Before the Ink is Dry: Correcting Biometric Spoofing Myths

Before the Ink is Dry: Correcting Biometric Spoofing Myths

Eric Setterberg

System Design Engineer at Fingerprints

Views 465

Before the Ink is Dry: Correcting Biometric Spoofing Myths

18.05.2020 12:45 pm

Biometric authentication is highly robust, and the latest solutions offer considerably greater security than their authentication predecessors: PINs and passwords.

But as biometrics moves into new areas such as payments and access control, privacy and security concerns are rising. Biometrics has long been subject to scrutiny, with many elaborate examples of people working to trick biometric sensors to crack devices in the media and online. 

To ensure the continued adoption of biometrics, it is important to shine a light on the reality of biometric spoofing.   

The Evolution of Biometric Solutions…

The first use of fingerprints as forensic evidence was in an Argentinean court case in the late 1800s. With the technology still in its infancy, this was done manually and by eye, comparing latent residual prints lifted from crime scenes to charts of inked fingerprints obtained from the suspects at arrest.

A few decades later, the FBI began collecting fingerprints of criminals and civilians. They also introduced the automated comparison of fingerprints by computers in the 1970s. These “traditional representations” have now been standardized by ISO and ANSI.

… and their Spoofs

The earliest and simplest of these matching devices were easy to spoof. Really, all you needed was a photocopy or a good image of a fingerprint to make a successful spoof.

But as biometrics moved to more advanced technology, the game for biometric ‘spoofers’ has changed and the task of crafting fake fingerprints is considerably more difficult.

The biggest boost for biometric security, however, came with its introduction into mobile phones.

How Mobile Changed the Game

Before the widespread integration of fingerprint sensors in smartphones, the technology underwent significant evolution. No operator wanted to use large biometric sensors in modern phone designs. Sensors had to become much smaller to reach the perfect price and design point for the mobile world, but this meant needing to capture data from a smaller surface area of the finger. 

To maintain the security of these smaller sensors, algorithms evolved significantly in order to utilize a greater amount of data per unit area. These mobile-driven hardware and software changes resulted in the optimized image capture of modern touch sensors.

As a result, tricking these systems now requires a considerably higher level of detail to be reproduced correctly for a match to be successful, far beyond rudimentary gummi bear spoofs and photocopies… 

Setting the Perfect Spoofing Scenario

Compromising fingerprint authentication via spoofing can still be done, even with all the technological advancements. However, it now requires considerable care, skill, money, and time. And to start, a good latent print…

To retrieve a latent print that’s high quality enough to work, you either need a willing volunteer to lend you their finger, or the commitment to stalk a victim until a viable fingerprint can be retrieved. Even with a decent latent print, modern spoofs then require advanced photoshop skills and/or a lab to successfully convert latent prints into effective moulds.

So - what about those articles boasting how easily they have hacked the latest smartphone device’s fingerprint sensor?

In fact, there are only two instances of fingerprint spoofing seen in the media nowadays: proof of concept and cooperative spoofs. Lay enthusiasts and media go through the effort of setting up a lab to create spoofs with latent fingerprints either from themselves or cooperative volunteers. Even the most successful of these take months of work, a highly skilled team, and the perfect scenario of circumstances. 

Put simply, the effort required for spoofing modern fingerprint sensors cannot be applied at any scale. Each biometric spoof needs to go through the same laborious process and clinical conditions. So, if you can bring together a willing group of spoofing enthusiasts, tricking a biometric device could earn you fifteen minutes of fame on the internet, but it is likely to be conducive to a successful criminal business plan…

A “How” Without a “Why”

Spoofing biometrics remains technically possible, and there will always be those up to the challenge of trying to hack the latest technology. But the reality is that modern biometric solutions require more time, skill, and frankly, luck, to successfully spoof than ever before. Not to mention that tireless R&D work is continuously strengthening spoofing resistance. And, as use cases start to combine multiple biometric authenticators, such as combining fingerprints with face or iris to perform an authentication, spoofing will only become more complex.

By comparison, hacking PINs and passwords is considerably simpler and more scalable, making it far more lucrative. And, criminals generally take the path of least resistance.

For the average consumer, greater use of biometric authentication is not only a means of simplifying authentication, but dramatically improving the security of their devices, applications, and personal data. With PINs and passwords still the most common authentication method outside of mobile, it is imperative that the true security and advanced nature of modern biometric authentication solutions are understood.

To learn about the other biometric misconceptions and gain greater insight into the quality of modern biometric authentication solutions, read our myth-busting eBook

Latest blogs

Nabeel Irshad Mastercard

Two sides of the same coin: Financial and digital inclusion

The issue of how to tackle financial inclusion has long been a part of the conversation in banking and financial services circles. Regulations have ledto the UK’s biggest banks having to provide ‘basic bank accounts’ to cater for those who do not Read more »

Alex Malyshev SDK.finance

The Biggest Danger to Branchless Banking

With a third of the global population on lockdown and scores of bank branches closed, many are convinced that branch banking is dead, and the future is branchless. Is this really true? Branchless alternatives like Revolut, N26, Monzo, and NuBank Read more »

Dima Feldman and Aviv Castro Altair Semiconductor, a Sony Group Company

Constantly tracking anything, anywhere

The internet of things is changing the shape of many businesses. Not only does the IoT herald in greater visibility of production asset effectiveness, improve operational efficiencies, and facilitate more informed decision making, it is also Read more »

Francesca Campanelli Axyon AI

How Fund Managers Can Use AI to Retain Current Investors and Rebuild Client Confidence

After months of market volatility and challenging conditions, fund managers are starting to see a light at the end of the Covid-19 tunnel. Countries are starting to relax their lockdown measures and restart economies, with stock markets reacting Read more »

N/A ReliaMax

College Dreams? Here’s How to Get Accepted

Higher education in the United States is not just about getting accepted, it is about where you get accepted. Sure, there are options, there are seemingly endless options - from community colleges to Ivy League schools and everything in between. The Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel