Security for Dummies

security tips and tricks

Faking a fingerprint (part 1)

Back in the nineties I was working with the TeKey Research group, supplying them with raw materials for their tests. The task was to study whether fingerprint sensors accept dead fingers. Yes, I was a pathologist in those years and had plenty of them :). After a few experiments we realized that optical sensors cannot distinguish dead fingers from live ones. Even worse, they accepted fingerprint images.

See how we did it. You will like the idea and simplicity.

First you will need some equipment. We used something always available in every office or home.

  1. PPC transparency film
  2. Stamp-pad
  3. Scissors

Touch a stamp-pad to coat the fingertip with ink. You can use any other method, such as an ink marker, water or oil color, carbon paper, etc.

Stamp the transparency film with your finger. You can experiment with various types of film. It could be any transparent, flexible plastic material.

Make sure that you’ve got a clear fingerprint. If not, repeat the previous steps.

Cut the fingerprint out close to the outline. For the sensor that was used in our study it was important to fit the film to the window of the device. If you have to sweep the image along the sensor, cut a ribbon corresponding to the direction of sweeping.

Place the film on the sensitive part of the device. Now the device is ready for an “optical illusion”.

To reduce the risk of exposing your own fingerprint, cover your falsification with soft material, hold it tight and wait for the result.

When presented to an optical sensor, the fingerprint image is accepted and identified as the original finger.

What is the bottom line?

  1. Optical fingerprint sensors accept fake fingerprints, fingerprint images and scans.
  2. If you use one to protect your computer, you are always at risk.
  3. Biometrics offers a false sense of security and protection, especially when using optical sensors.

But this is far from all. In my next post I will show you the second part of this experiment, which is even more impressive. Keep reading.

June 26, 2008 | Posted in Biometrics, How-to, Security, Security Threats

8 Comments

  1. Alright, you debunked finger scanning, but what's the real deal with optical scans?

    Comment by Ed | June 30, 2008

  2. Ed,
    Optical fingerprint scanners are not reliable. An optical sensor cannot distinguish fake from real. Even those that cost more than $700, like Crossmatch, and are used in the visa programs of the UK and USA governments.
    Matrix capacitive scanners are also not reliable. Swipe-type sensors, like Upek, LTT, Authentec, Atmel, are a bit more reliable, because it takes some proficiency to fake a finger they will accept.
    What I am trying to say is that Biometrics has nothing to do with Security, at least in the way it is currently used.

    Biometrics can offer user convenience and ease of operation, and enhance security indirectly. For example, if you do not have to remember your password, and if it is filled in automatically after your finger is recognized, you may use long and strong ones. Another example: your digital signature is released after you are recognized.
    Anyway, these applications must be used with personal devices and in no way with publicly available biometric terminals.

    Comment by patholog | June 30, 2008

  3. So, how would you copy the guy’s fingerprint? Let’s say he’s a stranger…

    Comment by neosomosis | June 30, 2008

  4. It is much easier than you can imagine. Just see the second part of the tutorial.

    Comment by patholog | June 30, 2008

  5. You have to know someone's fingerprint to fool a scanner. You don't have that image, you don't have jack. So unless you can obtain it, you may as well go fuck yourself instead of trying to fool the system IMO.

    Comment by Yummi_Research | July 7, 2008

  6. I think you did not get the point.
    Let us assume I know who you are. I can get all 10 of your fingerprints within minutes. It is much more simple than to guess a password.

    Comment by patholog | July 7, 2008

  7. Even if you do claim to know how to bypass a top-end RF sensor, you don’t show any proof. You only prove it about optical sensors. We have known about optical sensor faking for 15 years. I have never seen a correctly set up RF sensor faked. I have seen bugs in matching databases allow false acceptances, but never seen the actual RF fingerprint reader fooled in the 10 years I have been designing readers.

    Comment by James | August 6, 2008

  8. Dear James,
    In 2003 I sent an image of the pyramid from a $1 bill to Authentec. This image was scanned with their AF-S2.
    The Validity sensor accepts printed images even better than Authentec.
    Watch movie #4 here. The same could be done with a swipe RF sensor.
    I agree that this is much more difficult than faking an optical one, but it is possible and does not require special equipment.
    When I shoot the movie of it, I will send you a copy.

    Comment by patholog | August 6, 2008

