Fingerprint Scanners Still Easy to Fool
Anlan writes "A Swedish student wrote her Master's thesis about current fingerprint technology. After a thorough literature study some live testing took place. Simple DIY fingerprint copies were used (detailed how-to in the thesis). Have current commercial products improved as much as proponents claim? Well, this quote from the abstract says it all: 'The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint. Nine different systems were tested at the CeBIT trade fair in Germany and all were deceived. Three other different systems were put up against more extensive tests with three different subjects. All systems were circumvented with all subjects' artificial fingerprints, but with varying results.' You can guess how happy the sales people at CeBIT were - most systems claim to be spoof proof..."
So, will they remove these fingerprint scanners, in the US International Airport?
Trolling using another account since 2005.
Shhhhhhhhhhhhhhhhhhh!!!!!
Please remember this the next time a non-productive "feature" is uncovered.
Don't let your fingerprints get copied. Wear gloves ALL the time. Problem solved.
Hmmm.
That's great to know that some of the world's most sophisticated security systems can be circumvented with Jell-O
make sure not to touch your car much or leave it parked in the same place too long.
An easy way to fix this, although I am no expert, is to make the fingerprint scanners heat sensitive. If the fingerprint matches and is within 1 degree of 98.6 F, then it opens. I think that would prevent people from holding a thing of gelatin against it, and it would prevent people from holding a lighter under it, because it has to be within 1 degree. It's not a flawless way to fix it, but it would make it at least a bit more difficult to foil, neh?
Help! I'm being repressed!
"I'll show you a finger, Trebek!"
- SNL Celebrity Jeopardy
Think of the simple RSA keyfob some of us carry; it gives us a number and we use that PLUS a password to get into secure systems (have + know).
Carry this one step further and have the system check your fingerprint/handprint/iris/whatever PLUS ask for a password.
I personally think it's damn scary in this age of terrorism that someone could fake a biometric and get onto a plane; if the airlines for example issued me a unique password to go along with fingerprint (or whatever) recognition then I'd feel a whole bunch better about the entire process and the underlying technologies.
..the passports to be changed yet again, to have "better", "smart" fingerprint recognition/imprinting techniques?
http://efil.blogspot.com/
These have been, and probably always will be easy to fool. If anyone needs ultra-high security, it's doubtful that they'd choose this form of biometrics to begin with, unless they themselves are foolish.
As is true with any security measure, if it can be beaten, the geeks will find a way.
From the document abstract... "A description of different liveness detection methods is presented and discussed. Methods requiring extra hardware use temperature, pulse, blood pressure, electric resistance, etc., and methods using already existent information in the system use skin deformation, pores, perspiration, etc."
Who cares about the scanners when the real problem lies in something entirely different?
People say I'm crazy, I got diamonds on the soles of my shoes...
For the Swedish bikini team anyway, should use other "appendages" to authenticate the message.
Just wanted to interject... I suppose it depends on whether you have one that bounces small radio signals off of the inside of your finger or one that simply captures an image. Certain fingerprint readers bounce radio signals off of the inside of your finger and read the underlying tissue structure (no, I'm not going to plug the product here). This prevents people from doing what she did at the trade convention. Fingerprint technology is always improving, and I'm sure that the industry will take this to heart and make these things even more complex. When you get right down to it, the systems aren't as complex as you might think. Most fingerplate templates weigh in from anywhere to 300 - 600 bytes in size.. but that is more to ease hardware requirements. I think they will combine other methods in the fingerprint taking process and eliminate these problems. Just my take on it, tear it apart guys ;)
I believe c't magazine successfully fooled more than 50% of scanners by placing a clear plastic bag, filled with water, on top of the glass. This makes the greasy residue of the genuine user's fingerprint show up clearly to the scanner.
When I am king, you will be first against the wall.
If it's so easy to falsify fingerprints then they will want more. Say hello to having a DNA sample taken at birth to be used as ID for the rest of your monitored existence.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
From the thesis...
The main problem with liveness detection methods based on extra hardware, is that the scanners have to be adjusted to operate efficiently in different kinds of environments, leading to problems when using a wafer-thin artificial fingerprint glued on to a live finger.
And finally, monsieur, a wafer-thin fingerprint. Oh sir...it's only wafer thin.
You're right about that. It was in Diamonds Are Forever. Bond was posing as a diamond thief, if I'm remembering correctly, while meeting with the real thief's contact for something. The real thief and the contact had never actually met face to face before and the only identification she had to verify his identity were his fingerprints. So, Q made a set of fake "press on" prints for Bond.
they may not work for me. I have a chemical burn on three of my fingers on my right hand. It still hasn't healed properly and the scar tissue keeps rearranging itself (small blisters keep forming). My other hobby, wood carving, leaves me with several fresh cuts on my hands and fingers each week, from these I can see changes in my prints.
I used to have a cool sig, back when I cared
In a former career I spent time mixing cement. One day I was mixing a small amount in a 5 gallon bucket. At the time I had nothing to mix it with so I used my hand. After mixing I washed my hand and it was amazingly smooth. I didn't think much more about it. The next day the skin on my hand was very sore. I looked at it and noticed that the mixing had worn down the top layers of skin on my hand. To the point where I barely had any fingerprints at all. So if you want to remove your fingerprints temporarily in a somewhat painful (but not excruciating) way, just mix up a bucket of concrete with your hand..... Hmmmm, is this a circumvention device?
mp3's are only for those with bad memories
... defeating fingerprint scans is a lot harder than stealing a PIN.
There is an old saying that is attributed to the Secret Service. They can't stop someone really dedicated from killing the President. All they can do is raise the level of difficulty so high that the average individual won't be able to do it. I think that is applicable to the fingerprint scanners used in American airports. Yes, they can be beat, but they raise the threshold. They won't catch the dedicated/educated terrorists, but it will help against idiots. And stopping idiot terrorists is still a good idea. And don't fool yourselves, a lot of terrorists are idiots. Just look at the Shoe Bomber, not what I would call England's best and brightest.
I myself have an identical twin brother, and our fingerprints are nothing alike. Fingerprints are a developmental feature, not a genetic one.
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
Good thing this was written by a student who is NOT a US citizen or she would probably be prosecuted under the DMCA.
sudo eat my shorts
Okay, Assuming you are still reading this.. check out the Tensor 4210 sub-dermal reader, there are a lot of other products out there that do the same thing. If it can be found OEM, then it might be worth half a poop. Otherwise you're married :( product marriage + attempted product development = low return/failure. But I'm preaching to the choir here ;)
Twins don't have the same fingerprint. Twins have similar prints because the basic print is determined genetically. However prints can be altered in the amniotic environment. The skin of a fetus is "soft" and "pruny" like you are when you are in the bathtub. Depending on how the fetus is laying or pressed against something the prints can be molded slightly differently in each twin. So they are not identical but similar.
Just thought I'd mention it. :) The story also had "heavy water fusion batteries" 4 years before the world learned the term "cold fusion". This was back in 1985 before my creativity was destroyed by life and career and reality television.
--- Ban humanity.
Man, do you realize how small a quantum leap is? It is the closest thing to nothing in the universe...
Why would you want to photocopy the fingerprint of the severed finger when you can just place the severed finger on the fingerprint scanner?
The main problem with liveness detection methods based on extra hardware, is that the scanners have to be adjusted to operate efficiently in different kinds of environments...
"So why does it have a rectal probe?"
"That's just part of the design."
Do not fold, spindle or mutilate.
Incorporating pulse oximeters (those little things with the red light they put on your fingers while in the hospital) could make it harder to use Jell-o fingers. They verify it is a real finger by sensing blood oxygen and pulse and then the scanner would verify the identity. They are also cheap and reliable. Just a thought.
Things are not as they appear, nor are they otherwise
Uh, that's because calcium hydroxide -burned- it off, not "wore it down". It's actually quite common, because there is a delay between exposure and reaction. Well, that and people think "hey, it's just rocks and dirt and stuff, I don't have to wear gloves..."
Please help metamoderate.
Has anyone read the actual report?
In order to get the latent prints (from which the 'fake' prints are created), the experimenters had their subjects wipe their finger on their nose (to make the latent prints easier to capture), had them press their finger on a glass platen, and even checked if their fingers had scars (if so, they chose another, better finger).
With this kind of cooperation and preparation, no wonder they beat the systems. As anyone knows, once you have someone on the inside you can break any security system.
In the real world, latent prints are blurred, not defined; smudged, not clean; and might not even be the finger the user has enrolled in the fingerprint device itself. Fingers don't come with labels like 'index' or 'thumb'.
Again, if the experimenters retrieved their samples from a dirty beer glass in a smoky bar I'd be more concerned, but...they didn't. The world of the lab is a lot different from the real world.
Let's take these reports in context, fellow Slashdotters.
In any case, I say we argue for fingerprint devices that protect fingerprint templates by matching and storing them on-board a device that you carry with you as another reply mentioned, where the fingerprint templates are encrypted or protected.
I didn't really understand anything you said, but I see you managed to mention testicles in a /. post, and that was cool...
[cue Butthead laugh]
.sigs are for post^Hers.
Fingerprint scanners are exactly that.
Finger. Print. Scanners.
They're not "Absolute Identity Verifiers", or "Identity Truth Machines".
They are simply tools to be used with other forms and methods of identification. Are *all* fingerprinting validation systems supposed to include "temperature, pulse, blood pressure, electric resistance, etc"? Only if some company were relying on fingerprints ALONE to verify someone's identity. But NO company would rely on fingerprints alone. Also, it would make the machine MUCH too costly for anybody to buy.
The bottom line is, yeah sure, fingerprint scanners can't tell the difference between a human finger and a gelatin one. But if a fingerprint is *all* that it takes to get access to something, then the institution has problems that dig far deeper than the inadequacies of any fingerprint scanner.
Imagine if the keyring that you currently keep in your pocket, kept leaving copies of itself on every object you touch. Imagine anyone who found a copy (with a little work) could drive your car away or freely spend your money or walk right in the front door of your locked house. Now imagine that the worst has happened, that someone has stolen a copy of your keys. Currently, it's rather inconvenient, you must create new keys (and sometimes, locks). Now tell me, how do you change your keys when the key is your right thumb? You can't. Once your key is stolen, you're totally screwed, forever.
A friend of mine in the office has some sort of skin condition which causes his hands to produce very acidic sweat. It's acidic enough to buff the leather on his steering wheel and gear shifter. His fingers will erase the letters off the keys on some keyboards (I assume some keyboards use better quality ink that is more resistant). Coffee mugs with cheap paint on them suffer the same fate on the handles.
This person can open any fingerprint-protected laptop in the office (we bought a bunch of these from some company who was beta-testing them, they are now out of production) and make it boot. He just smears his fingertip onto the sensor and wiggles it a little bit, and the machine accepts it as an authorized print.
These fingerprint detectors are of the capacitance-coupling variety. I don't know if the same trick works with the other fingerprint sensor technologies.
this thesis is only a better documented, nicely written replay of a Japanese experiment from some years ago:
the Matsumoto experiment
and it surely doesn't mean the biometrics are not secure!
a complete biometrics based security solution has 3 "components" :
Something you know: e.g. a password or a PIN.
Something you hold: e.g. a credit card, a key, or a passport.
Something you are (biometrics): e.g. a fingerprint, iris pattern, etc.
their demonstration only fooled the 3rd component of such a system ... which means they got NOTHING! ... plus, the most secure fingerprint scanners read the biometric info from under the epidermis (the outer "dead" skin) and are not so easily fooled with an artificial finger or fingertip ... the fact that they tested cheap off-the-shelf hardware is not exactly conclusive.
.. while infallible security does not exist, biometrics can make a big difference when used right!
The whole study is just an argument against bad hardware and sloppy security systems, not against the usage of the biometrics
"There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
Wonder if her techniques would fool the fingerprint scanner on the high-end iPaq PPCs?? It's not the type you press your finger on, you have to roll your finger over a narrow scanner...so the "gelatin" technique doesn't seem like it would be as effective on the rolling systems because you'd be stretching/skewing the gelatin imprint....just a thought.
There's a big difference. If someone compromises your lock, you can change it.
If someone compromises your finger, you can't chop it off and grow a new one. Your method of authentication is screwed for the rest of your life.
--
*Art
when the National Guard were deployed to the USA's airports, they were never issued ammo. The worst they could have done is install their bayonet (for crowd control purposes(?)). It was strictly a Bush PR move. And 2-1/2 yrs later, the situation regarding the "war on terrorism" hasn't evolved much. The USA still has unguarded borders and seaports. Both illegal immigration and the rate of identity theft are both higher now than before 9/11/01. It sure isn't any comfort that fingerprint scanners are so ineffective, just as have iris scanners also proven to be. What's next? Maybe implanted RFID chips?
Any reasonable authentication system will require more than one factor, only if you have someone's ID card and passphrase would this work in a 2 or 3 factor scenario. Maybe a concern for Lexus but not for most access control systems. In the world of biometrics it's a trade-off, throughput, accuracy and price for customer acceptance. Fingerprint is easy to use and inexpensive.