My team member,looking very upset, came to tell me that he had just found three mobile connections registered in his name, whereas, he actually owned only one. Both of his disowned number was activated on same date in two cities over 100 Km apart and away from his native city. Smiling, I asked did he do any activity, where his fingerprints were taken?Yes! He had put his fingerprints and citizen ID number on a register, where he got a sale deed registered only two days ago.The fake mobile connections obtained through replica finger prints on biometric scanners, a mandatory law requirement to verify the subscriber’s identity,was everyday challenge many operators around the world are facing,while combating against SIM box and commission fraud.
The authorities, the institutions and the individuals all across the world use various types of biometric systems mainly to (1) ensure the authenticity of the person, before one is allowed to perform an activity, use the services, or accessing a device and (2)record keeping for future reference. The biometric systems include, but not limited to fingerprint, face recognition, DNA, palm print, iris recognition, retina, palm veins, odour/scent etc. The biometric systems are used for various purposes such as mobile connections, voting, property transfer, issuance of passports, bank account opening, attendance, issuance of driving license, immigration counters etc. The typical examples for mandatory requirement are Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 in India, Biometric verification from NADRA for mobile connection and bank account opening in Pakistan and mobile connections in Uganda.
Of various types, the finger prints are the oldest and most commonly used, which are considered to be detailed, nearly unique, difficult to alter, and durable over the life of an individual, making them suitable as long-term markers of human identity. The computerization and digitalization has made it possible to take, keep, compare and verify large volume of fingerprints using various types of scanners in short time. There are mainly four categories of scanners: (1) optical, (2) capacitance(3) thermal and (4) ultrasonic.
The optical fingerprint device captures digital image of the print using visible light. This type of sensor is, actually, a specialized type of digital camera making a high-resolution image of the finger’s ridges and valleys and in some types, the vein patterns beneath the skin as an additional security.The methods used to capture fingerprint images include touch, swipe, and roll, depending on the device.
The capacitance devices take the image,using the principles associated with capacitance,by measuring the voltage changes between the ridges having higher capacitance than valleys of the finger skin and thus generating varying signals. The capacitance devices could be passive or active types.
The thermal sensors take images on principle of temperature using difference between the finger skin and the air, meaning thermal resistivity and thermal capacitance. When the finger touches the sensor surface, the ridges transfer more heat than the valleys creating a variance used to develop the image. The thermal sensors are also active and passive.
The ultrasonic being the latest in imaging technology, use the intensity of reflected ultrasound, where the sensor can generate a 3D map of the finger surface. Unlike thermal, capacitance, and optical sensors, the ultrasonic fingerprint sensor could work through metal, glass, and other solid surfaces, making it theoretically more susceptible.
All these sensors are subject to exploitation, as proved by a Japanese cryptographer, Tsutomu Matsumoto in 2002, who had managed to fool finger print sensors by using a “gummy finger” made directly from a residual fingerprint left on a glass of a target finger. The film then was made into an etching, a mold was created, and a gelatin finger was used. The fraudsters use various techniques depending upon the type of installed sensors, the purpose, the possible spread, the level of collusion etc. The commonly known techniques include, but not limited to (1) fingerprint films (2) fingerprint molds (3) the database hacking or buying for optic, capacitance and thermal scanners. We however. don’t have any knowledge of fooling of Ultrsonic sensor in this respect so far.
In a country, where fingerprint biometric verification is mandatory for getting mobile connection, the SIM box fraudsters were caught to have an Organized Crime Group (OCG) to arrange SIMs by fooling around the optical fingerprint scanners, the mobile operators had provided to their sales channels. These scanners are integrated with government’s central citizen registration system on one hand and the CRMs of the operators on the other. The OCG which include some sales channels/staff, the fingerprint arrangers and the SIM box operators. These dubious sales channels engage people who take high contrast and good resolution (300-500 pixel per inch) pictures using DSLR cameras from the documents from the court, government offices, housing societies etc., prepare high resolution films with multiple pictures along with the relevant citizen registration number. They were paid between US$ 0.25 – 1.5 per fingerprint picture which is shared with the holder of the documents or the record. These prints would be separated and packed in plastic frames in three to four unique prints per frame mentioning the associated citizen ID number to be dispatched to the counterpart sales channels in other parts of the country .
Each picture (2D image), in these frames was put on the scanner, which would scan and send the print to the central database for comparison and verification.The success rate usually ranges between 75%-85% depending upon the quality of the image and the finally developed print.
Other scanners, which use more characteristics (electrical and thermal) than just the pattern of ridges and valleys as in optic scanners cannot be fooled by a simple 2D image. The fraudsters therefore use other techniques like molds and database stealing enacting the third dimension to mimic the other characteristics to fool the scanner. The molds are prepared by taking a fingerprint image or the original finger out of suitable material such as silicone, play dough, or the material used to make gummy bears. This ability has also made it possible to use 3D printer to create the fake fingerprint molds.
The third technique,the fraudsters use to fool the fingerprint scanners,is stealing and using the database which is not properly encrypted, from the systems used by the organizations in collusion with the staff holding such data. This is the most sophisticated technique requiring technically sound hackers to retrieve biometric data from the sensor’s database, change the digital codes, reconstruct the fingerprints thus eliminating the need of the fake fingerprint on the scanner and using the same for the malicious purposes. This technique is more dangerous because it made it possible to be used in large volume. The use of this technique has been reported mainly to obtain mobile phone connections.
This ability of the fraudsters to fool around the scanners is not only a concern for the organizations from their businesses, the individuals from their interests, but also for the governments from security perspectives. The manufacturers of the scanners remain busy in introducing new controls such as fingerprinting multiple fingers than simply thumb and using two than one hand for critical verifications. These controls have caused delays and caused complexity to the verification process in general as a result the single fingerprint scanner continues to remain majorly used tool.Despite all the risks discussed above, the fingerprint scanning remains the most used biometric system being practical and economic around the world.The risk managers therefore need to remain on their toes deploying, maintaining and keep updating an effective detective and preventive control framework to avoid any damage.
Ahmad Nadeem Syed
Chief Executive Officer
Business Assurance Services
DISCLAIMER: Comments expressed here do not reflect the opinions of FraudXpose or any employee thereof.