Thursday, January 05, 2006

Researchers pore over biometrics spoofing data

By Michael Kanellos
Published: Thursday 22 December 2005

Sweaty hands might make you unpopular as a dance partner but they could someday prevent hackers from getting into your bank account.

Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-Doh or gelatine or a model of a finger moulded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers.

In a systematic test of more than 60 of the carefully crafted samples, the researchers found that 90 per cent of the fakes could be passed off as the real thing. But when researchers enhanced the reader with an algorithm that looked for evidence of perspiration, the false-verification rate dropped to 10 per cent.

The idea of using perspiration is promising as a way to beat hackers because sweating follows a pattern that can be modelled. In live fingers, perspiration starts around the pore and spreads along the ridges, creating a distinct signature of the process.

The algorithm, created by Stephanie Schuckers, associate professor of electrical and computer engineering at Clarkson, detects and accounts for the pattern of perspiration when reading a fingerprint image. Dead fingers don't sweat.

Schuckers said in a pre-released statement: "Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesised that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration but cadaver and spoof fingerprint images would not."

The research, funded by a $3.1m grant from the National Security Agency and conducted in collaboration with other universities, is part of an ongoing effort to improve biometric authentication and identification.

Other methods are in the works as well. Fingerprint readers essentially take a picture of a fingerprint and match it to a sample in the database. To get around spoofs involving lifted fingerprints, NEC researchers have developed technology that actually takes a picture of the tissue underneath the fingertip to get a three-dimensional image that can be matched against a database sample. Fujitsu has developed an authentication technology that looks at vein patterns.

Although biometric identification technologies continue to improve, each has its own flaws. Voice authentication is fairly accurate and tough to spoof, say advocates, but it can be affected by a bad phone connection. Iris scans work well but are commercially impracticable. Face scanning is actually less accurate than most, but consultants for the US State Department say the technology was chosen for electronic passports because that particular identity test seems to make people feel less like criminals.

Michael Kanellos writes for CNET News.com

http://software.silicon.com/security/0,39024655,39155244,00.htm