Slashdot Mirror
Fingerprint Scanners Fooled By Play-Doh
* * Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkston University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
Or is it starting to look like ScuttleMonkey is getting kickbacks from **Beatles-Beatles?
Better not install it in a kindergarten then.
Wow, two in a row for Beatles. This is getting ridiculous...
I'm not fat, just big boned...
It's one thing to fool fingerprint scanners. The ones described in the article use a photo system that takes a picture of the full print and detects similarities with prints on file. It does sound pretty easy to fool. However, what about swipe-based scanners? Or retinal scanners? Surely Play-Doh isn't durable enough to drag over a fingerprint swipe-scanner and it's probably difficult to make a good replica of an eye with the stuff.
But the real security comes with a Marine standing guard. If you can get passed that guy, the biggest problem is already solved.
Jesus saved me from my past. He can save you as well.
"News for financial partners of the editors, bank balances that matter."
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
A guy at work was always talking about using gummy bears to commit the perfect crime. You somehow make a mold of someone's fingerprint using that gummy bear material. Then you use it on a fingerprint scanner, which gets fooled by it, and it lets you in. Then, get this- you eat the gummy bear fingerprint mold, and permanently destroy the evidence of your intrusion.
I always thought that was a little disgusting. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
This is old hat, sortof.
German computer magazine C'T defeated fingerprint scanners a few years ago using gummibears. Im sure www.heise.de should ahve a (german) copy of that still online somewhere
There are three flavors of a security pass:
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
Two-form authentication (where you use two of the three above forms) is quickly becoming regconized as being much more secure. Numerous security professionals were hoping biometrics would fit into the "something you are" category, but increasingly that category is being replaced by "something you have". You can have a General's uniform or forged passport... or a playdough impression from an authenticated finger. All this study does is confirm that migration.
The road to tyranny has always been paved with claims of necessity.
For all us not not from the same cultural sphere as the submitter, Play-Doh is a clay-like compound used by children to form various things. http://en.wikipedia.org/wiki/Play-Doh
If you have no children and buy PLay-doh you might be added to the terrorist watching list as a security risk.
Wow, they really need to keep some play-doh around in SD-6. Next time Sloane is stuck in the torture room and they need his fingerprint they've got the solution right there!
"Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
I may be using the wrong term here, but why not have some sort of capicitance measuring device on the fingerprint scanner? Something a bit less sensitive than your iPod wheel or a normal laptop touchpad so it has to detect a current on the persons finger before it will even begin to scan?
Not that I've tried it, but I'm pretty sure you can use Playdoh to navigate around your iPod.
Fingerprints are now part of our total security strategy and a first-line screening technique for inprocessing of mass police events. When groups are processed after WTO rallies and other such large police events, processing uses fingerprint ID. Imagine a case in which 500 were arrested and all could be terror suspects, and the terrorist, who would have been ID'd, got away because of a fingerprint error. Fingerprints are used by banks to cash out-of-state checks. It's time to verify fingerprints and begin associating them with a biometric less modifiable, such as retinal ID. Of course, concerns about the coercivity of this approach are justified, but the security benefit outweighs. If we're going to use biometrics, let's use effective ones. Of course, the merits of mass arrest are questionable, but if we are going to do it, let's do it right.
Since when has this country used intellectual elite as a pejorative term?
I for one have a problem logging on via the scanner after a longer bath. The damned thing won't recongize the fingerprint and won't let me logon until the skin dries and the wrinkles on the fingers go away.
:-)
It is not bad, as I give up on the computer in the evening, just don't wash your hands before a presentation
"She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
I hope she didn't use it all on Play-Doh...
ScuttleMonkey IS ... * * Beatles-Beatles ?
-Jar.
