
Hacker fakes German minister's fingerprints using photos of her hands - pearjuice
https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands
======
Kliment
While this is and remains amazingly interesting, it does need a (2014) in the
title.

Background material: [https://www.ccc.de/en/updates/2013/ccc-breaks-apple-
touchid](https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)

Primary source:
[https://www.ccc.de/en/updates/2014/ursel](https://www.ccc.de/en/updates/2014/ursel)
and video (in German) [https://media.ccc.de/v/31c3_-_6450_-_de_-
_saal_1_-_201412272...](https://media.ccc.de/v/31c3_-_6450_-_de_-
_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug)

Instructions (in German):
[https://www.ccc.de/de/campaigns/aktivitaeten_biometrie/finge...](https://www.ccc.de/de/campaigns/aktivitaeten_biometrie/fingerabdruck_kopieren)

~~~
mmarx
Also, back in 2008, activists published the fingerprints of another
minister[0]—that one was lifted from a glass of water, though.

[0] [https://www.wired.com/2008/03/hackers-
publish/](https://www.wired.com/2008/03/hackers-publish/)

------
buro9
Identity should never be used as a password.

Identity cannot be changed if compromised.

As a second form of authentication it is fine, but as a single form alone it
is a bad idea.

Ideally you would always have two of these:

* Something you know (i.e. password)

* Something you have (i.e. yubikey or a token generator on your phone)

* Something you are (i.e. fingerprint)

But if you must have only one of these then the weakest one is something you
are as, if compromised, it can never be changed.

~~~
koolba
> Identity should never be used as a password.

Yes.

> Identity cannot be changed if compromised.

I'm not up to date at what's possible with plastic surgery, but in this
specific case I think it's doable (new fingerprints).

> As a second form of authentication it is fine, but as a single form alone it
> is a bad idea.

I don't consider it authentication. More like a record locator.

> But if you must have only one of these then the weakest one is something you
> are as, if compromised, it can never be changed.

I think a lot of this "fingerprints as authentication" stuff will go away once
situations like this become commonplace:
[https://news.ycombinator.com/item?id=11726108](https://news.ycombinator.com/item?id=11726108)

~~~
hellofunk
> I don't consider it authentication.

Maybe you don't, but a lot of others do. Like, Apple.

~~~
emodendroket
Is the point of fingerprint scanners really to defeat advanced, targeted
hacking efforts where someone has multiple high-resolution photos of you? Or
is it (IMO more plausibly) just to keep somebody who picks your pocket or
whatever from _also_ getting access to your bank accounts and so on? For the
latter scenario the fingerprint works fine.

~~~
Avshalom
well except that your phone is covered in your fingerprints...

~~~
phlo
Touch ID is a fun case in security where bad is better. Fingerprint
authentication on a fingerprint magnet seems like a foolish idea until you
realize the alternative (for the majority of users) is 4-digit PINs[1], not
strong passwords.

[1]
[http://www.datagenetics.com/blog/september32012/](http://www.datagenetics.com/blog/september32012/)

~~~
emodendroket
The Android password pattern thing apparently offers close to 400k
possibilities so it's considerably better than PINs.

~~~
wcoenen
I used patterns for a while, until I noticed that I could simply see the
unlock pattern on the greasy screen if the sunlight hit it just right.

~~~
emodendroket
And PINs don't have the same problem?

~~~
alblue
Not really - with a pattern you drag from one loaction to another. With a PIN
you tend not to drag your finger along but lift and press.

In addition with PINs you can have diagonally opposite numbers (e.g. 1-9 or
3-7) but with patterns you don't have that unless you use 5 on the way (e.g.
1-5-9 or 3-5-7). In fact most people will have the central dot in their
pattern recognition somewhere in the middle just through human nature.

~~~
koolba
> In fact most people will have the central dot in their pattern recognition
> somewhere in the middle just through human nature.

Yep. Either that or just the classic double circle.

------
8draco8
And this is the reason why fingerprints should not be used as a password. If
the password that you are using (string, pin, fingerprint, iris) can not be
change then this could be use as username not password. It is very convenient
to use things like fingerprints to lock your devices but if your credentials
will get compromised once then you can not ever secure it again. Plus we leave
finger prints everywhere all the time, it's just a matter of time when
databases with fingerprints matching fb profiles will show up on the internet.
Think about it as rainbow tables for unlocking stolen devices.

------
SEJeff
Fingerprints make excellent usernames and terrible passwords:

[http://blog.dustinkirkland.com/2013/10/fingerprints-are-
user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-
not.html)

~~~
maze-le
Interesting, I never even thought about this usecase. But fingerprints can
change over long enough timescales, either by accident or simply old age.

~~~
SEJeff
Perhaps, but even with acid burns, computers can still find enough commonality
to link them. Fundamentally, a secret is something that needs to be
changeable. Since you can't (currently) change your fingerprints on-demand,
they can't be used as a good secret.

------
kelvin0
That's all very interesting stuff, but somehow I missed something: how was he
able to verify the fake finger prints from the minister were usable and close
enough to the real finger prints to fool a biometric device? I read the
article twice and haven't spotted how he verified the hack worked in the case
of the minister.

------
kelvin0
Let's not forget the classic biometric-hospital-gate : People using silicon
fingerprints to sign in for their colleagues: [http://www.bbc.com/news/world-
latin-america-21756709](http://www.bbc.com/news/world-latin-america-21756709)

------
hsileng
Seriously, fingerprints is the worst biometric password. Anything you touch
leaves a piece of it, if not the whole thing. The fact that it's still being
used is a testament to how easy it is to break into various "secure" accounts.

~~~
JadeNB
> The fact that it's still being used is a testament to how easy it is to
> break into various "secure" accounts.

I don't disagree with your premise (that fingerprints are very bad passwords),
but I don't see the logic of this sentence. If I were in favour of the use of
fingerprints as passwords, I would think their continued use pointed to how
_hard_ , not how easy, it is to break them (because otherwise, hypothetical me
would think, surely they would no longer be used).

------
Dolores12
Fingerprint is username, not a password.

------
rwmj
There was this story (which I find an incredible achievement, if true) of a
child abuser's fingerprints being taken just from a photo that he had posted
online:

[http://edition.cnn.com/2016/04/21/us/project-vic-child-
abuse...](http://edition.cnn.com/2016/04/21/us/project-vic-child-abuse/)

------
simonh
For most people, using fingerprints for authentication is fine. Any security
measure has pros and cons. If they're too hard to use, people will circumvent
them or the usefulness of the device or service will be degraded. It's just a
matter of cost-benefit. I could use a 6-figure passcode on my phone, or a
4-figure one or my fingerprint. I choose to use the latter, with a 6-figure
code as backstop, knowing that this is in some ways a less secure option. It's
my choice and I'm glad I have it. Still, stunts like this serve a useful
purpose in making sure we're all very much aware of the limitations of the
security options available. That's valuable to know.

------
justinclift
This makes the publicly accessible handprint bronzes at ITV Studio in London
seem like a bad idea:

[https://en.wikipedia.org/wiki/The_London_Studios#Audiences](https://en.wikipedia.org/wiki/The_London_Studios#Audiences)

When I saw them a few years ago, they definitely had distinct fingerprint
ridges.

------
bitwize
Corneal keylogger?

So "enhance, enhance, enhance" is real now?

------
owenversteeg
Anyone have a link to the photos (or if they're not available, an example
photo that you could do this on)?

------
abysmallyideal
Fingerprints and cornea are bad ideas to use as passwords.

One of my friends likes to go hiking in this area a few miles away from
million+ dollar neighborhoods. They get approached by someone pretending to be
a union member and they get to chatting. The union member has to show them
some video on his phone, and so my friend takes a look. There's a slight
glitch in the guy's phone and my friend sees their own face for a brief second
with what looked like highlighters around their eyes, kind of like those eye
tracking things.

They didn't think much of it until they read about cornea copying and hacking.
They realized they were being "bio-hacked" but there is nothing they work on
that needs bio clearance so they figure the union members were hired by some
people to collect bio prints of likely targets in the area.

Plus I heard it is common to use union and organized crime groups, police,
etc.. to stake out and collect intelligence on possible targets for corporate
espionage, and other related crimes. It seems to be an unspoken problem in the
area.

------
weatherlight
Biometrics should be utilized as a login replacement, not a password
replacement.

------
majewsky
(2014)

------
_Codemonkeyism
In this context I find it most interesting that many reviews of the Note7
disregard the iris scanner as not as easy to use as the fingerprint scanner so
the reviewer will stay with the fingerprint sensor, and I always thing "Yes,
well, but ..."

~~~
ralfd
Aren't Iris scanners potentially even more foolable? There are often tons of
high res photos of peoples eyes, not so much of their thumbs.

~~~
_Codemonkeyism
Sounds interesting, I thought the iris scanner needs to illuminate your iris
to make it work and you can't do this from photos, I've head this from you for
the first time.

Any source where I can read about fooling iris scanners with photos?

------
gjolund
This is old news.

~~~
JadeNB
And yet the use of fingerprints as authentication has only increased ….

------
eveningcoffee
Lets just remind.

Fingerprints are not something you are. Fingerprints are something you own.

Well, you actually own them as much as you own the ideas. Or passwords.
Written in your forehead.

It is very foolish to use them for security purposes. And it is very dangerous
to allow some entity to collect them, as this will eventually lead to very
large privacy and freedom violations.

