[WSJ] Giving security the finger.

I Find Karma (adam@cs.caltech.edu)
Mon, 10 Aug 1998 09:17:00 -0700

I keep thinking of Rohit's munchkinview of the world: a munchkin, like a
person, is born with nothing but a unique identity (in this case,
fingerprints are the encoding). And then you give ways to keep any
munchkin from spoofing any other munchkin's identity -- although with
the case of people's fingerprints, spoofing could be nasty:

> The company has grappled with some grisly fraud scenarios. Fearing that
> some criminals might be motivated to slice off someone's finger in order
> to make use of the print, the company installed a sensor that would
> measure the user's body temperature and heart beat.

The full article follows...

> Companies in Sweden Offer Other Solutions For Securing Internet --- New
> `Digital Signatures' Come In Form of Fingerprints, Instead of Passwords,
> PINs
> By Almar Latour
> The Wall Street Journal
> 08/10/98
> STOCKHOLM -- Would you get fingerprinted to check your bank statement?
> If you are in Sweden, you might.
> As the number of Internet users in Sweden grows rapidly, companies are
> developing a variety of security solutions for banking and commerce on
> the Web.
> Swedish banks aggressively encourage their clients to conduct their
> banking transactions at home, and Swedish government institutions are
> pushing citizens to fill out forms on their home personal computers.
> Such sensitive transactions require security, and the Swedes like to
> regulate and organize Internet matters, and security issues, in great
> detail. Swedish banks have tried to develop a common standard for
> Internet transactions, while lawmakers are discussing the legalities of
> "digital signatures" -- an issue that also is being discussed at the
> European Commission.
> Sweden's highly organized society has traditionally relied heavily on an
> ID-card system. Whenever people want to sign a check or use a credit
> card, they have to show an additional official ID card that features
> their state number.
> "It's natural for us to search for solutions to protect your identity on
> the Internet," said Ann-Marie Nilsson, president of Swedish IT Companies
> Organization in Stockholm, a group of 500 technology companies. "We use
> the Internet intensively and, culturally, we are used to showing our IDs
> with every minor transaction."
> The country is on the cutting edge of Internet usage, with three million
> Swedes, or one-third of the country's population, regularly logging on
> to the Web. There is even a pilot program featuring a small focus group
> that will vote via the Internet in the September national elections.
> One company that is thriving as a result of Sweden's focus on Internet
> security is iD2 Technologies, a small Stockholm business that develops
> and sells technology to secure financial services on the Internet. It
> has received more queries -- and orders -- than it can handle from
> governments to postal services to retail banks. The reason for all the
> attention? Formed in April 1996, iD2 designed a system providing an
> extremely high level of identification security on the Internet.
> The technology is called public key infrastructure and relies on
> so-called asymmetric encryption -- an identification system that
> features two digital keys: one that is kept in a public data bank and
> another that is kept on a user's personal ID card. For example, each
> time a consumer banking from home wants to execute a transaction, he
> inserts his card into a device the size of a computer mouse and punches
> in a personal identification number, or PIN. Then, the key in his card
> is matched with the card in the public data bank. If the security system
> finds the match, the user can access his account.
> "The technology is hard to explain," said Bjorn Gustavsson, president of
> iD2 and a veteran manager in the information-technology industry. "But
> its applications are generally easy to use."
> In December last year, MeritaNordbanken, the largest retail bank in the
> Nordic region, launched an on-line banking system using iD2 technology
> for the system's identification security. MeritaNordbanken estimates it
> will have about 70,000 customers using its Internet system by year end.
> With about 5,000 more customers signing up every month, the bank saw
> good reason to invest more than 26 million kronor ($3.3 million) in
> Internet security this year alone.
> "We need to take action to prevent the worst from happening," said Jari
> Nyholm, manager of IT security at MeritaNordbanken. "Throughout the
> world, the Swedes are perhaps the most frequent users of the
> Internet -- people here want it to be safe to do business there."
> Currently owned by AU-Systems, a joint venture between Swedish phone
> company Telia AB and Telefon AB L.M. Ericsson, iD2 is now handling other
> ambitious projects. It is developing a national ID smart card for
> Finland's postal service and is creating security technology for Funai
> Electric Co. of Japan for a low-cost device that will provide Web
> services on television sets. "We are well-financed at the moment," Mr.
> Gustavsson said. "But if the industry growth continues, we might go
> public in the next two years."
> Another company, Fingerprint Cards AB, is taking identification-security
> technology a step further. Based in Gothenburg, on Sweden's west coast,
> the company is developing technology that may one day replace bank-card
> codes and passwords with, well, fingerprints. Springing from a partially
> state-funded research project in the 1980s, the company recently
> developed a system that combines a sensor that reads fingerprints,
> software that identifies fingerprints and a microprocessor that matches
> fingerprint data.
> With Fingerprint Cards' technology, instead of punching in numbers to
> access computer systems, users would carry an identity card that has a
> three-dimensional fingerprint digitally stored inside. To activate
> devices, or to access accounts, users would insert their card in a
> card-reading device. Then, the user places his finger on a reading
> device. A sensor reads the print and verifies it with the fingerprint
> stored inside the card.
> The company has grappled with some grisly fraud scenarios. Fearing that
> some criminals might be motivated to slice off someone's finger in order
> to make use of the print, the company installed a sensor that would
> measure the user's body temperature and heart beat.


You can have my encryption algorithm... when you pry my cold dead
fingers from its private key.
-- John Barlow, Decrypting the Puzzle Palace