
D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Scenario 2: Possibilities of Identity theft with biometric devices  Title:
SPOOFING
 Countermeasures

 

Spoofing

The spoofing of biometric devices by making copies of a fingerprint in silicone or another casting material is legendary. The first publications on spoofing came from Yokohama National University in Japan (Matsumoto 2002), which even gives a detailed recipe, and from T. van der Putte (2000). Another publication that attracted a lot of attention appeared in c't magazine (Thalheim and Krissler 2002), a popular German computer journal.

 

Experiments with spoofing 

The Dutch Forensic Institute has done extensive tests with various biometric systems. Several fingerprint systems and an iris system have been tested for possibilities of tampering. In most cases tampering appeared to be easy if a person who is enrolled in the system cooperates. Some biometric features can also be copied without this person’s awareness and consent (for example, fingerprints taken from a glass).

A low-cost (Panasonic) iris scanner in our laboratory could easily be fooled with a photograph of a person revealing the iris (). Punching a hole in the place of the iris turned out to be sufficient to mimic the light absorption exhibited by a real iris and fool the system into falsely accepting the photo as a real iris. It is claimed that high-end scanners do not have this disadvantage:

Because the iris and eyelid vibrate at known frequencies, and because oxygenated tissue reflects light at a specific frequency, it is possible to differentiate between a real person and a digital image, glass eye or contact lenses with irises printed on them.

We have not substantiated this claim. 

              
                       

Figure . Image of iris spoofed by low resolution print and also possibilities with fun lenses for enrolment and access control



Figure . Silicone casts of fingerprints with silicone cast negative and acrylate paint as positive.

 

The NFI lab has also tested the methods described in the literature to create copies of fingerprints. The figure above shows the use of Silmark silicone casting material to copy a fingerprint. The negative can then be used to create a positive consisting of a thin layer of acrylate paint, which can be worn on top of one’s own finger to impersonate the victim whose fingerprint was acquired.


Figure . Fingerprint access with copy of fingerprint on scanner “Digital Persona”.

 

The method described uses a mold created from the actual fingerprint. This means the victim has to cooperate in the identity change (identity takeover or identity delegation). 

The literature (e.g. van der Putte and Keuning 2000) also describes methods that use photographs of fingerprints left on glasses to create the required positives by means of photolithographic processes. An even easier method is reported by the Chaos Computer Club; it relies on a fingerprint on glass and simple means such as superglue, wood glue, a digital camera, an overhead foil and a laser printer.

Several patents and information sources describe the method of computing a template to be used for the comparison. Depending on the implementation, it may be possible to reverse engineer the template to create a ‘biometric feature’ that, when presented to the scanner, matches the template used by the scanner. The biometric feature constructed in this way is most likely not the same as the one that was used to create the template, as information is lost in the process of creating the template. It does, however, resemble the original sufficiently, or has the essential features needed, to fool the algorithm employed by the system.

The prevention of fingerprint spoofing has also received attention, for instance from Biosal at the biometric summit 2005 in Miami. This report acknowledges the risks of spoofing and concludes:

“Compared to other components of the digital infrastructure, biometrics has much higher failure rates. That is, false accept rates are much higher and the ability to spoof biometric systems is relatively easy. If any improvements in overall security system failure rates are to be accomplished, biometrics must be complemented with other forms of physical and logical security” 

There are several methods that can be used against fingerprint spoofing:

  • supervision of verification, in addition to enrolment 

  • addition of another token (password, smart card) 

  • aliveness detection based on recognition of physiological activities as signs of life (see also patent literature)

  • thermal sensing of the finger temperature 

  • detection of 3 dimensional shape and pulse 

  • pulse oximetry 

  • ECG 

  • electrical conductivity of skin 

Surgery

Changing a biometric property (for instance, a fingerprint) without spoofing is only possible through surgery, and only a few cases involving transplantation have been reported. Concerning iris surgery, there appear to be a few cases where the surgery had an influence on the iris.

Another case that has been reported is the amputation of the index finger of a Malaysian Mercedes car owner. The amputated finger was used to unlock the car’s fingerprint access control system. Biometric systems of this kind could thus give rise to a new kind of severe crime: mutilation of the human body.

Conclusion

The preceding examples show that biometric systems are not completely tamper-proof, especially if the equipment is unattended. When investigating evidence from biometric devices, the forensic examiner should therefore consider the possibilities of tampering with the biometric systems, or the possibilities of unauthorized access, before drawing conclusions. A problem with biometric features is that they are not easily revoked or changed once they are compromised. We only have two irises, two hands, 10 fingers etc. A single compromised finger can be replaced by another, but after all ten have been used no options are left. There are methods to extract multiple templates from a single biometric feature that allow for template revocation, but these are not yet employed in actual practice (see for instance Linnartz & Tuyls, 2003).

Detecting and addressing fraud involving biometrics is difficult. If the biometric feature is stored on a smart card carried by the victim, and the card is used in conjunction with the biometric to verify the holder’s identity, then in practice theft of the card combined with cloning of the biometric renders the validation useless. The card can only be blocked if its use is validated against a central database that blacklists compromised cards/identities. The card can be revoked, but the biometric remains compromised and can no longer be used without fear of additional ID fraud.
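Added example (not part of the FIDIS deliverable): a sketch of the template revocation and central card blacklisting described in the two paragraphs above. It uses a seeded random projection with sign quantisation as a stand-in revocable-template transform, not the scheme of the cited paper; the sizes, threshold, names, card seeds and feature vectors are all constructed assumptions.

```python
import hashlib
import random

DIM, BITS, THRESHOLD = 64, 128, 25   # assumed sizes and Hamming threshold

def make_template(features, card_seed: bytes):
    """Sign of seeded +/-1 random projections: one revocable template per seed."""
    rng = random.Random(int.from_bytes(hashlib.sha256(card_seed).digest(), "big"))
    rows = [[rng.choice((-1.0, 1.0)) for _ in range(DIM)] for _ in range(BITS)]
    return [int(sum(w * x for w, x in zip(row, features)) >= 0) for row in rows]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

class Verifier:
    # Central database: holds only transformed templates and a seed blacklist.
    def __init__(self):
        self.templates = {}      # user -> (card_seed, template)
        self.blacklist = set()   # seeds of cards reported stolen or compromised

    def enrol(self, user, features, card_seed):
        if card_seed in self.blacklist:
            raise ValueError("seed was revoked and cannot be reused")
        self.templates[user] = (card_seed, make_template(features, card_seed))

    def revoke(self, user):
        card_seed, _ = self.templates.pop(user)
        self.blacklist.add(card_seed)

    def verify(self, user, features, card_seed):
        enrolled_seed, template = self.templates.get(user, (None, None))
        if card_seed in self.blacklist or card_seed != enrolled_seed:
            return False
        return hamming(template, make_template(features, card_seed)) <= THRESHOLD

def constructed_reading(person: int, session: int):
    """Constructed sample data: a fixed vector per person plus small session noise."""
    base, noise = random.Random(person), random.Random(1000 * person + session)
    return [base.gauss(0, 1) + noise.gauss(0, 0.1) for _ in range(DIM)]

def demo():
    v = Verifier()
    v.enrol("alice", constructed_reading(1, 0), b"card-A")
    before = v.verify("alice", constructed_reading(1, 1), b"card-A")    # genuine
    impostor = v.verify("alice", constructed_reading(2, 0), b"card-A")  # other person
    v.revoke("alice")                                   # card stolen, finger cloned
    replay = v.verify("alice", constructed_reading(1, 2), b"card-A")    # old card
    v.enrol("alice", constructed_reading(1, 3), b"card-B")              # same finger
    after = v.verify("alice", constructed_reading(1, 4), b"card-B")
    return before, impostor, replay, after
```

Revocation here protects the stored template and the card only: a cloned finger presented together with a valid, unrevoked card still matches, so supervision and aliveness detection remain necessary.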

Biometrics at present also represents an immature technology, as there are hardly any large-scale implementations, let alone independent evaluations of these systems. Such evaluations are necessary before a wide-scale introduction of these systems is sound.

 

fidis-wp5-del5.2b.ID-related_crime_03.sxw
Denis Royer