Pay as You Smudge

Posted on October 2, 2006 in Security

It seems a cool idea to create a system where we can pay using our fingerprints but a recent Scientific American evaluation found the idea wanting:

As an authentication tool, fingerprints are great–police catch criminals with them, after all. But it is not foolproof: it’s possible to use fingerprint images–derived from gelatin or clay, for instance–to fool readers. Clarkson University researchers found that 90 percent of well-made fakes could pass for real ones. In July, ZDNet quoted a Deloitte and Touche analyst that biometric spoofing is a growing concern, especially considering that we leave fingerprints everywhere. In principle, crooks who know you use Pay By Touch could lift your prints from your cocktail glass, make a mold, and then go on a free shopping spree. Call it the six-finger discount.

I suppose you can make things harder by using an unlisted telephone number or even make up a seven-digit number (as if you need another data string to remember). You might also try using a pinky rather than an index finger, to add a bit of uncertainty. Algorithms that look for signs of life, like sweat or a pulse, might also foil the rubber finger.

But then there’s the germ factor: touching a panel that who-knows-how-many have previously touched. A paper presented today at the Interscience Conference on Antimicrobial Agents and Chemotherapy reported a study that found people with colds staying at hotels left the rhinovirus on surfaces they touched 35 percent of the time. Uninfected people picked up the virus on their fingertips 47 percent of the time, even 18 hours after the surface was contaminated. Scanners may be less filthy than hotel rooms, since the finger is on the reader only briefly, but I would not bet on that.

File this under the category of “people who love technology too much for their own good”.