Simple Hack Beats Biometrics

Japan passed a measure back in 2006 to fingerprint and photograph all foreigners coming into the country. They implemented a biometric system at airports that will compare fingerprints to a database containing the fingerprints of terrorists and other individuals barred from entering Japan. But now that system has been fooled by a South Korean woman who had been barred from entering Japan. Now Japan is worried that this simple hack has been used by numerous "barred" individuals, forcing a review of all of its antiterrorism measures at airports.

So how did she do it? Well, it turns out it was pretty easy, though it took knowing someone on the shady side of the law. The South Korean woman was caught by immigration officials in August of 2008, and she told them she had gone to a broker who supplied her with a fake passport and some "special" tape with another person's fingerprints on the tape. When she put her covered finger on the biometric pad, it registered the fake fingerprint, which was not in the database of criminals.

So instead of trying to determine the identification of someone for entry, Japan is trying to determine the ID to keep them out. Though I am not familiar with the workings of Japan's system, trying to prove that you are NOT someone is really not a good use of biometrics. It probably has some kind of failsafe that makes sure it is seeing a "real" fingerprint (you can't burn off your fingerprints or just put Scotch tape over them), but unless the system has a database of EVERY person in the world, then it has no idea that the fake fingerprints are not real. All you have to do is jack with the system in such a way that it doesn't pick up your real fingerprints.

Of course, Japan is fingerprinting every foreigner, so they might have a database of every relevant foreigner. But again, how difficult is it for criminals to get the fingerprints of someone in the database but not on the bad list? Obviously not very. And if this is how the system works, then Japan will have a bear of a time counteracting the hack. Basically, they will need to catch every individual who has bypassed the system using this method and correlate what fingerprints they used for the bypass so they build those fingerprints into their database as well. And then what if those fingerprints are simply being lifted versus being willingly given by that person? How do you prove that they sold their fingerprints? What a debacle.  

Can you say "fail"? I knew you could.

Subscribe to the Security Watch Newsletter

Comments