FB pixel

Faking vein scans is doable but maybe only after every single other option is exhausted

Categories Biometric R&D  |  Biometrics News
 

palm vein pattern

Researchers with access security player Duo Security have written about experiments they have conducted using near infrared light for authentication. They wanted some practical experience with near-IR in a biometrics role — specifically, imaging arm, hand and face veins.

Duo Security was bought by networking pioneer Cisco Systems in 2018 for $2.35 billion. Duo sells cloud-based unified access security and multi-factor authentication products.

The team’s work, laid out in a Duo post, found that a common digital, single lens reflex camera with various IR filters can be reconfigured to record veins relatively clearly in real time with an infrared light source of 940nm combined with a 950nm lens filter. The DIY vein scanner could then theoretically be used to capture images for use in spoof attacks.

But there remain serious complications to the process that in the short term likely will mean only the most determined attackers will even consider vein scanning.

In the post, Jeremy Erickson, senior R&D engineer with Duo, writes that the team was aware of “demonstrated working attacks” against near IR biometric security systems, but that no one seems to have followed up on the results.

Erickson said that it is hard to find information about general IR authentication. What they could find was specific to successful attacks. That limits useful insights.

The infrared spectrum as a whole typically is used to illuminate dark settings without using visible light. A prime example is lighting military environments. Some personal electronics use some of that spectrum, along with visible light, to authenticate a person by comparing a live face scan to stored images.

Near IR is the invisible spectrum adjacent to visible light, roughly from 700nm to 1,400nm. Veins in all of their unique branches beneath skin show up well in this range. Duo’s post spotlights multiple products the AccuView AV500, a med-tech system that uses near IR spectrum to scan veins and then display them as an overlay on a patient’s body to, for example, make phlebotomy a faster and less nauseating process.

The Duo researchers found that vein scanning is harder to accomplish than facial or fingerprint recognition. If nothing else, off-the-shelf hardware and software can image and process face and print images in their thousands. At the moment, capturing vein images takes a do-it-yourself effort, breaking down a digital camera, to get the endeavor underway.

And, finally, the security of vein-scanning is not certain. On the one hand, writes Erickson, it is not prohibitively hard to view a person’s vein structure. On the other, approximating the captured pattern in the experiment required printing it and covering the print with molded wax. As he points out, it is not unlike the tedious routine needed to fake fingerprints today, but even more strained.

Vein biometrics are forecast to be a $1 billion market by 2029.

Article Topics

 |   |   |   |   |   |   | 

Latest Biometrics News

 

A billion stolen passwords make passkeys look good, despite growing pains

In breaking news that should come as no surprise, your password isn’t good enough. And no, not even if you…

 

Trump puts brakes on Biden-era AI regulation; future uncertain

As was expected, on day one of being inaugurated, President Donald Trump repealed outgoing President Joe Biden’s Executive Order (EO)…

 

How AI fraudsters are capitalizing on the slow rollout of digital IDs

By Ofer Friedman, Chief Business Development Officer, AU10TIX As professional fraudsters ramp up their attacks, leveraging generative AI and randomization…

 

UK government reveals mDL pilot, Gov.uk digital wallet plans

A Gov.uk digital wallet and app will be introduced this year to ease access to pubic services for British residents,…

 

Yoti responds to Ofcom’s guidance on age checks for porn sites

While the age assurance sector has welcomed Ofcom’s newly published guidance on highly effective age assurance for adult content sites,…

 

Jumio, Innovatrics, Vouched and Regula advance identity verification use cases

Whether it’s in gaming, home stays or automotive sales, the need to establish trust is crucial. Effective digital identity verification…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events