Hacking a Fingerprint Video

Mythbusters spent 3 days experimenting with ways to break into a high security thumbprint lock. They did it in ten minutes using both a photocopy of a fingerprint, and a more complicated method of using a cast fingerprint lifted off of a CD.

For the few customers who do work with equipment that’s secured with biometrics, it is something to consider. If someone with less than honest motives was working at a car dealership that had access to your thumbprint, they would also have your employer’s name and information.

Check out the video.

Update: some interesting links via an old boingboing post:
Gummi bears defeat Fingerprint Sensors

More on the Gummi bears

Making homegrown cyanoacrylate fingerprints

Some dealerships say that thieves are deterred when thumbprints are taken. But since they don’t tell you about this policy until the last minute, customers must make a very awkward choice: put your thumbprint in a box and feel like a criminal being booked, or say no thank you and walk out the door knowing they believe you to be a thief, deterred by their clever tactic.

I believe their faith in this is misguided. When you can pick any glass bottle out of someone’s trash and create a false prosthetic print from it with superglue fumes, how does that protect anyone? If it becomes necessary to use someone else’s thumbprint to steal a car, that’s exactly what thieves will do.

Imagine if every dealer uses this technique. It won’t stop the thieves. They’ll just get more creative.

What if your print was stolen and used to acquire a car? It could work like this: the print is run through the DMV database. Your name comes up – a perfect match, but you’ve never even set foot in that dealership. How can you ever hope to prove your innocence? Better hope you had a good alibi.

A forged thumbprint can be a damning indictment, far worse than a badly forged signature.

4 Responses to “Hacking a Fingerprint Video”

  1. Mary Lu Says:

    Kudos to the star on TV! Just saw you on Channel 4! Go get em!

  2. lorna Says:

    Thanks Mary Lu! I think somebody in the news room had a head cold. Hope those people in that crash are OK.

  3. Kevin Says:

    All this nonsense, I have been selling Biometric Verification & identification devices (Electronic fingerprinting) for 15 years now. The industry does not know of a single event in which an operator of a biometric verification system would allow a person to be scanned that has a fake fingerprint attached to their finger. This is ridiculous. It would be very evident that such a technique was being used to try and fool the system. The operator would never proceed and the subject / applicant would not be so foolish to even try. New scanners detect latex and live finger pulse.

    Now for those still interested, it is possible that the latex or other technique can in fact be used on an unattended access control device if enough time and patience is used. But these devices are typically used to allow one to enter a protected room or area in a building. The perpetrator would also need the real user’s PIN# to effect the match.

  4. Student Says:

    Kevin is correct.

    Thumb print locks are hardly widely used or perfected anyhow. And if there are security concerns they won’t be.

    Someone with less honest motives could do way more with a social security number. A fingerprint can’t open checking accounts, credit accounts, make loans, etc…

    How could your fingerprint be stolen and used to buy a car when they fingerprint you in person at the dealership…Unless someone gets plastic surgery to have someone else’s print grafted onto their thumb it’s impossible to use another’s print when the salesman takes yours.

    And currently the dealers are just protecting themselves, which is neither an advantage nor disadvantage to us. I hope you don’t believe you’re accomplishing something because as a computer salesman I know they’re getting along just as well. After you left that day, someone else came in and bought a car right after you and asked no questions. You obviously don’t understand how much shrink (theft) hurts a business and why any new levels of security (especially one as simple as this) can prevent losses. Dealers and business in general get paid by profit. A dealership loses 1 car, 35,000. When they sell a car they make between 1-5000; how many does it take to reach 35,000 to replace 1 car? All the sales just paid for the stolen car, so there’s no accumulation from all the sales they just made. Very detrimental. Stopping 1 thief really pays off.

    I’ll say it again, a thief can’t forge their print right in front of the salesman. Therefore they could not use your identity to buy a car this way. THIEVES, AND IDENTITY THIEVES “ARE” DETERRED THIS WAY.

    They’ll probably have databases in the future to instantly validate them as well.

    You really need to think about your comments before you print them. I swear, it’s like you’re so angry because you didn’t get your way, that you’re ranting on with these false and unintelligent statements. If you make so much sense then why are people like me and Kevin (also everyone on the previous article) proving you wrong? I’m a college student, and you sound like me when I was a kid, then I grew up….

    Lorna stated “Dealerships can only afford to refuse so many sales before it cuts into profits. But when some dealership starts going all homeland security on its customers, there’s just not a good enough deal for me to willingly support that.

    I believe that the only reason 5200 people gave their fingerprints to that dealership is because the negotiation process wears the customer down completely – it’s designed to. After you’ve spent so much effort shopping and then haggling, and the dealer sneaks in this policy at the last minute, well – most people feel stuck in the deal. They don’t feel like they can say no, so they don’t. That doesn’t mean it’s a good policy, it just means people don’t feel like they have a choice, and that’s what stinks about it.

    Bottom line? To this dealership, my lost sale is the equivalent of 25% of their stated last years’ losses to fraud.

    They said one other person walked out because of this policy in the past three months. If they lose one sale over this every three months, they’re exactly break-even with the losses from fraud. Currently, they’re at double that.

    Except losing your customers due to your own bad policies, that isn’t covered by insurance.”

    As a salesman, I wholeheartedly guarantee that the loss of your sale was nothing to the dealer and they are getting just as many sales as before. Hence your 5200 number. As you can see, you are 1 out of 5200 that’s making a big deal out of nothing. Move on to something that actually helps the world.
