FIDO Password Replacement: Spoofing Samsung Galaxy S5 Fingerprint Biometric Authenticator Using a Latent Fake Fingerprint Approach

Rylan Chong (1), Chris Flory (2), Jim Lerums (3), David Long (4)
Purdue University (1), [email protected]; Purdue University (2), [email protected]; Purdue University (3), [email protected]; Purdue University (4), [email protected]

Keywords: Biometrics, FIDO, FIDO Ready Devices, Fingerprint Biometrics, ISO, Latent Fake Fingerprint, Metrics, Passwordless, Passwords, Samsung Galaxy S5, Spoofing

Fingerprints are the most common biometric means of authentication. This project was to determine if the Samsung Galaxy S5 and PayPal FIDO Ready implementation was vulnerable to latent fake fingerprint spoofing using Brown’s (1990) and Smith’s (2014) approaches. Latent fake fingerprints could allow an illegitimate user access to secure information.

Table of Contents

Executive Summary 2
1 Detailed Problem Description 4
2 Literature Review 4
3 Approach 10
4 Results and Conclusions 20
5 Schedule 20
6 Budget 21
7 Final Discussion and Future Directions 22
8 Bibliography 23
9 Biographical sketches of the team members 26
10 Appendix 27

12-Dec-14

Executive Summary

This research is the next step in comparing authentication security between Fast Identity Online (FIDO) solutions and passwords. The security authentication standards developed by the FIDO Alliance offer two architectures, the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). Both architectures include FIDO solutions (e.g., biometrics, two-factor authentication, client, and server) and FIDO protocols (i.e., the process to register, identify and verify the identity of a user, and provide access to secure information). The specifications for both architectures are currently under final review, with completion scheduled for late 2014 or the first quarter of 2015. Due to potential specification changes and limited funding, time, and equipment, this project focused on developing a pilot study to examine and determine whether a FIDO Ready Samsung Galaxy S5 phone was vulnerable to spoofing with a latent fake fingerprint using Brown’s (1990) instructional approach and Smith’s (2014) superglue approach.

The primary challenge was scoping down the FIDO project. The initial plan was to create a matrix of relevant and important sub metrics necessary to evaluate FIDO Ready solutions, and to provide potential measures for each sub metric considered. However, while conducting a second literature review on the various sub metrics, the team found that the authenticity sub metric had a significant security issue: spoofing a fingerprint biometric authenticator using a latent fake fingerprint. In light of the new direction, the team’s goal evolved from providing a matrix of sub metrics and associated measures, which would have given the next team little direction to build on, to laying out groundwork and developing a pilot study that was then conducted.

One of the team members currently owns a FIDO compliant Samsung Galaxy S5 phone. Understandably, the phone’s owner preferred to use his own fingers for the test, because the phone had applications with access to his financial accounts and sensitive private information. As a result of the study, the owner of the phone was able to successfully develop a latent fake fingerprint of his right index finger. However, when the owner tried to use the latent fake fingerprint to spoof the phone over 10 attempts, he did not gain access to the phone. This pilot study was intended to test the effectiveness of Brown’s (1990) and Smith’s (2014) approaches and was not statistically sufficient to support any final conclusions on spoofing the FIDO Ready Samsung Galaxy S5 and PayPal solution.

Although the spoofing attempt was unsuccessful, the team gained some insights. First, the team was able to develop a latent fake fingerprint using Brown’s (1990) and Smith’s (2014) approaches. Second, the team observed that developing the latent fake fingerprint with inexpensive and common household materials was more complicated than internet search results suggested; higher-level skills and more time were required than those results implied. Third, the team was unsuccessful in gaining access to the Samsung Galaxy S5 phone after 10 attempts, so the phone maintained a degree of authenticity security.

For future direction, the team discussed two recommendations. The first is a depth direction, meaning the focus would be on refining the team’s approach to spoofing the Samsung Galaxy S5 phone. There are three steps for this direction. The first step would be to validate the team’s approach using the same or similar materials. The second step is to further investigate and improve the process and materials used in developing the latent fake fingerprint. A third step is to investigate the image quality of the developed latent fake fingerprint.


The second recommendation is the breadth direction, because FIDO is not solely about the Samsung Galaxy S5 phone and its fingerprint biometric authenticator; it includes other solutions and protocols. The basis of the breadth direction would be to identify as many areas of FIDO as possible that are vulnerable. A starting point for this direction is to validate the Security Research Laboratory’s (SRL) approach, as SRL claimed to have successfully spoofed not only the Samsung Galaxy S5 PayPal FIDO Ready solution but also the fingerprint reader on Apple’s iPhone 5S. If the next team confirms that SRL’s approach is as effective at spoofing various fingerprint readers (FIDO or otherwise) as depicted in its YouTube videos, then it may be inferred that, with the current state of the art, most if not all fingerprint readers are vulnerable, and the study should move on to analyze other aspects of FIDO’s solutions and protocols. Further testing of FIDO solutions will require additional investment in equipment and test server access, since testing with a personal device holding sensitive information on personal financial accounts is not desirable. Contact with the FIDO Alliance has been initiated to request access to test servers as well as FIDO Alliance partners’ contact information for technical collaboration.


1 Detailed Problem Description

The Fast Identity Online (FIDO) Alliance has offered two architectures (i.e., UAF and U2F), both of which include FIDO solutions and FIDO protocols that will replace or supplement passwords. However, implementing the two architectures may reveal new security challenges that could jeopardize the confidentiality, integrity, and availability of what is being protected (e.g., anything from a mobile device to critical infrastructure). Given that fingerprints are the most common biometric means of authentication, the task of this project was to develop a pilot study to examine and determine whether a FIDO Ready Samsung Galaxy S5 phone was vulnerable to spoofing with a latent fake fingerprint using Brown’s (1990) instructional approach and Smith’s (2014) superglue approach.

2 Literature Review

One of the challenges of this project was its scope. After several iterations of reviewing the literature, the team scoped the project to developing a study methodology that will test whether a FIDO Ready Samsung Galaxy S5 phone fingerprint biometric authenticator can be spoofed using a latent fake fingerprint. Before the midterm report, the team’s initial plan was to create a matrix of relevant and important sub metrics necessary to evaluate FIDO Ready fingerprint biometric solutions, and to provide potential measures for each sub metric considered. While conducting a second literature review on relevant and important sub metrics, the team discovered that the sub metric of authenticity was linked to fingerprint biometric security issues. Furthering the review of the literature, spoofing with latent fake fingerprints emerged as a particular area of interest. This literature review section discusses how the team scoped the project.

The literature review is divided into nine parts. The first part introduces the security framework with the potential metrics and sub metrics that are being considered as a starting point and are relevant to fingerprint biometrics. The term metrics, as used in this project, means measurable characteristics of the fingerprint biometrics; sub metrics are measurable sub characteristics nested in those measurable characteristics. Both metrics and sub metrics are illustrated in the Figure 1 security framework below. The second part discusses the metrics and sub metrics. The third part discusses biometric advantages and security challenges. The fourth part discusses the reasons for using the fingerprint biometric for the project. The fifth part discusses fingerprint issues relevant to the security framework sub metrics. The sixth part discusses the authenticity sub metric and spoofing with fake fingerprints. The seventh part discusses spoofing with latent fake fingerprints. The eighth part discusses approaches to capture latent fingerprints. The last part discusses the measures, statistics, and interpretation of results necessary for this study.

2.1 Metrics and sub metrics consideration.

The Figure 1 security framework illustrates the potential metrics and sub metrics that will be considered as a starting point and that apply to fingerprint biometrics.



Figure 1 Metrics and sub metrics security framework consideration

2.2 Metrics and sub metrics.

The International Organization for Standardization (2000) ISO/IEC FDIS 9126-1 was considered because it is the starting point of this project and the standard is internationally recognized. ISO/IEC FDIS 9126-1 introduced several software product quality evaluation metrics and their corresponding sub metrics. The first set of metrics includes functionality (sub metrics: suitability, accuracy, interoperability, and security), usability (sub metrics: understandability, learnability, operability, and attractiveness), and efficiency (sub metrics: time behavior and resource utilization). However, when reviewing ISO/IEC FDIS 9126-1, some sub metrics could be considered usability, which is one reason Kainda, Fléchais, and Roscoe (2010) and Nielsen (1993) are introduced in this section. Another reason Kainda et al. (2010) and Nielsen (1993) were considered is that they are experts in the field of usability and had reorganized the ISO/IEC FDIS 9126-1 usability metric. For example, Kainda et al. (2010) and Nielsen (1993) moved the accuracy sub metric of functionality into usability, because if a legitimate user has difficulty gaining access to protected information due to authentication false rejections (i.e., a legitimate user denied authorized access), then the authenticator is unusable. Kainda et al. (2010) and Nielsen (1993) also included efficiency in usability. Efficiency is a sub metric of usability because if the authenticating process takes time or effort beyond an acceptable limit, then the authenticator is unusable: for example, if authentication takes 10 minutes instead of five seconds, or eight steps instead of two. According to Kainda et al. (2010) and Nielsen (1993), the usability metric includes the following sub metrics:

Effectiveness: “A system is only useful if its users are able to achieve intended goals” (Kainda et al., 2010, p. 277). Kainda et al. (2010) continue that “effectiveness is measured by whether users are able to complete a particular task or not” (p. 277).
Efficiency: Nielsen (1993) described efficiency as “the system should be efficient to use, so that once the user has learned the system a high level of productivity is possible” (p. 26). Another description of efficiency is that “the goal must be achieved within an acceptable amount of time and effort” (Kainda et al., 2010, p. 277).
Errors: “Any action that does not accomplish the desired goal” (Nielsen, 1993, p. 32). Another description of errors is accuracy (Kainda et al., 2010).
Learnability: The effort to learn and understand a system, which could result in improving knowledge and skill (Kainda et al., 2010; Nielsen, 1993).
Memorability: The ease of remembering (Kainda et al., 2010; Nielsen, 1993).
Satisfaction: Nielsen (1993) described satisfaction as “the system should be pleasant to use, so that users are subjectively satisfied when using it; they like it” (p. 26). Kainda et al. (2010) described satisfaction as the “users’ subjective assessment” that determines system success.

Security in International Organization for Standardization (2000) ISO/IEC FDIS 9126-1 was considered a sub metric of functionality. However, Azuma (2008) removed security from the functionality metric and included security as its own metric, because security had its own set of sub metrics. In addition, the International Organization for Standardization (2005) ISO/IEC 27002 renamed the security metric as information security. The following are the sub metrics of the information security metric:

Confidentiality: “The degree to which the software product provides protection from unauthorized disclosure of data or information, whether accidental or deliberate.”
Integrity: “The degree to which the accuracy and completeness of assets are safeguarded.”
Non-repudiation: “The degree to which actions or events can be proven to have taken place, so that the events or actions cannot be repudiated later.”
Accountability: “The degree to which the actions of an entity can be traced uniquely to the entity.”
Authenticity: “The degree to which the identity of a subject or resource can be proved to be the one claimed” (p. 18).

Azuma (2008) did not include availability in the security metric, but according to International Organization for Standardization (2005) ISO/IEC 27002, availability should be considered an information security sub metric, because it is the degree to which the information and information system are operational and accessible when requested. The last metric is portability, which is the capability of a solution (e.g., fingerprint biometrics) or protocol to be “transferred from one environment to another” (International Organization for Standardization, 2000, p. 11). Without portability, the solutions and protocols will not perform and operate adequately, which will pose usability and security issues. According to the International Organization for Standardization (2000) ISO/IEC FDIS 9126-1, portability includes four sub metrics:

Adaptability: The capability of a solution or protocol “to be adapted for different specified environments without applying actions or means other than those provided for this purpose for the software considered.”
Installability: The capability of a solution or protocol “to be installed in a specified environment.”
Co-existence: The capability of a solution or protocol “to co-exist with other independent software in a common environment sharing common resources.”
Replaceability: The capability of a solution or protocol “to be used in place of another specified software product for the same purpose in the same environment.” (p. 11)

2.3 Biometrics advantages and security challenges.

According to Bonneau, Herley, Van Oorschot, and Stajano (2012), biometrics have an advantage over passwords: resilience to physical observation and random guessing. O’Gorman (2003) also found an additional advantage: biometrics are not easily shared or stolen. Both Bonneau et al. (2012) and O’Gorman (2003) claimed that a primary advantage biometrics have over passwords is the absence of recollection issues. Unlike passwords, a biometric is part of a person, whether in the form of a fingerprint, facial recognition, iris scan, or voice match.

Biometrics also have security challenges. Unlike passwords, biometrics are not considered a 1:1 match (i.e., biometric matching is considered a 1:many match). More specifically, it involves “comparing one set of submitted samples to one set of enrollment records” (Anil K. Jain et al., 2004, p. 5). Hence, biometrics include the challenge of false acceptance rates (i.e., a user who should not gain access is allowed access) and false rejection rates (A.K. Jain, Bolle, & Pankanti, 1999; A.K. Jain & Ross, 2008; Anil K. Jain et al., 2004), which vary by system. A second disadvantage is that biometrics are expensive and inconvenient compared to passwords (O’Gorman, 2003). It is important to note that there is some disagreement in this area, as Jain et al. (2004) claim that biometrics are not expensive and are convenient. The third disadvantage is that compromised biometric identifiers may be difficult to change (Jain et al., 2004), because users have only one face, a limited number of digits for prints, and a limited number of irises.

2.4 Considering fingerprint biometrics for the project.

Since FIDO only offers fingerprint, iris, voice, and face, these biometrics will be compared and discussed in this section. Jain et al. (1999) developed a biometric comparison table comprised of seven characteristics. Jain et al. (2008) defined the characteristics as follows:

Universality – “Every individual accessing the application should possess the trait.”
Uniqueness – “The given trait should be sufficiently different across individuals comprising the population.”
Permanence – “The biometric trait of an individual should be sufficiently invariant over a period of time with respect to the matching algorithm. A trait that changes significantly over time is not a useful biometric.”
Collectability – “It should be possible to acquire and digitize the biometric trait using suitable devices that do not cause undue inconvenience to the individual. Furthermore, the acquired raw data should be amenable to processing in order to extract representative feature sets.”
Performance – “The recognition accuracy and the resources required to achieve that accuracy should meet the constraints imposed by the application.”
Acceptability – “Individuals in the target population that will utilize the application should be willing to present their biometric trait to the system.”
Circumvention – “This refers to the ease with which the trait of an individual can be imitated using artifacts (e.g., fake fingers), in the case of physical traits, and mimicry, in the case of behavioral traits.” (p. 22)

Table 1 illustrates the comparison of the biometric solutions FIDO offers against Jain et al.’s (1999) seven characteristics.

Table 1 Biometric characteristics comparison (adapted from Jain et al., 1999, p. 16)

Characteristic   Face     Fingerprint   Iris     Voice
Universality     HIGH     MEDIUM        HIGH     MEDIUM
Uniqueness       LOW      HIGH          HIGH     LOW
Permanence       MEDIUM   HIGH          HIGH     LOW
Collectability   HIGH     MEDIUM        MEDIUM   MEDIUM
Performance      LOW      HIGH          HIGH     LOW
Acceptability    HIGH     MEDIUM        LOW      HIGH
Circumvention    LOW      HIGH          HIGH     LOW

Based on Table 1, the fingerprint and iris biometrics did not have as many low characteristics in comparison to the face and voice biometrics. However, the study considered fingerprint because fingerprints were more mature than iris (A.K. Jain & Ross, 2008; United States Marshal’s Service, 2014) and a team member has access to a fingerprint biometric authenticator through his FIDO Ready Samsung Galaxy S5 phone.

2.5 Fingerprint biometric security issues relevant to particular sub metrics.

Since fingerprint biometrics are being considered, note that according to Bhattacharyya, Ranjan, Alisherov, and Choi (2009) and Jain et al. (2008), fingerprints do have security issues relevant to a few sub metrics in the Figure 1 security framework: availability, authenticity, error, and effectiveness. The lack of availability of the ridges and valleys of a finger due to wet or dry fingers, aging, and/or injuries degrades the quality of the captured fingerprint template, which can result in a false acceptance or a false rejection of a user. A poor quality template would affect the availability of protected information by preventing a legitimate user (i.e., the correct user) from gaining access. Moreover, a poor quality captured template may make protected information available to a malicious actor (i.e., an incorrect user who may be an imposter). Authenticity is another sub metric that will be impacted, such that a user will not be able to prove his or her identity as a result of the third sub metric, errors of false acceptance or false rejection. Lastly, if a user cannot authenticate and cannot gain access to protected information, the effectiveness of the fingerprint biometric will be a concern, as the user will not be able to achieve his or her intended goal of accessing the protected information. In summary, availability, authenticity, error, and effectiveness are potentially significant sub metrics to consider and the starting point for this project.

//put this in the conclusion //think about putting in the approach

2.6 Focusing on spoofing with latent fake fingerprints.

There is a weakness in using fingerprint biometrics for security authentication. Fingerprints are the most used biometric authenticator and may be vulnerable to spoofing attacks, because we leave a fingerprint on anything we touch with our hands (Galbally, Fierrez, Rodriguez, Alonzo, Ortega & Tapiador, 2006; Galbally, Cappelli, Lumini, Maltoni & Fierrez, 2008). There are several approaches by which a malicious actor can replicate a fingerprint to try to spoof a fingerprint biometric authenticator, including the plastic approach, exemplar approach, patent approach, and latent approach.

2.6.1 Plastic fingerprints

Plastic fingerprints are prints that individuals leave after placing a finger into some form of malleable material. This method is usually accomplished by having an individual willingly push one, or all, of their fingers into silly putty, gummy bears, used chewing gum, or any other soft material that would leave an imprint of the individual’s fingerprint in the material. A mold of the print can be made from the impression, and a spoofed fingerprint is obtained. Due to the malleability of the material being used, a mold of the fingerprint can be difficult to obtain (Maltoni, Maio, Jain, & Prabhakar, 2005).

2.6.2 Exemplar fingerprints

Exemplar fingerprints are prints recorded by an agency using ink or automated laser technology. This method is accomplished by rolling the individual’s fingers in ink and then transferring the prints onto a fingerprint card one at a time, or by pressing each finger onto a laser fingerprinting machine, which records the print image into a computer database for storage. This is the method that law enforcement and other agencies use when capturing fingerprints of arrested persons or for employment background checks (Maltoni et al., 2005).

2.6.3 Patent fingerprints

Patent fingerprints are prints that result from the transfer of substances other than the normal skin oils and chemicals from the individual’s finger to another surface. For example, if an individual had been working on a motor vehicle, engine grease and grime left on the individual’s hands would transfer to a surface or tool being used. This type of print can be digitally photographed and duplicated using a common laser printer, but it is more likely to be smeared or disfigured depending on the amount and type of transferred substance (Maltoni et al., 2005).


2.6.4 Latent fingerprints

Latent fingerprints are prints that individuals leave on everything they touch and are therefore the most common type of fingerprint left on surfaces. The oil residue and sweat present on the skin are transferred to objects when pressure is applied with the finger to a surface; the residue transfers and an impression of the skin surface remains. The quality of the print depends on the amount of residue present on the skin, the amount of pressure applied to the surface, and the surface material and characteristics. The print can be exposed and lifted using a fingerprint kit and dusting technique, which takes practice and training, or by the use of superglue in a semi-airtight environment created with a cardboard box (Maltoni et al., 2005; Saferstein, 1998).

2.6.5 Latent fingerprint acquisition

In 1978, the Japanese Criminal Identification Division used superglue to capture fingerprints. The technique was simple and cost effective. An area where fingerprints were thought to be located was identified. A small amount of superglue was placed in an open dish, and an airtight box was placed over the area with the superglue inside. When a heat source was introduced into the closed space, the chemical composition of the superglue, methyl cyanoacrylate or ethyl cyanoacrylate, reacted with the oils on the fingerprint surface. The fingerprint became visible and could be photographed with a simple digital camera (Brown, 1990; Smith, 2014). For this study, the team recommends Brown’s (1990) and Smith’s (2014) approaches for capturing the latent fingerprint for several reasons. The first few reasons were time, material availability, and budget constraints. Another set of reasons was ease of use and learnability. Lastly, the materials introduced by Brown (1990) and Smith (2014) can be found in the average home.

2.7 Measures, statistics, and interpretation

The International Organization for Standardization (2005) ISO/IEC FCD 19795-1 on biometric performance testing and reporting, Part 1, provides definitions and procedures for statistically determining the veracity of a fingerprint authentication process. For comparing the authentication security of FIDO solutions with passwords, the research did not uncover any authoritative measure of False Acceptance Rates (FAR) (i.e., FAR = number of successful spoofing attempts / number of attempts) for passwords. This in turn leads to selecting a target FAR for testing FIDO solutions, which will be constrained by time and funding. Specifically, to have a 90% confidence level that a FIDO solution has a FAR of 1% or less, 3000 genuine attempts by different users would be required; if a target of 0.1% FAR is desired, then 30,000 genuine attempts will be required (see Annex B of ISO/IEC FCD 19795-1, 2005).

//number attempts and number participants will have to do more research //future works as well
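The sample-size arithmetic in this section, and the executive summary’s remark that 10 attempts are not statistically sufficient, can be checked with a short calculation. The following Python is an added example written for this page; it is not code from the report, the FIDO Alliance, or ISO. It assumes the Rule of 30 and Rule of 3 heuristics described in ISO/IEC 19795-1 Annex B, and the attempt log it uses is constructed to mirror the pilot’s shape (one spoof finger, 10 attempts, none accepted).

```python
"""Test-planning arithmetic for a fingerprint spoof evaluation.

Added example for this report; not code from the report, the FIDO Alliance, or ISO.
Assumptions: the Rule of 30 and Rule of 3 heuristics from ISO/IEC 19795-1 Annex B,
and a constructed attempt log standing in for real trial data.
"""
import math
from typing import Iterable, Tuple

# Constructed attempt log: (participant, finger, attempt_no, accepted).
# Shaped like the pilot study: one spoof finger, 10 attempts, none accepted.
PILOT_ATTEMPTS = [("owner", "right_index", i, False) for i in range(1, 11)]


def false_acceptance_rate(attempts: Iterable[Tuple[str, str, int, bool]]) -> float:
    """FAR as the report defines it: successful spoof attempts / total attempts."""
    attempts = list(attempts)
    if not attempts:
        raise ValueError("no attempts recorded")
    accepted = sum(1 for *_, ok in attempts if ok)
    return accepted / len(attempts)


def attempts_for_rule_of_30(target_far: float) -> int:
    """Doddington's Rule of 30 (ISO/IEC 19795-1 Annex B): to be 90% confident that
    the true error rate is within +-30% of the observed rate, at least 30 errors
    must be observed, so N >= 30 / target_far trials are needed."""
    if not 0 < target_far < 1:
        raise ValueError("target_far must be a rate strictly between 0 and 1")
    # Small epsilon guards against float noise turning 3000.0 into 3001.
    return math.ceil(30 / target_far - 1e-9)


def far_upper_bound_zero_errors(n_attempts: int, confidence: float = 0.90) -> float:
    """Exact binomial upper bound on FAR when 0 false accepts were seen in n attempts:
    the largest p with (1 - p)^n >= 1 - confidence. With confidence=0.95 this is
    the familiar Rule of 3 (about 3/n)."""
    if n_attempts <= 0:
        raise ValueError("n_attempts must be positive")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    return 1 - (1 - confidence) ** (1 / n_attempts)


def plan(target_far: float, observed_attempts: int) -> dict:
    """Summarise what a pilot of `observed_attempts` with zero accepts can and cannot
    claim relative to a target FAR."""
    needed = attempts_for_rule_of_30(target_far)
    bound = far_upper_bound_zero_errors(observed_attempts)
    return {
        "target_far": target_far,
        "attempts_needed_rule_of_30": needed,
        "observed_attempts": observed_attempts,
        "far_upper_bound_90pct": bound,
        "target_demonstrated": bound <= target_far,
    }


if __name__ == "__main__":
    print("pilot FAR:", false_acceptance_rate(PILOT_ATTEMPTS))
    for far in (0.01, 0.001):
        print(plan(far, len(PILOT_ATTEMPTS)))
```

With zero false accepts in 10 attempts, the 90% upper bound on FAR is roughly 21%, far above either target, which is why the pilot cannot support a FAR claim; the Rule of 30 reproduces the 3000 and 30,000 attempt figures quoted above.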

3 Approach

This pilot study was comprised of eight parts. The first part discussed the reasons to focus on the authenticity sub metric. The second part discussed the reasons to focus on latent fake fingerprints. The third part discussed the pilot study participant and spoofing attempts. The fourth part introduced the materials used in the pilot study. The fifth part discussed a short overview of the pilot study procedure that the team performed. The sixth part discussed a step-by-step process to develop a latent fake fingerprint. The seventh part discussed the implementation of the pilot study. The last part discussed the data management plan.

3.1 Authenticity sub metric scoped to latent fake fingerprints.

The authenticity sub metric was chosen and scoped to latent fake fingerprints as shown in Figure 2.

Figure 2 Authenticity sub metric scoped to latent fake fingerprints

3.1.1 Focusing on authenticity sub metric and spoofing with fake fingerprints.

The team chose the security sub metric of authenticity over availability, error, and effectiveness for several reasons. The first reason was that when the team entered keywords such as “fingerprint biometric security” with “challenges”, “issues”, or “problems” into various search engines, the Purdue library, and other online databases, the team observed that the results were tied to the sub metric of authenticity in the area of spoofing with fake fingerprints (Espinoza, Champod, & Margot, 2011; Galbally-Herrero et al., 2006; Galbally et al., 2010; Galbally, Fierrez, & Ortega-Garcia, 2007; Henniger, Scheuermann, & Kniess, 2010; Marasco & Ross, 2014; Marcialis, Roli, & Tidu, 2010; Matsumoto, Matsumoto, Yamada, & Hoshino, 2002; Nikam & Agarwal, 2008; Uludag & Jain, 2004; Xiao, 2005; Yıldırım & Varol, n.d.). Secondly, authenticity incorporates the other three sub metrics to some extent. For example, if a malicious actor spoofs the fingerprint biometric authenticator using a fake fingerprint, then the authenticator made an error, the protected data or information becomes available, and the overall security that the fingerprint biometric authenticator was supposed to provide was ineffective. Third, spoofing with fake fingerprints was an area the entire team was interested in, and one member of the team had experience working with fingerprint forensics. Lastly, pursuing spoofing with fake fingerprints builds upon the recommendation of the previous INSURE team’s paper (Carras, Parekh, & Chavali, 2014).

3.1.2 Team chose the latent fake fingerprint approach

The team decided to use the latent fingerprint approach to obtain a viable sample for the following reasons:

1.
The capture of a fingerprint from random surfaces seems the more likely scenario for a malicious actor to capture a user’s biometric, since we leave fingerprints everywhere we go and on everything we touch (Galbally-Herrero et al., 2006; Galbally, Cappelli, Lumini, Maltoni, & Fierrez, 2008; Mong, Peterson, & Clauss, 1999). It is highly unlikely that a user would voluntarily provide a copy of his or her fingerprint to a malicious actor hoping to spoof and fool the user’s device. Even in the case where the malicious actor has acquired the user’s device, lifting the fingerprint from a surface of the device is a likely scenario for how the fingerprint biometric could be acquired.

2. The patent approach is similar to the latent approach in that it leaves a residue of a user’s fingerprint. However, the patent approach depends upon the residue coming from an external substance, such as grease or grime, which the latent approach does not rely on.

3. The time, budget, and material constraints of this study do not allow the team to set up a test for every possible approach malicious actors could use to acquire a user’s fingerprint biometric.

4. Common household materials were selected for obtaining a latent fake fingerprint, because the security concern is whether a person with minimal hacking skills or knowledge can gain access to protected information on the Samsung Galaxy S5 phone.

The table below lists the types of fingerprints and the commonly acquired materials needed (Brown, 1990; Goodin, 2008; Holland-Minkley, 2006) to extract a fingerprint from surfaces, along with the cost of finding and capturing the print.

Table 2.1 Type of fingerprint, materials and associated cost

Type of Fingerprint   Materials                                                                             Cost
Latent                Super glue, small cardboard box, digital phone camera, wood glue, transparency sheet
