Not so secure: There are few forms of data protection that are more secure than fingerprint authentication... Right? You'd certainly think so -- that's what companies and security pros have told us for years, after all. However, as it turns out, fingerprint spoofing might be considerably easier than heist movies would have you believe. According to Kraken Security Labs, all you need is a bit of wood glue, a laser printer, and an acetate sheet.
The cryptocurrency trading company published a report describing how the "hack" can be done over on its official blog a few days ago. The items you'd need to pull it off are affordable, and the steps are simple enough that virtually anyone could pull them off, provided they have the motivation to do so, which is a pretty frightening thought.
So, how does it work? First things first, a potential hacker needs your fingerprint -- or, to be more accurate, a photo of your fingerprint. They don't actually need physical access to anything you've touched, only a picture of, say, a smudge mark on a laptop screen or a reflective desktop keyboard. Kraken also gives examples like tables at a local library or gym equipment.
In either case, once a reasonably-clear photo has been acquired, you'd need to create a negative in Photoshop -- Kraken says its team was able to create a "decent" one in about an hour.
Next, Kraken printed the negative image onto an "acetate sheet" using a standard laser printer. The toner, according to the company, mimics the 3D structure of a real fingerprint. The next and final step is to grab some wood glue from your local hardware store, squirt some over the top of the faked fingerprint, and let it dry. You can peel it off later, and there you have it: a (hopefully not) working fingerprint copy.
Obviously, we would not advise anyone to go out and do this but according to Kraken, it was able to perform this "well-known attack" on the "majority" of devices its team members had available. As the company notes, if this was a real attack and not a controlled experiment, the implications could be devastating for a victim.
With that said, it's not all doom and gloom. Fingerprint authentication should be just one layer of an ideally multi-faceted approach to data and account security. You should also have a strong password and (non-SMS) two-factor authentication -- the latter would prevent fingerprint hacks from being a problem in the first place.
Well, most of the time. Unfortunately, some apps allow users to bypass 2FA with a fingerprint sign-in, so in those cases, it would actually be more secure to shut off the latter entirely and rely only on 2FA and a strong password.
Masthead credit: George Prentzas
