Swipe Your Fingerprints! How Biometric Authentication Simplifies Payment, Access and Identity Fraud


Julian Fietkau, Starbug, and Jean-Pierre Seifert, Technische Universität Berlin


Biometric authentication is a trending topic in securing modern devices. Examples of this can be found in many widely deployed systems such as Apple's Touch ID or Microsoft's Windows Hello face recognition. Miniaturization and increased processing power are thereby leading to new applications not imaginable a couple of years ago. Such a solution is the new fingerprint smart card built by a Norwegian company that must not be named. Their biometric match-on-card platform is designed to provide a convenient solution for access, identity, and payment applications and aims to replace PIN authentication for the next generation of payment cards by VISA and Mastercard. In this paper, we are going to analyze how this company has implemented their already available demo kit for access control in hardware and software. We will point out critical weaknesses in its architecture and algorithm and show how these could be misused for payment, access and identity fraud by attackers able to steal or clone the device. Thereby, we combine software and hardware hacking techniques as well as extraction methods, to acquire fingerprints from photos and latent prints, to successfully spoof the system in various ways. This works in particular without the error-prone creation of physical dummies due to the exploitation of the insecure on-device communication. The attacks presented require little effort and low-cost equipment that can be already refinanced by abusing a single card at all. Finally, we will discuss countermeasures and ideas to improve the security of this and future implementations for match-on-card fingerprint authentication.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {220566,
author = {Julian Fietkau and Starbug and Jean-Pierre Seifert},
title = {Swipe Your Fingerprints! How Biometric Authentication Simplifies Payment, Access and Identity Fraud},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/fietkau},
publisher = {USENIX Association},
month = aug