Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows (theguardian.com)

← Back to Stories (view on slashdot.org)

Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows (theguardian.com)

Posted by msmash on Thursday November 15, 2018 @08:45AM from the closer-look dept.

schwit1 shares a report: Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper [PDF] presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.

The researchers, led by NYU's Philip Bontrager, say that "the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis." As with much security research, demonstrating flaws in existing authentication systems is considered to be an important part of developing more secure replacements in the future. In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner.

27 of 64 comments (clear)

Min score:

Reason:

Sort:

Fingerprints are lousy ID by Anonymous Coward · 2018-11-15 08:59 · Score: 1

Can't change them. Can't revoke them. You leave a copy of them around on everything you touch. Why do people still use these for identification?
1. Re:Fingerprints are lousy ID by Actually,+I+do+RTFA · 2018-11-15 11:38 · Score: 1
  
  There's even a commercial on TV now about how great the fingerprint password system is on their laptop... that they show off by having a child use your fingerprint while you're asleep. See, you don't even have to get woken up or supervise your kids to authorize them for whatever they want.
  
  --
  Your ad here. Ask me how!
2. Re:Fingerprints are lousy ID by jargonburn · 2018-11-15 12:03 · Score: 2
  
  No, they're just fine for identification...just not for authentication.
Prior Art by Anonymous Coward · 2018-11-15 08:59 · Score: 2, Insightful

James Bond
Myth Busters...
It's been done. Finger print scanners are NOT secure.
Having said that, I too have developed a "don't give a fuck attitude" towards the insecurity. It's just too convenient to touch my PC or phone and have it unlock.
I use it. I know it's wrong, but...
1. Re:Prior Art by phantomfive · 2018-11-15 09:36 · Score: 2
  
  The only reason I even lock my phone is because I don't want to pocket-dial anyone (or press other random buttons in my pocket). I don't lock my wallet, either.
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:Prior Art by phantomfive · 2018-11-15 09:41 · Score: 1
  
  Myth Busters...
  Myth Busters made a copy of a real fingerprint. These guys generated an image of a fingerprint that was close enough to unlock the phone.....without knowing what the original fingerprint looked like.
  
  That's why they call it the "master key" fingerprint....because it can unlock the phone like a ghost key. They used the adversarial neural network to find weaknesses in the fingerprint identification algorithm. Basically, some features of fingerprints are more common than others.
  
  --
  "First they came for the slanderers and i said nothing."
3. Re:Prior Art by mobby_6kl · 2018-11-15 10:48 · Score: 1
  
  Sometimes it pays off to RTFA or even just the summary, doesn't it.
  I haven't really considered fingerprints to be a very secure to begin with, due to the possibility of copying the prints or even just some goon forcefully pushing your thumb into the scanner. Still, it was "good enough" for most cases and to CYA from the corporate overlords who require the phone to be locked. This just makes it completely useless against any professional attacker and maybe even Joe Blow the phone thief, if the method can be reasonably easily replicated.
4. Re:Prior Art by dgatwood · 2018-11-15 12:03 · Score: 1
  
  Pretty much, yeah. The biggest flaw in the security of modern phones is that it is binary. You either have full access to the device or you don't.
  On my laptop, I can create encrypted volumes that provide restricted access to things like financial records, and use different passwords. The fingerprint reader can't provide access to those.
  I can even put entire applications inside those containers, if there were some valid reason to do so, and symlink the apps' sandbox container directories into the encrypted volume.
  When cell phones have similar levels of configurability —when I can lock down an app or specific files within an app and require additional security for those apps or files — I'll take cell phone security seriously. Until then, I pretty much assume that anything on a mobile device might as well be on a postcard stapled to the back of my shirt, and treat the device accordingly.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
5. Re:Prior Art by rtb61 · 2018-11-15 12:51 · Score: 1
  
  Consider the security difference between a passphrase and a fingerprint. You can use different passphrases for different sites but your fingerprint, give it away once to some fuckhead corporation and they have it for life and it can be sold to whomever wants to buy. So yeah, password has been compromised change it once at that location, so what the fuck do you do if you fingerprint has been compromised, for the rest of your fucking life, hmmm.
  
  --
  Chaos - everything, everywhere, everywhen
I'm sure governments have known this for awhile by Glarimore · 2018-11-15 09:02 · Score: 1

I'm sure some governments have known this for awhile. I wonder how many people have been framed? And how would you ever prove your innocence?

I have similar worries in regard to the proliferation of 'deep fakes' and other methods of realistic video editing that is indistinguishable from original recordings.

I imagine we will deal with these issues to the best of our ability as time goes on, but "Damn future, you scary!"
1. Re:I'm sure governments have known this for awhile by rgmoore · 2018-11-15 10:59 · Score: 1
  
  I wonder how many people have been framed? And how would you ever prove your innocence?
  I don't think this would be very helpful for framing anyone; the goal is completely different. The goal when framing somebody is to create a unique match, while this technique creates a fingerprint that matches something like 20% of the database. If you could manage to plant one of these fingerprints, it might well match the person you're trying to frame, but it would match many other people who you aren't trying to frame, too. That would actually create reasonable doubt rather than remove it.
  
  --
  There's no point in questioning authority if you aren't going to listen to the answers.
2. Re:I'm sure governments have known this for awhile by Actually,+I+do+RTFA · 2018-11-15 11:51 · Score: 1
  
  Fingerprint analysis is normally limited to returning a "match"/"no match" on the suspect. So, if you didn't have an example of the fingerprint, it's a 20% chance of working.
  
  --
  Your ad here. Ask me how!
3. Re:I'm sure governments have known this for awhile by rgmoore · 2018-11-16 07:14 · Score: 1
  
  Actually, fingerprint evidence is used in a number of ways. One way is to get a match vs no match on the suspect. Another way is to query a fingerprint database to find a list of possible suspects. The key is that the defendant is allowed to have their expert look at the evidence, so the person trying to frame them can't control and make sure it's only used for match/no match. If the defendant's expert uses it to query the database and finds it's a match to 20% of the fingerprints there, you have instant reasonable doubt.
  
  --
  There's no point in questioning authority if you aren't going to listen to the answers.
4. Re:I'm sure governments have known this for awhile by Actually,+I+do+RTFA · 2018-11-16 17:28 · Score: 1
  
  That's true, if the person you're framing has resources. Otherwise, it works 20% of the time. And given that something like 1/4 of Americans cannot put together $400 in an emergency, you have a 8% chance of it working.
  
  --
  Your ad here. Ask me how!
Re:Didn't mythbusters already do this? by LostOne · 2018-11-15 09:07 · Score: 1

They did demonstrate that it isn't particularly hard to fool simple fingerprint scanners. I mean, they used a simple photocopy of a fingerprint. Granted, those were fairly simple scanners, but it isn't too hard to imagine similar techniques working with more advanced scanners. I've also seen some presentations by physical penetration testers that were able to lift fingerprints and fool fingerprint locks, though they often simply bypassed the reader altogether.

--

If it works in theory, try something else in practice.
Along similar lines... by nuckfuts · 2018-11-15 09:25 · Score: 1

It may also be worth noting that today's cameras have enough resolution to reveal your fingerprints when you flash a peace sign in a photo, for example.
Re:Didn't mythbusters already do this? by mobby_6kl · 2018-11-15 09:26 · Score: 1

A silicone molding works on TouchID and I assume other capacitive scanners. It might also be possible to lift a print off a shiny surface with a bit more luck/skill/equipment too: https://youtu.be/2u4ZLGsw1zo?t...
Ahead of the curve by Tablizer · 2018-11-15 09:28 · Score: 1

Maybe the Orange Dude is right: everything is becoming fake, rigged, and/or bugged.
He's not paranoid, he's a profi...prophet.

--
Table-ized A.I.
Research shows? by glenebob · 2018-11-15 09:39 · Score: 2, Insightful

What the hell was wrong with "common sense shows"? It's a hell of a lot cheaper.
1. Re:Research shows? by yarbo · 2018-11-15 15:44 · Score: 1
  
  A lot is wrong with it. How hard is it? What information do you need? Can anything change with storage or reading to fix it? What? Your common sense doesn't take you far when it's right, and when it's wrong, it's even worse. https://www.newscientist.com/a... - here's a whole list of examples of common sense leading researchers astray. In short, common sense is easy when you already know the answer.
Re:Didn't mythbusters already do this? by sjames · 2018-11-15 09:52 · Score: 2

Also interesting, the most expensive one tested was the easiest to fool.
This needed research? by cshark · 2018-11-15 09:54 · Score: 1

Why did this need to be researched? We've known about this as long as we've had the technology.

--
This signature has Super Cow Powers
Re:Didn't mythbusters already do this? by sjames · 2018-11-15 09:56 · Score: 1

The mythbusters demonstrated copying a fingerprint known to be accepted by the scanner. This is a skeleton key created fingerprint that has about a 20% chance of working even if you don't have a fingerprint to copy.
Next thing you know, FaceID will be hacked by WillAffleckUW · 2018-11-15 10:12 · Score: 1

Oh, wait, it already is.
Look, the main problem is one of tuning. Fingerprints are just 3D printed objects, and many scanners aren't that bright. In the old days we could just do a ridge pattern on plastic to throw them, now we have to emulate the ridges for the fancier detection devices. Still takes us less than 60 seconds, of course.

--
-- Tigger warning: This post may contain tiggers! --
Deep vein scan by markdavis · 2018-11-15 10:46 · Score: 1

>"Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows"
Which is one of MANY reasons why fingerprints should not be used for "real" security- it isn't really secure.
Further, using fingerprints (or worse, DNA) and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to indiscriminately track what people are doing all the time but because they should not have fingerprint registration data (which will be horribly abused) .
Stand up for your rights (and the rights of your children and future generations). Once you give this data to the government or big business, it will NEVER be erased or restricted, regardless of claims, policies, or laws- it will go into huge databases and shared between agencies and used however they want for as long as they want. Even worse, with every crime investigation, you will be searched without probable cause. It is a genie that can't be put back into the bottle.
Fingerprints are something you leave all over the place all the time. They are easy to lift, copy, and forge. Easy to fake, easy to use to frame people. Time after time they have been shown to be poor for security and yet very effective at tracking people.
DNA is even worse. Like fingerprints, you leave it all over the place all the time. Samples can be lifted and planted and analyzed. DNA is more than a means to ID, it contains very sensitive information about you.
Iris scan is better than DNS or fingerprints- there is no leaving your iris image all over, and it doesn't say that much about you. But your eyes (iris, not retinal) could be scanned without your permission by any high resolution camera pointed at your face, even your own phone.
There is only one safer and practical biometric I know of right now- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have
to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.
Example/info: http://www.m2sys.com/palm-vein... https://www.imprivata.com/why-...
Now, it might not be suitable for phones, but for anything else that requires real security (and privacy as a major bonus), I think deep vein palm scan is a great idea.
1. Re:Deep vein scan by markdavis · 2018-11-15 11:13 · Score: 1
  
  >No harder to fake than a finger print. Just a bit harder to get the raw data...
  That is incorrect on both counts. It is much, much, much, much harder to get the raw data or fake for a variety of reasons. Not the least of which is that people don't normally have their palms in contact with things as much as fingers, and don't have them facing outwards towards possible collection devices and can't just leave deep vein patterns lying around for people to collect. And the thermal imaging being done needs to be done close-up because of the only slight difference of temperatures needed to gather the data of the veins under the entire epidermis and perhaps other tissue. Faking this, even if you have the data, is also orders of magnitude more difficult. It isn't just an image, it is all thermal. So you would have to present a "fake" thermal image that is not only correct as a pattern, but correct as a difference between surrounding tissue temperatures.
  >There is NO biometric method that cannot be faked.
  That is, of course, true. Which is why I said "safer and practical", I didn't say "safe" or "perfectly secure." It does appear to be the "best" option, by far, compared to what is currently used and what is practical to possibly use.... and I have seen it in action and used it myself; I was very impressed.
This is not a password this is an ID by uulbri · 2018-11-15 20:44 · Score: 1

The fundamental issue with biometrics is that people tend to think they represent a kind of security token (an idea actually pushed by greedy companies whose only goal is to sell you more of their useless stuff under the umbrella of "innovation").
It is clearly not ! This is simply an easier/convenient way to identify yourself, the equivalent of your good old login name. Full stop. any attempt to use biometrics beyond this point is just utterly stupid.