Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fingerprint Scanners Still Easy to Fool

Posted by michael on from the mission-possible dept.

Anlan writes "A Swedish student wrote her Master's thesis about current fingerprint technology. After a thorough literature study some live testing took place. Simple DIY fingerprint copies were used (detailed how-to in the thesis). Have current commercial products improved as much as proponents claim? Well, this qoute from the abstract says it all: 'The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint. Nine different systems were tested at the CeBIT trade fair in Germany and all were deceived. Three other different systems were put up against more extensive tests with three different subjects. All systems were circumvented with all subjects' artificial fingerprints, but with varying results.' You can guess how happy the sales people at CeBIT were - most systems claim to be spoof proof..."

35 of 378 comments (clear)

  1. Airport Police by mirko · · Score: 5, Insightful

    So, will they remove these fingerprint scanners, in the US Internaitonal Airport ?

    --
    Trolling using another account since 2005.
    1. Re:Airport Police by Stargoat · · Score: 4, Funny

      Airport! No, don't bring that up! George Bush will have to invade Sweden now!

      --
      Hoist Number One and Number Six.
    2. Re:Airport Police by dave420 · · Score: 5, Insightful
      No, because it appears like they're actually doing some good. Just like when they had the national guard monkeys running around with M16s. Absolutely no use whatsoever, but makes the American public go "Gee - we're so protected! I love our President(tm)!"

      The war on terror isn't about the terrorists, it's all PR.

    3. Re:Airport Police by wo1verin3 · · Score: 5, Funny

      >>So, will they remove these fingerprint
      >>scanners, in the US Internaitonal Airport ?

      No, they'll just continue to refuse letting travellers use gelatin molds in place of their real hands.

    4. Re:Airport Police by XryanX · · Score: 5, Insightful

      I'm sure someone that was trained in stage makeup could easily make a fake finger that would slip over their real one, and yet still look realistic.

    5. Re:Airport Police by Captain+Caveman · · Score: 4, Funny

      Yes, they will be replaced by rectal scanners because it is impossible to make a perfect gelatin mold out of your ass.

    6. Re:Airport Police by dave420 · · Score: 4, Insightful
      The 3,000 dead on 9/11 died in a single incident, 3 years ago. Those who died in Afghanistan and Iraq died at American hands. I stand by my point - what age of terrorism?

      If the war on terrorism was about decreasing terrorism, the US wouldn't have invaded Iraq. Iraq had nothing to do with any terrorism, but they did have plenty of oil. You figure it out. You have to be seriously missing the plot if you can't understand it.

    7. Re:Airport Police by CreatureComfort · · Score: 5, Interesting


      I think you missed his point, Dook"43".

      He did not say that efforts to stop terrorism shouldn't be made, only that the efforts that are currently being made are pure PR fluff. Having M16 armed national guardsmen at airports was absurd. What were they supposed to accomplish? In any instance, opening fire with a machine gun in a crowded airport lobby would kill far more innocent people than terrorists. Not to mention, just how were these guardsmen supposed to tell if someone was a terrorist, before blowing themselves up or driving an explosive laden vehicle into the terminal?

      Lets talk about other "safety" measures:
      1) Turn all airport screeners into government employees. Well, now our dear TSA is moving to recertify airports to use private screeners.
      2) Even with government screeners, security is like tissue paper. I attended a conference last week, and one of the vendors was giving out "swiss army" type knives, 5 blades + corkscrew, etc. He told me he had dumped a box 50 of these into his bag, and at the last minute decided to carry that bag on instead of checking it. He didn't even remember that the box was in there until he was in the air. He stayed quiet about it until after he landed, because he didn't want to get stuck somewhere in middle america. Security never even noticed. (BTW, he said he did report it to airport security after he landed and was outside the secured zone.)

      If we are going to be serious about security follow El Al's proceedures, most of which are deliberately kept very quiet and out of the public view. Instead the current administration follows a typical american penchant to do something, anything that makes a lot of noise and is very visible for "feel good" moments, but which accomplish either nothing, or the opposite of what they are supposed to.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    8. Re:Airport Police by jrumney · · Score: 4, Informative
      Just like when they had the national guard monkeys running around with M16s. Absolutely no use whatsoever, but makes the American public go "Gee - we're so protected! I love our President(tm)!

      Granted, I'm not an American so maybe my perception is different, but the sight of nervous 19 year olds with M16s at Logan airport in late 2001 did not make me feel "protected".

    9. Re:Airport Police by LaCosaNostradamus · · Score: 4, Informative

      {sigh} So much Limbaugh-esque mythology, so little time.

