
Gummi bears defeat fingerprint sensors


Jason Dunn
05-17-2002, 07:55 AM
http://www.theregister.co.uk/content/55/25300.html

Well, so much for fingerprints being a reliable bio-security measure. Sheesh - back to the drawing board for these biotech security companies!

"A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera. First Tsutomu Matsumoto used gelatine (as found in Gummi Bears and other sweets) and a plastic mould to create a fake finger, which he found fooled fingerprint detectors four times out of five."

The Crypto-Gram newsletter (http://www.counterpane.com/crypto-gram-0205.html#5) also had this to add:

"His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time."

Kre
05-17-2002, 02:27 PM
You have GOT to be kidding me. That's pathetic. :oops: Yeah, back to the drawing board indeed. Maybe they can design them to read pH values and sense blood flow, too. Unbelievable.

Brad Adrian
05-17-2002, 02:30 PM
Well, it's a far from easy process he outlines, but it's interesting to see the results.

What the article does NOT mention is that the fingerprint (and iris) identification devices being piloted by a few financial services providers include methods for detecting the so-called "non-viable body part." For instance, they include such things as infrared sensors for detecting a pulse. So, don't give up on biometrics just yet...

Lotto
05-17-2002, 02:37 PM
It worked in the movie F/X :)

entropy1980
05-17-2002, 03:46 PM
Well I guess it's back to good ole retina scanning! Hope nobody finds any latent retina prints lying around! :D

Bob Anderson
05-17-2002, 05:36 PM
OK... Hold the phone... Yeah, the fingerprints can be duplicated, but my god, how much time did it take this person to do what is described in the article?

Oh, and don't forget, that other security measures are likely to be used in conjunction with the fingerprint sensor (or should be) because until the world is a "loving-trusting" environment you should always plan that someone will figure out a way to overcome some type of security system, and instead of finding the ever-elusive "foolproof" method use a combination of methods that simply make it too time consuming and difficult to pull off a breach of security.

Gerard
05-17-2002, 06:08 PM
None of the steps involved in this process involves anything beyond the skills of a moderately talented craftsman. I went through each step in my head, and you know what? I've done half this stuff accidentally! The highlighting with cyanoacrylate adhesive is something I try to AVOID every time I glue two pieces of Lexan or other acrylic sheet together. And heightening contrast, well, Photogenics and Pocket Artist are both full of tools for playing with this.
As for gelatin being foiled by IR detection, sorry, a 2mm thick layer applied to a finger or thumb with actor's gum adhesive a minute before use would be the same temperature as the skin, or within half a degree. It could be transparent, and so, invisible to casual inspection. Eaten after use, all evidence would be gone in a moment.
The photo-etching thing is, as stated, very simple.
You know what I think though? Who cares? The whole culture of secrets ought to be toppled, thrown in a ditch and forgotten. I don't trust any corporation or business which needs to keep secrets. The only 'dangerous' information in my computer is threatening only insofar as it might be used to steal software, as in registration codes. Oh, and my email passwords and dialup numbers of course, and forum passwords in the cookies I suppose... really critical stuff, huh? I mean, if someone stole my dialup, I'd soon find out, and simply contact my friendly local ISP and switch user information over to a different account name and password. My virtual email address would remain identical, so no hassle there. And if some loser stole my computer and software, well, they'd have a toy they didn't know how to use. Big deal. A loss, sure, but how is fingerprint security going to stop me from being such an idiot that I leave my computer available for theft?
Of course, some computers are too big to put in a pocket or bag and take along everywhere, I understand. My notebook never leaves the house. But I keep a fresh backup of all that is of use on it on a small removable hard drive, and take that with me on anything longer than a day trip.
Guess people can find justifications for worrying about security of data, and sure, there are a lot of bad people in the world... but is catering to their whims the best way to change their effect on our lives? Why not disarm them instead? Take away the secrets, take away the power criminals have over business, right?

Brad Adrian
05-17-2002, 08:29 PM
...a 2mm thick layer applied to a finger or thumb with actor's gum adhesive a minute before use would be the same temperature as the skin, or within half a degree...

But, my point was that it wouldn't be able to show a normal pulse.

You make a lot of valid points, though. Secrecy and privacy are issues that are very jugular to most people, especially Americans, so it's easy to get people riled up about something that doesn't directly affect them.

When it comes to biometrics, though, a few more points are important:

*Many organizations and institutions DO have stuff that's worth stealing, and I'm sure that you do, too. Imagine someone following you to your ATM and lifting a latent print after you were there. MY account wouldn't make anybody rich, but on the right day might justify all the trouble a thief would go through.

*Falsifying body parts for biometric theft is INCREDIBLY difficult to do when robust systems are in place. When a high-tech, high-security office building puts in a retinal scanner, it is certain that it can detect a living, breathing being behind the eyeball. Gummi bears and contact lenses cannot fool these systems.

*The use of biometrics for public sector security is NOT going to happen any time soon, at least not in North America. Consumer studies show that we are all still very leery of having a fingerprint on file ANYWHERE, even if it's only used by our most trusted partners, our banks.

Having said (ranted) all that, what this report will help accomplish is make sure that haphazard, low-tech fingerprint security systems are revealed for the risky products they are.

Brad Adrian
05-17-2002, 08:40 PM
Besides, this is all old news. Q accomplished this back in 1971 when James wore those counterfeit fingerprints of Peter Franks in order to fool Tiffany Case and steal those diamonds that were hidden in the chandelier before she could deliver them to Ernst Blofeld...

Gerard
05-17-2002, 08:49 PM
Why not a 'normal pulse', I wonder? Gelatin blended/congealed to the correct density would simulate thin human tissue layers very effectively, as we are, after all, made of these same proteins. And with a decent glue bond there should be a perfect acoustical transmission if there's a 'listening' device involved. IrDA through-tissue scanning for bloodflow would not find any interference from a thin gel layer, would it?

But that's not my point. Yes, sure, I have stuff that someone might want to steal. I never keep enough in the bank for more than a few hours to be worth anyone's trouble; too broke all the time. :) But my point was, all of this escalation is going to stop, one day. It would seem to make more sense to head it off now, before too many millions of hours of people's lives are wasted developing these 'security' technologies. Corporate greed, fraud, thievery, and murder (of the millions of poor in the world who are the balancing factor in the North American success story) inspire this kind of technology, and so it is the nervousness of the criminal inspiring it. Do away with the excesses of capitalism and the 'need' for biometric and other security technologies will evaporate. But that's just an opinion...

Brad Adrian
05-17-2002, 09:18 PM
Do away with the excesses of capitalism and the 'need' for biometric and other security technologies will evaporate. But that's just an opinion...

And an entirely legitimate one, too. I think, though, that we can all stand around holding hands, singing Kum By Yah and "buying the world a Coke" [sorry for the archaic reference], but doing away with secrets ain't gonna happen. We're too dishonest a species, too scared, too selfish for this to happen. I wish it weren't that way, but our track record, since Cain and Abel, shows that people covet, lie, cheat and kill. It's not capitalism that causes this, it's our fouled human nature.

I'm optimistic about our ability to change the world, just a bit more realistic than you, I think.

Ed Hansberry
05-17-2002, 10:19 PM
Do away with the excesses of capitalism and the 'need' for biometric and other security technologies will evaporate. But that's just an opinion...

Yeah, it is us evil capitalists that asked to be attacked requiring security measures. :roll:

Gerard
05-18-2002, 02:05 AM
Nothing so reliably brings out hostility as the mention of pacifism.

Ed Hansberry
05-18-2002, 03:49 AM
Nothing so reliably brings out hostility as the mention of pacifism.
What does pacifism have to do with socialism? :roll: