Tuesday 9 February 2010

Bridlington Off-Licence introduces fingerprint scanners

The improper use of biometrics is a little-known, but very worrying growth industry. When organisations such as Microsoft and Cisco are concerned, we should all be.

An off-licence in Bridlington has installed a fingerprint scanning machine to ascertain the age of customers who wish to purchase alcohol and cigarettes. First you go in, with either your passport or driving licence to verify your age. Then, if you want to, you can have your thumbprint taken and stored on the shop’s database.

Any hacker who knows what they are doing (and unfortunately there are too many of them around) will be able to steal this information. Your collar may be felt by the police for a crime you didn’t commit, simply because someone has your thumbprint on their computer which they can reproduce and leave at the scene of a crime.

Couple this with the fact that a criminal will also have sensitive personal information about you, and the scope for fraud is immense. All of these risks to stop a 17-year-old from buying a can of lager. It’s simply not worth it.

I have recorded an interview which will be broadcast on BBC Look North tonight explaining some of the dangers. My advice to anyone thinking of handing over their biometric details voluntarily is: DON’T! Use your passport instead. It is a recognised form of identification and it displays the minimum amount of personal information about you.

I will keep you all updated on this story when there are more developments.

UPDATE: Here is the full report on BBC Look North, ending with an interview from Alex Deane, Director of Big Brother Watch.

10 comments:

  1. Are you simple? Speaking as a hacker who has been asked to evaluate the security of these fingerprint scanners I can safely say there is no possibility of hacking these machines. The database is stored internally, it is not connected to the internet, and the fingerprint itself is encrypted using an algorithm that is completely irreversible! If you wanted to clone someone's prints it'd be far simpler to walk into a cafe and pick up a used glass.

  2. There is so much paranoia around "biometrics" but unfortunately not enough knowledge. I've also looked in detail at these units and have to agree with the previous post. Look into the facts around the algorithm used, and what actually gets stored, and you'll realise that these machines pose no threat at all.

  3. I think it's a good idea. I'm currently purchasing a my-id scanner and it will be installed soon.
    Protection of my license is paramount... I have looked around for a solution and feel this is a good investment.

  4. Three anonymous comments in 50 minutes. I am wondering if they are all from the same person.

    Experts in this field assure us my fears are well founded. They put their names to what they say, as I do. We do not hide behind anonymity.

  5. Hello, I'm a neutral observer who happens to have enrolled on one of these machines. Now I'm really concerned that someone's going to steal the shop's machine, and my fingerprints will turn up all over a murder weapon or something!!!

    The guy in the shop told me this was completely impossible, but I've just read your statement above. WHAT IS THE TRUTH!!!

    How can one person say it is possible, and someone else tell me it's completely impossible?

  6. Grace: This is a statement from Microsoft's Identity Architect Kim Cameron, "It is absolutely premature to begin using 'conventional biometrics' in schools."

    The same can be applied to your local off-licence. I am not opposed to the use of biometrics when it is vital, such as law enforcement, but I am opposed when they are used for trivial things. Once someone has your biometric details, cross-referenced with other personal information, there is an increased risk that crimes will be committed in your name.

  7. OK so it's "premature" but that doesn't say "You'll be arrested for a crime you didn't commit".

    After a rather panicky night I've just spent the morning reading about these scanners. The unit actually performs analysis on the image of your finger starting at the centre and working outwards, picking out the different forks and joins on ridges of your finger, and this is the only information it holds on to, NOT the actual fingerprint image. Because of this, it is indeed impossible to reproduce the image that was taken. The data it stores is only of any use when comparing another fingerprint that has been scanned on the same scanner.

    I think Mr Allison you should check your facts before making rash comments and costing me a night's sleep in the middle of my final exams!

    Of course if you can provide a detailed explanation of how exactly these hackers are going to plant me in the frame, then I'll take it back.

    Grace.

  8. Grace: It is possible to reproduce the image, as the US National Science and Technology Council's sub-committee on biometrics have stated:

    "There have been studies where pseudo fingerprint images have been reconstructed from the fingerprint template." to return to the analogy of a drawing (fingerprint template) and a photograph (fingerprint), it is certainly possible to recognise an image from a drawing. You don't necessarily need the original photo."

    I have also published on the blog an article by Andrew Clymer, senior identity management security expert (more than 8 years with Cisco Systems).

    I hope it will be of use.

  9. Andrew, try as you may to put the fear of god into me, I have studied the data in detail. Have you seen a "pseudo" fingerprint image? Well let me assure you it looks nothing like a fingerprint. It would be immediately spotted as a PSEUDO image if placed on a murder weapon. The "PSEUDO" image can be used to trick a scanner using the exact same algorithm into accepting the print. So I concede to you this, someone COULD break into my off-license, steal the scanner, hack the data from it, perform some extremely complicated math to reverse engineer the templates into a "PSEUDO" image, replace the scanner before they notice it's gone, create an artificial latex finger from the pseudo image, walk into the store and buy some alcohol. The words "Slim" and "none" come to mind.

    I'm not going to worry about being lifted for "a crime I did not commit" as that is clearly a huge exaggeration.

    I would encourage anyone as worried about this as I was not to listen to the scaremongers. Go and read up on it yourselves, most of the information is freely available on the internet and the university library.

    If we always listened to the scaremongers, we'd still be riding horses with saddlebags of precious metals down to market. With every technological advance there is always an element of risk. Aeroplanes crash, motor cars catch fire and explode, people can watch you entering your PIN at the cash machine. For me using a fingerprint scanner in my local off license is MUCH MUCH less risky than carrying my passport around in my handbag. My friend had hers stolen, and has had a huge loan from the bank accepted in her name.

    Nuff said.

  10. Grace: I am not a scaremonger or a member of the flat earth society. I have read the concerns of experts and have come to my own conclusions. You hand over your biometric data to all and sundry if you want to, but I will not.
