Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.
posted by janrinok on Monday March 04, @06:19PM   Printer-friendly
from the Anyone-run-this-by-Cellphone-Security? dept.

Looks like VISA credit card has developed a way of storing biometric data on our cellphones, then use that as an authenticator.

https://reclaimthenet.org/visa-applies-for-biometric-authentication-patent

What could possibly go wrong here?

I guess I am really leery of cellphone security and app resilience. Is it so complex that it's too finicky to use? Does it require a good internet connection to work? ( Can you hear me now? ), or maybe it's based on QR codes?

I have been wrestling with a fast-food burger app over login issues. I am quite jaded over trusting anything I have to log on to to get a fresh timeout permission. For this, all I am risking is the cost of a trip to the restaurant vs. the liklihood the coupon offer will still work when I present at the register. ( The Wendy's Story already discussed here ).

How much impact would a denial-of-service cause for you? How robust is this technology. I've already seen the most expensive cars shut down for the most trivial crap. That's why I drive an old one made before their design became enshittified.

Cut n paste snippets below.

Visa – one of the world's two biggest payments processors – appears to be moving into biometric data-based authentication, at least according to a patent it has applied for. And Visa claims that this would be fully privacy-friendly.

If Visa's patent – designed, according to the giant's filing, to provide "biometric templates for privacy preserving authentication" – is approved and implemented, the end result would be replacement of PINs with biometric identification.

The method would be used at ATMs, payment checkouts, and Visa made sure to note that the technology's use can be extended to unlocking apartments or letting people into venues like theaters, amusement parks, etc.

These latter, non-payment scenarios would allow Visa to monetize the patent via licensing to other companies.

The rationale for using such a system is said to be to improve security of user information in physical spaces.

The patent states that the system would work by customers enrolling into the program which means creating "a biometric template" on their device.

This data is encrypted and signed, and that signature, rather than the biometric information, is used by "access device" to verify the signature.

This, Visa said in the filing, is what preserves privacy, since the templates are stored on the user device rather than "in some giant database."

This appears to be the key point the company is trying to make with the proposed patent, and was careful to stress that security breaching of such databases results in "disastrous" consequences.

That's because the use of biometrics is at once safer than that of PINs and passwords, but also much riskier, given that unauthorized access provides those behind a hack to a large amount of personal information.


Original Submission

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by drussell on Monday March 04, @06:28PM (5 children)

    by drussell (2678) on Monday March 04, @06:28PM (#1347309) Journal

    People should me more leery about using biometric data for random authentication than the chance of a service outage!

    You can change a password, you cannot change your fingerprint, or the look of the photo of your iris when it is scanned.

    Once your biometric data is compromised, you're permanently fucked!

    It is the one of the dumbest ideas ever, but since it seems all science-fiction-y and futuristic, all the ignorant people out there in the masses that don't know any better and can't think for themselves about consequences of actions are like "Hyuk, yuk! Duhhh... Derp! YEAH! Sign me UP!" 🙄

    • (Score: 5, Insightful) by DannyB on Monday March 04, @06:58PM (1 child)

      by DannyB (5839) Subscriber Badge on Monday March 04, @06:58PM (#1347325) Journal

      Don't use biometric data.

      Imagine technology that would allow a PDA type device, including an authenticator, to be "tattooed" on your right (dominant) hand. That way you just wave your dominant hand in front of the payment terminal, and confirm by pressing a button on your hand. People without exception will love that they can use their dominant (right) hand for payments.

      Now these would wear off and have to be re-applied. Naturally, it is going to be a cloud based subscription service.

      It will be convenient. Then popular. Then it will be required.

      Now imagine that if it were even possible in such a utopia that some people, especially teens, could not afford the subscription.

      No problem!

      You can get it subsidized if you are also willing to have a color animated advertising banner tattooed on your forehead whenever you get your authenticator tattoo/PDA refreshed. Good ol' advertising to the rescue!

      Next, teens will compete to get the ads for the coolest things. Nobody wants a car insurance or laxative ad. Everyone wants an ad for the latest cool thing, coolest brands, or upcoming concert or event. Or an ad for some hip social media channel.

      Next, some social media channels pay you to run a live feed on your forehead.

      This won't be distracting at all. School teachers won't mind.

      --
      The people who rely on government handouts and refuse to work should be kicked out of congress.
      • (Score: 2) by Ox0000 on Tuesday March 05, @02:05AM

        by Ox0000 (5111) on Tuesday March 05, @02:05AM (#1347391)

        Imagine technology that would allow a PDA type device, including an authenticator, to be "tattooed" on your right (dominant) hand. That way you just wave your dominant hand in front of the payment terminal, and confirm by pressing a button on your hand. People without exception will love that they can use their dominant (right) hand for payments.

        Oh... I'll show them my hand [wikipedia.org] all right. In fact, I'll show them two [wikimedia.org]!

    • (Score: 4, Insightful) by pTamok on Monday March 04, @08:35PM

      by pTamok (3042) on Monday March 04, @08:35PM (#1347350)

      You can change a password, you cannot change your fingerprint, or the look of the photo of your iris when it is scanned.

      Once your biometric data is compromised, you're permanently fucked!

      You've already hit +5 Insightful, so I can't mod you higher. I can simply only agree.

    • (Score: 5, Insightful) by mcgrew on Tuesday March 05, @12:02AM

      by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday March 05, @12:02AM (#1347378) Homepage Journal

      They should also be leery of using their phone as a wallet! WTF? I'll not let anyone use my wallet, even in an emergency, but I'll let you use my phone. I'd be a fool to use my phone as a wallet.

      It's a PHONE. Phone calls, texts, I'll read the paper or read a Kindle book on it in a waiting room, but using a phone as a wallet is brain dead stupid. The only identifiable data on my phone is my address book and Kindle books.

      --
      mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 4, Interesting) by Beryllium Sphere (r) on Tuesday March 05, @02:16AM

      by Beryllium Sphere (r) (5062) on Tuesday March 05, @02:16AM (#1347394)

      The photo on your driver's license is a biometric. It doesn't have to be kept secret.
      Passwords have to be kept secret because it's the only way to guarantee who has them.
      Biometric security comes from having a trustworthy authentication channel. My phone will not unlock from a picture of me, only from my actual face. But I don't have to keep my face secret.

  • (Score: 2, Insightful) by DannyB on Monday March 04, @07:00PM

    by DannyB (5839) Subscriber Badge on Monday March 04, @07:00PM (#1347326) Journal

    --
    The people who rely on government handouts and refuse to work should be kicked out of congress.
  • (Score: 5, Insightful) by captain normal on Monday March 04, @08:12PM (14 children)

    by captain normal (2205) on Monday March 04, @08:12PM (#1347346)

    Well....

    "This, Visa said in the filing, is what preserves privacy, since the templates are stored on the user device rather than "in some giant database."

    Seems to make it easy for the bad folk. Just take a pipe wrench and bash someone on the head, then use their device to drain their bank accounts, ring up all kinds of charges on their Visa accounts and fly off to anywhere.

    --
    When life isn't going right, go left.
    • (Score: 5, Insightful) by pTamok on Monday March 04, @08:30PM (8 children)

      by pTamok (3042) on Monday March 04, @08:30PM (#1347349)

      When life isn't going right, go left.

      But...Americans really don't like socialism. Apparently, being free to exploit people with fewer resources than yourself is part of the American dream.

      Oddly, some people are against UBI. The argument is, if people have their needs covered, they won't want to work. Billionaires don't seem to avoid getting extra income, even though the incentive for them not to work is far higher. Strange disconnect there.

      • (Score: 5, Insightful) by drussell on Monday March 04, @09:39PM (4 children)

        by drussell (2678) on Monday March 04, @09:39PM (#1347364) Journal

        But...Americans really don't like socialism.

        That is completely incorrect. Americans have been carefully conditioned to recoil at the term "socialist" and to always conflate it with extremist communism.

        Americans love socialist policies! They just don't like them being CALLED socialism! 🙄

        Socialist policies (even some, like "Social Security" for example, that sound socialist, right in the name) routinely poll in the 65-90% support across the entire population.

        Most people there are simply too obtuse to realize that they actually support those things which they have been told and conditioned to hate.

        It is absolutely absurd!!

        • (Score: 4, Interesting) by mcgrew on Tuesday March 05, @12:11AM (3 children)

          by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday March 05, @12:11AM (#1347381) Homepage Journal

          Indeed. I can't remember the fellow's name, but I read that there was a Republican Senator in the 1950s who said "Americans will accept socialism, just not by that name."

          The world's two happiest countries, Finland and Sweden, IINM, are both socialist. We're pretty miserable here in the fascist USA. Most of us, anyway.

          --
          mcgrewbooks.com mcgrew.info nooze.org
          • (Score: 0, Troll) by crafoo on Tuesday March 05, @03:42AM (2 children)

            by crafoo (6639) on Tuesday March 05, @03:42AM (#1347399)

            Finland and Sweden are not real countries. They exist solely at the pleasure and convenience of the real world powers. They are allowed to exist because the USA and to some extent, the EU, says they can. I would say that the "happiness" of these countries (and you should really look into those studies and how the metrics are defined) are happy because they're mostly an ethno-state who has outsourced all of their nasty functions to third world slavers.

            • (Score: 3, Funny) by Anonymous Coward on Tuesday March 05, @03:56AM

              by Anonymous Coward on Tuesday March 05, @03:56AM (#1347403)

              It's been a while since you've been outside, hasn't it?

            • (Score: 1, Informative) by Anonymous Coward on Tuesday March 05, @10:26AM

              by Anonymous Coward on Tuesday March 05, @10:26AM (#1347428)

              Thank you for allowing us to exist. Sweden an ethno-state? You have not been here anytime during the last 30 years or so have you? It's starting to look fairly olive and dark in the skin colour.

      • (Score: 2) by mcgrew on Tuesday March 05, @12:07AM

        by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday March 05, @12:07AM (#1347379) Homepage Journal

        UBI will come, but not yet. I won't see it. When unemployment reaches a certain point as a result of mechanization, it will be necessary and stopping it will be impossible.

        --
        mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 1, Redundant) by crafoo on Tuesday March 05, @03:47AM (1 child)

        by crafoo (6639) on Tuesday March 05, @03:47AM (#1347400)

        on the topic of UBI, why are you desperately yearning for your enslavement? don't you think the powers handing out your UBI will have some things to say about how you live your life? who you report to and how often, maybe a blood and urine sample or two to be sure you're spending it right?

        • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 05, @03:54AM

          by Anonymous Coward on Tuesday March 05, @03:54AM (#1347402)

          I beg your pardon‽‽‽
          Have you considered today's state of things?

    • (Score: 5, Informative) by RS3 on Monday March 04, @09:04PM (3 children)

      by RS3 (6367) on Monday March 04, @09:04PM (#1347356)

      A couple of years ago a friend of mine tumbled down an embankment and wound up unconscious. Turned out he had underlying medical problems.

      Anyway, he got taken to ER and they unlocked his phone using his thumb. He was livid when he found out, and of course changed to a number sequence instead.

      So many things seem like good ideas at first glance. I tell everyone I know and come across: do not trust phones or phone numbers as some kind of security thing. Craziness.

      • (Score: 3, Interesting) by Beryllium Sphere (r) on Tuesday March 05, @02:23AM (2 children)

        by Beryllium Sphere (r) (5062) on Tuesday March 05, @02:23AM (#1347396)

        Isn't that a story about the need for the principle of least privilege?

        If I'm unconscious I want the EMTs or ER personnel to know what medications I'm on, which I'm allergic to, and any chronic conditions I have. Fortunately my phone's OS offers a way for someone with physical access to get that and other information. It doesn't let them into the phone overall.

        • (Score: 2) by RS3 on Tuesday March 05, @03:34AM

          by RS3 (6367) on Tuesday March 05, @03:34AM (#1347398)

          Which phone OS?

          It's a great idea, but there are many scenarios where your phone is damaged/destroyed, lost, etc. For people with conditions, medications, allergies, etc., there exist medical alert / ID bracelets that allow medical personnel to get the pertinent information, medical history, etc. I had a younger brother who had medical problems and wore one.

        • (Score: 3, Interesting) by gnuman on Tuesday March 05, @01:49PM

          by gnuman (5013) on Tuesday March 05, @01:49PM (#1347439)

          There is this Emergency Info page on Android that is accessible from locked phone. You can fill out things, like your blood type, emergency contact, etc. without need to unlock the phone. Unlocking the phone actually makes accessing this information more difficult.

    • (Score: 2) by gnuman on Tuesday March 05, @02:11PM

      by gnuman (5013) on Tuesday March 05, @02:11PM (#1347444)

      Seems to make it easy for the bad folk. Just take a pipe wrench and bash someone on the head, then use their device to drain their bank accounts, ring up all kinds of charges on their Visa accounts and fly off to anywhere.

      s/phone/wallet/

      and you can do same thing with a pipe wrench. Heck, even without a wallet, you can do similar things with a pipe wrench. So I don't understand this outrage here.

  • (Score: 5, Interesting) by Anonymous Coward on Monday March 04, @09:20PM (1 child)

    by Anonymous Coward on Monday March 04, @09:20PM (#1347360)

    Close friend went to board a flight, using the smart-phone boarding pass so common now. But the scanner/reader at that gate was broken. Luckily, they had a paper printout of their boarding pass and got right on. Everyone in line without paper had to go find a kiosk (outside security at this airport), wait in line, get a paper boarding pass, re-enter security. If they were lucky they made the flight.

  • (Score: 3, Insightful) by SomeRandomGeek on Tuesday March 05, @04:59PM

    by SomeRandomGeek (856) on Tuesday March 05, @04:59PM (#1347478)

    On the one hand, I have no idea what VISA is attempting to patent, since everything described in the article has been pretty standard stuff for at least a decade. On the other hand, I don't understand all the hate from the community for VISA trying to have better authentication of payment methods. There seem to be a lot of comments of the form "I can imagine a scenario where they really fuck it up and it is a disaster." But those comments all assume that VISA will do something really stupid which is not actually described in the article.
    The article does not say that VISA intends to require their customers use biometrics.
    The article does not say that VISA intends to continue to require customers to use biometrics even after that those customers biometrics have been compromised.
    The article does not say that VISA intends to store unhashed biometrics that hackers can then steal.

    In case you haven't been paying attention, currently credit cards are basically unauthenticated. The information seen by every low wage employee of every vendor who processes the card is enough to steal that card. Even a poor biometrics implementation would reduce credit card fraud.

(1)