Fake Fingerprint Stickers for Gloves

There's a Kickstarter for a sticker that you can stick on a glove and then register with a biometric access system like an iPhone. It's an interesting security trade-off: swapping something you are (the biometric) with something you have (the glove).

Gizmodo story.

Posted on November 14, 2016 at 9:26 AM • 20 Comments

Comments

Carl 'SAI' Mitchell • November 14, 2016 10:50 AM

It's swapping something you have (your finger, more specifically the copyable pattern of ridges on the finger) for something you have (the sticker/glove).

Gordon Dove • November 14, 2016 11:17 AM

"Swapping something you are for something you have"...

My first thoughts were that this would allow phone owners to give muggers the gloves to save their fingers :o

Actually, no, the use case they're pushing is to allow you to unlock the phone with either your fingers or the gloves, for winter use, so it is just the usual security/convenience trade off.

Mark • November 14, 2016 12:20 PM

So if I can unlock an iPhone with this little plastic sticker on a glove, law enforcement can just grab your prints (in a variety of ways) and make a copy of your print to unlock your iPhone.

Roger BW • November 14, 2016 12:22 PM

First thought: oh, are people going to send images of their own fingerprints?

Second thought: how well are these guys going to look after all those fingerprint copies?

A biometric access system means a password you can't ever change.

Speed • November 14, 2016 12:43 PM

Bruce Schneier asked many years ago, "What will you do when somebody steals your fingerprints?" I guess we'll soon find out.

Clive Robinson • November 14, 2016 12:59 PM

As I've mentioned before on this blog over the years, I was making "fake fingerprints" using the red wax around Edam cheese to make a mould, penetrating oil (WD40) as a release and rubber solution glue to make the "skin" with the fake finger print on it which could be easily attached to surgical style rubber gloves.

This was a very long time ago when I was a pre teen (and I'm older than Bruce). It used to amuse some of the kids I interacted with, which was all well and good but... As I also mentioned that when doing design work for a company that started working on fingerprint scanners, various "seniors" were not amused when I demonstrated it. Thus had to find new employment shortly thereafter. People just do not like you showing their goose is not just not laying golden eggs but cooked to...

Peter S. Shenkin • November 14, 2016 4:56 PM

It's more likely to be "Swapping something that somebody else is for something you have."

WaitAMicrosecnond here • November 14, 2016 5:49 PM

@Clive Robinson
The finger print may not be indefinitely secure. You have shown that it is easy to copy.

But I must say, there are people in society (not you or me), who don't choose a password on iPhones. It is better to have a tiny pinch of protection with fingerprints, than no protection at all. I am pretty sure your company is not Apple.

Security is based on the cost and what is being defended. The gold is better defended than the firewood analogy. Maybe the odds of a customer giving the pass code on the internet, or to a friend, are greater than the odds of someone stealing the finger print. Maybe someone could easily record a video of the password typed, instead of stealing the finger print.

Maybe the company has a business model that prioritizes speed over security. This idea is generally not good, but maybe the firewood shop in Idaho needs convenience over security, but enough security to stop the average drunk thief.

Of course, maybe this company is selling finger print locks to high threat locations, which is bad. Different circumstances = different plans

Wael • November 14, 2016 6:29 PM

    swapping something you are (the biometric) with something you have (the glove).

Actually it's swapping "something you are" with "something you are not"! It uses "something you have" to masquerade as "something you are". May enable some use cases. I wonder what legal issues this will bring up.

Matthew • November 14, 2016 8:53 PM

I think fingerprints are a good replacement for ID passcards which you have to tap on the lock sensor to enter a room.

These passcards are used to identify you as an authorised person before allowing access. The cards can be lost, left at home, damaged (flexed too much or left inside pocket of pants in the washing machine). They also can be stolen or copied* to gain access to a secure room.

So instead of the hassle of card replacement as well as making a police report (a requirement by some companies), using "something you are" for identification may be better as it is always with you, harder to lose or damage (by body injury). Combined with a passcode "something you know" and a surveillance camera, you have reasonable security against the common criminal.

* I am not sure how secure these passcards are against duplication by hackers.

Clive Robinson • November 14, 2016 11:41 PM

@ Matthew,

    I am not sure how secure these passcards are against duplication by hackers.

The short overly simple answer is,

    What man can make, man can duplicate.

The longer answer is based on the observation that,

    In general human terms only three numbers make any sense "zero, one and infinity".

That is something does not exist, something can be unique and there can be an unknown number of things.

Where something rests on that line between zero and infinity mainly depends on how you measure and record it. The more intently you measure something the more unique it becomes. This is because of the amount and quality of information that becomes available to record. Thus your ability to copy a tangible physical object goes down with the increase in intangible information on it you can measure and record, thus compare at a later date.

There is obviously a significant trade off in the resources required to measure an object, record those details and later check them. That is your ability to identify something uniquely is based on what resources are put into measuring and recording it initially and subsequently measuring it again and checking the new measurements against the old. The less resources used the easier it is going to be for a person to make a second object that matches the measurements of the first object and thus falsely pass a verification test.

passionate reader • November 15, 2016 1:22 AM

@ismar duderija
:You should be thinking of writing a book

we all (readers) know this, it's the reason we read with BIG passion all the stories/knowledge/thoughts/reviews etc here
I (personally) doubt Clive will do [although I would vote for, by all 19 remaining fingers of mine:)], it requires a LOT of time, would take too much time better spent focusing on something more interesting than just writing/remembering

Maybe some editor would be able to 'pre-process' what was already written here, saving his time - but that should be done with sense & sensibility [and of course with his consent/post edit]

:You should be thinking of writing a book
In fact he is writing it - but in the form of blog, so you (almost) never finish reading it...

Agammamon • November 15, 2016 5:04 AM

This could have some interesting legal complications - after all, the sticker doesn't have to be *your* fingerprint.

Garth • November 15, 2016 10:55 PM

This reminds me of a Get Smart episode where Maxwell Smart wore gloves with someone else's fingerprints to crack a safe. He also had their ear prints.

Life imitating art?

niko • November 15, 2016 11:45 PM

Please leave phone and glove on table when you use bathroom. I will install camera trojan and watch you sleep. just jk.

x • November 17, 2016 10:43 AM

I see more than one problem with the approach.
First of all: you trade one thing you are with one thing you own.
Second: you do not own it alone. The maker of the gloves now owns a copy.
Third: in case of the maker going titsup, whoever sells off the assets has a copy of it, too. maybe they even are sold off to people operating fingerprint databases.
Fourth: if their servers are not secure enough at any time (remember: break-ins _will_ happen. only a matter of time. especially if you have correlations of e.g. fingerprints to credit cards/names) - who else gets the data ? pastebin ?

we should go to finger artery printing + heartbeats, they also have the kink of requiring an alive subject.


if you trade security for convenience, someone is going to fuck with both of it.
