Peace, man – and then you’re pwned

A security researcher is warning that fingerprints can be derived from high-resolution pictures of fingers, creating a potential security nightmare for those who just want to promote peace online.

However, this is not the first time this has been done and it appears the researcher has a product to promote.

Isao Echizen, a professor in the digital content and media sciences research division at the National Institute of Informatics in Japan, has demonstrated the technique. A photo of the pads of someone's fingers, taken in strong light with a high-resolution camera from up to three metres away, provided enough information to recreate the fingerprints.

Making a peace sign at the camera would provide an attacker with a wealth of information: two fingerprints and an associated face.

This is not the first time that a security researcher has done this: a hacker known as Starbug – real name Jan Krissler – demonstrated this at the Chaos Communication Congress in 2014. He used VeriFinger software and several close-up photos of Germany's defence minister to recreate her fingerprints.

Digital fingerprints can be recreated using a range of techniques, variously involving latex, inkjet printing, 3D printing and even wood glue.

The Japanese researchers are developing a transparent film containing titanium oxide that can be attached to the fingertips to hide them from photos, but it's not clear how many people are going to go to the trouble of doing that.

Robert Capps, VP of business development at NuData Security, said, “Consumers bear additional risk in using physical biometrics online, as they become static identifiers that can never be changed, and in their digital form, can be stolen, traded, and potentially reused to impersonate the legitimate user. Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user's accounts and identity will persist for that person's lifetime. As the most stringent of authentication verifications deploy physical biometrics, such as immigration and banking, physical biometric data will become very desirable to hackers.  We can expect more creative attempts by hackers to capture this information. The benefit of passive behavioural biometrics is that the information used to uniquely identify a user is passively collected and dynamically analysed, and has an extremely limited shelf life of usefulness - making theft and successful reuse of raw behavioural signals nearly impossible.”