Here’s how easily hackers can copy your fingerprints

June 9, 2017 | by Kari Paul of MarketWatch

Biometrics can be less safe than you might think

In a few short minutes last week, using a standard printer and materials easily purchased online, security experts from tech developer Synaptics successfully replicated my fingerprint onto a piece of paper that could unlock my iPhone’s biometric sensor.

The hack could be pulled off by anyone with a “first year university student level of programming,” according to Synaptics spokesman Godfrey Cheng, highlighting a major potential flaw in biometric authentication, part of the new security solution that could someday replace passwords. This is because often the sensors on devices that unlock using fingerprints are not encrypted. Without this protection, hackers could steal copies of a user’s fingerprint from a device, clone it, and gain access to all of the files, emails, and data on the device — and anything else their fingerprint is used to open.

“As fingerprint usage goes up, so does the risk of exposure to hacking and the need for end-to-end encryption of fingerprint sensors,” Cheng said.

Hackers cost the American economy as much as $600 billion annually and the number of identity fraud victims rose 18% in 2015 to 15.4 million U.S. consumers. The vast majority of these incidents were related to credit-card fraud, which reached a new peak in 2015 after fraudulent online purchases increased by 15%.

Biometrics are meant to be a more reliable solution to security issues like these, but hackers have shown they also come with significant risks. A number of security experts have replicated fingerprints from imprints on glue, a gummy bear, or even using a high-resolution photo. These replicated fingerprints could be used to access devices locked with biometrics.

However, most of these kinds of hacks require the cooperation of the victim: the average person would decline to hold their fingerprint on a piece of glue or a gummy bear until it could be cloned. But while there are no proven examples of someone stealing a fingerprint in real life (that is to say, outside of very controlled demonstrations by these security experts), it reveals a potential weak point.

“The fingerprint is a really good technology and it works for many use cases,” said Eyal Goldwerger, the chief executive officer of BioCatch, a Tel Aviv-based company that specializes in behavioral biometric technology. “The one thing to realize about things like fingerprints is that you cannot reset it — you cannot replace your finger.”

Experts suggest a combination of traditional biometrics like a fingerprint or face scan with other biometrics offered by BioCatch, such as monitoring how quickly someone types or how they scroll to continuously verify their identity.

But additional security also comes with challenges. Jason Chaikin of Vkansee, a Beijing-based cybersecurity company that also develops fingerprint sensors, said the more common problem is user frustration with the “false reject rate” — or getting locked out of their own device.

“It’s very hard to effectively steal a fingerprint from a mobile device and there is no guarantee of success, even with the best equipment and years of experience, because its only one of many layers to protect our privacy,” he said.

Synaptics says fingerprints are easily stolen from a number of devices, but with built-in encryption these problems can largely be avoided. It has developed encryption of fingerprint sensor technology and is already shipping devices equipped with it. Synaptics isn’t the only company offering encryption for these measures: Apple also encrypts its fingerprint data. Consumers can research a device before purchasing it to make sure its fingerprint sensors are encrypted end-to end. Although such a hack has yet to be recorded, Goldwerger said all devices are at risk until they are fully encrypted.

“Fraud is driven by market forces just like everything in the capital market,” he said. “If information can be stolen, it will be stolen. Protection by encryption is a really good thing and solves many of the issues with fingerprints,” he said.