It is possible to use simple payment applications by forging coated fingerprint that is located on the back of an identification card. This indicates that one can steal another’s Smartphone and pass through authentication and make payments through forged fingerprint.
It is confirmed that it is also possible to use payment applications through forged fingerprint. This result calls for follow-up measures towards biometrics authentication systems.
It is also possible to access ‘Government 24’, which is a portal site operated by South Korean Government, through forged fingerprint. Fortunately, possibilities of abuse were low as it requires a certificate authentication process. However, because South Korean Government is starting to abolish use of certificates, it needs to also work on enhancing online and mobile fingerprint authentication systems at the same time.
The Electronic Times and Real iDentity (CEO Lee Seom-kyu), which specializes in biometrics authentication, also assessed major South Korean simple payment applications, internet-only banks, and ‘Government 24’ through forged fingerprint on the 4th followed by their previous experiments on unmanned kiosks.
First, they saw that it is possible to access mobile simple payment applications without further verification process. Biometric authentication detection sensors within Smartphones were not able to distinguish if fingerprint was real or not. Although this requires one to steal another person’s Smartphone and copy his or her fingerprint, there is a high chance that this method will be abused by hackers or people around.
It was also shown that it is possible to use wire transfer service of an internet-only bank through forged fingerprint. Situation on iPhones was even more serious.
“It is easier to use forged fingerprint on iPhones rather than South Korean Smartphones.” said a representative for a research institution. “Because use of simple payment authentication through fingerprints is becoming more universal, research on ways of supplementing biometrics authentication systems is necessary.”
It is also possible to use forged fingerprint for ‘Government 24’. However, this bad news turned into a good news as Government 24 still uses certificates.
The Electronic Times attempted to obtain various civil documents from Government 24 using forged fingerprint. It was impossible to obtain them through laptops or iPhones. However, it was possible to obtain them using Android Smartphones.
Certificates were needed to register Government 24 for the first time through forged fingerprint and they were also needed to print official documents. As a result, there are limitations for regular people to abuse this system even if they have forged fingerprints.
Representatives from security industries emphasized that South Korean Government as well as Smartphone manufacturers and web developers must strengthen and enhance their biometric authentication sensors and mixed authentication systems as soon as possible.
They are saying that either introduce mixed authentication systems that include multiple fingerprint authentications, fingerprint and face authentications, and fingerprint and iris authentications or ways to differentiate biometric information additionally.
Technical upgrades can also be alternatives.
Sweat can be used to differentiate if fingerprint belongs to a specific person. Also, fingers have special electric signal values. By using these values, it is possible to accurately distinguish actual fingerprints or forged fingerprints made from silicon, clay, or gelatin.
Staff Reporter Gil, Jaeshik | osolgil@etnews.com