Give your fingerprints for Gym membership?

The fingerprint sensor was connected to a laptop connected via internet to a central server. It was not a standalone device.

I was looking at a manual of one of the products (looks similar to the one I saw)

In the specifications, it says:
Image dimension 272 x 320 pixels
Image bit depth 8bit, 256 grayscale
Resolution 500 dpi

Template SUPREMA / ISO 19794-2 / ANSI 378
Extractor / Matcher MINEX certified and compliant

So there does seem to be an image capture of some sort, and that image is later converted into ISO 19794 format.
It appears to be an insecure system by design, as the image is visible on the laptop (hence transmitted from the device) to the admin/gym employee, and it is not clear if it is stored or logged in the laptop or transmitted to the server.
 
They do mention that their devices use an optical sensor, which means it has a CCD or CMOS just like in a digital camera. But that doesn't mean that it stores or transmits readable scans. What do you think happens in a typical digital camera? The data captured from the sensor goes through a processing unit which does a number of things to the data before it's finally converted/packaged into one of the image formats like BMP/TIFF or even a lossy compression format like JPG.

In a fingerprint scanner, the image itself is captured in a different manner that is more suitable for fingerprints, and it again goes through a processing engine that applies a number of filters to reach a stage where extraction of minutiae data is possible. It probably doesn't and shouldn't even have the hardware/firmware that can convert it to one of the standard image formats since it's not required. Even if it does, the output will not be anything like what you get from a scanner or a camera.

What sort of image did you see on the laptop? Is it an image like with a camera?
 
It looked like the red and gray image below. I assume that the red marks where the template points for the standard format are being identified. However, the fingerprint also seemed to be displayed in gray as in the image below. Whatever the underlying format, it looked like a usable image.
Fingerprint.jpg

It is probably unnecessary to display the image, but the software seems to have this feature
 
I recently checked out Power World Gym, a chain with Indian branches in NCR and Bangalore.
They have a biometric system which members need to use to sign in to the gym. From the company's point of view, I suspect this keeps their costs low and cuts down on fraud, though this could also be easily achieved with a membership card with name and photo or the old-fashioned way of just having staff who recognize their customers (it was a small gym).

Not sure if they store the fingerprint itself or just a hash. When I asked about some details of what was being stored, the staff did not have any clear idea. I was not comfortable with signing up, so I left.

Curious if some other gyms (or other small and local businesses) have also started such a practice. What would you do if you were asked for biometrics?

If you were comfortable giving your prints to Aadhaar, where you already compromised on everything, there shouldn't be any hesitation in gym or offices.
 
Not really. If your biometrics were not compromised at the time of Aadhaar enrollment, it's claimed that they are secure. Aadhaar user details have been leaked numerous times, but not biometrics as far as I am aware.
Each time you provide biometrics, whether to the government or a private entity with no safeguards, there is a risk. Why increase the risk? E.g. if this gym does store raw biometrics, it could be potentially used to spoof Aadhaar someday.

If you were comfortable giving your prints to Aadhaar, where you already compromised on everything, there shouldn't be any hesitation in gym or offices.

The only exception is if you think that there is no choice, e.g. if your employer insists on it, or the government mandates it.
 
Well even if your employer insists you should resist on personal and security grounds or best leave that organization. Why come under pressure when govt is above pvt. Better read all the parameters before working for or enrolling for such services.

The world is already secured as well as compromised at the very same time, and it's already way too late to think on such factors, as the world is adopting all these technologies already in every scenario and thousands are already enrolling without fear.

Our data was already compromised the day we started using smartphones so you really never know who has your bank details or wives birthday or even private pics.
Whatever happens later no one can be blamed except ourselves.
 
... it could be potentially used to spoof Aadhaar someday

Most people will not realise or refuse to realise how much of a risk this is.

No matter how secure the scanner is supposed to be, there's always a possibility that someone could be saving the raw data and not just a hash of the scan.

... or wives birthday...

Jeez man, what kind of birthday parties are people having these days??? :p
 
Sadly, even after the 'plague' people are back to their old ways, polluting and destroying.
 