Now if someone could develop some sort of webcam that spots braindead users, that could help me tremendously in my job.
What do Gummi Bears and amputated fingers have in common? They’ve both been demonstrated as techniques for defeating fingerprint scanners. Now, a German company called Dermalog Identification Systems is using the way skin changes colour under pressure to block both the soft sweet and the dead hand of the zombie from accessing …
Vibration-white-finger, colour-calibration on the cameras being out, someone sweating, someone with high/low blood pressure (people literally "go white" when their blood pressure is low), someone hyped on adrenaline (same effect, visible in anyone that is experiencing fight-or-flight, used as an indicator by anyone with knowledge of self-defence: red face = he's mad but you're safe for the moment, white face = run or get ready to fight back, and now you can't get into your building because the serial killer chasing you has made your adrenaline flood your limbs instead of blood).
My bet is that it will be fooled by someone holding a CLEAR, very thin Gummi bear (or even just simple PVA-glue-skin with the right imprint) over their real finger. Did they test that? It took me all of five seconds to imagine one way around it, and would probably take only a day of testing on the system to make it a viable attack.
But I was under the assumption that different colours absorb light differently. The article mentions specific wavelengths, which translate to specific colours; I could understand your point if the article stated pressure causes an x nanometre shift in wavelength (due to the blood moving), but it doesn't.
It's not quite correct to say wavelengths translate to specific colors. Yes pure light of a given wavelength has a color, but most colors we see in everyday life cannot be expressed as a single wavelength, they're made up of a combination. So I'm pretty sure that's not what they mean. I think they mean the finger's absorption of light at those specific frequencies. I imagine 550nm (green band, a bit on the yellow side) is absorbed by the blood itself, which should be pretty consistent between humans. The other part, 1650nm, is a little less obvious, but in any, it's infrared, so definitely not a skin color in the traditional sense.
They don't need to. What about an "almost" clear material over a real finger? The colour and fingerprint don't have to be the same finger, necessarily. The system probably isn't clever enough to detect that, especially if it blurs the underlying fingerprint just enough to make it flat but let colour through and then the camera will "see" the right fingerprint and the right colour from two different objects. Sure, there are probably countermeasures but it quickly becomes more expensive for the sake of some incredibly low-tech "hacks".
And fingerprint security is the most ridiculous form ever but controls a lot of things. Hint: If you want access to a secure building (like a lot of schools nowadays) you just need to stick a gummi bear over a existing fingerprint (my bet would be the gate/door handle next to the fingerprint reader) and then put it on the fingerprint reader. You would be accepted as a valid user (hence the gummi-bear being renowned as completely defeating fingerprint security), allowed entrance and nobody would know who you were. It takes seconds and gets you into everything from private home to schools to industry to military complexes (not to mention encrypted off-the-shelf fingerprint-capable laptops like the Thinkpads).
My daughter's nursery wanted my fingerprint in order to verify who collected her. You literally cannot get into the building without having your fingerprint taken and checked at every entrance. Once inside, they don't care who you are (yes, that's stupid but it's how fingerprint technology is perceived), because the fingerprint-reader verified you as a parent. At which point I told them that they wouldn't be getting my print and enquired about their procedures (which included - if I phoned them and told them that someone new was picking my daughter up, they would open the door for them and not require fingerprints or ID at all - and the phone call validation would be nothing more than SOMEONE phoning up and they had no way to tell if it was me or not). It was all a waste of time with SO much effort put into expensive equipment wasted by trusting it blindly.
I could, literally, have stolen any child from that nursery using a gummi bear, or even just a previous phone call using the name of a parent.
This is all good and well, though something that one would expect to've been thought of before deploying fingerprint reading around the globe. Apparently that just wasn't important, just like making sure facial recognition scanners on Blighty's airports being able to discern husband from wife wasn't important. Heck, making the darn things work at all wasn't important. Bit of a sign on the wall, all that.
The real problem is that no matter how hard you make it to fake, redress after succesful faking will remain harder. And this also doesn't address the recently measured at a fingerprints-for-passports station over in the Netherlands of a somewhere over 20% failure to match up after initial fingerprinting. Thus it stands that the fingerprintee is still less important than the virtual person with the synthetic identity being "identified". That is, the paperwork trumps the living human every time, regardless of whether he's impersonating, impersonated, or the real deal. And what was that paperwork for in the first place, eh?
What's government for? Why, carrying on regardless of reality, of course.
It boils down to this: You, the human, are expendable.
