Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development
    • IT Management

    Biometric Security Can Be Hacked, but It’s Really Hard to Do

    By
    WAYNE RASH
    -
    January 5, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Biometric.security

      At the end of December 2018, security researchers in Leipzig, Germany, demonstrated at a security conference their method of hacking a biometric security system that depends on reading the pattern of blood vessels in the palm of the hand. This method of vein authentication involves reading the details of the veins just below the skin in a person’s hand and comparing that to an already recorded image of those veins.

      Vein authentication is considered secure because no two people have exactly the same pattern. The readers shine near-infrared light on a person’s palm, which reveals the vein structure to a special camera, which then takes a digital photograph of those veins. Such a means of identification is considered more secure than, say, fingerprints, because the subject doesn’t have to touch anything to have their veins read. Instead, they can simply hold them above the reader briefly while the scanning happens.

      Scanning of the palm for security reasons has been around for a while. I first tested such a system over a decade ago when the vein-scanning reader was embedded in the top of a mouse. It worked well, although the early software was sometimes confused when you didn’t hold your hand in just the right position.

      Biometric Readers Can Be Fooled

      Things have changed since then, and those scanners work a lot better now than before. But like any biometric reader, they can be fooled. In the case reported in Germany by the magazine Motherboard, the researchers took photos of their own hands with a readily available camera that had had the infrared filter removed. They then printed the image so it was the size of a normal hand on a sheet of paper, covered the printed image with wax and used that to simulate a hand. After some 2,500 attempts, it worked.

      While vein recognition is still fairly rare in the U.S., one form of it—finger vein recognition—is growing in Asia, where it’s used for a variety of purposes, including in ATMs. The concern about faking vein patterns has followed that development, with tests involving faking vein patterns. Possible prevention has been studied by Japan’s National Institute of Informatics, according to a report in The Asahi Shimbun. There, the institute has developed a shield to prevent the theft of vein patterns.

      So why am I suggesting that the ability to hack these readers isn’t a major concern? There are several reasons—the primary one being that it’s really hard to accomplish, requires a lot of time and would never go unnoticed. It also requires a subject willing to have his/her hands photographed hundreds of times, which is not the sort of thing that can happen surreptitiously.

      In addition, the means of fooling the vein-recognition system worked for only one type of technology. Other means of vein recognition depend on seeing the blood flow through that pattern of veins. Still others, including one recently patented by Apple, depend on a 3D image of the veins within a body structure, such as the face. Faking a 3D image while also demanding to see the movement of blood flowing within the veins is so far a method that hasn’t been hacked.

      Two-Factor Authentication Always Safer

      And of course, you should never depend on a single method of authentication, no matter how secure you think it might be. A biometric authentication method coupled with something else, such as a six-digit PIN, is dramatically more difficult to crack than cracking either on its own.

      Vein authentication is already joining the mainstream, and it’s about to get more popular. Fujitsu and Microsoft are working to bring PalmSecure to Windows 10 Hello as a way to eliminate passwords with Windows 10, which is part of a significant effort by Microsoft. This would work by plugging a reader into your computer’s USB port. Then you could be authenticated simply by holding your hand above the reader.

      As nice as this sounds, for good security you can’t just depend on one factor for authentication. The rule, which you’ve heard by now, is that you must use something you have and something you know. The something you have might include a fingerprint, a smart card or your vein pattern, but the something you know must also be there. Better security would include a password or PIN. Without both, you can’t be authenticated.

      You may have noticed by now that what we’re really talking about are forms of two-factor authentication. For most uses, this would be fine, but it’s not good enough for real security. For that, you must also protect the access method by having good physical security.

      Physical Security for Certain Use Cases Is Recommended

      For example, if you want to have secure access to something really important, such as your server room, then you’d want your vein reader supervised by a security guard as a way to prevent multiple tries with printed veins and wax hands. Such a security presence also helps protect against tailgating, and it helps protect against someone making multiple guesses on a PIN reader. That security guard can also control physical access to the reader by controlling when someone is able to use it, which will prevent someone taking out the guard first.

      Admittedly, some of these suggestions may sound like overkill, and perhaps for your organization it is. Only you can decide how much your data is worth, and only you can guess the damage if your security is compromised.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×