Is it live, or is it ... latex?
In the 2004 film 'National Treasure,' the character played by Nicholas Cage surreptitiously steals a wineglass that had been used by the curator of the National Archives and in a matter of minutes creates a replica of her fingerprint. He uses the image to get past security measures protecting the Declaration of Independence and steals the document in order to look for a treasure map on the back.Faking it
The rest of the movie's plot might be outlandish, but finding a way to fake someone else's fingerprints is not.
'The scene portrayed in 'National Treasure' is feasible, though not in that time frame,' said Chet Hosmer, president and chief technology officer of WetStone Technologies Inc. of Cortland, N.Y.
Using a fingerprint replicated on a small, oval piece of thin latex film, Hosmer demonstrated for GCN how easy it can be to fool current fingerprint readers.
He simply fitted the replica to his own finger, fixing it in place with a small dab from a glue stick, then put the fake fingerprint on the scanner and clicked OK on the computer monitor. And it worked'he gained access to the supposedly secure computer.
The prospect of being able to spoof fingerprints is disturbing because government agencies and industry alike have been moving to incorporate biometrics into a variety of systems that require identity authentication.
Classified facilities at military bases could have fingerprint readers that verify a person's identity before he or she can enter. The Homeland Security Department is planning to include fingerprint biometrics in its U.S. Visit program; visitors to this country will have to get their fingerprints scanned to confirm their passports.
Companies are looking for ways to incorporate fingerprint biometrics as part of security measures. Many notebook PCs include built-in fingerprint readers so users can log on without passwords.
In short, not being able to trust fingerprint verification carries significant risk.
The Defense Department's Biometrics Management Office is aware of growing concerns about the possibility of spoofing fingerprints, too.
'Biometric spoofing techniques have garnered some public attention. We are aware of these, and of the industry response to integrate liveness [ways of verifying live tissue as opposed to a replication] and other safeguards,' said Joseph Guzman, acting BMO director.
WetStone and another company, Lumidigm Inc. of Albuquerque, N.M., have received Small Business Innovation Research awards from the Air Force Research Laboratory Information Directorate, based in Rome, N.Y., to find ways to guard against fingerprint spoofing.
'The detection and reaction to intrusions from malicious outsiders and insiders alike is an example of a cybersecurity technology we are interested in,' said John Feldman, senior program manager in the Cyber Operations Branch of AFRL.
Feldman said it is premature to think about applying anti-spoofing technology throughout the Air Force or other government agencies. 'The testing of biometric anti-spoofing fingerprint devices as a secondary control mechanism to the building or to very specific controlled areas at AFRL has crossed my mind, but we don't have any specific plans to do so yet,' he said.Beneath the surface
According to Matthew Ennis, director of business development at Lumidigm, the company is pursuing improvements in fingerprint readers as a safeguard against spoofing.
When enrolling an individual, the company's technology develops a multicolored image of skin features that lie below the surface of a finger.
This 'internal fingerprint' is a complex structure of collagen and blood vessels responsible for creating the unique surface print pattern, Ennis said. The 3-D approach makes spoofing very difficult, because a replica surface print, such as one generated from a latent print, will not match the more in-depth image.
The Lumidigm approach takes into account the issue of liveness: Is the scanned fingerprint being generated by a real, live person? 'The question of liveness is important in view of the fact that many spoofing methods ... make use of artificial substances,' Feldman said.
Ennis said the company's reader can spot an individual using a spoofed fingerprint when he or she enrolls in a biometric database, as well as someone trying to use a fake fingerprint to pass as someone else.
This could have great applicability for a program such as U.S. Visit, he said. Someone already on a watch list who thinks to use a fake print to enter the country would get caught simply because the print wouldn't register as 'live.'
Lumidigm's new reader will have backward and forward compatibility with existing fingerprint databases, Ennis said. The company aims to have a commercial product ready by the first quarter of 2006.
WetStone's approach is to look for a software-based solution, rather than enhancing hardware.
'Most folks working on this are concentrating on building better'that is, more expensive'readers,' Hosmer said. 'The problem with that is twofold. You have to redeploy readers, and you have to re-enroll people in the database.'
A software solution would allow agencies to avoid both those expenses, he said.
As a first step, the company sought to understand how spoofing might work. This is why Hosmer had the latex spoofs on hand, so to speak'the company re-searched the kinds of material used to make the spoofs, how thick or thin they had to be, how durable or fragile they were, and so on.
'They had to be small enough to be concealed, with a high rate of effectiveness, and affordable,' he said.
The company found that building imposter prints out of a thin film of latex, just two millimeters thick, was ideal, because the material is robust and costs almost nothing. A little bit of experimentation to match skin tones, and the spoof's presence is almost impossible to detect even when the wearer is surrounded by people, Hosmer said.
The company also began to build a research database of fingerprints collected from a diverse population and under many different conditions, such as wet or dirty fingers.
WetStone also evaluated different ways of producing the spoofs and how they worked under a variety of conditions.
While Hosmer is tight-lipped about the specifics of his company's software product, he did say it takes up to 14 different factors from the reader and the fingerprint algorithms to determine whether a fingerprint is genuine or a spoof.
'There was one counterintuitive result,' he said. 'Fingerprint readers have sensitivity settings. The higher they're set, the more sensitive they are. It turns out that ... our imposters work better at the higher settings than real fingers do. It gives 'sharper image' a whole new meaning.'