Traditional passwords have started to yield ground to biometric security options, like fingerprint scanning and even retina scans. Going even deeper (literally), there's yet another method that involves authenticating a person's identity by scanning his or her veins. It sounds secure, except that researchers have already found a way to thwart it using wax.
Vein authentication involves scanning the shape, size, and position of the veins underneath the skin of a person's hand, and then comparing the scan with a record that is already on file. It's believed that Germany's Federal Intelligence Agency (Bundesnachrichtendienst, or BND) employs this type of security.
In theory, it should be more challenging to present a fake copy of someone's veins than to lift someone's fingerprint from an object or a high-resolution photograph. Last week, however, security researchers at the Chaos Communication Congress explained how they created a fake hand out of wax to thwart this type of biometric security.
What they did was take pictures of their hands using a modded SLR camera with the infrared filter removed. At a distance of five meters, the camera was able to see vein patterns underneath the skin. The images were then used to make wax replicas, which in turn were able to fool a vein authentication system.
"It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it," Jan Krissler, who researched the vein authentication system along with Julian Albrecht, told Motherboard. "When we first spoofed the system, I was quite surprised that it was so easy."
The researchers presented their findings to Fujitsu and Hitachi, both of which make and sell vein authentication solutions.