Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 19:57:43 by shamilton72

Hi,

I was wondering if it is possible to spoof a fingerprint scanner, I am
particularly referring to the relatively cheap ones that you can get on
a computer mouse.

For a relatively cheap implementation of this system in order to log
onto a PC using a normal login ID and your scanned print, is there a
standard for how much data is required for each scanned print and in an
organisation of say 5,000 would the search be virtually instantaneous?

I would have thought fingerprint scanners built into computer mice
would be susceptible to dust and scratches (I'm thinking of a place
like a university where PC's have multiple users).

Any advice would be greatly appreciated.

Regards,

Sarah Hamilton.

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 20:09:13 by Sebastian Gottschalk

shamilton72@hotmail.co.uk wrote:

> I was wondering if it is possible to spoof a fingerprint scanner, I am
> particularly referring to the relatively cheap ones that you can get on
> a computer mouse.
>
> For a relatively cheap implementation of this system in order to log
> onto a PC using a normal login ID and your scanned print, is there a
> standard for how much data is required for each scanned print and in an
> organisation of say 5,000 would the search be virtually instantaneous?

A simple fingerprint extracted from a coffee cup is sufficient. For
cheap systems you don't even need to take care for wetness and aliveness
checks.

> I would have thought fingerprint scanners built into computer mice
> would be susceptible to dust and scratches (I'm thinking of a place
> like a university where PC's have multiple users).

You just need about 10 curve data samples to get pretty unique fingerprints.

> Any advice would be greatly appreciated.

You're leaving your fingerprint on about a thousand objects per day.
Very bad idea to use it as authentication.

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 20:30:19 by comphelp

Sebastian Gottschalk writes:

> You're leaving your fingerprint on about a thousand objects per day.
> Very bad idea to use it as authentication.

As sole authentication, I agree.

As one factor of two factor authentication, it sure beats a poke in
the eye.

Swipe style scanners are marginally more secure than simple imagers
where you leave a nice handy latent fingerprint on em. These are
included in certain IBM/Lenovo thinkpads.


--
Todd H.
http://www.toddh.net/

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 20:37:10 by unknown

Post removed (X-No-Archive: yes)

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 20:42:35 by Sebastian Gottschalk

Todd H. wrote:
> Sebastian Gottschalk writes:
>
>> You're leaving your fingerprint on about a thousand objects per day.
>> Very bad idea to use it as authentication.
>
> As sole authentication, I agree.
>
> As one factor of two factor authentication, it sure beats a poke in
> the eye.

Not actually. It's neither a reliable nor efficient improvement over one
factor authentication and clearly doesn't reach two factor ~. Especially
due to error rates.

But "eye" is a good keyword. Iris scanning actually fulfills the
"something you are" factor mantra.

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 20:42:42 by none

shamilton72@hotmail.co.uk wrote:
> Hi,
>
> I was wondering if it is possible to spoof a fingerprint scanner, I am
> particularly referring to the relatively cheap ones that you can get on
> a computer mouse.
>
> For a relatively cheap implementation of this system in order to log
> onto a PC using a normal login ID and your scanned print, is there a
> standard for how much data is required for each scanned print and in an
> organisation of say 5,000 would the search be virtually instantaneous?
>
> I would have thought fingerprint scanners built into computer mice
> would be susceptible to dust and scratches (I'm thinking of a place
> like a university where PC's have multiple users).
>
> Any advice would be greatly appreciated.
>
> Regards,
>
> Sarah Hamilton.
>
Trivial to do .. I seem to remember that it can be done using only stuff
you can buy at your local grocery store. Given that the fingerprint that
you want to spoof is likely to be on the reader from when the legitimate
user touched, this is no security at all.
With some cheap fingerprint readers, breathing lightly onto the reader,
to reactivate the latent print, is enough. Only slightly harder is the
manufacture of a gelatin reproduction ... do a google search for "gummy
finger".

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 20:58:45 by unknown

Post removed (X-No-Archive: yes)

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 21:25:48 by lynn

Sebastian Gottschalk writes:
> Not actually. It's neither a reliable nor efficient improvement over one
> factor authentication and clearly doesn't reach two factor ~. Especially
> due to error rates.
>
> But "eye" is a good keyword. Iris scanning actually fulfills the
> "something you are" factor mantra.

some number of atm operators have been looking at both fingerprint
scanning and iris scanning, in place of PIN for two-factor
authentication.

from three-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

PIN is a shared-secret "something you know" in conjunction with the
card "something you have".
http://www.garlic.com/~lynn/subpubkey.html#secret

the issue is that shared-secret "something you know" paradigm has been
grossly overworked ... as a result there are some statistics that at
least 1/3rd of debit cards have PINs written on them. there is
assumption with multi-factor authentication regarding whether they
are subject to independent vulnerabilities and exploits. obviously
writing PIN on the card defeats any assumptions about multi-factor
independent vulnerability related to lost/stolen card.

