From: Tyler Durden <camera_lumina@hotmail.com> Sent: Oct 12, 2004 1:43 PM To: franks@mcs.anl.gov Cc: cypherpunks@al-qaeda.net Subject: Re: Cash, Credit -- or Prints?
...
Very interesting question. I'd bet almost any amount of money that it's fairly trivial to simply alligator-clip-out the fingerprint's file from almost any of the cheaper devices. Hell, I'd bet that's true even of more expensive "secure" devices as well.
I don't think the readers store an image of the fingerprint, just some information to make it easy to verify a match. I don't think you could reconstruct a fingerprint from that information, though you could presumably reconstruct a fingerprint image that would fool the detector.
From what I've seen, the whole field of biometrics needs a lot of work on characterizing the attacks and defenses against them, and coming up with reasonable ways to verify that a reader resists some attack. I think individual vendors often have some ideas about this (though I gather their defenses are often disabled to keep the false reject rate acceptably low), but there doesn't seem to be a clean process for determining how skilled an attacker needs to be to, say, scan my finger once, and produce either a fake finger or a machine for projecting a fake fingerprint into the reader. Anyone know whether some kind of standard for this exists?
-TD
--John