I'm sure most everybody knows ways to trick or fool a fingerprint scanner, but how many people know an exact proven procedure that works most of the time. The procedure here is based on a study by Dr. Matsumoto on 'gummy' fingers.

Materials Needed:
Graphite Powder or Superglue
Digital Camera or Scanner
Transparency Film (acetate)
Ferric Chloride
Gelatin
Silly Putty
Photosensitive Coated Copper Clad Board

[list=1]Procedure:
Use the graphite powder to make the print become visible OR use fumes from the superglue to get the same effect.
Scan the fingerprint image into your computer OR take a good quality digital picture of the print.
Use Photoshop or other graphics editor to inverse colors and increase contrast so fingerprint is clear and bold.
Print inverted fingerprint image onto the acetate (transparency). We need light to shine through it where the fingerprint should be.
Enter a dark area, place the transparency over the copper clad board, and expose to UV light for brief amount of time. This will eat away at the thin top layer where the fingerprint mold should be.
Soak the board in the ferric chloride. The solution eats away where the photosensitive layer is missing.
The fingerprint mold will emerge in the board, proceed to pour gelatin over the board.
Voila! Fake fingerprint :)
[/list=1]

The created print can be used to fool most fingerprint scanners, and if sprayed with a little bit of WD-40, it will leave behind a fingerprint as your real finger would on surfaces. Don't do anything illegal now! :cool: This is merely a BRIEF procedure of how this method can be achieved, if you are considering doing this and need help, or are stuck... I'm happy to answer any questions. Also, if you're looking for ways around other biometric systems, ask away.

What about the Pulse, the moisture, and the temperature detection thats inside a biometrical finger print scanners? This will only fool lil cheap scanners for 20$ at walmarts at the most, but it will not work on a "real" finger print scanner. Prove me wrong.

Cheers.

Tempreature can be fooled quite easily. Unfortunately I couldn't find the link to an article I read >6 months ago, but an (I think Italian) uni prof did some gelatin finger experiments to spoof finger print scanners. He used a couple of different methods to get the print and made a gelatin 'finger' with the extracted print on it. For the ones that required tempreature he simply left the fake fingers in warm water before using them on the scanners. From memory it was approximately an 70-80% success rate. Quite surprising really.

Pulse and the right type and amount of moisture is a significantly bigger challenge though.

This artical is quite good, it has several methods by which finger prints could be gathered and fake fingers produced.

http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf
the file is quite big though ~ 1.2MB, I won't upload it to here as I am not sure about copyright etc.

in fact it is the same guy.

Actually... the two best substances for fake fingers are silicon and gelatin. Gelatin actually comes out on top because of the already existant moisture level VERY close to that of a human finger. As for temperature... there are ways.

I usually just chop off the user's fingers... works 99% of the time.

I like the chop off the hand, or hold a gun to the guys head method....Now try to use the gelatin in a real world situation...Some one will notice that you don't have an ID/belong there...The company I work at the guards know every ones face (no small task with 2000 employees but they know every ones face within a week of work and name in two weeks) and the security system pulls up an image of each employ as you walk in, just try and get in and two the computer you want with a mold on your finger se how fast you land in jail...why hasn't this guy been banned yet?

Hey Plastic have you ever actualy tried this? I doubt it. And if you ever did you would get busted in no time flat. Time to wake up. Your not james bond and that stuff only works in the movies.

I've read dr Matsumoto's report a while ago, and what it says (if I remember correct) is that many fingerprint readers can be fooled (even the expensive ones). Matsumoto's report is about a year old by now, so maybe the technology has improved.

Anyway, there was one type of fingerprint scanner that he couldn't fool with his tecnique. Those are the capacitive fingerprint readers. They measure the amount of static electricity in a human finger, which I suppose must differ from a gelatin finger. In addition to checking the fingerprint, of course.

Other methods are (from the top of my head), measuring of moisture and heat. But I think the Dr fooled both of those.

I heard a story one, which I'm not sure is true, but anyway, in South Africa some time a go a bank tried out using fingerprints in addition to credit cards. The had to abandon as criminals started cutting of people's fingers.

As I did a project on fingerprint scanner a while ago, I know how bad they are. The problems is not so much that they can be fooled, it's rather that they are impossible to use. At least mine was, and that was quite expensive and from a market leader. Lots of times you are rejected because you didn't put your finger on the pad exactly the way you did the first time. And if your finger is dirty, it's not gonna work at all. You actually have to go and wash your hands before you can use the scanner. Sweaty finger fill not work either. I can tell you I was very dissappointed.

On most fingerprint software that I know of you can decrease the security level, and raise the acceptance rate. There are two terms when it comes to this issue: "False Acceptance Rate" and "False Rejection Rate". The first means how many are accepted in that shouldn't be allowed, and the second means how many should have been accepted but wasn't allowed in. In the ideal software you can level these to an acceptable level for both. My opinion is that todays technology is nowhere near... Either the FAR is to high or the FRR is to high, there is no such thing as a middle way. I remember on my fingerprint scanner, I set the false acceptence rate to lowest (eg. highest security), and was rejected 19 out of 20 times. Well, that's just not good enough.

Oh, and another thing. There are software for generating fingerprints! Which means brute forcing of fingerprint authentication should be possible, just cut the cable to the fingerprint reader and feed the system raw images from another computer. That's because most fingerprint scanner can only recognize 150.000 - 300.000 different fingerprints. So in a group of 600.000, you can have at best 2 people with the same fingerprint. This also has to do with the FAR/FRR, eg. the security/usability level. When I tried on the highest security level, my fingerprint scanner was supposed to recognize one in 200.000 fingerprints. But as I said before, it was not very usable. At a usable level with low security i would only be rejected 1 of of 15 times! That might seem like good news, but then the scanner would only recognize 1 in 5.000 fingerprints. All numbers are from the top of my head and might not be very accurate...

But it's an exiting technology, so I'm gonna try again when it has matured.

For authentication, I say go with PKI for now. It's currently a more promising technology.

fingerprint machines have been the bottom of the barrel for years in biometric authentication methods. There are numerous ways to defeat/fool even the most expensive readers, although I was just hearing from one of the big names in the industry that they have a new type of reader coming out that is not defeatable by "known methods". They wouldn't share much information with me without my company signing an NDA, which we haven't done yet, so I can't even begin to validate their claims.

Retina scanners are still fairly good, and bone geometry scanners are also good. It's kind of hard to fool the bone geometry scanners, even if you cut a persons hand off. That will impact the layout of the hand. Also, supposedly, if the person is unconsious and you attempt to use their hands that it will throw the reader off. I have only seen one place, personally, that uses bone geometry readers, and it was one of the most secure facilities I have been to.

Still, biometrics (of some sorts) used in conjunction with something like a 30-second SecureID style card/fob is one of the better methods for securing whatever it is you wish to secure, from physical entry to locking a computer system down.

hmm....so a PCB fingerprint will fool a fingerprint scanner??? Don't think so mate, as for the gelatine stuff....sure, bot you have a limited amount of time to make and use it, as well as the *other* problems you'r bound to fun into by grace of Murphies law, the fack that a fingerprint scanner is enough to stop just about every one cept the stupid, not that it can't be faked, but that *while* your faking and using it, your a sitting duck.. oh well

- Noia

We had a presentation from Gartner on the use of Biometrics and other security technologies not too long ago. They presented their flashy "Technology Hype Cycle" with a focus on security. Here is an example:

http://watch.state.wi.us/Home/links/gartner/g100902-Hype%20Cycle.pdf

Here is one of their analyst's comments a bit on fingerprint readers:

http://security1.gartner.com/story.php.id.109.s.1.jsp

I also remember the Gartner presenters stating that humidty and room temperatures changes will affect the fingerprint readers effectiveness. That and any residual jelly on your fingers from jelly-filled doughnuts.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by ZomBieMann77
Hey Plastic have you ever actualy tried this? I doubt it. And if you ever did you would get busted in no time flat. Time to wake up. Your not james bond and that stuff only works in the movies.

Yes, I have tried it; in a controlled envirornment at UTSA and on my fingerprint scanner at home. As for illegal use of it, no I have not... nor do I plan to.

As allways my intervention is to change the focus of the thread. Because we are security consultants, we have to now that this things realy works, and many entusiastic boys can try into ower enterprices or even specialiced industrial spy or terrorist can use this method. So the thru point here is how to keep them out when they try to do some penetration with this method. The method expoused are good, also the point of temperature. lest find other ways to keep the good intention of the thread, and suges ways to make the perimetral security bether. I cann sugest a wheigt detector, to complete the finger print scanner with temperature mesurement capabilities.

xDrack

I'm a bit confused. I really don't understand how pulse can't be a factor in fingerprint scanning.

What if the guy just broke up with his girlfriend a few minutes before? Or he just asked a coworker out to dinner during the weekend. This would obviously result in a much faster pulse - does this mean he would be unable to access that restricted place/information?

[P.S. - XDrack, stop stealing my style, man ;) - nice avatar.]

Some fingerprint scanners have a device in them that measure pulse.. similar to the sensors on treadmills and excercise equipment. All it does is make sure there is a pulse, as a very basic precondition before even considering to allow access.