24C3 howto: fake fingerprints...

while looking at the hack list of the currently ongoing 24C3 conference, i found this howto detailing the procedure to create fake fingerprints. all you need are:

  • glass with fingerprint of the person you want to impersonate
  • screw-top of a bottle (like the one from a coke bottle)
  • super-glue
  • wood glue (PVA)
  • skin friendly glue (theatrical glue)
  • digital camera
  • PC
  • laser printer
  • foil

the process itself is rather easy, and together with German TV station WDR they demonstrated that you can use that method to fool the fingerprint recognition system used by the European supermarket chain EDEKA…

EDEKA seemed unfazed:

Edeka Südwest told us in writing, in reply to our request, that it sees "no need to act". The existing security precautions are, "as our experience has shown, completely sufficient".1

…and they went on to state that the system they used was being used by the US government and other governments worldwide.

wow. good security relies either on something only i know, or something only i have, or something only i am. the emphasis is on only. your fingerprints? they are all over the place…and that place…and that place over there as well, yep.

the scary thing is, fingerprints are being used (as secondary biometrics) for the new biometric EU passports!

  1. translated from the German original