Slashdot Mirror

← Back to Stories (view on slashdot.org)

Subverting Fingerprinting

Posted by kdawson on from the on-a-stalk dept.

squizzar writes in with news of a 27 year old Chinese woman who was discovered to have had her fingerprints surgically swapped between hands in order to fool Japanese immigration. "It is Japan's first case of alleged biometric fraud, but police believe the practice may be widespread. ... The apparent ability of illegal migration networks to break through hi-tech controls suggests that other countries who fingerprint visitors could be equally vulnerable — not least the United States, according to BBC Asia analyst Andre Vornic." Time for some biometric escalation. Could iris scans be subverted as easily?

17 of 169 comments (clear)

  1. Re:Shodan's retinal scanners can always be fooled by Ethanol-fueled · · Score: 5, Funny

    This method is much more compact.

  2. Did she fool anyone, though? by AnotherUsername · · Score: 4, Insightful
    From TFA:

    Japanese newspapers said police had noticed that Ms Lin's fingers had unnatural scars when she was arrested last month for allegedly faking a marriage to a Japanese man.

    Seems like until they can get rid of the circular scars around their fingertips, they aren't going to fool anyone. From now on, when officials notice circular scars or other shaped scars around fingertips, they will probably have the person undergo further testing.

    As far as iris switching...I don't think so. I have a feeling that the permanent blindness that likely follows(though I am not an ophthalmologist, so I can't be sure as to what is possible) will override any benefits that come from the short term gains of biometrics trickery.

    --
    I don't like Linux. This doesn't make me a troll.
    1. Re:Did she fool anyone, though? by Jah-Wren+Ryel · · Score: 4, Insightful

      From now on, when officials notice circular scars or other shaped scars around fingertips, they will probably have the person undergo further testing.

      However, their cost to check has now gone up by at least 2x, maybe even 10x - they need to manually inspect every person (you can't just check the negatives because if the faker happens to have passed through successfully in the past their 'new' prints will already be in the database).

      And this is only one attack vector. We've already seen the korean woman last year who used a practical application of the gummy bear trick to fool the japanese too.

      The thing to remember is that these systems will only get less effective as time goes by. All the hype when proposed about how great they are, for whatever intended purpose, represents the best they will ever be - the more familiarity people get with the systems, the more ways people will figure out how to circumvent them.

      Kinda warms my freedom loving heart it does.

      --
      When information is power, privacy is freedom.
    2. Re:Did she fool anyone, though? by MillionthMonkey · · Score: 4, Funny

      A guy at work was always talking about using gummy bears to commit the perfect crime. You somehow make a mold of someone's fingerprint using that gummy bear material. Then you use it on a fingerprint scanner, which gets fooled by it, and it lets you in. Then, get this- you eat the gummy bear fingerprint mold, and permanently destroy the evidence of your intrusion.

      That always struck me as a little improbable. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?

  3. long term identity subversion prevention by drDugan · · Score: 3, Insightful

    The only real identity that is immune from subversion is consistent, community agreement.

    What I mean by this is that every piece of data measured can be faked, copied, or altered in the database against which the measurement is checked. DNA can be planted, id cards will be sold on black markets and faked, biometrics can be later changed or forged. The measured data in the database against which identity is checked can be altered - *all* the technology-based methods for ID have vectors of attack.

    What cannot be faked is what ones peers and friends agree upon regarding who an individual really is, and that the human in wuestion really is the person they agree it is. If all the friends and neighbors agree you really are Bob, then you're Bob regardless of what you do, or what data is stored in electronic systems. This is an unwieldy (nearly impossible) metric for access to a bar, authentication for into services, permission to drive, or asserting your ID at the bank to get your money. However, at its heart, community consistency could be the unalterable root from which all the other identification methods would rely upon. Basically one can create all kinds of electronic, physical, and technology based systems that will need to get reset when they are faked or forged or incorrect. To rely on other electronic systems for that reset is flawed and misses the essential nature of how people understand and use interpersonal identity.

    1. Re:long term identity subversion prevention by girlintraining · · Score: 3, Funny

      To rely on other electronic systems for that reset is flawed and misses the essential nature of how people understand and use interpersonal identity.

      Not everyone likes their friends, family, coworkers, or neighbors. Some people have jobs that are highly mobile. Some people prefer not having attachments to others. There are individuals that don't have a community identity of any kind. Should a person be denied access to those resources simply on the basis that they have no friends?

      Officer: "Well your honor, he hadn't committed any crimes but we noticed that he had no friends."

      Judge: "Good enough for me! Anyone who has no friends is clearly a threat to society. Book 'em danno."

      Officer: "Uh, yes sir. Who's Danno?"

      Judge: "Nevermind, son. It was before your time."

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:long term identity subversion prevention by Jahava · · Score: 3, Insightful

      What cannot be faked is what ones peers and friends agree upon regarding who an individual really is, and that the human in wuestion really is the person they agree it is. If all the friends and neighbors agree you really are Bob, then you're Bob regardless of what you do, or what data is stored in electronic systems. This is an unwieldy (nearly impossible) metric for access to a bar, authentication for into services, permission to drive, or asserting your ID at the bank to get your money. However, at its heart, community consistency could be the unalterable root from which all the other identification methods would rely upon. Basically one can create all kinds of electronic, physical, and technology based systems that will need to get reset when they are faked or forged or incorrect. To rely on other electronic systems for that reset is flawed and misses the essential nature of how people understand and use interpersonal identity.

