Fingerprint Scanners Still Easy to Fool 378
Anlan writes "A Swedish student wrote her Master's thesis about current fingerprint technology. After a thorough literature study some live testing took place. Simple DIY fingerprint copies were used (detailed how-to in the thesis). Have current commercial products improved as much as proponents claim? Well, this qoute from the abstract says it all: 'The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint. Nine different systems were tested at the CeBIT trade fair in Germany and all were deceived. Three other different systems were put up against more extensive tests with three different subjects. All systems were circumvented with all subjects' artificial fingerprints, but with varying results.' You can guess how happy the sales people at CeBIT were - most systems claim to be spoof proof..."
Airport Police (Score:5, Insightful)
So if you can open your car with fingerprints... (Score:4, Insightful)
Something you have and Something you know (Score:5, Insightful)
Think of the simple RSA keyfob some of us carry; it gives us a number and we use that PLUS a password to get into secure systems (have + know).
Carry this one step further and have the system check your fingerprint/handprint/iris/whatever PLUS ask for a password.
I personally think it's damn scary in this age of terrorism that someone could fake a biometric and get onto a plane; if the airlines for example issued me a unique password to go along with fingerprint (or whatever) recognition then I'd feel a whole bunch better about the entire process and the underlying technologies.
Are you surprised? (Score:2, Insightful)
As is true with any security measure, if it can br beaten, the geeks will find a way.
Re:fix? (Score:5, Insightful)
Re:fix? (Score:3, Insightful)
Is this is the state of our security today?
Re:Easy Solution (Score:3, Insightful)
Re:Are you surprised? (Score:3, Insightful)
Re:fix? (Score:4, Insightful)
It would also be impossible to use. 98.6 degrees is the temperature of certain orifices in your body. These orifices are generally pretty good at maintaining a certain amount of heat. However, your hands and feet are extremities that do not keep a constant temperature. In fact, your body will sometimes shut off the blood flow if it needs the heat somewhere else.
This means that you'll never be able to accurately predict the lower bounds of finger temperature. Someone may have just been outside in cold weather. Or they may have poor blood flow to their hands (e.g. my wife's hands barely even show up on an heat sensitive screen). Similarly, they may have just touched a warm car door, or lit up a cigarette. Maybe they have some coffee in their hands.
Basically, there's almost no way short of human or artificial intelligence to near flawlessly determine if the fingerprint belongs to a real human or not.
Re:fix? (Score:5, Insightful)
98 degrees is an average core body temperature, extremedies generally run cooler. Thats why your testicles hang down - they dont work at 98 degrees, they need to be cooler. It's also why briefs and tight pants make you sterile.
Besides, all you'd have to do is put the fake finger in a cup of warm (98 degree) water..
I think the real solution is to realize that this kind of shit only works in movies or cartoons right now.
Re:Airport Police (Score:5, Insightful)
The war on terror isn't about the terrorists, it's all PR.
Okay. (Score:5, Insightful)
Re:Something you have and Something you know (Score:5, Insightful)
The problem is that "something you are" is just a really weak version of "Something you have". Why is it weak? Because once it is compromised, you can never get it back. Never.
If my RSA fob is stolen, I can get it reissued. If my password is stolen, I generate a new one. What am I supposed to do when my fingerprint shows up on Kazza? Sure, I can use one of the other nine, then once they're compromised, use my toes, after that...?
Biometrics have a (small) part to play in security. But relying on them for anything important is daft.
T
Re:Easy Solution (Score:5, Insightful)
So what happens when some law enforcement organization such as the police or the passport office want to take your fingerprints? Do you deny their request and don't get anything done, or do you use glove prints rather than fingerprints. Even worse, what if someone hacks into the police database and creates fake gloves with other people's fingerprints etched in them?
As much as the privacy advocates will laugh at this news article, fingerprints have been a proven source of clues for law enforcement agencys for decades. Nowadays, we have more sophisticated methods of detecting whether someone might have been at the scene of a crime or not, but fingerprinting is nice, quick, easy, and obvious. Of course, every system in existence can be fooled, and if you're really willing to break the system, you can. However, I hate to think that people other than the tinfoil hat crowd would be so concerned about fingerprints that they would wear gloves all the time. This is much more a legislative issue than it is a technological issue. Unless we stop legislative processes invading our privacy, technological means will be only a band-aid onto the root of the problem.
Re:Airport Police (Score:5, Insightful)
Fact is... (Score:3, Insightful)
They'll stay to raise the threshold... (Score:5, Insightful)
Non-US student (Score:4, Insightful)
Re:Airport Police (Score:4, Insightful)
If the war on terrorism was about decreasing terrorism, the US wouldn't have invaded Iraq. Iraq had nothing to do with any terrorism, but they did have plenty of oil. You figure it out. You have to be seriously missing the plot if you can't understand it.
Re:Airport Police (Score:2, Insightful)
Proof the documents that say Iraqi generals are not to have contact with Al -queda as hussain was a secular president.
Re:Something you have and Something you know (Score:3, Insightful)
Re:They'll stay to raise the threshold... (Score:5, Insightful)
I would describe John Hinckley, as average at best, and he stepped forward from a crowd of television reporters and fired six shots hitting the President (Reagan) and others.
