Finger Print Scanners Really Aren’t That Secure

Maybe you suspected this already, but researchers at MSU Computer Science just published a paper explaining just how easy it is to spoof a fingerprint scanner with a ink-jet printed scan of a finger.

We’re not talking about casting a new finger using superglue or anything, but rather using conductive ink you can literally print — on paper. A paper-printed-fingerprint that will unlock your smartphone. We’ve already told you fingerprints suck for security, but hopefully this drives the point home.

[Kai Cao] and [Anil K Jain] released this paper (Direct PDF link) outlining their technique. Using an existing scan of a fingerprint (which can be taken from your phone’s scanner), the image is mirrored, and then printed using a regular ink-jet printer, with all of its color cartridges replaced with AgIC4 silver conductive ink.

Now this ink and the associated paper to go with it is pretty pricey — you’ll be looking at close to $500 for those cartridges, but when it comes to spoofing someone’s identity, it’s certainly not enough to stop a would-be thief.

52 thoughts on “Finger Print Scanners Really Aren’t That Secure

  1. They are not supposed to be secure. They are just a more convenient replacement for the “unlock pattern” thingy, which is not terribly secure either, but does say “please don’t play with my phone while I go to the bathroom”. I think of it more like a social cue than a security mechanism, just like closing the door to your room doesn’t actually grant protection from someone who wants to enter it.

    1. I would totally agree with you.
      Biometrics are not perfectly safe, but are convenient, thus make it actually much more safer for those who are too lazy to use codes or unlock patterns at all. (A bird in the hand is worth two in the bush.)

      But that don’t apply to Apple. With Apple Pay they made PAYMENT and contactless access to your creditcard secured only by your fingerprint reader. So hacking that is a real security issue and mostly even a greater threat than access to all your data.

        1. I hope you are aware that Apple has officially apologized to the public and released a fix for the Error 53 (stating that it was used for internal testing and never should have been seen by the public).
          However, Touch ID still won’t work (that requires an official fix by Apple) but the phones will be un-bricked and usable.

      1. THis matters NOT, did you even READ the article. Even I, yes ME, can open your device with a mere copy of your fingerprint tathI can grab from anything you touch. Like your screen. Oops. Maybe you should read the article.

  2. I’ve seen the opposite also, when the machine refuses to validate your fingerprint. Biometrics in today’s cost effective technology is too primitive to be used in such sensitive applications like accessing your bank account and so on.

  3. No authentication method, including biometrics is foolproof when used alone, which is why security-conscious orgs do not rely on them exclusively. At least two of the “something you own, something you know, something you are” factors of authentication is required. Two-factor authentication is the current norm around the world. Smartphones due to their size, cost and convenience have been slow to follow the multi-factor path. However, it would not be difficult to add a PIN to a fingerprint or voiceprint scan on a smartphone to make it a true two-factor device. I predict that will come anyway when people realize their phones are not as secure as they’d thought they were.

    1. I never understood the point or utility of voice recognition on a phone for security… Have you ever tried to speak a text message? The results can be quite irritating. Failing that, what if you have a cold, lose your voice, are in a noisy environment, or are someplace you don’t want to make noise either not to disturb others or don’t want to be detected?

      1. Yeah, reminds me of that scene in “Mission To Mars” where they are loosing air pressure and one guy has to authenticate a command via voice ID but he is out of breath. Voice recognition has never really been good but could be dangerous in some circumstances.

  4. I think no one has ever (?) seriously claimed that fingerprints are one hundred percent secure. They are just a convenient way to lock out the usual thieves of opportunity. Anything beyond that requires, of course, additional barriers (for example two-factor authentication, like apple’s own iStore). So, nothing really new under the sun. ;-)

    1. Yeah, then try telling that to banks that will change your card and their ATMs to use only fingerprint instead of good old passwords….l Just waif for some cases of finger-stealing making the news…

      1. Remember Demolition Man, where Simon Phoenix used a fork to yank out the warden’s eyeball to get past the retina scan? Then Stalone makes the comment he hope’s Simon doesn’t figure out to rip someone’s arm off to get money…

        Lol… Classic example.

        1. I think that would already not work because security systems based on eye scanning have liveness checks. Meaning you couldn’t use a dead eye, or a photograph or a living eye.

          1. But you can hold a photograph of a living eye (with pupil cut out) in front of your own eye and fool all but the best of security systems. Funny little things they teach you in biometrics class in my uni.

  5. Thinking a fingerprint and lockcode will keep your credit card safe is idiocy.
    Being mostly NFC capable now, your best bet is to setup none or low value PIN-less transactions on your account ($10-$20). You can set time between transactions, daily, weekly, monthly limits. That way you still have the convenience, but noone can spend 5K on hookers and blow if you leave your phone in the pooper.

    1. Or could it possibly be that those marketing boys at apple with their overpriced stuff that is essentially the same as the cheaper competition actually have a better implementation of this type of tech that actually isn’t a cheap knock-off?

  6. First, you can snap fingerprints with a camera and some photoshop. It was covered here last year.
    http://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/

    Or you are just leaving them everywhere on daily basis. For instance, you are leaving them in the back of the phone itself. So get the phone carefully you might get the fingerprint for free.

    Surprised no one mentioned this, but mythbusters did beat some fingerprint keylocks with : printer, printer + powder, or printer + gel. They even tried to crack the NFC safety but VISA/Mastercard pressure made and it couldnt be shown or explained .

    The most secure (or insecure) method to secure something is still people.Helped by technology, of course, but always human redundancy in it. Try getting into Fort Knox safes unsolicited to check if there’s gold. You can’t.

    1. But yes, it can be etched in copper (PCBs). And then a “cast” with wood glue can be made from the copper image. AFAIK this cast put on your finger fools many commercial fingerprint readers.

    1. Market Ready biometric technology at 2016 is still unsafe for being used alone.That’s what the article is about .
      Can you pick an article or example showing the opposite?

    2. Well I’m not up to date with details but from what I heard the modern fingerprint scanners are suppose to be smarter than just looking at ridges, they are suppose to look a bit under the skin and test if it’s a living organism and stuff.
      And theoreticcally it might be possible to push such check to quite an extend, you can crossreference the vein structure and match that with the surface ridges and then you won’t be easily lifting a usable print from any surface.

      Or you can do a retinal scan, also not something you casually access

      But personally I don’t like biometrics, I think its purpose most often is not to protect the user but to get positive tracking fro governments and advertisers and the like. A way to make sure you track the right person.

  7. No surprise here. What cracks me up is my company policy lets us use laptop fingerprint readers but not mobile phone fingerprint readers. Both are stupid easy to get around.

  8. Operationalizing these attacks are much harder than one might think. Even if a device is covered in salvageable prints most have time settings that cause prints to expire after a few hours of non-usage (or a power cycle) and require the code to be entered again. That gives very little time to steal a device, lift viable prints and manufacture the fake print.

    1. Seriously? If that is true it makes the whole use of them pointless. That can’t be true can it?

      But anyway, they also use fingerprints for doors and such, and I know for sure those don’t expire after a few hours like you claim phone fingerprint scanners do. (And I never heard that mentioned and if it was true that is extremely odd since it’s something to bitch about – and the internet exists.)

Leave a Reply to ShrikeCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.