Biometric Security Can Be Hacked, but It's Really Hard to Do

NEWS ANALYSIS: Last month, a pair of security researchers demonstrated how it’s possible to fool a vein recognition system, but they also showed just how hard that actually is to do. New-gen scanners work a lot better now than they did previously, but like any biometric reader, they can be fooled.

At the end of December 2018, security researchers in Leipzig, Germany, demonstrated at a security conference their method of hacking a biometric security system that depends on reading the pattern of blood vessels in the palm of the hand. This method of vein authentication involves reading the details of the veins just below the skin in a person’s hand and comparing that to an already recorded image of those veins.

Vein authentication is considered secure because no two people have exactly the same pattern. The readers shine near-infrared light on a person’s palm, which reveals the vein structure to a special camera, which then takes a digital photograph of those veins. Such a means of identification is considered more secure than, say, fingerprints, because the subject doesn’t have to touch anything to have their veins read. Instead, they can simply hold them above the reader briefly while the scanning happens.

Scanning of the palm for security reasons has been around for a while. I first tested such a system over a decade ago when the vein-scanning reader was embedded in the top of a mouse. It worked well, although the early software was sometimes confused when you didn’t hold your hand in just the right position.

Biometric Readers Can Be Fooled

Things have changed since then, and those scanners work a lot better now than before. But like any biometric reader, they can be fooled. In the case reported in Germany by the magazine Motherboard, the researchers took photos of their own hands with a readily available camera that had had the infrared filter removed. They then printed the image so it was the size of a normal hand on a sheet of paper, covered the printed image with wax and used that to simulate a hand. After some 2,500 attempts, it worked.

While vein recognition is still fairly rare in the U.S., one form of it—finger vein recognition—is growing in Asia, where it’s used for a variety of purposes, including in ATMs. The concern about faking vein patterns has followed that development, with tests involving faking vein patterns. Possible prevention has been studied by Japan’s National Institute of Informatics, according to a report in The Asahi Shimbun. There, the institute has developed a shield to prevent the theft of vein patterns.

So why am I suggesting that the ability to hack these readers isn’t a major concern? There are several reasons—the primary one being that it’s really hard to accomplish, requires a lot of time and would never go unnoticed. It also requires a subject willing to have his/her hands photographed hundreds of times, which is not the sort of thing that can happen surreptitiously.

In addition, the means of fooling the vein-recognition system worked for only one type of technology. Other means of vein recognition depend on seeing the blood flow through that pattern of veins. Still others, including one recently patented by Apple, depend on a 3D image of the veins within a body structure, such as the face. Faking a 3D image while also demanding to see the movement of blood flowing within the veins is so far a method that hasn’t been hacked.

Two-Factor Authentication Always Safer

And of course, you should never depend on a single method of authentication, no matter how secure you think it might be. A biometric authentication method coupled with something else, such as a six-digit PIN, is dramatically more difficult to crack than cracking either on its own.

Vein authentication is already joining the mainstream, and it’s about to get more popular. Fujitsu and Microsoft are working to bring PalmSecure to Windows 10 Hello as a way to eliminate passwords with Windows 10, which is part of a significant effort by Microsoft. This would work by plugging a reader into your computer’s USB port. Then you could be authenticated simply by holding your hand above the reader.

As nice as this sounds, for good security you can’t just depend on one factor for authentication. The rule, which you’ve heard by now, is that you must use something you have and something you know. The something you have might include a fingerprint, a smart card or your vein pattern, but the something you know must also be there. Better security would include a password or PIN. Without both, you can’t be authenticated.

You may have noticed by now that what we’re really talking about are forms of two-factor authentication. For most uses, this would be fine, but it’s not good enough for real security. For that, you must also protect the access method by having good physical security.

Physical Security for Certain Use Cases Is Recommended

For example, if you want to have secure access to something really important, such as your server room, then you’d want your vein reader supervised by a security guard as a way to prevent multiple tries with printed veins and wax hands. Such a security presence also helps protect against tailgating, and it helps protect against someone making multiple guesses on a PIN reader. That security guard can also control physical access to the reader by controlling when someone is able to use it, which will prevent someone taking out the guard first.

Admittedly, some of these suggestions may sound like overkill, and perhaps for your organization it is. Only you can decide how much your data is worth, and only you can guess the damage if your security is compromised.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...