Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Biotech Security

Vein Patterns Could Replace Fingerprints 152

Death Metal writes "Companies in Europe have begun to roll out an advanced biometric system from Japan that identifies people from the unique patterns of veins inside their fingers. Finger vein authentication, introduced widely by Japanese banks in the last two years, is claimed to be the fastest and most secure biometric method. Developed by Hitachi, it verifies a person's identity based on the lattice work of minute blood vessels under the skin."
This discussion has been archived. No new comments can be posted.

Vein Patterns Could Replace Fingerprints

Comments Filter:
  • by Anonymous Coward

    it's big and blue.

  • Makes you wonder what else can be discerned from the pattern of blood vessels and other scan information.

    Can't let all that valuable information go to waste, can we?

    • by Andr T. ( 1006215 ) <andretaff@@@gmail...com> on Thursday November 13, 2008 @06:09AM (#25744951)
      Robot voice: "Hello, mister... JOHN SMITH. You forgot to pay your... UNIVERSITY BILL. You'll be expelled in... THREE DAYS. Also, you have... BLOOD CANCER. You'll die in... SIX WEEKS."
    • by Tsu Dho Nimh ( 663417 ) <abacaxi&hotmail,com> on Thursday November 13, 2008 @07:37AM (#25745341)

      Makes you wonder what else can be discerned from the pattern of blood vessels and other scan information.

      If you scan both hands simultaneously, you can usually tell if the person is right or left-handed. The hand that is used more has a larger blood supply, bigger blood vessels.

      It doesn't work on piano players, typists and some others who use both hands vigorously.

      • Re: (Score:2, Insightful)

        I would also like to point out that left-handed people are, typically, closer to ambidexterity than right-handed people. I was extremely left-side dominant as a small child, but, now I approach many tasks right handed. This would be a result of the estimation that ~90% of the world is right-side dominant.

        As an example, biomechanically, using a screwdriver to drive a screw in left-handed is inefficient so I naturally at this point turn a screwdriver clockwise right-handed and counter-clockwise left-handed.

        • by mdwh2 ( 535323 )

          I'm left handed, but for using a mouse, my right hand is dominant. This means I can use a keyboard and mouse ambidextrously. Which is very handy for playing FPSs.

        • by smoker2 ( 750216 )
          I always expected all humans to be like that. The only definition of left or right handedness is, what is your default when there are no other variables. As a car mechanic, there are places you can't get to right handed, and others you can't reach left handed. The situation defines the preference. Writing is mainly governed by politics (small p), that is to say, education. When writing was big (dark ages/middle ages), writing used slow drying inks that would smudge if you wrote from right to left when using
        • Comment removed based on user account deletion
  • by mlts ( 1038732 ) * on Thursday November 13, 2008 @04:48AM (#25744569)

    Maybe its me being pedantic, but I consider biometrics something that is intended to replace typing in a username, as opposed to being both pairs of the username/password combo. Ideally, one would have biometrics to ID which user is wanting access, then have a contactless smart card and/or a PIN for the "password" part that confirms the user is whom he or she said they are.

    • by cjfs ( 1253208 ) on Thursday November 13, 2008 @04:59AM (#25744609) Homepage Journal

      Agreed. Single-factor authentication based on something that's not reissuable is a recipe for failure.

      Eventually people will run out of non-compromised fingers ;-)

      • Agreed. Single-factor authentication based on something that's not reissuable is a recipe for failure.

        Very true, and very bad. On top of that, add a horribly broken authentication protocol:

        You send your username to the authenticating party in the clear, and they verify that it matches their stored copy of your username.

        Hello... ? What's the password, here? I can't think of any way to copy your fingerprint off that laptop I just stole from you. Nor do I ever get the idea to produce a workable replica of your iris from the hi-res photo I have in my database.

        On the web, where you send your site-specific pa

        • I remember in college I had a class in computer security and there was a Marine in the class who disagreed with the idea that biometrics cannot be stolen.
          • Was he in Vietnam? There were stories about some of the Marines who have separated from civilization for long periods of time with a combination of PTSD and general stress of war, they took the fingers of the people who they killed and wore them as trophies. Gruesome and Barbaric yes. However biometrics can be stolen.

      • With stem cell research anything is 're issuable'!

    • by Joebert ( 946227 )
      We used to have something like that called Ugly People when I was a kid.
    • Re: (Score:3, Interesting)

      by Bearhouse ( 1034238 )

      Your right, should be a two-step process.
      The summary uses two terms, identification & authentication, as if they were interchangeable. They are not.

      Identification is the process by which the identity of a user is established, and authentication is the process by which a service confirms the claim of a user to use a specific identity by the use of credentials (usually a password or a certificate).

      So the biometrics would identify you, not authentify.

      • by conchur ( 907178 ) on Thursday November 13, 2008 @06:17AM (#25744991)

        "authentify" - Does that mean simultaneous identification and authentication? Does "indentificate" mean the same thing?

        • Presumably ;-) OK, I typed that a little fast. Having said that...urm...'perform authtication' then? Anybody got a less clumsy way to say it?

          • Presumably ;-) OK, I typed that a little fast. Having said that...urm...'perform authtication' then? Anybody got a less clumsy way to say it?

            I think the word you are looking for is "authenticate"

      • The usual industry acronym is 'AAA'. It stands for 'authentication, authorization, and accounting'.

        You've just said that identification is when you're identified and authentication is when your identity is confirmed. That's a terribly nit-picky distinction and not the one generally used by AAA software authors, documentation writers, or users.

        Authentication is determining who a user is. Authorization is determining what that user is allowed to do, what resources they are allowed to use, during what time fra

    • by jonaskoelker ( 922170 ) <(moc.oohay) (ta) (rekleoksanoj)> on Thursday November 13, 2008 @06:47AM (#25745107)

      I consider biometrics something that is intended to replace typing in a username

      And wisely so. Biometric data is an identifier--it's something with a one-to-one mapping to an identity (here: a pile of cells). Other common identifiers are SSNs, usernames, user IDs, RSA public keys and sha1 hashes [the one-to-one-ness works well in practice for sha1, but of course not in theory].

      Identifiers are not authenticators. A good authenticator for any given identifier requires that only the identified thing can produce the authenticator; except in one-time schemes, performing the authentication should not allow anyone else to authenticate as you later on. It also requires that they one you're trying to prove something to can verify what you're claiming.

      A good authenticator for a public key is a signature on a random string. [make sure the one validating you knows how the signature looks before you send it; use a commitment scheme].

      A bad way to authenticate is by sending a copy of the private key [or for sha1 hashes, the string that hashes to the given hash].

      Biometric authentication "works" by having the identifier be the authenticator, and the authentication protocol works by sending a copy of the authenticator:

      You put your iris in front of the scanner and it does a "SELECT permissions FROM users WHERE iris = %s" [without the horrible SQL injection possibilities, of course]. What's to stop those who look up your iris from creating a replica? If you work by fingerprints, I send my goons to follow you around. When you open or close a door, they take your print and produce a rubber replica.

      An analogy would be that you learn a word that only you can pronounce, and the authentication works by you saying the word aloud, such that everyone in your vicinity can hear it. "Only you can pronounce", I don't buy that.

      • by Yoozer ( 1055188 )

        An analogy would be that you learn a word that only you can pronounce, and the authentication works by you saying the word aloud, such that everyone in your vicinity can hear it. "Only you can pronounce", I don't buy that.

        Say "passport" for me, please.

    • Re: (Score:1, Insightful)

      by ld a,b ( 1207022 )

      Exactly. Biometrics are the DRM of the 21st century. They are broken already. What keeps anyone from recording the patterns and playing them back to the machine? It's not like a machine cannot replicate pressure changes and heat.
      Sure, it is more difficult than scanning a fingerprint or cutting a finger off a person. A long yet still memorable password is exponentially more secure than a very long password that you have to carry around exposed all the time for others to copy.

    • Re: (Score:3, Informative)

      by jrumney ( 197329 )
      I don't know about this particular method, but biometric measurements in general are not perfectly repeatable, so they need to use fuzzy algorithms, which raise the probability of collisions. So they are more like a hashed password than a perfectly unique user ID.
    • by DrYak ( 748999 ) on Thursday November 13, 2008 @10:00AM (#25746695) Homepage

      Plus, as an MD, I have quite some suspicion about the stability of some biometric methods over time or over pathologies.

      Take today's method :
      - it relies on vein patterns.
      The main problem I see is that veins are biomechanically elastic, in order to be able to comply with varying amount of blood. It works as a "blood pool".
      Depending on pathologies, the shape of the veinous network can change dramatically.

      (same goes for retina. I mean looking at the change induced is the way to assess the progress of some disease like diabetes or hypertension).

