Hackers Bypass Palm Vein Biometric Authentication With Fake Wax Hands

Traditional passwords have started to yield ground to biometric security options, like fingerprint scanning and even retina scans. Going even deeper (literally), there's yet another method that involves authenticating a person's identity by scanning his or her veins. It sounds secure, except that researchers have already found a way to thwart it using wax.

Vein authentication works by scanning the shape, size, and position of the veins underneath the skin of a person's hand, and then comparing the scan with a record that is already on file. It's believed that Germany's Federal Intelligence Agency (Bundesnachrichtendienst, or BND) employs this type of security.

In theory, it should be more challenging to present a fake copy of someone's veins than to lift someone's fingerprint from an object or a high-resolution photograph. Last week, however, security researchers at the Chaos Communication Congress explained how they created a fake hand out of wax to thwart this type of biometric security.

What they did was take pictures of their hands using a modded SLR camera with the infrared filter removed. At a distance of five meters, the camera was able to see vein patterns underneath the skin. The images were then used to make wax replicas, which in turn were able to fool a vein authentication system.

"It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it," Jan Krissler, who researched the vein authentication system along with Julian Albrecht, told Motherboard. "When we first spoofed the system, I was quite surprised that it was so easy."

The researchers presented their findings to Fujitsu and Hitachi, both of which make and sell vein authentication solutions.