Watch Out, Your Fingerprint Can Be Spoofed, Too

February 26, 2016 | Archibald Preuschat from The Wall Street Journal

BARCELONA – People trust their fingers when using smartphones – for typing, sure, but also to unlock phones protected by fingerprint-recognition security measures. Some online banking transactions and mobile payments these days also rely on fingerprint recognition.

Is that all as safe as it sounds?

Turns out a fingerprint can be “spoofed,” just like a password. Jason Chaikin, president of New York City-based Vkansee, which develops fingerprint-based security systems, says he can hack the fingerprint sensor of an iPhone in 10 minutes.

At his booth at the Mobile World Congress here, he showed Digits how. The good news: It still takes a bit of work, as well as cooperation from the victim.

This reporter pressed his finger into a wad of dental mold for five minutes. After the mold set, Mr. Chaikin pushed a bit of Play-Doh into the mold, creating an impression of the fingerprint. Then he pressed the Play-Doh onto the fingerprint sensor of the iPhone. It didn’t work on the first try, but after a few more attempts, bingo, he was in.

Other experts say hacking can be even easier—and done without the (unlikely) cooperation of the phone owner. A fingerprint can simply be lifted—a la Sherlock Holmes—off anything from a wine glass to the phone screen itself.

Research by Kai Cao and Anil K. Jain of the department of computer science and engineering at Michigan State University found it was relatively simple to take a photo of someone’s fingerprint, print it out using special ink and then unlock phones using the printout. They said they hacked a Samsung Galaxy S6 and a Huawei Honor 7 phone that way.

“This is obviously very dangerous, potentially, for the user,” said Bo Pi, chief technology officer at Goodix Technology Inc., another technology-security company.

A U.K.-based spokesperson for Apple Inc. declined to comment specifically about the hack, but referred to the company’s white paper on security, which says its fingerprint security “creates a mathematical representation of your fingerprint to provide an accurate match and a very high level of security.” Both Samsung Electronics Co. and Huawei Technologies Co. declined to make a representative available to discuss the fingerprint sensor security.

So, what’s the fix? Goodix has developed ways to integrate extra layers of security into today’s standard fingerprint security system. Those include a sensor that can measure blood flow, which can confirm a finger is a real one.

Vkansee has also added a camera to its latest fingerprint sensor. Mr. Chaikin says it can differentiate between a human finger and a spoof print.

Sam Shrauger, senior vice president, digital solutions, at Visa Inc., says fingerprint technology can be a trade-off between convenience and security. Visa is working on new ways to approve mobile payments using biometrics. The credit card company, for instance, is showcasing an iris scan here. Facial recognition for payment approval is also possible. That’s already being used at some national borders, and in airports.

Mr. Shrauger advises combining biometric authentication, such as fingerprint recognition, with a strong password.

Fingerprints have another drawback. You only have ten of them.

“One of the major pros of a password is how easy it is to reset,” says James Lyne, global head of security research at consultancy Sophos. If fingerprint spoofing ever becomes more sophisticated and widespread, that could be a problem. “Once you’ve lost a fingerprint, changing these can be extremely difficult,” Mr. Lyne says, wiggling his own fingers in the air.

George Downs contributed to this item.