summaryrefslogtreecommitdiff
path: root/updates/2007
diff options
context:
space:
mode:
Diffstat (limited to 'updates/2007')
-rw-r--r--updates/2007/umsonst-im-supermarkt.en.md62
1 files changed, 62 insertions, 0 deletions
diff --git a/updates/2007/umsonst-im-supermarkt.en.md b/updates/2007/umsonst-im-supermarkt.en.md
new file mode 100644
index 00000000..e77ab20b
--- /dev/null
+++ b/updates/2007/umsonst-im-supermarkt.en.md
@@ -0,0 +1,62 @@
1title: Fingerprint Recognition at the Supermarket as insecure as Biometrics in Passports
2date: 2007-11-27 00:00:00
3updated: 2009-04-18 19:12:41
4author: webmaster
5tags: update, pressemitteilung
6
7Berlin, Germany (presse@ccc.de, November 27, 2007) Biometrics experts of the German Chaos Computer Club (CCC) worked together with German TV magazine "PlusMinus" to demonstrate the ease of counterfeiting fingerprints. In front of running cameras, a fingerprint scanner installed at a supermarket checkout was deceived, charging the transaction to someone else's account. The journalists of the TV magazine were able to trick the point-of-sale system with forged fingerprints after only a short tutorial from CCC experts, therefore refuting the claim of biometrics proponents and manufacturers that such a forgery scenario is only possible in a controlled environment such as a laboratory. Fingerprinting systems which are used in the new biometric passport and are planned to be deployed in the German ID-card, can be deceived with the most trivial methods and do not provide any mentionable security.
8
9<!-- TEASER_END -->
10
11For reasons of their own safety, they chose a German supermarket in the
12Swabian city of Rülzheim (near Karlsruhe) instead of an airport. As part
13of a trial run of the technology, the store, along with over a hundred
14others, offers an account which allows the customer to complete
15transactions using only their fingerprint. As demonstrated in a
16three-year old video, the fingerprints of a customer (who participated
17in the experiment) could be lifted off an everyday item. According to a
18method developed by the biometrics experts of the CCC these imprints can
19be transformed into a dummy fingerprint which easily allows use of
20someone else's account. The needed materials (super glue, wood glue,
21skin friendly glue, and a laser printer) can be found in almost every
22household.
23
24It is feared that the installation of fingerprint readers at German
25border control in conjunction with the introduction of the "ePass"
26(German Biometric Passport) will undermine the security of, and not
27enhance, one of the most fraud-resistant documents in the world.
28
29The issue of liability surrounding biometric payment systems remains
30unclear. Similar to the fraud-plagued EC-card, the victims of the fraud
31must prove that they did not act fraudulently. Finding this proof is
32very difficult, given the complexity of these systems. The CCC strongly
33recommends not to use these systems. Anyone who is already registered
34with such a system should cancel the contract immediately, and demand a
35written confirmation that your personal biometric data has been deleted.
36
37Unlike security characteristics which can be changed, like a password or
38PIN, one's fingerprint is unchangeable. Once a fingerprint has been
39lifted and copied, it is useless as a security feature for the person's
40whole lifetime. Each individual has only eight fingers that are useful
41for authentication: the fingerprints of the fifth, or little, finger are
42too small to be used for this purpose.
43
44Frank Rosengart, CCC spokesperson, concluded: “The fingerprint as
45security feature loses more and more of his value the more biometric
46verification systems use it as a feature. The same fingerprint, which is
47scanned in high resolution at the grocery store shall be used at the
48border for verification. No customer can verify if the high resolution
49fingerprint is stored anyway.”
50
51Rosengart continued, “We demand a legislative ban of biometric
52identification systems because neither the operator nor the user of the
53system can estimate the risks.” In the past CCC thoroughly pointed out
54that fingerprints are neither suitable in payment systems nor in
55passport documents.
56
57### Further information
58
59- \[1\] [Press release of ARD's
60 PlusMinus](http://www.daserste.de/plusminus/beitrag_dyn~uid,y2i9gnyp0ejp1iqp~cm.asp)
61- \[2\] [Video: Faking Fingerprints, how simple is it
62 really?](ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg)