A team of Clarkson University researchers headed by Stephanie A. Schuckers, associate professor of electrical and computer engineering, was able to break virtually all the biometric fingerprint identification systems they tested.

The researchers used fake fingers created by lifting prints from live fingers and making Play-Doh copies based on casts of the live fingers.

In a statement issued by Clarkson University, the researchers said they created over 60 false fingers, which were then tested in biometric fingerprint readers. The false fingers were authenticated by the readers in nine out of every 10 attempts.

False Fingers

Fingerprint scanning devices typically use very basic technology, such as an optical camera that takes pictures of fingerprints, which are then read by a computer. "The machines could not distinguish between a live sample and a fake one," Schuckers said.

Schuckers decided to test whether fingerprint readers could be made more secure against "spoofing" by giving them the ability to detect moisture in a finger.

"Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesized that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration, but cadaver and spoof fingerprint images would not," she said.

The Clarkson researchers were able to develop a technique for distinguishing live digits by detecting changing moisture patterns. This technique reduced the false detection rate to less than one in every 10 attempts, Schuckers said.

Nothing Spoof-Proof

"While it is true that we can spoof biometric systems with Play-Doh, it is important to understand that security is about staying one step ahead of the bad guys," said Schuckers. "Nothing is spoof-proof."

But she noted that if your security is better than what it was before you added a biometric system , then it is a worthwhile endeavor. "The biometric community is well aware of these vulnerabilites and is working hard to address them," she said. "Hence, my research."

There are many ways to make spoofing more difficult, she explained, such as combining a biometric system with something else, like a password, smart card, or another biometric system.

Professor Schuckers' biometrics security research was funded by the U.S. Department of Defense, the National Science Foundation, and the Office of Homeland Security.

Retail Applications

"We have been saying for a long time that fingerprint readers can be compromised by someone lifting live prints and creating false fingers," said Avivah Litan, a Gartner analyst specializing in security technologies. "There is a perception that biometrics is more secure than other authentication technologies, but every time a new security technology is discovered, there will be attempts to get round it."

Litan said that in the U.S., the most likely consumer application of biometric fingerprint technology will be in retail stores.

"Fingerprint scanning can save time at the checkout and it is seen as increasing transaction security," she said. "There are already trials taking place at U.S. retailers of fingerprint authentication systems for payments."

The main supplier of fingerprint-based payments in the U.S. is Pay By Touch of San Francisco, California. Its system allows customers to link their checking accounts or their Discover Card to their fingerprints. Customers can make payments just through a fingerprint scan at retailers that have installed Pay By Touch retailers.

Last month, Pay By Touch acquired its U.S. rival, BioPay, in a cash and stock deal worth $82 million.