Can you forge fingerprints?

Life has never been easier: one touch and the shopping is done, for example with PayPal, which allows members to pay by fingerprint. However, identification with this biometric method is evidently much less secure than most people believe. Only recently, Japanese researchers from the National Institute of Informatics warned against holding the victory sign up to the camera: the gesture could make fingerprints available worldwide, said scientist Isao Echizen. The researcher photographed fingers from a distance of three meters with a digital camera and used the images to reconstruct the person's fingerprint.

Falk Garbsch, spokesman for the Chaos Computer Club (CCC), is also familiar with such methods: "It is relatively easy to build a dummy from a photo of a fingerprint," he says. "Such procedures were presented at the CCC twelve years ago." The defense minister's fingerprint, for example, has been in the hands of the hackers since 2014. CCC member Jan Krissler, also known online as Starbug, made a copy of Ursula von der Leyen's thumbprint from a photo of her finger. Krissler wanted to draw attention to security gaps in biometric systems.

In principle, anyone can make such an impression. A photo of the front of the finger is enough: it can be edited with software such as VeriFinger or Photoshop. The result is printed on a foil; a commercially available laser printer is sufficient, and a good device prints the height relief of the finger along with it. The print is then coated with latex milk or wood glue. Once everything is dry, the fake finger can be used. The CCC shows such counterfeiting methods on its website. But that doesn't mean that every Facebook photo is dangerous. "It depends on the quality of the photo," says Garbsch. Photos from cell phone cameras are usually of poor quality, and the distance to the finger matters. With compact cameras it is easier, and with professional equipment there are no problems at all.

Money can already be transferred with a fingerprint

It is different with iris recognition. The resolution is so low with this method that a portrait photo is usually enough to outsmart it. A more exotic method of biometric authentication is the palm vein scan. Like fingerprints, hand veins differ from person to person and are unique. A corresponding device can read the veins of the fingers, the palm of the hand or the back of the hand. To do this, the system uses infrared radiation to create an image of the vein pattern. To forge the palm veins, criminals would need an infrared camera.

Unlike fingerprint and iris scans, which are found in smartphones, in notebooks and at the checkout, the palm vein scan is not part of everyday life. In addition to PayPal, Postbank, for example, allows money to be transferred using fingerprints. With systems like "Windows Hello", users can log in to their computer using an iris scan. And since Apple introduced fingerprint unlocking for the iPhone 5s in 2013, the system has been used on many new smartphones.

Apple called the method secure at the time. However, CCC hackers were able to outsmart the sensor within 48 hours: they scanned the smartphone and got the fingerprint. After that, they had to edit the picture and create a dummy. Hacker Jan Krissler presented the method at a CCC conference in 2014: "I expected to have fun with it for two weeks," he said. In less than two days, however, he had already defeated the system.

A fingerprint is unique. If it is stolen, it cannot be changed like a password

The proven security deficiencies do not bother the public. 60 percent of iOS users with the corresponding hardware pay with PayPal via finger login. A Visa survey from 2016 with more than 14,000 participants showed that two thirds of the respondents are impressed with biometric authentication methods when paying. The most popular method is the fingerprint, followed by the iris scan and face recognition. However, the CCC warns against biometric procedures. Securing the cell phone with a fingerprint may be convenient, but a biometric pattern is part of a person. If it is stolen, its owner cannot change it. Instead, Garbsch recommends a secure password.

The Japanese National Institute of Informatics is currently developing a method to protect against biometric data theft: users can stick a transparent film containing titanium oxide on their fingers. They should still be able to unlock their devices with it. Exactly how this works is still top secret. The institute intends to present the method in two years at the earliest. According to Garbsch, if you don't want to wait that long, you have the following options: either completely dispense with biometric authentication procedures, or "wear gloves all day long. Ideally even when you sleep."