The security of biometric IDs such as biometric passports is a frequent topic of discussion, and we all know there are issues. But most of those issues are related to encryption, materials, and generally anything that requires a lot of technical knowledge.
Here is an example of how a fake biometric ID could be created with very little technical knowledge. To understand it, we need to discuss the 2 biometric elements within the ID:
1. Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. Facial recognition is used in a lot of systems, most frequently in organizations that require non-intrusive identification, like casinos and some border controls. So facial recognition systems are quite common and commercially available.
But facial recognition has an inherent weakness: it cannot be calibrated to 100% accuracy. This is simply because some features of your face can change on a daily basis: facial bloating, skin discoloration, acne, minor injuries. So the facial recognition system needs to be flexible, and most facial recognition systems are set up to match at around 70-80%.
2. Fingerprints
Fingerprints are also stored in the biometric ID, with most IDs storing only one or two fingerprints: the index finger of the right hand, or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled with very simple and available methods. One simply lifts the fingerprints and creates a copy using Photoshop, a laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.
So far, these two elements may be fooled, but how can we create a fake biometric ID with such information?
Technically, it is very difficult to modify a manufactured biometric ID into a fake one, which was the initial idea.
But what if you can alter the data that goes into the process of creating a new legal biometric ID? The process is quite simple:
- The seller of the fake ID must create it for a person who has similar facial features to him/her, so that the facial recognition software reaches the expected 70-80% similarity. To match a seller and a buyer with sufficient similarity, you can use a public web site http://celebrity.myheritage.com/FP/Company/try-face-recognition.php
- The seller will prepare fake fingerprint covers of the buyer and attach them to his/her fingers.
- The seller simply enters the appropriate authority and applies for the biometric ID. He/she gets photographed and the fingerprints get scanned on a scanner that is in front of a bulletproof glass (to isolate from the flu). These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice the fake fingerprint covers. Oh, and the application software rarely compares the previous fingerprints with the currently scanned ones.
- If all goes well, the seller will receive an original ID which contains the seller's face as well as his/her personal information, but the fingerprints are of another person - the buyer. The buyer can now take that ID and actually pass most control checks.
- For all legal purposes such an ID is very much a fake, and there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his/her fingerprints?
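The gap noted in the application step, that the software rarely compares the previous fingerprints with the currently scanned ones, is the check that would stop issuance at renewal. A sketch of that comparison follows, added here as an example and not taken from any real issuing system: the minutiae format, `match_score`, `check_renewal`, the 0.6 threshold and all sample templates are constructed assumptions.

```python
import math

# Toy minutiae template: list of (x, y, angle_degrees). Real systems use
# standardized templates and a vendor matcher; this scorer is a stand-in.
def match_score(a, b, dist_tol=8.0, angle_tol=15.0):
    """Fraction of minutiae in the larger template that pair one-to-one."""
    used, paired = set(), 0
    for (x1, y1, t1) in a:
        for j, (x2, y2, t2) in enumerate(b):
            dtheta = abs((t1 - t2 + 180) % 360 - 180)  # wrap-around angle difference
            close = math.hypot(x1 - x2, y1 - y2) <= dist_tol
            if j not in used and close and dtheta <= angle_tol:
                used.add(j)
                paired += 1
                break
    return paired / max(len(a), len(b), 1)

def check_renewal(prior, captured, threshold=0.6):
    """Compare each captured finger with the applicant's template on file.

    prior / captured: dict of finger name -> template.
    Returns dict of finger name -> verdict string.
    """
    verdicts = {}
    for finger, template in captured.items():
        if finger not in prior:
            verdicts[finger] = "no_prior_record"   # nothing to compare; needs supervised capture
        elif match_score(prior[finger], template) >= threshold:
            verdicts[finger] = "consistent"
        else:
            verdicts[finger] = "mismatch_hold"     # stop issuance, send to manual review
    return verdicts

# Constructed sample data (not real biometric templates).
ON_FILE = {"right_index": [(10, 12, 30), (40, 44, 95), (70, 20, 180),
                           (25, 80, 270), (60, 65, 10)]}
SAME_PERSON = {"right_index": [(12, 11, 34), (41, 47, 90), (68, 22, 175),
                               (27, 78, 265), (90, 90, 45)]}
OTHER_PERSON = {"right_index": [(5, 50, 120), (33, 15, 200), (75, 75, 60),
                                (50, 30, 300), (15, 90, 350)],
                "left_index": [(20, 20, 0), (50, 50, 90)]}

if __name__ == "__main__":
    print(check_renewal(ON_FILE, SAME_PERSON))
    print(check_renewal(ON_FILE, OTHER_PERSON))
```

The check only helps when a prior template exists; a first-time applicant yields `no_prior_record`, which is where attended capture matters most.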
What's your opinion? Can this method actually work?