Security for Dummies

security tips and tricks

Faking fingerprint (part 3)

Dear all, since the problem of faking fingerprints attracted so much interest, I decided to collect a few available videos here. I am sure you can find more. If you come across something interesting, please drop a link in the comments.

1. Karen Friar has sent a link to the Dialogue Box video. This video describes an easy way to make a fake finger. Moulding plastic, jelly, milk and tea are all the ingredients that Dialogue Box needed to get past one biometric security device.

2. The following one gets the same result with some other tools and materials.

3. I personally love this one.

4. This one is really interesting for those who understand. They trick a Upek swipe-type capacitive sensor with a piece of wet paper.

5. One more crack of Digital Persona with jelly fingers (in German).

I hope you agree with me that there is no fingerprint sensor that cannot be tricked by artificial fingerprints. But I want you to understand me right. I am not against using biometrics! I am a biometrics stickler! I believe that it just should be used in the right place and should be called by the right name – not security provider, but security assistant.

June 30, 2008 | Biometrics, How-to, Security, Security Threats

Faking a fingerprint (Part 2)

In my previous post I described a simple way of faking a finger for an optical fingerprint sensor.
The second experiment demonstrated the high identification capabilities of optical fingerprint capturing devices together with their absolute lack of discrimination of fake “fingers”.

During the study we managed to get the fingerprint image that was accepted by an optical sensor. The “victim” was unaware and the fingerprint was captured during his absence.
The equipment for the second study was as simple and available as in the previous one. When the fingers of a “victim” touch a clean and smooth surface, fingerprints are left on it.

The only problem is to make them visible.
We used the glass (touched by the “victim”), scotch tape, PPC film (the same one as in the previous study), and carbon powder. You can use black toner from any laser printer or copy machine.

Gently sprinkle the surface with the carbon powder. Blow away excess powder. Aren’t they beautiful? You need to take them off the surface. Of course, we have scotch tape for this purpose.

Place the scotch tape above the fingerprint with its adhesive side towards the glass and gently stick the tape. Do not wipe or press it.
Gently pull the tape off. The fingerprint stays on it. Stick the tape to the PPC film. Repeat the procedure for each fingerprint. 
 
Now you have at least three fingerprint images. Cut them as in the previous experiment. You can run the identification procedure. They will undoubtedly be accepted.
 
The fingerprints of an innocent “victim” were captured and saved. They were identified later with an optical sensor and accepted without any hesitation.
 

CONCLUSION
Optical sensors are the most widely used devices in the field of fingerprint identification and the only type that has already found its consumer use. This makes them a target for falsification attempts. Our experiment demonstrated that optical sensors are not able to determine whether the object presented for identification is a finger or an image. This makes it possible to reproduce fingerprint images using even a consumer copier. This compromises the entire method of personal identification by fingerprint – making it untrustworthy and less reliable. The suggested alternative for optical biometrics would be to solve this problem by abandoning the optical sensor and turning to a more reliable capacitive or thermal type of sensor.
Please note that this was a conclusion that we came to a decade ago. It was partly correct. Today we know much more about biometrics. There are more sensors available. New optical sensors have an option of latent finger removal and a protection against artificial images. RF sensors like these have 47 patents for liveness detection. Manufacturers of capacitive sensors claim that only live fingerprints can be scanned. All this is bullshit. We claim that we can fake every sensor. Even now.
What is the bottom line? If you are concerned about your data, never trust biometrics. Use it in combination with encryption, a password and a hardware factor. In later posts I will show you more tricks and more sensors. Keep reading.

June 27, 2008 | Biometrics, How-to, Security

Faking a fingerprint (part 1)

Back in the nineties I was working with the TeKey Research group, supplying them raw materials for their tests. The task was to study whether fingerprint sensors accept dead fingers. Yes, I was a pathologist in those years and got plenty of them :). After a few experiments we realized that optical sensors cannot distinguish dead fingers from live ones. Even worse, they accepted fingerprint images.

See how we did it. You will like the idea and simplicity.

First you will need some equipment. We used something always available in every office or home.

  1. PPC transparency film
  2. Stamp-pad
  3. Scissors

Touch a stamp-pad to blot the fingertip with ink. You can use any other method, like an ink marker, water or oil color, carbon paper, etc.

Seal the transparency film with your finger. You can experiment with various types of films. It could be any transparent, flexible plastic material.

Make sure that you’ve got a clear fingerprint. If not, repeat the previous steps.

Cut the fingerprint out close to the outline. For the sensor that was used in our study it was important to fit the film to the window of the device. If you have to sweep the image along the sensor, cut the ribbon corresponding to the direction of sweeping.

Place the film on the sensitive part of the device. Now the device is ready for an “optical illusion”.

In order to reduce the risk of exposing your own fingerprint, cover your falsification with soft material, hold it tight and wait for the result.

When presented to an optical sensor, the fingerprint image is accepted and identified like the original finger.

What is the bottom line?

  1. Optical fingerprint sensors accept fake fingerprints, fingerprint images and scans
  2. If you use one for protection of your computer you are always at risk
  3. Biometrics offers a false sense of security and protection, especially when using optical sensors.

But this is far from all. In my next post I will show you the second part of this experiment, which is even more impressive. Keep reading.

June 26, 2008 | Biometrics, How-to, Security, Security Threats