Biometric Payment Arrives in a Store Near You 206
"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"
Uhh... (Score:5, Insightful)
Because you leave them on everything you touch?
Re:Uhh... (Score:2, Funny)
Re:Uhh... (Score:2)
Re:Uhh... (Score:3, Funny)
Re:Uhh... (Score:5, Insightful)
Re:Uhh... (Score:2)
Quoth Helena Bonham Carter in Fight Club:
"They're inside burning their fingerprints off with lye. The smell is terrible."
A little more painful than cutting up a credit cArd, granted. At least to some people.
Re:Uhh... (Score:5, Insightful)
And you can't stop the production of gummy bears [extremetech.com]
I could probably travel the world on a single package of gummy bears and a set of prints lifted from the sides of soda cans, tossed in the trash outside the convenience store.
Just remember though, outlaw gummy bears, and only outlaws will have gummy bears.
Re:Uhh... (Score:2)
(eeeeeeeeeeeeewwwwwwww)
Re:Uhh... (Score:2)
Re:Uhh... (Score:3, Insightful)
Re:Uhh... (Score:2)
Which is why you imprint the alternate fingerprint on a adhesive film and put it on your own finger.
Re:Uhh... (Score:3, Informative)
Re:Uhh... (Score:3, Interesting)
Somebody please correct me if I am wrong, but this is nowhere as safe as a private/public key. If the external party saved your public key, there is no worry. However, your fingerprint does not have two version, one being public, and one being private for signing. On the bright side, they can combine a pin number with the finger
Re:Uhh... (Score:2)
Haven't tried it myself, though. I use Peapod.
Re:Uhh... (Score:2)
thoughts (Score:3, Informative)
From the article:
WTF? How can they say that? Don't they know how many times each day people lose their fingers? Not to mention the countless times people give each other the finger! (Done so a few times myself.)
Also:
I experienced this at Epcot... in Orlando. I don't know if it was in its experimental phase, but it introduced lots of confusion as people entered the park. And, it was not clear how or where it was used the rest of the time we were in the park -- if it was exclusively to prevent abuse, so be it, but it was an eerie experience at the gates.
I do wonder about the statement: (FTA)
How can that be? I know my prints are on file (Top Secret clearance, cool!), but I wonder how these prints would differ. Are they storing some kind of hash with no backup of the original scan or image? Weird, but doubtful.I think this is great technology as people get more comfortable with it. I would (and do) worry about how soon people get good at counterfeiting fingerprints. Thought I'd read a couple of articles on that very hack and that hacking fingerprints turned out not to be too very hard. Any resources on that?
Regardless, great point about it not being that much different (and quite a bit less likely to wander off) from keychain fobs, credit cards, etc.
Company pledges (Score:5, Insightful)
I read this line too and it made me want to scream. "Company pledges" are worth exactly shit these days. "We pledge to protect your privacy and retain the right to alter this pledge at any time." "We pledge to never sell or distribute all of this personal information that we insist on gathering, really, unless we're bought out by another company that doesn't pledge this."
I don't want pledges. I don't want them to have this info, period. I don't want to receive marketing from them any more than I want it from third parties.
Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for marketing purposes of any sort."
Those are some pledges that I'd be slightly more inclined to believe.
Re:Company pledges (Score:5, Insightful)
These days you have to assume that any item of data you give to anyone is insecure from that point on.
Re:Company pledges (Score:2)
Re:Company pledges (Score:2)
Of course, with fingerprints the problem is that everyone from the police to the bum in the park picking up your discarded soda can has that info. Period.
And the real bitch is that as idiots like this company and politicians and law-enforcement yearning for easy solutions start making biometrics like DNA and fingerprints prevalent in society, the incidence and ease of forgeries will make the current card skimming frauds look like a fart in a shitstorm.
Re:thoughts (Score:5, Informative)
That should read "The current management of the company pledges not to sell or rent
http://www.paybytouch.com/privacy_policy.html [paybytouch.com]
Notification of Changes
If we make material changes to this policy, we will notify you here, by email, or by means of a notice on the Pay By Touch homepage so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we may disclose it. We will update our privacy policy from time to time.
Notice the OR, they can change their TOS any time and promise to change their TOS page accordingly.
Pay By Touch may share your personal information with companies that Pay By Touch contracts to privately and securely verify your identity, process your payments, cash your checks, and prevent fraudulent use of the Pay By Touch services.
We all know how secure third parties are.
"In some cases Pay By Touch may provide algorithm or sensor vendor partners who have entered into confidentiality agreements with Pay By Touch with anonymous biometric scans. These companies use the anonymous test scans only to develop, test, modify and improve the performance of their hardware and software products related to the Pay By Touch services. These test scans are not linked to any personally-identifiable identity or account information."
Er, they are fingerprints, how anonymous are fingerprints!
http://www.paybytouch.com/member_terms.html [paybytouch.com]
THE PAY BY TOUCH SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES OR REPRESENTATIONS WHATEVER OF ANY KIND, WHETHER EXPRESS OR IMPLIED. Pay By Touch will not be liable or responsible for any damage or injury caused by your use of the Service.
Great, that's the feel good factor !
Re:thoughts (Score:3, Insightful)
I'm not particularly comfortable with it still.
As someone else said, your fingerprints are everywhere.
Say this does become wide spread. Everyone's using it. I go into a high dollar sto
Re:thoughts (Score:2)
Re:thoughts (Score:3, Informative)
Over the years, I've sent girlfriend's out with my credit card to buy things. Only once has one been refused. It's pretty obvious that it's a guy's name on the card, and a girl trying to use it. Even if they checked ID's, they'd see the last names weren't even similar.
Re:thoughts (Score:2)
Re:thoughts (Score:2)
So let's assume the FBI wanted to figure out who a person with those characteristics were. What do you think the FBI would do? They would contact Pay By Touch, and Pay By Touch would give them the data they wanted.
It doesn't matter at all if it's not "the same". If it's some kind of hash, it still uniquely identifies the customer from their fingerprint, and would be useful to law enforcement. If it's some other way of identifying people from f
Re:thoughts (Score:2, Informative)
There are two reasons why the fingerprints are different. The first is that they don't store the fingerprint or any image of the finger print, they run a filter to make the initial image black and white(no grays). Then they run an edge detection filter to make the lines obvious. An algor
Re:thoughts (Score:3, Insightful)
All they have to do is use your equipment to generate a matching graph of the fingerprint in question, and the police can match against your records that way. In other words,
Re:thoughts (Score:2)
Me too, there is a thriving business in Florida selling used tickets. The people on the gates of Disney simply wave you through if the fingerprint machine flags a problem. The machine let me through even though I bought a dog eared ticket from some dude in a hot-air-balloon shaped kiosk.
Just one more point:
Holy Shit! The (failed) Beagle Mars lander only cost 40 million GBP ($71 million) to launch and was a much better idea IMHO.
Re:thoughts (Score:2)
I haven't gotten a chance to do much digginng into fingerprint recognition, but it appears to be based on the anomolies in your prints. There's probably a name for them... spots where there are enclosing circ
Gummibears anyone? (Score:5, Informative)
system that was tried a year or so ago? It could be faked out REALLY easily
using a Gummibear.
I can't find the slashdot story - but check this out for example:
http://www.theregister.com/2002/05/16/gummi_bears
Does this new gizmo do something magical to avoid this rather easy attack?
Just google gummibear and fingerprint and you'll find a gazillion How To
articles.
If the biometrics guys are 'a bit puzzled by customer privacy fears" then
they are horribly ill-informed!
I can avoid leaving my credit card lying around for someone to steal - but
it's very hard indeed to avoid leaving my fingerprints in all sorts of
public places. If I could find out how to defeat their scanner so easily
with about 10 seconds of Googling - you can be very sure that the bad guys
will be lining up.
Re:Gummibears anyone? (Score:4, Funny)
Also, do you know how old that gummy bear is? You might be touching an under-aged gummy bear.
One might have a gummy bear fetish. (hrmpphph they are tasty.....)
Re:Gummibears anyone? (Score:2)
Re:Gummibears anyone? (Score:2)
Re:Gummibears anyone? (Score:2)
Re:Gummibears anyone? (Score:2)
Yes - I did read it. As I understand it, the process is:
1) Use some cyanoacrylate (superglue) - just as the police forensics guys do - to 'develop' the latent print into something you can see.
2) Photograph it with a regular digital camera.
3) Print the photo (using your compute
Re:Gummibears anyone? (Score:4, Informative)
"Gummibear fingerprints" are not certainly not FUD (although they're not made from real gummibears.) They're a real attack that's easy to make, and fun to eat!
