The Fickleness of Fingerprints

fingerprint

It only took two days for the Chaos Computer Club to sneak past Apples Touch ID last year. They fooled the fingerprint scanner with a fake print made of wood glue, of all things.

Two weeks ago history repeated itself, although it took double the time for the Samsung Galaxy S5 to have its fingerprinting security bypassed… using the exact same trick.

“It is plain stupid to use something that you can’t change and that you leave everywhere everyday as a security token,” – Chaos Computer Club.

Apple at least has fail-safes in place for their fingerprinting technology. It requires a password after too many incorrect attempts, and limits fingerprint authenticated purchases to their app store. Samsung on the other hand, provides unlimited authentication attempts without ever requiring a password! That includes access to sensitive banking apps like Paypal.

PayPal-is-an

Essentially, Samsung  spent more money to build a smartphone that provides less security than simple password protection.

IT’S NOT CSI

On popular television shows like Law and Order and CSI, Fingerprinting technology can often seem foolproof. Someone (a good looking television star usually) finds a fingerprint and enters it into a computer. The computer than cycles through thousands of fingerprints in a few minutes before finding an exact match.

A witty catchphrase is uttered and the crime is solved.

match

The reality is a little different.

For one, it isn’t done by computer. An expert examiner is needed to determine whether a print taken from a crime scene and one taken from a subject are likely to have come from the same finger.

eyes

The fingerprint itself usually isn’t perfect. It might be dirty or smudged. There are all sorts of things that reduce the accuracy.

blur

There are other problems too, such as scanning fingerprints of the elderly. Their skin loses elasticity and in rare conditions leaves some people with smooth, featureless fingertips.

A study by Southampton University found that two thirds of experts, who were given the same sets of prints twice, came to a different conclusion on the second occasion.

This can lead to false positives.

  • In 2004, Brandon Mayfield, was wrongly linked to the Madrid train bombings by FBI fingerprint experts in the United States.
  • Shirley McKie, a Scottish police officer, was wrongly accused of having been at a murder scene in 1997 after a print supposedly matching hers was found near the body.

FICKLE FINGERPRINTS AND SCANNING TECHNOLOGY

Both the Samsung S5 and the iPhone 5s had their fingerprint scanners easily bypassed using wood glue, which is a pretty common household object.

Wood-glue-is-an-adhesive

In 2002, a Japanese cryptographer demonstrated how fallible fingerprint technology was by using gelatine and a plastic mould to create a fake finger which he used to fool 11 commercially available fingerprint biometric systems.

That test was done 14 years ago. Both phones had their scanners bypassed using practically the same technology.

Has fingerprint technology become stagnate? How can something that can be hacked the same way today as it was 14 years ago be considered a viable security option?

Are the continuously more complex written passwords any better?

Your password must be at least 14 characters, with at least 2 upper-case letters and 5 lower-case, 3 numbers and 2 symbols.

It’s clear that with hackers advancing as quickly as the technology (Heartbleed) that some new secure form of password protection needs to be developed.

If not fingerprints, then what?

IT’S IN YOUR VEINS

Are you ready to pay for things with your blood?

Vein matching, also called vascular technology, is a technique of biometric identification through the analysis of the patterns of blood vessels visible from the surface of the skin.

Palm-vein-pattern

Vein patterns are just as unique as irises and fingerprints, but much more difficult to hack. There is also, as far as we know, no risk of cancer as has been rumoured with iris scanners. Article HERE

Vein geometry is just as unique as irises and fingerprintsThe serpentine network of your vascular system is determined by many factors, including random influences in the wombThe result is a chaotic, singular printEven twins have different vein structure in their handsVein patterns don’t change much as you age, so a scan of your palm can serve as biometric identification for the rest of your life. – quartz.com

This isn’t some theoretical option either. Vein scanners are already on the market and are successfully being used.

  • Quixter -Already shops and cafes at Lund University in Sweden are using it. It’s a vein pattern payment system developed by student Fredrik Leifland, and apparently already has over 1600 customers.
  •  Biyo– (which debuted at 2012′s Consumer Electronics Show as PulseWallet) is the first U.S. company that provides payment terminals that connect a vein reader to credit cards.

This is just the beginning. Most vein scanners coming out this year require no physical contact. That means there are no residual patterns that could be copied, unlike Fingerprints.

Vein scanners rely, in part, on blood flow. Blood needs to be flowing through those veins for the palms to match. There will be no chance of people using fake or ‘dead’ hands to bypass these passwords.

Using this technology in smartphones is already in talks. Fujitsu wants to use palm-vein scanners in their new smartphones.

That is entirely possible. The latest model of the vein scanner is as small as a postage stamp.

stamp

 —

Amanda Portelli, Social Media Manager at Planet4IT

Follow us on twitter @pfourdigital

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s