What do Gummi Bears and amputated fingers have in common? They’ve both been demonstrated as techniques for defeating fingerprint scanners. Now, a German company called Dermalog Identification Systems is using the way skin changes colour under pressure to block both the soft sweet and the dead hand of the zombie from accessing …
Now if someone could develop some sort of webcam that spots braindead users, that could help me tremendously in my job.
And spot ...
... chopped off arms?
Chilly in QA
How many QA departments keep a stock of the freshly deceased on the premises.
And how many subjects did they test. And were they all white. Were blacks and Asians included? Does a sun tan affect it. What about Albinos?
Not just that
Vibration-white-finger, colour-calibration on the cameras being out, someone sweating, someone with high/low blood pressure (people literally "go white" when their blood pressure is low), someone hyped on adrenaline (same effect, visible in anyone that is experiencing fight-or-flight, used as an indicator by anyone with knowledge of self-defence: red face = he's mad but you're safe for the moment, white face = run or get ready to fight back, and now you can't get into your building because the serial killer chasing you has made your adrenaline flood your limbs instead of blood).
My bet is that it will be fooled by someone holding a CLEAR, very thin Gummi bear (or even just simple PVA-glue-skin with the right imprint) over their real finger. Did they test that? It took me all of five seconds to imagine one way around it, and would probably take only a day of testing on the system to make it a viable attack.
Read the article
The detail was the change in the way the skin absorbed light when pressed against the pad, not the specific colours.
Excuse me for being thick.
But I was under the assumption that different colours absorb light differently. The article mentions specific wavelengths, which translate to specific colours; I could understand your point if the article stated pressure causes an x nanometre shift in wavelength (due to the blood moving), but it doesn't.
That's not how colors work
It's not quite correct to say wavelengths translate to specific colors. Yes pure light of a given wavelength has a color, but most colors we see in everyday life cannot be expressed as a single wavelength, they're made up of a combination. So I'm pretty sure that's not what they mean. I think they mean the finger's absorption of light at those specific frequencies. I imagine 550nm (green band, a bit on the yellow side) is absorbed by the blood itself, which should be pretty consistent between humans. The other part, 1650nm, is a little less obvious, but in any, it's infrared, so definitely not a skin color in the traditional sense.
No-one will ever be able to make a material that can change colour under pressure. And even if they could, why would they go to such efforts merely to bypass fingerprint security?
They don't need to. What about an "almost" clear material over a real finger? The colour and fingerprint don't have to be the same finger, necessarily. The system probably isn't clever enough to detect that, especially if it blurs the underlying fingerprint just enough to make it flat but let colour through and then the camera will "see" the right fingerprint and the right colour from two different objects. Sure, there are probably countermeasures but it quickly becomes more expensive for the sake of some incredibly low-tech "hacks".
And fingerprint security is the most ridiculous form ever but controls a lot of things. Hint: If you want access to a secure building (like a lot of schools nowadays) you just need to stick a gummi bear over a existing fingerprint (my bet would be the gate/door handle next to the fingerprint reader) and then put it on the fingerprint reader. You would be accepted as a valid user (hence the gummi-bear being renowned as completely defeating fingerprint security), allowed entrance and nobody would know who you were. It takes seconds and gets you into everything from private home to schools to industry to military complexes (not to mention encrypted off-the-shelf fingerprint-capable laptops like the Thinkpads).
My daughter's nursery wanted my fingerprint in order to verify who collected her. You literally cannot get into the building without having your fingerprint taken and checked at every entrance. Once inside, they don't care who you are (yes, that's stupid but it's how fingerprint technology is perceived), because the fingerprint-reader verified you as a parent. At which point I told them that they wouldn't be getting my print and enquired about their procedures (which included - if I phoned them and told them that someone new was picking my daughter up, they would open the door for them and not require fingerprints or ID at all - and the phone call validation would be nothing more than SOMEONE phoning up and they had no way to tell if it was me or not). It was all a waste of time with SO much effort put into expensive equipment wasted by trusting it blindly.
I could, literally, have stolen any child from that nursery using a gummi bear, or even just a previous phone call using the name of a parent.
