Financial Daily from THE HINDU group of publications
Monday, Aug 02, 2004


eWorld - Security


Faking 'made easy'

Isabelle Raja

USING fingerprints to prove authenticity is a traditional technology. The Babylonians and Chinese used it to sign important legal documents even before the invention of paper. In countries such as India, fingerprints are still used to sign important documents and the law accepts the practice. It is a simple, easy-to-use technology that relies on the fact that no two fingerprints in the world can be identical. However, the success of this technology relies not only on the absence of an identical print but also on the way the technology is deployed. When somebody signs a document with a fingerprint, he does so in the presence of human witnesses. These witnesses attest to the ownership of the fingerprint.

Compare this to the way biometrics is deployed for authentication on the Internet and in other areas with restricted access. A fingerprint reader scans your fingerprint and searches its database for a match. If it finds a match, it associates you with the name given to the fingerprint in the database and authenticates you. Otherwise, it rejects you. In a typical online banking scenario, the Web site allows you to log in using your fingerprint. In this case, you don't even have to provide a username or password; fingerprints are treated as a replacement for passwords. So you can simply sit at your table, connect your fingerprint reader, place your finger and bingo! You are authenticated and allowed to view your bank account. See what's wrong? How does the bank know that it is only you who placed your finger on the fingerprint reader? Of course, the fingerprint is yours, but it does not necessarily have to originate only from your finger. No two people have the same fingerprint, but what prevents somebody from faking your fingerprint and having it on his finger? The same argument holds for unattended airports or restricted areas that rely on only a fingerprint reader to authenticate people.

The proponents of this technology defend it by arguing that it is not easy to make fake fingerprints; the technology is very expensive and accessible only to a few, they say. Unfortunately, the assumption that fingerprints are difficult to fake is a major flaw in the argument. Japanese Professor Tsutomu Matsumoto demonstrated how fingerprints can be faked using gelatine. Here is another way to fake fingerprints. It needs less than Rs 50 ($1) and 15 minutes. It worked beautifully on a fingerprint reader.

Enrol a friend's thumb (any finger would do) with the fingerprint reader. Buy some china clay. The clay is available at any stationery shop. It can be any colour you fancy. Place the finger you enrolled with the reader on the china clay. Press gently until it leaves a beautiful print on the clay. Bake the clay until it hardens. Now, apply Fevicol on the printed side of the clay. Let it dry. When it gets dry, it becomes transparent. Peel off the Fevicol film. Your fake fingerprint is ready. Stick it to the underside of your finger and place it on the fingerprint reader. The reader will identify the print as belonging to the friend, whose thumb was already enrolled. However, the film works only when it contains slight moisture.

This method assumes that you have the co-operation of the person who enrolled his fingerprint. But even otherwise, you can easily coerce somebody into leaving his or her fingerprint on the clay. It comes in different colours and people love playing with it.

This is not to say fingerprint readers have no future. Despite the said drawbacks, they do have their uses. However, like every technology, fingerprint identification and authentication also have their limitations. The technology cannot serve as a substitute for a human supervisor, but can assist him greatly. Understanding such limitations and implementing the technology at the right places can save a multitude of resources.

(The author is Security Consultant, Odyssey Technologies Ltd, and can be reached at bella@odysseytec.com)


Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line