(Who is so happy now he can join in with the Beatles-Beatles thing)
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
... I, for one, enjoy * * Beatles-Beatles's articles. Everything he posts is news to me and the content is stuff that matters to me. I especially love his well-designed, non-sketchy website. If Slashdot would implement his wonderful CSS styles (when you hover over text, it all becomes italicized and underlined with a box drawn around it) my experience here would be great. Is there any way we can make * * Beatles-Beatles a moderator, or better yet, an administrator on Slashdot? That would be excellent. Keep up the great work ScuttleMonkey and * * Beatles-Beatles!
Why not add a little hardware and check for a living finger? When I was in the hospital, they put a noninvasive sensor on my finger that measured my pulse and blood oxygen level. It uses two frequencies of light to measure oxygenated haemoglobin.
Mea navis aericumbens anguillis abundat
Wow, two in a row for Beatles. This is getting ridiculous...
I think as a collective we've got to get around to doing something about this. Criticisms that Slashdot content, and the overall quality of the website are merrited. I think a boycott is in order here.
Lets make it clear to the editors that these kind of submissions shouldn't be tolerated, and will recieve no attention. These kind of posts should recieve no replies regardless of importance. After which we should all carry out the task of resubmitting the article for discussions on the topic to resume.
After this post I intend to disregard any submission by '**Beatles-Beatles' and refuse to contribute or mod any of this Sponsorship Scandal(for those who don't live in Canada) like material. (Not a perfect analogy, but someone's getting a payoff it seems)
ending transmission....
spell the name of the University correctly if he is going to spam slashdot. It's CLARKSON, there is no T in there!
Monstar L
Last summer on WTH: Spoofing fingerprints in 10 minutes shown at WTH last summer. The guy on the video also says that he never encountered a fingerprint reader which couldn't be fooled. Interesting is also to see is that he does not make a fake finger, but only a thin acryl layer placed over ones real finger. And also on the CCC website: A image gallery with text (EN) how to copy a finger print. So it's not all about the Play-Doh
Actually, that won't do anything. The problem is that Mr Beatles does SEO and is getting more pagerank (supposedly) from being linked from slashdot's FP. The only affirmative action you could take would be to remove any link to slashdot you may have on your web site. If I had one, I'd remove it now. Too bad, because slashdot is such a wonderful time waster... But thanks for your contribution of typically ill-informed libertarian rhetoric. It's more obvious when you paste it into random situations like this just how bankrupt that argument is.
Redundancy is impractical after certain level, how'd you like that you have to login tens of times to a system every day, and that this takes, eye scan, finger scan, face scan, answering distorted CAPTCHA, entering user, password, ordering a set of pictures in right order and what not.
At the end it'll be so "redundant" noone will want to use it.
Fingerprint scanners are rubbish. They're simply not that reliable. Even if they sound reliable - if you have a scanner that's 99.9% accurate, that means that one person in 1000 has a close enough fingerprint to pretend to be you. Or to put it another way, 10000 Belgians share your fingerprint.
And the best scanners are nowhere near that accurate.
I announced my displeasure with the ueber google-gayness of the beatles link in these stories before - and was modded as '-6 tin foil'.
/. used it, how many stories would beatles post?) and the fact that the first 100 million lines in the pages about link voting are hippie gay credits for the two guys who set it up makes me wary.
The problem is, if a slashdot page links to starwars dot com with the words 'solo shot first' then this will change the very nature and fabric of the universe, and may actually cause earth quakes and or hurricanes, or at least a small butterfly flapping it's wings might get struck by lightening (deserves it!).
Google is a bit dumb, and I am suprised that slashdot users : viaga, cheap-prescription-drugs, auto-warranty and friends haven't been posting more stories.
I am not 100% happy witht he ghey projects like micro formats to use link voting either (google doesn't AFAIK have the option to non-googlify a link, if it did and
akin to those twats scraping over who invented music, the internet, downloading music, downloading the internet, sex, tits and beer by fighting over who 'invented' podcasting.
humbug?
of course, this is an estimation.
please type the word in this image: ballpark
random letters - if you are visually impaired, please email us at pater@slashdot.org
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Quoted from FP:
University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.
Quoted from TFA:
Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.
The crucial piece of missing information: The need for dental materials; the same stuff used to make casting for denture, false teeth, etc. To do what the researchers did, one needs more than play-doh. But of course ignoring this makes the FP much more dramatic becuase it implies that a preschool toy is sufficent for fooling biometric scanners.
For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.
I find it frustrating that what I once thought was a useful and interesting source of infomation and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seems to be adopting the playbook of big media and skewed news to drive up user posts.
I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more saavy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.
Or is it starting to look like ScuttleMonkey is getting kickbacks from **Beatles-Beatles?
In the words of Napoleon: "Never ascribe to malice, that which can be explained by incompetence."
May the Maths Be with you!
I remember Macgyver defeating a hand print scanner using chalk dust to stick to the oils deposited by the previous person who used the scanner. I guess a swipe scanner makes much more sense if you want to try and keep Macgyver out (who are we kidding here, Macgyver can defeat any security system with nothing more than a bar of chocolate and a toothpick).
Fooling fingerprint scanners is really a child's play with Play-Doh !
Assume I was drunk when I posted this.
I got a laptop with fingerprint identification and thought it was ultra-cool to just stick my index finger on there to log in (this was to XP tablet edition).
Then I wondered if you could trick it, so I looked at my index finger, and saw that it was a loop, and then had someone else in the office try with one of their fingers that also was a loop. Nothing just by pressing down.
But, because the login software takes continuous readings (which they display!), my buddy was able to keep sliding and mashing and rotating his finger around until after 4 or 5 seconds, Bong, logged in!! We were laughing, so we tried with with three other guys here, and they all logged on. Some of them had to rotate their hand all the way around, but *everyone* got on. THIS SOFTWARE DOES NOT WORK! DO NOT TRUST IT!
I reported this to the fingerprint software people (sorry, don't remember their name), but they never responded. I just turned it off completely - it's a joke.
I recently purchased a new MS keyboard with the fingerprint scanner.
With 5 family members and Windows XP, it's working fabulously at home.
I wouldn't change my door locks to fingerprint scanners, but for a home computer used by the family it's great.
They're on to the Play-doh trick. I think I'll just switch to Silly Putty.
*gives honourable badge of the tinfoil hat club*
Congratulations. We haven't heard THIS one yet.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
1. Get some sort of funding/investment for a start-up business or a research project of some sort.
2. Generate traffic to a site to improve ad revenue or subscribers.
3. Sell a product or service of some sort.
4. ???
5. Profit.
~ Better a freak than a sheep. ~
Now ordinarily the parent would simply be regarded as a troll, but all you have to do is look through a few Slashdot journals to see examples of quality submissions that have been rejected. The fact that a search engine spammer's articles get preference really explains this kind of frustration.
I'd like to hear some kind of explanation from the editor(s). I'd like to think that this is simply some kind of failure of process rather than something fundamentally wrong with Slashdot itself. It would be nice if the next Slashback dealt with these issues in some way.
May the Maths Be with you!
I have a portable pulse oximeter sitting right next to me. It is pricey and is about 2.5" x 1.5" x 1.5". It clamps lightly around one's finger and has a numerical LED display for oxygen level and beats per minute. It's as accurate as a bedside hospital unit from what I have read. Adding one of these though would really drive up costs. Here is a pic of the unit I am talking about. $675, ouch.
Incorporating them would also require a major redesign. They clamp around an inserted finger, and this would make them harder to clean and maintain, and also make them more prone to breakage.
The non-invasive principle of operation of these is pretty neat, and might interest slashdoters. They work by shooting dual wavelengths of light through the finger, namely infra-red and a visible red color. On the other side of the finger, a sensor relays readings to a signal processor, which distinguishes between flesh, bone, and what-not based on the absorption differential between the two wavelengths, so it can isolate out variables between different kinds of fingers. The result is incredibly precise, and the LED on the front flashes in precise sync with one's pulse. I'm guessing the signal processor is a major cost, so maybe in time these will come down in price.
Is it just me, or does anyone else take this with a grain of salt? With a name like that..
They grow back. Background info here
AT&ROFLMAO
and I'll say it again. Play-Doh and technology do not mix! My DVD player will not play Play-Doh discs and my PC case mod of Play-Doh gave me trouble getting it out of the power supply.
... that Wallace (of Wallace and Gromit fame) can fool any fingerprint detector?
Looks like ScuttleMoney^H^Hkey still doesn't get. Interesting thing is, ScittleMonkey seems to use some standard template for * *Beatles-Beatles submissions, since ALL of them start by: "* * Beatles-Beatles writes to tell us ...".
So, let me repost some earlier post of mine:
Ok, let's have a look at his george-harrison.info website. Aha, maybe the links at the bottom of the page? Yes, I see: http://george-harrison.info/reciprocal-links.html.
Sooo, what may be on that page? Quoting:
Looking at the link list (just a small excerpt):
HTH!
Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
I went to a friend's house the other day. He told me he was looking through a box of important papers and he found the recipe for play-doh. It seemed a bit weird at first but now it just seems suspicious.
So does this mean that Gumby can become an uberhacker (at least when facing these biometric devices)?, sid14_gci833464,00.html/.
More seriously... This is not new news. Previous schemes to foil the finger print scanners have been around for a good deal of time. One article I found is at http://searchsecurity.techtarget.com/tip/1,289483
Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
Just pick the guy who ordered to arrest 500 anti-WTO protesters.
Trust me, I work for the government.
I don't care what source of the news and what reason beyond their publishing, as long as they provide useful information. If the nice lady has a patent and a startup enterprise, best luck to her, but next time somebody suggests a fingerprint-based security, I'll know how to show them what it's worth. Or bypass it, if I find it handy. So please STFU and start evaluating the actual value of info provided by the article, instead of looking for sinister reasons behind posting it.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense.
They misspelled "suckers". After all, it can be fooled by play-doh.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
A couple things that the scanners could do to tell the difference between playdough and a finger is. Make sure whatever is on the scanner is at average body temperature. Check the presence of natural skin oils. Check for a pulse.
Find me empirical evidence indicating that everyone's fingerprints are actually unique?
Thought not.
Whole thing's based on supposition and received wisdom, and is an utterly stupid basis for a security system. And I don't think much of the degree to which fingerprint evidence is relied on in court, either. Still, you try convincing a jury that every cop show and courtroom drama they've ever seen has misled them.
Supposing there exists a "much more robust security infrastructure" - how is it going to be improved by the addition of a Play-Doh, uh, I mean a fingerprint scanner? Why not just stick with the robust stuff, and forget the shiny newfangled contraptions?
This isn't the first demonstration that fingerprint scanners are useless. A few years ago, a Japanese university professor showed that it was possible to make a gelatin mold from a latent print (i.e., without direct access to the authorized finger in question) that would fool the readers most of the time! What is a fingerprint scanner adding but a false sense of security?
This was the first question I randomly peeked at to see how far from my opinion this certification is. I closed the book and haven't opened it again so far. A shame this is getting almost as mandatory in security jobs as Cisco certification for networking and Checkpoint/Nokia for firewalls.
I just installed bought a biometric fingerprint security system and I must say it is really secure!
"Fingerprint Scanners Fooled By Play-Doh"
D'oh!
w00t
Bush has diverted $3.4 billion from the Department of Education to an unnamed defense contractor, explaining "what use is having educated people when this contraband threatens the safety of us all." Citing security concerns, he would not elaborate which contractor received the funds, though he did name BeatlesBeatles as the White House liasion for this project. "No one has a better handle on Al Qaeda than BeatlesBeatles," Bush explained.
Bush added: "some people think you can eat it, too."
the screensavers on tech tv showed how to do this with a gummy bear, that's nothing new.
