[LINK] ArsTechnica: 'Crawl the Web with your fingers'

Roger Clarke Roger.Clarke at xamax.com.au
Wed Oct 11 09:09:17 AEST 2006

At 8:55 +1000 11/10/06, Pilcher, Fred wrote:
>Roger wrote:
>>  http://arstechnica.com/news.ars/post/20061009-7941.html
>>  Crawl the Web with your fingers
>>  10/9/2006 4:15:37 PM, by Nate Anderson
>Am I correct in recalling that a couple of years ago a Japanese 
>researcher managed to cook up some gunk in his kitchen (for less 
>than $10 IIRC) that managed to fool every fingerprint scanner that 
>was thrown at it? Have they improved since then?

That's correct, but it's not the vulnerability I'm on about.

The gummi attack requires access to either the thumb, or a 
good-enough image generated from the thumb.

There are other forms of attack that can be based simply on the 
'template' that's generated from the print.  And that means that the 
fraudster need never go anywhere near the individual, or even know 
much about them.

In this case (judging by the description on the company's site), the 
template is a list of the features of the thumbprint, and their 
locations.  (This is a conventional approach to extracting a template 
from thumb- and fingerprints).

It's been demonstrated that such templates can be easily used to 
perform masquerade, without access to the thumb or an image of it.

Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
