You’ll just need $5 worth of supplies.
Fingerprint authentication is one of the most secure techniques of data protection… right? You’d think so; after all, that’s what businesses and security experts have been telling us for years. Fingerprint spoofing, however, turns out to be a lot easier than heist movies would have you believe. All you need is a little wood glue, a laser printer, and an acetate sheet, according to Kraken Security Labs.
The cryptocurrency exchange published a write-up on its official blog a few days ago describing how the "hack" is done. The supplies are cheap, and the steps are simple enough that virtually anyone with the motivation could follow them, which is a pretty frightening thought.
So, how does it work? First things first, a potential attacker needs your fingerprint, or, more accurately, a photo of your fingerprint. They don't need to lift a physical print from anything you've touched; a picture of a latent print is enough, say a smudge on a laptop screen or a glossy desktop keyboard. Kraken also gives examples like tables at a local library or gym equipment.
Whatever the surface, once a reasonably clear photo has been acquired, the next step is to turn it into a negative in Photoshop. Kraken says its team was able to create a "decent" one in about an hour.
Next, Kraken printed the negative onto an acetate sheet using a standard laser printer. The toner, according to the company, sits proud of the sheet and so mimics the 3D structure of a real fingerprint, turning the print into a mold. The final step is to grab some wood glue from your local hardware store, squirt some over the printed fingerprint, and let it dry. Peel it off once it has set, and there you have it: a (hopefully not) working fingerprint copy.
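The digital part of that procedure, as an added example rather than anything from Kraken's write-up or this article: a pure-Python script that takes a grayscale fingerprint photo, picks a black/white threshold with Otsu's method, and inverts the result into a two-level negative that a laser printer can lay down as solid toner. The article only says a negative was made in Photoshop; the thresholding step is this example's own choice so that the mask has no gray midtones. A synthetic concentric-ridge pattern stands in for a real photo so the script runs offline, and the PGM writer is a convenience for getting the result into an image viewer or print dialog.

```python
"""Make a print-ready fingerprint negative in pure Python.

Added example, not part of the Kraken report or the article. The ridge
pattern below is constructed; replace it with the rows of a real grayscale
photo (0..255 per pixel) to use the same pipeline on captured input.
"""
import math


def synthetic_fingerprint(width=64, height=64, ridge_period=6.0):
    """Constructed input: concentric sine ridges as 0..255 grayscale rows."""
    cx, cy = width / 2, height / 2
    rows = []
    for y in range(height):
        row = []
        for x in range(width):
            r = math.hypot(x - cx, y - cy)
            v = 0.5 + 0.5 * math.cos(2 * math.pi * r / ridge_period)
            row.append(int(round(v * 255)))
        rows.append(row)
    return rows


def otsu_threshold(rows):
    """Otsu's method: the threshold that maximizes between-class variance,
    so ridges and valleys separate cleanly without hand-tuning."""
    hist = [0] * 256
    for row in rows:
        for v in row:
            hist[v] += 1
    total = sum(hist)
    sum_all = sum(i * h for i, h in enumerate(hist))
    weight_b = 0      # pixels at or below the candidate threshold
    sum_b = 0         # their intensity sum
    best_t, best_var = 0, -1.0
    for t in range(256):
        weight_b += hist[t]
        if weight_b == 0:
            continue
        weight_f = total - weight_b
        if weight_f == 0:
            break
        sum_b += t * hist[t]
        mean_b = sum_b / weight_b
        mean_f = (sum_all - sum_b) / weight_f
        var_between = weight_b * weight_f * (mean_b - mean_f) ** 2
        if var_between > best_var:
            best_var, best_t = var_between, t
    return best_t


def binarize(rows, threshold):
    """Pixels above the threshold become white (255), the rest black (0)."""
    return [[255 if v > threshold else 0 for v in row] for row in rows]


def negative(rows):
    """Invert: black becomes white and vice versa."""
    return [[255 - v for v in row] for row in rows]


def make_negative(rows):
    """Full digital step: threshold the photo, then invert it for printing."""
    return negative(binarize(rows, otsu_threshold(rows)))


def to_pgm(rows):
    """Serialize 8-bit grayscale rows as a binary PGM (P5) image."""
    height, width = len(rows), len(rows[0])
    header = f"P5 {width} {height} 255\n".encode()
    return header + bytes(v for row in rows for v in row)


if __name__ == "__main__":
    photo = synthetic_fingerprint()
    with open("fingerprint_negative.pgm", "wb") as f:
        f.write(to_pgm(make_negative(photo)))
    print("threshold used:", otsu_threshold(photo))
```

Whether the printed mask needs to be inverted once or not at all depends on how the print shows up in the photo (dark ridges on a light surface or the reverse) and on the fact that the glue cast is itself the inverse of the toner mold, so check the output against the photo before printing rather than assuming one polarity.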
Obviously, we would not urge anyone to try this, but Kraken claims that it was able to carry out this "well-known attack" on the "majority" of devices available to its team members. Had this been a real attack rather than a controlled experiment, the repercussions for a victim could have been disastrous, according to the company.
However, it is not all doom and gloom. Fingerprint authentication should be just one component of a comprehensive data and account security strategy. You should also have a strong password and (non-SMS) two-factor authentication; with a second factor such as an authenticator app or hardware key in place, a spoofed fingerprint on its own is not enough to get into the account.
Well, most of the time. Unfortunately, some apps let a fingerprint sign-in skip the 2FA prompt, so the fingerprint is effectively standing in for both factors. In those apps it is actually more secure to turn fingerprint sign-in off entirely and rely only on a strong password and 2FA. It is worth checking each app's security settings to see whether biometric login bypasses the second-factor prompt before trusting it.
Masthead credit: George Prentzas