Before the Ink is Dry: Correcting Biometric Spoofing Myths

Before the Ink is Dry: Correcting Biometric Spoofing Myths

Eric Setterberg

System Design Engineer at Fingerprints

Views 704

Before the Ink is Dry: Correcting Biometric Spoofing Myths

18.05.2020 12:45 pm

Biometric authentication is highly robust, and the latest solutions offer considerably greater security than their authentication predecessors: PINs and passwords.

But as biometrics moves into new areas such as payments and access control, privacy and security concerns are rising. Biometrics has long been subject to scrutiny, with many elaborate examples of people working to trick biometric sensors to crack devices in the media and online. 

To ensure the continued adoption of biometrics, it is important to shine a light on the reality of biometric spoofing.   

The Evolution of Biometric Solutions…

The first use of fingerprints as forensic evidence was in an Argentinean court case in the late 1800s. With the technology still in its infancy, this was done manually and by eye, comparing latent residual prints lifted from crime scenes to charts of inked fingerprints obtained from the suspects at arrest.

A few decades later, the FBI began collecting fingerprints of criminals and civilians. They also introduced the automated comparison of fingerprints by computers in the 1970s. These “traditional representations” have now been standardized by ISO and ANSI.

… and their Spoofs

The earliest and simplest of these matching devices were easy to spoof. Really, all you needed was a photocopy or a good image of a fingerprint to make a successful spoof.

But as biometrics moved to more advanced technology, the game for biometric ‘spoofers’ has changed and the task of crafting fake fingerprints is considerably more difficult.

The biggest boost for biometric security, however, came with its introduction into mobile phones.

How Mobile Changed the Game

Before the widespread integration of fingerprint sensors in smartphones, the technology underwent significant evolution. No operator wanted to use large biometric sensors in modern phone designs. Sensors had to become much smaller to reach the perfect price and design point for the mobile world, but this meant needing to capture data from a smaller surface area of the finger. 

To maintain the security of these smaller sensors, algorithms evolved significantly in order to utilize a greater amount of data per unit area. These mobile-driven hardware and software changes resulted in the optimized image capture of modern touch sensors.

As a result, tricking these systems now requires a considerably higher level of detail to be reproduced correctly for a match to be successful, far beyond rudimentary gummi bear spoofs and photocopies… 

Setting the Perfect Spoofing Scenario

Compromising fingerprint authentication via spoofing can still be done, even with all the technological advancements. However, it now requires considerable care, skill, money, and time. And to start, a good latent print…

To retrieve a latent print that’s high quality enough to work, you either need a willing volunteer to lend you their finger, or the commitment to stalk a victim until a viable fingerprint can be retrieved. Even with a decent latent print, modern spoofs then require advanced photoshop skills and/or a lab to successfully convert latent prints into effective moulds.

So - what about those articles boasting how easily they have hacked the latest smartphone device’s fingerprint sensor?

In fact, there are only two instances of fingerprint spoofing seen in the media nowadays: proof of concept and cooperative spoofs. Lay enthusiasts and media go through the effort of setting up a lab to create spoofs with latent fingerprints either from themselves or cooperative volunteers. Even the most successful of these take months of work, a highly skilled team, and the perfect scenario of circumstances. 

Put simply, the effort required for spoofing modern fingerprint sensors cannot be applied at any scale. Each biometric spoof needs to go through the same laborious process and clinical conditions. So, if you can bring together a willing group of spoofing enthusiasts, tricking a biometric device could earn you fifteen minutes of fame on the internet, but it is likely to be conducive to a successful criminal business plan…

A “How” Without a “Why”

Spoofing biometrics remains technically possible, and there will always be those up to the challenge of trying to hack the latest technology. But the reality is that modern biometric solutions require more time, skill, and frankly, luck, to successfully spoof than ever before. Not to mention that tireless R&D work is continuously strengthening spoofing resistance. And, as use cases start to combine multiple biometric authenticators, such as combining fingerprints with face or iris to perform an authentication, spoofing will only become more complex.

By comparison, hacking PINs and passwords is considerably simpler and more scalable, making it far more lucrative. And, criminals generally take the path of least resistance.

For the average consumer, greater use of biometric authentication is not only a means of simplifying authentication, but dramatically improving the security of their devices, applications, and personal data. With PINs and passwords still the most common authentication method outside of mobile, it is imperative that the true security and advanced nature of modern biometric authentication solutions are understood.

To learn about the other biometric misconceptions and gain greater insight into the quality of modern biometric authentication solutions, read our myth-busting eBook

Latest blogs

Darren Capehorn Icon Solutions

Unbanked and Unconnected: Supporting Financial Inclusion Beyond Digital

Many of us take it for granted, but accessing basic financial services is fundamental to our economic and social development. It is hard to ‘get on’ if you are forced to hide life savings under the mattress, or rely on predatory loan sharks for Read more »

Konstantin Demishev Archer Software

How Machine Learning Helps Fintech Companies Detect Fraud

Machine learning (ML) is one of the most discussed technological tools, and if in the past only a few companies could use it due to high cost and lack of resources, today many industries use ML. The financial sector is not an exception and embraces Read more »

Nish Kotecha Finboot and Bryan Foss, NED, Visiting Professor at Bristol Business School and member of the FRC Audit & Assurance Council

How Listed Companies Can Use Blockchain to Prevent Auditing and Reporting Malpractice and Avoid Scandal

Not too long ago, there was very little to link Wirecard, the disgraced payments platform in Aschheim, Germany, with Boohoo, the fast-fashion online retailer in Leicester, England, but both have recently been embroiled in high-profile scandals. Read more »

Leon Muis Yolt Technology Services

The Time for Financial Services to Become Truly Digital is Now

The financial services industry looks set to change dramatically over the next couple of years in response to COVID-19. The pandemic has certainly highlighted some inefficiencies and weak spots in current processes for many businesses, such as those Read more »

Granville Turner Turner Little

The Lockdown Money Revolution

Many Brits have found that lockdown has been beneficial for their money, having cut back on personal spending and managing to put away some extra cash. According to eToro, Brits with unspent discretionary income are set to accumulate £75.5bn in Read more »

Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel