Fingerprint Scanners Still Easy to Fool

Anlan writes "A Swedish student wrote her Master's thesis about current fingerprint technology. After a thorough literature study some live testing took place. Simple DIY fingerprint copies were used (detailed how-to in the thesis). Have current commercial products improved as much as proponents claim? Well, this qoute from the abstract says it all: 'The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint. Nine different systems were tested at the CeBIT trade fair in Germany and all were deceived. Three other different systems were put up against more extensive tests with three different subjects. All systems were circumvented with all subjects' artificial fingerprints, but with varying results.' You can guess how happy the sales people at CeBIT were - most systems claim to be spoof proof..."

fix?

[ncurses]

An easy way to fix this, although I am no expert, is to make the fingerprint scanners heat sensitive. If the fingerprint matches and is within 1 degree of 98.6 F, then it opens. I think that would prevent people from holding a thing of gelatin against it, and it would prevent people from holding a lighter under it, because it has to be within 1 degree. It's not a flawless way to fix it, but it would make it at least a bit more difficult to foil, neh?

So you can expect...

[manavendra]

..the passports to be changed yet again, to have "better", "smart" fingerprint recognition/imprinting techniques?

Re:fix?

[SlamMan]

Won't work, for all the reasons specified. However, what about recording the body temperature as well as the fingerprint?

fingerprints at all...

[tuxette]

Probably old news to some, but here's an interesting article [theregister.co.uk] about how fingerprints are perhaps not infallible, unique ID, with a link to this article [newscientist.com]

Who cares about the scanners when the real problem lies in something entirely different?

Re:fix?

[HaloZero]

Unless it's ballistics gelatin. The stuff, allegedly, can almost match the conductivity of human flesh. Don't you watch MythBusters? (:-P)

Lo-tech method

[Zog The Undeniable]

I believe c't magazine successfully fooled more than 50% of scanners by placing a clear plastic bag, filled with water, on top of the glass. This makes the greasy residue of the genuine user's fingerprint show up clearly to the scanner.

Re:fix?

[Ralph Wiggam]

I've worked with machines that try to calculate body fat percentage by measuring conductivity across a person's body. What they really measure is how hydrated a person is. The fluctuation is proably less when measuring just a finger or hand. Hand lotion would proabably mess with conductivity, too.

-B

Re:Something you have and Something you know

[BluedemonX]

The reason why many of these systems don't have a "something you have, something you know is".... because somebody (whose "software company" consists of nothing but patent lawyers sitting on ideas) patented that idea.

None of the companies that manufacture biometric scanning technology can implement that without running afoul of the patent.

And the amount this shyster company is asking for is ludicrous. Hence, that kind of system is never used.

Re:fix?

[lachlan76]

And what if i'm sick and I need to go through?

How many people would want to live at work every time they get the flu? Someone would let them out eventually, but it makes thing harder. And I can rub the gelatin mould in my hand, to warm it up.

The CIA will love this

[Timesprout]

If its so easy to falsify fingerprints then they will want more. Say hello to have a DNA sample taken at birth to be used as ID for the rest of your monitored exixtence.

even if they did work

[Nf1nk]

they may not work for me. I have a chemical burn on three of my fingers on my right hand. It still hasn't healed properly and the scar tissue keeps rearanging itself (small blisters keep forming). My other hobby, wood carving, leaves me with several fresh cuts on my hands and fingers each week, from these I can see changes in my prints.

Accidental Discovery

[The Slashdolt]

In a former career I spent time mixing cement. One day I was mixing a small amount in a 5 gallon bucket. At the time I had nothing to mix it with so I used my hand. After mixing I washed my hand and it was amazingly smooth. I didn't think much more about it. The next day the skin on my hand was very sore. I looked at it and noticed that the mixing had worn down the top layes of skin on my hand. To the point where I barely had any fingerprints at all. So if you want to remove your fingerprints temporarily in a somewhat painful(but not excruciating) way, just mix up a bucket of concrete with your hand..... Hmmmm, is this a circumvention device?

Story

[HarveyBirdman]

I wrote a SF story in college where there were fingerprint scanners that also looked at the skin oils and other biometrics. The protagonist had to use an elaborate device to fake a finger print. If I recall, it was a micro-pingrid array with synthetic skin on the tops of the pins, and little cannister of actual skin oil and other stuff. You could program the pins to be anyone's fingerprint, and the bio-goos would be mixed to the appropriate levels. Of course, it worked perfectly.

Just thought I'd mention it. :) The story also had "heavy water fusion batteries" 4 years before the world learned the term "cold fusion". This was back in 1985 before my creativty was destroyed by life and career and reality television.

Re:Accidental Discovery

[WormholeFiend]

I had a similar experience when I worked at a summer job at industrial egg incubator facilities... we had to clean everything with bleach and even with all the protective clothing and gloves, we still all lost the friction ridges on our fingers and hands.

Fastforward to years later, I have to get a security clearance, and therefore have to get fingerprinted... So I asked the cop about this sort of situation.

He told me that if they can't let a suspect go until they can ascertain his/her identity. So it's in the suspect's best interest to have printable fingerprints.

Obviously this cop wasnt very forthcoming with answers for all possible situations, but I would assume that if your prints have to be scanned to open some sort of security mechanism or to obtain access to a secure area, you have to have readable fingerprints, otherwise you're S.O.L.

(OT side note: at that summer job, I also learned that egg incubator facilities have to employ specially trained Japanese sex differentiators, and that the best ones all come from Japan, with a less than 1% margin of error -- they pick up each chick, and look at its ass, then put it on the male or female conveyor belt. Don't ask me what they look for to make the difference between males and females, they never told me.)

How about incorporating pulse oximetry

[beesquee]

Incorporating pulse oximeters (those little things with the red light they put on you fingers while in the hospital) could make it harder to use Jell-o fingers. They verify it is a real finger by sensing blood oxygen and pulse and then the scanner would verify the identity. They are also cheap and realiable Just a thought.

Not conclusive...

[DarthBart04]

Has anyone read the actual report?

In order to get the latent prints (from which the 'fake' prints are created), the experimenters had their subjects wipe their finger on their nose (to make the latent prints easier to capture), had them press their finger on a glass platen, and even checked if their fingers had scars (if so, they chose another, better finger).

With this kind of cooperation and preparation, no wonder they beat the systems. As anyone knows, once you have someone on the inside you can break any security system.

In the real world, latent prints are blurred, not defined; smudged, not clean; and might not even be the finger the user has enrolled in the fingerprint device itself. Fingers don't come with labels like 'index' or 'thumb'.

Again, if the experimenters retrieved their samples from a dirty beer glass in a smoky bar I'd be more concerned, but...they didn't. The world of the lab is a lot different from the real world.

Let's take these reports in context, fellow Slashdotters.

In any case, I say we argue for fingerprint devices that protect fingerprint templates by matching and storing them on-board a device that you carry with you as another reply mentioned, where the fingerprint templates are encrypted or protected.

Re:Airport Police

[CreatureComfort]

I think you missed his point, Dook"43".

He did not say that efforts to stop terrorism shouldn't be made, only that the efforts that are currently being made are pure PR fluff. Having M16 armed national guardsmen at airports was absurd. What were they supposed to accomplish? In any instance, opening fire with a machine gun in a crowded airport lobby would kill far more innocent people than terrorists. Not to mention, just how were these guardsmen supposed to tell if someone was a terrorist, before blowing themselves up or driving an explosive laden vehicle into the terminal?

Lets talk about other "safety" measures:
1) Turn all airport screeners into government employees. Well, now our dear TSA is moving to recertify airports to use private screeners.
2) Even with government screeners, security is like tissue paper. I attended a conference last week, and one of the vendors was giving out "swiss army" type knives, 5 blades + corkscrew, etc. He told me he had dumped a box 50 of these into his bag, and at the last minute decided to carry that bag on instead of checking it. He didn't even remember that the box was in there until he was in the air. He stayed quiet about it until after he landed, because he didn't want to get stuck somewhere in middle america. Security never even noticed. (BTW, he said he did report it to airport security after he landed and was outside the secured zone.)

If we are going to be serious about security follow El Al's proceedures, most of which are deliberately kept very quiet and out of the public view. Instead the current administration follows a typical american penchant to do something, anything that makes a lot of noise and is very visible for "feel good" moments, but which accomplish either nothing, or the opposite of what they are supposed to.

Re:They'll stay to raise the threshold...

[emptor]

Actually the saying goes something like "They can't stop someone who is committed enough to sacrifice their own life from killing the President."

It's even easier than that.

[pclminion]

Forget making crude copies of authorized fingerprints... It's even easier than that.

A friend of mine in the office has some sort of skin condition which causes his hands to produce very acidic sweat. It's acidic enough to buff the leather on his steering wheel and gear shifter. His fingers will erase the letters off the keys on some keyboards (I assume some keyboards use better quality ink that is more resistant). Coffee mugs with cheap paint on them suffer the same fate on the handles.

This person can open any fingerprint-protected laptop in the office (we bought a bunch of these from some company who was beta-testing them, they are now out of production) and make it boot. He just smears his fingertip onto the sensor and wiggles it a little bit, and the machine accepts it as an authorized print.

These fingerprint detectors are of the capacitance-coupling variety. I don't know if the same trick works with the other fingerprint sensor technologies.

Is it possible to fool iPaq fingerprint scanner??

[rwrife]

Wonder if her techniques would fool the fingerprint scanner on the high-end iPaq PPCs?? It's not the type you press your finger on, you have to roll your finger over a narrow scanner...so the "gelatin" technique doesn't seem like it would be as effective on the rolling sytems because you'd be stretching/skewing the gelettin imprint....just a thought.

Re:Airport Police

[flosofl]

How Americans can put up with his bullshit is beyond me

Probably the same way people put up with political bullshit on Slashdot.
They either ignore it or have a knee-jerk reaction.