How a man used a fake finger to trick his smartphone biometrics

Last updated: 01 December 2021

Chances are you’ve seen a Hollywood film where criminals manage to access biometric security systems using basic spoof attacks such as gelatin-made fingerprints and fake irises. For example, in Minority Report, Tom Cruise’s character Anderson gets an eye transplant so that he can’t be identified by the citywide optical recognition system. But what’s even more amusing is that he carries his original eyeballs in a plastic bag to maintain access to his former workplace.

The reality is that the trick that Anderson used in Minority Report wouldn’t fool today’s advanced systems thanks to their liveness detection capabilities.

But before I go into more detail of how liveness detection ensures that biometric systems remain spoof proofed, I wanted to quickly touch on a recent example where a Register reader, named Kieran, managed to essentially recreate a scene straight out of a Hollywood film. He demonstrated how he unlocked his smartphone using the severed tip of his finger, parted from his hand as a result of an industrial incident.

So how was Kieran able to unlock his smartphone with a severed fingertip? In this instance, the severed tip belonged to the finger that was registered to the device and Kieran was able to access his device because the finger used to identify enrolment was the same used for the authentication. This means that there were no faults in the system of the manufacturer.

While we hope that using a severed finger to unlock a smartphone is very uncommon, can cases of using a silicone or gelatin finger to unlock a device be successful?

Where does liveness detection fit in this scenario?

Liveness detection is the ability of biometric systems to detect whether a fingerprint or face (or other biometric information) is real (from a live person present at the point the information is captured) or fake (from a spoofed artifact). It’s powered by AI which analyses the data collected by the biometric scanner and verifies if the source is coming from a live or fake representation.

The features of liveness detection are purposed to counter biometric spoofing attacks, where a replica is used to emulate a person’s unique biometric information.

It’s worth noting that the standard terminology in the market is ‘Liveness Finger Detection’, which means that it stops replicas imitating a person’s unique biometrics – like a fingerprint mold – but enables real fingers, dead or alive, to work. And consumer grade devices still haven’t evolved so much to include signs-of-life detectors. So, in Kieran’s case the technology worked to the market standards.

What is Presentation Attack Detection (PAD)?

Let’s look into single finger scanners to explain what a Presentation Attack Detection (PAD) is. Single finger scanners are usually used for ID verification mainly on unattended applications like ATMs. To avoid people using fake fingers to attack the system, these scanners have been fitted with a technology that is able to detect the real nature of the finger placed on the scanner – PAD. For example, the Thales Cogent Single Finger Scanner AI-based solution uses a patented technology that is based on infrared light, and has been independently tested by iBeta and verified to ISO/ IEC 30107-3 standard. It is the first in the world to receive the iBeta PAD level 2 certification. Our technology has also achieved an Attack Presentation Classification Error Rate (APCER) of 0%.

PAD is usually implemented within systems where security comes as a higher priority to user convenience, according to The Biometric Institute. That’s why many consumer devices are unlikely to have been equipped with the technology but given how quickly the market is growing as well as consumers’ increased security awareness, this will likely change soon.

As companies and organisations across the world search for the most secure method of authentication and identification, biometrics has quickly become one of the premier methods of ensuring these two principles. Failure to prevent fingerprint spoofing attacks may have serious consequences not just for individuals but on a wider scale.

Unfortunately, there isn’t a magic formula to combatting fingerprint spoof attacks at the moment, but the real solution lies in combining the right number of different features. In a marketplace that features an abundance of solutions, your best bet would be choosing a solution that meets the ISO Presentation Attack Detection benchmark.

Hype Cycle™ for Digital Government Technology, 2021 Survey

Download the Gartner Research

Leave a Reply

Your email address will not be published. Required fields are marked *