Fingerprint Purchasing Technology Ensures Buyer Has a Pulse
An anonymous reader writes "A small U.S. university has come up with a novel solution to reduce the possibility of using a dead person's hand to get past a fingerprint scanner through the use of hemoglobin detection. The device quickly checks the fingerprint and hemoglobin 'non-intrusively' to verify the identity and whether the individual is alive. This field of research is called Biocryptology and seeks to ensure that biometric security devices can't be easily bypassed."
How about O2? (Score:5, Insightful)
Re: (Score:2)
Probably the same thing. Use a garden variety pulse oximeter which measures the IR spectrum of hemoglobin molecules. Oxygenated ones have a slightly different spectrum than deoxygenated molecules.
Sounds like a PITA to remove the remote possibility of being Beuhler'd. But it probably got a patent.
Re: (Score:2)
Achkkk. Phphhht. Read TFA. The school in question didn't even develop the technology, they're just beta testing it.
Such news!
Next up....
Well, I got nothing.
Re: (Score:2)
Next up....
Well, I got nothing.
Just like TFA. I say you submit it!
Re:How about O2? (Score:5, Insightful)
Passwords, someone complains you can just beat people with wrenches.
Biometrics, someone complains you can just cut off a body part.
Biometrics with life detection, someone complains the system can't detect if the person's family is being held hostage....
Re: (Score:2)
Re: (Score:1)
Who said anything about dragging? Just ask politely, and don't forget to mention that you have a direct communication line to people holding a 12 gauge shotgun to their kid's forehead. People are surprisingly cooperative when you press the right button. Or in other words, threaten to pull the right trigger...
Seems the only solution is not to have secrets or possessions worth guarding with security systems. But it's probably still too soon for our society to accept that...
Re: (Score:3, Insightful)
For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.
Re: (Score:2)
For the last bit, this is probably a desired feature. You'd -want- the device to be able to detect if you're under duress.
You assume that the device would be rigged to do something to help you in that event. "Warning: Elevated blood pressure detected. Access to secure area denied." (a few seconds later) *BANG!* "Okay, bring me the next one, Terrorist Bob."
Never assume security is there to help you.
Re: (Score:2)
Fuck that shit. Too complex, too delicate.
Skin resistance using contacts built into the fingerprint-reader; microphone for breathing rate (arrange the wall-mounted reader so that you've got to have your mouth in a certain place, where the microphone is, for signal-to-noise ratio improvement. Say, use two fingerprint readers a metre apart, to be operated simultaneously; put microphone in wall 0.75m above the midpoint of the two fingerprint sen
Re: (Score:2)
Duress code...
http://en.wikipedia.org/wiki/Duress_code [wikipedia.org]
Re: (Score:2)
Duress code...
How does that save the family held hostage? Or the poor sap with a gun pointed to his head?
Re: (Score:2)
...and then someone complains that the duress detection could be fooled by using a mix of mild narcotics.
My point is people will soon be here to bitch about how all the work you are doing is SOOO stupid.
And now you can read some examples without even leaving this browser tab!
Re: (Score:2)
Is there such a thing as an emergency PIN/password? I.e. a secondary password that lets you in just the same, but quietly alerts authorities that you are being coerced? There is an urban legend that says ATM PINs entered backwards do this, but they're just that -- legends.
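A sketch of how a verifier can support the kind of emergency PIN asked about above (the "duress code" linked earlier in the thread), as an added example that is not part of the thread or of any product it mentions. The names `enroll`, `authenticate` and `alert_sink`, the PBKDF2 work factor and the lockout limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000   # assumed work factor for this sketch
MAX_FAILURES = 3          # assumed lockout limit


def derive(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen record does not reveal either PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes
    failures: int = 0


@dataclass(frozen=True)
class AuthResult:
    granted: bool   # the only field the terminal is allowed to see
    duress: bool    # stays on the back end


def enroll(user: str, normal_pin: str, duress_pin: str) -> Account:
    if normal_pin == duress_pin:
        raise ValueError("duress PIN must differ from the normal PIN")
    salt = os.urandom(16)
    return Account(user, salt, derive(normal_pin, salt), derive(duress_pin, salt))


def authenticate(account: Account, pin: str, alert_sink: list) -> AuthResult:
    """alert_sink is a hypothetical stand-in for a silent alarm queue."""
    if account.failures >= MAX_FAILURES:
        return AuthResult(False, False)
    candidate = derive(pin, account.salt)
    # Run both constant-time comparisons on every attempt so response time
    # does not show which of the two PINs (if any) matched.
    is_normal = hmac.compare_digest(candidate, account.normal_hash)
    is_duress = hmac.compare_digest(candidate, account.duress_hash)
    if not (is_normal or is_duress):
        account.failures += 1
        return AuthResult(False, False)
    account.failures = 0
    if is_duress:
        # Access is still granted; only the back end learns about the coercion.
        alert_sink.append({"user": account.user, "event": "duress_pin_used"})
    return AuthResult(True, is_duress)


def terminal_response(result: AuthResult) -> str:
    """What the keypad shows: identical for normal and duress logins."""
    return "ACCESS GRANTED" if result.granted else "ACCESS DENIED"


if __name__ == "__main__":
    alerts = []
    acct = enroll("alice", "4821", "4822")   # constructed sample PINs
    for pin in ("4821", "4822", "0000"):
        res = authenticate(acct, pin, alerts)
        print(pin, terminal_response(res), "alerts:", len(alerts))
```

The property that matters is that the person at the keypad cannot tell the two successful outcomes apart; the alert travels on a separate channel.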
Re: (Score:2)
Re: (Score:2)
Isn't it hunter2? I thought that was the default password for the internets.
Re: (Score:1)
No, unless you actually clamp the finger so you can control all the light hitting it, telling hemoglobin oxygen levels by color is overwhelmed by skin color or by anything that calluses the fingers, such as playing guitar, or that keeps them abraded, such as dishwashing. In fact, doing fingerprints on stay-at-home parents with many children presents its own issues.
A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at h
Re: (Score:2)
A pulse is easier to detect by movement, but is still useless against the "gummy worm" fake fingerprint attack, documented over a decade ago at http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]. There is still no fingerprint technology that reliably detects this attack.
Well, I beg to differ on that particular point. The technology to reliably detect that published attack has been (and is being) shipped in a major OEM's Enterprise level laptops for several years. Call your salesman if you'd like to know if yours has it.
Unfortunately, not all OEMs that include fingerprint sensors choose to include antispoof features. Most consumer grade laptops, for example, don't. So when you go buy that $300 special down at Best Buy, don't go crowing that you can build a spoof for it -
Re: (Score:2)
Re: (Score:2)
And skinning a finger to translucency and using your own as a backing, or artificially pumping a blood equivalent fluid through a dead finger is impossible!
Re: (Score:2)
I have a quote about this I'd stated ... a score ago?
"The problem with biometrics is keeping the body parts alive." --mrmeval
And you can quote me. :-P
It does measure Oxygen saturation to deduce pulse (Score:2)
Re: (Score:2)
At a glance the patent seems to be for a very specific approach to measuring pulse oximetry. The approach seems near identical to US patent 5737439 Anti-fraud biometric scanner that accurately detects blood flow [google.com]. In any event the basic technique for using pulse oximetry for liveness testing is described in Sandstrom, "Liveness Detection in Fingerprint Recognition Systems", 2004 and Hill & Stoneham, "Practical applications of pulse oximetry", 2000. The use of two IR absorption measurements is not nove
Re: (Score:2)
;>)
correcto, they do in fact cite that particular patent in their own patent. Note the quote I included in my GP post also mentions the use of UV wavelengths too for measuring skin.
Re: (Score:2)
But, if I paste the fingerprint on a shaved section of a little dog's ass, then, not only have I hacked my way in, I have MADE everyone using the lock after me, touch a little dog's ass.
Filthy technology, go wash your hands.
Re: (Score:3)
Erm, no? HIPAA talks about medical records. If all you're doing is keeping a particular biometric, that would not fall under HIPAA.
Re: (Score:2)
That'll get shot down because it'll violate HIPAA regulations. Collecting medical data without sufficient privacy safeguards.
The ignorance is astounding. HIPAA only applies to medical professionals (and even then, only those who conduct business electronically, which in practice means everyone, but in theory, some backwoods doctor with a paper-only record keeping system, accepting only cash for payment, and no land line could POSSIBLY skirt the law)
There is no law in the United States which generally proh
Re: (Score:2)
You know, that is the funny thing about laws.... They can and often do change. I believe all biometrics stored electronically should have the protections of HIPAA. So much can be learned from them that if they fall into the wrong hands can be just as devastating as if a hospital released all your files. Things like this scanner that ca
Gun to the Head (Score:3)
Does the device only check for pulse or does it also compare to the person's normal blood pressure (which was obtained upon registration into the system) to make sure the person being authenticated isn't being coerced into granting access to unauthorized personnel/burglars, etc???
Re: (Score:3)
Blood pressure is a wildly varying metric.
Try it. Measure your blood pressure at various points of the day over a week.
I'd also be interested how one might reliably check blood pressure with access to only a finger.
Re: (Score:2)
I know that when in hospital recently my pulse was monitored by a finger sensor that simply clipped on. So they can measure some degree of blood pressure variation from a finger.
Re: (Score:3)
One would hope the cashier would notice. After all, the assailant can only point the gun in one direction.
Ee's not dead! Ee's just pining for the fjords!
Re: (Score:2)
If this device is being used at a location where a human cashier is working, just get the cashier to look at the thumb pad while the person is pressing their thumb against it. If the employee sees a thumb being held in another set of fingers, or sees a thumb whose tip shows signs of being surgically stitched onto a stub, he or she presses the "Hold transaction" button on the register and asks for ID or calls the police as appropriate. The additional check would be needed for locations where there is no huma
Re: (Score:3, Funny)
If someone's using a severed hand to pay for gas, I think your gas station might have bigger problems.
Re: (Score:2)
... sees a thumb whose tip shows signs of being surgically stitched onto a stub
What if the customer is wearing fingerless gloves? He could hide the surgical stitch underneath the glove, but the end of the thumb would still be exposed and readable by the machine.
IANAL (Score:5, Funny)
Biometric Authentication is a bad idea. (Score:5, Insightful)
Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.
Re: (Score:3)
Sounds like the basis for a start-up!
Re: (Score:3)
If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say A) you have bigger problems than authentication and B) we've gone way past current technological levels.
Re: (Score:2)
If someone manages to recreate your DNA and then recreate an adult hand from that, I'd say
C) the art of masturbation will probe new dimensions . . .
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's easier than that. Dust for fingerprints and have a 3d printer make a mold for fingers with those fingerprints. Grab a stray hair follicle, and amplify a bunch of DNA using standard protocols. Mix the DNA into some gelatin and pour it into the mold. Run some tubing through the mold hooked up to a peristaltic pump to simulate the pulse.
This is all achievable with current technology.
Re: (Score:2)
just sit on top of the microwave to change your DNA or go for a swim in the Spent fuel pool
Re: (Score:2)
that's why biometrics should be used for the *username* part of authentication and not for the *password* part.
When presented in front of a login screen, swiping your finger should say: "I know now that you are JigJag. Please enter your password: "
Re: (Score:2)
One word: retroviral engineering.
Re: (Score:2)
Here's a good reason why: What happens when someone manages to steal your password? You change it. What happens when someone managed to recreate your DNA or other biological identifier used for authentication? Good luck getting new DNA or fingerprints.
A fingerprint is also something convenient that most people have with them at all times that can be used as a second factor for authentication.
If a PIN/password is good enough, then PIN/password+print would be better in virtually all cases.
Same for a credit card with no additional checks vs. a card+print
Protects against zombies (Score:2)
And it also protects your data during the zombie apocalypse!
Not checking pulse (Score:5, Insightful)
The title is wrong. This is not checking for a pulse. If it were, then people with artificial heart pumps like Dick Cheney wouldn't be able to use it. They are alive, but do not have a pulse.
That said, I could see something like this checking for a pulse. This brings up the interesting problem of how to handle biometric checks for people who don't have those biometrics. Not everyone has fingers. Not everyone has eyes. Not everyone has a pulse. Maybe you don't care about that, as you don't have any of them among your target users, but what happens when that changes? You need a plan to handle that.
Re:Not checking pulse (Score:5, Funny)
...people... like Dick Cheney... are alive...
That seems debatable.
Re: (Score:2)
What I couldn't figure out was the emphasis on shopping; I thought these applications were for security. Cutting someone's hand off to make purchases seems a bit extreme.
Re: (Score:2)
You obviously haven't been to an American toy store on Black Friday.
Re: (Score:2)
I would speculate that Cheney does have a pulse, even if it is triggered mechanically, as a pulse is the rhythmic pumping of blood around the circulatory system to oxygenate the organs and extremities.
It might be very rapid and fairly flat (or slow and big), but it would still be there and measurable.
Re: (Score:2)
My understanding is that he didn't (another poster pointed out that he has since received a heart transplant). I'm under the impression that the artificial heart in question produced a steady flow, more like a fan than a traditional pump. Technically, there would undoubtedly be some variation or vibration that could be considered a pulse, but it's the sort of thing that would be within the noise level of a normal pulse, not something likely to be detected. It would also likely be the case that other move
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
.
Look at the application for the patent assigned to the company involved. The patent details say that it measures the change in oxygenation levels which varies slightly as each heartbeat pumps more blood through the vascular system. Here are some details. (it doesn't measure blood pressure, like some people were guessing above, it measures hemoglobin oxygenation/deoxygenation levels).
.
It measures "Pulse Oximetry" [wikipedia.org] which measures the ratio of oxygenated vs. deoxyg
Re: (Score:2)
Wait, are you sure he received an implant and didn't just demand it from some 3rd world orphan to pay off a family debt?
Re: (Score:2)
My point isn't that this isn't an interesting technology. It's that we need to be careful in designing systems to watch out for the edge cases. As long as there's a plan in place for handling them, everything is fine.
And of course you see this sort of comment on Slashdot. I work as a software engineer. If I ignored a case that was only a ten in a million case (0.001%), I would be flooded with field issues. In the real world, you can test for the common cases, but you have to design for the tricky ones.
Almost worthless (Score:4, Informative)
There is only one paragraph that mentions anything about the technology, and that is the paragraph in the summary here.
The rest reads like filler material and pimping the advantages of investing/working in the upper midwest.
Lame. I was hoping for more details.
Re: (Score:2)
I talked to Alan about this a month ago. It's RF based detection of dermal layer blood vessels, not fingerprints. Living tissue is required for the hemoglobins to move.
That said, his interest is in the financial application of the technology. He's trying to replace the credit card, not simply to produce a hard to forge biometric device.
Re: (Score:3)
A replacement for credit cards that is even less secure than the current ones doesn't sound like a good idea to me.
If this is just checking for the presence of capillaries, I can't think of any reason that it couldn't trivially be fooled by a slight tweak to the gummy bear trick in which you stick the glue pattern print onto a shaved elbow instead of a gummy bear.
If, on the other hand, this is trying to determine who you are based on the pattern of blood vessels, I suspect that the methodology is just plai
Re: (Score:2)
I don't know Alan, but looking at pictures of the device at http://www.hanscan.com/en/hsc-ac-it2 [hanscan.com] I'd guess that it's a Fingerprint cards RF-based placement scanner (http://www.fingerprints.com/Products/Sensors/FPC1011F.aspx) with an IR pulse detector (for example, http://pulsesensor.myshopify.com/pages/open-hardware [myshopify.com]), wrapped by a bunch of simple software apps for time-and-attendance, low-value shopping, etc.
Frankly, everyone in the business is trying to replace credit cards; how else can you envision getti
Look at the patent application (Score:2)
.
Look at the patent application for this assigned to the company involved. It measures the change in oxygenation levels which varies slightly as each heartbeat pumps more blood through the vascular system. Here are some details. (it doesn't measure blood pressure, like some people were guessing above, it measures hemoglobin oxygenation/deoxygenation levels).
.
It measures "Pulse Oximetry" [wikipedia.org] which measures the ratio of oxygenated vs. deoxygenated hemoglobin in the blood b
Arms Race? (Score:1)
When will the public realize that all of these biometric systems are defeatable? You're just adding another layer of data that can also be faked. You know what can't easily be faked or spoofed? Sufficiently strong public-key cryptography. So let's get it over with and start assigning giant private keys to everyone on the planet and dealing with the infrastructure issues and loss/replacement stuff (similar to passports today, I imagine). Then it's easy to authenticate anyone: they just sign data with th
Does it check to see if he has a gun to head? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Too late to matter (Score:2)
Meanwhile.... (Score:2)
Company Korporov Kopinc. announces new device to keep pulse on a dead body hand, the company says this device can bring the real deal on "another world" handshakes.
yeah, right (Score:4, Interesting)
Show me a biometric test that can't be spoofed for 10% the cost of the test hardware. Go ahead, I dare ya.
Fake retinas and fake fingerprints took, what, a couple weeks to show up after their respective scanners went into production? Why should any other sort of bio-scanner/detector be any different?
Re: (Score:2)
Because no one has ever gotten past a guard by wearing a uniform and carrying a large box. Or by bribing them. Or by threatening them or their family (we are talking about chopping people's fingers off to use in a fingerprint scanner). Or by faking an ID. And so on.
I already know how to crack that lock (Score:2)
Gummy bear attack (Score:3)
Does this device offer the least bit of protection against the "gummy bear attack" (i.e. a thin molded replica fingerprint, formed from, e.g., etched gelatin, over a living finger)? If not, then it's pretty useless (because lugging around a whole dead body or even severed finger is already riskier/harder than a simple replacement mold).
Re: (Score:2)
Possibly. My experience is with fingerprint swipe sensors, not fingerprint placement sensors, and with those the gummi bear mold has to be fairly thick to survive a swipe over the sensor. The thickness tends to block the light from such an optical sensor, and so the attempt is detected and blocked. With a placement sensor, the gummi bear mold could probably be made thinner; I don't know if it can be made thin enough.
Re: (Score:2)
As long as you don't have a Gummy bear that has the right IR absorption profile, yes it will defeat it.
However, I can't imagine that if you're going to the trouble to reproduce fingerprints or activate latent ones that you couldn't do it using a material that has the right IR spectrum. Most likely they're just transmitting light and measuring relative absorbance at a few wavelengths, and it should be easy to make a plastic film that passes for blood in this test.
Re: (Score:2)
I haven't put a gummy bear on a spectrometer to check, but my naive guess is that plain gelatin (which is basically boiled-down skin and connective tissue bits anyway) would already have a very similar transmission profile to skin (e.g. fairly transparent with no strong/distinctive spectral features), so you wouldn't even need to search for fancier materials. Not that a little materials research would likely be a major deterrent to an attacker who is already willing to *murder and hack off body parts* to de
Re: (Score:2)
And if a thin layer of unblooded skin would block the scan, it would also make it fail when cold or for people with circulation problems. Or, if the skin is sweaty, dirty, etc.
So a gummy bear mold comes well within required tolerances.
Re: (Score:2)
Likely the case, but you'd still need to emulate the absorption spectra of oxygenated hemoglobin (to whatever resolution it is actually measured at - which isn't likely to be terribly accurate in a cheap and compact device). Again, probably just a piece of plastic with the right characteristics somewhere in the light path.
Re: (Score:2)
No, you don't need to "emulate the absorption spectra of oxygenated hemoglobin" --- the whole idea of the "gummy bear attack" is to put a thin fingerprint-replica cover, with material properties extremely similar to a layer of skin, over your real live finger (which provides the color, pulse, temperature, conductivity, elasticity, etc. of a living human, and can be used in plain sight of a security guard monitoring the scanner). A thin gelatin layer is likely to be very difficult to distinguish from a sligh
Re: (Score:2)
Oh, gotcha. That would obviously work.
I think the header to this article has a typo (Score:1)
10 years old (Score:2)
Are they adding a pulse oximeter? (Score:3)
The article was delightfully free of actual info, but I assume they are just adding this: http://en.wikipedia.org/wiki/Pulse_oximetry [wikipedia.org]
Slashvertisement without research (Score:2)
Yeah, the more expensive fingerprint readers have done this since the late 1980s. They can also tell if a retina was in a removed eye, et cetera.
Old idea (Score:2)
Whoop-de-doo. There are several outfits that have done something similar over the years, including companies that have tens of thousands of fingerprint devices out on the street already. I would be somewhat surprised if the tech covered in this article is not already patented by Lumidigm [lumidigm.com] or somebody like them.
"Liveness checks" have been a part of fingerprint tech for many years now, ever since the famous "ghosting" attack on the early L-1 and Cross Match sensors. Whoever wrote the article didn't do their ho
Sure (Score:2)
/s
So they're finally going to deliver? (Score:2)
Re: (Score:2)
Be enlightened:
http://www.bimmerfest.com/forums/archive/index.php/t-93096.html [bimmerfest.com]
Biometric security (Score:2)
Because instead of taping your password to the screen or in your wallet, let's stamp it on everything you touch.
Easy to fool. (Score:2)
It can't detect silicone fingerprints. The cool thing about these is that you don't have to cut off someone's thumb and distract a salesgirl while you press it to a scanner, you just act like nothing's wrong and thumb away.
I'm surprised anyone with even half a brain could have decided that a pulse was enough.
Guns can make people do amazing things, like placing their prints wherever the guy controlling the gun wants them placed.
You could engineer a pump to drive pulsed blood through the capillaries.
Heck,
Re: (Score:2)
You could engineer a pump to drive pulsed blood through the capillaries.
Heck, you could even heat the blood while you're pumping it. (This device does not detect temperature btw)
It is a solution, certainly, but wrought with a myriad of flaws. This ought to be a very long time to market I expect. Unless of course, they decide to give the job of redesigning the scanner to someone who's passed the fourth grade.
I didn't see it above, but this comment is the perfect place for the obligatory xkcd reference:
http://xkcd.com/538/ [xkcd.com]
Re: (Score:2)
Bwa haha! I should have seen the obvious connection before I submitted my comment or I'd have made the reference myself. But with good souls like yours, this world shall never lack in welcome sharp minded assistance. ;)
what about skimming? (Score:2)
what about skimming?
Won't always work with me. (Score:2)
I have Raynaud's syndrome. There are times when it's cold and I've gone to the doctor's visit. They put the little gadget on my finger to take a reading and it doesn't work because the ends of my fingers are white. Will suck the first time I can't buy something because of this.
Dead Rights (Score:2)
What about vampires, zombies, and other undead? How can this fit into a modern multi-vital society?
How differs from digitalpersona uareu c. 1997 ? (Score:2)
Mythbusters (Score:2)
...busted this one already
http://youtu.be/3Hji3kp_i9k?t=2m42s [youtu.be]
(that's a finger print lock that's detecting signs of life)
Re: (Score:2)
Well, yes, they have. We build fingerprint swipe sensors where that attack is meaningless - the sensing surface is a single line that you "swipe" your finger across. Your suggested attack would, in the absolute worst case, cause the capture of a 50 micron tall line across the finger. Good luck getting that to match.
There are roughly a gajillion different designs of fingerprint sensors that have been built over the last 30 years. Many of them can be spoofed trivially (such as your attack), others are far
Re: (Score:2)
Next to each machine will be an armed guard and a vat of acetone that the customer will be required to dip their hand into before performing the transaction.