Subverting Fingerprinting
squizzar writes in with news of a 27-year-old Chinese woman who was discovered to have had her fingerprints surgically swapped between hands in order to fool Japanese immigration. "It is Japan's first case of alleged biometric fraud, but police believe the practice may be widespread. ... The apparent ability of illegal migration networks to break through hi-tech controls suggests that other countries who fingerprint visitors could be equally vulnerable — not least the United States, according to BBC Asia analyst Andre Vornic." Time for some biometric escalation. Could iris scans be subverted as easily?
Shodan's retinal scanners can always be fooled (Score:2, Funny)
if you carry around a handy severed head.
Re: (Score:2)
No, because when you peer into something your eye adapts for the darkness so the person would need to be peering into something of equal darkness as you kill them so the eye stays at the optimal configuration. Otherwise the scan will differ enough to fail.
Also the eye may dilate as you kill them which will also fuck the result.
Iris size: Trivial (Score:5, Informative)
Also the eye may dilate as you kill them which will also fuck the result.
Mydriasis happens with death, indeed.
But it's almost trivial to induce miosis instead, using the proper chemicals. (Cocaine, as an example of something which won't be difficult to obtain for would-be criminals. As a bonus, this same substance doubles as a way to kill the victim through overdoses AND a way to preserve the iris in miosis).
Re: (Score:2)
Voice of experience, is that you?
Re: (Score:2)
Voice of experience, is that you?
Ya know, I was just starting to wonder why he is spending so much time on that, which could be spent digging a tunnel. :> Come on. It was funny in my head. lol
Re: (Score:2)
What's Demolition Man?
Re: (Score:2)
Hmmmmm....
Surely only someone with a valuable retina would hide.
Watching 'Bladerunner' too many times? (Score:3, Interesting)
However, the open question that TFA brings up is whether or not you can skin graft somebody else's fingerprints on to you. (Or vice versa). You can do allograft skin grafts, at least temporarily, so it's feasible.
Re:Watching 'Bladerunner' too many times? (Score:5, Interesting)
Or how about just carving a custom print into the finger. Maybe something like the laser surgery they do on corneas or tattoos.
Hard to fake. (Score:2)
carving a custom print into the finger {...} like the laser surgery they do on {...} tattoos.
Well, it's going to be less easy, because the actual appearance of fingerprints depends on the shape of deep skin structure.
Thus "fingerprint" laser surgery would have to go deeper than "tattoo" laser surgery.
This raises problems of transporting and focusing the laser energy.
This also brings more risks of scarring (and you want to present fingers which look "normal" to the security check).
etc.
Not impossible, but currently harder to do than transplant.
But perhaps 3D bio-matrix printing could be used? There has
Re:Watching 'Bladerunner' too many times? (Score:4, Insightful)
The tech for swapping fingerprints apparently exists.
The tech for swapping fingerprint cards has existed even longer. Sometimes it's the people taking the prints that swap them for you.
Re: (Score:2)
I think you might be thinking about 'Minority Report' instead of 'Blade Runner' in terms of retinal scanning.
Re: (Score:2)
I've read several enlightening stories on the web in years past saying eyeball transplants are not far off. Apparently new eyeballs, some stem cells and time can allow the brain to recognize and rewire itself for the eyes of another.
Sounds really creepy, unless you're a blind man.
Re: (Score:3, Funny)
"We're closer to a working release of Duke Nukem Forever than we are to eyeball transplants."
We have already made eyeball replacements. Low resolution, only 12x12px, and it transmits the signals to your brain via the tongue, BUT IT WORKS.
Duke's fucking late to the party, as always.
Retina vs. optical nerve : It's CNS. (Score:3, Informative)
We have already made eyeball replacements. Low resolution, only 12x12px, and it transmits the signals to your brain via the tongue, BUT IT WORKS.
Sorry, no. The thing is a *retinal* replacement.
That's where the whole trick lies.
The main problem is the way the signal processing in the eye functions - the eye is already central nervous system.
Absolutely everywhere in the body, sense signals are processed the exact same way:
Some specialised type of cell detects some event (chemical, physical, whatever).
This signal is carried from there by a nerve - which links peripheral nervous system to central nervous system - to a first place (in the central nervou
Re: (Score:2)
None of those really subvert fingerprint scanning. It just invalidates the results. The police are highly likely to notice your lack of prints.
A transplant moving your finger pads around though will let you through as unidentified. A far more valuable thing.
Re: (Score:2, Interesting)
There are several cases of this in the USA in the last few years.
So far they've all ended up being attributed to disease or professions that have the side effect of diminishing or eliminating fingerprints.
Having a lack of fingerprints is not illegal, but the cops' excuses have always been, "If'n ya ain't got dem fingerprints, ya must be upz ta no good...".
(Extreme hick accent intended for purposes of parody.)
Re: (Score:2)
Surely there was a reason they were trying to fingerprint those people for the police to even notice...
I have never had a cop in the US (nor Canada) randomly ask to verify if I have fingerprints.
What a security vulnerability! (Score:2, Insightful)
This is only a security threat if someone removes my finger and grafts it to someone else's hand so they can get my data. So my data is only as secure as the skin on my finger. I'm so scared. The likelihood of someone stealing my finger to get data is really high. Worse, they'll steal my eyeball to fake an iris scan. Maybe soon they'll just steal my brain and remove the passwords I have memorized. I'm sure in all those scenarios what I'll be thinking is "OMG, My Data!"
Re: (Score:2, Informative)
Well, I'd get in trouble for this if I didn't post anonymously....
I work for a Fingerprint Sensor manufacturer. There are roughly two of those for current laptops (Authentec and Upek), with several other up-and-comers (Validity, Egistech), and a legion of failed manufacturers.
The ability to spoof a fingerprint sensor using a printed fingerprint is highly dependent on the specific technology used. As I remember the Mythbusters episode, they used an optical placement fingerprint sensor (glass plate that you
Re: (Score:2)
You'd get in trouble from your employer for breaking the news that the systems are getting more secure and harder to spoof?
Re: (Score:2)
Actually, I've heard stories of rich folk in Central America who get car jacked, but have biometric locks, so the carjackers cut off their fingers.
It happens.
Re: (Score:2)
Malaysia, is the story you're thinking of - http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm [bbc.co.uk] - though it's happened more than once I've heard, but don't have any other links.
Re: (Score:3, Interesting)
Just buy insurance for the stolen car.
While insurance might compensate you for your lost finger, most people are more attached to their fingers than they are to their car
And even if you're more attached to your car, this sort of system will cause you to lose both.
Gives a new meaning to... (Score:3, Funny)
I'm sure in all those scenarios what I'll be thinking is "OMG, My Data!"
Gives a new meaning to the term "thumb drive".
Re:Gives a new meaning to... (Score:4, Funny)
I don't want to see the keychain of a future burglar...
Re: (Score:2)
Pretty much that. All it proves is that you can become "not you", not that you can become someone else. It works to avoid a positive match, but it won't work to create a false positive match.
Re:Woah (Score:5, Funny)
True story:
I worked at a video game developer once who had biometric finger scanners to clock in and out, but required you to type in your employee number first.
"If it has my fingerprint, shouldn't it know my employee number?"
So I started playing with it. I started with the same finger on the same hand. It took it. Then a different finger on the same hand. Yup. It took a different finger on a different hand. And then we got creative.
Someone Else's finger? Check. Elbow? Check. Toe? Check. Tongue? Check.
In fact, we finally found the limit of the system. It took a warm hot dog pressed up against the fingerprint scanner, but not a cold one. A lot of my faith in fingerprint biometrics was shattered then and there. I since dated someone who had a fingerprint scanner on her computer, though that only seemed to let me through wrongly some of the time.
Another thing we learned? Co-workers don't appreciate it when you lick the thumb scanner that everyone has to clock in with.
Re: (Score:2)
Biometrics can be used for prevention but also detection. The scanner may not be doing a comparison at all but just recording the fingerprint. Simply a digital way of "signing in". If another employee or an outsider logs in under a false employee number then at least you now have recorded evidence. And implementing this will be dirt cheap.
Phillip.
Re: (Score:2)
The reason you had to enter the employee ID first is likely because it was doing a 1:1 match on the fingerprint, which in most devices I've used is done at a MUCH lower threshold than a 1:many search.
On any decent device these thresholds (1:1 and 1:many) can usually be set separately and what can often happen is that the employees aren't properly trained how to use them (yes, there should be training) so they run into all sorts of issues with failed scans, so rather than train the employees they just set th
Did she fool anyone, though? (Score:5, Insightful)
Japanese newspapers said police had noticed that Ms Lin's fingers had unnatural scars when she was arrested last month for allegedly faking a marriage to a Japanese man.
Seems like until they can get rid of the circular scars around their fingertips, they aren't going to fool anyone. From now on, when officials notice circular scars or other shaped scars around fingertips, they will probably have the person undergo further testing.
As far as iris switching...I don't think so. I have a feeling that the permanent blindness that likely follows (though I am not an ophthalmologist, so I can't be sure as to what is possible) will override any benefits that come from the short term gains of biometrics trickery.
Re:Did she fool anyone, though? (Score:5, Insightful)
From now on, when officials notice circular scars or other shaped scars around fingertips, they will probably have the person undergo further testing.
However, their cost to check has now gone up by at least 2x, maybe even 10x - they need to manually inspect every person (you can't just check the negatives because if the faker happens to have passed through successfully in the past their 'new' prints will already be in the database).
And this is only one attack vector. We've already seen the Korean woman [crunchgear.com] last year who used a practical application of the gummy bear [theregister.co.uk] trick to fool the Japanese too.
The thing to remember is that these systems will only get less effective as time goes by. All the hype when proposed about how great they are, for whatever intended purpose, represents the best they will ever be - the more familiarity people get with the systems, the more ways people will figure out how to circumvent them.
Kinda warms my freedom loving heart it does.
Re: (Score:2)
However, their cost to check has now gone up by at least 2x, maybe even 10x - they need to manually inspect every person (you can't just check the negatives because if the faker happens to have passed through successfully in the past their 'new' prints will already be in the database).
Not really. Japan prints every foreigner that passes into the country anyway, I don't think a manual inspection before they make you put your fingers on the pad would add that much time to the process.
Re: (Score:3, Interesting)
It does add up. And some people have scars on their fingers for non-nefarious purposes. The tip of one of my thumbs was cut off in an accident and then sewn back on. I fly in and out of Japan all the time. All I need is more Mickey Mouse at immigration.
Re: (Score:3, Interesting)
I had psoriasis when I was fingerprinted for a DOD lab job. My fingerprints were temporarily gone and all I had was thick smooth skin on my fingertips. I even told them I had no prints and they didn't care. My print cards looked like heel prints, they wouldn't match my hands today at all.
I also had a hard time holding onto things with smooth fingertips.
Re: (Score:2)
Mythbusters defeated a similar lock using a simple fingerprint photocopy. [engadget.com]
Re: (Score:2)
My first thought. Their methods & technique were crude, but with practice and probably some refinement it could probably be made turnkey for anyone who could make chocolate chip cookies from the recipe on the chip bag.
Re:Did she fool anyone, though? (Score:5, Funny)
That always struck me as a little improbable. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
Re: (Score:2)
That always struck me as a little improbable. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
Some people live by the five-second rule!
Re: (Score:2)
That always struck me as a little improbable. You mean you're just going to eat that thing right after you pressed it against a disgusting fingerprint scanner?
Totally. No way the gazillions of dollars or revenge or whatever you'd get from your perfect crime would be worth that.
Re: (Score:3, Insightful)
Won't most people end up doing that anyway?
Come to work, put the finger on the scanner, go to the cafeteria, grab a donut or something, eat it.
If the thought of eating something that touched a fingerprint scanner disgusts you, avoid thinking too much of all the crap you touch with the fingers every day, or you might vomit.
Just a few examples: your car'
Re: (Score:2)
I've always thought there was something suspicious about Stevie Wonder.
Both hands (Score:2)
Fingerprint both hands. With digital scanning it's not that big of a deal.
Re: (Score:2)
Systems probably don't do comparisons between different fingers, if you don't know which finger it is yes it should. But comparing a finger known to be the left thumb against another finger known to be the right thumb? or even worse they switch the prints on the middle 3 fingers and swap them around from index to ring finger or something. The computing time for a problem like that goes up 10x if you have to compare each incoming print against all fingerprints on a person.
long term identity subversion prevention (Score:4, Insightful)
The only real identity that is immune from subversion is consistent, community agreement.
What I mean by this is that every piece of data measured can be faked, copied, or altered in the database against which the measurement is checked. DNA can be planted, id cards will be sold on black markets and faked, biometrics can be later changed or forged. The measured data in the database against which identity is checked can be altered - *all* the technology-based methods for ID have vectors of attack.
What cannot be faked is what one's peers and friends agree upon regarding who an individual really is, and that the human in question really is the person they agree it is. If all the friends and neighbors agree you really are Bob, then you're Bob regardless of what you do, or what data is stored in electronic systems. This is an unwieldy (nearly impossible) metric for access to a bar, authentication for into services, permission to drive, or asserting your ID at the bank to get your money. However, at its heart, community consistency could be the unalterable root from which all the other identification methods would rely upon. Basically one can create all kinds of electronic, physical, and technology based systems that will need to get reset when they are faked or forged or incorrect. To rely on other electronic systems for that reset is flawed and misses the essential nature of how people understand and use interpersonal identity.
Re:long term identity subversion prevention (Score:4, Funny)
To rely on other electronic systems for that reset is flawed and misses the essential nature of how people understand and use interpersonal identity.
Not everyone likes their friends, family, coworkers, or neighbors. Some people have jobs that are highly mobile. Some people prefer not having attachments to others. There are individuals that don't have a community identity of any kind. Should a person be denied access to those resources simply on the basis that they have no friends?
Officer: "Well your honor, he hadn't committed any crimes but we noticed that he had no friends."
Judge: "Good enough for me! Anyone who has no friends is clearly a threat to society. Book 'em danno."
Officer: "Uh, yes sir. Who's Danno?"
Judge: "Nevermind, son. It was before your time."
Re: (Score:3, Insightful)
At one time, that was sort of the final safety valve. If worst came to worst, a person could start over with a more or less fictional history and be judged from that point forward only.
While that can be misused, there can also be legitimate uses. We as a society seem to be racing headlong the other direction. Get caught peeing on a dumpster and you might get a scarlet letter for life.
Re: (Score:2)
I dunno . . . ever seen the movie "The Return of Martin Guerre?"
Re:long term identity subversion prevention (Score:4, Insightful)
What cannot be faked is what one's peers and friends agree upon regarding who an individual really is, and that the human in question really is the person they agree it is. If all the friends and neighbors agree you really are Bob, then you're Bob regardless of what you do, or what data is stored in electronic systems. This is an unwieldy (nearly impossible) metric for access to a bar, authentication for into services, permission to drive, or asserting your ID at the bank to get your money. However, at its heart, community consistency could be the unalterable root from which all the other identification methods would rely upon. Basically one can create all kinds of electronic, physical, and technology based systems that will need to get reset when they are faked or forged or incorrect. To rely on other electronic systems for that reset is flawed and misses the essential nature of how people understand and use interpersonal identity.
I disagree. Community relationships can be forged just as easily (if not easier) than biometrics in every sense. ... those are a person's closest contacts giving their most sincere impressions of that person. Do you feel like you really know him after reading one? Is it really likely that they do?
... a complete rewiring! ... but it's still Bob, from society's (and the law's) point of view.
... it resides in a medium that is neither fully understood nor fully expressible. For all practical purposes, Bob will remain the sum of his parts, both socially and biometrically. Our ability to gauge Bob, like our ability to impersonate him, is based squarely on our perceptive capabilities and our time investment, and biometrics (especially retinal scans and DNA prototyping) are pretty damned capable.
First, you have to ask yourself "which community?" With modern transportation, Bob's community could easily span his state. With modern communication, Bob's community could span the entire world. Concepts of traditional associations and communities are in a state of constant flux. To Bob's closest friends, he may be a blob of text. It's entirely possible that Bob goes throughout life without anybody ever truly knowing him. And even if he develops close relationships, they may be difficult to extract and correlate enough to develop any serious sense of him. Just go read an obituary
Then, you have to ask yourself "what consistency?" To his World of Warcraft pals he may be a secret agent astronaut millionaire [toynk.com]. To his Facebook friends, he may seem a fun, insightful guy who loves to play sports. To his parents, whom he visits on holidays, he might be a successful banker. To his landlord, he might be a deadbeat who lost his banking job in the recession. All of these personas are maintainable and verifiable in the context of his community relationships.
So bring forgery into account. Online, forgery is easy, as long as there's internal consistency with his community. In person is more difficult, but there are physical look-alikes and actors who could pull it off. Someone claiming to be Bob could completely redefine his community impression with enough determination. Point is, someone can easily pretend to be Bob, with or without his blessing, in any of his community relationships if they devote enough time and circumstance works in their favor.
So what really is a person's identity? It's not community relationships any more than it's biometrics. All of those are third-person impressions of an organism, and they only certify identity through temporal and physical correlation of their data. The only physical identity that is Bob is his brain, which (for now) cannot be duplicated and (spiritually) will never be (if that's the kind of thing you believe in). Even then, Bob can change in an instant with brain trauma
His identity is not absolutely verifiable for the same reason it's unique
Re: (Score:2)
Which works just fine up until the point that everyone is bribed to say something.
Or maybe Bob just did something so apparently horrible that everyone decides to lynch him by refusing to vouch for him.
Re: (Score:3, Insightful)
"The Myth of Fingerprints" - Paul Simon, right? As far as I understand it they only use a few "distinguishing features" anyway - and they allow for damage to those (like a cut). However, the point is that it's hard to predict what will "fool the scanner" and what won't. If you don't know which "distinguishing features" it's looking for what do you change? Even harder is to get the scanner to give a false hit on someone else's finger print data (so you can pretend to be them).
As evidence at a crime scene I t
Scanners (Score:2, Interesting)
The problem isn't technology in this case, but rather bad assumptions made by the designers and users. What you're doing when you use a biometric scanner is (most often) taking a reading and converting that into a hash. And for any given hash, there will be at least one pattern that will resolve for that hash, possibly several or many. It's the same with DNA -- we can't sequence and compare a person's entire DNA, but we know certain parts of certain genes exhibit a high degree of variability, and so we sequ
FBI fighting this since the 1930's (Score:5, Informative)
"other countries who fingerprint visitors could be equally vulnerable — not least the United States", according to BBC Asia analyst Andre Vornic.
Vornic needs to do some research. Criminals in the US have been attempting to surgically alter or mask their fingerprints since at least the 1930s, and the FBI has been researching the techniques since then as well. I remember reading about this in a book from the 60's, where a counterfeiter surgically swapped his prints around, and the FBI recognized them, out of order, and matched them back up with the original fingers.
Still the same fingerprints...? (Score:2, Interesting)
So the only way this person's surgery is actually worth anything is if fingerprint scans care which hand the prints are on? I would think that if you switched your hands' fingerprints, you'd still have the same prints, which could be picked up easily enough as long as the scan tests the prints against your right and left hands both.
Not to mention, as I'm sure someone has by now, they would probably notice the scars. I would think it would be more worth it to get someone else's fingerprints, if you could.
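The check discussed in this comment and in the "Both hands" reply above (compare each presented print against every enrolled finger, at roughly 10x the comparisons), sketched as an added example that is not part of the thread. The feature vectors, the cosine score, the threshold and all function names are assumptions standing in for a real minutiae matcher; all data is constructed.

```python
import math
import random

DIM = 64         # toy feature-vector length (assumption)
THRESHOLD = 0.8  # score at or above which two captures count as the same finger (assumption)

def make_tenprint(rng):
    """Constructed enrollment record: index 0-4 = left hand, 5-9 = right hand."""
    return [[rng.gauss(0, 1) for _ in range(DIM)] for _ in range(10)]

def capture(templates, rng, order=range(10), noise=0.2):
    """Simulate a fresh scan: finger slot i presents the skin of enrolled finger order[i]."""
    return [[x + rng.gauss(0, noise) for x in templates[j]] for j in order]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def match_by_position(probe, enrolled):
    """Slot i is compared only with enrolled slot i. Returns (hits, comparisons)."""
    hits = sum(cosine(p, e) >= THRESHOLD for p, e in zip(probe, enrolled))
    return hits, len(probe)

def match_any_position(probe, enrolled):
    """Every probe slot is compared with every enrolled slot.
    Returns ({probe_slot: enrolled_slot}, comparisons)."""
    mapping, comparisons = {}, 0
    for i, p in enumerate(probe):
        best_j, best = None, THRESHOLD
        for j, e in enumerate(enrolled):
            comparisons += 1
            score = cosine(p, e)
            if score >= best:
                best_j, best = j, score
        if best_j is not None:
            mapping[i] = best_j
    return mapping, comparisons

def classify(probe, enrolled, min_fingers=8):
    """Position-independent decision; flags records whose prints sit on the wrong fingers."""
    mapping, _ = match_any_position(probe, enrolled)
    if len(mapping) < min_fingers:
        return "no match"
    if all(i == j for i, j in mapping.items()):
        return "match"
    return "match, prints rearranged"

def build_scenarios(seed=2009):
    """Constructed test data: one enrolled person and three later scans."""
    rng = random.Random(seed)
    enrolled = make_tenprint(rng)
    honest = capture(enrolled, rng)
    swapped = capture(enrolled, rng, order=[(i + 5) % 10 for i in range(10)])  # hands exchanged
    stranger = capture(make_tenprint(rng), rng)
    return enrolled, honest, swapped, stranger

if __name__ == "__main__":
    enrolled, honest, swapped, stranger = build_scenarios()
    for name, probe in (("honest", honest), ("swapped", swapped), ("stranger", stranger)):
        print(name, match_by_position(probe, enrolled), classify(probe, enrolled))
```

A position-only matcher scores the swapped scan the same as a stranger's; the all-pairs pass recovers which enrolled finger each print came from, at 100 comparisons per record instead of 10.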
Re: (Score:2)
Also, I think they only transplanted part of each fingerprint around. So you would get a transplanted section in the middle of your finger or something. That would make detection harder.
Life imitates art (Score:2)
So I gather it's time to upgrade our biometric identification to the new "colonic map" technology?
Fraud? (Score:3, Interesting)
Is it really fraud? Is there some promise that everyone has made to never make alterations to their bodies?
(I think it's dumb, but I don't see how it is fraud, she didn't actually impersonate anyone or anything)
Re: (Score:2)
Note the word "alleged". They are accusing her of doing it in order to illegally enter the country.
She obviously did impersonate someone, well at least claim to be someone who possibly doesn't exist at all, since otherwise she wouldn't be in the country.
It seems pretty cut and dry since she would also have had to use false information on the parts of the immigration form asking things like "what is your name?", "have you ever been deported?", and so on.
Re: (Score:2)
It's not illegal to copy/forge a signature either, unless the purpose is to impersonate or defraud. It's called intent. It will likely be more difficult to prove intent than to prove the act itself, however. It is like the difference between copying someone's signature on a blank sheet of paper versus doing so on a check.
Re: (Score:2)
It's not illegal to copy/forge a signature either, unless the purpose is to impersonate or defraud. It's called intent. It will likely be more difficult to prove intent than to prove the act itself, however. It is like the difference between copying someone's signature on a blank sheet of paper versus doing so on a check.
IANAL but I would have thought it pretty hard to come up with a convincing alternative to the explanation a prosecutor may use: "the accused had their fingerprints surgically swapped around to avoid detection".
What about publishing them openly? (Score:5, Interesting)
How about a public (anonymised) repository of fingerprints. The idea is this: I can't change my prints, nor can I get back control once the government has taken them. But I could publish them to the world. That makes the print very easy for anyone else to fake. In other words, plausible deniability.
Re: (Score:2)
How about a public (anonymised) repository of fingerprints. The idea is this: I can't change my prints, nor can I get back control once the government has taken them. But I could publish them to the world. That makes the print very easy for anyone else to fake. In other words, plausible deniability.
Your plausible deniability just landed you in jail for aiding terrorists. Please try again later.
Re: (Score:3, Insightful)
How is that going to help you when they refuse to let you in at the border check?
Re: (Score:2)
Well, I may not be able to control my identity, but I can repudiate my biometrics. The idea would be (if enough people participated) that a given fingerprint or DNA sample at a crime scene etc would cease to identify any one person in any reliable way.
Re: (Score:2, Insightful)
How about a public (anonymised) repository of fingerprints. The idea is this: I can't change my prints, nor can I get back control once the government has taken them. But I could publish them to the world. That makes the print very easy for anyone else to fake. In other words, plausible deniability.
Why stop there.. Post DNA to the web too ;)
To my mind the whole idea of biometrics as an absolute to your identity is bogus. It is nuts to think that just because DNA is 'unique' you it makes it exclusive enough to be a guarantee of who you are. Given time and technology and the descendants of the current DNA cloning technology they use to solve crimes being smaller, cheaper and portable how long will it be before DNA is realised to be THE most unreliable source of exclusivity there is as EVERYONE leaves tra
Re: (Score:2)
No different to software experts objecting to voting machines based on general purpose computers...
Easy enough... (Score:2)
If your only objective was to stop your retinal scan from being successfully compared to one on record, I'd think a little mild laser surgery would solve the problem.
Subverting iris scans (Score:2)
Hello, Mr. Yukamoto, and welcome back to the GAP!
Time for some biometric escalation?? WTF! (Score:2)
Time for some biometric escalation.
BULLSHIT! It's time to stop the gestapo tactics and open all the borders to anyone that wants to enter any country. After all, we are all human beings born in the same planet. Those imaginary lines that they always told you were borders between US and THEM, they are just that, imaginary lines made up by the people in power.
"Imagine there's no countries" - John Lennon
Re: (Score:2)
Well okay but you could spend all century talking about Bad Shit in China which the people there want to get away from.
Re: (Score:2)
I am not sure Japan is actively trying to keep Darth Vader and Luke Skywalker out of the country.
But as to your point: yes I suppose so. Techniques like this which work on 99% of the population free up resources to manually check the remaining 1%.
Re:What about the disabled? (Score:4, Funny)
Yes, Darth Vader has been able to slip undetected into numerous Western democracies for this very reason.
Re: (Score:2)
Yeh, that Dick Cheney disguise is a ripper!
Re: (Score:2)
He even got a job at CNN
Re: (Score:2, Funny)
Yea but that won't work on Americans.
Re: (Score:2)
It's another Bond film - 'Diamonds are Forever' - that has the fake fingerprint tech [jamesbondmm.co.uk] in it.
Re: (Score:2)
I'm willing to bet there are far more nerves in the glans of your penis.