By John E. Dunn of Sophos
For anyone who believes vein authentication is more secure than fingerprints or facial recognition, we have good news – researchers have just showed how the technology can be beaten.
Before we explain why that statement isn’t a contradiction, let’s dive a bit deeper into what researchers Jan Krissler and Julian Albrecht reportedly outlined at last weekend’s Chaos Communication Congress (CCC) in Germany.
As with fingerprints, faces, or the iris of the human eye, the complex shape, size and position of veins in someone’s palm is unique to each person, including for identical twins.
These patterns are read using near-infrared light (i.e. almost visible as opposed to the non-visible ‘far’ infrared emitted by warm objects) and are less prone to physical injury than fingerprints. Unlike fingerprints, we also don’t leave them on the objects we touch for someone to copy.
There are disadvantages: vein patterns change slightly as people age, ambient light can interfere with recognition, and the precision needed to make the technology work makes it expensive.
That last issue might explain why, beyond a handful of banks and high-end users such as the HQ of Germany’s Bundesnachrichtendienst (BND) intelligence agency, few people are currently likely to encounter the use of vein authentication.
And the hack?
According to Motherboard, Krissler and Albrecht’s presentation showed how vein authentication systems could be fooled using nothing more complicated than a faked-up wax hand model and a printout of their own veins photographed using a good-quality SLR camera which had had its infrared filter removed.
This sounds like a simple hack – print off a picture of the target’s veins, and mock up something that looks like a hand to cover it.
The fact this can be done at all doesn’t sound like a great advert for vein authentication until you read the extended testing the pair had to go through simply to get to that point.
To get an accurate print of the veins, the pair admitted they’d had to experiment with 2,500 pictures over a one-month period to get to an image that worked. Explained Krissler to Motherboard:
It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them.
Presumably, this would require a clear view, minimal interference from other light sources, and the ability to take full images of someone’s hand without that being detected.
Krissler was pleased with their achievement:
When we first spoofed the system, I was quite surprised that it was so easy.
Not that easy. What they’ve really demonstrated is that with enough resources, time, and a motive, an attacker would have a fair chance of beating vein authentication for a single person.
This doesn’t mean that using a fake handprint in a real-world situation also using other security measures (i.e. a security guard) would be straightforward.
It’s true that vein authentication systems are vulnerable to bypasses but so are all other systems yet invented, including fingerprint and facial recognition (Apple’s Face ID), and almost any authentication system when used in isolation.