Biometric authorization – can I copy you?

Biometric authentication relies on distinguishing physiological and sometimes behavioral characteristics, such as gait, in order to authenticate a particular individual. We will have a look at some of the better-known authorization methods. (Tistarelli, Bigun and Jain, 2006)

Some well-known types of biometric authorization:

Face recognition


Source: (Xu et al., 2016)

Using public Facebook photos, researchers found that they could use 3D facial models to fool systems. They displayed these models using virtual reality mobile technology and managed to bypass 4 out of the 5 facial recognition systems they tried. (Xu et al., 2016, Newman, 2016)

Fingerprint recognition


Source: (Kleinman, 2014)

Hackers have successfully faked fingerprints from HD photographs, as demonstrated by copying the fingerprints of a German defence minister. While it sounds like something from a science fiction story, the responsible hacker – Jan Krissler – has also co-published a paper showing how to use the camera on a user’s mobile phone for this purpose. The phone can take photos of the user’s finger while they reach for the phone or hold it, and thereby create an image of the fingerprint to be used. (Fiebig, Krissler and Hänsch, 2014, Hern, 2014, Kleinman, 2014, Beals, 2002)

Ocular-based scanning

The pattern of blood vessels in the retina is quite unique to each person, which makes it a good choice for security and authentication. The retina is scanned with infrared light, and because it’s in the back of the eye, it’s considered tamper-proof. This method is often used in military and high-security physical access authentication. (Spinella, 2003, Vora, Bharadi and Kekre, 2012)

Iris scanning is done by a camera that subtly uses infrared light to get an image of the structure of the iris, its size and the amount of light it lets through. Mathematics is involved to recognize patterns which are unique. This is used on many passports, including my Norwegian one. Iris scanning has been hacked by the same hackers who copied the German minister’s fingerprint, namely Jan Krissler. Using HD images from Google, they managed to fool some iris scanning systems. (Fox-Brewster, 2015)

Source: (Tistarelli, Bigun and Jain, 2006)

Concerns and their validity:

  • Privacy: These fingerprints and face recognition patterns are stored in databases. How safe are they from hacking, and who can access them? Any database is vulnerable to attack.
  • Violence: In movies, eyes have been cut out for retina scans. While that might be extreme, fingers have been cut off in order to use fingerprint scans.
  • Change of biometric data: Myself, I have eczema on my fingertips and therefore struggle with the fingerprint recognition on my iPhone. I reconfigure the setup often but my fingertips change too much to make it useful. I have to rely on my backup code for access.
  • Identity theft: If someone steals your password you can reset it. If someone steals your fingerprint or copies your iris picture, you’re in more trouble.
  • Fooling fingerprint readers: Making a copy of your fingerprint seems to be somewhat easy. (Beals, 2002)

Conclusion: Biometrics is a good way of authenticating, but maybe only as part of a 2-step verification. Further research is needed to prevent the hacks presented. (Beals, 2002)

Bibliography

Beals, B. (2002) Biometrics: Hack Proof? [Online] SANS Institute. Available from: https://www.giac.org/paper/gsec/2282/biometrics-hack-proof/103919 (Accessed: 12.02.2017).

Fiebig, T., Krissler, J. and Hänsch, R. (2014) ‘Security Impact of High Resolution Smartphone Cameras’, WOOT,

Fox-Brewster, T. (2015) Hacking Putin’s Eyes: How To Bypass Biometrics The Cheap And Dirty Way With Google Images [Online] Available from: http://www.forbes.com/sites/thomasbrewster/2015/03/05/clone-putins-eyes-using-google-images/#11645b204f85 (Accessed: 12.02.2017).

Hern, A. (2014) Hacker fakes German minister’s fingerprints using photos of her hands [Online] Available from: https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands (Accessed: 12.02.2017).

Kleinman, Z. (2014) Politician’s fingerprint ‘cloned from photos’ by hacker [Online] Available from: http://www.bbc.com/news/technology-30623611 (Accessed: 12.02.2017).

Newman, L. H. (2016) Hackers Trick Facial-Recognition Logins With Photos From Facebook (What Else?) [Online] Available from: https://www.wired.com/2016/08/hackers-trick-facial-recognition-logins-photos-facebook-thanks-zuck/#slide-3 (Accessed: 12.02.2017).

Spinella, E. (2003) Biometric Scanning Technologies: Finger, Facial and Retinal Scanning [Online] SANS Institute. Available from: https://www.sans.org/reading-room/whitepapers/authentication/biometric-scanning-technologies-finger-facial-retinal-scanning-1177 (Accessed: 12.02.2017).

Tistarelli, M., Bigun, J. and Jain, A. K. (2006) Biometric Authentication. [electronic book] : International ECCV 2002 Workshop Copenhagen, Denmark, June 1, 2002 Proceedings. Heidelberg : Springer Berlin Heidelberg, 2006. [EBSCO].

Vora, R. A., Bharadi, V. A. and Kekre, H. B. (2012) ‘Retinal scan recognition using wavelet energy entropy’, 2012 International Conference on Communication, Information & Computing Technology (ICCICT), pp.1.

Xu, Y., Price, T., Frahm, J. and Monrose, F. (2016) ‘Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos’, 25th USENIX Security Symposium (USENIX Security 16), USENIX Association. pp.497-512.

Image source: https://pixabay.com/en/cat-pet-mirror-697113/, user: Schmid-Reportagen. CC0 Licence, public domain.