Digital Cloning: Hacking Your Fingerprints

Posted by

While your biometrics may be as unique as a snowflake, they can still be digitally captured, copied and used to gain access to your “secure” computer network and data storage facilities.  Using standard photos taken during a press event in October and commercially available software, a 31-year-old member of Europe’s largest association of hackers successfully re-created a digital fingerprint of German defense minister Ursula von der Leyen.  The digital print could then be used not only to fool security software, but with the increasing sophistication of 3D printers, to turn the digital print into a physical replica.

Fingerprints, which are widely used on Samsung and Apple devices, as well as human voices and faces are being dismissed by a growing number of experts as “insecure” static information, as opposed to dynamic personal identifiers including finger vein patterns and gait/body motion, both of which require a living person to re-create.  In September 2014, international bank Barclays PLC introduced finger vein recognition for business customers.  The technology, initially developed and patented by Hitachi in 2005, uses near-infrared LED light to scan hemoglobin in the bloodstream and map the pattern of veins, all in under two seconds. A prototype compact scanner released by Hitachi in December 2014 would allow users simply to waive their finger over the scanner, which can read the three-dimensional vein patters regardless of finger positioning.

“Digital cloning” raises universal concerns for consumers and companies alike, as well as insurers covering the many businesses relying on potentially out-of-date security systems.  The risks associated with digital hacking of traditional biometrics should be incorporated into any company’s data security plan, and regularly updated to ensure the highest-level of protection.  Continued reliance on antiquated security systems not only invites avoidable data breaches, but could also impact both the cost and scope of insurance coverage available in the event of a cyber-attack where the insured is obligated to maintain a secure computer network and data storage facility.