Fingerprint Scanners Still Easy to Fool

Anlan writes "A Swedish student wrote her Master's thesis about current fingerprint technology. After a thorough literature study some live testing took place. Simple DIY fingerprint copies were used (detailed how-to in the thesis). Have current commercial products improved as much as proponents claim? Well, this qoute from the abstract says it all: 'The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint. Nine different systems were tested at the CeBIT trade fair in Germany and all were deceived. Three other different systems were put up against more extensive tests with three different subjects. All systems were circumvented with all subjects' artificial fingerprints, but with varying results.' You can guess how happy the sales people at CeBIT were - most systems claim to be spoof proof..."

Airport Police

[mirko]

So, will they remove these fingerprint scanners, in the US Internaitonal Airport ?

So if you can open your car with fingerprints...

[cacheMan]

make sure not to touch your car much or leave it parked in the same place too long.

Something you have and Something you know

[VinceWuzHere]

I really don't think that ANY biometric system will be foolproof until the old basic of security is implemented. The scheme is called "Something you have and Something you know" (someone out there does know the right name even if I can't remember it at the moment).

Think of the simple RSA keyfob some of us carry; it gives us a number and we use that PLUS a password to get into secure systems (have + know).

Carry this one step further and have the system check your fingerprint/handprint/iris/whatever PLUS ask for a password.

I personally think it's damn scary in this age of terrorism that someone could fake a biometric and get onto a plane; if the airlines for example issued me a unique password to go along with fingerprint (or whatever) recognition then I'd feel a whole bunch better about the entire process and the underlying technologies.

Are you surprised?

[The_Real_Nire]

These have been, and probably always will be easy to fool. If anyone needs ultra-high security, it's doubtful that they'd choose this form of biometrics to begin with, unless they themselves are foolish.

As is true with any security measure, if it can br beaten, the geeks will find a way.

Re:fix?

[tomcio.s]

Not at all actually, your extremedies (hands, feet) change temperature faster than the core of your body, and most people's extremedies are either colder (more common) or warmer (?) than the core of their body. So to make it heat sensitive would be to deny access to most users.

Re:fix?

[ecklesweb]

A person's external skin temp is going to be a lot less than 98.6, and I think it's going to be a lot more variable than a person's internal temperature. Even if that wasn't true, your system would deny access to anyone with a cold and a 1.1 degree fever. Beyond all that, how much harder would it be to mold that fake fingerprint into, say, latex intead of gelatin, and then putting it on the end of an electric heater that pumps out your magic 98.6 degrees?

Is this is the state of our security today?

Re:Easy Solution

[endx7]

Even when you are using the scanner?

Re:Are you surprised?

[Mz6]

Which still means that ANY highly secretive area will still be secured by a person (as is with the military). This person will know everyone that is allowed access into that area. Thus no need for a finger-printing device, then an eye scanner like in the movies. People will still do this.

Re:fix?

[AKAImBatman]

It's not a flawless way to fix it, but it would make it at least a bit more difficult to foil, neh?

It would also be impossible to use. 98.6 degrees is the temperature of certain orifices in your body. These orifices are generally pretty good at maintaining a certain amount of heat. However, your hands and feet are extremities that do not keep a constant temperature. In fact, your body will sometimes shut off the blood flow if it needs the heat somewhere else.

This means that you'll never be able to accurately predict the lower bounds of finger temperature. Someone may have just been outside in cold weather. Or they may have poor blood flow to their hands (e.g. my wife's hands barely even show up on an heat sensitive screen). Similarly, they may have just touched a warm car door, or lit up a cigarette. Maybe they have some coffee in their hands.

Basically, there's almost no way short of human or artificial intelligence to near flawlessly determine if the fingerprint belongs to a real human or not.

Re:fix?

[stratjakt]

The temperature of your fingertips is going to vary widely. If you've been holding a cup of coffee, it'll jack up to 110, 120 maybe, if you just came inside it could be down around 60 or so.

98 degrees is an average core body temperature, extremedies generally run cooler. Thats why your testicles hang down - they dont work at 98 degrees, they need to be cooler. It's also why briefs and tight pants make you sterile.

Besides, all you'd have to do is put the fake finger in a cup of warm (98 degree) water..

I think the real solution is to realize that this kind of shit only works in movies or cartoons right now.

Re:Airport Police

[dave420]

No, because it appears like they're actually doing some good. Just like when they had the national guard monkeys running around with M16s. Absolutely no use whatsoever, but makes the American public go "Gee - we're so protected! I love our President(tm)!"

The war on terror isn't about the terrorists, it's all PR.

Okay.

[Red Dane]

Just wanted to interject... I suppose it depends on whether you have one that bounces small radio signals off of the inside of your finger or one that simply captures an image. Certain fingerprint readers bounce radio signals off of the inside of your finger and read the underlying tissue structure (no, I'm not going to plug the product here). This prevents people from doing what she did at the trade convention. Fingerprint technology is always improving, and I'm sure that the industry will take this to heart and make these things even more complex. When you get right down to it, the systems aren't as complex as you might think. Most fingerplate templates weigh in from anywhere to 300 - 600 bytes in size.. but that is more to ease hardware requirements. I think they will combine other methods in the fingerprint taking process and eliminate these problems. Just my take on it, tear it apart guys ;)

Re:Something you have and Something you know

[Tryfen]

The mantra used to be something you know (password), something you have (ID card), something you are (fingerprint).

The problem is that "something you are" is just a really weak version of "Something you have". Why is it weak? Because once it is compromised, you can never get it back. Never.

If my RSA fob is stolen, I can get it reissued. If my password is stolen, I generate a new one. What am I supposed to do when my fingerprint shows up on Kazza? Sure, I can use one of the other nine, then once they're compromised, use my toes, after that...?

Biometrics have a (small) part to play in security. But relying on them for anything important is daft.

T

Re:Easy Solution

[jacksonyee]

So what happens when some law enforcement organization such as the police or the passport office want to take your fingerprints? Do you deny their request and don't get anything done, or do you use glove prints rather than fingerprints. Even worse, what if someone hacks into the police database and creates fake gloves with other people's fingerprints etched in them?

As much as the privacy advocates will laugh at this news article, fingerprints have been a proven source of clues for law enforcement agencys for decades. Nowadays, we have more sophisticated methods of detecting whether someone might have been at the scene of a crime or not, but fingerprinting is nice, quick, easy, and obvious. Of course, every system in existence can be fooled, and if you're really willing to break the system, you can. However, I hate to think that people other than the tinfoil hat crowd would be so concerned about fingerprints that they would wear gloves all the time. This is much more a legislative issue than it is a technological issue. Unless we stop legislative processes invading our privacy, technological means will be only a band-aid onto the root of the problem.

Re:Airport Police

[XryanX]

I'm sure someone that was trained in stage makeup could easily make a fake finger that would slip over their real one, and yet still look realistic.

Fact is...

[csirac]

... defeating fingerprint scans is a lot harder than stealing a PIN.

They'll stay to raise the threshold...

[MyNameIsFred]

There is an old saying that is attributed to the Secret Service. They can't stop someone really dedicated from killing the President. All they can do is raise the level of difficulty so high that the average individual won't be able to do it. I think that is applicable to the fingerprint scanners used in American airports. Yes, they can be beat, but they raise the threshold. They won't catch the dedicated/educated terrorists, but it will help against idiots. And stopping idiot terrorists is still a good idea. And don't fool yourselves, a lot of terrorists are idiots. Just look at the Shoe Bomber, not what I would call England's best and brightest.

Non-US student

[AragornSonOfArathorn]

Good thing this was written by a student who is NOT a US citizen or she would probably be prosecuted under the DMCA.

Re:Airport Police

[dave420]

The 3,000 dead on 9/11 died in a single incident, 3 years ago. Those who died in Afghanistan and Iraq died at American hands. I stand by my point - what age of terrorism?

