Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Crime Security Science

Fingerprint Purchasing Technology Ensures Buyer Has a Pulse 156

An anonymous reader writes "A small U.S. university has come up with a novel solution to reduce the possibility of using a dead person's hand to get past a fingerprint scanner through the use of hemoglobin detection. The device quickly checks the fingerprint and hemoglobin 'non-intrusively' to verify the identity and whether the individual is alive. This field of research is called Biocryptology and seeks to ensure that biometric security devices can't be easily bypassed."
This discussion has been archived. No new comments can be posted.

Fingerprint Purchasing Technology Ensures Buyer Has a Pulse

Comments Filter:
  • How about O2? (Score:5, Insightful)

    by Comrade Ogilvy ( 1719488 ) on Monday February 25, 2013 @12:53PM (#43005045)
    Checking for oxygenation level might be possible. Does not have to be a very accurate reading.
    • Probably the same thing. Use a garden variety pulse oximeter which measures the IR spectrum of hemoglobin molecules. Oxygenated ones have a slightly different spectrum than deoxygenated molecules.

      Sounds like a PITA to remove the remote possibility of being Beuhler'd. But it probably got a patent.

      • Achkkk. Phphhht. Read TFA. The school in question didn't even develop the technology, they're just beta testing it.

        Such news!

        Next up....

        Well, I got nothing.

      • Re:How about O2? (Score:5, Insightful)

        by gandhi_2 ( 1108023 ) on Monday February 25, 2013 @01:30PM (#43005559) Homepage

        Passwords, someone complains you can just beat people with wrenches.

        Biometrics, someone complains you can just cut off a body part.

        Biometrics with life detection, someone complains the system can't detect if the persons family is being held hostage....

        • It is a lot harder to drag a hostage to a door without being obvious than it is pull a dead hand/finger out of your coat when no one is looking.
          • by Anonymous Coward

            Who said anything about dragging? Just ask politely, and don't forget to mention that you have a direct communication line to people holding a 12 gauge shotgun to their kid's forehead. People are surprisingly cooperative when you press the right button. Or in other words, threaten to pull the right trigger...

            Seems the only solution is not to have secrets or possessions worth guarding with security systems. But it's probably still too soon for our society to accept that...

        • Re: (Score:3, Insightful)

          by Nihilanth ( 470467 )

          For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.

          • For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.

            You assume that the device would be rigged to do something to help you in that event. "Warning: Elevated blood pressure detected. Access to secure area denied." (a few seconds later) *BANG!* "Okay, bring me the next one, Terrorist Bob."

            Never assume security is there to help you.

        • Duress code...

          http://en.wikipedia.org/wiki/Duress_code [wikipedia.org]

          • by dkf ( 304284 )

            Duress code...

            How does that save the family held hostage? Or the poor sap with a gun pointed to his head?

          • ...and them someone complains that the duress detection could be fooled by using a mix of mild narcotics.

            My point is people will soon be here to bitch about how all the work you are doing is SOOO stupid.

            And now you can read some examples without even leaving this browser tab!

        • Is there such a thing as an emergency PIN/password? I.e. a secondary password that lets you in just the same, but quietly alerts authorities that you are being coerced? There is an urban legend that says ATM PINs entered backwards do this, but they're just that -- legends.

        • That's not really the point of biometrics. You should technically still use a password. Its something you know, something you have, something you are. The biometric passes the third test but a secure facility would still require the other two. In addition biometric can't be given out. Passwords tend to make the rounds. Of course the most common use of biometrics are in timeclocks to make sure the person is actually present at work.
    • by Anonymous Coward

      No, unless you actually clamp the finger so you can control all the light hitting it, telling hemoglobin oxygen levels by color is overwhelmed by skin color or by anything that calluses the fingers, such as playing guitar, or that keeps them abraded, such as dishwashing. In fact, doing fingerprints on stay-at-home parents with many children presents its own issues.

      A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at h

      • A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]. There is still no fingerprint technology that reliably detects this attack.

        Well, I beg to differ on that particular point. The technology to reliably detect that published attack has been (and is being) shipped in a major OEM's Enterprise level laptops for several years. Call your salesman if you'd like to know if yours has it.

