Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Vein Patterns to Verify Identity

Posted by samzenpus on Thu Jun 30, 2005 01:03 AM
from the look-inside dept.
Security Technology
JonN writes "Fujitsu Ltd. will start selling a biometric security device next month that relies on vein patterns in the hand to verify a user's identity, it said today. The palm-vein detector contains a camera that takes a picture of the palm of a user's hand. The image is then matched against a database as a means of verification. The camera works in the near-infrared range so veins present under the skin are visible, and a proprietary algorithm is used to help confirm identity. The system takes into account identifying features such as the number of veins, their position and the points at which they cross."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Vein Patterns to Verify Identity 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Anybody else see "Demolition Man"? (Score:5, Insightful)

    by nokilli (759129) on Thursday June 30 2005, @01:04AM (#12948268)
    Biometrics sounds great, right up until the point you run into the desperate dude who is willing to take out your eyeball -- or in this case remove your hand -- just to be able to access whatever it is that is being protected by biometrics.

    So who is this really good for?

    Wouldn't you rather give up the memorized password rather than your eye or your hand?

    But then, how does your employer look at this.

    He doesn't give a shit about your body. He just wants to protect corporate assets. From his point-of-view, it is statistically less likely that he'll lose such assets were biometrics used over passwords.

    Just remember that when next you go to ask for the raise, and your boss is making you authenticate to the company's grid using biometrics.

    • Re:Anybody else see "Demolition Man"? (Score:5, Interesting)

      by plover (150551) * on Thursday June 30 2005, @01:08AM (#12948279) Homepage Journal
      Well, to an infrared vein scanner that works entirely by imaging the heat given off by your circulating blood, a severed hand will be every bit as valid as one made of wood.

      Not that I expect the bad guys to be smart enough to know this up front (so we might still be losing a few hands to some idiots) but the entire technology functions as a liveness detector.

      • Or they just force your ass over to the scanner with a gun to your head, Solid Snake style.

        • Re:Anybody else see "Demolition Man"? (Score:4, Informative)

          by Blastrogath (579992) on Thursday June 30 2005, @01:17AM (#12948318)
          >Or they just force your ass over to the scanner with a gun to your head, Solid Snake style.

          they can do that with a password, or keys, or almost anything else. I can't immediately think of anything that doesn't work with, other than well armed guards willing to perforate the hostage.

          • they can do that with a password, or keys, or almost anything else.

            With a password you can have emergency passwords that trigger an alert. Maybe they don't grant you access. Maybe they grant you access but there's an alarm going off in an office somewhere.

            Harder to do with biometrics. Hmmm. Left hand good, right hand bad.

            • Re:Anybody else see "Demolition Man"? (Score:5, Insightful)

              by KronicD (568558) on Thursday June 30 2005, @03:09AM (#12948631) Homepage
              Your comment is valid and raises the point that biometics should be used as part of a three factor identification system.

              1) Something you know (password/login)
              2) Something you have (token, keycard, secureid, proxy card etc)
              3) Something you are (biometric)

              This allows for duress passwords as well as the use of biometics to increase the strength of an authentication system, rather than replace it completely.
          • With a password you can actually deny an agressor access. They'd have to torture you until you gave it up. For opening a door or something pointless like that you'd give up your password in a heartbeat, but let me tell you about a little system called deniable cryptography. Suppose you work for the NSA. You're given a laptop on which you are required to encrypt any work which is deemed sensitive (and seeing this is the NSA, let's just say that everything is sensitive). You are instructed to encrypt documents of different security grades under different passwords. No system is prescribed for the grading of documents, you're just told you should use at least three.

            So now what happens when the bad guys grab your laptop and take out the rubber hose? I say you won't tell them a single password. How can I say so with such certainty? Well suppose after being beaten for an hour you decide to give up the least sensitive material on the laptop. In fact, this isn't even NSA material, it's just some emails you received from your girlfriend. So you give them your first password, say 'tulip'. The bad guys run to their cryptoanalyst guys and give over the password. They discover that it does indeed provide them with something intelligible. But they don't find anything of value, as you intended. Looking at the remaining space on the harddrive they notice that there is a heck of a lot left, so they send their low brow associates back to get another password from you.

            After another hour of torture you might give up another password. And after another hour you might give up another password. But every time you give up a password you're just guarenteeing more extensive torture. Every time you give up a password the cryptoanalyst guys say there is more data on the disk. When you get to the end of your list of passwords you're really screwed because as far as the cryptoanalysts are concerned, all the free space on your disk is potentially more top quality intelligence. It is impossible for you to convince your captors that they have all the passwords for the laptop. So you will eventually die in their hands or, worse yet, the torture will go on indefinitely.

            In summary, deniable encryption ensures that it isn't in your interest to give up a single password. You're better off claiming that it was some dude's laptop you stole on the way to where you got jumped.

            • Re:Anybody else see "Demolition Man"? (Score:4, Interesting)

              by iabervon (1971) on Thursday June 30 2005, @11:16AM (#12951018) Homepage Journal
              Knowing that, why wouldn't you just give up all the passwords at once? This would put you in exactly the position you'd be in if there was only one password; you don't have anything further to give them, and there's more randomness on the disk.

              Actually, the smart thing would be to have a hard drive full of boring documents, and have a hidden directory full of porn, with all the important stuff steganographically added, encrypted, to the porn. That way your captors will have a reasonable explanation of every bit on the disk from the start, and you can just say that you don't take secret documents out of the office.

          • Re:Anybody else see "Demolition Man"? (Score:4, Informative)

            by Peyna (14792) on Thursday June 30 2005, @03:16AM (#12948656) Homepage
            Getting someone's live hand over a scanner doesn't require a person to consciously divulge any information.

            So, it is a lot different than getting a password out of someone. I can beat you all day and you'll never tell me the password. I can knock you unconscious and drag your limp body over to the scanner and place your hand on it without your help.
      • an infrared vein scanner that works entirely by imaging the heat given off by your circulating blood

        Infrared [wikipedia.org] uses a different part of the spectrum; you're thinking of thermal imaging. Taken from this article [com.com], this is how the Contactless Palm Vein Authentication System works:
        "It works using infrared light to scan for hemoglobin, which provides oxygen to cells in the body, the company said. Reduced hemoglobin absorbs near-infrared rays, so on the image it shows up as black, with the rest of the hand colore

        • 3 answers.
          1. The tubes for the computer were designed to be used this way. The hand is intended to pump blood and once it loses pressure it colapses and becomes fairly disfunctional.
          2. A pump designed to handle pumping water into a hand is pritty complicated technology. At this point your better off using some sort of electronic bypass system like the devices used to trick slot machines into giving you a "win"
          Maybe a heat patern "copy" using a heat emitter fake hand. Then you need only scan the original to have a key that works forever.

          3. The results won't be the same. The water will leak heat more than blood will and heat up the surrounding tissue. The sensor will get a blur and probably give a negitive.
            • For 99.99999% of the applications out there, no one would even DREAM of going to these lengths.

              For the other 0.00001% (read military secrets) of the applications out there, there is likely to be two or three other authentication processes out there, one of which involves a person pysically giving you access.


              • What lengths? It's a process that takes a few minutes, £10 worth of plastic and a secondary school knowledge of anatomy.

                The deterrant is one of severity of punishment for the nature of the crime, not one of technical difficulty. That's a deterrant to be sure, but the nature of it should be understood.

                Your point about multiple security systems is valid of course, but the grandparent was placing erroneous faith in the technical security of the system, and that at least deserves correction.
        • It's usually easyer to kidnap you and make you unlock something than to "re-animate" your hand for the scanner. You'd need to be kidnapped with a password also, so you don't just lie.
    • Realistically speaking, how much is it worth to you to secure your company's assets? At retail locations, conventional wisdom says "give the dude the money, because it's not worth it."

      Would you lose a body part?

      I think the answer would be "Heck No!"

      What would the court say? Isn't using biometric security putting life and limb of the employees in jeopardy?

      That would be an interesting case for a judge and jury.
      • I don't think you're going to find this equipment in stores that bare the "less than $50 after dark" and "employees do not have safe combination" type signs. That being said, this might be nice in some applications...
        • single sign on and never having to change passwords every 90 days
        • No more keys for your front door... unless you have cold winters like we do... I don't want to hold my hand in front of a camera at -40C
        • No more PIN numbers, or signatures for verification for bank and credit cards

    • Uh, what? (Score:4, Insightful)

      by Bill_Royle (639563) on Thursday June 30 2005, @01:23AM (#12948340)
      That's the dumbest argument I've heard all evening.

      The "desperate dude who is willing to take out my eyeball?" Why wouldn't he just leave it in your head and just piggyback through? Or bring you along to access that "protected" stuff?

      Sure I'd rather give up a memorized password instead of an eye or hand, but again this is a question of severity. I don't believe you go from demanding a password to cutting out an eye without things other than biometrics being a critical factor.

      Your employer may not give a shit about you, but most employers do. The liabilities of employees getting hurt is much of the reason that many employer-offered health plans have increases every year. I doubt that any employer will be nonchalant when one of their employees come to work with only one hand.

      There's nothing wrong with an employer implementing biometrics, if it's an at-will company. It's up to the employee as to whether that proposition is acceptable.

    • Biometrics sounds great, right up until the point you run into the desperate dude who is willing to take out your eyeball -- or in this case remove your hand...

      The cut-off-the-hand-to-defeat-a-biometric-scanner approach is a typical Hollywood interpretation of a clever way to compromise biometrics.

      Biometric systems that are worth using to protect assets of any value test for what is called "liveness" to make sure that someone's hand (or body part of choice) hasn't been severed to bypass the system.

    • One other thing that can be bad about biometric only interfaces that is rarely discussed is that it doesnt allow for whats called in the industry as duress codes. Say for example you are a security guard that has a gun pointed at your head and your being force to give access to someone.

      If you have a password/PIN then most security panels allow for a dual PIN and duress code for a user. The regular PIN just opens the door. The duress PIN will open the door and trigger a silent alarm. No one gets hurt, bad
    • I'm so tired of hearing the "dude who is so desperate, he's willing to take your eyeball" type argument. If someone is that desperate, he's more likely to off you and rob you than worry about using your eyeball to hack your accounts. Generally the desperate folks are the strung out drug users, not wanting to come down again. They don't put this much forethought into their crimes.

      Now the professional hacker (cracker for those who still insist on the distinction) don't want to get their hands dirty. They pre

  • Palm readers (Score:5, Funny)

    by plover (150551) * on Thursday June 30 2005, @01:04AM (#12948271) Homepage Journal
    Please wait while we read your palm ... hmm ... your cat-5 line is very long, and is getting crosstalk ... oh, yes ... your gullibility line is quite full ... umm, hm ... I forsee many postings in this thread ...

    That'll be $25.00 please.

  • Yeah, but.... (Score:4, Funny)

    by croddy (659025) on Thursday June 30 2005, @01:07AM (#12948275)
    Yeah, but can it tell my fortune?
  • I guess more biometric sensors are always better -- but at a point, doesn't it seem excessive? I guess I'll be able to sleep easier tonight knowing that if I'm killed in my sleep and my murder spreads my bodyparts across the county, I can still be indentified by the veins in my hands. Thank God.

    • Re:Excessive (Score:5, Insightful)

      by plover (150551) * on Thursday June 30 2005, @01:17AM (#12948317) Homepage Journal
      What makes you think biometrics are better? Systems can be fooled.

      Just like any other computer-based biometric system, it only starts with a scanner. Once you get past the handwaving (pun intended) it turns into bits and bytes, just like any other security token, such as a password. These systems will have weaknesses, it's the nature of systems. Look at all the components: palm reader camera, imaging software, algorithms to reduce a hand-print to a series of numbers, a database full of those numbers, a database full of "rights" to be granted based on those numbers, a signal to the turnstile or electric door lock to let you in, and networks and wires interconnecting all of those pieces.

      To a bad guy, a wedge into any single component listed above might be enough to send "ACCESS GRANTED" to the door lock.

      Yes, the same is true of any security system of any sort -- but for reasons I can't fathom, biometric-based security systems seem to give a higher "sense" of protection to the executives writing the checks.

      At least this one won't be fooled by Jello.

  • Paranoia... here we come... (Score:4, Funny)

    by Chmarr (18662) on Thursday June 30 2005, @01:09AM (#12948280)
    "Please insert hand for vein identification"

    "Hand invalid. Third attempt failed. Hand retained."

  • What about... (Score:5, Funny)

    by Anonymous Coward on Thursday June 30 2005, @01:09AM (#12948281)
    My hairy palms, you insensitive clod.

  • Credit Card? (Score:5, Funny)

    by Kaorimoch (858523) on Thursday June 30 2005, @01:10AM (#12948286) Journal
    This could get amusing. "Honey, can you swipe your arm for these groceries? My arm credit limit is a bit low this month." When you get robbed in back alleys, the drugged up crims rip off your arm and take it to the ATM to pull out all your money. I'm sure the "cost an arm and a leg" jokes are coming.
  • While some factors, both genetic and external, may lead to the divergence of form in venal positioning and number, the chance that two people have similar (if not identical) veinous patterns is not small.

    Medicine is based on the supposition that human beings are, at a very basic level, extremely similar to each other. This allows us to give generalized prescriptions instead of having to perform meticulous measuring and experimentation to determine the correct level of drugs to give to a person.

    Even Da Vi

  • In short... (Score:4, Informative)

    by eznihm (552487) on Thursday June 30 2005, @01:15AM (#12948306)
    This is somewhat novel and cool because:

    a) there need not be any physical contact twixt the biometric reader and the individual - unlike with fingerprint scanners - defintely more hygenic

    b) as a previous poster mentioned, it doesn't work if the hand is severed

    c) fingerprints may be scarred, burned, or otherwise mutilated

    I mean, if you're gonna put people through biometric authentication, you might as well do it right, right?

  • I much prefer... (Score:4, Funny)

    by gardyloo (512791) on Thursday June 30 2005, @01:15AM (#12948308)
    ...hot chicks telling me they have to hear me say "passport".

  • Veins not very constant (Score:5, Informative)

    by theufo (575732) on Thursday June 30 2005, @01:16AM (#12948315) Homepage
    It is not uncommon for the smaller bloodvessels to simply disappear and appear over time to facilitate changes in energy consumption. A tiny inflammation can also cause the surrounding vessels to change themselves quite significantly. Wouldn't want to be denied my own money suddenly.
      • But you don't want to have to do this every week, for practical and security reasons.

        It'd be like changing your password every week, automatically, doesn't seem like so bad of an idea. Just a pain to maintain.
        • I have once worked for a firm that serviced a (privately-owned) high school where the primary mean of identification (for entering the premises, for instance) was that hand-measurement biometric tool. They had a serious problem because, well, between 13 and 18 the kids hands measurements varied wildly. They solved it by overlapping after confirmation the reference measurement data with the last measured data. This way, if the (natural) variation was below the "this is a different person" parameter, there is

  • What if the pattern changes? (Score:3, Interesting)

    by Hannah E. Davis (870669) on Thursday June 30 2005, @01:17AM (#12948319) Journal
    Since I switched from biology to computer science before learning anything about human anatomy or the circulatory system, there's a fairly good chance that I'm going to sound incredibly stupid here... but... what happens if you cut yourself really badly and the body basically has to rewire a few of those veins? Will you be locked out of the system?

    Also, since the camera is presumably looking at the heat coming from the veins, would this mean that if you lost circulation to your hand for whatever reason (extreme cold, medical condition, etc.), that would also cause the device to reject you?

    • I'm sure if you were injured to the point where your bloodflow was significantly altered, you'd probably be able to get a note from your surgeon to give to your Info Security department requesting a "change of veins" scan.

      Maybe you can convince the door guards that the giant pus-oozing gauzeball wrapped around your hand is causing the scanner to fail, so they'll just buzz you in anyway.

  • Talk to the picture of the hand. (Score:3, Interesting)

    by mikeophile (647318) on Thursday June 30 2005, @01:22AM (#12948335)
    Really now, how difficult can it be to fool one of these. It seems all it would take is:

    1. Remove the IR filter from a 3 megapixel or higher digital camera.

    2. Photograph the hand with and without a low pass IR filter.

    3. Print a mirror image of the first photo on an acetate sheet.

    4. Take the same print and print the other side with IR visible inkjet ink [hp.com] from the second photo.

    5. Fool scanner.

    6. Profit?

    • But looks really cool in movies.

      Anything that can be imaged can be reproduced to the accuracy of the imager. Hence, biometric security is like a social security number: it might be unique to you, but you can't change it ever* and if someone gets a hold of it, you're screwed.

      *I am aware that in extreme situations you can change your SSN. afaik, This capability was designed to address that point, however the address space of SSNs is not that sparse and the cost of changing the number is too high. (in bot
  • Some day in the very near future there will be a way to easily duplicate fingerprints, vein prints, retina prints, or whatever.

    Current solution: change password or revoke key.

    Solution for the future: slice your finger off and hope they can someday regrow you a new one with a new fingerprint.

    Do we really want to slice hands/arms and eyes off too? Biometric ID has NO solution if the thing you're testing against becomes compromised.

  • Why this won't work. (Score:5, Insightful)

    by rincebrain (776480) on Thursday June 30 2005, @01:35AM (#12948386) Homepage
    I've met quite a few people who have nonstationary veins; that is, veins that they can move around, that twist under their fingers and stay in their new position, etc.

    How will this system handle these?

  • to all the "chop off the hand" people (Score:5, Insightful)

    by SuperBanana (662181) on Thursday June 30 2005, @01:48AM (#12948420)

    Well, I see we've already got a few people posting "zOMG my hand's gonna get chopped off".

