Biometric Identity Theft

Posted on Updated on

Recently I have been researching the potential of fraud and identity theft using fingerprints from photos posted on social media. Last week Amazon released its “Amazon One” Palm Scanner as a means to pay for purchases when shopping. That announcement made me wonder, what are the potential implications for fraud and identity theft using biometric data taken from images?

Man's forearm and hand, index finger extended to point to one of a series of "digital keys"
Could Photos posted on Social Media sites become the Key to Digital Identify Theft?

There are a surprising number of ways to accurately identify someone from a photo or video. Moreover, there is technology to copy fingerprints from social media photos taken up to three meters away. New technology has been proven effective at using 3D printing technology to create “fake fingerprints” that will bypass many fingerprint scanners.

Technology continues to improve at a rapid pace, which often means, “Where there is the will there’s a way.”

Since fingerprints can be copied from photos taken up to three meters away does that mean a palm print could potentially be copied from a photo taken 5-10 meters away? That question led to an interesting but unscientific experiment where I took pictures of my own hand, enlarged them, and then measured the distance between the ridges and furrows of both my fingers and my palm, and then compared the results of the two. Spoiler – probably not.

There are several areas where that distance was similar for both my fingers and palm. But, there were also areas on my palm where the average distance between “landmarks” was 3-5+ times greater. It turns out that for identification purposes a palm image is often segment into 3-4 distinct regions, likely due to this type of variation. This link was helpful to understand the process.

This research led to an idea for a chip-based embedded filter for smart devices and laptops. It would obfuscate key biometric information when extracting the data for display, without affecting the integrity of the original stored image. This functionality would automatically provide an additional layer of privacy and data protection. It would require optimized object detection capabilities (possibly R-CNN) that were highly efficient, and run on a capable but low energy processor like the Arm Cortex-M. Retraining and upgrades would be accomplished with firmware updates.

Edit 2020-10-13: This article on “Tiny ML” from is the perfect tie-in to the idea described above.

While Amazon’s technology is much newer and presumably at least partially based on their 2019 Patent Application (which does look impressive), it makes you wonder how susceptible these devices might be to fraud given reports of the scans occurring “almost instantaneously.” Speed is one aspect of successful large-scale commercial adoption but the accuracy and integrity of the system are far more important from my perspective.

Time will tell how robust and foolproof Amazon’s new technology really is. Given their reach, this could occur sooner than later. Ultimately, multiple forms of biometric scans (such as a full handprint with shape, palm, and fingerprints, or a retina scan 2-3 minutes prior to the palm scan to maintain performance) may be required for enhanced security, especially with mobile devices.

Additional Resources: