The basic assumption that everyone has a unique fingerprint is questionable. Nobody has yet proved that fingerprints are unique, and people from the same gene pool can share elements of the same pattern. Francis Galton, British anthropologist and a cousin of Charles Darwin, published a book on the forensic science of fingerprints and claimed that the chance of two people having the same prints was about one in 64 million. As it turns out, the statistical probability of fingerprints matching is overwhelmingly cumulative.
Researchers at the New York University Tandon School of Engineering and Michigan State University College of Engineering suggest that smartphones can be manipulated using fake fingerprints digitally composed of common features found in human prints. If you think that pressing a finger inside a banking app is going to keep your data secure, then you’re wrong.
The MasterPrints Bypass
In computer simulations, the researchers were able to develop a set of artificial “MasterPrints” culled from real fingerprint images. The experiments showed that synthetic partial prints have an even wider matching potential, making them even likelier to fool biometric security systems than real partial fingerprints. Using the artificial MasterPrints, the team reported successfully matching between 26 and 65 percent of users within five or fewer tries.
“As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features,” Ross said. “If resolution is not improved, the distinctiveness of a user’s fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this.”
The more partial fingerprints a phone stores for each user, the more vulnerable it is to remote hacks. The findings raise troubling questions about the effectiveness of fingerprint security on smartphones.
Fingerprint scanners on smartphones are so small that they read only partial fingerprints. When a user sets up fingerprint security on the phone, the system typically takes ten to fifteen images of a finger to make it easier to make a match. Many users record the thumbprint and the forefinger of each hand.
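The compounding effect described above, worked through as an added example that is not part of the original article or the researchers' code. It assumes every comparison between a presented print and a stored partial template is independent with the same false match rate; the function names and the 0.001 rate are constructed for illustration.

```python
import math

def system_false_match(fmr, templates, attempts):
    """P(at least one false match) across templates * attempts comparisons.

    Assumption: every comparison is independent with the same rate `fmr`.
    """
    comparisons = templates * attempts
    # 1 - (1 - fmr) ** comparisons, computed stably for small fmr
    return -math.expm1(comparisons * math.log1p(-fmr))

def required_fmr(target, templates, attempts):
    """Per-comparison rate the matcher needs so system risk stays <= target."""
    return -math.expm1(math.log1p(-target) / (templates * attempts))

def max_attempts(target, fmr, templates):
    """Largest attempt limit (lockout threshold) keeping risk <= target."""
    return math.floor(math.log1p(-target) / (templates * math.log1p(-fmr)))

if __name__ == "__main__":
    FMR = 0.001      # constructed per-comparison false match rate
    ATTEMPTS = 5     # "five or fewer tries" from the article
    # 1 template; 15 images of one finger; 15 images each of four fingers
    for templates in (1, 15, 60):
        p = system_false_match(FMR, templates, ATTEMPTS)
        need = required_fmr(0.001, templates, ATTEMPTS)
        print(f"{templates:>3} templates: P(false accept in {ATTEMPTS} tries) = {p:.4f}, "
              f"FMR needed for 0.1% system risk = {need:.2e}, "
              f"attempt limit for 1% risk = {max_attempts(0.01, FMR, templates)}")
```

A matcher that looks acceptable against a single template accumulates risk quickly once sixty partial templates are enrolled, which is why the attempt limit and the number of stored templates have to be set together.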
Using a synthetic fingerprint glove with a MasterPrint on each finger, you could easily get into 40 to 50 percent of devices within five or fewer tries, although the actual risk is difficult to quantify. What’s worrisome is that the barrier to attack is pretty low.
Perhaps a larger fingerprint sensor would help decrease the risk. Newer biometric security options, such as the iris scanner in Samsung’s new Galaxy S8, are hard to fool. Smartphone makers who use fingerprint security systems are studying anti-spoofing techniques to detect the presence of a real finger, such as checking for perspiration or examining patterns in deep layers of skin. A new fingerprint scanner from Qualcomm uses ultrasound.