Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos 80

An anonymous reader writes Chaos Computer Club, Europe's largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias "Starbug," explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen. Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, "politicians will presumably wear gloves when talking in public." Even better than gummi bears.
This discussion has been archived. No new comments can be posted.

Chaos Computer Club Claims It Can Reproduce Fingerprints From People's Photos

Comments Filter:
  • by Iamthecheese ( 1264298 ) on Sunday December 28, 2014 @04:58PM (#48686073)
    It's trivial to get fingerprints of a politician. If, say, China doesn't lift the fingerprints off of every presidential candidate's glass at a fundraiser I'll eat my shoe. This really is nothing special.
    • Re: (Score:3, Funny)

      This really is nothing special.

      Depends on what the shoe is made of...

    • If you are not China, and do not control the glass? Is it special then? If you are not even suspected of controlling the glass?

  • by Anonymous Coward on Sunday December 28, 2014 @05:14PM (#48686129)

    Despite some of the biggest names in security lauding the advantages of biometric authentication, it's pretty flawed by design. If your fingerprints, facial structure, etc. are ever compromised, they become useless. Unlike a password or a cert, you cannot simply revoke who you are. So once the cat is out of the bag, you simply cannot use it again. Not to mention the fact that it could be fairly trivial to obtain fingerprints or other biometric data of a target.

    • Well, actually they can change.... I'm pretty sure my right retina is considerably different today than it was before 2010, when I had radiation and laser treatment for a tumor. Likewise, people can burn their fingers, altering the fingerprints with scar tissue.

      Certs are certainly the way to go. What is needed is a way to be able to carry them on you at all times (implant perhaps?), while being able to update it and offer up public information on demand. The downside of this is a loss of anonymity. We alrea

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The problem isn't how to identify people. The problem is that we think that we need to identify people all the time. Tracking and identification is an obsession that's obviously rooted in paranoia. When was the last time you actually needed to prove to a stranger who you are and it wasn't just to satisfy an arbitrary requirement? When did you last perform full identification when a proof of ownership or proof of age had sufficed? Posting as AC because that's what I do, but also to make a point.

        • by Qzukk ( 229616 )

          Shame I'm out of mod points.

          Fact is, even the government hasn't got a clue who you are, other than the fact that you've got a card from them with a photo and a name printed on it. You probably got that card by showing them some other card with a photo and a name printed on it. That card, you probably got because you convinced your electric company and the library that your name really WAS Bobba Fett. They probably didn't care too much as long as they got paid and the books came back.

    • Not useless, just not sufficient.

      Your house key will work in hundreds of locks, but it's easier to pick the lock than track down exactly which house key might work on the house you want to break into. The reason that biometrics are useful is that they provide a second condition that has to be met for authentication, not because they provide the only one. If you give employees RFID cards and pair it with iris scanning, you're going to have moderately secure door security. It can get a lot better by adding other controls, for example introducing human checks into the system or an employee PIN.

      Most businesses don't even have a second check for door security. I wish people would quit confusing a method of authentication with the idea that any single method is sufficient.

      • by Opportunist ( 166417 ) on Sunday December 28, 2014 @07:21PM (#48686645)

        It all boils down to the triad of security: Something you know, something you have, something you are. It's GOOD practice to pick one from each group in your authentication process (or at least, as it's common, one of two groups, usually a token and a PIN). It's useless to pick more than one from each group.

        All three would e.g. mean that you have a guard sitting there who compares your face to a book of "accepted" faces (something you are) while you hold your RFID card (something you have) against a scanner after punching in your PIN (something you know). That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you. Equally it's useless to require two tokens. Where you can steal one, you can steal two.

        You can of course improve by using better means to do either of the three groups. You could give the guard additional tools, use better encoding for the cards, use longer PINs. But you cannot improve by using two features from the same group.

        • by Anonymous Coward on Sunday December 28, 2014 @07:57PM (#48686837)

          It should actually be a quartet of security: something you know, something you have, who you are & where you are.
          Where you are is interesting for banks for example, they know that it is not possible to have two ATM transactions in the same hour on the other side of the world.

          "Something you are" is not easy to establish by machines.
          Any biometric system needs a guard to check if you are not trying to fake it. For example with a finger print scanner's guard should:
          - Clean the scanner. In case the latent finger print left on the device won't confuse it.
          - Check the person fingers for fake prints, and medical scars.
          - Physically take the person's finger and put it on the scanner (to make sure the person has no possibility to add the fake print to the finger between the check and the scan)
          - Clean the scanner. To make sure the latent finger print will not be lifted from the scanner's smooth surface, when the guard is looking away.