the argument allowing a user to choose fingerprint ("something you
are") in lieu of PIN ("something you know") authentication ... is
whether it is easier for a crook with a lost/stolen card to "lift" a PIN
written on the card and replay the PIN at a terminal ... vis-a-vis
"lifting" some possible fingerprint on the card and replay the
fingerprint at a terminal (even allowing a customer to choose a finger
that is least likely to have been used in handling their card).

misc. past posts mentioning fingerprint vulnerability vis-a-vis
debit cards that have PIN written on them:
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#167 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/aadsm10.htm#biometrics biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio2 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio3 biometrics (addenda)
http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#47 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/2002g.html#72 Biometrics not yet good enough?
http://www.garlic.com/~lynn/2002h.html#6 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#8 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#41 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002o.html#62 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#63 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#64 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#65 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#67 smartcard+fingerprint
http://www.garlic.com/~lynn/2003o.html#44 Biometrics
http://www.garlic.com/~lynn/2005g.html#54 Security via hardware?
http://www.garlic.com/~lynn/2005i.html#22 technical question about fingerprint usbkey
http://www.garlic.com/~lynn/2005i.html#25 technical question about fingerprint usbkey
http://www.garlic.com/~lynn/2005m.html#37 public key authentication
http://www.garlic.com/~lynn/2005o.html#1 The Chinese MD5 attack
http://www.garlic.com/~lynn/2005p.html#2 Innovative password security
http://www.garlic.com/~lynn/2005p.html#25 Hi-tech no panacea for ID theft woes
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense

other past posts about skimming exploits of magstripe plus PIN (or any
other relatively static authentication data that can be subject to
replay attack) ... also invalidating any assumptions about
multi-factor authentication independent vulnerabilities/exploits/threats
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#25 Single Identity. Was: PKI International Consortium
http://www.garlic.com/~lynn/aadsm17.htm#42 Article on passwords in Wired News
http://www.garlic.com/~lynn/aadsm18.htm#20 RPOW - Reusable Proofs of Work
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm20.htm#41 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#33 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#45 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm22.htm#47 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm23.htm#2 News and Views - Mozo, Elliptics, eBay + fraud, naïve use of TLS and/or tokens
http://www.garlic.com/~lynn/2003o.html#37 Security of Oyster Cards
http://www.garlic.com/~lynn/2004g.html#45 command line switches [Re: [REALLY OT!] Overuse of symbolic constants]
http://www.garlic.com/~lynn/2004j.html#12 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#13 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#14 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#35 A quote from Crypto-Gram
http://www.garlic.com/~lynn/2004j.html#39 Methods of payment
http://www.garlic.com/~lynn/2004j.html#44 Methods of payment
http://www.garlic.com/~lynn/2005o.html#17 Smart Cards?
http://www.garlic.com/~lynn/2005p.html#2 Innovative password security
http://www.garlic.com/~lynn/2005p.html#25 Hi-tech no panacea for ID theft woes
http://www.garlic.com/~lynn/2005q.html#11 Securing Private Key
http://www.garlic.com/~lynn/2005t.html#28 RSA SecurID product
http://www.garlic.com/~lynn/2005u.html#13 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006d.html#41 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense
http://www.garlic.com/~lynn/2006g.html#38 Why are smart cards so dumb?
http://www.garlic.com/~lynn/2006h.html#13 Security
http://www.garlic.com/~lynn/2006h.html#15 Security
http://www.garlic.com/~lynn/2006h.html#33 The Pankian Metaphor

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

Re: Spoofing fingerprint scanners - NEWBIE()

on 01.05.2006 22:37:03 by Sebastian Gottschalk

Juergen Nieveler wrote:

>> But "eye" is a good keyword. Iris scanning actually fulfills the
>> "something you are" factor mantra.
>
> ....but at least some implementations are easily fooled by a colour
> printout of an iris :-)

It should be pretty hard to get a sufficient high-quality scan of the
retina in everyday.

Re: Spoofing fingerprint scanners - NEWBIE()

on 02.05.2006 09:31:02 by Volker Birk

shamilton72@hotmail.co.uk wrote:
> I was wondering if it is possible to spoof a fingerprint scanner, I am
> particularly referring to the relatively cheap ones that you can get on
> a computer mouse.

You can spoof most of the more expensive ones, too. Many of them
with a gummibear. A short introduction into a more professional method
you can find here:

http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spoofing fingerprint scanners - NEWBIE()

on 02.05.2006 21:27:50 by unknown

Post removed (X-No-Archive: yes)

Re: Spoofing fingerprint scanners - NEWBIE()

on 02.05.2006 21:47:34 by Sebastian Gottschalk

Juergen Nieveler wrote:
> Sebastian Gottschalk wrote:
>
>> It should be pretty hard to get a sufficient high-quality scan of the
>> retina in everyday.
>
> All it takes is a camera with a telephoto lens, actually :-)

Are there actually such lousy implementations out there that allow such
a low-quality input to be successfully authenticated?

Re: Spoofing fingerprint scanners - NEWBIE()

on 02.05.2006 22:14:02 by unknown

Post removed (X-No-Archive: yes)