Skilled Impostor Attacks Against Fingerprint Verification Systems And Its Remedy

TL;DR

This paper introduces a new skilled impostor attack against fingerprint verification systems, revealing that traditional evaluation methods underestimate vulnerabilities, and proposes a new protocol for more accurate performance assessment applicable to various biometric systems.

Contribution

The study presents a novel skilled impostor attack method and a new evaluation protocol that better assesses biometric system security and usability trade-offs.

Findings

Active attackers can succeed with over 89% probability against systems tuned at 0.1% false acceptance rate

Traditional evaluation protocols underestimate fingerprint system vulnerabilities

The proposed protocol is applicable to multiple biometric modalities

Abstract

Fingerprint verification systems are becoming ubiquitous in everyday life. This trend is propelled especially by the proliferation of mobile devices with fingerprint sensors such as smartphones and tablet computers, and fingerprint verification is increasingly applied for authenticating financial transactions. In this study we describe a novel attack vector against fingerprint verification systems which we coin skilled impostor attack. We show that existing protocols for performance evaluation of fingerprint verification systems are flawed and as a consequence of this, the system's real vulnerability is systematically underestimated. We examine a scenario in which a fingerprint verification system is tuned to operate at false acceptance rate of 0.1% using the traditional verification protocols with random impostors (zero-effort attacks). We demonstrate that an active and intelligent attacker can achieve a chance of success in the area of 89% or more against this system by performing skilled impostor attacks. We describe a new protocol for evaluating fingerprint verification performance in order to improve the assessment of potential and limitations of fingerprint recognition systems. This new evaluation protocol enables a more informed decision concerning the operating threshold in practical applications and the respective trade-off between security (low false acceptance rates) and usability (low false rejection rates). The skilled impostor attack is a general attack concept which is independent of specific databases or comparison algorithms. The proposed protocol relying on skilled impostor attacks can directly be applied for evaluating the verification performance of other biometric modalities such as e.g. iris, face, ear, finger vein, gait or speaker recognition.