While the above reply is insightful, it kinda misses the point on security. It's not enough for the twin to "know how to talk like a General". For access to most secure facilities, the process is difficult to fake.
1. Drive to the site, showing the guard at the gate an appropriate ID CARD.
2. Proceed to an inner gate, showing a separate ID BADGE (the sticker on your vehicle, as well as the license plate ## must match information on the badge).
3. Use the BADGE to gain entrance to the first door by passing badge over a card reader.
4. BADGE into another reader at the second door, and punch in a personal code.
5. Door number 3 uses another code.
6. Ummmm.....PROFIT!
This is not the method to launch the nukes, mind you--this just gets you into a relatively low-security building.
In other news, Mr. Bill was arrested Saturday for suspicion of ID Theft and Conspiracy when it was found he was unlawfully trying to enter a secure location with a fingerprint scanner.
The police said his only words after getting caught were "DOH!" and then "Ohhh noooooooo!"
He who knows best knows how little he knows. - Thomas Jefferson
I hope the Department of Homeland Security pulled the strings to her a DMCA exception. Although, it would be funny to see government research get nailed by this ridiculous law. Maybe then something would change.
I know you guys can't spell, but if you could you would have been able to link to the right school. Clarkson University, www.clarkson.edu.
scuttlemonkey.user.js:
Applying 12V DC to a door control solenoid will indeed release it. However, in any sensible system, the wires to the solenoid will be concealed inside the building, so in order to get access to them you would have to already have access to the building. And if I was building security systems, I would design them to pass a milliamp or so through the solenoid coil all the time, for tamper detection: if someone cuts the wires, the current stops and a silent alarm goes off -- the first you get to know about it is when the Old Bill arrive and your collar is felt. If someone tries to apply a battery without cutting the wires, that's easy to sense :)
..... but talking about that might prejudice a patent I'm applying for.
It ought to be possible to lift someone's fingerprint from something they touched and make a mould from it, using copper clad PCB board. And a PIN provides little to no security, as thousands of British debit card users are about to discover. Come to think of it, you ought to be enable to replicate someone's DNA if you could persuade them to
Je fume. Tu fumes. Nous fûmes!
I've said this before on slashdot: the biggest problem with biometrics is that once compromised they cannot be easily changed. You can always change your password if someone discovers it, but you can't easily change your retinal pattern. So if someone has a fake eyeball with your pattern you can't keep them from using it by using another pattern. The naive have assumed that biometrics are much harder to steal than passwords and would be too closely tied to the person to whom they belong to be compromised. For every type of authentication, there is a surprisingly easy and clever way to compromise it.
ClarkSON University, not ClarkSTON University.
There are three flavors of a security pass:
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
Well, 2 out of 3 isn't bad.
"Something you are" is not a position you hold, such as Doctor or General. It is independent of your position or profession. That General's uniform is something you have, not something you are.
Think more along the lines of "your face" or "your fingerprints" or "your DNA" or something like that. It is inherent to your physical body.
Biometrics is trying to do "something you are"... it just isn't doing it very well right now.
A badge (can be) 2-factor authentication. It is something you have, and it has a picture of your face on it, making it something you are.
Of course, identity validation in the hands of the person requesting identification is inherently insecure, which is why all the best SciFi movies have a badge that, somehow, pulls up your picture from a central computer database, and the hero's sidekick changes the image in the database milliseconds before the guard looks at the image on his display.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
MacGyver + A-Team = UNSTOPPABLE.
And this is why we use multi-factor authentication. Bruce Schneier has said it many times. We can't rely on one single form of authentication. Fingerprints can be stolen, RFIDs can be faked, passwords cracked...but just becaues one person can do one of those, doesn't mean they can do them all. The more factors you can include, the less likely that a person can steal them all. For instance, do a fingerprint scan and have the person speak a passphrase that changes daily.
Nullum magnum ingenium sine mixtura dementia (There is no great genius without a mixture of madness) - Aristotle
Or, they get their information by bashing Microsoft.
Microsoft about a year ago released a rebadged optical fingerprint reader from Digital Persona. It is a horrible device that can easily be fooled. It also wears out quickly because the sensor relies on a coating on the glass to image fingerprints. Once the coating rubs off, the sensor is useless. Needless to say, this isn't anywhere near the state of the art.
A better technology is based on capacitive sensors. They work much better and are extremely difficult to fool. I.e., Play-Doh doesn't work. Gummi Bears do not work. However, the sensors tend to wear out and can be fooled by cadaver fingers.
Look at sensors from Authentec. That is http://www.authentec.com/. They make sensors that use RF reflection to measure the patterns beneath the first layer of skin. They also have integrated thermal sensing. Cadaver fingers do not work. Neither does Play-Doh or anything else. Fooling these sensors, which are far better than the junk referred to in the original article, is extremely difficult. So, just how much does this military-spec technology cost? $32, quantity one retail.
Can we please send a copy of this to Ms. Schuckers so she can write papers based on the current state of the art, rather than utterly outmoded Microsoft-distributed optical scanners? Please?
Bush added: "some people think you can eat it, too."
...ducks
don't you mean
some people added: you can eat bush too
The fact that one can spoof a biometric with some ease, is not particularly novel nor should we expect that a single biometric is the solution to authenticating identity. A very simple combination of a biometric and an active input such as a password or pin, even spoken, provides a very strong solution to authentication. If the combination is used, I hardly even need strong passwords. The other factor to remember is that security, of whatever form, is only a temporary lock-out mechanism. In order to be robust to several decimal places, we have to force some regular change mechanism in password or pin as well.
"If all the American people want is security, let them live in prisons." Eisenhower
I guess Gumby and Mr. Bill are up shit creek too . . .
I'm not tense. I'm just terribly, terribly, alert.
Here's how it'll work:
1) Kill person
2) Cut off person's finger with pruning shears
3) Remove money from their account using their finger
And, if they've gone that far:
2b) Remove person's eye.
In the race to get rich quick, believe that criminals will do this.
i'm amazed that i survived - an airbag saved my life.
"Hey, I bet you can't get your fingerprint to stay on this piece of clay!"
I guess a lot of people would fall for that. If not, you could go ahead and add assault to the charges by knocking them out. Or better yet, you could just offer them a candy bar in exchange for their fingerprint.
http://www.amazon.com/gp/product/0449908577/103-09 72882-3463854?v=glance&n=283155
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
ScuttleMonkey fooled by **Beatles-Beatles... Yet again.
One can always use the new iPod Nano for finger printing. You can catch any criminal with the mirror plating on the back them.
The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments. - Nietzche
They were good, but they didn't link to george-harrison.info.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Please get it right. The article does, it'd be nice if the summary did as well.
I know of a few ways as well.
For fingerprint scanners:
1) Crouch down and breathe hot air on the pad. (Over 80% effectiveness for fingerprint scanners on the market, and probably led to the playdough tests)
2) Put on a latex glove and press with your thumb on the pad.
3) Pour water on it till it shorts, default mechanisms are often to unlock or resort to mechanical locking mechanisms, so get a key that way. (this obviously doesn't work for computers).
4) Get a USB sniffer (this obviously doesn't work for doors).
For ID cards:
1) Get a copy of one and make a mimic'd copy, complain that it isn't working to security, get one reissued or just get in.
2) Run a credit card through, sometimes nearly anything will work.
3) Pass a magnet nearby (this worked every time on a device labeled as an RFID scanner, and the vendor marketing it didn't know why)
For eye scanners:
1) Find a picture of the person offline and blow it up to actual eye size, laminate it.
2) Put a mirror in front of the scanner. (Yes, this works on at least one of them, and no, the vendor didn't specify why)
The name of the university at which Stephanie Schuckers works is Clarkson University, not Clarkston. It's in my hometown. Gotta represent.
... is don't give spammers a chance.
