A hacker claims he replicated the fingerprint of a German politician by using publicly accessible photos of her thumb – which easy-to-use ID methods should mobile tech employ instead?
The man in the trench coat offers his visitor a Scotch. The visitor accepts, but as soon as his back is turned, Mr. Trench Coat lifts his fingerprints off the glass.
You’ve probably watched a scene like that on TV or in the movies dozens of times. But just as our fingerprints are becoming an increasingly common component of identification, from airport terminals and smartphone screens to luxury handbags and Brazilian polling booths, along comes a German hacker to let us know that people who want our prints – whether to figure out whodunit or to steal our identity – may no longer need to get us to touch that glass of Scotch first.
Jan Krissler, a German hacker also known as Starbug, told a hacking convention in Hamburg that he replicated the fingerprint of a German politician by using publicly accessible photos of her thumb taken by a standard camera, BBC News reported this week.
Starbug says he copied the fingerprint of German Defense Minister Ursula von der Leyen using a close-up shot of her thumb and pictures taken during a press conference in October, a decision he speculated could affect the sartorial choices of public figures. “Politicians will presumably wear gloves when talking in public” from now on, he said.
So should we stock up on gloves?
Or, at the minimum, should we be worried that fingerprints are not a secure means of identification? That’s precisely what U.S. Sen. Al Franken, a Democrat from Minnesota, fears.
Months before Starbug’s revelation, Franken, who chairs the Senate Judiciary Committee’s privacy and technology subcommittee, wrote to Samsung executives to say the feature in the company’s Galaxy S5 phone that recognizes users based on their fingerprints could allow people’s identities to be stolen. “Fingerprints are the opposite of secret,” he wrote. “You leave them on countless objects that you touch throughout the day: your car door, a glass of water, even the screen of your smartphone… If hackers get hold of a digital copy of your fingerprint, they could use it to impersonate you for the rest of your life, particularly as more and more technologies start relying on fingerprint authentication.”
It’s all in the movement
But if you’re still worried, cybersecurity expert Alan Woodward, a visiting professor at England’s Surrey University, has a tip: Look for the kind of identification that relies on dynamic biometrics like vein recognition and body motion analysis rather than static ones like fingerprints and facial recognition.
“Biometrics that rely on static information like face recognition or fingerprints – it’s not trivial to forge them, but most people have accepted that they are not a great form of security because they can be faked,” says Woodward. “People are starting to look for things where the biometric is alive – vein recognition in fingers, gait analysis – they are also biometrics, but they are chosen because the person has to be in possession of them and exhibiting them in real life.”
Gait analysis could become a useful way for law enforcement authorities to identify suspects captured on video even if their faces are covered or indistinct. But when it comes to the prevention of identity fraud, it’s vein authentication, which uses the vascular patterns of a person’s finger, palm or back of the hand as a means of identification, that is heading toward becoming the new fingerprinting.
Barclays announced in September that starting from 2015, wealthy corporate banking clients could begin using Hitachi’s VeinID to read the sub-dermal patterns of the veins in the client’s finger as a way of combating identity theft. The authentication, which will later be made available to the rest of Barclays’ clients, requires customers to insert their fingers into a scanner the size of a tennis ball, and takes only two seconds.
Finger vein scanning is also used by banks in Japan, where the technology was invented. In Europe, Poland is the first country to use finger vein identification in the banking sector, replacing ATM cards with finger scanners at 2,000 cash machines earlier this year.
Featured Image Credit: Apple