Slashdot Mirror
Fun with Fingerprint Readers
Two pieces of news that came in today make a fun counterpoint to each other. First, a grocery chain is trying out a biometric checkout system. Bring your groceries, pay with a fingerprint. Unfortunately, a story in Bruce Schneier's monthly newsletter notes that fingerprint scanners can be fooled with a bit of gelatin.
Can I buy the Gelatine at the Store and use it to falsely pay for my groceries? How convenient! :)
'mmmmmmmmm.... forbidden donut'
Could someone please explain the problem with biometrics for ID? I mean, I get the creeps when I think about companies storing biometric data, but I'm not sure why. Why should I be scared? This is a legitimate question. Please outline a scenario for misuse, or the downsides to using biometrics for identification.
Thanks.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
I'd rather that someone be able to go through a fair amount of trouble and fool the device, because if they didn't, then they might have to resort to cutting off my finger. Give them an easier way, and one that leaves me digitally intact!
Any way you look at it, it's still more secure than credit card numbers. Then again, you can always cancel your credit card number. What would you do here, cancel that finger, and start using another? You can only do that for so long...
Kevin Fox
Bill Cosby... As a security consultant? Yikes.
Mod me if I'm wrong, but this still sounds like a fairly secure system. Right now, any old bum can steal a credit card and run down to Safeway. With this, people have to put in a little effort to card that bottle of JD. There will always be holes.
Wow, this is a much better solution than I've been using, and much less bloody.
Need Free Juniper/NetScreen Support? JuniperForum
People were lifting latent fingerprints and using litography to create fake fingerprint readers a decade ago (although Im pretty sure they used some sort of plastic latex or silicone or something, makes a lot more sense than gelatin). On national TV no less, the nation being the Netherlands. Our major Airport was using a fingerprint system for VIPs to bypass the passport checks in those days, so it made a nice splash.
... fingerprints were tried and rejected a long time ago, why are we still seeing shit like this now?
That airport also funded development of an iris scanner they are using at the moment BTW, which is now being licensed to IBM and some others
Macgyver did this with a glass and some candle wax :)
(B) + (D) + (B) + (D) = (K) + (&)
Bruce quotes research showing that you *can* fake fingerprints. Something that the vendors claim is impossible.
However, the kroeger system falls back to the old "bring something, know something" mode which makes it much more secure.
Sure someone can duplicate my fingerprint (how easy that would be to both do and hide when checking out is another point, but let's assume that it's reasonable to lift a latent print, make a mold and check through without the clerk noticing), but they still must know my pin.
This is no worse than the current system of debit cards with mag stripes on the back that are trivial to duplicate with not much more equipment.
It is, however, much more convenient.
Assuming I can change my pin to be something other than my telephone number, I'd use this system.
"His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional"
Bah! Too much work - I just wanna shape shift ala Mystique!
Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses
Yes - leave those purses out in the car so the guy stealing your stereo can get your credit cards too.
Kroger customer Mary Smith said she has a daughter in Katy who wants nothing to do with the finger image method of payment. She told her mother that it is "a way to get into your identity."
It's funny, Smith said, "you'd think it would be the old fart who'd be afraid."
This is funny because she doesn't appear to realize that her daughters fear is based on having more knowledge about technology and is justified fear. She is thinking "I'm not old- I'm cool and cutting edge." and that vanity is letting her opt in to a system where one day her checking account will be cleaned out by a bunch of tweakers who got her fingerprints off her car door and bought all the sudafed they could carry. Smart enough to build a meth lab - smart enough to make gelatin fingers.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
tsutomu@mlab.jks.ynu.ac.jp
someone is going to find a whole shitload of emails tomorrow morning
The last user will have left a latent print on the reader.
Used to be, you could just shine a flashlight into the reader and get enough contrast out of the previous user's print to satisfy some readers.
There have been improvements since, and it would never have fooled a live finger detector anyway. But it's a good example of low-tech bypassing of high-tech security.
Fingerprint scanners can be fooled with gelatin, but I heard on the radio this morning (BBC Radio 1) that George Bush wants to use them to control access to the United States. If it was my country, I'd rather a more secure method of access control was being looked into. Before this article, I wasn't aware of any problems with fingerprint scanners. As for using them to pay, I know they can be used for saying either: (1) Yes this person is who they say they are, or (2) No this person is not who they say they are, but thought that it wasn't feasible to use the fingerprint to look up an individual in a database.
Follow me
How can you care about the risk of someone faking your finger print when most financial transactions are verified with a signature?
Hacker Media
This certainly doesn't mean that biometrics based on fingerprints should be ruled out.
Just as you need both a username and a password to log in to any computer system, a combination of a fingerprint and password, or fingerprint and pin should be used for any reasonable authentication.
Combined with decent access controls (this person may only do X at Y time) and a complete audit of actions, fingerprint biometrics can fit nicely into an extremely secure environment.
I'd certainly rather use my finger than my RSA number keychain!
I'm heading for Krogers and buying me a life time supply of caffine and HoHo's!
Never answer an anonymous letter. - Yogi Berra
NOTE: Locations will be based on best deals, and include E-Coupons and such, as well as projected route
Painless, quick, and efficient. That's how grocery stores should operate. Forget fingerprint scanners. Eliminate the long checkout lines, crowded aisles, and rude people.
Were these experiments performed for Starfleet? His presentation logo looks like the Starfleet logo.
Miko O'Sullivan
The way a biometric database *Should* work is to take some data points from the image and then create a hashfrom the data points. This should be done for the same reason you should NOT store passwords, but rather their hash. The other reason for hashing the data is that is going to be much smaller and quicker to search. OTOH drives are cheap and...
A ton of people are posting that this - combined w/a pin is super secure.
I've got one question.
How long do you think you will last when that guy cutting off your finger is yelling at you to tell him the pin?
I'm guessing for the average joe it will be measured in seconds. (Especially as the media and powers that be preach this constant message of 'just hand over whatever they want - don't fight back')
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
They give a brief mention to Kroger in the linked article as well..
=-=-=-=-=-=-=-=-=
Oh bother.
"Women in particular appreciate SecureTouch, he said, because they don't have to bring in their purses."
So they leave it in plan sight in the car, so they can come back to a broken window and and a missing purse. (not to mention all of those unmentionalbes inside the purse)
Let's leave out, for now, the fact that it's not possible to verify this claim at all: there's no way to test all living people and compare their prints. This is troubling, but a bit of a red herring.
More troubling is the way fingerprinting is practiced. There's a case in Philly right now where a federal judge has prohibited the prosecution from testifying that two fingerprints "match." From this article: The answers, respectively, are "no," "no one knows," and "no."
I'm home sick and I don't feel like doing more research on this right now. The above links and Google will help if you want to look at it more.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Once this guy makes eyeballs out of jell-o, and fools a retina scanner, I'll shake his hand!
In the US he might be sued for reverse engineering practices by the security companies.
I wonder if I get a higher credit limit on my thumb than any of the other digits.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Ban gelatin.
What?
No going in and squezing the vegetables?
No trying to put boxes of condoms in old ladies troleys?
No sneeking a peek at the cashiers boobs?
What's the fun of that???
True it is insecure. But the problem is that there is a common belief that it is secure. When this mindset gets into the people, they trust it without checking/verifying the security.
For example, let's say that some scientist said that he invented a calculator that is almost never wrong. Now a common person using this would assume that it is always right. They aren't going to double check the results when they see that 2+2=5. I've simplified it a lot, but I mean, how often do you double check the receipts after you buy stuff at the grocery store? I think Dateline had reported that 3 out of 10 items at grocery stores are usually rung out wrong.
The thing with credit cards and cash is that merchants know what to watch out for. (ie strip of paper inside cash, checking with bank with credit card).. In addition, most of the times, you need access to the credit card number or the CC itself. But for a finger print, if someone steals it, you can't call up a bank and tell them that someone is using your finger print and you want them to cancel it. Also, if everyone assumes it's so secure, are they going to believe you and have the same security features (such as you not being responsible for the charges) when you report it "stolen"
The only way it would work is for your fingerprint to replace your signature...even then, there's still some inherent insecurities..
_______________________________
"I'm not Conceited...I'm just a realist..."
I understand that security needs to be tight when it comes to money, but I think that although this guy brings up some interesting points, I think that this method of purchase is more secure than most of our purchases done today. Cash can be stolen, so can credit cards, and people can forge your checks. So what's the big deal with the capability to duplicated fingerprints. I think it would be much harder to get a clear fingerprint from someone without their knowing than to pickpocket them and steal their wallet. The only problem I can see with this is that you can't just go and have your fingerprints changed (unless you have a lot of money), so this would be more permanent. I think that adding a 6 digit pin would fix this problem.
How to fake retinal scans using mirrored contacts and laser etching. Story on next year's Slashdot.
>> within a minute of pulling in, I pull out with my groceries... never left the car!
In that case, why not just stay at home while your car drives itself?
Maybe they don't need Men anymore? To turn them on with those Secure Touches?
Another tasty solution to beating facial recognition?
See also this +5 thread regarding the limitations of biometrics, featuring another Bruce Schneirism. (Does Slashdot love Bruce or what?)
I'm a Security Consultant and I'm currently working on purchasing and installing some Biometrics authentication system at my company. This probably makes me biased towards Bio, but at the same time, it also means I've been studying and contemplating the issue for some time now.
Biometrics, like any other system, has it's flaws. Schneier himself points out in a previous article "Biometrics is a unique identifier, not a secret". And now it doesn't even appear to be a unique identifier. So what gives?
What gives is that it's quite possibly the best system around, at least when compared to all the others. What are your alternatives? Passwords? Digital Certificates? Smart (dumb) cards? SecureID tokens? None of these are as unique to a user as a Biometric is. As a matter of fact, NONE of these are unique to a user - Certs are unique to the computer or card they reside on, the cards and tokens are physical objects that anyone can have, and finally your password everyone knows because you wrote it on a Post-It(TM) note on your monitor (or under the keyboard or tape dispenser).
Now, that doesn't mean you can blindly put a Biometrics system in place and call it a day. Installing a setting up Biometrics requires thought, consideration and risk analysis.
To answer some of the fears, no, most Biometrics databases don't give you anything when compromised. Why? Because they don't store the biometric. They merely store minutiae from the sample. These can be loosely defined as a series of data points illustrating some of the salient features of the biometric registered. If it's your fingerprint, the database merely contains a bunch of vectors illustrating where the most important ridges and forks and such are on your print. THIS INFORMATION IS NOT ENOUGH TO RECOVER THE PRINT. It's encryption, it's processing (the database might be encrypted, though). While you could potentially create a Biometric from the minutiae (assuming you understood the data format and what it describes) that fooled the algorigthm the minutiae were sampled from, your "faked" fingerprint would not fool a different algorithm.
Regarding anonymity, it will still exist. Nobody will stop you from going to the ATM and picking up cash before you head to the store to get the Goatse man's greatest gaps volume 16.
Anonymity needs to exist, but so does liability and responsibility. That ever-necessary anonymity will continue to exist, and you will probably be able to get it just as well as you can now. The difference is you will not be able to erase yourself and get away from your previous responsibilities/liabilities. The two are different concepts.
As for the "identification" issue with Biometrics, allow me to illustrate one simple point - most commercial Biometric fingerprint systems have a false acceptance rate of 1 in 100000 at most. Any decently sized organization compiling Biometric data will probably register a heck of a lot more. Identifying a user in a big population from a random biometric sampling is a data processing nightmare - that's why that whole Visionics video-camera-at-stadium thing sucked so bad. Biometrics however are really good for saying "My name is John Doe, and here's a fingerprint (or two) to prove it". Or, at a company case "my userid is jdoe and here's my fingerprint to prove it".
This problem is the identification (finding user in a population) versus authentication (verifying a claimed ID) problem, and it's much discussed in Biometric literature. God knows I've had to preach this one out about 600 times in the past few months when meeting with different departments.
So it really comes down to implementation, and alternatives. You can have your money tied to a credit card number, and when someone finds the receipt you threw away they can impersonate you at Amazon.com until the next bill arrives. Or, you can have it tied to you card, but need a fingerprint to access the card. The idea is enhancing, not necessarily replacing.
As a lot of you have heard, authentication/verification systems usually work with something you know (password, pin), something you have (token, smart card, mag card) or something you are (biometric). The best systems use all of the above.
Even then you still need to figure out your risk scenario. For your average office building with access controls at doors and other entry points a system asking for "userid" and "biometric" will probably be good enough. If you're running a DoD installation with nuclear weapons, I expect a system with ID check, Smartcard, 10 fingerprints, retina scan and password will be necessary (I hope).
Finally to address this cool gelatin crack - this is neat stuff. I'm glad to see that people are coming up with potential attacks - it makes the developers of this stuff work even harder to create systems that can't be fooled. The latest capacitive sensors I've seen might not even be fooled by this - they claim they read the second or third layer of skin, not the external one. But even if it does fool them, it won't in a few months.
Remember, biometrics are not your enemy - if anything they help keep your privacy stronger by providing better control of who gets to pretend to be you (imagine your PGP keys being protected by a passphrase AND a fingerprint or two). There will always be issues with this or any other system - I just can't think of one that will be better than a properly implemented Biometric system.
-Jack Ash
For any transaction where something ther than hard cash is accepted (and I am using transaction is a broad sense here, such as being able to enter a secured area for exampleas well as making a purchase), it is necessary to authenitcate the client, be it with a credit card number, signature, photo id, fingerprint, retinal scan, facial scan, DNA test, some other mechanism or a combination.
In all such transactions:
- Authentication is necessary. (ie the transaction requires at least one of these mechanisms).
- All the authentication methods are vulnerable - no security mechansim is perfect.
- All of these could be subverted by to invade your privacy.
However, if you can't use cash for your transaction or you prefer not to for the convenience, you've got to live with the authentication tradeoffs.
As pointed out, authentication is necessary for many transactions - there is no escaping this fact. So the best questions when evaluating the technology is RELATIVE to its alternatives.
So fingerprint readers can be spoofed easily (assuming you can get a copy of the finger you want to copy, which is not necessarily easy). Well credit cards numbers can be obtained and used fradulently; signatures can be forged.
None of these mechanisms are fundamentally good or bad. However, I believe having alternatives IS good for two reasons:
1. It provides competition between different authentication mechanisms so that people get a choice in what security/convenience tradoff they want to make.
2. Having multiple authentication mechanisms automatically increases the diversity of the authentication infrastructure which means that it is harder for an organisation to subvert because they need to coordinate your identity across multiple systems rather than having a single one.
In the scenario described (and many previous articles on the same subject at Slashdot), these new systems augment rather than replace existing ones. As long as this continues to be the case, I am more than happy for these mechanisms to exists and compete.
So I just signed up for a project next year using PDAs and biomentrics from ST Microelectronics. Anyone used their fingerpring reco kit? Is it any good?
"The new wave is not value-added; it's garbage-subtracted" - Esther Dyson, Dec 1994
We used to have a fingerprint scanner to access work, and it was pretty good for the most part. The most annoying things were that some people's finger's took several attempts to ID, and if you did anything that abraded your fingers, this also stopped it ID-ing. Since it was just a finger scanner/touchpad box mounted externally and an embedded 68k inside to drive it, it would probably be interesting to build using a cheap scanner.
It was a standard joke that you had to return your fingers when you finished working.
Xix.
"Everything is adjustable, provided you have the right tools"
WTF are you talking about? No one has ever asked me for ID with my credit card in the 1000's of purchases I've made (except for the times I'd forgotten to sign the back). No one checks signatures either. I've purchased thousands of dollars worth of computer and electronic equipment without supplying an ID. Maybe you live in a much more paranoid city/country but in CT/NYC I've never been hassled.
So I was wrong to laugh my ass off when hollywood spy types glued false "finger prints" to their digits... I have the good grace to admit that!
But what about retinal scanners?
If Arnie is locked out of a secret military compound trying saving the "presidents"/"a friend's"/"his own" "daughter"/"wife"/"pet cockerspaniel" and he comes up against a retinal scanner...
Well then he's still gonna have to handle that the good ol' fashion way...
By ripping out the "Drug Lord's"/"Mafia Boss's"/"Buddy gone bad's" eye ball!
It's comforting to know that some things will never change.
:)
The first $10 gelatin trick requires you to have the original finger.
"Hey, let me use your finger so I can copy it and steal stuff with your prints!"
The second method that allows latent prints to be used requires more work. Still, if you have a laser printer, I'd estimate it runs only $50-100. And the costs of the trick can probably be reduced quite a bit.
As to the security issues: Prints alone = bad. Prints + PIN = Somewhat bad. But most crooks prolly aren't going to be that desperate.
It is probably best to use fingerprints as a method of correcting for the deficiencies of credit cards. i.e. verifying that the person with the card is indeed the owner.
It's probably most useful if fingerprint scanners can ever be made economical for the home user - Person makes a CC purchase online, pushes their thumb on a reader, and the image of their thumb gets hashed and sent to the CC company for verification. As a result, a CC thief has to steal the user's fingerprint in addition to their CC #. Theft of a fingerprint no longer means you've permanently lost its usefulness, as it's only used in conjunction with other methods. Your only problem is that the next time around the thief only needs to yoink your CC # - But I have a feeling repeat strikes of CC theft almost never happen.
retrorocket.o not found, launch anyway?
that won't beat retinal scans which also check for blood flow...
Given that it is evidently trivial to dupe a fingerprint in gelatin...
How many people already have their prints on file? No...not just criminals. People who have been arrested, but not convicted. Members of the military, police, child care workers. Children of paranoid parents, etc, etc, ad infinitum. All 'respectable' persons. Clear prints, already in electronic format, ready to be stolen/hacked/duplicated and used.
Think about THAT when the vote comes up for biometric entry into the country.
All the 'kid registration' over the last few years has been a desensitization to this point.
