Slashdot Mirror

← Back to Stories (view on slashdot.org)

Japan Researchers Warn of Fingerprint Theft From 'Peace' Sign (phys.org)

Posted by BeauHD on from the finer-details dept.

Tulsa_Time quotes a report from Phys.Org: Could flashing the "peace" sign in photos lead to fingerprint data being stolen? Research by a team at Japan's National Institute of Informatics (NII) says so, raising alarm bells over the popular two-fingered pose. Fingerprint recognition technology is becoming widely available to verify identities, such as when logging on to smartphones, tablets and laptop computers. But the proliferation of mobile devices with high-quality cameras and social media sites where photographs can be easily posted is raising the risk of personal information being leaked, reports said. The NII researchers were able to copy fingerprints based on photos taken by a digital camera three meters (nine feet) away from the subject.

70 of 119 comments (clear)

  1. Slashdot has malicious ads by Anonymous Coward · · Score: 2, Informative

    Fix your fucking website already

    1. Re: Slashdot has malicious ads by Anonymous Coward · · Score: 2, Funny

      Slashdot has ads?

    2. Re:Slashdot has malicious ads by Hylandr · · Score: 2

      You're not running ad-block pro?

      Tsk, Tsk.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    3. Re: Slashdot has malicious ads by Buchenskjoll · · Score: 1

      I'm running bad luck, bro.

      --
      -- Make America hate again!
    4. Re:Slashdot has malicious ads by ckatko · · Score: 2

      Isn't Adblock Pro the one that sold out?

      Pretty sure uBlock Origin is one of the few that isn't whored-out these days.

    5. Re:Slashdot has malicious ads by Hylandr · · Score: 1

      I don't pay anything, and I turned off the 'tasteful ads'.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    6. Re:Slashdot has malicious ads by omnichad · · Score: 1

      I'm not sure they sold out, but they were never really against ads in the first place. They were against dangerous/intrusive/annoying ads but still understood that ads pay for things and sought a fair compromise.

    7. Re:Slashdot has malicious ads by PrimaryConsult · · Score: 1

      That is why I still use Adblock, and allow the unintrusive ads.

      That said I have a few disagreements with what it finds unintrusive. Wikipedia ads are IMO intrusive, as are those ones that pop up a few minutes after you start reading an article or webpage and grey out the page.

  2. Hippies Lack Fingerprints by Anonymous Coward · · Score: 2, Funny

    Years of burning their fingers on the glass bong have rendered this technique ineffective.

    1. Re:Hippies Lack Fingerprints by Comrade+Ogilvy · · Score: 4, Interesting

      I have been drinking out of a bottle wrapped in a paper bag for years, just to be safe. Screaming at people enough to keep them more than 3 meters away is a cinch. What's the problem?

    2. Re:Hippies Lack Fingerprints by LynnwoodRooster · · Score: 1

      So that's YOU that I see every morning at the Hyde street exit of Civic Center stop in San Francisco... Can you code?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  3. What's the problem here? by Anonymous Coward · · Score: 1

    Fingerprints and other biometric information should only be used for identification and not for authentication.

    1. Re:What's the problem here? by Calydor · · Score: 1

      Is there really a difference today?

      --
      -=This sig has nothing to do with my comment. Move along now=-
  4. Sigh. by ledow · · Score: 5, Insightful

    Fingerprints are not used for authentication, right? So it's not a problem, is it?

    Even the kids in my school get this - you do have to explain the first time but then it's obvious to them.

    Where do you write down your password? Almost nowhere (some of our kids have password in their planners and things like that, but they have no access anyway).

    Where do you leave your fingerprint? Everywhere you go, on everything you touch, including the device you're logging into, and every device you've ever logged into.

    Though we don't get high-level attacks, I feel that users need to only have this explained once to question the James Bond etc. concept of using fingerprints for doors, high security facilities, etc.

    The fact that cameras are at the point that you can photograph someone's fingerprint? That's been true for a little while. That means that Trump / May / whatever leader's fingerprints have basically been public-domain for the world's spies for many years. Hence you should be SERIOUSLY questioning use of fingerprints as anything more than convenience or casual use.

    1. Re:Sigh. by JanneM · · Score: 1

      Finger prints are fine for identification, not verification. They're your username, not your password. If you do use them like that they are not dangerous.

      But of course nobody does; US, Japan and other countries all use fingerprints to verify the password identity for instance. And as a result they catch multiple people here in Japan every year that entered the country with fake fingerprints. And since they just catch people that happen to get arrested for some other reason, it probably means there's hundreds entering the country using other peoples' ID and fingerprints each year.

      --
      Trust the Computer. The Computer is your friend.
    2. Re:Sigh. by ThatsMyNick · · Score: 1

      Yeah, try explaining why your finger print is all over a crime scene.

    3. Re:Sigh. by ag0ny · · Score: 1

      Haven't read the article, but...

      and that's where you should have stopped. The article explains how they have achieved what you say they won't be able to. Using a common camera, from 3 meters away.

      --
      My site
    4. Re:Sigh. by MrL0G1C · · Score: 1, Informative

      I RTFA and it's very light on details. You basically have to guess that:

      1. The researchers used an expensive 'digital camera' with a good optical zoom.
      2. The lighting is just right.
      3. They zoomed in on the fingerprints.

      Otherwise the GP post is right, this really wouldn't apply to 99.999+% of photos taken.

      Or, take a picture of something from 3meters away and see what you get when you load that image onto a computer and zoom in to it.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    5. Re:Sigh. by CptLoRes · · Score: 1

      No, they only said "a digital camera from 3 meter away". So it could be anything like a professional 40MPixel DSLR with a tele lens zoomed into the finger for all we know.

    6. Re:Sigh. by ledow · · Score: 5, Informative

      Actually guys, this is not only possible - it's old news.

      And, no, it doesn't necessarily need stupendously perfect conditions:

      http://www.bbc.co.uk/news/tech...

    7. Re:Sigh. by StikyPad · · Score: 2, Funny

      Or, take a picture of something from 3meters away and see what you get when you load that image onto a computer and zoom in to it.

      Obviously you have to enhance after zooming. If you continue enhancing, you can zoom in to any image indefinitely.

      --
      https://www.eff.org/https-everywhere
    8. Re:Sigh. by StikyPad · · Score: 1

      Assuming you have more than one finger, and especially if you have an alibi, it shouldn't be terribly difficult.

      --
      https://www.eff.org/https-everywhere
    9. Re:Sigh. by David_Hart · · Score: 2

      Or, take a picture of something from 3meters away and see what you get when you load that image onto a computer and zoom in to it.

      Obviously you have to enhance after zooming. If you continue enhancing, you can zoom in to any image indefinitely.

      Incorrect... "enhancing" isn't anything like what you see in the movies. You can't enhance infinitely. You can enhance up to a point, but after that, there just isn't enough data and you start adding artifacts and inaccuracies. You might be able to get away with some inaccuracies depending on the fingerprint reader and the matching algorithm. That's why the researchers specified a limit in distance. They also don't go into the size of the photos, but the point is that now there is enough resolution provided by digital cameras (20MP+) and phones (10MP+) today to provide the necessary level of detail at 3 meters.

    10. Re:Sigh. by Applehu+Akbar · · Score: 1

      "Fingerprints are not used for authentication, right? So it's not a problem, is it?"

      Fingerprints are the most convenient form of authentication, but you have to consider the surroundings. If someone grabs your phone, he is highly unlikely to have taken high-res photos of your fingertips, or to have been able to prowl around in your home and lift fingerprints. For a desktop, on the other hand, the lifted fingerprint attack is a simple and obvious one.

    11. Re:Sigh. by peragrin · · Score: 3, Funny

      I didn't write the go but I did hear the thunderous woosh as the joke passed by your head at Mach 5.

      I am surprised it didn't suck the air out of your lungs leaving you speechless. Then again from your post length you have excess air inside anyways.

      --
      i thought once I was found, but it was only a dream.
    12. Re:Sigh. by Arashi256 · · Score: 1

      No, no. I saw this on CSI. You just enhance the image. Jeez, I thought as somebody posting on Slashdot you would know this! What a n00b.

    13. Re:Sigh. by sh00z · · Score: 1

      Incorrect... "enhancing" isn't anything like what you see in the movies.

      Give me a hard copy right there.

