Ask the Expert

Hacking smart cards and biometric security systems

How can biometrics be fooled? What are the threats/attacks/limitations of other technologies (e.g. smart cards, databases) that are used with biometrics?

    Requires Free Membership to View

Biometrics can be fooled just like any other access management system: by being spoofed. A fingerprint can be duplicated using gelatin molds and then pressed against the scanner of a fingerprint reader, granting entry to a malicious user. Voice recognition systems have been defeated with voice recordings and face recognition systems bypassed with photographs of the legitimate user.

A particularly nasty way of getting past a fingerprint scanner would be to chop off the finger of somebody whose fingerprint is registered with the system. Gruesome, yes, but it has happened. Less brutal, but equally effective, would be to force the legitimate user at gunpoint to put their finger on the reader and then just pass them when the door opens, or the system activates. Either way, like stealing a good key, the intruder is taking advantage of the legitimate user's "credential," in this case their fingerprint, to gain access.

These sound like far-fetched scenarios and may seem harder crimes to commit than the standard hacker trick of dropping a Trojan on the desktop and stealing a user ID and password, but they can and do happen.

The other way to fool biometrics is by replaying their digital data. All biometric data -- whether photos of faces from face recognition systems, fingerprints from scanners or voice recordings -- is converted, at some point, into a digital format that can be stored on a computer system, a database or a portable storage device. When the user needs to log in again by showing their face, rubbing their fingerprint or speaking into a microphone, this information is converted into a digital format that can be compared with their digitized biometric data already stored in the system.

These scenarios are definitely more far-fetched than the borrowed fingerprint, gelatin or otherwise, but are things to consider when deploying biometric systems. Just as the system itself needs safeguarding, the data stores or databases holding digitized biometric information also need protection from malicious intruders.

Other technologies used with biometrics, such as smart cards, have other vulnerabilities that need to be considered. Smart cards look like, and are the size of, a credit card, but, unlike credit cards, carry an embedded microchip holding any number of pieces of data: customer information, medical records or financial information, and even sums of money. The card is either swiped through a device that reads it or is inserted into a reader. The user may then be required to enter a PIN number to get access to the system. However, these tiny microchips can only receive so much protection in something as small as a credit card. They are also sensitive to light and can be easily scraped or damaged. Researchers have found ways to steal the data on the microchip by tampering with the cards using light from camera flashbulbs and signals from radio devices.

In short, despite the vulnerabilities, combining these systems -- biometrics and smart cards -- protects systems through a multi-layered approach.

More Information

  • Visit our biometrics resource center for news, tips and expert advice.
  • Learn how to avoid authentication bypass attacks.
  • Learn how to create an (almost) invulnerable computing environment.

  • This was first published in September 2005

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: