Slashdot Mirror
Fingerprint Scanners Fooled By Play-Doh
* * Beatles-Beatles writes to tell us YubaNet is reporting that in recent tests by Stephanie C Schuckers, an associate professor of electrical and computer engineering at Clarkston University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds. From the article: "Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF."
Or is it starting to look like ScuttleMonkey is getting kickbacks from **Beatles-Beatles?
Better not install it in a kindergarten then.
I'm not fat, just big boned...
It's one thing to fool fingerprint scanners. The ones described in the article use a photo system that takes a picture of the full print and detects similarities with prints on file. It does sound pretty easy to fool. However, what about swipe-based scanners? Or retinal scanners? Surely Play-Doh isn't durable enough to drag over a fingerprint swipe-scanner and it's probably difficult to make a good replica of an eye with the stuff.
But the real security comes with a Marine standing guard. If you can get passed that guy, the biggest problem is already solved.
Jesus saved me from my past. He can save you as well.
"News for financial partners of the editors, bank balances that matter."
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
A guy at work was always talking about using gummy bears to commit the perfect crime. You somehow make a mold of someone's fingerprint using that gummy bear material. Then you use it on a fingerprint scanner, which gets fooled by it, and it lets you in. Then, get this- you eat the gummy bear fingerprint mold, and permanently destroy the evidence of your intrusion.
I always thought that was a little disgusting. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
This is old hat, sortof.
German computer magazine C'T defeated fingerprint scanners a few years ago using gummibears. Im sure www.heise.de should ahve a (german) copy of that still online somewhere
There are three flavors of a security pass:
1. Something you have, like badge or actual key.
2. Something you know, like a password or pass phrase.
3. Something you are, like a General, Doctor, or American citizen.
Two-form authentication (where you use two of the three above forms) is quickly becoming regconized as being much more secure. Numerous security professionals were hoping biometrics would fit into the "something you are" category, but increasingly that category is being replaced by "something you have". You can have a General's uniform or forged passport... or a playdough impression from an authenticated finger. All this study does is confirm that migration.
The road to tyranny has always been paved with claims of necessity.
For all us not not from the same cultural sphere as the submitter, Play-Doh is a clay-like compound used by children to form various things. http://en.wikipedia.org/wiki/Play-Doh
If you have no children and buy PLay-doh you might be added to the terrorist watching list as a security risk.
I may be using the wrong term here, but why not have some sort of capicitance measuring device on the fingerprint scanner? Something a bit less sensitive than your iPod wheel or a normal laptop touchpad so it has to detect a current on the persons finger before it will even begin to scan?
Not that I've tried it, but I'm pretty sure you can use Playdoh to navigate around your iPod.
I for one have a problem logging on via the scanner after a longer bath. The damned thing won't recongize the fingerprint and won't let me logon until the skin dries and the wrinkles on the fingers go away.
:-)
It is not bad, as I give up on the computer in the evening, just don't wash your hands before a presentation
ScuttleMonkey IS ... * * Beatles-Beatles ?
-Jar.
(Who is so happy now he can join in with the Beatles-Beatles thing)
Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
... I, for one, enjoy * * Beatles-Beatles's articles. Everything he posts is news to me and the content is stuff that matters to me. I especially love his well-designed, non-sketchy website. If Slashdot would implement his wonderful CSS styles (when you hover over text, it all becomes italicized and underlined with a box drawn around it) my experience here would be great. Is there any way we can make * * Beatles-Beatles a moderator, or better yet, an administrator on Slashdot? That would be excellent. Keep up the great work ScuttleMonkey and * * Beatles-Beatles!
Today's submissions that were rejected include a new digital imaging chip from the folks at Univ of Rochester and the Gnope.Org release (PHP GTK Toolkit).
Why not add a little hardware and check for a living finger? When I was in the hospital, they put a noninvasive sensor on my finger that measured my pulse and blood oxygen level. It uses two frequencies of light to measure oxygenated haemoglobin.
Mea navis aericumbens anguillis abundat
Last summer on WTH: Spoofing fingerprints in 10 minutes shown at WTH last summer. The guy on the video also says that he never encountered a fingerprint reader which couldn't be fooled. Interesting is also to see is that he does not make a fake finger, but only a thin acryl layer placed over ones real finger. And also on the CCC website: A image gallery with text (EN) how to copy a finger print. So it's not all about the Play-Doh
Quoted from FP:
University, she has shown that, among other things, biometric security measures were fooled 90% of the time by simple attacks like Play-Doh molds.
Quoted from TFA:
Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers. In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.
The crucial piece of missing information: The need for dental materials; the same stuff used to make casting for denture, false teeth, etc. To do what the researchers did, one needs more than play-doh. But of course ignoring this makes the FP much more dramatic becuase it implies that a preschool toy is sufficent for fooling biometric scanners.
For the record the quote from the FP is the part written by the editors, not by the submitter (unitalicized portion of FP), so the error (or omission) was made by a /. editor, not by the submitter.
I find it frustrating that what I once thought was a useful and interesting source of infomation and lively discussion seems to have become what it once seemed to differentiate itself from. Slashdot editors seems to be adopting the playbook of big media and skewed news to drive up user posts.
I find this sad because I thought that Slashdot was a site with an alternative playbook, that treated its readers as more saavy. Now it seems to be on the slippery slope to USA Today style reporting. I can only assume that this change is an attempt to drive up ad revenue. But I am afraid it will alienate many of the readers.
I got a laptop with fingerprint identification and thought it was ultra-cool to just stick my index finger on there to log in (this was to XP tablet edition).
Then I wondered if you could trick it, so I looked at my index finger, and saw that it was a loop, and then had someone else in the office try with one of their fingers that also was a loop. Nothing just by pressing down.
But, because the login software takes continuous readings (which they display!), my buddy was able to keep sliding and mashing and rotating his finger around until after 4 or 5 seconds, Bong, logged in!! We were laughing, so we tried with with three other guys here, and they all logged on. Some of them had to rotate their hand all the way around, but *everyone* got on. THIS SOFTWARE DOES NOT WORK! DO NOT TRUST IT!
I reported this to the fingerprint software people (sorry, don't remember their name), but they never responded. I just turned it off completely - it's a joke.
Now ordinarily the parent would simply be regarded as a troll, but all you have to do is look through a few Slashdot journals to see examples of quality submissions that have been rejected. The fact that a search engine spammer's articles get preference really explains this kind of frustration.
I'd like to hear some kind of explanation from the editor(s). I'd like to think that this is simply some kind of failure of process rather than something fundamentally wrong with Slashdot itself. It would be nice if the next Slashback dealt with these issues in some way.
May the Maths Be with you!
I have a portable pulse oximeter sitting right next to me. It is pricey and is about 2.5" x 1.5" x 1.5". It clamps lightly around one's finger and has a numerical LED display for oxygen level and beats per minute. It's as accurate as a bedside hospital unit from what I have read. Adding one of these though would really drive up costs. Here is a pic of the unit I am talking about. $675, ouch.
Incorporating them would also require a major redesign. They clamp around an inserted finger, and this would make them harder to clean and maintain, and also make them more prone to breakage.
The non-invasive principle of operation of these is pretty neat, and might interest slashdoters. They work by shooting dual wavelengths of light through the finger, namely infra-red and a visible red color. On the other side of the finger, a sensor relays readings to a signal processor, which distinguishes between flesh, bone, and what-not based on the absorption differential between the two wavelengths, so it can isolate out variables between different kinds of fingers. The result is incredibly precise, and the LED on the front flashes in precise sync with one's pulse. I'm guessing the signal processor is a major cost, so maybe in time these will come down in price.