It's probably due to the briefings I've had on fingerprint scanning. I doubt any of you are wondering if there will be a bizarre biometric twist to the mystery of the severed fingertip that turned up in a bowl of Wendy's chili this month. Authorities are sleuthing to track down its origins. This got me thinking about fingerprint—and finger—security.
For many years, fingerprint scanning and other forms of biometric identification have been the purview of ultra-high-security installations. Suddenly, fingerprint scanning has gone mainstream, showing up at airports, libraries, and grocery stores and in personal data-security applications. Now I wonder if the criminal element, ignorant of how the technology works, will consider "hacking" its way into fingerprint-secured applications. This gives a whole new meaning to "digital theft," doesn't it?
Grocery shoppers from Seattle to South Carolina are signing up for new checkout systems. Working in partnership with IBM, Pay By Touch lets shoppers pay using a finger scan linked to their checking account and the stores' loyalty programs. South Carolina's Piggly Wiggly grocery chain says it's had great customer acceptance, so it will roll out Pay By Touch to all its corporate-owned grocery stores next month.
"After only five months in our Charleston locations, more customers are using Pay By Touch Express Checking than any one of the credit card products we accept," says Rich Farrell, vice president of information services at Piggly Wiggly. Pay By Touch also offers a check cashing service via a marketing alliance with Certegy, so consumers enrolled in the program can cash checks via a finger scan as well.
Paris Hilton's infamous lost PDA (and the posting of her personal data onto the Internet) underscores perhaps the hottest new application for biometric identification—securing personal data and personal computing devices. (See "Mobile Storage: Chips Served With Hard-Disk Salsa," p. 67, for the scoop on engineering gigs of on-the-go data.)
AuthenTec Inc., a manufacturer of fingerprint sensors for cell phones, PCs, and PC peripherals, has shipped more than 4 million sensors worldwide. Company cofounder Scott Moody showed me how the EntrePad 1510 sensor enables new functions that are controlled by the swipe of a finger. Each finger has its own print, so the phone can be programmed to dial assigned numbers or perform programmed functions via the scan of certain fingers. Multiple swipes of a finger can correlate to a given command. The sensor detects motion as well, providing mouse-like capabilities for gaming and navigation. The biometric sensors can also be used in a phone to secure M-commerce (mobile commerce), such as the Near Field Communications (NFC) capabilities promoted by Philips and Sony, for contactless smart-card-like functions.
So why incorporate a fingerprint reader into a phone if the fingerprint itself can enable M-commerce? NFC goes beyond a simple ID concept, using two-way communications. For example, the cell phone can wirelessly receive electronic content like music or digital promos, track account balances, or store electronic receipts. Without a fingerprint match, all the e-commerce capabilities (and personal data) are locked and inaccessible to unauthorized users. Additionally, some users will be more comfortable with storing their fingerprint template in their private phone, versus having that template stored in a grocery store or bank system.
Note, though, that neither the Pay By Touch nor the AuthenTec system stores actual fingerprint images. Rather, they store "a set of unique data points," data that the companies say cannot be reverse-engineered to create a fingerprint. The data points are encrypted and stored as a unique algorithm.
AuthenTec sensors and competitive products from Fujitsu and other suppliers are being incorporated into PC keyboards for e-commerce and data security far beyond the everyday password. The advent of the Sarbanes-Oxley Act and the attendant need to build a careful accounting trail fuel further applications for fingerprint ID, as users "sign" documents with digital fingerprints.
But all this secured value revolving around fingerprints brings me back to the fear of a finger being hacked off for data hacking (or, less gruesomely, a cast of a fingerprint being made to fool the readers). I asked Moody whether finger theft could become an issue. He explained that AuthenTec's True Print technology collects images below the surface layer of the skin, "at the live layer where the true print resides." True Print was engineered to negate surface-level contamination issues, but it also ensures that a print matches a live finger.
So as we progress into the brave new world of biometrics, it's important to get the word out: There's no point in hacking off those fingertips!