Sweaty hands might make you unpopular as a dance partner but they could someday prevent hackers from getting into your bank account.
Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-Doh or gelatine or a model of a finger moulded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers.
In a systematic test of more than 60 of the carefully crafted samples, the researchers found that 90 per cent of the fakes could be passed off as the real thing.
But when researchers enhanced the reader with an algorithm that looked for evidence of perspiration, the false-verification rate dropped to 10 per cent.
The idea of using perspiration is promising as a way to beat hackers because sweating follows a pattern that can be modelled. In live fingers, perspiration starts around the pore and spreads along the ridges, creating a distinct signature of the process. The algorithm, created by Stephanie Schuckers, associate professor of electrical and computer engineering at Clarkson, detects and accounts for the pattern of perspiration when reading a fingerprint image.
Dead fingers don't sweat.
Schuckers said in a pre-released statement: "Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesised that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration but cadaver and spoof fingerprint images would not."
The research, funded by a $3.1m (£1.7m) grant from the National Security Agency and conducted in collaboration with other universities, is part of an ongoing effort to improve biometric authentication and identification.
Other methods are in the works as well. Fingerprint readers essentially take a picture of a fingerprint and match it to a sample in the database. To get around spoofs involving lifted fingerprints, NEC researchers have developed technology that actually takes a picture of the tissue underneath the fingertip to get a three-dimensional image that can be matched against a database sample. Fujitsu has developed an authentication technology that looks at vein patterns.
Although biometric identification technologies continue to improve, each has its own flaws. Voice authentication is fairly accurate and tough to spoof, say advocates, but it can be affected by a bad phone connection. Iris scans work well but are commercially impracticable.
Face scanning is actually less accurate than most, but consultants for the US State Department say the technology was chosen for electronic passports because that particular identity test seems to make people feel less like criminals.






Talkback
Don't be frightened by fake fingers (unless Cadbury ones)! *
Grapho-Lock has solved this issue, using a fingerprint check as the identification scheme and then dynamic signature verification to recognize your unique behavioural handwritten topics. Templates are stored on a secure smartcard with an X509 v3 certificate whose usage is constrained to prior fingerprint and handwritten dynamic signature verification.
So a rodent has to be very, very organized: he must cut the finger on Monday, prepare his Play-Doh fake finger, then steal the smartcard of the user, then train himself to write with the same hand as the user.
The Grapho-Lock Project has just been shortlisted as an R&D finalist at the European Information Security Awards and is looking for seed capital and first customers to establish a proof of concept. (Search on Google)
In general, any type of multi-biometric authentication can reduce the possibility of fraud, which is why you're seeing so many finger-face combinations these days. However, once you've crossed that hurdle you need to deal with the accuracy of the various biometrics selected, and figure out how best to use the biometrics. For example, in a two-biometric system using 1:n searches, do you compare the search case against the full databases for both biometrics, or do you use one biometric to create a candidate list, then only run the candidate list through the second biometric? These are the items that need to be worked out in each individual system.
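The 1:n design choice raised in the last comment, as an added example that is not part of the original article or its comments: it compares a full search with both biometrics against a cascade in which the fingerprint search builds a candidate list for the face matcher. The gallery names, similarity scores, equal-weight sum fusion and the 0.65 accept threshold are all constructed assumptions.

```python
# Constructed similarity scores (0..1) for ONE search probe against a
# six-person gallery. The probe really is "alice", but her fingerprint
# capture is poor, so the fingerprint matcher ranks her low.
FINGER = {"alice": 0.41, "bob": 0.78, "carol": 0.66,
          "dave": 0.72, "erin": 0.30, "frank": 0.69}
FACE = {"alice": 0.97, "bob": 0.35, "carol": 0.52,
        "dave": 0.40, "erin": 0.20, "frank": 0.45}
THRESHOLD = 0.65  # assumed accept threshold on the fused score


def fuse(name, w_finger=0.5):
    """Weighted-sum score fusion (one common rule, assumed here)."""
    return w_finger * FINGER[name] + (1 - w_finger) * FACE[name]


def decide(candidates):
    """Return (accepted identity or None, top-ranked candidate)."""
    top = max(candidates, key=fuse)
    return (top if fuse(top) >= THRESHOLD else None), top


def search_parallel():
    """Run both biometrics against the full gallery, then fuse."""
    gallery = list(FINGER)
    accepted, top = decide(gallery)
    return accepted, top, 2 * len(gallery)  # comparisons performed


def search_cascade(k):
    """Fingerprint picks the k best candidates; face runs on those only."""
    shortlist = sorted(FINGER, key=FINGER.get, reverse=True)[:k]
    accepted, top = decide(shortlist)
    return accepted, top, len(FINGER) + len(shortlist)


if __name__ == "__main__":
    for label, result in [("parallel", search_parallel()),
                          ("cascade k=3", search_cascade(3)),
                          ("cascade k=5", search_cascade(5))]:
        accepted, top, cost = result
        print(f"{label:12} accepted={accepted} top={top} comparisons={cost}")
```

With these scores the k=3 cascade drops the true identity before the face matcher ever sees it, so the cheaper search ends in a non-match; the size of the candidate list has to be set against the first matcher's ranking errors, not only against its cost.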