Using Face Recognition Instead of a PIN Number

samzenpus posted more than 7 years ago | from the please-enter-your-face-again dept.

Security 254

coondoggie writes "Face recognition as a unique biometric is growing slowly in certain corporate and consumer applications, but researchers at the University of Houston (UH) are trying to make the technology far more ubiquitous and secure: they want it to replace the dozens of personal identification numbers (PIN), passwords and credit card numbers everyone uses every day. University researchers developed the URxD face recognition software that uses a three-dimensional snapshot of a person's face to create a unique biometric identifier."

Bad idea (4, Insightful)

Ckwop (707653) | more than 7 years ago | (#20082735)

This is stupid for a couple of reasons. The first is that biometrics suck and are usually almost trivial to subvert. See the $10 fake finger, for an example. What do you do if somebody hacks your credentials as well? Have facial re-constructive surgery? But even if you had very good biometrics that were hard to fake, it is still less secure than having separate credentials to access everything.

Why is this? Well for the sake of argument, let's suppose it costs £50 to create a duplicate of my chip and pin card that will work in any cash point. I have four such cards in my wallet so the cost of duplicating them all is £200. In order for the biometric to replace my cards completely and be equally secure, it has to cost more than £200 to fake.

The problem is that the unified security mechanism rarely costs more to subvert than all the IDs it replaced. This doesn't just apply to bank-cards, it also applies to national ID cards and any centralisation of security.

The fundamental principle here is that centralising security often reduces security. This is something to keep in mind when you're consolidating servers.


Re:Bad idea (1)

froggero1 (848930) | more than 7 years ago | (#20082801)

You know what else is a bad idea?

Entering in your PIN number into an ATM machine and getting a NSF funds error message.

PIN *NUMBER* ??? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20082805)

That is a little redundant, douchebag. Why do they have to post stories with a title that says "Personal Identification Number Number?" Die, tool.

Re:PIN *NUMBER* ??? (3, Funny)

IainMH (176964) | more than 7 years ago | (#20082879)

That is a little redundant, douchebag. Why do they have to post stories with a title that says "Personal Identification Number Number?" Die, tool.

We're used to it - 'Built on NT Technology' :-)

Re:PIN *NUMBER* ??? (2, Funny)

Mr2cents (323101) | more than 7 years ago | (#20082947)

Stop it! I swear, if I see one more of these redundant pleonasms on my LCD display, I'm going to explode!

Re:PIN *NUMBER* ??? (1, Offtopic)

monk.e.boy (1077985) | more than 7 years ago | (#20083853)

I thought it was PIN Identification Number Number?



Re:PIN *NUMBER* ??? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20082899)

Attention, everyone who gets all upset and pedantic about people saying PIN number:

STFU up already!

Re:PIN *NUMBER* ??? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20083155)

Automated Teller Machine Machine

Re:PIN *NUMBER* ??? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20083449)

Network Interface Card Card.

Re:PIN *NUMBER* ??? (2, Funny)

Guy Harris (3803) | more than 7 years ago | (#20083153)

Why do they have to post stories with a title that says "Personal Identification Number Number?"

What would you use at an ATM machine other than a PIN number?

Re:PIN *NUMBER* ??? (0, Redundant)

91degrees (207121) | more than 7 years ago | (#20083361)

A PIN perhaps.

Re:PIN *NUMBER* ??? (1, Insightful)

Guy LeDouche (713304) | more than 7 years ago | (#20083475)

But a PIN is only compatible with an ATM. You need a PIN number in order to use an ATM machine.

Re:PIN *NUMBER* ??? (0, Redundant)

91degrees (207121) | more than 7 years ago | (#20083507)

Thanks for that, on behalf of my self and other people who are a bit slow today.

All just part of the terror of the RAS syndrome! (1, Redundant)

fantomas (94850) | more than 7 years ago | (#20083649)

These are all just examples of the terror of the creeping RAS syndrome!

(RAS=Redundant Acronym Syndrome)

Re:PIN *NUMBER* ??? (0, Redundant)

JoeInnes (1025257) | more than 7 years ago | (#20083215)

Interesting. Note how the AC freely admits it's a relatively small infraction ("that is a little redundant"), yet still feels the need to call the poster a douchebag and a tool, and instruct him to die. I would conclude that he has a defective sensus of proportionus, and recommend a course of chill pills. Next patient please.

Re:PIN *NUMBER* ??? (4, Funny)

yotto (590067) | more than 7 years ago | (#20083571)

The next person who makes an acronym joke, I'm going to fire a SAM-Missile like TCP/IP protocol attack on. I'm serious, you're going to need a DC Comics superhero or the skills of an FPS shooter main character to survive this one. First, your FAT table will go, then your NIC card, then all your OSS software, and for the final coup de grâce, I'll translate all your code to the COBOL language.

Yeah, you'll be FUBAR beyond all recognition.

Re:Bad idea (0)

Anonymous Coward | more than 7 years ago | (#20082893)

Yes, most biometric authentication methods DO have obvious vulnerabilities, but one method I can think of does show some prospect:

Scanning the veins in your hand; basically a 3-dimensional thermal map of the blood networks within.

Benefits of
1. Unique to every individual.
2. VERY difficult to duplicate.
3. VERY Difficult to steal.
4. Sanitary; contact to a surface is not necessary, just hold your hand a few centimeters over the thermal camera.

Even if someone does cut off your hand, they would have to pump 37C fluid through it, this is a dead giveaway in public...picture guy with severed hand, a water heater, and a portable pump.

Or...would you rather verify yourself by DNA? Just walk up to an ATM and cough up a mouthful for the "verification spittoon".

Re:Bad idea (1)

LiquidCoooled (634315) | more than 7 years ago | (#20082961)

picture guy with severed hand, a water heater, and a portable pump.

That sounds like a typical episode of Torchwood to me.

Easy to reproduce and.. (4, Funny)

QuantumG (50515) | more than 7 years ago | (#20083013)

The reason why it is a bad idea to use your face as a password is that everyone can see your freakin' face. Why not just write your password in black marker on your forehead?

That's secure right?

Re:Easy to reproduce and.. (1, Funny)

Anonymous Coward | more than 7 years ago | (#20083347)

Yes, if you are black.

Re:Easy to reproduce and.. (1)

femto (459605) | more than 7 years ago | (#20083549)

Combine a mobile phone camera with software to reconstruct a three dimensional object from a sequence of images and you can crack the "password" of anyone you pass on the street.

Re:Bad idea (1)

mwvdlee (775178) | more than 7 years ago | (#20083319)

In short it's the old adage that you should never use the same password twice.

Re:Bad idea (1)

eiapoce (1049910) | more than 7 years ago | (#20083351)

My S6000FD camera face recognition works fairly well, recognizes the faces of: 1) real people 2) faces on poster 3) even paintings of faces. So I could just go to the ATM, show a natural size picture of the face of the card owner and the trick would be done. It would be nice to have a count of false positives of this website for a demonstration.

I've been working for a brief time in a society dealing with security measures. I clearly remember the issue with fingerprint readers in third world countries where the thieves used to cut the finger from the victim (we were selling a sensor that also measured temperature and heartbeat). Biometrics are generally a very bad idea.

Re:Bad idea (0)

Anonymous Coward | more than 7 years ago | (#20083763)

Oh come on.. let's spend billions of dollars to develop this uber dork technology for the average credit card or bank card. Or, just putting it out there... put a picture of the person on the credit card or bank card like an ID and let the person working the cash look at it. Bang... billions saved and your credit card is more secure. Sure it would cost more to get the initial card but really much simpler and more secure.

The reason this won't get know when the credit card company calls you and asks for a small fee for additional fraud insurance...that's a lot of money they are raking in on the fear of credit card fraud, why pass it up.

Re:Bad idea - Yeah my face (1)

monk.e.boy (1077985) | more than 7 years ago | (#20083869)

Bad idea: some people, like myself, have extremely ugly faces which are going to break the camera.

"Error: sorry this machine is not configured for baboons" :-(


It's worse than that (1)

CarpetShark (865376) | more than 7 years ago | (#20083871)

Those are all good points, but the main problem I see with biometrics is that it puts humans rather than keys/cards/ids between the criminal and their target. With previous tech, the criminal could just wait until no one is around, and steal their keys/cards/tokens. With this approach, the criminal is much more likely to resort to putting a weapon in someone's face, and forcing them to assist in a crime. With a sufficiently principled person, that could lead to death.

Interesting, but Ill decline (3, Insightful)

Aranykai (1053846) | more than 7 years ago | (#20082737)

It's an interesting concept. I will agree with that.

Essentially, it uses your face to access your information in a database, which could include bank, credit card, medical, or pretty much anything else desired.

However, all a person then needs to commit fraud is to capture these scans and feed it back to the software...

I'll keep my zero liability credit cards and my 4 and 6 digit pin numbers thank you.

Re:Interesting, but Ill decline (1)

ja (14684) | more than 7 years ago | (#20082963)

However, all a person then needs to commit fraud is to capture these scans and feed it back to the software...

And how would this be any different from capturing your pin-codes and feeding them back to the application? I for one already have a built-in scanner (my eyes) as well as fingers that will do just that.

Re:Interesting, but Ill decline (1)

Slow Smurf (839532) | more than 7 years ago | (#20083183)

You would be at least mildly aware if someone took your pin number. In theory, other than watching you enter it in some way, there would be no way to get it.

If facial recognition, or any other biometrics, are the only security system, then anyone could record you anywhere randomly and it would be usable. Again, in theory, possibly requiring technology we don't have yet.

I'd rather go with the small time window to steal my info, as I wouldn't gain anything from the biometrics anyway.

Re:Interesting, but Ill decline (2, Interesting)

1u3hr (530656) | more than 7 years ago | (#20083365)

And how would this be any different from capturing your pin-code

If you suspect that, you can change your pin code. Or change them daily if you want to.

I'm sure a mask could be reverse engineered to any given "face code" that would fool a machine, if not a human.

Re:Interesting, but Ill decline (1)

ajs318 (655362) | more than 7 years ago | (#20083605)

I think this is one of the reasons why those keypads at store tills where you enter your PIN are insecure. They could be made less insecure by having a touch screen with the digits displayed in a random arrangement each time (and one of the keys should be "re-randomise"). It's very easy to work out which keys a person is pressing (especially in the summer when sleeveless tops are common and you can see a person's tendons moving). At least if there were no correlation between key position and number entered, it wouldn't be as easy to get another person's PIN that way.

When you use a hole-in-the-wall machine, your body is blocking the view of the keypad and your arms are mostly inside the cavity, so this is much less of an issue.

are there any biometrics ... (0)

Anonymous Coward | more than 7 years ago | (#20082751)

...that haven't already been cracked?

Check for life! (4, Interesting)

reality-bytes (119275) | more than 7 years ago | (#20082753)

I hope this system includes some method to check whether the rest of the person apart from the face is present.

Some poor Malaysian fellow has already lost a finger. I'd hate to have my head stolen just to access my bank account.

Re:Check for life! (2, Funny)

Anonymous Coward | more than 7 years ago | (#20082795)

Jeez! Seeing that, maybe it's time to rethink my biometric penile scanner I've been planning.

Re:Check for life! (2, Funny)

ozmanjusri (601766) | more than 7 years ago | (#20083065)

maybe it's time to rethink my biometric penile scanner I've been planning

Now that HAS to be a Micro-soft project...

Re:Check for life! (1)

S.O.B. (136083) | more than 7 years ago | (#20083473)

How can you do a biometric scan of a prison?

Re:Check for life! (1)

Shano (179535) | more than 7 years ago | (#20083403)

Just a finger? He was lucky.

Its not the number of passwords that is the issue (4, Interesting)

cliffski (65094) | more than 7 years ago | (#20082757)

But the fact that every single one of them has different stupid restrictions. I try to limit myself to two common passwords where possible. One is fairly short, one is quite long.
Recently I needed a new password for a site. I tried the short one. "your password must be at least X characters". Fine, whatever, that's why I use my long one, "your password is too long", so a new, made-up one "your password must contain at least one number". WTF?
Can we not at least agree some standard on this? Like many people I end up having to write this new mangled password down, totally defeating its security.
I do not see, from a code POV, why it matters that the password is less than X characters. Between 5 and 10 characters? WHY? What is wrong with between 5 and 50 characters? Or 5 and 100 characters?
Most people can remember a sentence pretty easily, especially a favourite catchphrase or movie quote, remembering "tuesdaypass442" is not so easy, and thus they get written down. I understand the need for minimum pass lengths, but capping the max so low, and so close to the min, is just madness. Give us flexibility in passwords, not some dubious new expensive tech to do the same job.

Re:Its not the number of passwords that is the iss (1, Insightful)

Aranykai (1053846) | more than 7 years ago | (#20082789)

Minimum requirements such as character types and length are there to force complexity (to a certain degree). It has nothing to do with how the program is coded.

Also, if you allowed 50 character passwords, I would imagine your password reset/failure support calls/tickets would rise considerably because people forget them.

Re:Its not the number of passwords that is the iss (2, Insightful)

cliffski (65094) | more than 7 years ago | (#20082859)

I disagree, I think "welcome to the real world" is easier to remember than "mypasswrd1". Sentences evoke memories, visual and auditory, which random lumps of characters or artificially squashed single words do not.

Re:Its not the number of passwords that is the iss (3, Interesting)

Havenwar (867124) | more than 7 years ago | (#20082991)

Yes, you are right, welcome to the real world is easy to remember. And now it will evoke the memory of w2trwrld, which is between 5-10 letters and contains one digit, and thus will be accepted as strong on 90% of the passworded applications out there.

Re:Its not the number of passwords that is the iss (1)

cliffski (65094) | more than 7 years ago | (#20083033)

You just proved my point. Which of those 3 is your password again?

Re:Its not the number of passwords that is the iss (1)

Havenwar (867124) | more than 7 years ago | (#20083467)

I would have used the last one, I listed the three to show how I would work it out. Five letters is too short for a password in my world, but then I am somewhat paranoid. As you said a sentence invokes memories and feelings, if you work one into a password then the sentence will invoke the memory of your workprocess - as I showed. Or at least it will if you put any amount of conscious effort into choosing a password.

Not user friendly (0)

Anonymous Coward | more than 7 years ago | (#20083681)

We are supposed to make the system user friendly, because, after all, the end-users end up using them. Artificially limiting the user to passwords less than 10 chars long is not quite user friendly, since there will be a subset of users who will want more than 10 chars, to build sentences that are easier to recognize. Furthermore, I don't know much about passwords, but aren't hashes saved in the system anyway, as opposed to encrypted or plain passwords?

Re:Its not the number of passwords that is the iss (1)

asc99c (938635) | more than 7 years ago | (#20083743)

Actually, it somehow evoked the memory of Waterworld. Dammit.

Re:Its not the number of passwords that is the iss (1)

the Plums in us (1040258) | more than 7 years ago | (#20082857)

Absolutely for removing restrictions on pass lengths. Even worse is when the restrictions are written on the input form, i.e. Web Password (5-8 characters) which is an actual example from a bank's online access service.

I don't know about standardizing passwords though, unless it's something really broad, i.e. must have at least one number and be from 6-100 characters. Otherwise it narrows the possibilities down a bit much.

On that note, having only two passwords for all your services is a bit risky, unless they're very good passwords, and you're very careful about where and when you type them, and the sites you're visiting are all trustworthy. I have about 4 or 5 regular use ones, and all the important stuff like web banking, paypal, etc. each gets its own separate password.

Re:Its not the number of passwords that is the iss (1)

cliffski (65094) | more than 7 years ago | (#20083011)

Absolutely, anything that involves money has its own secure unique one. I just mean for web forums and subscriptions for stuff.

Re:Its not the number of passwords that is the iss (1)

Yvanhoe (564877) | more than 7 years ago | (#20083157)

Plus, having the same password on several websites is an issue. I do this also but I keep wondering what will happen the day that one of the maintainers of the forum where I registered decides to impersonate me on other forums or even -gasp- on slashdot. Hopefully, my email password is unique and I can recover some stuff from there...

Re:Its not the number of passwords that is the iss (2, Insightful)

cerberusss (660701) | more than 7 years ago | (#20083209)

Like many people I end up having to write this new mangled password down, totally defeating its security.

I don't see why writing down defeats a password's security. As long as you guard that piece of paper, it's totally safe.

Re:Its not the number of passwords that is the iss (0)

Anonymous Coward | more than 7 years ago | (#20083261)

Hi Mr Cliffsky

I would like to tell you about a new internet service that provides, err, information and stuff. Just need you to supply a password. Actually for added security we need 3: a short one, a long one and a middle sized one with a numeric digit in it.

Re:Its not the number of passwords that is the iss (1)

Threni (635302) | more than 7 years ago | (#20083825)

> "your password must contain at least one number". WTF?

It means your password won't be a word from a dictionary. You've not heard of `dictionary attacks` then?

> I do not see, from a code POV, why it matters that the password is less than X characters.

I don't see that this has anything to do with coding.

> capping the max so low, and so close to the min, is just madness

The min is obvious. There has to be a maximum. I know of some sites which let you use any length you like, but only the first N is actually checked. This works both ways - great for people like you who want to enter whole sentences, as long as enough is stored to make the password secure.

I don't have a problem with writing down passwords. This allows you to come up with short-ish yet strong passwords like "K8*_2dYD1". The downside with writing them down is just that people might find your password list, but normally you're defending yourself against people who haven't been through your property. If people really want your password and they have access to your password list they probably also have access to your PC and can look for data there, install keyloggers etc.

If you're going to write them down, there are steps you can take to make the information less accessible, such as not identifying which password is for which account; not always writing down the full password or always adding a fixed number of characters to the start of each password which you have to remember not to enter when you're logging in; writing down made up passwords to the list so people waste log-in attempts attempting duff ones etc. You could also not keep the passwords all in one place, or maintain multiple password lists, and keep a decoy list somewhere obvious etc.
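An added example, not part of any comment in this thread: the questions raised above (why a maximum length should matter "from a code POV", whether only a hash is stored, and sites that check only the first N characters) can be checked directly. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the storage scheme; the function names, the iteration count and the 8-character truncation limit are illustrative assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch
TRUNCATE_AT = 8       # assumed limit of a site that checks only the first N characters


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size verifier from a password of any length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, truncate: bool = False) -> dict:
    """Build the record a site stores: a salt and a derived key, never the password."""
    salt = os.urandom(16)
    material = password[:TRUNCATE_AT] if truncate else password
    return {"salt": salt, "key": hash_password(material, salt), "truncate": truncate}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the key from the attempt and compare in constant time."""
    material = attempt[:TRUNCATE_AT] if record["truncate"] else attempt
    candidate = hash_password(material, record["salt"])
    return hmac.compare_digest(candidate, record["key"])


def stored_size(password: str) -> int:
    """Number of bytes stored for the derived key, whatever the password length."""
    return len(enroll(password)["key"])


def accepted(record: dict, attempts: list) -> list:
    """Return the attempts that the stored record would accept."""
    return [a for a in attempts if verify(record, a)]


if __name__ == "__main__":
    phrase = "welcome to the real world"  # the passphrase quoted in the thread
    guesses = [phrase, "welcome to the matrix", "welcome 1", "w2trwrld"]

    # A 5-character password and a 100-character one cost the same to store.
    print(stored_size("abcde"), stored_size(phrase * 4))

    # Full-length hashing: only the exact phrase is accepted.
    print(accepted(enroll(phrase), guesses))

    # First-N checking: anything sharing the first 8 characters is accepted.
    print(accepted(enroll(phrase, truncate=True), guesses))
```

With hashing, the stored value is 32 bytes whatever the input length, so storage gives no reason for a low cap; truncation is what turns a long sentence back into an 8-character password.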

Re:Its not the number of passwords that is the iss (1)

Maelwryth (982896) | more than 7 years ago | (#20083849)

" remembering "tuesdaypass442" is not so easy"
Use a pattern. It is easier to remember and harder to break. qk2mwj3n is not a bad password and the pattern isn't that hard. Keep the same pattern and then extend it for whatever password length you need.

Oh dear (0, Redundant)

badfish99 (826052) | more than 7 years ago | (#20082761)

Now the thieves are going to cut off my head, instead of just taking my finger.

Re:Oh dear (0)

Anonymous Coward | more than 7 years ago | (#20083535)

Now the thieves are going to cut off my head, instead of just taking my finger.

Now who would do that?

Mission Impossible! (1)

WK2 (1072560) | more than 7 years ago | (#20082771)

Tag this Mission Impossible!

But seriously, all someone would have to do is create a sufficient mask. Perhaps that is tough to do now, but if this idea were to take off, the supplies and instructions for doing so, would be available everywhere. And worst of all, you're wearing all of your passwords on your face!

Re:Mission Impossible! (1)

cheese-cube (910830) | more than 7 years ago | (#20082841)

Gah beat me to that one! I was going to say that the only vulnerability with the face recognition instead of a PIN idea is Ethan Hunt.

Like to Forget (1)

pembo13 (770295) | more than 7 years ago | (#20082777)

I kinda like the ability to forget or lose my PIN number. I can't exactly lose my face.

Re:Like to Forget (1)

xaxa (988988) | more than 7 years ago | (#20082997)

I'd like to be able to say to someone "no, I can't access my account with this card, I don't know the PIN". I have a few bank/credit cards, if I'm mugged -- or perhaps threatened at knifepoint at an ATM -- "forgetting" the PIN to some of them might be useful... also, if criminals want my PIN, they need me alive. If they just want my face, they don't.

Re:Like to Forget (1)

IBBoard (1128019) | more than 7 years ago | (#20083075)

also, if criminals want my PIN, they need me alive.

No they don't, they just need to beat it out of you and kill you, then enter it. Yes you could have given them the wrong one, but you'd still end up dead at the end of it ;)

If anything then it's easier to check that it's not a criminal with a face (or a finger print) as you can check for blood flow and heat patterns. It won't solve the problem of someone holding you there, but a trained monkey can enter a PIN while only a real living person (or quite a complex fake) can match a face print and have blood flow etc.

Not that I support the idea of one single biometric log-in, but there are some ways in which it can be made more difficult for a criminal to just steal what they need and empty your account :)

Re:Like to Forget (1)

ajs318 (655362) | more than 7 years ago | (#20083721)

Which sort of makes the case for a "duress PIN" which, when entered, allows you to withdraw money (maybe bring up a fake error message that you have only £50 -- or whatever the account holder's maximum liability in event of theft is; this guards neatly against the account holder withdrawing money themself with the duress PIN -- left of your daily spending limit) but also alerts the bank to the fact that it was used, photographs the user (if it's a HITW machine with a camera) and slaps an automatic trace on the card.

Many burglar alarm systems have something similar which cuts off any local bell boxes but not the remote monitoring service. (Unfortunately, the duress code is almost always the usual code with the units incremented, so a savvy criminal only has to enter "1233" if you said "1234". Most systems give 2 retries, so if 1234 really was the real code then entering 1233 would still be non-fatal; entering a wrong code usually even restarts the timer. One would hope for the banks not to fall into this trap.)
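An added example, not part of the comment above: a sketch of the duress-PIN check it describes, including an enrollment rule that refuses a duress PIN too close to the real one. The rule generalizes the "units incremented" trap to any PIN that is numerically adjacent or differs in a single digit; all names, the PINs and the £50 cap are constructed for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum


class Outcome(Enum):
    REJECTED = "rejected"
    NORMAL = "normal"
    DURESS = "duress"  # transaction proceeds, but the bank is alerted silently


def _derive(pin: str, salt: bytes) -> bytes:
    # A 4-digit PIN has only 10,000 values, so hashing here only avoids keeping
    # the PIN in clear; it does not resist offline guessing of a stolen record.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, 50_000)


def is_guessable_variant(real_pin: str, duress_pin: str) -> bool:
    """True if a criminal told one PIN could trivially try the other."""
    if len(real_pin) != len(duress_pin):
        return False
    # Numerically adjacent: covers "units incremented", including carries.
    if abs(int(real_pin) - int(duress_pin)) <= 1:
        return True
    # Identical or differing in exactly one digit position.
    return sum(a != b for a, b in zip(real_pin, duress_pin)) <= 1


def enroll(real_pin: str, duress_pin: str) -> dict:
    """Store verifiers for both PINs, refusing a predictable duress PIN."""
    if not (real_pin.isdigit() and duress_pin.isdigit()):
        raise ValueError("PINs must be numeric")
    if is_guessable_variant(real_pin, duress_pin):
        raise ValueError("duress PIN is too close to the real PIN")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "real": _derive(real_pin, salt),
        "duress": _derive(duress_pin, salt),
    }


def check_pin(record: dict, attempt: str) -> Outcome:
    candidate = _derive(attempt, record["salt"])
    # Run both comparisons every time so timing does not show which PIN matched.
    is_real = hmac.compare_digest(candidate, record["real"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    if is_real:
        return Outcome.NORMAL
    if is_duress:
        return Outcome.DURESS
    return Outcome.REJECTED


def visible_balance(outcome: Outcome, balance: int, duress_cap: int = 50) -> int:
    """Balance shown at the machine; under duress it is capped at duress_cap."""
    if outcome is Outcome.DURESS:
        return min(balance, duress_cap)
    return balance


if __name__ == "__main__":
    record = enroll("1234", "7291")  # constructed sample PINs
    for attempt in ("1234", "7291", "1233"):
        result = check_pin(record, attempt)
        print(attempt, result.value, visible_balance(result, 2300))
```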

Re:Like to Forget (1)

forgotenpasswerdmoro (955491) | more than 7 years ago | (#20083145)

Re: losing your face.

It happens all the time.

Car accidents, Biking accidents. Children grow up. Another good one is serious allergic reactions. People forget to pay Guido and they find out how their face feels with massive bruising and swelling.

Any system would have to take into account people who have no faces, or have their faces changed radically, and that may be a highway to exploiting the system especially if it is centralized.

Sounds pretty fucked up for twins... (3, Interesting)

forgoil (104808) | more than 7 years ago | (#20082783)

Or people looking really alike, I mean, how precise is this thing? What about make up? Trip to the beach? Getting your hair done? Shaving accident?

They are trying to solve a problem (I hate pin codes) by making it into a worse problem. Way to go...

And beatings... (1)

IBBoard (1128019) | more than 7 years ago | (#20083031)

Never mind the more superficial changes. What if you get mugged and beaten for a different card (or a watch or gadget or something) and have your face beaten up? How does it cope with busted lips, big swollen black eyes, broken noses and worse?

I guess it'd be one way to ensure that people can't take their money out!

Re:Sounds pretty fucked up for twins... (3, Funny)

3vi1 (544505) | more than 7 years ago | (#20083669)

Twins won't be a problem: the software can tell them apart because the evil one has a goatee and the good one doesn't.

Yes, even the female ones.

Sounds great! Until... (1)

RootsLINUX (854452) | more than 7 years ago | (#20082791)

Someone takes a picture of your face using their cell phone, or takes an existing picture off of myspace, etc. I think it would be pretty damn hard for a camera to do facial recognition unless it truly is a 3D camera -- otherwise you can just stick a picture of the owner's face in front of the lens and you're in business.

you do not want someone transplanting your face (1)

Anonymous Coward | more than 7 years ago | (#20082819)

As with all biometrics this is stupid and dangerous. Others have already remarked about centralised security meaning higher value. Biometric security means that often the easiest way to subvert the system is to steal you or your body parts. Very few things are worth that to you (your employer or bank might think otherwise; they have different priorities :-) so never agree to take part in biometrics.

Obviously CmdrTaco and Alan Cox wouldn't like it (3, Funny)

jsse (254124) | more than 7 years ago | (#20082903)

Because it requires them to shave.

"Please stick your head in the scanner for face recognition."


"Your face was not recognized, please rub your face with the towel provided and try again."


"We failed to recognize your face after several trials. We'll now shave your face for a better recognition result. To avoid you moving your head while shaving is in progress, we'll lock your head firmly now."

*shaver pops out*


MI (2, Insightful)

bazorg (911295) | more than 7 years ago | (#20082935)

these guys didn't watch "Mission: Impossible"?

Re:MI (2, Funny)

Remusti (1131423) | more than 7 years ago | (#20083177)

Or Face/Off, evidently.

So... (5, Insightful)

QMalcolm (1094433) | more than 7 years ago | (#20082959)

Instead of using something that's secret and can be changed, they want to start using something that everyone can see, and is not changeable.

Update biometrics. (2, Insightful)

iknownuttin (1099999) | more than 7 years ago | (#20083255)

Instead of using something that's secret and can be changed, they want to start using something that everyone can see, and is not changeable.

I guess you'd have to have your biometrics updated every few years as you age. More often if you smoke, drink heavily, sunbathe, etc... those things age you faster.

This is a great opportunity... (1)

MiniMike (234881) | more than 7 years ago | (#20082967)

This is a great opportunity- for my evil twin to clean out my bank account!

As if he hasn't haunted me enough already...

It's Bogus (3, Interesting)

ajs318 (655362) | more than 7 years ago | (#20082977)

It's bogus. I can say this with certainty.

How do I know? Because the exact same maths apply to a different domain, and we'd already have seen developments there if this was true.

Decompilation uses exactly the same abstract mathematical concepts as shape recognition (of which facial recognition clearly is a subset). Just replace "vertices" with assembly-language instructions and the "shapes" to which they may belong with program structures (for / while loops, subroutines &c).

If there was anything in this facial recognition malarkey, somebody would have created a working decompiler by now. That's just a simple application of the law of averages; there are many more hackers out there than there are biometrics researchers. And there's a huge application for a decompiler: the ability to decompile a program which originally was written in, say, Visual BASIC into C++ will mean that programmers can collaborate on a project without having to have a language in common (and, incidentally, it will also mean that Freedoms One and Three can be taken by force like Freedoms Zero and Two). So far, nobody has created such a thing.

It's snake oil, pure and simple.

Plus, I kind of like the extra security layer that I get by having different PINs for all my cards and different passwords for all my online accounts. If someone discovers, say, my Halifax PIN, they'll have to steal my Halifax card. But if they catch me on a day when I'm not carrying that one and steal my Lloyds TSB card or my Abbey National card instead, the Halifax PIN is useless to them (and while I'm sorting out blocking the stolen card, I can change the compromised PIN). Likewise, if someone discovers my Yahoo! Messenger password, they can't impersonate me on Slashdot.

Re:It's Bogus (0)

Anonymous Coward | more than 7 years ago | (#20083395)

Er - decompilation *IS* trivial.

Documenting the decompiled code a little harder, but far from impossible.

ummmm... (2, Interesting)

Mr Abstracto (226219) | more than 7 years ago | (#20083055)

...what about twins?

Re:ummmm... (2, Informative)

Bardsley (946251) | more than 7 years ago | (#20083505)

What about twins?? The latest advances in face recognition are capable of distinguishing between twins [pdf].

Stupid for several reasons (3, Insightful)

PontifexPrimus (576159) | more than 7 years ago | (#20083063)

Here are, just off the top of my head, a couple of reasons why I think that's a really stupid idea:
  • You have to consciously enter a PIN to give it away - unless you're fooled by a complete rebuild of an ATM, you're not likely to enter this particular number anywhere else; but you show your face to everyone in the street, making it trivial to get several photographs of it and even do a 3D reconstruction if desired.
  • You can enter a number at a keypad even if severely impaired and under pretty unfriendly conditions (outside ATM in heavy rain, when you're wearing gloves and are a little under the effect of both a cold and cold medicine, say). It's a pretty fool-proof, accessible way of entering a small amount of data. Facial recognition, on the other hand, requires - unless there have been vast advances - very good lighting, a clear image of the face not obscured by sunglasses, intensive make-up or bruises, and no vast changes in hair style or beard growth.
  • Image recognition is cost intensive, energy intensive and computationally expensive; a keypad of the highest level, secure and proof against vandalism will cost what? A couple of hundred bucks at most? To get facial recognition you need light sources that don't interfere with the cameras, the cameras themselves, complex software behind them and - also very important - you need large amounts of data on the facial features. Granted, it might be easy to compress them to a couple of hundred kb's if you're willing to sacrifice some accuracy, but compare that with the four or five bytes you need to store a PIN!
  • Problem of false negatives and false positives: when I enter a PIN I can usually get it right on the first try; I usually only run into problems when I confuse it with the PIN from another card. Entering it wrongly has happened maybe once or twice in my life, as far as I remember. Now, what are the chances that the facial recognition software will correctly identify me 99.99999% of the time? And how big is the risk that it might mistake another person for me?
  • Another thing: right now I can hand my credit card to my brother, tell him to pick me up a little cash from an ATM and give him my PIN and card. Will there be provisions made for you to authorize other people, like your spouse? How many? For how long?
I think it's strange that so many people seem to think just because something is newer it is automatically better than the old technology / method / tool. Don't get me wrong, I love progress - but increasing the failure points of a known and working (if not perfect) system seems like a strange idea to me...

Re:Stupid for several reasons (3, Interesting)

MichaelSmith (789609) | more than 7 years ago | (#20083353)

I agree with all of that. One thing I would like to see with ATMs is an attempt to behave a bit like a human teller in the sense that if I steal a woman's credit card and front up at the counter then they know that I (being male) must not be the owner of the card.

Some simple image matching process would be a good idea IMHO. It doesn't have to be fantastic and definitely not a replacement for a PIN.

3D map of the face ? What about acne ? (2, Funny)

subStance (618153) | more than 7 years ago | (#20083129)

Surely the degree of accuracy to which you would have to measure the face to make it unique would imply that a good case of acne would be enough to deny access to your accounts.

Or better still, a broken nose ? Imagine having to go explain to the bank that you needed to change your pin because you were drunk and got into a fight at a pub ? There goes your chance at getting a homeloan ...

Face recognition with a photo! (1)

VincenzoRomano (881055) | more than 7 years ago | (#20083187)

And what happens if I put a photo or a hologram in front of that camera?

Re:Face recognition with a photo! (1)

maroberts (15852) | more than 7 years ago | (#20083251)

Even better, as it claims to be three-D, build a papier-mache head.

In other news (0)

Anonymous Coward | more than 7 years ago | (#20083279)

The incidence of decapitations has increased 500%

Should be interesting (1)

Capt James McCarthy (860294) | more than 7 years ago | (#20083329)

To see how the hell they are going to have a person walk up to an ATM, and wait for the system to search through potentially billions (or trillions) of biometrics datapoints while it looks for an exact match. Then the system will have to re-run the search so it is sure it has the proper account. This all because some school wants to rid the world of a key (credit/atm card and pin).

Now if you enhance the credit/atm card with a biometric to ensure that the owner of the card is the one using it, that would be a more logical target. The CC/ATM number + pin would have a biometric record to pull and compare. Much quicker and still adding quite a bit of security to the accounts.
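The card-keyed comparison suggested in the comment above, set beside a database-wide search, as an added example that is not part of the original thread. The templates, card numbers, probe and threshold are constructed, and the Euclidean-distance matcher is an assumed stand-in for a real face matcher.

```python
import math

# Constructed enrollment database: card number -> face template (feature vector).
ENROLLED = {
    "card-1001": (0.10, 0.80, 0.30, 0.55),
    "card-1002": (0.70, 0.20, 0.90, 0.40),
    "card-1003": (0.12, 0.78, 0.33, 0.50),   # happens to resemble card-1001
    "card-1004": (0.45, 0.45, 0.10, 0.95),
}
MATCH_THRESHOLD = 0.10   # assumed: distances at or below this count as a match

# Constructed probe: the holder of card-1003 standing in front of the camera.
PROBE = (0.12, 0.79, 0.32, 0.51)


def distance(a, b):
    """Euclidean distance between two templates of equal length."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(card, pin_ok, probe):
    """1:1 check: card and PIN select one record; the face is compared to it only."""
    template = ENROLLED.get(card)
    if template is None or not pin_ok:
        return False
    return distance(template, probe) <= MATCH_THRESHOLD


def identify(probe):
    """1:N search: every enrolled template is another chance of a false match."""
    hits = []
    for card, template in ENROLLED.items():
        d = distance(template, probe)
        if d <= MATCH_THRESHOLD:
            hits.append((d, card))
    return [card for _, card in sorted(hits)]
```

With the constructed data, the search returns two candidate accounts for one face, while the card-keyed check makes a single comparison and still rejects the same face presented with a different card and a correct PIN.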

Biometrics are scary... (1)

WoollyMittens (1065278) | more than 7 years ago | (#20083429)

I don't want people motivated to steal my head / finger / iris / retina along with my wallet. Even if you can tell the difference between a living or a stolen body part, some idiot will try it anyway.

Re:Biometrics are scary... (1)

aadvancedGIR (959466) | more than 7 years ago | (#20083845)

And even if they simply copy a part of your body (it can be really cheap, you leave fingerprints everywhere you go and anyone with the right tools can make a 3D model of your head with just a couple of photos), you'll need expensive and painful surgery.

I would even prefer subdermal RFID...

PIN. Just PIN (0, Redundant)

aristolochene (997556) | more than 7 years ago | (#20083457)

It's a PIN. Not a PIN number.

Re:PIN. Just PIN (0, Redundant)

aadvancedGIR (959466) | more than 7 years ago | (#20083859)

Can you guess what the 'N' stands for?

What's that saying: (1)

Late-Eight (1026794) | more than 7 years ago | (#20083461)

"If it's not broken don't fix it."

Clearly some people have a little difficulty remembering PIN codes, but in my opinion it's the best way.
When you start adding security features that require a human component, it's clearly a bad idea.

Identical Twins (0, Redundant)

RationalRoot (746945) | more than 7 years ago | (#20083543)

Identical Twins
Need I say More ?

Re:Identical Twins (0)

Anonymous Coward | more than 7 years ago | (#20083747)

This could become a problem since one of the twins often turns out to be evil.

Dad was Wrong! (1)

Aaron_Pike (528044) | more than 7 years ago | (#20083635)

That degree in Sculpture was a money maker, after all.

PIN Number is incorrect (0, Redundant)

Draelen (920902) | more than 7 years ago | (#20083643)

It's not "PIN Number", PIN stands for "Personal Identification Number", so you are really saying "Personal Identification Number Number", which is of course a redundancy.

Re:PIN Number is incorrect (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#20083855)

Much like your post.

Great... (1)

loic_2003 (707722) | more than 7 years ago | (#20083699)

now my evil twin is going to clear out my bank account...

Re:Great... (1)

pwrtool 45 (792547) | more than 7 years ago | (#20083795)

Improbable. The facial recognition software almost certainly takes into account the goatee.

Point Break redux (0)

Anonymous Coward | more than 7 years ago | (#20083773)

The gang wouldn't have had to use guns ... they could have just stood in front of ATMs in Washington DC. But not much surf on the Potomac.

As always, people miss the point (1)

Sycraft-fu (314770) | more than 7 years ago | (#20083797)

It really annoys me that so many alleged security researchers seem to think that biometrics should be used as a replacement for what we have. No, it should be an augmentation. Each different kind of security has different things that are good and bad about it. I'll cover the three I'm aware of (which I believe to be a complete list):

1) Something you have. This would be like a key or a smart card or something. The strength is that if properly designed it should be difficult to impossible to copy and that it has to be physically taken to be used. As such its absence can be noted and you can't get it remotely. The weakness is, of course, that it can in fact be physically taken, and also that many indeed can be copied.

2) Something you know. That'd be a password, PIN, whatever you want. This is something (hopefully) stored only in your head. The strength is that there's nothing to actually come and steal or look at. It's all in your head so someone has to either get you to give it up or they have to intercept it when you enter it. The weakness is of course that it can be intercepted without our knowledge, and if it is there's no way to know other than once unauthorized access has already happened.

3) Something you are. This is a fingerprint, face scan, DNA, whatever. Something that is just a part of you. The advantage is that you can't lose it or have it stolen (barring someone cutting off a limb or something) and it can't be copied, at least not exactly. The disadvantage is that what you are changes and our ability to measure it is limited anyhow. This means there's a limit to the accuracy at which what you are can be checked and still be useful. Thus though an exact copy of you may not be possible, it may be possible to make a mockup or find someone who's close enough to work.

So, because of this, better security comes from using two or three kinds of authentication. Just a biometric measurement isn't any better than a password, maybe worse since you can change a password but changing a face is pretty hard. However a biometric scan, plus a password, plus a token is an ironclad bitch to break. For that someone has to steal your token, find out your password, and construct an acceptable copy of the biometrics, all before you notice something is amiss and have access shut off.

So I'm all for biometrics for things, so long as they are an addition. Unfortunately, way too often I hear them as a replacement.

We get the same crap at work. Everyone's ID has a smart chip in it. So there's talk of making the computers support it. Great idea, password + smart chip = fuck you to remote password crackers and such. Even if the password is simple, you have to steal the smart card which you can't do over the net. However of course everyone doesn't want that, they want JUST the smart card. "Oh I won't have to remember a password anymore!" Great, until someone locally swipes it and then is in as you.

Opt out? (1)

Thecarpe (697076) | more than 7 years ago | (#20083807)

It concerns me, as a Christian, that technology is pursuing biometrics on face or hands to enable buying and selling.

Revelation 13:16-17 (for those who are curious - it's talking about the mark of the beast)
"He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name."

For those who think it's all a bunch of religious bologna, that's fine. Without reading too much into the mark (speculation can be a big rabbit trail), the principle of the matter is that there will eventually be a time when those of us who have promised not to take such a mark (whatever it may be) will have to opt out - under the threat of certain hardship and persecution. For those of us who are not comfortable with the technology, hopefully there will always be the possibility to opt out.

Privacy is a whole other matter, not to mention that this is a pretty cracked tech. My problem with this whole thing is the precedent...

useful for fraud scoring, but not an auth factor (2, Informative)

rapiddescent (572442) | more than 7 years ago | (#20083823)

I doubt this will be a single authentication factor in any banking/payment environment because the university researchers from the article just don't understand how complex payment systems are and how much interoperability between card schemes does not exist.

Where it will be used is in fraud scoring. The Alliance and Leicester trialled small webcam-like devices on ATMs but for some reason took them out of service. Recognition is useful, but it will not be used to block transactions, it will most likely be used to raise a score on a fraud profile for a transaction.

This type of fraud profiling is becoming more important because the UK will be moving to Faster payments at the end of 2007 - where once banks had 3 days to run scanning products (for terrorist account activity and fraud) - they will only have a few minutes. The problem at the moment in the UK is that customers do a lot of electronic payments compared to USA - so many transactions will not have time for all the fraud checks.

So if someone who looks nothing like my description makes a transaction, then the score will increase on the account which can then implement further fraud checks in resulting transactions.

When I designed and built a fraud detection system for a UK mobile operator, we found that when a handset/number had fraud committed on it - it was usually picked up by lots of the fraud scanners and would stick out like a sore thumb. Each customer would have an associated fraud score and when it reached a certain point, the fraud team would get involved.
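An added sketch of the account-level scoring described in the comment above (not the poster's system and not from the thread): a face-match result raises a running score instead of blocking a transaction. All weights, thresholds, signal names and the decay rule are assumptions.

```python
from dataclasses import dataclass, field

# All weights, thresholds and signal names are constructed assumptions.
WEIGHTS = {"new_payee": 15, "unusual_amount": 20, "foreign_terminal": 25}
FACE_WEIGHT = 40       # most a complete face mismatch can add
FACE_OK = 0.8          # matcher similarity at or above this adds nothing
EXTRA_CHECKS_AT = 30   # elevated: run further fraud checks on the account
REVIEW_AT = 60         # fraud team gets involved
DECAY = 0.5            # a clean transaction halves the running score


@dataclass
class Account:
    account_id: str
    score: float = 0.0
    under_review: bool = False
    log: list = field(default_factory=list)


def score_transaction(acct, face_similarity, signals=()):
    """Fold one transaction into the account's running fraud score.

    face_similarity is a matcher output in [0, 1]. It only raises the
    score: a complete mismatch adds FACE_WEIGHT, which is below REVIEW_AT.
    """
    if not 0.0 <= face_similarity <= 1.0:
        raise ValueError("face_similarity must be in [0, 1]")
    unknown = set(signals) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    added = sum(WEIGHTS[s] for s in set(signals))
    if face_similarity < FACE_OK:
        added += FACE_WEIGHT * (FACE_OK - face_similarity) / FACE_OK
    acct.score = acct.score + added if added else acct.score * DECAY
    if acct.score >= REVIEW_AT:
        acct.under_review = True   # sticky until an analyst clears it
    if acct.under_review:
        decision = "review"
    elif acct.score >= EXTRA_CHECKS_AT:
        decision = "extra_checks"
    else:
        decision = "allow"
    acct.log.append((round(acct.score, 1), decision))
    return decision
```

A single complete face mismatch on a clean account yields `extra_checks`; it takes a further signal or a repeated mismatch to push the account to `review`.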

Concerned about the level of security here... (0)

Anonymous Coward | more than 7 years ago | (#20083867)

I am an identical twin, does this mean that my brother will be able to get into my secret pr0n folder using only his (And my, I guess) god-awful visage?