I can only see this going into a very dystopian path. Based on their actions, I don’t trust these companies, their security practices, nor their privacy policies. Why would I give them my biometrics? And my full palm, at that!? Hell no!

  • frustbox@lemmy.ml
    link
    fedilink
    arrow-up
    37
    arrow-down
    1
    ·
    1 year ago

    One scar away from losing access to your ability to pay …

    Biometrics can not really be changed. Except maybe through time or trauma (i.e. age or injury). They can be used to uniquely(?) identify a person - except maybe twins - at the expense of anonymity, which has it’s own set of problems.

    But because they can not easily be changed they’re a terrible security feature. Once they leak, they’re unusable and you’re hosed. You can’t issue a new palm print for your bank account like you could a new chip card and password.

    Also, just because you waved your hand over a scanner does not mean that you approve and consent of the transaction. With tap to pay there were ideas of mobile point of sales devices just tapping on peoples backpacks in a crowded area. You don’t even keep your biometrics markers in your pocket, they’re just out in the open for anyone with a camera. This may be bordering on paranoia, but a few years back (2014) German hackers from Chaos Computer Club took iris scans from Angela Merkel (then Chancellor of Germany) and finger prints of Ursula von der Leyen (then Minister of defense) using nothing but press fotos. Cameras have only gotten better.

    TL;DR: Biometrics can be used for identification but should never be used for authorisation.

    • TWeaK@lemm.ee
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Paying with your phone works on the presumption that your phone is locked and you accept responsibility for ensuring your phone wasn’t breached. It uses contactless technology, but it’s still effectively chip and pin as far as your bank is concerned.

      Meanwhile, paying with a contactless card is processed as “cardholder not present” where the seller assumes de facto liability and must prove otherwise. Contactless payments were never a new type of card processing, it was a new method but is categorised the same as when mail/phone ordering from a catalogue. The same with online purchases. They were always a step below card & signature or chip & pin. Paying with your phone is the same as chip & pin though, where the onus is on you to ensure the transaction is secure.

      Paying with your hand has all sorts of issues making it impractical. You would definitely need an additional confirmation eg PIN, but claiming that your hand is as secure as a traditional card doesn’t lend well to pinning the liability on you. So banks are unlikely to use it.

    • Blackmist@feddit.uk
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Biometrics also aren’t great and uniqueness. At least where computers are concerned.

      Recently we had one of our customers install fingerprint readers on their points of sale, the idea being any staff member can log in just by touching the pad. Even with only a few hundred staff registered, you get people logging in as each other.

      • AWistfulNihilist@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I worked with Kronos, had their top tier biometrics in a 1,000+ employee company.

        1. The data is only as good as the person loading the data.

        2. Some people don’t have good fingerprints.

        It was bad enough that of you had a person with a bad fingerprint, Kronos would just take ANY input. It would even tell you if a persons fingerprint wasn’t good enough. It happened fucking constantly.

        So either it’s so good you can’t escape it, it is so bad you can’t use it to identify anyone uniquely. It’s literally either a threat or an inconvenience.

  • dan@lemm.ee
    link
    fedilink
    English
    arrow-up
    35
    ·
    1 year ago

    Shit no! You know what you can’t change if/when they inevitably leak your data? Your fucking hand.

  • Dissasterix @lemmy.world
    link
    fedilink
    arrow-up
    33
    arrow-down
    2
    ·
    1 year ago

    Its hard to believe anyone would use the thing. It’ll be more problematic if/when its used for regulatory purposes. Sort of at the desensitization still. Today.

    I had to take a State exam for licensure a few years back. I was told that I had to take a palm/vein scan to prove my identity. I informed her Ive never had one so it could not prove my identity-- but hey, Im the crazy one. Its on a server somewhere now tho… Modernity is pretty stupid, tbh.

    • guajojo@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      The thing it these readers are so convenient, my only complain is I wish they would work as the password hash technology. But as of right now we don’t know for sure if that machine is saving a “hash” of your palm or is directly saving a copy of the original biometric data that would allow it to “recreate” your biometric ID somewhere else

      • Dissasterix @lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I dont think its even that convenient! It requires electricity, web connectivity and loads of digital logic. My state ID just tangibly exists.

    • zefiax@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      I would probably use it. Sounds convenient, don’t have to take out my phone or wallet.

  • ReakDuck@lemmy.ml
    link
    fedilink
    arrow-up
    28
    arrow-down
    2
    ·
    1 year ago

    I hope this tech stays where ever the fuck it is and never touches Europe

  • ImFresh3x@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    I like to do this at Whole Foods in front of my anti vax friends and tell them about how cool it is to have a chip that lets me pay by waving my hand.

    • perviouslyiner@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Embedded RFID? How is it like living with one of those in you? Deviant talks about how convenient they can be for cloning things like your hotel room key.

  • Stoneykins [any]@mander.xyz
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    1 year ago

    I still think the idea of tech implants are cool but I’ve also reached the point where I wouldn’t get one unless I learned to build it myself and was in charge of every single aspect of it.

    Considering I lack degrees in medicine and computer science, I don’t think I’ll have them done anytime soon lol

  • stevedidwhat_infosec@infosec.pub
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    16
    ·
    1 year ago

    Forget about privacy, this is just fucking dumb

    One point of failure that can’t be replaced if stolen?

    This won’t ever take off, and will most definitely die out quickly in favor of literally any other technique including just embedding an nfc chip and battery to your palm surgically. Which I probably still wouldn’t be thrilled about but

    • 𝕸𝖔𝖘𝖘@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      I’ve see where you can pay with your fingerprint at some venders. It’s a similar concept, in terms of single point of failure. Regardless, I hope you’re right.

      E: **mostly right. I won’t embed anything in my skin for payments. CC or cash or phone NFC (and I don’t like that one for it’s security implications). That’s it.

    • Melody Fwygon@lemmy.one
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Who needs an NFC chip when you can just place a nail shaped NFC sticker on them and gel paint over them? We don’t need implantables; those could get copied anyways and cause the need for unnecessary surgeries to replace them as well.

      Buy the tags; apply them to your nails and paint them any color you want; pair them to your phone and use appropriate username + password + 2FA + Fingerprint combos to authenticate to your financial institution.

      Lost a nail? No big deal. The tags don’t carry financial data; they just provide a URI to the merchant; which can ping your phone/smartwatch and ensure that you are:

      • Present at the location.
      • Not too far away from pay terminal.
      • Have not signaled to your devices you are under duress. (Spoken keyword and/or excessively stressed biosigns)
      • Have not blocked spending by tap.
  • phase@lemmy.8th.world
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    Someone took the novel “The Java Script Café” from “Stealing the network: How to own an identity” (page 141) and made a business model for it.