The reasons they'd work so well for fraud are numerous. First, while it's pretty easy to keep track of your fingers, it's virtually impossible to "guard" your fingerprints. You leave them everywhere -- your phone, doorknobs, keyboards, dishes, plastic bags, everywhere. It just takes a little bit of "Hardy Boys Detective Handbook" work to photograph them. Making a circuit board from a photograph is something I did a lot in 7th grade, but nowdays digital cameras and laser printers are more common than photographic enlargers. And even I can mix up gelatin without burning down the kitchen.
The neat thing is that gelatin itself is the ideal material for forging fingerprints. It is simply animal protein (it's pretty much ground up cow hooves and collagen, if you want the real details.) It's biotic matter, so it has roughly the same electrical capacitive properties as human skin. It's thin and transparent, so a "pulse detector" that senses the infrared pulses given off by circulating blood can see right through it. And if you wet it, it's kind of sticky and can easily be applied to the fingertips before heading to the cash register. Once applied, they're virtually impossible to see. Gelatin is almost indistinguishable in every way from human skin.
Everything that a fingerprint scanner can be built to look for (at a cheap enough price to sell to grocery stores) is right there on your fingertip. Even if the alarm bells sounded and the guards came running, you'd still have time to pop your finger into your mouth and eat the evidence.
Re:Something else just as stupid (Score:2)
My bank requires that their customers provide a password so that they can "verify" who their dealing with over the phone, or even at the teller line. Here's the funny part...the tellers will just ask, out in the open, "what's your password?" and the customers just stand there and blurt them out for anyone to hear. It's the dumbest form of "security" I've seen.
Re:Gummibears anyone? (Score:2)
It's not enough to make it a bit harder - you have to make it virtually impossible.
Worse still - once someone has cloned your fingerprint, what do you do about it? If someone clones your credit card you can phone the card company and they put a stop on that card and issue a new one. Thi
Re:Gummibears anyone? (Score:2)
The cost of shopping.... (Score:5, Funny)
In Other News (Score:5, Funny)
Film at 11:00.
Re:In Other News (Score:2)
Fingerprints are less reliable ... (Score:4, Interesting)
Re:Fingerprints are less reliable ... (Score:2)
Re:Fingerprints are less reliable ... (Score:3, Insightful)
Re:Fingerprints are less reliable ... (Score:2)
The Pay-By-Touch salesman wasn't referring to the "oily fingerprints left as evidence at the scene of a crime", he was referring to the actual ridges and whorls on the surface of the skin. The PBT reader doesn't look for skin oils, it just reads the surface profile looking at the ridges, intersections and islands. The pineapple pickers simply don't have any texture at all on their fingertips.
Don't they watch murder shows? (Score:5, Interesting)
Just look at murder victims whose hands have been lopped off to hide their identities. It doesn't take much of a (morbid) leap of logic that someone could hold onto a thumb, and surrepticiously use it to withdraw someone's entire finances.
Uh, no. (Score:2)
Re:Uh, no. (Score:2)
Well, you can expect them to close that loophole before too much longer. It's a pretty obvious next step. Banks already report you to the feds if you simply use too much of it.
People will reject it (Score:2)
Let's face it... biometric authentication/payment is really cool. As long as I can be sure the cryptographic basis of it is secure (i.e., that my fingerprint can't be recreated from it), I would be comfortable using it. But you know, most of the world is stupid and doesn't understand this kind of stuff, or has stupid opinions about it, and will be afraid of it. I understand that people are afraid about invasion of privacy and identity theft, but the issue should be "Are we sure that company $X's implemen
Re:People will reject it (Score:2)
Re:People will reject it (Score:2)
Yeah. That's a good excuse, I agree. But my point was that the majority of the population will reject it because it is "creepy" to them, without considering how it actually works or the real risks and rewards.
What someone needs to do is create a smart card with a built-in fingerprint reader and PIN pad, so you can use your own, totally secure device. It will authenticate you using the PIN and fingerprint, and then allow you to cryptographically authenticate to another device (e.g. the payment system at
Re:People will reject it (Score:2)
Re:People will reject it (Score:2)
Don't mind me, I'm just buying some powder, a makeup brush and tape. Don't mind my friend in line ahead of you, he's just testing out his new windex on the fingerprint reader to make sure the bottle isn't defective.
