Doubt cast on fingerprint security

BBC ^ | Friday, 17 May, 2002, 11:15 GMT 12:15 UK | Staff

[rwb]

Fake fingers made out of common household ingredients can fool security systems that use fingerprints to identify people.

The artificial fingers and prints were created with gelatine by Japanese researchers who used the digits to get trick biometric systems into thinking they were seeing the real thing.

Not only was it possible to fool the security systems with casts of fingers, the researchers found they could make convincing fakes using fingerprints lifted from glass.

Experts say the experiments cast serious doubt on any claims that this type of biometric system can be made fully secure.

'Impressive work'

The work was done by engineering professor Tsutomu Matsumoto and his colleagues at the Graduate School of Environment and Information Sciences at the University of Yokohama.

The first set of experiments used fake fingers formed when gelatine was poured into a mould created by pushing a finger into a malleable plastic more often used by model makers.

The fingers created this way fooled the fingerprint readers 80% of the time.

Making the fingers took only a few minutes and used raw materials that cost less than £10. The researchers also developed a way to create fake fingers using prints left on glass.

First, the latent print was hardened using glue that sticks to the ridges of bodily detritus, such as sweat and skin cells, left behind when a finger touches a hardened surface.

'Impressive' work

This improved print was photographed using a digital camera and was then enhanced using Adobe Photoshop software to emphasise the difference between its ridges and gaps.

The image was transferred to a photosensitive sheet, etched into copper to turn it from a flat image into a three-dimensional print, and then used to create another mould.

Again the fake fingers fooled the biometric readers 80% of the time.

Security expert Bruce Schneier wrote of Dr Matsumoto's work: "Impressive is an understatement."

He said the fact the systems were fooled using easily available ingredients should be enough to end the use of fingerprint-based security systems.

"If he could do this, then any semi-professional can almost certainly do much, much more." wrote Mr Schneier.

Dr Matsumoto and his colleagues first presented their work in January at the Electronic Imaging 2002 conference organised by the International Society for Optical Engineering.

[rwb]

10 bucks to beat a million-dollar system ... typical.

I guess nothing's more secure than a 'mark of the beast' chip insert, for ID purposes. </sarcasm off

[smoking camels]

I said this several years ago... that this could most likely be done. I roll my eyes at all this crap...

thanks for posting this...

[em2vn]

In the very early 1970s, professor Seneker, I believe, in the criminal justice department of Missouri Southern State College in Joplin, Missouri was able to recreate a person's fingerprints. The copies were of such a high degree that he was able to leave the prints at a fake crime scene and they weren't detected as being bogus by crime lab technicians. His work was reported in an issue of the college newspaper,The Chart.I don't have the exact date.

[rwb]

I never thought about the 'scene of the crime' issue, but your right.
I hope police departments will depend more on DNA rather than fingerprint evidence.
(It'll probably be about twenty years before anyone can fake DNA for only $10).

[3AngelaD]

Bringing new meaning to the phrase, "He gave me the finger."

[rwb]

bump

[knarf]

I'm sure I remember an old "Mission Impossible" episode that showed this technique ... very quick and brief camera shots ... in order to fool a high security system in Nouthern Mystovia (of course I made that up ... so did "Mission Impossible") for ... I forget the reason.

MI was on the cutting edge of spynology.

... or true anarchists.

[Lessismore]

Quality readers sense the temperature and pulse of the finger to make use of a fake more difficult. If higher security is wanted, a guard should be employed to make sure that the fingers are real.

Iris scan readers can also flash a light and measure how the pupil diameter changes in response.

[buffyt]

We had a 'touch pad' type mouse for a while. I liked it fine, except if my hands were the least bit dry, or wet. If I had really dry skin, the touch pad wouldn't read my finger movements. If I had just washed my hands or used hand lotion, the touch pad wouldn't read my finger movements. That is what I heard about the fingerprint reading machines at Kroger Grocery stores. They have them already, but they can't read your finger/thumbprint if you have really dry skin. These things will never be foolproof!

And you are right, ten bucks to fool a million dollar machine.

[toddst]

Quality readers sense the temperature and pulse of the finger to make use of a fake more difficult. If higher security is wanted, a guard should be employed to make sure that the fingers are real.

Yep, pulse & temperature are more difficult to include in the fake. My question is, what are these readers being used to protect?

Per the iris readers, that I don't like. Something goes wrong and my eyesight is harmed? Nope, not acceptable.

[Lessismore]

The technique for the iris readers would be similar to the "red-eye reduction" feature in cameras. Red-eye is due to having the flash lamp too close to the lense in the compact-type cameras. The light from the flash enters the pupil reflects off the retina and back to the camera lens. "Red-eye reduction" works by triggering a "pre-flash" or series of pre-flashes prior to the main flash. The subject's eye senses the pre-flash and the iris response causes the pupil diameter to shrink. This minimizes the amount of light that gets reflected during the main flash and the taking of the picture.

Note that this applies to the iris-scanning biometric readers, which are typically feet from the eye. Perhaps you are thinking of retinal-scan readers, which scan the patterns in the back of the eyeball and require that the subject place his eye close to the reader.

[toddst]

Thanks for the information. I'm familiar with the red-eye reduction mechanism from my Canon SLR camera strobe flash.

I still don't like the eye scan approach, don't want anything used that requires access to my eyes in any manner. Fingerprints I have no problem with.