Re:Airport Police (Score:3, Insightful)
And he has a point too, just because they were never trained for airport security doesn't mean theyre stupid. And either way they deserve a modicum of respect for the commitment that they have made to their country.
Oops, i'm a fascist.
What's the big deal (Score:3, Insightful)
Finger. Print. Scanners.
They're not "Absolute Identity Verifiers", or "Identity Truth Machines".
They are simply tools to be used with other forms and methods of identification. Are *all* fingerprinting validation systems supposed to include "temperature, pulse, blood pressure, electric resistance, etc"? Only if some company were relying on fingerprints ALONE to verify someone's identity. But NO company would rely on fingerprints alone. Also, it would make the machine MUCH too costly for anybody to buy.
The bottom line is, yeah sure, fingerprint scanners can't tell the difference between a human finger and a gelatin one. But if a fingerprint is *all* that it takes to get access to something, then the institution has problems that dig far deeper than the inadequacies of any fingerprint scanner.
Re:Fact is... (Score:3, Insightful)
I think that's rubbish. If I want to steal your fingerprint then I don't have to actually take something from you at all. I could just follow you around and watch what you touch or pick up, and then go back a take my sample a long time after you're gone. Hell I could even visit your car or front house door late at night.
Stealing a PIN is way way harder and requires considerable more effort and resources than that.
life imitating art (Score:2, Insightful)
Imagine if the keyring that you currently keep in your pocket, kept leaving copies of itself on every object you touch. Imagine anyone who found a copy (with a little work) could drive your car away or freely spend your money or walk right in the front door of your locked house. Now imagine that the worst has happened, that someone has stolen a copy of your keys. Currently, it's rather inconvenient, you must create new keys (and sometimes, locks). Now tell me, how do you change your keys when the key is your right thumb? You can't. Once your key is stolen, you're totally screwed, forever.
Re:Airport Police (Score:3, Insightful)
Re:They'll stay to raise the threshold... (Score:3, Insightful)
Yea he shot the President - when the President was in lower security then normal (walking to his car surrounded by about 8 people is barely any security, especially when a ton of people are surrounding them). But what happend to him? Did he sneak away? Nope - he got busted. Now try and shoot the president AND slink away, that becomes much harder.
Having security, even that which can be circumvented by SOME, is better then not having any security at all. To leave the doors wide open because a few can get passed the locked doors is foolish to say the least.
Re:Airport Police (Score:4, Insightful)
just another argument against cheap stuff (Score:4, Insightful)
this thesis is only a better documented, nicely written replay of a japanese experiment from some years ago :
the matsumoto experiment [cryptome.org]
and it surely doesnt mean the biometrics are not secure!
a complete biometrics based security solution has 3 "components" :
Something you know: e.g. a password or a PIN.
Something you hold: e.g. a credit card, a key, or a passport.
Something you are (biometrics): e.g. a fingerprint, iris pattern, etc.
their demonstration only fooled the 3-rd component of such a system ... which means they got NOTHING! ... plus, the most secure fingerprint scanners read the biometric info from under the epidermis(the outer "dead" skin) and are not so easily fooled with an artificial finger or fingertip ... the fact that they tested cheap of-the-shelf hardware is not exactly concludent.
.. while unfailible security does not exist, biometrics can make a big difference when used right!
The whole study is just an argument against bad hardware and sloppy security systems, not against the usage of the biometrics
Re:Airport Police (Score:4, Insightful)
The war was a great idea if you want oil. Seeing as it's for one of the greatest oil reserves in the world, if you win, you get lots of oil. If you push the price up in the mean time, you've won even more. It's simple.
What about Donald Rumsfeld meeting Saddam - by your logic, he's as bad as Saddam, as he didn't punch his lights out.
"Your either with us or against us" is the most ridiculous, basic argument for attacking or praising anyone ever thought up. It's pure hype and BS. You have to be a right sucker to believe in it.
It is very hard to believe Iraq was a danger to the world. It had ridiculous weapons, a tiny army, and a leader hated by its military. It was as threatening as a dead bluebottle. If you can't see that, you've been suckered in by the pentagon, or you just missed the entire story.
Can you give specific examples of Saddam Hussein sponsoring terrorism? I guarantee you I can find even more showing Bush's support for terrorism...
Comment removed (Score:3, Insightful)
Re: stage makeup, fake finger (Score:3, Insightful)
There's a big difference. If someone compromises your lock, you can change it.
If someone compromises your finger, you can't chop it off and grow a new one. Your method of authentication is screwed for the rest of your life.
--
*Art
Re:Airport Police (Score:3, Insightful)
Bullshit. Aznar was voted out because he had done everything wrong, and the bombings showed conclusively that all the things that had been done to make everybody feel so much safer was a complete failure. Furthermore, he was lying through his teeth about the events as they happened.
Fact is, Spain has dealt with terrorism for many years, and they know very well that you can't fight terrorism with military counterattacks. It simply does not work.
Compare with the US, which has had their tail behind the collective legs since 911, and running scared to abandon every freedom, which is pretty much the only thing the rest of the world has had reason to look up to US for. Great.
Have a look at a piece a friend of mine wrote [ucr.edu]. He's a native of Madrid, now studying in the US, and one of the most brilliantly intelligent people that I've met. Read it carefully.
And, oh, BTW, I've got karma to burn.... :-)
It's Not Only What You Are (Score:2, Insightful)