Reading the news this week, one would think cybersecurity was the most interesting topic on the planet! It seems as though every publication and news outlet has a computer security story: the release of celebrity credit reports (which may not really be serious hacking at all), a new Linux distro with a host of security tools (OK, that was in the technology news), and then there were the fake fingers. Bob Cromwell first made me aware of this earlier in the week, then last night it was on the evening news!
The story is simple enough: one person uses a replica of another person’s finger to clock him or her in and out of a facility – a hospital in this case. Most biometric fingerprint scanners require only one finger at a time, have a keypad so a PIN is required (multifactor authentication), and are in an area that is easily viewed or is under video surveillance. It is the video surveillance that was used to catch the culprit in this case. Some years ago I proposed a similar setup to a client because employees were clocking in for others using an old paper card system. I don’t think any of them were capable of making fake silicone fingers.
So how do the fingers work? It’s actually quite simple, really. If one has access to the real finger, a mold is made and the mold is then filled with silicone to create a copy of the end of the finger. It is a little more difficult if one doesn’t have access to the actual finger, though. In that case one has to take a fingerprint (say from a drinking glass) and make the mold from an image of that. I discuss how it works when I teach Course 468. The point is that the silicone finger (a material similar to that used for Gummi Bears can be used instead, but it’s less durable) has ridges just like a real finger, and those ridges are seen by the camera in the fingerprint scanner much as it sees real ridges.
Less expensive fingerprint scanners only have cameras that look for and process images of ridges. More expensive ones look for heat (and can thus be fooled by warmed fake fingers), and even more expensive versions check for blood flow. One version sends a tiny electrical current through the “finger” to ensure it is indeed real. Each of these versions has its place, though. Less expensive scanners may be appropriate if there is less to protect and where another factor such as a security badge is also used. I would think that a hospital, though, might want something a bit more secure than just a simple image…
We’d like to hear your thoughts on biometrics and fingerprints in particular. As more people figure out how to spoof these systems, is something more sophisticated needed?