      Fingerprint worked so-so because the relatively stable : as long as the deeper structures aren't destroyed, the skin regrows with the same prints, no matter what.
      Fucking up fingerprints require deep mutilation of fingers. These kind of accident can happen is heavy industrial workers, but its not something the average laptop wielding geek is very likely to experience. Thus fingerprints are good enough.

      Whereas, the current trend of blood-related biometric systems are affect by pathologie (I've mentionned hypertension and diabetes) which are much more frequent, specially among the sedentary people: typically the users of such systems.

      Thus, I have real doubts about the long term feasibility of such measures.

      • by Lemmeoutada Collecti ( 588075 ) <obereonNO@SPAMgmail.com> on Thursday November 13, 2008 @10:57AM (#25747491) Homepage Journal

        Messing up a fingerprint requires nothing more than a sharp object and several horizontal lacerations in some cases... I know this from personal experience. On of my fingerprints was permanently altered enough that the whorls were distorted when I got a simple cut that became infected. The regrown print now has a section across it stretched to the side, distorting the shapes enough that most systems don't recognize it as the same fingerprint anymore.

        Of course, there is still enough that a human can identify it, but the limited data sets used in most biometrics can't find sufficient matching markers.

        In the case of another finger, I also have vertical wrinkles that come from aging, so now that fingerprint is segregated like looking at it through blinds.

        There are many everyday events that can cause enough change in fingerprints to mess up most biometric readers. These range from short term events like having a cut or blister, to permanent changes like slicing a fingertip off and the doctor not lining it back up perfectly.

        There is nothing about the human body that is immune to change. It is that elastic ability to adapt that has made homo sapiens a viable species.

      • "Depending on pathologies, the shape of the veinous network can change dramatically."

        I see you play with your cats as well.

  • by irexe ( 567524 ) on Thursday November 13, 2008 @04:58AM (#25744603)
    Until someone figures out how to revoke and replace biometric properties in case of fraud, I don't see why we should even be considering them as a serious replacement for good old passports.
    • by phoenix321 ( 734987 ) * on Thursday November 13, 2008 @05:16AM (#25744695)

      It would be very necessary to mandate a "duress PIN" or password for every authentication point. A silent alarm whenever someone is forced to enter credentials against their will.

      This should be mandatory for all authentication systems anyway, it would certainly hinder these ridiculous one-day kidnappings and ATM muggings.

      • Re: (Score:3, Interesting)

        by Kent Recal ( 714863 )

        And how would a duress pin help anything?
        As if the cops could jump onto the scene during the short time that an ATM transaction takes...

        If the bad guys stand next to you, pointing a gun to your head while you make the transaction then the ATM camera will capture that anyways and provide good evidence later on.
        But if they don't (which, I guess is more likely) then entering a duress pin changes exactly nothing. Sure, the bank now knows that you may be in trouble - but what can they do, hand out marked money?

        I

        • Re: (Score:3, Insightful)

          by Hellies ( 1395359 )

          And how would a duress pin help anything? As if the cops could jump onto the scene during the short time that an ATM transaction takes...

          Seriously? In the case that a duress code is entered, the police have a lot of information to work with. As opposed to someone reporting the crime possibly hours after is happened. 1. The cops are informed that a kidnapping is in progress right now and have the exact location of the kidnappers. 2. They know the person who has been kidnapped by the bank account that is being accessed. 3. They have the images from the ATM camera, which may indicate how many kidnappers there are, how they are dressed, what

          • Okay, maybe I underestimated the value of such a duress code. I'll at least agree that it wouldn't hurt to have on either.

    • Re: (Score:3, Insightful)

      One key element of that method is that fraud is harder to perform than with other method of biometric identification methods. You leave fingerprints and DNA samples all the time and they are easy to copy or displace, and yet they can and are used as strong evidences in criminal cases. At least, with vein patterns, no one can copy yours from an indirect transfer on a regular surface of from a photo of you.

    • Re: (Score:2, Informative)

      IBM research developed back in '02 an interesting way of revoking and replacing biometrics [ibm.com] already.
  • by (Score.5, Interestin ( 865513 ) on Thursday November 13, 2008 @05:05AM (#25744637)

    An evaluation by the National Physical Laboratory in the UK found vein patterns to be the least reliable biometric they'd ever encountered, worse even than face recognition which became notorious for its zero-percent hit rate in several public trials (OK, so you can't get worse than zero percent, but in carefully controlled lab trials face recognition did get a non-zero score).

    Looks like another great example of biometric vendor marketing at work. "Buy our stuff, it's gooder than anyone else's!".

    • Is there a place to check this? I found the article you're talking about - but you have to buy it to read it. The reference can be found here [npl.co.uk].
    • Re: (Score:3, Insightful)

      by MrMr ( 219533 )
      I don't see the contradiction: I would consider the least reliable metric the most secure.
      Or are we talking about the security of the bank?
    • by smoker2 ( 750216 ) on Thursday November 13, 2008 @01:06PM (#25749477) Homepage Journal
      In my capacity as truck driver, I have had occasion to visit Felixstowe container terminal. They have been trying to get a similar system going for years. I have a photo card that contains the data and I have to place my hand on a pad up against metal posts. This system has never worked reliably, and so far other than when I went through the initial process, I have never had to use it. The terminals are always out of order. So we just wave the card instead.
  • Bonus news (Score:3, Interesting)

    by Artifex ( 18308 ) on Thursday November 13, 2008 @05:06AM (#25744641) Journal

    It's less likely your fingers will get hacked off and taken by criminals trying to get past scanners, if this is used. Although I suspect criminals will find a way to flash-freeze fingers, seal the ends, and then warm up in water before using in the same situations where they could get away with severed fingers for fingerprints (remote access, etc.)

    • a good tourniquet and a hacksaw would probably solve it, as long as you went back a bit, probably the forearm and put it in the scanner moderately quickly afterwards.
  • by hcdejong ( 561314 ) <`hobbes' `at' `xmsnet.nl'> on Thursday November 13, 2008 @05:08AM (#25744649)

    The gruesome possibility that criminals may hack off a finger has already been discounted by Hitachi's scientists. Asked if authentication could be "forged" with a severed finger, the company says: "As blood would flow out of a disconnected finger, authentication would no longer be possible."

    So you'd need a contraption that feeds blood through the finger. It's an extra obstacle, but if you're desperate/psychopatic enough to sever someone's finger, rigging a blood supply is no big obstacle.

  • So, is there actually a working, reliable, automatic fingerprint-reading system that can be used as legal evidence? I am not aware of one, but I am not aware of a whole lot of stuff. (like where's my coffee?)

    Cragen

    • This will be more reliable than fingerprint scanners... those things that they tested on Mythbusters and easily fooled every one with the most basic techniques ....

      (and I see that independent testing has shown that it is *less* reliable) ... ... oh look another unreliable biometric test!

  • Well, at least this method offers less excuse to post gross pictures on Idle [slashdot.org]. So I'm all for it. Extra points for being able to give the bank machine the middle finger (yes, I've actually read the article).
  • GMAC standard (Score:2, Interesting)

    by MegaBitzz ( 1380669 )
    They recently introduced the palm scan to ID people walking in and out of their tests (GMAT etc). I still haven't figured out why. If nothing else it's an interesting way to get strange diseases from sick people who sneeze politely.
  • It's also been in the news recently about body odour could replace fingerprints. I couldn't find the article I saw recently on BBC, but I found this one [bbc.co.uk] instead.
    It talks about how biometrics could change security with regards to the recent lost usb keys and such.
    From the article:
    "A less tested form of biometrics is odour recognition, which is being studied to see if sensors can tell people apart by the way they smell.
    Apparently, not even a strong curry can hide personal odour, but the tech required is ex
  • by Viol8 ( 599362 ) on Thursday November 13, 2008 @06:23AM (#25745017) Homepage

    ...getting sick of the endless ways to identify and tag individuals that have appeared recently? Fingerprints, iris scans, voice recognition, face regonition, smell (!) , walking gait, now vein patterns. How long before we're all just barcoded with a unique id??

    I'm sure some people will say I'm just being paranoid but with the advancement of AI image processing it won't be long before we can be identified no matter where we are , what the time is , or what we're doing. Yes , the governments all roll out the "terrorism" line whenever questioned about this but we've all seen how its been abused already.

    So whats next - infra red heat pattern signatures of individuals? Chemical piss analysis in public toilets?

    • by squoozer ( 730327 ) on Thursday November 13, 2008 @06:54AM (#25745149)

      We sort of already do carry around a barcode - in our DNA. While we aren't even close to being able to process it fast enough to make it viable at the moment I could easily imagine we will be able to in the future. Welcome to the world of Gattaca only we won't be able to get round the checks as easily as he does in the film.

    • How long before we're all just barcoded with a unique id??

      a barcode would be far easier to break.. just slap someone's barcode on some pig skin, lay it on your arm, and get something to scan you..

    • So whats next - infra red heat pattern signatures of individuals? Chemical piss analysis in public toilets?

      Don't give them any ideas!

    • Chemical piss analysis in public toilets?

      We've already done that. :) At least not for individuals yet, though.
      http://science.slashdot.org/article.pl?sid=08/03/09/2121249 [slashdot.org]
  • I forget their name, but I actually used a working prototype that used this exact method of biometric identification.

  • by floydman ( 179924 ) <floydman@gmail.com> on Thursday November 13, 2008 @06:53AM (#25745147)

    For the plain simple fact that they leave traces behind. Police work, you know!

  • The Japanese people all wear those finger-less gloves anyways, so this has probably worked out quite well for them :] And two years until the Western world caught on to this~
  • Identification and surveillance technology is advancing very fast. There was a story a few weeks back about how keys can be copied from photographs, and I expect eventually Minority Report style eye scanners that work from a distance will become available. Maybe even fingerprints from a photograph.

    AI is improving quickly too, and I expect eventually a computer will be able to take feeds from various cameras/scanners/RFID and use it to track a person automatically. At that point the UK government will want t

  • This is a privacy ACCEPTABLE form of biometrics. Why? Because it does not severely invade privacy like fingerprints, DNA, odor, and face recognition. All the other forms of biometrics I just listed can be used on you WITHOUT YOUR PERMISSION, often if you are not even PRESENT. You can't shed or leave vein patterns wherever you go. You veins can't a photographed or video taped from a distance. You can't gather info other than ID with vein patterns.

    Finally, a reasonable and secure biometric that can only

    • by HuguesT ( 84078 )

      Retina patterns are like this as well, but might be more of a hassle to go through.

      • Actually, that is a good point. I temporarily forgot about those. I had championed retina scans in the past as the only privacy-friendly biometric... I guess there are now two :)

    • huh? i find the blanket statement that your vein patterns can't be copied is extremely naive. looks like they're just reading light patterns, which are not spectacularly difficult to fake. all you'd need is to get someone's scan (which would be on every bloody eftpos machine, locker and doorway you go through) and it's compromised forever.
      • Re: (Score:3, Interesting)

        by markdavis ( 642305 )

        I am under the assumption that it would rather difficult to get close enough (contact) to someone and use a special light and scanner/sensors to obtain vein patterns without a person knowing... except if maybe they were asleep. This isn't a photograph, it is a contact scan that requires multiple infrared light sources.

        From a security standpoint, even if you did obtain someone's scan, then how exactly would you impersonate a fake vein pattern in your arm to trick a scanner?

        I do want to point out that I woul

  • why would it replace fingerprints? wouldn't it make much more sense to use them together?
  • now people with varicose veins can just wave their finger from the back of the line and cut in front of the rest of us.
  • There never existed a security system which can't be broken. As security systems evolve, the break-ins into the system too. An intelligent animal called a human creates a security system, why it can't be broken by the same but another instance of this intelligent human animal? Agreed, different instances of this human have different level of intelligence yet there will always be an human instance more intelligent than the creator of the security system. We sometimes call this "Theory of natural progres

  • Look Ma no hands!! Just as there are people out there with no finger prints or hands even (Remove biometric body part of choice) there are certainly going to be people with blood flow conditions that would render this method useless.

    .....................

    If you mod me down well lets face it who really cares

  • Not New (Score:3, Informative)

    by Thnurg ( 457568 ) on Thursday November 13, 2008 @09:52AM (#25746583) Homepage

    This is not new. Vein pattern recognition on the back of the hand was developed years ago. So long ago in fact that the computer part of it was a BBC Micro. [blogspot.com]

  • The company I work for (Konica Minolta) has these as an option on our MFPs [google.com] (as an authentication system that avoids having to type in usernames/passwords to use the device). We've had them for quite a while now really (I don't pay that much attention to sides of the business that don't affect me, but it's at LEAST 2 years)

    Generally we've found that people prefer card readers though.

  • by Assmasher ( 456699 ) on Thursday November 13, 2008 @10:32AM (#25747109) Journal

    ...been doing this specifically for security biometrics for years. Perhaps the news would be that it will become more pervasive, but the same problems that prevented it from taking off in the past apply now as well - you have to network the device in order to validate the user's pattern (most of them actually create a sort of hash code actually.)

Keep up the good work! But please don't ask me to help.

Working...