Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos

An anonymous reader writes Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen. Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public." Even better than gummi bears.

This is why "biometric" authentication is useless

Despite some of the biggest names in security lauding the advantages of biometric authentication, it's pretty flawed by design. If your fingerprints, facial structure, etc. are ever compromised, they become useless. Unlike a password or a cert, you cannot simply revoke who you are. So once the cat is out of the bag, you simply cannot use it again. Not to mention the fact that it could be fairly trivial to obtain fingerprints or other biometric data of a target.

No details

TFA has no details, so there is no way to evaluate the credibility of the claim.

Re:IMO, The biggest problem with fingerprint....

[markdavis]

Fingerprints aren't even good for ID. They shouldn't be used at all.

Biometrics should be limited to deep vein scans which are fast, accurate, very hard to "steal", very difficult to obtain without the user's consent, and aren't being left all over the place all the time.

Re:This is why "biometric" authentication is usele

[Opportunist]

It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.

All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.

You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.