Date Posted: 22:00:55 05/15/02 Wed
Author: zazoo
Subject: Here's some text on that:
In reply to: zazoo says: No Way Jose! 's message, "No way! Too easy to counterfeit. A Japanese guy recently worked out how to counterfeit" on 21:07:46 05/15/02 Wed

Fun with Fingerprint Readers

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. These are security systems that attempt to identify people based on their fingerprint. For years the companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.

Matsumoto uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.

His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.

Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.

Matsumoto tried these attacks against eleven commercially available fingerprint biometric systems, and was able to reliably fool all of them. The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing. Impressive is an understatement.

There's both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he's a mathematician. He didn't use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with "live finger detection" features. (Moistening the gummy finger helps defeat sensors that measure moisture or electrical resistance; it takes some practice to get it right.) If he could do this, then any semi-professional can almost certainly do much much more.

More generally, be very careful before believing claims from security companies. All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that they don't really work, or that they don't apply to them, or that they've fixed the problem. Think twice before believing them.

Matsumoto's paper is not on the Web. You can get a copy by asking:
Tsutomu Matsumoto

Here's the reference:
T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, "Impact of Artificial Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002.

Some slides from the presentation are here:


My previous essay on the uses and abuses of biometrics:


Biometrics at the shopping center: pay for your groceries with your thumbprint.



--------------------------------------------------------------------------------


Comments from Readers


From: "Joosten, H.J.M."
Subject: How to Think About Security
> More and more, the general public is being asked to make
> security decisions, weigh security tradeoffs, and accept
> more intrusive security.
>
> Unfortunately, the general public has no idea how to do this.
People are quite capable of making security decisions. People get burglar alarms, install locks, get insurance all the time. Of course it doesn't always help, and people may differ with respect to the security levels they require, but I don't see a fundamental difference in decision making.
So what IS the difference then? It's that people in "the real world" have an idea of what the security problems are. Your car can get stolen. You can get burgled. And so on. They have a perception of the consequences of having to get a new car, having to buy stolen stuff and repairing the entrance.
People don't have this idea with respect to information security. They may go like: "So what about firewall settings? Customers don't complain, they pay their bill. So WHAT are the problems that I must solve?" People don't seem to feel the REAL consequences. Within companies, this might be an organisational issue. For individuals, not all that much seems to go wrong if you stick to whatever your ISP says is good practice.
We, as security experts, keep talking of what MIGHT happen, and we're all too happy if some incident actually happens. Most of these incidents are not actually felt by people, so they don't perceive it as their problem. We can frighten them by pointing to these incidents. But then they don't have a security problem. Their problem is one of fear, and this can be gotten rid of easily by the same person that installed the fear. That's how some security sales can, and are made to work.
So while your "Step One: What problem does a measure solve?" is a crucial step, there's real work to do before that. We should come up with a self-help method for the general public, that they can use to assess what kind of problems they have, and actually perceive, from their own perspective. They are responsible, meaning that when things turn sour, they're the ones that face the consequences. Where they don't perceive realistic consequences, they don't have problems. If your or your neighbour's house gets burgled, or a house in your block, that's when you perceive a problem, and then you're going to do something about it. People can do that. They've been doing it all the time. And then, but only then, is your five-step process going to be of help.
