Just a few days back, we saw that Bykea had exposed millions of users' data, available to download at a size of over 200 gigabytes.
Now another thumb impression scandal has been reported by ARY News, and Rafay Baloch, one of Pakistan's top cyber security experts, has pointed out some valid points regarding it.
Last night, a report on ARY News pertaining to a “Fake Thumb Impressions Scandal” claimed to have disrupted the biometric fingerprint authentication system of Pakistan and the rest of the world. The investigators went to great lengths, claiming it to be the biggest digital scandal of this century.
Being someone closely involved in several cyber investigations related to biometric fingerprint frauds in the past, I would like to point out that several claims were misleading, so let’s get some facts straight:
– The technique works by tricking people into giving their biometric fingerprints by posing as agents of a telecom company or the Ehsas/BISP program. This is equivalent to people voluntarily giving away their passwords. However, unlike a password, you can’t change your fingerprint.
– This is not the first time crime gangs using ‘fake silicone thumbs’ have been uncovered. The first instance of the use of fake biometric fingerprints was reported to FIA CCW back in 2016. Similarly, in April 2020 FIA CCW arrested a gang involved in using similar techniques to illegally register SIMs.
– The technique of creating silicone rubber fingerprints is not new and has been around since the early use of biometric fingerprints as an authentication mechanism. Tsutomu Matsumoto, in his 2002 paper “The Impact of Artificial “Gummy” Fingers on Fingerprint Systems”, demonstrated the very same technique for creating fake fingerprints. The same technique was used by researchers at Lookout to bypass Apple Touch ID.
– In 2014, at the CCC conference, a similar technique was demonstrated by a researcher who managed to construct a working model of the German defense minister’s fingerprint based upon a high-resolution photograph of her hand.
– Biometric fingerprints alone cannot be used to register a SIM unless the retailer or franchise is involved. PTA has recently fined two operators Rs 100 Mn and Rs 50 Mn respectively for the sale of grey SIMs.
– Similarly, having a duplicate biometric fingerprint alone would not allow an attacker to withdraw money from your ATM card in most cases. Many banks use the biometric fingerprint as a second authentication factor instead of the PIN.
However, many users in the comments have reported banks relying solely on the CNIC and biometric fingerprint and allowing cardless transactions, which is highly insecure behavior.
Of course, there are other ways in which a user’s identity can be authenticated; however, the most important thing here is that any form of authentication mechanism can be defeated if the user willfully gives away their data.
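The distinction the post draws between a bank that uses the fingerprint as a second factor and one that accepts CNIC plus fingerprint alone comes down to counting distinct factor classes, not credentials. The following is an added illustration (not the bank’s, PTA’s or Rafay Baloch’s code) of an authorization check that does that counting. The account fields, the PBKDF2 PIN hashing, the exact-match stand-in for a fingerprint matcher and the sample CNIC, card number, PIN and template bytes are all constructed for the example.

```python
"""Factor-class policy check: a cloned fingerprint plus a public CNIC must not
authorize a withdrawal on its own.  Constructed example, not production code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Which class of authentication factor each credential type belongs to.
FACTOR_CLASS = {
    "pin": "knowledge",          # something you know: can be changed after compromise
    "card": "possession",        # something you have: can be re-issued
    "fingerprint": "inherence",  # something you are: cannot be changed once cloned
}


@dataclass
class Account:
    cnic: str                    # national ID number: a lookup key, never a secret
    card_number: str
    pin_salt: bytes
    pin_hash: bytes
    fingerprint_template: bytes  # enrolled template (constructed bytes in this example)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumed parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def enrol(cnic: str, card_number: str, pin: str, template: bytes) -> Account:
    salt = secrets.token_bytes(16)
    return Account(cnic, card_number, salt, hash_pin(pin, salt), template)


def verify_fingerprint(acct: Account, presented: bytes) -> bool:
    # A real matcher scores minutiae similarity; exact comparison stands in for it.
    # A good silicone clone produces a matching template, which is the whole problem.
    return hmac.compare_digest(acct.fingerprint_template, presented)


def satisfied_factor_classes(acct: Account, evidence: dict) -> set:
    """Return the set of factor classes the presented evidence actually proves.

    evidence["cnic"] is deliberately ignored: it only identifies the account,
    and anyone who has seen the ID card knows it.
    """
    classes = set()
    if "pin" in evidence and hmac.compare_digest(
        hash_pin(evidence["pin"], acct.pin_salt), acct.pin_hash
    ):
        classes.add(FACTOR_CLASS["pin"])
    if "card" in evidence and hmac.compare_digest(evidence["card"], acct.card_number):
        classes.add(FACTOR_CLASS["card"])
    if "fingerprint" in evidence and verify_fingerprint(acct, evidence["fingerprint"]):
        classes.add(FACTOR_CLASS["fingerprint"])
    return classes


def authorize_withdrawal(acct: Account, evidence: dict, min_classes: int) -> bool:
    """Grant only when at least min_classes *distinct* factor classes are proven."""
    return len(satisfied_factor_classes(acct, evidence)) >= min_classes


# Constructed sample data: a victim account and what the attacker obtained.
REAL_TEMPLATE = hashlib.sha256(b"constructed minutiae template").digest()
VICTIM = enrol(cnic="12345-1234567-1", card_number="4111111111111111",
               pin="4821", template=REAL_TEMPLATE)

# The victim handed a thumb impression and a CNIC copy to a fake "telecom agent".
# The silicone cast yields the same template as the real finger.
CLONED_THUMB = {"cnic": VICTIM.cnic, "fingerprint": REAL_TEMPLATE}


def scenario() -> dict:
    """Outcome of the same cloned-thumb attack under two bank policies."""
    return {
        # CNIC + fingerprint cardless withdrawal: one factor class, attacker wins.
        "biometric_only_policy": authorize_withdrawal(VICTIM, CLONED_THUMB, min_classes=1),
        # Fingerprint as second factor: the clone alone is refused.
        "two_factor_policy": authorize_withdrawal(VICTIM, CLONED_THUMB, min_classes=2),
        # The legitimate customer adds the PIN and is still served.
        "legit_fp_plus_pin": authorize_withdrawal(
            VICTIM, {**CLONED_THUMB, "pin": "4821"}, min_classes=2),
    }


if __name__ == "__main__":
    for name, granted in scenario().items():
        print(f"{name}: {'GRANTED' if granted else 'denied'}")
```

The point of `satisfied_factor_classes` returning classes rather than a credential count is that two credentials of the same class (a fingerprint and a second fingerprint, or a CNIC and a fingerprint) never add up to two factors; only a knowledge or possession factor, which can be reset after the fraud, turns a stolen thumbprint into something the attacker cannot use alone.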