I couldn't agree more.
(Btw, how many kids did you nick?)
Voting with your finger
Government depts and stuff are hard to avoid. But braindead nurseries are just private companies (selling YOU a service) in a crowded market: why did you use them? Personally I'd have told them to go and get stuffed rather than have my fingerprints.
They don't have my fingerprints. Precisely because of this stupidity.
Army of dead lawyers
I note the article says the living test subjects had volunteered. But had the deceased? I see a zombie rights issue looming (or possibly lumbering) in the future.
Doesn't fix the real problem.
This is all good and well, though something that one would expect to've been thought of before deploying fingerprint reading around the globe. Apparently that just wasn't important, just like making sure facial recognition scanners on Blighty's airports being able to discern husband from wife wasn't important. Heck, making the darn things work at all wasn't important. Bit of a sign on the wall, all that.
The real problem is that no matter how hard you make it to fake, redress after succesful faking will remain harder. And this also doesn't address the recently measured at a fingerprints-for-passports station over in the Netherlands of a somewhere over 20% failure to match up after initial fingerprinting. Thus it stands that the fingerprintee is still less important than the virtual person with the synthetic identity being "identified". That is, the paperwork trumps the living human every time, regardless of whether he's impersonating, impersonated, or the real deal. And what was that paperwork for in the first place, eh?
What's government for? Why, carrying on regardless of reality, of course.
The real problem is that the sort of person that would chop off body parts to use on a biometric scanner is unlikely to realise/care it won't work.
Different face on the same problem.
It boils down to this: You, the human, are expendable.
The technology doesn't really do what the people deploying it say it is supposed to do, yet we're forced to comply anyway. I, as a thoroughly nerdy and un-social person, think this highly offensive and would like to go back to old fashioned personal checks. As mentioned elsethread, say, schools would do far better to know just who they're teaching and who the parents are rather than trying to substitute technology for all that. The former is their bloody job and the latter is just more costs leading to pointless fingerpointing once it inevitably goes wrong worse than when people keep using their heads now and then in practice. Last I checked I was still socially inept but not quite a robot, thanks.
I thought other solutions had been found ages ago.
The one that comes to my mind is simply to detect whether blood is flowing in the tested appendage, using the same IR method that is used in hospitals to measure the patents pulse?
Certain establishments I have to attend rely on several full hand print scans complete with checks to see if it is still attached before you progress another 10 metres into their lovely site.
Boy is it a pain in the arse then the pass expires @ 00:00 and you can't get out of the damn place and there's nobody there to reauthorise your credentials
At a datacenter I visited years ago...
...the thumbprint reader looked for a pulse.
The last thumbprint reader system I had installed looked for a pulse as well. Funny thing is that one of the owners of the company, a man with a two-pack-a-day habit had terribly poor circulation (big surprise) and he was often locked out of his own company. Within two weeks I was told to replace it with a swipe-card system with proximity readers at the executive door so he wouldn't even have to take his wallet out.
The best laid plans...
That probably explains it.
I have access to a building and data center floor for work. It took about two days and more tries than I have fingers to get a print into the system that would let me open the doors.
I suspect that they are already working on a workaround, and it will probably be ready within a week.
The WorkAround is...a wheel-around...
Take the necessay prints WITH the whole body. If the credentialed fingerprints are attached to a dead body, "reanimate" it in a wheelchair hiding circulation pumps. A faux colostomy bag or some hoses entering and exiting at various circulation-producing points (abdomen, toes, rectum) and sealant and good testing can probably get a few hours out of a body.
But, to make it lol, talk, drool, and hold coherent conversation? Animatronix and respiration attachments required. In any case, you might wind up (or down) with a Captain Christopher Pike or a Professor John Gil...
I can see blackhats and morticians working on this body of knowledge....
Tell Leicester about this
Leicester City Council should be putting this in all their buildings to defend against zombie attack.
How are the employess going to get in?
Mine's the one with a pocket full of severed fingers.
Oh good ...
Now please make sure all the finger-chopping intruders are informed before they get near me!
Does it work in Winter?
