Exorcising the Biometric Boogeyman
Misinformation breeds monstrous tales of biometric technology
29 September, 2014
category: Biometrics, Digital ID, Government
Spoofing confusion fuels biometric critics
Publicized spoofs tend to be overblown and misinterpreted
The iPhone 5S, the Samsung Galaxy S5 and the HTC One all have fingerprint scanners – and all have been spoofed.
Now, the state of Florida has banned biometrics in schools for fear that the identifying information will be breached, leaving children vulnerable to identity theft. Breaching a biometric database, reverse engineering the stored templates and then fabricating fake fingerprints from them is a long chain of steps, but at least one of those steps is demonstrably possible.
As detailed in the cover story, biometric databases are typically encrypted and templates are designed so that reconstructing a usable print from them is very hard. But what about the media reports of hackers lifting latent fingerprints and creating fakes that fool mobile devices?
For some inexpensive scanners, and those designed for convenience rather than security applications, spoofing may not be that difficult for determined individuals, says Mark Cornett, CEO at NexID Biometrics, a company focused on creating liveness detection systems for fingerprint scanners.
This is why additional protections and liveness detection are a necessity – and a common component – in secure biometric systems.
NexID works with cooperative spoofs – when the subject willingly gives up their fingerprint – as well as latent prints, where the image is covertly taken from a glass or other surface, Cornett says.
When trying to grab a latent image, the first step is making sure to grab the correct fingerprint. Fraudsters need to watch the target to find out which finger is used to access the device. Then it’s a matter of grabbing that print off of a surface.
There are a couple of different ways this can be done. First, a spoofer can use fingerprint dust to bring the image to the surface, Cornett says. The second way is to use a fumer stick. This is about the size of a pen and it uses superglue fumes to make the print visible.
After bringing the fingerprint image to the surface, there are a couple of different ways to capture the image. One is to use tape to physically lift the print and then use a scanner to digitize the print. The other is to use a digital camera to photograph the image, but additional steps must be taken to make sure the scale of the image is correct.
With practice, a spoofer can grab a print from a surface in 30 to 60 seconds, Cornett says. But things only get tougher from here.
If the spoofer has the device and the print, then they are ready to start creating fake fingerprints. Back in the lab, the latent print is scanned into a computer, at which point the spoofer has a couple of different options.
One of the more popular methods is to use a laser printer and create the image on acetate, Cornett says. The image will appear raised on the acetate and the spoofer can then smear on some wood glue or other mold material to create a fake. The resulting fake is not of high quality, but it can do the trick with low-end biometric scanners, he says.
Other methods include etching the print image onto a circuit board via a chemical reaction or printing the fake using a three-dimensional printer, Cornett says.
Even with the variety of ways a spoofer can create fake fingerprints, biometrics is still a better way to secure devices than PINs or passwords, Cornett says. “A PIN is binary, you either have it right or you don’t,” he explains. “A fingerprint is analog, it still has to be good enough to fool the matching algorithm.”
It is imperative that the public understands that while fakes can be created, it is a very unlikely attack against biometric systems designed for security rather than convenience applications. Secure biometric systems include liveness detection features that sense a variety of characteristics found only in living tissue. Thus, a photo of an iris, a rubber finger or a plastic hand from a 3D printer can be easily dismissed.
So what about the spoofed iPhones and other handsets? NexID and others are working on software-based liveness detection systems that will secure these and other convenience-focused biometric devices from spoofing attacks as well.
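Cornett's "binary versus analog" distinction, and the liveness gate described above, can be made concrete in code. The following is an added example written for this page, not code from the article or from NexID: it contrasts an exact PIN comparison with a threshold decision over matcher similarity scores, computes the false-accept and false-reject rates that a threshold choice trades off, and shows why a matcher-only decision can let a partial-quality spoof through while a second, independent liveness gate rejects it. All score values are constructed for illustration and are not measurements from any real scanner or spoof.

```python
"""Added example (not from the article): exact PIN check versus
threshold-based biometric matching, with a separate liveness gate.

Scores are on a 0..1 scale where 1.0 is a perfect match; every list below
is constructed sample data, not output from a real matcher.
"""
import hmac
from typing import Sequence, Tuple

# Constructed similarity scores: genuine users against their own enrolment,
# and impostors (other people's live fingers) against that enrolment.
GENUINE_SCORES = [0.91, 0.87, 0.83, 0.79, 0.74, 0.69, 0.66, 0.62, 0.58, 0.55]
IMPOSTOR_SCORES = [0.12, 0.18, 0.22, 0.27, 0.31, 0.36, 0.41, 0.47, 0.52, 0.60]

# Constructed scores for a low-quality mould of the target's own print:
# partial ridge detail, so they land between impostor and genuine ranges.
SPOOF_SCORES = [0.45, 0.51, 0.57, 0.63, 0.68]


def pin_matches(entered: str, stored: str) -> bool:
    """A PIN check is binary: the secret is exactly right or it is not.
    compare_digest avoids leaking where the mismatch occurs through timing."""
    return hmac.compare_digest(entered.encode(), stored.encode())


def far_frr(threshold: float, genuine: Sequence[float],
            impostor: Sequence[float]) -> Tuple[float, float]:
    """False-accept rate: fraction of impostor scores at or above threshold.
    False-reject rate: fraction of genuine scores below threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          steps: int = 100) -> float:
    """Scan candidate thresholds and return the first one where FAR and FRR
    are closest (the equal-error operating point)."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def spoof_accept_rate(threshold: float, spoof: Sequence[float]) -> float:
    """Fraction of spoof presentations a matcher-only decision would accept."""
    return sum(s >= threshold for s in spoof) / len(spoof)


def authenticate(match_score: float, liveness_score: float,
                 match_threshold: float, liveness_threshold: float) -> bool:
    """Accept only when the matcher AND an independent liveness detector pass.
    A good-looking mould with no liveness signal fails the second gate."""
    return match_score >= match_threshold and liveness_score >= liveness_threshold


if __name__ == "__main__":
    t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    far, frr = far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    print(f"matcher-only spoof acceptance: {spoof_accept_rate(t, SPOOF_SCORES):.2f}")
    # Hypothetical liveness scores: 0.2 for the mould, 0.9 for a live finger.
    print("mould, match 0.68, liveness 0.2:", authenticate(0.68, 0.2, t, 0.5))
    print("live finger, match 0.68, liveness 0.9:", authenticate(0.68, 0.9, t, 0.5))
```

Lowering the match threshold to cut false rejects for legitimate users widens the window a mediocre fake can fall into; raising it frustrates users without stopping a high-quality mould. That is why the article's point about liveness detection matters: it is a second, independent decision rather than a stricter version of the same one.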
As with any other security system, you get what you pay for. Investing in a robust, advanced and proven biometric authentication solution remains one of the best means of security available, spoofers abound or not.