Can you give away your fingerprints in a photo?
Experts are divided on whether a V-sign in a photo could mean compromising your smartphone’s security
Asians love throwing up the V-sign in photos. It's also been popular with people around the world at various points in time, even getting thrown up by US presidents and adopted as a peace sign in the 1960s.
But warnings about the V-sign contributing to fingerprint theft made waves on the internet recently after a Chinese cybersecurity expert told people that doing so in photos is a security threat.
At a cybersecurity event in Shanghai, one booth was dedicated to warning people about the dangers of using the V-sign too close to the camera, according to a report by The Paper. Zhang Wei, deputy director at the Shanghai Information Security Trade Association, told the news outlet that people’s fingerprint information can be 100% restored if the picture was taken within 1.5 meters (5 feet) of the camera. He added that it becomes difficult to extract fingerprints from photos taken more than 3 meters (10 feet) away.
Zhang’s warning echoes findings from a team of Japanese researchers in 2017. Researchers at Japan’s National Institute of Informatics (NII) also warned about fingerprints in photos taken within 3 meters, saying advanced technology wasn’t required to recreate the prints.
News reports at the time said that NII was developing a transparent film that can hide real fingerprints when attached to fingers. Isao Echizen, a researcher at NII, told us that the project is still under development and that he can’t disclose details.
Going to such lengths to protect your fingerprints might seem extreme, but incentives to bypass biometric security are growing as it increasingly shows up in everything from smartphones to door locks.
“As biometrics become more prevalent in the authentication process, motivated attackers will definitely find innovative ways to bypass them,” said Vivek Chudgar, senior director at Mandiant, a consulting arm of cybersecurity firm FireEye.
But some experts say harvesting fingerprints from pictures requires some specific conditions. Zang Yali, a researcher at the Chinese Academy of Sciences, told Chinese media that a photo must be high resolution, taken at a good angle and shot in the right lighting conditions.
Extracting fingerprints from pictures has proved viable. In 2014, hacker Jan Krissler famously faked the fingerprint of German defense minister Ursula von der Leyen using a few high-definition pictures of her.
In China, users have been growing more concerned about their personal data. So this latest news about fingerprint forgeries triggered a big reaction online.
A hashtag about the topic rose to become the second-highest trending search on Weibo, where many users appeared alarmed. Many people also said that they weren’t worried about it, joking that pictures on social media are heavily filtered and fingerprints would be smoothed out.
In China, smartphone cameras are known for heavily smoothing out textures to create a look considered more appealing to Chinese users -- and if they don’t do so automatically, users tend to apply Meitu filters to existing photos.
Even if your fingerprints are captured in an image, though, some cybersecurity experts suggested there are other things the average user should be more concerned about. Photographs are not the only way, and not even necessarily the easiest way, your fingerprints could be stolen.
FireEye’s Chudgar said that one often overlooked avenue of stealing biometric data is the targeting of systems and applications that store the data for various business purposes. These applications, Chudgar said, are usually built by small vendors and often do not have enough security baked into them, possibly making them easy targets.
Pei Zhiyong, a research director at cybersecurity firm Qi An Xin Group, told Beijing Youth Daily that taking a photo with the V-sign doesn’t create additional security risks. While forging fingerprints from photos is not technically difficult, he said, people are more likely to have devices like smartphones physically near them. It’s the people around you or thieves that are already targeting you that you need to look out for. And these people might have easier ways of stealing your fingerprints.
Gao Yi, senior security expert at Alipay, expressed similar views in a CCTV program. “It is theoretically possible, but in reality, we don’t need to be too worried,” Gao said in the interview, referring to the use of the V-sign.
He said that the fingerprint scanners on many smartphones are capacitive, which are difficult to trick with fake fingerprints. Fingerprint sensors on some smartphones use other methods to confirm the fingerprint is from a real person, such as detecting body heat. Gao added that users should be safe as long as others don’t have physical access to the device.
(Abacus is a unit of the South China Morning Post, which is owned by Alibaba, whose affiliate Ant Financial operates Alipay.)