- The Washington Times - Wednesday, November 9, 2005

A large and persistent nuisance is the need to prove your identity. On the Internet, you have passwords for your bank, mutual funds, Amazon, EBay, e-mail account, Internet service provider, PayPal and subscription publications. In your wallet, you carry a driver’s license, corporate ID, credit cards, and on and on.

We are used to it, but it is burdensome. It is also unnecessary. Suppose that infallible electronic fingerprint readers existed. (The readers exist. The infallible part is another matter.) Suppose that a policeman then asks for your “driver’s license.” You put your hand on the reader he offers. It transmits your prints by radio to the central police computer, which determines that, yes, you have a valid license.

Easy. Painless. No, “Gee, officer, I must have left it. …” The potential convenience of such a system is enormous. To buy an airline ticket from your travel agent, you push the Visa button and put your hand on the reader. Your prints, heavily encrypted, go to Visa, which responds that payment is authorized. No card.

To buy a ticket online, your computer has a reader. You don’t need to enter, or even to know, your card number. To fly, no ticket. And no passport: A reader will check your prints against the database at the State Department, where your information will be stored.

The key is that if you can decisively prove your identity, the information normally on cards can be remotely stored.

We are creeping up on this. A company called PayByTouch offers pretty much the scenario described above. From its Web site: “Imagine this. At checkout, you place your finger on a small scanner. Instantly, you see a list of your payment accounts on a screen. You select one of them using a familiar keypad, approve the amount of the purchase, rewards points or discounts are automatically applied, and you’re done. No cards, checks, cash — or hassle.” Bingo.

The company stresses that it doesn’t actually use your fingerprint, but a mathematical formulation calculated from 40 characteristics (“points,” in police jargon).

It is, according to Pay By Touch, impossible to re-create your print from the mathematical expression.

Pay By Touch isn’t the only firm with the technology: BioPay offers a similar service, and both are garnering clients.

Not all is roses with this scheme, however. (Though, to be fair, no other system, certainly including the current ones, is perfectly secure.) According to Security Focus, “at least one of BioPay’s practices has raised eyebrows among security and privacy experts.

Although PayByTouch executives say the company does not keep the original image of the fingerprints used by the customer to enroll, BioPay does, storing two fingerprints images from each of its 2 million customers encrypted in an offline database.”

An underlying problem is that a fingerprint, unlike a password, cannot be changed. Once your print gets stolen, it is stolen for life. All sorts of places already store prints, such as the police and the military. Some state governments, such as Virginia, require prints for the issue of concealed-carry permits. Some ID cards have prints on them.

The scams and countermeasures possible in principle are many, but much more difficult than merely stealing a credit card number.

Nothing is perfectly secure. But if the approach is at least as secure as present methods, which it seems to be, and lots more convenient, which it certainly is, we’ll see more of it.