      A significant factor in Afghanistan and Iraq was oil. You assert price as some sort of proof against it. But price increases are to the benefit of the producers, which the Bush family have been known to dabble in from time to time. As well as their family friends, the House of Saud.

      The whole issue of invading an oil-rich country is to control it for the current set of Oil Barons. Bush's administration is packed with folks like that. (Duh.) Price is simply not an issue.

      Iraq was no world threat. About the only sovereign place that would really find Iraq threatening was Israel. And the last time I checked, Israel wasn't the 51st American state, and had no legal representation in any American legislature. If there's anything to be said for American fears of being controlled by foreign interests, then why won't we deal with Israeli influence upon the American military?

      As for criminal negligence, you are in direct hypocritical peril considering how much of that charge can be levelled at the American CIA, FBI and military command (specifically the Commander in Chief, whom you may have heard of) when 911 was being planned and executed. Libya is far more at fault for harboring terrorists, but after Bush's speeches on Afghanistan, Iraq, Syria, Iran and North Korea, you'll note a sound basis to my skepticism about Bush's due diligence. At any rate, any lax policy in Iraq about terrorist assholes cannot justify: invading Iraq, killing tens of thousands of her citizens (remember, she had an army, not of terrorists, but of Iraqi citizens who were defending against invaders), and taking control of her infrastructure.

      The summary of my statements here would revolve around the idea that America attacked Iraq twice in 12 years for no valid reason. America cannot make the case that it was acting in self-defense, since Iraq made no moves onto American territory. And as for WMDs, we only have to look at Israel to speculate on the term "double standard".

      Face facts, Ace: you've been bamboozled into thinking that America's assaults in the Middle East are not the Imperialist moves that they actually are. Perhaps when you find that you can't even afford to bury your own war-dead sons, then you'll wake up to realize the murderous and barbaric culture that you had been supporting.

      --
      [You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
  2. As a self-appointed representative of ... by burgburgburg · · Score: 5, Funny
    the Security Industry, I'd just like to say:

    Shhhhhhhhhhhhhhhhhhh!!!!!

    Please remember this the next time a non-productive "feature" is uncovered.

  3. Easy Solution by Mz6 · · Score: 5, Funny

    Don't let your fingerprints get copied. Wear gloves ALL the time. Problem solved.

    --
    Hmmm.
    1. Re:Easy Solution by jacksonyee · · Score: 4, Insightful

      So what happens when some law enforcement organization such as the police or the passport office want to take your fingerprints? Do you deny their request and don't get anything done, or do you use glove prints rather than fingerprints. Even worse, what if someone hacks into the police database and creates fake gloves with other people's fingerprints etched in them?

      As much as the privacy advocates will laugh at this news article, fingerprints have been a proven source of clues for law enforcement agencys for decades. Nowadays, we have more sophisticated methods of detecting whether someone might have been at the scene of a crime or not, but fingerprinting is nice, quick, easy, and obvious. Of course, every system in existence can be fooled, and if you're really willing to break the system, you can. However, I hate to think that people other than the tinfoil hat crowd would be so concerned about fingerprints that they would wear gloves all the time. This is much more a legislative issue than it is a technological issue. Unless we stop legislative processes invading our privacy, technological means will be only a band-aid onto the root of the problem.

  4. J311-0 by lunarscape · · Score: 5, Funny
    The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint

    That's great to know that some of the world's most sophisticated security systems can be circumvented with Jell-O

    1. Re:J311-0 by Braingoo · · Score: 4, Funny

      Bill Cosby would be proud Hey kids would jou like to try some Jell-o. jou can even use it to steal yor parents credit card number to buy more jell-o!

  5. In the great words of Sean Connery by imranius · · Score: 5, Funny

    "I'll show you a finger, Trebek!"

    - SNL Celebrity Jeopardy

  6. Something you have and Something you know by VinceWuzHere · · Score: 5, Insightful
    I really don't think that ANY biometric system will be foolproof until the old basic of security is implemented. The scheme is called "Something you have and Something you know" (someone out there does know the right name even if I can't remember it at the moment).

    Think of the simple RSA keyfob some of us carry; it gives us a number and we use that PLUS a password to get into secure systems (have + know).

    Carry this one step further and have the system check your fingerprint/handprint/iris/whatever PLUS ask for a password.

    I personally think it's damn scary in this age of terrorism that someone could fake a biometric and get onto a plane; if the airlines for example issued me a unique password to go along with fingerprint (or whatever) recognition then I'd feel a whole bunch better about the entire process and the underlying technologies.

