When Fingerprints Are as Easy to Steal as Passwords

How do you prove who you are to a computer?

You could just use a password, a shared secret between you and the machine. But passwords are easily compromised—through a phishing scam, or a data breach, or some good old-fashioned social engineering—making it simple to impersonate you.

Today, you’re often asked to produce something more fundamental and harder to imitate than a password: something that you are rather than something that you know. Your fingerprint, for instance, can get you into a smartphone, a laptop, and a bank account. Like other biometric data, your fingerprints are unique to you, so when the ridges of your thumb come in contact with a reader, the computer knows you’re the one trying to get in.

Your thumb is less likely to wander off than a password, but that doesn’t mean it’s a foolproof marker of your identity. In 2014, hackers working for the Chinese government broke into computer systems at the Office of Personnel Management and made off with sensitive personal data about more than 22 million Americans—data that included the fingerprints of 5.6 million people.

That data doesn’t appear to have surfaced on the black market yet, but if it’s ever sold or leaked, it could easily be used against the victims. Last year, a pair of researchers at Michigan State University used an inkjet printer and special paper to convert high-quality fingerprint scans into fake, 3-D fingerprints that fooled smartphone fingerprint readers—all with equipment that cost less than $500.

In the absence of a state-sponsored cyberattack, there are other ways to glean someone’s fingerprint. Researchers at Tokyo’s National Institute of Informatics were able to reconstruct a fingerprint based off of a photo of a person flashing a peace sign taken from nine feet away. “Once you share them on social media, then they’re gone,” Isao Echizen told the Financial Times.

Face-shape data is susceptible to hacking, too. A study at Georgetown University found that images of a full 50 percent of Americans are in at least one police facial-recognition database, whether it’s their drivers’ license photo or a mugshot. But a hacker wouldn’t necessarily need to break into one of those databases to harvest pictures of faces—photos can be downloaded from Facebook or Google Images, or even captured on the street.

And that data can be weaponized, just like a fingerprint: Last year, researchers from the University of North Carolina built a 3D model of a person’s head using his Facebook photos, creating a moving, lifelike animation that was convincing enough to trick four of five facial-recognition tools they tested.

The fundamental trouble with biometrics is that they can’t be reset. If the pattern of one of your fingerprints is compromised, that’s fine; you have a few backups. But if they’re all gone—some law-enforcement databases contain images of all ten fingers—getting them replaced isn’t an option. The same goes for eyes, which are used for iris or retina scans, and your face. Unlike a compromised password, these things can’t be changed without unpleasant surgery or mutilation.

“If Border Patrol and your bank and your phone all are collecting your fingerprint data, all it takes is one actor who figures out how to manipulate that and you’ve basically wiped out the usefulness of that information,” said Betsy Cooper, the director of the Center for Long-Term Cybersecurity at the University of California, Berkeley.

What’s more, fingerprints and face shape, the two most widely used forms of biometric identification, stay quite stable over time. A study of automatic face-recognition systems from Michigan State’s Biometrics Research Group examined nearly 150,000 mugshots from 18,000 criminals, with at least 5 years between the first and last photo. The researchers found that one off-the-shelf software package was still 98 percent accurate when matching a subject’s photo to one taken 10 years prior. There’s even a field of research that studies how facial software can recognize the same face before and after plastic surgery.

The same Michigan State lab found that fingerprint patterns stay consistent over time, too. This time, the study examined a database of fingerprints from more than 15,000 people who were arrested by Michigan State Police over the span of five years. The results showed that for practical purposes, a 12-year-old fingerprint could be matched with an original, with nearly 100 percent accuracy. In another experiment, the group found that children’s fingerprints begin to stabilize at about one year of age, and remain of sufficient quality to identify them for at least a year.

(Not all biometric identifiers remain constant: Pregnancy can alter the blood-vessel patterns in women’s retinas, for example, confusing retinal scanners.)

To overcome the security risk of static fingerprints, irises, and face shapes, some research has turned to the development of changeable biometrics.

In 2013, a team of Berkeley researchers came up with a futuristic system called “passthoughts.” The technique combines three factors: something you know (a thought), something you are (your brain patterns), and something you have (an EEG sensor for measuring brainwaves). To authenticate with a passthought, you think your secret key while wearing the sensor. The key can be just about anything: a song, a phrase, a mental image. The thought itself is never transmitted—just a mathematical representation of the electric signals your brain makes while thinking it.

If someone else were to figure out exactly what you were thinking, they couldn’t impersonate your passthought, because every person thinks the same thought differently. A hacker might be able to defeat the system by using a phishing scheme: by tricking you into thinking your passthought, capturing the output, and later replaying it back to an authentication system to trick it. But you wouldn’t be compromised forever. You can just change your passthought.

Cooper says researchers are exploring ways to use a CRISPR-like system to embed alterable encryption keys into DNA, too. With changeable biometrics that use brainwaves or genetics, you’d have a way to prove you’re you, even if each of your fingerprints has been compromised ten times over.