Can anyone explain how sophisticated those fingerprint readers are?

Are there readers out there that by themselves are secure devices and essentially are able to talk with their servers thru the PCs/workstations over a protocol such that any man-in-the-middle, like a driver, can not learn anything from the traffic?
(...and all that for less than $40, of course...)

If not, would a trojan then be able to capture your fingerprint's digital-fingerprint, and impersonate you from any other node on the network?


R.A. Hettinga wrote:


The Wall Street Journal

October 11, 2004

Cash, Credit -- or Prints? Fingerprints May Replace Money, Passwords and Keys; One Downside: Gummi Fakes

October 11, 2004; Page B1

Fingerprints aren't just for criminals anymore. Increasingly, they are for customers.

Fingerprint identification is being used to speed up checkouts at Piggly
Wiggly supermarkets in South Carolina, and to open storage lockers at the
Statue of Liberty. Fingerprints are also being used as password substitutes
in cellphones and laptop computers, and in place of combinations to open up

But these aren't the fingerprints of yore, in which the person placed his
hand on an ink pad, then on paper. Instead, the user sets his hand on a
computerized device topped with a plate of glass, and an optical reader and
special software and chips identify the ridges and valleys of the

Fingerprint technology seems to be reaching critical mass and is spreading
faster than other widely promoted "biometric" identification methods, such
as eyeball scanning, handprint-geometry reading and facial recognition.
Interest in these and other new security systems was heightened by the
September 2001 terror attacks.

"Fingerprints will be dominant for the foreseeable future," says Don
McKeon, the product manager for biometric security at International
Business Machines Corp.

One reason fingerprint-security is spreading is that technological advances
are bringing the cost down. Microsoft Corp. recently introduced a
stand-alone fingerprint reader for $54, and a keyboard and a mouse with
fingerprint readers. Last week, IBM said it would start selling laptop
computers with fingerprint readers built in. These products reduce the need
for personal-computer users to remember passwords.

A customer uses a fingerprint reader to pay at a Piggly Wiggly store,
cutting his checkout time.

Earlier this year, American Power Conversion Corp., a Rhode Island company
that makes backup computer batteries, started selling a fingerprint reader
for PCs with a street price of $45 -- less than half the price of
competitors at the time. American Power says it has sold tens of thousands
of the devices since.

Korea's LG Electronics Inc. has introduced a cellphone with a silicon chip
at its base that requires the owner's finger to be swiped across its
surface before the phone can be used. This summer, NTT DoCoMo Inc. started
selling a similar phone reader that is being used on Japanese trains as an
electronic wallet to pay fares or to activate withdrawals from on-board
cash machines.

Proponents have never had trouble explaining the benefits of fingerprints
as payment-and-password alternatives: Each person has a unique set, and
their use is established in the legal system as an authoritative means of
identification. But some people are uneasy about registering their
fingerprints because of the association with criminality and the potential
that such a universal identifier linked to all personal information would
reduce privacy.

Moreover, numerous businesses and governments have tested fingerprint
systems in the past only to rip them out when the hype failed to match
reality. That's partly because the optical readers have had problems with
certain people's fingers. Elderly people with dry skin, children who
pressed down too hard, even women with smaller fingers -- including many
Asians -- were often rejected as unreadable.

Security experts also have successfully fooled some systems by making
plaster molds of fingers and then creating fake fingers by filling the
molds with Silly-Putty-type plasticizers or gelatin similar to that used in
candy Gummi Bears.

But advocates say the rate of false rejections of legitimate users has been
greatly reduced by improved software. "I'd say 99% of people can register"
their fingers, says Brad Hill, who installed fingerprint-controlled lockers
at his souvenir store at the Statue of Liberty this summer when the
National Park Service forbade tourists from entering the statue while
carrying packages. Mr. Hill was worried that tourists would lose locker
keys when security screeners forced them to empty their pockets.

Some makers of readers also say their technology can solve the fake-finger
problem by taking readings from below the surface skin layer. Or they
suggest combining four-digit ID codes with fingerprint scanning to
virtually eliminate false readings.

Makers of fingerprint readers acknowledge the privacy concerns. But they
maintain that the threat of personal invasion is minimized because most
systems don't store the actual print, but instead use it to generate a
unique series of numbers that can't be reverse-engineered to re-create the
print. And public willingness to submit to fingerprint readers has soared
since the 2001 terrorist attacks, as the need for security overcomes
worries about unwarranted intrusion.

While the market for fingerprint readers is small, it is growing fast.
International Biometric Group, a New York market-research firm, predicts
that sales will rise 86% to $368 million this year from $198 million last
year. AuthenTec Inc., of Melbourne, Fla., which makes the
fingerprint-reading chips used in the LG cellphone, expects to ship more
than three million of them this year, triple the level of 2003. Their price
has fallen below $6 apiece, and Scott Moody, AuthenTec's chief executive,
sees that dropping below $4 next year.

Ubiquitous use of fingerprints could eliminate a huge consumer headache:
remembering passwords for various Web sites. With American Power's
fingerprint reader, users register all of their passwords online, along
with the associated Web sites. Then they never have to type in a password

"Our parents didn't deal with the problem of remembering 20 passwords, and
our grandkids won't even know what they are," says IBM's Mr. McKeon.

Potentially, fingerprint readers also could replace credit and debit cards.
Pay by Touch Co., a closely held San Francisco company that is working with
IBM, installs fingerprint readers in retail stores where customers can
register their fingers by touching the pad five times. Then they can
register supermarket loyalty cards and several credit card-numbers. They
even can use the fingerprint reader to withdraw money from a checking
account at the cash register.

Another use: A consumer could register a driver's license and his or her
age with the system, so clerks won't have to examine identification cards
for purchases of beer or cigarettes. The next time the customer checks out,
he or she just touches the pad, enters his or her phone number and selects
from the list of payment options. Pay by Touch, which charges retailers 5
to 10 cents per transaction, claims the system reduces checkout time by 30%.

One early user of Pay by Touch are a handful of Piggly Wiggly supermarkets.
After installing the system in four stores in July, "a good, strong
percentage of our transactions are done by touch" already, says David
Schools, senior vice president of Piggly Wiggly Carolina Inc., based in
Charleston. He declined to be more specific. The chain hopes that customers
will register checking accounts and make electronic withdrawals via
fingerprint ID to pay for purchases, which would save the grocer steep
credit-card or debit-card fees.

IBM says that convenience stores are experimenting with fingerprints as an
alternative to radio-frequency identification cards like Exxon Mobil
Corp.'s Speedpass, to deal with the "sweaty jogger problem" -- cashless
runners coming in for coffee or Gatorade. The problem with RFID cards is
that anyone can use one that is lost or stolen. Not so with fingerprints.

Jeff Baughan, vice president of information technology at Catholic Health
Systems in Buffalo, N.Y., says he anticipates some day installing wireless
readers on the carts used by nursers that would read patients' fingers, to
double-check that the right patient gets the right medicine. Currently, the
health-care system is installing Ultra-Scan Corp. devices that read fingers
to register incoming patients and make sure that different people aren't
using the same insurance card.

Fingerprint-scanner authorization also is being used by business owners as
a replacement for lock combinations on safes. "Traditionally, two people
are given the same combination, and if there's a loss, how can you figure
out who took it?" says Edward McGunn, president of Corporate Safe
Specialists Inc., of Posen, Ill. He predicts that within two years, 80% of
his sales will be fingerprint safes, partly because it's much simpler to
train an unskilled manager to open one. "This is the most exciting time to
be in the safe business in my lifetime," says Mr. McGunn, a
third-generation safe maker.

-- Frank Siebenlist [EMAIL PROTECTED] The Globus Alliance - Argonne National Laboratory

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to