If the war on terrorism was about decreasing terrorism, the US wouldn't have invaded Iraq. Iraq had nothing to do with any terrorism, but they did have plenty of oil. You figure it out. You have to be seriously missing the plot if you can't understand it.

Re:Airport Police

[peragrin]

There never was proof linking baghdad and Alqueda In fact it was just the opposite with lots of proof trying to keep the two seperate as baghdad feared Al-queda as much as anyone else.

Proof the documents that say Iraqi generals are not to have contact with Al -queda as hussain was a secular president.

Re:Something you have and Something you know

[hawkeyeMI]

Could you post a link or information about which company this is?

Re:They'll stay to raise the threshold...

[hackstraw]

All they can do is raise the level of difficulty so high that the average individual won't be able to do it.

I would describe John Hinckley, as average at best, and he stepped forward from a crowd of television reporters and fired six shots hitting the President (Reagan) and others.

Re:Airport Police

[zors]

So, because he responding to your opinion with one of his own, he's a fascist?

And he has a point too, just because they were never trained for airport security doesn't mean theyre stupid. And either way they deserve a modicum of respect for the commitment that they have made to their country.

Oops, i'm a fascist.

What's the big deal

[icejai]

Fingerprint scanners are exactly that.

Finger. Print. Scanners.

They're not "Absolute Identity Verifiers", or "Identity Truth Machines".

They are simply tools to be used with other forms and methods of identification. Are *all* fingerprinting validation systems supposed to include "temperature, pulse, blood pressure, electric resistance, etc"? Only if some company were relying on fingerprints ALONE to verify someone's identity. But NO company would rely on fingerprints alone. Also, it would make the machine MUCH too costly for anybody to buy.

The bottom line is, yeah sure, fingerprint scanners can't tell the difference between a human finger and a gelatin one. But if a fingerprint is *all* that it takes to get access to something, then the institution has problems that dig far deeper than the inadequacies of any fingerprint scanner.

Re:Fact is...

[Macka]

I think that's rubbish. If I want to steal your fingerprint then I don't have to actually take something from you at all. I could just follow you around and watch what you touch or pick up, and then go back a take my sample a long time after you're gone. Hell I could even visit your car or front house door late at night.

Stealing a PIN is way way harder and requires considerable more effort and resources than that.

life imitating art

[slartibart]

I swear, the only reason people keep pushing for fingerprint ID machines is because they saw them in movies and thought they looked cool.

Imagine if the keyring that you currently keep in your pocket, kept leaving copies of itself on every object you touch. Imagine anyone who found a copy (with a little work) could drive your car away or freely spend your money or walk right in the front door of your locked house. Now imagine that the worst has happened, that someone has stolen a copy of your keys. Currently, it's rather inconvenient, you must create new keys (and sometimes, locks). Now tell me, how do you change your keys when the key is your right thumb? You can't. Once your key is stolen, you're totally screwed, forever.

Re:Airport Police

[gtaluvit]

Sweden. Sounds fine by me. I got dibs on the princess. Swedish Princess [tv2.no] SFW

Re:They'll stay to raise the threshold...

[AviLazar]

There is another saying (more or less), if you are willing to go to the extreme to accomplish something (extreme being killed, caught, etc) then you have a much greater chance of doing it.
Yea he shot the President - when the President was in lower security then normal (walking to his car surrounded by about 8 people is barely any security, especially when a ton of people are surrounding them). But what happend to him? Did he sneak away? Nope - he got busted. Now try and shoot the president AND slink away, that becomes much harder.
Having security, even that which can be circumvented by SOME, is better then not having any security at all. To leave the doors wide open because a few can get passed the locked doors is foolish to say the least.

