Spoofing Fingerprint Scanner and Spoof Detection: How Do They Work?

In identity management space, things are quickly moving towards a password free environment. Increasing use of biometrics for day-to-day identity authentication needs, native support for biometric authentication within different systems and ever growing use of biometric authentication in mobile devices have already diverted the market towards biometrics.

Biometric authentication, specially fingerprint recognition is getting all the attention (and admiration) from users.However, their underlying concerns about biometric security often surface while using it to establish and protect their identities.

Is fingerprint secure enough? What if someone steals my fingerprint and misuse it? Can someone create a copy of my fingerprints? If these questions strike your mind at times, you are not alone. There are millions who use fingerprint authentication despite not being too sure about it.

This article sheds light on problems with fingerprint scanners and fingerprint security, fingerprint sensor spoofing attacks and common spoofing detection mechanisms used by fingerprint scanners.

Today’s fingerprint scanners are securer and more efficient than ever. However, they are still far from being perfect and contain inadequacies that can be exploited from someone who understands them.

This is one of the biggest problems with fingerprint scanners and the fingerprint security. Fake fingerprints can be created using inexpensive material and presented as in lieu of real one. To encounter this, fingerprint scanners use fake fingerprint detection mechanism.

Unfortunately, fingerprint scanner that leverage advance fingerprint spoofing detection are touted as premium and are usually more expensive than ordinary scanners or scanners only with basic fingerprint spoofing detection. Fingerprint anti-spoofing in biometric systems should be a must-have feature when depending on fingerprint security.

Today’s liveness detection techniques can prevent common fingerprint spoofing attacks carried out using fingerprint spoofs and replicas to weed out unauthorized users.

Human body responds differently in different environmental conditions. However, fingerprint scanners may not be able to adapt to these changes and it is one of the problems with fingerprint scanners that still needs to be fully addressed.

Our skin is kept adequately moist by an oily substance that our body produces. It keeps skin surface healthy and fingerprint scanners also prefer fingers that way. Fingerprint scanners want fingers to be optimally moist, not too much or not too less. But in cold weather, skin can lose this moisture and becomes dry, creating a problem for fingerprint scanners.

Fingerprint scanners find it hard to scan dry fingers because the image captured from dry fingers is usually not good enough to process. Fingerprint scanners may refuse to enroll or authenticate dry fingers.

Fingerprint scanners can be sensitive to environmental conditions, which is one of the problems with fingerprint scanners. A fingerprint scanner may refuse to operate optimally in high temperature, intense light, high radiation or wet environment.

Fingerprint scanners are electronic devices which require regular maintenance to keep their performance up to the mark. Fingerprint scanners, that are either exposed to harsh environmental conditions or not properly maintained, may not be able to keep up with your expectations.

Fingerprint spoofing is a way to circumvent the security of a biometric fingerprint system with the use of artificial fingerprints created using different materials and methods.

To create a fingerprint spoof, the attacker should have access to fingerprints of a user who is already registered on the target system. Sometime the authorized user may be involved in the process of spoof creation.When that is the case, it becomes comparatively easy to create fingerprint spoofs.

When the user is not involved in the process, fingerprint spoofs can be created with the fingerprint images and even with fingerprints left unintentionally (latent prints).

Taking a high resolution photo of your fingertip and printing it on a paper is probability the most basic type of spoof. This spoof, however, will fail on most modern fingerprint recognition systems. As fingerprint scanners advance, more sophisticated methods like 3D printing, using material that exhibits liveness, etc. are being leveraged.

Making of fingerprint spoofs starts with choosing a material which is preferably soft, flexible and on which fingerprint pattern can be engraved. Glue, clay, film, rubber, paper, silicon, etc. can be used for the purpose.

Spoof can be crated with or without an authorized user participating in the process. When an authorized user participates in the process (aka cooperative spoofing),his/her fingerprint can directly be engraved on a mold material to create a negative impression. Once mold is created, any moisture based material like glue or silicone is filled in the cast and when it gets dried, fingerprint pattern gets engraved on it.

When spoof is created without an authorized user’s participation in the process (aka uncooperative spoofing), the spoof creator has to have a fingerprint image or latent print of the said user. People touch different surfaces all the time and leave latent prints. An attacker may collect them to create a fingerprint spoof. These latent prints can be collected using any latent print collection technique like dusting, fuming and using fingerprint tape.

Collected prints are digitized and their quality is enhanced with image editing techniques.Embossed or 3D printing will enable the spoof-maker to create a mold and then a fingerprint spoof by filling the mold with a flexible material like glue or silicone.

Today’s fingerprint sensors make a variety of hardware as well as software based anti-spoofing and spoof detection approaches. However, while fingerprint sensors evolved, so did sensor spoofing attacks. When one technique proves ineffective, fraudsters take no time in upping their game.

Fingerprint sensor spoofing attacks can come in many forms.It is not just manually created spoofs using flexible material and fingerprints engraved on them. Even sophisticated technologies like machine learning and artificial intelligence can be leveraged to circumvent fingerprint security.

In November 2018, a study published in ScienceDaily revealed that a team of researchers used neural network and machine learning trained to synthesize human fingerprints, which could potentially fool a touch based fingerprint authentication system.

If that is not shuddery enough, let’s have a look at a research done at Michigan State University. Scientists at Michigan State University have developed a fake finger that carries the optical, electrical, and mechanical properties of a live finger, features that many anti-spoofing approaches in biometric systems rely on.

This finger is aimed at challenging the spoof detection capabilities in fingerprint scanners, so that manufacturers can improve their anti-spoofing mechanism. Sounds good? The problem is that if scientists can create such a finger, fraudsters can also attempt to do it.

Use of artificial intelligence and machine learning for carrying out fingerprint sensor spoofing attacks hints at the possible future of sensor spoofing attacks, in which they are not just done with fingerprints engraved on a flexible material, but synthesized using highly sophisticated technologies.

Fingerprint spoofing detection is arguably the biggest challenge for biometric researchers as this technology increasingly penetrates the market for high security transactions. An attacker will not hesitate to create and perform sensor spoofing attack if reward is worth his/her effort.

Fingerprint spoofing can even be easier than password cracking and done using inexpensive and easily available material. There are step by step guides over the internet which will allow people to create spoofs in a matter of hours. How fingerprint security can be ensured in such circumstances?

The only viable solution is to enhance the fingerprint spoof detection and fingerprint anti-spoofing in biometric systems. Unfortunately, enhancing fingerprint spoof detection is not something a user can do at his/her end. It is unlike enhancing your phone or PC security by installing an anti-malware program or updating system.

Most fingerprint recognition devices come with embedded system, on which the user shave a very little or no control. Your fingerprint device vendor may choose to update its firmware with improved fingerprint spoofing detection mechanism or may release a new version of device, but there is nothing a user can do to enhance anti-spoofing mechanism of a device.

Fingerprint anti-spoofing in biometric systems makes use of several strategies to detect whether a fingerprint sample is presented by a spoof or a live finger.

Hardware based fingerprint anti-spoofing in biometric systems make use of properties found in a real finger such as temperature, electrical conductivity, pulse oximetry, skin resistance, etc.But these methods require additional hardware, which renders the device more expensive.

Despite leveraging additional hardware, hardware based fingerprint anti-spoofing in biometric systems have some limitations. For example, temperature based anti-spoofing mechanism may fail to distinguish spoof if it created with a very thin flexible material with good temperature conductivity.

Dynamic based fingerprint anti-spoofing in biometric systems are derived by processing multiple frames of same fingerprint in two successive images, which are captured within a finite time interval. It includes ridge distortion based and perspiration based methods.

Ridge distortion based method analyzes distortion of ridge by processing a sequence of frames at a very high frame rate. A live finger will produce more distortion than a spoof.

On the other hand, perspiration based fingerprint anti-spoofing in biometric systems is based on detecting perspiration between human skin and other material, as the sweat starts from pores and diffuses along the ridges; it makes the region between pores darker.The resultant moisture pattern can be captured. Live fingerprints exhibit non-uniformity due to perspiration, whereas spoofs show high uniformity.

Fingerprint devices make use all kind of methodologies in their capacity to ensure security of fingerprint data. They use encryption algorithms to encrypt fingerprint data, so that even if data is compromised, it is not of any use of attackers. On-device encryption algorithms can encrypt data right on the device so that data is always in encrypted before it leaves the device.

Static based fingerprint anti-spoofing in biometric systems compares a single fingerprint impression with others. When compared with dynamic based methods, static based methods are cheaper as well as process their anti-spoof mechanism with much faster speed. Static based methods consider textural characteristics, skin elasticity, perspiration based characteristics or combination of these features. Analysis of minute differences in the images presented by a spoof also comes in static based methods, e.g. analyzing presence of air bubbles in a fingerprint spoof.

In biometric systems, immunity to spoofs will be a boon, as it remains the biggest threat to biometric systems; however, if we talk about the overall security, spoof detection is just a part of it.

Protection from spoofing is not the ultimate security measure against unauthorized access to your physical or digital space. Security is a strategy and it works by many systems working together. Each system participating in overall security should avoid being a weak link. For example, you may have the best fingerprint scanner to unlock your PC but what if your system is vulnerable to cyber attacks? In this case, even best fingerprint scanner will not be able to protect your identity and information.

Spoofing is not the only concern in today’s connected world. There are many security threats to evade in order to overall security effort work for you.

SQL Injection is a code injection attack, in which an attacker tries to exploit database vulnerability by injecting malicious SQL statements in an entry field. SQL injection attacks targets data driven applications on websites. For example, injecting a malicious SQL statement in the product search field of an e-commerce website.

SQL injections can manipulate a database, delete it, dump it at the attacker’s location and can leak sensitive information (e.g. personal information, credit card details, user name / passwords, etc.).

Like many other types of cyber attacks, SQL injections attacks may be organized, in which an attacker already has system information including the vulnerabilities or it may be blind / hit and try types of attacks, just to check if something comes up.

Consequences of a successfully SQL injection can be disastrous, for example, if an attacker finds some vulnerability in biometric database of national identities and able to run SQL commands, he/she may add, edit or delete entries or the tables, he may shuffle the database to mix identities and more.

Malicious programs are the computer programs that are designed to damage IT system or steal information. Malicious programs are generally designed by programmers with malicious intents, e.g. to slowdown a computer system or network (worms, viruses), steal information (spyware), encrypting or locking data of a target and asking for ransom money (ransomware), etc.

Packet sniffer, aka packet analyzer is a piece of hardware or software, which targets packets of data transmitted over the Internet.Packet sniffers can be configured in two ways. In “unfiltered,” mode, they can capture all packets possible and write them to a local hard drive for later examination. Another is “filtered” mode, meaning analyzers will only capture packets that contain specific data elements. A packet sniffer can record any data transmitted and send it to a command and control (C&C) server for further analysis, which can be used for malicious purposes.

Social engineering attacks are carried out to trick people into providing their personal details like PINs, passwords, financial information, payment card details, etc. Attackers make use of psychological manipulation to convince a target that providing information is in his/her best interest, after which the target may convincingly provide his/her personal / confidential information. It is called social engineering as tricking people to provide their personal / confidential information may require some social skills.

There is no limit what all can be encompassed within the definition of social engineering, so anything that can trick people into providing their sensitive information will come under the definition of social engineering.

Calls and emails for winning millions of dollars on the lottery tickets that you never purchased or a fake login page of your bank’s website comes in the definition of social engineering attacks.

Phishing attack is a widely used social engineering method to obtain personal / confidential information fraudulently. Phishing attack is initiated by sending a message (usually by an email) that is designed to look as if it was sent by a trustworthy entity (like a bank or a financial institution).

This email contains links or forms that are asked to click or fill, respectively. Phishing attacks can take place in one go or may take more than one steps to build confidence in providing sensitive information. Phishing attacks can be of bulk phishing types or can target a particular individual or entity. When phishing attacks are targeted, they are called spear phishing.

Fingerprint security is better than ever, you may trust it as much as you do passwords but unfortunately we live in a world where best security efforts may fail sometimes.

Our answer had been same if it was asked for passwords or PINs as well. All authentication methods have their own set of advantages and flaws. Unfortunately, we are yet to find something which is 100 percent secure as well as feasible.

For now, multi-factor authentication can be a good to go until all loopholes of fingerprint security and problems with fingerprint scanners are patched. A good authentication system will use both, a PIN or password as well as a biometric scan.