-- Lennon, from the grave.
Couldn't these scanners also have built-in heat detectors, and just check for 98.6 degrees F +/- a few degrees? Of course this still wouldn't be immune to "heated play doh attacks" but it would be one more measure of security. Of course, problems would arise on very cold days maybe, or when someone has a fever, but there could be some solution to that too. (I don't have all the answers! :)
Clarkson University does not have a t in the name.
Oh, come on! A Play-Doh mold is a reverse of the finger it was molded from. You right hand finger prints are not mirror images of your left hand finger prints. So while you might come up with some more complex technique to cast a false finger and somewhere in that technique use Play-Doh, the impilcation that you can just use Play-Doh to mold a finger and use that as a finger substitute is obviously false for any system that has any sense at all.
I'm an American. I love this country and the freedoms that we used to have.
You can do the Play-Doh thing to fake retinal scanners too. But man does it hurt.
There is apparently a sub-industry in this country devoted to no other purpose than producing duplicates of these "keys". Congress is investigating and considering making "key duplication" technologs punishable under the DMCA.
Seriously though, why is this interesting? Ok, so you can make a mold of a finger that has fingerprints on it. Is that in some way surprising to someone? Does any method of defeating security that involves having access to the original key (finger) for an extended period of time really concern anyone?
A pulse oxymeter is not a sophisticated device. A basic design requires only two LEDs a photosensor and an op amp. I'll guess the cost is in the tens of dollars.
Of course if you want it for medical purposes you need extra certifications for reliability, that I believe can drive the cost up.
Retinal images can be faked. The only truly accurate test would involve taking a sample of your flesh and analyzing that. To meet basic security criteria, you want a multi-factor analysis: for example, blood type and nuclear DNA. You'd also want to perform multiple tests and compare the results, to make sure you're not working with a doctored sample of someone else's flesh.
To support the requisite multiple tests, flesh samples should not be smaller than about 1/4" cubed. In order to obtain the samples, it is likely that local anasthesia will be required. Since you'll be injecting the subject anyway, you may as well inject them with a general tranquilizing agent, preferable addictive, to reduce the chance that they cause you trouble in future. Oh, and you may as well use the opportunity to implant a subdermal identification chip.
The result will be a society that's at least 17.4% safer than it currently is. Clearly, the security benefits outweigh any possible extremist concerns about individual rights. This system should be welcomed by everyone, except those who have something to hide. You don't have anything to hide, do you??
I don't think the Aquabats are RIAA-afiliated but look out if they get signed.
Please don't take this seriously. Sadly, I felt it necessary to state that.
Man, you really need that seminar!
Not really, that was (fairly obviously I thought) tongue-in-cheek. The more realistic scenario is bringing the live body up to the scanner and coerce said body to provide the credentials. The attacker can then proceed through, leaving a dead or live body behind has he pleases. The guard can protect against the most blantad of such attempts, but check the Red Cell reference for a case where they "kidnapped" the admiral in charge of the Naples naval base in Italy by having an operative sticking a gun in the admiral's side and drive him out of the base in his own car, complete with armed guard. They weren't stopped or questioned.
That's not to say that guards are worthless, they're valuable in detecting anomalies in some scenarios (the nightwatch that caught the Watergate burglars springs to mind, that was a good catch) but above all guards are unreliable as a security measure (or rather, reliability in guards cost money). Technological measures on the other hand are inflexible, once you've found an exploitable flaw, they cannot discover they're being tampered with and adapt. It's a tricky subject.
It's interesting that you mention banking as they address the issue slightly differently by focusing on risk rather than "security" (or trust). By assuming that measures and systems will fail and preparing to assert and absorb the consequences they're usually in much better shape than most others.
Stefan Axelsson
True. But you should have been told that this lady is in fact MacGyver in drag. Once you know that you can understand the rest with ease.
How many beans make five, anyhow ?
$30 thousand - hammer
$50 thousand - toilet seat
$3.1 million - play-doh.