After working with biometric readers for quite some time, I wont mention names, but the most "awarded" biometric reader in the world can be tricked by simply blowing on it. Yes, blow warm moist air on it. The heat/moisture of the breath and the "residue" of the previously scanned finger tricks the reader in to thinking its a "live" finger. So faking the last user of the reader is a piece of cake. I've tested this thoroughly, lots of fingers, lots of people, works a treat.
Several people have pointed out the issue of key revocation (you'll find it very hard to type).
But what's worse in *this* particular case is the demonstration that latent finger prints can near-trivially be developed into a fingerprint glove that fools the device. Just picture it... A would-be thieve would watch you in the supermarket, picking up a bottle of Coke, put it back because you do prefer Mountain Dew after all. He picks up that bottle by the neck, pays for it with cash. From there on he could plunder your credit card.
Sounds scary to me...
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
SF, CA. The only time people ask to check Id is if you write "Check ID" on the back of your credit card, instead of having a signature.
Kevin Fox
1. Present finger for scanning
2. Scan matches fingerprint to ID record
3. Checker's terminal displays photo of recognized person
4. Checker notices that the fingerwielder looks nothing like the registered fingerowner.
5. Fingerwielder flees.
Alternatively, you can require a PIN code to use in conjunction with the scan. This is what they did at High Tech Burrito when they tested a thumb-scan system in Berkeley.
Kevin Fox
a recent email response from a rep for the Authentec line of fingerprint scanners regarding use of their scanner via a "stolen" finger:
...
"I checked into your question regarding the fingerprint scanner. The
fingerprint scanner requires a live layer of skin to work. A finger that
has been cut off will still be "live" for a certain period of time and will
therefore work in the scanner. The actual time frame has not been
determined as no one has volunteered to be a test subject." ...
Soon, everybody who's now cloning cell phones will be able to do this. So much for fingerprint-based biometrics.
My local supermarket charges 5.99 for chicken unless you carry their wallet cookie, in which case you qualify for the super special 1.99 price. 1.99 just happens to be the pre-shopper-card price.
Next, they'll demand a fingerprint in order to qualify to buy food at non-extortionary prices.
Shaws, Stop and Shop, Kroger... You should rot in hell.
I've experimented with a popular fingerprint reader.
If the previous person to use the reader had greasy or sweaty hands, and they don't intentionally wipe or smear the plate you can fake their print easily.
Either hold your palm closely over the plate, or breath gently over the reader. Enough to create enough warmth to simulate a finger.
With a little practice I could do it over and over. Quite fun giving a demo to security people!
That might prove harder than reading a password off a PostIt note stuck to a 3278 terminal.
Geting a usable print that isn't smudged in some respect is not that easy. Ask any AFIS operator. Getting the right finger from a glass is also hard if the glass was rotated in the least.
Its not likely to be done on casual contact.
It requires collusion or coercion.
That's no reason to give up on biometrics yet.
No temperature sensor on the unit? (I'm sure that the gummy bear wasn't the same temperature as the guy's finger. Yuck.)
And I can't forget my finger at home.
I still like a LONG biometric password (my fingerprint) for logging on.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
We discussed the same thing only a couple of weeks ago, see this article. Looks like a different grocery chain this time though...
Al.The Daily ACK - Eclectic posts by yet another hacker
What happens when someone creates a viable spoof of my biometric ID? (Thimbprint, retinal scan, whatever.) They can fake being me. So we include a PIN that I can change and I'm good again, right?
Think about the last time you went to the DMV. Is it staffed by high-paid security consultants? Or is it more likely to have employees who will see that your thumbprint matches and go ahead and give you the new license to replace the one you "lost"?
The "average Joe" will believe that thumbprints are authoritative and probably use that confirmation as sufficient evidence to reset your PIN for you, completely circumventing the system.
Don't believe me? I went to the post office recently. They have a policy that they won't accept credit cards that aren't signed. Mine has "See ID" written on the back, because I don't want anyone accepting it without checking an ID. Their policy, which the helpful employee showed me a copy of, said that in order to accept my ID he had to watch me sign it in his presence, then check my ID. Had I stolen the card and simply signed it in the parking lot before entering, he would have accepted it.
And the more "authoritative" the ID method is, the more likely someone will trust it. If a biometric only seems more secure than a plastic card with a mag strip, then we will have decreased actual security. So the real problem isn't "How do I keep someone from spoofing my biometrics?" It's "How do I keep a minimum-wage clerk from accepting the spoofed biometrics?"
Nope, no sig
Obviously, the next step is for Congress to outlaw gloves.
Unix is user friendly, it's just selective about who its friends are.
... could I use this same trick to put someone else's fingerprints on a gun?
I guess the fingerprints wouldn't be made out of the right stuff, but would it be likely to fool the police?