Skilled Impostor Attacks Against Fingerprint Verification Systems And Its Remedy
Fingerprint verification systems are becoming ubiquitous in everyday life. This trend is propelled especially by the proliferation of mobile devices with fingerprint sensors such as smartphones and tablet computers, and fingerprint verification is increasingly applied for authenticating financial transactions. In this study we describe a novel attack vector against fingerprint verification systems which we coin skilled impostor attack. We show that existing protocols for performance evaluation of fingerprint verification systems are flawed and as a consequence of this, the system's real vulnerability is systematically underestimated. We examine a scenario in which a fingerprint verification system is tuned to operate at false acceptance rate of 0.1 (zero-effort attacks). We demonstrate that an active and intelligent attacker can achieve a chance of success in the area of 89 by performing skilled impostor attacks. We describe a new protocol for evaluating fingerprint verification performance in order to improve the assessment of potential and limitations of fingerprint recognition systems. This new evaluation protocol enables a more informed decision concerning the operating threshold in practical applications and the respective trade-off between security (low false acceptance rates) and usability (low false rejection rates). The skilled impostor attack is a general attack concept which is independent of specific databases or comparison algorithms. The proposed protocol relying on skilled impostor attacks can directly be applied for evaluating the verification performance of other biometric modalities such as e.g. iris, face, ear, finger vein, gait or speaker recognition.
READ FULL TEXT