Fact Check

Can Hackers Use Peace Sign Selfies to Steal Fingerprints and Identities?

Two articles heralding anti-fingerprint theft technology kicked off a wave of claims that hackers are duplicating prints to steal identities.

Published Jan. 12, 2017

Claim:
Hackers can extract fingerprints from peace sign selfies and steal people's identities.

On 9 January 2017, Japanese outlet Shankei Shimbun published an article positing that hackers could use peace signs in selfies to obtain people's fingerprints and compromise their biometric security.  Not long afterward, the article (and other stories about the same topic) had become inaccessible.

A retrieved copy of the Shankei Shimbum article (translated) reported:

Posting photos taken with your face and hand together on the net may cause individuals and fingerprints to be identified. Celebrities in which images are frequently displayed are particularly dangerous to be targeted. Even if you do not submit to it yourself, there is also the risk of being reflected in the photographs taken by other people unknowingly.

In addition to fingerprints, smartphone authentication also uses images of faces, irises of the eyes whose patterns are different among people. Such biometric information is also used for administrative organizations and entrance/exit control. In the past, in order to steal individual's biometric information, it was necessary to take the photograph in close proximity to the person.

However, as biological information became available on the Internet, hurdles dropped greatly for criminals. In the experiments of the National Institute of Informatics, it has been found that even images taken at a distance of 3 meters are readable, and posting "self-shot" piece photographs on the net is easily stolen.

The original articles were less about the dangers of identity theft using fingerprints, and more about the National Institute of Informatics' efforts to develop technology that could potentially prevent such theft in the future.  Professor and researcher Isao Echizen, who works in the lab, told the media:

Biometric information such as fingerprints cannot be changed over the lifetime; I want to educate them on how to protect them.

The article did not explicitly mention the potential for hackers to steal identities, but when the claim filtered into the English-speaking press it was considerably puffed up into alarming claims:

How YOUR selfies are allowing crooks to steal your identity... by zooming in on your FINGERS: HD lenses mean thieves can replicate your fingerprints

People uploading pictures to social media have been urged not to pose pulling the peace sign because crooks can use it to carry out identity theft.

Celebrities are seen as those at the highest risk, but with fingerprint technology on the rise, people's smartphones are seen as vulnerable and fraudsters could even break into workplaces ... Professor Echizen carried out an experiment, which concluded data could be scanned from three metres away if the fingertips were exposed.

This excerpt described what was potentially possible, not what was necessarily taking place.  Information about Echizen's role of anti-fingerprint theft technology was left out entirely, leaving the impression the information emerged purely as a safety warning, rather than as business news about the developing technology.  Also missing from later reports were statements made by Echizen about fingerprint security and technological advances:

"Fingerprint data can be recreated if fingerprints are in focus with strong lighting in a picture," Echizen also told Yomiuri TV.

He added that advanced technology was not necessary and anyone could easily copy fingerprints.

But NII says it has developed a transparent film containing titanium oxide that can be attached to fingers to hide their prints, the reports said.

The film prevents identity theft but does not interfere with fingerprints being effective in identity verification, the Sankei Shimbun reported.

Although the articles routinely referenced "identity theft" (commonly interpreted to mean unauthorized use of financial accounts and personal identification documents), they also described hypothetical situations in which a fingerprint passcodes could potentially be replicated. In those instances, the "hackers" would require both a rendering of the fingerprints and personal devices belonging to their targets (such as a smartphone or point of sale access) to do any damage:

It’s not the first time we’ve been warned against photographing our fingers. In 2014, a hacker demonstrated almost exactly the technique described above, where a German politician’s fingerprints were replicated from photos taken in public, from a distance of around three meters. A 3D mold of the fingerprint was created from the images, which could be used to unlock a secured phone.

No evidence was presented to demonstrate that hackers are currently using photographs to duplicate fingerprints in order to commit crimes or steal identities. The professor quoted on the possibility works with a laboratory that is developing a technology to secure fingerprints, and noted that technology of any sort was not necessary to copy them, as people leave them on surfaces throughout the day.

While the possibility exists that devices could potentially be compromised, the exaggerated headlines made the threat sound more plausible and immediate than even the professor with a new invention did.

Sources

Boxall, Andy.   "Careful, Your Fun Peace Sign Selfie May Lead To Identity Theft."     Digital Trends.   11 January 2017.

McGoogan, Cara Danielle Demetriou.   "Peace Sign Selfies Could Let Hackers Copy Your Fingerprints."     Telegraph.   12 January 2017.

AFP.   "Japan Researchers Warn Of Fingerprint Theft From 'Peace' Sign."     11 January 2017.

Planet Biometrics.   "Security Experts Say Peace Sign Selfies Are A Fingerprint Risk."     10 January 2017.

Kim LaCapria is a former writer for Snopes.