title: Fingerprint Recognition at the Supermarket as insecure as Biometrics in Passports
date: 2007-11-27 00:00:00 
updated: 2009-11-18 09:26:51 
author: webmaster
tags: update, pressemitteilung

Berlin, Germany (presse@ccc.de, November 27, 2007) Biometrics experts of the German Chaos Computer Club (CCC) worked together with the German TV magazine "PlusMinus" to demonstrate the ease of counterfeiting fingerprints. With cameras rolling, a fingerprint scanner installed at a supermarket checkout was deceived, charging the transaction to someone else's account. The journalists of the TV magazine were able to trick the point-of-sale system with forged fingerprints after only a short tutorial from CCC experts, thereby refuting the claim of biometrics proponents and manufacturers that such a forgery scenario is only possible in a controlled environment such as a laboratory. Fingerprinting systems, which are used in the new biometric passport and are planned for deployment in the German ID card, can be deceived with the most trivial methods and do not provide any security worth mentioning.

<!-- TEASER_END -->

For reasons of their own safety, they chose a German supermarket in the
Swabian city of Rülzheim (near Karlsruhe) instead of an airport. As part
of a trial run of the technology, the store, along with over a hundred
others, offers an account which allows the customer to complete
transactions using only their fingerprint. As demonstrated in a
three-year-old video, the fingerprints of a customer (who participated
in the experiment) could be lifted off an everyday item. Using a
method developed by the biometrics experts of the CCC, these imprints can
be transformed into a dummy fingerprint which easily allows use of
someone else's account. The needed materials (super glue, wood glue,
skin-friendly glue, and a laser printer) can be found in almost every
household.

It is feared that the installation of fingerprint readers at German
border control in conjunction with the introduction of the "ePass"
(German Biometric Passport) will undermine, rather than enhance, the
security of one of the most fraud-resistant documents in the world.

The issue of liability surrounding biometric payment systems remains
unclear. Similar to the fraud-plagued EC-card, the victims of the fraud
must prove that they did not act fraudulently. Finding this proof is
very difficult, given the complexity of these systems. The CCC strongly
recommends against using these systems. Anyone who is already registered
with such a system should cancel the contract immediately and demand
written confirmation that their personal biometric data has been deleted.

Unlike security characteristics that can be changed, such as a password or
PIN, one's fingerprint is unchangeable. Once a fingerprint has been
lifted and copied, it is useless as a security feature for the person's
whole lifetime. Each individual has only eight fingers that are useful
for authentication: the fingerprints of the fifth, or little, finger are
too small to be used for this purpose.

Frank Rosengart, CCC spokesperson, concluded: “The fingerprint as a
security feature loses more and more of its value the more biometric
verification systems use it as a feature. The same fingerprint, which is
scanned in high resolution at the grocery store, shall be used at the
border for verification. No customer can verify if the high-resolution
fingerprint is stored anyway.”

Rosengart continued, “We demand a legislative ban on biometric
identification systems because neither the operator nor the user of the
system can estimate the risks.” In the past, the CCC has thoroughly
pointed out that fingerprints are suitable neither for payment systems
nor for passport documents.

### Further information

-   \[1\] [Press release of ARD's
    PlusMinus](http://www.daserste.de/plusminus/beitrag_dyn~uid,y2i9gnyp0ejp1iqp~cm.asp)
-   \[2\] [Video: Faking Fingerprints, how simple is it
    really?](ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg)