Security and encryption guru Bruce Schneier, who publishes the excellent Crypto-Gram newsletter [Subscribe - Ed.], has an interesting report in the May 15, 2002 edition on fooling fingerprint scanners (Fun With Fingerprint Readers). Tsutomu Matsumoto, a Japanese cryptographer, has found a way to fool many of the commercial fingerprint scanners on the market using inexpensive, common ingredients. Taking a mold from a live finger, he casts a fake fingertip out of gelatin. In other words, a "gummy finger." Homer Simpson would love this, because you can eat the evidence afterwards ("Mmmmmm, gummy fingers"). Of more interest, however, is that Matsumoto can also fool scanners with a fake finger made from a latent fingerprint: a print lifted from a surface, photographed, and etched onto a circuit board to serve as the mold. In other words, the fingerprints you have innocently left on a glass in a bar could be used to fool fingerprint scanners. Slides from Matsumoto's presentation on his research are available: Presentation [PDF] (1.3 MB).
You may have wondered why no one has tried this before. The reason is that, conventionally, dummy fingers were made from silicone, and fingerprint scanners used capacitive sensors to distinguish silicone from live fingers (take that, Mission Impossible). Silicone and skin have very different electrical properties. This is not the case for gelatin, which is, after all, hydrated animal protein, and so looks to a capacitive sensor much more like living skin.
This is a serious problem. Biometrics are increasingly touted as a solution to all sorts of identification problems, from terrorism to credit card fraud. This research shows how weak one common method of biometric identification can be, but it must also be remembered that biometric systems have flaws inherent in the approach itself, not to mention that particular deployments can be pathetically designed in other ways...
One problem with biometrics is that once a form of biometric identity is compromised, that's it. If your credit card or driver's license is stolen, you can always get another one with a new number. However, if criminals have compromised your fingerprints, you can't get new fingers. This is why the issue of latent fingerprint forgery is critical. Using Matsumoto's technique, criminals could create a booming market in lifted, cleaned-up fingerprint images, ready to be cast into gummy fingers. For more on the problems of biometrics, see Bruce Schneier in 1998 (Biometrics: Truths and Fictions).
Matsumoto's technique would also defeat the fingerprint-activated computer password and encryption management system reviewed by ABC News (Review: Targus Defcon Authenticator). A laptop is likely covered with many of the owner's latent fingerprints. Steal the laptop, lift a print from its case, cast a gummy finger using Matsumoto's technique, and the files are the thief's.
Of course, the above assumes that the system is well-designed in the first place, which is a big assumption. For an example of a poorly designed system, the Houston Chronicle reports that a local supermarket chain is experimenting with fingerprint identification at checkouts (It's kinda touch-and-go: New system lets Kroger shoppers pay with fingerprint).
To first enroll in the system, "customers show a Kroger representative their driver's license and a credit card, and have their fingerprints recorded." A "Kroger representative", hmmm, that sounds secure. Who will these representatives be and how much training will they get? Does one just "show" a credit card and license, or will the card and license be verified somehow?
"Typically their [the customer's] phone number becomes their PIN." Brilliant. Sheer brilliance. No one would ever guess in a million years that the phone number is the PIN, unless, of course, you publish it in a newspaper. And we all know how hard it is to find out someone's phone number. What will the geniuses who designed the system (Biometric Access) come up with next? Your Social Security Number as the PIN? By the way, I love this company's motto, "Biometric Access, Where You're the Key!" Seriously, that is their motto.
Nice "Ewwwww...." factor with this system as well. Sometimes your finger may be too dry to properly scan (not enough electrical conductivity, unlike a gummy finger). What do you do? One customer had "exceptionally dry skin and has to rub her finger behind her ear or against the side of her nose before pressing it on the small SecureTouch window."
Grocery stores might worry that people value their privacy and will resist joining the system. However, the grocery industry can rest assured, according to Lorrie Griffith, associate editor of the Shelby Report, a trade journal specializing in the supermarket industry. Ms. Griffith notes that there are grocery shoppers "who don't even want loyalty cards, because they gather information about you." They are a relatively small percentage of consumers, she said; "Most people are very interested in convenience."
Well. Most people use loyalty cards because otherwise they will have to pay exorbitant prices. Heck, even I, as concerned about my privacy as I am, use loyalty cards - several of them, bearing the names of "George Costanza," "Art Vandelay" and "Keyser Soze." What Ms. Griffith seems to be not-so-subtly hinting at here is that supermarkets might be able to coerce people into using these biometric systems the same way they coerce people into using "loyalty cards."
But Biometric Access isn't the only company in this business. In mid-April, the Seattle Post-Intelligencer reported on another supermarket experiment by BA's arch-rival Indivos (The latest way to pay is at our fingertips).
There are some great quotes in this article from Paul Kapioski, the store owner. For example, "If we can come up with a payment method where there's no opportunity for fraud, then the fees come down." First, as the above should make clear, there are plenty of opportunities for fraud. Second, if lower fees do follow, that creates a clear incentive for stores to coerce (with "discounts") their customers into this system, as Ms. Griffith hinted above.
"Kapioski said he's put about four months into studying the system to remove any doubts, and he claims 'it's foolproof.'" Oops.
"'It takes about one minute to enroll,' Kapioski said." Lots of verification there.
"Employees underwent 15 or 20 minutes of training in the system this week." Gee, I bet all that training will really help them spot fraud, especially when enrolling people in about a minute. I bet all these people were trained to check the signatures on the credit cards too.
"'They [store owners] love [the biometric identification system] because it takes the cash out of the hands of 18-year-old clerks,' [said] Jim Nickerson, [an Indivos] spokesman." These wouldn't happen to be the same 18-year-olds who got the 20 minutes of training and can enroll people in about a minute would they?
Slashdot readers discuss the issue (Your Fingerprint Buys Groceries in Seattle) and (Fun with Fingerprint Readers). The readers have some interesting ideas. I like the one where the criminal watches for those who use the system to pick something up and put it down, and then the criminal buys the item to get the latent print.
The Superman/Clark Kent Biometric Conundrum
Newsbytes reports on an ACLU press release showing how failure-prone facial-recognition systems are (Face Recognition Technology Fails Again, ACLU Claims). According to the report, the facial-recognition system was about as good as a coin toss. The system matched the faces of the volunteers just 455 out of 958 times, or about 47 percent of the time. Read the press release (Data on Face-Recognition Test at Palm Beach Airport Further Demonstrates Systems' Fatal Flaws, ACLU Says) and the report (Facial Recognition System Test Report [PDF]).
My favorite part of the press release is:
The subject could not be wearing glasses: "Eyeglasses were problematic," according to a summary of the test findings. "Glare from ambient light and tinted lenses diminished the system's effectiveness."
Although the company that built the facial-recognition system, Visionics, claims to have co-headquarters in Minnetonka, MN and Jersey City, NJ, I believe that the technology was actually designed by Lois Lane in the city of Metropolis because, like Lois and the citizens of that fair city, the software is apparently unable to recognize that Clark Kent is really Superman.
Additional resources on facial-recognition:
Phil Agre (Your Face Is Not a Bar Code: Arguments Against Automatic Face Recognition in Public Places)