          The person with the finger, should wear gloves everywhere, except when using the scanner.

          Soon we will be wearing, burkas, sun glasses and gloves to make sure our identities will not be lifted.

          • The where clause in your example does not work out as a valid authentication feature. It can be used as a flag to show that "there's something not right here", but it cannot answer one important question: Which transaction was genuine, the one in Paris or the one in Melbourne?

            You can use various plausibility checks on top of it, depending on the actual application (e.g. in banking you can draw from the transaction patterns so far and flag suspicious transactions that differ greatly in target or amount) and

          • Soon we will be wearing, burkas, sun glasses and gloves to make sure our identities will not be lifted.

            No. Biometric authentication won't replace all other methods of security anytime in the foreseeable future, nothing that requires serious security will rely on them alone. I have a hard time believing they ever could. If any serious company tries anytime in the next twenty years, you have my advice to place bets that it will be compromised in short order.

            I keep seeing this idea that biometrics are flawed b

          • Where you are is interesting for banks for example, they know that it is not possible to have two ATM transactions in the same hour on the other side of the world.

            So AMEX blocked my card because they found it suspicious that I tried to buy a train ticket at Tokyo Narita Airport, 13 hours after having bought something at London Heathrow Airport...

        • It is of course best to use factors from different groups. Your theory takes a much stronger stance than that. I'm not sure your theory is correct.

          I would say that a six-digit PIN is slightly more secure than a three-digit pin. Not twice as secure, but somewhat better. Agreed?

          Two pins of three digits each is the same as a six-digit pin. Agreed?

          Therefore, two three-digit pins is somewhat better than one three-digit pin.

          Two from the same group are therefore somewhat better than just one, but not as good a

          • Two three-digit pins are not more secure than one six digit pin. Essentially, they ARE one six digit pin. If I can force you to hand over one pin, I can force you to hand over two, three or any number that you might have. If you write down one pin, you'll just as well write down two. Anything that compromises the first pin will nearly certainly compromise the other one.

            • > Two three-digit pins are not more secure than one six digit pin.
              > Essentially, they ARE one six digit pin.

              That was #2 of my three statements. You seem to have missed the other two.

              a) Two three-digit PINS are the same as one six digit PIN.

              b) One six-digit PIN is better than one 3-digit PIN.

              c) Therefore, two 3-digit PINs is better than one 3-digit PIN.

              If you have any confusion or disagreement let me know whether it's with a, b, or c.

              Your constraint that security breeches can occur only by the princip

        • Minor quibble: using two of one group is not useless either, it is only less useful.

          • Most login prompts require a username and a password, which are both things you know, but that combination is better than requiring only one thing you know.
          • Requiring answers to security questions, yet another thing you know, is often considered better still.
          • Iris scans can be faked as can fingerprints, but both together is harder to fake than either alone.
          • Bribing one guard is easier than bribing two.
          • Checking that a browser supplies a cookie is a good thing, but checking that the IP and the cookie are paired correctly is better.
          • No, sorry. Usernames are not one of the authentication factors. They play a key role in authorization, and it's very common to get the whole spiel conflated, but there is a very important distinction: Usernames are probably something you know, but also something everyone else can know. They are not a secret. Authentication factors are distinguished by the fact that only the "right" person has them. Something you know is something YOU know (and nobody else). Something you have is something YOU have (and nobo

            • If we're talking about protecting against unauthorized access in the real world, we do want a username and password combination because that's harder to guess than just a password. If I am running a website where I'm using a cookie as part of the authentication process, then yes, it is best to keep a database where I tie the cookie to an IP address because that makes it harder to hijack a session.

              When I can force you to hand over one thing you know, I can force you to hand over two things you know.... that

              • It's the same deal with a nonphysical attack. How is 8 letters username + 8 letters password harder or easier to crack than a 16 letters password? Even provided that both username and password WERE secret, which they usually are not, you don't gain security by splitting up a X-bit key into two keys Y and Z that have together a length of len(X). It is the same attack complexity. How are the two tokens "username" and "password" harder or easier to brute force than the one token "usernamepassword"?

                The point is

                • How is 8 letters username + 8 letters password harder or easier to crack than a 16 letters password?

                  It isn't easier to crack, but people remember usernames easier, so you get people who will enter 16 characters instead of eight. The validating server can treat them as separate lookups or not without impacting the efficiency of brute force attacks. The advantage of using multiple entries is that you end up getting more characters that have to be guessed correctly, which is a compound effect, so adding a PIN

                  • Still, for an attacker adding a second "what you know" part doesn't change the game. Look at it from an attacker's point of view. When he can browbeat you into handing over your credentials, it matters not whether he has to listen to one word or two. When he can trick you into handing them over (e.g. via keylogger), it matters not whether it's one word or two.

                    And even if he has to employ brute force it matters little, for however complicated it may be to brute force two words m and n letters long, it is jus

                    • As for remembering, is it harder to remember "username" and "password" or "usernamepassword"? It's the same. You just don't press return in between them.

                      Logically? No. But in practice, I support both approaches and yes, for no obvious logical reason, it makes a huge difference.

        • . That's about as good as it gets. Nothing you could do that ADDS to this could improve this part of your security. Using two of one group is useless. It's useless to require two different PINs. For the obvious reason, someone who can force you to hand over your first pin will also force the second one out of you.

          This seems strange to me. Why is the use of 2 categories an improvement, but 2 from one category is not? It seems to me that the attacker who would coerce you to give up 2 "somethings you know" would just as easily force you to give up a "something you know" and a "something you have". But you're differentiating as if a mugger could only demand one type of thing.

          Security is layered. Having multiple forms of "something you know" could be useful, just as having multiple "something you haves" could-- and i

          • Of course, as soon as you add brutal force to the attack spectrum, things get a bit harder to defend against. But still two of different categories will provide better (I don't say perfect, just better) protection against attacks in general. There are of course certain attacks you will not defend against.

            Most of all, using two distinct authentication factors (of different groups) make it much harder to swipe them unnoticed, or at least not noticed until too late. If I can slip a trojan into your computer, a

      • by pz ( 113803 ) on Sunday December 28, 2014 @07:46PM (#48686779) Journal

        I always think of security like the Miller-Rabin test for primality [wikipedia.org] (which is really a test for a number being composite): it does not give an absolute assurance, but each time you test a given candidate again with a new challenge, you reduce the probability that the candidate is composite, and each test is orthogonal to the previous ones. You, the designer of the system requiring confidence that a big number is prime, get to select your confidence level by adjusting the number of tests applied.

        So too, then, you, the designer of a security system requiring confidence that a given person is who they claim to be, get to select your confidence level by adjusting the number of factors required. A brass key gives a certain level of confidence. An iris/thumbprint/palmprint/voiceprint scan another. An RFID card another. A PIN/password another. Being recognized by a guard another. Each is orthogonal to the rest.

  • Gummi bears are a medium to reproduce fingerprints (and a delicious snack). This is a method to capture fingerprint images. Two completely different things.

  • No details (Score:4, Insightful)

    by Anonymous Coward on Sunday December 28, 2014 @05:20PM (#48686147)

    TFA has no details, so there is no way to evaluate the credibility of the claim.

    • Why do you need to evaluate the credibility of something that's obvious? A similar technique was already used to confirm the identity of the woman in the famous National Geographic photo of the Afghan Girl [wikipedia.org]. The photo was taken before iris scanning was practical as biometric security. But the photo contained enough detail (on 35mm Kodachrome slide) that in 2002 they used her iris pattern in the photo to verify that they had found the correct woman [nationalgeographic.com].

      Any photograph with sufficient resolution and contrast
      • Deckard: Enhance 224 to 176.

        [a man's arm becomes visible]

        Deckard: Enhance. Stop.

        [the man's shoulder and wrist are visible]

        Deckard: Move in. Stop.

        [close-up of man's wrist]

        Deckard: Pull out, track right. Stop.

        [writing is visible]

        Deckard: Center and pull back. Stop.

        [arm and door are visible]

        Deckard: Track 45 right. Stop. Center and stop.

        [doorway and mirror are visible]

        Deckard: Enhance 34 to 36.

        [dresser top is visible]

        Deckard: Pan right or-and pull back. Stop.

        [mirror is visible]

        Deckard: Enhance 34 to 46.

        [blurre

      • The point being that although the prints may not show up to the eye in the photo, processing it to enhance the size and contrast may make the prints stand out.

        Exactly - the investigators on the CSI tv series have been able to do this for years so I don't know why this is news.. All they have to do to read a person's drivers license from a 640x480 security camera image taken from 200 meters away in poor light is to ask the image processing dude to "enhance image".

  • Biometrics (Score:2, Informative)

    by Anonymous Coward

    If you running a security system that only uses fingerprints you are a fool.

    In a security area it should also at least be protected by a code/pattern + prints + tag/card/key, when each piece is scanned/entered and image/photo of the person wanting access is displayed to your security personnel who can then either approve/deny access.

    Biometics alone is insufficient as is very easy to pick up prints, even retinal scanners can be fooled with enough tech, A 4 way security system is better but not foolproof, the

    • 100% security is actually possible. It is just very, very expensive. And as soon as the security expense outmatches what you try to secure with it, it stops fulfilling its purpose because it becomes actually cheaper to have your security broken.

      I remember back when I was still programming peopel used to say "90% of the work take 10% of the expenses, it's the other 10% that cost 90% of time and money". In security the rate is close to 98:2. You can get your system very secure at very little expense. Getting

    • Good enough. Is the key.
      If you go too crazy with security. People will find shortcuts around the team in charge of security.
      Too lax you are open to problems. Biometric in generally is the sweet spot.
      Good enough to to keep people secure without becoming overly burdensome.
      For your phone or your pc, being that you are not a direct target to get your account. You prevent people from getting into your system. If you are some person who has access to hard to get to data. Then yes you may need to go more secure.

    • If you running a security system that only uses fingerprints you are a fool.

      Great job. Now go convince 7 billion people of that. Meanwhile, people are buying bio-only devices.

      If you came here to proselytize, you have the wrong audience. Isn't this demonstration far more effective than your post was?

  • ... authentication is that even if all of the security measures associated with storing and authenticating your fingerprint were utterly unbreachable, your fingerprints can still be taken without your consent, while if you do not want someone accessing data that is guarded by a a secure password, however, then barring vulnerabilities in the security facilities associated with it (which would apply equally to fingerprint security as well anyways), then that information can only be obtained by you voluntarily surrendering it.
    • Fingerprints aren't good as a password anyway. At best they are a method of identification.
      • by markdavis ( 642305 ) on Sunday December 28, 2014 @06:31PM (#48686427)

        Fingerprints aren't even good for ID. They shouldn't be used at all.

        Biometrics should be limited to deep vein scans which are fast, accurate, very hard to "steal", very difficult to obtain without the user's consent, and aren't being left all over the place all the time.

    • ... authentication is that even if all of the security measures associated with storing and authenticating your fingerprint were utterly unbreachable, your fingerprints can still be taken without your consent, while if you do not want someone accessing data that is guarded by a a secure password, however, then barring vulnerabilities in the security facilities associated with it (which would apply equally to fingerprint security as well anyways), then that information can only be obtained by you voluntarily surrendering it.

      http://xkcd.com/538/ [xkcd.com]

    • by Opportunist ( 166417 ) on Sunday December 28, 2014 @07:28PM (#48686683)

      The biggest problem with fingerprints is very simply that, if compromised, it's damn hard to change them, unlike passwords.

      Second problem, unlike your password, you can't really help but compromise them. You leave them littered about everywhere. Every waiter can have your prints if he so chooses.

  • lets see you have the "service tech" that comes in for X (GHod knows what all he might have in his tool box) You have the High Dollar Client that comes with his 6 year old daughter (who has Kali Nethunter installed on that sparkly purple phone of hers) any time you have a NOT ONE OF US in your site (down to somebody that works for your company but at a smaller/remote office) you need to be careful. And then you have the Victoria Secret exploit that can be used on most adult males. Its almost like som
    • Whom do you mean by "NOT ONE OF US"? And when you say " IT LIVING ON SITE (think Monastery)" do you mean that no one is safe? If so, then what do you mean by "NOT ONE OF US"?

      Everyone is subject to any attack any moment of the day, by someone who knows the vulnerabilities. Anyone with sufficient power who does not already know this is an idiot, and likely not reading this website.

      Restate your point, if indeed you have one?

  • TFA says fingerprint authentication is still better than a PIN. I disagree: the fundamental problem with biometric authentication is that authentication credentials cannot be revoked once they are leaked.
    • They can still be more secure than PIN codes in many cases, and can always be used in conjunction with them or other types of passwords for multiple layers of security.

      You are repeating something that has been said elsewhere, and I suggest you cite sources when you plagiarize ideas that can be quickly checked. And, TFA does not say what you think it says - the quote is above for anyone to judge for themselves.

    • by allo ( 1728082 )

      And you have at most 10.
      Now think of one sensor type. You need access to 12 things. 12 Things save the data of your fingerprint (fuzzy). Enough data to identify a fuzzy fingerprint from you. Now lets start calculating something similiar to a fingerprint, which matches the fuzzy data. Now print it in 3D and authenticate at one of the other things with it. So suddenly the thief of your mobile phone can be you at the ATM.

  • When I read the subject, I thought they could reproduce fingerprints based on people's photos instead of the photos of hands as mentioned later :P
    http://popularbloggingtopics.c... [popularblo...topics.com]

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...