Fingerprints; safe feature or actually quite risky?


Fingerprints have been used in passports for years, saved on paper. Mostly used to check for authenticity when leaving the border. But with the digital transformation of the society, so have fingerprints. Using your fingerprint to identify yourself is very easy, and it offers quit some benefits compared to passwords. It is impossible to lose your fingerprint, you can’t forget it. There is no chance on ‘bruteforcing’ your fingerprint by trying different solutions, and where passwords are often obtained by social hacking or (finding a password by studying somebody’s history) or actual sharing, fingerprints have none of those weaknesses.

Fingerprint’s have been used for years in personal items. One of those is the Biometric Safe of Barska. Sometimes a key just isn’t safe enough. Barska’s safe allows you to store guns and other items that you would not want your children to have access to. It’s technology is rather simple and offers a biometric scanner that remembers your fingerprint. The safe locks up after reading it and won’t open again until you put your finger back on the scanner.

With modern advancement, big companies have also seen the fun in fingerprints and are implementing it in different, more technological ways. Apple has introduced its so called  ‘breakthrough Touch ID’. The technology allows to unlock your phone with a simple fingerprint. The opportunities don’t stop there. Your fingerprint also allows you to approve purchases from iBooks, the app Store and iTunes after you have given permission to buy with your fingerprint. With the recent introduction of Apple Pay, the iPhone also allows you to pay in thousands of physical stores and even more online sites and apps with just your fingerprint.

Just two days ago Mastercard has announced that the company has started an experiment with a fingerprint scanner in the creditcard. The card has a specialized small scanner and stores the information only on the card itself. The creditcard needs a battery to function and users will need to charge it to function. Mastercard stated that future iterations of the card will be more efficient and can be charged by just sweeping it through payment terminals.

But not only companies, also governments are catching up to the digital possibilities of fingerprints. The European Union is slowly putting up regulations among its members to have fingerprints in passports mandatory. The fingerprints will be saved in a huge digital databank. At the moment, the Dutch government was still able to block this and a majority of the Dutch politicians are against fingerprints in passports. The politicians still think fingerprints aren’t the safest way of identifications. Are these concerns justified?

Researches have looked at different ways of attacking the fingerprint scanners and found at least 6 legitimate attacks to beat the system:
1. Use the finger itself. The researchers found that one of the highest risk is still being forced to press your own alive finger against the scanner. It is easier for criminals to use your finger than to find out your password. As advice they give to always combine fingerprints with passwords.
2. Use someone ells his finger. The research showed that most fingerprint scanners work with a system of categorizing the user with loops, whorls or arches. If the attacker knows which category the user belongs to, he might be able to find a person within the same category.
3. Use a severed finger. This is almost a Hollywood movie plot, but the researchers state this a option that could be used frequently in high level crime. Sophisticated systems can counter this attack by putting in a extra check to detect if the finger is actually alive.
4. Use a genetic clone. Again, the risk of this happening seems farfetched. The researchers state that sometimes twins can have fingerprints that look alike so much, they fool the system. Fingerprints aren’t genetically determined but is a pattern of the nerves growing into your skin. Still, some twins seem to have almost identical prints. A really precise system however, can still find the difference.
5. Use an artificial fingerprint. The biggest risk of all, use a fake finger with the real subjects fingerprint. This fingerprint can either be obtained physically or from a (hacked) database. Researchers have been successful in making a fake finger that could trick scanners in thinking it was the finger of the original user.
6. Other ways. Fingerprint systems are just systems too. Some attackers may use strange errors to fool the system into believing something that didn’t happen. Reports have been made that exposing sensors to extreme lights, heat or cold, different humidity’s or vibrating the scanner can cause it to malfunction and give access to the hackers.

Sources:

http://www.barska.com/Products-Biometric_Safe.html

http://lucidfood.com/2014/01/09/passport-iran-struggled-get-iranian-citizenship/

http://cryptome.info/0001/gummy/gummy.htm

https://www.apple.com/iphone-6/touch-id/

http://tweakers.net/nieuws/99115/mastercard-experimenteert-met-vingerafdruklezer-in-creditcard.html

http://www.privacybarometer.nl/maatregel/62/ID-kaart_zonder_vingerafdrukken

Advertisements

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: