Despite their uniqueness, even fingerprints can be hacked
By Martin Scholz, R&D Manager
Each of us has fingerprints that are unique, so it makes sense that we'd like to use them to secure our devices and identify us in other ways. The problem is, we're not even close to having fingerprint verification systems that can prove with high certainty exactly whose fingerprint is being verified.
Even 1 error in 100 billion fingerprint verifications could be too many. Today many practical applications have a fingerprint verification error rate closer to 1 in 10 000. And with smart attacks, the false matches can be much more frequent than that.
Many people use fingerprint recognition to secure their smart phones, but what most don't realize is that the phone's sensors capture just a small portion of the actual fingerprint while setting up the security feature. It's simply a matter of the size of the fingerprint sensor on the phone.
While that partial fingerprint alone isn't problematic, the larger issue is that because individual fingerprint sections are not as distinctive as the full print, it's easier for incorrect partial prints to be matched. And if we're still finding high error rates even when using full fingerprints, just imagine the problems we might see when using just partial prints.
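To make the compounding concrete, here is an added example (not from the original article or the DeepMasterPrints paper) that turns a per-comparison false match rate into a per-device false accept probability. The 12 enrolled partial templates and 5 attempts before lockout are assumed values, and the comparisons are assumed independent, so the results are a floor for random impostors rather than an estimate for crafted prints.

```python
import math

def system_false_accept(fmr, templates=1, attempts=1):
    """Probability of at least one false match when each of `attempts`
    presented prints is compared against `templates` enrolled partial prints.
    Assumes independent comparisons, each with false match rate `fmr`."""
    if not 0.0 <= fmr < 1.0:
        raise ValueError("fmr must be in [0, 1)")
    if templates < 1 or attempts < 1:
        raise ValueError("templates and attempts must be >= 1")
    comparisons = templates * attempts
    # 1 - (1 - fmr)**n, computed with log1p/expm1 so that a very small fmr
    # (such as 1 in 100 billion) is not lost to floating-point rounding.
    return -math.expm1(comparisons * math.log1p(-fmr))

def max_comparisons(fmr, target):
    """Largest number of comparisons that keeps the overall false accept
    probability at or below `target` (same independence assumption)."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be in (0, 1)")
    if not 0.0 <= fmr < 1.0:
        raise ValueError("fmr must be in [0, 1)")
    if fmr == 0.0:
        return math.inf
    return math.floor(math.log1p(-target) / math.log1p(-fmr))

if __name__ == "__main__":
    # Per-comparison rates quoted in the article.
    rates = {"1 in 10 000": 1e-4, "1 in 100 billion": 1e-11}
    # Assumed (hypothetical) device parameters, not taken from the article.
    templates, attempts = 12, 5
    for label, fmr in rates.items():
        p = system_false_accept(fmr, templates, attempts)
        budget = max_comparisons(fmr, 1e-3)
        print(f"FMR {label}: P(false accept) = {p:.3e} over "
              f"{templates * attempts} comparisons; "
              f"{budget} comparisons fit a 1-in-1000 risk budget")
```

Prints that are built to match many partial templates break the independence assumption, so real exposure to them is higher than these figures.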
A paper presented at the IEEE International Conference on Biometrics last month, "DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution," received the best paper award. It shows how researchers were able to build a set of DeepMasterPrints created both from real and synthetic fingerprints that can then be used to impersonate multiple identities. The authors explained that DeepMasterPrints are "partial fingerprint images which can be used for launching dictionary attacks against a fingerprint verification system." Dictionary attacks are those in which the hacker attempts to defeat the authentication mechanism by barraging it with hundreds or even millions of likely possibilities.
The article goes into great detail about how the authors created MasterPrints. It also explains how they used Latent Variable Evolution as the means for creating and generating DeepMasterPrints. Using these real and synthetic prints, the authors demonstrated how they defeated a fingerprint recognition system by spoofing it. Poor methods and technologies for fingerprint recognition are problematic, and the MasterPrints take advantage of this.
The good news is the study authors are all university researchers who are simply looking for vulnerabilities, so they can be addressed.
At Versasec, we've always been worried about how fingerprints and other unique biometric attributes, including retinas and faces, are stored. If they end up in a database at the user's credit card company or bank, there is the potential that they could be vulnerable to hacking. And since, unlike a password or a physical smart card, which can be replaced, we only have one set of fingerprints, one face, one set of retinas, that's simply not acceptable. If the storage location is completely under the control of the owner of the biometric attributes, we believe those attributes can be an excellent factor in multi-factor authentication. So, for instance, we condone using fingerprints as an identification element when the fingerprints are stored on a PKI smart card and the fingerprint matching is done only on the card.
What this study also shows is that any system when standing alone is more vulnerable than those requiring multi-factor authentication. If you want to learn more about working with multi-factor authentication and how to best manage a multi-factor authentication system, please contact us here.
Tags: iam, cybersecurity, two-factor, authentication, hacker, breach, identity, smartcard, access.