Re:Airport Police

[dave420]

By invading Iraq he's turned it into a hotbet of terrorist activity. He actively made the world a more dangerous place. That was the only possible outcome of the action. That man did not have an alterior reason for what he did - it was oil, plain and simple. I mean, why else would you send hundreds of thousands of troops into a country to fight a war everyone's saying can't be won, against international will, which will obviously and eventually worsen the very cause you say you're fighting for? If it wasn't for oil, Bush is quite likely the very stupidest individual the world has ever seen, let alone president. Sheesh.

just another argument against cheap stuff

[rozz]

this thesis is only a better documented, nicely written replay of a japanese experiment from some years ago :
the matsumoto experiment [cryptome.org]

and it surely doesnt mean the biometrics are not secure!

a complete biometrics based security solution has 3 "components" :

Something you know: e.g. a password or a PIN.

Something you hold: e.g. a credit card, a key, or a passport.

Something you are (biometrics): e.g. a fingerprint, iris pattern, etc.

their demonstration only fooled the 3-rd component of such a system ... which means they got NOTHING! ... plus, the most secure fingerprint scanners read the biometric info from under the epidermis(the outer "dead" skin) and are not so easily fooled with an artificial finger or fingertip ... the fact that they tested cheap of-the-shelf hardware is not exactly concludent.
The whole study is just an argument against bad hardware and sloppy security systems, not against the usage of the biometrics .. while unfailible security does not exist, biometrics can make a big difference when used right!

Re:Airport Police

[dave420]

Saddam hated Osama each other more than Bush hates either of them. Their islamic leanings didn't gel, in fact quite the opposite.

The war was a great idea if you want oil. Seeing as it's for one of the greatest oil reserves in the world, if you win, you get lots of oil. If you push the price up in the mean time, you've won even more. It's simple.

What about Donald Rumsfeld meeting Saddam - by your logic, he's as bad as Saddam, as he didn't punch his lights out.

"Your either with us or against us" is the most ridiculous, basic argument for attacking or praising anyone ever thought up. It's pure hype and BS. You have to be a right sucker to believe in it.

It is very hard to believe Iraq was a danger to the world. It had ridiculous weapons, a tiny army, and a leader hated by its military. It was as threatening as a dead bluebottle. If you can't see that, you've been suckered in by the pentagon, or you just missed the entire story.

Can you give specific examples of Saddam Hussein sponsoring terrorism? I guarantee you I can find even more showing Bush's support for terrorism...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: stage makeup, fake finger

[arth1]

IMHO, a fingerprint scanner works well enough as a basically useful screening device. Sure, it can be fooled, like most people or devices... but it's like your door locks at home. Won't stop a professional with lockpicks, but serves the general purpose.

There's a big difference. If someone compromises your lock, you can change it.
If someone compromises your finger, you can't chop it off and grow a new one. Your method of authentication is screwed for the rest of your life.

--
*Art

Re:Airport Police

[KjetilK]

Terror is not about killing people, it's about scaring the public and causing them to act a certain way.

Agreed.

The train bombing in Madrid, for example, though didn't kill a whole lot of people, was completely effective because the Spanish public immediately voted in a leader with a soft spot for terrorists,

Bullshit. Aznar was voted out because he had done everything wrong, and the bombings showed conclusively that all the things that had been done to make everybody feel so much safer was a complete failure. Furthermore, he was lying through his teeth about the events as they happened.

Fact is, Spain has dealt with terrorism for many years, and they know very well that you can't fight terrorism with military counterattacks. It simply does not work.

Compare with the US, which has had their tail behind the collective legs since 911, and running scared to abandon every freedom, which is pretty much the only thing the rest of the world has had reason to look up to US for. Great.

Have a look at a piece a friend of mine wrote [ucr.edu]. He's a native of Madrid, now studying in the US, and one of the most brilliantly intelligent people that I've met. Read it carefully.

And, oh, BTW, I've got karma to burn.... :-)

It's Not Only What You Are

[eidola]

Any reasonable authentication system will require more than one factor, only if you have someone's ID card and passphrase would this work in a 2 or 3 factor scenario. Maybe a concern for Lexus but not for most access control systems. In the world of biometrics its a trade off, throughput, accuracy and price for customer acceptance. Fingerprint is easy to use and inexpensive.