just know that the data you submitted at the checkout is the same as the data you submitted when you registered--which is all they need to know. (It'd be a little tricky to have two accounts with the same store in the same dongle, though: the dongle's account database would be keyed by store ID.)

Your thumbprint data can't be used to identify you across stores, because your dongle will mangle it differently for each store.

The RF communication between the scanner and your dongle can't be recorded for later use by an attacker, because each challenge from the scanner will have a different session key: if an attacker plays back exactly what your dongle said the last time, the scanner won't be able to decrypt it because it'll be using the new session key instead of the old one. Perhaps lights will begin to flash and sirens to sound.

If somebody steals your dongle, it won't do him any good, because mangling his thumbprint data will produce patterns that don't match any of your store accounts. Even taking it apart and analyzing the memory won't help him, because the thumbprint reader only holds thumbprint data just long enough to mangle and encrypt it, then overwrites it.

A hacker with his own tame RFID scanner wouldn't be able to do you any harm, because your dongle would only transmit if you had your thumb on the pad; presumably you'd only put your thumb on the pad when you were holding your dongle under a store scanner. At that point, a tame scanner might succeed in jamming the communication so that the checkout would fail, but he wouldn't be able to spoof a transaction.

If somebody can get inside access to a store's database, he can run up bills for you at that store, but he won't be able to do so anywhere else because there's nothing in the database that will allow him to identify himself as you at any other store. Even if he has your stolen dongle's memory contents at his fingertips, comparing that with the store's database won't give him enough information to steal your identity.

If you lose your dongle, you'll have to buy another one and open new accounts with all your merchants. You could leave the old ones open, if you'd like: nobody will be able to use them.

But here's an attack that would work.

A hacker steals your dongle when you're not looking. He breaks it open and transfers the contents of its memory into two hacked dongles of his own that look just like yours. He puts one of the hacked dongles back where he found your (now deceased) dongle. You pick it up, take it to the store, and buy something with it. Instead of throwing away your thumbprint scan data, however, the hacked dongle remembers it. Then, a second time when you're not looking, the hacker steals back the first hacked dongle and leaves the second hacked dongle in its place. Now he's got your raw fingerprint data and he can construct a fake dongle that will pretend you just pressed your thumb on its fake pad whenever he pushes a button. He can use all your existing accounts. You have the second hacked dongle, which you think is your original, and no idea that your identity has been stolen. When you find out, though, you'd simply close all your active accounts and open new ones with the same merchants, and the hacker would be out of luck because he'd have no idea what new mangling factors your dongle had picked for the new accounts. He'd have to do the two-swap operation again to get your new information.

Barak posted on 2005-08-02 13:12:57 ET


#3. To: Barak, christine, Mr Nuke Buzzcut (#2)

But here's an attack that would work.

I thought of another one.

A hacker with a tame RFID scanner could disable the store scanner. Then your dongle would be talking to only one scanner, and you'd think it was the store's scanner when it'd actually be the hacker's scanner. The spoof scanner would send its own challenge, with its own session key and the store's store ID. It would be able to decrypt the response, because the key the dongle used to encrypt it came from the spoof scanner. Then the hacker would have the mangled fingerprint your dongle used with that store, and he'd be able to use it later.

Three problems, though:

First, the hacker wouldn't be able to check you out. His spoof scanner would read your dongle, but the store's checkout wouldn't proceed. Presumably, you'd notice this and suspect something was going on.

Second, it'd be pretty easy to fix the store's receiver so that an alarm was raised if it didn't receive everything the store's transmitter sent. Disabling the transmitter would then attract undue attention.

Third, another way to prevent this hack is for your dongle to memorize the store's public key during registration. Then the store could encrypt all but the store-ID part of its challenges with its private key. The hacker then wouldn't be able to spoof challenges successfully unless he had the store's private key.

Barak posted on 2005-08-02 23:33:48 ET
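
The dongle scheme from comments #2 and #3, as an added sketch that is not code from the thread: it checks that mangled values differ per store, that a recorded response fails under the next session key, that another person's thumb fails, and that a challenge not authenticated by the store gets no reply. Assumptions: all names are hypothetical, the thumbprint template is a stable byte string, the response is an HMAC under the session key rather than ciphertext, and an HMAC key shared at registration stands in for the store's public/private key pair.

```python
# Added example: names are hypothetical; HMAC stands in for the store's signature.
import hashlib, hmac, os

def mac(key, *parts):
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)  # length-prefixed
    return hmac.new(key, msg, hashlib.sha256).digest()

class Store:
    def __init__(self, store_id):
        self.store_id, self.auth_key = store_id, os.urandom(32)
        self.accounts, self.session_key = {}, None  # customer id -> mangled value
    def challenge(self):
        self.session_key = os.urandom(32)  # fresh for every checkout
        tag = mac(self.auth_key, self.store_id, self.session_key)
        return self.store_id, self.session_key, tag
    def verify(self, cid, proof):
        key, self.session_key = self.session_key, None  # each key is single use
        ok = key is not None and cid in self.accounts
        return ok and hmac.compare_digest(proof, mac(key, cid, self.accounts[cid]))

class Dongle:
    def __init__(self):
        self.accounts = {}  # store id -> (customer id, mangling factor, store key)
    def mangle(self, store_id, template):
        return mac(self.accounts[store_id][1], store_id, template)
    def register(self, store, template):
        cid = os.urandom(8)
        self.accounts[store.store_id] = (cid, os.urandom(32), store.auth_key)
        store.accounts[cid] = self.mangle(store.store_id, template)
    def respond(self, challenge, template):
        store_id, session_key, tag = challenge
        acct = self.accounts.get(store_id)
        if acct is None or not hmac.compare_digest(tag, mac(acct[2], store_id, session_key)):
            return None  # unknown store, or challenge not authenticated by it
        return acct[0], mac(session_key, acct[0], self.mangle(store_id, template))

def demo():
    thumb = b"constructed stable template"  # assumption: real readings are noisy
    grocer, pharmacy, dongle = Store(b"grocer"), Store(b"pharmacy"), Dongle()
    dongle.register(grocer, thumb)
    dongle.register(pharmacy, thumb)
    unlinkable = dongle.mangle(b"grocer", thumb) != dongle.mangle(b"pharmacy", thumb)
    cid, proof = dongle.respond(grocer.challenge(), thumb)
    accepted = grocer.verify(cid, proof)
    grocer.challenge()  # next checkout issues a new session key
    replay_rejected = not grocer.verify(cid, proof)
    thief = dongle.respond(grocer.challenge(), b"someone else's template")
    thief_rejected = not grocer.verify(*thief)
    spoofed = (b"grocer", os.urandom(32), os.urandom(32))  # scanner lacking store key
    return unlinkable, accepted, replay_rejected, thief_rejected, dongle.respond(spoofed, thumb) is None
```

Because the dongle here returns a MAC instead of the encrypted mangled value, a scanner that supplies its own session key learns nothing reusable. Real fingerprint readings vary between scans, so exact matching like this needs a stable template derivation in front of it.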


#4. To: DeaconBenjamin (#0)

Instead of keeping countless cards and pieces of information that verify your identification, soon there may be only one thing you need: yourself.

Yeah, but how does that work over the Internet? Looks like CC will still be around for a while.

God is always good!

RickyJ posted on 2005-08-02 23:39:31 ET


#5. To: Barak (#3)

i'm totally dongled!

christine posted on 2005-08-03 0:02:27 ET

