A recent blog article published by Kraken, the world's biggest global digital asset exchange, highlighted how easy it is to circumvent the fingerprint authentication controls that laptops and other devices fitted with biometric fingerprint scanners rely upon.
The article explained how an attacker could take a photo of a target's fingerprint and use it to create a fake fingerprint, then gain access to any of the target's devices that rely on a fingerprint scanner to authenticate the user.
The photo of the fingerprint could be lifted from any surface the target had touched, for example at a gym or a library, or from a glass in a restaurant. Using an editing tool such as Photoshop, a negative of the fingerprint could be created. When that negative was printed onto an acetate sheet by a laser printer, the toner would form a raised 3D structure, which in turn could be moulded with wood glue or any other resinous material to produce a fingerprint mould. The article demonstrated that this mould was realistic enough to pass the fingerprint scanner on a range of devices and gain access to them. For digital assets such as cryptocurrencies, gaining access to a fingerprint-protected laptop could provide rich pickings.
It also serves as a vivid example of just how innovative criminals can become when seeking to circumvent controls.
This is an important point because typically criminals are faster to identify and take advantage of control weaknesses than risk managers are to respond to the latest threats and exploits.
For companies that are seeking to test existing controls or design new ones, particularly in areas that are prone to fraud or other criminal activity, it is worthwhile asking whether every possible angle has been covered: not just the angle of established risk and control frameworks and their associated standards, but also the perspective of a responsive, innovative and determined attacker. How would they circumvent the controls?
The fingerprint scanner exploit is a clear illustration of something that was thought to be secure but which, in some circumstances, can be easily circumvented.
It's always a worthwhile exercise to revisit your controls and challenge yourself to think in the same way as the innovative and determined attacker.
If you'd like some help to think about controls, please contact Neal Ysart, Lead Regulatory & Investigations Advisor at firstname.lastname@example.org / Tel: +971 55 138 9250 or your usual Clyde & Co point of contact.
To compromise your device or account, we don’t even need direct access to your fingerprint. A photo of a surface you’ve touched (from a table at the local library to the equipment at your nearest gym) will do.