Fun with Fingerprint Readers

Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.

There's an even easier way

[Beryllium+Sphere(tm)]

The last user will have left a latent print on the reader.

Used to be, you could just shine a flashlight into the reader and get enough contrast out of the previous user's print to satisfy some readers.

There have been improvements since, and it would never have fooled a live finger detector anyway. But it's a good example of low-tech bypassing of high-tech security.

Re:Biometrics

http://www.infowars.com/biometrics_pr.html

One response pro-biometrics

[JackAsh]

I'm a Security Consultant and I'm currently working on purchasing and installing some Biometrics authentication system at my company. This probably makes me biased towards Bio, but at the same time, it also means I've been studying and contemplating the issue for some time now.

Biometrics, like any other system, has it's flaws. Schneier himself points out in a previous article "Biometrics is a unique identifier, not a secret". And now it doesn't even appear to be a unique identifier. So what gives?

What gives is that it's quite possibly the best system around, at least when compared to all the others. What are your alternatives? Passwords? Digital Certificates? Smart (dumb) cards? SecureID tokens? None of these are as unique to a user as a Biometric is. As a matter of fact, NONE of these are unique to a user - Certs are unique to the computer or card they reside on, the cards and tokens are physical objects that anyone can have, and finally your password everyone knows because you wrote it on a Post-It(TM) note on your monitor (or under the keyboard or tape dispenser).

Now, that doesn't mean you can blindly put a Biometrics system in place and call it a day. Installing a setting up Biometrics requires thought, consideration and risk analysis.

To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorigthm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.

Regarding anonymity, it will still exist. Nobody will stop you from going to the ATM and picking up cash before you head to the store to get the Goatse man's greatest gaps volume 16.

Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.

As for the "identification" issue with Biometrics, allow me to illustrate one simple point - most commercial Biometric fingerprint systems have a false acceptance rate of 1 in 100000 at most. Any decently sized organization compiling Biometric data will probably register a heck of a lot more. Identifying a user in a big population from a random biometric sampling is a data processing nightmare - that's why that whole Visionics video-camera-at-stadium thing sucked so bad. Biometrics however are really good for saying "My name is John Doe, and here's a fingerprint (or two) to prove it". Or, at a company case "my userid is jdoe and here's my fingerprint to prove it".

This problem is the identification (finding user in a population) versus authentication (verifying a claimed ID) problem, and it's much discussed in Biometric literature. God knows I've had to preach this one out about 600 times in the past few months when meeting with different departments.

So it really comes down to implementation, and alternatives. You can have your money tied to a credit card number, and when someone finds the receipt you threw away they can impersonate you at Amazon.com until the next bill arrives. Or, you can have it tied to you card, but need a fingerprint to access the card. The idea is enhancing, not necessarily replacing.

As a lot of you have heard, authentication/verification systems usually work with something you know (password, pin), something you have (token, smart card, mag card) or something you are (biometric). The best systems use all of the above.

Even then you still need to figure out your risk scenario. For your average office building with access controls at doors and other entry points a system asking for "userid" and "biometric" will probably be good enough. If you're running a DoD installation with nuclear weapons, I expect a system with ID check, Smartcard, 10 fingerprints, retina scan and password will be necessary (I hope).

Finally to address this cool gelatin crack - this is neat stuff. I'm glad to see that people are coming up with potential attacks - it makes the developers of this stuff work even harder to create systems that can't be fooled. The latest capacitive sensors I've seen might not even be fooled by this - they claim they read the second or third layer of skin, not the external one. But even if it does fool them, it won't in a few months.

Remember, biometrics are not your enemy - if anything they help keep your privacy stronger by providing better control of who gets to pretend to be you (imagine your PGP keys being protected by a passphrase AND a fingerprint or two). There will always be issues with this or any other system - I just can't think of one that will be better than a properly implemented Biometric system.

-Jack Ash

Re:Biometrics

(I don't mean to pick on you, but I wanted to get these facts out)

OK, I haved worked in the fingerprint field for a number of years, and I also implemented one of the these company's own biometric database.

Unlike MS Passport or other single point databases, this biometric database offers little to potential gummy finger manufactures.

1. Fingerprints are not stored as images!! Let me say that 50 times. They store Minutae (critical points generated from pattern analysis of the image). What this means, is you can't reproduce the finger from the points in most cases (certainly not said company's as they use crossover and endpoints, not ridges for minutae) Also, it is VERY easy to tell if someone is replaying minutae to the matcher.

2. Good authentication technology uses biometrics as only a part of the authentication.

3. We split our databases into 4 separate physical locations. (2 redundant, but cryptographically separate pairs for backup purposes). Comprimise would have to occure at 2+ locations, simultanously. Pairs are generated and stored from one time pads with random data.

Only by intercepting the ssl data packets and breaking the 2048 bit encryption would one get at the one time pads (one would also have to match other randomly generated identifiers as well).

In short, there's alot of barriers to break down, and in the end all you get is the stupid minutae (which must be different from the stored minutae).

It's much easier to try to get latent prints and borrow a digital microscope.

Either that, or can someone loan a list of the primes to 1024 bits?