Using a Fake Hand to Defeat Hand-Vein Biometrics

Nice work:

One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example.

But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

"It's enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them," Krissler explained. In all, the pair took over 2,500 pictures over 30 days to perfect the process and find an image that worked.

They then used that image to make a wax model of their hands which included the vein detail.

Slashdot thread.

from https://www.schneier.com/blog/

Using Machine Learning to Create Fake Fingerprints

Researchers are able to create fake fingerprints that result in a 20% false-positive rate.

The problem is that these sensors obtain only partial images of users' fingerprints -- at the points where they make contact with the scanner. The paper noted that since partial prints are not as distinctive as complete prints, the chances of one partial print getting matched with another is high.

The artificially generated prints, dubbed DeepMasterPrints by the researchers, capitalize on the aforementioned vulnerability to accurately imitate one in five fingerprints in a database. The database was originally supposed to have only an error rate of one in a thousand.

Another vulnerability exploited by the researchers was the high prevalence of some natural fingerprint features such as loops and whorls, compared to others. With this understanding, the team generated some prints that contain several of these common features. They found that these artificial prints were more likely to match with other prints than would be normally possible.
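The gap between the database's nominal one-in-a-thousand error rate and the one-in-five match rate quoted above comes from the difference between an average over random impostor pairs and a template an attacker has chosen on purpose. The following toy model is an added example, not code from the DeepMasterPrints paper or from the post. It makes these assumptions: a partial print is reduced to 64 independent binary features; 56 of them are "common" features (standing in for loops and whorls) present in 80% of the constructed population and the other 8 are coin flips; the matcher accepts two prints that disagree in at most some threshold of features; and that threshold is calibrated so that random impostor pairs match one time in a thousand. The attacker's template then simply takes the majority value of every feature (one greedy step in place of the paper's GAN-based search), and the code computes exactly what fraction of the population that single template is accepted as.

```python
"""Toy model of a master-print attack on a partial-fingerprint matcher.

Added, constructed example: not the DeepMasterPrints code and not a real
fingerprint matcher. Prints are reduced to independent binary features.
"""


def hamming_pmf(disagree_probs):
    """Exact distribution of how many features disagree, for independent
    features with the given per-feature disagreement probabilities."""
    pmf = [1.0]
    for q in disagree_probs:
        nxt = [0.0] * (len(pmf) + 1)
        for d, mass in enumerate(pmf):
            nxt[d] += mass * (1.0 - q)
            nxt[d + 1] += mass * q
        pmf = nxt
    return pmf


def cdf_at(pmf, t):
    """P(distance <= t); t == -1 means the matcher accepts nothing."""
    return sum(pmf[: t + 1]) if t >= 0 else 0.0


def calibrate_threshold(prevalence, target_fmr):
    """Largest acceptance threshold whose false-match rate over *random*
    impostor pairs stays <= target_fmr. Returns (threshold, achieved_fmr).
    Two unrelated prints disagree on feature i with probability 2*p_i*(1-p_i)."""
    impostor = hamming_pmf([2.0 * p * (1.0 - p) for p in prevalence])
    t = -1
    while t + 1 < len(impostor) and cdf_at(impostor, t + 1) <= target_fmr:
        t += 1
    return t, cdf_at(impostor, t)


def master_print_rate(prevalence, threshold):
    """Adversarial template: for every feature take the value most common in
    the population (a single greedy step; the paper evolves whole images with
    a GAN instead). Returns the fraction of enrolled prints it matches.
    The master disagrees with a random print on feature i w.p. min(p_i, 1-p_i)."""
    attack = hamming_pmf([min(p, 1.0 - p) for p in prevalence])
    return cdf_at(attack, threshold)


def run(n_common=56, n_other=8, common_prevalence=0.8, target_fmr=1e-3):
    """Assumed population: n_common features shared by most prints (loops,
    whorls, ...) plus n_other coin-flip features. Returns the calibrated
    threshold, the random-impostor FMR and the master print's match rate."""
    prevalence = [common_prevalence] * n_common + [0.5] * n_other
    threshold, fmr = calibrate_threshold(prevalence, target_fmr)
    rate = master_print_rate(prevalence, threshold)
    return {
        "threshold": threshold,
        "fmr_random_impostor": fmr,
        "master_print_match_rate": rate,
        "amplification": rate / fmr if fmr else None,
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With the assumed population the calibrated threshold keeps random impostors below 0.1%, while the majority-value template is accepted for several percent of the population, tens of times the advertised rate. The lesson for anyone specifying a biometric: a false-match rate measured on random impostor pairs is a population average, and it says nothing about a template an adversary has optimised against the population's feature statistics. Raising `common_prevalence` shows the amplification growing as features become more common, which is the effect the quoted article attributes to loops and whorls.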

If this result is robust -- and I assume it will be improved upon over the coming years -- it will make the current generation of fingerprint readers obsolete as secure biometrics. It also opens a new chapter in the arms race between biometric authentication systems and fake biometrics that can fool them.

More interestingly, I wonder if similar techniques can be brought to bear against other biometrics as well.

Research paper.

Slashdot thread

from https://www.schneier.com/blog/

Troy Hunt on Passwords

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems:

This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that. Nor will the technical prowess of [insert thing here] change the discussion because it simply can't compete with passwords on that one metric organisations are so focused on: usability. Sure, there'll be edge cases and certainly there remain scenarios where higher-friction can be justified due to either the nature of the asset being protected or the demographic of the audience, but you're not about to see your everyday e-commerce, social media or even banking sites changing en masse.

He rightly points out that biometric authentication systems -- like Apple's Face ID and fingerprint authentication -- augment passwords rather than replace them. And I want to add that good two-factor systems, like Duo, also augment passwords rather than replace them.

Hacker News thread.

from https://www.schneier.com/blog/

Database Policing: Can Your Personal Data Be Used to Arrest You?

If police find incriminating evidence against you in the course of an identity check, are they entitled to make an arrest?

Police now have access to a broad expanse of databases detailing information on individuals, but there are few limitations on how they can obtain or use this information, according to a forthcoming study in the Iowa Law Review.

The study, by Florida State University College of Law professor Wayne A. Logan, warns that even as technology has rapidly increased police capabilities for discovering personal information about suspects, such as the use of “remote biometric identifiers” which allow people to be identified without physical seizures or demands for identification, Constitutional protections against unreasonable search and seizure and against self-incrimination have not been broadened to cover them.

“Taken together, the proliferation of databases, their inter-operability, and the ease with which information can be retrieved from them (by computer laptops, tablets and handheld devices), has fostered a revolution in policing akin to that of the introduction of patrol cars and two-way radios,” the study said.

“As two policing scholars [Stephen Mastrofski and James Willis] recently put it, officers today engage in ‘database policing’ in the search of ‘hits.’ ”

The study notes that so far the Supreme Court has provided scant protection, citing Utah v. Strieff, a 2016 ruling upholding law enforcement's right to use personal identity data that reveals a previous criminal matter, even when the suspect was stopped and questioned unlawfully.

In Strieff, a Salt Lake City police officer unlawfully seized Edward Strieff outside a house after receiving a tip that drug dealing was going on there. On checking his identity, in a government database, the officer discovered Strieff was the subject of a “minor traffic warrant.” He then arrested Strieff and searched him, finding drug paraphernalia and methamphetamine. The court validated the search, saying the traffic warrant was an “intervening circumstance.”

Officers around the country have come to rely on this wealth of identity-related information in databases to make arrests, the study said.

In Chicago, officers can access a “Strategic Subject List” and a “Heat List” which assesses individuals who are likely to be involved in future crimes. New York City has a “Domain Awareness System” which aggregates information from sources like video surveillance tapes, license plates, and arrest records.

Having access to these types of information is especially harmful if police obtain a person’s identity unlawfully, as Logan argues was the case in Utah v. Strieff.

“Properly viewed, identity information is an evidentiary fruit that should be subject to suppression when it is unlawfully secured by police,” said the study.

“Without it, information associated with an individual lies inert in government databases; with it, police can stop, arrest, search and question individuals they encounter on street patrol.”

Logan argued that the most serious danger is that the information collected in personal databases could be incorrect or wrongly interpreted.

“One might argue ... that wrongdoing is wrongdoing and any violation of law should preclude grousing about negative consequences,” he wrote.

But quoting one scholar as saying, “[t]he consequences of arrests simply cannot be waved away on the ground that they are deserved,” Logan pointed out that “failure to appear is often the result of innocent mistake, such as being unaware of, or forgetting the date for, a court appearance, or is excusable, due to illness, inability to leave work, child care responsibilities, or unforeseen personal emergencies.”

“It can also be the case that significant court costs, system fees, and fines, deter individuals from appearing,” he continued.

The full report, entitled “Policing Police Access to Criminal Justice Data,” can be downloaded here.

This summary was prepared by TCR news intern Marianne Dodson. Readers’ comments are welcome.

from https://thecrimereport.org

Apple FaceID Hacked

It only took a week:

On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking.

The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true.

I don't think this is cause for alarm, though. Authentication will always be a trade-off between security and convenience. FaceID is another biometric option, and a good one. I wouldn't be less likely to use it because of this.

FAQ from the researchers.

from https://www.schneier.com/blog/

Hacking a Fingerprint Biometric

Embedded in this story about infidelity and a mid-flight altercation, there's an interesting security tidbit:

The woman had unlocked her husband's phone using his thumb impression when he was sleeping...

from https://www.schneier.com/blog/

Heart Size: Yet Another Biometric

Turns out that heart size doesn't change throughout your adult life, and you can use low-level Doppler radar to scan the size -- even at a distance -- as a biometric.

Research paper (to be available soon).

from https://www.schneier.com/blog/