Fingerprint Purchasing Technology Ensures Buyer Has a Pulse

samzenpus posted about a year ago | from the no-zombie-shopping dept.

Crime 156

An anonymous reader writes "A small U.S. university has come up with a novel solution to reduce the possibility of using a dead person's hand to get past a fingerprint scanner through the use of hemoglobin detection. The device quickly checks the fingerprint and hemoglobin 'non-intrusively' to verify the identity and whether the individual is alive. This field of research is called Biocryptology and seeks to ensure that biometric security devices can't be easily bypassed."

156 comments

How about O2? (4, Insightful)

Comrade Ogilvy (1719488) | about a year ago | (#43005045)

Checking for oxygenation level might be possible. Does not have to be a very accurate reading.

Re:How about O2? (1)

ColdWetDog (752185) | about a year ago | (#43005075)

Probably the same thing. Use a garden variety pulse oximeter which measures the IR spectrum of hemoglobin molecules. Oxygenated ones have a slightly different spectrum than deoxygenated molecules.

Sounds like a PITA to remove the remote possibility of being Beuhler'd. But it probably got a patent.

Re:How about O2? (1)

ColdWetDog (752185) | about a year ago | (#43005187)

Achkkk. Phphhht. Read TFA. The school in question didn't even develop the technology, they're just beta testing it.

Such news!

Next up....

Well, I got nothing.

Re:How about O2? (4, Insightful)

gandhi_2 (1108023) | about a year ago | (#43005559)

Passwords, someone complains you can just beat people with wrenches.

Biometrics, someone complains you can just cut off a body part.

Biometrics with life detection, someone complains the system can't detect if the person's family is being held hostage....

Re:How about O2? (1)

Githaron (2462596) | about a year ago | (#43006135)

It is a lot harder to drag a hostage to a door without being obvious than it is to pull a dead hand/finger out of your coat when no one is looking.

Re:How about O2? (1)

Anonymous Coward | about a year ago | (#43006591)

Who said anything about dragging? Just ask politely, and don't forget to mention that you have a direct communication line to people holding a 12 gauge shotgun to their kid's forehead. People are surprisingly cooperative when you press the right button. Or in other words, threaten to pull the right trigger...

Seems the only solution is not to have secrets or possessions worth guarding with security systems. But it's probably still too soon for our society to accept that...

Re:How about O2? (2, Insightful)

Nihilanth (470467) | about a year ago | (#43006199)

For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.

Re:How about O2? (0)

Anonymous Coward | about a year ago | (#43006705)

For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.

What if you just happen to be stressed at the time? You have to wait until you calm down to get in?

Re:How about O2? (0)

Anonymous Coward | about a year ago | (#43005265)

That'll get shot down because it'll violate HIPAA regulations. Collecting medical data without sufficient privacy safeguards.

Re:How about O2? (2)

X0563511 (793323) | about a year ago | (#43005739)

Erm, no? HIPAA talks about medical records. If all you're doing is keeping a particular biometric, that would not fall under HIPAA.

Re:How about O2? (0)

Anonymous Coward | about a year ago | (#43005387)

"Checking for oxygenation level might be possible. Does not have to be a very accurate reading."

Unless you're a smoker, then you have to check the O without the '2'.

Re:How about O2? (1)

Anonymous Coward | about a year ago | (#43005589)

No, unless you actually clamp the finger so you can control all the light hitting it, telling hemoglobin oxygen levels by color is overwhelmed by skin color or by anything that calluses the fingers, such as playing guitar, or that keeps them abraded, such as dishwashing. In fact, doing fingerprints on stay-at-home parents with many children presents its own issues.

A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/. There is still no fingerprint technology that reliably detects this attack.

Re:How about O2? (1)

FrankSchwab (675585) | about a year ago | (#43006379)

A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk] . There is still no fingerprint technology that reliably detects this attack.

Well, I beg to differ on that particular point. The technology to reliably detect that published attack has been (and is being) shipped in a major OEM's Enterprise level laptops for several years. Call your salesman if you'd like to know if yours has it.

Unfortunately, not all OEMs that include fingerprint sensors choose to include antispoof features. Most consumer grade laptops, for example, don't. So when you go buy that $300 special down at Best Buy, don't go crowing that you can build a spoof for it - Matsumoto's paper will give you a direct recipe and procedure for doing that, and you may be successful. BTW, should you wish to attempt it yourself, there are easier materials to use than Gummi bears. A pulse sensor is a plausible way to prevent this attack (unless, of course, you're using live Gummi's, which would be inhumane).

Spoofing of biometrics is a well-known problem, but that doesn't mean there isn't advancement in the state of the art (on both sides). Heck, it's even the subject of a major motion picture (Tom Cruise in a bit of a stinker, "Minority Report"). There will always be attacks possible - the question is whether the attack on the biometric is really the easiest way into whatever's being protected. If you have my laptop and are trying to break into my system, wouldn't it be easier to simply image the hard drive rather than etching PCBs to make molds for the Gummi bear spoof? At some point in time, the $5 wrench is easier to employ than the necessary spoof building technology, and that's what we're aiming for.

Re:How about O2? (0)

Anonymous Coward | about a year ago | (#43006269)

What is to prevent you "printing" the finger print on a strip of plastic, then putting the plastic over your finger. You now have a pulse and a valid fingerprint to be read by the "reader".

And yes, having access to the person's finger(s) makes it easier, but if you can cut the finger off, you can get a finger print from it as well.

Re:How about O2? (1)

Anubis350 (772791) | about a year ago | (#43006329)

Gives the attacker motive to kill someone with CO poisoning then, it will be read as oxygenation (CN can have a similar effect - also it means anyone going through such a coded lock may not be allowed to have painted fingernails, not that that's such a big deal)

Re:How about O2? (0)

Anonymous Coward | about a year ago | (#43007965)

Not good enough. Sure, it prevents somebody using a cut off finger on the fingerprint reader.

But what if I cut off someone's hand, skin it, then use the skin as a glove? Now, the fingerprint will register correctly on the scanner, and there will be body heat. Devices looking for a pulse will notice mine. Devices looking for hemoglobin and oxygen will see it through my "double skin". And don't think measuring skin thickness will work - people have varying skin thickness.

Re:How about O2? (1)

durrr (1316311) | about a year ago | (#43008207)

And skinning a finger to translucency and using your own as a backing, or artificially pumping a blood equivalent fluid through a dead finger is impossible!

Gun to the Head (2)

rodrigoandrade (713371) | about a year ago | (#43005061)

Does the device only check for pulse or does it also compare to the person's normal blood pressure (which was obtained upon registration into the system) to make sure the person being authenticated isn't being coerced into granting access to unauthorized personnel/burglars, etc???

Re:Gun to the Head (0)

Anonymous Coward | about a year ago | (#43005145)

One would hope the cashier would notice. After all, the assailant can only point the gun in one direction.

Re:Gun to the Head (2)

ColdWetDog (752185) | about a year ago | (#43005221)

One would hope the cashier would notice. After all, the assailant can only point the gun in one direction.

Ee's not dead! Ee's just pining for the fjords!

Re:Gun to the Head (1)

Hotawa Hawk-eye (976755) | about a year ago | (#43005827)

If this device is being used at a location where a human cashier is working, just get the cashier to look at the thumb pad while the person is pressing their thumb against it. If the employee sees a thumb being held in another set of fingers, or sees a thumb whose tip shows signs of being surgically stitched onto a stub, he or she presses the "Hold transaction" button on the register and asks for ID or calls the police as appropriate. The additional check would be needed for locations where there is no human cashier involved, say at a gas station's self-service pump (where the cashier is in the central kiosk monitoring all the pumps for problems and processing cash transactions.)

Re:Gun to the Head (3, Funny)

Anonymous Coward | about a year ago | (#43006051)

If someone's using a severed hand to pay for gas, I think your gas station might have bigger problems.

Re:Gun to the Head (0)

Anonymous Coward | about a year ago | (#43005159)

Keep calm or you're dead, now open the safe.

Re:Gun to the Head (2)

X0563511 (793323) | about a year ago | (#43005775)

Blood pressure is a wildly varying metric.

Try it. Measure your blood pressure at various points of the day over a week.

I'd also be interested how one might reliably check blood pressure with access to only a finger.

Re:Gun to the Head (0)

Anonymous Coward | about a year ago | (#43006187)

Yeah, great idea.

And then you just happened to have a fight with your supervisor over budget cuts and you think your wife's probably cheating on you and this fucking piece of electronics is now repeatedly telling you "I'm sorry, Dave, your blood pressure doesn't match your profile. I honestly think you ought to sit down calmly, take a stress pill, and think things over." which doESN'T HELP YOU TO CALM THE FUCK DOWN! AT!! ALL!!! RRARGGHHA AGSHADJKSFHJK Ls;dl;as!!!!

Meanwhile, an intruder with a gummy bear mold of your fingerprint on his finger calmly walks through.

Re:Gun to the Head (0)

Anonymous Coward | about a year ago | (#43007509)

Detecting fear may not be a good idea. What if the person was running to a restricted area to escape something they are afraid of with the knowledge that the thing they are afraid of would not be able to enter the restricted area?

Patent (0)

Anonymous Coward | about a year ago | (#43005071)

I don't even want to read the article, but I'm sure they are filing yet another stupid patent for this completely ground breaking idea...
Something like "use of infrared or similar device combined with a fingerprint sensor."

Re:Patent (0)

Anonymous Coward | about a year ago | (#43005501)

No, dumbass. They're getting a copyright. Patents are for artistic works.

"Date Rape" drugs (0)

Anonymous Coward | about a year ago | (#43005099)

What if the attacker drugged the victim with certain "date rape" drugs to make them more impressionable and willing to open the door for them?

Biometric Authentication is a bad idea. (5, Insightful)

Anonymous Coward | about a year ago | (#43005109)

Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.

Re:Biometric Authentication is a bad idea. (2)

Nemyst (1383049) | about a year ago | (#43005461)

If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say A) you have bigger problems than authentication and B) we've gone way past current technological levels.

Re:Biometric Authentication is a bad idea. (0)

Anonymous Coward | about a year ago | (#43005849)

Lex Luthor could do it.

Re:Biometric Authentication is a bad idea. (1)

PolygamousRanchKid (1290638) | about a year ago | (#43006547)

If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say

C) the art of masturbation will probe new dimensions . . .

Re:Biometric Authentication is a bad idea. (1)

mark-t (151149) | about a year ago | (#43006691)

An adult hand with even the same DNA as another would still not necessarily have the same fingerprints. Although the precise process by which they are formed is subject to some debate, it is generally agreed that fingerprints are formed by some combination of environmental factors in the womb between roughly the 10th and 17th week of development. Even identical twins, with identical DNA, have distinct fingerprints.

Re:Biometric Authentication is a bad idea. (1)

Hatta (162192) | about a year ago | (#43007689)

It's easier than that. Dust for fingerprints and have a 3d printer make a mold for fingers with those fingerprints. Grab a stray hair follicle, and amplify a bunch of DNA using standard protocols. Mix the DNA into some gelatin and pour it into the mold. Run some tubing through the mold hooked up to a peristaltic pump to simulate the pulse.

This is all achievable with current technology.

Re:Biometric Authentication is a bad idea. (1)

Joe_Dragon (2206452) | about a year ago | (#43007389)

just sit on top of the microwave to change your DNA or go for a swim in the Spent fuel pool

Re:Biometric Authentication is a bad idea. (1)

JigJag (2046772) | about a year ago | (#43007801)

that's why biometrics should be used for the *username* part of authentication and not for the *password* part.

When presented in front of a login screen, swiping your finger should say: "I know now that you are JigJag. Please enter your password: "

Zombie shopper stopper? (0)

Anonymous Coward | about a year ago | (#43005143)

Finally a way to stop these [youtube.com] guys from shopping in malls, which is their favorite hangout.

Not checking pulse (4, Insightful)

crow (16139) | about a year ago | (#43005151)

The title is wrong. This is not checking for a pulse. If it were, then people with artificial heart pumps like Dick Cheney wouldn't be able to use it. They are alive, but do not have a pulse.

That said, I could see something like this checking for a pulse. This brings up the interesting problem of how to handle biometric checks for people who don't have those biometrics. Not everyone has fingers. Not everyone has eyes. Not everyone has a pulse. Maybe you don't care about that, as you don't have any of them among your target users, but what happens when that changes? You need a plan to handle that.

Re:Not checking pulse (1)

Ol Biscuitbarrel (1859702) | about a year ago | (#43005361)

What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.

Re:Not checking pulse (1)

dgatwood (11270) | about a year ago | (#43005881)

What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.

You obviously haven't been to an American toy store on Black Friday.

anomaly detected (0)

Anonymous Coward | about a year ago | (#43005435)

You do what you always do when the computer can't recognise the input; have a human enter the details manually.

We'll never achieve 100% computer automation for any system that involves processing people, and even if we did, we'd still want a human to be involved for edge cases (see the current debate on drones in another thread)

Re:Not checking pulse (0)

Anonymous Coward | about a year ago | (#43005469)

Not everyone has fingers. Not everyone has eyes. Not everyone has a pulse. Maybe you don't care about that, as you don't have any of them among your target users, but what happens when that changes? You need a plan to handle that.
 
Correct. We need to address the 0.001% before we can worry about the rest.
 
Once again, a Slashtard isn't happy unless the solution takes every potential situation into account. News at 11.

Re:Not checking pulse (0)

Anonymous Coward | about a year ago | (#43005965)

If it were, then people with artificial heart pumps like Dick Cheney wouldn't be able to use it.

Don't worry, Dick Cheney has had a pulse since March 24, 2012, when he received someone else's heart. No news about if he still acts like a heartless bastard or not.

Re:Not checking pulse (1)

GodfatherofSoul (174979) | about a year ago | (#43007715)

Wait, are you sure he received an implant and didn't just demand it from some 3rd world orphan to pay off a family debt?

Almost worthless (3, Informative)

codepigeon (1202896) | about a year ago | (#43005161)

I actually read the article; what a useless waste of a web page.

There is only one paragraph that mentions anything about the technology, and that is the paragraph in the summary here.
The rest reads like filler material and pimping the advantages of investing/working in the upper midwest.

Lame. I was hoping for more details.

Re:Almost worthless (1)

plover (150551) | about a year ago | (#43005567)

I talked to Alan about this a month ago. It's RF based detection of dermal layer blood vessels, not fingerprints. Living tissue is required for the hemoglobins to move.

That said, his interest is in the financial application of the technology. He's trying to replace the credit card, not simply to produce a hard to forge biometric device.

Re:Almost worthless (2)

dgatwood (11270) | about a year ago | (#43006083)

A replacement for credit cards that is even less secure than the current ones doesn't sound like a good idea to me.

If this is just checking for the presence of capillaries, I can't think of any reason that it couldn't trivially be fooled by a slight tweak to the gummy bear trick in which you stick the glue pattern print onto a shaved elbow instead of a gummy bear.

If, on the other hand, this is trying to determine who you are based on the pattern of blood vessels, I suspect that the methodology is just plain doomed to fail. What makes fingerprints a good method of identification is that they are relatively static. By contrast, the blood vessels in your skin change significantly over the course of your life, particularly in your fingertips. Every time you get a paper cut, new capillaries form. Imagine having to update your biometric profile every time you get a paper cut or a solder burn. :-)

Re:Almost worthless (1)

FrankSchwab (675585) | about a year ago | (#43007223)

I don't know Alan, but looking at pictures of the device at http://www.hanscan.com/en/hsc-ac-it2 [hanscan.com] I'd guess that it's a Fingerprint cards RF-based placement scanner (http://www.fingerprints.com/Products/Sensors/FPC1011F.aspx) with an IR pulse detector (for example, http://pulsesensor.myshopify.com/pages/open-hardware [myshopify.com] ), wrapped by a bunch of simple software apps for time-and-attendance, low-value shopping, etc.

Frankly, everyone in the business is trying to replace credit cards; how else can you envision getting 3% of every transaction made, anywhere, without having to do more than lift a finger now and then?

And there are a lot of people trying to do it:
http://www.paywithisis.com/ [paywithisis.com]
http://www.marketwire.com/press-release/lenovo-nok-nok-labs-paypal-validity-lead-open-industry-alliance-revolutionize-online-1755467.htm [marketwire.com]
http://www.inquisitr.com/490728/authentec-iphone-6-fingerprint-detection-and-apple-release-date-rumors/ [inquisitr.com]

I wish him luck.

Arms Race? (1)

Anonymous Coward | about a year ago | (#43005173)

When will the public realize that all of these biometric systems are defeatable? You're just adding another layer of data that can also be faked. You know what can't easily be faked or spoofed? Sufficiently strong public-key cryptography. So let's get it over with and start assigning giant private keys to everyone on the planet and dealing with the infrastructure issues and loss/replacement stuff (similar to passports today, I imagine). Then it's easy to authenticate anyone: they just sign data with their private key and that can't be faked. The standards could be open, we could have multiple implementations of hardware/software signing devices to use during transactions. Some of them would suck and get compromised, resulting in waves of people having to revoke their keys and apply for replacements. We have time to work the system out and come up with something that's sane in practice.

Re:Arms Race? (0)

Anonymous Coward | about a year ago | (#43006211)

couldn't someone just steal your private key almost as easily (or more so) as they could murder you and cut off your finger? Public key cryptography might be a good idea, but when it comes down to preventing targeted attacks, it's essentially the same as an old fashioned locked door with keys, simply steal the key from one of the people that holds it and you're in.

Does it check to see if he has a gun to head? (4, Insightful)

boddhisatva (774894) | about a year ago | (#43005179)

This kind of stuff is good marketing. Useless, but that hasn't stopped anyone from blowing money so far.

Too late to matter (2)

RicardoKAlmeida (2790435) | about a year ago | (#43005215)

Now convince criminals that your disembodied fingers won't work. There will always be skeptics. Don't worry, your missing fingers won't do the job for them.

Meanwhile.... (1)

M0j0_j0j0 (1250800) | about a year ago | (#43005231)

Company Korporov Kopinc. announces new device to keep pulse on a dead body hand, the company says this device can bring the real deal on "another world" handshakes.

Already been done. (0)

Anonymous Coward | about a year ago | (#43005271)

The vast majority of the fingerprint readers used for secure purposes already won't work for nonliving fingers.

yeah, right (3, Interesting)

cellocgw (617879) | about a year ago | (#43005273)

Show me a biometric test that can't be spoofed for 10% the cost of the test hardware. Go ahead, I dare ya.
Fake retinas and fake fingerprints took, what, a couple weeks to show up after their respective scanners went into production? Why should any other sort of bio-scanner/detector be any different?

Re:yeah, right (0)

Anonymous Coward | about a year ago | (#43005463)

This tech is already available (has been for years really). It is called "a guard". A guard is superior to any tech that you can get (unless you get the buggy Monty Python kind).

Re:yeah, right (1)

nedlohs (1335013) | about a year ago | (#43008025)

Because no one has ever gotten past a guard by wearing a uniform and carrying a large box. Or by bribing them. Or by threatening them or their family (we are talking about chopping people's fingers off to use in a fingerprint scanner). Or by faking an ID. And so on.

Re:yeah, right (0)

Anonymous Coward | about a year ago | (#43005643)

The point isn't in having a 100% secure system. They simply don't exist. If that's your goal you may as well find a new line of work.
 
The point is setting the bar high enough that it can't be defeated easily. To hack a secure system takes time, skill and moxie. Once you weed out the lazy lowlifes you start decreasing the criminal to victim ratio. So a thousand guys can pull off the hack but your chances of being a victim are much lower than they would be if a million guys could pull it off. And as the investment in time and skill needed increases, the potential targets may not look as appealing. Is a skilled criminal really going to bother if I had a biometric security feature on, let's say, the ATM I use that is guarding my couple of hundred dollars that my accounts will allow them to have? Probably not. At that point your skills are better employed in doing honest work. It pays better and the risks are lower. That's how deterrents work in the real world.

Age-Old Problem Finally Put To Rest (0)

Anonymous Coward | about a year ago | (#43005325)

I was getting pretty worried about biometric security there, but I'm glad to see that we no longer need to worry about clever people figuring out ways to defeat this sort of thing.

Gummy bear attack (2)

femtobyte (710429) | about a year ago | (#43005393)

Does this device offer the least bit of protection against the "gummy bear attack" (i.e. a thin molded replica fingerprint, formed from, e.g., etched gelatin, over a living finger)? If not, then it's pretty useless (because lugging around a whole dead body or even severed finger is already riskier/harder than a simple replacement mold).

Re:Gummy bear attack (1)

FrankSchwab (675585) | about a year ago | (#43006785)

Possibly. My experience is with fingerprint swipe sensors, not fingerprint placement sensors, and with those the gummi bear mold has to be fairly thick to survive a swipe over the sensor. The thickness tends to block the light from such optical sensor, and so the attempt is detected and blocked. With a placement sensor, the gummi bear mold could probably be made thinner; I don't know if it can be made thin enough.

Re:Gummy bear attack (1)

Rich0 (548339) | about a year ago | (#43006841)

As long as you don't have a Gummy bear that has the right IR absorption profile, yes it will defeat it.

However, I can't imagine that if you're going to the trouble to reproduce fingerprints or activate latent ones that you couldn't do it using a material that has the right IR spectrum. Most likely they're just transmitting light and measuring relative absorbance at a few wavelengths, and it should be easy to make a plastic film that passes for blood in this test.
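Editor's added example (not part of any comment in this thread, and not the vendor's code): a sketch of the two checks discussed above, the pulse-oximeter reading and the static "relative absorbance at a few wavelengths" test, showing that the static test accepts a sample with no pulse while a pulsatile check rejects it. The sample rate, thresholds and traces are constructed assumptions, and the saturation line is the commonly quoted linear approximation, not a calibrated curve.

```python
import math

FS = 50  # samples per second (assumed sensor rate)


def synth(dc, ac, bpm, seconds=10, fs=FS):
    """Constructed transmitted-light trace: steady level plus a sinusoidal pulse."""
    w = 2 * math.pi * (bpm / 60.0) / fs
    return [dc + ac * math.sin(w * i) for i in range(int(seconds * fs))]


def static_ratio_check(red, ir, lo=0.6, hi=1.1):
    """Weak check: mean red/IR transmission inside a window (window is illustrative)."""
    ratio = (sum(red) / len(red)) / (sum(ir) / len(ir))
    return lo <= ratio <= hi


def perfusion_index(sig):
    """Peak-to-peak pulsatile swing divided by the steady level (AC/DC)."""
    dc = sum(sig) / len(sig)
    return (max(sig) - min(sig)) / dc


def in_band_pulse(sig, fs=FS, lo_bpm=40, hi_bpm=180):
    """Strongest tone in the heart-rate band: (bpm, share of the AC energy it explains)."""
    if max(sig) == min(sig):
        return None, 0.0
    dc = sum(sig) / len(sig)
    x = [s - dc for s in sig]
    energy = sum(v * v for v in x)
    best_bpm, best_pow = None, 0.0
    for bpm in range(lo_bpm, hi_bpm + 1):
        w = 2 * math.pi * (bpm / 60.0) / fs
        re = sum(v * math.cos(w * i) for i, v in enumerate(x))
        im = sum(v * math.sin(w * i) for i, v in enumerate(x))
        p = re * re + im * im
        if p > best_pow:
            best_bpm, best_pow = bpm, p
    # For a pure tone, 2*|X|^2 / (N * energy) is 1.0
    return best_bpm, 2.0 * best_pow / (len(x) * energy)


def liveness(red, ir, min_pi=0.002, min_frac=0.5, max_bpm_gap=3):
    """Pulsatile check on both channels; thresholds are assumptions, not vendor values."""
    pi_r, pi_i = perfusion_index(red), perfusion_index(ir)
    if pi_r < min_pi or pi_i < min_pi:
        return {"live": False, "reason": "no pulsatile component"}
    bpm_r, frac_r = in_band_pulse(red)
    bpm_i, frac_i = in_band_pulse(ir)
    if min(frac_r, frac_i) < min_frac:
        return {"live": False, "reason": "variation is not a heart-rate tone"}
    if abs(bpm_r - bpm_i) > max_bpm_gap:
        return {"live": False, "reason": "channels disagree on pulse rate"}
    r = pi_r / pi_i                # ratio of ratios, (AC/DC)red / (AC/DC)ir
    spo2 = 110.0 - 25.0 * r        # textbook linear approximation, uncalibrated
    if not 70.0 <= spo2 <= 100.0:
        return {"live": False, "reason": "implausible saturation"}
    return {"live": True, "bpm": bpm_r, "spo2": round(spo2, 1)}


# Constructed samples: (red trace, IR trace)
LIVE = (synth(1.0, 0.01, 72), synth(1.2, 0.02, 72))    # perfused tissue, 72 bpm
FILM = (synth(1.0, 0.0, 72), synth(1.2, 0.0, 72))      # same mean levels, no pulse
BUZZ = (synth(1.0, 0.01, 300), synth(1.2, 0.02, 300))  # 5 Hz vibration, not a pulse

if __name__ == "__main__":
    for name, sample in (("live", LIVE), ("film", FILM), ("buzz", BUZZ)):
        print(name, static_ratio_check(*sample), liveness(*sample))
```

The pulsatile check only establishes that something perfused is in the light path; it says nothing about whose skin pattern is on top of it, which is the objection raised elsewhere in the thread.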

Re:Gummy bear attack (1)

femtobyte (710429) | about a year ago | (#43007083)

I haven't put a gummy bear on a spectrometer to check, but my naive guess is that plain gelatin (which is basically boiled-down skin and connective tissue bits anyway) would already have a very similar transmission profile to skin (e.g. fairly transparent with no strong/distinctive spectral features), so you wouldn't even need to search for fancier materials. Not that a little materials research would likely be a major deterrent to an attacker who is already willing to *murder and hack off body parts* to defeat your system.

Re:Gummy bear attack (1)

KiloByte (825081) | about a year ago | (#43008193)

And if a thin layer of unblooded skin would block the scan, it would also make it fail when cold or for people with circulation problems. Or, if the skin is sweaty, dirty, etc.

So a gummy bear mold comes well within required tolerances.

I think the header to this article has a typo (1)

Luke Steiger (2850585) | about a year ago | (#43005431)

I believe the implied, and correct, is: "Fingerprint Purchasing Technology Ensures Buyer Has an IMPULSE"

10 years old (1)

EmperorOfCanada (1332175) | about a year ago | (#43005445)

I read about this at least 10 years ago when some Japanese ATMs were going with fingerprints. They looked at the blood flowing through the skin to make sure they were looking at a live finger and also not just a faked fingerprint on a live finger.

Calluses (0)

Anonymous Coward | about a year ago | (#43005609)

I can see it now, people with finger tip calluses and thick skin syndrome will not be able to use this. They will form their own constituency to protest against the unfeeling corporate non-entities that are holding them down.

Slashvertisement without research (1)

stonecypher (118140) | about a year ago | (#43005681)

Yeah, the more expensive fingerprint readers have done this since the late 1980s. They can also tell if a retina was in a removed eye, et cetera.

Larry King... (0)

Anonymous Coward | about a year ago | (#43005699)

... will be pissed....

Old idea (2)

drdread66 (1063396) | about a year ago | (#43005797)

Whoop-de-doo. There are several outfits that have done something similar over the years, including companies that have tens of thousands of fingerprint devices out on the street already. I would be somewhat surprised if the tech covered in this article is not already patented by Lumidigm [lumidigm.com] or somebody like them.

"Liveness checks" have been a part of fingerprint tech for many years now, ever since the famous "ghosting" attack on the early L-1 and Cross Match sensors. Whoever wrote the article didn't do their homework if they think this is actually "news."

Process change (0)

Anonymous Coward | about a year ago | (#43005929)

Note to self: first use person to get past security THEN kill them.

The straw solution (0)

Anonymous Coward | about a year ago | (#43005949)

Did these fingerprint biometric 'security experts' ever solve the issue where someone could defeat nearly all fingerprint 'security' machines by blowing on the detection area with a small straw? The heat and humidity from the breath triggers the finger detector and the residual sweat from the previous fingerprint's impression passes the ID test and allows the straw-blower access to the system.
Biometric ID systems are all so stupid. If the access point is so important that someone is willing to pay tens of thousands of dollars for a flaky electronics system, then just hire a real person to guard it. We have plenty of people who need real jobs.

Re:The straw solution (1)

FrankSchwab (675585) | about a year ago | (#43006861)

Well, yes, they have. We build fingerprint swipe sensors where that attack is meaningless - the sensing surface is a single line that you "swipe" your finger across. Your suggested attack would, in the absolute worst case, cause the capture of a 50 micron tall line across the finger. Good luck getting that to match.

There are roughly a gajillion different designs of fingerprint sensors that have been built over the last 30 years. Many of them can be spoofed trivially (such as your attack), others are far more difficult. This particular one is probably spoofable, but the amount of work necessary to do so is probably significant enough that a $5 wrench would make for a more usable attack.

Disease? (0)

Anonymous Coward | about a year ago | (#43006005)

So what if you have hypothyroidism, kidney failure, certain anemias, etc. and have low hemoglobin? If you're American, there's a 50/50 chance you can't afford treatment, even if you have insurance.

So they're finally going to deliver? (1)

jandrese (485) | about a year ago | (#43006219)

I remember when fingerprint scanners first started getting widespread use people asked about "what if someone lifts my fingerprint, or worse, cuts off my finger?" and the manufacturers all said "Don't worry, it only works on live fingers." Then people tried it and discovered that yes, you can lift someone's fingerprint, duplicate it, and the scanner is more than happy to take it. Luckily the latter has not proven popular (I don't know of any case of someone having a body part severed to defeat a biometric lock), but the former put a huge black eye on the concept of fingerprint scanners as security. Your average person leaves fingerprints everywhere and you'll never know if someone has gone and lifted them.

and then somebody gets HIV (0)

Anonymous Coward | about a year ago | (#43006429)

and the lawyers will laugh their way to the bank

Biometric security (1)

Arancaytar (966377) | about a year ago | (#43006551)

Because instead of taping your password to the screen or in your wallet, let's stamp it on everything you touch.

Easy to fool. (1)

angiasaa (758006) | about a year ago | (#43006571)

It can't detect silicone fingerprints. The cool thing about these is that you don't have to cut off someone's thumb and distract a salesgirl while you press it to a scanner; you just act like nothing's wrong and thumb away.

I'm surprised anyone with even half a brain could have decided that a pulse was enough.
Guns can make people do amazing things, like placing their prints wherever the guy controlling the gun wants them placed.
You could engineer a pump to drive pulsed blood through the capillaries.
Heck, you could even heat the blood while you're pumping it. (This device does not detect temperature btw)

It is a solution, certainly, but wrought with a myriad of flaws. This ought to be a very long time to market I expect. Unless of course, they decide to give the job of redesigning the scanner to someone who's passed the fourth grade.

Re:Easy to fool. (1)

FrankSchwab (675585) | about a year ago | (#43006923)

You could engineer a pump to drive pulsed blood through the capillaries.
Heck, you could even heat the blood while you're pumping it. (This device does not detect temperature btw)

It is a solution, certainly, but wrought with a myriad of flaws. This ought to be a very long time to market I expect. Unless of course, they decide to give the job of redesigning the scanner to someone who's passed the fourth grade.

I didn't see it above, but this comment is the perfect place for the obligatory xkcd reference:
http://xkcd.com/538/ [xkcd.com]

Re:Easy to fool. (1)

angiasaa (758006) | about a year ago | (#43007081)

Bwa haha! I should have seen the obvious connection before I submitted my comment or I'd have made the reference myself. But with good souls like yours, this world shall never lack in welcome sharp minded assistance. ;)

Title is ambiguous (0)

Anonymous Coward | about a year ago | (#43006827)

I read the summary and was disappointed that this wasn't about a technology that allows me to purchase new fingerprints.

all security (0)

Anonymous Coward | about a year ago | (#43006831)

It all boils down to a process. This process will end with a function that determines a certain percentage (always less than 100%) of likeliness that you're the person that should access. Any process, I repeat, ANY PROCESS that does not end in a 100% certainty of who you are, has wiggle room for those that are not you. And as far as I know (maybe some of you nerds out there will chime in with another way) the only way to be 100% certain that the person is who they say they are, is to know them personally, and interact with them on a personal level. Human-to-human security is always the best solution, and even then there's a chance that the humans that work the security could be persuaded to follow another leader's plans...

Also, you could arrange the building in such a way that it's an ever-changing multi-level maze, whereby every day a guy pops out of a garbage can, or bush, and gives you a map that self-destructs in 5 seconds. If you're one of the lucky people that have security clearance, you should always throw the paper behind your back when you're done reading it. Also, bring your niece along.

Same old same old (0)

Anonymous Coward | about a year ago | (#43007107)

Checking for blood oxygen level would be easy... and easily fooled. Certain Chinese manufacturers added melamine to pet food to increase its apparent protein content. I wonder what one might have to add to a severed finger to make its blood oxygen level appear normal. Chlorine bleach? Peroxide? A rusty nail? You can rest assured that someone somewhere will go to great lengths to find out.

Isn't this old news? (0)

Anonymous Coward | about a year ago | (#43007603)

Isn't this old news? I worked at a US based hardware manufacturer back in 2005 that made fingerprint scanners, and we were scanning for the EM field around fingerprints at that time - not the external fingerprint, but the EM field created by a living finger with pumping blood. I figured this was the 'norm' - not only because it makes sure your subject is alive, but because the sub-skin part of your prints are less likely to be damaged or obscured for day-to-day use.

Oh well, maybe we were too far ahead there... one thing I learned at that job is it doesn't pay to be first with new tech, it pays to be a copycat at a lower price.

Great (1)

dotar (1400363) | about a year ago | (#43008103)

Linking biology to cryptography will just encourage criminals to either cut off my hand, or keep me alive just long enough to steal all my money.