      I disagree. Community relationships can be forged just as easily (if not easier) than biometrics in every sense.
      First, you have to ask yourself "which community?" With modern transportation, Bob's community could easily span his state. With modern communication, Bob's community could span the entire world. Concepts of traditional associations and communities are in a state of constant flux. To Bob's closest friends, he may be a blob of text. It's entirely possible that Bob goes throughout life without anybody ever truly knowing him. And even if he develops close relationships, they may be difficult to extract and correlate enough to develop any serious sense of him. Just go read an obituary ... those are a person's closest contacts giving their most sincere impressions of that person. Do you feel like you really know him after reading one? Is it really likely that they do?
      Then, you have to ask yourself "what consistency?" To his World of Warcraft pals he may be a secret agent astronaut millionaire. To his Facebook friends, he may seem a fun, insightful guy who loves to play sports. To his parents, whom he visits on holidays, he might be a successful banker. To his landlord, he might be a deadbeat who lost his banking job in the recession. All of these personas are maintainable and verifiable in the context of his community relationships.
      So bring forgery into account. Online, forgery is easy, as long as there's internal consistency with his community. In person is more difficult, but there are physical look-alikes and actors who could pull it off. Someone claiming to be Bob could completely redefine his community impression with enough determination. Point is, someone can easily pretend to be Bob, with or without his blessing, in any of his community relationships if they devote enough time and circumstance works in their favor.
      So what really is a person's identity? It's not community relationships any more than it's biometrics. All of those are third-person impressions of an organism, and they only certify identity through temporal and physical correlation of their data. The only physical identity that is Bob is his brain, which (for now) cannot be duplicated and (spiritually) will never be (if that's the kind of thing you believe in). Even then, Bob can change in an instant with brain trauma ... a complete rewiring! ... but it's still Bob, from society's (and the law's) point of view.
      His identity is not absolutely verifiable for the same reason it's unique ... it resides in a medium that is neither fully understood nor fully expressible. For all practical purposes, Bob will remain the sum of his parts, both socially and biometrically. Our ability to gauge Bob, like our ability to impersonate him, is based squarely on our perceptive capabilities and our time investment, and biometrics (especially retinal scans and DNA prototyping) are pretty damned capable.

  4. Re:Watching 'Bladerunner' too many times? by MichaelSmith · · Score: 4, Interesting

    Or how about just carving a custom print into the finger. Maybe something like the laser surgery they do on corneas or tattoos.

    --
    http://michaelsmith.id.au
  5. FBI fighting this since the 1930's by Somegeek · · Score: 5, Informative

    "other countries who fingerprint visitors could be equally vulnerable — not least the United States", according to BBC Asia analyst Andre Vornic.

    Vornic needs to do some research. Criminals in the US have been attempting to surgically alter or mask their fingerprints since at least the 1930s, and the FBI has been researching the techniques since then as well. I remember reading about this in a book from the 60's, where a counterfeiter surgically swapped his prints around, and the FBI recognized them, out of order, and matched them back up with the original fingers.

    --
    And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
  6. Re:Watching 'Bladerunner' too many times? by HTH+NE1 · · Score: 3, Insightful

    The tech for swapping fingerprints apparently exists.

    The tech for swapping fingerprint cards has existed even longer. Sometimes it's the people taking the prints that swap them for you.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  7. Re:What about the disabled? by abigor · · Score: 3, Funny

    Yes, Darth Vader has been able to slip undetected into numerous Western democracies for this very reason.

  8. Re:Woah by Idiomatick · · Score: 4, Informative

    According to mythbusters you could get past most scanners with a photocopy of someone else's fingers :P

  9. Fraud? by maxume · · Score: 3, Interesting

    Is it really fraud? Is there some promise that everyone has made to never make alterations to their bodies?

    (I think it's dumb, but I don't see how it is fraud, she didn't actually impersonate anyone or anything)

    --
    Nerd rage is the funniest rage.
  10. What about publishing them openly? by Richard_J_N · · Score: 4, Interesting

    How about a public (anonymised) repository of fingerprints. The idea is this: I can't change my prints, nor can I get back control once the government has taken them. But I could publish them to the world. That makes the print very easy for anyone else to fake. In other words, plausible deniability.

  11. Re:Woah by cgenman · · Score: 5, Funny

    True story:

    I worked at a video game developer once who had biometric finger scanners to clock in and out, but required you to type in your employee number first.

    "If it has my fingerprint, shouldn't it know my employee number?"

    So I started playing with it. I started with the same finger on the same hand. It took it. Then a different finger on the same hand. Yup. It took a different finger on a different hand. And then we got creative.

    Someone Else's finger? Check. Elbow? Check. Toe? Check. Tongue? Check.

    In fact, we finally found the limit of the system. It took a warm hot dog pressed up against the fingerprint scanner, but not a cold one. A lot of my faith in fingerprint biometrics was shattered then and there. I since dated someone who had a fingerprint scanner on her computer, though that only seemed to let me trough wrongly some of the time.

    Another thing we learned? Co-workers don't appreciate it when you lick the thumb scanner that everyone has to clock in with.

    --
    The ______ Agenda
  12. Re:Gives a new meaning to... by Opportunist · · Score: 3, Funny

    I don't want to see the keychain of a future burglar...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Iris size: Trivial by DrYak · · Score: 4, Informative

    Also the eye may dilate as you kill them which will also fuck the result.

    Mydriasis happens with death, indeed.
    But it's almost trivial to induce myosis instead, using the proper chemicals. (Cocaine, as an example of something which won't be difficult to obtain for would-be criminals. As a bonus, this same substances doubles as a way to kill the victim through overdoses AND a way to preserve the iris in myosis).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]