Fingerprint Lifting 101

The Chaos Computer Club has - I hope - done it again. Waaaaaay back in the 80s they demonstrated with a wonderful hack how easy it was to subvert the pay-by-BTX schemes that were cropping up.

Now they have set their sights on biometrics, specifically fingerprinting. They managed to get the Minister of the Interior, Wolfgang Schäuble, to take a drink of water from a glass with a nice, clean surface (I have heard many entertaining stories about this, let's just say that the drinking receptacles at CCC are not normally this squeaky clean). From the glass they managed to lift his fingerprints - it is actually very easy to do, and they published step-by-step instructions (or, for the visually inclined, a video).

They are publishing the copies of Schäuble's fingerprint in the current version of their newsletter.

A team of reporters from the ARD was so intrigued by this that they wanted to see if a pay-by-fingerprint system that the chain Edeka uses could be fooled by this rather simple method. One reporter registered to pay by fingerprint and went shopping on camera. No problem, he could pay. Then they had one of his fingerprints lifted and a replica of his fingertip produced with materials that can be purchased at any hardware store.

Another reporter then went shopping for one item, and used the replica to successfully purchase a piece of chocolate on camera. Even when shown the video footage of this, both the supermarket owner and the head of the company which makes the technology insisted that the method was secure and could not be compromised. Apparently they subscribe to the self-delusional school of thought that "if I want it to be thus and such hard enough, it will be so".

I showed the video to a friend, who quickly understood that fingerprints are not as secure as he had thought. And his computer at work is secured by a fingerprint reader....

Now we just have to find some way to force-feed the ARD footage to politicians who believe anything technical must be magically secure.
