No doubt: fingerprints fascinated our ancestors. For example, it was a common practice to imprint a fingerprint image on a raw clay tablet as a seal in Hammurabi’s reign. It would serve as a unique ‘signature’ of sorts, which validated deals. Want to buy a Meriz goat or 50 pounds of ripe dates? Press your thumb here and here.
And two millennia before Juan Vucetich struck gold with the first criminal fingerprint database, ancient China under Qin Dynasty had its own folio The Volume of Crime Scene Investigation—Burglary, where handprints were described as an evidence viable for a court hearing — welcome to Xianyang: Crime Scene Investigation.
Today, a fingerprint scanner handily added to a cavalcade of phone models is our best buddy. It’s a loyal treasurer and guardian. Should someone stick their nose into the private data that your phone retains, the scanner will turn into a Cerberus with a stubborn ‘access denied’ message. And every time we want to buy something or pay a bill from a phone, it hardly takes a second to validate a payment with it.
At the first blush fingerprint verification is hacker-proof. No other earthling has the same fingerprints as you. But while it’s true, no one can really vouch for your safety either. Fingerprints can be falsified like anything else. The Antispoofing Wiki confirms it.
The Curse of a Dead Man’s Finger
So, how do you spoof a fingerprint scanner? A notion has persisted for a long time that it’s enough to cut someone’s finger off and use it as a master key to a biometric security system. Luckily, it proved to be a doltish legend.
In 2018 two police detectives had a need to access a dead person’s phone. For that purpose they headed to the funeral home and attempted to unlock the gizmo with a lifeless finger. A somewhat disrespectful experiment failed: the scanner couldn’t do the job due to the lack of electric conductance that a living person’s finger normally has. (Our, for example, sweat contains sodium and chloride — perfect natural electrolytes).
But what a dead man’s finger can’t do, a simple… gummy bear can. A quaint attack scenario was described by two researchers Yulong Zhang and Tao Wei from the FireEye security company. As they highlighted, a source fingerprint could be nicked from any appropriate smooth surface: metal, glass, touchscreen. And then replicated with a tasty gelatin Ursidae.
There’s actually a whole bevy of substances that villains can employ to imitate your fingerprints. For example, you’ve probably seen dental impression material in action — dentists use it to capture your oral structure and occlusion to produce a dental cast.
This material, based on alginic acid, is quite elastic. It easily mimics the rubbery qualities of a human finger pad, which sometimes is enough to fool a verification system. Especially if it’s just optical implying that it simply matches a previously captured photo of your fingerprint.
Besides, when it comes to stealing your fingerprints, miscreants show a devilish creativity. They don’t need to lift your physical fingerprints from coffee cups or electric cigarettes anymore. Government already has millions of those and sometimes their databases get leaked. But there are plenty more nefarious tactics!
One of them is to upload a spy app that is disguised as a benign and useful mobile application or a game. Once you install it, it will promptly ask you to ‘confirm your identity’ via a fingerprint. Or in a more insidious manner it will urge you to touch the screen section exactly where the scanner is located. The pretext can be absolutely unpredictable: calibrating the screen, grabbing a super-duper bonus, selecting a playbale character, and so on.
And to top it all off, a horrific case of fingerprint theft occurred in 2015. A hacker under an alias Starbug used a VeriFinger app and a few hi-def photos, in which Ursula von der Leyen’s palms and fingers were clearly visible. With this simple arsenal he managed to replicate her fingerprints.
Eye, Me, Mine
Incredible, but true: eyes are even more unique than fingerprints. While the chance for two fingerprints to be identical is 1 in 64 billion, for the human iris it’s even higher. Odds are, the heat death of the universe will come sooner than two humans with identical irises will be born.
The reason why: human iris has 260 key points that allow a virtually 101% accurate personal verification. What’s even better, it’s fully contactless and unintrusive. You don’t need to touch anything, provide a saliva sample or prove Polignac’s conjecture to get verified.
The problem, as with any part of our body, is that it also can be replicated. In fact, it’s even easier to achieve than stealing your fingerprints: people have loads of hi-res photos online thanks to the splendid phone cameras capable of registering pigmented epithelial cells and other iris components.
After the source material is obtained, a whole spoofing quest begins. Usually, digital thugs will produce an eye lens that cautiously repeats subtleties of your eye retina’s constitutional patterns and color. But it’s the easy mode.
In hard mode they will produce an entire prosthetic eye from scratch. What used to be a privilege of Drake-era pirates and Sammy Davis is now also a crime tool. It takes about 3.5 hours to produce a synthetic plastic eye from scratch. And the finished prosthesis will be hard to tell from a legitimate peeper — all thanks to the artful coloring.
Multimodality Strikes Back…?
Alas, but no verification system is perfect. Human mind is vivid and versatile, in many cases moving one step ahead of the most advanced AIs and other hi-tech mumbo-jumbo. However, there’s a way out.
Combining two separate liveness systems into one — like eye and fingerprint verification — dramatically handicaps fraudsters. It’s already a costly hassle to fool one state-of-the-art system with a high-quality fake body part.
And when there are two of them, chances for success dip faster than a hungry hawk swooping down for a ferret. So, three cheers for duplicate biometric verification.