Within weeks after its introduction , a security researcher has cracked the Tip2Pay fingerprint payment system for Dutch supermarket chain Albert Heijn. The researcher succeeded at paying for groceries by using a copied fingerprint.
The Tip2Pay system allows consumers to pay for their groceries through a fingerprint reader. Albert Heijn is the largest chain of grocery stores in the Netherlands and the namesake of Ahold, a global supermarket group with stores in Europe and the US that had annual sales of US$70.4 billion in fiscal 2006.
Security researcher Ton van der Putte, a retired employee for ATOS Origin who specializes in biometric security, successfully crafted a copy of a fingerprint out of rubber that was accepted by the Tip2Pay system. Staff members for the grocery store failed to detect the fraud. The method is easy to copy: typically a fingerprint left on a glass suffices to create a usable copy.
The hack hardly comes as a surprise. Security experts at the time of launch cautioned that the technology used by the store was insecure. Albert Heijn, however, didn't seem too worried. The store in public comments has brushed away any security concerns.
Van der Putte has a long track record in biometric security. Since 1990 he has undertaken several experiments demonstrating that secure authentication through fingerprints requires additional security measures.
The Chaos Computer Club in 2004 also demonstrated that a stand-alone fingerprint can be easily copied. The club wrote a how-to guide with instructions on how to create a copy. Also, a system similar to the technology deployed by Albert Heijn was hacked last year in Germany.
BioXS, a firm specializing in biometric security, cautions that Albert Heijn's system was poorly designed. The company worries that the failed experiment will wrongfully damage public trust in biometrics.
A spokesperson for Albert Heijn argues that the hack doesn't demonstrate a genuine security threat, because a registered user of the payment system voluntarily provided his fingerprint to the hacker. The company argues that therefore the hack compares to cloning an ATM (automated teller machine) card.
A company spokesperson told Webwereld, an IDG affiliate, that customers at no time will be at risk. The system has a daily spending limit and will compensate consumers if fraud is detected. Tip2Pay for now is run as a test. Albert Heijn expects to deploy additional security measures in case of a large-scale roll-out.