Comment: Commercial vein sensor spoofed - so what?
17 October 2014 14:12 GMT

Vein sensor spoofed by Swiss researchers

The vein recognition industry has been somewhat immune from the problem of biometric spoof attacks. But this perception could gradually change due to the efforts of a group of Swiss researchers who have spoofed - at least under specific limitations - a commercial sensor for what is believed to be the first time. The deeper question, though, is whether this really matters, at least for the majority of use cases…

In a video posted by Idiap and the Swiss Center for Biometrics Research and Testing it appears that a finger vein sensor resembling those manufactured by Hitachi has been used. Following enquiries, Hitachi told Planet Biometrics it would not comment at this time.

How does the spoof work?

First comes the enrolment stage. The researchers use a real finger from an accomplice – captured using an “open source” finger vein sensor. The resulting image is then manipulated and printed onto paper. The paper with the vein pattern is then fixed to a finger using scotch tape. This fake then appears to be enrolled into the system (three times) without any problem.

To complete the enrolment stage the system requires the finger vein to be verified. Again the finger vein spoof is correctly verified.

Following enrolment, the fake finger vein spoof is ready to go – and appears to have no trouble being identified in subsequent identification attempts – regardless of which finger the spoof is attached to.

(Editor's note: We would have been interested to see if the fake image would have been recognised when presented on something other than a live finger - so as to see if the vein sensor's ability to perform liveness testing was also compromised.)

So what?

Of course attempts at spoofing biometrics should be taken seriously, but it is tempting to say "so what" to the latest claims - at least for the majority of use cases. This is because there are serious limitations to the work - even to the extent that one could argue the sensor hasn't really been properly spoofed.

The researchers themselves admit that while the above technique works when enrolling a fake vein image and subsequently verifying against a fake, it does not work when a real finger is enrolled and subsequently verified against the fake.

This is a key point. The fact is that a person properly enrolled in a vein recognition system cannot "yet" be subsequently spoofed using a fake vein image. This is presumably due to the proprietary way that commercial vein recognition device manufacturers create their template images.

To be ultra safe, the researchers say that this means the enrolment process is key. They recommend that:

  • The enrolled subject is properly authorised to use the system;
  • The subject to be enrolled must use the system in the proper manner and not be allowed to present a spoofed image for enrolment.

There is also a disclaimer – this research only focused on one specific device and does not necessarily mean that all vein sensors would be vulnerable to such an attack.

Another important consideration is the not-so-easy task of acquiring a vein image from someone without them being a co-operative partner – in other words, a person’s vein image is not easy to acquire and is not routinely available in the way a fingerprint or facial image might be.

Except…

As mentioned, for most use cases, there is little or no concern. But one area where this might be a problem is in a time and attendance scenario, where "buddy punching" is a recognised issue.

If a worker can enrol into a system using a fake image, and have that fake image associated with their attendance record, then it would be possible for multiple copies of that fake to be made. These could then be used by that worker's "buddies" to log that person into work, so fraudulently allowing that worker to appear as if they had been on site.

Again, this is why enrolment procedures must be performed correctly.

What next?

So what is next for the researchers? Well nothing is off the table – including an attack on palm vein technology. Dr Sebastien Marcel, Senior Research Scientist, Head of the Biometrics Group, Idiap Research Institute, told Planet Biometrics that: “We will be continuing to investigate finger vein spoofing with other materials, as well as palm vein spoofing, provided we can fund the activities. And, of course, we will be proposing anti-spoofing techniques.”

But, for now at least, vein sensor manufacturers and their customers probably don't need to be fretting too much, so long as their enrolment procedures are up to scratch...

Note: Marcel’s group is organising the Kick-Off of the Swiss Center for Biometrics Research and Testing (http://www.biometrics-center.ch/kickoff-workshop/kickoff-program) in November this year, where spoofing and anti-spoofing will be an active subject of discussion between the partners.