Slashdot Mirror


OPM Says 5.6 million Fingerprints Stolen In Cyberattack

mschaffer writes: The Office of Personnel Management data breach that happened this summer just got a little worse. The OPM now says that 5.6 million people's fingerprints were stolen as part of the hacks. The Washington Post reports: "That's more than five times the 1.1 million government officials estimated when the cyberattacks were initially disclosed over the summer. However, OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same."

93 comments

  1. the song remains the same, too by turkeydance · · Score: 1

    oops!

  2. Credentials by Isarian · · Score: 4, Informative

    And this is why fingerprints are NOT good credentials.

    1. Re:Credentials by Anonymous Coward · · Score: 3, Insightful

      Not really, all credentials can be stolen or copied. Fingerprints are just very difficult to change once they have been compromised. That's why they are bad credentials.

    2. Re:Credentials by alvinrod · · Score: 1

      For something requiring high levels of security, probably not, but that doesn't mean it's not reasonable to use for unlocking a phone or authenticating a small purchase, especially if the alternative is no authentication at all because it's too cumbersome.

      This is a case of why certain types of data should be stored in raw, unencrypted formats. Something like this should be stored as the result of applying some type of one-way function on a fingerprint to store a representation of it. That way you can authenticate with a sample, but not steal a person's credentials simply because they used some service with poor security measures.

      A password or a physical object are just as useless as credentials if some idiot is storing them unencrypted or in plain-text and the information about them can be stolen and duplicated.
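A sketch of the one-way storage idea from the comment above, added here as an example and not part of the original thread: a plain cryptographic hash cannot match two slightly different scans of the same finger, so this uses a fuzzy commitment (random key, repetition code, XOR helper data) instead. The fixed-length bit-string template, the toy sizes and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import random
import secrets

REP = 5        # each key bit is repeated 5 times: up to 2 flipped bits per group are corrected
KEY_BITS = 32  # toy size, far too small for real use
TEMPLATE_BITS = REP * KEY_BITS


def encode(key):
    """Repetition-code encoder: every key bit becomes REP identical bits."""
    return [b for b in key for _ in range(REP)]


def decode(code):
    """Majority vote per group of REP bits."""
    return [int(sum(code[i:i + REP]) > REP // 2) for i in range(0, len(code), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_tag(salt, key):
    """Salted one-way tag of the random key (not of the biometric itself)."""
    return hashlib.sha256(salt + bytes(key)).digest()


def enroll(template):
    """Return the record to store: salt, helper data and key tag, never the template."""
    if len(template) != TEMPLATE_BITS:
        raise ValueError("template must be %d bits" % TEMPLATE_BITS)
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    salt = secrets.token_bytes(16)
    # Helper data = template XOR codeword. Assumption: template bits are close to
    # uniform; for a biased template the helper data leaks information about it.
    return {"salt": salt, "helper": xor(template, encode(key)), "tag": key_tag(salt, key)}


def verify(record, sample):
    """A fresh sample that is close to the enrolled template recovers the same key."""
    if len(sample) != TEMPLATE_BITS:
        return False
    key = decode(xor(sample, record["helper"]))
    return hmac.compare_digest(key_tag(record["salt"], key), record["tag"])


def naive_hash_match(template, sample):
    """Password-style storage: compare SHA-256 of the raw bits. Any noise breaks it."""
    return hashlib.sha256(bytes(template)).digest() == hashlib.sha256(bytes(sample)).digest()


def flip(bits, positions):
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def constructed_template(seed):
    """Constructed stand-in for a fingerprint feature vector (not real biometric data)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


if __name__ == "__main__":
    enrolled = constructed_template(1)
    record = enroll(enrolled)
    rescan = flip(enrolled, [0, 7, 13, 21, 40, 41])  # same finger, 6 noisy bits
    print("naive hash matches rescan:   ", naive_hash_match(enrolled, rescan))
    print("fuzzy commitment, rescan:    ", verify(record, rescan))
    print("fuzzy commitment, too noisy: ", verify(record, flip(enrolled, [40, 41, 42])))
    print("fuzzy commitment, other user:", verify(record, constructed_template(2)))
```

Real fingerprint templates are unordered minutiae sets rather than aligned bit strings, so a deployed scheme needs a feature encoding and a stronger error-correcting code than this repetition code.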

    3. Re:Credentials by Anonymous Coward · · Score: 4, Funny

      "The OPM is emailing the people affected, advising them to change their fingerprints.

      The advice comes with guidelines for proper fingerprint security, such as having fingerprints at least ten digits long, with at least one loop, one whorl, one arch, and one "special character". Also, it's recommended to never re-use your fingerprints for multiple sites, and to change your fingerprints at least once every 90 days, being sure to never re-use any of your last ten fingerprints."

    4. Re:Credentials by Anonymous Coward · · Score: 0

      you boldly mispelled impossible.

    5. Re:Credentials by Anonymous Coward · · Score: 0

      It's been a tad bit harder to type since the Chinese took my distal phalanges.

    6. Re:Credentials by avandesande · · Score: 2

      it's only a matter of time before someone figures out how to print fake finger prints as some sort of stamp, or at the very least transfer them to gummy bears.

      --
      love is just extroverted narcissism
    7. Re:Credentials by fisted · · Score: 1

      I'd venture a guess that that time is (way) negative.

    8. Re:Credentials by Salgak1 · · Score: 1

      I know that scanning/modeling each individual fingerprint, and reducing it to a searchable hash is the basic technique the FBI's "IAFIS" system uses: both the record fingerprints and the examined fingerprints are hashed, and hashes are compared for close matches. I can't speak to the specific actual technique (as I recall, it's both proprietary and close-hold), and suspect SEVERAL different hashes are involved, but that's the basic methodology. I worked on the requirements team for the technology update for that system from 2005-2006. . .

    9. Re:Credentials by Anonymous Coward · · Score: 0

      Well let's hope the developers understood the requirements better than you did.

      There are well distributed standards https://books.google.com/books?id=kSfYd2Pj9V4C&pg=PA65&lpg=PA65&dq=iafis+fingerprint+coding&source=bl&ots=Q1f4Nflk3-&sig=pfnpUmRgTKqKiBOpevgyQgunXrI&hl=en&sa=X&ved=0CDEQ6AEwBmoVChMI3aT4_5mOyAIVijo-Ch1lqAD7#v=onepage&q=iafis%20fingerprint%20coding&f=false for AFIS and IAFIS encoding of prints. It's a good thing they aren't using some proprietary encoding or they'd have a lot more trouble testifying about it when they go to court.

    10. Re:Credentials by Anonymous Coward · · Score: 0

      Not difficult, just painful. I've got a scar across my right index. It was clear enough to get a remark last time I got printed so surely changed it

    11. Re: Credentials by Anonymous Coward · · Score: 0

      What is to prevent someone from making random fingerprints or some other easily randomized data that can be used in place of one's own prints? Obviously I'm not thinking of scanners that can count your heartbeats while scanning your "print".

    12. Re: Credentials by Anonymous Coward · · Score: 0

      Searching for "close hashes" does not compute

    13. Re:Credentials by Salgak1 · · Score: 1

      I worked part of the requirements, primarily financial and perimeter security. I had the 50-thousand foot explanation. Thanks for the clarification. .

    14. Re:Credentials by rsborg · · Score: 1

      it's only a matter of time before someone figures out how to print fake finger prints as some sort of stamp, or at the very least transfer them to gummy bears.

      You mean like how the CCC theoretically defeated TouchID on the iPhone [1]? A pretty basic process, all you need is a 2400 dpi scanner, photo-sensitive PCB, graphite spray, a very nice pristine stray fingerprint (on a glass), and lots and lots of free time and determination.

      Theoretically automated, but basic brute-force defenses and secondary factors would render such an attack as unreliable.

      [1] https://www.ccc.de/en/updates/...

      --
      Make sure everyone's vote counts: Verified Voting
    15. Re:Credentials by Anonymous Coward · · Score: 0

      There is probably someone in the OPM seriously considering this, and proposing it for physcal year 2016

  3. If you are going to steal... at least mess up by Anonymous Coward · · Score: 4, Funny

    In stealing the real finger prints. Should have randomly walked the databases and reassign all finger-prints (even better individual fingers) to other persons, also other info (partial phone numbers, name, dates, what not). So database would be worthless - truncate the SQL database logs a few times to be sure. :)

    See if the backup actually works or not. :)

    If you do not restore your database, how do you know it works??

    1. Re:If you are going to steal... at least mess up by MagickalMyst · · Score: 1

      Mod +1 Funny

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  4. I'm anonymous! And so is my wife! by Anonymous Coward · · Score: 0

    ouch, gonna be hard to patch that.


    With this incessant rampant identity theft, pretty soon we're all going to be Anonymous because we can't prove who we are any more.
    (See, your identity is stolen, so you don't have one, he pedantically explained the joke in proper nerd fashion.)

    1. Re:I'm anonymous! And so is my wife! by Anonymous Coward · · Score: 0

      You won't have to prove who you are. You'll have to prove who you're not.

    2. Re:I'm anonymous! And so is my wife! by fisted · · Score: 2

      A lot of climbing provides a reasonable workaround

    3. Re:I'm anonymous! And so is my wife! by davester666 · · Score: 1

      I am clearly not the droid you are looking for.

      Idiot.

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:I'm anonymous! And so is my wife! by fisted · · Score: 1

      To whoever modded this funny, I wasn't joking...

  5. easy by sociocapitalist · · Score: 1

    Just change the passwords associated with the accounts...

    Oh wait...can't change those fingerprints so easily.

    THIS is why I hate giving my fingerprints to companies (ie datacenters) who require them for access.

    --
    blindly antisocialist = antisocial
    1. Re:easy by TheGratefulNet · · Score: 1

      maybe I've seen too many movies, but for something that is locked down that tight, it sounds like 'bad guys' would really want to get in there.

      I need my fingers. I would have to have one cut off by a bad guy, so he could use my prints.

      might be very farfetched, but I'm not so sure I'd want to sign up for a security job that needed prints. in fact, it seems quite stupid for a security company to put its people at risk like this!

      --
      "It is now safe to switch off your computer."
    2. Re:easy by ShanghaiBill · · Score: 1

      I would have to have one cut off by a bad guy, so he could use my prints ... might be very farfetched

      It is very farfetched. There is no known instance where this has ever happened. The British tabloids printed a story years ago about a severed finger used to gain access, but it was a hoax.

      Many modern fingerprint scanners have pulse detection, so a severed finger wouldn't work.

      You should find something else to worry about, like maybe getting hit by a meteor.

    3. Re:easy by TheGratefulNet · · Score: 1

      if it's true that they can't be used if 'cut off'; does every thief who might TRY this, know this?

      it actually matters less if it works. what matters is if anyone ever still thinks it can work and is willing to do this evil deed.

      again, why even take the chance. there is risk and it seems like it's not worth any risk at all, with other alternatives being better in many ways.

      --
      "It is now safe to switch off your computer."
    4. Re:easy by fisted · · Score: 1

      Many modern fingerprint scanners have pulse detection, so a severed finger wouldn't work.

      Oh okay, that makes it much better. At least you will know that your missing finger(s) didn't gain the criminals access to whatever they tried to access.

      You're probably assuming it goes more or less like this:
      1. Criminal wants to access fingerprint-based facility
      2. Criminal finds out the fingerprint scanner model
      3. Criminal reads the manual/specification of the scanner
      4. Criminal realizes it won't work with a cut-off finger
      5. Criminal is like "damn, no dice."

      When really it's more like:
      1. Criminal wants to access fingerprint-based facility
      2. Criminal waits for someone who has access
      3. Criminal cuts off one or two of their fingers
      4. Criminal tries to get access using those fingers
      5. Access is denied
      6. Criminal dumps the worthless fingers somewhere

    5. Re:easy by Anonymous Coward · · Score: 0

      But Lockey did it with an eyeball!

    6. Re:easy by Anonymous Coward · · Score: 0

      I "love" finger printer / bio scanners... NOT

      It takes me between 10 and 20 minutes to get through the scanner. Pisses the guard off as I back everyone up to wait for me. Cannot flag me though, security violation. Cannot fire me, ADA.

      Diabetic and smooth finger tips, not enough to read. :)

    7. Re:easy by ShanghaiBill · · Score: 1

      When really it's more like:

      Except that it is NOT like that. That has happened zero, nada, zilch, times. Kidnapping and mutilation are extremely serious crimes. It is unlikely that any sane person is going to risk that to gain access to your iPhone. Do you also refuse to wear Nikes, because someone might cut your feet off to steal them?

    8. Re:easy by Stormy+Dragon · · Score: 1

      No, it's really more like:

      1. Criminal wants to access fingerprint-based facility
      2. Criminal bashes hole in door, eliminating need for fingerprints

      The only reason you need the fingerprints is if you want to be able to enter surreptitiously, which you're obviously not worried about once you get to the "cutting off people's fingers" stage.

    9. Re:easy by fisted · · Score: 1

      Except that it is NOT like that. I have heard of it zero, nada, zilch, times.

      FTFY

      Kidnapping and mutilation are extremely serious crimes.

      No shit?

      It is unlikely that any sane person is going to risk that

      Well no shit, sherlock. It turns out that criminals usually don't belong to the "sane" kind of people.
      Good grief. Please re-read your comments before actually submitting and pay close attention to whether what you're going to say makes any sense at all. Because this assertion about what sane people are not going to do is, apart from being completely obvious, utterly irrelevant to the question what insane people might do.

      Seriously.

      to gain access to your iPhone

      What does an iPhone have to do with anything?

      Do you also refuse to wear Nikes, because someone might cut your feet off to steal them?

      Stop. Please. You're not making sense and this doesn't follow at all.

    10. Re:easy by fisted · · Score: 1

      Since fingerprint authorization is deployed in the name of security, I think it's reasonable to assume that those doors aren't as easy to punch a hole into; while obtaining a finger only requires a pair of pliers.

    11. Re:easy by sociocapitalist · · Score: 1

      maybe I've seen too many movies, but for something that is locked down that tight, it sounds like 'bad guys' would really want to get in there.

      I need my fingers. I would have to have one cut off by a bad guy, so he could use my prints.

      might be very farfetched, but I'm not so sure I'd want to sign up for a security job that needed prints. in fact, it seems quite stupid for a security company to put its people at risk like this!

      My point is more that once the digital information representing your fingerprint is compromised that it is compromised forever and for every biometric authentication that uses a fingerprint.

      --
      blindly antisocialist = antisocial
    12. Re:easy by david_thornley · · Score: 1

      Realistically, if someone wants my fingerprints, they'll get them. I leave them all over the place.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  6. no big deal to any REAL sysadmin by Anonymous Coward · · Score: 0

    how hard is it to just change your fingerprints every few months? i mean, seriously - if you aren't taking this kind of security risk seriously, you don't belong in humanity.

    1. Re:no big deal to any REAL sysadmin by behrooz0az · · Score: 1

      you can only change it 19 or 20 times depending on gender.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  7. Fingerprints should.... by mark-t · · Score: 2

    .... only tell you who you can reasonably expect someone to be, but should not be relied on to tell you who somebody actually is.

    Relying on any so-called completely unique feature of every human being that may be currently impossible or at least extraordinarily difficult to replicate makes the implicit assumption that no technology could potentially be invented that will make forging it possible or viable.

    1. Re:Fingerprints should.... by fuzzyfuzzyfungus · · Score: 2

      Fingerprints are pretty trivial to forge. Back in elementary school, we used to slack off by covering our fingertip, palm, etc. with Elmer's glue, letting it dry, and then peeling it off. Formed a surprisingly detailed 'negative' of the skin that it dried on. Since the glue was water based, you could then apply a layer of rubber cement to the 'negative' and get a sticky rubber 'positive' that you could wash the glue off.

      Obviously, the point of the exercise was not to evade biometrics, it was just something more interesting than what we should be doing, doable with the supplies available; but making relatively precise molds and then fabricating thin patterned membranes that can be applied to mask an individual's real fingerprints isn't rocket surgery.

      They still have some forensic value because of how many crimes are unplanned or poorly planned, and how careful you have to be to avoid slipping up; and because if you are being fingerprinted in custody your fake prints are going to have to withstand greater scrutiny; but for a biometric login, which usually happens under limited physical security and only tests against the sample you provide, not the hundreds you leave on every surface throughout the day, they are getting pretty tepid.

      DNA is more challenging to fake, especially if they want enough to plausibly plant into what looks like a real biopsy or fluid sample; but has the same "faking is the easy part; not shedding some of the real thing is the hard part" limitations. Even if you sidestep the difficulty of synthesizing by assuming that the person being impersonated is your accomplice, best of luck to you not shedding some of your own DNA.

  8. SOMETHING MUST BE DONE! by fuzzyfuzzyfungus · · Score: 4, Funny

    I demand that we vigorously close the barn door by implementing a robust biometric authentication infrastructure to prevent this from happening again!

    1. Re:SOMETHING MUST BE DONE! by bobdehnhardt · · Score: 3, Interesting

      Be sure to include DNA from the horses that have already left...

    2. Re:SOMETHING MUST BE DONE! by cold+fjord · · Score: 1

      I demand that we vigorously close the barn door by implementing a robust biometric authentication infrastructure to prevent this from happening again!

      That's probably a good idea since I'm reasonably certain they haven't hired their last employee.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:SOMETHING MUST BE DONE! by TheGratefulNet · · Score: 1

      paging catherine the great. will you please come to the courtesy phone. catherine the great. to the courtesy phone. thankyou.

      --
      "It is now safe to switch off your computer."
    4. Re:SOMETHING MUST BE DONE! by rholtzjr · · Score: 1

      So you are saying we give them MORE information to be collected on the next hack?

  9. No problem by Anonymous Coward · · Score: 0

    Just change the fingerprints on all accounts and you're safe again.

    1. Re:No problem by k6mfw · · Score: 2

      Just change the fingerprints on all accounts and you're safe again.

      That is a totally ridiculous solution and yet it seems so reasonable (I'm sure someone will say, "it is the only way to be sure.")

      With impending guvmint shutdown sometimes I wonder who's minding the store? There's gotta be a "In Soviet Russia" answer to this one.

      --
      mfwright@batnet.com
  10. Everyone, it was everyone by NotDrWho · · Score: 5, Insightful

    This same song-and-dance seems to play out with every big hack now:

    Week one:
    "It was just a few people who had some limited data compromised"

    Week two:
    "It was just a few people who had most of their data compromised, but not their passwords"

    Week three:
    "It was a lot of people, who had most of their data compromised, but not their passwords"

    Week four:
    "They got everything on everyone"

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Everyone, it was everyone by Anonymous Coward · · Score: 0

      It's like boiling frogs slowly so they don't jump out of the pan, only you're slowly boiling the public so that by the time the full extent of the corruption/incompetence is revealed there is less outcry.

    2. Re:Everyone, it was everyone by bitingduck · · Score: 1

      Except with OPM it's a lot more than just your credit card number and SSN-- for a lot of people it's their entire personal history that was collected in the process of getting a security clearance, which can include a *lot* of details, all nicely collected in one spot and verified. Including fingerprints...

      And that doesn't even address the possible issues that will come up if the hackers also wrote new information to the database so that what people self report may no longer match their history when it's time to renew the clearance...

    3. Re:Everyone, it was everyone by Anonymous Coward · · Score: 0

      If you need OPM to reissue your 1099 because it was sent to the wrong address, well you can be assured that info will be securely contained. It also won't be sent to you.

  11. NOT Stolen by Anonymous Coward · · Score: 4, Funny

    This can't be stealing - the originals are still there !

    It's just that they made a copy of the data.

    --- RIAA

    1. Re:NOT Stolen by Pseudonymous+Powers · · Score: 1

      Prosecuting these hackers under the DMCA for stealing fingerprints would be like prosecuting a notorious gangster for, I don't know, tax evasion. It's ridiculous, and it would never happen.

    2. Re:NOT Stolen by behrooz0az · · Score: 1

      I'm pretty sure it's obtaining classified information illegally and breaking into government computer systems. YMMV

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  12. That's just great... by __aaclcg7560 · · Score: 4, Funny

    The Chinese have my background investigative report and my fingerprints for my government job. Next they will be shutting down the government for no reason.

    1. Re:That's just great... by Anonymous Coward · · Score: 1

      ... and my fingerprints for my government job.

      Just how many different fingerprints do you have? I mean, I have a separate work phone and personal phone, but you've gone all out. Well done!

    2. Re:That's just great... by __aaclcg7560 · · Score: 1

      One set when I got hired last year, another set this year when renewing my PIV card.

    3. Re: That's just great... by Anonymous Coward · · Score: 0

      Actually they will just open several lines of credit in your name and get some money the US owes them. (Of course it will not count as an actual debt payment but.....)

      Seriously, we owe them money, they make a lot of money selling factory labor to US companies, they won't shutdown the government (who keeps borrowing from them and refuses to pay on the principal) or attack wall street (another common claim) because that would cost their government money.

    4. Re: That's just great... by __aaclcg7560 · · Score: 1

      The Chinese only own $1.712T of the U.S. public debt. Social Security and other government retirement programs have $5.117T. While we do owe the Chinese some money, we owe our retirees even more money.

      http://useconomy.about.com/od/monetarypolicy/f/Who-Owns-US-National-Debt.htm

  13. SF-86 forms by OffTheLip · · Score: 4, Insightful

    Very detailed histories of a person's family, including SSN's, were part of the heist via Form SF-86. Being a longtime defense department contractor whose security clearance details were likely compromised I am pissed. The forms included personal info from friends gracious enough to vouch for my veracity as a trusted agent for the US government. We were expected to protect paper and electronic copies of this form as we would other sensitive data. The joke appears to be on us.

    1. Re:SF-86 forms by Anonymous Coward · · Score: 0

      What recourse exists in law and regulation against the government when they fail to keep it secret? Yes I know citizens are treated harshly, but this is a country of, by and for the people, after all.

      We might have to revert to common law and the constitution itself.

      JJ

  14. Infamous last words by Nidi62 · · Score: 5, Funny

    You can have my fingerprints when you pry them from my cold, dead.....oh.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  15. Revoke by ledow · · Score: 1

    No problem. Just revoke th... Oh.

  16. HELL YEAH by Anonymous Coward · · Score: 0

    DIS GON BE GUD

  17. No problem by Ashenkase · · Score: 2

    Just reset your fingerprint, this time please use numbers, letters and other symbols.

  18. How easy is it to print in oil fingerprints... by Anonymous Coward · · Score: 0

    ...and then place them at a scene?

    Probably would need to mirror-print a lipid based "ink" onto a temporary flexible substrate.

    At the scene one could transfer/rub the resultant print onto a fixed location item...

    That would put the person at the scene...

    Something to beware of methinks...

  19. OPM by Anonymous Coward · · Score: 0

    Other People's Money

  20. Maybe I'm nuts.. by TrimTabTim · · Score: 5, Interesting

    ....but over the last years, I've started to really cheer in glee every time there's a horrible breach of sensitive data.

    Only after a percentage of people are thoroughly harmed and screwed by the escape of sensitive information, will the world realize that there simply is no sound way to keep secrets safe. It is a logical fallacy for one to think they can make a system that is perfectly secure as every measure has a countermeasure

    Therefore, the only option that will remain after a sufficient number of people get fleeced, fucked and flogged will be to never collect it in the first place. To collect it, is to invite evil-doers to an all you can eat buffet.

    So celebrate the evil blackhats of the world!! Huzzah! For us to see progress, they must steal their billions, destroy lives, maim murder and pillage! Sure, we technology buffs understand risks and speak loudly about the NSAs, Facebooks and all the other "user abusers" of the world. But we clever geeks can never convince the masses to change their ways because our message is inconvenient.

    No sir. Until enough good people are fucked, the assholes of the world will keep winning the minds of innocent fools with lies like "If you've done nothing wrong you should have nothing to hide". How about this one, "We collect your information in order to better serve you". Orwell is spinning in his grave.

    Ending my rant: Good people need encryption and privacy the most, but they won't realize this until they've been burned by fire. So burn baby burn.

    1. Re:Maybe I'm nuts.. by Anonymous Coward · · Score: 0

      I was part of the OPM breach and Ashley Madison breach so forgive me but FUCK YOU!!!

    2. Re:Maybe I'm nuts.. by Anonymous Coward · · Score: 0

      Just remember to get the order right, rape, pillage, plunder and then burn.....

    3. Re:Maybe I'm nuts.. by Anonymous Coward · · Score: 0

      Ashley Madison

      FUCK YOU!!!

      I'm sorry your marriage is hilariously terrible, but there are easier ways to get some than propositioning random Slashdotters.

    4. Re: Maybe I'm nuts.. by Anonymous Coward · · Score: 0

      Exactly. When there is nothing left to steal people will begin to understand they need to worry about only oneself and not what some jerkoff says who still thinks he or she knows you better than you yourself do. It is good when the OPM gets their balls handed back to them. No matter who you are or who you work for, in the end you are but one of billions and no man stands above another.

    5. Re:Maybe I'm nuts.. by Anonymous Coward · · Score: 0

      Actually, it goes: Rape, murder, pillage, burn. In that order. Anything else is uncivilized.

    6. Re:Maybe I'm nuts.. by AHuxley · · Score: 1

      Re: simply is no sound way to keep secrets safe.
      The US gov and mil and all the Western mil's did a good job over many years. Encrypted, per site, no public net access.
      No great issues going back decades given the US had a great early start in advanced digital databases.
      At some point all the US data was placed on a network facing the 'internet' and the data was not encrypted.
      That gov/contractor need for a massive easy to read and use database was 'worth' more than a lot of secure encrypted files.
      Some mil or gov group wanted to find skills fast and did not want to ask a lot of different networks or be logged asking for keys to vast different databases.
      The solution seems to have been a huge plain text effort kept online. The other option would have been in the creation of many different account per person per project per contractor. A simple to use database in English open to the net would have been useful to insert entire histories as bait/traps or to totally hide complex work histories/projects.
      The language issue might have been that need. Put everything in from every contractor, mil, gov and see if any have much needed languages or could be trained given past testing or education... it would not be the first time the US needed language skills quickly.
      Contractors, gov, mil liked the open, easy to use system so much it just stayed open, online and readable.
      Or it was all just bait, one huge trap with a percentage of names and projects total fiction for other nations to sort and wonder about.

      --
      Domestic spying is now "Benign Information Gathering"
  21. I hate opacity by AndyKron · · Score: 1

    Good. I'm glad they were stolen. I hate opacity. I hope everything online gets stolen, even the stuff that was stolen should be stolen again.

  22. Dates??? by Anonymous Coward · · Score: 0

    Anybody know what dates the fingerprints were taken that were jacked? I was last fingerprinted by DoD in 2008 and DHS in 2013.

    1. Re:Dates??? by bitingduck · · Score: 1

      They haven't said, but if I had to guess, I'd guess everybody who has a PIV-II card had their fingerprints stolen.

  23. No leadership, professionalism in government by Anonymous Coward · · Score: 0

    Unfortunately our so called leaders are nothing more than paycheck loafs. Do as little as possible, treat their job as a vacation and try and spend money as if it grows on trees. When you have as much security issues from the White House to Social Security and beyond. You're talking about some serious lapses in protecting information. Then it pretty much explains the whole Hillary Clinton email fiasco because nobody in Washington takes security seriously. Does anybody even witness anyone in Washington DC even addressing these issues? No, they work to cover them up not fix them. Let's have a committee on these issues, let's spend millions doing a study on security. Let's throw some money to one of our "friends" to come up with a strategy on fixing this issue. At least in the private sector things get done, people get fired. In government you get excuses, more political posturing and finger pointing and nothing gets solved. The problems with digital information is very real and yet it's becoming the way to store information. It's cheaper, it's quick to reference, and in some ways it is a good thing. But not securing it properly is like leaving your car unlocked in a bad neighborhood. At some point, somebody will steal it.

    1. Re:No leadership, professionalism in government by Anonymous Coward · · Score: 0

      In government? Hate to break it to you, but it's the same out here too (I post, as I get paid to sit on slashdot)

  24. How to fake fingerprints by __roo · · Score: 2

    How to fake fingerprints, in case you want to know what to do with them.

  25. OPM Says 5.6 million Fingerprints Stolen... So? by grep+-v+'.*'+* · · Score: 2

    So what? It's not the person, it's data ABOUT the person -- in other words, metadata.

    And everyone knows that metadata isn't real data; that's why the government is busy collecting so much of it.

    ------

    (Yes, I realize metadata would be where you actually found those fingerprints. But look-- soon you'll be able to find them everywhere!)

    ((And besides, I thought "privacy was dead, get over it."))

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:OPM Says 5.6 million Fingerprints Stolen... So? by TechnoJoe · · Score: 0

      So what?

      None of these people will ever again be able to participate in spying/undercover operations. Major governments already have software to comb over millions of fingerprints. If the mob doesn't have it already, I'm sure they will soon.

  26. If you must, then it should be vein scan by markdavis · · Score: 2

    >"OPM Says 5.6 million Fingerprints Stolen In Cyberattack"

    Which is why fingerprints and DNA should *NEVER* be given, taken, or stored as biometrics.

    Deep vein scan. THAT is the only reasonable biometric. It is of almost no value if stolen, can't be misused easily, isn't left all over the place like fingerprints and DNA, is quite unique, contains no sensitive information about the person, is very difficult to fake, can't be easily collected or read without the user's knowledge, is fast and easy to collect and also to use.

    1. Re:If you must, then it should be vein scan by Anonymous Coward · · Score: 0

      "is fast and easy to collect"
      So you are saying that it gets digitised like other biometric data and stored digitally where it is just ones and zeros?

      What is stopping that collection of ones and zeros that is a nice neat file or DB record being copied and then injected into any verification system requiring that data?

      Or are you relying on the fact that there are only a few hardware scanners at the moment and they verify at source?

      Because if these were for instance installed at the airport then the data/scan would most likely travel across the internet and be verified on another server. That server has no knowledge that the human is in that scanner, only that the data was passed to it for pattern matching.

    2. Re:If you must, then it should be vein scan by sociocapitalist · · Score: 1

      >"OPM Says 5.6 million Fingerprints Stolen In Cyberattack"

      Which is why fingerprints and DNA should *NEVER* be given, taken, or stored as biometrics.

      Deep vein scan. THAT is the only reasonable biometric. It is of almost no value if stolen, can't be misused easily, isn't left all over the place like fingerprints and DNA, is quite unique, contains no sensitive information about the person, is very difficult to fake, can't be easily collected or read without the user's knowledge, is fast and easy to collect and also to use.

      Any biometric signature that has been digitized can then be used as an attack on a secure system, granted not by the same input system.

      --
      blindly antisocialist = antisocial
    3. Re:If you must, then it should be vein scan by markdavis · · Score: 1

      >"Any biometric signature that has been digitized can then be used as an attack on a secure system, granted not by the same input system."

      Yes, but unlike fingerprints, you can't use the vein data to create a fake palm or arm to trick physical scanners. At least, not without a tremendous amount of effort and complexity...

    4. Re:If you must, then it should be vein scan by sociocapitalist · · Score: 1

      >"Any biometric signature that has been digitized can then be used as an attack on a secure system, granted not by the same input system."

      Yes, but unlike fingerprints, you can't use the vein data to create a fake palm or arm to trick physical scanners. At least, not without a tremendous amount of effort and complexity...

      Agreed, that's why I said not the same input system. If you have digital access to the system at any point where you can 'input' the 'scan' data then the actual physical scan becomes unnecessary.

      --
      blindly antisocialist = antisocial
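
Added example, not part of any comment in this thread: the concern raised in the vein-scan subthread above (digitized scan data injected past the physical scanner) has a standard countermeasure, which is to make the scanner authenticate each capture against a fresh server nonce. The sketch assumes a scanner holding a secret key shared with the verifier; `Verifier`, `sensor_respond`, the toy Hamming-distance matcher and the templates are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_BIT_DIFF = 8  # assumed tolerance for the toy matcher; real matchers are far more involved

def hamming(a, b):
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def sensor_respond(sensor_key, nonce, scan):
    """Runs inside the scanner: bind this capture to the server's nonce."""
    return scan, hmac.new(sensor_key, nonce + scan, hashlib.sha256).digest()

class Verifier:
    """Server side: accepts a scan only if a keyed scanner produced it for a fresh nonce."""
    def __init__(self, sensor_key, enrolled):
        self._key, self._enrolled, self._pending = sensor_key, enrolled, set()

    def new_challenge(self):
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, scan, tag):
        if nonce not in self._pending:        # unknown or already used nonce
            return False
        self._pending.discard(nonce)          # nonces are single use
        expected = hmac.new(self._key, nonce + scan, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # not produced by the keyed scanner
        return len(scan) == len(self._enrolled) and \
            hamming(scan, self._enrolled) <= MAX_BIT_DIFF

def demo():
    key = os.urandom(32)                      # constructed scanner key
    enrolled = bytes(range(32))               # constructed enrolled template
    fresh = bytes([enrolled[0] ^ 0x01]) + enrolled[1:]  # live scan, 1 bit of noise
    v = Verifier(key, enrolled)
    n1 = v.new_challenge()
    scan, tag = sensor_respond(key, n1, fresh)
    out = {"live_scan": v.verify(n1, scan, tag)}
    out["replayed_message"] = v.verify(n1, scan, tag)            # same message again
    out["old_tag_new_nonce"] = v.verify(v.new_challenge(), scan, tag)
    n3 = v.new_challenge()
    forged = hmac.new(b"no-sensor-key", n3 + enrolled, hashlib.sha256).digest()
    out["stolen_template_injected"] = v.verify(n3, enrolled, forged)
    return out

if __name__ == "__main__":
    print(demo())
```

The binding holds only while the scanner's key stays inside the hardware; with that in place, a copied template record by itself no longer passes verification.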
  27. Anyone else remember Chelsea? by Anonymous Coward · · Score: 0

    Anyone else remember how Chelsea Manning and Julian Assange let us know a few years back about how Hillary Clinton was orchestrating a large scale ring of snooping fingerprints and credit cards from the United Nations? I do.

  28. Yeah it really has happened by Anonymous Coward · · Score: 0

    To steal a Mercedes http://m.theregister.co.uk/2005/04/04/fingerprint_merc_chop/

    If the target value is high enough...

  29. I was worried... by Buchenskjoll · · Score: 1

    I was worried when I read this, but then I checked and I still have my fingerprints.

    --
    -- Make America hate again!