[IP] From CryptoGram: faking fingerprints trivial
Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Sun, 16 Nov 2003 04:59:18 -0800
From: Thomas Leavitt <thomasleavitt@xxxxxxxxxxxxx>
Subject: From CryptoGram: faking fingerprints trivial
To: dave@xxxxxxxxxx

Dave,
Check out this letter to Bruce Schneier on the (non)security of biometric
fingerprint identifications... I guess all those movie dramatics where they
slam the bloody hand of a dead person down on the biometric ID panel are
just that, dramatics - it appears that, in the real world, it's far easier
(half an hour and $20, if you don't happen to have the person handy).

Regards,
Thomas Leavitt

From: Ton van der Putte <Ton.vanderPutte@xxxxxxxxxxxxxx>
Subject: Hacking Fingerprint Readers

Last year in the June issue of CRYPTO-GRAM you made a reference to our
article "Don't get your fingers burned". In the article we describe
two methods to duplicate fingerprints. One method assumes co-operation
(somebody "lends" his finger to make a duplicate), while in the other
method a lifted latent fingerprint is duplicated by means of a
photo/chemical process. With these dummy fingerprints we have been
able to fool all fingerprint sensors we have tested in our lab and on
exhibitions (about 20 different brands). I started with these
experiments in the early nineties, so more than 10 years ago.

Last week we were invited by the BBC to come to London for an interview
about duplicating fingerprints. The reason was that the British
Administration intends to add biometrics to the new British identity
card; one of the options is fingerprint biometrics. The programme,
"Kenyon Confronts", aired on Wednesday October 29th and is (for a
short period of time) available for on-line viewing at the BBC site.

Since my first experiments were dated ten years back, I decided to redo
my experiments. I knew it would be easier to duplicate fingerprints
with all the materials and equipment available today, but the results
even amazed me. To give you an idea, ten years ago to make a duplicate
of a fingerprint with co-operation took me 2 to 3 hours and for an
optimum result I used materials used by dental technicians. Nowadays I
use materials you can buy in a do-it-yourself shop and the total
material costs are about $10 (enough for about 20 dummy fingers).
The time it takes to make a perfect duplicate is about 15 minutes (with
special material it can be reduced to less than 10 minutes). To make a
duplicate of a lifted fingerprint took me several days in 1992 and I
had to do a lot of experiments to find the right
process/technique. Now it takes me half an hour and the material costs
are $20 (also sufficient for about 20 duplicates), the only equipment
you need is a digital camera and a UV lamp. Not only do I now make
the duplicates in a fraction of the time, but also the quality is better.

The reason for writing you all this is the following. Although most
of the fingerprint manufacturers still ignore that there is a problem
or claim to have solved it, some are willing to admit, but use the
argument that it is very difficult and expensive to duplicate
fingerprints and that it can only be done by highly skilled
professionals. In the first place I think this is not a very strong
argument, second I admit I am a professional, but now the average
do-it-yourselfer is able to achieve perfect results and requires only
limited means and skills.

So it is our opinion, that as long as the manufacturers of fingerprint
equipment do not solve the live detection problem (i.e. detect the
difference between a live finger and a dummy), biometric fingerprint
sensors should not be used in combination with identity cards, or in
medium to high security applications. In fact, we even believe that
identity cards with fingerprint biometrics are in fact weaker than
cards without it. The following two examples may illustrate this
statement.

1. Suppose, because of the fingerprint check, there is no longer
visual identification by an official or a controller. When the
fingerprint matches with the template in the card then access is
granted if it is a valid card (not on the blacklist). In that case
someone whose own card is on the blacklist, can buy a valid identity
card with matching dummy fingerprint (only 15 minutes work) and still
get access without anyone noticing this.

2. Another example: Suppose there still is visual identification and
only in case of doubt--the look-alike problem with identity cards--the
fingerprint will be checked. When the photo on the identity card and
the person do not really match and the official asks for fingerprint
verification, most likely the positive result of the fingerprint scan
will prevail. That is, the "OK" from the technical fingerprint system
will remove any (legitimate) doubt.

It is our opinion that especially the combination of identity cards and
biometric fingerprint sensors results in risks of which not many people
are aware.
--
Thomas Leavitt, Sr. Systems Admin For Hire
Resume at http://www.thomasleavitt.org/personal/resume/
Phone: 408-591-3342 / Email: thomas@xxxxxxxxxxxxxxxxx / Fax: 815-371-2804
Wired since 1981. Internet-enabled since 1990. Web-enabled since 1993.
Older, wiser, and poorer, post-crash. :)
Join the System/Database/Network Administrators Job Search Community:
http://groups.yahoo.com/group/sdnadminjobs/
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/