Security

Fingerprint Scanners Still Easy to Fool 378

Anlan writes "A Swedish student wrote her Master's thesis about current fingerprint technology. After a thorough literature study some live testing took place. Simple DIY fingerprint copies were used (detailed how-to in the thesis). Have current commercial products improved as much as proponents claim? Well, this quote from the abstract says it all: 'The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint. Nine different systems were tested at the CeBIT trade fair in Germany and all were deceived. Three other different systems were put up against more extensive tests with three different subjects. All systems were circumvented with all subjects' artificial fingerprints, but with varying results.' You can guess how happy the sales people at CeBIT were - most systems claim to be spoof proof..."
  • Airport Police (Score:5, Insightful)

    by mirko ( 198274 ) on Friday June 25, 2004 @09:12AM (#9527463) Journal
    So, will they remove these fingerprint scanners, in the US International Airport?
    • by Stargoat ( 658863 ) <stargoat@gmail.com> on Friday June 25, 2004 @09:18AM (#9527552) Journal
      Airport! No, don't bring that up! George Bush will have to invade Sweden now!
    • Re:Airport Police (Score:5, Insightful)

      by dave420 ( 699308 ) on Friday June 25, 2004 @09:23AM (#9527607)
      No, because it appears like they're actually doing some good. Just like when they had the national guard monkeys running around with M16s. Absolutely no use whatsoever, but makes the American public go "Gee - we're so protected! I love our President(tm)!"

      The war on terror isn't about the terrorists, it's all PR.

      • national guard monkeys

        Gee! A little respect! These are hard working patriots, protecting the american public from multiple threats and dangers of all sorts!

        Ts ts ts ts ts!

        They enlist themselves and their kids to fight wars on terrors(TM) and defend democracy and freedom and the Values of Western Civilization(TM), at least we could show some respect to that Saintly Sacrifice!

        Do you think it's easy to torture Iraqi people in order to liberate them?
      • Re:Airport Police (Score:5, Informative)

        by jrumney ( 197329 ) on Friday June 25, 2004 @11:53AM (#9529413)
        Just like when they had the national guard monkeys running around with M16s. Absolutely no use whatsoever, but makes the American public go "Gee - we're so protected! I love our President(tm)!

        Granted, I'm not an American so maybe my perception is different, but the sight of nervous 19 year olds with M16s at Logan airport in late 2001 did not make me feel "protected".

        • Re:Airport Police (Score:3, Informative)

          by gfilion ( 80497 )

          Granted, I'm not an American so maybe my perception is different, but the sight of nervous 19 year olds with M16s at Logan airport in late 2001 did not make me feel "protected".

          Don't worry, I read in Bruce Schneier's Beyond Fear that there are no bullets in the M16s, it would be way too dangerous. It's really just for the show.

          Damn, the guys with these empty weapons must feel like complete morons.

        • Re:Airport Police (Score:3, Informative)

          • the sight of nervous 19 year olds with M16s at Logan airport in late 2001 did not make me feel "protected".
          How about the fact that the rifles you saw were unloaded [google.com]?
      • Re: (Score:3, Insightful)

        Comment removed based on user account deletion
        • Re:Airport Police (Score:3, Insightful)

          by KjetilK ( 186133 )

          Terror is not about killing people, it's about scaring the public and causing them to act a certain way.

          Agreed.

          The train bombing in Madrid, for example, though didn't kill a whole lot of people, was completely effective because the Spanish public immediately voted in a leader with a soft spot for terrorists,

          Bullshit. Aznar was voted out because he had done everything wrong, and the bombings showed conclusively that all the things that had been done to make everybody feel so much safer was a com

    • by wo1verin3 ( 473094 ) on Friday June 25, 2004 @09:26AM (#9527651) Homepage
      >>So, will they remove these fingerprint
      >>scanners, in the US International Airport?

      No, they'll just continue to refuse letting travellers use gelatin molds in place of their real hands.
      • Re:Airport Police (Score:5, Insightful)

        by XryanX ( 775412 ) <XryanX.earthlink@net> on Friday June 25, 2004 @09:33AM (#9527723)
        I'm sure someone that was trained in stage makeup could easily make a fake finger that would slip over their real one, and yet still look realistic.
    • by MyNameIsFred ( 543994 ) on Friday June 25, 2004 @09:40AM (#9527792)
      There is an old saying that is attributed to the Secret Service. They can't stop someone really dedicated from killing the President. All they can do is raise the level of difficulty so high that the average individual won't be able to do it. I think that is applicable to the fingerprint scanners used in American airports. Yes, they can be beat, but they raise the threshold. They won't catch the dedicated/educated terrorists, but it will help against idiots. And stopping idiot terrorists is still a good idea. And don't fool yourselves, a lot of terrorists are idiots. Just look at the Shoe Bomber, not what I would call England's best and brightest.
    • by Captain Caveman ( 181138 ) on Friday June 25, 2004 @09:58AM (#9528015)
      Yes, they will be replaced by rectal scanners because it is impossible to make a perfect gelatin mold out of your ass.
  • the Security Industry, I'd just like to say:

    Shhhhhhhhhhhhhhhhhhh!!!!!

    Please remember this the next time a non-productive "feature" is uncovered.

  • by Mz6 ( 741941 ) * on Friday June 25, 2004 @09:15AM (#9527494) Journal
    Don't let your fingerprints get copied. Wear gloves ALL the time. Problem solved.
    • Re:Easy Solution (Score:3, Insightful)

      by endx7 ( 706884 )
      Even when you are using the scanner?
    • Re:Easy Solution (Score:5, Insightful)

      by jacksonyee ( 590218 ) on Friday June 25, 2004 @09:27AM (#9527661) Homepage

      So what happens when some law enforcement organization such as the police or the passport office want to take your fingerprints? Do you deny their request and don't get anything done, or do you use glove prints rather than fingerprints. Even worse, what if someone hacks into the police database and creates fake gloves with other people's fingerprints etched in them?

      As much as the privacy advocates will laugh at this news article, fingerprints have been a proven source of clues for law enforcement agencies for decades. Nowadays, we have more sophisticated methods of detecting whether someone might have been at the scene of a crime or not, but fingerprinting is nice, quick, easy, and obvious. Of course, every system in existence can be fooled, and if you're really willing to break the system, you can. However, I hate to think that people other than the tinfoil hat crowd would be so concerned about fingerprints that they would wear gloves all the time. This is much more a legislative issue than it is a technological issue. Unless we stop legislative processes invading our privacy, technological means will be only a band-aid onto the root of the problem.

      • Re:Easy Solution (Score:3, Informative)

        There was a piece on NPR last week about an American who was charged with terrorism in Spain because his fingerprint was there. He was in America at the time the event occurred, but two fingerprint experts (his own and the FBI's) verified that the prints matched.

        Fortunately for him, Spain independently matched the fingerprint to a known terrorism suspect then in Spain. The only reason the fingerprint matched the American was because it was slightly smudged.
        • Re:Easy Solution (Score:3, Informative)

          by Zone-MR ( 631588 ) *
          Even worse, what if someone hacks into the police database and creates fake gloves with other people's fingerprints etched in them?

          That's why fingerprint databases don't store the full image of a fingerprint, only hashes which can verify a fingerprint, but not reconstruct it.
  • J311-0 (Score:5, Funny)

    by lunarscape ( 704562 ) on Friday June 25, 2004 @09:15AM (#9527496)
    The experiments focus on making artificial fingerprints in gelatin from a latent fingerprint

    That's great to know that some of the world's most sophisticated security systems can be circumvented with Jell-O

  • by cacheMan ( 150533 ) on Friday June 25, 2004 @09:15AM (#9527498)
    make sure not to touch your car much or leave it parked in the same place too long.
  • fix? (Score:2, Interesting)

    by ncurses ( 764489 ) *
    An easy way to fix this, although I am no expert, is to make the fingerprint scanners heat sensitive. If the fingerprint matches and is within 1 degree of 98.6 F, then it opens. I think that would prevent people from holding a thing of gelatin against it, and it would prevent people from holding a lighter under it, because it has to be within 1 degree. It's not a flawless way to fix it, but it would make it at least a bit more difficult to foil, neh?
    • Re:fix? (Score:5, Insightful)

      by tomcio.s ( 455520 ) on Friday June 25, 2004 @09:17AM (#9527534) Homepage Journal
      Not at all actually, your extremities (hands, feet) change temperature faster than the core of your body, and most people's extremities are either colder (more common) or warmer (?) than the core of their body. So to make it heat sensitive would be to deny access to most users.

    • by Mz6 ( 741941 ) *
      OK, So, is there a time limit then that exists that you have to stand there and hold your finger against the sensor? The average internal body temperature is ~98.5, but that doesn't mean your external temperature would be the same or be a constant all the time and between different people. I'm not so sure that would work.
    • Re:fix? (Score:3, Insightful)

      by ecklesweb ( 713901 )
      A person's external skin temp is going to be a lot less than 98.6, and I think it's going to be a lot more variable than a person's internal temperature. Even if that wasn't true, your system would deny access to anyone with a cold and a 1.1 degree fever. Beyond all that, how much harder would it be to mold that fake fingerprint into, say, latex instead of gelatin, and then putting it on the end of an electric heater that pumps out your magic 98.6 degrees?

      Is this the state of our security today?

    • by VinceWuzHere ( 733075 ) on Friday June 25, 2004 @09:19AM (#9527557)
      From the document abstract... "A description of different liveness detection methods is presented and discussed. Methods requiring extra hardware use temperature, pulse, blood pressure, electric resistance, etc., and methods using already existent information in the system use skin deformation, pores, perspiration, etc."
      • The best system I have seen so far is the U.are.U 4000 [sciam.com]. This system uses multiple CMOS cameras to construct a 3D image of the ridgelines which is not easily defeated by a gelatin mold (rarely do they build a good 3D map), if they added a camera which was sensitive to IR they could take a temperature or bloodflow measurement and make it basically foolproof. Besides which a 3D gelatin mold is basically impossible to obtain without the subject's knowledge. Also the way we are using the U.Are.U for our client i
    • Re:fix? (Score:5, Interesting)

      by SlamMan ( 221834 ) on Friday June 25, 2004 @09:19AM (#9527561)
      Won't work, for all the reasons specified. However, what about recording the body temperature as well as the fingerprint?
    • Another good one would be conductivity and capacitance. Easy to measure, should be within a certain range... Gelatine is probably highly resistive.
      • Re:fix? (Score:3, Interesting)

        by HaloZero ( 610207 )
        Unless it's ballistics gelatin. The stuff, allegedly, can almost match the conductivity of human flesh. Don't you watch MythBusters? (:-P)
      • Re:fix? (Score:3, Interesting)

        by Ralph Wiggam ( 22354 )
        I've worked with machines that try to calculate body fat percentage by measuring conductivity across a person's body. What they really measure is how hydrated a person is. The fluctuation is probably less when measuring just a finger or hand. Hand lotion would probably mess with conductivity, too.

        -B
    • Re:fix? (Score:4, Insightful)

      by AKAImBatman ( 238306 ) <akaimbatman@gmaiBLUEl.com minus berry> on Friday June 25, 2004 @09:22AM (#9527590) Homepage Journal
      It's not a flawless way to fix it, but it would make it at least a bit more difficult to foil, neh?

      It would also be impossible to use. 98.6 degrees is the temperature of certain orifices in your body. These orifices are generally pretty good at maintaining a certain amount of heat. However, your hands and feet are extremities that do not keep a constant temperature. In fact, your body will sometimes shut off the blood flow if it needs the heat somewhere else.

      This means that you'll never be able to accurately predict the lower bounds of finger temperature. Someone may have just been outside in cold weather. Or they may have poor blood flow to their hands (e.g. my wife's hands barely even show up on a heat-sensitive screen). Similarly, they may have just touched a warm car door, or lit up a cigarette. Maybe they have some coffee in their hands.

      Basically, there's almost no way short of human or artificial intelligence to near flawlessly determine if the fingerprint belongs to a real human or not.

    • Re:fix? (Score:5, Insightful)

      by stratjakt ( 596332 ) on Friday June 25, 2004 @09:22AM (#9527600) Journal
      The temperature of your fingertips is going to vary widely. If you've been holding a cup of coffee, it'll jack up to 110, 120 maybe, if you just came inside it could be down around 60 or so.

      98 degrees is an average core body temperature, extremities generally run cooler. That's why your testicles hang down - they don't work at 98 degrees, they need to be cooler. It's also why briefs and tight pants make you sterile.

      Besides, all you'd have to do is put the fake finger in a cup of warm (98 degree) water..

      I think the real solution is to realize that this kind of shit only works in movies or cartoons right now.
      • Huh? (Score:3, Funny)

        by blunte ( 183182 )
        I didn't really understand anything you said, but I see you managed to mention testicles in a /. post, and that was cool...

        [cue Butthead laugh]
    • Re:fix? (Score:3, Interesting)

      by lachlan76 ( 770870 )
      And what if i'm sick and I need to go through?

      How many people would want to live at work every time they get the flu? Someone would let them out eventually, but it makes things harder. And I can rub the gelatin mould in my hand, to warm it up.
    • Other posters have pointed out that 98.6F is core temperature. But I can think of at least three perfectly normal and understandable reasons why a person's finger temperature would be hotter / colder than normal :

      -the user was holding a coffee, or a can of soft drink before trying to gain admittance.

      -Or it's winter and they just took off their gloves.

      -User went to washroom, and cleaned their hands, with water that is colder or warmer than their skin temperature, or dried them with friction or blown heat
    • Did you read the thesis at all? In there, it is explicitly stated that epidermic temperatures at extremities like hands are between 26C and 30C. Thin silicone or gelatine layers lower the temperature by max. 2C, so it is well in the accepted range.
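
The temperature sub-thread above, worked through as an added example (not part of the original discussion or the thesis): a temperature-only liveness window is scored against constructed fingertip readings. Only the 98.6 F plus or minus 1 window, the 26-30 C fingertip range and the "max. 2C" overlay drop come from the comments; the sample readings, the 18-34 C window and all names are assumptions.

```python
"""Scoring a temperature-only liveness check (added example).

Taken from the thread: the proposed 98.6 F +/- 1 window, the 26-30 C
fingertip range, and the "at most 2 C" cooling from a thin overlay.
Everything else (readings, the wide window, names) is constructed.
"""


def f_to_c(deg_f):
    """Convert Fahrenheit to Celsius."""
    return (deg_f - 32.0) * 5.0 / 9.0


# Candidate acceptance windows in degrees Celsius: (low, high).
WINDOWS = {
    # Window proposed in the thread: core body temperature +/- 1 F.
    "core_98_6F": (f_to_c(97.6), f_to_c(99.6)),
    # Fingertip range quoted from the thesis in the thread.
    "fingertip_26_30C": (26.0, 30.0),
    # Constructed: widened until every genuine reading below passes.
    "wide_18_34C": (18.0, 34.0),
}

# Constructed fingertip surface readings (C) for genuine users.
LIVE_READINGS = [
    26.0, 27.0, 28.0, 28.5, 29.0, 30.0,  # inside the quoted range
    18.0,                                # just came in from the cold
    34.0,                                # was holding a hot cup
]

# Constructed cooling values (C) for a thin overlay on a live finger,
# bounded by the 2 C maximum quoted in the thread.
OVERLAY_DROPS = [0.5, 1.0, 2.0]


def accepted(temp_c, window):
    """True if the sensor reading falls inside the acceptance window."""
    low, high = window
    return low <= temp_c <= high


def evaluate(window):
    """Return (false_reject_rate, overlay_accept_rate) for one window."""
    rejected = [t for t in LIVE_READINGS if not accepted(t, window)]
    false_reject_rate = len(rejected) / len(LIVE_READINGS)

    # An overlay worn on a live finger reads as the finger minus the drop.
    overlay_readings = [t - d for t in LIVE_READINGS for d in OVERLAY_DROPS]
    passed = [t for t in overlay_readings if accepted(t, window)]
    overlay_accept_rate = len(passed) / len(overlay_readings)
    return false_reject_rate, overlay_accept_rate


if __name__ == "__main__":
    for name, window in WINDOWS.items():
        frr, oar = evaluate(window)
        print(f"{name:18s} window={window[0]:5.1f}..{window[1]:5.1f} C  "
              f"false rejects={frr:.0%}  overlay accepted={oar:.0%}")
```

On these constructed readings the core-temperature window locks out every genuine user, and each widening that lets more genuine users in also lets more overlay readings through, which is why the thesis abstract lists temperature as only one of several liveness signals.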
  • by imranius ( 786955 ) on Friday June 25, 2004 @09:15AM (#9527510)
    "I'll show you a finger, Trebek!"

    - SNL Celebrity Jeopardy
  • by VinceWuzHere ( 733075 ) on Friday June 25, 2004 @09:15AM (#9527513)
    I really don't think that ANY biometric system will be foolproof until the old basic of security is implemented. The scheme is called "Something you have and Something you know" (someone out there does know the right name even if I can't remember it at the moment).

    Think of the simple RSA keyfob some of us carry; it gives us a number and we use that PLUS a password to get into secure systems (have + know).

    Carry this one step further and have the system check your fingerprint/handprint/iris/whatever PLUS ask for a password.

    I personally think it's damn scary in this age of terrorism that someone could fake a biometric and get onto a plane; if the airlines for example issued me a unique password to go along with fingerprint (or whatever) recognition then I'd feel a whole bunch better about the entire process and the underlying technologies.

    • by Tryfen ( 216209 ) on Friday June 25, 2004 @09:26AM (#9527640) Homepage
      The mantra used to be something you know (password), something you have (ID card), something you are (fingerprint).

      The problem is that "something you are" is just a really weak version of "Something you have". Why is it weak? Because once it is compromised, you can never get it back. Never.

      If my RSA fob is stolen, I can get it reissued. If my password is stolen, I generate a new one. What am I supposed to do when my fingerprint shows up on Kazaa? Sure, I can use one of the other nine, then once they're compromised, use my toes, after that...?

      Biometrics have a (small) part to play in security. But relying on them for anything important is daft.

      T
    • by Anonymous Coward
      Right, because the 09/11 hijackers had to fake ID to get on their planes. Oh wait. No, they didn't--they complied with all ID requirements using their real ID.

      If you must fear something, fear sleeper agents more than known international terrorists. Besides, terrorists hit where you don't expect (so, planes should be safe for the foreseeable future).

      • Now, a clever man would not use a plane, because he would know that only a great fool would repeat the same method. I am not a great fool, so I can clearly not choose to attack with a plane. But you must have known I was not a great fool, you would have counted on it, so I can clearly have to attack with a plane.
        Because counter-terrorist come from America, as everyone knows. And the America's is entirely peopled with infidels. And infidels are used to having people not trust them, as you are not trusted by me. So I can clearly not attack with a plane.
        And you must have suspected I would have known you were an infidel, so I can clearly have to attack with a plane.
        You've beaten my Saddam, which means you're exceptionally strong. So, you could have placed your men on the plane, trusting on your strength to save you. So I can clearly not choose to attack with a plane. But, you've also bested my sleeper cells. And in studying, you must have learned that terrorists are dangerous so you would stay as far away from us as possible, so I can clearly attack with a plane.
    • "Age of terrorism" - that's hilarious. Do you watch Fox?
  • So you can expect... (Score:3, Interesting)

    by manavendra ( 688020 ) on Friday June 25, 2004 @09:16AM (#9527519) Homepage Journal
    ..the passports to be changed yet again, to have "better", "smart" fingerprint recognition/imprinting techniques?
  • These have been, and probably always will be easy to fool. If anyone needs ultra-high security, it's doubtful that they'd choose this form of biometrics to begin with, unless they themselves are foolish.

    As is true with any security measure, if it can be beaten, the geeks will find a way.
    • by Mz6 ( 741941 ) *
      Which still means that ANY highly secretive area will still be secured by a person (as is with the military). This person will know everyone that is allowed access into that area. Thus no need for a finger-printing device, then an eye scanner like in the movies. People will still do this.
      • Umm, I hate to break it to you, but there are many secured areas in the military that don't have people watching them. Sure, there are people on the very outside areas, but the more you get in, the fewer people around watching you.
  • by tuxette ( 731067 ) * <tuxette&gmail,com> on Friday June 25, 2004 @09:22AM (#9527591) Homepage Journal
    Probably old news to some, but here's an interesting article [theregister.co.uk] about how fingerprints are perhaps not infallible, unique ID, with a link to this article [newscientist.com]

    Who cares about the scanners when the real problem lies in something entirely different?

  • For the Swedish bikini team anyway, should use other "appendages" to authenticate the message.
  • Okay. (Score:5, Insightful)

    by Red Dane ( 771396 ) on Friday June 25, 2004 @09:23AM (#9527609)
    Just wanted to interject... I suppose it depends on whether you have one that bounces small radio signals off of the inside of your finger or one that simply captures an image. Certain fingerprint readers bounce radio signals off of the inside of your finger and read the underlying tissue structure (no, I'm not going to plug the product here). This prevents people from doing what she did at the trade convention. Fingerprint technology is always improving, and I'm sure that the industry will take this to heart and make these things even more complex. When you get right down to it, the systems aren't as complex as you might think. Most fingerplate templates weigh in from anywhere to 300 - 600 bytes in size.. but that is more to ease hardware requirements. I think they will combine other methods in the fingerprint taking process and eliminate these problems. Just my take on it, tear it apart guys ;)
    • "(no, I'm not going to plug the product here)"

      Plug the product... I would be interested to find out who is doing this type of research and looking up documentation on how it works if possible. Sounds interesting. Post as AC or something :)

      • Re:Oh, come on.... (Score:2, Informative)

        by Red Dane ( 771396 )
        Okay, Assuming you are still reading this.. check out the Tensor 4210 sub-dermal reader, there are a lot of other products out there that do the same thing. If it can be found OEM, then it might be worth half a poop. Otherwise you're married :( product marriage + attempted product development = low return/failure. But I'm preaching to the choir here ;)
    • Re:Okay. (Score:3, Informative)

      by iabervon ( 1971 )
      The thesis tested one of those at the trade show. You wear the artificial fingertip on your real hand, so it contains normal human tissue and bone structure. In fact, the real issue is that a real finger has a bunch of non-distinctive live matter covered by a layer of distinctive dead matter (your epidermis, with your fingerprints, is dead cells). It's very difficult to detect the difference between dead matter that's supposed to be there and dead matter that's not supposed to be there.

      Obviously, wearing t
  • Lo-tech method (Score:4, Interesting)

    by Zog The Undeniable ( 632031 ) on Friday June 25, 2004 @09:25AM (#9527627)
    I believe c't magazine successfully fooled more than 50% of scanners by placing a clear plastic bag, filled with water, on top of the glass. This makes the greasy residue of the genuine user's fingerprint show up clearly to the scanner.
  • What about all the oil from fingerprints. Do the replicas have oil as well in order to leave an actual fingerprint on the system or does it just scan the pattern of print like a flatbed scanner?

  • wasn't this same thing done in a James Bond movie from about the early 80's?

    I seem to remember him picking off some fake fingerprints he used to pick up a wineglass with at some woman's place (who 'gasp' turned out to be a spy for the 'other' side..)

    • Re:james bond (Score:2, Informative)

      by dcphoenix ( 528517 )
      You're right about that. It was in Diamonds Are Forever. Bond was posing as a diamond thief, if I'm remembering correctly, while meeting with the real thief's contact for something. The real thief and the contact had never actually met face to face before and the only identification she had to verify his identity were his finger prints. So, Q made a set of fake "press on" prints for Bond.
  • by Timesprout ( 579035 ) on Friday June 25, 2004 @09:29AM (#9527674)
    If it's so easy to falsify fingerprints then they will want more. Say hello to have a DNA sample taken at birth to be used as ID for the rest of your monitored existence.
  • by MojoRilla ( 591502 ) on Friday June 25, 2004 @09:31AM (#9527700)
    From the thesis...

    The main problem with liveness detection methods based on extra hardware, is that the scanners have to be adjusted to operate efficiently in different kinds of environments, leading to problems when using a wafer-thin artificial fingerprint glued on to a live finger.

    And finally, monsieur, a wafer-thin fingerprint. Oh sir...it's only wafer thin.
  • What does liveness detection have to do with the problem of a twin/clone having similar fingerprints? Unless your twin/clone is dead I can't see how it would make a difference.
  • by Nf1nk ( 443791 ) <nf1nk@@@yahoo...com> on Friday June 25, 2004 @09:37AM (#9527763) Homepage
    they may not work for me. I have a chemical burn on three of my fingers on my right hand. It still hasn't healed properly and the scar tissue keeps rearranging itself (small blisters keep forming). My other hobby, wood carving, leaves me with several fresh cuts on my hands and fingers each week, from these I can see changes in my prints.
  • Accidental Discovery (Score:5, Interesting)

    by The Slashdolt ( 518657 ) on Friday June 25, 2004 @09:38AM (#9527779) Homepage
    In a former career I spent time mixing cement. One day I was mixing a small amount in a 5 gallon bucket. At the time I had nothing to mix it with so I used my hand. After mixing I washed my hand and it was amazingly smooth. I didn't think much more about it. The next day the skin on my hand was very sore. I looked at it and noticed that the mixing had worn down the top layers of skin on my hand. To the point where I barely had any fingerprints at all. So if you want to remove your fingerprints temporarily in a somewhat painful (but not excruciating) way, just mix up a bucket of concrete with your hand..... Hmmmm, is this a circumvention device?

    • by WormholeFiend ( 674934 ) on Friday June 25, 2004 @09:55AM (#9527962)
      I had a similar experience when I worked at a summer job at industrial egg incubator facilities... we had to clean everything with bleach and even with all the protective clothing and gloves, we still all lost the friction ridges on our fingers and hands.

      Fastforward to years later, I have to get a security clearance, and therefore have to get fingerprinted... So I asked the cop about this sort of situation.

      He told me that they can't let a suspect go until they can ascertain his/her identity. So it's in the suspect's best interest to have printable fingerprints.

      Obviously this cop wasn't very forthcoming with answers for all possible situations, but I would assume that if your prints have to be scanned to open some sort of security mechanism or to obtain access to a secure area, you have to have readable fingerprints, otherwise you're S.O.L.

      (OT side note: at that summer job, I also learned that egg incubator facilities have to employ specially trained Japanese sex differentiators, and that the best ones all come from Japan, with a less than 1% margin of error -- they pick up each chick, and look at its ass, then put it on the male or female conveyor belt. Don't ask me what they look for to make the difference between males and females, they never told me.)
    • by SuperBanana ( 662181 ) on Friday June 25, 2004 @10:16AM (#9528238)
      In a former career I spent time mixing cement. One day I was mixing a small amount in a 5 gallon bucket. At the time I had nothing to mix it with so I used my hand. After mixing I washed my hand and it was amazingly smooth. I didn't think much more about it. I looked at it and noticed that the mixing had worn down the top layers of skin on my hand.

      Uh, that's because calcium hydroxide -burned- it off, not "wore it down". It's actually quite common, because there is a delay between exposure and reaction. Well, that and people think "hey, it's just rocks and dirt and stuff, i don't have to wear gloves..."

      • Which is odd, because every bag of concrete mix I've ever seen has very clear warnings printed on it telling you that when mixed with water, this product will burn your skin. I realize you can print warnings on products as clearly as you want and people won't read them, but you'd think people with a career in mixing cement would realize this.
  • Fact is... (Score:3, Insightful)

    by csirac ( 574795 ) on Friday June 25, 2004 @09:39AM (#9527788)
    ... defeating fingerprint scans is a lot harder than stealing a PIN.
    • Re:Fact is... (Score:3, Insightful)

      by Macka ( 9388 )

      I think that's rubbish. If I want to steal your fingerprint then I don't have to actually take something from you at all. I could just follow you around and watch what you touch or pick up, and then go back and take my sample a long time after you're gone. Hell I could even visit your car or front house door late at night.

      Stealing a PIN is way way harder and requires considerably more effort and resources than that.

  • Non-US student (Score:4, Insightful)

    by AragornSonOfArathorn ( 454526 ) on Friday June 25, 2004 @09:42AM (#9527818)
    Good thing this was written by a student who is NOT a US citizen or she would probably be prosecuted under the DMCA.
  • Story (Score:4, Interesting)

    by HarveyBirdman ( 627248 ) on Friday June 25, 2004 @09:52AM (#9527929) Journal
    I wrote a SF story in college where there were fingerprint scanners that also looked at the skin oils and other biometrics. The protagonist had to use an elaborate device to fake a finger print. If I recall, it was a micro-pingrid array with synthetic skin on the tops of the pins, and little canister of actual skin oil and other stuff. You could program the pins to be anyone's fingerprint, and the bio-goos would be mixed to the appropriate levels. Of course, it worked perfectly.

    Just thought I'd mention it. :) The story also had "heavy water fusion batteries" 4 years before the world learned the term "cold fusion". This was back in 1985 before my creativity was destroyed by life and career and reality television.

  • by lucifuge31337 ( 529072 ) <.ten.tcepsortni. .ta. .lyrad.> on Friday June 25, 2004 @10:06AM (#9528106) Homepage
    The main problem with liveness detection methods based on extra hardware, is that the scanners have to be adjusted to operate efficiently in different kinds of environments...

    "So why does it have a rectal probe?"

    "That's just part of the design."
  • by icejai ( 214906 ) on Friday June 25, 2004 @10:41AM (#9528510)
    Fingerprint scanners are exactly that.

    Finger. Print. Scanners.

    They're not "Absolute Identity Verifiers", or "Identity Truth Machines".

    They are simply tools to be used with other forms and methods of identification. Are *all* fingerprinting validation systems supposed to include "temperature, pulse, blood pressure, electric resistance, etc"? Only if some company were relying on fingerprints ALONE to verify someone's identity. But NO company would rely on fingerprints alone. Also, it would make the machine MUCH too costly for anybody to buy.

    The bottom line is, yeah sure, fingerprint scanners can't tell the difference between a human finger and a gelatin one. But if a fingerprint is *all* that it takes to get access to something, then the institution has problems that dig far deeper than the inadequacies of any fingerprint scanner.
  • by pclminion ( 145572 ) on Friday June 25, 2004 @11:03AM (#9528778)
    Forget making crude copies of authorized fingerprints... It's even easier than that.

    A friend of mine in the office has some sort of skin condition which causes his hands to produce very acidic sweat. It's acidic enough to buff the leather on his steering wheel and gear shifter. His fingers will erase the letters off the keys on some keyboards (I assume some keyboards use better quality ink that is more resistant). Coffee mugs with cheap paint on them suffer the same fate on the handles.

    This person can open any fingerprint-protected laptop in the office (we bought a bunch of these from some company who was beta-testing them, they are now out of production) and make it boot. He just smears his fingertip onto the sensor and wiggles it a little bit, and the machine accepts it as an authorized print.

    These fingerprint detectors are of the capacitance-coupling variety. I don't know if the same trick works with the other fingerprint sensor technologies.

  • by rozz ( 766975 ) on Friday June 25, 2004 @11:20AM (#9528987)

    this thesis is only a better documented, nicely written replay of a Japanese experiment from some years ago:
    the Matsumoto experiment [cryptome.org]

    and it surely doesn't mean the biometrics are not secure!

    a complete biometrics based security solution has 3 "components":

    Something you know: e.g. a password or a PIN.

    Something you hold: e.g. a credit card, a key, or a passport.

    Something you are (biometrics): e.g. a fingerprint, iris pattern, etc.

    their demonstration only fooled the 3rd component of such a system ... which means they got NOTHING! ... plus, the most secure fingerprint scanners read the biometric info from under the epidermis (the outer "dead" skin) and are not so easily fooled with an artificial finger or fingertip ... the fact that they tested cheap off-the-shelf hardware is not exactly conclusive.
    The whole study is just an argument against bad hardware and sloppy security systems, not against the usage of the biometrics .. while infallible security does not exist, biometrics can make a big difference when used right!