    14. Re:Sigh. by pjt33 · · Score: 1

      If someone grabs your phone, it's probably got your fingerprints all over it.

    15. Re:Sigh. by Applehu+Akbar · · Score: 1

      Not if you have it in one of those rubbery cases and keep the display clean.

    16. Re:Sigh. by syn3rg · · Score: 1

      And that is why I only use a single digit, facing me, as a hand gesture...

      --
      The contents of this message have been doubly encrypted by ROT13
    17. Re: Sigh. by omnichad · · Score: 1

      Far from the last episode - there's been two full new seasons since then.

    18. Re:Sigh. by fish_in_the_c · · Score: 1

      biometrics in general are a fine second layer of authentication, they should not be a primary level of authentication for 2 reasons.
      1) they are generally not horribly hard to fake.
      2) once someone has figured out how to fake your biometric data it isn't like you can change it.

      Since Roman times there have been 3 ways to 'establish trust' Something you have, something you know, something you are.
      So the best anyone can do is this something you know( password or pin) tied to something you have ( smart device, smart card ,token) and used to authentic something you are ( biometric,retena, iris, fingerprint).

      --
      âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
    19. Re:Sigh. by Anubis+IV · · Score: 1

      You're talking about identification, which is related to authentication, but isn't quite the same. Just as your username is used to identify you, so too is your fingerprint used to identify you. But just as your username isn't sufficient in and of itself to authenticate your identity (i.e. I can't log in as you by simply knowing your username), and so too should your fingerprint be insufficient to authenticate your identity.

      The police can identify you using your fingerprint just fine, but that doesn't mean fingerprints should be used for authentication. Inasmuch as they are being used for authentication, it's poor security.

    20. Re:Sigh. by Gavagai80 · · Score: 1

      That's in the year 2019. Gotta wait 2 years.

      --
      This space intentionally left blank
    21. Re:Sigh. by Macdude · · Score: 1

      I've said for years:

      Fingerprint* = Identification, not authorization.
      Think of your fingerprint being your user ID, not your password.

      * This applies to any biometric identification system, e.g. retina scans.

      --
      "Grab them by the pussy" -- President of the United States of America
    22. Re:Sigh. by phantomfive · · Score: 1

      Where do you leave your fingerprint? Everywhere you go, on everything you touch, including the device you're logging into, and every device you've ever logged into.

      Specifically, you are leaving your fingerprint on the very device you are trying to log in to. If a thief wants to find it, he doesn't have to go very far.

      --
      "First they came for the slanderers and i said nothing."
    23. Re:Sigh. by swillden · · Score: 1

      Fingerprints are not used for authentication, right?

      Wrong. Fingerprints are great authenticators (and not particularly good identifiers; uniqueness guarantees are very weak), but the authentication is derived from the integrity of the measurement process, not the secrecy of the fingerprint.

      That is, the security of a fingerprint-based authentication is primarily derived from the assurance you have that the fingerprint being measured is an actual body part and not some simulacrum. In the case of attended authentication stations, where a guard examines your fingers to verify that you're not wearing latex finger covers or similar the security is actually very good. In the case of a mobile phone phone sensor or similar, the security is fairly low -- though stronger than a typical phone password when shoulder-surfing opportunities are factored in.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    24. Re:Sigh. by green1 · · Score: 1

      You do realize most phones these days use TOUCH screens right?

    25. Re:Sigh. by ledow · · Score: 1

      A PCB etching kit.

      Print off fingerprint in black/white onto acetate.

      Etch the PCB using the acetate as a mask. It's now a raised copy of the fingerprint.

      Use as a template for something malleable (gel, etc.).

    26. Re:Sigh. by ThatsMyNick · · Score: 1

      Good luck explaining that to a jury though.

    27. Re:Sigh. by Wolfrider · · Score: 1

      --Maybe we should start giving people the "flying V" (like the Brits do) for photos...

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  5. who'd have thunk it by Anonymous Coward · · Score: 1

    Coming next: Seconds after the moment you shake hands with me, all your personal datas are belong to us.

  6. Flipping the Bird by Anonymous Coward · · Score: 4, Funny

    The NII researchers were able to copy fingerprints based on photos taken by a digital camera three meters (nine feet) away from the subject.

    Instead of making a peace sign when having your photo taken, an obvious solution is to flip the bird instead! Your fingerprints are facing away from the camera. All of the problems are solved, once and for all!

    1. Re:Flipping the Bird by Diss+Champ · · Score: 1

      Doesn't work. You're just giving your fingerprints to the guy you don't even see with a camera 3 meters behind your back.

      With the bird, you're only giving them 1 fingerprint, and not the one most people check.

  7. That's an improvement. by Hylandr · · Score: 4, Insightful

    I would much rather have a photo of my fingers stolen than have my fingers, or finger tips stolen!

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  8. Something similar was done 2 years ago by Anonymous Coward · · Score: 4, Informative

    German defense minister got her fingerprints "stolen" in a similar fashion two years ago.

  9. So basically by 93+Escort+Wagon · · Score: 1

    They're saying they have the fingerprints of every Japanese female under the age of 30.

    --
    #DeleteChrome
    1. Re:So basically by PolygamousRanchKid+ · · Score: 1

      They're saying they have the fingerprints of every Japanese female under the age of 30.

      Hmmm . . . so if we photograph gang members, tossing gang sings, the police can build a database of gang members, with their fingerprints.

      This is why when strangers photograph me, I flip them the bird, not a peace sign. Then they don't get my fingerprint, since it is not facing them.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:So basically by JanneM · · Score: 1

      This is why when strangers photograph me, I flip them the bird, not a peace sign. Then they don't get my fingerprint, since it is not facing them.

      Most parts of your skin has distinctive, unique patterns. You can get a unique print from your elbow, wrist, knuckles, knees... And you tend to leave such marks around too, if less commonly than fingers.

      --
      Trust the Computer. The Computer is your friend.
  10. Banks use them for verification by shanen · · Score: 1

    Fingerprints are not used for authentication, right?

    Not sure about the States, but in Japan many of the banks have biometric devices on the ATMs to read fingerprints. From the placement of the devices, I would say the thumb is unlikely to be used, and I would suppose that most people use their index finger.

    Also there are a lot of smartphones with fingerprint recognition, and I have two computers with it (though I'm not using it because I don't regard it as secure).

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  11. Peace sign - fuck that by Chrisq · · Score: 3, Informative

    It's the V for victory

  12. Don't worry, they have a solution by MadTinfoilHatter · · Score: 4, Funny

    The proposed solution is to hold your hand the other way around exposing only your fingernails. ;-)

    1. Re:Don't worry, they have a solution by MadTinfoilHatter · · Score: 1

      Don't forget to lower your index finger.

      The point was that you don't even need to do that.

    2. Re:Don't worry, they have a solution by Snard · · Score: 1

      But what happens if they read your fingerprints in the reflection from your glasses? :)

      --
      - Mike
    3. Re:Don't worry, they have a solution by Aighearach · · Score: 1

      In much of the world that is true; it is the female version of the middle finger.

  13. You would not write your password by SlashDread · · Score: 4, Insightful

    on your forehead right? For anyone to see?

    Then why do people think information you leave all over the place is a replacement for a password?

  14. I call BS by johannesg · · Score: 1

    When I pass through border control they cannot even get my fingerprints when I'm touching the glass. And now a blurry mobile phone would be able to do better from several meters away?

    I guess the next warning will be to always wear gloves, otherwise you will be leaving a trail of fingerprints everywhere you go...

    1. Re:I call BS by swb · · Score: 1

      I can only assume this involves the best cameras under good conditions.

      I did a google image search for peace sign and only what look like stock photos and at high resolutions even remotely resolved even the most basic topology of the finger tips, but even then when zoomed in it was far too blurry to see anything resembling a fingerprint that could be duplicated.

      Everything else? A facebook photo where the hand is 5% of even a high resolution facebook picture? You're talking a pixel subset of maybe a few hundred by a few hundred pixels given all the most optimistic variables -- close zooming, high resolution. Finger tips even then are going to be a pixelated mess.

      Now look at the *avergae* photo of someone doing this, and the pixel subset representing the hand is smaller yet, the exposure is way off, the shutter speed too slow to cope with shake and subject movement and lighting.

