Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Science Technology

Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows (theguardian.com) 64

schwit1 shares a report: Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper [PDF] presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.

The researchers, led by NYU's Philip Bontrager, say that "the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis." As with much security research, demonstrating flaws in existing authentication systems is considered to be an important part of developing more secure replacements in the future. In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner.

This discussion has been archived. No new comments can be posted.

Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows

Comments Filter:
  • by Anonymous Coward

    Can't change them. Can't revoke them. You leave a copy of them around on everything you touch. Why do people still use these for identification?

    • There's even a commercial on TV now about how great the fingerprint password system is on their laptop... that they show off by having a child use your fingerprint while you're asleep. See, you don't even have to get woken up or supervise your kids to authorize them for whatever they want.

    • No, they're just fine for identification...just not for authentication.
  • Prior Art (Score:2, Insightful)

    by Anonymous Coward

    James Bond
    Myth Busters...

    It's been done. Finger print scanners are NOT secure.

    Having said that, I too have developed a "don't give a fuck attitude" towards the insecurity. It's just too convenient to touch my PC or phone and have it unlock.

    I use it. I know it's wrong, but...

    • The only reason I even lock my phone is because I don't want to pocket-dial anyone (or press other random buttons in my pocket). I don't lock my wallet, either.
    • Myth Busters...

      Myth Busters made a copy of a real fingerprint. These guys generated an image of a fingerprint that was close enough to unlock the phone.....without knowing what the original fingerprint looked like.

      That's why they call it the "master key" fingerprint....because it can unlock the phone like a ghost key. They used the adversarial neural network to find weaknesses in the fingerprint identification algorithm. Basically, some features of fingerprints are more common than others.

      • Sometimes it pays off to RTFA or even just the summary, doesn't it.

        I haven't really considered fingerprints to be a very secure to begin with, due to the possibility of copying the prints or even just some goon forcefully pushing your thumb into the scanner. Still, it was "good enough" for most cases and to CYA from the corporate overlords who require the phone to be locked. This just makes it completely useless against any professional attacker and maybe even Joe Blow the phone thief, if the method can be

    • by rtb61 ( 674572 )

      Consider the security difference between a passphrase and a fingerprint. You can use different passphrases for different sites but your fingerprint, give it away once to some fuckhead corporation and they have it for life and it can be sold to whomever wants to buy. So yeah, password has been compromised change it once at that location, so what the fuck do you do if you fingerprint has been compromised, for the rest of your fucking life, hmmm.

  • I'm sure some governments have known this for awhile. I wonder how many people have been framed? And how would you ever prove your innocence?

    I have similar worries in regard to the proliferation of 'deep fakes' and other methods of realistic video editing that is indistinguishable from original recordings.

    I imagine we will deal with these issues to the best of our ability as time goes on, but "Damn future, you scary!"
    • by rgmoore ( 133276 )

      I wonder how many people have been framed? And how would you ever prove your innocence?

      I don't think this would be very helpful for framing anyone; the goal is completely different. The goal when framing somebody is to create a unique match, while this technique creates a fingerprint that matches something like 20% of the database. If you could manage to plant one of these fingerprints, it might well match the person you're trying to frame, but it would match many other people who you aren't trying to fra

      • Fingerprint analysis is normally limited to returning a "match"/"no match" on the suspect. So, if you didn't have an example of the fingerprint, it's a 20% chance of working.

        • by rgmoore ( 133276 )

          Actually, fingerprint evidence is used in a number of ways. One way is to get a match vs no match on the suspect. Another way is to query a fingerprint database to find a list of possible suspects. The key is that the defendant is allowed to have their expert look at the evidence, so the person trying to frame them can't control and make sure it's only used for match/no match. If the defendant's expert uses it to query the database and finds it's a match to 20% of the fingerprints there, you have instan

          • That's true, if the person you're framing has resources. Otherwise, it works 20% of the time. And given that something like 1/4 of Americans cannot put together $400 in an emergency, you have a 8% chance of it working.

  • It may also be worth noting that today's cameras have enough resolution to reveal your fingerprints when you flash a peace sign in a photo, for example.
  • Maybe the Orange Dude is right: everything is becoming fake, rigged, and/or bugged.

    He's not paranoid, he's a profi...prophet.

  • Research shows? (Score:3, Insightful)

    by glenebob ( 414078 ) on Thursday November 15, 2018 @04:39PM (#57651484)

    What the hell was wrong with "common sense shows"? It's a hell of a lot cheaper.

    • by yarbo ( 626329 )
      A lot is wrong with it. How hard is it? What information do you need? Can anything change with storage or reading to fix it? What? Your common sense doesn't take you far when it's right, and when it's wrong, it's even worse. https://www.newscientist.com/a... [newscientist.com] - here's a whole list of examples of common sense leading researchers astray. In short, common sense is easy when you already know the answer.
  • Why did this need to be researched? We've known about this as long as we've had the technology.

  • Oh, wait, it already is.

    Look, the main problem is one of tuning. Fingerprints are just 3D printed objects, and many scanners aren't that bright. In the old days we could just do a ridge pattern on plastic to throw them, now we have to emulate the ridges for the fancier detection devices. Still takes us less than 60 seconds, of course.

  • >"Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows"

    Which is one of MANY reasons why fingerprints should not be used for "real" security- it isn't really secure.

    Further, using fingerprints (or worse, DNA) and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to indiscriminately track what people are doing all the time but because they should not have fingerprint registration data (which will

  • The fundamental issue with biometrics is that people tend to think they represent a kind of security token (an idea actually pushed by greedy companies whose only goal is to sell you more of their useless stuff under the umbrella of "innovation").
    It is clearly not ! This is simply an easier/convenient way to identify yourself, the equivalent of your good old login name. Full stop. any attempt to use biometrics beyond this point is just utterly stupid.

Whoever dies with the most toys wins.

Working...