We’re bored by voice identification, fatigued by Face ID, and totally over fingerprint-reading technology. Here in the closing days of 2018, it’s all about unusual new biometric technologies like “vein authentication.” As its name suggests, this technology involves reading the unique pattern of veins on a person’s palm to confirm that they are who they say they are. Such technology is reportedly being increasingly used in high-security facilities around the world.
Only it might not turn out to be quite as secure as people think — at least if a recent demonstration at the hacker-centric Chaos Communication Congress is to be believed.
This week, a small team of security researchers showcased how the latest vein-reading security systems are no match for something as basic as a fake wax hand containing printed vein details.
“We showed how to use a modified DLSR [camera] to capture hand vein patterns from a distance of around 5 meters,” security researcher Jan Krissler, aka Starbug, told Digital Trends. “After adjusting the contrast, we then printed the vein patterns with a standard laser printer and covered the print with a layer of bee wax to simulate human tissue. With those dummies, we were able to fool the latest systems of both major vendors of vein recognition systems, Fujitsu and Hitachi.”
As exploits go, it’s pretty ingenious — but also alarmingly straightforward. It’s not quite as easy as fooling a facial-recognition system by holding up a photograph of the person, but it’s not too far off. (Although actually getting a good photo of someone’s hand with their veins visible might be a little tough.) According to Krissler, until now the accepted wisdom was that veins are buried inside the body and were thought to be difficult to capture. Just as facial recognition has had to improve, however, it seems that vein authentication must also ramp up its efforts.
“There are ways to measure blood flow that would detect our dummy,” Krissler continued. Even then he thinks that there would be ways to fool the technology, though. It appears that there is more that needs to be done before we can rely on reading veins as a foolproof security system.
Hey, maybe one of these other oddball biometric technologies will have better luck.