Naked Security

Vein authentication beaten by wax hand and photograph

A new presentation shows how vein authentication systems can be fooled using a fake wax hand model.

For anyone who believes vein authentication is more secure than fingerprints or facial recognition, we have good news – researchers have just shown how the technology can be beaten.

Before we explain why that statement isn’t a contradiction, let’s dive a bit deeper into what researchers Jan Krissler and Julian Albrecht reportedly outlined at last weekend’s Chaos Communication Congress (CCC) in Germany.

As with fingerprints, faces, or the iris of the human eye, the complex shape, size and position of veins in someone’s palm are unique to each person, including for identical twins.

These patterns are read using near-infrared light (i.e. almost visible as opposed to the non-visible ‘far’ infrared emitted by warm objects) and are less prone to physical injury than fingerprints. Unlike fingerprints, we also don’t leave them on the objects we touch for someone to copy.

There are disadvantages: vein patterns change slightly as people age, ambient light can interfere with recognition, and the precision needed to make the technology work makes it expensive.

That last issue might explain why, beyond a handful of banks and high-end users such as the HQ of Germany’s Bundesnachrichtendienst (BND) intelligence agency, few people are currently likely to encounter the use of vein authentication.

And the hack?

According to Motherboard, Krissler and Albrecht’s presentation showed how vein authentication systems could be fooled using nothing more complicated than a faked-up wax hand model and a printout of their own veins photographed using a good-quality SLR camera which had had its infrared filter removed.

This sounds like a simple hack – print off a picture of the target’s veins, and mock up something that looks like a hand to cover it.

The fact this can be done at all doesn’t sound like a great advert for vein authentication until you read the extended testing the pair had to go through simply to get to that point.

To get an accurate print of the veins, the pair admitted they’d had to experiment with 2,500 pictures over a one-month period to get to an image that worked. Explained Krissler to Motherboard:

“It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them.”

Presumably, this would require a clear view, minimal interference from other light sources, and the ability to take full images of someone’s hand without that being detected.

Krissler was pleased with their achievement:

“When we first spoofed the system, I was quite surprised that it was so easy.”

Not that easy. What they’ve really demonstrated is that with enough resources, time, and a motive, an attacker would have a fair chance of beating vein authentication for a single person.

This doesn’t mean that using a fake handprint would be straightforward in a real-world situation where other security measures (e.g. a security guard) are also in place.

It’s true that vein authentication systems are vulnerable to bypasses, but so are all other systems yet invented, including fingerprint and facial recognition (Apple’s Face ID), and almost any authentication system when used in isolation.

9 Comments

If only there was a way we could hold secret information. Not a fixed thing, like a body part, phone number, something that is not a thing. Information we could hold in our brain maybe? Like a Code, that we can change in a moment’s notice. That we could put into a system fairly securely with standard equipment to Pass an authentication test. I think I’ll call it a Passcode. I was thinking Password, but in order to make the code hard to break, we would have to use symbols and numbers mixed in, so yeah, code works better. And best of all, I can keep it a secret in my head, nobody can steal it. Now granted I have to remember the code, but with a few training aids that would be easy.
I’ve got to run down to the patent office and get this patented! I’m going to be RICH!!!
Meh, I don’t feel like running. If you steal my idea and get rich, you should at least buy me a beer.
Bonus on the idea, also use additional authentication can call it Multipass, oh wait, that’s a girl’s name. Guess I’ll buy my own beer. Happy Friday

Nobody’s getting rich off that idea :)

Remember, the challenge isn’t to remember one strong password, it’s to remember upwards of 25. I get what I think you’re saying about biometrics though, and I’m sort of with you, but PIN/biometrics + public key crypto could take us a long way. Of course nobody will understand it…

I would love to see more PGP in authentication, especially if keys are stored in key servers that allow users to do things like lock or change their keys.

What if we used the veins of a more “private” body part… no one would want pics of that and hopefully no one is showing it in public… of course logging in would be something everyone would need to use the restroom for…

Gents, at the end of the day, I can imagine it took some very intelligent genius types to come up with biometrics and if humans weren’t so bad at creating good passwords and there weren’t evil villains waiting to steal or trick people out of their passwords or banking on weak passwords using cracking tools or breaking into weakly secured systems then passwords due to their ubiquity and ease of use would be the only way to go but alas we don’t live in a perfect world. Let’s be honest though for the majority of consumer users using a password manager and enabling MFA and using biometrics on a mobile device is going to be good enough at least in the short term future. I know deep down that I am just not ever going to be targeted by villains who think my personal data is worth going to the effort of capturing my veins and wrapping it around a 3D model of a hand in order to gain access, who am I, certainly not 24601 :-)

Biometric authentication will become so pervasive that the only thing the bad guys will need to do will be to hack your existing biometric data from your office, your bank, or more likely the half-competent consulting firm one or the other used, who left all of the collected biometric data they have in an unsecured AWS S3 bucket.

What I absolutely do not want to see is systems eliminating the ability to use passwords in favor of ONLY biometrics, since my personal password hygiene is stronger than any biometric approach and doing such a thing would leave me more exposed, and I’m not interested in leaving my biometric data in the care of big tech companies that have already repeatedly demonstrated total disdain for the proper use and care of my sensitive personal data.
