Speaking at the 31st annual Chaos Computer Club convention in Hamburg, Germany, hacker Jan Krissler, a.k.a. “Starbug,” says that he replicated the thumbprint of Ursula von der Leyen using pictures shot with a “standard photo camera”. The announcement was made at the annual convention for the 31-year-old network of hackers known as the Chaos Computer Club.
Krissler claims that he took a close-up of Ms von der Leyen during a press event in October, as well as photos from different angles. He then used the commercial software program VeriFinger to put the print together. Krissler was clearly quite proud of himself and went so far as to suggest that in the future politicians will be forced to “wear gloves when talking in public.”
If true, Apple’s claim that Touch ID, which is also used with Apple Pay, is “the most advanced hardware or software we’ve put in any device” may be a bit suspect.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” said Starbug. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
He then explained the process of making a fake latex finger.
“First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.”
Fingerprints are not terrifically great biometrics, according to a number of security experts. Professor Alan Woodward from Surrey University recently told the BBC: “Biometrics that rely on static information like face recognition or fingerprints – it’s not trivial to forge them but most people have accepted that they are not a great form of security because they can be faked.”
“People are starting to look for things where the biometric is alive – vein recognition in fingers, gait analysis – they are also biometrics but they are chosen because the person has to be in possession of them and exhibiting them in real life.”
Earlier this year, Barclays bank introduced devices manufactured by Hitachi that read not the fingerprint of customers but the unique pattern of veins inside the finger.