Hacking Your Fingerprints

Andrew Sullivan — Dec 30 2014 @ 5:33pm


It can be done from photographs:

In his talk at the Chaos Computer Club — Europe’s largest hacker organization — Jan Krissler said he used a high-profile target for his attempt: German defense minister Ursula von der Leyen. Krissler, also known by the pseudonym “Starbug,” used several close-range photos from a “standard photo camera” of von der Leyen’s hand from a few angles before creating an image of her thumbprint via VeriFinger, a software program used to read fingerprints.

In a 2013 interview, the same hacker panned Apple’s fingerprint reader:

Biometry just also has its weaknesses. Unlike passwords that are either right or wrong, there is always a certain probability of match. Therefore the TouchID scanner isn’t really a security method, but a comfortable method. Had Apple made the mechanism more secure, too many people would have struggled turning on their iPhone and too many people would have been rejected too often.

Many don’t use any passcode on their smartphone at all, whereas using a fingerprint is still better than nothing – as Apple said at the launch. But it’s obviously about convenience and ease of use, not about security. Therefore I would not even want to rate TouchID associated with security practices.

However, Emil Protalinski thinks it’s “important to keep the findings in perspective”:

Even if reproducing a fingerprint was a viable method for breaking into a system, be it a smartphone or a high-security vault, this news doesn’t mean that fingerprints are suddenly useless. Perfect security measures do not exist, and fingerprints definitely still have their place. They can still be more secure than PIN codes in many cases, and can always be used in conjunction with them or other types of passwords for multiple layers of security.

Megan Geuss considers alternatives to fingerprints:

Fingerprints have been favored in the past as biometric identifiers, but because fingerprints can be reproduced, some security experts have recommended biometric keys that are less dependent on a single aspect of a person’s body. For example, earlier this month researchers were able to identify people using only video shot from a camera on a fixed point on their body by recreating defining characteristics of the target person’s gait. Vein pattern analysis is also considered a potential way to identify a person without leaning on an outwardly identifiable physical trait.