Comment by octoberfranklin
Comment by octoberfranklin 4 days ago
Wear an NFC ring on your finger.
Unlike your palmprint, you can get a new ring with a new private key if yours is compromised.
Yeah 25 years ago people said stuff like that about fingerprint scanners, and then they got hacked by literal gummy bears:
https://www.theregister.com/2002/05/16/gummi_bears_defeat_fi...
For 2020s-era palm scanners you don't have to replicate a 3D hand -- just like a video chat doesn't replicate my 3D face. You just have to emit photons (some of them infrared, yes) in the correct pattern. The hack won't look like a 3D-printed hand, it'll look like a display panel that works beyond visible wavelengths. It'll probably be some device developed for a totally unrelated market, and then one day "whoops, all those palm scanners are 0wn3d" (natürlich auf Deutsch) will be a talk title at CCC.
But all this is academic. The real problem with biometrics is that when your password is a body part, you can't change your password.
I agree and I get it. But at the same time, it is only used for payment and discounts at the grocery store. Payment with a card is even less secure here in the US. So, I do not think that Amazon Go was particularly unsecured since it was just for credit card payment.
If someone manages to replicate my pulsing blood vessels from my hand and trick the scanner, that would be fine. I would dispute the purchase, and the store would not even pull the camera footage, and just refund.
Amazon Go was not used to hold access to bank accounts or crypto wallets. I think it was a good technology and balance between convenience and security, for the purpose (grocery loyalty and payment).
A twin or even sometimes a relative (son and mother) can open an iPhone and its banking apps using the facial recognition. That is more concerning to me than Amazon Go palm scanning for groceries.
> Payment with a card is even less secure here in the US.
This is not even remotely true. Credit card chips do real cryptography.
It's been a decade since I saw a card terminal without a chip reader, except for parking meters and soft drink vending machines.
It all boils down to the tradeoff between convenience and security. I don't think it is particularly easy to replicate a living hand with all the blood vessels. And it is not particularly easy to get an NFC ring with a secure element compatible with payment terminals.
I thought that the engineering team at Amazon did a great job with Amazon One. I wish someone could pick up the tech and carry on.