Imagine, it's 20below(Celsius. no F! clue as to what it's in Fahrenheit), you pull of your glowe, shuffle a bit, drop the glowe and pick it up again... Then you press your now very cold finger against the reader...
Guess what, one of your body's defese mechanisms against cold is to contract the blood vessels near the skin and extremeties to reduce bloodflow(and heat loss) there.
I may want a particular zombie to be able to pass the fingerprint scan, just not some other random zombie...
Maybe it'd be possible to use stem cells to grow a new finger with the desired fingerprint? You could even have the extra finger grafted on in a sort of "shared key" arrangement.
^^ Or a thumb, I suppose.
Just duplicating DNA isn't enough to duplicate a fingerprint. If you can find a way to grow a reliable fingerprint, though, I like the second part of the idea. :-)
If Identical Twins don't have the same fingerprints...
..then the farmed finger probably won't match, either. Fingerprints have a chaos factor in their production: they're as much a product of environment as they are the DNA. And since physics as we know it prevents two people from being in the exact same place at the exact same time, the end result are two distinct sets of prints. That's one reason why fingerprints are still kept even in an era of DNA testing.
I hadn't expected the DNA alone to form the correct fingerprint - and anyway the stem cells would be from the recipient, not the fingerprint donor.
I'd sort of imagined using a framework or mold of some sort to shape the growing cells into the required print. Or maybe some sort of micro electronic or printing trickery.
Why not check for a pulse?
Dead easy(pardon the pun), skin-colour-insensitive and doesn't rely on surface capillaries.
BTW: most school lunch/hand scanners _don't_ rely on fingerprints, but instead use infrared to look at the vein pattern within a hand - these are just as unique and a lot harder to copy/fake using a gummi bear.
Will the CCC post instructions for Wolfgang Schauble's prints on a better fake finger?
A more gruesome alternative
Garrot the finger before cutting it off.
see US Patent 5737439, published in 1998.
Speaking of vein patterns...
Retina scans, combined with fingerprints, vein patterns, and ana-rectal webbing and vein patterns would deep eye-dent-ify a contiguous, valid person and weed out body doubles. Of course, in most societies, this would endtroduce a whole new meaning to bending over to endvasive access.
The really gruesome part of this is if some nefarios go into the biz of stealing valuable whole a$$holes to gain access to some facility... Could probably upend the organ theft black market
Different solutions exist
There is a balance between cost and functionality to be struck, but the "missing body" problem was also solved by a US provider whose swipe reader is based on radio technology. Their matrix sense out radio signals, which get absolved by ridges connected to a large enough mass to dampen the signal. If you use a "disconnected" finger or use a fingerprint cover like wood glue to swipe, you change the capacity, and the thing won't work.
Good to see they keep working on it, but their solution probably needs a bit of work before it becomes affordable (I'm assuming here their principle is right, of course). Meanwhile, keep using the other kit..
Do they have a real chopped-off finger with which they can test their new scanner?
Dunno who the guy in the tiny little icon is, but he looks like the sort of person who would have a severed finger in one of his pockets.
Yes, yes they did.
It says so at the bottom of the article.
"False Finger Detection" has been done before..
The Australian developed "Fingerscan" technology of early 1990s vintage had a method to detect "false fingers". IIRC they took the image using multiple flashes at slightly different angles. A living finger with *some* blood flowing through it would come through a little darker. I don't remember having to press particularly hard on the scanner surface. The system had a "False Finger Index" setting which you "tuned" for users with circulation issues. It sounds like it was taking advantage of the same light absorbing characteristics described in the paper, albeit in a less sophisticated way via old fashioned image processing algorithms. Looking for a real time *change* in light absorption by scanning, rescanning and comparing is a tad more sophisticated. And of course it has to be "thumbs up!"
I hope it works for black people...
It'd be a hell of an embarrassment (hello, HP webcam face detection!) if it didn't work on dark fingers.
- Review Reg man looks through a Glass, darkly: Google's toy ploy or killer tech specs?
- +Comment 'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Rejoice, Windows fans: Stable 64-bit Chromium drops for Win 7 and 8