Fake Wax Hand Cracks Vein Authentication

Tom Jowitt,
handprint palm vein biometric scan security identity © Claudia Perez Leal Shutterstock

Biometric bypass sees researchers use fake wax hand to trick vein authentication system

An established form of biometric security has a potential security vulnerability after researchers were able to crack it using a false hand made out of wax.

The low-tech wax hand hack was used to crack vein authentication scanners made by both Hitachi and Fujitsu, which are said to be used by 95 percent of the vein authentication market.

Vein authentication has been around for a number of years now, and is considered by some experts as a more secure biometric system than fingerprints, which can be left behind on certain surfaces and lifted off and used maliciously.

Vein authentication

Typically, vein authentication scanners use a person’s finger or hand vein pattern. Vein patterns are said to be highly unique, with only a one in 34 billion chance that two people share the same vein pattern.

But now researchers think they have found a way to crack the tech, thanks to the use of a wax hand.

According to Motherboard, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by both Hitachi and Fujitsu, with their fake hand. The method was demonstrated at the annual Chaos Communication Congress in Germany.

“It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it,” Jan Krissler told Motherboard via email.

Essentially, the researchers were able to copy their target’s vein layout from a photograph taken with an SLR camera modified to remove its infrared filter.

“It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them,” Krissler reportedly said.

The two researchers apparently took over 2,500 pictures over 30 days in order to perfect the process and find an image that worked.

They then used that image to make a wax model of their hands which included the vein detail.

“When we first spoofed the system, I was quite surprised that it was so easy,” Krissler reportedly said.

The researchers acted responsibly and disclosed the details of their research to Hitachi, but it seems that Fujitsu did not reply back to them.

Biometric arrival

Biometric security has been in used for a while now, especially in financial circles.

In 2015 for example Barclays launched a new high-end banking service called iPortal, that acts as a central hub for corporate customers to access all of the bank’s services through a single gateway, with entry gained by using Barclays’ Biometric Reader tool.

Prior to that in 2014, a Polish banking services provider (ITCard) began rolling out Europe’s first cash dispensing machines to use vein pattern recognition to identify clients, using a Hitachi technology called VeinID.

Do you know all about biometric technology? Take our quiz!