Subverting Fingerprinting

squizzar writes in with news of a 27 year old Chinese woman who was discovered to have had her fingerprints surgically swapped between hands in order to fool Japanese immigration. "It is Japan's first case of alleged biometric fraud, but police believe the practice may be widespread. ... The apparent ability of illegal migration networks to break through hi-tech controls suggests that other countries who fingerprint visitors could be equally vulnerable — not least the United States, according to BBC Asia analyst Andre Vornic." Time for some biometric escalation. Could iris scans be subverted as easily?

Re:Shodan's retinal scanners can always be fooled

[Ethanol-fueled]

This method is much more compact.

Did she fool anyone, though?

[AnotherUsername]

From TFA:

Japanese newspapers said police had noticed that Ms Lin's fingers had unnatural scars when she was arrested last month for allegedly faking a marriage to a Japanese man.

Seems like until they can get rid of the circular scars around their fingertips, they aren't going to fool anyone. From now on, when officials notice circular scars or other shaped scars around fingertips, they will probably have the person undergo further testing.

As far as iris switching...I don't think so. I have a feeling that the permanent blindness that likely follows(though I am not an ophthalmologist, so I can't be sure as to what is possible) will override any benefits that come from the short term gains of biometrics trickery.

Re:Did she fool anyone, though?

[Jah-Wren+Ryel]

From now on, when officials notice circular scars or other shaped scars around fingertips, they will probably have the person undergo further testing.

However, their cost to check has now gone up by at least 2x, maybe even 10x - they need to manually inspect every person (you can't just check the negatives because if the faker happens to have passed through successfully in the past their 'new' prints will already be in the database).

And this is only one attack vector. We've already seen the korean woman last year who used a practical application of the gummy bear trick to fool the japanese too.

The thing to remember is that these systems will only get less effective as time goes by. All the hype when proposed about how great they are, for whatever intended purpose, represents the best they will ever be - the more familiarity people get with the systems, the more ways people will figure out how to circumvent them.

Kinda warms my freedom loving heart it does.

Re:Did she fool anyone, though?

[MillionthMonkey]

A guy at work was always talking about using gummy bears to commit the perfect crime. You somehow make a mold of someone's fingerprint using that gummy bear material. Then you use it on a fingerprint scanner, which gets fooled by it, and it lets you in. Then, get this- you eat the gummy bear fingerprint mold, and permanently destroy the evidence of your intrusion.

That always struck me as a little improbable. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?

Re:Watching 'Bladerunner' too many times?

[MichaelSmith]

Or how about just carving a custom print into the finger. Maybe something like the laser surgery they do on corneas or tattoos.

FBI fighting this since the 1930's

[Somegeek]

"other countries who fingerprint visitors could be equally vulnerable — not least the United States", according to BBC Asia analyst Andre Vornic.

Vornic needs to do some research. Criminals in the US have been attempting to surgically alter or mask their fingerprints since at least the 1930s, and the FBI has been researching the techniques since then as well. I remember reading about this in a book from the 60's, where a counterfeiter surgically swapped his prints around, and the FBI recognized them, out of order, and matched them back up with the original fingers.

Re:Woah

[Idiomatick]

According to mythbusters you could get past most scanners with a photocopy of someone else's fingers :P

What about publishing them openly?

[Richard_J_N]

How about a public (anonymised) repository of fingerprints. The idea is this: I can't change my prints, nor can I get back control once the government has taken them. But I could publish them to the world. That makes the print very easy for anyone else to fake. In other words, plausible deniability.

Re:Woah

[cgenman]

True story:

I worked at a video game developer once who had biometric finger scanners to clock in and out, but required you to type in your employee number first.

"If it has my fingerprint, shouldn't it know my employee number?"

So I started playing with it. I started with the same finger on the same hand. It took it. Then a different finger on the same hand. Yup. It took a different finger on a different hand. And then we got creative.

Someone Else's finger? Check. Elbow? Check. Toe? Check. Tongue? Check.

In fact, we finally found the limit of the system. It took a warm hot dog pressed up against the fingerprint scanner, but not a cold one. A lot of my faith in fingerprint biometrics was shattered then and there. I since dated someone who had a fingerprint scanner on her computer, though that only seemed to let me trough wrongly some of the time.

Another thing we learned? Co-workers don't appreciate it when you lick the thumb scanner that everyone has to clock in with.

Iris size: Trivial

[DrYak]

Also the eye may dilate as you kill them which will also fuck the result.

Mydriasis happens with death, indeed.
But it's almost trivial to induce myosis instead, using the proper chemicals. (Cocaine, as an example of something which won't be difficult to obtain for would-be criminals. As a bonus, this same substances doubles as a way to kill the victim through overdoses AND a way to preserve the iris in myosis).