I'm not "stupid" but I do have opinions of this. Based on their demo [paybytouch.com] (flash) they use a simple pad-based scanner where you press your finger, rather tha
Re:People will reject it (Score:2)
Oh. That's stupid, the swipe-based ones are more secure, take less space, are cheaper to build (I would suspect a row of LED's and optical sensors is cheaper than an entire grid of them or a small camera), and look niftier.
But it could be.used by them! (Score:2, Interesting)
But just watch...it could be USED by law enforcement in about ten seconds!
California has required you to give a scanned fingerprint for years just to get or renew your driver's license. I've always wondered how many divisions of law enforcement now have MY fingerprint in their dtatbase. When I asked the guy at the DMV, he said he didn't know, but was SURE that law enforcement could access the
Mugger steals credit card: bad (Score:3, Funny)
Re:Mugger steals credit card: bad (Score:2)
The other two issues that I think are more important (and mentioned already above) are:
* Your fingerprint is basically public information - you leave a copy of it on everything you touch
* Unlike a bank card or a password, it cannot be changed once it is compromised.
Together thes
Re:Mugger steals credit card: bad (Score:2)
Credit card fraud cases don't get much attention since they are a dime a dozen. Violent assault cases get much more attention, and thus have a much greater chance of getting caught. I think most criminals willing to attack a human and take their finger would find the risk outweighs any potential gains.
Re:Mugger steals credit card: bad (Score:2)
The argument is that stealing a wallet has, historically speaking, been a profit-making enterprise. Stealing a finger, however, has not. The use of a fingerprint for authentication changes the status quo; now stealing a finger offers the same motivation: Profit. The argument is that this will create the pool of folks who will steal fingers in a natural manner.
Before you attempt to bring to the argument
Re:Mugger steals credit card: bad (Score:2)
Re:Mugger steals credit card: bad (Score:2)
Same as a credit card. "Use the asset quickly" is not a hurdle criminals don't understand.
The same can be said about stealing a wallet or burgling a home. Yet, these are common.
Well, (a) they can take them all, or (b) they can simply watch you buy something so they know which one it is
Re:Mugger steals credit card: bad (Score:2)
Ehhhh?? This is a very bizarre statement to make. So, you've chopped someone's finger off and there's blood everywhere. It's pretty much all leaked out of the finger. How exactly do you use this in the next 30 minutes to purchase something, without suspicion, whilst making blood pump through it?
Re:Mugger steals credit card: bad (Score:2)
The finger won't leak much blood. It's not attached to a a heart to pump it, you see. So, no blood pressure. The stump will leak blood, but that's not a technical problem for the thief. It might even be an advantage, because...
Print Scanners? (Score:2, Interesting)
Re:Print Scanners? (Score:2)
Perhaps because most people are more comfortable with having a finger chopped off than having an eye (or both) ripped out of their head?
On a smaller scale, they're probably also more comfortable with laying a finger on a pad than putting their eye up to an eyecup or having a "guaranteed safe" laser probe them in the eye.
Okay so we have (Score:3, Funny)
fuel from anything in 9 years. Check.
Now all we need hoverboards and Pepsi Perfect.
I'm not *that* anonymous (Score:5, Interesting)
Scuttlemonkey wrote "An anonymous reader writes..." despite the fact that this is my journal [slashdot.org] entry, and says qo quite clearly at the top of the story: "Journal written by anaesthetica (596507) and posted by ScuttleMonkey on 14:12 Saturday 24 June 2006"
I mean, I may not stand out in a crowd, but this is just an unnecessary blow to my ego.
Re:I'm not *that* anonymous (Score:2)
Methinks
Could this be the first sign of the coming Singularity?
*puzzled*
SB
Re:I'm not *that* anonymous (Score:2)
Re:I'm not *that* anonymous (Score:2)
Ah.
I hadn't noticed the checkbox doohicky...
SB
Others use it, too (Score:2, Interesting)
Re:Others use it, too (Score:4, Insightful)
7 digit pin means it's probably not too accurate (Score:2)
Jewel in Illinois has had this a while (Score:2)
http://www.businessweek.com/technology/content/mar 2006/tc20060328_901806.htm [businessweek.com]
For all you phobic people out there who don't want them to "have a copy of your fingerprint" from what I found out from the employees it doesn't work that way. It doesn't store your fingerprint, just certain points on it. So really there is not a way to one way hash back to your actual fingerprint. Now, maybe the employee didn't know what they were talking about but for them to have
Where do I begin? (Score:2)
The easiest, most computationally inexpensive way to check fingerprints against a database is to hash the print that you found at the crime scene--or the point of sale--and compare it to a database of hashes stored in the same way.
If you have the hash database, you have the fingerprint. Just because it's not the *same* hash as what law enforcement uses doesn't stop the NSA from using it against you. If you had more than one hash database, you m
Re:Ahhhh... thats also what the FBI has... (Score:3, Insightful)
Re:Ahhhh... thats also what the FBI has... (Score:2)
Eye of frog, tail of newt, wing of bat, potion of fingerprint points. Great. Now they've resorted to spell-casting in order to confirm identities.
Ok, it's not that funny. Laugh anyway.
(Good points, BTW. I doubt these people's databases are any more secure than anyone else's - which means, not.)
SB
In trial (Score:2)
More info:
http://www.computing.co.uk/computing/analysis/215
Okay, it's a cheap shot, but... (Score:2, Funny)
Re: (Score:2)
Piggly Wiggly (Score:2)
http://www.findbiometrics.com/viewnews.php?id=226
Pulse (Score:2)
Also note that the system is closed. Merchants have no ability to troubleshoot or fix their machines, it requires a full visit by the company. It also requires a broadband connection. Yes, it goes over the Internet. Many, many small stores still use dialup
One word answer: stigma (Score:2)
I do not think it will be an issue in another one or two generations because people are getting fingerprinted more and more for other purposes anyways so the stigma will probably not last forever.
"bit puzzled by customer privacy fears" (Score:2)
Well, they seemingly are stupid like a dumb ducks behind, and still they will get rich. Why ? Because such moves will be backed heavily by US government, since they will be able to get a nationwide fingerprint database in a few months and they don't even have to pay for it.
I'd prefer living without money in a jungle than using my fingerprint as a payment method, that's for sure.
how can using a unique fingerprint for identification be riskier to theft than a plast
Does anyone remember... (Score:2, Informative)
Modern Biometrics (Score:5, Informative)
There are some systems that can be fooled much easier, but they are not being used by PayByTouch. Nor is anyone serious about using a fingerprint scanner anymore.
Microsoft sells an optically-based fingerprint scanner that can be fooled by latex molds, gummi bears and lots of other stuff.
Wow, news that is 6 months old (Score:2)
The biggest problem (Score:2, Insightful)
Chicagoland Jewel stores (Score:2)
have had this for about 6 weeks now. I still pay with cash or credit card because the notion of giving my fingerprints to the government (via Jewel) doesn't appeal to me.
I wonder if any of the people who signed up for this considered the fact that the government could obtain their fingerprints by doing nothing more than getting a subpeona. In fact, I suspect that most businesses would gladly divulge them for the asking, so long as it was for fighting terrorism.
The problem is what happens when it's stolen (Score:2)
Truly Word-wide Story (Score:2)
"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions...
Okay, we just need an Australian court to decide the distribution of remaining assets to Japanese investors on the sellers in Nigerian government officials to make this truly a world-wide
Not a print image (Score:3, Interesting)
The reason that "the fingerprint image recorded is not the same as those collected by the federal government or law enforcement" may be chillingly pragmatic. We were told when implementing our system that if we stored fingerprint data up to government specs we would be required to provide that information to the government. As a result our company, and most others, store data below the threshold that will get them noticed by the feds.
The fingerprint validation itself is somewhat fluid. Most people don't press the reader the exact same way twice in a row, the finger distorts under different levels of pressure, reacts to environmental changes, and even the current health of the individual. This kind validation requires a level tolerance to be set.
Some individuals never seem to get a good read, the tolerance for such people needs to be loosened to get any kind of positive feedback. As a result, some of our employees could hoist a big toe on the reader and probably get a pass. I simply wouldn't trust these things not to mistake me for the granny with the bad fingerprints.
This has been around for a while... (Score:2)
Ten fingers (Score:2)
because there have been no... (Score:2)
In addition, if your "fingerprint" is stolen there is no fix. You can't get a new set from fingerprints-R-us.
Re:Without a Meat Cleaver (Score:2)
Re:Without a Meat Cleaver (Score:2)
Re:Men in Black (Score:2)