Hopefully, we all know by now that it's a big mistake to post too much personal information on social media. For instance, telling the world that your house will be empty because you're going away on holiday could lead to burglary. Similarly, it's a pretty dumb idea to post photos of your debit card on Twitter. And we all should know by now about the dangers of posting images online containing EXIF metadata that might expose our physical location. Just ask John McAfee if you're unsure how that can be a problem...
But can any harm come from flashing a "peace" V-sign in a selfie? A group of Japanese scientists are claiming that the seemingly harmless gesture, which is particularly popular amongst youngsters in Asia, could potentially lead to individuals' fingerprints being stolen.
Researchers from the National Institute of Informatics (NII) are claiming that criminals can extract fingerprints from a high-resolution photograph of you flashing a peace sign and use that data to recreate your prints. They can then leverage those reproductions to access data that you have protected behind biometric authentication (such as Touch ID on your Apple iPhone).
Professor Isao Echizen reportedly told local media that it wouldn't take a huge amount of effort for a determined hacker to exploit a photograph:
"Just by casually making a peace sign in front of a camera, fingerprints can become widely available. Fingerprint data can be recreated if fingerprints are in focus with strong lighting in a picture."
According to the researchers, photos taken under the right conditions from up to three metres away from exposed fingers have had fingerprint data successfully extracted from them.
Of course, this isn't the first time security researchers have raised the spectre of fingerprint theft. For instance, in 2013, the Chaos Computer Club demonstrated how it could lift a physical fingerprint and then use a copy to unlock an iPhone.
The NII has said that it is developing a transparent film that could be worn on fingertips to hide their prints without interfering with biometric scanners. The film will not be available for a couple of years. Somehow, I find it hard to imagine that people would bother to wear such things.
And maybe we won't need to, as others are skeptical about whether there is truly much for the average person to worry about. For instance, biometric expert Jason Chaikin told Mashable that taking a fingerprint-stealing photograph was not as trivial as it first sounded despite the constant improvement in camera technology:
"Ultimately, it's not that easy. If you look at 100 pictures of people staring into a megapixel camera flashing the peace sign, probably less than 30 percent have the right type of lighting. Secondly, if you have a picture that works, there's a real craft to being able to take that, size it, bring it into another application and print it out in the right scale with the right form and then transfer that to a mold to then make an impression."
All the same, it's probably worth remembering that, from the security point of view, fingerprints are not the same as passwords in some important ways. For instance, you can change your password anytime you like, but good luck changing your fingerprints if they are ever stolen. Furthermore, we make a point of reminding users to be careful with their passwords and use unique combinations for different purposes. It goes without saying that by their very nature you leave your fingerprints lying around everywhere you go, and you're limited to a maximum of ten.
And as technology becomes ever more sophisticated, there is a good chance that biometrics will become an ever-more-present part of our daily lives. You may be unconcerned about your fingerprints being "stolen" today because you question how they could be exploited, but can you feel so confident that those stolen fingerprints might not be exploited against you in 30, 40 or 50 years' time?
That was one of my concerns when I heard that the Office of Personnel Management (OPM) hack in 2015 didn't just steal the personal details of some 21.5 million current and former US government employees but also 5.6 million fingerprint records.
Without wishing to sound alarmist, maybe it does make sense to think twice before flashing the peace sign in photographs after all...