    1. Re:Something you have and Something you know by Tryfen · · Score: 4, Insightful

      The mantra used to be something you know (password), something you have (ID card), something you are (fingerprint).

      The problem is that "something you are" is just a really weak version of "Something you have". Why is it weak? Because once it is compromised, you can never get it back. Never.

      If my RSA fob is stolen, I can get it reissued. If my password is stolen, I generate a new one. What am I supposed to do when my fingerprint shows up on Kazza? Sure, I can use one of the other nine, then once they're compromised, use my toes, after that...?

      Biometrics have a (small) part to play in security. But relying on them for anything important is daft.

      T

      --
      If a square is really a rhombus, why aren't all triangles purple?
    2. Re:Something you have and Something you know by MindStalker · · Score: 5, Funny

      Now, a clever man would not use a plane, because he would know that only a great fool would repeat the same method. I am not a great fool, so I can clearly not choose to attack with a plane. But you must have known I was not a great fool, you would have counted on it, so I can clearly have to attack with a plane.
      Because counter-terrorist come from America, as everyone knows. And the America's is entirely peopled with infidels. And infedels are used to having people not trust them, as you are not trusted by me. So I can clearly not attack with a plane.
      and you must have suspected I would have known you where an infidel, so I can clearly have to attack with a plane.
      You've beaten my Sadam, which means you're exceptionally strong. So, you could have placed your men on the plane, trusting on your strength to save you. So I can clearly not choose to attack with a plane. But, you've also bested my sleeper cells. And in studying, you must have learned that terrorist are dangerious so you would stay as far away from us as possible, so I can clearly attack with a plane.

  7. Re:fix? by tomcio.s · · Score: 5, Insightful

    Not at all actually, your extremedies (hands, feet) change temperature faster than the core of your body, and most people's extremedies are either colder (more common) or warmer (?) than the core of their body. So to make it heat sensitive would be to deny access to most users.

  8. Great minds think alike by VinceWuzHere · · Score: 4, Informative

    From the document abstract... "A description of different liveness detection methods is presented and discussed. Methods requiring extra hardware use temperature, pulse, blood pressure, electric resistance, etc., and methods using already existent information in the system use skin deformation, pores, perspiration, etc."

  9. Re:fix? by SlamMan · · Score: 4, Interesting

    Won't work, for all the reasons specified. However, what about recording the body temperature as well as the fingerprint?

    --
    Mod point free since 2001
  10. fingerprints at all... by tuxette · · Score: 5, Interesting
    Probably old news to some, but here's an interesting article about how fingerprints are perhaps not infallible, unique ID, with a link to this article

    Who cares about the scanners when the real problem lies in something entirely different?

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  11. Re:fix? by stratjakt · · Score: 5, Insightful

    The temperature of your fingertips is going to vary widely. If you've been holding a cup of coffee, it'll jack up to 110, 120 maybe, if you just came inside it could be down around 60 or so.

    98 degrees is an average core body temperature, extremedies generally run cooler. Thats why your testicles hang down - they dont work at 98 degrees, they need to be cooler. It's also why briefs and tight pants make you sterile.

    Besides, all you'd have to do is put the fake finger in a cup of warm (98 degree) water..

    I think the real solution is to realize that this kind of shit only works in movies or cartoons right now.

    --
    I don't need no instructions to know how to rock!!!!
  12. Okay. by Red+Dane · · Score: 5, Insightful

    Just wanted to interject... I suppose it depends on whether you have one that bounces small radio signals off of the inside of your finger or one that simply captures an image. Certain fingerprint readers bounce radio signals off of the inside of your finger and read the underlying tissue structure (no, I'm not going to plug the product here). This prevents people from doing what she did at the trade convention. Fingerprint technology is always improving, and I'm sure that the industry will take this to heart and make these things even more complex. When you get right down to it, the systems aren't as complex as you might think. Most fingerplate templates weigh in from anywhere to 300 - 600 bytes in size.. but that is more to ease hardware requirements. I think they will combine other methods in the fingerprint taking process and eliminate these problems. Just my take on it, tear it apart guys ;)

  13. It's wafer thin... by MojoRilla · · Score: 4, Funny

    From the thesus...

    The main problem with liveness detection methods based on extra hardware, is that the scanners have to be adjusted to operate e±ciently in different kinds of environments, leading to problems when using a wafer-thin artifcial fingerprint glued on to a live finger.

    And finally, monsieur, a wafer-thin fingerprint. Oh sir...it's only wafer thin.

  14. Accidental Discovery by The+Slashdolt · · Score: 4, Interesting

    In a former career I spent time mixing cement. One day I was mixing a small amount in a 5 gallon bucket. At the time I had nothing to mix it with so I used my hand. After mixing I washed my hand and it was amazingly smooth. I didn't think much more about it. The next day the skin on my hand was very sore. I looked at it and noticed that the mixing had worn down the top layes of skin on my hand. To the point where I barely had any fingerprints at all. So if you want to remove your fingerprints temporarily in a somewhat painful(but not excruciating) way, just mix up a bucket of concrete with your hand..... Hmmmm, is this a circumvention device?

    --
    mp3's are only for those with bad memories
  15. They'll stay to raise the threshold... by MyNameIsFred · · Score: 4, Insightful

    There is an old saying that is attributed to the Secret Service. They can't stop someone really dedicated from killing the President. All they can do is raise the level of difficulty so high that the average individual won't be able to do it. I think that is applicable to the fingerprint scanners used in American airports. Yes, they can be beat, but they raise the threshold. They won't catch the dedicated/educated terrorists, but it will help against idiots. And stopping idiot terrorists is still a good idea. And don't fool yourselves, a lot of terrorists are idiots. Just look at the Shoe Bomber, not what I would call England's best and brightest.

    1. Re:They'll stay to raise the threshold... by hackstraw · · Score: 4, Insightful

      All they can do is raise the level of difficulty so high that the average individual won't be able to do it.

      I would describe John Hinckley, as average at best, and he stepped forward from a crowd of television reporters and fired six shots hitting the President (Reagan) and others.

  16. Re:Could someone explain 4.5.3 to me? by Apocalypse111 · · Score: 5, Informative

    I myself have an identical twin brother, and our fingerprints are nothing alike. Fingerprints are a developmental feature, not a genetic one.

    --
    There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
  17. Non-US student by AragornSonOfArathorn · · Score: 4, Insightful

    Good thing this was written by a student who is NOT a US citizen or she would probably be prosecuted under the DMCA.

    --
    sudo eat my shorts
  18. Re:Why am I not surprised... by HermanZA · · Score: 4, Funny

    Man, do you realize how small a quantum leap is? It is the closest thing to nothing in the universe...

  19. calcium hydroxide burns by SuperBanana · · Score: 5, Informative
    In a former career I spent time mixing cement. One day I was mixing a small amount in a 5 gallon bucket. At the time I had nothing to mix it with so I used my hand. After mixing I washed my hand and it was amazingly smooth. I didn't think much more about it. I looked at it and noticed that the mixing had worn down the top layes of skin on my hand.

    Uh, that's because calcium hydroxide -burned- it off, not "wore it down". It's actually quite common, because there is a delay between exposure and reaction. Well, that and people think "hey, it's just rocks and dirt and stuff, i don't have to wear gloves..."

    --
    Please help metamoderate.
  20. It's even easier than that. by pclminion · · Score: 4, Interesting
    Forget making crude copies of authorized fingerprints... It's even easier than that.

    A friend of mine in the office has some sort of skin condition which causes his hands to produce very acidic sweat. It's acidic enough to buff the leather on his steering wheel and gear shifter. His fingers will erase the letters off the keys on some keyboards (I assume some keyboards use better quality ink that is more resistant). Coffee mugs with cheap paint on them suffer the same fate on the handles.

    This person can open any fingerprint-protected laptop in the office (we bought a bunch of these from some company who was beta-testing them, they are now out of production) and make it boot. He just smears his fingertip onto the sensor and wiggles it a little bit, and the machine accepts it as an authorized print.

    These fingerprint detectors are of the capacitance-coupling variety. I don't know if the same trick works with the other fingerprint sensor technologies.

  21. just another argument against cheap stuff by rozz · · Score: 4, Insightful

    this thesis is only a better documented, nicely written replay of a japanese experiment from some years ago :
    the matsumoto experiment

    and it surely doesnt mean the biometrics are not secure!

    a complete biometrics based security solution has 3 "components" :

    Something you know: e.g. a password or a PIN.

    Something you hold: e.g. a credit card, a key, or a passport.

    Something you are (biometrics): e.g. a fingerprint, iris pattern, etc.

    their demonstration only fooled the 3-rd component of such a system ... which means they got NOTHING! ... plus, the most secure fingerprint scanners read the biometric info from under the epidermis(the outer "dead" skin) and are not so easily fooled with an artificial finger or fingertip ... the fact that they tested cheap of-the-shelf hardware is not exactly concludent.
    The whole study is just an argument against bad hardware and sloppy security systems, not against the usage of the biometrics .. while unfailible security does not exist, biometrics can make a big difference when used right!

    --
    "There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe