
Thread: Faking fingerprints

  1. #1
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152

    Faking fingerprints

    If this has been posted before I apologise. I did search.

    http://www.ccc.de/biometrie/fingerab...ml?language=en

    Pretty simple method. I don't think it would fool all fingerprint scanners but certainly some.
    Anyone tried it?

    The link was posted on Schneier.com by AO. Anyone round here?

    It was from a blog article here about a fingerprint scanner not working in a prison.

    Fingerprint scanners in a prison. Hmmm good idea not. No keys just fingerprints. Good way to get your fingers cut off. Even if the lock only works with warm fingers I don't think that would stop the prisoners trying.

  2. #2
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Low tech solution that works:

    Lift fingerprint, which gives you a mirror image. Transfer fingerprint onto latex cast. So much for the fingerprint scanner. Same method that's described in the article less the computer workup.

    I'd like to back this topic up a bit and talk about security devices in general - fingerprint scanners, retinal scanners, the works - and offer this:

    What if employees of a company (we'll call it Corporation X) were required to get a microchip implant into a part of their body, which would be used to monitor when they were on and off the premises, perform time clock functions, the works. Now let's say Corporation X had scanners inside the building monitoring for the presence or lack of these chips, and when someone was found lacking one, it tracked that person and set off appropriate alarms?

    Badges, fingerprints, even retinas (with enough work) can be spoofed - what about the chip?
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  3. #3
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    There's a much easier way that fools a lot of fingerprint scanners. When someone uses the scanner (note, this is the full scanners that you place your finger onto), it leaves your fingerprint on the scanning surface. When the next person uses it, the oils from their finger more or less erase what was there and leave their print. A person can take a good old-fashioned gummy bear, yes the candy, and flatten it onto the tip of their finger and press it onto the scanner. Because the gummy is flat the scanner will only see the fingerprint of the last person to use it. The gummy generally will let some heat from your finger through to make it think that it is a real finger pressing on the sensor. Newer scanners won't be fooled by this, but beware of older ones. If nothing else, when deploying a scanner, try this to see if it works before trusting it.

  4. #4
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    I did read that you can just breathe on some scanners and the misting from that is enough to bring up the previous user's print.

    A biometric is only really useful as a single factor in a multifactor identification system.

    What if employees of a company (we'll call it Corporation X) were required to get a microchip implant into a part of their body, which would be used to monitor when they were on and off the premises, perform time clock functions, the works. Now let's say Corporation X had scanners inside the building monitoring for the presence or lack of these chips, and when someone was found lacking one, it tracked that person and set off appropriate alarms?

    Badges, fingerprints, even retinas (with enough work) can be spoofed - what about the chip?
    Ethics of implanting your employees with chips aside (I'm using that sort of phrase a lot now).
    That chip has to emit a signal like an RFID tag. If the signal can be decoded it can be reproduced. It would probably have some sort of crypto key embedded rather than just emitting a static signal but if it can be cracked the signal could be spoofed.

    What about on the other side? It might be easier to compromise the detection system to ignore your 'evil' tag or to make it believe that it has seen the 'good' tag when it hasn't.

    Any company employing such a system would also have other factors in place like ID badges and PIN numbers / swipe cards for sensitive areas. Otherwise Mr EvilDude could just mug you and cut the chip out of your arm and go to work in your place the next day.
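
The difference post #4 draws between a tag that emits a static signal and one with an embedded key, as an added example that is not part of the original thread. All names, the tag ID and the key are constructed for illustration; HMAC-SHA256 over a reader nonce is an assumed scheme, not one named in the thread.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real tag or product.
STATIC_TAG_ID = b"EMP-0042"
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class StaticReader:
    """Accepts any transmission equal to an enrolled identifier."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def verify(self, transmission):
        return transmission in self.enrolled


class ChallengeResponseReader:
    """Issues a fresh nonce per attempt and checks an HMAC over it."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # each nonce is good for one attempt only
        return hmac.compare_digest(expected, response)


def tag_respond(key, nonce):
    # What a keyed tag computes for the reader's nonce.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_results():
    """Return (static_replay_accepted, fresh_accepted, keyed_replay_accepted)."""
    static_replay = StaticReader([STATIC_TAG_ID]).verify(STATIC_TAG_ID)
    reader = ChallengeResponseReader(TAG_KEY)
    recorded = tag_respond(TAG_KEY, reader.challenge())
    fresh_ok = reader.verify(recorded)
    reader.challenge()  # later session: the reader picks a new nonce
    return static_replay, fresh_ok, reader.verify(recorded)
```

The recorded static transmission is accepted again, while the recorded keyed response fails against the new nonce; the keyed scheme still depends entirely on the key staying inside the tag and the reader.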

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    I've tried lifting fingerprints from glass before using a zip seal bag and super glue, works surprisingly well (but saying that, that is the technique forensics use).

    Personally I would have made a PCB instead of relying on the relief of the toner, I wouldn't imagine that there would be a great deal of variation, and you might get more clarity with an etched PCB.

    There are interesting articles about biometrics in this month's (October) copy of "elektor electronics" - think it's a UK and Netherlands thing, but might be available in rest of EU.

    i2c

  6. #6
    I was testing a fingerprint USB mouse from Fellowes a while back. We tried a number of simple methods similar to the above descriptions--without the heroic efforts--to defeat the fingerprint reader. None worked. For a cheapo mouse fingerprint reader, it was pretty effective.

    Keep in mind, we weren't looking at this to protect national security interests. We were looking for just one more level of confidence.

    Bio or other metrics as a factor in multi-factor authentication will become more and more important. Human memorable passwords just won't cut it any more.

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Human memorable passwords just won't cut it any more.
    How do you figure? An effective password policy is still a very strong tool. Sadly, so few people actually utilize EFFECTIVE policies.

    The typical drawbacks tend to be:
    - Requiring passwords that are too long or complex
    - Requiring too frequent password changes
    - Not properly monitoring and controlling password use

    Allowing simple passwords, that don't need to be changed every week and monitoring failed login attempts very closely (including careful lockout and recovery procedures) as well as restrictions to login times and locations is still the most effective single-factor authentication scheme and should remain a part of any multi-factor scheme.

    Retinal scans, fingerprints, voice analyzers, colonic maps, etc. are useful... however they all have one major flaw. The attacker's response to the system's authorization request can be verified as correct WITHOUT access to the system, thus ensuring a seamless authentication.

    cheers,

    catch

  8. #8
    Hey, catch. Naw, I wasn't saying toss out the password. We just need a better way and more factors. The drawbacks you mention are the main things that make passwords ineffective. Companies or agencies tend to give up on requiring the necessary complexity requirements for passwords, so we have the pet names, spouse names, vacation places, etc. as the current password du jour. And, in all too many cases, it is the single point of failure for authentication. Adding more factors, say a USB key and a specific fingerprint (i.e.; right pinky) or an RSA dongle and a retinal scan, and the password becomes less critical, but still a useful factor.

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Originally posted here by rapier57
    Hey, catch. Naw, I wasn't saying toss out the password. We just need a better way and more factors. The drawbacks you mention are the main things that make passwords ineffective. Companies or agencies tend to give up on requiring the necessary complexity requirements for passwords, so we have the pet names, spouse names, vacation places, etc. as the current password du jour. And, in all too many cases, it is the single point of failure for authentication. Adding more factors, say a USB key and a specific fingerprint (i.e.; right pinky) or an RSA dongle and a retinal scan, and the password becomes less critical, but still a useful factor.
    If companies are giving up on requiring the necessary complexity, what makes you think that they'll increase the complexity of logging in by adding additional technical methods?

    The companies that are willing to deploy these things, are generally the ones with the best password policies to start with.

  10. #10
    The companies that are willing to deploy these things, are generally the ones with the best password policies to start with
    I'm not entirely sure of that - some companies may view such alternate authentication methods as a replacement for strong password requirements, rather than a positive supplement.

    I know of at least one company which introduced fingerprint scanners, then two years later decided to strengthen their password policy to something more than "change your password every 30 days with no password history, length requirement, or complexity requirement."
    "The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.