The technology doesn't really do what the people deploying it say it is supposed to do, yet we're forced to comply anyway. I, as a thoroughly nerdy and un-social person, think this highly offensive and would like to go back to old fashioned personal checks. As mentioned elsethread, say, schools would do far better to know just who they're teaching and who the parents are rather than trying to substitute technology for all that. The former is their bloody job and the latter is just more costs leading to pointless fingerpointing once it inevitably goes wrong worse than when people keep using their heads now and then in practice. Last I checked I was still socially inept but not quite a robot, thanks.
The one that comes to my mind is simply to detect whether blood is flowing in the tested appendage, using the same IR method that is used in hospitals to measure the patents pulse?
Certain establishments I have to attend rely on several full hand print scans complete with checks to see if it is still attached before you progress another 10 metres into their lovely site.
Boy is it a pain in the arse then the pass expires @ 00:00 and you can't get out of the damn place and there's nobody there to reauthorise your credentials
The last thumbprint reader system I had installed looked for a pulse as well. Funny thing is that one of the owners of the company, a man with a two-pack-a-day habit had terribly poor circulation (big surprise) and he was often locked out of his own company. Within two weeks I was told to replace it with a swipe-card system with proximity readers at the executive door so he wouldn't even have to take his wallet out.
The best laid plans...
Take the necessay prints WITH the whole body. If the credentialed fingerprints are attached to a dead body, "reanimate" it in a wheelchair hiding circulation pumps. A faux colostomy bag or some hoses entering and exiting at various circulation-producing points (abdomen, toes, rectum) and sealant and good testing can probably get a few hours out of a body.
But, to make it lol, talk, drool, and hold coherent conversation? Animatronix and respiration attachments required. In any case, you might wind up (or down) with a Captain Christopher Pike or a Professor John Gil...
I can see blackhats and morticians working on this body of knowledge....
Imagine, it's 20below(Celsius. no F! clue as to what it's in Fahrenheit), you pull of your glowe, shuffle a bit, drop the glowe and pick it up again... Then you press your now very cold finger against the reader...
Guess what, one of your body's defese mechanisms against cold is to contract the blood vessels near the skin and extremeties to reduce bloodflow(and heat loss) there.
..then the farmed finger probably won't match, either. Fingerprints have a chaos factor in their production: they're as much a product of environment as they are the DNA. And since physics as we know it prevents two people from being in the exact same place at the exact same time, the end result are two distinct sets of prints. That's one reason why fingerprints are still kept even in an era of DNA testing.
I hadn't expected the DNA alone to form the correct fingerprint - and anyway the stem cells would be from the recipient, not the fingerprint donor.
I'd sort of imagined using a framework or mold of some sort to shape the growing cells into the required print. Or maybe some sort of micro electronic or printing trickery.
Dead easy(pardon the pun), skin-colour-insensitive and doesn't rely on surface capillaries.
BTW: most school lunch/hand scanners _don't_ rely on fingerprints, but instead use infrared to look at the vein pattern within a hand - these are just as unique and a lot harder to copy/fake using a gummi bear.
This post has been deleted by its author
Retina scans, combined with fingerprints, vein patterns, and ana-rectal webbing and vein patterns would deep eye-dent-ify a contiguous, valid person and weed out body doubles. Of course, in most societies, this would endtroduce a whole new meaning to bending over to endvasive access.
The really gruesome part of this is if some nefarios go into the biz of stealing valuable whole a$$holes to gain access to some facility... Could probably upend the organ theft black market
There is a balance between cost and functionality to be struck, but the "missing body" problem was also solved by a US provider whose swipe reader is based on radio technology. Their matrix sense out radio signals, which get absolved by ridges connected to a large enough mass to dampen the signal. If you use a "disconnected" finger or use a fingerprint cover like wood glue to swipe, you change the capacity, and the thing won't work.
Good to see they keep working on it, but their solution probably needs a bit of work before it becomes affordable (I'm assuming here their principle is right, of course). Meanwhile, keep using the other kit..
The Australian developed "Fingerscan" technology of early 1990s vintage had a method to detect "false fingers". IIRC they took the image using multiple flashes at slightly different angles. A living finger with *some* blood flowing through it would come through a little darker. I don't remember having to press particularly hard on the scanner surface. The system had a "False Finger Index" setting which you "tuned" for users with circulation issues. It sounds like it was taking advantage of the same light absorbing characteristics described in the paper, albeit in a less sophisticated way via old fashioned image processing algorithms. Looking for a real time *change* in light absorption by scanning, rescanning and comparing is a tad more sophisticated. And of course it has to be "thumbs up!"
Biting the hand that feeds IT © 1998–2020