Thu, 27 Oct 2005

And enough of that ...

I'm going to drop the biometrics topic for a while. (Stand by for something completely different.)

In the meantime, I'd just like to add that the uncorrected proofs of the Ace trade paperback of "The Atrocity Archives" arrived today, and they look great! It's officially on sale as of January 3rd, and I'll add a "buy it now" link shortly.

Flawed reasoning

I said (last week) I'd dissect Dave's responses to my comments on biometric payments. Having had time to digest them, I'm not sure such a dissection is necessary. Rather, I'd like to make some observations:

Firstly, Dave is right in one key observation -- that Visa, Mastercard, and the other card issuing agencies screw the merchants with their fees and the public with their interest rates. (Here in the UK, Barclaycard, one of the most respectable -- and biggest -- card issuers, charges as standard an APR of around 19% on outstanding balances on their credit cards. This is in the context of a bank base rate almost 14% lower. Such interest rate gouging is normally associated with loan sharks, and their treatment of small merchants is little better.)

Moreover, the credit/debit card infrastructure is an improvised Heath-Robinson lashup. What originated as a modest voucher-payment system aimed at business travellers in the 1950s has sprouted into a monstrous half-assed identity verification system using a combination of cards and passwords (your PIN) that provide access to the banking system for virtually everyone. Additional features have been bolted on top of the original specifications, compromising the security and integrity of the system. Nobody in their right mind would have designed a system like this, but nobody in their right mind did so -- it just sort of grew, and replacing it is, on the face of things, a good idea.

However, replacing the existing infrastructure purely because the proposed replacement is cheaper is not the right reason.

One of the things I picked up during my time inside Datacash is that the business of banking is not, at heart, about lending money: it's about managing risk. If you extend credit to people, and in return they repay the loans and pay you fees or interest, your profits depend not only on the interest rate, but on the proportion of borrowers who default on their payments. It also depends on the degree to which you are exposed to fraud. Identity theft is the current fashionable form of fraud carried out by individuals and small groups of criminals, because flaws in the existing banking and credit infrastructure make it relatively easy to perpetrate.

Now, biometric systems in general do not prevent fraud. All they can achieve is to verify that an individual possessing certain physical characteristics was involved in one or more transactions. (Furthermore, the error rate is sufficiently high in most systems that you may not even be able to prove that much.) If you can obtain biometrically authenticated identification tokens using, say, a stolen birth certificate or the birth certificate of a baby who died at the age of 18 months in a foreign country (and who has therefore not had a death certificate filed in their country of birth), you can quite easily masquerade as someone else. And because biometric ID is being mis-sold as a tool for providing proof of identity, rather than as a mechanism for confirming continuity of identity, a successful identity thief who has equipped themselves with valid biometrics is in a position to manipulate the trust we place in these supposedly infallible markers (as the biometrics companies would like us to believe in them).

If I have a beef with the deployment of biometrics, it's not so much with micropayment systems such as BioPay's -- where the amount at stake is low -- but with the systematic misrepresentation by government agencies of an intrusive government identity registry as a security feature. Rather than going into it at length here I'd just like to refer interested readers to comments by Microsoft UK's National Technology Officer, Jerry Fishenden, who warns that the UK ID card scheme will trigger massive identity fraud, to Barry Kefauver of the International Civil Aviation Organization who says that biometric passports alone won't counter terrorism threats, and to Bruce Schneier who points out that biometric identification systems are no stronger than the protocol used to register a new user on the system (which is to say, they're as weak as the weakest acceptable documentation required to obtain an ID).

Biometrics are only really useful when there's a trusted path from the reader to the verifier, and when new identities on the system are confirmed with a high degree of precision. If there's a loose link in the chain -- for example, if fingerprint data are sent over a data network for authentication using weak encryption, or if documents are mailed via fraud-riddled postal services where they can be intercepted by criminals -- they offer no additional margin of security over existing practices, and indeed may make things much worse because of the widespread perception that biometrics prove identity rather than indicating continuity.
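To make the "trusted path from the reader to the verifier" point concrete, here is an added example (mine, not code from the page or from any payment vendor) contrasting two ways a terminal might submit a digitised print to a back-end verifier. The 40-byte feature vector, the account number, the reader identifier and the per-reader key are all constructed for the demonstration. The naive design sends the template and the account number as-is, so anyone who captures one transaction on the wire can replay it; the second design has the verifier issue a single-use nonce and requires the reader to MAC the nonce, account and template with a key provisioned to that terminal, so a captured message cannot be resubmitted and a stolen template alone cannot be used without a reader key.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumptions, not from the page): a 40-byte feature
# vector standing in for the digitised print, one enrolled account, one reader.
TEMPLATE = bytes(range(40))
ENROLLED = {"acct-0001": TEMPLATE}
READER_KEYS = {"reader-7": os.urandom(32)}   # provisioned per terminal


class NaiveVerifier:
    """Reader ships (account, template); verifier compares. Anything that can
    see the wire can capture the pair and resend it indefinitely."""

    def __init__(self, enrolled):
        self.enrolled = enrolled

    def verify(self, account, template):
        return hmac.compare_digest(self.enrolled.get(account, b""), template)


def reader_tag(key, nonce, account, template):
    """What an honest reader computes over the verifier's nonce before sending."""
    return hmac.new(key, nonce + account.encode() + template, hashlib.sha256).digest()


class ChallengeVerifier:
    """Verifier issues a fresh nonce; the reader MACs nonce||account||template
    with its provisioned key. A captured message cannot be replayed (the nonce
    is consumed on first use) and a bare template cannot be submitted (no key)."""

    def __init__(self, enrolled, reader_keys):
        self.enrolled = enrolled
        self.reader_keys = reader_keys
        self.outstanding = {}          # nonce -> reader_id, removed when used

    def challenge(self, reader_id):
        nonce = os.urandom(16)
        self.outstanding[nonce] = reader_id
        return nonce

    def verify(self, reader_id, nonce, account, template, tag):
        if self.outstanding.pop(nonce, None) != reader_id:
            return False               # unknown nonce, or already spent: replay
        key = self.reader_keys.get(reader_id)
        if key is None:
            return False               # unprovisioned terminal
        expected = reader_tag(key, nonce, account, template)
        if not hmac.compare_digest(expected, tag):
            return False               # message not produced by a keyed reader
        return hmac.compare_digest(self.enrolled.get(account, b""), template)


def run_scenarios():
    """Returns a dict of outcomes; True means the verifier accepted."""
    out = {}

    # 1. Naive path: a sniffed (account, template) pair replays successfully.
    naive = NaiveVerifier(ENROLLED)
    sniffed = ("acct-0001", TEMPLATE)
    out["naive_genuine"] = naive.verify(*sniffed)
    out["naive_replay"] = naive.verify(*sniffed)     # attacker resends the pair

    # 2. Challenge path: a genuine transaction from reader-7.
    cv = ChallengeVerifier(ENROLLED, READER_KEYS)
    nonce = cv.challenge("reader-7")
    tag = reader_tag(READER_KEYS["reader-7"], nonce, "acct-0001", TEMPLATE)
    msg = ("reader-7", nonce, "acct-0001", TEMPLATE, tag)
    out["cr_genuine"] = cv.verify(*msg)

    # 3. Attacker captured the whole message and resends it: nonce already spent.
    out["cr_replay"] = cv.verify(*msg)

    # 4. Attacker holds the template (say, from a leaked database) but no reader
    #    key: obtains a fresh nonce and forges a tag under a guessed key.
    nonce2 = cv.challenge("reader-7")
    bad_tag = reader_tag(b"\x00" * 32, nonce2, "acct-0001", TEMPLATE)
    out["cr_template_only"] = cv.verify("reader-7", nonce2, "acct-0001", TEMPLATE, bad_tag)

    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:18s} accepted={accepted}")
```

Two caveats worth stating. The challenge design adds freshness and reader authentication, nothing more: the template still crosses the network in the clear unless the link is also encrypted, and a terminal whose key has been extracted can authenticate whatever it is shown. Neither design does anything about the verifier's own database, which still has to hold every enrolled template in a comparable form.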

Fri, 21 Oct 2005

Speaking of authentication ...

Here's how the British clearing banks nearly collapsed during the 1990s due to ATM fraud.

(If you were wondering why the Chip and PIN system was rolled out -- at vast expense -- so abruptly, here's why, in a nutshell.)

Incidentally, if you think the moral of that story is that PINs are no good, you're wrong -- the real issues it exposes are that (a) banks are horribly exposed these days, and (b) any central database that is responsible for the transfer of money is a target for attacks on its authentication mechanism. (Moving to biometrics, in my view, merely creates a central authentication database full of authentication tokens that will attract criminals like a honeypot. And unlike a PIN, your bank can't issue you a new set of fingerprints or iris patterns if your biometrics are compromised.)

More on Imaginary Crimes

I've been away for a week (and recovering from a flu bug before that). While I was away, Dave Edelman emailed me a couple of responses to the article on biometrics I posted on the 8th (right below this one). Dave works for BioPay (although he does not speak for them in an official capacity), so you can take his comments as representative of -- but not an official response from -- folks who work in the biometric authentication/payment business.

I normally run this blog as my own personal soapbox (or bully pulpit, if you want to be uncharitable) but I think Dave's comments deserve to be heard, so with his permission, I reproduce them here. I'll post my own thoughts on his responses later.

(Full disclosure also requires me to state that, when it comes to talking about the credit card clearing system, I was lead programmer at Datacash from approximately two weeks before the company was formed, leaving shortly after its IPO. However, (a) I left some five years ago, and (b) the British credit card settlement system operates rather differently from the American one.)

Over to Dave:

A couple of quick responses. (And yes, I work for BioPay, but I don't speak for them in an official capacity.)

1 - While it's probably feasible to forge someone else's fingerprint, it's *extremely* easy to swipe someone's credit card number or print out fake checks in their name. Obviously.

2 - Finger scanning is just phase 1. As soon as other biometric technologies (iris, face, etc.) get quick and cheap enough to use at point-of-sale, we'll probably be moving on, or using a combination of biometric verification.

3 - You're right that the selling point for the merchant is that it's cheaper. WAY cheaper. Right now Visa screws small merchants by taking a 2% cut off every purchase. Banks do the same with debit. BP transactions cost as little as 10 cents. Unless you're Starbucks or Walmart and can negotiate low credit card transaction rates, the difference in transaction fee can literally make the difference between making a profit and losing money -- we're talking thousands of dollars every month. Just one more way the small merchant gets fucked out of business.

4 - Right now (and for the next few years, at least) all of the vendors using BP and PBT are selling small-ticket items. You can't buy a car or a Powerbook with biometrics. If someone goes through all the hassle of forging a fingerprint, all they'll get out of it right now is a few cups of coffee and a trip to the grocery store. If someone steals your checkbook, they could walk away with a Lexus.

5 - Biometric verification isn't perfect. But it's here today, you can use it, it's cheap. The fraud protection systems protecting checks and credit cards -- which are accepted everywhere -- are laughable.

So, there you have a first grab-bag of general objections to the anti-biometrics position. I'm probably not giving anything away if I say that Dave's comments haven't changed my position, but they demand a response, and I'll give it shortly.

(Meanwhile, go read Dave's book when it comes out.)

Sat, 08 Oct 2005

Imaginary crimes

Predicting the future isn't actually the core of an SF writer's job, although it's what everybody seems to expect us to try -- and fail -- to do.

On the other hand, it's a fun hobby and sometimes you get one right. And the flipside of it is, it's often easier to spot an on-coming clusterfuck than a successful new technology.

Regular readers of this blog will know that I have a serious down on national identity cards and biometric authentication technologies. One of my reasons for disliking these technologies (besides the obvious one that biometrics all assume human beings are invariant over time -- we aren't, we're squishy things that change shape -- and mechanising identity recognition in this way is merely going to replace one category of recognition error with a range of new and exciting ones) is that the deployment of biometrically authenticated ID by the state, backed by (presumably) the best systems they can afford, will legitimize biometric ID in the public perception, leading to all sorts of other abuses.

If you wonder what this has to do with you, let me give you an example of an inappropriate use of biometric ID, and a form of identity fraud that doesn't exist yet but that could wipe out your bank account in five years' time.

American corporations have a touching faith in better living through technology, and Pay By Touch Solutions and their rivals Biopay are no exceptions. As The Register explains, these companies want you to register your fingerprints and bank account details with them. You will then be able to purchase goods from stores participating in their network by simply typing in your bank account number and using your fingerprint to authenticate that you are, really and truly, the account holder.

As the director of Pay by Touch told The Register, "the primary reason consumers sign up is for convenience," ... "They don't need a wallet or purse. When it becomes more ubiquitous, consumers won't have to carry cards around."

Note that the fingerprint authentication companies don't actually send a snapshot of your fingerprint from the finger reading terminal to the corporate database for checking: they digitize it, create a set of forty variables that are defined by your print, and compare them to the database contents. But they keep your fingerprints on file all the same.
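The paragraph above (readers send a few dozen derived variables, but the company keeps your prints on file) and the remark in the 21 October entry that a bank can't issue you new fingerprints the way it can issue a new PIN are two halves of the same problem, and an added example shows why. This is my code, not anything from the page or from either vendor; the minutiae templates (x, y, ridge angle) are constructed, the probe is assumed to be already aligned to the enrolled template (real matchers do an alignment step first), and the tolerances and threshold are illustrative. A PIN can be stored as a salted, stretched hash and compared exactly. A fresh capture of the same finger never reproduces the enrolled template bit for bit, so an exact digest of the template is useless for verification, and the verifier has to keep something comparable to the template itself. That is what makes the central database a honeypot, and it is also why a leaked template cannot simply be "reset".

```python
import hashlib
import hmac
import math
import os

# Constructed sample templates (assumptions, not real print data): each
# minutia is (x, y, ridge angle in degrees). The probe is already roughly
# aligned to the enrolled template; real matchers align first.
ENROLLED = [(10, 20, 30), (50, 60, 90), (80, 30, 180), (120, 90, 270), (40, 100, 45)]
# Same finger, fresh capture: every point jittered by a few pixels and degrees.
PROBE = [(12, 17, 35), (53, 58, 88), (78, 33, 184), (123, 88, 265), (41, 103, 49)]
# A different finger altogether.
OTHER = [(200, 200, 0), (210, 180, 120), (150, 220, 300), (190, 150, 60), (230, 210, 200)]


def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(enrolled, probe, pos_tol=6.0, ang_tol=10.0):
    """Fraction of minutiae that pair up within tolerance (greedy one-to-one)."""
    used = set()
    paired = 0
    for x, y, a in enrolled:
        for j, (x2, y2, a2) in enumerate(probe):
            if j in used:
                continue
            if math.hypot(x - x2, y - y2) <= pos_tol and _angle_diff(a, a2) <= ang_tol:
                used.add(j)
                paired += 1
                break
    return paired / max(len(enrolled), len(probe))


def verify_template(enrolled, probe, threshold=0.6):
    """Biometric decision: the threshold trades false accepts against false rejects.
    Note the verifier needs `enrolled` in the clear to compute this at all."""
    return match_score(enrolled, probe) >= threshold


def template_hash(template):
    """Exact digest of a template. Not usable as a stored credential: a genuine
    re-capture of the same finger does not hash to the same value."""
    return hashlib.sha256(repr(sorted(template)).encode()).hexdigest()


def enrol_pin(pin, salt=None):
    """What a bank can do with a PIN: keep only a salted, stretched hash,
    and issue a new PIN if the old one leaks."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def check_pin(stored, pin):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("same finger, fresh capture:", match_score(ENROLLED, PROBE))
    print("different finger:          ", match_score(ENROLLED, OTHER))
    print("hash(enrolled) == hash(probe)?",
          template_hash(ENROLLED) == template_hash(PROBE))
    stored = enrol_pin("1234")
    print("PIN check:", check_pin(stored, "1234"), check_pin(stored, "1235"))
```

The fuzzy comparison is the whole reason the stored template has to be recoverable by the verifier; the hashed PIN never is. Template-protection schemes that try to close this gap exist, but they are not what the page describes these vendors as doing, and none of them changes the fact that the underlying finger cannot be rotated.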

Now, there are some minor obvious flaws with any fingerprint reading system, starting with: don't use it when you've just been swimming. (Your skin swells up, obscuring your prints.) Don't use it if you've got eczema (I've got it, and it periodically wipes 20-30% of my fingerprints for a period of months or years). Don't burn your fingertip on the cooking range or you won't be able to buy any plasters. Wash your hands after every payment (after all, you don't think the shops will wipe down their readers every minute, do you? And the guy before you was probably scratching his ass right before he paid.) You'll have no joy using it if you're an amputee either ... but I digress.

One huge problem with this system is that if a criminal entrepreneur can figure out a way of faking out fingerprint readers, and can get their hands on a copy of your fingerprints and your bank account info, you are in a world of hurt.

Think it's impossible? Think again. A couple of enterprising students at Yokohama National University demonstrated, a couple of years ago, that it's trivially easy -- a kitchen worktop job, basically -- to cook up a "fake finger" that will fool a biometric scanner. Here's their paper on faking fingerprint readers.

A number of refinements to their techniques suggest themselves immediately. Suppose you are the criminal entrepreneur I mentioned earlier, and thanks to some discreet blackmail you've gotten hold of a backup DVD containing a database of fingerprint photographs and their associated bank account numbers. What can you do with it?

First you buy a gizmo called a 3D printer. 3D printers are tools for manufacturing three dimensional models out of resin, wax, sintered metal, or other substances; here's an overview of current desktop rapid prototyping tools, priced from US $7500 to $50,000. (Don't worry about the cost, your victims are the ones who'll pay for it.) I'd probably look into the Roland MDX-15/20 if I was doing this. The requirement is simple: you want a machine that you can feed a CAD diagram to, and which will then mill you a small metal mold -- the MDX-15 and MDX-20 are sold as "ideal for jewelry and model making", which I guess this job qualifies as.

Second, you or your accomplices in crime figure out a way of importing the fingerprint images into a CAD application. You're going to need to put some programming effort into this because what you want to do is to make a mold suitable for casting latex or silicone finger cots (dyed flesh-tone, naturally) engraved with a negative of the fingerprint.

Finally, you need a scheme that will allow you to deploy your fingerprint-reader-fooling bank fraud profitably. Because I don't want to encourage criminality I'm not going to give you one, but I can think of two right off the top of my head that drastically reduce the risk of being caught while maximizing the revenue stream. Hint: if you can turn the printed finger cots out on a production-line basis and package them, you've got something the size and shape of a sealed condom that you can sell for a thousand dollars a pop.

Now, it so happens that the Matsumoto dude's paper did not go unnoticed back in 2002. Everyone who's serious about fingerprints as a biometric is now looking at the next step: verifying that the fingerprint is attached to a finger. (Wax dummies need not apply.) But the main techniques -- an infrared camera to check that the finger is at body temperature, with bone and blood vessels -- won't work against a molded finger cot. You'd also need to check that the surface in contact with the scanner is skin. Which leads to the next logical escalation: fingerprint-modification.

It's not hard to modify your fingerprints temporarily. Just put your hand in a bowl of warm (or cold: warm is more comfortable) water for half an hour, then look at your pinky. It's wrinkled, right? After a period of immersion your skin absorbs water and swells. Now, I'd like you to imagine that rather than immersing your hand in water, you've immersed your pinky in a finger-cot molded with someone else's fingerprints -- with an irritant or inflammatory in the grooves but not on the ridges (possibly some formulation containing a small amount of a mustard agent). Your fingertip will become sore -- but the swelling will not be evenly distributed: it will follow the pattern of someone else's fingerprint.

This latter step is more speculative, but I see no reason why it can't be done. And short of going way beyond simple fingerprinting, to include iris recognition or DNA scanning or whatever, there's no easy way of preventing it.

There are two selling points in fingerprints-for-paying-for-groceries. One selling point is to you, the public: it's convenient. And the dirty little secret they won't tell you is that the selling point for the grocery stores is, it's cheap. Cheaper than credit card readers, faster, or simply packs more customers in because of the perceived convenience factor. Security is not a selling point for biometrics, other than in the most tenuous magical-thinking manner. And you can bet that those global databases of fingerprints and account numbers are going to be a huge target for every hacker on the planet, simply because of their value.

Security god Bruce Schneier said, "a decade ago, no one really knew what use a database of a million credit card numbers would be - turns out you can do a lot of things with it." ... "Right now, we are not at the point that there are obvious uses of fingerprint, but 'I don't know' is not a good response when discussing security threats." Personally, I think Bruce is an optimist. You can walk into a WalMart today, drop a thousand pounds, and walk out with a computer, scanner, and software that would allow you to forge any US banknote in circulation back in the 1980s with minimal risk of trivial detection. Another few years and you'll be able to buy a computer that can crack 1999's 60-bit SSL encrypted credit card transactions in minutes or hours.

The pace of change is accelerating in biometrics: I reckon the gap between payment mechanisms coming on the scene and powerful tools for cracking them reaching consumer-level prices may be as little as five to ten years. It's reasonable to suppose that the current arms race between police and thieves will continue: after all, the more trust we place in any identification technology, the more valuable an exploit that invalidates it will become. And yesterday's centralized biometric database is tomorrow's criminal identity hacking accessory.

Final note. It is getting one hell of a lot too easy to pick up fingerprints. Here's an educational latent fingerprint kit you can buy online, with enough material to take twenty sets of prints; here's where the cops buy theirs. If I were you, I'd take to wearing gloves whenever I go out in public! In fact, I think that might just be one of the wacky social changes I throw into my next SF novel, ten years hence: all the banking IT geeks will have added silk gloves to their work wardrobe. Ten years after that they'll all be into ceramic terylene burkas to reduce the risk of DNA leakage -- but that's another story.

Thu, 06 Oct 2005

Filling In

So, on Monday I finished the final presubmission draft of "The Jennifer Morgue" and mailed it to my editor. Then I got my teeth into some other administrivia that had been building up while I went over deadline (my own personal one, not the one in the book contract) on TJM. I'm off next Friday to an SF convention in Ireland, so I thought I'd get everything nailed down and ship-shape before departure -- TJM is the last novel I've actually got a signed contract for at present, so I could go away knowing I had actually finished everything.

Which is probably why I promptly came down with the cold from hell; nose auditioning for an SFX role in a low-budget Lovecraft movie (green ichor generator), occasional racking cough (caused by breathing through my mouth and getting dried out -- see nose, above), the usual. It's beginning to ease off now, but I'm basically in sick-day mode (slouch around in dressing gown, drink lots of orange juice, surf various web comics, read a non-challenging novel). And guess what? The minor bits of work probably won't be finished before I go away, and I'm expecting a couple of new book contracts to show up Real Soon Now (if not a bunch of copy edits to keep me company when I expected to be on vacation).

On the subject of previous ramblings: it looks like the worst-case outcome from this year's season of hurricanes in the Gulf of Mexico has been averted -- at least as far as the aftermath of Katrina and Rita is concerned -- but the consequences are going to be with us for years to come, echoing around the world. Governments have suddenly noticed that there's not enough elasticity in the oil supply chain; the move by the big US oil companies to shut excess oil refinery capacity in the 1990s and move to a just in time model has given us the first real large-scale demonstration that just-in-time logistic systems are very brittle and can be broken by relatively predictable spikes in demand or once-a-decade problems.

The reason I keep rambling around this isn't because I've got some kind of axe to grind over the petrochemical economy or global climate change (although I'm pretty sure that anybody who doesn't believe in the latter is axe-grinding at this stage), but because I'm fascinated by the behaviour of complex systems.

Our civilization runs on a much slimmer margin than most of us realize. As a cost-saving measure, the corporate policy of the past three decades has been to abolish warehouses and stockpiles wherever possible and to use information technology to streamline logistical processes. If you go to Apple or Dell's web site and order a computer (or if you go to your local Ford dealership for a car), you may think you've bought one and it's being delivered -- but in practice, the computer (or car) doesn't exist yet; what happens is, your order triggers a series of cascading requisitions for parts, almost all the way down to the factory in Taiwan that makes the resin the chips are embedded in, and those parts are shipped to factories and assembled, and the assemblies are shipped to a final factory for final assembly and packaging, and the package is shipped to your door (or the car dealership) via a packet-switched network of considerable complexity.

Stockpiles represent capital that is locked up, not in motion generating wealth. If you minimize your stockpiles of parts (or oil, or pork bellies, or whatever) you can make your investment capital work more efficiently. But efficiency is the enemy of flexibility. If your computer factory works the old-fashioned way, building boxes on a production line and warehousing them until someone buys them, then a hiccup in the supply of some vital widget won't stop the company selling computers -- it'll just cause the stockpile to drop. In contrast, a just-in-time system stalls instantly if just one critical component becomes unavailable.

There's an added twist to consider: our high-tech consumer gadgets are deflationary. Their value drops rapidly from the moment they're manufactured. Two years ago, a 42" plasma TV would have set me back £3500-5000; today, I can buy one (if I want) for £1000-1800. If you do stockpile goods, the stockpile is not merely an inefficient use of capital -- it's a drain on your profits.

The consequence of this is that high-tech businesses mediated by the internet ( is the classic example) are far more brittle and vulnerable to external disruption than their old-fashioned predecessors.

Oil is the obvious choke-point. We need oil to power our transport infrastructure -- all the delivery vans that bring supplies to our neighbourhood shops, or our doorsteps. We also use oil to deliver oil -- to filling stations, to refineries via supertanker -- and if the pipeline stalls, not only does the oil become expensive but, by and by, the means of delivering the oil becomes inaccessible.

I need to go and read some more on the collapse of complex civilizations. But here's a parting thought: these brittle networks propagate the side-effects whenever a single node breaks down. It may be that some time in the future, the US economy is brought low not by a hurricane in the Gulf taking out domestic oil refinery capacity -- but by a typhoon in the Pacific damaging some unmapped critical dependency in the supply paths used by the world's largest companies to keep their pipelines moving. Simply making the USA -- or the EU -- self-sufficient in energy supplies isn't enough; to address the problem, we need to wean ourselves off the cult of efficiency at the expense of resilience.

