Fingerprint scans learn to spot chopped-off fingers

What do Gummi Bears and amputated fingers have in common? They’ve both been demonstrated as techniques for defeating fingerprint scanners. Now, a German company called Dermalog Identification Systems is using the way skin changes colour under pressure to block both the soft sweet and the dead hand of the zombie from accessing …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Great!

    Now if someone could develop some sort of webcam that spots braindead users, that could help me tremendously in my job.

  2. Doug Glass
    Go

    And spot ...

    ... chopped off arms?

  3. Anonymous Coward
    Devil

    Chilly in QA

    How many QA departments keep a stock of the freshly deceased on the premises?

  4. Anonymous Coward
    FAIL

    Skin colour

    And how many subjects did they test? And were they all white? Were blacks and Asians included? Does a sun tan affect it? What about Albinos?

    1. Lee Dowling Silver badge
      FAIL

      Not just that

      Vibration-white-finger, colour-calibration on the cameras being out, someone sweating, someone with high/low blood pressure (people literally "go white" when their blood pressure is low), someone hyped on adrenaline (same effect, visible in anyone that is experiencing fight-or-flight, used as an indicator by anyone with knowledge of self-defence: red face = he's mad but you're safe for the moment, white face = run or get ready to fight back, and now you can't get into your building because the serial killer chasing you has made your adrenaline flood your limbs instead of blood).

      My bet is that it will be fooled by someone holding a CLEAR, very thin Gummi bear (or even just simple PVA-glue-skin with the right imprint) over their real finger. Did they test that? It took me all of five seconds to imagine one way around it, and would probably take only a day of testing on the system to make it a viable attack.

    2. NogginTheNog
      Thumb Down

      Read the article

      The detail was the change in the way the skin absorbed light when pressed against the pad, not the specific colours.

      1. Anonymous Coward
        Anonymous Coward

        Excuse me for being thick.

        But I was under the assumption that different colours absorb light differently. The article mentions specific wavelengths, which translate to specific colours; I could understand your point if the article stated pressure causes an x nanometre shift in wavelength (due to the blood moving), but it doesn't.

        1. Old Handle
          Boffin

          That's not how colors work

          It's not quite correct to say wavelengths translate to specific colors. Yes, pure light of a given wavelength has a color, but most colors we see in everyday life cannot be expressed as a single wavelength; they're made up of a combination. So I'm pretty sure that's not what they mean. I think they mean the finger's absorption of light at those specific frequencies. I imagine 550nm (green band, a bit on the yellow side) is absorbed by the blood itself, which should be pretty consistent between humans. The other part, 1650nm, is a little less obvious, but in any case, it's infrared, so definitely not a skin color in the traditional sense.

  5. Ru
    Facepalm

    Awesome

    No-one will ever be able to make a material that can change colour under pressure. And even if they could, why would they go to such efforts merely to bypass fingerprint security?

    1. Lee Dowling Silver badge

      Awesome?

      They don't need to. What about an "almost" clear material over a real finger? The colour and fingerprint don't have to be the same finger, necessarily. The system probably isn't clever enough to detect that, especially if it blurs the underlying fingerprint just enough to make it flat but let colour through and then the camera will "see" the right fingerprint and the right colour from two different objects. Sure, there are probably countermeasures but it quickly becomes more expensive for the sake of some incredibly low-tech "hacks".

      And fingerprint security is the most ridiculous form ever but controls a lot of things. Hint: If you want access to a secure building (like a lot of schools nowadays) you just need to stick a gummi bear over an existing fingerprint (my bet would be the gate/door handle next to the fingerprint reader) and then put it on the fingerprint reader. You would be accepted as a valid user (hence the gummi-bear being renowned as completely defeating fingerprint security), allowed entrance and nobody would know who you were. It takes seconds and gets you into everything from private home to schools to industry to military complexes (not to mention encrypted off-the-shelf fingerprint-capable laptops like the Thinkpads).

      My daughter's nursery wanted my fingerprint in order to verify who collected her. You literally cannot get into the building without having your fingerprint taken and checked at every entrance. Once inside, they don't care who you are (yes, that's stupid but it's how fingerprint technology is perceived), because the fingerprint-reader verified you as a parent. At which point I told them that they wouldn't be getting my print and enquired about their procedures (which included - if I phoned them and told them that someone new was picking my daughter up, they would open the door for them and not require fingerprints or ID at all - and the phone call validation would be nothing more than SOMEONE phoning up and they had no way to tell if it was me or not). It was all a waste of time with SO much effort put into expensive equipment wasted by trusting it blindly.

      I could, literally, have stolen any child from that nursery using a gummi bear, or even just a previous phone call using the name of a parent.

      1. Anonymous Coward
        Anonymous Coward

        @Lee Dowling

        I couldn't agree more.

        (Btw, how many kids did you nick?)

      2. Anonymous Coward
        WTF?

        Voting with your finger

        Government depts and stuff are hard to avoid. But braindead nurseries are just private companies (selling YOU a service) in a crowded market: why did you use them? Personally I'd have told them to go and get stuffed rather than have my fingerprints.

        1. Lee Dowling Silver badge

          @Anon

          They don't have my fingerprints. Precisely because of this stupidity.

  6. Anonymous Coward
    Terminator

    Army of dead lawyers

    I note the article says the living test subjects had volunteered. But had the deceased? I see a zombie rights issue looming (or possibly lumbering) in the future.

  7. Anonymous Coward
    Anonymous Coward

    Doesn't fix the real problem.

    This is all good and well, though something that one would expect to've been thought of before deploying fingerprint reading around the globe. Apparently that just wasn't important, just like making sure facial recognition scanners on Blighty's airports being able to discern husband from wife wasn't important. Heck, making the darn things work at all wasn't important. Bit of a sign on the wall, all that.

    The real problem is that no matter how hard you make it to fake, redress after successful faking will remain harder. And this also doesn't address the recently measured at a fingerprints-for-passports station over in the Netherlands of a somewhere over 20% failure to match up after initial fingerprinting. Thus it stands that the fingerprintee is still less important than the virtual person with the synthetic identity being "identified". That is, the paperwork trumps the living human every time, regardless of whether he's impersonating, impersonated, or the real deal. And what was that paperwork for in the first place, eh?

    What's government for? Why, carrying on regardless of reality, of course.

    1. Peter2 Silver badge
      Unhappy

      No.

      The real problem is that the sort of person that would chop off body parts to use on a biometric scanner is unlikely to realise/care it won't work.

      1. Anonymous Coward
        Black Helicopters

        Different face on the same problem.

        It boils down to this: You, the human, are expendable.

        The technology doesn't really do what the people deploying it say it is supposed to do, yet we're forced to comply anyway. I, as a thoroughly nerdy and un-social person, think this highly offensive and would like to go back to old fashioned personal checks. As mentioned elsethread, say, schools would do far better to know just who they're teaching and who the parents are rather than trying to substitute technology for all that. The former is their bloody job and the latter is just more costs leading to pointless fingerpointing once it inevitably goes wrong worse than when people keep using their heads now and then in practice. Last I checked I was still socially inept but not quite a robot, thanks.

  8. Anonymous Coward
    Anonymous Coward

    I thought other solutions had been found ages ago.

    The one that comes to my mind is simply to detect whether blood is flowing in the tested appendage, using the same IR method that is used in hospitals to measure the patient's pulse?

    Certain establishments I have to attend rely on several full hand print scans complete with checks to see if it is still attached before you progress another 10 metres into their lovely site.

    Boy is it a pain in the arse when the pass expires @ 00:00 and you can't get out of the damn place and there's nobody there to reauthorise your credentials.

    1. david 63

      At a datacenter I visited years ago...

      ...the thumbprint reader looked for a pulse.

      1. Martin.Hale

        Similar Experience

        The last thumbprint reader system I had installed looked for a pulse as well. Funny thing is that one of the owners of the company, a man with a two-pack-a-day habit, had terribly poor circulation (big surprise) and he was often locked out of his own company. Within two weeks I was told to replace it with a swipe-card system with proximity readers at the executive door so he wouldn't even have to take his wallet out.

        The best laid plans...

        1. Anonymous Coward
          Anonymous Coward

          wow

          That probably explains it.

          I have access to a building and data center floor for work. It took about two days and more tries than I have fingers to get a print into the system that would let me open the doors.

  9. Christoph
    Trollface

    Tell Leicester about this

    Leicester City Council should be putting this in all their buildings to defend against zombie attack.

    http://www.bbc.co.uk/news/uk-england-leicestershire-13713798

    1. Field Marshal Von Krakenfart
      Coat

      Eh???

      How are the employees going to get in?

      Mine's the one with a pocket full of severed fingers.

  10. Bumpy Cat
    Happy

    Oh good ...

    Now please make sure all the finger-chopping intruders are informed before they get near me!

  11. A J Stiles
    Boffin

    Hmm

    I suspect that they are already working on a workaround, and it will probably be ready within a week.

    1. dssf

      The WorkAround is...a wheel-around...

      Take the necessary prints WITH the whole body. If the credentialed fingerprints are attached to a dead body, "reanimate" it in a wheelchair hiding circulation pumps. A faux colostomy bag or some hoses entering and exiting at various circulation-producing points (abdomen, toes, rectum) and sealant and good testing can probably get a few hours out of a body.

      But, to make it lol, talk, drool, and hold coherent conversation? Animatronix and respiration attachments required. In any case, you might wind up (or down) with a Captain Christopher Pike or a Professor John Gil...

      I can see blackhats and morticians working on this body of knowledge....

  12. Trygve Henriksen

    Does it work in Winter?

    Imagine, it's 20 below (Celsius. no F! clue as to what it's in Fahrenheit), you pull off your glove, shuffle a bit, drop the glove and pick it up again... Then you press your now very cold finger against the reader...

    Guess what, one of your body's defence mechanisms against cold is to contract the blood vessels near the skin and extremities to reduce bloodflow (and heat loss) there.

  13. Heironymous Coward

    But

    I may want a particular zombie to be able to pass the fingerprint scan, just not some other random zombie...

  14. Anonymous Coward
    Thumb Up

    Maybe

    Maybe it'd be possible to use stem cells to grow a new finger with the desired fingerprint? You could even have the extra finger grafted on in a sort of "shared key" arrangement.

    ^^ Or a thumb, I suppose.

    1. Petrea Mitchell
      Boffin

      Not quite

      Just duplicating DNA isn't enough to duplicate a fingerprint. If you can find a way to grow a reliable fingerprint, though, I like the second part of the idea. :-)

    2. Charles 9

      If Identical Twins don't have the same fingerprints...

      ..then the farmed finger probably won't match, either. Fingerprints have a chaos factor in their production: they're as much a product of environment as they are the DNA. And since physics as we know it prevents two people from being in the exact same place at the exact same time, the end result is two distinct sets of prints. That's one reason why fingerprints are still kept even in an era of DNA testing.

      1. Anonymous Coward
        Thumb Up

        Hmm, yes

        I hadn't expected the DNA alone to form the correct fingerprint - and anyway the stem cells would be from the recipient, not the fingerprint donor.

        I'd sort of imagined using a framework or mold of some sort to shape the growing cells into the required print. Or maybe some sort of micro electronic or printing trickery.

  15. Alan Brown Silver badge

    Why not check for a pulse?

    Dead easy (pardon the pun), skin-colour-insensitive and doesn't rely on surface capillaries.

    BTW: most school lunch/hand scanners _don't_ rely on fingerprints, but instead use infrared to look at the vein pattern within a hand - these are just as unique and a lot harder to copy/fake using a gummi bear.

  16. This post has been deleted by its author

  17. Pascal Monett Silver badge
    Pirate

    A more gruesome alternative

    Garrotte the finger before cutting it off.

  18. Gobhicks
    FAIL

    News?

    See US Patent 5737439, published in 1998.

  19. dssf

    Speaking of vein patterns...

    Retina scans, combined with fingerprints, vein patterns, and ana-rectal webbing and vein patterns would deep eye-dent-ify a contiguous, valid person and weed out body doubles. Of course, in most societies, this would endtroduce a whole new meaning to bending over to endvasive access.

    The really gruesome part of this is if some nefarios go into the biz of stealing valuable whole a$$holes to gain access to some facility... Could probably upend the organ theft black market

  20. Fred Flintstone Gold badge

    Different solutions exist

    There is a balance between cost and functionality to be struck, but the "missing body" problem was also solved by a US provider whose swipe reader is based on radio technology. Their matrix sends out radio signals, which get absorbed by ridges connected to a large enough mass to dampen the signal. If you use a "disconnected" finger or use a fingerprint cover like wood glue to swipe, you change the capacity, and the thing won't work.

    Good to see they keep working on it, but their solution probably needs a bit of work before it becomes affordable (I'm assuming here their principle is right, of course). Meanwhile, keep using the other kit.

  21. brainwrong
    Childcatcher

    Dead finger

    Do they have a real chopped-off finger with which they can test their new scanner?

    Dunno who the guy in the tiny little icon is, but he looks like the sort of person who would have a severed finger in one of his pockets.

    1. Old Handle
      Thumb Up

      Yes, yes they did.

      It says so at the bottom of the article.

  22. Anonymous Coward
    Thumb Up

    "False Finger Detection" has been done before..

    The Australian developed "Fingerscan" technology of early 1990s vintage had a method to detect "false fingers". IIRC they took the image using multiple flashes at slightly different angles. A living finger with *some* blood flowing through it would come through a little darker. I don't remember having to press particularly hard on the scanner surface. The system had a "False Finger Index" setting which you "tuned" for users with circulation issues. It sounds like it was taking advantage of the same light absorbing characteristics described in the paper, albeit in a less sophisticated way via old fashioned image processing algorithms. Looking for a real time *change* in light absorption by scanning, rescanning and comparing is a tad more sophisticated. And of course it has to be "thumbs up!"

  23. Andy Gates

    I hope it works for black people...

    It'd be a hell of an embarrassment (hello, HP webcam face detection!) if it didn't work on dark fingers.
