Q

Hacking smart cards and biometric security systems

In this Ask the Expert Q&A, our identity and access management guru explains how biometrics and smart cards can be fooled.

How can biometrics be fooled? What are the threats/attacks/limitations of other technologies (e.g. smart cards, databases) that are used with biometrics?

Biometrics can be fooled just like any other access management system: by being spoofed. A fingerprint can be duplicated using gelatin molds and then pressed against the scanner of a fingerprint reader, granting entry to a malicious user. Voice recognition systems have been defeated with voice recordings and face recognition systems bypassed with photographs of the legitimate user.

A particularly nasty way of getting past a fingerprint scanner would be to chop off the finger of somebody whose fingerprint is registered with the system. Gruesome, yes, but it has happened. Less brutal, but equally effective, would be to force the legitimate user at gunpoint to put their finger on the reader and then just pass them when the door opens, or the system activates. Either way, like stealing a good key, the intruder is taking advantage of the legitimate user's "credential," in this case their fingerprint, to gain access.

These sound like far-fetched scenarios and may seem harder crimes to commit than the standard hacker trick of dropping a Trojan on the desktop and stealing a user ID and password, but they can and do happen.

The other way to fool biometrics is by replaying their digital data. All biometric data -- whether photos of faces from face recognition systems, fingerprints from scanners or voice recordings -- is converted, at some point, into a digital format that can be stored on a computer system, a database or a portable storage device. When the user needs to log in again by showing their face, rubbing their fingerprint or speaking into a microphone, this information is converted into a digital format that can be compared with their digitized biometric data already stored in the system.

These scenarios are definitely more far-fetched than the borrowed fingerprint, gelatin or otherwise, but are things to consider when deploying biometric systems. Just as the system itself needs safeguarding, the data stores or databases holding digitized biometric information also need protection from malicious intruders.

Other technologies used with biometrics, such as smart cards, have other vulnerabilities that need to be considered. Smart cards look like, and are the size of, a credit card, but, unlike credit cards, carry an embedded microchip holding any number of pieces of data: customer information, medical records or financial information, and even sums of money. The card is either swiped through a device that reads it or is inserted into a reader. The user may then be required to enter a PIN number to get access to the system. However, these tiny microchips can only receive so much protection in something as small as a credit card. They are also sensitive to light and can be easily scraped or damaged. Researchers have found ways to steal the data on the microchip by tampering with the cards using light from camera flashbulbs and signals from radio devices.

In short, despite the vulnerabilities, combining these systems -- biometrics and smart cards -- protects systems through a multi-layered approach.

More on this topic

 

This was first published in September 2005

Dig deeper on Biometric Technology

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close