        Unfortunately, not all OEMs that include fingerprint sensors choose to include antispoof features. Most consumer grade laptops, for example, don't. So when you go buy that $300 special down at Best Buy, don't go crowing that you can build a spoof for it -

    • Gives the attacker motive to kill someone with CO poisoning then, it will be read as oxygenation (CN can have a similar effect - also it means anyone going through such a coded lock may not be allowed to have painted fingernails, not that that's such a big deal)
    • by durrr ( 1316311 )

      And skinning a finger to translucency and using your own as a backing, or artificially pumping a blood equivalent fluid through a dead finger is impossible!

    • by mrmeval ( 662166 )

      I have a quote about this I'd stated ... a score ago?

      "The problem with biometrics is keeping the body parts alive." --mrmeval

      And you can quote me. :-P

    • It measures "Pulse Oximetry" which measures the ratio of oxygenated vs. deoxygenated hemoglobin in the blood by measuring infrared absorption at two wavelengths, wavelengths Î1=630 nm and Î2=940 nm. Here's the relevant information from their patent application at line 82, the preferred embodiment of the invention in http://www.faqs.org/patents/app/20120119089 [faqs.org] :
      DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION
      [0082] Basically, the invention is based on the transmission properties of quasi-
      • by Twylite ( 234238 )

        At a glance the patent seems to be for a very specific approach to measuring pulse oximetry. The approach seems near identical to US patent 5737439 Anti-fraud biometric scanner that accurately detects blood flow [google.com]. In any event the basic technique for using pulse oximetry for liveness testing is described in Sandstrom, "Liveness Detection in Fingerprint Recognition Systems", 2004 and Hill & Stoneham, "Practical applications of pulse oximetry", 2000. The use of two IR absorption measurements is not nove

        • Re: The use of two IR absorption measurements is not novel (see patent 5737439).
          ;>)
          correcto, they do in fact cite that particular patent in their own patent. Note the quote I included in my GP post also mentions the use of UV wavelengths too for measuring skin.
    • by flyneye ( 84093 )

      But, if I paste the fingerprint on a shaved section of a little dogs ass, then, not only have I hacked my way in, I have MADE everyone using the lock after me, touch a little dogs ass.
      Filthy technology, go wash your hands.

  • by rodrigoandrade ( 713371 ) on Monday February 25, 2013 @12:55PM (#43005061)

    Does the device only check for pulse or does it also compare to the person's normal blood pressure (which was obtained upon registration into the system) to make sure the person being authenticated isn't being coerced into granting access to unauthorized personnel/burglars, etc???

    • Blood pressure is a wildly varying metric.

      Try it. Measure your blood pressure at various points of the day over a week.

      I'd also be interested how one might reliably check blood pressure with access to only a finger.

      • by Macgrrl ( 762836 )

        I know that when in hospital recently my pulse was monitored by a finger sensor that simply clipped on. So they can measure some degree of blood pressure variation from a finger.

  • IANAL (Score:5, Funny)

    by masao ( 1930368 ) on Monday February 25, 2013 @12:57PM (#43005101)
    How will lawyers use it?
  • by Anonymous Coward on Monday February 25, 2013 @12:58PM (#43005109)

    Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.

    • Sounds like the basis for a start-up!

    • by Nemyst ( 1383049 )

      If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say A) you have bigger problems than authentication and B) we've gone way past current technological levels.

      • If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say

        C) the art of masturbation will probe new dimensions . . .

      • by mark-t ( 151149 )
        An adult hand with even the same DNA as another would still not necessarily have the same fingerprints. Although the precise process by which they are formed is subject to some debate, it is generally agreed that fingerprints are formed by some combination of environmental factors in the womb between roughly the 10th and 17th week of development. Even identical twins, with identical DNA, have distinct fingerprints.
      • by Hatta ( 162192 )

        It's easier than that. Dust for fingerprints and have a 3d printer make a mold for fingers with those fingerprints. Grab a stray hair follicle, and amplify a bunch of DNA using standard protocols. Mix the DNA into some gelatin and pour it into the mold. Run some tubing through the mold hooked up to a perstaltic pump to simulate the pulse.

        This is all achievable with current technology.

    • just sit on top of the microwave to change your DNA or go for a swim in the Spent fuel pool

    • by JigJag ( 2046772 )

      that's why biometrics should be used for the *username* part of authentication and not for the *password* part.

      When presented in front of a login screen, swiping your finger should say: "I know now that you are JigJag. Please enter your password: "

    • One word: retroviral engineering.

    • by eth1 ( 94901 )

      Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.

      A fingerprint is also something convenient that most people have with them at all times that can be used as a second factor for authentication.

      If a PIN/password is good enough, than PIN/password+print would be better in virtually all cases.
      Same for a credit card with no additional checks vs. a card+print

  • And it also protects you data during the zombie apocalypse!

  • Not checking pulse (Score:5, Insightful)

    by crow ( 16139 ) on Monday February 25, 2013 @01:00PM (#43005151) Homepage Journal

    The title is wrong. This is not checking for a pulse. If it were, then people with artificial heart pumps like Dick Cheney wouldn't be able to use it. They are alive, but do not have a pulse.

    That said, I could see something like this checking for a pulse. This brings up the interesting problem of how to handle biometric checks for people who don't have those biometrics. Not everyone has fingers. Not everyone has eyes. Not everyone has a pulse. Maybe you don't care about that, as you don't have any of them among your target users, but what happens when that changes? You need a plan to handle that.

    • by CanHasDIY ( 1672858 ) on Monday February 25, 2013 @01:10PM (#43005313) Homepage Journal

      ...people... like Dick Cheney... are alive...

      That seems debatable.

    • What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.

      • by dgatwood ( 11270 )

        What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.

        You obviously haven't been to an American toy store on Black Friday.

    • by Macgrrl ( 762836 )

      I would speculate that Cheney does have a pulse, even if it is triggered mechanically, as a pulse is the rhythmic pumping of blood around the circulatory system to oxygenate the organs and extremities.

      It might be very rapid and fairly flat (or slow and big), but it would still be there and measurable.

      • by crow ( 16139 )

        My understanding is that he didn't (another poster pointed out that he has since received a heart transplant). I'm under the impression that the artificial heart in question produced a steady flow, more like a fan than a traditional pump. Technically, there would undoubtedly be some variation or vibration that could be considered a pulse, but it's the sort of thing that would be within the noise level of a normal pulse, not something likely to be detected. It would also likely be the case that other move

      • The LVAD doesn't give you a pulse. It uses archimedes screws. However, usually it just assists your heart. In some cases though the patients heart dies off and this is the only thing keeping them alive at which point they lose their pulse.
    • re This is not checking for a pulse.
      .
      Look at the application for the patent assigned to the company involved. The patent details say that it measures the change in oxygenation levels which varies slightly as each heartbeat pumps more blood through the vascular system. Here are some details. (it doesn't measure blood pressure, like some people were guessing above, it measures hemoglobin oxygenation/deoxygenation levels).
      .
      It measures "Pulse Oximetry" [wikipedia.org] which measures the ratio of oxygenated vs. deoxyg
  • Almost worthless (Score:4, Informative)

    by codepigeon ( 1202896 ) on Monday February 25, 2013 @01:01PM (#43005161)
    I actually read the article; what a useless waste of a web page.

    There is only one paragraph that mentions anything about the technology, and that is the paragraph in the summary here.
    The rest reads like filler material and pimping the advantages of investing/working in the upper midwest.

    Lame. I was hoping for more details.
    • by plover ( 150551 )

      I talked to Alan about this a month ago. It's RF based detection of dermal layer blood vessels, not fingerprints. Living tissue is required for the hemoglobins to move.

      That said, his interest is in the financial application of the technology. He's trying to replace the credit card, not simply to produce a hard to forge biometric device.

      • by dgatwood ( 11270 )

        A replacement for credit cards that is even less secure than the current ones doesn't sound like a good idea to me.

        If this is just checking for the presence of capillaries, I can't think of any reason that it couldn't trivially be fooled by a slight tweak to the gummy bear trick in which you stick the glue pattern print onto a shaved elbow instead of a gummy bear.

