Good Thinking

Using smartphone photos as fingerprints could help fight identity theft

Using smartphone photos as fin...
In tests, the system has proven to be 99.5 percent accurate
In tests, the system has proven to be 99.5 percent accurate
View 1 Image
In tests, the system has proven to be 99.5 percent accurate
In tests, the system has proven to be 99.5 percent accurate

Sorry, but your smartphone's camera isn't perfect. Its image sensor contains microscopic manufacturing flaws, which show up in its photos as tiny imperfections known as photo-response non-uniformity (PRNU). Because each phone has its own unique PRNU pattern, scientists from the University at Buffalo have proposed that it could be used as a form of personal identification.

It was already known that stand-alone digital cameras each have a distinct PRNU, which can be used to match photos to the camera that took them. Fifty sample photos are required for the matching process, however, which would prove impractical in an ID-checking scenario.

Because smartphone cameras tend to have significantly smaller image sensors than stand-alones, however, the flaws in those sensors show up much more in the photos. As a result, the U Buffalo team discovered that just a single shot is all that's required to match the PRNU in a smartphone photo to the phone that took it.

In a system proposed by the scientists, users would start off by registering with a bank, retailer or other institution that regularly needed to check their ID. Part of that registration process would involve supplying a photo taken by their smartphone, from which a reference copy of their PRNU could be obtained.

From there, whenever they needed to prove their identity, they would be presented with an image of two QR codes, displayed on the screen of an ATM or cash register. They would take a photo of that display, using their phone, then use an app to send that photo to the bank/retailer/etc. As long as the PRNU in the shot of the QR codes matched the one on file for that user, their identity would be authenticated. For added security, the QR codes would contain information that was specific to each transaction.

The technology has so far proven 99.5 accurate, in tests involving 16,000 photos and 30 different iPhone 6s smartphones and 10 different Galaxy Note 5s smartphones.

Led by Prof. Kui Ren, the research is described in an open-access paper.

Source: University at Buffalo

Like the yellow microdots in printers, this was probably a calculated effort.
The minor variations in sensor cell sensitivity will be detectable if the image is captured as RAW, but they are immediately lost during any type of lossy compression, e.g. JPEG.
And unfortunately this system is very susceptible to a third party impersonating a victim. All it takes is access to a victim's phone or potentially just a single RAW image taken with it. At that point the variations could be easily added to any raw image on any device.
Nice idea, but a $0.20 secure identity IC is still the better way to go.
99.5% - so what happens to every 200th user? " Sorry: no cash for you. Have a nice day. "
The other option is to let them get their cash anyhow... which means so can the bad guys...
Not to mention the extra time and effort - the lines at ATM machines are bad enough already: this mad idea would double them.