Usa new news

The push to protect your fingerprints

If a hacker steals your password, you can create a new one, but if someone gains access to your fingerprint or iris data, you can hardly replace your fingers or eyes. But a new study has shown promise with a technique that allows users to “update” their fingerprints, which could make us all safer online.

Spy novels

Concern about the security of using fingerprints instead of passwords has grown this month amid reports that scammers could extract close-ups of fingerprints from social media photos and “enhance them with AI”, said Money Wise. The criminals could then use the victim’s unique fingerprint ID to gain access to their accounts, or launch identity theft and phishing attacks, although they would still need access to a physical scanner, like a smartphone unlock key, to use the cloned fingerprint.

It “sounds like the stuff out of spy novels or ‘Mission Impossible’”, Vyas Sekar, a professor at Carnegie Mellon University, told CBS News, but “in theory, it’s possible, especially if people are posting high-resolution images”. In 2014, a hacker claimed to have cloned a fingerprint of European Commission President Ursula von der Leyen, then Germany’s defence minister, using close-up photos taken at a press event.

‘Scrambled and compressed’

A study in the International Journal of Computational Vision and Robotics has found that “irreversible identity theft” can be “largely avoided” by giving users a chance to “reset” fingerprints and other biometrics, said TechXplore.

The method is “similar to changing a password”, said Knowridge. Rather than storing a person’s original fingerprint or other biometric information directly, it transforms their data into a protected version. To do this, it identifies unique features in a fingerprint image, such as distinctive patterns and points, and “uses mathematical methods to convert these features into a different form that is difficult to reverse-engineer”. The data is then “further scrambled and compressed” into a secure digital version.


In this form, it can still verify a person’s identity, but the original biometric data is hidden. If the protected version is ever compromised, it can be “cancelled and replaced”. Even if hackers gained access to the stored information, the user would not be permanently exposed.
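The transform-then-cancel idea described above can be sketched in a few lines. This is an added illustration, not code from the study: it substitutes a generic seeded random projection with sign binarisation for the paper's own mathematics, and the feature vectors, token strings, bit length and threshold are all constructed assumptions.

```python
import random

N_BITS = 128       # template length; fewer bits than features, so the mapping is many-to-one
THRESHOLD = 0.25   # largest fraction of differing bits still accepted as a match (assumed)

def protect(features, token):
    """Project the features onto token-seeded random directions and keep only the signs."""
    rng = random.Random(token)   # the replaceable token, not the finger, selects the transform
    template = 0
    for _ in range(N_BITS):
        dot = sum(rng.gauss(0.0, 1.0) * f for f in features)
        template = (template << 1) | (dot > 0)   # magnitude is discarded: the lossy step
    return template

def distance(a, b):
    """Fraction of bits that differ between two protected templates."""
    return bin(a ^ b).count("1") / N_BITS

def verify(stored, features, token):
    """Re-derive a template from a fresh scan and compare it with the stored one."""
    return distance(stored, protect(features, token)) <= THRESHOLD

# Constructed sample data: random vectors standing in for extracted fingerprint features.
def sample_features(seed, n=256):
    r = random.Random(seed)
    return [r.gauss(0.0, 1.0) for _ in range(n)]

def rescan(features, seed, noise=0.05):
    """Same finger, new scan: the original features plus small sensor noise."""
    r = random.Random(seed)
    return [f + r.gauss(0.0, noise) for f in features]

alice = sample_features(1)
alice_rescan = rescan(alice, 2)
other_finger = sample_features(3)

enrolled = protect(alice, "alice-token-v1")   # what the service stores at enrolment
reissued = protect(alice, "alice-token-v2")   # replacement issued after a breach

if __name__ == "__main__":
    print("rescan vs enrolled:     ", verify(enrolled, alice_rescan, "alice-token-v1"))
    print("other finger vs enrolled:", verify(enrolled, other_finger, "alice-token-v1"))
    print("old vs new template:    ", distance(enrolled, reissued))
    print("rescan vs reissued:     ", verify(reissued, alice_rescan, "alice-token-v2"))
```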
