Dark marketplace for fingerprints

Stealing Prints 2I know a family that, some years ago, replaced their standard mailbox with a locking mailbox. Someone had stolen an order of checks from the mailbox and gone on a spending spree. The family, if you can imagine, didn’t care for that.

Those were the days. Now people are making a business of stealing and selling fingerprints.

recent PYMTS.com post reports that 60,000 fingerprints, complete with Social Security numbers and addresses belonging to the fingerprints’ rightful owners, are now for sale on the dark web. The dark website even has a brand name: Genesis.

Hacking fingerprint databases is not new. For as long as fingerprint databases have been a thing, bad guys have been hacking them. Nor is the volume of 60,000 records all that impressive. It’s an arguable trifle compared with the estimated 5.5 million fingerprints with Social Security numbers and addresses stolen in 2015, allegedly by Chinese hackers. 

What is new—and, I suppose, inevitable—is that a stolen fingerprint marketplace has emerged on the dark web. As you might expect, the media are reacting to the news with either panic or a yawn. 

On the panic side, there’s the what-if-someone-cuts-off-your-finger angle, which I dispatched in a post last October. But at the saner end of the panic side are some disturbing reports. According to the BBC and The Telegraph, it’s possible for thieves to capture and duplicate your fingerprints from a photo of you waving a peace sign. The latter reports:

Researchers at Japan’s National Institute of Informatics (NII) have found that fingerprints can be easily recreated from photos taken up to three metres away without the need for advanced technology. So long as the picture is clear and well-lit, prints can be mimicked.

My initial reaction was that there’s quite a gap between “can be” and “it’s happening.” That bubble did not remain intact for long. All it took was this, written by reporter Kari Paul for Marketwatch:

In a few short minutes last week, using a standard printer and materials easily purchased online, security experts from tech developer Synaptics successfully replicated my fingerprint onto a piece of paper that could unlock my iPhone’s biometric sensor. The hack could be pulled off by anyone with a “first year university student level of programming,” according to Synaptics spokesman Godfrey Cheng, highlighting a major potential flaw in biometric authentication, part of the new security solution that could someday replace passwords.

It’s a little harder to change your fingerprint than to change your password. By “a little harder,” I mean “pretty much impossible.” In his article “The Myth of Fingerprints” in the most recent issue of Smithsonian, Clive Thompson wrote:

How reliable were prints, though? Could a person’s fingerprints change? To find out, Faulds and some students scraped off their fingertip ridges, and discovered they grew back in precisely the same pattern.

Thompson also noted,

Indeed, criminals themselves were so intimidated by the prospect of being fingerprinted that, in 1907, a suspect arrested by Scotland Yard desperately tried to slice off his own prints while in the paddy wagon.

I would like to go on the record as not recommending that.

Adding to the panic side is the fact that the uniqueness of fingerprints is being called into question. That’s why an increasing number of law enforcement agencies are doing less fingerprinting and more DNA matching. But then, the assumption that “no two DNA signatures are alike except with identical twins” is also under question.

On the yawn side, using a stolen print on a device requires stealing the device at the same time, a stunt more easily pulled in a spy movie than in real life. There is also the question of stealing the right prints out of a possible ten, or twenty if you use your toes.

An appeal to spy movies may not be far from the mark. In the wake of the 2015 hack, Oliver Roeder of the ABC News’s website FiveThirtyEight took a look at the practicality of using stolen fingerprints. He concluded:

… the most likely uses of the stolen prints are more about deep spycraft than petty phone theft, according to several experts I asked to theorize on potential exploits. Combine the old grade-school truism that fingerprints, like snowflakes, are unique (or at least pretty close to it) with the fact that fingerprints can’t be changed, and you’ve got a powerful identity authentication tool that could be used to great effect by a foreign intelligence agency.

But then, that was in 2015. In technology, four years is an eternity. It was only a year ago that The Atlantic reported, “That data doesn’t appear to have surfaced on the black market yet.” Now they have. And “… if it’s ever sold or leaked,” the Atlantic article had continued … 

… it could easily be used against the victims. Last year, a pair of researchers at Michigan State University used an inkjet printer and special paper to convert high-quality fingerprint scans into fake, 3-D fingerprints that fooled smartphone fingerprint readers—all with equipment that cost less than $500.

That’s progress. I guess.

Comments are closed.