Hackers can copy your fingerprints directly from photos

WHY THIS MATTERS IN BRIEF

Unlike passwords you can’t change your biometric ID’s, and hackers are finding new ways to lift them and use them for their own nefarious objectives.

Thanks Donald. Can I call you Donald? Now pass me your phone and don’t worry – I’ll take good care of your Twitter account, and nice selfies BTW.

Most people, including the new President, are undoubtedly aware it’s a bad idea to post sensitive and personally identifying information on the web, such as their date of birth, address, mother’s maiden name and flight details because they can all be hoovered up and used by scammers with nefarious objectives. And they most certainly wouldn’t publicly share their passwords.

Sharing pictures, however, is something everyone is comfortable with. But research has revealed that these can also be used to glean telling information. Posing for a picture while giving a thumbs up, or holding your hands up in a peace sign, for example, could pose a security threat because hackers can use them to lift your prints and unlock anything you own that has a fingerprint ID system – including phones, computers and tablets.

Researchers at Japan’s National Institute of Informatics (NII) have found that fingerprints can be easily recreated from photos taken up to three metres away without the need for advanced technology. So long as the picture is clear and well-lit, prints can be mimicked.

“Just by casually making a peace sign in front of a camera, fingerprints can become widely available,” Professor Isao Echizen, a security and digital media researcher at the NII, told local paper Sankei Shimbun.

It isn’t the first time the security of biometrics has been called into question. Back in 2015, hacker Jan “Starbug” Krissler recreated Angela Merkel’s iris from a photo and managed to unlock a test.

Unlike passwords, biometrics cannot be easily changed, prompting fears over the safety of people’s personal data.

“We shed physical biometric data wherever we go, leaving fingerprints on everything we touch, posting selfies on social media, and videos with friends and family. Much of this information can then be captured by fraudsters,” said Robert Capps, from biometrics company NuData Security.

“Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user’s accounts and identity will persist for that person’s lifetime.”

Echizen’s team has created a transparent film that can be applied to finger tips to protect the print from prying eyes. Made of titanium oxide, it prevents fingerprints from being copied without inhibiting unlocking.

But the protective technology won’t be ready for two years and is unlikely to be a widely adopted measure of protection.

Another solution is for companies to make their biometric tests more secure. China based Goodix is developing a “live” fingerprint scanner that users prints and infrared analysis of underlying tissue and pulse. Going layers deeper could be one way to prevent spoofing.

“The transparent film with white patterns we have developed can prevent identity theft through fake fingerprints from photographed subjects, but does not interfere with identity verification with fingerprint authentication device,” said Dr Echizen.

Japanese government officials last year launched a new system that enables visitors to pay in shops with a touch of the fingertips, after registering their credit card and fingerprints details so this latest hack comes at an interesting time.