It is a video whose aim is to warn us and question the false sense of security that the fingerprint has inherited from spy films in the collective unconscious. Its authors? Computer security experts from the American bank Kraken, specializing in crypto-currencies.
In this video, they show how easy it is to reproduce a fingerprint to make a copy that fools the biometric sensors of all our connected devices: smartphones, tablets and computers.
The first step is to recover an object on which the fingerprint to be reproduced has been deposited by its owner: “A photo of the fingerprint is all that someone who wants to hurt you needs to copy it, whether they take it on a computer screen, smartphone or on the glass in which you have drank”, says the voiceover in the video.
This photo must then be processed, cleaned, optimized for printing. It therefore goes through image processing software such as Photoshop or Pixelmator. The authors of the video estimate the time required to perform all the retouching on the image at one hour, which therefore involves a little know-how.
Third step: printing, via a laser printer, on a sheet of acetate, in other words of transparent plastic. They can be found at 35 cents per unit on the Internet. Finally, place a few drops of wood glue on the printed impression and let it set and dry. Result: a false fingertip, made of an opaque pearly material, on which we find the convolutions of the characteristic ridges of each of us.
If it was simply a question of making a false nose, it would be much less serious, because this false index finger succeeds in deceiving all the biometric readers on which it is tested: iPhone, iPad, Android smartphones, laptops , and even, electronic wallets!
No current fingerprint reader can resist this copy: the fault, in large part, with these so-called capacitive sensors which are satisfied with probabilities to say if the finger presented is indeed yours, and to give access in particular to your means of payment. like Samsung Pay, Google Pay or Apple Pay. Biometric authentication involves a telephone or a bank card, such as the card with a fingerprint reader launched this year by BNP Paribas, which enables “contactless” use without the ceiling of 50 euros.
They have not radically evolved in our devices since the revolution represented by the iPhone 5S in 2013. We are now awaiting the arrival of ultra-sound readers, infinitely more precise, and which operate in the same way as a bat is spotted in the dark. On paper, it is a hope of greater security, but it remains to be confirmed.
“Never trust fingerprint identification alone.”
An expert in computer securityat Kraken Security Labs
This demonstration has one purpose: to encourage us not to trust our fingerprint readers too much: “To protect yourself, never completely trust fingerprint identification”, adds the voice-over in the video.
We understand that using your only fingerprint to give access to what you have most precious is a bit like writing your secret code on Post-it notes that you stick in your wallet. This immediate recognition by putting his finger has long made us dream, and James Bond is not for nothing. But it turns out, today, to be very insufficient to protect us from the risks of piracy, whether it concerns economic intelligence or – sometimes – the private sphere.
If possible, favor devices with facial recognition: it sold 1 billion last year. But he had also sold 1 billion smartphones with fingerprint readers in 2018! These devices that scan your face (“FaceID” on iPhone, “facial recognition” on Samsung Galaxy, “Face Unlock” on Google Pixel except on the very latest models, the Pixel 6 and Pixel 6 Pro) are much more secure, although some also managed to trick them with “Mission Impossible” latex masks.
Otherwise, in addition to your fingerprint, activate two-factor authentication, even if it means putting your good old secret code back into service… but without writing it down everywhere!