        If, on the other hand, this is trying to determine who you are based on the pattern of blood vessels, I suspect that the methodology is just plai

      • I don't know Alan, but looking at pictures of the device at http://www.hanscan.com/en/hsc-ac-it2 [hanscan.com] I'd guess that it's a Fingerprint cards RF-based placement scanner (http://www.fingerprints.com/Products/Sensors/FPC1011F.aspx) with an IR pulse detector (for example, http://pulsesensor.myshopify.com/pages/open-hardware [myshopify.com]), wrapped by a bunch of simple software apps for time-and-attendance, low-value shopping, etc.

        Frankly, everyone in the business is trying to replace credit cards; how else can you envision getti

    • re I was hoping for more details.
      .
      Look at the patent application for this assigned to the company involved. It measures the change in oxygenation levels which varies slightly as each heartbeat pumps more blood through the vascular system. Here are some details. (it doesn't measure blood pressure, like some people were guessing above, it measures hemoglobin oxygenation/deoxygenation levels).
      .
      It measures "Pulse Oximetry" [wikipedia.org] which measures the ratio of oxygenated vs. deoxygenated hemoglobin in the blood b
  • by Anonymous Coward

    When will the public realize that all of these biometric systems are defeatable? You're just adding another layer of data that can also be faked. You know what can't easily be faked or spoofed? Sufficiently strong public-key cryptography. So let's get it over with and start assigning giant private keys to everyone on the planet and dealing with the infrastructure issues and loss/replacement stuff (similar to passports today, I imagine). Then it's easy to authenticate anyone: they just sign data with th

  • by boddhisatva ( 774894 ) on Monday February 25, 2013 @01:02PM (#43005179)
    This kind of stuff is good marketing. Useless, but that hasn't stopped anyone from blowing money so far.
  • Now convince criminals that your disembodied fingers won't work. There will always be skeptics. Don't worry, your missing fingers won't do the job for them.
  • Company Korporov Kopinc. announces new device to keep pulse on a dead body hand, the company says this device can bring the real deal on "another world" handshakes.

  • yeah, right (Score:4, Interesting)

    by cellocgw ( 617879 ) <cellocgw&gmail,com> on Monday February 25, 2013 @01:08PM (#43005273) Journal

    Show me a biometric test that can't be spoofed for 10% the cost of the test hardware. Go ahead, I dare ya.
    Fake retinas and fake fingerprints took, what, a couple weeks to show up after their respective scanners went into production? Why should any other sort of bio-scanner/detector be any different?

  • Hey, pal! Does this smell like chloroform to you?
  • by femtobyte ( 710429 ) on Monday February 25, 2013 @01:17PM (#43005393)

    Does this device offer the least bit of protection against the "gummy bear attack" (i.e. a thin molded replica fingerprint, formed from, e.g., etched gelatin, over a living finger)? If not, then it's pretty useless (because lugging around a whole dead body or even severed finger is already riskier/harder than a simple replacement mold).

    • Possibly. My experience is with fingerprint swipe sensors, not fingerprint placement sensors, and with those the gummi bear mold has to be fairly thick to survive a swipe over the sensor. The thickness tends to block the light from such optical sensor, and so the attempt is detected and blocked. With a placement sensor, the gummi bear mold could probably be made thinner; I don't know if it can be made thin enough.

    • by Rich0 ( 548339 )

      As long as you don't have a Gummy bear that has the right IR absorbtion profile, yes it will defeat it.

      However, I can't imagine that if you're going to the trouble to reproduce fingerprints or activate latent ones that you couldn't do it using a material that has the right IR spectrum. Most likely they're just transmitting light and measuring relative absorbance at a few wavelengths, and it should be easy to make a plastic film that passes for blood in this test.

      • I haven't put a gummy bear on a spectrometer to check, but my naive guess is that plain gelatin (which is basically boiled-down skin and connective tissue bits anyway) would already have a very similar transmission profile to skin (e.g. fairly transparent with no strong/distinctive spectral features), so you wouldn't even need to search for fancier materials. Not that a little materials research would likely be a major deterrent to an attacker who is already willing to *murder and hack off body parts* to de

        • And if a thin layer of unblooded skin would block the scan, it would also make it fail when cold or for people with circulation problems. Or, if the skin is sweaty, dirty, etc.

          So a gummy bear mold comes well within required tolerances.

        • by Rich0 ( 548339 )

          Likely the case, but you'd still need to emulate the absorption spectra of oxygenated hemoglobin (to whatever resolution it is actually measured at - which isn't likely to be terribly accurate in a cheap and compact device). Again, probably just a piece of plastic with the right characteristics somewhere in the light path.

          • No, you don't need to "emulate the absorption spectra of oxygenated hemoglobin" --- the whole idea of the "gummy bear attack" is to put a thin fingerprint-replica cover, with material properties extremely similar to a layer of skin, over your real live finger (which provides the color, pulse, temperature, conductivity, elasticity, etc. of a living human, and can be used in plain sight of a security guard monitoring the scanner). A thin gelatin layer is likely to be very difficult to distinguish from a sligh

  • I believe the implied, and correct, is: "Fingerprint Purchasing Technology Ensures Buyer Has an IMPULSE"
  • I read about this at least 10 years ago when some Japanese ATMs were going with fingerprints. They looked at the blood flowing through the skin to make sure they were looking at a live finger and also not just a faked fingerprint on a live finger.
  • by rwyoder ( 759998 ) on Monday February 25, 2013 @01:35PM (#43005611)

    The article was delightfully free of actual info, but I assume they are just adding this: http://en.wikipedia.org/wiki/Pulse_oximetry [wikipedia.org]

  • Yeah, the more expensive fingerprint readers have done this since the late 1980s. They can also tell if a retina was in a removed eye, et cetera.

  • Whoop-de-doo. There are several outfits that have done something similar over the years, including companies that have tens of thousands of fingerprint devices out on the street already. I would be somewhat surprised if the tech covered in this article is not already patented by Lumidigm [lumidigm.com] or somebody like them.

    "Liveness checks" have been a part of fingerprint tech for many years now, ever since the famous "ghosting" attack on the early L-1 and Cross Match sensors. Whoever wrote the article didn't do their ho

  • One would *never* be able to simulate a pulse in a dead finger.

    /s
  • I remember when fingerprint scanners first started getting widespread use people asked about "what if someone lifts my fingerprint, or worse, cuts off my finger?" and the manufacturers all said "Don't worry, it only works on live fingers." Then people tried it and discovered that yes, you can lift someone's fingerprint duplicate it, and the scanner is more than happy to take it. Luckily the latter has not proven popular (I don't know of any case of someone having a body part severed to defeat a biometric
  • Because instead of taping your password to the screen or in your wallet, let's stamp it on everything you touch.

  • It can's detect silicone fingerprints. The cool thing about these, is that you don't have to cut off someones thumb and distracting a salesgirl while you press it to a scanner, you just act like nothing's wrong and thumb away.

    I'm surprised anyone with even half a brain could have decided that a pulse was enough.
    Guns can make people do amazing things, like placing their prints wherever the guy controlling the gun wants them placed.
    You could engineer a pump to drive pulsed blood through the capillaries.
    Heck,

    • You could engineer a pump to drive pulsed blood through the capillaries.
      Heck, you could even heat the blood while you're pumping it. (This device does not detect temperature btw)

      It is a solution, certainly, but wrought with a myriad of flaws. This ought to be a very long time to market I expect. Unless of course, they decide to give the job of redesigning the scanner to someone who's passed the fourth grade.

      I didn't see it above, but this comment is the perfect place for the obligatory xkcd reference:
      http://xkcd.com/538/ [xkcd.com]

      • Bwa haha! I should have seen the obvious connection before I submitted my comment or I'd have made the reference myself. But with good souls like yours, this world shall never lack in welcome sharp minded assistance. ;)

  • what about skimming?

  • I have Raynaud's syndrome. There are times when it's cold and I've gone to the doctor's visit. They put the little gadget on my finger to take a reading and it doesn't work because the ends of my fingers are white. Will suck the first time I can't buy something because of this.

  • What about vampires, zombies, and other undead? How can this fit into a modern multi-vital society?

  • The check-for-life feature is 15-20 years old.
  • ...busted this one already
    http://youtu.be/3Hji3kp_i9k?t=2m42s [youtu.be]
    (that's a finger print lock that's detecting signs of life)

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...