Here’s hoping none of you, dear readers, has spent much money recently on finger-scanning biometric security technology lately. Because it turns out it’s pretty easy to hack.
A news report from the BBC reveals that a 29-year-old Brazilian doctor, Thaune Nunes Ferreira, working in a small town outside Sao Paulo was arrested over the weekend for allegedly using prosthetic silicone fingers to fake the presence of six of her colleagues.
That’s right. If you can find a decent fingerprint and a way to manufacture silicone objects (as some 3D printers can), you probably have what it takes to break-into anything that requires a finger scan.
The hospital where Ferreira worked had a finger-scanning device used to take the attendance of its employees, and the doctor claimed she was forced to scam the device under threat of losing her job. But her tactic may have been just one ploy in a much bigger fraud. According to the local mayor, the police investigation that busted Ferreira was part of a broader inquiry that implicated around 300 of the town’s workers for collecting wages without regularly showing up to work.
As creative as Ferreira’s tactic is, it’s hardly the first case of fingerprint hacking we’ve seen. And apparently, would-be hackers don’t even need a real fingerprint. According to a CNN report last summer, Italian researchers figured out in 2011 how to reconstruct fingerprints starting with a digital template commonly stored by biometric security systems to archive fingerprint information. Rather than using an actual fingerprint, the scientists used data alone to create the same kind of “gummy finger” used by Ferreira.
Even iris scanners are susceptible to hacking, the article continues:
Iris scanners take an image of the eye, stretch the iris out into a rectangle, and then create a template of 0s and 1s called an "iriscode." In image form, it resembles a series of black and white pixels in a long, narrow rectangle. It looks nothing like an actual iris.
But don't tell that to an iris scanning system. By making an image out of the stored iriscode, stretching it into a circle, and feeding it back into the system, Galbally's team was able to get into the system with an 87% success rate.
But it’s not just companies and people with high security clearances that need worry. Everyday people can get finger hacked just by going to the ATM. Stories over the last few years have shown that thieves using digital infrared cameras can steal your PIN by detecting heat traces left behind by your fingers on the numeric keypad.
Of course, when it comes to fingerprint hacking, there’s always the much easier (if significantly more gruesome) method of hacking fingerprints—by literally hacking off fingers. Reports of thieves actually cutting off fingers to fool security systems are scarce, but it has happened.
As the BBC reported in 2005, a gang of thieves in Kuala Lumpur, Malaysia, hacked off a man’s finger with a machete to steal his Mercedes S-Class, which was fingerprint protected. According to the report, the car can fetch up to $75,000 because of high import tariffs. Luckily, a German company called Dermalog Identification Systems invented technology in 2011 they say can distinguish between living and dead tissue, which would help deter would-be digital thieves.
No word on whether hackers have figured out how to successfully use enucleation (eyeball removal) to hack eye scanners.