    2. Re:I call BS by johannesg · · Score: 1

      I was told by a border guard that I shouldn't worry, that it is quite normal for prints to be faded "in old people". I'm 46...

  15. Rock/metal horns also affected by azrael29a · · Score: 3, Informative

    I guess the horns "\m/" sign is also affected, even though you're displaying only your index and pinky fingers. The vulcan greeting sign "_\\//" would be the worst to photograph, since it displays all the fingerprints.

    1. Re:Rock/metal horns also affected by azrael29a · · Score: 1

      I forgot about the Roman/Nazi salute also showing all five fingerprints. o/ And the high-five. Basically we should wear gloves all the year to avoid fingerprint disclosure ;-)

  16. Ironic results by CODiNE · · Score: 1

    As Japanese photos gradually become less peaceful...
    British photos gradually become more well behaved.

    Assuming people stop holding up those 2 fingers.

    --
    Cwm, fjord-bank glyphs vext quiz
    1. Re:Ironic results by 93+Escort+Wagon · · Score: 2

      HA! I am now in possession of the fingerprints from the famous Briton, Winston Churchill! I bet I can get into many secret places with them and do many evil deeds!

      --
      #DeleteChrome
  17. Re:Same for retina checks by sh00z · · Score: 1

    The same is true for retina print (eye print) checks. It does take a better camera (20M pixel), and it may require a brief *infrared* flash (so you will *not* notice it), but it will allow one to copy the retina prints from everyone looking in the camera's direction, and they are most often good enough to confuse retina scanners into accepting a false eye as valid.

    Biometry may be useful as a 2FA/3FA, but it really isn't "safe" by itself.

    Uh, that would be iris scans, right? If someone is reading your retina, it's not from more than a couple of centimeters in front of your eye.

  18. The V of freedom and victory, not peace. by Anonymous Coward · · Score: 2, Informative

    The sign they are talking about is the V of Vrijheid and Victoire, after the Dutch word for Freedom and the French word for Victory. People in occupied Belgium used it during WWII. The gesture was used as a response to the Nazi salute, and was used every time the Germans lost a battle (the news was spread by the BBC). This way the people managed to scare the German soldier, and indirectly instructed them to be nice and to not commit war crimes. This sign was adopted in both the Netherlands and France and was even picked up by Churchill who made the symbol for the allies (after having done it wrong the first few times, he showed the back of his hands which was a way to insult other people in the British lower classes).

    1. Re:The V of freedom and victory, not peace. by Verdatum · · Score: 1

      Further, it's not uncommon for Japanese people when being photographed while making the gesture to also say the Japanified version of the English word "Victory" (sounding sort of like "Wikutorii"), similar to how Americans say "cheese", causing a smiling face.

  19. Re:That's not what Biometrics is for by Enigma2175 · · Score: 1

    Biometrics: securing your data via non-changeable, non-secret data.

    Biometrics should *never* be used in a situation where the input is not controlled. For example, it is okay to use it as part of a border crossing, it is *not* okay to use it on a door lock. It is okay to use it on a phone, as the goal there is "prevent someone from quickly unlocking your phone if you step away for a moment and you trust them not to steal it" - in any other situation, a person with physical access to your phone can already compromise it, so alternatives don't significantly increase security.

    But someone with physical access to your phone can't already compromise it, if it's a later model iPhone, at least not according to the FBI. The FBI asked the court to compel Apple to create an exploitable OS so that they could break into a phone, presumably because they could not access it even though they had physical possession. With the later models that have the secure enclave, even that wouldn't have sufficed to break into the phone. Given enough time and effort (and Apple's signing key), it might still be possible but it's not like in the old days of computers where physical access == pwned.

    https://en.wikipedia.org/wiki/...

    --

    Enigma

  20. Two-finger salute by doggo · · Score: 2

    They should just reverse the hand gesture and show the camera their fingernails.

  21. In other news... by eeyore · · Score: 1

    Glove Manufacturers report an encouraging spike in sales

  22. So what TFA really means is by TheDarkener · · Score: 1

    Anyone can have their hands photographed and fingerprints stolen. Who the fuck came up with the fearmongering scare tactic that singles out making the peace sign as a way of stealing fingerprint data? That's so fucking lame.

    --
    It is pitch black. You are likely to be eaten by a grue.