David Papp Blog

Fingerprint theft: Should we be concerned?

Before touch identification-based security was introduced, most of our smartphones required only a passcode or a pattern to unlock. Now, after Apple introduced its Touch ID system, it seems more and more smartphone companies are integrating fingerprint-scanning technology into their models.

Fingerprints vary from person to person and do not change over time. On paper, they seem like the perfect verification tools, far more secure than any passcode could ever be… or are they?

A group of German hackers seems to think otherwise. They have demonstrated a process in which they lift prints from a surface and recreate them on a flexible material, which they can then use to break into a phone or any fingerprint-scanning device.

Much more alarming, however, is a new method of stealing fingerprints discovered by a certain hacker who calls himself “Starbug”. Without needing to lift any fingerprints from surfaces, Starbug made use of a high-resolution image of the German Minister of Defense and successfully created a working thumbprint. Starbug then used tracing paper to copy the print from the image, transferred it onto a plastic board, covered it with graphite, and used wood glue to produce the print. The materials he used cost him around $200. Check out the video of how it is done.

The very fact that Starbug was able to duplicate a fingerprint without any form of direct contact is a scary thought, but should that spell the end for fingerprint scanning-based security?

If anything, the hack just proves that we can’t treat fingerprints as replacements for passwords. Instead, makers of biometric systems should treat fingerprint scanning as an “extra layer” of security, one that is used in combination with a passcode. We call this two-factor authentication. The two barriers then work together, making the system much more secure.

30 thoughts on “Fingerprint theft: Should we be concerned?”

  1. You certainly can’t rely on fingerprints alone to keep things secure – they are easily obtained and replication seems fairly simple too. I agree that they should form part of a multi-layer security system, or two-factor authentication. Whilst we shouldn’t rely on them alone to stay safe, they make an excellent additional measure.

  2. Using a fingerprint identification scan as part of the security on my laptop, I am moderately concerned. The feature of fingerprint scanning has been around since even before Apple popularized it. I kind of wish they hadn’t, to be honest. Anyway, as long as the surface is for finger swiping and not for finger scanning, you’re immune.

  3. I had not even considered that it would be possible to use fingerprint scans to hack into my electronics. I always thought of that as a pretty fool-proof way to protect my things. I know that most people aren’t going to be dishonest in this situation but it sounds so easy, and it really only takes one person to produce a pretty terrible situation. I hope this technology gets improved soon.

    • Fingerprint scanning is a good additional measure, yet it’s not so advanced yet that we can trust it alone. Good old passwords and two-step authentication are still a better way to make sure that data is secure. It’ll definitely improve in the future, don’t worry. But right now, like with any new system, there are always going to be loopholes and insecurities.

    • Fingerprint technology is flawed and there’s no way around it. Retinal scans or something like that would be less flawed. Fingerprints are kinda easy to replicate after all. There are other biometric ways of authentication too, but I haven’t gotten too into those.

      • I agree, but I guess it’s a bit of a failure and they could get rid of it, perhaps in the next coming brands and versions. I would hope they do that because it’s going to cause a lot of problems, as I’m already hearing of it causing problems for people accessing their phones due to the system detecting it in a faulty way, I’m just not sure!

  4. I totally agree that two-factor authentication is the way to go these days. Hackers are just going to get more proficient and smarter with stealing your info online, so it never hurts to be too careful.

  5. One has to assume that if you have the phone of someone, then that phone is going to be covered in that person’s fingerprints. OK, a large number are going to be smudged and even more will be for the wrong finger, but there is a good chance (if you were serious enough to really want to obtain it) that there is at least one good print that you could use. So what you have is effectively a password book alongside your laptop or the biometric equivalent at the very minimum. Now magnify this to something like a laptop or a desktop with a swipe screen… more viable fingerprints become a much bigger possibility.

    Fingerprints can only sensibly be used with other security – ideally something that is not written down alongside the equipment in question.

  6. Everything has an exploit, and this just proves that fingerprints are not “hack-proof”. This is the reason why 2-step authentication is so important. People may not want to sacrifice accessibility for security, but it is something that we all must succumb to in these days of increased breaches of security by various entities.

  7. Wow, I don’t know if I’m just not creative enough or what, but it would never occur to me to simply take a photo of someone and hone in on their thumb enough to manage to get a thumbprint. The other method where someone simply lifted someone’s fingerprint from an object should have been fairly obvious to manufacturers who thought a fingerprint would be a good way to identify someone. We know fingerprints can be lifted quite easily.

    It was a good article. It helps a person understand that no matter how a company may hype about their security features, there is probably always going to be someone out in the world doing a pretty good job at breaking those features.

  8. The idea and the technology are there, but we need to improve it a lot so that it becomes more secure.
    The latest Galaxy S6 with the improved fingerprint scanner is a step ahead in this niche idea, so there is potential for improvement.

  9. Fingerprint sensors are starting to be implemented in lots of new technology. I work in retail and I am quite amazed at how most of the current mobile devices have fingerprint sensitivity functions. It would be extremely dangerous if a biometric aspect is used as a password. Your post mentions that these fingerprint sensors should be an “‘extra layer’ of security” and I totally agree on that. I believe it would create a secure environment with this two-step verification method.

    • I agree as well!!!! It should be used as part of a two-step verification method, and not as the only verification method available. I think using a password as the first step would be great, then as a second layer of security the fingerprint verification should be used 🙂 Just to make sure all is in order.

  10. A very interesting article! I honestly thought that the fingerprint technology was very safe, but after reading this I’m not very sure anymore. I guess we do need to be careful with our fingerprints as well? It’s good to be completely aware that people can actually steal our fingerprints as well, that way we won’t make the huge mistake of thinking this new method is 100% safe. I guess nothing is.

    • I agree with you, practically nothing is safe now! I think that, as another user mentioned, the next step would be retinal scans, I’m not sure if that’s 100% safe, and it actually seems like an extreme security measure, but sadly, that would be the only option to be completely safe since fingerprints are not anymore.

  11. Imagine in the future where “two factor” authentication is a combination of retinal scans and fingerprint scans. I’m sure they already have this in top secret facilities the world over, but I bet Apple will be the company to bring it to the general public. That’s a scary thought.

    • It is a scary thought indeed. Imagine identity thieves getting the most out of this fingerprint charade, getting your money out of the safe without you being there. Seems like a futuristic idea, it may be beneficial to all of us, but God help me if the bad guys find the flaw in the system.

  12. The fact remains: any type of security that can potentially be duplicated, or is not stored in the mind, is insecure. It’s true that fingerprints are unique to each person, but because fingerprints are constantly being left behind and are easily accessible, it’s almost too simple for hackers or criminals to attempt to reproduce them. Fingerprint scanning may be a deterrent for amateur hackers, but is a piece of cake to crack for more experienced ones. And how about an eye scanner? Most of us would probably claim that this is even more secure than a fingerprint scanner, but anything that we expose to the outside world is vulnerable to be reproduced and attacked. I’m pretty sure that the most secure form of security remains the old-fashioned typed-in password. You can make it as long and as complex as you want, and if it’s sufficiently long enough, no amount of hacking will ever be able to crack it. I agree with most people here, in that fingerprint scanners may not become obsolete if they are used in a two-factor authentication. After all, most secure government agencies probably use a multi-factor authentication to protect their information, and if we’re truly worried about protecting our accounts, that’s what we should endeavor to implement.

  13. I’d never use fingerprint detection for anything important. In fact, I only used it in the past to log into my family laptop, and I stopped using it because of how unreliable it was. The detector fails if your fingers aren’t completely clean.

    The fact that fingerprint theft is on the rise just further shows that we should stop bothering with such technology; it is impractical and obsolete.

    • Great point, there has to be something more secure out there. Do you think that retinal scanning would prove to be a good alternative?

  14. This is interesting. While technology does present avenues to make everyone secure, it does a volte-face and provides ways to bypass the security.

    While copying fingerprints will not raise alarms at all levels, it does scare me a bit. I use fingerprint authentication for a few devices including my laptop, and the security aspects of the hack do introduce a couple of doubts about its effectiveness.

  15. This was certainly an eye-opening article for me and I’m sure quite a few articles. I was always under the assumption that fingerprint locks were more secure, I mean a lot of high security places use fingerprint locks for security. I suppose that if someone steals your phone, your fingerprints are all over it. The method of taking a fingerprint from a photo though is really quite impressive and scary. It’s definitely something to think about.

    • Gosh yes, that really is food for thought. Your prints will be all over the very device you are trying to protect so it seems quite counter-productive really.

  16. Looks like it’s not easy, but it’s possible. Who knows, maybe eye-scanning is next, they already have a sensor, so I don’t think it would be that hard to develop. Although, even eye-scanning is hackable, but that sure takes a lot of time and effort, which I think no one would even bother to go through, unless it’s the president’s phone lol

  17. Just a fingerprint has never been enough for identification and is not a replacement for passwords. They need to be used in conjunction. I do like the TouchID on my iPad, but that’s just because it’s cool to use. I rarely have anything that shouldn’t be seen on my devices. The TouchID is great for phones though, since most people just use it to get past the lock screen quickly and don’t have much to hide, just some messages and stuff that wouldn’t do too much if they got seen.

  18. I think it is a concern and you really can’t rely on it because it can be a bit faulty and it can be cracked somehow. It also has the ability to go completely wrong, not as planned.

  19. Both fingerprint identification and passcode authentication have their cons, so I agree with many before me, two-factor authentication is essential. Sure, the average person would probably never consider stealing fingerprints, but there are those out there to whom $200 is a drop in the bucket to be able to steal someone’s identity. Even a two-factor authentication probably isn’t foolproof, but at least in conjunction it’s a stronger security method.

  20. Wow, it seems that fingerprint scanning security still has a far way to go, but the idea is solid overall if developers can just ensure that third-party prints are rendered invalid. They will probably have to invent a mechanism that tests for exact matching skin cells, temperature and surface of a finger and its print. For now though, maybe it is best advised to continue using pin and pattern codes.

  21. We see people breaking into places with fingerprint scanners in all of the movies so I knew that they would not be secure. I personally just do not keep anything that I might want private on my phone. If I have to use my phone for something where I have to input something sensitive I delete it and I do not save passwords or any of my card information. I think if you really want to be secure change your password every so often. My sister has the fingerprint thing on her phone and it does help but it is not always helpful.

  22. I had no idea that this was even possible, it’s actually kind of scary because I think that the majority of us thought that fingerprints were actually a safer plan than passwords but as almost everything nowadays, that can be hacked too.
    I wonder what would be the next step when it comes to cell phone security, I’m aware that not everyone will know about this process, but it’s still there, it’s still an option.