    Here's a pop quiz. How's a device that uses near-IR to see active blood vessels going to work....

    ...on a hand with no blood pressure, and no hot blood flowing through it? Seems to me a cut-off hand would be virtually worthless within seconds; the veins would become the same temperature as the rest of the hand, and collapse due to lack of blood pressure.

  • Biometric security idea of the week. (Score:5, Insightful)

    by RyanFenton (230700) on Thursday June 30 2005, @01:57AM (#12948445)
    This time, it's the translucent map of the hand.

    Problems with this idea?

    1. Injury or other causes of restricted bloodlow will change the pattern. People may be wearing a watch or carring a bag which may change the net translucent image of the hand for some time.

    2. No mention if this is 3-d imaging, or multiple-perspective scanning of some sort - but if it's just a 2-d single image, then another source of the 2-d image could be used as fake ID. In the case of 3-d imaging, fakes become more difficult - gummy hands are a lot less common than gummy bears. Still - there has to be a basis for pattern-recognition in the complex mess that makes up a human hand/palm, and that basis can be exploited. A rubber glove with ink on the palm, flipped inside-out may do the trick, or something similar.

    3. This equipment... will it be cheap? Will it require large databases and further security for that data? How much cheaper will this be than other security methods? Cost more than most things will likely determine the impact of a biometric technology. Just having another identification scheme won't help that much, if it can only be used in already-secure or expensive scenarios.

    Biometrics are a great idea, and some very cool implementations - but they always seem to involve a lot of false negatives/positives (none have solved both), and are fairly expensive relative to their unreliability. They certainly haven't been a replacement for most standard security schemes. How is this scheme different?

    • Re:Biometric security idea of the week. (Score:4, Informative)

      by keen (86192) on Thursday June 30 2005, @02:27AM (#12948536)
      There has been some work to prevent the use of fake fingers in biometric devices. One I have read about is checking the resistance of the object placed on the scanner to be sure it matches the known resistance of skin. Resistance can be forged of course, but it is an extra layer in the system.

      Some systems have been so weak that you can simply breathe [i.cz]on them to cause moisture condensation - which in turn causes the device to believe the last finger has been placed on it again!

  • Can It Be Done? (Score:4, Funny)

    by ndansmith (582590) on Thursday June 30 2005, @02:06AM (#12948473)
    Biometrics are still so far from reliable. Hopefully this whole effort will not be in vain.

  • biometrics just s*cks (Score:4, Insightful)

    by l3v1 (787564) on Thursday June 30 2005, @03:21AM (#12948663)
    My main problems with almos all biometrics identification & recognition systems for public use is that
    - none of them works good enough (see below)
    - if you combine multiple biometrics to raise the efficiency they will become exponentially more inconvenient and expensive, and still not being 100%
    - very many biometrics can be falsified and there probably are levels where even cutting a hand isn't a big deal to get to the information; in cases when you need the hand/finger/etc. alive there's kidnapping and remember, one doesn't have to interrogate the fella, just to take him

    Ok, so about efficiency. If you care to dig a bit deep and read research regarding different types of biometrics, you'll easily find quite high numbers on %. There's two things one has to constantly keep in mind:
    - most if them give those high % only in specific working conditions
    - if you read one biometrics works at 9x%, always think on the reverse: e.g. how many real people does that 100%-9x% mean in the real life like airports with multi-million guests a day ? even 99% goodness means 10000 from 1mil. people falsly angered and that's a lot

    • Re:Obvious question (Score:4, Interesting)

      by plover (150551) * on Thursday June 30 2005, @01:23AM (#12948344) Homepage Journal
      It's much better than fingerprint readers. For example, it's known that people who work in certain jobs (such as pineapple farming) actually have their fingerprints removed by the acids and the abrasion.

      The device works by looking at the infrared radiation emitted by your warm blood in relationship to the relatively cool epidermis. Unless the layer of tough skin is also a thermal insulator, it'll probably be able to read them just fine. The thing they aren't advertising is it probably won't work when the ambient temperature is above 98.6 degrees Fahrenheit.

      But if you RTFA, you'd see that their false rejection rates are 0.01%, or one in 10,000 incorrect rejections. That's pretty damned impressive for a biometric system.

    • I suppose it wouldn't fly to have someone press a nipple to the computer, but the hand doesn't seem ideal. A little Japanese class bias? Nobody who works with his hands uses a computer? What about sports? Motorcycle road rash? Kitchen knife? Hand tool? Just about anything that could run a cut across that vein pattern.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.