Peace-sign selfie fools menaced by fingerprint-harvesting tech

Researchers from Japan's National Institute of Informatics say people's fingerprints could be extracted from photographs using yet-to-be built technology. The eggheads warn that fingerprints can be copied from photographs snapped up to three metres from targets. Prints would need to be captured clearly in strong lighting, …

  1. RIBrsiq
    Trollface

    "[F]ingerprints could be extracted from photographs using yet-to-be built technology".

    I'm pretty sure they did more than this in an X-Files episode years ago...

    Meanwhile, on planet Earth, I am happy if the work punch-in thingy doesn't take ages to recognize my finger pressed right there!!

    Also, did these guys look at the output quality of even a decent digital camera...?

    1. sorry, what?
      Trollface

      Not that it matters much with most Brits...

      Because the two-finger gesture most commonly used doesn't show the fingerprint to the recipient.

      1. This post has been deleted by its author

      2. Joe Gurman

        Re: Not that it matters much with most Brits...

        After all, Churchill always gave the "V for victory" using a two-fingered salute most of his countrymen would have blushed at.

      3. NBCanuck

        Re: Not that it matters much with most Brits...

        "Because the two-finger gesture most commonly used doesn't show the fingerprint to the recipient."

        I must say I am a fan of that particular gesture. It portrays the message quite clearly, is easier to make, and somehow **classier than the North American equivalent of "flipping someone the bird".

        **taken from a Canadian perspective anyhow. Would be curious to see how a Brit would compare the two gestures.

  2. Olivier2553

    It sounds like old news

    If I am not mistaken, that had been done 2 or 3 years ago, with a picture of the German Minister.

    I even think that had been reported in El Reg.

    That's: "German minister fingered as hacker 'steals' her thumbprint from a PHOTO", dated December 2014, here http://www.theregister.co.uk/2014/12/29/german_minister_fingered_as_hackers_steal_her_thumbprint_from_a_photo/

  3. Charles 9

    Thing is, they never verified if the photographed fingerprint was good enough to pass a scanner, and they weren't in a position to find out.

  4. Milton

    For the 1,000th time

    Fingerprints are a simply terrible form of security, for any non-trivial purpose, worse even than a decent memorised password. You leave them everywhere and it simply isn't difficult to lift and copy them.

    The fact that Apple hyped print scanning on its phones and was then followed by every lemming on the planet changes nothing.

    No entity with genuine security needs uses fingerprints as a sole defence.

    1. RIBrsiq

      Re: For the 1,000th time

      It depends on what's being secured and against whom.

      The same as with every other form of security ever devised, really.

      I mean, would you like the same level of security used for launching nuclear missiles to be applied to, say, launching your car...?

      1. Filippo Silver badge

        Re: For the 1,000th time

        True, it depends on what's being secured and against whom. Fingerprints are not secure enough to be used to launch nuclear missiles, but they are also not secure enough to be used to start my car. They are not secure enough to be used to access my bank account. They are also not secure enough to be used to unlock my phone, if my phone contains any data worth stealing.

        The problem is that they are being used for all of that and more, where in reality they are only good enough to access low-impact services for which the main defense is that nobody really cares about impersonating you.

      2. 's water music

        Re: For the 1,000th time

        "I mean, would you like the same level of security used for launching nuclear missiles to be applied to, say, launching your car...?"

        Pro tip: Some nuclear powers sell off old ICBMs via military surplus auction sites. I have one for my daily commute (without the warhead obvs). Not sure that it is strictly road legal but it has outrun every cop car so far. I just hope the po-po never get the budget to start using 'yet-to-be built technology' in their pursuit fleet.

        1. This post has been deleted by its author

          1. Flocke Kroes Silver badge

            Re: what to do with the war head

            So many possibilities. The first three ideas to spring to mind: keeping the veg fresh, using the tritium to make glow-in-the-dark key ring fobs and breeding giant mutant super intelligent gerbils.

            In a similar vein, there is a use for a finger print scanner on a car. Set it so any finger activates the cameras and the cattle prod.

          2. This post has been deleted by its author

        2. Rattus Rattus

          Re: For the 1,000th time

          You commute to work riding an ICBM? Do you work on a different continent than the one where you live? Do you hold your breath during the suborbital portion of the flight?

      3. magickmark
        Mushroom

        Re: For the 1,000th time

        "I mean, would you like the same level of security used for launching nuclear missiles to be applied to, say, launching your car...?"

        So basically you are asking if I'd like Donald "The Duck" Trump to have the codes to start my car? That would be a resounding NO.

        I'd not trust him with my car let alone ..... Wait, dear baby Jesus Christ, God save us all!!

      4. JeffUK

        Re: For the 1,000th time

        Good point, I'd never use '00000000' as the password to my car. I suppose it makes sense, the US Govt. has LOADS of nukes laying around and I've only got one car.

    2. joeW

      Re: For the 1,000th time

      It was Motorola who started the bloody stupid fad, about two years before Apple and the rest lemming'd merrily after them.

      http://webcusp.com/list-of-all-fingerprint-scanner-enabled-smartphones/

      1. Raphael

        Re: For the 1,000th time

        "It was Motorola who started the bloody stupid fad, about two years before Apple and the rest lemming'd merrily after them."

        A number of Compaq/HP iPAQ PDAs and Smartphones had them dating back to at least 2003

        http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c00031055

        And if I recall correctly, they were actually built by HTC.

  5. alain williams Silver badge

    Iris scan

    So, likewise, a good, open eyed, mug shot might be enough to be able to get an iris scan ?

    1. Michael H.F. Wilkinson Silver badge

      Re: Iris scan

      It can in principle, and identifying people in photographs using their iris patterns has been done (the famous Afghan refugee girl featured on the National Geographic magazine is a well-known example). To gain access using a photo could be done, but a good iris scanner can (or rather should) check it is a real iris. Any digital print usually shows a very fine regular pattern that stands out hugely in the Fourier spectrum of the image; besides, changing illumination levels causes a real iris to contract. This can be detected easily. Note that iris scans are preferably done in infra-red, so when printing the captured iris, you may also need to get the right reflection in that band as well (certainly possible, not perhaps trivial in your regular ink-jet printer), and indeed capture may need to be done in IR (some DSLRs allow that).

    2. AndyS

      Re: Iris scan

      > So, likewise, a good, open eyed, mug shot might be enough to be able to get an iris scan ?

      I paid for the "check and send" passport application service. The guy (aged 60+, thick glasses, dusty shelves with poor lighting) squinted at the 1" passport photo, and asked me if it had been taken in "a proper booth". When I said no, he tried to knock back my application, as "they need to scan your iris off the photo, so if it's not taken in a proper booth, it may not be good enough."

  6. Pascal Monett Silver badge
    Coat

    "using yet-to-be built technology"

    So basically these "researchers" are saying that someone might, in the future, make something that could, hypothetically, get your fingerprints from a pic.

    I will repress the urge to panic until someone actually does build a thing that can do that.

    1. Anonymous Coward

      Re: "using yet-to-be built technology"

      The "3-metre range" is cobblers too...range would depend upon lighting; the sensitivity of the CCD; and the in-camera processing before you're even in a position to start trying to lift a fingerprint.

      Also fingers are curved; which means it's relatively do-able in theory to get a stripe of fingerprint; but extracting it from the areas in shadow and the highlighted areas wouldn't be as easy.

    2. Calum Morrison

      Re: "using yet-to-be built technology"

      It's worse than that; boffins could, one day, build a device that can read what you were thinking when the photograph was taken. Imagine the security risks if you were thinking about your password at that point - there's your two factor authentication gubbed at a stroke.

  7. Cuddles

    Fingerprint readers don't read fingerprints

    OK, some of them still do, but the more modern, and much more secure, way to do it is to read the blood vessel patterns inside the finger. Taking a photo isn't going to be much of a problem there.

    There are real problems with biometrics as authentication, primarily the fact that they can't be changed and so are useless once compromised (and as with all passwords, compromising them only requires copying the electronic data they generate, not the biometrics themselves). It would be best to focus on the actual issues, rather than some work-in-progress idea that can never even work on the up-to-date ways of doing things. It's like worrying about people taking pictures of your keys, while forgetting that burglars have access to tools like screwdrivers and bricks.

    1. Charles 9

      Re: Fingerprint readers don't read fingerprints

      But what do you use when that's the ONLY thing you have to work with? The big thing about biometrics is that, barring an injury severe enough to basically put you out of work, they'll ALWAYS be there unlike anything else you can propose. People have TERRIBLE memories so WILL forget passwords no matter what the length (heck, people forget their own names and dates of birth--I speak firsthand). Plus people frequently have to wear clothes with no pockets or lanyards so have no way to store external credentials (plus if the security is high they may not be allowed to for sake of blocking hidden recording devices).

      As for recording the impulses, I thought ATMs found a way out of this by black-boxing the scanners and only emitting encrypted streams that include timestamps or other nonces so no two reads produce the same signals, defeating replay attacks.
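
The replay defence mentioned in the comment above, as an added example that is not part of the original thread and not any vendor's protocol: a sealed sensor answers each verifier challenge with a message bound to a one-time nonce and a timestamp, so a captured message is useless later. It authenticates with an HMAC instead of encrypting, to stay within the Python standard library; the class names, the 30-second window and the payload bytes are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

MAX_AGE_SECONDS = 30  # assumed freshness window, not taken from any real device


def _tag(key: bytes, nonce: bytes, ts: bytes, payload: bytes) -> bytes:
    # nonce (16 bytes) and ts (8 bytes) are fixed width, so fields cannot bleed into each other.
    return hmac.new(key, nonce + ts + payload, hashlib.sha256).digest()


class SensorModule:
    """Sealed scanner (hypothetical): holds the device key, answers one challenge per read."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def read(self, nonce: bytes, payload: bytes, now: int) -> dict:
        ts = struct.pack(">Q", now)
        return {"nonce": nonce, "ts": ts, "payload": payload,
                "tag": _tag(self._key, nonce, ts, payload)}


class Verifier:
    """Back end (hypothetical): issues nonces and accepts each one at most once."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accept(self, msg: dict, now: int) -> str:
        expected = _tag(self._key, msg["nonce"], msg["ts"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-mac"                       # altered, or bound to another nonce
        if msg["nonce"] not in self._outstanding:
            return "replayed-or-unknown-nonce"     # this challenge was already answered
        self._outstanding.discard(msg["nonce"])    # single use
        if abs(now - struct.unpack(">Q", msg["ts"])[0]) > MAX_AGE_SECONDS:
            return "stale"
        return "ok"


def demo():
    key = secrets.token_bytes(32)
    sensor, verifier = SensorModule(key), Verifier(key)
    payload = b"constructed-template-bytes"        # constructed sample, stands in for a reading
    t0 = 1_700_000_000                             # constructed clock value

    msg1 = sensor.read(verifier.challenge(), payload, t0)
    first = verifier.accept(msg1, t0 + 1)          # genuine, fresh
    replay = verifier.accept(msg1, t0 + 2)         # same bytes sent again

    # Recorded message relabelled with a new, valid nonce: the tag no longer verifies.
    spliced = verifier.accept(dict(msg1, nonce=verifier.challenge()), t0 + 3)

    n3 = verifier.challenge()
    msg3 = sensor.read(n3, payload, t0)
    late = verifier.accept(msg3, t0 + 3600)        # delivered an hour after it was produced

    # The same reading under a different challenge produces a different message.
    differs = msg3["tag"] != msg1["tag"]
    return first, replay, spliced, late, differs


if __name__ == "__main__":
    print(demo())
```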

  8. Paul Woodhouse

    At last a good reason to get all the Missus's mates to stop fucking doing it on every single photo EVER...

  9. TheProf
    Devil

    Welcome to the future.

    I'm planning, in the next few years, on constructing a hat using yet-to-be built technology that will be able to see inside your mind and the yet-to-be determined wearer of said hat will have access to all your yet-to-be established secrets.

    I bet you're quaking in your boots now.

    1. Michael H.F. Wilkinson Silver badge
      Happy

      Re: Welcome to the future.

      Not really. I have this book with large friendly letters on the cover

  10. Pen-y-gors
    Holmes

    Old idea

    The first suggestion that fingerprints can be copied/faked was a long time ago. The Red Thumb Mark by R Austin Freeman was first published in 1907. It's the first book about Dr Thorndyke, a 'scientific detective' - better than Holmes! All available on Gutenberg, and they're jolly good!

  11. BoldMan

    This boils down to the difference between identification and authentication.

    Fingerprints can IDENTIFY you but shouldn't be used to authenticate you.

    Authentication, i.e. can this person do this thing, should not rely simply on identification, there should be a secondary token for authentication.

    Your fingerprints are essentially your Username but you still should need a password to get into a system.

    1. Count Ludwig

      Repeat after me...

      A fingerprint* is a username not a password.

      A fingerprint* is a username not a password.

      A fingerprint* is a username not a password.

      ...

      * includes retina scans, voice-prints and anything else that is a username not a password.

      1. Charles 9

        Re: Repeat after me...

        A fingerprint is always on you unlike anything else you can think of.

        A fingerprint is always on you unlike anything else you can think of.

        A fingerprint is always on you unlike anything else you can think of.

        What do you do when it's the ONLY thing you have to work with?

    2. Anonymous Coward

      > Authentication i.e. can this person do this thing

      Nope, that's authorisation. You have a database saying (this identity) can do (this thing).

      Authentication is when a person claiming to be (this identity) can prove that they are. Nothing more.

      Setting that aside: you're proposing that claimed identity should come from biometrics (fingerprint, facial recognition etc), while authentication should come from some other factor (password, smartcard etc).

      That's certainly better than taking both identity and authentication from the biometrics. But there are advantages in doing it the other way round.

      For example, if I can prove that I hold the token which identifies me as J Bloggs, then the fingerprint or face scanner only has to do a comparison against the stored details of J Bloggs, which it can do quickly and accurately and with tight tolerance.

      If I use my fingerprint as identity, then the system has to first look at my fingerprint and compare it against all the possible fingerprints which might be in the system, hoping to find one which is a close match to a single person but with sufficient rejection of everyone else, before proceeding.
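
The difference between checking a print against one claimed identity (1:1) and searching a whole database (1:N), worked through as an added example that is not part of the original thread. It is a toy model, not any real scanner's matcher: templates are assumed to be 32 independent bits, two reads of the same finger are assumed to differ in each bit with probability 0.15, and a match means a Hamming distance at or below the threshold.

```python
from math import comb

BITS = 32      # assumed template length (toy value)
NOISE = 0.15   # assumed per-bit disagreement between two reads of the same finger


def cdf(n: int, p: float, t: int) -> float:
    """P(X <= t) for X ~ Binomial(n, p)."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(t + 1))


def false_accept_1to1(t: int) -> float:
    # A stranger's bits agree with one stored template by chance (p = 0.5 per bit).
    return cdf(BITS, 0.5, t)


def false_reject(t: int) -> float:
    # The genuine owner is rejected when noise pushes the distance above the threshold.
    return 1 - cdf(BITS, NOISE, t)


def false_accept_1toN(t: int, n: int) -> float:
    # A stranger is accepted if the reading falls within threshold of ANY of n templates.
    return 1 - (1 - false_accept_1to1(t)) ** n


def tightest_threshold_for(target_far: float, n: int):
    """Largest threshold whose 1:N false-accept rate stays at or below target_far."""
    best = None
    for t in range(BITS + 1):
        if false_accept_1toN(t, n) <= target_far:
            best = t
    return best


def compare(threshold: int = 8, enrolled: int = 1000) -> dict:
    far1 = false_accept_1to1(threshold)
    t_search = tightest_threshold_for(far1, enrolled)
    return {
        "1:1 false accept": far1,
        "1:1 false reject": false_reject(threshold),
        "1:N false accept, same threshold": false_accept_1toN(threshold, enrolled),
        "threshold 1:N needs for the same false accept": t_search,
        "1:N false reject at that threshold": false_reject(t_search),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value:.4g}" if isinstance(value, float) else f"{label}: {value}")
```

In this model a threshold that wrongly accepts about 0.35% of strangers in 1:1 mode accepts about 97% of them against 1,000 enrolled templates; tightening the search until it matches the 1:1 rate rejects most genuine users.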

  12. Anonymous Coward

    Fingerprints have their place

    We also leave fingerprints all over the place, on practically anything we touch. If someone really wants to get hold of your prints they already can, they don't have to rely on yet-to-be-built technology.

    I use my fingerprint to unlock my phone. I was initially a bit dubious about it, but the ease of use is compelling - it's something I do literally dozens of times per day, so any saving of effort pays back quickly. The data on the phone has some value, sure, but not enough to encourage someone to commit several serious crimes in order to gain access to it (theft of the phone, hacking charges for unauthorised computer use, fraud/extortion/other charges for misusing any information gleaned). So for me this particular security versus usability equation comes out on the usability side, I accept that I'm an easy mark for a determined opponent, but I reason that I (currently) don't have any of those.

    The problem with fingerprints if you're being truly diligent about security is they can't be changed or revoked - once you're tied into using them that's it. I've seen it said that they should only be used as a username, not a password, because all they do is prove that you are present, not that you consciously want access (e.g. could be your suspicious partner using your print whilst you're asleep). In reality they're weaker than even a username - finding out that my work login is g907qbe (N.B. it's not really) would be an initial hurdle for an attacker, but if it were compromised I could be issued with a different one. Not so with a fingerprint.

    Fingerprints can sensibly be used to make existing two factor authentication a little easier to use by replacing the token or one-time pad with something you carry around all the time anyway. Alternatively they could be used to add an extra hurdle in three factor authentication (password + token + biometric). They're not useless, you just have to be careful how much faith you place in them.

    1. Mark 85

      Re: Fingerprints have their place

      "The data on the phone has some value, sure, but not enough to encourage someone to commit several serious crimes in order to gain access to it (theft of the phone, hacking charges for unauthorised computer use, fraud/extortion/other charges for misusing any information gleaned). So for me this particular security versus usability equation comes out on the usability side,"

      The data on your phone is pretty much useless to probably 99% of the phone thieves. They want the phone to sell on the black/gray market for cash. So your fingerprint is probably all that system needs at this point. IF the crims ever smarten up and figure out they can use your bank details, then the fun and games start.

      1. Anonymous Coward

        Re: Fingerprints have their place

        "The data on your phone is pretty much useless to probably 99% of the phone thieves. They want the phone to sell on the black/gray market for cash."

        That's quite correct, though slightly beside the point. The security method I've used on the lock screen is about protecting the data, not the device itself. Protecting the device itself is more about not leaving it unattended and not taking it out in full view when walking through the wrong neighborhood at night i.e. being streetwise.

        The first thing phone thieves generally do when they lift a phone is turn it off, making it harder to trace and/or brick it remotely. For the first login after a power cycle you can't use the fingerprint, you have to use an actual password "for enhanced security" (the fingerprints registered are just linked to the underlying password, they're not a complete replacement for it). You also need the real password if you want to replace the stored fingerprints or change to a new password, so even if they steal the phone whilst it's unlocked (i.e. grab it out of my hands) it doesn't really help them unless it was the data they were after. And once again, if they steal the phone when it's unlocked it really doesn't matter what method I used to secure the login.

        Phone thieves who are just after the hardware don't actually need to log into the device anyway, they would just reset it to factory defaults and in the process would effectively delete the data on it (encrypted filesystem).

        So, until crims start routinely hacking into phones for their data I'll carry on using my fingerprint to unlock.

  13. chivo243 Silver badge
    Facepalm

    Hippy in the pic is OK

    He won't ever be using a smartphone anyway... you know... Dave's not here.

    And if he was a true hippy his fingers would be too dirty to get anything. You know kinda like Neil from the Young Ones

  14. Crazy Operations Guy

    If I can't change it, I don't use it

    I've never trusted using bio-metrics for anything security related, especially not for my phone. My main complaint is that a phone can't really be trusted all that much and someone could easily steal the image of it and then re-use it on something else that uses fingerprints for authentication.

    There is also the issue that if you lose your fingerprints, there really isn't a 'reset' option. I had an external drive that used fingerprints to authorize decryption. Worked fine until one day I stupidly grabbed a hot pan as it was falling off the stove and burnt my fingers to the point of blistering. Took a couple weeks before the drive would recognize me again...

    It's really the same issue as password re-use, except in this case, you only have, at most, 10 different ones you can use over your entire life. Although the number of possibilities is much lower since most people's finger prints are mirrored on the other hand and there isn't much difference between the prints on each finger on any given hand.

  15. Anonymous Coward

    "My main complaint is that a phone can't really be trusted all that much and someone could easily steal the image of it and then re-use it on something else that uses fingerprints for authentication."

    The phone doesn't necessarily store an image of your fingerprint. It probably stores information *about* your fingerprint, like the distances between key patterns, whorls and what have you.

    "most people's finger prints are mirrored on the other hand"

    Citation Needed™. I believe that's a myth.

  16. Anonymous Coward

    Titanium dioxide film?

    So you're supposed to cover your fingers with this stuff to prevent the prints being lifted from a photograph? Talk about an impractical solution!

    Face it, fingerprints, irises, etc. should not be used as secure authentication. I use it on my iPhone because I don't need ultimate security on it - I certainly wouldn't keep my medical records on my phone protected only by a fingerprint, but what I actually have on there, sure.

    The problem is that the public has seen fingerprint readers and iris scanners as "high security" for 30 years, ever since they first started showing up in spy films. Laptop vendors and more recently smartphone vendors have capitalized on that with their marketing, but they shouldn't be trusted as the sole means of authentication for anything important.

  17. JJKing
    Holmes

    Fingerprint uniqueness has NOT been scientifically proven.

    "Fingerprints can IDENTIFY you but shouldn't be used to authenticate you."

    Please provide links to the numerous studies, or maybe even one study that provides scientific proof that finger prints are UNIQUE. Good luck with that coz there ain't any, yet the fingerprint is used to convict people of all sorts of crimes.

    1. Anonymous Coward

      Re: Fingerprint uniqueness has NOT been scientifically proven.

      That's a straw man argument. There are lots of studies, but they never claim that prints are unique. What they do say is that they can use prints to evaluate a statistical probability that they are your prints and not anyone else's. If they're working with a single partial print that degree of confidence is always going to be low, and likely not usable in court (certainly not on its own). However, if they have an object that has prints matching all ten of your pinkies with a high degree of confidence then they're going to have a pretty high level of confidence that the object was in fact handled by you.

      TV crime fiction almost always gets this wrong, because it's flashy and snazzy to show the CSIs nailing the perp on the basis of a single partial print found on the collar of the deceased's shirt, but in real life the burden of proof should be far more stringent (and boring) - i.e. beyond reasonable doubt, including any doubts over false matches. It's up to the defence counsel to point this out to the jury though.

      Likewise in DNA analysis - in CSI it's always "we got a match" - in real life it's "there's a DNA signature matching the suspect to a degree of confidence of one person per million of the general population". And even then that can be enough doubt - in a large population that one in a million would mean there are dozens of other people - most likely of similar genetic background - who would also match; and communities (especially minority ones) often gather within very small areas, making most of those dozens of people near neighbours of the accused.

  18. Pat Harkin

    So it can't be done yet...

    ...but they just happened to have developed a film which stops it happening.

    a) How wonderfully financially convenient and

    b) how do they know it works?
